1

I have to implement access controls in my application and I am using Spring ACLs for it. My model has User, groups, permissions.

The problem I am trying to solve is to get permissions on a domain object for a user. I was able to get all the access control entries for that user (principal sid, and group sids), and using that I was able to get a final set of permissions by taking a union over all the permissions. Let's say the combined mask is 111, which would be Read, Write, and Create permissions going by the permissions defined in BasePermissions.
The problem I am facing now is I can't find any way to get a list of all defined base permissions so that I can compare the mask to individual permissions. The base permission class does not seem to provide any such method. I do not want to hardcode cases in an if-then clause, since the number of permissions might increase in future.

Any pointers would be appreciated. Thanks.

Nishant Nagwani

3 Answers

1

You can check for the permission by using the AclPermissionEvaluator, passing an array of Permission instances to the hasPermission method as a parameter. Check the source in the given link for the implementation.

@Autowired
private PermissionEvaluator permissionEvaluator;

........

// Build the permissions to test by name; permissionFactory is a PermissionFactory bean.
Object permission = new Permission[] {
    permissionFactory.buildFromName("READ"),
    permissionFactory.buildFromName("WRITE"),
    permissionFactory.buildFromName("CREATE")
};

permissionEvaluator.hasPermission(authentication, oid, permission);

And, as mentioned in this answer, do not forget to register the AclPermissionEvaluator in your Spring context.

UPDATE: To get all the permissions that a user has on a domain object:

private SidRetrievalStrategy sidRetrievalStrategy = new SidRetrievalStrategyImpl();

.......

List<Sid> sids = sidRetrievalStrategy.getSids(authentication);
// Lookup only ACLs for SIDs we're interested in
Acl acl = aclService.readAclById(oid, sids);
List<AccessControlEntry> aces = acl.getEntries();
List<String> permissionsList = new ArrayList<String>();
for (AccessControlEntry ace : aces ) {
    permissionsList.add(ace.getPermission().getPattern());
}
Community
Ravi Kadaboina
  • Checking whether an object has specific permissions is not my problem. I agree, that problem can be solved using PermissionEvaluator class. My problem is to get all the permissions on a domain object a user has (I want to return them back to the user for some reason). For example, a user might have R, W, C permissions not delete, so a list of these permissions should be returned. Thanks for helping out though. – Nishant Nagwani Oct 23 '12 at 15:13
0

As @Ravi said: using the method readAclById from the class JdbcAclService will not work if you use BasicLookupStrategy.class, because LookupStrategy.readAclsById ignores the second parameter, sids. I suggest you write your custom lookup strategy.

wei lei
0

What you are trying to do is check if a CumulativePermission has a specific permission. You can do it using this method:

public static boolean containsPermission(Permission cumulativePermission, Permission singlePermission) {
    return (cumulativePermission.getMask() & singlePermission.getMask()) == singlePermission.getMask();
}
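
An added example, not taken from any of the posts above: one way to list the permissions a user effectively holds without hard-coding them, by discovering the constants on BasePermission through reflection and asking the ACL itself about each one. The class and method names (EffectivePermissions, definedPermissions, grantedNames) are hypothetical; it assumes spring-security-acl is on the classpath and that `acl` and `sids` were obtained as in the first answer.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.Sid;

// Hypothetical helper class; not part of Spring Security.
public final class EffectivePermissions {

    /** Collects every public static Permission constant visible on the given class. */
    static Map<String, Permission> definedPermissions(Class<?> type) {
        Map<String, Permission> found = new LinkedHashMap<>();
        for (Field f : type.getFields()) { // includes constants inherited by a custom subclass
            if (Modifier.isStatic(f.getModifiers()) && Permission.class.isAssignableFrom(f.getType())) {
                try {
                    found.put(f.getName(), (Permission) f.get(null));
                } catch (IllegalAccessException e) {
                    throw new IllegalStateException("Cannot read " + f.getName(), e);
                }
            }
        }
        return found;
    }

    /** Names of the defined permissions that the ACL grants to the given SIDs. */
    static List<String> grantedNames(Acl acl, List<Sid> sids) {
        List<String> granted = new ArrayList<>();
        for (Map.Entry<String, Permission> e : definedPermissions(BasePermission.class).entrySet()) {
            try {
                // Let the ACL's granting strategy decide, so non-granting entries and ACE order count.
                if (acl.isGranted(Collections.singletonList(e.getValue()), sids, false)) {
                    granted.add(e.getKey());
                }
            } catch (NotFoundException noMatchingAce) {
                // No ACE applies to these SIDs for this permission: treat as not granted.
            }
        }
        return granted;
    }
}
```

With the default granting strategy an ACE matches only when its mask equals the requested permission's mask, so entries stored with a combined mask are not reported by this check.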