Printable View
I would also suggest adding a "sort_order" column to the SECURE_OBJECT table to determine sort order if you plan on using this table to FilterInvocation definitions. With FilterInvocation defintions, the more specific URLs will need to be evaluted first.Quote:
Originally Posted by Ben Alex
http://acegisecurity.org/docbook/ace...lterinvocation
This is a good observation.Quote:
Originally Posted by russpitre
Hi,
I'm interested on implementing this approach in our app as well. Our admin user needs to be able to change property level access permissions based on the ROLE at runtime and save these permission in the database.
Is there any document or tutorial that I could use to guide me through this besides this thread?
Than you
Raul
I would suggest looking in the following:
http://www.springframework.org/articles
As far I could see this is a custom rolled solution.....it would be nice to see this in the acegi api, but I think since many people need different types of method level auth...that making a generic api for it my be difficult....although....I have been known to be wrong. LOL.
I would like to implement this....but will wait a while before I attempt it....
If someone does implement this....please added a tutorial in the articles or ask the senior members where to put it.....
I am also very interested in this. I see that org.acegisecurity.userdetails.jdbc.JdbcDaoImpl allready implements this for the Users, it would be nice to have aQuote:
Originally Posted by raulraja
org.acegisecurity.intercept.web.jdbc.JdbcFilterInv ocationDefinitionSource
with cache, and properties for overriding the query.
I have searched in a lot of places and this doesn't seem to exist, anyone has some tips to share?
Here's a bit of code you may be able to adjust to your environment.
DatabasePathBasedFilterInvocationDefinitionMap.jav a
Code:package com.mycompany.security.acegisecurity.intercept.web;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.Vector;
import org.acegisecurity.ConfigAttributeDefinition;
import org.acegisecurity.SecurityConfig;
import org.acegisecurity.intercept.web.AbstractFilterInvocationDefinitionSource;
import org.acegisecurity.intercept.web.FilterInvocationDefinitionMap;
import org.apache.log4j.Logger;
import org.springframework.util.AntPathMatcher;
import org.springframework.util.PathMatcher;
import com.mycompany.model.security.Role;
import com.mycompany.model.security.SecureObject;
import com.mycompany.service.security.SecurityService;
public class DatabasePathBasedFilterInvocationDefinitionMap extends AbstractFilterInvocationDefinitionSource implements FilterInvocationDefinitionMap {
protected class EntryHolder {
private String antPath;
private ConfigAttributeDefinition configAttributeDefinition;
protected EntryHolder() {
throw new IllegalArgumentException("Cannot use default constructor");
}
public EntryHolder(String antPath, ConfigAttributeDefinition attr) {
this.antPath = antPath;
this.configAttributeDefinition = attr;
}
public String getAntPath() {
return antPath;
}
public ConfigAttributeDefinition getConfigAttributeDefinition() {
return configAttributeDefinition;
}
}
private static final Logger logger = Logger.getLogger(DatabasePathBasedFilterInvocationDefinitionMap.class);
private boolean convertUrlToLowercaseBeforeComparison = true;
private PathMatcher pathMatcher = new AntPathMatcher();
private List requestMap = new Vector();
private SecurityService securityService;
@SuppressWarnings("unchecked")
public void addSecureUrl(String antPath, ConfigAttributeDefinition attr) {
requestMap.add(new EntryHolder(antPath, attr));
if (logger.isDebugEnabled()) {
logger.debug("Added Ant path: " + antPath + "; attributes: " + attr);
}
}
@SuppressWarnings("unchecked")
public Iterator getConfigAttributeDefinitions() {
initRequestMap();
Set set = new HashSet();
Iterator iter = requestMap.iterator();
while (iter.hasNext()) {
EntryHolder entryHolder = (EntryHolder) iter.next();
set.add(entryHolder.getConfigAttributeDefinition());
}
return set.iterator();
}
public int getMapSize() {
return this.requestMap.size();
}
@SuppressWarnings({"unused","unchecked"})
private void initRequestMap() {
List<SecureObject> secureUrlObjects = securityService.getSecureFilterInvocationObjects();
ConfigAttributeDefinition def = new ConfigAttributeDefinition();
for(SecureObject filterInvocation: secureUrlObjects) {
if(logger.isDebugEnabled()) {
logger.debug("<Setting Secure Object Filter Definition: " + filterInvocation.getSecureObject() );
}
def = new ConfigAttributeDefinition();
for(Role role : filterInvocation.getRoles()){
def.addConfigAttribute(new SecurityConfig(role.getName()));
requestMap.add(filterInvocation.getSortOrder() , new EntryHolder(filterInvocation.getSecureObject(), def) );
}
}
}
public boolean isConvertUrlToLowercaseBeforeComparison() {
return convertUrlToLowercaseBeforeComparison;
}
@SuppressWarnings("unchecked")
@Override
public ConfigAttributeDefinition lookupAttributes(String url) {
//initRequestMap();
// Strip anything after a question mark symbol, as per SEC-161.
