Package de.hybris.platform.jalo.security
Class AccessManager

java.lang.Object
  de.hybris.platform.jalo.Manager
    de.hybris.platform.jalo.security.AccessManager

All Implemented Interfaces:
    ItemLifecycleListener, java.io.Serializable

public class AccessManager extends Manager
Manager of all security based functionality of the hybris Platform. Here you can define new UserRights, assign them to Principals and Items, and check access on items.

There are two ways of assigning rights to a user (all Users are Principals): as a global permission or as a local permission. The first is not bound to an Item and so can be checked without one. Local permissions are assignments of user rights for a user to a specific item; such a permission can only be checked on this item.

You can combine both ways to get hierarchical permission checking, by assigning one right globally and optionally locally. Example: a user might globally be allowed to see all products (by globally assigning the right product.read), but be forbidden to see the special product MY_CHEFS_SECRET_CAR (by negatively assigning this right on this product). The great advantage is that all other products need not have this right explicitly assigned, but can be checked anyway (because it is globally assigned).

See Also:
    Serialized Form
Nested Class Summary

protected static class AccessManager.AccessManagerSerializableDTO

Nested classes/interfaces inherited from class de.hybris.platform.jalo.Manager
    Manager.GenericManagerSingletonCreator, Manager.ManagerSingletonCreator
Field Summary

static java.lang.String BEAN_NAME
static java.lang.String CHANGE
    Deprecated. since ages - Instead use PermissionsConstants.CHANGE
static java.lang.String CHANGE_PERMISSIONS
    Deprecated. since ages - Instead use PermissionsConstants.CHANGE_PERMISSIONS
static java.lang.String CREATE
    Deprecated. since ages - Instead use PermissionsConstants.CREATE
static java.lang.String READ
    Deprecated. since ages - Instead use PermissionsConstants.READ
static java.lang.String REMOVE
    Deprecated. since ages - Instead use PermissionsConstants.REMOVE

Constructor Summary

AccessManager()
Method Summary

void addGlobalNegativePermission(Principal caller, Principal principal, UserRight permission)
    Deprecated. since ages - please use Principal.addGlobalNegativePermission(UserRight) instead
void addGlobalPermissions(Principal caller, java.util.Collection permissions)
    Assigns a list of global rights.
void addGlobalPositivePermission(Principal caller, Principal principal, UserRight permission)
    Deprecated. since ages - please use Principal.addGlobalPositivePermission(UserRight) instead
void addNegativePermissionOn(Item item, Principal caller, Principal principal, UserRight permission)
    Negatively assigns a right for a user to an item (prohibition).
void addPositivePermissionOn(Item item, Principal caller, Principal principal, UserRight permission)
    Positively assigns a right for a user to an item.
protected void checkBeforeItemRemoval(SessionContext ctx, Item item)
    Superclass method overridden to avoid a call to the EJB layer.
java.util.ArrayList checkLicence()
    This method returns a list of LicenceInfo objects.
boolean checkPermission(Principal principal, UserRight permission)
    Checks a global permission for a user and a right.
boolean checkPermission(Principal principal, java.lang.String permissionCode)
    Same as checkPermission(Principal, UserRight) but with the permission code instead of the whole UserRight object.
boolean checkPermissionOn(Item item, Principal principal, UserRight permission)
    Checks permission on an item.
boolean checkPermissionOn(Item item, Principal principal, java.lang.String permissionCode)
    Same as checkPermissionOn(Item, Principal, UserRight) but with the permission code instead of the whole UserRight object.
UserRight createUserRight(java.lang.String code)
    Creates a new UserRight with a given code.
java.util.Collection getAllGlobalNegativePermissions(Principal principal)
    Returns all globally negatively assigned rights of a user, including those of the user's groups.
java.util.Collection getAllGlobalPositivePermissions(Principal principal)
    Returns all globally positively assigned rights of a user, including those of the user's groups.
java.util.Collection getAllUserRights()
    All existing user rights in the system.
java.util.Collection getGlobalNegativePermissions(Principal principal)
    Returns all globally negatively assigned rights of a user.
java.util.Collection getGlobalPositivePermissions(Principal principal)
    Returns all globally positively assigned rights of a user.
java.util.Collection getGlobalRestrictedPrincipals(PK permissionPK)
java.util.Collection getGlobalRestrictedPrincipals(UserRight permission)
static AccessManager getInstance()
UserRight getOrCreateUserRightByCode(java.lang.String code)
    Convenience method which first tries to get the user right with the given code and creates it when no such user right exists.
java.util.Map getRestrictedItemsMapForPrincipal(Principal p, java.util.List permissionList)
java.util.Set<Language> getRestrictedLanguages(Item item)
    Asks all those extensions which implement Extension.ResctrictedLanguageProvider for all available languages for the given item and returns the intersection of these languages.
UserRight getUserRightByCode(java.lang.String code)
    Returns the UserRight with the specified code.
java.util.Collection getUserRightsByCode(java.lang.String code)
    Returns all UserRights whose code matches the specified search string.
boolean isEditable(Item item, AttributeDescriptor descriptor)
    Asks all those extensions which implement RightsProvider whether the attribute should be editable.
protected void notifyItemRemoval(SessionContext ctx, Item item)
    Clears all permissions which are set for this item.
void removeGlobalPermission(Principal caller, Principal principal, UserRight permission)
    Deprecated. since ages - please use Principal.clearGlobalPermission(UserRight) instead
void removePermissionOn(Item item, Principal caller, Principal principal, UserRight permission)
    Removes the local assignment of a user right for a user on a specific item.
java.lang.Object writeReplace()

Methods inherited from class de.hybris.platform.jalo.Manager
    afterItemCreation, beforeItemCreation, destroy, extractNonRequiredRemoteFromItem, extractRequiredRemoteFromItem, getAllValuesSessionContext, getAttribute, getAttributeMap, getFirstItemByAttribute, getFirstItemByAttribute, getRemote, getRemoteManagerClass, getSession, getSingletonManagerInstance, getTenant, getTransientObject, getTransientObjectMap, init, setAttribute, setTenant, setTransientObject, wrap
Field Detail

BEAN_NAME
public static final java.lang.String BEAN_NAME
See Also:
    Constant Field Values

READ
@Deprecated public static final java.lang.String READ
Deprecated. since ages - Instead use PermissionsConstants.READ
See Also:
    Constant Field Values

CHANGE
@Deprecated public static final java.lang.String CHANGE
Deprecated. since ages - Instead use PermissionsConstants.CHANGE
See Also:
    Constant Field Values

CHANGE_PERMISSIONS
@Deprecated public static final java.lang.String CHANGE_PERMISSIONS
Deprecated. since ages - Instead use PermissionsConstants.CHANGE_PERMISSIONS
See Also:
    Constant Field Values

CREATE
@Deprecated public static final java.lang.String CREATE
Deprecated. since ages - Instead use PermissionsConstants.CREATE
See Also:
    Constant Field Values

REMOVE
@Deprecated public static final java.lang.String REMOVE
Deprecated. since ages - Instead use PermissionsConstants.REMOVE
See Also:
    Constant Field Values
Method Detail

getInstance
public static AccessManager getInstance()
Returns:
    instance of this manager
checkBeforeItemRemoval
protected void checkBeforeItemRemoval(SessionContext ctx, Item item) throws ConsistencyCheckException
Superclass method overridden to avoid a call to the EJB layer.
Overrides:
    checkBeforeItemRemoval in class Manager
Parameters:
    ctx - the current session context
    item - the item which should be removed
Throws:
    ConsistencyCheckException - thrown to abort removal due to consistency errors
Since:
    2.10
notifyItemRemoval
protected void notifyItemRemoval(SessionContext ctx, Item item)
Clears all permissions which are set for this item. If the item is a Principal, it also clears its permissions on any other item.
Overrides:
    notifyItemRemoval in class Manager
Parameters:
    ctx - the current session context
    item - the item which is going to be removed
Since:
    2.10
checkPermissionOn
public boolean checkPermissionOn(Item item, Principal principal, UserRight permission)
Checks permission on an item. This gives a positive result if this user right was positively assigned to this item and user or (if not locally assigned) if it was positively globally assigned to the user. If it was locally (or globally, if not locally) negatively assigned, the result is negative.

Since a user can be part of multiple UserGroups which might have their own rights assigned too, it can happen that both positive and negative assignments are found. In this case the result is negative.

As you can see, there are two kinds of hierarchy in this security model: global and local permissions, and user and user group permissions. As a rule of thumb you should always expect local permissions and user permissions to be stronger than global and user group permissions. The return values for item i, Principal p and UserRight r as a table:

    entry                                  return value  comment
    none                                   false         default is 'not allowed'
    (i,p,r,+)                              true          user has permission
    (i,p,r,-)                              false         user has negative permission
    (*,p,r,+)                              true          user has global permission (item-independent)
    (*,p,r,-)                              false         user has negative global permission (item-independent)
    (i,G(p),r,+)                           true          (at least) one group of the user has permission
    (i,G(p),r,-)                           false         groups of the user have negative permissions (or none!)
    (*,G(p),r,+)                           true          (at least) one group of the user has global permission
    (*,G(p),r,-)                           false         groups of the user have negative global permissions (or none)
    special cases
    (*,G1(p),r,+) but also (*,G2(p),r,-)   false         if one group is not allowed, the user is not allowed
    (*,p,r,+) but also (i,p,r,-)           false         global permissions are overruled by item permissions
    (i,G(p),r,+) but also (i,p,r,-)        false         group permissions are overruled by principal permissions

    + ... positive permission
    - ... negative permission
    * ... permission is global (item-independent)
    G(p) ... the groups of principal p
    G1(p), G2(p) ... groups of the principal, split in two parts

Parameters:
    item - the item to check the right for
    principal - the user to check the right for
    permission - the right to check
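As an added example that is not hybris code, the following Java class models the resolution rules of the table above together with the product.read / MY_CHEFS_SECRET_CAR scenario from the class description, using plain strings in place of Item, Principal and UserRight. The names alice, sales, interns and CAR_1 are constructed, Java 16 or newer is assumed for the record, and where the table is silent (a group's local assignment versus the principal's global one) the model consults the local level first, which is an assumption.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added reference model of the checkPermissionOn decision table; this is not hybris code.
// Items, principals and rights are plain strings; "*" marks a global (item-independent)
// assignment, exactly as in the table. Assumption: the local level is consulted first.
public final class PermissionModel {
    private record Key(String item, String principal, String right) {}
    private final Map<Key, Boolean> acl = new HashMap<>();           // true = '+', false = '-'
    private final Map<String, Set<String>> groups = new HashMap<>(); // p -> G(p)

    public void assign(String item, String principal, String right, boolean positive) {
        acl.put(new Key(item == null ? "*" : item, principal, right), positive);
    }
    public void addToGroup(String principal, String group) {
        groups.computeIfAbsent(principal, k -> new HashSet<>()).add(group);
    }
    // One level (a concrete item or "*") for p and G(p): a direct entry for p overrules
    // its groups; among groups a single '-' overrules any '+'; null means nothing assigned.
    private Boolean resolveLevel(String item, String p, String r) {
        Boolean own = acl.get(new Key(item, p, r));
        if (own != null) return own;          // (i,G(p),r,+) but (i,p,r,-) -> false
        boolean anyPositive = false;
        for (String g : groups.getOrDefault(p, Set.of())) {
            Boolean v = acl.get(new Key(item, g, r));
            if (v == null) continue;
            if (!v) return false;             // (*,G1(p),r,+) but (*,G2(p),r,-) -> false
            anyPositive = true;
        }
        return anyPositive ? Boolean.TRUE : null;
    }
    // checkPermissionOn(item, p, r): the local level decides if anything is assigned there,
    // otherwise the global level, otherwise 'not allowed' (the 'none' row of the table).
    public boolean checkPermissionOn(String item, String p, String r) {
        Boolean local = resolveLevel(item, p, r);
        if (local != null) return local;      // (*,p,r,+) but (i,p,r,-) -> false
        return Boolean.TRUE.equals(resolveLevel("*", p, r));
    }
    // checkPermission(p, r): global assignments only; item ACLs are never consulted.
    public boolean checkPermission(String p, String r) {
        return Boolean.TRUE.equals(resolveLevel("*", p, r));
    }
    public static void main(String[] args) {
        PermissionModel m = new PermissionModel();
        m.addToGroup("alice", "sales");
        m.addToGroup("alice", "interns");
        m.assign(null, "alice", "product.read", true);                   // global allow
        m.assign("MY_CHEFS_SECRET_CAR", "alice", "product.read", false); // local prohibition
        m.assign(null, "sales", "product.change", true);                 // one group allows
        m.assign(null, "interns", "product.change", false);              // another group forbids
        System.out.println(m.checkPermissionOn("CAR_1", "alice", "product.read"));
        System.out.println(m.checkPermissionOn("MY_CHEFS_SECRET_CAR", "alice", "product.read"));
        System.out.println(m.checkPermission("alice", "product.read"));
        System.out.println(m.checkPermissionOn("CAR_1", "alice", "product.change"));
    }
}
```

The four checks in main walk the global-allow-with-local-deny scenario, the item-independent checkPermission variant (which never sees the local prohibition), and the conflicting-groups row of the table.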
checkPermissionOn
public boolean checkPermissionOn(Item item, Principal principal, java.lang.String permissionCode)
Same as checkPermissionOn(Item, Principal, UserRight) but with the permission code instead of the whole UserRight object.
removePermissionOn
public void removePermissionOn(Item item, Principal caller, Principal principal, UserRight permission) throws JaloSecurityException
Removes the local assignment of a user right for a user on a specific item. Since assignments can only be removed by ACL-owners of this item, such an owner must be specified too.
Parameters:
    item - the item to remove the assignment from
    caller - the ACL-owner which is allowed to remove this assignment on this item
    principal - the user to remove the assignment for
    permission - the right to remove
Throws:
    JaloSecurityException
addPositivePermissionOn
public void addPositivePermissionOn(Item item, Principal caller, Principal principal, UserRight permission) throws JaloSecurityException
Positively assigns a right for a user to an item. Since assignments can only be created by ACL-owners of this item, such an owner must be specified too.
Parameters:
    item - the item to add the assignment to
    caller - the ACL-owner which is allowed to add this assignment to this item
    principal - the user to add the assignment for
    permission - the right to add
Throws:
    JaloSecurityException
addNegativePermissionOn
public void addNegativePermissionOn(Item item, Principal caller, Principal principal, UserRight permission) throws JaloSecurityException
Negatively assigns a right for a user to an item (prohibition). Since assignments can only be created by ACL-owners of this item, such an owner must be specified too.
Parameters:
    item - the item to add the assignment to
    caller - the ACL-owner which is allowed to add this assignment to this item
    principal - the user to add the assignment for
    permission - the right to add
Throws:
    JaloSecurityException
addGlobalPermissions
public void addGlobalPermissions(Principal caller, java.util.Collection permissions) throws JaloSecurityException
Assigns a list of global rights.
Parameters:
    caller - the ACL-owner which is allowed to add this assignment
    permissions - a collection of PermissionContainers
Throws:
    JaloSecurityException
checkPermission
public boolean checkPermission(Principal principal, UserRight permission)
Checks a global permission for a user and a right. The result will only be positive if a positive global assignment for this user and this right exists.

Since a user can be part of multiple UserGroups which might have their own rights assigned too, it can happen that both positive and negative assignments are found. In this case the result is negative.
Parameters:
    principal - the user to check the right for
    permission - the right to check

checkPermission
public boolean checkPermission(Principal principal, java.lang.String permissionCode)
Same as checkPermission(Principal, UserRight) but with the permission code instead of the whole UserRight object.
removeGlobalPermission
@Deprecated public void removeGlobalPermission(Principal caller, Principal principal, UserRight permission) throws JaloSecurityException
Deprecated. since ages - please use Principal.clearGlobalPermission(UserRight) instead
Removes the global assignment of a user right for a user on a specific item. Since assignments can only be removed by global ACL-owners, such an owner must be specified too.
Parameters:
    caller - the ACL-owner which is allowed to remove this assignment
    principal - the user to remove the assignment for
    permission - the right to remove
Throws:
    JaloSecurityException
addGlobalPositivePermission
@Deprecated public void addGlobalPositivePermission(Principal caller, Principal principal, UserRight permission) throws JaloSecurityException
Deprecated. since ages - please use Principal.addGlobalPositivePermission(UserRight) instead
Positively assigns a right for a user globally. Since assignments can only be created by global ACL-owners, such an owner must be specified too.
Parameters:
    caller - the ACL-owner which is allowed to add this assignment
    principal - the user to add the assignment for
    permission - the right to add
Throws:
    JaloSecurityException
addGlobalNegativePermission
@Deprecated public void addGlobalNegativePermission(Principal caller, Principal principal, UserRight permission) throws JaloSecurityException
Deprecated. since ages - please use Principal.addGlobalNegativePermission(UserRight) instead
Negatively assigns a right for a user globally (prohibition). Since assignments can only be created by global ACL-owners, such an owner must be specified too.
Parameters:
    caller - the ACL-owner which is allowed to add this assignment
    principal - the user to add the assignment for
    permission - the right to add
Throws:
    JaloSecurityException
getGlobalPositivePermissions
public java.util.Collection getGlobalPositivePermissions(Principal principal)
Returns all globally positively assigned rights of a user.
Parameters:
    principal - the user for which the rights are assigned

getGlobalNegativePermissions
public java.util.Collection getGlobalNegativePermissions(Principal principal)
Returns all globally negatively assigned rights of a user.
Parameters:
    principal - the user for which the rights are assigned

getAllGlobalPositivePermissions
public java.util.Collection getAllGlobalPositivePermissions(Principal principal)
Returns all globally positively assigned rights of a user. Rights of the user groups which the user is in are included as well.
Parameters:
    principal - the user for which the rights are assigned

getAllGlobalNegativePermissions
public java.util.Collection getAllGlobalNegativePermissions(Principal principal)
Returns all globally negatively assigned rights of a user. Rights of the user groups which the user is in are included as well.
Parameters:
    principal - the user for which the rights are assigned
createUserRight
public UserRight createUserRight(java.lang.String code) throws ConsistencyCheckException
Creates a new UserRight with a given code. This code must be unique.
Parameters:
    code - the code of the user right
Returns:
    a new user right object
Throws:
    ConsistencyCheckException - if this code is already in use
See Also:
    for notes on code name conventions
getUserRightsByCode
public java.util.Collection getUserRightsByCode(java.lang.String code)
Returns all UserRights whose code matches the specified search string. The syntax of this string is equivalent to that of SQL LIKE statements, so LIKE wildcards in the string widen the match; use getUserRightByCode(String) when an exact match is required.
Parameters:
    code - the search string
Returns:
    Collection

getUserRightByCode
public UserRight getUserRightByCode(java.lang.String code)
Returns the UserRight with the specified code. Unlike getUserRightsByCode(String), this method does only exact matching.
Parameters:
    code

getOrCreateUserRightByCode
public UserRight getOrCreateUserRightByCode(java.lang.String code)
Convenience method which first tries to get the user right with the given code and creates it when no such user right exists.
Parameters:
    code

getAllUserRights
public java.util.Collection getAllUserRights()
All existing user rights in the system.
isEditable
public boolean isEditable(Item item, AttributeDescriptor descriptor)
Asks all those extensions which implement RightsProvider whether the attribute should be editable.
Since:
    2.20

getRestrictedLanguages
public java.util.Set<Language> getRestrictedLanguages(Item item)
Asks all those extensions which implement Extension.ResctrictedLanguageProvider for all available languages for the given item and returns the intersection of these languages.
Since:
    3.00 (beta1)

checkLicence
public java.util.ArrayList checkLicence()
This method returns a list of LicenceInfo objects. The size of this list equals the number of existing licence terms.
Returns:
    a list
getRestrictedItemsMapForPrincipal
public java.util.Map getRestrictedItemsMapForPrincipal(Principal p, java.util.List permissionList)

getGlobalRestrictedPrincipals
public java.util.Collection getGlobalRestrictedPrincipals(UserRight permission)

getGlobalRestrictedPrincipals
public java.util.Collection getGlobalRestrictedPrincipals(PK permissionPK)

writeReplace
public java.lang.Object writeReplace() throws java.io.ObjectStreamException
Specified by:
    writeReplace in class Manager
Throws:
    java.io.ObjectStreamException