原帖地址:http://bulain.javaeye.com/blog/24000
学习acegi-security
这几天对acegi研究了一下,现对这几天的研究做个总结。
网上资料对于acegi在web上的应用非常多,所以特意不从web入手,而从一般的java方法入手。
acegi的基本原理就是利用拦截器,对请求进行拦截,在拦截前和拦截后做些安全验证,以达到安全目的。所谓安全,一般包括两个部分,一为认证(authentication),二为授权(authorization)。
1,拦截器体系
acegi中拦截器为分为三类:
(1)filter拦截器(FilterSecurityInterceptor),主要对web应用进行拦截,即利用servlet的filter进行拦截。
(2)method拦截器,分为spring的method拦截器(MethodSecurityInterceptor)和aspectj的method拦截器(AspectJSecurityInterceptor)。
代码
-
public
abstract
class
AbstractSecurityInterceptor
implements
InitializingBean, ApplicationEventPublisherAware,
-
MessageSourceAware {
-
private
AccessDecisionManager accessDecisionManager;
-
private
AfterInvocationManager afterInvocationManager;
-
private
ApplicationEventPublisher eventPublisher;
-
private
AuthenticationManager authenticationManager;
-
protected
MessageSourceAccessor messages = AcegiMessageSource.getAccessor();
-
private
RunAsManager runAsManager =
new
NullRunAsManager();
-
private
boolean
alwaysReauthenticate =
false
;
-
private
boolean
rejectPublicInvocations =
false
;
-
private
boolean
validateConfigAttributes =
true
;
-
.........
-
-
protected
Object afterInvocation(InterceptorStatusToken token, Object returnedObject) {
-
............
-
SecurityContextHolder.getContext().setAuthentication(token.getAuthentication());
-
............
-
if
(afterInvocationManager !=
null
) {
-
returnedObject = afterInvocationManager.decide(token.getAuthentication(), token.getSecureObject(),token.getAttr(), returnedObject);
-
}
-
............
-
}
-
-
protected
InterceptorStatusToken beforeInvocation(Object object) {
-
............
-
authenticated =
this
.authenticationManager.authenticate(SecurityContextHolder.getContext().getAuthentication());
-
............
-
this
.accessDecisionManager.decide(authenticated, object, attr);
-
............
-
Authentication runAs =
this
.runAsManager.buildRunAs(authenticated, object, attr);
-
if
(runAs ==
null
) {
-
............
-
return
new
InterceptorStatusToken(authenticated,
false
, attr, object);
-
}
else
{
-
............
-
SecurityContextHolder.getContext().setAuthentication(runAs);
-
return
new
InterceptorStatusToken(authenticated,
true
, attr, object);
-
}
-
............
-
}
-
}
-
-
public
class
FilterSecurityInterceptor
extends
AbstractSecurityInterceptor
implements
Filter {
-
public
void
invoke(FilterInvocation fi)
throws
IOException, ServletException {
-
if
((fi.getRequest() !=
null
) && (fi.getRequest().getAttribute(FILTER_APPLIED) !=
null
)
-
&& observeOncePerRequest) {
-
-
fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
-
}
else
{
-
-
if
(fi.getRequest() !=
null
) {
-
fi.getRequest().setAttribute(FILTER_APPLIED, Boolean.TRUE);
-
}
-
-
InterceptorStatusToken token =
super
.beforeInvocation(fi);
-
-
try
{
-
fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
-
}
finally
{
-
super
.afterInvocation(token,
null
);
-
}
-
}
-
}
-
............
-
}
-
-
public
class
MethodSecurityInterceptor
extends
AbstractSecurityInterceptor
implements
MethodInterceptor {
-
public
Object invoke(MethodInvocation mi)
throws
Throwable {
-
Object result =
null
;
-
InterceptorStatusToken token =
super
.beforeInvocation(mi);
-
-
try
{
-
result = mi.proceed();
-
}
finally
{
-
result =
super
.afterInvocation(token, result);
-
}
-
-
return
result;
-
}
-
............
-
}
-
-
public
class
AspectJSecurityInterceptor
extends
AbstractSecurityInterceptor {
-
public
Object invoke(JoinPoint jp, AspectJCallback advisorProceed) {
-
Object result =
null
;
-
InterceptorStatusToken token =
super
.beforeInvocation(jp);
-
-
try
{
-
result = advisorProceed.proceedWithObject();
-
}
finally
{
-
result =
super
.afterInvocation(token, result);
-
}
-
-
return
result;
-
}
-
............
