src/org/jsecurity/mgt/AuthorizingSecurityManager.java - jsecurity - Git at Google

 /*
  * Copyright 2005-2008 Les Hazlewood
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.jsecurity.mgt;

 import org.jsecurity.authz.AuthorizationException;
 import org.jsecurity.authz.Authorizer;
 import org.jsecurity.authz.ModularRealmAuthorizer;
 import org.jsecurity.authz.Permission;
 import org.jsecurity.authz.permission.PermissionResolver;
 import org.jsecurity.authz.permission.PermissionResolverAware;
 import org.jsecurity.realm.Realm;
 import org.jsecurity.subject.PrincipalCollection;
 import org.jsecurity.util.LifecycleUtils;

 import java.util.Collection;
 import java.util.List;

 /**
  * JSecurity support of a {@link SecurityManager} class hierarchy that delegates all
  * authorization (access control) operations to a wrapped {@link Authorizer Authorizer} instance.  That is,
  * this class implements all the <tt>Authorizer</tt> methods in the {@link SecurityManager SecurityManager}
  * interface, but in reality, those methods are merely passthrough calls to the underlying 'real'
  * <tt>Authorizer</tt> instance.
  *
  * <p>All remaining <tt>SecurityManager</tt> methods not covered by this class or its parents (mostly Session support)
  * are left to be implemented by subclasses.
  *
  * <p>In keeping with the other classes in this hierarchy and JSecurity's desire to minimize configuration whenever
  * possible, suitable default instances for all dependencies will be created upon {@link #init() initialization} if
  * they have not been provided.
  *
  * @author Les Hazlewood
  * @since 0.9
  */
 public abstract class AuthorizingSecurityManager extends AuthenticatingSecurityManager implements PermissionResolverAware {

     /**
      * The wrapped instance to which all of this <tt>SecurityManager</tt> authorization calls are delegated.
      */
     protected Authorizer authorizer = null;

     /**
      * The <tt>PermissionResolver</tt> instance to pass to the wrapped <tt>Authorizer</tt> instance during init.
      */
     protected PermissionResolver permissionResolver = null;

     /**
      * Default no-arg constructor - used in IoC environments or when the programmer wishes to explicitly call
      * {@link #init()} after the necessary properties have been set.
      */
     public AuthorizingSecurityManager() {
     }

     /**
      * Supporting constructor for a single-realm application (automatically calls {@link #init()} before returning).
      *
      * @param singleRealm the single realm used by this SecurityManager.
      */
     public AuthorizingSecurityManager(Realm singleRealm) {
         super(singleRealm);
     }

     /**
      * Supporting constructor that sets the {@link #setRealms realms} property and then automatically calls {@link #init()}.
      *
      * @param realms the realm instances backing this SecurityManager.
      */
     public AuthorizingSecurityManager(Collection<Realm> realms) {
         super(realms);
     }

     /**
      * Returns the underlying wrapped <tt>Authorizer</tt> instance to which this <tt>SecurityManager</tt>
      * implementation delegates all of its authorization calls.
      *
      * @return the wrapped <tt>Authorizer</tt> used by this <tt>SecurityManager</tt> implementation.
      */
     public Authorizer getAuthorizer() {
         return authorizer;
     }

     /**
      * Sets the underlying <tt>Authorizer</tt> instance to which this <tt>SecurityManager</tt> implementation will
      * delegate all of its authorization calls.
      *
      * <p>If you don't set this attribute, a suitable default instance will be created for you during
      * {@link #init initialization}.
      *
      * @param authorizer the <tt>Authorizer</tt> this <tt>SecurityManager</tt> should wrap and delegate all of its
      *                   authorization calls to.
      */
     public void setAuthorizer(Authorizer authorizer) {
         this.authorizer = authorizer;
     }

