spring-projects · mdeinum · Jan 3, 2013
diff --git a/acl/src/main/java/org/springframework/security/acls/domain/SpringCacheBasedAclCache.java b/acl/src/main/java/org/springframework/security/acls/domain/SpringCacheBasedAclCache.java
@@ -0,0 +1,145 @@
+/*
+ * Copyright 2002-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.acls.domain;
+
+import net.sf.ehcache.CacheException;
+import net.sf.ehcache.Ehcache;
+import net.sf.ehcache.Element;
+import org.springframework.cache.Cache;
+import org.springframework.security.acls.model.AclCache;
+import org.springframework.security.acls.model.MutableAcl;
+import org.springframework.security.acls.model.ObjectIdentity;
+import org.springframework.security.acls.model.PermissionGrantingStrategy;
+import org.springframework.security.util.FieldUtils;
+import org.springframework.util.Assert;
+
+import java.io.Serializable;
+
+
+/**
+ * Simple implementation of {@link org.springframework.security.acls.model.AclCache} that delegates to {@link Cache} implementation.
+ * <p>
+ * Designed to handle the transient fields in {@link org.springframework.security.acls.domain.AclImpl}. Note that this implementation assumes all
+ * {@link org.springframework.security.acls.domain.AclImpl} instances share the same {@link org.springframework.security.acls.model.PermissionGrantingStrategy} and {@link org.springframework.security.acls.domain.AclAuthorizationStrategy}
+ * instances.
+ *
+ * @author Marten Deinum
+ * @since 3.2
+ */
+public class SpringCacheBasedAclCache implements AclCache {
+    //~ Instance fields ================================================================================================
+
+    private final Cache cache;
+    private PermissionGrantingStrategy permissionGrantingStrategy;
+    private AclAuthorizationStrategy aclAuthorizationStrategy;
+
+    //~ Constructors ===================================================================================================
+
+    public SpringCacheBasedAclCache(Cache cache, PermissionGrantingStrategy permissionGrantingStrategy,
+                                    AclAuthorizationStrategy aclAuthorizationStrategy) {
+        Assert.notNull(cache, "Cache required");
+        Assert.notNull(permissionGrantingStrategy, "PermissionGrantingStrategy required");
+        Assert.notNull(aclAuthorizationStrategy, "AclAuthorizationStrategy required");
+        this.cache = cache;
+        this.permissionGrantingStrategy = permissionGrantingStrategy;
+        this.aclAuthorizationStrategy = aclAuthorizationStrategy;
+    }
+
+    //~ Methods ========================================================================================================
+
+    public void evictFromCache(Serializable pk) {
+        Assert.notNull(pk, "Primary key (identifier) required");
+
+        MutableAcl acl = getFromCache(pk);
+
+        if (acl != null) {
+            cache.evict(acl.getId());
+            cache.evict(acl.getObjectIdentity());
+        }
+    }
+
+    public void evictFromCache(ObjectIdentity objectIdentity) {
+        Assert.notNull(objectIdentity, "ObjectIdentity required");
+
+        MutableAcl acl = getFromCache(objectIdentity);
+
+        if (acl != null) {
+            cache.evict(acl.getId());
+            cache.evict(acl.getObjectIdentity());
+        }
+    }
+
+    public MutableAcl getFromCache(ObjectIdentity objectIdentity) {
+        Assert.notNull(objectIdentity, "ObjectIdentity required");
+
+        Cache.ValueWrapper element = null;
+
+        try {
+            element = cache.get(objectIdentity);
+        } catch (CacheException ignored) {}
+
+        if (element == null) {
+            return null;
+        }
+
+        return initializeTransientFields((MutableAcl)element.get());
+    }
+
+    public MutableAcl getFromCache(Serializable pk) {
+        Assert.notNull(pk, "Primary key (identifier) required");
+
+        Cache.ValueWrapper element = null;
+
+        try {
+            element = cache.get(pk);
+        } catch (CacheException ignored) {}
+
+        if (element == null) {
+            return null;
+        }
+
+        return initializeTransientFields((MutableAcl) element.get());
