16 package org.acegisecurity.intercept.method;
17
18 import org.acegisecurity.AccessDeniedException;
19 import org.acegisecurity.Authentication;
20 import org.acegisecurity.ConfigAttributeDefinition;
21
22 import org.acegisecurity.intercept.AbstractSecurityInterceptor;
23
24 import org.aopalliance.intercept.MethodInvocation;
25
26 import org.springframework.beans.factory.InitializingBean;
27
28 import org.springframework.util.Assert;
29
30
31 /***
32 * Allows users to determine whether they have "before invocation" privileges
33 * for a given method invocation.
34 *
35 * <p>
36 * Of course, if an {@link org.acegisecurity.AfterInvocationManager} is used to
37 * authorize the <em>result</em> of a method invocation, this class cannot
38 * help determine whether or not the <code>AfterInvocationManager</code>
39 * will enable access. Instead this class aims to allow applications to
40 * determine whether or not the current principal would be allowed to at least
41 * attempt to invoke the method, irrespective of the "after" invocation
42 * handling.
43 * </p>
44 *
45 * @author Ben Alex
46 * @version $Id: MethodInvocationPrivilegeEvaluator.java,v 1.2 2005/11/25 04:56:01 benalex Exp $
47 */
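public class MethodInvocationPrivilegeEvaluator implements InitializingBean {

    /**
     * Interceptor whose object definition source and
     * <code>AccessDecisionManager</code> are consulted by
     * {@link #isAllowed(MethodInvocation, Authentication)}.
     */
    private AbstractSecurityInterceptor securityInterceptor;

    /**
     * Reports whether the given principal would pass the "before invocation"
     * access decision for the given method invocation.
     *
     * <p>
     * Only the configured <code>AccessDecisionManager</code> is consulted; the
     * invocation itself is never proceeded. A <code>true</code> result is
     * therefore a pre-check and not a substitute for the interceptor
     * enforcing access when the method is actually invoked.
     * </p>
     *
     * @param mi the invocation to evaluate; must expose a non-null method
     * @param authentication the principal to evaluate; must expose non-null
     *        authorities
     *
     * @return <code>false</code> if the invocation has no configuration
     *         attributes and the interceptor rejects public invocations, or
     *         if the <code>AccessDecisionManager</code> denies access;
     *         <code>true</code> otherwise
     *
     * @throws IllegalArgumentException if any of the argument assertions fail
     */
    public boolean isAllowed(MethodInvocation mi, Authentication authentication) {
        Assert.notNull(authentication, "Authentication required");
        Assert.notNull(authentication.getAuthorities(),
            "Authentication must provided non-null GrantedAuthority[]s");
        Assert.notNull(mi, "MethodInvocation required");
        Assert.notNull(mi.getMethod(),
            "MethodInvocation must provide a non-null getMethod()");

        ConfigAttributeDefinition attrs = securityInterceptor.obtainObjectDefinitionSource()
                                                             .getAttributes(mi);

        if (attrs == null) {
            // No attributes means a "public" invocation: allowed only when the
            // interceptor is not configured to reject such invocations.
            return !securityInterceptor.isRejectPublicInvocations();
        }

        // A null Authentication can never reach this point (rejected by the
        // assertion above), so no separate null branch is needed here.
        try {
            securityInterceptor.getAccessDecisionManager().decide(authentication,
                mi, attrs);
        } catch (AccessDeniedException denied) {
            // Denial is the expected negative answer to this query, not a
            // fault: report it through the return value rather than dumping a
            // stack trace to stderr on every refused check. Any other
            // exception thrown by decide() still propagates to the caller.
            return false;
        }

        return true;
    }

    /**
     * Sets the interceptor used to evaluate privileges.
     *
     * @param securityInterceptor an interceptor whose secure object class is
     *        <code>MethodInvocation</code> and which has a non-null
     *        <code>AccessDecisionManager</code>
     *
     * @throws IllegalArgumentException if the interceptor is null, secures a
     *         different object class, or has no
     *         <code>AccessDecisionManager</code>
     */
    public void setSecurityInterceptor(
        AbstractSecurityInterceptor securityInterceptor) {
        Assert.notNull(securityInterceptor,
            "AbstractSecurityInterceptor cannot be null");
        Assert.isTrue(MethodInvocation.class.equals(
                securityInterceptor.getSecureObjectClass()),
            "AbstractSecurityInterceptor does not support MethodInvocations");
        Assert.notNull(securityInterceptor.getAccessDecisionManager(),
            "AbstractSecurityInterceptor must provide a non-null AccessDecisionManager");
        this.securityInterceptor = securityInterceptor;
    }

    /**
     * Verifies that a security interceptor has been supplied.
     *
     * @throws Exception declared by the <code>InitializingBean</code>
     *         contract; the assertion itself fails with an
     *         <code>IllegalArgumentException</code>
     */
    public void afterPropertiesSet() throws Exception {
        Assert.notNull(securityInterceptor, "SecurityInterceptor required");
    }
}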