SEC-2194: Add Java Config samples
This commit is contained in:
@@ -0,0 +1,87 @@
|
||||
package sample.dms.secured;
|
||||
|
||||
import javax.sql.DataSource;
|
||||
|
||||
import org.springframework.security.acls.domain.BasePermission;
|
||||
import org.springframework.security.acls.domain.GrantedAuthoritySid;
|
||||
import org.springframework.security.acls.domain.ObjectIdentityImpl;
|
||||
import org.springframework.security.acls.domain.PrincipalSid;
|
||||
import org.springframework.security.acls.model.MutableAcl;
|
||||
import org.springframework.security.acls.model.MutableAclService;
|
||||
import org.springframework.security.acls.model.NotFoundException;
|
||||
import org.springframework.security.acls.model.ObjectIdentity;
|
||||
import org.springframework.security.acls.model.Permission;
|
||||
import org.springframework.security.acls.model.Sid;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
import sample.dms.AbstractElement;
|
||||
import sample.dms.DataSourcePopulator;
|
||||
import sample.dms.DocumentDao;
|
||||
|
||||
public class SecureDataSourcePopulator extends DataSourcePopulator {
|
||||
|
||||
private MutableAclService aclService;
|
||||
|
||||
public SecureDataSourcePopulator(DataSource dataSource, SecureDocumentDao documentDao, MutableAclService aclService) {
|
||||
super(dataSource, documentDao);
|
||||
Assert.notNull(aclService, "MutableAclService required");
|
||||
this.aclService = aclService;
|
||||
}
|
||||
|
||||
protected void addPermission(DocumentDao documentDao, AbstractElement element, String recipient, int level) {
|
||||
Assert.notNull(documentDao, "DocumentDao required");
|
||||
Assert.isInstanceOf(SecureDocumentDao.class, documentDao, "DocumentDao should have been a SecureDocumentDao");
|
||||
Assert.notNull(element, "Element required");
|
||||
Assert.hasText(recipient, "Recipient required");
|
||||
Assert.notNull(SecurityContextHolder.getContext().getAuthentication(), "SecurityContextHolder must contain an Authentication");
|
||||
|
||||
// We need SecureDocumentDao to assign different permissions
|
||||
//SecureDocumentDao dao = (SecureDocumentDao) documentDao;
|
||||
|
||||
// We need to construct an ACL-specific Sid. Note the prefix contract is defined on the superclass method's JavaDocs
|
||||
Sid sid = null;
|
||||
if (recipient.startsWith("ROLE_")) {
|
||||
sid = new GrantedAuthoritySid(recipient);
|
||||
} else {
|
||||
sid = new PrincipalSid(recipient);
|
||||
}
|
||||
|
||||
// We need to identify the target domain object and create an ObjectIdentity for it
|
||||
// This works because AbstractElement has a "getId()" method
|
||||
ObjectIdentity identity = new ObjectIdentityImpl(element);
|
||||
// ObjectIdentity identity = new ObjectIdentityImpl(element.getClass(), element.getId()); // equivalent
|
||||
|
||||
// Next we need to create a Permission
|
||||
Permission permission = null;
|
||||
if (level == LEVEL_NEGATE_READ || level == LEVEL_GRANT_READ) {
|
||||
permission = BasePermission.READ;
|
||||
} else if (level == LEVEL_GRANT_WRITE) {
|
||||
permission = BasePermission.WRITE;
|
||||
} else if (level == LEVEL_GRANT_ADMIN) {
|
||||
permission = BasePermission.ADMINISTRATION;
|
||||
} else {
|
||||
throw new IllegalArgumentException("Unsupported LEVEL_");
|
||||
}
|
||||
|
||||
// Attempt to retrieve the existing ACL, creating an ACL if it doesn't already exist for this ObjectIdentity
|
||||
MutableAcl acl = null;
|
||||
try {
|
||||
acl = (MutableAcl) aclService.readAclById(identity);
|
||||
} catch (NotFoundException nfe) {
|
||||
acl = aclService.createAcl(identity);
|
||||
Assert.notNull(acl, "Acl could not be retrieved or created");
|
||||
}
|
||||
|
||||
// Now we have an ACL, add another ACE to it
|
||||
if (level == LEVEL_NEGATE_READ) {
|
||||
acl.insertAce(acl.getEntries().size(), permission, sid, false); // not granting
|
||||
} else {
|
||||
acl.insertAce(acl.getEntries().size(), permission, sid, true); // granting
|
||||
}
|
||||
|
||||
// Finally, persist the modified ACL
|
||||
aclService.updateAcl(acl);
|
||||
}
|
||||
|
||||
}
|
||||
16
samples/dms-xml/src/main/java/sample/dms/secured/SecureDocumentDao.java
Executable file
16
samples/dms-xml/src/main/java/sample/dms/secured/SecureDocumentDao.java
Executable file
@@ -0,0 +1,16 @@
|
||||
package sample.dms.secured;
|
||||
|
||||
import sample.dms.DocumentDao;
|
||||
|
||||
/**
|
||||
* Extends the {@link DocumentDao} and introduces ACL-related methods.
