org.acegisecurity.afterinvocation
Class BasicAclEntryAfterInvocationCollectionFilteringProvider

java.lang.Object
  org.acegisecurity.afterinvocation.BasicAclEntryAfterInvocationCollectionFilteringProvider

All Implemented Interfaces:

AfterInvocationProvider, org.springframework.beans.factory.InitializingBean

public class BasicAclEntryAfterInvocationCollectionFilteringProvider
extends Object
implements AfterInvocationProvider, org.springframework.beans.factory.InitializingBean

Given a Collection of domain object instances returned from a secure object invocation, remove any Collection elements the principal does not have appropriate permission to access as defined by the AclManager.

The AclManager is used to retrieve the access control list (ACL) permissions associated with each Collection domain object instance element for the current Authentication object. This class is designed to process AclEntrys that are subclasses of BasicAclEntry only. Generally these are obtained by using the BasicAclProvider.

This after invocation provider will fire if any ConfigAttribute.getAttribute() matches the processConfigAttribute. The provider will then lookup the ACLs from the AclManager and ensure the principal is BasicAclEntry.isPermitted(int) for at least one of the requirePermissions for each Collection element. If the principal does not have at least one of the permissions, that element will not be included in the returned Collection.

Often users will setup a BasicAclEntryAfterInvocationProvider with a processConfigAttribute of AFTER_ACL_COLLECTION_READ and a requirePermission of SimpleAclEntry.READ. These are also the defaults.

The AclManager is allowed to return any implementations of AclEntry it wishes. However, this provider will only be able to validate against BasicAclEntrys, and thus a Collection element will be filtered from the resulting Collection if no AclEntry is of type BasicAclEntry.

If the provided returnObject is null, a nullCollection will be returned. If the provided returnObject is not a Collection, an AuthorizationServiceException will be thrown.

All comparisons and prefixes are case sensitive.

Version:

$Id: BasicAclEntryAfterInvocationCollectionFilteringProvider.java 1784 2007-02-24 21:00:24Z luke_t $

Author:

Ben Alex, Paulo Neves

Field Summary

protected static org.apache.commons.logging.Log

logger

Constructor Summary

BasicAclEntryAfterInvocationCollectionFilteringProvider()

Method Summary

void	afterPropertiesSet()
Object	decide(Authentication authentication, Object object, ConfigAttributeDefinition config, Object returnedObject)
AclManager	getAclManager()
String	getProcessConfigAttribute()
int[]	getRequirePermission()
void	setAclManager(AclManager aclManager)
void	setProcessConfigAttribute(String processConfigAttribute)
void	setProcessDomainObjectClass(Class processDomainObjectClass)
void	setRequirePermission(int[] requirePermission)
void	setRequirePermissionFromString(String[] requiredPermissions) Allow setting permissions with String literals instead of integers as setRequirePermission(int[])
boolean	supports(Class clazz) This implementation supports any type of class, because it does not query the presented secure object.
boolean	supports(ConfigAttribute attribute) Indicates whether this AfterInvocationProvider is able to participate in a decision involving the passed ConfigAttribute.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

logger

protected static final org.apache.commons.logging.Log logger

Constructor Detail

BasicAclEntryAfterInvocationCollectionFilteringProvider

public BasicAclEntryAfterInvocationCollectionFilteringProvider()

Method Detail

afterPropertiesSet

public void afterPropertiesSet()
                        throws Exception

Specified by:

afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean

Throws:

Exception

decide

public Object decide(Authentication authentication,
                     Object object,
                     ConfigAttributeDefinition config,
                     Object returnedObject)
              throws AccessDeniedException

Specified by:

decide in interface AfterInvocationProvider

Throws:

AccessDeniedException

getAclManager

public AclManager getAclManager()

getProcessConfigAttribute

public String getProcessConfigAttribute()

getRequirePermission

public int[] getRequirePermission()

setAclManager

public void setAclManager(AclManager aclManager)

setProcessConfigAttribute

public void setProcessConfigAttribute(String processConfigAttribute)

setProcessDomainObjectClass

public void setProcessDomainObjectClass(Class processDomainObjectClass)

setRequirePermission

public void setRequirePermission(int[] requirePermission)

setRequirePermissionFromString

public void setRequirePermissionFromString(String[] requiredPermissions)

Allow setting permissions with String literals instead of integers as setRequirePermission(int[])

Parameters:

requiredPermissions - permission literals

See Also:

for valid values

supports

public boolean supports(ConfigAttribute attribute)

Description copied from interface: AfterInvocationProvider

Indicates whether this AfterInvocationProvider is able to participate in a decision involving the passed ConfigAttribute.

This allows the AbstractSecurityInterceptor to check every configuration attribute can be consumed by the configured AccessDecisionManager and/or RunAsManager and/or AccessDecisionManager.

Specified by:

supports in interface AfterInvocationProvider

Parameters:

attribute - a configuration attribute that has been configured against the AbstractSecurityInterceptor

Returns:

true if this AfterInvocationProvider can support the passed configuration attribute

supports

public boolean supports(Class clazz)

This implementation supports any type of class, because it does not query the presented secure object.

Specified by:

supports in interface AfterInvocationProvider

Parameters:

clazz - the secure object

Returns:

always true