@Test(expected = AccessDeniedException.class)
 public void accessIsDeniedIfPermissionIsNotGranted() {
   AclService service = mock(AclService.class);
   Acl acl = mock(Acl.class);
   when(acl.isGranted(any(List.class), any(List.class), anyBoolean())).thenReturn(false);
   // Try a second time with no permissions found
   when(acl.isGranted(any(List.class), any(List.class), anyBoolean()))
       .thenThrow(new NotFoundException(""));
   when(service.readAclById(any(ObjectIdentity.class), any(List.class))).thenReturn(acl);
   AclEntryAfterInvocationProvider provider =
       new AclEntryAfterInvocationProvider(service, Arrays.asList(mock(Permission.class)));
   provider.setProcessConfigAttribute("MY_ATTRIBUTE");
   provider.setMessageSource(new SpringSecurityMessageSource());
   provider.setObjectIdentityRetrievalStrategy(mock(ObjectIdentityRetrievalStrategy.class));
   provider.setProcessDomainObjectClass(Object.class);
   provider.setSidRetrievalStrategy(mock(SidRetrievalStrategy.class));
   try {
     provider.decide(
         mock(Authentication.class),
         new Object(),
         SecurityConfig.createList("UNSUPPORTED", "MY_ATTRIBUTE"),
         new Object());
     fail("Expected Exception");
   } catch (AccessDeniedException expected) {
   }
   // Second scenario with no acls found
   provider.decide(
       mock(Authentication.class),
       new Object(),
       SecurityConfig.createList("UNSUPPORTED", "MY_ATTRIBUTE"),
       new Object());
 }
  @Test
  public void accessIsAllowedIfPermissionIsGranted() {
    AclService service = mock(AclService.class);
    Acl acl = mock(Acl.class);
    when(acl.isGranted(any(List.class), any(List.class), anyBoolean())).thenReturn(true);
    when(service.readAclById(any(ObjectIdentity.class), any(List.class))).thenReturn(acl);
    AclEntryAfterInvocationProvider provider =
        new AclEntryAfterInvocationProvider(service, Arrays.asList(mock(Permission.class)));
    provider.setMessageSource(new SpringSecurityMessageSource());
    provider.setObjectIdentityRetrievalStrategy(mock(ObjectIdentityRetrievalStrategy.class));
    provider.setProcessDomainObjectClass(Object.class);
    provider.setSidRetrievalStrategy(mock(SidRetrievalStrategy.class));
    Object returned = new Object();

    assertThat(returned)
        .isSameAs(
            provider.decide(
                mock(Authentication.class),
                new Object(),
                SecurityConfig.createList("AFTER_ACL_READ"),
                returned));
  }
コード例 #3
0
  private boolean checkPermission(
      Authentication authentication, ObjectIdentity oid, Object permission) {
    // Obtain the SIDs applicable to the principal
    List<Sid> sids = sidRetrievalStrategy.getSids(authentication);
    List<Permission> requiredPermission = resolvePermission(permission);

    final boolean debug = logger.isDebugEnabled();

    if (debug) {
      logger.debug("Checking permission '" + permission + "' for object '" + oid + "'");
    }

    try {
      // Lookup only ACLs for SIDs we're interested in
      Acl acl = aclService.readAclById(oid, sids);

      if (acl.isGranted(requiredPermission, sids, false)) {
        if (debug) {
          logger.debug("Access is granted");
        }

        return true;
      }

      if (debug) {
        logger.debug(
            "Returning false - ACLs returned, but insufficient permissions for this principal");
      }

    } catch (NotFoundException nfe) {
      if (debug) {
        logger.debug("Returning false - no ACLs apply for this principal");
      }
    }

    return false;
  }