You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@jena.apache.org by cl...@apache.org on 2021/05/25 14:26:01 UTC
[jena] branch main updated: Code to differentiate between hard and
soft read errors.
This is an automated email from the ASF dual-hosted git repository.
claude pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/jena.git
The following commit(s) were added to refs/heads/main by this push:
new 6b24765 Code to differentiate between hard and soft read errors.
new 041ec26 Merge pull request #1006 from Claudenw/permissionsV4_main
6b24765 is described below
commit 6b247650a89af4c9f59e8f9427c73ecd447b8299
Author: Claude Warren <cl...@xenei.com>
AuthorDate: Thu Mar 4 22:32:55 2021 +0000
Code to differentiate between hard and soft read errors.
There is a SecurityEvaluator change and change to test cases to test it.
Fixed javadoc and compiler warnings.
fixed typos
cleaned up and formatted test and example code
---
jena-permissions/readme.md | 31 +-
.../jena/permissions/example/ExampleEvaluator.java | 216 +-
.../jena/permissions/example/SecurityExample.java | 96 +-
.../permissions/example/ShiroExampleEvaluator.java | 395 +-
.../permissions/example/readonly/ReadOnlyEval.java | 47 +-
.../jena/permissions/AssemblerConstants.java | 70 +-
.../java/org/apache/jena/permissions/Factory.java | 82 +-
.../apache/jena/permissions/SecuredAssembler.java | 332 +-
.../org/apache/jena/permissions/SecuredItem.java | 418 +-
.../apache/jena/permissions/SecurityEvaluator.java | 681 ++-
.../permissions/SecurityEvaluatorAssembler.java | 283 +-
.../permissions/graph/SecuredCapabilities.java | 99 +-
.../jena/permissions/graph/SecuredGraph.java | 166 +-
.../graph/SecuredGraphEventManager.java | 1024 ++--
.../permissions/graph/SecuredPrefixMapping.java | 258 +-
.../jena/permissions/graph/impl/Factory.java | 106 +-
.../permissions/graph/impl/SecuredGraphImpl.java | 536 +-
.../graph/impl/SecuredPrefixMappingImpl.java | 264 +-
.../jena/permissions/graph/package-info.java | 64 +-
.../permissions/impl/CachedSecurityEvaluator.java | 114 +-
.../apache/jena/permissions/impl/ItemHolder.java | 149 +-
.../jena/permissions/impl/SecuredItemImpl.java | 1603 +++---
.../jena/permissions/impl/SecuredItemInvoker.java | 186 +-
.../apache/jena/permissions/model/SecuredAlt.java | 313 +-
.../apache/jena/permissions/model/SecuredBag.java | 11 +-
.../jena/permissions/model/SecuredContainer.java | 273 +-
.../jena/permissions/model/SecuredLiteral.java | 195 +-
.../jena/permissions/model/SecuredModel.java | 1887 +------
.../jena/permissions/model/SecuredProperty.java | 18 +-
.../jena/permissions/model/SecuredRDFList.java | 543 +-
.../jena/permissions/model/SecuredRDFNode.java | 44 +-
.../permissions/model/SecuredReifiedStatement.java | 15 +-
.../jena/permissions/model/SecuredResource.java | 419 +-
.../apache/jena/permissions/model/SecuredSeq.java | 541 +-
.../jena/permissions/model/SecuredStatement.java | 355 +-
.../SecuredUnsupportedPolymorphismException.java | 28 +-
.../permissions/model/impl/SecuredAltImpl.java | 740 ++-
.../permissions/model/impl/SecuredBagImpl.java | 93 +-
.../model/impl/SecuredContainerImpl.java | 905 ++--
.../permissions/model/impl/SecuredLiteralImpl.java | 459 +-
.../permissions/model/impl/SecuredModelImpl.java | 5613 ++++++++++++--------
.../model/impl/SecuredNodeIterator.java | 203 +-
.../model/impl/SecuredPropertyImpl.java | 152 +-
.../permissions/model/impl/SecuredRDFListImpl.java | 1691 +++---
.../permissions/model/impl/SecuredRDFNodeImpl.java | 364 +-
.../permissions/model/impl/SecuredRSIterator.java | 247 +-
.../model/impl/SecuredReifiedStatementImpl.java | 108 +-
.../permissions/model/impl/SecuredResIterator.java | 206 +-
.../model/impl/SecuredResourceImpl.java | 1718 +++---
.../permissions/model/impl/SecuredSelector.java | 85 +-
.../permissions/model/impl/SecuredSeqImpl.java | 1317 +++--
.../model/impl/SecuredStatementImpl.java | 1219 +++--
.../model/impl/SecuredStatementIterator.java | 204 +-
.../org/apache/jena/permissions/package-info.java | 52 +-
.../jena/permissions/query/SecuredQueryEngine.java | 187 +-
.../query/SecuredQueryEngineConfig.java | 12 +-
.../query/SecuredQueryEngineFactory.java | 181 +-
.../permissions/query/rewriter/OpRewriter.java | 1094 ++--
.../query/rewriter/SecuredFunction.java | 157 +-
.../jena/permissions/utils/ContainerFilter.java | 46 +-
.../permissions/utils/PermStatementFilter.java | 203 +-
.../jena/permissions/utils/PermTripleFilter.java | 200 +-
.../jena/permissions/utils/RDFListIterator.java | 101 +-
.../jena/permissions/utils/RDFListSecFilter.java | 55 +-
.../apache/jena/permissions/EqualityTester.java | 39 +-
.../apache/jena/permissions/MockPrefixMapping.java | 157 +-
.../jena/permissions/MockSecurityEvaluator.java | 389 +-
.../permissions/ModelBasedSecurityEvaluator.java | 108 +-
.../jena/permissions/SecuredAssemblerTest.java | 107 +-
.../permissions/SecurityEvaluatorParameters.java | 181 +-
.../jena/permissions/SecurityEvaluatorTest.java | 6 +-
.../jena/permissions/StaticSecurityEvaluator.java | 112 +-
.../graph/CachedSecurityEvaluatorTest.java | 29 +-
.../contract/graph/SecuredGraphContractTests.java | 40 +-
.../contract/graph/SecuredGraphListenerTest.java | 45 +-
.../graph/SecuredTDBGraphContractTests.java | 41 +-
.../permissions/contract/model/ModelTestSuite.java | 160 +-
.../contract/model/SecTestLiterals.java | 10 +-
.../permissions/contract/model/SecTestPackage.java | 141 +-
.../contract/model/SecTestReaderEvents.java | 8 +-
.../permissions/contract/model/SecTestReaders.java | 8 +-
.../graph/CrossIDGraphEventManagerTest.java | 70 +-
.../permissions/graph/GraphEventManagerTest.java | 132 +-
.../jena/permissions/graph/MemGraphTest.java | 464 +-
.../permissions/graph/RecordingGraphListener.java | 152 +-
.../graph/SecuredPrefixMappingTest.java | 646 +--
.../jena/permissions/graph/TDBGraphTest.java | 36 +-
.../jena/permissions/impl/SecuredItemImplTest.java | 397 +-
.../jena/permissions/model/SecuredAltTest.java | 718 ++-
.../jena/permissions/model/SecuredBagTest.java | 21 +-
.../permissions/model/SecuredContainerTest.java | 509 +-
.../jena/permissions/model/SecuredLiteralTest.java | 553 +-
.../permissions/model/SecuredModelDetailTest.java | 624 +--
.../jena/permissions/model/SecuredModelTest.java | 3222 ++++++-----
.../permissions/model/SecuredPropertyTest.java | 62 +-
.../jena/permissions/model/SecuredRDFListTest.java | 1330 ++---
.../jena/permissions/model/SecuredRDFNodeTest.java | 251 +-
.../model/SecuredReifiedStatementTest.java | 68 +-
.../permissions/model/SecuredResourceTest.java | 1373 +++--
.../jena/permissions/model/SecuredSeqTest.java | 1120 ++--
.../permissions/model/SecuredStatementTest.java | 917 ++--
.../apache/jena/permissions/query/DataSetTest.java | 308 +-
.../jena/permissions/query/QueryEngineTest.java | 332 +-
.../permissions/query/rewriter/OpRewriterTest.java | 131 +-
pom.xml | 4 +-
105 files changed, 20854 insertions(+), 23641 deletions(-)
diff --git a/jena-permissions/readme.md b/jena-permissions/readme.md
index 23599c8..09a0328 100644
--- a/jena-permissions/readme.md
+++ b/jena-permissions/readme.md
@@ -1,30 +1,35 @@
+## Overview
JenaPermissions is a SecurityEvaluator interface and a set of dynamic proxies that apply that interface to Jena Graphs, Models, and associated methods and classes.
