requirementauthorizer.java

来自「一个很好的开源项目管理系统源代码」· Java 代码 · 共 132 行

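package net.java.workeffort.service.security;

import java.util.HashMap;
import java.util.Map;

import net.java.workeffort.infrastructure.context.RequestContextHolder;
import net.java.workeffort.infrastructure.security.AuthorizationException;
import net.java.workeffort.infrastructure.security.ISecurityProfile;
import net.java.workeffort.infrastructure.view.ViewHelper;
import net.java.workeffort.service.BaseService;

import org.aopalliance.intercept.MethodInvocation;
import org.apache.commons.beanutils.PropertyUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/**
 * Fine grained authorizer for requirement at a data level.
 * <p>
 * See configuration of 'requirementService' in file 'application-context.xml'.
 * <p>
 * Enforcement happens in {@link #preMethodInvocation}, which throws before the
 * service method runs. {@link #postMethodInvocation} only publishes a display
 * mode for the view; it does not block anything by itself.
 * @author Antony Joseph
 */
public class RequirementAuthorizer implements IServiceAuthorizer {
    protected static final Log logger = LogFactory
            .getLog(RequirementAuthorizer.class);

    /**
     * A user can update a requirement record only if they are the owner.
     * <p>
     * A DENIED decision is rejected outright. A CONDITIONAL decision is
     * allowed only when the first method argument identifies a requirement
     * owned by the caller; a missing or null first argument is rejected with
     * an {@link AuthorizationException} instead of failing with an index or
     * property-access error.
     * @param securityProfile The security profile
     * @param invocation The method invocation.
     * @throws AuthorizationException if access is denied, or is conditional
     *             and ownership cannot be established.
     */
    public void preMethodInvocation(ISecurityProfile securityProfile,
            MethodInvocation invocation) throws AuthorizationException {
        String target = getTarget(invocation);
        String operation = invocation.getMethod().getName();
        int accessDecision = securityProfile.getAccessDecision(target,
                operation);

        if (accessDecision == ISecurityProfile.DENIED) {
            throw new AuthorizationException("Authorization failed. partyCd="
                    + securityProfile.getPartyCd() + " target=" + target
                    + " operation=" + operation);
        }
        else if (accessDecision == ISecurityProfile.CONDITIONAL) {
            Object[] args = invocation.getArguments();
            // Without an argument there is nothing to check ownership
            // against, so the call is refused rather than let through.
            Object requirementArg = (args != null && args.length > 0) ? args[0]
                    : null;
            if (requirementArg == null
                    || !isOwnerOfRequirement(securityProfile, invocation,
                            requirementArg))
                throw new AuthorizationException(
                        "Authorization failed. Not owner of requirement. partyCd="
                                + securityProfile.getPartyCd() + " target="
                                + target + " operation=" + operation);
        }
        // NOTE(review): any decision value other than DENIED or CONDITIONAL
        // falls through and the call proceeds. Confirm getAccessDecision can
        // only return DENIED, CONDITIONAL or ALLOWED; otherwise an unknown
        // value is treated as allowed.
    }

    /**
     * When querying a requirement, set mode in request context. The 'mode' is
     * used by view to display the form in update/viewonly modes etc.
     * <p>
     * Only acts on calls to <code>getRequirement</code>. The mode is derived
     * from the caller's decision for "RequirementService"/"updateRequirement":
     * ALLOWED gives update/delete mode, CONDITIONAL gives update/delete mode
     * only when the caller's party code equals the result's
     * <code>ownerCd</code>, and everything else gives view-only mode.
     * @param securityProfile The users security profile
     * @param invocation The invocation method
     * @param resultObject The result object of the method invocation. (See
     *            <code>SecurityInterceptor</code>)
     * @throws AuthorizationException declared by the interface; not thrown by
     *             this implementation.
     */
    public void postMethodInvocation(ISecurityProfile securityProfile,
            MethodInvocation invocation, Object resultObject)
            throws AuthorizationException {
        if (!"getRequirement".equals(invocation.getMethod().getName()))
            return;

        String mode;
        // NOTE(review): the target name is hard-coded here, while
        // preMethodInvocation derives it from the invoked object's class.
        // Confirm both resolve to the same entry in the security profile.
        int accessDecision = securityProfile.getAccessDecision(
                "RequirementService", "updateRequirement");

        if (accessDecision == ISecurityProfile.CONDITIONAL) {
            String partyCd = securityProfile.getPartyCd();
            if (resultObject == null || partyCd == null) {
                // No record or no caller identity: ownership cannot be
                // shown, so fall back to the least-privileged mode instead
                // of failing on the property lookup or the comparison.
                mode = ViewHelper.VIEWONLY_MODE;
            }
            else {
                String ownerCd;
                try {
                    ownerCd = (String) PropertyUtils.getSimpleProperty(
                            resultObject, "ownerCd");
                }
                catch (Exception e) {
                    throw new RuntimeException(e);
                }
                // Compare from the non-null side; a null ownerCd never
                // matches and therefore yields view-only.
                mode = partyCd.equals(ownerCd) ? ViewHelper.UPDATE_DELETE_MODE
                        : ViewHelper.VIEWONLY_MODE;
            }
        }
        else if (accessDecision == ISecurityProfile.ALLOWED) {
            mode = ViewHelper.UPDATE_DELETE_MODE;
        }
        else {
            mode = ViewHelper.VIEWONLY_MODE;
        }

        if (logger.isInfoEnabled())
            logger.info("mode being set to " + mode
                    + " in RequirementAuthorizer");
        RequestContextHolder.getRequestContext().setMode(mode);
    }

    /**
     * Checks whether the caller owns the requirement identified by
     * <code>arg</code>.
     * <p>
     * Runs the named query "Requirement.getRequirementOwner" (definition not
     * shown in this file) with the requirement id and the caller's party code
     * passed as map parameters; a non-null result means owner.
     * @param securityProfile The security profile supplying the party code
     * @param invocation The invocation whose target provides the DAO
     * @param arg Either the requirement id as a <code>Long</code>, or an
     *            object exposing a <code>requirementId</code> property
     * @return true if the query returns a row, false otherwise
     */
    private boolean isOwnerOfRequirement(ISecurityProfile securityProfile,
            MethodInvocation invocation, Object arg)
            throws AuthorizationException {
        Map params = new HashMap();
        if (arg instanceof Long) {
            params.put("requirementId", arg);
        }
        else {
            // arg is of type Requirement
            try {
                params.put("requirementId", PropertyUtils.getSimpleProperty(
                        arg, "requirementId"));
            }
            catch (Exception e) {
                throw new RuntimeException(
                        "Error getting property requirementId from arg:" + arg,
                        e);
            }
        }
        params.put("partyCd", securityProfile.getPartyCd());

        BaseService service = (BaseService) invocation.getThis();
        return service.getDao().queryForObject(
                "Requirement.getRequirementOwner", params) != null;
    }

    /**
     * Returns the simple class name of the invoked object, which is used as
     * the target name when asking the security profile for a decision.
     */
    private String getTarget(MethodInvocation invocation) {
        return StringUtils.substringAfterLast(invocation.getThis().getClass()
                .getName(), ".");
    }
}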
