com.evolveum.midpoint.security.impl

Class SecurityEnforcerImpl

java.lang.Object

com.evolveum.midpoint.security.impl.SecurityEnforcerImpl

All Implemented Interfaces:

SecurityEnforcer, org.springframework.security.access.AccessDecisionManager

@Component(value="securityEnforcer")
public class SecurityEnforcerImpl
extends Object
implements SecurityEnforcer

Author:

Radovan Semancik

Constructor Summary

Constructors

Constructor and Description
SecurityEnforcerImpl()

Method Summary

Methods

Modifier and Type	Method and Description
<O extends com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType,T extends com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType> void	authorize(String operationUrl, com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType phase, PrismObject<O> object, ObjectDelta<O> delta, PrismObject<T> target, OwnerResolver ownerResolver, OperationResult result) Evaluates authorization: simply returns if the currently logged it user is authorized for a specified action.
<O extends com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType> ObjectSecurityConstraints	compileSecurityConstraints(PrismObject<O> object, OwnerResolver ownerResolver)
void	decide(org.springframework.security.core.Authentication authentication, Object object, Collection<org.springframework.security.access.ConfigAttribute> configAttributes) Spring security method.
MidPointPrincipal	getPrincipal() Returns principal representing the currently logged-in user.
UserProfileService	getUserProfileService()
boolean	isAuthenticated()
<O extends com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType,T extends com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType> boolean	isAuthorized(String operationUrl, com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType phase, PrismObject<O> object, ObjectDelta<O> delta, PrismObject<T> target, OwnerResolver ownerResolver) Returns true if the currently logged-in user is authorized for specified action, returns false otherwise.
<T extends com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType,O extends com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType> ObjectFilter	preProcessObjectFilter(String operationUrl, com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType phase, Class<T> objectType, PrismObject<O> object, ObjectFilter origFilter) TODO If it returns NoneFilter then no search should be done.
<T> T	runAs(Producer<T> producer, PrismObject<com.evolveum.midpoint.xml.ns._public.common.common_3.UserType> user)
<T> T	runPrivileged(Producer<T> producer)
void	setupPreAuthenticatedSecurityContext(org.springframework.security.core.Authentication authentication)
void	setupPreAuthenticatedSecurityContext(PrismObject<com.evolveum.midpoint.xml.ns._public.common.common_3.UserType> user)
void	setUserProfileService(UserProfileService userProfileService)
boolean	supports(Class<?> clazz)
boolean	supports(org.springframework.security.access.ConfigAttribute attribute)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SecurityEnforcerImpl

public SecurityEnforcerImpl()

Method Detail

getUserProfileService

public UserProfileService getUserProfileService()

Specified by:

getUserProfileService in interface SecurityEnforcer

setUserProfileService

public void setUserProfileService(UserProfileService userProfileService)

Specified by:

setUserProfileService in interface SecurityEnforcer

getPrincipal

public MidPointPrincipal getPrincipal()
                               throws SecurityViolationException

Description copied from interface: SecurityEnforcer

Returns principal representing the currently logged-in user. Assumes that the user is logged-in. Otherwise an exception is thrown.

Specified by:

getPrincipal in interface SecurityEnforcer

Throws:

SecurityViolationException

isAuthenticated

public boolean isAuthenticated()

Specified by:

isAuthenticated in interface SecurityEnforcer

setupPreAuthenticatedSecurityContext

public void setupPreAuthenticatedSecurityContext(org.springframework.security.core.Authentication authentication)

Specified by:

setupPreAuthenticatedSecurityContext in interface SecurityEnforcer

setupPreAuthenticatedSecurityContext

public void setupPreAuthenticatedSecurityContext(PrismObject<com.evolveum.midpoint.xml.ns._public.common.common_3.UserType> user)

Specified by:

setupPreAuthenticatedSecurityContext in interface SecurityEnforcer

isAuthorized

public <O extends com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType,T extends com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType> boolean isAuthorized(String operationUrl,
                                                                                                                                                                         com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType phase,
                                                                                                                                                                         PrismObject<O> object,
                                                                                                                                                                         ObjectDelta<O> delta,
                                                                                                                                                                         PrismObject<T> target,
                                                                                                                                                                         OwnerResolver ownerResolver)
                     throws SchemaException

Description copied from interface: SecurityEnforcer

Returns true if the currently logged-in user is authorized for specified action, returns false otherwise. Does not throw SecurityViolationException.

