java.lang.Object
org.springframework.security.acls.domain.AclImpl
All Implemented Interfaces:
Serializable, Acl, AuditableAcl, MutableAcl, OwnershipAcl

public class AclImpl extends Object implements Acl, MutableAcl, AuditableAcl, OwnershipAcl
Base implementation of Acl.
  • Constructor Details

    • AclImpl

      public AclImpl(ObjectIdentity objectIdentity, Serializable id, AclAuthorizationStrategy aclAuthorizationStrategy, AuditLogger auditLogger)
      Minimal constructor, which should be used by MutableAclService.createAcl(ObjectIdentity).
      Parameters:
      objectIdentity - the object identity this ACL relates to (required)
      id - the primary key assigned to this ACL (required)
      aclAuthorizationStrategy - authorization strategy (required)
      auditLogger - audit logger (required)
    • AclImpl

      public AclImpl(ObjectIdentity objectIdentity, Serializable id, AclAuthorizationStrategy aclAuthorizationStrategy, PermissionGrantingStrategy grantingStrategy, Acl parentAcl, List<Sid> loadedSids, boolean entriesInheriting, Sid owner)
      Full constructor, which should be used by persistence tools that do not provide field-level access features.
      Parameters:
      objectIdentity - the object identity this ACL relates to
      id - the primary key assigned to this ACL
      aclAuthorizationStrategy - authorization strategy
      grantingStrategy - the PermissionGrantingStrategy which will be used by the isGranted() method
      parentAcl - the parent (may be null)
      loadedSids - the loaded SIDs if only a subset were loaded (may be null)
      entriesInheriting - if ACEs from the parent should inherit into this ACL
      owner - the owner (required)
  • Method Details

    • deleteAce

      public void deleteAce(int aceIndex) throws NotFoundException
      Specified by:
      deleteAce in interface MutableAcl
      Throws:
      NotFoundException
    • insertAce

      public void insertAce(int atIndexLocation, Permission permission, Sid sid, boolean granting) throws NotFoundException
      Specified by:
      insertAce in interface MutableAcl
      Throws:
      NotFoundException
    • getEntries

      public List<AccessControlEntry> getEntries()
      Description copied from interface: Acl
      Returns all of the entries represented by the present Acl. Entries associated with the Acl parents are not returned.

      This method is typically used for administrative purposes.

      The order that entries appear in the array is important for methods declared in the MutableAcl interface. Furthermore, some implementations MAY use ordering as part of advanced permission checking.

      Do NOT use this method for making authorization decisions. Instead use Acl.isGranted(List, List, boolean).

      This method must operate correctly even if the Acl only represents a subset of Sids. The caller is responsible for correctly handling the result if only a subset of Sids is represented.

      Specified by:
      getEntries in interface Acl
      Returns:
      the list of entries represented by the Acl, or null if there are no entries presently associated with this Acl.
    • getId

      public Serializable getId()
      Description copied from interface: MutableAcl
      Obtains an identifier that represents this MutableAcl.
      Specified by:
      getId in interface MutableAcl
      Returns:
      the identifier, or null if unsaved
    • getObjectIdentity

      public ObjectIdentity getObjectIdentity()
      Description copied from interface: Acl
      Obtains the domain object this Acl provides entries for. This is immutable once an Acl is created.
      Specified by:
      getObjectIdentity in interface Acl
      Returns:
      the object identity (never null)
    • isEntriesInheriting

      public boolean isEntriesInheriting()
      Description copied from interface: Acl
      Indicates whether the ACL entries from the Acl.getParentAcl() should flow down into the current Acl.

      The mere link between an Acl and a parent Acl on its own is insufficient to cause ACL entries to inherit down. This is because a domain object may wish to have entirely independent entries, but maintain the link with the parent for navigation purposes. Thus, this method denotes whether or not the navigation relationship also extends to the actual inheritance of entries.

      Specified by:
      isEntriesInheriting in interface Acl
      Returns:
      true if parent ACL entries inherit into the current Acl
    • isGranted

      public boolean isGranted(List<Permission> permission, List<Sid> sids, boolean administrativeMode) throws NotFoundException, UnloadedSidException
      Delegates to the PermissionGrantingStrategy.
      Specified by:
      isGranted in interface Acl
      Parameters:
      permission - the permission or permissions required (at least one entry required)
      sids - the security identities held by the principal (at least one entry required)
      administrativeMode - if true denotes the query is for administrative purposes and no logging or auditing (if supported by the implementation) should be undertaken
      Returns:
      true if authorization is granted
      Throws:
      UnloadedSidException - if the passed SIDs are unknown to this ACL because the ACL was only loaded for a subset of SIDs
      NotFoundException - MUST be thrown if an implementation cannot make an authoritative authorization decision, usually because there is no ACL information for this particular permission and/or SID
    • isSidLoaded

      public boolean isSidLoaded(List<Sid> sids)
      Description copied from interface: Acl
      For efficiency reasons an Acl may be loaded and not contain entries for every Sid in the system. If an Acl has been loaded and does not represent every Sid, all methods of the Acl can only be used within the limited scope of the Sid instances it actually represents.

      It is normal to load an Acl for only particular Sids if read-only authorization decisions are being made. However, if user interface reporting or modification of Acls is desired, an Acl should be loaded with all Sids. This method denotes whether or not the specified Sids have been loaded.

      Specified by:
      isSidLoaded in interface Acl
      Parameters:
      sids - one or more security identities the caller is interested in knowing whether this Sid supports
      Returns:
      true if every passed Sid is represented by this Acl instance
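
The isGranted and isSidLoaded contracts above mean a caller sees four distinct outcomes, and only one of them is a grant. The following is an added example, not part of the Spring Security API or its documentation: `AclDecisions`, `Outcome`, `check` and `isAllowed` are hypothetical names, and only the `Acl` interface methods documented on this page are called.

```java
import java.util.List;

import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.Sid;
import org.springframework.security.acls.model.UnloadedSidException;

/** Hypothetical helper (not part of Spring Security): fail-closed wrapper around Acl.isGranted. */
public final class AclDecisions {

    /** Outcome of a check; only GRANTED permits access. */
    public enum Outcome { GRANTED, DENIED, NO_DECISION, SIDS_NOT_LOADED }

    private AclDecisions() {
    }

    public static Outcome check(Acl acl, List<Permission> required, List<Sid> sids) {
        // isGranted requires at least one permission and at least one SID.
        if (acl == null || required == null || required.isEmpty() || sids == null || sids.isEmpty()) {
            return Outcome.NO_DECISION;
        }
        // An ACL loaded for a subset of SIDs cannot answer for the others.
        if (!acl.isSidLoaded(sids)) {
            return Outcome.SIDS_NOT_LOADED;
        }
        try {
            // administrativeMode=false: this is a real access decision, so auditing stays enabled.
            return acl.isGranted(required, sids, false) ? Outcome.GRANTED : Outcome.DENIED;
        } catch (UnloadedSidException ex) {
            return Outcome.SIDS_NOT_LOADED;
        } catch (NotFoundException ex) {
            // No authoritative decision could be made; that is never treated as a grant.
            return Outcome.NO_DECISION;
        }
    }

    /** Convenience form for call sites that only need allow or refuse. */
    public static boolean isAllowed(Acl acl, List<Permission> required, List<Sid> sids) {
        return check(acl, required, sids) == Outcome.GRANTED;
    }
}
```

Keeping SIDS_NOT_LOADED separate from NO_DECISION lets the caller reload the Acl for the missing Sids and retry instead of logging a misleading denial.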
    • setEntriesInheriting

      public void setEntriesInheriting(boolean entriesInheriting)
      Description copied from interface: MutableAcl
      Change the value returned by Acl.isEntriesInheriting().
      Specified by:
      setEntriesInheriting in interface MutableAcl
      Parameters:
      entriesInheriting - the new value
    • setOwner

      public void setOwner(Sid newOwner)
      Description copied from interface: MutableAcl
      Changes the present owner to a different owner.
      Specified by:
      setOwner in interface MutableAcl
      Specified by:
      setOwner in interface OwnershipAcl
      Parameters:
      newOwner - the new owner (mandatory; cannot be null)
    • getOwner

      public Sid getOwner()
      Description copied from interface: Acl
      Determines the owner of the Acl. The meaning of ownership varies by implementation and is unspecified.
      Specified by:
      getOwner in interface Acl
      Returns:
      the owner (may be null if the implementation does not use ownership concepts)
    • setParent

      public void setParent(Acl newParent)
      Description copied from interface: MutableAcl
      Changes the parent of this ACL.
      Specified by:
      setParent in interface MutableAcl
      Parameters:
      newParent - the new parent
    • getParentAcl

      public Acl getParentAcl()
      Description copied from interface: Acl
      A domain object may have a parent for the purpose of ACL inheritance. If there is a parent, its ACL can be accessed via this method. In turn, the parent's parent (grandparent) can be accessed and so on.

      This method solely represents the presence of a navigation hierarchy between the parent Acl and this Acl. For actual inheritance to take place, the Acl.isEntriesInheriting() must also be true.

      This method must operate correctly even if the Acl only represents a subset of Sids. The caller is responsible for correctly handling the result if only a subset of Sids is represented.

      Specified by:
      getParentAcl in interface Acl
      Returns:
      the parent Acl (may be null if this Acl does not have a parent)
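
The distinction between the parent link and actual inheritance matters when listing which entries can influence an object. The following is an added example for administrative reporting, not part of the Spring Security API or its documentation: `AclReport` and `entriesInScope` are hypothetical names, and the Acl passed in is assumed to have been loaded with all Sids.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.springframework.security.acls.model.AccessControlEntry;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.ObjectIdentity;

/** Hypothetical reporting helper (not part of Spring Security). */
public final class AclReport {

    private AclReport() {
    }

    /**
     * Lists the ACEs that can influence the given ACL: its own entries first, then
     * each ancestor's, stopping at the first ACL whose entries do not inherit.
     * For administrative display only; access decisions go through Acl.isGranted.
     */
    public static List<AccessControlEntry> entriesInScope(Acl acl) {
        List<AccessControlEntry> result = new ArrayList<>();
        Set<ObjectIdentity> seen = new HashSet<>(); // guards against a cyclic parent chain
        Acl current = acl;
        while (current != null && seen.add(current.getObjectIdentity())) {
            List<AccessControlEntry> own = current.getEntries();
            if (own != null) { // the Acl interface allows null when there are no entries
                result.addAll(own);
            }
            // A parent link alone is navigation; entries flow down only when this flag is set.
            if (!current.isEntriesInheriting()) {
                break;
            }
            current = current.getParentAcl();
        }
        return result;
    }
}
```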
    • updateAce

      public void updateAce(int aceIndex, Permission permission) throws NotFoundException
      Specified by:
      updateAce in interface MutableAcl
      Throws:
      NotFoundException
    • updateAuditing

      public void updateAuditing(int aceIndex, boolean auditSuccess, boolean auditFailure)
      Specified by:
      updateAuditing in interface AuditableAcl
    • equals

      public boolean equals(Object obj)
      Overrides:
      equals in class Object
    • hashCode

      public int hashCode()
      Overrides:
      hashCode in class Object
    • toString

      public String toString()
      Overrides:
      toString in class Object