int firstQuestionMarkIndex = url.lastIndexOf("?");
if (firstQuestionMarkIndex != -1) {
url = url.substring(0, firstQuestionMarkIndex);
}
if (convertUrlToLowercaseBeforeComparison) {
url = url.toLowerCase();
if (logger.isDebugEnabled()) {
logger.debug("Converted URL to lowercase, from: '" + url
+ "'; to: '" + url + "'");
}
}
Iterator iter = requestMap.iterator();
while (iter.hasNext()) {
EntryHolder entryHolder = (EntryHolder) iter.next();
boolean matched = pathMatcher.match(entryHolder.getAntPath(), url);
if (logger.isDebugEnabled()) {
logger.debug("Candidate is: '" + url + "'; pattern is "
+ entryHolder.getAntPath() + "; matched=" + matched);
}
if (matched) {
return entryHolder.getConfigAttributeDefinition();
}
}
return null;
}
public void setConvertUrlToLowercaseBeforeComparison(boolean convertUrlToLowercaseBeforeComparison) {
this.convertUrlToLowercaseBeforeComparison = convertUrlToLowercaseBeforeComparison;
}
public SecurityService getSecurityService() {
return securityService;
}
public void setSecurityService(SecurityService securityService) {
this.securityService = securityService;
}
}
SecureObject domain object....
Code:package com.mycompany.model.security;
import java.util.Set;
import org.apache.commons.lang.builder.EqualsBuilder;
import org.apache.commons.lang.builder.HashCodeBuilder;
import com.mycompany.model.BaseObject;
public class SecureObject extends BaseObject {
private static final long serialVersionUID = 7093257566823171405L;
private Integer secureObjectId;
private Integer secureObjectTypeId;
private String secureObject;
private Integer sortOrder;
private Set<Role> roles;
public Set<Role> getRoles() {
return roles;
}
public void setRoles(Set<Role> roles) {
this.roles = roles;
}
public String getSecureObject() {
return secureObject;
}
public void setSecureObject(String secureObject) {
this.secureObject = secureObject;
}
public Integer getSecureObjectId() {
return secureObjectId;
}
public void setSecureObjectId(Integer secureObjectId) {
this.secureObjectId = secureObjectId;
}
public Integer getSortOrder() {
return sortOrder;
}
public void setSortOrder(Integer sortOrder) {
this.sortOrder = sortOrder;
}
public Integer getSecureObjectTypeId() {
return secureObjectTypeId;
}
public void setSecureObjectTypeId(Integer secureObjectTypeId) {
this.secureObjectTypeId = secureObjectTypeId;
}
public boolean equals(Object object) {
if (!(object instanceof SecureObject)) {
return false;
}
SecureObject rhs = (SecureObject) object;
return new EqualsBuilder().
append(this.secureObjectTypeId,rhs.getSecureObjectTypeId() ).
append(this.sortOrder, rhs.getSortOrder() ).
append(this.secureObject,rhs.getSecureObject() ).
isEquals();
}
public int hashCode() {
return new HashCodeBuilder(-1639360101, 1081503241).
append(this.secureObjectTypeId).
append(this.sortOrder).
append(this.roles).
append(this.secureObject).
toHashCode();
}
}
cont'd...
Role domain object.