-
}
上面的代码片断已经显示,所有的真正参与验证的代码都在父类AbstractSecurityInterceptor.beforeInvocation()之中进行,而对于拦截器都只是做些委托罢了。这样可以把具体的验证代码同拦截器分开,也有利于扩展,用其他的aop技术或拦截器进行扩展,可以很轻松。
认证体系由AuthenticationManager负责,授权体系由AccessDecisionManager负责,RunAsManager 是作为用户身份转换的手段。AfterInvocationManager留下了一个接口,可以扩展默认的授权体系,可以做一些其他额外的工作。
在AbstractSecurityInterceptor.beforeInvocation()中,
首先进行认证,authenticated = this.authenticationManager.authenticate(SecurityContextHolder.getContext().getAuthentication());
其次进行授权,this.accessDecisionManager.decide(authenticated, object, attr);
AbstractSecurityInterceptor.afterInvocation()中,
做其他扩展,returnedObject = afterInvocationManager.decide(token.getAuthentication(), token.getSecureObject(),token.getAttr(), returnedObject);
2,认证体系
2.1认证管理器
认证体系的核心为AuthenticationManager,他的方法authenticate(Authentication authentication)负责所有的认证。在acegi中,由具体类ProviderManager来进行认证过程。
代码
-
public
interface
AuthenticationManager {
-
public
Authentication authenticate(Authentication authentication)
-
throws
AuthenticationException;
-
}
-
-
public
abstract
class
AbstractAuthenticationManager
-
implements
AuthenticationManager{
-
public
final
Authentication authenticate(Authentication authRequest)
-
throws
AuthenticationException {
-
try
{
-
Authentication authResult = doAuthentication(authRequest);
-
copyDetails(authRequest, authResult);
-
-
return
authResult;
-
}
catch
(AuthenticationException e) {
-
e.setAuthentication(authRequest);
-
throw
e;
-
}
-
}
-
-
private
void
copyDetails(Authentication source, Authentication dest) {
-
if
((dest
instanceof
AbstractAuthenticationToken) && (dest.getDetails() ==
null
)) {
-
AbstractAuthenticationToken token = (AbstractAuthenticationToken) dest;
-
-
token.setDetails(source.getDetails());
-
}
-
}
-
-
protected
abstract
Authentication doAuthentication(Authentication authentication)
-
throws
AuthenticationException;
-
-
.........
-
}
-
-
public
class
ProviderManager
extends
AbstractAuthenticationManager
implements
InitializingBean,
-
ApplicationEventPublisherAware, MessageSourceAware {
-
private
List providers;
-
............
-
public
Authentication doAuthentication(Authentication authentication)
-
throws
AuthenticationException {
-
.........
-
Iterator iter = providers.iterator();
-
............
-
while
(iter.hasNext()) {
-
.............
-
AuthenticationProvider provider = (AuthenticationProvider) iter.next();
-
.........
-
result = provider.authenticate(authentication);
-
............
-
}
-
............
-
}
-
.........
-
}
从上面代码片断可以看出,真正的认证过程是在ProviderManager.doAuthentication()中进行的。而ProviderManager并不是具体的认证者,他只是个管理器,它要将具体的认证过程委托给具体的认证器提供者AuthenticationProvider去做。
2.2认证提供者
认证提供者就有很多了,可以提供各种各样的认证。如dao,ldap,anonymous,authbyadapter,cas,jaas,remeberme,remote,runnasimpl,testing,x509等。
代码
-
public
interface
AuthenticationProvider {
-
public
Authentication authenticate(Authentication authentication)
throws
AuthenticationException;
-
public
boolean
supports(Class authentication);
-
}
具体的认证提供者类就不详细分析了,只提个名字:DaoAuthenticationProvider,LdapAuthenticationProvider,AnonymousAuthenticationProvider,AuthByAdapterProvider,CasAuthenticationProvider,JaasAuthenticationProvider,RememberMeAuthenticationProvider,RemoteAuthenticationProvider,RunAsImplAuthenticationProvider,TestingAuthenticationProvider,X509AuthenticationProvider。
3,授权体系
3.1授权管理器
