|
|
@@ -12,7 +12,6 @@
|
|
|
* See the License for the specific language governing permissions and
|
|
|
* limitations under the License.
|
|
|
*/
|
|
|
-
|
|
|
package net.sf.acegisecurity.intercept;
|
|
|
|
|
|
import net.sf.acegisecurity.AccessDecisionManager;
|
|
|
@@ -51,15 +50,15 @@ import java.util.Set;
|
|
|
|
|
|
/**
|
|
|
* Abstract class that implements security interception for secure objects.
|
|
|
- *
|
|
|
+ *
|
|
|
* <P>
|
|
|
* The <code>AbstractSecurityInterceptor</code> will ensure the proper startup
|
|
|
* configuration of the security interceptor. It will also implement the
|
|
|
* proper handling of secure object invocations, being:
|
|
|
- *
|
|
|
+ *
|
|
|
* <ol>
|
|
|
* <li>
|
|
|
- * Obtain the {@link Authentication} object from the
|
|
|
+ * Obtain the {@link Authentication} object from the
|
|
|
* {@link SecurityContextHolder}.
|
|
|
* </li>
|
|
|
* <li>
|
|
|
@@ -70,7 +69,7 @@ import java.util.Set;
|
|
|
* <li>
|
|
|
* For an invocation that is secured (there is a
|
|
|
* <code>ConfigAttributeDefinition</code> for the secure object invocation):
|
|
|
- *
|
|
|
+ *
|
|
|
* <ol type="a">
|
|
|
* <li>
|
|
|
* If either the {@link net.sf.acegisecurity.Authentication#isAuthenticated()}
|
|
|
@@ -109,12 +108,12 @@ import java.util.Set;
|
|
|
* caller.
|
|
|
* </li>
|
|
|
* </ol>
|
|
|
- *
|
|
|
+ *
|
|
|
* </li>
|
|
|
* <li>
|
|
|
* For an invocation that is public (there is no
|
|
|
* <code>ConfigAttributeDefinition</code> for the secure object invocation):
|
|
|
- *
|
|
|
+ *
|
|
|
* <ol type="a">
|
|
|
* <li>
|
|
|
* As described above, the concrete subclass will be returned an
|
|
|
@@ -125,7 +124,7 @@ import java.util.Set;
|
|
|
* Object)} is called.
|
|
|
* </li>
|
|
|
* </ol>
|
|
|
- *
|
|
|
+ *
|
|
|
* </li>
|
|
|
* <li>
|
|
|
* Control again returns to the concrete subclass, along with the
|
|
|
@@ -140,12 +139,7 @@ import java.util.Set;
|
|
|
*/
|
|
|
public abstract class AbstractSecurityInterceptor implements InitializingBean,
|
|
|
ApplicationContextAware {
|
|
|
- //~ Static fields/initializers =============================================
|
|
|
-
|
|
|
protected static final Log logger = LogFactory.getLog(AbstractSecurityInterceptor.class);
|
|
|
-
|
|
|
- //~ Instance fields ========================================================
|
|
|
-
|
|
|
private AccessDecisionManager accessDecisionManager;
|
|
|
private AfterInvocationManager afterInvocationManager;
|
|
|
private ApplicationContext context;
|
|
|
@@ -154,8 +148,6 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean,
|
|
|
private boolean alwaysReauthenticate = false;
|
|
|
private boolean validateConfigAttributes = true;
|
|
|
|
|
|
- //~ Methods ================================================================
|
|
|
-
|
|
|
public void setAfterInvocationManager(
|
|
|
AfterInvocationManager afterInvocationManager) {
|
|
|
this.afterInvocationManager = afterInvocationManager;
|
|
|
@@ -253,27 +245,27 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean,
|
|
|
|
|
|
if (!this.obtainObjectDefinitionSource().supports(getSecureObjectClass())) {
|
|
|
throw new IllegalArgumentException(
|
|
|
- "ObjectDefinitionSource does not support secure object class: "
|
|
|
- + getSecureObjectClass());
|
|
|
+ "ObjectDefinitionSource does not support secure object class: " +
|
|
|
+ getSecureObjectClass());
|
|
|
}
|
|
|
|
|
|
