 /*
  * Copyright (c) 2003-2011, Simon Brown
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
  *
  *   - Redistributions of source code must retain the above copyright
  *     notice, this list of conditions and the following disclaimer.
  *
  *   - Redistributions in binary form must reproduce the above copyright
  *     notice, this list of conditions and the following disclaimer in
  *     the documentation and/or other materials provided with the
  *     distribution.
  *
  *   - Neither the name of Pebble nor the names of its contributors may
  *     be used to endorse or promote products derived from this software
  *     without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 package net.sourceforge.pebble.security;
 
 import net.sourceforge.pebble.domain.Blog;
 import net.sourceforge.pebble.util.SecurityUtils;
 import org.springframework.security.access.AccessDecisionVoter;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.core.Authentication;
 
 import java.util.Collection;
 
 /**
 * AccessDecisionVoter that votes ACCESS_GRANTED if the user is:
  *  - a blog admin user
  *  - authorised for the blog (owner, publisher or contributor)
  *  - a blog reader
  *
  * Otherwise, access is denied.
  *
  * @author Simon Brown
  */
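public class PrivateBlogVoter implements AccessDecisionVoter {

  /**
   * Indicates whether this voter is able to vote on the passed {@code ConfigAttribute}.
   * <p>This allows the {@code AbstractSecurityInterceptor} to check that every configuration
   * attribute can be consumed by the configured {@code AccessDecisionManager} and/or
   * {@code RunAsManager} and/or {@code AfterInvocationManager}.</p>
   *
   * @param attribute a configuration attribute that has been configured against the
   *                  {@code AbstractSecurityInterceptor}
   * @return true if the attribute is a {@link PrivateBlogConfigAttributeDefinition}
   */
  @Override
  public boolean supports(ConfigAttribute attribute) {
    return attribute instanceof PrivateBlogConfigAttributeDefinition;
  }

  /**
   * Indicates whether this voter can provide access control votes for the given secured
   * object type. The secured object itself is never inspected (only the configuration
   * attributes are), so every type is supported; invocations that carry no private-blog
   * attribute are handled by abstaining in {@link #vote}.
   *
   * @param clazz the class that is being queried
   * @return always true
   */
  @Override
  public boolean supports(Class<?> clazz) {
    return true;
  }

  /**
   * Votes on access to one or more private blogs.
   * <p>The vote is {@code ACCESS_ABSTAIN} when {@code config} contains no
   * {@link PrivateBlogConfigAttributeDefinition} (or is null), so that this voter never
   * influences decisions it has no interest in. Otherwise every private-blog attribute is
   * checked: the caller must be a blog admin, or be authorised for the blog (owner, publisher
   * or contributor), or be an authorised blog reader of it. The vote is
   * {@code ACCESS_DENIED} as soon as one blog fails that check and {@code ACCESS_GRANTED}
   * only when all of them pass.</p>
   * <p>Per the {@code AccessDecisionVoter} contract no other value is ever returned, and the
   * secured object is never invoked or modified.</p>
   *
   * @param authentication the caller invoking the method
   * @param object         the secured object (not inspected by this voter)
   * @param config         the configuration attributes associated with the method being invoked
   * @return either {@link #ACCESS_GRANTED}, {@link #ACCESS_ABSTAIN} or {@link #ACCESS_DENIED}
   */
  @Override
  public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> config) {
    if (config == null) {
      return ACCESS_ABSTAIN;
    }
    boolean privateBlogSeen = false;
    for (ConfigAttribute attribute : config) {
      if (!(attribute instanceof PrivateBlogConfigAttributeDefinition)) {
        continue;
      }
      privateBlogSeen = true;
      Blog blog = ((PrivateBlogConfigAttributeDefinition) attribute).getBlog();
      // Every private blog named in the configuration must be accessible to the caller;
      // returning on the first granted blog would leave any later attribute unchecked.
      if (!canAccess(authentication, blog)) {
        return ACCESS_DENIED;
      }
    }
    return privateBlogSeen ? ACCESS_GRANTED : ACCESS_ABSTAIN;
  }

  /**
   * Decides whether the caller may access a single private blog.
   *
   * @param authentication the caller
   * @param blog           the private blog being protected
   * @return true if the caller is a blog admin, is authorised for the blog, or is an
   *         authorised blog reader of it
   */
  private static boolean canAccess(Authentication authentication, Blog blog) {
    // admin users need access to all blogs
    return SecurityUtils.isBlogAdmin(authentication)
        // blog owners/publishers/contributors need access, if they have it
        || SecurityUtils.isUserAuthorisedForBlog(authentication, blog)
        // the user is an authorised blog reader
        || SecurityUtils.isUserAuthorisedForBlogAsBlogReader(authentication, blog);
  }
}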