我想创建一个BasicPermission的子类来添加动作,根据java文档应该是可能的:
如果需要,子类可以在BasicPermission之上实现操作。
这是我最初的尝试:
public class BasicPermissionWithActions extends BasicPermission {
String actions;
String[] actionList;
String name;
public BasicPermissionWithActions(String name, String actions) {
super(name, actions);
this.actions = actions;
this.actionList = actions.split("\\,");
this.name = name;
}
private static final long serialVersionUID = 7608854273379948062L;
@Override
public boolean implies(Permission p) {
// name and class check can be done by super
if (!super.implies(p))
return false;
// now check actions
String requestedActions = p.getActions();
String[] requestedActionList = requestedActions.split("\\,");
for (String requestedAction : requestedActionList) {
if (!hasRequestedAction(requestedAction))
return false;
}
return true;
}
private boolean hasRequestedAction(String requestedAction) {
for (String action : actionList) {
if (action.equals(requestedAction))
return true;
}
return false;
}
@Override
public String getActions() {
return actions;
}
@Override
public int hashCode() {
final int prime = 31;
int result = super.hashCode();
result = prime * result + ((actions == null) ? 0 : actions.hashCode());
result = prime * result + ((name == null) ? 0 : name.hashCode());
return result;
}
@Override
public boolean equals(Object obj) {
if (this == obj)
return true;
if (!super.equals(obj))
return false;
if (getClass() != obj.getClass())
return false;
BasicPermissionWithActions other = (BasicPermissionWithActions) obj;
if (actions == null) {
if (other.actions != null)
return false;
} else if (!actions.equals(other.actions))
return false;
if (name == null) {
if (other.name != null)
return false;
} else if (!name.equals(other.name))
return false;
return true;
}
@Override
public String toString() {
return "(\"" + this.getClass().getName() + "\" \"" + name + "\" \"" + actions + "\")";
}
在政策文件中使用此权限授予访问权限的条目(在这种情况下,我指定的权限不足以允许所需的操作):
grant principal sample.principal.SampleGroup "TestGroup" {
permission BasicPermissionWithActions "*", "read";
};
检查权限的代码:
rep.getAccessControlContext().checkPermission(new BasicPermissionWithActions(getName(), "write"));
我希望此检查失败,因为策略仅指定了读取操作。然而,支票安静地通过。
问题在于,只要策略文件中的权限具有名称" *",就不会检查操作。在调试模式下运行表明从不调用方法BasicPermissionWithActions.implies方法。
如果我省略了策略文件的权限,我会收到预期的安全异常,但我无法使操作有效。
答案 0 :(得分:2)
问题与PermissionCollection有关。 BasicPermission实现自己的PermissionCollection以获得更好的性能。不幸的是,这个实现做了一些简化的假设,打破了子类的语义。具体来说,它实现了“*”的快捷方式,绕过Permission.implies方法并始终返回true。
解决方案是实现一个自定义的PermissionCollection,它只调用其成员的Permission.implies方法:
private class CustomPermissionCollection extends PermissionCollection {
private static final long serialVersionUID = 5654758059940546018L;
Collection<Permission> perms = new ArrayList<Permission>();
@Override
public void add(Permission permission) {
perms.add(permission);
}
@Override
public boolean implies(Permission permission) {
for (Permission p : perms) {
if (p.implies(permission))
return true;
}
return false;
}
@Override
public Enumeration<Permission> elements() {
return Collections.enumeration(perms);
}
}
并在BasicPermissionWithActions的newPermissionCollection方法中返回它
@Override
public PermissionCollection newPermissionCollection() {
return new CustomPermissionCollection();
}