de.hybris.platform.jalo.security

Class AccessManager

java.lang.Object

de.hybris.platform.jalo.Manager

de.hybris.platform.jalo.security.AccessManager

All Implemented Interfaces:

java.io.Serializable

public class AccessManager
extends Manager

Manager of all security based functionality of the hybris Platform. Here you can defined new UserRights, assign them to Principals and Items, and check access on items.
There are two ways of assigning rights to a user (all Users are Principals): as global permission or as local permission. First is not bound to an Item and so can be checked without one. Local permissions are assignments of userrights for a user to a specific item. This permission can only be checked on this item.
You can combine both ways to have a hierarchical permission checking, if you assign one right global and optionally local. Example: A user might global be allowed to see all products (by globally assigning the right product.read), but is forbidden to see the special product MY_CHEFS_SECRET_CAR (by negatively assigning this right to this product). The great advantage is that all other products must not have this righ explicitely assigned, but can be checked anyway (because it is globally assigned).

See Also:

Serialized Form

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
protected static class	AccessManager.AccessManagerSerializableDTO

Nested classes/interfaces inherited from class de.hybris.platform.jalo.Manager

Manager.GenericManagerSingletonCreator, Manager.ManagerSingletonCreator

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	BEAN_NAME
static java.lang.String	CHANGE Deprecated. since ages - Instead use PermissionsConstants.CHANGE
static java.lang.String	CHANGE_PERMISSIONS Deprecated. since ages - Instead use PermissionsConstants.CHANGE_PERMISSIONS
static java.lang.String	CREATE Deprecated. since ages - Instead use PermissionsConstants.CREATE
static java.lang.String	READ Deprecated. since ages - Instead use PermissionsConstants.READ
static java.lang.String	REMOVE Deprecated. since ages - Instead use PermissionsConstants.REMOVE

Constructor Summary

Constructors

Constructor and Description
AccessManager()

Method Summary

Modifier and Type	Method and Description
void	addGlobalNegativePermission(Principal caller, Principal principal, UserRight permission) Deprecated. since ages - please usePrincipal.addGlobalNegativePermission(UserRight) instead
void	addGlobalPermissions(Principal caller, java.util.Collection permissions) Assigns a list of global rights
void	addGlobalPositivePermission(Principal caller, Principal principal, UserRight permission) Deprecated. since ages - please usePrincipal.addGlobalPositivePermission(UserRight) instead
void	addNegativePermissionOn(Item item, Principal caller, Principal principal, UserRight permission) Negatively assigns a right for a user to a item (prohibition).
void	addPositivePermissionOn(Item item, Principal caller, Principal principal, UserRight permission) Positively assigns a right for a user to a item.
protected void	checkBeforeItemRemoval(SessionContext ctx, Item item) Superclass method overridden to avoid call to EJB layer.
java.util.ArrayList	checkLicence() This Method returns a list with LicenceInfo objects.
boolean	checkPermission(Principal principal, java.lang.String permissionCode) Same as checkPermission(Principal,UserRight) but with the permissions code instead of passing the whole UserRight object.
boolean	checkPermission(Principal principal, UserRight permission) Checks a global permission for a user and a right.
boolean	checkPermissionOn(Item item, Principal principal, java.lang.String permissionCode) Same as checkPermissionOn(Item,Principal,UserRight) but with the permissions code instead of passing the whole UserRight object.
boolean	checkPermissionOn(Item item, Principal principal, UserRight permission) Checks permission on an item.
UserRight	createUserRight(java.lang.String code) Creates a new UserRight with a given code.
java.util.Collection	getAllGlobalNegativePermissions(Principal principal) Returns all globally negatively assigned rights of a user.
java.util.Collection	getAllGlobalPositivePermissions(Principal principal) Returns all globally positively assigned rights of a user.
java.util.Collection	getAllUserRights() All existing userrights in the system.
java.util.Collection	getGlobalNegativePermissions(Principal principal) Returns all globally negatively assigned rights of a user.
java.util.Collection	getGlobalPositivePermissions(Principal principal) Returns all globally positively assigned rights of a user.
java.util.Collection	getGlobalRestrictedPrincipals(PK permissionPK)
java.util.Collection	getGlobalRestrictedPrincipals(UserRight permission)
static AccessManager	getInstance()
UserRight	getOrCreateUserRightByCode(java.lang.String code) Convenience method which first tries to get the user right with the given code and when such a user right does not exists, it will be created.
java.util.Map	getRestrictedItemsMapForPrincipal(Principal p, java.util.List permissionList)
java.util.Set<Language>	getRestrictedLanguages(Item item) Asks all those extensions which implement Extension.ResctrictedLanguageProvider for all available languages for the given item and returns the intersection of these languages.
UserRight	getUserRightByCode(java.lang.String code) Returns the UserRight with the specified code.
java.util.Collection	getUserRightsByCode(java.lang.String code) Returns all UserRights which code matches the specified search string.
boolean	isEditable(Item item, AttributeDescriptor descriptor) Asks all those extensions which implement RightsProvider if the attribute should be editable.
protected void	notifyItemRemoval(SessionContext ctx, Item item) Clears all permissions which are set for this item.
void	removeGlobalPermission(Principal caller, Principal principal, UserRight permission) Deprecated. since ages - please usePrincipal.clearGlobalPermission(UserRight) instead
void	removePermissionOn(Item item, Principal caller, Principal principal, UserRight permission) Removes the local assignment of a userright for a user on a specific item.
java.lang.Object	writeReplace()