The SecurityEvaluator class must be implemented. This class provides the interface to the authentication results (e.g. getPrincipal())) and the authorization system.
-Create a SecuredGraph by calling Factory.getInstance( SecurityEvaluator, String, Graph );
-Create a SecuredModel by calling Factory.getInstance( SecurityEvaluator, String, Model ) or ModelFactory.createModelForGraph( SecuredGraph );
+## Programatic usage
-NOTE: when creating a model by wrapping a secured graph (e.g. ModelFactory.createModelForGraph( SecuredGraph );) the resulting Model does not
+Create a SecuredGraph by calling `Factory.getInstance( SecurityEvaluator, String, Graph );`
+Create a SecuredModel by calling `Factory.getInstance( SecurityEvaluator, String, Model )` or `ModelFactory.createModelForGraph( SecuredGraph );`
+
+**NOTE:** when creating a model by wrapping a secured graph (e.g. `ModelFactory.createModelForGraph( SecuredGraph );`) the resulting Model does not
have the same permission requirements that the standard secured model does.
-For instance when creating a list on a secured model calling model.createList( RDFNode[] ); The standard secured model verifies that the user
+For instance when creating a list on a secured model calling `model.createList( RDFNode[] );` The standard secured model verifies that the user
has the right to update the triples and allows or denies the entire operation accordingly. The wrapped secured graph does not have visibility
-to the createList() command and can only operate on the instructions issued by the model.createList() implementation. In the standard implementation
+to the `createList()` command and can only operate on the instructions issued by the `model.createList()` implementation. In the standard implementation
the model requests the graph to delete one triple and then insert another. Thus the user must have delete and add permissions, not the update permission.
There are several other cases where the difference in the layer can trip up the permission system. In all known cases the result is a tighter
permission definition than was requested. For simplicity sake we recommend that the wrapped secured graph only be used in cases where access to the
graph as a whole is granted/denied. In these cases the user either has all CRUD capabilities or none.
+
+## Assembler example
-[] a ja:Model ;
- sec:baseModel jena:model ;
- ja:modelName "modelName";
- sec:evaluatorFactory "javaclass";
- .
+ [] a ja:Model ;
+ sec:baseModel jena:model ;
+ ja:modelName "modelName";
+ sec:evaluatorFactory "javaclass";
+ .
-jena:model A model defined in the assembler file.
-"modelName" The name of the model as identified in the security manager
-"javaclass" The name of a java class that implements a Evaluator Factory. The Factory must have static method getInstance() that
+ * jena:model A model defined in the assembler file.
+ * "modelName" The name of the model as identified in the security manager
+ * "javaclass" The name of a java class that implements a Evaluator Factory. The Factory must have static method `getInstance()` that
returns a SecurityEvaluator.
diff --git a/jena-permissions/src/example/java/org/apache/jena/permissions/example/ExampleEvaluator.java b/jena-permissions/src/example/java/org/apache/jena/permissions/example/ExampleEvaluator.java
index 467f05e..282ce74 100644
--- a/jena-permissions/src/example/java/org/apache/jena/permissions/example/ExampleEvaluator.java
+++ b/jena-permissions/src/example/java/org/apache/jena/permissions/example/ExampleEvaluator.java
@@ -17,139 +17,127 @@
*/
package org.apache.jena.permissions.example;
-import java.security.Principal ;
-import java.util.Set ;
+import java.security.Principal;
+import java.util.Set;
-import org.apache.http.auth.BasicUserPrincipal ;
+import org.apache.http.auth.BasicUserPrincipal;
import org.apache.jena.graph.Node;
import org.apache.jena.graph.Triple;
-import org.apache.jena.permissions.SecurityEvaluator ;
-import org.apache.jena.rdf.model.* ;
+import org.apache.jena.permissions.SecurityEvaluator;
+import org.apache.jena.rdf.model.*;
import org.apache.jena.shared.AuthenticationRequiredException;
-import org.apache.jena.vocabulary.RDF ;
+import org.apache.jena.vocabulary.RDF;
/**
- * An example evaluator that only provides access to messages in the graph that
+ * An example evaluator that only provides access to messages in the graph that
* are from or to the principal.
*
*/
public class ExampleEvaluator implements SecurityEvaluator {
-
- private Principal principal;
- private Model model;
- private RDFNode msgType = ResourceFactory.createResource( "http://example.com/msg" );
- private Property pTo = ResourceFactory.createProperty( "http://example.com/to" );
- private Property pFrom = ResourceFactory.createProperty( "http://example.com/from" );
-
- /**
- *
- * @param model The graph we are going to evaluate against.
- */
- public ExampleEvaluator( Model model )
- {
- this.model = model;
- }
-
- @Override
- public boolean evaluate(Object principal, Action action, Node graphIRI) {
- // we allow any action on a graph.
- return true;
- }
-
- // not that in this implementation all permission checks flow through
- // this method. We can do this because we have a simple permissions
- // requirement. A more complex set of permissions requirement would
+
+ private Principal principal;
+ private Model model;
+ private RDFNode msgType = ResourceFactory.createResource("http://example.com/msg");
+ private Property pTo = ResourceFactory.createProperty("http://example.com/to");
+ private Property pFrom = ResourceFactory.createProperty("http://example.com/from");
+
+ /**
+ *
+ * @param model The graph we are going to evaluate against.
