Improvements for ACL advice

gsec/pom.xml

@@ -8,7 +8,7 @@
     </parent>
     <groupId>pavlab</groupId>
     <artifactId>gemma-gsec</artifactId>
-    <version>0.0.22</version>
+    <version>0.0.23-SNAPSHOT</version>
     <packaging>jar</packaging>
     <name>gsec</name>
     <organization>
@@ -49,6 +49,12 @@
             <artifactId>commons-logging</artifactId>
         </dependency>
 
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-collections4</artifactId>
+            <version>4.5.0</version>
+        </dependency>
+
         <!-- Hibernate -->
         <dependency>
             <groupId>org.hibernate</groupId>
@@ -137,7 +143,7 @@
         <dependency>
             <groupId>org.json</groupId>
             <artifactId>json</artifactId>
-            <version>20250107</version>
+            <version>20251224</version>
             <optional>true</optional>
         </dependency>
         <dependency>
@@ -318,7 +324,7 @@
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>versions-maven-plugin</artifactId>
-                <version>2.20.1</version>
+                <version>2.21.0</version>
                 <configuration>
                     <dependencyExcludes>
                         <dependencyExclude>org.hibernate:hibernate-core:*</dependencyExclude>

gsec/src/main/java/gemma/gsec/acl/ObjectTransientnessRetrievalStrategyImpl.java

@@ -1,6 +1,5 @@
 package gemma.gsec.acl;
 
-import gemma.gsec.acl.ObjectTransientnessRetrievalStrategy;
 import gemma.gsec.model.Securable;
 import org.springframework.util.Assert;
 

gsec/src/main/java/gemma/gsec/acl/ParentIdentityRetrievalStrategy.java

@@ -0,0 +1,21 @@
+package gemma.gsec.acl;
+
+import org.springframework.security.acls.model.ObjectIdentity;
+
+import javax.annotation.Nullable;
+
+/**
+ * Strategy for locating parent ACL identities.
+ *
+ * @author poirigui
+ */
+public interface ParentIdentityRetrievalStrategy {
+
+    /**
+     * Obtain the parent ACL identity for the given domain object.
+     *
+     * @return the parent ACL identity if it can be determined, null otherwise
+     */
+    @Nullable
+    ObjectIdentity getParentIdentity( Object domainObject );
+}

gsec/src/main/java/gemma/gsec/acl/domain/AclObjectIdentity.java

@@ -25,6 +25,7 @@
 import org.springframework.util.Assert;
 import org.springframework.util.ClassUtils;
 
+import javax.annotation.Nullable;
 import java.util.HashSet;
 import java.util.Objects;
 import java.util.Set;
@@ -49,6 +50,7 @@ public class AclObjectIdentity implements ObjectIdentity {
 
     private AclSid ownerSid;
 
+    @Nullable
     private AclObjectIdentity parentObject;
 
     private Set<AclEntry> entries = new HashSet<>();
@@ -138,11 +140,12 @@ public void setOwnerSid( Sid ownerSid ) {
         this.ownerSid = ( AclSid ) ownerSid;
     }
 
+    @Nullable
     public AclObjectIdentity getParentObject() {
         return parentObject;
     }
 
-    public void setParentObject( AclObjectIdentity parentObject ) {
+    public void setParentObject( @Nullable AclObjectIdentity parentObject ) {
         assert parentObject != this && !this.equals( parentObject );
         this.parentObject = parentObject;
     }

gsec/src/main/java/gemma/gsec/model/Securable.java

@@ -19,7 +19,10 @@
 package gemma.gsec.model;
 
 /**
- * Interface that indicates an entity can be secured. By default, permissions are inherited by associated objects.
+ * Interface that indicates an entity can be secured.
+ * <p>
+ * Securables have ACLs associated with them and may inherit permissions from parent securables (see {@link SecuredChild}), or
+ * not (see {@link SecuredNotChild}).
  *
  * @author paul
  * @version $Id: Securable.java,v 1.4 2013/03/16 00:39:24 paul Exp $

gsec/src/main/java/gemma/gsec/model/SecuredChild.java

@@ -18,14 +18,16 @@
  */
 package gemma.gsec.model;
 
+import javax.annotation.Nullable;
+
 /**
- * Indicates a securable that must have a parent that holds the permissons. For example, BioAssays are given the same
- * permissions as the holding Experiment, and no object should have the BioAssay's ACL as its parent.
+ * Indicates a {@link Securable} must have a parent from which it inherits permissions.
  *
  * @author paul
  * @version $Id: SecuredChild.java,v 1.3 2013/03/16 00:39:24 paul Exp $
  */
 public interface SecuredChild extends Securable {
 
+    @Nullable
     Securable getSecurityOwner();
 }

gsec/src/main/java/gemma/gsec/model/SecuredNotChild.java

@@ -19,8 +19,7 @@
 package gemma.gsec.model;
 
 /**
- * Interface to mark entities which are secured, and which should not have 'parent's, and therefore do not inherit
- * permissions from other objects.
+ * Indicates that a {@link Securable} cannot have a parent.
  *
  * @author paul
  * @version $Id: SecuredNotChild.java,v 1.2 2009/11/23 20:26:42 paul Exp $