Source Code of org.thymeleaf.extras.springsecurity3.dialect.processor.AuthorizeAclAttrProcessor

/*
 * =============================================================================
 *
 *   Copyright (c) 2011-2014, The THYMELEAF team (http://www.thymeleaf.org)
 *
 *   Licensed under the Apache License, Version 2.0 (the "License");
 *   you may not use this file except in compliance with the License.
 *   You may obtain a copy of the License at
 *
 *       http://www.apache.org/licenses/LICENSE-2.0
 *
 *   Unless required by applicable law or agreed to in writing, software
 *   distributed under the License is distributed on an "AS IS" BASIS,
 *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *   See the License for the specific language governing permissions and
 *   limitations under the License.
 *
 * =============================================================================
 */
package org.thymeleaf.extras.springsecurity3.dialect.processor;

import javax.servlet.ServletContext;

import org.springframework.context.ApplicationContext;
import org.springframework.security.core.Authentication;
import org.thymeleaf.Arguments;
import org.thymeleaf.Configuration;
import org.thymeleaf.context.IContext;
import org.thymeleaf.context.IProcessingContext;
import org.thymeleaf.context.IWebContext;
import org.thymeleaf.dom.Element;
import org.thymeleaf.exceptions.ConfigurationException;
import org.thymeleaf.exceptions.TemplateProcessingException;
import org.thymeleaf.extras.springsecurity3.auth.AclAuthUtils;
import org.thymeleaf.extras.springsecurity3.auth.AuthUtils;
import org.thymeleaf.processor.attr.AbstractConditionalVisibilityAttrProcessor;
import org.thymeleaf.standard.expression.IStandardExpression;
import org.thymeleaf.standard.expression.IStandardExpressionParser;
import org.thymeleaf.standard.expression.StandardExpressions;
import org.thymeleaf.standard.expression.TextLiteralExpression;

/**
 * Takes the form sec:authorize-acl="object :: permissions", renders the element
 * children (*tag content*) if the authenticated user has the specified
 * permissions on the specified domain object, according to Spring Source's
 * Access Control List system.
 *
 * @author Daniel Fernández
 */
public class AuthorizeAclAttrProcessor
        extends AbstractConditionalVisibilityAttrProcessor {


    public static final int ATTR_PRECEDENCE = 300;
    public static final String ATTR_NAME = "authorize-acl";


    private static final String VALUE_SEPARATOR = "::";



    public AuthorizeAclAttrProcessor() {
        super(ATTR_NAME);
    }



    @Override
    public int getPrecedence() {
        return ATTR_PRECEDENCE;
    }



    @Override
    protected boolean isVisible(final Arguments arguments, final Element element,
            final String attributeName) {

        String attributeValue = element.getAttributeValue(attributeName);

        if (attributeValue == null || attributeValue.trim().equals("")) {
            return false;
        }
        attributeValue = attributeValue.trim();

        final IContext context = arguments.getContext();
        if (!(context instanceof IWebContext)) {
            throw new ConfigurationException(
                    "Thymeleaf execution context is not a web context (implementation of " +
                    IWebContext.class.getName() + ". Spring Security integration can only be used in " +
                    "web environements.");
        }
        final IWebContext webContext = (IWebContext) context;
        final ServletContext servletContext = webContext.getServletContext();

        final Authentication authentication = AuthUtils.getAuthenticationObject();
        if (authentication == null) {
            return false;
        }

        final ApplicationContext applicationContext = AuthUtils.getContext(servletContext);

        final Configuration configuration = arguments.getConfiguration();

        final int separatorPos = attributeValue.lastIndexOf(VALUE_SEPARATOR);
        if (separatorPos == -1) {
            throw new TemplateProcessingException(
                    "Could not parse \"" + attributeValue + "\" as an access control list " +
                    "expression. Syntax should be \"[domain object expression] :: [permissions]\"");
        }

        final String domainObjectExpression = attributeValue.substring(0,separatorPos).trim();
        final String permissionsExpression = attributeValue.substring(separatorPos + 2).trim();

        final IStandardExpressionParser expressionParser = StandardExpressions.getExpressionParser(configuration);

        final IStandardExpression domainObjectExpr =
                getExpressionDefaultToLiteral(expressionParser, configuration, arguments, domainObjectExpression);
        final IStandardExpression permissionsExpr =
                getExpressionDefaultToLiteral(expressionParser, configuration, arguments, permissionsExpression);

        final Object domainObject = domainObjectExpr.execute(configuration, arguments);

        final Object permissionsObject = permissionsExpr.execute(configuration, arguments);
        final String permissionsStr =
                (permissionsObject == null? null : permissionsObject.toString());

        return AclAuthUtils.authorizeUsingAccessControlList(
                domainObject, applicationContext, permissionsStr, authentication, servletContext);

    }





    protected static IStandardExpression getExpressionDefaultToLiteral(final IStandardExpressionParser expressionParser,
            final Configuration configuration, final IProcessingContext processingContext, final String input) {

        final IStandardExpression expression =
                expressionParser.parseExpression(configuration, processingContext, input);
        if (expression == null) {
            return new TextLiteralExpression(input);
        }
        return expression;

    }


}