+ */
+ public ExampleEvaluator(Model model) {
+ this.model = model;
+ }
+
+ @Override
+ public boolean evaluate(Object principal, Action action, Node graphIRI) {
+ // we allow any action on a graph.
+ return true;
+ }
+
+ // not that in this implementation all permission checks flow through
+ // this method. We can do this because we have a simple permissions
+ // requirement. A more complex set of permissions requirement would
// require a different strategy.
- private boolean evaluate( Object principalObj, Resource r )
- {
- Principal principal = (Principal)principalObj;
+ private boolean evaluate(Object principalObj, Resource r) {
+ Principal principal = (Principal) principalObj;
// we do not allow anonymous (un-authenticated) reads of data.
// Another strategy would be to only require authentication if the
// data being requested was restricted -- but that is a more complex
// process and not suitable for this simple example.
- if (principal == null)
- {
+ if (principal == null) {
throw new AuthenticationRequiredException();
}
-
+
// a message is only available to sender or recipient
- if (r.hasProperty( RDF.type, msgType ))
- {
- return r.hasProperty( pTo, principal.getName() ) ||
- r.hasProperty( pFrom, principal.getName());
+ if (r.hasProperty(RDF.type, msgType)) {
+ return r.hasProperty(pTo, principal.getName()) || r.hasProperty(pFrom, principal.getName());
}
- return true;
+ return true;
+ }
+
+ private boolean evaluate(Object principal, Node node) {
+ if (node.equals(Node.ANY)) {
+ return false; // all wild cards are false
+ }
+
+ if (node.isURI() || node.isBlank()) {
+ Resource r = model.getRDFNode(node).asResource();
+ return evaluate(principal, r);
+ }
+ return true;
+ }
+
+ private boolean evaluate(Object principal, Triple triple) {
+ return evaluate(principal, triple.getSubject()) && evaluate(principal, triple.getObject())
+ && evaluate(principal, triple.getPredicate());
+ }
+
+ @Override
+ public boolean evaluate(Object principal, Action action, Node graphIRI, Triple triple) {
+ return evaluate(principal, triple);
+ }
+
+ @Override
+ public boolean evaluate(Object principal, Set<Action> actions, Node graphIRI) {
+ return true;
+ }
+
+ @Override
+ public boolean evaluate(Object principal, Set<Action> actions, Node graphIRI, Triple triple) {
+ return evaluate(principal, triple);
+ }
+
+ @Override
+ public boolean evaluateAny(Object principal, Set<Action> actions, Node graphIRI) {
+ return true;
+ }
+
+ @Override
+ public boolean evaluateAny(Object principal, Set<Action> actions, Node graphIRI, Triple triple) {
+ return evaluate(principal, triple);
+ }
+
+ @Override
+ public boolean evaluateUpdate(Object principal, Node graphIRI, Triple from, Triple to) {
+ return evaluate(principal, from) && evaluate(principal, to);
+ }
+
+ public void setPrincipal(String userName) {
+ if (userName == null) {
+ principal = null;
+ }
+ principal = new BasicUserPrincipal(userName);
+ }
+
+ @Override
+ public Principal getPrincipal() {
+ return principal;
+ }
+
+ @Override
+ public boolean isPrincipalAuthenticated(Object principal) {
+ return principal != null;
}
-
-
- private boolean evaluate( Object principal, Node node )
- {
- if (node.equals( Node.ANY )) {
- return false; // all wild cards are false
- }
-
- if (node.isURI() || node.isBlank()) {
- Resource r = model.getRDFNode( node ).asResource();
- return evaluate( principal, r );
- }
- return true;
- }
-
- private boolean evaluate( Object principal, Triple triple ) {
- return evaluate( principal, triple.getSubject()) &&
- evaluate( principal, triple.getObject()) &&
- evaluate( principal, triple.getPredicate());
- }
-
- @Override
- public boolean evaluate(Object principal, Action action, Node graphIRI, Triple triple) {
- return evaluate( principal, triple );
- }
-
- @Override
- public boolean evaluate(Object principal, Set<Action> actions, Node graphIRI) {
- return true;
- }
-
- @Override
- public boolean evaluate(Object principal, Set<Action> actions, Node graphIRI,
- Triple triple) {
- return evaluate( principal, triple );
- }
-
- @Override
- public boolean evaluateAny(Object principal, Set<Action> actions, Node graphIRI) {
- return true;
- }
-
- @Override
- public boolean evaluateAny(Object principal, Set<Action> actions, Node graphIRI,
- Triple triple) {
- return evaluate( principal, triple );
- }
-
- @Override
- public boolean evaluateUpdate(Object principal, Node graphIRI, Triple from, Triple to) {
- return evaluate( principal, from ) && evaluate( principal, to );
- }
-
- public void setPrincipal( String userName )
- {
- if (userName == null)
- {
- principal = null;
- }
- principal = new BasicUserPrincipal( userName );
- }
-
- @Override
- public Principal getPrincipal() {
- return principal;
- }
-
- @Override
- public boolean isPrincipalAuthenticated(Object principal) {
- return principal != null;
- }
}
diff --git a/jena-permissions/src/example/java/org/apache/jena/permissions/example/SecurityExample.java b/jena-permissions/src/example/java/org/apache/jena/permissions/example/SecurityExample.java
index a6f9e63..c165b7e 100644
--- a/jena-permissions/src/example/java/org/apache/jena/permissions/example/SecurityExample.java
+++ b/jena-permissions/src/example/java/org/apache/jena/permissions/example/SecurityExample.java
@@ -33,61 +33,55 @@ import org.apache.jena.vocabulary.RDF;
public class SecurityExample {
- /**
- * @param args
- */
+ /**
+ * @param args
+ */
- public static void main(String[] args) {
- String[] names = { "alice", "bob", "chuck", "darla" };
+ public static void main(String[] args) {
+ String[] names = { "alice", "bob", "chuck", "darla" };
- RDFNode msgType = ResourceFactory
- .createResource("http://example.com/msg");
- Property pTo = ResourceFactory.createProperty("http://example.com/to");
- Property pFrom = ResourceFactory
- .createProperty("http://example.com/from");
- Property pSubj = ResourceFactory
- .createProperty("http://example.com/subj");
+ RDFNode msgType = ResourceFactory.createResource("http://example.com/msg");
+ Property pTo = ResourceFactory.createProperty("http://example.com/to");
+ Property pFrom = ResourceFactory.createProperty("http://example.com/from");
+ Property pSubj = ResourceFactory.createProperty("http://example.com/subj");
- Model model = ModelFactory.createDefaultModel();
- URL url = SecurityExample.class.getClassLoader().getResource(
- "org/apache/jena/security/example/example.ttl");
- model.read(url.toExternalForm());
- ResIterator ri = model.listSubjectsWithProperty(RDF.type, msgType);
- System.out.println("All the messages");
- while (ri.hasNext()) {
- Resource msg = ri.next();
- Statement to = msg.getProperty(pTo);
