Class DefaultPermissionGrantingStrategy
- java.lang.Object
-
- org.springframework.security.acls.domain.DefaultPermissionGrantingStrategy
-
- All Implemented Interfaces:
PermissionGrantingStrategy
public class DefaultPermissionGrantingStrategy extends java.lang.Object implements PermissionGrantingStrategy
-
-
Constructor Summary
Constructors Constructor Description DefaultPermissionGrantingStrategy(AuditLogger auditLogger)Creates an instance with the logger which will be used to record granting and denial of requested permissions.
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description protected booleanisGranted(AccessControlEntry ace, Permission p)Compares an ACE Permission to the given Permission.booleanisGranted(Acl acl, java.util.List<Permission> permission, java.util.List<Sid> sids, boolean administrativeMode)Determines authorization.
-
-
-
Constructor Detail
-
DefaultPermissionGrantingStrategy
public DefaultPermissionGrantingStrategy(AuditLogger auditLogger)
Creates an instance with the logger which will be used to record granting and denial of requested permissions.
-
-
Method Detail
-
isGranted
public boolean isGranted(Acl acl, java.util.List<Permission> permission, java.util.List<Sid> sids, boolean administrativeMode) throws NotFoundException
Determines authorization. The order of thepermissionandsidarguments is extremely important! The method will iterate through each of thepermissions in the order specified. For each iteration, all of thesids will be considered, again in the order they are presented. A search will then be performed for the firstAccessControlEntryobject that directly matches thatpermission:sidcombination. When the first full match is found (ie an ACE that has the SID currently being searched for and the exact permission bit mask being search for), the grant or deny flag for that ACE will prevail. If the ACE specifies to grant access, the method will returntrue. If the ACE specifies to deny access, the loop will stop and the nextpermissioniteration will be performed. If each permission indicates to deny access, the first deny ACE found will be considered the reason for the failure (as it was the first match found, and is therefore the one most logically requiring changes - although not always). If absolutely no matching ACE was found at all for any permission, the parent ACL will be tried (provided that there is a parent andAcl.isEntriesInheriting()istrue. The parent ACL will also scan its parent and so on. If ultimately no matching ACE is found, aNotFoundExceptionwill be thrown and the caller will need to decide how to handle the permission check. Similarly, if any of the SID arguments presented to the method were not loaded by the ACL,UnloadedSidExceptionwill be thrown.- Specified by:
isGrantedin interfacePermissionGrantingStrategy- Parameters:
permission- the exact permissions to scan for (order is important)sids- the exact SIDs to scan for (order is important)administrativeMode- iftruedenotes the query is for administrative purposes and no auditing will be undertaken- Returns:
trueif one of the permissions has been granted,falseif one of the permissions has been specifically revoked- Throws:
NotFoundException- if an exact ACE for one of the permission bit masks and SID combination could not be found
-
isGranted
protected boolean isGranted(AccessControlEntry ace, Permission p)
Compares an ACE Permission to the given Permission. By default, we compare the Permission masks for exact match. Subclasses of this strategy can override this behavior and implement more sophisticated comparisons, e.g. a bitwise comparison for ACEs that grant access.if (ace.isGranting() && p.getMask() != 0) { return (ace.getPermission().getMask() & p.getMask()) != 0; } else { return ace.getPermission().getMask() == p.getMask(); }- Parameters:
ace- the ACE from the Acl holding the mask.p- the Permission we are checking against.- Returns:
- true, if the respective masks are considered to be equal.
-
-