|
||||
*
|
||||
* @author Ben Alex
|
||||
*
|
||||
*/
|
||||
public interface SecureDocumentDao extends DocumentDao {
|
||||
/**
|
||||
* @return all the usernames existing in the system.
|
||||
*/
|
||||
public String[] getUsers();
|
||||
}
|
||||
60
samples/dms-xml/src/main/java/sample/dms/secured/SecureDocumentDaoImpl.java
Executable file
60
samples/dms-xml/src/main/java/sample/dms/secured/SecureDocumentDaoImpl.java
Executable file
@@ -0,0 +1,60 @@
|
||||
package sample.dms.secured;
|
||||
|
||||
import java.sql.ResultSet;
|
||||
import java.sql.SQLException;
|
||||
|
||||
import org.springframework.jdbc.core.RowMapper;
|
||||
import org.springframework.security.acls.domain.BasePermission;
|
||||
import org.springframework.security.acls.domain.ObjectIdentityImpl;
|
||||
import org.springframework.security.acls.domain.PrincipalSid;
|
||||
import org.springframework.security.acls.model.MutableAcl;
|
||||
import org.springframework.security.acls.model.MutableAclService;
|
||||
import org.springframework.security.acls.model.ObjectIdentity;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
import sample.dms.AbstractElement;
|
||||
import sample.dms.DocumentDaoImpl;
|
||||
|
||||
/**
|
||||
* Adds extra {@link SecureDocumentDao} methods.
|
||||
*
|
||||
* @author Ben Alex
|
||||
*
|
||||
*/
|
||||
public class SecureDocumentDaoImpl extends DocumentDaoImpl implements SecureDocumentDao {
|
||||
|
||||
private static final String SELECT_FROM_USERS = "SELECT USERNAME FROM USERS ORDER BY USERNAME";
|
||||
private MutableAclService mutableAclService;
|
||||
|
||||
public SecureDocumentDaoImpl(MutableAclService mutableAclService) {
|
||||
Assert.notNull(mutableAclService, "MutableAclService required");
|
||||
this.mutableAclService = mutableAclService;
|
||||
}
|
||||
|
||||
public String[] getUsers() {
|
||||
return (String[]) getJdbcTemplate().query(SELECT_FROM_USERS, new RowMapper<String>() {
|
||||
public String mapRow(ResultSet rs, int rowNumber) throws SQLException {
|
||||
return rs.getString("USERNAME");
|
||||
}
|
||||
}).toArray(new String[] {});
|
||||
}
|
||||
|
||||
public void create(AbstractElement element) {
|
||||
super.create(element);
|
||||
|
||||
// Create an ACL identity for this element
|
||||
ObjectIdentity identity = new ObjectIdentityImpl(element);
|
||||
MutableAcl acl = mutableAclService.createAcl(identity);
|
||||
|
||||
// If the AbstractElement has a parent, go and retrieve its identity (it should already exist)
|
||||
if (element.getParent() != null) {
|
||||
ObjectIdentity parentIdentity = new ObjectIdentityImpl(element.getParent());
|
||||
MutableAcl aclParent = (MutableAcl) mutableAclService.readAclById(parentIdentity);
|
||||
acl.setParent(aclParent);
|
||||
}
|
||||
acl.insertAce(acl.getEntries().size(), BasePermission.ADMINISTRATION, new PrincipalSid(SecurityContextHolder.getContext().getAuthentication()), true);
|
||||
|
||||
mutableAclService.updateAcl(acl);
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user