- Statement from = msg.getProperty(pFrom);
- Statement subj = msg.getProperty(pSubj);
- System.out.println(String.format("%s to: %s from: %s subj: %s",
- msg, to.getObject(), from.getObject(), subj.getObject()));
- }
- System.out.println();
+ Model model = ModelFactory.createDefaultModel();
+ URL url = SecurityExample.class.getClassLoader().getResource("org/apache/jena/security/example/example.ttl");
+ model.read(url.toExternalForm());
+ ResIterator ri = model.listSubjectsWithProperty(RDF.type, msgType);
+ System.out.println("All the messages");
+ while (ri.hasNext()) {
+ Resource msg = ri.next();
+ Statement to = msg.getProperty(pTo);
+ Statement from = msg.getProperty(pFrom);
+ Statement subj = msg.getProperty(pSubj);
+ System.out.println(String.format("%s to: %s from: %s subj: %s", msg, to.getObject(), from.getObject(),
+ subj.getObject()));
+ }
+ System.out.println();
- ExampleEvaluator evaluator = new ExampleEvaluator(model);
- model = Factory.getInstance(evaluator,
- "http://example.com/SecuredModel", model);
- for (String userName : names) {
- evaluator.setPrincipal(userName);
+ ExampleEvaluator evaluator = new ExampleEvaluator(model);
+ model = Factory.getInstance(evaluator, "http://example.com/SecuredModel", model);
+ for (String userName : names) {
+ evaluator.setPrincipal(userName);
- System.out.println("Messages " + userName + " can manipulate");
- ri = model.listSubjectsWithProperty(RDF.type, msgType);
- while (ri.hasNext()) {
- Resource msg = ri.next();
- Statement to = msg.getProperty(pTo);
- Statement from = msg.getProperty(pFrom);
- Statement subj = msg.getProperty(pSubj);
- System.out.println(String.format(
- "%s to: %s from: %s subj: %s", msg, to.getObject(),
- from.getObject(), subj.getObject()));
- }
- ri.close();
- for (String name : names)
- {
- System.out.println( String.format( "%s messages to %s", model.listSubjectsWithProperty( pTo, name ).toList().size(), name ) );
- }
- System.out.println();
- }
- }
+ System.out.println("Messages " + userName + " can manipulate");
+ ri = model.listSubjectsWithProperty(RDF.type, msgType);
+ while (ri.hasNext()) {
+ Resource msg = ri.next();
+ Statement to = msg.getProperty(pTo);
+ Statement from = msg.getProperty(pFrom);
+ Statement subj = msg.getProperty(pSubj);
+ System.out.println(String.format("%s to: %s from: %s subj: %s", msg, to.getObject(), from.getObject(),
+ subj.getObject()));
+ }
+ ri.close();
+ for (String name : names) {
+ System.out.println(String.format("%s messages to %s",
+ model.listSubjectsWithProperty(pTo, name).toList().size(), name));
+ }
+ System.out.println();
+ }
+ }
}
diff --git a/jena-permissions/src/example/java/org/apache/jena/permissions/example/ShiroExampleEvaluator.java b/jena-permissions/src/example/java/org/apache/jena/permissions/example/ShiroExampleEvaluator.java
index d58c60e..e9826cc 100644
--- a/jena-permissions/src/example/java/org/apache/jena/permissions/example/ShiroExampleEvaluator.java
+++ b/jena-permissions/src/example/java/org/apache/jena/permissions/example/ShiroExampleEvaluator.java
@@ -17,219 +17,212 @@
*/
package org.apache.jena.permissions.example;
-import java.util.Set ;
+import java.util.Set;
import org.apache.jena.graph.Node;
import org.apache.jena.graph.Triple;
-import org.apache.jena.permissions.SecurityEvaluator ;
-import org.apache.jena.rdf.model.* ;
-import org.apache.jena.vocabulary.RDF ;
-import org.apache.shiro.SecurityUtils ;
-import org.apache.shiro.subject.Subject ;
-import org.slf4j.Logger ;
-import org.slf4j.LoggerFactory ;
+import org.apache.jena.permissions.SecurityEvaluator;
+import org.apache.jena.rdf.model.*;
+import org.apache.jena.vocabulary.RDF;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.subject.Subject;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
/**
* Class to use Shiro to provide credentials.
*
- * An example evaluator that only provides access to messages in the graph that
+ * An example evaluator that only provides access to messages in the graph that
* are from or to the principal.
*
*/
public class ShiroExampleEvaluator implements SecurityEvaluator {
- private static final Logger LOG = LoggerFactory.getLogger(ShiroExampleEvaluator.class);
- // the model that contains the messages.
- private Model model;
- private RDFNode msgType = ResourceFactory.createResource( "http://example.com/msg" );
- private Property pTo = ResourceFactory.createProperty( "http://example.com/to" );
- private Property pFrom = ResourceFactory.createProperty( "http://example.com/from" );
-
- /**
- *
- * @param model The graph we are going to evaluate against.
- */
- public ShiroExampleEvaluator( Model model )
- {
- this.model = model;
- }
-
- /**
- * We allow any action on the graph itself, so this is always true.
- */
- @Override
- public boolean evaluate(Object principal, Action action, Node graphIRI) {
- // we allow any action on a graph.
- return true;
- }
-
- /**
- * This is our internal check to see if the user may access the resource.
- * This method is called from the evaluate(Object,Node) method.
- * A user may only access the resource if they are authenticated, and are either the
- * sender or the recipient.
- * Additionally the admin can always see the messages.
- * @param principalObj
- * @param r
- * @return
- */
- private boolean evaluate( Object principalObj, Resource r )
- {
- // cast to the Subject because we know that it comes from Shiro and that
- // our getPrincipal() method returns a Subject.
- Subject subject = (Subject)principalObj;
- if (! subject.isAuthenticated())
- {
- // we could throw an AuthenticationRequiredException but
- // in our case we just return false.
- LOG.info( "User not authenticated");
- return false;
- }
- // a message is only available to sender or recipient
- LOG.debug( "checking {}", subject.getPrincipal());
- Object principal = subject.getPrincipal();
-
- // We put the admin check here but it could have been done much earlier.
- if ("admin".equals(principal.toString()))
- {
- return true;
- }
- // if we are looking at a message object then check the restrictions.
- if (r.hasProperty( RDF.type, msgType ))
- {
- return r.hasProperty( pTo, subject.getPrincipal().toString() ) ||
- r.hasProperty( pFrom, subject.getPrincipal().toString());
- }
- // otherwise user can see the object.
- return true;
- }
-
- /**
- * Check that the user can see a specific node.
- * @param principal
- * @param node
- * @return
- */
- private boolean evaluate( Object principal, Node node )
- {
- // Access to wild card is false -- this forces checks to the acutal nodes
- // to be returned.
- // we could have checked for admin access here and returned true since the admin
- // can see any node.
