Help on Acegi's ACL: I can't understand the sample well.
  • #1

    How does it return only the owner's records?

    Code:
    dianne's Contacts
    id Name Email 
    4  Karen Sutherland  [email protected]  Del Admin Permission 
    5  Mitchell Howard  [email protected]  
    6  Rose Costas  [email protected]  Del 
    8  Cindy Smith  [email protected]  
    
    
    Add 
    
    Logoff (also clears any remember-me cookie)
    I tried to trace it through the code, but I couldn't find how it does this.


    from login:
    Code:
        <bean id="urlMapping" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
            <property name="mappings">
                <props>
                    <prop key="/hello.htm">publicIndexController</prop>
                    <prop key="/secure/add.htm">secureAddForm</prop>
                    <prop key="/secure/index.htm">secureIndexController</prop>
                    <prop key="/secure/del.htm">secureDeleteController</prop>
                    <prop key="/secure/adminPermission.htm">adminPermissionController</prop>
                    <prop key="/secure/deletePermission.htm">deletePermissionController</prop>
                    <prop key="/secure/addPermission.htm">addPermissionForm</prop>
                </props>
            </property>
        </bean>
    Code:
        <bean id="secureIndexController" class="sample.contact.SecureIndexController">
        	<property name="contactManager"><ref bean="contactManager"/></property>
     	</bean>
    Code:
        public ModelAndView handleRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
            // contactManager is the proxy, so this call goes through contactManagerSecurity first
            List myContactsList = contactManager.getAll();
            Contact myContacts[];
            if (myContactsList.size() == 0)
                myContacts = null;
            else
                myContacts = (Contact[]) myContactsList.toArray(new Contact[0]);
            Map model = new HashMap();
            model.put("contacts", myContacts);
            return new ModelAndView("index", "model", model);
        }
    Code:
       <bean id="contactManager" class="org.springframework.aop.framework.ProxyFactoryBean">
          <property name="proxyInterfaces"><value>sample.contact.ContactManager</value></property>
          <property name="interceptorNames">
             <list>
                <idref local="transactionInterceptor"/>
    
                <idref bean="contactManagerSecurity"/>
    
    <!--
    I know that the bean "contactManagerSecurity" does it,
    because after I remove it, it shows all 9 records.
    -->
    
                <idref local="contactManagerTarget"/>
             </list>
          </property>
       </bean>


    Code:
      <bean id="contactManagerSecurity" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
          <property name="authenticationManager"><ref bean="authenticationManager"/></property>
          <property name="accessDecisionManager"><ref local="businessAccessDecisionManager"/></property>
          <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
          <property name="objectDefinitionSource">
             <value>
    				sample.contact.ContactManager.create=ROLE_USER
    				sample.contact.ContactManager.getAllRecipients=ROLE_USER
    				sample.contact.ContactManager.getAll=ROLE_USER,AFTER_ACL_COLLECTION_READ
    				sample.contact.ContactManager.getById=ROLE_USER,AFTER_ACL_READ
    				sample.contact.ContactManager.delete=ACL_CONTACT_DELETE
    				sample.contact.ContactManager.deletePermission=ACL_CONTACT_ADMIN
    				sample.contact.ContactManager.addPermission=ACL_CONTACT_ADMIN
             </value>
          </property>
       </bean>
    I'm puzzled here. I don't understand how it filters the records.
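The objectDefinitionSource above is the first thing to read. Its attributes are not all handled at the same point: a `ROLE_` attribute is voted on before `getAll` runs, an `ACL_` attribute is voted on against the domain object passed as an argument, and an `AFTER_ACL_` attribute is handed to the afterInvocationManager once the list has come back. The following Python model is an added example, not code from Acegi or from the contacts sample; it parses that exact text and shows which attribute is consumed at which stage. The prefix-to-component routing table and every function name here are the example's own assumptions.

```python
# Model of how MethodSecurityInterceptor's objectDefinitionSource attributes are
# routed: ROLE_* before the call (RoleVoter), ACL_* before the call against the
# domain-object argument (BasicAclEntryVoter), AFTER_ACL_* after the call
# (after-invocation providers). Added example; the routing table is an assumption.

# Copied verbatim from the contactManagerSecurity bean on this page.
OBJECT_DEFINITION_SOURCE = """
sample.contact.ContactManager.create=ROLE_USER
sample.contact.ContactManager.getAllRecipients=ROLE_USER
sample.contact.ContactManager.getAll=ROLE_USER,AFTER_ACL_COLLECTION_READ
sample.contact.ContactManager.getById=ROLE_USER,AFTER_ACL_READ
sample.contact.ContactManager.delete=ACL_CONTACT_DELETE
sample.contact.ContactManager.deletePermission=ACL_CONTACT_ADMIN
sample.contact.ContactManager.addPermission=ACL_CONTACT_ADMIN
"""

# Attribute prefix -> (stage, component). Assumed; matches the sample's wiring.
ROUTING = {
    "AFTER_ACL_": ("after", "AfterInvocationProvider"),
    "ROLE_": ("before", "RoleVoter"),
    "ACL_": ("before", "BasicAclEntryVoter"),
}


def parse_definition_source(text):
    """'fqcn.method=ATTR,ATTR' lines -> {method: [attrs]}; blank and # lines skipped."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"expected 'method=ATTR,...', got {line!r}")
        method, attrs = line.split("=", 1)
        table[method.strip()] = [a.strip() for a in attrs.split(",") if a.strip()]
    return table


def route(attr):
    """Longest matching prefix wins, so AFTER_ACL_* is never mistaken for ACL_*."""
    for prefix in sorted(ROUTING, key=len, reverse=True):
        if attr.startswith(prefix):
            return ROUTING[prefix]
    raise ValueError(f"no voter or provider supports {attr!r}")


def role_vote(granted_authorities, attrs):
    """RoleVoter: ABSTAIN if no ROLE_ attribute, GRANTED if any matches, else DENIED."""
    roles = [a for a in attrs if a.startswith("ROLE_")]
    if not roles:
        return "ABSTAIN"
    return "GRANTED" if any(r in granted_authorities for r in roles) else "DENIED"


def plan(method, granted_authorities, table=None):
    """Describe what securing `method` involves for a principal holding `granted_authorities`.
    'object_acl' lists attributes a voter must check against the domain-object argument;
    'after' lists attributes applied to the return value (this is where filtering happens)."""
    table = table if table is not None else parse_definition_source(OBJECT_DEFINITION_SOURCE)
    if method not in table:
        raise KeyError(f"{method} is not secured by this objectDefinitionSource")
    attrs = table[method]
    object_acl = [a for a in attrs if route(a) == ("before", "BasicAclEntryVoter")]
    after = [a for a in attrs if route(a)[0] == "after"]
    return {
        "role_vote": role_vote(granted_authorities, attrs),
        "object_acl": object_acl,
        "after": after,
    }


if __name__ == "__main__":
    for m in ("getAll", "getById", "delete"):
        print(m, plan("sample.contact.ContactManager." + m, {"ROLE_USER"}))
```

For `getAll`, `ROLE_USER` only lets the call proceed; the row-by-row filtering is the `after` attribute, which is applied to the returned List by the afterInvocationManager. That is why removing `contactManagerSecurity` from the interceptor chain makes all nine rows appear: nothing else in the chain ever looks at the result.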

  • #2
    I decompiled class DataSourcePopulator.

    Code:
    CREATE TABLE CONTACTS(ID INTEGER NOT NULL PRIMARY KEY, CONTACT_NAME VARCHAR_IGNORECASE(50) NOT NULL, EMAIL VARCHAR_IGNORECASE(50) NOT NULL);
    INSERT INTO contacts VALUES (1, 'John Smith', '[email protected]');
    INSERT INTO contacts VALUES (2, 'Michael Citizen', '[email protected]');
    INSERT INTO contacts VALUES (3, 'Joe Bloggs', '[email protected]');
    INSERT INTO contacts VALUES (4, 'Karen Sutherland', '[email protected]');
    INSERT INTO contacts VALUES (5, 'Mitchell Howard', '[email protected]');
    INSERT INTO contacts VALUES (6, 'Rose Costas', '[email protected]');
    INSERT INTO contacts VALUES (7, 'Amanda Smith', '[email protected]');
    INSERT INTO contacts VALUES (8, 'Cindy Smith', '[email protected]');
    INSERT INTO contacts VALUES (9, 'Jonathan Citizen', '[email protected]');
    CREATE TABLE ACL_OBJECT_IDENTITY(ID INTEGER GENERATED BY DEFAULT AS IDENTITY(START WITH 100) NOT NULL PRIMARY KEY,
    OBJECT_IDENTITY VARCHAR_IGNORECASE(250) NOT NULL, PARENT_OBJECT INTEGER, ACL_CLASS VARCHAR_IGNORECASE(250) NOT NULL,
    CONSTRAINT UNIQUE_OBJECT_IDENTITY UNIQUE(OBJECT_IDENTITY), CONSTRAINT SYS_FK_3 FOREIGN KEY(PARENT_OBJECT) REFERENCES ACL_OBJECT_IDENTITY(ID));
    INSERT INTO acl_object_identity VALUES (1, 'sample.contact.Contact:1', null, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
    INSERT INTO acl_object_identity VALUES (2, 'sample.contact.Contact:2', null, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
    INSERT INTO acl_object_identity VALUES (3, 'sample.contact.Contact:3', null, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
    INSERT INTO acl_object_identity VALUES (4, 'sample.contact.Contact:4', null, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
    INSERT INTO acl_object_identity VALUES (5, 'sample.contact.Contact:5', null, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
    INSERT INTO acl_object_identity VALUES (6, 'sample.contact.Contact:6', null, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
    INSERT INTO acl_object_identity VALUES (7, 'sample.contact.Contact:7', null, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
    INSERT INTO acl_object_identity VALUES (8, 'sample.contact.Contact:8', null, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
    INSERT INTO acl_object_identity VALUES (9, 'sample.contact.Contact:9', null, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
    
    CREATE TABLE ACL_PERMISSION(ID INTEGER GENERATED BY DEFAULT AS IDENTITY(START WITH 100) NOT NULL PRIMARY KEY,
    ACL_OBJECT_IDENTITY INTEGER NOT NULL,
    RECIPIENT VARCHAR_IGNORECASE(100) NOT NULL,
    MASK INTEGER NOT NULL,
    CONSTRAINT UNIQUE_RECIPIENT UNIQUE(ACL_OBJECT_IDENTITY, RECIPIENT),
    CONSTRAINT SYS_FK_7 FOREIGN KEY(ACL_OBJECT_IDENTITY)
    REFERENCES ACL_OBJECT_IDENTITY(ID));
    
    INSERT INTO acl_permission VALUES (null, 1, 'marissa', 1);
    INSERT INTO acl_permission VALUES (null, 2, 'marissa', 2);
    INSERT INTO acl_permission VALUES (null, 3, 'marissa', 22);
    INSERT INTO acl_permission VALUES (null, 4, 'marissa', 1);
    
    INSERT INTO acl_permission VALUES (null, 4, 'scott', 2);
    INSERT INTO acl_permission VALUES (null, 6, 'scott', 2);
    INSERT INTO acl_permission VALUES (null, 7, 'scott', 1);
    INSERT INTO acl_permission VALUES (null, 8, 'scott', 2);
    INSERT INTO acl_permission VALUES (null, 9, 'scott', 22);
    
    INSERT INTO acl_permission VALUES (null, 4, 'dianne', 1);
    INSERT INTO acl_permission VALUES (null, 5, 'dianne', 2);
    INSERT INTO acl_permission VALUES (null, 6, 'dianne', 22);
    INSERT INTO acl_permission VALUES (null, 8, 'dianne', 2);
    
    CREATE TABLE USERS(USERNAME VARCHAR_IGNORECASE(50) NOT NULL PRIMARY KEY, PASSWORD VARCHAR_IGNORECASE(50) NOT NULL, ENABLED BOOLEAN NOT NULL);
    CREATE TABLE AUTHORITIES(USERNAME VARCHAR_IGNORECASE(50) NOT NULL, AUTHORITY VARCHAR_IGNORECASE(50) NOT NULL, CONSTRAINT FK_AUTHORITIES_USERS FOREIGN KEY(USERNAME) REFERENCES USERS(USERNAME));
    CREATE UNIQUE INDEX IX_AUTH_USERNAME ON AUTHORITIES(USERNAME, AUTHORITY);
    INSERT INTO USERS VALUES('marissa', 'a564de63c2d0da68cf47586ee05984d7', TRUE);
    INSERT INTO USERS VALUES('dianne', '65d15fe9156f9c4bbffd98085992a44e', TRUE);
    INSERT INTO USERS VALUES('scott', '2b58af6dddbd072ed27ffc86725d7d3a', TRUE);
    INSERT INTO USERS VALUES('peter', '22b5c9accc6e1ba628cedc63a72d57f8', FALSE);
    INSERT INTO AUTHORITIES VALUES('marissa', 'ROLE_USER');
    INSERT INTO AUTHORITIES VALUES('marissa', 'ROLE_SUPERVISOR');
    INSERT INTO AUTHORITIES VALUES('dianne', 'ROLE_USER');
    INSERT INTO AUTHORITIES VALUES('scott', 'ROLE_USER');
    INSERT INTO AUTHORITIES VALUES('peter', 'ROLE_USER');

    I'm sure that the records are bound to "dianne" here.

    Code:
    INSERT INTO acl_permission VALUES (null, 4, 'dianne', 1);
    INSERT INTO acl_permission VALUES (null, 5, 'dianne', 2);
    INSERT INTO acl_permission VALUES (null, 6, 'dianne', 22);
    INSERT INTO acl_permission VALUES (null, 8, 'dianne', 2);


    and the record is tied to a real Contact:

    Code:
    INSERT INTO acl_object_identity VALUES (1, 'sample.contact.Contact:1', null, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
    But I didn't find where and how it processes
    'sample.contact.Contact:1'.

    Code:
    INSERT INTO acl_object_identity VALUES (1, 'sample.contact.Contact:1', null, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
    INSERT INTO acl_object_identity VALUES (2, 'sample.contact.Contact:2', null, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
    INSERT INTO acl_object_identity VALUES (3, 'sample.contact.Contact:3', null, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
    INSERT INTO acl_object_identity VALUES (4, 'sample.contact.Contact:4', null, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
    INSERT INTO acl_object_identity VALUES (5, 'sample.contact.Contact:5', null, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
    INSERT INTO acl_object_identity VALUES (6, 'sample.contact.Contact:6', null, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
    INSERT INTO acl_object_identity VALUES (7, 'sample.contact.Contact:7', null, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
    INSERT INTO acl_object_identity VALUES (8, 'sample.contact.Contact:8', null, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
    INSERT INTO acl_object_identity VALUES (9, 'sample.contact.Contact:9', null, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');



  • #3
    The MethodSecurityInterceptor is weaved in using AOP and it in turn loads an AfterInvocationManager containing the Collection of all Contacts. The BasicAclEntryAfterInvocationCollectionProvider is then used to filter the unauthorised Contacts from the Collection. It does this by referring to the AclManager, which in turn delegates to the BasicAclProvider. The BasicAclProvider uses JdbcDaoImpl to convert the String representation of "sample.contact.Contact:1" into a NamedEntityObjectIdentity that represents the Contact class with an id of 1. The BasicAclProvider is thus able to identify the Object obtained from the Collection that it was passed via the AclManager and the corresponding ACL records. I know this seems confusing when written this way - the reference guide does a better job of explaining all the key actors.

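To make the chain in the reply concrete, here is an added Python model (not Acegi's code, and not from the contacts sample) that loads the decompiled DataSourcePopulator rows into an in-memory sqlite database, resolves 'sample.contact.Contact:1' to its class and id the way a NamedEntityObjectIdentity string is built, and applies the AFTER_ACL_COLLECTION_READ filter to the result of getAll(). It assumes the SimpleAclEntry mask values ADMINISTRATION=1, READ=2, WRITE=4, CREATE=8, DELETE=16 (so 22 = READ|WRITE|DELETE), and the required-permission sets the sample's provider and voters are configured with (read: ADMINISTRATION or READ; delete: ADMINISTRATION or DELETE; admin: ADMINISTRATION). VARCHAR_IGNORECASE is replaced by sqlite's COLLATE NOCASE, emails are dropped, and every function name is the example's own.

```python
"""Model of Acegi's after-invocation ACL filtering over the data decompiled in this
thread. Added example, not Acegi code. Mask bits and required-permission sets are
assumptions stated in the lead-in; the sample schema is reduced to sqlite."""
import sqlite3

# SimpleAclEntry mask bits (assumed values).
NOTHING, ADMINISTRATION, READ, WRITE, CREATE, DELETE = 0, 1, 2, 4, 8, 16
CONTACT_CLASS = "sample.contact.Contact"
ACL_CLASS = "net.sf.acegisecurity.acl.basic.SimpleAclEntry"

# Transcribed from DataSourcePopulator as posted above (emails omitted).
CONTACTS = [
    (1, "John Smith"), (2, "Michael Citizen"), (3, "Joe Bloggs"),
    (4, "Karen Sutherland"), (5, "Mitchell Howard"), (6, "Rose Costas"),
    (7, "Amanda Smith"), (8, "Cindy Smith"), (9, "Jonathan Citizen"),
]
# (acl_object_identity id, recipient, mask)
PERMISSIONS = [
    (1, "marissa", 1), (2, "marissa", 2), (3, "marissa", 22), (4, "marissa", 1),
    (4, "scott", 2), (6, "scott", 2), (7, "scott", 1), (8, "scott", 2), (9, "scott", 22),
    (4, "dianne", 1), (5, "dianne", 2), (6, "dianne", 22), (8, "dianne", 2),
]


def object_identity(class_name, obj_id):
    """String form stored in ACL_OBJECT_IDENTITY, e.g. 'sample.contact.Contact:1'."""
    return f"{class_name}:{obj_id}"


def parse_object_identity(text):
    """Inverse: 'sample.contact.Contact:1' -> ('sample.contact.Contact', 1)."""
    class_name, sep, ident = text.rpartition(":")
    if not sep or not class_name or not ident.isdigit():
        raise ValueError(f"not a class:id object identity: {text!r}")
    return class_name, int(ident)


def build_db():
    """In-memory sqlite copy of the sample schema. COLLATE NOCASE stands in for
    HSQLDB's VARCHAR_IGNORECASE, so recipient and identity lookups ignore case."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE contacts(id INTEGER PRIMARY KEY, contact_name TEXT NOT NULL);
        CREATE TABLE acl_object_identity(
            id INTEGER PRIMARY KEY,
            object_identity TEXT COLLATE NOCASE NOT NULL UNIQUE,
            parent_object INTEGER REFERENCES acl_object_identity(id),
            acl_class TEXT NOT NULL);
        CREATE TABLE acl_permission(
            id INTEGER PRIMARY KEY,
            acl_object_identity INTEGER NOT NULL REFERENCES acl_object_identity(id),
            recipient TEXT COLLATE NOCASE NOT NULL,
            mask INTEGER NOT NULL,
            UNIQUE(acl_object_identity, recipient));
    """)
    conn.executemany("INSERT INTO contacts VALUES (?, ?)", CONTACTS)
    conn.executemany(
        "INSERT INTO acl_object_identity VALUES (?, ?, NULL, ?)",
        [(cid, object_identity(CONTACT_CLASS, cid), ACL_CLASS) for cid, _ in CONTACTS])
    conn.executemany(
        "INSERT INTO acl_permission(acl_object_identity, recipient, mask) VALUES (?, ?, ?)",
        PERMISSIONS)
    return conn


def mask_for(conn, class_name, obj_id, recipient):
    """What the provider's DAO resolves: the mask `recipient` holds on one domain
    object, or NOTHING when there is no ACL_PERMISSION row for that pair."""
    row = conn.execute(
        "SELECT p.mask FROM acl_permission p JOIN acl_object_identity o "
        "ON p.acl_object_identity = o.id WHERE o.object_identity = ? AND p.recipient = ?",
        (object_identity(class_name, obj_id), recipient)).fetchone()
    return row[0] if row else NOTHING


def permitted(mask, required_any):
    """Granted if the mask contains every bit of at least one required permission."""
    return any((mask & need) == need for need in required_any)


def filter_collection(conn, contact_ids, recipient, required_any=(ADMINISTRATION, READ)):
    """Model of AFTER_ACL_COLLECTION_READ: drop elements the recipient may not read."""
    return [cid for cid in contact_ids
            if permitted(mask_for(conn, CONTACT_CLASS, cid, recipient), required_any)]


def contact_page(conn, recipient):
    """Rows of the Contacts page: (id, name, Del offered?, Admin Permission offered?).
    Del needs ADMINISTRATION or DELETE, Admin Permission needs ADMINISTRATION."""
    names = dict(CONTACTS)
    rows = []
    for cid in filter_collection(conn, [c for c, _ in CONTACTS], recipient):
        mask = mask_for(conn, CONTACT_CLASS, cid, recipient)
        rows.append((cid, names[cid],
                     permitted(mask, (ADMINISTRATION, DELETE)),
                     permitted(mask, (ADMINISTRATION,))))
    return rows


if __name__ == "__main__":
    db = build_db()
    for row in contact_page(db, "dianne"):
        print(row)
```

Run for dianne, this reproduces the page in the first post: ids 4, 5, 6 and 8 survive the filter, Del is offered on 4 (ADMINISTRATION) and 6 (mask 22 includes DELETE), and Admin Permission only on 4. With the filter skipped, all nine contacts come back, which is what the poster saw after removing contactManagerSecurity. One caveat worth checking in a real deployment: the lookup is keyed on the recipient string, and because that column is case-insensitive, 'Dianne' and 'dianne' resolve to the same ACL rows even if the authentication side treats usernames as case-sensitive.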
