Index: SidACL.java
===================================================================
--- SidACL.java (revision 13757)
+++ SidACL.java (working copy)
@@ -45,6 +45,9 @@
 // finally everyone
 b = hasPermission(EVERYONE,permission);
 if(b!=null) return b;
+ // permissions granted to anonymous users are granted to everyone
+ b=hasPermission(ANONYMOUS,permission);
+ if(b!=null) return b;
 return null;
 }
@@ -69,10 +72,24 @@
 */
 protected abstract Boolean hasPermission(Sid p, Permission permission);
+ protected String toString(Sid p) {
+ if (p instanceof GrantedAuthoritySid)
+ return ((GrantedAuthoritySid) p).getGrantedAuthority();
+ if (p instanceof PrincipalSid)
+ return ((PrincipalSid) p).getPrincipal();
+ if (p == EVERYONE)
+ return "role_everyone";
+ // hmm...
+ return p.toString();
+ }
+
 /**
 * Creates a new {@link SidACL} that first consults 'this' {@link SidACL} and then delegate to
 * the given parent {@link SidACL}. By doing this at the {@link SidACL} level and not at the
 * {@link ACL} level, this allows the child ACLs to have an explicit deny entry.
+ * Note that the combined ACL calls hasPermission(Sid,Permission) in the child and parent
+ * SidACLs directly, so if these override _hasPermission then this custom behavior will
+ * not be applied.
 */
 public final SidACL newInheritingACL(final SidACL parent) {
 final SidACL child = this;
Index: GlobalMatrixAuthorizationStrategy.java
===================================================================
--- GlobalMatrixAuthorizationStrategy.java (revision 13757)
+++ GlobalMatrixAuthorizationStrategy.java (working copy)
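Review bot: In the first SidACL.java hunk (`@@ -45,6 +45,9 @@`), the ANONYMOUS fallback now sits in the base-class permission check, so every SidACL subclass inherits it, not only the two matrix ACLs whose `_hasPermission` overrides this commit removes; any other subclass would presumably start extending anonymous grants to authenticated callers. That rule is an authorization policy and belongs in the method's Javadoc rather than only in an inline comment, for example `Sids are consulted in order (principal, authorities, EVERYONE, ANONYMOUS); anything granted to ANONYMOUS is therefore granted to every caller.` The added `if(b!=null) return b;` followed by `return null;` can also collapse to `return hasPermission(ANONYMOUS,permission);`. The enclosing method starts above the hunk, so the earlier checks are not visible here.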
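Review bot: In the second SidACL.java hunk (`@@ -69,10 +72,24 @@`), the new `p == EVERYONE` branch of `toString(Sid)` maps the pseudo-sid to the plain string `"role_everyone"`, which neither of the removed private copies did, and the result is used as a lookup key in the same string namespace as principal and authority names. An entry stored under a user or group literally named `role_everyone` could then match every caller; whether such an entry can be created is not visible in this diff, so the name should be reserved or rejected where entries are written and the literal moved to a named constant with a comment saying so. The method is `protected`, non-final and undocumented, and its name overloads `Object.toString()`; a Javadoc line such as `Returns the key under which grants for this sid are stored; overriding this changes how grants are matched.` would make the contract explicit.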
@@ -112,22 +112,6 @@
 return true;
 return null;
 }
-
- protected Boolean _hasPermission(Authentication a, Permission permission) {
- Boolean b = super._hasPermission(a,permission);
- // permissions granted to anonymous users are granted to everyone
- if(b==null) b=hasPermission(ANONYMOUS,permission);
- return b;
- }
-
- private String toString(Sid p) {
- if (p instanceof GrantedAuthoritySid)
- return ((GrantedAuthoritySid) p).getGrantedAuthority();
- if (p instanceof PrincipalSid)
- return ((PrincipalSid) p).getPrincipal();
- // hmm...
- return p.toString();
- }
 }
 public Descriptor getDescriptor() {
Index: AuthorizationMatrixProperty.java
===================================================================
--- AuthorizationMatrixProperty.java (revision 13757)
+++ AuthorizationMatrixProperty.java (working copy)
@@ -146,31 +146,10 @@
 private final class AclImpl extends SidACL {
 protected Boolean hasPermission(Sid sid, Permission p) {
- String s = toString(sid);
- for (; p != null; p = p.impliedBy) {
- Set set = grantedPermissions.get(p);
- if (set != null && set.contains(s))
- return true;
- }
+ if (AuthorizationMatrixProperty.this.hasPermission(toString(sid),p))
+ return true;
 return null;
 }
-
- protected Boolean _hasPermission(Authentication a, Permission permission) {
- Boolean b = super._hasPermission(a, permission);
- // permissions granted to anonymous users are granted to everyone
- if (b == null)
- b = hasPermission(ANONYMOUS, permission);
- return b;
- }
-
- private String toString(Sid p) {
- if (p instanceof GrantedAuthoritySid)
- return ((GrantedAuthoritySid) p).getGrantedAuthority();
- if (p instanceof PrincipalSid)
- return ((PrincipalSid) p).getPrincipal();
- // hmm...
- return p.toString();
- }
 }
 private Object readResolve() {
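Review bot: In the AuthorizationMatrixProperty.java hunk (`@@ -146,31 +146,10 @@`), `AclImpl.hasPermission` now relies on `AuthorizationMatrixProperty.this.hasPermission(String,Permission)`, whose body is outside this diff, to perform the `impliedBy` walk and the `set != null` guard that the removed loop did inline. If that method checks only the exact permission, implied grants silently stop being honoured here, so it is worth confirming and covering with a test that grants a permission only through an implying one. The surviving `return null;` also carries meaning that the code does not state; I would add `// null = no opinion (never false), so later sids and an inheriting parent ACL can still decide` above it.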