- if (node.equals( Node.ANY )) {
- return false;
- }
-
- // URI nodes and blank nodes are retrieved from the model and evaluated
- if (node.isURI() || node.isBlank()) {
- Resource r = model.getRDFNode( node ).asResource();
- return evaluate( principal, r );
- }
- // anything else (literals) can be seen.
- return true;
- }
-
- /**
- * Evaluate if the user can see the triple.
- * @param principal
- * @param triple
- * @return
- */
- private boolean evaluate( Object principal, Triple triple ) {
- // we could have checked here to see if the principal was the admin and
- // just returned true since the admin can perform any operation on any triple.
- return evaluate( principal, triple.getSubject()) &&
- evaluate( principal, triple.getObject()) &&
- evaluate( principal, triple.getPredicate());
- }
-
- /**
- * As per our design, users can do anything with triples they have access to, so we just
- * ignore the action parameter. If we were to implement rules restricted access based
- * upon action this method would sort those out appropriately.
- */
- @Override
- public boolean evaluate(Object principal, Action action, Node graphIRI, Triple triple) {
- // we could have checked here to see if the principal was the admin and
- // just returned true since the admin can perform any operation on any triple.
- return evaluate( principal, triple );
- }
-
- /**
- * As per our design, users can access any graph. If we were to implement rules that
- * restricted user access to specific graphs, those checks would be here and we would
- * return <code>false</code> if they were not allowed to access the graph. Note that this
- * method is checking to see that the user may perform ALL the actions in the set on the
- * graph.
- */
- @Override
- public boolean evaluate(Object principal, Set<Action> actions, Node graphIRI) {
- return true;
- }
-
- /**
- * As per our design, users can access any triple from a message that is from or to them.
- * Since we don't have restrictions on actions this is no different then checking access
- * for a single action.
- */
- @Override
- public boolean evaluate(Object principal, Set<Action> actions, Node graphIRI,
- Triple triple) {
- return evaluate( principal, triple );
- }
-
- /**
- * As per our design, users can access any graph. If we were to implement rules that
- * restricted user access to specific graphs, those checks would be here and we would
- * return <code>false</code> if they were not allowed to access the graph. Note that this
- * method is checking to see that the user may perform ANY of the actions in the set on the
- * graph.
- */
- @Override
- public boolean evaluateAny(Object principal, Set<Action> actions, Node graphIRI) {
- return true;
- }
-
- /**
- * As per our design, users can access any triple from a message that is from or to them.
- * Since we don't have restrictions on actions this is no different then checking access
- * for a single action.
- */
- @Override
- public boolean evaluateAny(Object principal, Set<Action> actions, Node graphIRI,
- Triple triple) {
- return evaluate( principal, triple );
- }
-
- /**
- * As per our design, users can access any triple from a message that is from or to them.
- * So for an update they can only change triples they have access to into other triples
- * they have access to. (e.g. they can not remove themselves from the message).
- */
- @Override
- public boolean evaluateUpdate(Object principal, Node graphIRI, Triple from, Triple to) {
- return evaluate( principal, from ) && evaluate( principal, to );
- }
-
- /**
- * Return the Shiro subject. This is the subject that Shiro currently has logged in.
- */
- @Override
- public Object getPrincipal() {
- return SecurityUtils.getSubject();
- }
-
- /**
- * Verify the Shiro subject is authenticated.
- */
- @Override
- public boolean isPrincipalAuthenticated(Object principal) {
- if (principal instanceof Subject)
- {
- return ((Subject)principal).isAuthenticated();
- }
- return false;
- }
+ private static final Logger LOG = LoggerFactory.getLogger(ShiroExampleEvaluator.class);
+ // the model that contains the messages.
+ private Model model;
+ private RDFNode msgType = ResourceFactory.createResource("http://example.com/msg");
+ private Property pTo = ResourceFactory.createProperty("http://example.com/to");
+ private Property pFrom = ResourceFactory.createProperty("http://example.com/from");
+ /**
+ *
+ * @param model The graph we are going to evaluate against.
+ */
+ public ShiroExampleEvaluator(Model model) {
+ this.model = model;
+ }
+
+ /**
+ * We allow any action on the graph itself, so this is always true.
+ */
+ @Override
+ public boolean evaluate(Object principal, Action action, Node graphIRI) {
+ // we allow any action on a graph.
+ return true;
+ }
+
+ /**
+ * This is our internal check to see if the user may access the resource. This
+ * method is called from the evaluate(Object,Node) method. A user may only
+ * access the resource if they are authenticated, and are either the sender or
+ * the recipient. Additionally the admin can always see the messages.
+ *
+ * @param principalObj
+ * @param r
+ * @return
+ */
+ private boolean evaluate(Object principalObj, Resource r) {
+ // cast to the Subject because we know that it comes from Shiro and that
+ // our getPrincipal() method returns a Subject.
+ Subject subject = (Subject) principalObj;
+ if (!subject.isAuthenticated()) {
+ // we could throw an AuthenticationRequiredException but
+ // in our case we just return false.
+ LOG.info("User not authenticated");
+ return false;
+ }
+ // a message is only available to sender or recipient
+ LOG.debug("checking {}", subject.getPrincipal());
+ Object principal = subject.getPrincipal();
+
+ // We put the admin check here but it could have been done much earlier.
+ if ("admin".equals(principal.toString())) {
+ return true;
+ }
+ // if we are looking at a message object then check the restrictions.
+ if (r.hasProperty(RDF.type, msgType)) {
+ return r.hasProperty(pTo, subject.getPrincipal().toString())
+ || r.hasProperty(pFrom, subject.getPrincipal().toString());
+ }
+ // otherwise user can see the object.
+ return true;
+ }
+
+ /**
+ * Check that the user can see a specific node.
+ *
+ * @param principal
+ * @param node
+ * @return
+ */
+ private boolean evaluate(Object principal, Node node) {
+ // Access to wild card is false -- this forces checks to the acutal nodes
+ // to be returned.
+ // we could have checked for admin access here and returned true since the admin
+ // can see any node.
+ if (node.equals(Node.ANY)) {
+ return false;
+ }
+
+ // URI nodes and blank nodes are retrieved from the model and evaluated
+ if (node.isURI() || node.isBlank()) {
+ Resource r = model.getRDFNode(node).asResource();
+ return evaluate(principal, r);
+ }
+ // anything else (literals) can be seen.
+ return true;
+ }
+
+ /**
+ * Evaluate if the user can see the triple.
+ *
+ * @param principal
+ * @param triple
+ * @return
+ */
+ private boolean evaluate(Object principal, Triple triple) {
+ // we could have checked here to see if the principal was the admin and
+ // just returned true since the admin can perform any operation on any triple.
+ return evaluate(principal, triple.getSubject()) && evaluate(principal, triple.getObject())
+ && evaluate(principal, triple.getPredicate());
+ }
+
+ /**
+ * As per our design, users can do anything with triples they have access to, so
+ * we just ignore the action parameter. If we were to implement rules restricted
+ * access based upon action this method would sort those out appropriately.
