diff --git a/src/main/java/info/bukova/isspst/security/Evaluator.java b/src/main/java/info/bukova/isspst/security/Evaluator.java
new file mode 100644
index 00000000..f403cc8b
--- /dev/null
+++ b/src/main/java/info/bukova/isspst/security/Evaluator.java
@@ -0,0 +1,10 @@
+package info.bukova.isspst.security;
+
+import org.springframework.security.core.Authentication;
+
+public interface Evaluator {
+
+ public boolean evaluate(Authentication authentication,
+ Object targetDomainObject, String permission);
+
+}
diff --git a/src/main/java/info/bukova/isspst/security/EvaluatorsHolder.java b/src/main/java/info/bukova/isspst/security/EvaluatorsHolder.java
new file mode 100644
index 00000000..d5800b8c
--- /dev/null
+++ b/src/main/java/info/bukova/isspst/security/EvaluatorsHolder.java
@@ -0,0 +1,41 @@
+package info.bukova.isspst.security;
+
+import java.util.Map;
+
+public class EvaluatorsHolder {
+
+ private Map, Evaluator> globalEvaluators;
+ private Map, Evaluator> specialEvaluators;
+
+ public void setGlobalEvaluators(Map, Evaluator> globalEvaluators) {
+ this.globalEvaluators = globalEvaluators;
+ }
+
+ public void setSpecialEvaluators(Map, Evaluator> specialEvaluators) {
+ this.specialEvaluators = specialEvaluators;
+ }
+
+ public Evaluator getForObject(Object object, boolean special) {
+ Map, Evaluator> evals;
+
+ if (special) {
+ evals = specialEvaluators;
+ } else {
+ evals = globalEvaluators;
+ }
+
+ for (Class key : evals.keySet()) {
+ if (key.equals(object.getClass())) {
+ return evals.get(key);
+ }
+ }
+
+ for (Class key : evals.keySet()) {
+ if (key.isAssignableFrom(object.getClass())) {
+ return evals.get(key);
+ }
+ }
+
+ return null;
+ }
+}
diff --git a/src/main/java/info/bukova/isspst/security/IsPermissionEvaluator.java b/src/main/java/info/bukova/isspst/security/IsPermissionEvaluator.java
new file mode 100644
index 00000000..3454bf27
--- /dev/null
+++ b/src/main/java/info/bukova/isspst/security/IsPermissionEvaluator.java
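Review bot: The new Evaluator interface carries no Javadoc, so an implementer cannot tell whether an unknown permission or a null targetDomainObject is a caller error or must simply be denied; a contract comment on `evaluate` would settle it, e.g. `/** Returns true only when {@code authentication} holds {@code permission} on {@code targetDomainObject}; returns false whenever the decision cannot be made. */`. The `public` modifier on the method is redundant inside an interface and is usually dropped.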
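Review bot: getForObject dereferences `object.getClass()` and `evals.keySet()` without a null check, so a permission expression whose target evaluates to null, or a holder whose map for the chosen kind was never injected, fails with a NullPointerException instead of the "no evaluator" result the caller already handles; `if (object == null || evals == null) { return null; }` after the map selection lets IsPermissionEvaluator fall through to its deny path. The exact-match loop is equivalent to `Evaluator exact = evals.get(object.getClass()); if (exact != null) { return exact; }`. The second loop's answer depends on map iteration order whenever two keys are both assignable from the target's class; with a HashMap that is not deterministic, so either the injected maps should be ordered (LinkedHashMap) or the ambiguity should be documented on the setters.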
@@ -0,0 +1,44 @@
+package info.bukova.isspst.security;
+
+import info.bukova.isspst.Constants;
+import info.bukova.isspst.data.Permission;
+import info.bukova.isspst.data.PermissionType;
+
+import java.io.Serializable;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.PermissionEvaluator;
+import org.springframework.security.core.Authentication;
+
+public class IsPermissionEvaluator implements PermissionEvaluator {
+
+ @Autowired
+ private EvaluatorsHolder evalHolder;
+
+ @Override
+ public boolean hasPermission(Authentication authentication,
+ Object targetDomainObject, Object permission) {
+
+ Permission appPermission = null;
+ for (Permission p : Constants.SPECIAL_PERMISSIONS) {
+ if (p.getAuthority().equals(permission)) {
+ appPermission = p;
+ }
+ }
+
+ Evaluator eval = evalHolder.getForObject(targetDomainObject, appPermission != null && appPermission.getType() != PermissionType.GLOBAL);
+
+ if (eval != null) {
+ return eval.evaluate(authentication, targetDomainObject, (String)permission);
+ }
+
+ return false;
+ }
+
+ @Override
+ public boolean hasPermission(Authentication authentication,
+ Serializable targetId, String targetType, Object permission) {
+ return false;
+ }
+
+}
diff --git a/src/main/java/info/bukova/isspst/security/IsspstPermissionEvaluator.java b/src/main/java/info/bukova/isspst/security/IsspstPermissionEvaluator.java
index 6b118cbd..5f37461a 100644
--- a/src/main/java/info/bukova/isspst/security/IsspstPermissionEvaluator.java
+++ b/src/main/java/info/bukova/isspst/security/IsspstPermissionEvaluator.java
@@ -17,9 +17,8 @@ import java.util.List; import org.springframework.security.access.PermissionEvaluator; import org.springframework.security.core.Authentication; -import org.springframework.transaction.annotation.Transactional; -@Transactional +@Deprecated public class IsspstPermissionEvaluator implements PermissionEvaluator { private WorkgroupService wgService;
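Review bot: The `(String)permission` cast at the `eval.evaluate` call throws ClassCastException when the permission argument is not a String, although `PermissionEvaluator.hasPermission` accepts any Object; an early `if (!(permission instanceof String)) { return false; }` keeps this entry point failing closed. The SPECIAL_PERMISSIONS lookup loop here is repeated verbatim in RequirementFilterEvaluator and WorkgroupAwareServiceEvaluator; a small shared static helper would keep the three in step, and a `break` once a match is found would make "first match wins" explicit rather than silently taking the last one. The id-based hasPermission overload always returns false, which is a reasonable default but reads like a stub; a comment such as `// Id/type based checks are not supported: deny.` would mark it as deliberate.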
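Review bot: `@Deprecated` on IsspstPermissionEvaluator is not paired with a Javadoc `@deprecated` tag naming the replacement, so a reader cannot tell it is superseded by IsPermissionEvaluator; `/** @deprecated replaced by {@link IsPermissionEvaluator} dispatching through {@link EvaluatorsHolder}. */` above the annotation would say so. Dropping `@Transactional` in the same change alters how the class's service calls run if it is still wired anywhere; presumably it no longer is, but that is not visible in this hunk, and the class body continues outside it.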
diff --git a/src/main/java/info/bukova/isspst/security/RequirementFilterEvaluator.java b/src/main/java/info/bukova/isspst/security/RequirementFilterEvaluator.java
new file mode 100644
index 00000000..db70c8da
--- /dev/null
+++ b/src/main/java/info/bukova/isspst/security/RequirementFilterEvaluator.java
@@ -0,0 +1,68 @@
+package info.bukova.isspst.security;
+
+import info.bukova.isspst.Constants;
+import info.bukova.isspst.data.Permission;
+import info.bukova.isspst.data.PermissionType;
+import info.bukova.isspst.data.RequirementBase;
+import info.bukova.isspst.data.Role;
+import info.bukova.isspst.data.User;
+import info.bukova.isspst.data.Workgroup;
+import info.bukova.isspst.services.workgroups.WorkgroupService;
+
+import java.util.List;
+
+import org.springframework.security.core.Authentication;
+
+public class RequirementFilterEvaluator implements Evaluator {
+
+ private WorkgroupService wgService;
+
+ public RequirementFilterEvaluator(WorkgroupService wgService) {
+ this.wgService = wgService;
+ }
+
+ @Override
+ public boolean evaluate(Authentication authentication,
+ Object targetDomainObject, String permission) {
+
+ RequirementBase req = (RequirementBase) targetDomainObject;
+ Workgroup reqWg;
+
+ if (!(authentication.getPrincipal() instanceof User)) {
+ return false;
+ }
+
+ User user = (User)authentication.getPrincipal();
+
+ Permission appPermission = null;
+ for (Permission p : Constants.SPECIAL_PERMISSIONS) {
+ if (p.getAuthority().equals(permission)) {
+ appPermission = p;
+ }
+ }
+
+ if (appPermission == null) {
+ return false;
+ }
+
+ if (appPermission.getType() == PermissionType.CENTRE) {
+ reqWg = req.getCentre();
+ } else {
+ reqWg = req.getWorkgroup();
+ }
+
+ if (wgService.isMember(reqWg, user)) {
+ List roles = wgService.getUserWorkgroupRoles(reqWg, user);
+ for (Role r : roles) {
+ for (Permission p : r.getPermissions()) {
+ if (p.getAuthority().equals(appPermission.getAuthority())) {
+ return true;
+ }
+ }
+ }
+ }
+
+ return false;
+ }
+
+}
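Review bot: `RequirementBase req = (RequirementBase) targetDomainObject;` runs before any check, so a target that is not a RequirementBase, or is null, fails with an exception instead of a denial; `if (!(targetDomainObject instanceof RequirementBase)) { return false; }` ahead of the cast keeps this evaluator fail-closed even if the holder's assignability dispatch ever routes something unexpected here. `reqWg` can be null when the requirement has no centre or workgroup set and is passed straight to `wgService.isMember`; whether that service tolerates null is not visible in this hunk, so `if (reqWg == null) { return false; }` is a cheap guard. `roles` from `getUserWorkgroupRoles` is iterated unguarded here, while WorkgroupAwareServiceEvaluator checks the same call's result for null, so one of the two is wrong about that service's contract. Unlike ServiceEvaluator, this evaluator has no ROLE_ADMIN shortcut; if that asymmetry is intended, a one-line comment would stop the next reader from "fixing" it.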
diff --git a/src/main/java/info/bukova/isspst/security/ServiceEvaluator.java b/src/main/java/info/bukova/isspst/security/ServiceEvaluator.java
new file mode 100644
index 00000000..26545acf
--- /dev/null
+++ b/src/main/java/info/bukova/isspst/security/ServiceEvaluator.java
@@ -0,0 +1,46 @@
+package info.bukova.isspst.security;
+
+import info.bukova.isspst.Constants;
+import info.bukova.isspst.Module;
+import info.bukova.isspst.data.Role;
+
+import java.util.List;
+
+import org.springframework.security.core.Authentication;
+
+public class ServiceEvaluator implements Evaluator {
+
+ @SuppressWarnings("unchecked")
+ @Override
+ public boolean evaluate(Authentication authentication,
+ Object targetDomainObject, String permission) {
+
+ List roles = (List) authentication.getAuthorities();
+ String moduleId = "";
+ String perm = permission;
+
+ for (Module m : Constants.MODULES) {
+ if (m.getServiceClass() != null && m.getServiceClass().isAssignableFrom(targetDomainObject.getClass())) {
+ moduleId = m.getId();
+ break;
+ }
+ }
+
+ perm += "_" + moduleId;
+
+ for (int i = 0; i < roles.size(); i++) {
+ if (!(roles.get(i) instanceof Role)) {
+ return false;
+ }
+ if (roles.get(i).getAuthority().equals(perm)) {
+ return true;
+ }
+ if (roles.get(i).getAuthority().equals(Constants.ROLE_ADMIN)) {
+ return true;
+ }
+ }
+
+ return false;
+ }
+
+}
diff --git a/src/main/java/info/bukova/isspst/security/WorkgroupAwareServiceEvaluator.java b/src/main/java/info/bukova/isspst/security/WorkgroupAwareServiceEvaluator.java
new file mode 100644
index 00000000..dacfee26
--- /dev/null
+++ b/src/main/java/info/bukova/isspst/security/WorkgroupAwareServiceEvaluator.java
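Review bot: `List roles = (List) authentication.getAuthorities();` casts a `Collection<? extends GrantedAuthority>` to List, which only holds for the token implementations that happen to store a List and is the reason the `@SuppressWarnings("unchecked")` is needed (the generic arguments appear to have been lost in rendering); iterating the collection directly removes both the cast and the suppression. Inside the loop the first authority that is not a Role makes the whole check return false, so a principal with a mixed authority list is denied even when a later Role would match — acceptable as fail-closed, but it deserves a comment. When no module's service class matches the target, `perm` becomes `permission + "_"` and the ROLE_ADMIN shortcut still grants; returning false for an unmatched target is the safer reading but would be a behaviour change, so it is only flagged here. The rewrite below needs an import of org.springframework.security.core.GrantedAuthority.
```java
        // … unchanged: module lookup and perm += "_" + moduleId …
        for (GrantedAuthority authority : authentication.getAuthorities()) {
            // Authorities that are not application Roles are not evaluated: fail closed.
            if (!(authority instanceof Role)) {
                return false;
            }
            String granted = authority.getAuthority();
            if (granted.equals(perm) || granted.equals(Constants.ROLE_ADMIN)) {
                return true;
            }
        }
        return false;
```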
@@ -0,0 +1,71 @@
+package info.bukova.isspst.security;
+
+import info.bukova.isspst.Constants;
+import info.bukova.isspst.data.Permission;
+import info.bukova.isspst.data.PermissionType;
+import info.bukova.isspst.data.Role;
+import info.bukova.isspst.data.User;
+import info.bukova.isspst.data.Workgroup;
+import info.bukova.isspst.services.workgroups.WorkgroupService;
+
+import java.util.List;
+
+import org.springframework.security.core.Authentication;
+
+public class WorkgroupAwareServiceEvaluator implements Evaluator {
+
+ private WorkgroupService wgService;
+
+ public WorkgroupAwareServiceEvaluator(WorkgroupService wgService) {
+ this.wgService = wgService;
+ }
+
+ @Override
+ public boolean evaluate(Authentication authentication,
+ Object targetDomainObject, String permission) {
+
+ List userWorkgroups;
+
+ if (!(authentication.getPrincipal() instanceof User)) {
+ return false;
+ }
+
+ User user = (User)authentication.getPrincipal();
+
+ Permission appPermission = null;
+ for (Permission p : Constants.SPECIAL_PERMISSIONS) {
+ if (p.getAuthority().equals(permission)) {
+ appPermission = p;
+ }
+ }
+
+ if (appPermission == null) {
+ return false;
+ }
+
+ if (appPermission.getType() == PermissionType.CENTRE) {
+ userWorkgroups = wgService.getUserCentres(user);
+ } else {
+ userWorkgroups = wgService.getUserWorkgroups(user);
+ }
+
+ for (Workgroup wg : userWorkgroups) {
+ List wgRoles = wgService.getUserWorkgroupRoles(wg, user);
+
+ if (wgRoles == null) {
+ continue;
+ }
+
+ for (Role r : wgRoles) {
+ for (Permission p : r.getPermissions()) {
+ if (p.getAuthority().equals(appPermission.getAuthority())) {
+ return true;
+ }
+ }
+ }
+ }
+
+ return false;
+ }
+
+}
diff --git a/src/main/webapp/WEB-INF/spring/root-context.xml b/src/main/webapp/WEB-INF/spring/root-context.xml
index 181e3060..66350175 100644
--- a/src/main/webapp/WEB-INF/spring/root-context.xml
+++ b/src/main/webapp/WEB-INF/spring/root-context.xml
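Review bot: `userWorkgroups` is iterated without a null check while `wgRoles`, obtained from the same service a few lines later, is guarded with `if (wgRoles == null) { continue; }`; if getUserCentres/getUserWorkgroups can return null the way getUserWorkgroupRoles evidently can, the for-each throws instead of denying, so `if (userWorkgroups == null) { return false; }` before the loop keeps the two consistent. The method body is otherwise the same principal check, permission lookup and role walk as RequirementFilterEvaluator, differing only in how the workgroup list is obtained; a shared helper taking that list would keep the two decisions from drifting apart.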
@@ -75,8 +75,32 @@ - - + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -85,7 +109,7 @@ -