Package de.hybris.platform.jalo.security

Class AccessManager

java.lang.Object
de.hybris.platform.jalo.Manager
de.hybris.platform.jalo.security.AccessManager
All Implemented Interfaces:
ItemLifecycleListener, Serializable
public class AccessManager extends Manager
Manager of all security based functionality of the hybris Platform. Here you can defined new UserRights, assign them to Principals and Items, and check access on items.
There are two ways of assigning rights to a user (all Users are Principals): as global permission or as local permission. First is not bound to an Item and so can be checked without one. Local permissions are assignments of userrights for a user to a specific item. This permission can only be checked on this item.
You can combine both ways to have a hierarchical permission checking, if you assign one right global and optionally local. Example: A user might global be allowed to see all products (by globally assigning the right product.read), but is forbidden to see the special product MY_CHEFS_SECRET_CAR (by negatively assigning this right to this product). The great advantage is that all other products must not have this righ explicitely assigned, but can be checked anyway (because it is globally assigned).
See Also:

  • Field Details

  • Constructor Details

    • AccessManager

      public AccessManager()

  • Method Details

    • getInstance

      public static AccessManager getInstance()
      Returns:
      instance of this manager

    • checkBeforeItemRemoval

      protected void checkBeforeItemRemoval(SessionContext ctx, Item item) throws ConsistencyCheckException
      Superclass method overridden to avoid call to EJB layer.
      Overrides:
      checkBeforeItemRemoval in class Manager
      Parameters:
      ctx - the current session context
      item - the item which should be removed
      Throws:
      ConsistencyCheckException - thrown to abort removal due to consistency errors
      Since:
      2.10

    • notifyItemRemoval

      protected void notifyItemRemoval(SessionContext ctx, Item item)
      Clears all permissions which are set for this item. If the item is a Principal it clears its permissions on any other item too.
      Overrides:
      notifyItemRemoval in class Manager
      Parameters:
      ctx - the currency session context
      item - the item which is going to be removed
      Since:
      2.10

    • checkPermissionOn

      public boolean checkPermissionOn(Item item, Principal principal, UserRight permission)
      Checks permission on an item. This will give a positive result, if this userright was positively assigned to this item and user or (if not locally assigned) if it was positively globally assigned ti the user. If it was local (or global if not local ) negatively assigned the result is negative.
      Since a user can be part of multiple UserGroups which might have their own rights assigned too, there is the case that positive and negative assignments might be found. In this case the reault is negative.
      As you can see we have two kind of hierarchy in our security model: global and local permissions, and user and usergroup permissions. As a rule of thumb you should allwas expect local permissions and user permissions to be stronger than global and usergroup permissions.

      The return values for item i, Principal p and UserRight r as table:

      entry return value comment
      none false default is 'not allowed'
      (i,p,r,+) true user has permission
      (i,p,r,-) false user has negative permission
      (*,p,r,+) true user has global permission (item-independent)
      (*,p,r,-) false user has negative global permission (item-independent)
      (i,G(p),r,+) true (at least) one group of user has permission
      (i,G(p),r,-) false groups of user have negative permissions (or none!)
      (*,G(p),r,+) true (at least) one group of user has global permission
      (*,G(p),r,-) false groups of user have negative global permissions (or none)
      special cases
      (*,G1(p),r,+) but also (*,G2(p),r,-) false if one group is not allowed the user is not allowed
      (*,p,r,+) but also (i,p,r,-) false global permissions are overruled by item-permissions
      (i,G(p),r,+) but also (i,p,r,-) false group permissions are overruled by principal permissions
      Syntax: + ... positive permission
      - ... negative permission
      ... permission is global (item-independent)
      G(p)... the groups of principal p
      G1(p), G2(p) ... groups of principal in two parts
      Parameters:
      item - the item to check the right for
      principal - the user to check the right for
      permission - the right to check

    • checkPermissionOn

      public boolean checkPermissionOn(Item item, Principal principal, String permissionCode)
      Same as checkPermissionOn(Item, Principal, UserRight) but with the permissions code instead of passing the whole UserRight object.

    • removePermissionOn

      public void removePermissionOn(Item item, Principal caller, Principal principal, UserRight permission) throws JaloSecurityException
      Removes the local assignment of a userright for a user on a specific item. Since assignments can only be removed by ACL-owners of this item such one must be specified too.
      Parameters:
      item - the item to remove the assignment from
      caller - the ACL-owner which is allowed to remove this assignment on this item
      principal - the user to remove the assignment for
      permission - the right to remove
      Throws:
      JaloSecurityException

    • addPositivePermissionOn

      public void addPositivePermissionOn(Item item, Principal caller, Principal principal, UserRight permission) throws JaloSecurityException
      Positively assigns a right for a user to a item. Since assignments can only be created by ACL-owners of this item such one must be specified too.
      Parameters:
      item - the item to add the assignment to
      caller - the ACL-owner which is allowed to add this assignment to this item
      principal - the user to add the assignment for
      permission - the right to add
      Throws:
      JaloSecurityException

    • addNegativePermissionOn

      public void addNegativePermissionOn(Item item, Principal caller, Principal principal, UserRight permission) throws JaloSecurityException
      Negatively assigns a right for a user to a item (prohibition). Since assignments can only be created by ACL-owners of this item such one must be specified too.
      Parameters:
      item - the item to add the assignment to
      caller - the ACL-owner which is allowed to add this assignment to this item
      principal - the user to add the assignment for
      permission - the right to add
      Throws:
      JaloSecurityException

    • addGlobalPermissions

      public void addGlobalPermissions(Principal caller, Collection permissions) throws JaloSecurityException
      Assigns a list of global rights
      Parameters:
      caller - the ACL-owner which is allowed to add this assignment
      permissions - a collection of PermissionContainers
      Throws:
      JaloSecurityException

    • checkPermission

      public boolean checkPermission(Principal principal, UserRight permission)
      Checks a global permission for a user and a right. The result will only be positive if a positive global assignment for this user and this right exists.
      Since a user can be part of multiple UserGroups which might have their own rights assigned too, there is the case that positive and negative assignments might be found. In this case the result is negative.
      Parameters:
      principal - the user to check the right for
      permission - the right to check

    • checkPermission

      public boolean checkPermission(Principal principal, String permissionCode)
      Same as checkPermission(Principal, UserRight) but with the permissions code instead of passing the whole UserRight object.

    • removeGlobalPermission

      @Deprecated(since="ages", forRemoval=false) public void removeGlobalPermission(Principal caller, Principal principal, UserRight permission) throws JaloSecurityException
      Deprecated.
      since ages - please usePrincipal.clearGlobalPermission(UserRight) instead
      Removes the global assignment of a userright for a user on a specific item. Since assignments can only be removed by global ACL-owners such one must be specified too.
      Parameters:
      caller - the ACL-owner which is allowed to remove this assignment
      principal - the user to remove the assignment for
      permission - the right to remove
      Throws:
      JaloSecurityException

    • addGlobalPositivePermission

      @Deprecated(since="ages", forRemoval=false) public void addGlobalPositivePermission(Principal caller, Principal principal, UserRight permission) throws JaloSecurityException
      Deprecated.
      since ages - please usePrincipal.addGlobalPositivePermission(UserRight) instead
      Positively assigns a right for a user globally. Since assignments can only be created by global ACL-owners such one must be specified too.
      Parameters:
      caller - the ACL-owner which is allowed to add this assignment
      principal - the user to add the assignment for
      permission - the right to add
      Throws:
      JaloSecurityException

    • addGlobalNegativePermission

      @Deprecated(since="ages", forRemoval=false) public void addGlobalNegativePermission(Principal caller, Principal principal, UserRight permission) throws JaloSecurityException
      Deprecated.
      since ages - please usePrincipal.addGlobalNegativePermission(UserRight) instead
      Negatively assigns a right for a user globally(prohibition). Since assignments can only be created by global ACL-owners such one must be specified too.
      Parameters:
      caller - the ACL-owner which is allowed to add this assignment
      principal - the user to add the assignment for
      permission - the right to add
      Throws:
      JaloSecurityException

    • getGlobalPositivePermissions

      public Collection getGlobalPositivePermissions(Principal principal)
      Returns all globally positively assigned rights of a user.
      Parameters:
      principal - the user for which the rights are assigned

    • getGlobalNegativePermissions

      public Collection getGlobalNegativePermissions(Principal principal)
      Returns all globally negatively assigned rights of a user.
      Parameters:
      principal - the user for which the rights are assigned

    • getAllGlobalPositivePermissions

      public Collection getAllGlobalPositivePermissions(Principal principal)
      Returns all globally positively assigned rights of a user. Here also rights of usergroups which the user is in will be included.
      Parameters:
      principal - the user for which the rights are assigned

    • getAllGlobalNegativePermissions

      public Collection getAllGlobalNegativePermissions(Principal principal)
      Returns all globally negatively assigned rights of a user. Here also rights of usergroups which the user is in will be included.
      Parameters:
      principal - the user for which the rights are assigned

    • createUserRight

      public UserRight createUserRight(String code) throws ConsistencyCheckException
      Creates a new UserRight with a given code. This code must be unique.
      Parameters:
      code - the code of the user right
      Returns:
      a new user right object
      Throws:
      ConsistencyCheckException - if this code is already in use
      See Also:

    • getUserRightsByCode

      public Collection getUserRightsByCode(String code)
      Returns all UserRights which code matches the specified search string. The syntax of this string is equivalent to SQL LIKE statements.
      Parameters:
      code -
      Returns:
      Collection

    • getUserRightByCode

      public UserRight getUserRightByCode(String code)
      Returns the UserRight with the specified code. Unlike getUserRightsByCode( String ) this method does only exact matching.
      Parameters:
      code -

    • getOrCreateUserRightByCode

      public UserRight getOrCreateUserRightByCode(String code)
      Convenience method which first tries to get the user right with the given code and when such a user right does not exists, it will be created.
      Parameters:
      code -

    • getAllUserRights

      public Collection getAllUserRights()
      All existing userrights in the system.

    • isEditable

      public boolean isEditable(Item item, AttributeDescriptor descriptor)
      Asks all those extensions which implement RightsProvider if the attribute should be editable.
      Since:
      2.20

    • getRestrictedLanguages

      public Set<Language> getRestrictedLanguages(Item item)
      Asks all those extensions which implement Extension.ResctrictedLanguageProvider for all available languages for the given item and returns the intersection of these languages.
      Since:
      3.00 (beta1)

    • checkLicence

      public ArrayList checkLicence()
      This Method returns a list with LicenceInfo objects. The size of this list is equal to how many licence terms exists.
      Returns:
      a list

    • getRestrictedItemsMapForPrincipal

      public Map getRestrictedItemsMapForPrincipal(Principal p, List permissionList)

    • getGlobalRestrictedPrincipals

      public Collection getGlobalRestrictedPrincipals(UserRight permission)

    • getGlobalRestrictedPrincipals

      public Collection getGlobalRestrictedPrincipals(PK permissionPK)

    • writeReplace

      public Object writeReplace() throws ObjectStreamException
      Specified by:
      writeReplace in class Manager
      Throws:
      ObjectStreamException