     /**
      * Returns the <tt>PermissionResolver</tt> instance that will be passed on to the underlying wrapped
      * {@link Authorizer Authorizer} instance during {@link #init() initialization}.
      *
      * <p>See the {@link #setPermissionResolver setPermissionResolver} method for more detail.
      *
      * @return the <tt>PermissionResolver</tt> instance that will be passed on to the underlying wrapped
      *         {@link Authorizer Authorizer} instance during {@link #init() initialization}.
      * @see #setPermissionResolver setPermissionResolver
      */
     public PermissionResolver getPermissionResolver() {
         return permissionResolver;
     }

     /**
      * Sets the <tt>PermissionResolver</tt> instance that will be passed on to the underlying default wrapped
      * {@link Authorizer Authorizer} instance during {@link #init() initialization}.
      *
      * <p>This is a convenience method:  it allows you to configure an application-wide
      * <tt>PermissionResolver</tt> on the <tt>SecurityManager</tt> instance, and it will trickle its way down to the
      * 'real' authorizer and/or underlying Realms.  This is easier to configure at the <tt>SecurityManager</tt> level
      * than constructing your own object graph just to configure a <tt>PermissionResolver</tt> instance on objects
      * deep in the graph.
      *
      * @param permissionResolver the <tt>PermissionResolver</tt> instance to set on the wrapped <tt>Authorizer</tt> if
      *                           and only if that Authorizer instance also implements the <tt>PermissionResolverAware</tt> interface.
      */
     public void setPermissionResolver(PermissionResolver permissionResolver) {
         this.permissionResolver = permissionResolver;
     }

     /**
      * Creates a new <tt>Authorizer</tt> to use as the wrapped instance for this <tt>SecurityManager</tt>
      * implementation.
      *
      * @return the new <tt>Authorizer</tt> to use as the wrapped instance for this <tt>SecurityManager</tt> implementation.
      */
     protected Authorizer createAuthorizer() {
         ModularRealmAuthorizer mra = new ModularRealmAuthorizer();
         mra.setRealms(getRealms());
         if ( getPermissionResolver() != null ) {
             mra.setPermissionResolver( getPermissionResolver() );
         }
         mra.init();
         return mra;
     }

     /**
      * Called during the init process, this method ensures that an underlying wrapped <tt>Authorizer</tt> instance will
      * exist to support all of this <tt>SecurityManager</tt>'s delegate authorization calls.  If one does not exist,
      * a default will be created via the {@link #createAuthorizer createAuthorizer()} method which will then be set as
      * an attribute of this class.
      */
     protected void ensureAuthorizer() {
         Authorizer authorizer = getAuthorizer();
         if ( authorizer == null) {
             authorizer = createAuthorizer();
             setAuthorizer(authorizer);
         }
     }

     /**
      * Implementation of parent class's template hook for initialization logic.  This implementation
      * {@link #ensureAuthorizer ensures} an <tt>Authorizer</tt> exists and is fully initialized and then calls
      * {@link #afterAuthorizerSet() afterAuthorizerSet()} for further subclass initialization logic.
      */
     protected void afterAuthenticatorSet() {
         ensureAuthorizer();
         afterAuthorizerSet();
     }

     /**
      * Template hook for subclasses to implement initialization logic.  This will be called after an
      * <tt>Authorizer</tt> instance is guaranteed to have been set and initialized on this <tt>SecurityManager</tt>
      * instance.
      */
     protected void afterAuthorizerSet() {
     }

     /**
      * Template hook for subclasses to implement destruction/cleanup logic.  This will be called before this
      * instance's <tt>Authorizer</tt> instance will be cleaned up.
      */
     protected void beforeAuthorizerDestroyed() {
     }

     /**
      * Cleanup method that destroys/cleans up the wrapped {@link #getAuthorizer Authorizer} instance.
      */
     protected void destroyAuthorizer() {
         LifecycleUtils.destroy(getAuthorizer());
         this.authorizer = null;
     }