授权体系的核心为授权管理器(AccessDecisionManager),它的方法decide(Authentication authentication, Object object, ConfigAttributeDefinition config)进行具体的授权动作。
代码
-
public
interface
AccessDecisionManager {
-
-
public
void
decide(Authentication authentication, Object object, ConfigAttributeDefinition config)
-
throws
AccessDeniedException, InsufficientAuthenticationException;
-
public
boolean
supports(ConfigAttribute attribute);
-
public
boolean
supports(Class clazz);
-
}
-
-
public
abstract
class
AbstractAccessDecisionManager
implements
AccessDecisionManager, InitializingBean,
-
MessageSourceAware {
-
private
List decisionVoters;
-
protected
MessageSourceAccessor messages = AcegiMessageSource.getAccessor();
-
private
boolean
allowIfAllAbstainDecisions =
false
;
-
-
public
boolean
supports(ConfigAttribute attribute) {
-
Iterator iter =
this
.decisionVoters.iterator();
-
-
while
(iter.hasNext()) {
-
AccessDecisionVoter voter = (AccessDecisionVoter) iter.next();
-
-
if
(voter.supports(attribute)) {
-
return
true
;
-
}
-
}
-
-
return
false
;
-
}
-
-
public
boolean
supports(Class clazz) {
-
Iterator iter =
this
.decisionVoters.iterator();
-
-
while
(iter.hasNext()) {
-
AccessDecisionVoter voter = (AccessDecisionVoter) iter.next();
-
-
if
(!voter.supports(clazz)) {
-
return
false
;
-
}
-
}
-
-
return
true
;
-
}
-
..............
-
}
-
-
public
class
AffirmativeBased
extends
AbstractAccessDecisionManager {
-
public
void
decide(Authentication authentication, Object object, ConfigAttributeDefinition config)
-
throws
AccessDeniedException {
-
Iterator iter =
this
.getDecisionVoters().iterator();
-
int
deny =
0
;
-
-
while
(iter.hasNext()) {
-
AccessDecisionVoter voter = (AccessDecisionVoter) iter.next();
-
int
result = voter.vote(authentication, object, config);
-
-
switch
(result) {
-
case
AccessDecisionVoter.ACCESS_GRANTED:
-
return
;
-
-
case
AccessDecisionVoter.ACCESS_DENIED:
-
deny++;
-
-
break
;
-
-
default
:
-
break
;
-
}
-
}
-
-
if
(deny >
0
) {
-
throw
new
AccessDeniedException(messages.getMessage(
"AbstractAccessDecisionManager.accessDenied"
,
-
"Access is denied"
));
-
}
-
-
-
checkAllowIfAllAbstainDecisions();
-
}
-
..............
-
}
-
-
public
class
ConsensusBased
extends
AbstractAccessDecisionManager {
-
public
void
decide(Authentication authentication, Object object, ConfigAttributeDefinition config)
-
throws
AccessDeniedException {
-
Iterator iter =
this
.getDecisionVoters().iterator();
-
int
grant =
0
;
-
int
deny =
0
;
-
int
abstain =
0
;
-
-
while
(iter.hasNext()) {
-
AccessDecisionVoter voter = (AccessDecisionVoter) iter.next();
-
int
result = voter.vote(authentication, object, config);
-
-
switch
(result) {
-
case
AccessDecisionVoter.ACCESS_GRANTED:
-
grant++;
-
-
break
;
-
-
case
AccessDecisionVoter.ACCESS_DENIED:
-
deny++;
-
-
break
;
-
-
default
:
-
abstain++;
-
-
break
;
-
}
-
}
-
-
if
(grant > deny) {
-
return
;
-
}
-
-
if
(deny > grant) {
-
throw
new
AccessDeniedException(messages.getMessage(
"AbstractAccessDecisionManager.accessDenied"
,
-
"Access is denied"
));
-
}
-
-
if
((grant == deny) && (grant !=
0
)) {
-
if
(
this
.allowIfEqualGrantedDeniedDecisions) {
-
return
;
-
}
else
{
-
throw
new
AccessDeniedException(messages.getMessage(
"AbstractAccessDecisionManager.accessDenied"
,
-
"Access is denied"
));
-
}
-
}
-
-
-
checkAllowIfAllAbstainDecisions();
-
}
-
..............
