com.atlassian.confluence.security.interceptors

Class ConfluenceAccessInterceptor

java.lang.Object

com.atlassian.confluence.setup.webwork.AbstractAwareInterceptor

com.atlassian.confluence.security.interceptors.ConfluenceAccessInterceptor

All Implemented Interfaces:

com.opensymphony.xwork.interceptor.Interceptor

public class ConfluenceAccessInterceptor
extends AbstractAwareInterceptor

Grants or denies the current user access to the action method currently being invoked, depending on which access check annotations are present. Annotations are checked in this order:

1. If the method being invoked has a concrete implementation in the current class AND it has access check annotations on it => allow or deny based on those access checks
2. Else if any access check annotations are present on the action class => allow or deny based on those access checks
3. Else if any access check annotations are present on the package => allow or deny based on those access checks
4. Else (no access check annotations found) => allow action through / no-op (relies on other access checks in the action)

This means that access check annotations on the action method override annotations on the class, and annotations on the class override annotations on the package. If for example, annotations are found on both the class and the package, then only the class level annotations will be checked

If multiple access check annotations are present on a particular method OR class OR package, then the user will be granted access if any of those access check annotations grant them access. For example, if a method has access check annotations "@A" and "@B", then the user will have access if either "@A" or "@B" grants access to that particular user.

If no access check annotations are found, this interceptor will have no effect. This will then fall back to the default check for SpacePermission.USE_CONFLUENCE_PERMISSION in ConfluenceActionSupport.isPermitted().

Available annotations:

• PublicAccess
• RequiresAnyConfluenceAccess
• RequiresLicensedOrAnonymousConfluenceAccess
• RequiresLicensedConfluenceAccess

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
protected static class	ConfluenceAccessInterceptor.AccessDecision

Constructor Summary

Constructors

Constructor and Description
ConfluenceAccessInterceptor()

Method Summary

Modifier and Type	Method and Description
protected ConfluenceAccessInterceptor.AccessDecision	checkAccessAnnotations(AnnotatedElement annotatedElement, com.google.common.base.Supplier<AccessStatus> accessStatusSupplier) Checks if the user is granted access by any annotations on the provided annotated element (method / class / package).
protected List<AnnotatedElement>	getOrderedAnnotatedElements(com.opensymphony.xwork.ActionInvocation actionInvocation) Gets the method, class and package targets for the current action invocation, to be inspected for access check annotations.
String	intercept(com.opensymphony.xwork.ActionInvocation actionInvocation)

Methods inherited from class com.atlassian.confluence.setup.webwork.AbstractAwareInterceptor

destroy, getParameter, getUser, hasParameter, init

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

ConfluenceAccessInterceptor

public ConfluenceAccessInterceptor()

Method Detail

intercept

public String intercept(com.opensymphony.xwork.ActionInvocation actionInvocation)
                 throws Exception

Specified by:

intercept in interface com.opensymphony.xwork.interceptor.Interceptor

Specified by:

intercept in class AbstractAwareInterceptor

Throws:

Exception

getOrderedAnnotatedElements

protected List<AnnotatedElement> getOrderedAnnotatedElements(com.opensymphony.xwork.ActionInvocation actionInvocation)

Gets the method, class and package targets for the current action invocation, to be inspected for access check annotations. The order returned is the order (and precedence) in which annotated elements are checked, i.e. the invoked method is checked first (but only if it has an implementation in the current class), then the class, then the package.

checkAccessAnnotations

protected ConfluenceAccessInterceptor.AccessDecision checkAccessAnnotations(AnnotatedElement annotatedElement,
                                                                            com.google.common.base.Supplier<AccessStatus> accessStatusSupplier)

Checks if the user is granted access by any annotations on the provided annotated element (method / class / package).

If any access check annotations are found on the element: if any checks grant access => GRANTED otherwise => DENIED If no access check annotations are found, the result will be ABSTAIN.