+    }
+
+    public void putInCache(MutableAcl acl) {
+        Assert.notNull(acl, "Acl required");
+        Assert.notNull(acl.getObjectIdentity(), "ObjectIdentity required");
+        Assert.notNull(acl.getId(), "ID required");
+
+        if ((acl.getParentAcl() != null) && (acl.getParentAcl() instanceof MutableAcl)) {
+            putInCache((MutableAcl) acl.getParentAcl());
+        }
+
+        cache.put(acl.getObjectIdentity(), acl);
+        cache.put(acl.getId(), acl);
+    }
+
+    private MutableAcl initializeTransientFields(MutableAcl value) {
+        if (value instanceof AclImpl) {
+            FieldUtils.setProtectedFieldValue("aclAuthorizationStrategy", value, this.aclAuthorizationStrategy);
+            FieldUtils.setProtectedFieldValue("permissionGrantingStrategy", value, this.permissionGrantingStrategy);
+        }
+
+        if (value.getParentAcl() != null) {
+            initializeTransientFields((MutableAcl) value.getParentAcl());
+        }
+        return value;
+    }
+
+    public void clearCache() {
+        cache.clear();
+    }
+}
diff --git a/acl/src/test/java/org/springframework/security/acls/jdbc/SpringCacheBasedAclCacheTests.java b/acl/src/test/java/org/springframework/security/acls/jdbc/SpringCacheBasedAclCacheTests.java
@@ -0,0 +1,172 @@
+package org.springframework.security.acls.jdbc;
+
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.springframework.cache.Cache;
+import org.springframework.cache.CacheManager;
+import org.springframework.cache.concurrent.ConcurrentMapCacheManager;
+import org.springframework.security.acls.domain.*;
+import org.springframework.security.acls.model.MutableAcl;
+import org.springframework.security.acls.model.ObjectIdentity;
+import org.springframework.security.acls.model.PermissionGrantingStrategy;
+import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.util.FieldUtils;
+
+import java.io.*;
+import java.util.Map;
+
+import static org.junit.Assert.*;
+
+/**
+ * Tests {@link org.springframework.security.acls.domain.EhCacheBasedAclCache}
+ *
+ * @author Andrei Stefan
+ */
+public class SpringCacheBasedAclCacheTests {
+    private static final String TARGET_CLASS = "org.springframework.security.acls.TargetObject";
+
+    private static CacheManager cacheManager;
+
+    @BeforeClass
+    public static void initCacheManaer() {
+        cacheManager = new ConcurrentMapCacheManager();
+        // Use disk caching immediately (to test for serialization issue reported in SEC-527)
+        cacheManager.getCache("springcasebasedacltests");
+    }
+
+    @After
+    public void clearContext() {
+        SecurityContextHolder.clearContext();
+    }
+
+    private Cache getCache() {
+        Cache cache = cacheManager.getCache("springcasebasedacltests");
+        cache.clear();
+        return cache;
+    }
+
+    @Test(expected=IllegalArgumentException.class)
+    public void constructorRejectsNullParameters() throws Exception {
+        new SpringCacheBasedAclCache(null, null, null);
+    }
+
+    @Test
+    public void cacheOperationsAclWithoutParent() throws Exception {
+        Cache cache = getCache();
+        Map realCache = (Map) cache.getNativeCache();
+        ObjectIdentity identity = new ObjectIdentityImpl(TARGET_CLASS, Long.valueOf(100));
+        AclAuthorizationStrategy aclAuthorizationStrategy = new AclAuthorizationStrategyImpl(
+                new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority("ROLE_AUDITING"),
+                new SimpleGrantedAuthority("ROLE_GENERAL"));
+        AuditLogger auditLogger = new ConsoleAuditLogger();
+
+        PermissionGrantingStrategy permissionGrantingStrategy = new DefaultPermissionGrantingStrategy(auditLogger);
+        SpringCacheBasedAclCache myCache = new SpringCacheBasedAclCache(cache, permissionGrantingStrategy, aclAuthorizationStrategy);
+        MutableAcl acl = new AclImpl(identity, Long.valueOf(1), aclAuthorizationStrategy, auditLogger);
+
+        assertEquals(0, realCache.size());
+        myCache.putInCache(acl);
+
+        // Check we can get from cache the same objects we put in
+        assertEquals(myCache.getFromCache(Long.valueOf(1)), acl);
