|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Objectorg.acegisecurity.acls.domain.AclImpl
public class AclImpl
Base implementation of Acl
.
Constructor Summary | |
---|---|
AclImpl(ObjectIdentity objectIdentity,
java.io.Serializable id,
AclAuthorizationStrategy aclAuthorizationStrategy,
AuditLogger auditLogger)
Minimal constructor, which should be used MutableAclService.createAcl(ObjectIdentity) . |
|
AclImpl(ObjectIdentity objectIdentity,
java.io.Serializable id,
AclAuthorizationStrategy aclAuthorizationStrategy,
AuditLogger auditLogger,
Acl parentAcl,
Sid[] loadedSids,
boolean entriesInheriting,
Sid owner)
Full constructor, which should be used by persistence tools that do not provide field-level access features. |
Method Summary | |
---|---|
void |
deleteAce(java.io.Serializable aceId)
|
AccessControlEntry[] |
getEntries()
Returns all of the entries represented by the present Acl (not parents). |
java.io.Serializable |
getId()
Obtains an identifier that represents this MutableAcl . |
ObjectIdentity |
getObjectIdentity()
Obtains the domain object this Acl provides entries for. |
Sid |
getOwner()
Determines the owner of the Acl . |
Acl |
getParentAcl()
A domain object may have a parent for the purpose of ACL inheritance. |
void |
insertAce(java.io.Serializable afterAceId,
Permission permission,
Sid sid,
boolean granting)
|
boolean |
isEntriesInheriting()
Indicates whether the ACL entries from the Acl.getParentAcl() should flow down into the current
Acl . |
boolean |
isGranted(Permission[] permission,
Sid[] sids,
boolean administrativeMode)
Determines authorization. |
boolean |
isSidLoaded(Sid[] sids)
For efficiency reasons an Acl may be loaded and not contain entries for every
Sid in the system. |
void |
setEntriesInheriting(boolean entriesInheriting)
Change the value returned by Acl.isEntriesInheriting() . |
void |
setOwner(Sid newOwner)
|
void |
setParent(Acl newParent)
Changes the parent of this ACL. |
java.lang.String |
toString()
|
void |
updateAce(java.io.Serializable aceId,
Permission permission)
|
void |
updateAuditing(java.io.Serializable aceId,
boolean auditSuccess,
boolean auditFailure)
|
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait |
Constructor Detail |
---|
public AclImpl(ObjectIdentity objectIdentity, java.io.Serializable id, AclAuthorizationStrategy aclAuthorizationStrategy, AuditLogger auditLogger)
MutableAclService.createAcl(ObjectIdentity)
.
objectIdentity
- the object identity this ACL relates to (required)id
- the primary key assigned to this ACL (required)aclAuthorizationStrategy
- authorization strategy (required)auditLogger
- audit logger (required)public AclImpl(ObjectIdentity objectIdentity, java.io.Serializable id, AclAuthorizationStrategy aclAuthorizationStrategy, AuditLogger auditLogger, Acl parentAcl, Sid[] loadedSids, boolean entriesInheriting, Sid owner)
objectIdentity
- the object identity this ACL relates to (required)id
- the primary key assigned to this ACL (required)aclAuthorizationStrategy
- authorization strategy (required)auditLogger
- audit logger (required)parentAcl
- the parent (may be null
)loadedSids
- the loaded SIDs if only a subset were loaded (may be
null
)entriesInheriting
- if ACEs from the parent should inherit into
this ACLowner
- the owner (required)Method Detail |
---|
public void deleteAce(java.io.Serializable aceId) throws NotFoundException
deleteAce
in interface MutableAcl
NotFoundException
public AccessControlEntry[] getEntries()
Acl
Acl
(not parents).This method is typically used for administrative purposes.
The order that entries appear in the array is unspecified. However, if implementations use particular ordering logic in authorization decisions, the entries returned by this method MUST be ordered in that manner.
Do NOT use this method for making authorization decisions. Instead use Acl.isGranted(Permission[], Sid[], boolean)
.
This method must operate correctly even if the Acl
only represents a subset of
Sid
s. The caller is responsible for correctly handling the result if only a subset of
Sid
s is represented.
getEntries
in interface Acl
getEntries
in interface MutableAcl
Acl
public java.io.Serializable getId()
MutableAcl
MutableAcl
.
getId
in interface MutableAcl
null
if unsavedpublic ObjectIdentity getObjectIdentity()
Acl
Acl
provides entries for. This is immutable once an
Acl
is created.
getObjectIdentity
in interface Acl
public Sid getOwner()
Acl
Acl
. The meaning of ownership varies by implementation and is
unspecified.
getOwner
in interface Acl
public Acl getParentAcl()
Acl
This
method solely represents the presence of a navigation hierarchy between the parent Acl
and this
Acl
. For actual inheritance to take place, the Acl.isEntriesInheriting()
must also be
true
.