-
}
-
-
public
class
UnanimousBased
extends
AbstractAccessDecisionManager {
-
public
void
decide(Authentication authentication, Object object, ConfigAttributeDefinition config)
-
throws
AccessDeniedException {
-
int
grant =
0
;
-
int
abstain =
0
;
-
-
Iterator configIter = config.getConfigAttributes();
-
-
while
(configIter.hasNext()) {
-
ConfigAttributeDefinition thisDef =
new
ConfigAttributeDefinition();
-
thisDef.addConfigAttribute((ConfigAttribute) configIter.next());
-
-
Iterator voters =
this
.getDecisionVoters().iterator();
-
-
while
(voters.hasNext()) {
-
AccessDecisionVoter voter = (AccessDecisionVoter) voters.next();
-
int
result = voter.vote(authentication, object, thisDef);
-
-
switch
(result) {
-
case
AccessDecisionVoter.ACCESS_GRANTED:
-
grant++;
-
-
break
;
-
-
case
AccessDecisionVoter.ACCESS_DENIED:
-
throw
new
AccessDeniedException(messages.getMessage(
"AbstractAccessDecisionManager.accessDenied"
,
-
"Access is denied"
));
-
-
default
:
-
abstain++;
-
-
break
;
-
}
-
}
-
}
-
-
-
if
(grant >
0
) {
-
return
;
-
}
-
-
-
checkAllowIfAllAbstainDecisions();
-
}
-
..............
-
}
授权管理器AccessDecisionManager默认有三个实现,具体为AffirmativeBased,ConsensusBased,UnanimousBased。三个具体实现都大同小异,主要在具有角色是否应该授权上。
而具体能否单个角色是否授权,是委派给AccessDecisionVoter去做的。
3.2授权投票者
授权投票责的核心是接口AccessDecisionVoter。他有几个具体实现类:BasicAclEntryVoter,AuthenticatedVoter,RoleVoter。
代码
-
public
interface
AccessDecisionVoter {
-
-
public
static
final
int
ACCESS_GRANTED =
1
;
-
public
static
final
int
ACCESS_ABSTAIN =
0
;
-
public
static
final
int
ACCESS_DENIED = -
1
;
-
-
public
boolean
supports(ConfigAttribute attribute);
-
public
boolean
supports(Class clazz);
-
public
int
vote(Authentication authentication, Object object, ConfigAttributeDefinition config);
-
}
-
-
public
abstract
class
AbstractAclVoter
implements
AccessDecisionVoter {
-
public
boolean
supports(Class clazz) {
-
if
(MethodInvocation.
class
.isAssignableFrom(clazz)) {
-
return
true
;
-
}
else
if
(JoinPoint.
class
.isAssignableFrom(clazz)) {
-
return
true
;
-
}
else
{
-
return
false
;
-
}
-
}
-
............
-
}
-
-
public
class
BasicAclEntryVoter
extends
AbstractAclVoter
implements
InitializingBean {
-
private
AclManager aclManager;
-
private
String internalMethod;
-
private
String processConfigAttribute;
-
private
int
[] requirePermission;
-
-
public
boolean
supports(ConfigAttribute attribute) {
-
if
((attribute.getAttribute() !=
null
) && attribute.getAttribute().startsWith(getProcessConfigAttribute())) {
-
return
true
;
-
}
else
{
-
return
false
;
-
}
-
}
-
-
public
int
vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
-
Iterator iter = config.getConfigAttributes();
-
-
while
(iter.hasNext()) {
-
ConfigAttribute attr = (ConfigAttribute) iter.next();
-
-
if
(
this
.supports(attr)) {
-
-
-
Object domainObject = getDomainObjectInstance(object);
-
-
-
if
(domainObject ==
null
) {
-
if
(logger.isDebugEnabled()) {
-
logger.debug(
"Voting to abstain - domainObject is null"
);
-
}
-
-
return
AccessDecisionVoter.ACCESS_ABSTAIN;
-
}
-
-
-
if
((internalMethod !=
null
) && !