+ */
+ @Override
+ public boolean evaluate(Object principal, Action action, Node graphIRI, Triple triple) {
+ // we could have checked here to see if the principal was the admin and
+ // just returned true since the admin can perform any operation on any triple.
+ return evaluate(principal, triple);
+ }
+
+ /**
+ * As per our design, users can access any graph. If we were to implement rules
+ * that restricted user access to specific graphs, those checks would be here
+ * and we would return <code>false</code> if they were not allowed to access the
+ * graph. Note that this method is checking to see that the user may perform ALL
+ * the actions in the set on the graph.
+ */
+ @Override
+ public boolean evaluate(Object principal, Set<Action> actions, Node graphIRI) {
+ return true;
+ }
+
+ /**
+ * As per our design, users can access any triple from a message that is from or
+ * to them. Since we don't have restrictions on actions this is no different
+ * then checking access for a single action.
+ */
+ @Override
+ public boolean evaluate(Object principal, Set<Action> actions, Node graphIRI, Triple triple) {
+ return evaluate(principal, triple);
+ }
+
+ /**
+ * As per our design, users can access any graph. If we were to implement rules
+ * that restricted user access to specific graphs, those checks would be here
+ * and we would return <code>false</code> if they were not allowed to access the
+ * graph. Note that this method is checking to see that the user may perform ANY
+ * of the actions in the set on the graph.
+ */
+ @Override
+ public boolean evaluateAny(Object principal, Set<Action> actions, Node graphIRI) {
+ return true;
+ }
+
+ /**
+ * As per our design, users can access any triple from a message that is from or
+ * to them. Since we don't have restrictions on actions this is no different
+ * then checking access for a single action.
+ */
+ @Override
+ public boolean evaluateAny(Object principal, Set<Action> actions, Node graphIRI, Triple triple) {
+ return evaluate(principal, triple);
+ }
+
+ /**
+ * As per our design, users can access any triple from a message that is from or
+ * to them. So for an update they can only change triples they have access to
+ * into other triples they have access to. (e.g. they can not remove themselves
+ * from the message).
+ */
+ @Override
+ public boolean evaluateUpdate(Object principal, Node graphIRI, Triple from, Triple to) {
+ return evaluate(principal, from) && evaluate(principal, to);
+ }
+
+ /**
+ * Return the Shiro subject. This is the subject that Shiro currently has logged
+ * in.
+ */
+ @Override
+ public Object getPrincipal() {
+ return SecurityUtils.getSubject();
+ }
+
+ /**
+ * Verify the Shiro subject is authenticated.
+ */
+ @Override
+ public boolean isPrincipalAuthenticated(Object principal) {
+ if (principal instanceof Subject) {
+ return ((Subject) principal).isAuthenticated();
+ }
+ return false;
+ }
}
diff --git a/jena-permissions/src/example/java/org/apache/jena/permissions/example/readonly/ReadOnlyEval.java b/jena-permissions/src/example/java/org/apache/jena/permissions/example/readonly/ReadOnlyEval.java
index 3bf0e24..32dcf51 100644
--- a/jena-permissions/src/example/java/org/apache/jena/permissions/example/readonly/ReadOnlyEval.java
+++ b/jena-permissions/src/example/java/org/apache/jena/permissions/example/readonly/ReadOnlyEval.java
@@ -28,60 +28,57 @@ import org.apache.jena.shared.AuthenticationRequiredException;
/**
* An example of a security evaluator that creates read-only graphs and models.
*
- * This evaluator does this by only allowing the Action.READ action, all others
- * are denied.
+ * This evaluator does this by only allowing the Action.READ action, all others
+ * are denied.
*
*/
public class ReadOnlyEval implements SecurityEvaluator {
@Override
- public boolean evaluate(Object principal, Action action, Node graphIRI)
- throws AuthenticationRequiredException {
- return Action.Read.equals( action );
+ public boolean evaluate(Object principal, Action action, Node graphIRI) throws AuthenticationRequiredException {
+ return Action.Read.equals(action);
}
@Override
- public boolean evaluate(Object principal, Action action, Node graphIRI,
- Triple triple) throws AuthenticationRequiredException {
- return Action.Read.equals( action );
+ public boolean evaluate(Object principal, Action action, Node graphIRI, Triple triple)
+ throws AuthenticationRequiredException {
+ return Action.Read.equals(action);
}
@Override
- public boolean evaluate(Object principal, Set<Action> actions,
- Node graphIRI) throws AuthenticationRequiredException {
- Set<Action> s = new HashSet<Action>( actions );
- s.remove( Action.Read );
+ public boolean evaluate(Object principal, Set<Action> actions, Node graphIRI)
+ throws AuthenticationRequiredException {
+ Set<Action> s = new HashSet<Action>(actions);
+ s.remove(Action.Read);
return s.isEmpty();
}
@Override
- public boolean evaluate(Object principal, Set<Action> actions,
- Node graphIRI, Triple triple)
+ public boolean evaluate(Object principal, Set<Action> actions, Node graphIRI, Triple triple)
throws AuthenticationRequiredException {
- Set<Action> s = new HashSet<Action>( actions );
- s.remove( Action.Read );
+ Set<Action> s = new HashSet<Action>(actions);
+ s.remove(Action.Read);
return s.isEmpty();
}
@Override
- public boolean evaluateAny(Object principal, Set<Action> actions,
- Node graphIRI) throws AuthenticationRequiredException {
- return actions.contains( Action.Read );
+ public boolean evaluateAny(Object principal, Set<Action> actions, Node graphIRI)
+ throws AuthenticationRequiredException {
+ return actions.contains(Action.Read);
}
@Override
- public boolean evaluateAny(Object principal, Set<Action> actions,
- Node graphIRI, Triple triple)
+ public boolean evaluateAny(Object principal, Set<Action> actions, Node graphIRI, Triple triple)
throws AuthenticationRequiredException {
- return actions.contains( Action.Read );
+ return actions.contains(Action.Read);
}
/**
* No updated are allowed.