     /**
      * Implementation of parent class's template hook for destruction/cleanup logic.
      *
      * <p>This implementation ensures subclasses are cleaned up first by calling
      * {@link #beforeAuthorizerDestroyed() beforeAuthorizerDestroyed()} and then actually cleans up the
      * wrapped <tt>Authorizer</tt> via the {@link #destroyAuthorizer() desroyAuthorizer()} method.
      */
     protected void beforeAuthenticatorDestroyed() {
         beforeAuthorizerDestroyed();
         destroyAuthorizer();
     }

     /**
      * Utility method that ensures a delegate {@link #getAuthorizer() Authorizer} instance exists as an attribute of
      * this class.  If it does not, an IllegalStateException will be thrown because that indicates this
      * <tt>SecurityManager</tt> instance was not properly {@link #init() initialized}.
      *
      * @return the delegate <tt>Authorizer</tt> instance used by this <tt>SecurityManager</tt>
      * @throws IllegalStateException if for some reason the <tt>Authorizer</tt> instance is <tt>null</tt>, indicating
      *                               this <tt>SecurityManager</tt> instance was not properly {@link #init() initialized}.
      */
     protected Authorizer getRequiredAuthorizer() throws IllegalStateException {
         Authorizer authz = getAuthorizer();
         if (authz == null) {
             String msg = "No authorizer attribute configured for this SecurityManager instance.  Please ensure " +
                     "the init() method is called prior to using this instance and a default one will be created.";
             throw new IllegalStateException(msg);
         }
         return authz;
     }


     public boolean isPermitted(PrincipalCollection principals, String permissionString) {
         return getRequiredAuthorizer().isPermitted(principals, permissionString);
     }

     public boolean isPermitted(PrincipalCollection principals, Permission permission) {
         return getRequiredAuthorizer().isPermitted(principals, permission);
     }

     public boolean[] isPermitted(PrincipalCollection principals, String... permissions) {
         return getRequiredAuthorizer().isPermitted(principals, permissions);
     }

     public boolean[] isPermitted(PrincipalCollection principals, List<Permission> permissions) {
         return getRequiredAuthorizer().isPermitted(principals, permissions);
     }

     public boolean isPermittedAll(PrincipalCollection principals, String... permissions) {
         return getRequiredAuthorizer().isPermittedAll(principals, permissions);
     }

     public boolean isPermittedAll(PrincipalCollection principals, Collection<Permission> permissions) {
         return getRequiredAuthorizer().isPermittedAll(principals, permissions);
     }

     public void checkPermission(PrincipalCollection principals, String permission) throws AuthorizationException {
         getRequiredAuthorizer().checkPermission(principals, permission);
     }

     public void checkPermission(PrincipalCollection principals, Permission permission) throws AuthorizationException {
         getRequiredAuthorizer().checkPermission(principals, permission);
     }

     public void checkPermissions(PrincipalCollection principals, String... permissions) throws AuthorizationException {
         getRequiredAuthorizer().checkPermissions(principals, permissions);
     }

     public void checkPermissions(PrincipalCollection principals, Collection<Permission> permissions) throws AuthorizationException {
         getRequiredAuthorizer().checkPermissions(principals, permissions);
     }

     public boolean hasRole(PrincipalCollection principals, String roleIdentifier) {
         return getRequiredAuthorizer().hasRole(principals, roleIdentifier);
     }

     public boolean[] hasRoles(PrincipalCollection principals, List<String> roleIdentifiers) {
         return getRequiredAuthorizer().hasRoles(principals, roleIdentifiers);
     }

     public boolean hasAllRoles(PrincipalCollection principals, Collection<String> roleIdentifiers) {
         return getRequiredAuthorizer().hasAllRoles(principals, roleIdentifiers);
     }

     public void checkRole(PrincipalCollection principals, String role) throws AuthorizationException {
         getRequiredAuthorizer().checkRole(principals, role);
     }

