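package fr.openwide.core.wicket.more.security.authorization;

import org.apache.wicket.Component;
import org.apache.wicket.authorization.Action;
import org.apache.wicket.authorization.IAuthorizationStrategy;
import org.apache.wicket.request.component.IRequestableComponent;
import org.apache.wicket.request.mapper.parameter.PageParameters;
import org.apache.wicket.request.resource.IResource;
import org.springframework.security.acls.domain.PermissionFactory;
import org.springframework.security.acls.model.Permission;

import fr.openwide.core.jpa.business.generic.model.GenericEntity;
import fr.openwide.core.jpa.security.service.IAuthenticationService;

/**
 * Wicket {@link IAuthorizationStrategy} driven by permission annotations placed on component classes.
 * <p>
 * Three annotations are consulted, always on the concrete class of the component
 * ({@code Class.getAnnotation}):
 * <ul>
 * <li>{@link AuthorizeActionIfPermission} for {@link #isActionAuthorized(Component, Action)}, when the
 * annotation's action name matches the action being checked;</li>
 * <li>{@link AuthorizeRenderIfPermissionOnModelObject} (deprecated) for the {@link Component#RENDER} action,
 * checked against the component's default model object;</li>
 * <li>{@link AuthorizeInstantiationIfPermission} for {@link #isInstantiationAuthorized(Class)}.</li>
 * </ul>
 * Permission names are turned into {@link Permission}s by the {@link PermissionFactory}, and access is granted
 * as soon as the {@link IAuthenticationService} reports one of them. Where an annotation applies, an empty
 * permission list grants nothing. Components without a matching annotation are authorized.
 * <p>
 * {@link #isResourceAuthorized(IResource, PageParameters)} is not implemented yet and authorizes every
 * resource request.
 */
public class AnnotationsPermissionAuthorizationStrategy implements IAuthorizationStrategy {

	private final IAuthenticationService authenticationService;

	private final PermissionFactory permissionFactory;

	/**
	 * @param authenticationService service answering permission checks for the current principal
	 * @param permissionFactory factory resolving annotation permission names to {@link Permission}s
	 */
	public AnnotationsPermissionAuthorizationStrategy(IAuthenticationService authenticationService,
			PermissionFactory permissionFactory) {
		this.authenticationService = authenticationService;
		this.permissionFactory = permissionFactory;
	}

	/**
	 * Authorizes {@code action} on {@code component} from the annotations on the component's class.
	 *
	 * @return {@code false} when a matching annotation is present and none of its permissions is held
	 *         (or, for the model-object annotation, when the default model object is not a
	 *         {@link GenericEntity}); {@code true} otherwise
	 */
	@Override
	public boolean isActionAuthorized(Component component, Action action) {
		final Class<? extends Component> componentClass = component.getClass();

		// Action-level rule: only consulted when the annotation names the action being checked;
		// an annotation for a different action falls through to the render-specific rule below.
		final AuthorizeActionIfPermission permissionAnnotation =
				componentClass.getAnnotation(AuthorizeActionIfPermission.class);
		if (permissionAnnotation != null && action.getName().equals(permissionAnnotation.action())) {
			return hasAnyPermission(permissionAnnotation.permissions());
		}

		if (Component.RENDER.equals(action)) {
			@SuppressWarnings("deprecation")
			final AuthorizeRenderIfPermissionOnModelObject permissionOnModelObjectAnnotation =
					componentClass.getAnnotation(AuthorizeRenderIfPermissionOnModelObject.class);
			if (permissionOnModelObjectAnnotation != null) {
				final Object modelObject = component.getDefaultModelObject();
				// Fail closed: a null or non-entity model object leaves nothing to check an ACL against.
				if (!(modelObject instanceof GenericEntity<?, ?>)) {
					return false;
				}
				// The entity identifier is assumed to be a Long; the cast is unchecked because of erasure.
				@SuppressWarnings("unchecked")
				final GenericEntity<Long, ?> securedObject = (GenericEntity<Long, ?>) modelObject;
				@SuppressWarnings("deprecation")
				final String[] permissionNames = permissionOnModelObjectAnnotation.permissions();
				return hasAnyPermission(securedObject, permissionNames);
			}
		}

		// No applicable annotation: this strategy does not restrict the action.
		return true;
	}

	/**
	 * Authorizes instantiation of {@code componentClass} from its {@link AuthorizeInstantiationIfPermission}
	 * annotation, if any.
	 *
	 * @return {@code true} when the class is not annotated or one of the listed permissions is held
	 */
	@Override
	public <T extends IRequestableComponent> boolean isInstantiationAuthorized(Class<T> componentClass) {
		final AuthorizeInstantiationIfPermission authorizeInstantiationAnnotation =
				componentClass.getAnnotation(AuthorizeInstantiationIfPermission.class);
		if (authorizeInstantiationAnnotation == null) {
			return true;
		}
		return hasAnyPermission(authorizeInstantiationAnnotation.permissions());
	}

	/**
	 * Not implemented: every resource request is authorized by this strategy, so the permission
	 * annotations above do not protect resources.
	 */
	@Override
	public boolean isResourceAuthorized(IResource resource, PageParameters parameters) {
		// TODO 0.10: implement something meaningful here
		return true;
	}

	/**
	 * @return {@code true} if the current principal holds at least one of {@code permissionNames};
	 *         {@code false} for an empty array
	 */
	private boolean hasAnyPermission(String[] permissionNames) {
		for (String permissionName : permissionNames) {
			final Permission permission = permissionFactory.buildFromName(permissionName);
			if (authenticationService.hasPermission(permission)) {
				return true;
			}
		}
		return false;
	}

	/**
	 * @return {@code true} if the current principal holds at least one of {@code permissionNames} on
	 *         {@code securedObject}; {@code false} for an empty array
	 */
	private boolean hasAnyPermission(GenericEntity<Long, ?> securedObject, String[] permissionNames) {
		for (String permissionName : permissionNames) {
			final Permission permission = permissionFactory.buildFromName(permissionName);
			if (authenticationService.hasPermission(securedObject, permission)) {
				return true;
			}
		}
		return false;
	}

}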