if (!this.runAsManager.supports(getSecureObjectClass())) {
|
|
|
throw new IllegalArgumentException(
|
|
|
- "RunAsManager does not support secure object class: "
|
|
|
- + getSecureObjectClass());
|
|
|
+ "RunAsManager does not support secure object class: " +
|
|
|
+ getSecureObjectClass());
|
|
|
}
|
|
|
|
|
|
if (!this.accessDecisionManager.supports(getSecureObjectClass())) {
|
|
|
throw new IllegalArgumentException(
|
|
|
- "AccessDecisionManager does not support secure object class: "
|
|
|
- + getSecureObjectClass());
|
|
|
+ "AccessDecisionManager does not support secure object class: " +
|
|
|
+ getSecureObjectClass());
|
|
|
}
|
|
|
|
|
|
- if ((this.afterInvocationManager != null)
|
|
|
- && !this.afterInvocationManager.supports(getSecureObjectClass())) {
|
|
|
+ if ((this.afterInvocationManager != null) &&
|
|
|
+ !this.afterInvocationManager.supports(getSecureObjectClass())) {
|
|
|
throw new IllegalArgumentException(
|
|
|
- "AfterInvocationManager does not support secure object class: "
|
|
|
- + getSecureObjectClass());
|
|
|
+ "AfterInvocationManager does not support secure object class: " +
|
|
|
+ getSecureObjectClass());
|
|
|
}
|
|
|
|
|
|
if (this.validateConfigAttributes) {
|
|
|
@@ -289,18 +281,16 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean,
|
|
|
Set set = new HashSet();
|
|
|
|
|
|
while (iter.hasNext()) {
|
|
|
- ConfigAttributeDefinition def = (ConfigAttributeDefinition) iter
|
|
|
- .next();
|
|
|
+ ConfigAttributeDefinition def = (ConfigAttributeDefinition) iter.next();
|
|
|
Iterator attributes = def.getConfigAttributes();
|
|
|
|
|
|
while (attributes.hasNext()) {
|
|
|
- ConfigAttribute attr = (ConfigAttribute) attributes
|
|
|
- .next();
|
|
|
+ ConfigAttribute attr = (ConfigAttribute) attributes.next();
|
|
|
|
|
|
- if (!this.runAsManager.supports(attr)
|
|
|
- && !this.accessDecisionManager.supports(attr)
|
|
|
- && ((this.afterInvocationManager == null)
|
|
|
- || !this.afterInvocationManager.supports(attr))) {
|
|
|
+ if (!this.runAsManager.supports(attr) &&
|
|
|
+ !this.accessDecisionManager.supports(attr) &&
|
|
|
+ ((this.afterInvocationManager == null) ||
|
|
|
+ !this.afterInvocationManager.supports(attr))) {
|
|
|
set.add(attr);
|
|
|
}
|
|
|
}
|
|
|
@@ -312,8 +302,8 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean,
|
|
|
}
|
|
|
} else {
|
|
|
throw new IllegalArgumentException(
|
|
|
- "Unsupported configuration attributes: "
|
|
|
- + set.toString());
|
|
|
+ "Unsupported configuration attributes: " +
|
|
|
+ set.toString());
|
|
|
}
|
|
|
}
|
|
|
}
|
|
|
@@ -340,18 +330,16 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean,
|
|
|
|
|
|
if (token.isContextHolderRefreshRequired()) {
|
|
|
if (logger.isDebugEnabled()) {
|
|
|
- logger.debug("Reverting to original Authentication: "
|
|
|
- + token.getAuthentication().toString());
|
|
|
+ logger.debug("Reverting to original Authentication: " +
|
|
|
+ token.getAuthentication().toString());
|
|
|
}
|
|
|
|
|
|
- SecurityContextHolder.getContext().setAuthentication(token
|
|
|
- .getAuthentication());
|
|
|
+ SecurityContextHolder.getContext().setAuthentication(token.getAuthentication());
|
|
|
}
|
|
|
|
|
|
if (afterInvocationManager != null) {
|
|
|
- returnedObject = afterInvocationManager.decide(token
|
|
|
- .getAuthentication(), token.getSecureObject(),
|
|
|
- token.getAttr(), returnedObject);
|
|
|
