public class DefaultPermissionGrantingStrategy extends java.lang.Object implements PermissionGrantingStrategy
Constructor and Description |
---|
DefaultPermissionGrantingStrategy(AuditLogger auditLogger)
Creates an instance with the logger which will be used to record granting and
denial of requested permissions.
|
Modifier and Type | Method and Description |
---|---|
protected boolean |
isGranted(AccessControlEntry ace,
Permission p)
Compares an ACE Permission to the given Permission.
|
boolean |
isGranted(Acl acl,
java.util.List<Permission> permission,
java.util.List<Sid> sids,
boolean administrativeMode)
Determines authorization.
|
public DefaultPermissionGrantingStrategy(AuditLogger auditLogger)
public boolean isGranted(Acl acl, java.util.List<Permission> permission, java.util.List<Sid> sids, boolean administrativeMode) throws NotFoundException
permission
and
sid
arguments is extremely important! The method will iterate
through each of the permission
s in the order specified. For each
iteration, all of the sid
s will be considered, again in the order they
are presented. A search will then be performed for the first
AccessControlEntry
object that directly matches that
permission:sid
combination. When the first full match is
found (ie an ACE that has the SID currently being searched for and the exact
permission bit mask being search for), the grant or deny flag for that ACE will
prevail. If the ACE specifies to grant access, the method will return
true
. If the ACE specifies to deny access, the loop will stop and the
next permission
iteration will be performed. If each permission
indicates to deny access, the first deny ACE found will be considered the reason
for the failure (as it was the first match found, and is therefore the one most
logically requiring changes - although not always). If absolutely no matching ACE
was found at all for any permission, the parent ACL will be tried (provided that
there is a parent and Acl.isEntriesInheriting()
is true
. The
parent ACL will also scan its parent and so on. If ultimately no matching ACE is
found, a NotFoundException
will be thrown and the caller will need to
decide how to handle the permission check. Similarly, if any of the SID arguments
presented to the method were not loaded by the ACL,
UnloadedSidException
will be thrown.isGranted
in interface PermissionGrantingStrategy
permission
- the exact permissions to scan for (order is important)sids
- the exact SIDs to scan for (order is important)administrativeMode
- if true
denotes the query is for
administrative purposes and no auditing will be undertakentrue
if one of the permissions has been granted,
false
if one of the permissions has been specifically revokedNotFoundException
- if an exact ACE for one of the permission bit masks and
SID combination could not be foundprotected boolean isGranted(AccessControlEntry ace, Permission p)
if (ace.isGranting() && p.getMask() != 0) {
return (ace.getPermission().getMask() & p.getMask()) != 0;
} else {
return ace.getPermission().getMask() == p.getMask();
}
ace
- the ACE from the Acl holding the mask.p
- the Permission we are checking against.