1 | /* Copyright 2006-2009 the original author or authors. |
---|
2 | * |
---|
3 | * Licensed under the Apache License, Version 2.0 (the "License"); |
---|
4 | * you may not use this file except in compliance with the License. |
---|
5 | * You may obtain a copy of the License at |
---|
6 | * |
---|
7 | * http://www.apache.org/licenses/LICENSE-2.0 |
---|
8 | * |
---|
9 | * Unless required by applicable law or agreed to in writing, software |
---|
10 | * distributed under the License is distributed on an "AS IS" BASIS, |
---|
11 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
---|
12 | * See the License for the specific language governing permissions and |
---|
13 | * limitations under the License. |
---|
14 | */ |
---|
15 | package org.codehaus.groovy.grails.plugins.springsecurity |
---|
16 | |
---|
17 | import org.springframework.security.AccessDeniedException |
---|
18 | import org.springframework.security.Authentication |
---|
19 | import org.springframework.security.ConfigAttribute |
---|
20 | import org.springframework.security.ConfigAttributeDefinition |
---|
21 | import org.springframework.security.vote.AbstractAccessDecisionManager |
---|
22 | import org.springframework.security.vote.AccessDecisionVoter |
---|
23 | import org.springframework.security.vote.AuthenticatedVoter |
---|
24 | |
---|
25 | /** |
---|
26 | * Uses the affirmative-based logic for roles, i.e. any in the list will grant access, but allows |
---|
27 | * an authenticated voter to 'veto' access. This allows specification of roles and |
---|
28 | * <code>IS_AUTHENTICATED_FULLY</code> on one line in SecurityConfig.groovy. |
---|
29 | * |
---|
30 | * @author <a href='mailto:beckwithb@studentsonly.com'>Burt Beckwith</a> |
---|
31 | */ |
---|
32 | class AuthenticatedVetoableDecisionManager extends AbstractAccessDecisionManager { |
---|
33 | |
---|
34 | /** |
---|
35 | * {@inheritDoc} |
---|
36 | * @see org.springframework.security.vote.AbstractAccessDecisionManager#decide( |
---|
37 | * org.springframework.security.Authentication, java.lang.Object, |
---|
38 | * org.springframework.security.ConfigAttributeDefinition) |
---|
39 | */ |
---|
40 | void decide(Authentication authentication, Object object, ConfigAttributeDefinition config) |
---|
41 | throws AccessDeniedException { |
---|
42 | |
---|
43 | boolean authenticatedVotersGranted = checkAuthenticatedVoters(authentication, object, config) |
---|
44 | boolean otherVotersGranted = checkOtherVoters(authentication, object, config) |
---|
45 | |
---|
46 | if (!authenticatedVotersGranted && !otherVotersGranted) { |
---|
47 | checkAllowIfAllAbstainDecisions() |
---|
48 | } |
---|
49 | } |
---|
50 | |
---|
51 | /** |
---|
52 | * Allow any {@link AuthenticatedVoter} to veto. If any voter denies, |
---|
53 | * throw an exception; if any grant, return <code>true</code>; |
---|
54 | * otherwise return <code>false</code> if all abstain. |
---|
55 | */ |
---|
56 | private boolean checkAuthenticatedVoters(authentication, object, config) { |
---|
57 | boolean grant = false |
---|
58 | for (AccessDecisionVoter voter in decisionVoters) { |
---|
59 | if (voter instanceof AuthenticatedVoter) { |
---|
60 | int result = voter.vote(authentication, object, config) |
---|
61 | switch (result) { |
---|
62 | case AccessDecisionVoter.ACCESS_GRANTED: |
---|
63 | grant = true |
---|
64 | break |
---|
65 | case AccessDecisionVoter.ACCESS_DENIED: |
---|
66 | deny() |
---|
67 | break |
---|
68 | default: // abstain |
---|
69 | break |
---|
70 | } |
---|
71 | } |
---|
72 | } |
---|
73 | return grant |
---|
74 | } |
---|
75 | |
---|
76 | /** |
---|
77 | * Check the other (non-{@link AuthenticatedVoter}) voters. If any voter grants, |
---|
78 | * return true. If any voter denies, throw exception. Otherwise return <code>false</code> |
---|
79 | * to indicate that all abstained. |
---|
80 | */ |
---|
81 | private boolean checkOtherVoters(authentication, object, config) { |
---|
82 | int denyCount = 0 |
---|
83 | for (AccessDecisionVoter voter in decisionVoters) { |
---|
84 | if (voter instanceof AuthenticatedVoter) { |
---|
85 | continue |
---|
86 | } |
---|
87 | |
---|
88 | int result = voter.vote(authentication, object, config) |
---|
89 | switch (result) { |
---|
90 | case AccessDecisionVoter.ACCESS_GRANTED: |
---|
91 | return true |
---|
92 | case AccessDecisionVoter.ACCESS_DENIED: |
---|
93 | denyCount++ |
---|
94 | break |
---|
95 | default: // abstain |
---|
96 | break |
---|
97 | } |
---|
98 | } |
---|
99 | |
---|
100 | if (denyCount) { |
---|
101 | deny() |
---|
102 | } |
---|
103 | |
---|
104 | // all abstain |
---|
105 | return false |
---|
106 | } |
---|
107 | |
---|
108 | private void deny() { |
---|
109 | throw new AccessDeniedException(messages.getMessage( |
---|
110 | "AbstractAccessDecisionManager.accessDenied", |
---|
111 | "Access is denied")) |
---|
112 | } |
---|
113 | } |
---|