org.springframework.security.acls.domain

Class DefaultPermissionGrantingStrategy

java.lang.Object

org.springframework.security.acls.domain.DefaultPermissionGrantingStrategy

All Implemented Interfaces:

PermissionGrantingStrategy

public class DefaultPermissionGrantingStrategy
extends java.lang.Object
implements PermissionGrantingStrategy

Constructor Summary

Constructors

Constructor and Description
DefaultPermissionGrantingStrategy(AuditLogger auditLogger) Creates an instance with the logger which will be used to record granting and denial of requested permissions.

Method Summary

Modifier and Type	Method and Description
boolean	isGranted(Acl acl, java.util.List<Permission> permission, java.util.List<Sid> sids, boolean administrativeMode) Determines authorization.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

DefaultPermissionGrantingStrategy

public DefaultPermissionGrantingStrategy(AuditLogger auditLogger)

Creates an instance with the logger which will be used to record granting and denial of requested permissions.

Method Detail

isGranted

public boolean isGranted(Acl acl,
                         java.util.List<Permission> permission,
                         java.util.List<Sid> sids,
                         boolean administrativeMode)
                  throws NotFoundException

Determines authorization. The order of the permission and sid arguments is extremely important! The method will iterate through each of the permissions in the order specified. For each iteration, all of the sids will be considered, again in the order they are presented. A search will then be performed for the first AccessControlEntry object that directly matches that permission:sid combination. When the first full match is found (ie an ACE that has the SID currently being searched for and the exact permission bit mask being search for), the grant or deny flag for that ACE will prevail. If the ACE specifies to grant access, the method will return true. If the ACE specifies to deny access, the loop will stop and the next permission iteration will be performed. If each permission indicates to deny access, the first deny ACE found will be considered the reason for the failure (as it was the first match found, and is therefore the one most logically requiring changes - although not always). If absolutely no matching ACE was found at all for any permission, the parent ACL will be tried (provided that there is a parent and Acl.isEntriesInheriting() is true. The parent ACL will also scan its parent and so on. If ultimately no matching ACE is found, a NotFoundException will be thrown and the caller will need to decide how to handle the permission check. Similarly, if any of the SID arguments presented to the method were not loaded by the ACL, UnloadedSidException will be thrown.

Specified by:

isGranted in interface PermissionGrantingStrategy

Parameters:

permission - the exact permissions to scan for (order is important)

sids - the exact SIDs to scan for (order is important)

administrativeMode - if true denotes the query is for administrative purposes and no auditing will be undertaken

Returns:

true if one of the permissions has been granted, false if one of the permissions has been specifically revoked

Throws:

NotFoundException - if an exact ACE for one of the permission bit masks and SID combination could not be found