+ returnedObject = afterInvocationManager.decide(token.getAuthentication(),
|
|
|
+ token.getSecureObject(), token.getAttr(), returnedObject);
|
|
|
}
|
|
|
|
|
|
return returnedObject;
|
|
|
@@ -360,17 +348,18 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean,
|
|
|
protected InterceptorStatusToken beforeInvocation(Object object) {
|
|
|
Assert.notNull(object, "Object was null");
|
|
|
Assert.isTrue(getSecureObjectClass().isAssignableFrom(object.getClass()),
|
|
|
- "Security invocation attempted for object " + object
|
|
|
- + " but AbstractSecurityInterceptor only configured to support secure objects of type: "
|
|
|
- + getSecureObjectClass());
|
|
|
+ "Security invocation attempted for object " +
|
|
|
+ object.getClass().getName() +
|
|
|
+ " but AbstractSecurityInterceptor only configured to support secure objects of type: " +
|
|
|
+ getSecureObjectClass());
|
|
|
|
|
|
ConfigAttributeDefinition attr = this.obtainObjectDefinitionSource()
|
|
|
.getAttributes(object);
|
|
|
|
|
|
if (attr != null) {
|
|
|
if (logger.isDebugEnabled()) {
|
|
|
- logger.debug("Secure object: " + object.toString()
|
|
|
- + "; ConfigAttributes: " + attr.toString());
|
|
|
+ logger.debug("Secure object: " + object.toString() +
|
|
|
+ "; ConfigAttributes: " + attr.toString());
|
|
|
}
|
|
|
|
|
|
// We check for just the property we're interested in (we do
|
|
|
@@ -384,8 +373,8 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean,
|
|
|
Authentication authenticated;
|
|
|
|
|
|
if (!SecurityContextHolder.getContext().getAuthentication()
|
|
|
- .isAuthenticated()
|
|
|
- || alwaysReauthenticate) {
|
|
|
+ .isAuthenticated() ||
|
|
|
+ alwaysReauthenticate) {
|
|
|
try {
|
|
|
authenticated = this.authenticationManager.authenticate(SecurityContextHolder.getContext()
|
|
|
.getAuthentication());
|
|
|
@@ -402,8 +391,8 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean,
|
|
|
|
|
|
// We don't authenticated.setAuthentication(true), because each provider should do that
|
|
|
if (logger.isDebugEnabled()) {
|
|
|
- logger.debug("Successfully Authenticated: "
|
|
|
- + authenticated.toString());
|
|
|
+ logger.debug("Successfully Authenticated: " +
|
|
|
+ authenticated.toString());
|
|
|
}
|
|
|
|
|
|
SecurityContextHolder.getContext().setAuthentication(authenticated);
|
|
|
@@ -412,8 +401,8 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean,
|
|
|
.getAuthentication();
|
|
|
|
|
|
if (logger.isDebugEnabled()) {
|
|
|
- logger.debug("Previously Authenticated: "
|
|
|
- + authenticated.toString());
|
|
|
+ logger.debug("Previously Authenticated: " +
|
|
|
+ authenticated.toString());
|
|
|
}
|
|
|
}
|
|
|
|
|
|
@@ -450,8 +439,8 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean,
|
|
|
object); // no further work post-invocation
|
|
|
} else {
|
|
|
if (logger.isDebugEnabled()) {
|
|
|
- logger.debug("Switching to RunAs Authentication: "
|
|
|
- + runAs.toString());
|
|
|
+ logger.debug("Switching to RunAs Authentication: " +
|
|
|
+ runAs.toString());
|
|
|
}
|
|
|
|
|
|
SecurityContextHolder.getContext().setAuthentication(runAs);
|
|
|
@@ -473,7 +462,7 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean,
|
|
|
/**
|
|
|
* Helper method which generates an exception containing the passed reason,
|
|
|
* and publishes an event to the application context.
|
|
|
- *
|
|
|
+ *
|
|
|
* <P>
|
|
|
* Always throws an exception.
|
|
|
* </p>
|
Ben Alex