*/
@Override
- public boolean evaluateUpdate(Object principal, Node graphIRI,
- Triple from, Triple to) throws AuthenticationRequiredException {
+ public boolean evaluateUpdate(Object principal, Node graphIRI, Triple from, Triple to)
+ throws AuthenticationRequiredException {
return false;
}
@@ -100,5 +97,5 @@ public class ReadOnlyEval implements SecurityEvaluator {
public boolean isPrincipalAuthenticated(Object principal) {
return false;
}
-
+
}
diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/AssemblerConstants.java b/jena-permissions/src/main/java/org/apache/jena/permissions/AssemblerConstants.java
index 4a57986..c3ab238 100644
--- a/jena-permissions/src/main/java/org/apache/jena/permissions/AssemblerConstants.java
+++ b/jena-permissions/src/main/java/org/apache/jena/permissions/AssemblerConstants.java
@@ -18,45 +18,41 @@
package org.apache.jena.permissions;
-import org.apache.jena.rdf.model.Property ;
-import org.apache.jena.rdf.model.ResourceFactory ;
+import org.apache.jena.rdf.model.Property;
+import org.apache.jena.rdf.model.ResourceFactory;
public interface AssemblerConstants {
- public static final String URI = "http://apache.org/jena/permissions/Assembler#";
- /**
- * Property named URI+"evaluatorFactory"
- */
- public static final Property EVALUATOR_FACTORY =
- ResourceFactory.createProperty( URI + "evaluatorFactory" );
- /**
- * Property named URI+"Model"
- */
- public static final Property SECURED_MODEL = ResourceFactory.createProperty( URI + "Model" );
- /**
- * Property named URI+"baseModel"
- */
- public static final Property BASE_MODEL = ResourceFactory.createProperty( URI + "baseModel" );
- /**
- * Property named URI+"Evaluator"
- */
- public static final Property EVALUATOR_ASSEMBLER = ResourceFactory.createProperty( URI+"Evaluator" );
+ public static final String URI = "http://apache.org/jena/permissions/Assembler#";
/**
- * Property named URI+"evaluatorImpl"
- */
- public static final Property EVALUATOR_IMPL =
- ResourceFactory.createProperty( URI + "evaluatorImpl" );
-
- /**
- * Property named URI+"evaluatorClass"
- */
- public static final Property EVALUATOR_CLASS =
- ResourceFactory.createProperty( URI + "evaluatorClass" );
- /**
- * Property named URI+"evaluatorImpl"
- */
- public static final Property ARGUMENT_LIST =
- ResourceFactory.createProperty( URI + "args" );
-
- // message formats
+ * Property named URI+"evaluatorFactory"
+ */
+ public static final Property EVALUATOR_FACTORY = ResourceFactory.createProperty(URI + "evaluatorFactory");
+ /**
+ * Property named URI+"Model"
+ */
+ public static final Property SECURED_MODEL = ResourceFactory.createProperty(URI + "Model");
+ /**
+ * Property named URI+"baseModel"
+ */
+ public static final Property BASE_MODEL = ResourceFactory.createProperty(URI + "baseModel");
+ /**
+ * Property named URI+"Evaluator"
+ */
+ public static final Property EVALUATOR_ASSEMBLER = ResourceFactory.createProperty(URI + "Evaluator");
+ /**
+ * Property named URI+"evaluatorImpl"
+ */
+ public static final Property EVALUATOR_IMPL = ResourceFactory.createProperty(URI + "evaluatorImpl");
+
+ /**
+ * Property named URI+"evaluatorClass"
+ */
+ public static final Property EVALUATOR_CLASS = ResourceFactory.createProperty(URI + "evaluatorClass");
+ /**
+ * Property named URI+"evaluatorImpl"
+ */
+ public static final Property ARGUMENT_LIST = ResourceFactory.createProperty(URI + "args");
+
+ // message formats
public static final String NO_X_PROVIDED = "No %s provided for %s";
}
diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/Factory.java b/jena-permissions/src/main/java/org/apache/jena/permissions/Factory.java
index 61a0448..49178c6 100644
--- a/jena-permissions/src/main/java/org/apache/jena/permissions/Factory.java
+++ b/jena-permissions/src/main/java/org/apache/jena/permissions/Factory.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -17,54 +17,46 @@
*/
package org.apache.jena.permissions;
-import org.apache.jena.graph.Graph ;
+import org.apache.jena.graph.Graph;
import org.apache.jena.permissions.graph.SecuredGraph;
import org.apache.jena.permissions.model.SecuredModel;
-import org.apache.jena.rdf.model.Model ;
-import org.apache.jena.sys.JenaSystem ;
+import org.apache.jena.rdf.model.Model;
+import org.apache.jena.sys.JenaSystem;
/**
- * The factory that can be used to create an instance of a SecuredGraph or a SecuredModel.
+ * The factory that can be used to create an instance of a SecuredGraph or a
+ * SecuredModel.
*/
-public class Factory
-{
- static { JenaSystem.init(); }
- /**
- * Create an instance of the SecuredGraph
- *
- * @param securityEvaluator
- * The security evaluator to use
- * @param graphIRI
- * The IRI for the graph.
- * @param graph
- * The graph that we are wrapping.
- * @return the graph secured under the name graphIRI
- */
- public static SecuredGraph getInstance(
- final SecurityEvaluator securityEvaluator, final String graphIRI,
- final Graph graph )
- {
+public class Factory {
+ static {
+ JenaSystem.init();
+ }
- return org.apache.jena.permissions.graph.impl.Factory.getInstance(
- securityEvaluator, graphIRI, graph);
- }
+ /**
+ * Create an instance of the SecuredGraph
+ *
+ * @param securityEvaluator The security evaluator to use
+ * @param graphIRI The IRI for the graph.
+ * @param graph The graph that we are wrapping.
+ * @return the graph secured under the name graphIRI
+ */
+ public static SecuredGraph getInstance(final SecurityEvaluator securityEvaluator, final String graphIRI,
+ final Graph graph) {
- /**
- * Get an instance of SecuredModel
- *
- * @param securityEvaluator
- * The security evaluator to use
- * @param modelIRI
- * The securedModel IRI (graph IRI) to evaluate against.
- * @param model
- * The model to secure.
- * @return the model secured under the name modelIRI
- */
- public static SecuredModel getInstance(
- final SecurityEvaluator securityEvaluator, final String modelIRI,
- final Model model )
- {
- return org.apache.jena.permissions.model.impl.SecuredModelImpl.getInstance(
- securityEvaluator, modelIRI, model);
- }
+ return org.apache.jena.permissions.graph.impl.Factory.getInstance(securityEvaluator, graphIRI, graph);
+ }
+
+ /**
+ * Get an instance of SecuredModel
+ *
+ * @param securityEvaluator The security evaluator to use
+ * @param modelIRI The securedModel IRI (graph IRI) to evaluate
+ * against.
+ * @param model The model to secure.
+ * @return the model secured under the name modelIRI
+ */
+ public static SecuredModel getInstance(final SecurityEvaluator securityEvaluator, final String modelIRI,
+ final Model model) {
+ return org.apache.jena.permissions.model.impl.SecuredModelImpl.getInstance(securityEvaluator, modelIRI, model);
+ }
}
diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/SecuredAssembler.java b/jena-permissions/src/main/java/org/apache/jena/permissions/SecuredAssembler.java
index 9ffc455..1435211 100644
--- a/jena-permissions/src/main/java/org/apache/jena/permissions/SecuredAssembler.java
+++ b/jena-permissions/src/main/java/org/apache/jena/permissions/SecuredAssembler.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -21,33 +21,32 @@ import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
-import org.apache.jena.assembler.Assembler ;
-import org.apache.jena.assembler.JA ;
-import org.apache.jena.assembler.Mode ;
-import org.apache.jena.assembler.assemblers.AssemblerGroup ;
-import org.apache.jena.assembler.assemblers.ModelAssembler ;
-import org.apache.jena.assembler.exceptions.AssemblerException ;
-import org.apache.jena.rdf.model.Literal ;
-import org.apache.jena.rdf.model.Model ;
-import org.apache.jena.rdf.model.Resource ;
-import org.apache.jena.sparql.util.MappingRegistry ;
+import org.apache.jena.assembler.Assembler;
+import org.apache.jena.assembler.JA;
+import org.apache.jena.assembler.Mode;
+import org.apache.jena.assembler.assemblers.AssemblerGroup;
+import org.apache.jena.assembler.assemblers.ModelAssembler;
+import org.apache.jena.assembler.exceptions.AssemblerException;
+import org.apache.jena.rdf.model.Literal;
+import org.apache.jena.rdf.model.Model;
+import org.apache.jena.rdf.model.Resource;
+import org.apache.jena.sparql.util.MappingRegistry;
/**
* Assembler for a secured model.