     public void checkRoles(PrincipalCollection principals, Collection<String> roles) throws AuthorizationException {
         getRequiredAuthorizer().checkRoles(principals, roles);
     }
 }
	/*
	* Copyright 2005-2008 Les Hazlewood
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.jsecurity.mgt;

	import org.jsecurity.authz.AuthorizationException;
	import org.jsecurity.authz.Authorizer;
	import org.jsecurity.authz.ModularRealmAuthorizer;
	import org.jsecurity.authz.Permission;
	import org.jsecurity.authz.permission.PermissionResolver;
	import org.jsecurity.authz.permission.PermissionResolverAware;
	import org.jsecurity.realm.Realm;
	import org.jsecurity.subject.PrincipalCollection;
	import org.jsecurity.util.LifecycleUtils;

	import java.util.Collection;
	import java.util.List;

	/**
	* JSecurity support of a {@link SecurityManager} class hierarchy that delegates all
	* authorization (access control) operations to a wrapped {@link Authorizer Authorizer} instance. That is,
	* this class implements all the <tt>Authorizer</tt> methods in the {@link SecurityManager SecurityManager}
	* interface, but in reality, those methods are merely passthrough calls to the underlying 'real'
	* <tt>Authorizer</tt> instance.
	*
	* <p>All remaining <tt>SecurityManager</tt> methods not covered by this class or its parents (mostly Session support)
	* are left to be implemented by subclasses.
	*
	* <p>In keeping with the other classes in this hierarchy and JSecurity's desire to minimize configuration whenever
	* possible, suitable default instances for all dependencies will be created upon {@link #init() initialization} if
	* they have not been provided.
	*
	* @author Les Hazlewood
	* @since 0.9
	*/
	public abstract class AuthorizingSecurityManager extends AuthenticatingSecurityManager implements PermissionResolverAware {

	/**
	* The wrapped instance to which all of this <tt>SecurityManager</tt> authorization calls are delegated.
	*/
	protected Authorizer authorizer = null;

	/**
	* The <tt>PermissionResolver</tt> instance to pass to the wrapped <tt>Authorizer</tt> instance during init.
	*/
	protected PermissionResolver permissionResolver = null;

	/**
	* Default no-arg constructor - used in IoC environments or when the programmer wishes to explicitly call
	* {@link #init()} after the necessary properties have been set.
	*/
	public AuthorizingSecurityManager() {
	}

	/**
	* Supporting constructor for a single-realm application (automatically calls {@link #init()} before returning).
	*
	* @param singleRealm the single realm used by this SecurityManager.
	*/
	public AuthorizingSecurityManager(Realm singleRealm) {
	super(singleRealm);
	}

	/**
	* Supporting constructor that sets the {@link #setRealms realms} property and then automatically calls {@link #init()}.
	*
	* @param realms the realm instances backing this SecurityManager.
	*/
	public AuthorizingSecurityManager(Collection<Realm> realms) {
	super(realms);
	}

	/**
	* Returns the underlying wrapped <tt>Authorizer</tt> instance to which this <tt>SecurityManager</tt>
	* implementation delegates all of its authorization calls.
	*
	* @return the wrapped <tt>Authorizer</tt> used by this <tt>SecurityManager</tt> implementation.
	*/
	public Authorizer getAuthorizer() {
	return authorizer;
	}

	/**
	* Sets the underlying <tt>Authorizer</tt> instance to which this <tt>SecurityManager</tt> implementation will
	* delegate all of its authorization calls.
	*
	* <p>If you don't set this attribute, a suitable default instance will be created for you during
	* {@link #init initialization}.
	*
	* @param authorizer the <tt>Authorizer</tt> this <tt>SecurityManager</tt> should wrap and delegate all of its
	* authorization calls to.
	*/
	public void setAuthorizer(Authorizer authorizer) {
	this.authorizer = authorizer;
	}