+        assertEquals(myCache.getFromCache(identity), acl);
+
+        // Put another object in cache
+        ObjectIdentity identity2 = new ObjectIdentityImpl(TARGET_CLASS, Long.valueOf(101));
+        MutableAcl acl2 = new AclImpl(identity2, Long.valueOf(2), aclAuthorizationStrategy, new ConsoleAuditLogger());
+
+        myCache.putInCache(acl2);
+
+        // Try to evict an entry that doesn't exist
+        myCache.evictFromCache(Long.valueOf(3));
+        myCache.evictFromCache(new ObjectIdentityImpl(TARGET_CLASS, Long.valueOf(102)));
+        assertEquals(realCache.size(), 4);
+
+        myCache.evictFromCache(Long.valueOf(1));
+        assertEquals(realCache.size(), 2);
+
+        // Check the second object inserted
+        assertEquals(myCache.getFromCache(Long.valueOf(2)), acl2);
+        assertEquals(myCache.getFromCache(identity2), acl2);
+
+        myCache.evictFromCache(identity2);
+        assertEquals(realCache.size(), 0);
+    }
+
+    @SuppressWarnings("unchecked")
+    @Test
+    public void cacheOperationsAclWithParent() throws Exception {
+        Cache cache = getCache();
+        Map realCache = (Map) cache.getNativeCache();
+
+        Authentication auth = new TestingAuthenticationToken("user", "password", "ROLE_GENERAL");
+        auth.setAuthenticated(true);
+        SecurityContextHolder.getContext().setAuthentication(auth);
+
+        ObjectIdentity identity = new ObjectIdentityImpl(TARGET_CLASS, Long.valueOf(1));
+        ObjectIdentity identityParent = new ObjectIdentityImpl(TARGET_CLASS, Long.valueOf(2));
+        AclAuthorizationStrategy aclAuthorizationStrategy = new AclAuthorizationStrategyImpl(
+                new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority("ROLE_AUDITING"),
+                new SimpleGrantedAuthority("ROLE_GENERAL"));
+        AuditLogger auditLogger = new ConsoleAuditLogger();
+
+        PermissionGrantingStrategy permissionGrantingStrategy = new DefaultPermissionGrantingStrategy(auditLogger);
+        SpringCacheBasedAclCache myCache = new SpringCacheBasedAclCache(cache, permissionGrantingStrategy, aclAuthorizationStrategy);
+
+        MutableAcl acl = new AclImpl(identity, Long.valueOf(1), aclAuthorizationStrategy, auditLogger);
+        MutableAcl parentAcl = new AclImpl(identityParent, Long.valueOf(2), aclAuthorizationStrategy, auditLogger);
+
+        acl.setParent(parentAcl);
+
+        assertEquals(0, realCache.size());
+        myCache.putInCache(acl);
+        assertEquals(realCache.size(), 4);
+
+        // Check we can get from cache the same objects we put in
+        AclImpl aclFromCache = (AclImpl) myCache.getFromCache(Long.valueOf(1));
+        assertEquals(acl, aclFromCache);
+        // SEC-951 check transient fields are set on parent
+        assertNotNull(FieldUtils.getFieldValue(aclFromCache.getParentAcl(), "aclAuthorizationStrategy"));
+        assertNotNull(FieldUtils.getFieldValue(aclFromCache.getParentAcl(), "permissionGrantingStrategy"));
+        assertEquals(acl, myCache.getFromCache(identity));
+        assertNotNull(FieldUtils.getFieldValue(aclFromCache, "aclAuthorizationStrategy"));
+        AclImpl parentAclFromCache = (AclImpl) myCache.getFromCache(Long.valueOf(2));
+        assertEquals(parentAcl, parentAclFromCache);
+        assertNotNull(FieldUtils.getFieldValue(parentAclFromCache, "aclAuthorizationStrategy"));
+        assertEquals(parentAcl, myCache.getFromCache(identityParent));
+    }
+
+    //~ Inner Classes ==================================================================================================
+
+    private class MockCache implements Cache {
+
+        @Override
+        public String getName() {
+            return "mockcache";
+        }
+
+        @Override
+        public Object getNativeCache() {
+            return null;
+        }
+
+        @Override
+        public ValueWrapper get(Object key) {
+            return null;
+        }
+
+        @Override
+        public void put(Object key, Object value) {}
+
+        @Override
+        public void evict(Object key) {}
+
+        @Override
+        public void clear() {}
+    }
+}