added arbitrary dynamic security

commit d91fd3ab70af664fffa8fe4f911fc4a95dd746c4 1 parent f3f3180
Steve Chaloner authored
Showing with 597 additions and 4 deletions.
  1. +1 −0  README.textile
  2. +8 −0 app/controllers/deadbolt/AbstractDeadboltHandler.java
  3. +99 −0 app/controllers/deadbolt/Deadbolt.java
  4. +7 −0 app/controllers/deadbolt/DeadboltHandler.java
  5. +2 −0  app/controllers/deadbolt/ExternalRestrictions.java
  6. +2 −0  app/controllers/deadbolt/Restrict.java
  7. +49 −0 app/controllers/deadbolt/RestrictedResource.java
  8. +41 −0 app/controllers/deadbolt/RestrictedResourcesHandler.java
  9. +2 −0  app/controllers/deadbolt/Restrictions.java
  10. +26 −0 app/models/deadbolt/AccessResult.java
  11. +7 −0 app/views/tags/deadbolt/restrictedResource.html
  12. +57 −3 documentation/manual/home.textile
  13. +35 −0 samples-and-tests/restriction-samples/app/controllers/AllowedRestrictedResourceClassSample.java
  14. +34 −0 samples-and-tests/restriction-samples/app/controllers/DenyRestrictedResourceClassSample.java
  15. +7 −1 samples-and-tests/restriction-samples/app/controllers/MyDeadboltHandler.java
  16. +55 −0 samples-and-tests/restriction-samples/app/controllers/MyRestrictedResourcesHandler.java
  17. +72 −0 samples-and-tests/restriction-samples/app/controllers/RestrictedResourceMethodsSample.java
  18. +29 −0 samples-and-tests/restriction-samples/app/controllers/RestrictedResourceTagRestrictions.java
  19. +18 −0 samples-and-tests/restriction-samples/app/views/RestrictedResourceMethodsSample/index.html
  20. +42 −0 samples-and-tests/restriction-samples/app/views/RestrictedResourceTagRestrictions/index.html
  21. +4 −0 samples-and-tests/restriction-samples/app/views/Unrestricted/index.html
1  README.textile
@@ -10,4 +10,5 @@ h2. Features
* Define access using AND, OR and NOT combinations
* Define access at the class, method or view level
* Define permissions at the database level, allowing you change them instantly without redeploying
+* Define restricted resources at the class, method or view level and control access to them on an artibrarily fine-grained level. You can also drop back to other restrictions to allow specific and general cases in the same combination.
* Combine all of the above to get the best fit for your application
8 app/controllers/deadbolt/AbstractDeadboltHandler.java
@@ -46,4 +46,12 @@ public ExternalizedRestrictionsAccessor getExternalizedRestrictionsAccessor()
{
return null;
}
+
+ /**
+ * {@inheritDoc}
+ */
+ public RestrictedResourcesHandler getRestrictedResourcesHandler()
+ {
+ return null;
+ }
}
99 app/controllers/deadbolt/Deadbolt.java
@@ -15,6 +15,7 @@
*/
package controllers.deadbolt;
+import models.deadbolt.AccessResult;
import models.deadbolt.ExternalizedRestriction;
import models.deadbolt.ExternalizedRestrictions;
import models.deadbolt.Role;
@@ -71,12 +72,71 @@ static void checkRestrictions() throws Throwable
RoleHolder roleHolder = DEADBOLT_HANDLER.getRoleHolder();
+ handleDynamicChecks(roleHolder);
+ handleStaticChecks(roleHolder);
+ }
+
+ @Util
+ static void handleDynamicChecks(RoleHolder roleHolder)throws Throwable
+ {
+ handleRestrictedResources(roleHolder);
+ }
+
+ @Util
+ static void handleStaticChecks(RoleHolder roleHolder)throws Throwable
+ {
handleRestrict(roleHolder);
handleRestrictions(roleHolder);
handleExternalRestrictions(roleHolder);
}
@Util
+ static void handleRestrictedResources(RoleHolder roleHolder) throws Throwable
+ {
+ RestrictedResource restrictedResource = getActionAnnotation(RestrictedResource.class);
+ if (restrictedResource == null)
+ {
+ restrictedResource = getControllerInheritedAnnotation(RestrictedResource.class);
+ }
+
+ if (restrictedResource != null)
+ {
+ RestrictedResourcesHandler restrictedResourcesHandler = DEADBOLT_HANDLER.getRestrictedResourcesHandler();
+
+ if (restrictedResourcesHandler == null)
+ {
+ Logger.fatal("A RestrictedResource is specified but no RestrictedResourcesHandler is available. Denying access to resource.");
+ }
+ else
+ {
+ String name = restrictedResource.name();
+ AccessResult accessResult = restrictedResourcesHandler.checkAccess(name);
+ switch (accessResult)
+ {
+ case DENIED:
+ accessFailed();
+ break;
+ case NOT_SPECIFIED:
+ if (restrictedResource.staticFallback())
+ {
+ Logger.info("Access for [%s] not defined for current user - processing further with other Deadbolt annotations",
+ name);
+ handleStaticChecks(roleHolder);
+ }
+ else
+ {
+ accessFailed();
+ }
+ break;
+ default:
+ Logger.debug("RestrictedResource - access allowed for [%s]",
+ name);
+ }
+ }
+ }
+ }
+
+ @Util
static void handleExternalRestrictions(RoleHolder roleHolder) throws Throwable
{
ExternalRestrictions externalRestrictions = getActionAnnotation(ExternalRestrictions.class);
@@ -251,6 +311,45 @@ public static boolean hasRoles(List<String> roleNames) throws Throwable
roleNames.toArray(new String[roleNames.size()]));
}
+ public static boolean checkRestrictedResource(String resourceKey,
+ Boolean allowUnspecified)
+ {
+ DEADBOLT_HANDLER.beforeRoleCheck();
+
+ RestrictedResourcesHandler restrictedResourcesHandler = DEADBOLT_HANDLER.getRestrictedResourcesHandler();
+ boolean accessedAllowed = false;
+
+ if (restrictedResourcesHandler == null)
+ {
+ Logger.fatal("A RestrictedResource is specified but no RestrictedResourcesHandler is available. Denying access to resource.");
+ }
+ else
+ {
+ AccessResult accessResult = restrictedResourcesHandler.checkAccess(resourceKey);
+ switch (accessResult)
+ {
+ case ALLOWED:
+ accessedAllowed = true;
+ break;
+ case NOT_SPECIFIED:
+ allowUnspecified = allowUnspecified != null && allowUnspecified;
+ Logger.info("Access for [%s] not defined for current user - specified behaviour is [%s]",
+ resourceKey,
+ allowUnspecified ? "allow" : "deny");
+ if (allowUnspecified)
+ {
+ accessedAllowed = true;
+ }
+ break;
+ default:
+ Logger.debug("RestrictedResource - access allowed for [%s]",
+ resourceKey);
+ }
+ }
+
+ return accessedAllowed;
+ }
+
public static void forbidden()
{
Controller.forbidden();
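Review bot: `handleRestrictedResources` fails open when no `RestrictedResourcesHandler` is configured: the branch at the `Logger.fatal(...)` call says "Denying access to resource." but only logs, so control returns to `checkRestrictions` (whose body starts outside this hunk), which then runs `handleStaticChecks` and admits the request whenever no static annotation is present. Add `accessFailed();` after that `Logger.fatal` line so the logged policy and the actual behaviour agree; `checkRestrictedResource` in the later hunk does return `false` in the same situation, so the controller path and the view-tag path currently disagree. In `checkRestrictedResource` the `default:` branch is reached for `DENIED` yet logs "RestrictedResource - access allowed for [%s]"; an explicit `case DENIED:` with a deny message would keep the audit log truthful. Also note that `checkRestrictions` calls `handleStaticChecks` unconditionally after `handleDynamicChecks`, so the `NOT_SPECIFIED` + `staticFallback` path evaluates the static checks twice; harmless if they are idempotent, but worth a comment or a guard.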
7 app/controllers/deadbolt/DeadboltHandler.java
@@ -48,4 +48,11 @@
* @return the accessor for externalised restrictions. May be null.
*/
ExternalizedRestrictionsAccessor getExternalizedRestrictionsAccessor();
+
+ /**
+ * Gets the handler used for dealing with resources restricted to specific users/groups.
+ *
+ * @return the handler for restricted resources. May be null.
+ */
+ RestrictedResourcesHandler getRestrictedResourcesHandler();
}
2  app/controllers/deadbolt/ExternalRestrictions.java
@@ -17,6 +17,7 @@
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
+import java.lang.annotation.Inherited;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
@@ -30,6 +31,7 @@
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.METHOD, ElementType.TYPE})
@Documented
+@Inherited
public @interface ExternalRestrictions
{
/**
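Review bot: Adding `@Inherited` changes which controllers a class-level `@ExternalRestrictions` applies to (subclasses now pick it up), and the annotation's Javadoc, which begins on the last line of this hunk, does not mention that contract; the same applies to `@Restrict` and `@Restrictions` in the two following sections. `@Inherited` only affects annotations queried on a class, never method annotations, and a subclass that declares its own `@ExternalRestrictions` replaces the inherited one rather than combining with it, so a subclass can loosen a superclass restriction. Suggest a Javadoc sentence such as `Class-level restrictions are inherited by subclasses; a subclass that re-declares this annotation overrides the inherited one instead of adding to it.`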
2  app/controllers/deadbolt/Restrict.java
@@ -17,6 +17,7 @@
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
+import java.lang.annotation.Inherited;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
@@ -29,6 +30,7 @@
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.METHOD, ElementType.TYPE})
@Documented
+@Inherited
public @interface Restrict
{
/**
49 app/controllers/deadbolt/RestrictedResource.java
@@ -0,0 +1,49 @@
+/*
+ * Copyright 2010-2011 Steve Chaloner
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package controllers.deadbolt;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Inherited;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ *
+ * @author Steve Chaloner (steve@objectify.be)
+ */
+@Retention(RetentionPolicy.RUNTIME)
+@Target({ElementType.METHOD, ElementType.TYPE})
+@Inherited
+@Documented
+public @interface RestrictedResource
+{
+ /**
+ * The name of the resource.
+ *
+ * @return the name of the resource
+ */
+ String name();
+
+ /**
+ * Indicates if further security checking should be done using the static role checking in cases
+ * where a restricted resource check gives a {@link models.deadbolt.AccessResult#NOT_SPECIFIED} result.
+ *
+ * @return true if Deadbolt should apply @Restrict and @Restrictions checks
+ */
+ boolean staticFallback() default false;
+}
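Review bot: The type-level Javadoc on `RestrictedResource` carries only an `@author` tag, so a reader has to open `Deadbolt` to learn what the annotation does. A summary such as `Marks a controller class or action method as a dynamically restricted resource; {@link #name()} is passed to {@link RestrictedResourcesHandler#checkAccess(String)} and the returned {@link models.deadbolt.AccessResult} decides access before any static annotations are evaluated.` would make it self-contained. The `staticFallback()` Javadoc says the fallback applies `@Restrict` and `@Restrictions` checks, but `Deadbolt.handleStaticChecks` also runs `@ExternalRestrictions`, so the `@return` line should list all three.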
41 app/controllers/deadbolt/RestrictedResourcesHandler.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2010-2011 Steve Chaloner
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package controllers.deadbolt;
+
+import models.deadbolt.AccessResult;
+
+/**
+ * @author Steve Chaloner (steve@objectify.be)
+ */
+public interface RestrictedResourcesHandler
+{
+ /**
+ * Check the access of someone, typically the current user, for the named resource.
+ *
+ * <ul>
+ * <li>If {@link AccessResult#NOT_SPECIFIED} is returned and
+ * {@link controllers.deadbolt.RestrictedResource#staticFallback()} is false, access is denied.</li>
+ * <li>If {@link AccessResult#NOT_SPECIFIED} is returned and
+ * {@link controllers.deadbolt.RestrictedResource#staticFallback()} is true, any further Restrict or
+ * Restrictions annotations are processed. Note that if no Restrict or Restrictions annotations are present,
+ * access will be allowed.</li>
+ * </ul>
+ * @param resourceName the name of the resource
+ * @return {@link AccessResult#ALLOWED} if access is permitted. {@link AccessResult#DENIED} if access is denied.
+ * {@link AccessResult#NOT_SPECIFIED} if access is not specified.
+ */
+ AccessResult checkAccess(String resourceName);
+}
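Review bot: The second bullet in the `checkAccess` Javadoc says only Restrict or Restrictions annotations are processed after `NOT_SPECIFIED`, but `Deadbolt.handleStaticChecks` also evaluates `@ExternalRestrictions`, so the list is incomplete. The same bullet's closing note ("if no Restrict or Restrictions annotations are present, access will be allowed") is the one place where a handler can fail open, and that deserves a stronger steer to implementors, e.g. `Return {@link AccessResult#DENIED}, not {@link AccessResult#NOT_SPECIFIED}, for resource names you do not recognise; NOT_SPECIFIED is only safe where static restrictions are known to exist.` The contract for a {@code null} or empty `resourceName` is also unstated; a `@param` note saying whether implementations must tolerate it would help.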
2  app/controllers/deadbolt/Restrictions.java
@@ -17,6 +17,7 @@
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
+import java.lang.annotation.Inherited;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
@@ -29,6 +30,7 @@
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.METHOD, ElementType.TYPE})
@Documented
+@Inherited
public @interface Restrictions
{
Restrict[] value();
26 app/models/deadbolt/AccessResult.java
@@ -0,0 +1,26 @@
+/*
+ * Copyright 2010-2011 Steve Chaloner
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package models.deadbolt;
+
+/**
+ * @author Steve Chaloner (steve@objectify.be)
+ */
+public enum AccessResult
+{
+ ALLOWED,
+ DENIED,
+ NOT_SPECIFIED
+}
7 app/views/tags/deadbolt/restrictedResource.html
@@ -0,0 +1,7 @@
+%{
+ boolean allowUnspecified = _allowUnspecified != null && _allowUnspecified;
+ boolean allowAccess = controllers.deadbolt.Deadbolt.checkRestrictedResource(_resourceKey, allowUnspecified);
+}%
+#{if allowAccess}
+ #{doBody /}
+#{/if}
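Review bot: The tag's parameters are undocumented and `_resourceKey` is passed straight through, so a template that omits `resourceKey:` silently hands `null` to `RestrictedResourcesHandler.checkAccess` instead of failing loudly at render time. A leading template comment such as `*{ resourceKey (required): name passed to the RestrictedResourcesHandler; allowUnspecified (default false): render the body when the handler returns NOT_SPECIFIED }*` would make the contract visible, and a guard that treats a missing `_resourceKey` as a configuration error rather than a lookup would close the gap. Defaulting `allowUnspecified` to `false` is the right fail-safe choice and is worth stating in that comment.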
60 documentation/manual/home.textile
@@ -75,6 +75,10 @@ This method is invoked when a restricted resource is accessed without permission
If your application externalized restrictions, e.g. in a database or XML file, you will need to provide a way to access them by implementing an ExternalizedRestrictionsAccessor. That implementation can then be passed into Deadbolt by returning it from this method. If you don't use external restrictions in your app, you can safely return null from this method.
+* RestrictedResourcesHandler getRestrictedResourcesHandler()
+
+If your application supports dynamic restrictions, you will need to provide a way to evaluate them by implementing a RestrictedResourcesHandler. That implementation can then be passed into Deadbolt by returning it from this method. If you don't use dynamic restrictions in your app, you can safely return null from this method.
+
Once you've implemented DeadboltHandler, you can declare it in your application.conf file. Don't forget a no-args constructor is required!
bc. deadbolt.handler=controllers.MyDeadboltHandler
@@ -84,18 +88,67 @@ If you want to have different DeadboltHandlers used in different contexts, the s
bc. %production.deadbolt.handler=controllers.ProductionDeadboltHandler
%test.deadbolt.handler=controllers.TestDeadboltHandler
-h3. Securing controllers
+h3. Connecting Deadbolt to your controllers
Controllers are secured using the @With annotation to ensure method calls are checked against the current user.
bc. @With(Deadbolt.class)
public class MyController extends Controller
+
+h2. Dynamic restrictions
+
+Dynamic restrictions are completely arbitrary, and work by naming a resource - class, method or view - and then passing that name to a handler implemented by you. You can then use this name to check roles belonging to the current user, the roles belonging to a group the current user is in, the time of day...it's completely arbitrary. Dynamic restrictions take precedence over static restrictions.
+
+h3. RestrictedResourcesHandler
+
+RestrictedResourceHandlers are used to determine access to a resource. DeadboltHandler has a getRestrictedResourcesHandler() method from which you can return a handler - or one of several handlers, again based on arbitrary reasons - which will be passed the name of the resource. From that point on, it's up to you to decide the access. Access requests can have one of three results - ALLOWED, DENIED or NOT_SPECIFIED. The first two are self-explanatory, whereas the third is a bit more complicated. You may decide that if you can't determine if access to a resource - for example, your database might not map the current user to the resource - then access should be denied. However, you could return NOT_SPECIFIED which - if the RestrictedResource staticFallback parameter is true - would make Deadbolt drop back to static Deadbolt restrictions.
+
+h3. Securing controllers
+
+The @RestrictedResource annotation is used to mark a source as having dynamic security. It takes a mandatory name value, which should be unique if you want fine-grained control, and an optional boolean to indicate if integration with static restrictions should be allowed. The RestrictedResource annotation can be set at the class or method level.
+
+bc. // This restricts access to the list method according to how your RestrictedResourcesHandler deals with the name "foo". If NOT_SPECIFIED is returned, access is denied.
+@RestrictedResource(name = "foo")
+public static void list()
+
+bc. // This restricts access to the list method according to how your RestrictedResourcesHandler deals with the name "foo". If NOT_SPECIFIED is returned, access is allowed.
+@RestrictedResource(name = "foo", staticFallback = true)
+public static void list()
+
+bc. // This restricts access to the list method according to how your RestrictedResourcesHandler deals with the name "foo". If NOT_SPECIFIED is returned, access is determined by the Restrict annotation.
+@RestrictedResource(name = "foo", staticFallback = true)
+@Restrict("foo")
+public static void list()
+
+
+h3. Securing views
+
+Views are secured with the deadbolt.restrictedResource tag.
+
+bc. #{deadbolt.restrictedResource resourceKey:'resourceA'}
+ this restricts access to this content to how you deal with "resourceA". If NOT_SPECIFIED is returned, access is denied.
+#{/deadbolt.restrictedResource}
+
+bc. #{deadbolt.restrictedResource resourceKey:'resourceA', allowUnspecified:false}
+ this restricts access to this content to how you deal with "resourceA". If NOT_SPECIFIED is returned, access is denied.
+#{/deadbolt.restrictedResource}
+
+bc. #{deadbolt.restrictedResource resourceKey:'resourceA', allowUnspecified:true}
+ this restricts access to this content to how you deal with "resourceA". If NOT_SPECIFIED is returned, access is allowed.
+#{/deadbolt.restrictedResource}
+
+
+h2. Static restrictions
+
+Static restrictions work by specifying hard-coded information into your controllers and views.
+
+h3. Securing controllers
+
Rolenames are matched against result of the Role.getRoleName() method of the roles return from RoleHolder#getRoles().
There are two annotations available to define access to a controller method - @Restrict, and @Restrictions.
-
h3. @Restrict
The @Restrict annotation defines a set of role names that are ANDed together.
@@ -170,7 +223,8 @@ bc. #{deadbolt.restrict roles:[['foo', 'bar', 'gee']]}
h3. Externalised restrictions
-Deadbolt allows you to annotation controller classes and methods with named restriction trees.
+Deadbolt allows you to annotation controller classes and methods with named restriction trees. It's debatable whether this can
+be classed as a static restriction, but since it works along the same lines as the truly static mechanisms I'm not going to split hairs.
bc. @ExternalRestrictions("admin-only")
public static void edit()
35 samples-and-tests/restriction-samples/app/controllers/AllowedRestrictedResourceClassSample.java
@@ -0,0 +1,35 @@
+/*
+ * Copyright 2010-2011 Steve Chaloner
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package controllers;
+
+import controllers.deadbolt.Deadbolt;
+import controllers.deadbolt.Restrict;
+import controllers.deadbolt.RestrictedResource;
+import play.mvc.Controller;
+import play.mvc.With;
+
+/**
+ * @author Steve Chaloner (steve@objectify.be).
+ */
+@With(Deadbolt.class)
+@RestrictedResource(name = "resourceA")
+public class AllowedRestrictedResourceClassSample extends Controller
+{
+ public static void index()
+ {
+ render("authorised.html");
+ }
+}
34 samples-and-tests/restriction-samples/app/controllers/DenyRestrictedResourceClassSample.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright 2010-2011 Steve Chaloner
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package controllers;
+
+import controllers.deadbolt.Deadbolt;
+import controllers.deadbolt.RestrictedResource;
+import play.mvc.Controller;
+import play.mvc.With;
+
+/**
+ * @author Steve Chaloner (steve@objectify.be).
+ */
+@With(Deadbolt.class)
+@RestrictedResource(name = "resourceC")
+public class DenyRestrictedResourceClassSample extends Controller
+{
+ public static void index()
+ {
+ render("unauthorised.html");
+ }
+}
8 samples-and-tests/restriction-samples/app/controllers/MyDeadboltHandler.java
@@ -18,6 +18,7 @@
import controllers.deadbolt.Deadbolt;
import controllers.deadbolt.DeadboltHandler;
import controllers.deadbolt.ExternalizedRestrictionsAccessor;
+import controllers.deadbolt.RestrictedResourcesHandler;
import deadbolt.MyExternalizedRestrictionsAccessor;
import models.MyRoleHolder;
import models.deadbolt.RoleHolder;
@@ -54,4 +55,9 @@ public ExternalizedRestrictionsAccessor getExternalizedRestrictionsAccessor()
{
return new MyExternalizedRestrictionsAccessor();
}
-}
+
+ public RestrictedResourcesHandler getRestrictedResourcesHandler()
+ {
+ return new MyRestrictedResourcesHandler();
+ }
+}
55 samples-and-tests/restriction-samples/app/controllers/MyRestrictedResourcesHandler.java
@@ -0,0 +1,55 @@
+/*
+ * Copyright 2010-2011 Steve Chaloner
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package controllers;
+
+import controllers.deadbolt.RestrictedResourcesHandler;
+import models.deadbolt.AccessResult;
+
+/**
+ * @author Steve Chaloner (steve@objectify.be)
+ */
+public class MyRestrictedResourcesHandler implements RestrictedResourcesHandler
+{
+ /**
+ * Various things can be done here, such as checking in a database table that maps the resource name to the
+ * current user name or a group the user is in. There are two rules and one guideline for an easy life here:
+ * <ol>
+ * <li>If access is allowed, return {@link AccessResult#ALLOWED}</li>
+ * <li>If access is denied, return {@link AccessResult#DENIED}</li>
+ * <li>If access is not specified in, e.g. the database you can choose to return {@link AccessResult#ALLOWED}
+ * or {@link AccessResult#DENIED} if you have a hard policy for this situation; alternatively you can return
+ * {@link AccessResult#NOT_SPECIFIED} and allow further processing.</li>
+ * </ol>
+ *
+ * {@inheritDoc}
+ */
+ public AccessResult checkAccess(String resourceName)
+ {
+ // This could be hitting a database to check the resource name against that of the current user, but for pure
+ // convenience it's hard-coded here.
+
+ AccessResult result = AccessResult.DENIED;
+ if ("resourceA".equals(resourceName))
+ {
+ result = AccessResult.ALLOWED;
+ }
+ else if ("resourceB".equals(resourceName))
+ {
+ result = AccessResult.NOT_SPECIFIED;
+ }
+ return result;
+ }
+}
72 samples-and-tests/restriction-samples/app/controllers/RestrictedResourceMethodsSample.java
@@ -0,0 +1,72 @@
+/*
+ * Copyright 2010-2011 Steve Chaloner
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package controllers;
+
+import controllers.deadbolt.Deadbolt;
+import controllers.deadbolt.Restrict;
+import controllers.deadbolt.RestrictedResource;
+import play.mvc.Controller;
+import play.mvc.With;
+
+/**
+ * @author Steve Chaloner (steve@objectify.be).
+ */
+@With(Deadbolt.class)
+public class RestrictedResourceMethodsSample extends Controller
+{
+ public static void index()
+ {
+ render();
+ }
+
+ @RestrictedResource(name = "resourceA")
+ public static void allowed()
+ {
+ render("authorised.html");
+ }
+
+ @RestrictedResource(name = "resourceB")
+ public static void notSpecified()
+ {
+ render("unauthorised.html");
+ }
+
+ @RestrictedResource(name = "resourceB", staticFallback = true)
+ public static void notSpecifiedWithStaticFallbackAndNoStaticRestrictions()
+ {
+ render("authorised.html");
+ }
+
+ @RestrictedResource(name = "resourceB", staticFallback = true)
+ @Restrict("oof")
+ public static void notSpecifiedWithStaticFallbackAndBlockingStaticRestriction()
+ {
+ render("unauthorised.html");
+ }
+
+ @RestrictedResource(name = "resourceB", staticFallback = true)
+ @Restrict("foo")
+ public static void notSpecifiedWithStaticFallbackAndOkStaticRestriction()
+ {
+ render("authorised.html");
+ }
+
+ @RestrictedResource(name = "resourceC")
+ public static void denied()
+ {
+ render("unauthorised.html");
+ }
+}
29 samples-and-tests/restriction-samples/app/controllers/RestrictedResourceTagRestrictions.java
@@ -0,0 +1,29 @@
+/*
+ * Copyright 2010-2011 Steve Chaloner
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package controllers;
+
+import play.mvc.Controller;
+
+/**
+ * @author Steve Chaloner (steve@objectify.be).
+ */
+public class RestrictedResourceTagRestrictions extends Controller
+{
+ public static void index()
+ {
+ render();
+ }
+}
18 samples-and-tests/restriction-samples/app/views/RestrictedResourceMethodsSample/index.html
@@ -0,0 +1,18 @@
+<div>Authorised</div>
+<p>Each of the following links should lead to a valid page</p>
+<ul>
+ <li><a href="@{RestrictedResourceMethodsSample.allowed}">Allowed</a></li>
+ <li><a href="@{RestrictedResourceMethodsSample.notSpecifiedWithStaticFallbackAndNoStaticRestrictions}">Not specified, with static restriction checking enabled and no static restrictions present</a></li>
+ <li><a href="@{RestrictedResourceMethodsSample.notSpecifiedWithStaticFallbackAndOkStaticRestriction}">Not specified, with static restriction checking enabled and a static restriction that permits access</a></li>
+</ul>
+
+<br/>
+<br/>
+
+<div>Unauthorised</div>
+<p>Each of the following links should lead to a forbidden page</p>
+<ul>
+ <li><a href="@{RestrictedResourceMethodsSample.notSpecified}">Not specified</a></li>
+ <li><a href="@{RestrictedResourceMethodsSample.notSpecifiedWithStaticFallbackAndBlockingStaticRestriction}">Not specified, with static restriction checking enabled and a static restriction that blocks</a></li>
+ <li><a href="@{RestrictedResourceMethodsSample.denied}">Denied</a></li>
+</ul>
42 samples-and-tests/restriction-samples/app/views/RestrictedResourceTagRestrictions/index.html
@@ -0,0 +1,42 @@
+<p>The following box should contain text</p>
+<div style="border: 1px solid #000000">
+ #{deadbolt.restrictedResource resourceKey:'resourceA'}
+ blah blah blah
+ #{/deadbolt.restrictedResource}
+</div>
+<br/>
+<br/>
+<p>The following box should contain text</p>
+<div style="border: 1px solid #000000">
+ #{deadbolt.restrictedResource resourceKey:'resourceB', allowUnspecified:true}
+ blah blah blah
+ #{/deadbolt.restrictedResource}
+</div>
+<br/>
+<br/>
+<p>The following box should contain text</p>
+<div style="border: 1px solid #000000">
+ #{deadbolt.restrictedResource resourceKey:'resourceB', allowUnspecified:true}
+ #{deadbolt.restrict roles:[['foo'], ['bar']]}
+ blah blah blah
+ #{/deadbolt.restrict}
+ #{/deadbolt.restrictedResource}
+</div>
+<br/>
+<br/>
+<p>The following box should not contain text</p>
+<div style="border: 1px solid #000000">
+ #{deadbolt.restrictedResource resourceKey:'resourceB'}
+ blah blah blah
+ #{/deadbolt.restrictedResource}
+</div>
+<br/>
+<br/>
+<p>The following box should not contain text</p>
+<div style="border: 1px solid #000000">
+ #{deadbolt.restrictedResource resourceKey:'resourceC'}
+ blah blah blah
+ #{/deadbolt.restrictedResource}
+</div>
+<br/>
+<br/>
4 samples-and-tests/restriction-samples/app/views/Unrestricted/index.html
@@ -6,4 +6,8 @@
<li><a href="@{NegationSample.index()}">Negation samples</a></li>
<li><a href="@{ExternalRestrictionSample.index()}">External restriction samples</a></li>
<li><a href="@{TagRestrictions.index()}">Tag restriction samples</a></li>
+ <li><a href="@{RestrictedResourceMethodsSample.index()}">Restricted resource method samples</a></li>
+ <li><a href="@{AllowedRestrictedResourceClassSample.index()}">Restricted resource class sample - allow</a></li>
+ <li><a href="@{DenyRestrictedResourceClassSample.index()}">Restricted resource class sample - deny</a></li>
+ <li><a href="@{RestrictedResourceTagRestrictions.index()}">Restricted resource tag samples</a></li>
</ul>