Methods inherited from class de.hybris.platform.jalo.Manager

afterItemCreation, beforeItemCreation, destroy, getAllValuesSessionContext, getAttribute, getAttributeMap, getFirstItemByAttribute, getFirstItemByAttribute, getRemote, getRemoteManagerClass, getSession, getSingletonManagerInstance, getTenant, getTransientObject, getTransientObjectMap, init, setAttribute, setTenant, setTransientObject, unwrap, unwrap, wrap

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

BEAN_NAME

public static final java.lang.String BEAN_NAME

See Also:

Constant Field Values

READ

@Deprecated
public static final java.lang.String READ

Deprecated. since ages - Instead use PermissionsConstants.READ

See Also:

Constant Field Values

CHANGE

@Deprecated
public static final java.lang.String CHANGE

Deprecated. since ages - Instead use PermissionsConstants.CHANGE

See Also:

Constant Field Values

CHANGE_PERMISSIONS

@Deprecated
public static final java.lang.String CHANGE_PERMISSIONS

Deprecated. since ages - Instead use PermissionsConstants.CHANGE_PERMISSIONS

See Also:

Constant Field Values

CREATE

@Deprecated
public static final java.lang.String CREATE

Deprecated. since ages - Instead use PermissionsConstants.CREATE

See Also:

Constant Field Values

REMOVE

@Deprecated
public static final java.lang.String REMOVE

Deprecated. since ages - Instead use PermissionsConstants.REMOVE

See Also:

Constant Field Values

Constructor Detail

AccessManager

public AccessManager()

Method Detail

getInstance

public static AccessManager getInstance()

Returns:

instance of this manager

checkBeforeItemRemoval

protected void checkBeforeItemRemoval(SessionContext ctx,
                                      Item item)
                               throws ConsistencyCheckException

Superclass method overridden to avoid call to EJB layer.

Overrides:

checkBeforeItemRemoval in class Manager

Parameters:

ctx - the current session context

item - the item which should be removed

Throws:

ConsistencyCheckException - thrown to abort removal due to consistency errors

Since:

2.10

notifyItemRemoval

protected void notifyItemRemoval(SessionContext ctx,
                                 Item item)

Clears all permissions which are set for this item. If the item is a Principal it clears its permissions on any other item too.

Overrides:

notifyItemRemoval in class Manager

Parameters:

ctx - the currency session context

item - the item which is going to be removed

Since:

2.10

checkPermissionOn

public boolean checkPermissionOn(Item item,
                                 Principal principal,
                                 UserRight permission)

Checks permission on an item. This will give a positive result, if this userright was positively assigned to this item and user or (if not locally assigned) if it was positively globally assigned ti the user. If it was local (or global if not local ) negatively assigned the result is negative.
Since a user can be part of multiple UserGroups which might have their own rights assigned too, there is the case that positive and negative assignments might be found. In this case the reault is negative.
As you can see we have two kind of hierarchy in our security model: global and local permissions, and user and usergroup permissions. As a rule of thumb you should allwas expect local permissions and user permissions to be stronger than global and usergroup permissions.

