Index: topia-security/src/java/org/codelutin/topia/security/TopiaSecurityService.java diff -u topia-security/src/java/org/codelutin/topia/security/TopiaSecurityService.java:1.1 topia-security/src/java/org/codelutin/topia/security/TopiaSecurityService.java:1.2 --- topia-security/src/java/org/codelutin/topia/security/TopiaSecurityService.java:1.1 Wed Oct 18 08:46:34 2006 +++ topia-security/src/java/org/codelutin/topia/security/TopiaSecurityService.java Fri Oct 27 08:03:39 2006 @@ -1,6 +1,5 @@ package org.codelutin.topia.security; -import org.codelutin.topia.TopiaException; import org.codelutin.topia.framework.TopiaService; public interface TopiaSecurityService extends TopiaService { @@ -13,7 +12,7 @@ * @throws TopiaSecurityException */ public abstract void checkPermission(Class entityClass, int actions) - throws TopiaException; + throws SecurityException; /** * Vérifie si l'utilisateur actuellement loggué a le droit d'accéder à @@ -23,6 +22,6 @@ * @throws TopiaSecurityException */ public abstract void checkPermission(String topiaId, int actions) - throws TopiaException; + throws SecurityException; } Index: topia-security/src/java/org/codelutin/topia/security/TopiaSecurityServiceImpl.java diff -u topia-security/src/java/org/codelutin/topia/security/TopiaSecurityServiceImpl.java:1.4 topia-security/src/java/org/codelutin/topia/security/TopiaSecurityServiceImpl.java:1.5 --- topia-security/src/java/org/codelutin/topia/security/TopiaSecurityServiceImpl.java:1.4 Wed Oct 25 09:13:29 2006 +++ topia-security/src/java/org/codelutin/topia/security/TopiaSecurityServiceImpl.java Fri Oct 27 08:03:39 2006 
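Review bot: The Javadoc on both changed methods (hunks at -13 and -23) still says `@throws TopiaSecurityException` while the new signatures declare `throws SecurityException`, so the documented and declared exception types now disagree. Update both tags to `* @throws SecurityException if the current user lacks the requested permission on the target`, or point them at whichever type the implementation actually throws. If this resolves to `java.lang.SecurityException` (no import is added, so that is the likely reading), it is unchecked: the `throws` clause is documentary only, and callers that previously had to handle `TopiaException` get no compile-time reminder that a denial can be raised, which is worth stating in the interface Javadoc.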
@@ -22,12 +22,13 @@ import static org.codelutin.topia.security.util.TopiaSecurityUtil.TOPIA_SECURITY_PERSISTENCE_CLASSES; -import java.security.AccessControlException; import java.security.AccessController; import java.security.Permission; +import java.util.ArrayList; import java.util.Collection; import java.util.Collections; import java.util.HashSet; +import java.util.List; import java.util.Map; import java.util.Set; @@ -50,18 +51,18 @@ import org.codelutin.topia.security.entities.authorization.TopiaEntityAuthorization; import org.codelutin.topia.security.entities.authorization.TopiaEntityAuthorizationDAO; import org.codelutin.topia.security.entities.authorization.TopiaEntityAuthorizationImpl; -import org.codelutin.topia.security.entities.authorization.TopiaIdLink; -import org.codelutin.topia.security.entities.authorization.TopiaIdLinkDAO; +import org.codelutin.topia.security.entities.authorization.TopiaExpressionLink; +import org.codelutin.topia.security.entities.authorization.TopiaExpressionLinkDAO; import org.codelutin.topia.security.entities.user.TopiaGroupDAO; import org.codelutin.topia.security.entities.user.TopiaUser; import org.codelutin.topia.security.entities.user.TopiaUserDAO; import org.codelutin.topia.security.jaas.TopiaConfiguration; import org.codelutin.topia.security.jaas.TopiaPermission; import org.codelutin.topia.security.jaas.TopiaPolicy; -import org.codelutin.topia.security.listener.PropertyReadListener; -import org.codelutin.topia.security.listener.PropertyWriteListener; import org.codelutin.topia.security.listener.EntityVetoable; +import org.codelutin.topia.security.listener.PropertyReadListener; import org.codelutin.topia.security.listener.PropertyVetoable; +import org.codelutin.topia.security.listener.PropertyWriteListener; import org.codelutin.topia.security.util.TopiaSecurityCaching; import org.codelutin.topia.security.util.TopiaSecurityUtil; 
@@ -208,11 +209,11 @@ /** * Permet de récupérer le DAO dans le contexte de sécurité. - * @return DAO du TopiaIdLinkDAO + * @return DAO du TopiaExpressionLinkDAO */ - public TopiaIdLinkDAO getTopiaIdLinkDAO() { + public TopiaExpressionLinkDAO getTopiaIdLinkDAO() { try { - return TopiaServiceDAOHelper.getTopiaIdLinkDAO(getSecurityContext()); + return TopiaServiceDAOHelper.getTopiaExpressionLinkDAO(getSecurityContext()); } catch (TopiaException te) { log.error("Recuperation du TopiaLinkAuthorizationDAO impossible", te); } 
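Review bot: `getTopiaIdLinkDAO()` now returns a `TopiaExpressionLinkDAO` while its name still says IdLink, and the error log in the catch names a third type, `TopiaLinkAuthorizationDAO`, so a reader following a failure message lands on the wrong class. At minimum the log line should name what the method fetches, `log.error("Recuperation du TopiaExpressionLinkDAO impossible", te);`; renaming the accessor to `getTopiaExpressionLinkDAO()` would match the helper it delegates to, if its callers can be updated. The new `getAllPossibleExpression` (hunk at -336) queries the security context directly rather than going through this accessor, so the method may now be unused in this class; its tail after the catch lies outside the hunk.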
@@ -336,31 +337,35 @@ } /** - * Renvoi l'identifiant qui remplace l'identifiant en cours d'après la table - * de correspondance TopiaIdLink. + * Renvoi les identifiants qui remplacent l'identifiant en cours d'après la table + * de correspondance TopiaExpressionLink. * @param topiaId identifiant à remplacer * @return retourne l'identifiant remplacé * @throws TopiaException */ - protected String replaceByTopiaIdLink(String topiaId) throws TopiaException { - TopiaIdLinkDAO linkDAO = getTopiaIdLinkDAO(); - TopiaIdLink link = linkDAO.findByReplace(topiaId); - if(link == null) { - return topiaId; - } else { - return link.getBy(); + //FIXME : Voir si on peut mettre en relation un objet vers plusieurs objets + protected List getAllPossibleExpression(String topiaId) throws TopiaException { + List allBy = getSecurityContext().find("select distinct link.by from " + + TopiaExpressionLink.class.getName() + " link where link.replace=?", + topiaId); + + if(allBy == null) { + allBy = new ArrayList(); } + + allBy.add(topiaId); + return allBy; } /* (non-Javadoc) * @see org.codelutin.topia.security.TopiaSecurityService#checkPermission(java.lang.Class, int) */ - public void checkPermission(Class entityClass, int actions) throws TopiaException { + public void checkPermission(Class entityClass, int actions) throws SecurityException { if (log.isTraceEnabled()) { log.trace("Checking permissions to entity class : " + entityClass); } if (entityClass == null) { - throw new TopiaException("Class cannot be null"); + throw new SecurityException("Class cannot be null"); } String topiaId = entityClass.getName() + "#*"; checkPermission(topiaId, actions); 
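Review bot: As printed, `getAllPossibleExpression` is declared with a raw `List`, and the caller in the next hunk (-369) iterates it with `for (String expression : expressions)`, which does not compile against a raw `List` (its elements are `Object`); unless the type arguments were lost in rendering, the signature should be `protected List<String> getAllPossibleExpression(String topiaId) throws TopiaException {` with `List<String> expressions;` at the call site. The Javadoc is also stale: `@return retourne l'identifiant remplacé` still describes a single id and should read `@return the linked replacement expressions followed by topiaId itself; never null`. From an injection standpoint the query is sound as written, since only the class-name constant is concatenated and `topiaId` is bound through the `?` placeholder, which is worth preserving when the FIXME is addressed.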
@@ -369,18 +374,31 @@ /* (non-Javadoc) * @see org.codelutin.topia.security.TopiaSecurityService#checkPermission(java.lang.String, int) */ - public void checkPermission(String topiaId, int actions) throws TopiaException { - Subject subj = Subject.getSubject(AccessController.getContext()); - if (subj != null) { + public void checkPermission(String topiaId, int actions) throws SecurityException { + List expressions; + Subject subject = Subject.getSubject(AccessController.getContext()); + if (subject != null) { try { + expressions = getAllPossibleExpression(topiaId); + } catch (TopiaException te) { + throw new SecurityException("Replace expression for link failed", te); + } + + boolean authorized = false; + for (String expression : expressions) { TopiaEntityAuthorization authorization = new TopiaEntityAuthorizationImpl( - replaceByTopiaIdLink(topiaId), actions, subj.getPrincipals()); - AccessController.checkPermission(new TopiaPermission(authorization)); - } catch (AccessControlException e) { - throw new TopiaException("access denied to object \"" + topiaId + "\" for \"" + subj + "\"", e); + expression, actions, subject.getPrincipals()); + try { + AccessController.checkPermission(new TopiaPermission(authorization)); + authorized = true; + break; + } catch (SecurityException se) { + authorized = false; + } } - if (log.isTraceEnabled()) { - log.trace("Permission granted for entity : " + topiaId); + + if(!authorized) { + throw new SecurityException("Access denied to object \"" + topiaId + "\" for \"" + subject + "\""); } } else { if(log.isWarnEnabled()) { @@ -388,5 +406,4 @@ } } } - }
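Review bot: When no `Subject` is attached to the access-control context, the new `checkPermission(String, int)` takes the `else` branch, and the visible part of that branch only guards a warning log; if nothing after the hunk throws, an unauthenticated caller is never denied, so an explicit `throw new SecurityException("No subject in access control context for \"" + topiaId + "\"");` after the warning would make the check fail closed. The denial path also discards the `SecurityException` raised by `AccessController.checkPermission` for each expression, so the reason for the refusal is lost; keeping the last one in a local and passing it as the cause, `throw new SecurityException("Access denied to object \"" + topiaId + "\" for \"" + subject + "\"", lastDenied);`, preserves the diagnostic the old code chained into `TopiaException`. `authorized = false;` inside the catch is a no-op, since the flag is only set to true immediately before `break`. The method's closing braces continue past this hunk.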