	/**
	* Returns the <tt>PermissionResolver</tt> instance that will be passed on to the underlying wrapped
	* {@link Authorizer Authorizer} instance during {@link #init() initialization}.
	*
	* <p>See the {@link #setPermissionResolver setPermissionResolver} method for more detail.
	*
	* @return the <tt>PermissionResolver</tt> instance that will be passed on to the underlying wrapped
	* {@link Authorizer Authorizer} instance during {@link #init() initialization}.
	* @see #setPermissionResolver setPermissionResolver
	*/
	public PermissionResolver getPermissionResolver() {
	return permissionResolver;
	}

	/**
	* Sets the <tt>PermissionResolver</tt> instance that will be passed on to the underlying default wrapped
	* {@link Authorizer Authorizer} instance during {@link #init() initialization}.
	*
	* <p>This is a convenience method: it allows you to configure an application-wide
	* <tt>PermissionResolver</tt> on the <tt>SecurityManager</tt> instance, and it will trickle its way down to the
	* 'real' authorizer and/or underlying Realms. This is easier to configure at the <tt>SecurityManager</tt> level
	* than constructing your own object graph just to configure a <tt>PermissionResolver</tt> instance on objects
	* deep in the graph.
	*
	* @param permissionResolver the <tt>PermissionResolver</tt> instance to set on the wrapped <tt>Authorizer</tt> if
	* and only if that Authorizer instance also implements the <tt>PermissionResolverAware</tt> interface.
	*/
	public void setPermissionResolver(PermissionResolver permissionResolver) {
	this.permissionResolver = permissionResolver;
	}

	/**
	* Creates a new <tt>Authorizer</tt> to use as the wrapped instance for this <tt>SecurityManager</tt>
	* implementation.
	*
	* @return the new <tt>Authorizer</tt> to use as the wrapped instance for this <tt>SecurityManager</tt> implementation.
	*/
	protected Authorizer createAuthorizer() {
	ModularRealmAuthorizer mra = new ModularRealmAuthorizer();
	mra.setRealms(getRealms());
	if ( getPermissionResolver() != null ) {
	mra.setPermissionResolver( getPermissionResolver() );
	}
	mra.init();
	return mra;
	}

	/**
	* Called during the init process, this method ensures that an underlying wrapped <tt>Authorizer</tt> instance will
	* exist to support all of this <tt>SecurityManager</tt>'s delegate authorization calls. If one does not exist,
	* a default will be created via the {@link #createAuthorizer createAuthorizer()} method which will then be set as
	* an attribute of this class.
	*/
	protected void ensureAuthorizer() {
	Authorizer authorizer = getAuthorizer();
	if ( authorizer == null) {
	authorizer = createAuthorizer();
	setAuthorizer(authorizer);
	}
	}

	/**
	* Implementation of parent class's template hook for initialization logic. This implementation
	* {@link #ensureAuthorizer ensures} an <tt>Authorizer</tt> exists and is fully initialized and then calls
	* {@link #afterAuthorizerSet() afterAuthorizerSet()} for further subclass initialization logic.
	*/
	protected void afterAuthenticatorSet() {
	ensureAuthorizer();
	afterAuthorizerSet();
	}

	/**
	* Template hook for subclasses to implement initialization logic. This will be called after an
	* <tt>Authorizer</tt> instance is guaranteed to have been set and initialized on this <tt>SecurityManager</tt>
	* instance.
	*/
	protected void afterAuthorizerSet() {
	}

	/**
	* Template hook for subclasses to implement destruction/cleanup logic. This will be called before this
	* instance's <tt>Authorizer</tt> instance will be cleaned up.
	*/
	protected void beforeAuthorizerDestroyed() {
	}

	/**
	* Cleanup method that destroys/cleans up the wrapped {@link #getAuthorizer Authorizer} instance.
	*/
	protected void destroyAuthorizer() {
	LifecycleUtils.destroy(getAuthorizer());
	this.authorizer = null;
	}