...spring bean definition...Code:package com.mycompany.model.security;
import java.util.List;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.builder.EqualsBuilder;
import org.apache.commons.lang.builder.HashCodeBuilder;
import org.apache.commons.lang.builder.ToStringBuilder;
import com.mycompany.model.BaseObject;
import com.mycompany.model.activedirectory.ADGroup;
import com.mycompany.model.user.PrologUserGroup;
public class Role extends BaseObject {
private static final long serialVersionUID = 5977582917018176333L;
private static String ROLE_PREFIX_ACTIVE_DIRECTORY = "ROLE_";
private static String ROLE_PREFIX_PROLOG = "ROLE_PROLOG_";
private Integer roleId;
private String description;
private String originalName;
private String name;
private String sourcePrimaryKey;
private Integer typeId;
private RoleType roleType;
private List<String> problemsHolder;
public String getDescription() {
return description;
}
public void setDescription(String description) {
this.description = description;
}
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
public String getOriginalName() {
return originalName;
}
public void setOriginalName(String originalName) {
this.originalName = originalName;
}
public Integer getRoleId() {
return roleId;
}
public void setRoleId(Integer roleId) {
this.roleId = roleId;
}
public RoleType getRoleType() {
return roleType;
}
public void setRoleType(RoleType roleType) {
this.roleType = roleType;
}
public String getSourcePrimaryKey() {
return sourcePrimaryKey;
}
public void setSourcePrimaryKey(String sourcePrimaryKey) {
this.sourcePrimaryKey = sourcePrimaryKey;
}
public Integer getTypeId() {
return typeId;
}
public void setTypeId(Integer typeId) {
this.typeId = typeId;
}
/**
* name is the business key. Do not change.
*
* @see java.lang.Object#equals(Object)
*/
public boolean equals(Object object) {
if (!(object instanceof Role)) {
return false;
}
Role rhs = (Role) object;
return new EqualsBuilder().
append(this.name, rhs.getName()).isEquals();
}
/**
* name is the business key. Do not change.
*
* @see java.lang.Object#hashCode()
*/
public int hashCode() {
return new HashCodeBuilder(-2067913629, -1342727107).
append(this.name).toHashCode();
}
/**
* @see java.lang.Object#toString()
*/
public String toString() {
return new ToStringBuilder(this) .append("name", this.name)
.append("description", this.description).append("typeId",
this.typeId).append("roleId", this.roleId).append(
"originalName", this.originalName).append(
"sourcePrimaryKey", this.sourcePrimaryKey).toString();
}
public static String formatActiveDirectoryGroupNameToRoleName(String groupName) {
try {
String retVal = groupName.toUpperCase();
retVal = StringUtils.replace(retVal, " ", "_");
retVal = StringUtils.replace(retVal, ",", "");
return ROLE_PREFIX_ACTIVE_DIRECTORY + retVal;
} catch (Exception e ) {
return null;
}
}
public static String formatPrologGroupNameToRoleName(String groupName) {
StringBuffer strBuffer = new StringBuffer( groupName.trim() );
return ROLE_PREFIX_PROLOG + strBuffer.toString().toUpperCase().replaceAll(" ", "_").replaceAll("/","_");
}
public static Role getRole(PrologUserGroup group) {
Role role = new Role();
role.setDescription(group.getDescription());
role.setName(Role.formatPrologGroupNameToRoleName(group.getName()));
role.setOriginalName(group.getName());
role.setSourcePrimaryKey(group.getGroupId() + "");
role.setTypeId(RoleType.PROLOG);
return role;
}
public static Role getRole(ADGroup group) {
Role role = new Role();
role.setDescription(group.getDescription());
role.setName(Role.formatActiveDirectoryGroupNameToRoleName(group.getCn()));
role.setOriginalName(group.getCn());
role.setSourcePrimaryKey(group.getDn());
role.setTypeId(RoleType.ACTIVE_DIRECTORY);
return role;
}
public List<String> getProblems() {
return problemsHolder;
}
public void setProblems(List<String> problemsHolder) {
this.problemsHolder = problemsHolder;
}
public boolean isProblemsExists(){
if(this.problemsHolder.size() > 0){
return true;
}else{
return false;
}
}
}
Code:
<property name="validateConfigAttributes" value="true"/>
<property name="authenticationManager" ref="authenticationManager"/>
<property name="accessDecisionManager" ref="accessDecisionManager"/>
<property name="objectDefinitionSource" ref="databasePathBasedFilterInvocationDefinitionMap"/>
</bean>
<bean id="databasePathBasedFilterInvocationDefinitionMap" class="com.shawmut.security.acegisecurity.intercept.web.DatabasePathBasedFilterInvocationDefinitionMap"></bean>
<property name="securityService" ref="securityService"/>
thanks! I'll give it a try.
Instead of using a seperate class I guess it should work if implementing the 3 interfaces in one class too?Quote:
Originally Posted by yfmoan
It still causes an endless loop and ultimately a Stack Overflow here...
I am new to Ageci so I might missing the all point but I think you went the wrong way
I think it would be better give each method it own role and let the adminstrator decide which users or groups can have that role
You then effectivly can load the list of role for certain user when the session start.
If permission change during an open session you will need to refresh the list.
Something like hot deploy. This can be done easliy by being aware to all open sessions.
Is this sound right?