ome.security.basic

Class BasicACLVoter

java.lang.Object

ome.security.basic.BasicACLVoter

All Implemented Interfaces:

ACLVoter

public class BasicACLVoter
extends java.lang.Object
implements ACLVoter

Since:

3.0-M3

See Also:

Token, SecuritySystem, Details, Permissions

Field Summary

Fields

Modifier and Type	Field and Description
protected CurrentDetails	currentUser
protected PolicyService	policyService
protected ome.system.Roles	roles
protected SecurityFilter	securityFilter
protected SystemTypes	sysTypes
protected TokenHolder	tokenHolder

Constructor Summary

Constructors

Constructor and Description
BasicACLVoter(CurrentDetails cd, SystemTypes sysTypes, TokenHolder tokenHolder, SecurityFilter securityFilter)
BasicACLVoter(CurrentDetails cd, SystemTypes sysTypes, TokenHolder tokenHolder, SecurityFilter securityFilter, PolicyService policyService) Deprecated.
BasicACLVoter(CurrentDetails cd, SystemTypes sysTypes, TokenHolder tokenHolder, SecurityFilter securityFilter, PolicyService policyService, ome.system.Roles roles)
BasicACLVoter(CurrentDetails cd, SystemTypes sysTypes, TokenHolder tokenHolder, SecurityFilter securityFilter, PolicyService policyService, ome.system.Roles roles, LightAdminPrivileges adminPrivileges, SessionProvider sessionProvider, ReadOnlyStatus readOnly, java.util.Set<java.lang.String> managedRepoUuids, java.util.Set<java.lang.String> scriptRepoUuids, java.lang.String fileRepoSecretKey)
BasicACLVoter(CurrentDetails cd, SystemTypes sysTypes, TokenHolder tokenHolder, SecurityFilter securityFilter, PolicyService policyService, ome.system.Roles roles, SessionProvider sessionProvider, ReadOnlyStatus readOnly)
BasicACLVoter(CurrentDetails cd, SystemTypes sysTypes, TokenHolder tokenHolder, SecurityFilter securityFilter, SessionProvider sessionProvider, ReadOnlyStatus readOnly)

Method Summary

Modifier and Type	Method and Description
boolean	allowAnnotate(ome.model.IObject iObject, ome.model.internal.Details trustedDetails) test whether the given object should be annotatable given the trusted details.
boolean	allowChmod(ome.model.IObject iObject) test whether the given object can have its Permissions changed within the current security context.
boolean	allowCreation(ome.model.IObject iObject) test whether the given object should be insertable into the DB.
boolean	allowDelete(ome.model.IObject iObject, ome.model.internal.Details trustedDetails) test whether the given object should be deleteable given the trusted details.
boolean	allowLoad(org.hibernate.Session session, java.lang.Class<? extends ome.model.IObject> klass, ome.model.internal.Details d, long id) delegates to SecurityFilter because that is where the logic is defined for the read filter Ignores the id for the moment.
boolean	allowUpdate(ome.model.IObject iObject, ome.model.internal.Details trustedDetails) test whether the given object should be updateable given the trusted details.
void	postProcess(ome.model.IObject object) Gives the ACLVoter instance a chance to act on the IObject after the transaction but before finishing the AOP stack.
java.util.Set<java.lang.String>	restrictions(ome.model.IObject object) Provide the active restrictions for this IObject.
void	setPermittedClasses(java.util.Map<java.lang.Integer,java.util.Set<java.lang.Class<? extends ome.model.IObject>>> objectClassesPermitted) Specify object classes based on restriction constants in Permissions that do not always have those restrictions.
void	throwCreationViolation(ome.model.IObject iObject) throws a SecurityViolation based on the given IObject and the context of the current user.
void	throwDeleteViolation(ome.model.IObject iObject) throws a SecurityViolation based on the given IObject and the context of the current user.
void	throwLoadViolation(ome.model.IObject iObject) throws a SecurityViolation based on the given IObject and the context of the current user.
void	throwUpdateViolation(ome.model.IObject iObject) throws a SecurityViolation based on the given IObject and the context of the current user.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

currentUser

protected final CurrentDetails currentUser

sysTypes

protected final SystemTypes sysTypes

tokenHolder

protected final TokenHolder tokenHolder

securityFilter

protected final SecurityFilter securityFilter

policyService

protected final PolicyService policyService

roles

protected final ome.system.Roles roles

Constructor Detail

BasicACLVoter

public BasicACLVoter(CurrentDetails cd,
                     SystemTypes sysTypes,
                     TokenHolder tokenHolder,
                     SecurityFilter securityFilter)