	/**
	* Implementation of parent class's template hook for destruction/cleanup logic.
	*
	* <p>This implementation ensures subclasses are cleaned up first by calling
	* {@link #beforeAuthorizerDestroyed() beforeAuthorizerDestroyed()} and then actually cleans up the
	* wrapped <tt>Authorizer</tt> via the {@link #destroyAuthorizer() desroyAuthorizer()} method.
	*/
	protected void beforeAuthenticatorDestroyed() {
	beforeAuthorizerDestroyed();
	destroyAuthorizer();
	}

	/**
	* Utility method that ensures a delegate {@link #getAuthorizer() Authorizer} instance exists as an attribute of
	* this class. If it does not, an IllegalStateException will be thrown because that indicates this
	* <tt>SecurityManager</tt> instance was not properly {@link #init() initialized}.
	*
	* @return the delegate <tt>Authorizer</tt> instance used by this <tt>SecurityManager</tt>
	* @throws IllegalStateException if for some reason the <tt>Authorizer</tt> instance is <tt>null</tt>, indicating
	* this <tt>SecurityManager</tt> instance was not properly {@link #init() initialized}.
	*/
	protected Authorizer getRequiredAuthorizer() throws IllegalStateException {
	Authorizer authz = getAuthorizer();
	if (authz == null) {
	String msg = "No authorizer attribute configured for this SecurityManager instance. Please ensure " +
	"the init() method is called prior to using this instance and a default one will be created.";
	throw new IllegalStateException(msg);
	}
	return authz;
	}


	public boolean isPermitted(PrincipalCollection principals, String permissionString) {
	return getRequiredAuthorizer().isPermitted(principals, permissionString);
	}

	public boolean isPermitted(PrincipalCollection principals, Permission permission) {
	return getRequiredAuthorizer().isPermitted(principals, permission);
	}

	public boolean[] isPermitted(PrincipalCollection principals, String... permissions) {
	return getRequiredAuthorizer().isPermitted(principals, permissions);
	}

	public boolean[] isPermitted(PrincipalCollection principals, List<Permission> permissions) {
	return getRequiredAuthorizer().isPermitted(principals, permissions);
	}

	public boolean isPermittedAll(PrincipalCollection principals, String... permissions) {
	return getRequiredAuthorizer().isPermittedAll(principals, permissions);
	}

	public boolean isPermittedAll(PrincipalCollection principals, Collection<Permission> permissions) {
	return getRequiredAuthorizer().isPermittedAll(principals, permissions);
	}

	public void checkPermission(PrincipalCollection principals, String permission) throws AuthorizationException {
	getRequiredAuthorizer().checkPermission(principals, permission);
	}

	public void checkPermission(PrincipalCollection principals, Permission permission) throws AuthorizationException {
	getRequiredAuthorizer().checkPermission(principals, permission);
	}

	public void checkPermissions(PrincipalCollection principals, String... permissions) throws AuthorizationException {
	getRequiredAuthorizer().checkPermissions(principals, permissions);
	}

	public void checkPermissions(PrincipalCollection principals, Collection<Permission> permissions) throws AuthorizationException {
	getRequiredAuthorizer().checkPermissions(principals, permissions);
	}

	public boolean hasRole(PrincipalCollection principals, String roleIdentifier) {
	return getRequiredAuthorizer().hasRole(principals, roleIdentifier);
	}

	public boolean[] hasRoles(PrincipalCollection principals, List<String> roleIdentifiers) {
	return getRequiredAuthorizer().hasRoles(principals, roleIdentifiers);
	}

	public boolean hasAllRoles(PrincipalCollection principals, Collection<String> roleIdentifiers) {
	return getRequiredAuthorizer().hasAllRoles(principals, roleIdentifiers);
	}

	public void checkRole(PrincipalCollection principals, String role) throws AuthorizationException {
	getRequiredAuthorizer().checkRole(principals, role);
	}

	public void checkRoles(PrincipalCollection principals, Collection<String> roles) throws AuthorizationException {
	getRequiredAuthorizer().checkRoles(principals, roles);
	}
	}