source: branches/TaskRewrite/src/plugins/acegi-0.5.1/src/groovy/org/codehaus/groovy/grails/plugins/springsecurity/AuthenticatedVetoableDecisionManager.groovy @ 58

Last change on this file since 58 was 58, checked in by gav, 15 years ago

Configure BootStrap with latest concepts.
Install and setup Acegi plugin with custom views.
Test Fixture plugin in a test app but couldn't get it to work with Acegi encodePassword() so gave up.

1/* Copyright 2006-2009 the original author or authors.
2 *
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 *      http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15package org.codehaus.groovy.grails.plugins.springsecurity
16
17import org.springframework.security.AccessDeniedException
18import org.springframework.security.Authentication
19import org.springframework.security.ConfigAttribute
20import org.springframework.security.ConfigAttributeDefinition
21import org.springframework.security.vote.AbstractAccessDecisionManager
22import org.springframework.security.vote.AccessDecisionVoter
23import org.springframework.security.vote.AuthenticatedVoter
24
25/**
26 * Uses the affirmative-based logic for roles, i.e. any in the list will grant access, but allows
27 * an authenticated voter to 'veto' access. This allows specification of roles and
28 * <code>IS_AUTHENTICATED_FULLY</code> on one line in SecurityConfig.groovy.
29 *
30 * @author <a href='mailto:beckwithb@studentsonly.com'>Burt Beckwith</a>
31 */
class AuthenticatedVetoableDecisionManager extends AbstractAccessDecisionManager {

    // Decision model implemented below:
    //  - every AuthenticatedVoter may veto: one ACCESS_DENIED from such a voter rejects the
    //    request, whatever the remaining voters would have said;
    //  - the remaining voters are affirmative: the first ACCESS_GRANTED wins and voters
    //    listed after it are not consulted; their denials only count when nobody grants;
    //  - a grant from an AuthenticatedVoter is enough when the remaining voters all abstain,
    //    but it does not override a denial from them.

    /**
     * Runs the {@link AuthenticatedVoter} pass first and the pass over the remaining voters
     * second. The second pass is not skipped when the first one granted, so a denial from
     * the remaining voters still rejects an authenticated caller. When neither pass granted
     * (and neither threw), the decision is left to the inherited
     * <code>checkAllowIfAllAbstainDecisions()</code>.
     *
     * {@inheritDoc}
     * @see org.springframework.security.vote.AbstractAccessDecisionManager#decide(
     *      org.springframework.security.Authentication, java.lang.Object,
     *      org.springframework.security.ConfigAttributeDefinition)
     */
    void decide(Authentication authentication, Object object, ConfigAttributeDefinition config)
            throws AccessDeniedException {

        // Order matters: the veto pass must be evaluated before the affirmative pass.
        boolean vetoPassGranted = checkAuthenticatedVoters(authentication, object, config)
        boolean othersGranted = checkOtherVoters(authentication, object, config)

        if (vetoPassGranted || othersGranted) {
            return
        }

        // Every voter abstained. NOTE(review): presumably this throws unless
        // allowIfAllAbstainDecisions is enabled on the base class - confirm against the
        // Spring Security version in use.
        checkAllowIfAllAbstainDecisions()
    }

    /**
     * Polls only the {@link AuthenticatedVoter} instances among the configured voters.
     * The first denial throws via {@link #deny()}; otherwise returns <code>true</code> if
     * at least one of them granted and <code>false</code> if all of them abstained.
     */
    private boolean checkAuthenticatedVoters(authentication, object, config) {
        boolean anyGranted = false
        for (AccessDecisionVoter candidate in decisionVoters) {
            if (!(candidate instanceof AuthenticatedVoter)) {
                continue
            }

            int outcome = candidate.vote(authentication, object, config)
            if (outcome == AccessDecisionVoter.ACCESS_DENIED) {
                // veto: stop immediately, later voters are never asked
                deny()
            }
            else if (outcome == AccessDecisionVoter.ACCESS_GRANTED) {
                anyGranted = true
            }
            // any other value is an abstention and leaves the flag untouched
        }
        return anyGranted
    }

    /**
     * Polls every voter that is not an {@link AuthenticatedVoter}. Returns <code>true</code>
     * on the first grant without consulting the voters after it. If nobody granted and at
     * least one voter denied, throws via {@link #deny()}; returns <code>false</code> when
     * all of them abstained.
     */
    private boolean checkOtherVoters(authentication, object, config) {
        boolean sawDenial = false
        for (AccessDecisionVoter candidate in decisionVoters) {
            if (!(candidate instanceof AuthenticatedVoter)) {
                int outcome = candidate.vote(authentication, object, config)
                if (outcome == AccessDecisionVoter.ACCESS_GRANTED) {
                    // affirmative logic: one grant is enough, earlier denials are ignored
                    return true
                }
                if (outcome == AccessDecisionVoter.ACCESS_DENIED) {
                    sawDenial = true
                }
            }
        }

        // Denials are only acted on once it is known that no voter granted.
        if (sawDenial) {
            deny()
        }

        // all abstain
        return false
    }

    /**
     * Rejects the request by throwing {@link AccessDeniedException} with the localized
     * "access denied" message (default text: "Access is denied").
     */
    private void deny() {
        String text = messages.getMessage(
                "AbstractAccessDecisionManager.accessDenied",
                "Access is denied")
        throw new AccessDeniedException(text)
    }
}