BasicACLVoter

public BasicACLVoter(CurrentDetails cd,
                     SystemTypes sysTypes,
                     TokenHolder tokenHolder,
                     SecurityFilter securityFilter,
                     SessionProvider sessionProvider,
                     ReadOnlyStatus readOnly)

BasicACLVoter

@Deprecated
public BasicACLVoter(CurrentDetails cd,
                                 SystemTypes sysTypes,
                                 TokenHolder tokenHolder,
                                 SecurityFilter securityFilter,
                                 PolicyService policyService)

Deprecated.

BasicACLVoter

public BasicACLVoter(CurrentDetails cd,
                     SystemTypes sysTypes,
                     TokenHolder tokenHolder,
                     SecurityFilter securityFilter,
                     PolicyService policyService,
                     ome.system.Roles roles)

BasicACLVoter

public BasicACLVoter(CurrentDetails cd,
                     SystemTypes sysTypes,
                     TokenHolder tokenHolder,
                     SecurityFilter securityFilter,
                     PolicyService policyService,
                     ome.system.Roles roles,
                     SessionProvider sessionProvider,
                     ReadOnlyStatus readOnly)

BasicACLVoter

public BasicACLVoter(CurrentDetails cd,
                     SystemTypes sysTypes,
                     TokenHolder tokenHolder,
                     SecurityFilter securityFilter,
                     PolicyService policyService,
                     ome.system.Roles roles,
                     LightAdminPrivileges adminPrivileges,
                     SessionProvider sessionProvider,
                     ReadOnlyStatus readOnly,
                     java.util.Set<java.lang.String> managedRepoUuids,
                     java.util.Set<java.lang.String> scriptRepoUuids,
                     java.lang.String fileRepoSecretKey)

Method Detail

allowChmod

public boolean allowChmod(ome.model.IObject iObject)

Description copied from interface: ACLVoter

test whether the given object can have its Permissions changed within the current security context.

Specified by:

allowChmod in interface ACLVoter

Parameters:

iObject - a model object

Returns:

if the object's permissions may be changed

allowLoad

public boolean allowLoad(org.hibernate.Session session,
                         java.lang.Class<? extends ome.model.IObject> klass,
                         ome.model.internal.Details d,
                         long id)

delegates to SecurityFilter because that is where the logic is defined for the read filter Ignores the id for the moment. Though we pass in whether or not a share is active for completeness, a different ACLVoter implementation will almost certainly be active for share use.

Specified by:

allowLoad in interface ACLVoter

Parameters:

session - the Hibernate session to use for the query

klass - a non-null class to test for loading

d - the non-null trusted details (usually from the db) for this instance

id - the id of the object which will be loaded. As opposed to the rest of the object, this must be known.

Returns:

true if loading of this object can proceed

See Also:

ACLEventListener.onPostLoad(org.hibernate.event.PostLoadEvent)

throwLoadViolation

public void throwLoadViolation(ome.model.IObject iObject)
                        throws ome.conditions.SecurityViolation

Description copied from interface: ACLVoter

throws a SecurityViolation based on the given IObject and the context of the current user.

Specified by:

throwLoadViolation in interface ACLVoter

Parameters:

iObject - Non-null object which caused this violation

Throws:

ome.conditions.SecurityViolation

See Also:

ACLEventListener.onPostLoad(org.hibernate.event.PostLoadEvent)

allowCreation

public boolean allowCreation(ome.model.IObject iObject)

Description copied from interface: ACLVoter

test whether the given object should be insertable into the DB. No trusted details is passed to this method, since for transient entities there are no trusted values. The SecuritySystem implementors will usually call ACLVoter.throwCreationViolation(IObject) if this method returns false.

Specified by:

allowCreation in interface ACLVoter

Parameters:

iObject - a non-null entity to test for creation.

Returns:

true if creation of this object can proceed

See Also:

ACLEventListener.onPreInsert(org.hibernate.event.PreInsertEvent)

throwCreationViolation

public void throwCreationViolation(ome.model.IObject iObject)
                            throws ome.conditions.SecurityViolation

Description copied from interface: ACLVoter

throws a SecurityViolation based on the given IObject and the context of the current user.

Specified by:

throwCreationViolation in interface ACLVoter

Parameters:

iObject - Non-null object which caused this violation

Throws:

ome.conditions.SecurityViolation

See Also:

ACLEventListener.onPreInsert(org.hibernate.event.PreInsertEvent)

allowAnnotate

public boolean allowAnnotate(ome.model.IObject iObject,
                             ome.model.internal.Details trustedDetails)

Description copied from interface: ACLVoter

test whether the given object should be annotatable given the trusted details. The details will usually be retrieved from the current state array coming from the database.

Specified by:

allowAnnotate in interface ACLVoter

Parameters:

iObject - a non-null entity to test for update.

trustedDetails - a Details instance that is known to be valid.

Returns:

true if annotation of this object can proceed

allowUpdate

public boolean allowUpdate(ome.model.IObject iObject,
                           ome.model.internal.Details trustedDetails)

Description copied from interface: ACLVoter

test whether the given object should be updateable given the trusted details. The details will usually be retrieved from the current state array coming from the database. The SecuritySystem implementors will usually call ACLVoter.throwUpdateViolation(IObject) if this method returns false.

Specified by:

allowUpdate in interface ACLVoter

Parameters:

iObject - a non-null entity to test for update.

trustedDetails - a Details instance that is known to be valid.

Returns:

true if update of this object can proceed

See Also:

ACLEventListener.onPreUpdate(org.hibernate.event.PreUpdateEvent)

throwUpdateViolation

public void throwUpdateViolation(ome.model.IObject iObject)
                          throws ome.conditions.SecurityViolation

Description copied from interface: ACLVoter

throws a SecurityViolation based on the given IObject and the context of the current user.

Specified by:

throwUpdateViolation in interface ACLVoter

Parameters:

iObject - Non-null object which caused this violation

Throws:

ome.conditions.SecurityViolation

See Also:

ACLEventListener.onPreUpdate(org.hibernate.event.PreUpdateEvent)

allowDelete

public boolean allowDelete(ome.model.IObject iObject,
                           ome.model.internal.Details trustedDetails)

Description copied from interface: ACLVoter

test whether the given object should be deleteable given the trusted details. The details will usually be retrieved from the current state array coming from the database. The SecuritySystem implementors will usually call ACLVoter.throwDeleteViolation(IObject) if this method returns false.

Specified by:

allowDelete in interface ACLVoter

Parameters:

iObject - a non-null entity to test for deletion.

trustedDetails - a Details instance that is known to be valid.

Returns:

true if deletion of this object can proceed

See Also:

ACLEventListener.onPreDelete(org.hibernate.event.PreDeleteEvent)

throwDeleteViolation

public void throwDeleteViolation(ome.model.IObject iObject)
                          throws ome.conditions.SecurityViolation

Description copied from interface: ACLVoter

throws a SecurityViolation based on the given IObject and the context of the current user.

Specified by:

throwDeleteViolation in interface ACLVoter

Parameters:

iObject - Non-null object which caused this violation

Throws:

ome.conditions.SecurityViolation

See Also:

ACLEventListener.onPreDelete(org.hibernate.event.PreDeleteEvent)

restrictions

public java.util.Set<java.lang.String> restrictions(ome.model.IObject object)

Description copied from interface: ACLVoter

Provide the active restrictions for this IObject. See PolicyService for further details.

Specified by:

restrictions in interface ACLVoter

Parameters:

object - a model object

Returns:

the restrictions applying for the object

setPermittedClasses

public void setPermittedClasses(java.util.Map<java.lang.Integer,java.util.Set<java.lang.Class<? extends ome.model.IObject>>> objectClassesPermitted)

Description copied from interface: ACLVoter

Specify object classes based on restriction constants in Permissions that do not always have those restrictions. Previously set classes may not be cleared by subsequent calls to this method.

Specified by:

setPermittedClasses in interface ACLVoter

Parameters:

objectClassesPermitted - the map from restriction constants to object classes that may not have those restrictions

postProcess

public void postProcess(ome.model.IObject object)

Description copied from interface: ACLVoter

Gives the ACLVoter instance a chance to act on the IObject after the transaction but before finishing the AOP stack.

Specified by:

postProcess in interface ACLVoter

Parameters:

object - a model object