Specified by:

isAuthorized in interface SecurityEnforcer

phase - check authorization for a specific phase. If null then all phases are checked.

Throws:

SchemaException

authorize

public <O extends com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType,T extends com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType> void authorize(String operationUrl,
                                                                                                                                                                   com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType phase,
                                                                                                                                                                   PrismObject<O> object,
                                                                                                                                                                   ObjectDelta<O> delta,
                                                                                                                                                                   PrismObject<T> target,
                                                                                                                                                                   OwnerResolver ownerResolver,
                                                                                                                                                                   OperationResult result)
               throws SecurityViolationException,
                      SchemaException

Description copied from interface: SecurityEnforcer

Evaluates authorization: simply returns if the currently logged it user is authorized for a specified action. If it is not authorized then a SecurityViolationException is thrown and the error is recorded in the result.

Specified by:

authorize in interface SecurityEnforcer

phase - check authorization for a specific phase. If null then all phases are checked.

Throws:

SecurityViolationException

SchemaException

decide

public void decide(org.springframework.security.core.Authentication authentication,
          Object object,
          Collection<org.springframework.security.access.ConfigAttribute> configAttributes)
            throws org.springframework.security.access.AccessDeniedException,
                   org.springframework.security.authentication.InsufficientAuthenticationException

Spring security method. It is practically applicable only for simple cases.

Specified by:

decide in interface org.springframework.security.access.AccessDecisionManager

Throws:

org.springframework.security.access.AccessDeniedException

org.springframework.security.authentication.InsufficientAuthenticationException

supports

public boolean supports(org.springframework.security.access.ConfigAttribute attribute)

Specified by:

supports in interface org.springframework.security.access.AccessDecisionManager

supports

public boolean supports(Class<?> clazz)

Specified by:

supports in interface org.springframework.security.access.AccessDecisionManager

compileSecurityConstraints

public <O extends com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType> ObjectSecurityConstraints compileSecurityConstraints(PrismObject<O> object,
                                                                                                                               OwnerResolver ownerResolver)
                                                     throws SchemaException

Specified by:

compileSecurityConstraints in interface SecurityEnforcer

Throws:

SchemaException

preProcessObjectFilter

public <T extends com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType,O extends com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType> ObjectFilter preProcessObjectFilter(String operationUrl,
                                                                                                                                                                                        com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType phase,
                                                                                                                                                                                        Class<T> objectType,
                                                                                                                                                                                        PrismObject<O> object,
                                                                                                                                                                                        ObjectFilter origFilter)
                                    throws SchemaException

Description copied from interface: SecurityEnforcer

TODO If it returns NoneFilter then no search should be done. The principal is not authorized for this operation at all. It may return null in case that the original filter was also null. If object is null then the method will return a filter that is applicable to look for object. If object is present then the method will return a filter that is applicable to look for a target. The objectType parameter defines the class of the object for which should be the returned filter applicable.

Specified by:

preProcessObjectFilter in interface SecurityEnforcer

Throws:

SchemaException

runAs

public <T> T runAs(Producer<T> producer,
          PrismObject<com.evolveum.midpoint.xml.ns._public.common.common_3.UserType> user)

Specified by:

runAs in interface SecurityEnforcer

runPrivileged

public <T> T runPrivileged(Producer<T> producer)

Specified by:

runPrivileged in interface SecurityEnforcer