This method must operate correctly even if the Acl
only represents a subset of
Sid
s. The caller is responsible for correctly handling the result if only a subset of
Sid
s is represented.
getParentAcl
in interface Acl
Acl
public void insertAce(java.io.Serializable afterAceId, Permission permission, Sid sid, boolean granting) throws NotFoundException
insertAce
in interface MutableAcl
NotFoundException
public boolean isEntriesInheriting()
Acl
Acl.getParentAcl()
should flow down into the current
Acl
.The mere link between an Acl
and a parent Acl
on its own
is insufficient to cause ACL entries to inherit down. This is because a domain object may wish to have entirely
independent entries, but maintain the link with the parent for navigation purposes. Thus, this method denotes
whether or not the navigation relationship also extends to the actual inheritence of entries.
isEntriesInheriting
in interface Acl
true
if parent ACL entries inherit into the current Acl
public boolean isGranted(Permission[] permission, Sid[] sids, boolean administrativeMode) throws NotFoundException, UnloadedSidException
permission
and sid
arguments is
extremely important! The method will iterate through each of the permission
s in the order
specified. For each iteration, all of the sid
s will be considered, again in the order they are
presented. A search will then be performed for the first AccessControlEntry
object that directly
matches that permission:sid
combination. When the first full match is found (ie an ACE
that has the SID currently being searched for and the exact permission bit mask being search for), the grant or
deny flag for that ACE will prevail. If the ACE specifies to grant access, the method will return
true
. If the ACE specifies to deny access, the loop will stop and the next permission
iteration will be performed. If each permission indicates to deny access, the first deny ACE found will be
considered the reason for the failure (as it was the first match found, and is therefore the one most logically
requiring changes - although not always). If absolutely no matching ACE was found at all for any permission,
the parent ACL will be tried (provided that there is a parent and isEntriesInheriting()
is
true
. The parent ACL will also scan its parent and so on. If ultimately no matching ACE is found,
a NotFoundException
will be thrown and the caller will need to decide how to handle the permission
check. Similarly, if any of the SID arguments presented to the method were not loaded by the ACL,
UnloadedSidException
will be thrown.
isGranted
in interface Acl
permission
- the exact permissions to scan for (order is important)sids
- the exact SIDs to scan for (order is important)administrativeMode
- if true
denotes the query is for administrative purposes and no auditing
will be undertaken
true
if one of the permissions has been granted, false
if one of the
permissions has been specifically revoked
NotFoundException
- if an exact ACE for one of the permission bit masks and SID combination could not be
found
UnloadedSidException
- if the passed SIDs are unknown to this ACL because the ACL was only loaded for a
subset of SIDspublic boolean isSidLoaded(Sid[] sids)
Acl
Acl
may be loaded and not contain entries for every
Sid
in the system. If an Acl
has been loaded and does not represent every
Sid
, all methods of the Sid
can only be used within the limited scope of the
Sid
instances it actually represents.
It is normal to load an Acl
for only particular Sid
s if read-only authorization
decisions are being made. However, if user interface reporting or modification of Acl
s are
desired, an Acl
should be loaded with all Sid
s. This method denotes whether or
not the specified Sid
s have been loaded or not.
isSidLoaded
in interface Acl
sids
- one or more security identities the caller is interest in knowing whether this Sid
supports
true
if every passed Sid
is represented by this Acl
instancepublic void setEntriesInheriting(boolean entriesInheriting)
MutableAcl
Acl.isEntriesInheriting()
.
setEntriesInheriting
in interface MutableAcl
entriesInheriting
- the new valuepublic void setOwner(Sid newOwner)
setOwner
in interface OwnershipAcl
public void setParent(Acl newParent)
MutableAcl
setParent
in interface MutableAcl
newParent
- the new parentpublic java.lang.String toString()
toString
in class java.lang.Object
public void updateAce(java.io.Serializable aceId, Permission permission) throws NotFoundException
updateAce
in interface MutableAcl
NotFoundException
public void updateAuditing(java.io.Serializable aceId, boolean auditSuccess, boolean auditFailure)
updateAuditing
in interface AuditableAcl
|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |