[58] | 1 | /* Copyright 2006-2009 the original author or authors. |
---|
| 2 | * |
---|
| 3 | * Licensed under the Apache License, Version 2.0 (the "License"); |
---|
| 4 | * you may not use this file except in compliance with the License. |
---|
| 5 | * You may obtain a copy of the License at |
---|
| 6 | * |
---|
| 7 | * http://www.apache.org/licenses/LICENSE-2.0 |
---|
| 8 | * |
---|
| 9 | * Unless required by applicable law or agreed to in writing, software |
---|
| 10 | * distributed under the License is distributed on an "AS IS" BASIS, |
---|
| 11 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
---|
| 12 | * See the License for the specific language governing permissions and |
---|
| 13 | * limitations under the License. |
---|
| 14 | */ |
---|
| 15 | package org.codehaus.groovy.grails.plugins.springsecurity |
---|
| 16 | |
---|
| 17 | import org.springframework.security.AccessDeniedException |
---|
| 18 | import org.springframework.security.Authentication |
---|
| 19 | import org.springframework.security.ConfigAttribute |
---|
| 20 | import org.springframework.security.ConfigAttributeDefinition |
---|
| 21 | import org.springframework.security.vote.AbstractAccessDecisionManager |
---|
| 22 | import org.springframework.security.vote.AccessDecisionVoter |
---|
| 23 | import org.springframework.security.vote.AuthenticatedVoter |
---|
| 24 | |
---|
| 25 | /** |
---|
| 26 | * Uses the affirmative-based logic for roles, i.e. any in the list will grant access, but allows |
---|
| 27 | * an authenticated voter to 'veto' access. This allows specification of roles and |
---|
| 28 | * <code>IS_AUTHENTICATED_FULLY</code> on one line in SecurityConfig.groovy. |
---|
| 29 | * |
---|
| 30 | * @author <a href='mailto:beckwithb@studentsonly.com'>Burt Beckwith</a> |
---|
| 31 | */ |
---|
| 32 | class AuthenticatedVetoableDecisionManager extends AbstractAccessDecisionManager { |
---|
| 33 | |
---|
| 34 | /** |
---|
| 35 | * {@inheritDoc} |
---|
| 36 | * @see org.springframework.security.vote.AbstractAccessDecisionManager#decide( |
---|
| 37 | * org.springframework.security.Authentication, java.lang.Object, |
---|
| 38 | * org.springframework.security.ConfigAttributeDefinition) |
---|
| 39 | */ |
---|
| 40 | void decide(Authentication authentication, Object object, ConfigAttributeDefinition config) |
---|
| 41 | throws AccessDeniedException { |
---|
| 42 | |
---|
| 43 | boolean authenticatedVotersGranted = checkAuthenticatedVoters(authentication, object, config) |
---|
| 44 | boolean otherVotersGranted = checkOtherVoters(authentication, object, config) |
---|
| 45 | |
---|
| 46 | if (!authenticatedVotersGranted && !otherVotersGranted) { |
---|
| 47 | checkAllowIfAllAbstainDecisions() |
---|
| 48 | } |
---|
| 49 | } |
---|
| 50 | |
---|
| 51 | /** |
---|
| 52 | * Allow any {@link AuthenticatedVoter} to veto. If any voter denies, |
---|
| 53 | * throw an exception; if any grant, return <code>true</code>; |
---|
| 54 | * otherwise return <code>false</code> if all abstain. |
---|
| 55 | */ |
---|
| 56 | private boolean checkAuthenticatedVoters(authentication, object, config) { |
---|
| 57 | boolean grant = false |
---|
| 58 | for (AccessDecisionVoter voter in decisionVoters) { |
---|
| 59 | if (voter instanceof AuthenticatedVoter) { |
---|
| 60 | int result = voter.vote(authentication, object, config) |
---|
| 61 | switch (result) { |
---|
| 62 | case AccessDecisionVoter.ACCESS_GRANTED: |
---|
| 63 | grant = true |
---|
| 64 | break |
---|
| 65 | case AccessDecisionVoter.ACCESS_DENIED: |
---|
| 66 | deny() |
---|
| 67 | break |
---|
| 68 | default: // abstain |
---|
| 69 | break |
---|
| 70 | } |
---|
| 71 | } |
---|
| 72 | } |
---|
| 73 | return grant |
---|
| 74 | } |
---|
| 75 | |
---|
| 76 | /** |
---|
| 77 | * Check the other (non-{@link AuthenticatedVoter}) voters. If any voter grants, |
---|
| 78 | * return true. If any voter denies, throw exception. Otherwise return <code>false</code> |
---|
| 79 | * to indicate that all abstained. |
---|
| 80 | */ |
---|
| 81 | private boolean checkOtherVoters(authentication, object, config) { |
---|
| 82 | int denyCount = 0 |
---|
| 83 | for (AccessDecisionVoter voter in decisionVoters) { |
---|
| 84 | if (voter instanceof AuthenticatedVoter) { |
---|
| 85 | continue |
---|
| 86 | } |
---|
| 87 | |
---|
| 88 | int result = voter.vote(authentication, object, config) |
---|
| 89 | switch (result) { |
---|
| 90 | case AccessDecisionVoter.ACCESS_GRANTED: |
---|
| 91 | return true |
---|
| 92 | case AccessDecisionVoter.ACCESS_DENIED: |
---|
| 93 | denyCount++ |
---|
| 94 | break |
---|
| 95 | default: // abstain |
---|
| 96 | break |
---|
| 97 | } |
---|
| 98 | } |
---|
| 99 | |
---|
| 100 | if (denyCount) { |
---|
| 101 | deny() |
---|
| 102 | } |
---|
| 103 | |
---|
| 104 | // all abstain |
---|
| 105 | return false |
---|
| 106 | } |
---|
| 107 | |
---|
| 108 | private void deny() { |
---|
| 109 | throw new AccessDeniedException(messages.getMessage( |
---|
| 110 | "AbstractAccessDecisionManager.accessDenied", |
---|
| 111 | "Access is denied")) |
---|
| 112 | } |
---|
| 113 | } |
---|