""
.equals(internalMethod)) {
-
try
{
-
Class clazz = domainObject.getClass();
-
Method method = clazz.getMethod(internalMethod,
new
Class[] {});
-
domainObject = method.invoke(domainObject,
new
Object[] {});
-
}
catch
(NoSuchMethodException nsme) {
-
throw
new
AuthorizationServiceException(
"Object of class '"
+ domainObject.getClass()
-
+
"' does not provide the requested internalMethod: "
+ internalMethod);
-
}
catch
(IllegalAccessException iae) {
-
if
(logger.isDebugEnabled()) {
-
logger.debug(
"IllegalAccessException"
, iae);
-
-
if
(iae.getCause() !=
null
) {
-
logger.debug(
"Cause: "
+ iae.getCause().getMessage(), iae.getCause());
-
}
-
}
-
-
throw
new
AuthorizationServiceException(
"Problem invoking internalMethod: "
+ internalMethod
-
+
" for object: "
+ domainObject);
-
}
catch
(InvocationTargetException ite) {
-
if
(logger.isDebugEnabled()) {
-
logger.debug(
"InvocationTargetException"
, ite);
-
-
if
(ite.getCause() !=
null
) {
-
logger.debug(
"Cause: "
+ ite.getCause().getMessage(), ite.getCause());
-
}
-
}
-
-
throw
new
AuthorizationServiceException(
"Problem invoking internalMethod: "
+ internalMethod
-
+
" for object: "
+ domainObject);
-
}
-
}
-
-
-
AclEntry[] acls = aclManager.getAcls(domainObject, authentication);
-
-
-
if
((acls ==
null
) || (acls.length ==
0
)) {
-
if
(logger.isDebugEnabled()) {
-
logger.debug(
"Voting to deny access - no ACLs returned for this principal"
);
-
}
-
-
return
AccessDecisionVoter.ACCESS_DENIED;
-
}
-
-
-
for
(
int
i =
0
; i < acls.length; i++) {
-
-
if
(acls[i]
instanceof
BasicAclEntry) {
-
BasicAclEntry processableAcl = (BasicAclEntry) acls[i];
-
-
-
for
(
int
y =
0
; y < requirePermission.length; y++) {
-
if
(processableAcl.isPermitted(requirePermission[y])) {
-
if
(logger.isDebugEnabled()) {
-
logger.debug(
"Voting to grant access"
);
-
}
-
-
return
AccessDecisionVoter.ACCESS_GRANTED;
-
}
-
}
-
}
-
}
-
-
-
if
(logger.isDebugEnabled()) {
-
logger.debug(
-
"Voting to deny access - ACLs returned, but insufficient permissions for this principal"
);
-
}
-
-
return
AccessDecisionVoter.ACCESS_DENIED;
-
}
-
}
-
-
return
AccessDecisionVoter.ACCESS_ABSTAIN;
-
}
-
...............
-
}
-
-
public
class
AuthenticatedVoter
implements
AccessDecisionVoter {
-
-
public
static
final
String IS_AUTHENTICATED_FULLY =
"IS_AUTHENTICATED_FULLY"
;
-
public
static
final
String IS_AUTHENTICATED_REMEMBERED =
"IS_AUTHENTICATED_REMEMBERED"
;
-
public
static
final
String IS_AUTHENTICATED_ANONYMOUSLY =
"IS_AUTHENTICATED_ANONYMOUSLY"
;
-
-
private
AuthenticationTrustResolver authenticationTrustResolver =
new
AuthenticationTrustResolverImpl();
-
-
private
boolean
isFullyAuthenticated(Authentication authentication) {
-
return
(!authenticationTrustResolver.isAnonymous(authentication)
-
&& !authenticationTrustResolver.isRememberMe(authentication));
-
}
-
-
public
void
setAuthenticationTrustResolver(AuthenticationTrustResolver authenticationTrustResolver) {
-
Assert.notNull(authenticationTrustResolver,
"AuthenticationTrustResolver cannot be set to null"
);
-
this
.authenticationTrustResolver = authenticationTrustResolver;
-
}
-
-
public
boolean
supports(ConfigAttribute attribute) {
-
if
((attribute.getAttribute() !=
null
)
-
&& (IS_AUTHENTICATED_FULLY.equals(attribute.getAttribute())
-
|| IS_AUTHENTICATED_REMEMBERED.equals(attribute.getAttribute())
-
|| IS_AUTHENTICATED_ANONYMOUSLY.equals(attribute.getAttribute()))) {
-
return
true
;
-
}
else
{
-
return
false
;
-
}
-
}
-
-
public
boolean
supports(Class clazz) {
-
return
true
;
-
}
-
-
public
int
vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
-
int
result = ACCESS_ABSTAIN;
-
Iterator iter = config.getConfigAttributes();
-
-
while