The return values for item i, Principal p and UserRight r as table:

entry	return value	comment
none	false	default is 'not allowed'
(i,p,r,+)	true	user has permission
(i,p,r,-)	false	user has negative permission
(*,p,r,+)	true	user has global permission (item-independent)
(*,p,r,-)	false	user has negative global permission (item-independent)
(i,G(p),r,+)	true	(at least) one group of user has permission
(i,G(p),r,-)	false	groups of user have negative permissions (or none!)
(*,G(p),r,+)	true	(at least) one group of user has global permission
(*,G(p),r,-)	false	groups of user have negative global permissions (or none)
special cases
(*,G1(p),r,+) but also (*,G2(p),r,-)	false	if one group is not allowed the user is not allowed
(*,p,r,+) but also (i,p,r,-)	false	global permissions are overruled by item-permissions
(i,G(p),r,+) but also (i,p,r,-)	false	group permissions are overruled by principal permissions

Syntax: + ... positive permission
- ... negative permission
... permission is global (item-independent)
G(p)... the groups of principal p
G1(p), G2(p) ... groups of principal in two parts

Parameters:

item - the item to check the right for

principal - the user to check the right for

permission - the right to check

checkPermissionOn

public boolean checkPermissionOn(Item item,
                                 Principal principal,
                                 java.lang.String permissionCode)

Same as checkPermissionOn(Item,Principal,UserRight) but with the permissions code instead of passing the whole UserRight object.

removePermissionOn

public void removePermissionOn(Item item,
                               Principal caller,
                               Principal principal,
                               UserRight permission)
                        throws JaloSecurityException

Removes the local assignment of a userright for a user on a specific item. Since assignments can only be removed by ACL-owners of this item such one must be specified too.

Parameters:

item - the item to remove the assignment from

caller - the ACL-owner which is allowed to remove this assignment on this item

principal - the user to remove the assignment for

permission - the right to remove

Throws:

JaloSecurityException

addPositivePermissionOn

public void addPositivePermissionOn(Item item,
                                    Principal caller,
                                    Principal principal,
                                    UserRight permission)
                             throws JaloSecurityException

Positively assigns a right for a user to a item. Since assignments can only be created by ACL-owners of this item such one must be specified too.

Parameters:

item - the item to add the assignment to

caller - the ACL-owner which is allowed to add this assignment to this item

principal - the user to add the assignment for

permission - the right to add

Throws:

JaloSecurityException

addNegativePermissionOn

public void addNegativePermissionOn(Item item,
                                    Principal caller,
                                    Principal principal,
                                    UserRight permission)
                             throws JaloSecurityException

Negatively assigns a right for a user to a item (prohibition). Since assignments can only be created by ACL-owners of this item such one must be specified too.

Parameters:

item - the item to add the assignment to

caller - the ACL-owner which is allowed to add this assignment to this item

principal - the user to add the assignment for

permission - the right to add

Throws:

JaloSecurityException

addGlobalPermissions

public void addGlobalPermissions(Principal caller,
                                 java.util.Collection permissions)
                          throws JaloSecurityException

Assigns a list of global rights

Parameters:

caller - the ACL-owner which is allowed to add this assignment

permissions - a collection of PermissionContainers

Throws:

JaloSecurityException

checkPermission

public boolean checkPermission(Principal principal,
                               UserRight permission)

Checks a global permission for a user and a right. The result will only be positive if a positive global assignment for this user and this right exists.
Since a user can be part of multiple UserGroups which might have their own rights assigned too, there is the case that positive and negative assignments might be found. In this case the result is negative.

Parameters:

principal - the user to check the right for

permission - the right to check

checkPermission

public boolean checkPermission(Principal principal,
                               java.lang.String permissionCode)

Same as checkPermission(Principal,UserRight) but with the permissions code instead of passing the whole UserRight object.

removeGlobalPermission

@Deprecated
public void removeGlobalPermission(Principal caller,
                                               Principal principal,
                                               UserRight permission)
                                        throws JaloSecurityException

Deprecated. since ages - please usePrincipal.clearGlobalPermission(UserRight) instead

Removes the global assignment of a userright for a user on a specific item. Since assignments can only be removed by global ACL-owners such one must be specified too.

Parameters:

caller - the ACL-owner which is allowed to remove this assignment

principal - the user to remove the assignment for

permission - the right to remove

Throws:

JaloSecurityException

addGlobalPositivePermission

@Deprecated
public void addGlobalPositivePermission(Principal caller,
                                                    Principal principal,
                                                    UserRight permission)
                                             throws JaloSecurityException

Deprecated. since ages - please usePrincipal.addGlobalPositivePermission(UserRight) instead

Positively assigns a right for a user globally. Since assignments can only be created by global ACL-owners such one must be specified too.

Parameters:

caller - the ACL-owner which is allowed to add this assignment

principal - the user to add the assignment for

permission - the right to add

Throws:

JaloSecurityException

addGlobalNegativePermission

@Deprecated
public void addGlobalNegativePermission(Principal caller,
                                                    Principal principal,
                                                    UserRight permission)
                                             throws JaloSecurityException

Deprecated. since ages - please usePrincipal.addGlobalNegativePermission(UserRight) instead

Negatively assigns a right for a user globally(prohibition). Since assignments can only be created by global ACL-owners such one must be specified too.

Parameters:

caller - the ACL-owner which is allowed to add this assignment

principal - the user to add the assignment for

permission - the right to add

Throws:

JaloSecurityException

getGlobalPositivePermissions

public java.util.Collection getGlobalPositivePermissions(Principal principal)

Returns all globally positively assigned rights of a user.

Parameters:

principal - the user for which the rights are assigned

getGlobalNegativePermissions

public java.util.Collection getGlobalNegativePermissions(Principal principal)

Returns all globally negatively assigned rights of a user.

Parameters:

principal - the user for which the rights are assigned

getAllGlobalPositivePermissions

public java.util.Collection getAllGlobalPositivePermissions(Principal principal)

Returns all globally positively assigned rights of a user. Here also rights of usergroups which the user is in will be included.

Parameters:

principal - the user for which the rights are assigned

getAllGlobalNegativePermissions

public java.util.Collection getAllGlobalNegativePermissions(Principal principal)

Returns all globally negatively assigned rights of a user. Here also rights of usergroups which the user is in will be included.

Parameters:

principal - the user for which the rights are assigned

createUserRight

public UserRight createUserRight(java.lang.String code)
                          throws ConsistencyCheckException

Creates a new UserRight with a given code. This code must be unique.

Parameters:

code - the code of the user right

Returns:

a new user right object

Throws:

ConsistencyCheckException - if this code is already in use

See Also:

for notes on code name conventions

getUserRightsByCode

public java.util.Collection getUserRightsByCode(java.lang.String code)

Returns all UserRights which code matches the specified search string. The syntax of this string is equivalent to SQL LIKE statements.

Parameters:

code -

Returns:

Collection

getUserRightByCode

public UserRight getUserRightByCode(java.lang.String code)

Returns the UserRight with the specified code. Unlike getUserRightsByCode( String ) this method does only exact matching.

Parameters:

code -

getOrCreateUserRightByCode

public UserRight getOrCreateUserRightByCode(java.lang.String code)

Convenience method which first tries to get the user right with the given code and when such a user right does not exists, it will be created.

Parameters:

code -

getAllUserRights

public java.util.Collection getAllUserRights()

All existing userrights in the system.

isEditable

public boolean isEditable(Item item,
                          AttributeDescriptor descriptor)

Asks all those extensions which implement RightsProvider if the attribute should be editable.

Since:

2.20

getRestrictedLanguages

public java.util.Set<Language> getRestrictedLanguages(Item item)

Asks all those extensions which implement Extension.ResctrictedLanguageProvider for all available languages for the given item and returns the intersection of these languages.

Since:

3.00 (beta1)

checkLicence

public java.util.ArrayList checkLicence()

This Method returns a list with LicenceInfo objects. The size of this list is equal to how many licence terms exists.

Returns:

a list

getRestrictedItemsMapForPrincipal

public java.util.Map getRestrictedItemsMapForPrincipal(Principal p,
                                                       java.util.List permissionList)

getGlobalRestrictedPrincipals

public java.util.Collection getGlobalRestrictedPrincipals(UserRight permission)

getGlobalRestrictedPrincipals

public java.util.Collection getGlobalRestrictedPrincipals(PK permissionPK)

writeReplace

public java.lang.Object writeReplace()
                              throws java.io.ObjectStreamException

Specified by:

writeReplace in class Manager

Throws:

java.io.ObjectStreamException