(iter.hasNext()) {
-
ConfigAttribute attribute = (ConfigAttribute) iter.next();
-
-
if
(
this
.supports(attribute)) {
-
result = ACCESS_DENIED;
-
-
if
(IS_AUTHENTICATED_FULLY.equals(attribute.getAttribute())) {
-
if
(isFullyAuthenticated(authentication)) {
-
return
ACCESS_GRANTED;
-
}
-
}
-
-
if
(IS_AUTHENTICATED_REMEMBERED.equals(attribute.getAttribute())) {
-
if
(authenticationTrustResolver.isRememberMe(authentication)
-
|| isFullyAuthenticated(authentication)) {
-
return
ACCESS_GRANTED;
-
}
-
}
-
-
if
(IS_AUTHENTICATED_ANONYMOUSLY.equals(attribute.getAttribute())) {
-
if
(authenticationTrustResolver.isAnonymous(authentication) || isFullyAuthenticated(authentication)
-
|| authenticationTrustResolver.isRememberMe(authentication)) {
-
return
ACCESS_GRANTED;
-
}
-
}
-
}
-
}
-
-
return
result;
-
}
-
}
-
-
public
class
RoleVoter
implements
AccessDecisionVoter {
-
private
String rolePrefix =
"ROLE_"
;
-
-
public
boolean
supports(ConfigAttribute attribute) {
-
if
((attribute.getAttribute() !=
null
) && attribute.getAttribute().startsWith(getRolePrefix())) {
-
return
true
;
-
}
else
{
-
return
false
;
-
}
-
}
-
-
public
boolean
supports(Class clazz) {
-
return
true
;
-
}
-
-
public
int
vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
-
int
result = ACCESS_ABSTAIN;
-
Iterator iter = config.getConfigAttributes();
-
-
while
(iter.hasNext()) {
-
ConfigAttribute attribute = (ConfigAttribute) iter.next();
-
-
if
(
this
.supports(attribute)) {
-
result = ACCESS_DENIED;
-
-
for
(
int
i =
0
; i < authentication.getAuthorities().length; i++) {
-
if
(attribute.getAttribute().equals(authentication.getAuthorities()[i].getAuthority())) {
-
return
ACCESS_GRANTED;
-
}
-
}
-
}
-
}
-
return
result;
-
}
-
}
这三个授权投票实现类中 acl 又最复杂。他会委托给acl管理器(AclManager)来做具体的授权工作。
3.3acl授权体系
AclManager只有一个实现类AclProviderManager ,负责提供acl授权实体。
代码
-
public
interface
AclManager {
-
-
public
AclEntry[] getAcls(Object domainInstance);
-
public
AclEntry[] getAcls(Object domainInstance, Authentication authentication);
-
}
-
-
public
class
AclProviderManager
implements
AclManager, InitializingBean {
-
public
AclEntry[] getAcls(Object domainInstance) {
-
Assert.notNull(domainInstance,
"domainInstance is null - violating interface contract"
);
-
-
Iterator iter = providers.iterator();
-
-
while
(iter.hasNext()) {
-
AclProvider provider = (AclProvider) iter.next();
-
-
if
(provider.supports(domainInstance)) {
-
if
(logger.isDebugEnabled()) {
-
logger.debug(
"ACL lookup using "
+ provider.getClass().getName());
-
}
-
-
return
provider.getAcls(domainInstance);
-
}
-
}
-
-
if
(logger.isDebugEnabled()) {
-
logger.debug(
"No AclProvider found for "
+ domainInstance.toString());
-
}
-
-
return
null
;
-
}
-
-
public
AclEntry[] getAcls(Object domainInstance, Authentication authentication) {
-
Assert.notNull(domainInstance,
"domainInstance is null - violating interface contract"
);
-
Assert.notNull(authentication,
"authentication is null - violating interface contract"
);
-
-
Iterator iter = providers.iterator();
-
-
while
(iter.hasNext()) {
-
AclProvider provider = (AclProvider) iter.next();
-
-
if
(provider.supports(domainInstance)) {
-
if
(logger.isDebugEnabled()) {
-
logger.debug(
"ACL lookup using "
+ provider.getClass().getName());
-
}
-
-
return
provider.getAcls(domainInstance, authentication);
-
}
else
{
-
if
(logger.isDebugEnabled()) {
-
logger.debug(
"Provider "
+ provider.toString() +
" does not support "
+ domainInstance);
-
}
-
}
-
}
-
-
if
(logger.isDebugEnabled()) {
-
logger.debug(
"No AclProvider found for "
+ domainInstance.toString());
-
}
-
-
return
null
;
-
}
-
.........
-
}
posted on 2006-12-28 23:52
OMG 阅读(1317)
评论(0) 编辑 收藏 所属分类:
Auth/acegi