- *
+ *
* <p>
- * The assembler file should include the following
- * <code><pre>
+ * The assembler file should include the following <code><pre>
* <> ja:loadClass "org.apache.jena.permission.SecuredAssembler" .
- *
+ *
* sec:Model rdfs:subClassOf ja:NamedModel .
- *
+ *
* sec:evaluator rdfs:domain sec:Model ;
* rdfs:range sec:Evaluator .
* </pre></code>
- *
+ *
* The model definition should include something like.
- *
+ *
* <code><pre>
* my:secModel a sec:Model ;
* sec:baseModel my:baseModel ;
@@ -55,210 +54,197 @@ import org.apache.jena.sparql.util.MappingRegistry ;
* sec:evaluatorFactory "org.apache.jena.permission.MockSecurityEvaluator" ;
* .
* </pre></code>
- *
+ *
* Terms used in above example:
- *
+ *
* <dl>
* <dt>my:secModel</dt>
* <dd>The secured model as referenced in the assembler file.</dd>
- *
+ *
* <dt>sec:Model</dt>
* <dd>Identifes my:secModel as a secured model</dd>
- *
+ *
* <dt>sec:baseModel</dt>
- * <dd>Identifies my:baseModel as the base model we are applying permissions to</dd>
- *
+ * <dd>Identifies my:baseModel as the base model we are applying permissions
+ * to</dd>
+ *
* <dt>my:baseModel</dt>
* <dd>a ja:Model (or subclass) defined elsewhere in the assembler file</dd>
- *
- * <dt>ja:modelName</dt>
- * <dd>The name of the graph as it will be addressed in the permission environment
- * (see ja:NamedModel examples from Jena)</dd>
*
+ * <dt>ja:modelName</dt>
+ * <dd>The name of the graph as it will be addressed in the permission
+ * environment (see ja:NamedModel examples from Jena)</dd>
+ *
* <dt>sec:evaluatorFactory</dt>
- * <dd>Identifies "org.apache.jena.permission.MockSecurityEvaluator" as the java class
- * that implements an Evaluator Factory. The Factory must have
- * static method <code>getInstance()</code> that returns a SecurityEvaluator.</dd>
+ * <dd>Identifies "org.apache.jena.permission.MockSecurityEvaluator" as the java
+ * class that implements an Evaluator Factory. The Factory must have static
+ * method <code>getInstance()</code> that returns a SecurityEvaluator.</dd>
* </dl>
- *
+ *
* or if using an evaluator assembler
- *
+ *
* <code><pre>
* my:secModel a sec:Model ;
* sec:baseModel my:baseModel ;
* ja:modelName "http://example.com/securedModel" ;
* sec:evaluatorImpl ex:myEvaluator;
* .
- *
+ *
* ex:myEvaluator a sec:Evaluator ;
* ex:arg1 "argument 1 for my evaluator constructor" ;
* ex:arg2 "argument 2 for my evaluator constructor" ;
* .
- *
+ *
* </pre></code>
- *
+ *
* Terms used in above example:
- *
+ *
* <dl>
* <dt>my:secModel</dt>
* <dd>The secured model as referenced in the assembler file.</dd>
- *
+ *
* <dt>sec:Model</dt>
* <dd>Identifes my:secModel as a secured model</dd>
- *
+ *
* <dt>sec:baseModel</dt>
- * <dd>Identifies my:baseModel as the base model we are applying permissions to</dd>
- *
+ * <dd>Identifies my:baseModel as the base model we are applying permissions
+ * to</dd>
+ *
* <dt>my:baseModel</dt>
* <dd>a ja:Model (or subclass) defined elsewhere in the assembler file</dd>
- *
- * <dt>ja:modelName</dt>
- * <dd>The name of the graph as it will be addressed in the permission environment
- * (see ja:NamedModel examples from Jena)</dd>
*
+ * <dt>ja:modelName</dt>
+ * <dd>The name of the graph as it will be addressed in the permission
+ * environment (see ja:NamedModel examples from Jena)</dd>
+ *
* <dt>sec:evaluatorImpl</dt>
- * <dd>Identifies ex:myEvaluator as a SecurityEvaluator defined elsewhere in the assembler file.
- * It must subclass as a sec:Evaluator.</dd>
- * </dd>
- *
+ * <dd>Identifies ex:myEvaluator as a SecurityEvaluator defined elsewhere in the
+ * assembler file. It must subclass as a sec:Evaluator.</dd></dd>
+ *
* <dt>ex:arg1 and ex:arg2</dt>
- * <dd>Arguments as defined by the user defined security evaluator assembler.</dd>
+ * <dd>Arguments as defined by the user defined security evaluator
+ * assembler.</dd>
* </dl>
-
+ *
* </p>
- *
+ *
*/
public class SecuredAssembler extends ModelAssembler implements AssemblerConstants {
- private static boolean initialized;
-
+ private static boolean initialized;
+
// message formats
private static final String ERROR_FINDING_FACTORY = "Error finding factory class %s: %s";
-
- static { init() ; }
-
- /**
- * Initialize the assembler.
- * Registers the prefix "sec" with the uri http://apache.org/jena/permission/Assembler#
- * and registers this assembler with the uri http://apache.org/jena/permission/Assembler#Model
- */
- static synchronized public void init()
- {
- if ( initialized )
- return ;
- MappingRegistry.addPrefixMapping("sec", URI) ;
- registerWith(Assembler.general) ;
- initialized = true ;
+
+ static {
+ init();
}
-
+
+ /**
+ * Initialize the assembler. Registers the prefix "sec" with the uri
+ * http://apache.org/jena/permission/Assembler# and registers this assembler
+ * with the uri http://apache.org/jena/permission/Assembler#Model
+ */
+ static synchronized public void init() {
+ if (initialized)
+ return;
+ MappingRegistry.addPrefixMapping("sec", URI);
+ registerWith(Assembler.general);
+ initialized = true;
+ }
+
/**
* Register this assembler in the assembler group.
+ *
* @param group The assembler group to register with.
*/
- static void registerWith(AssemblerGroup group)
- {
- if ( group == null )
- group = Assembler.general ;
- group.implementWith( SECURED_MODEL, new SecuredAssembler()) ;
- group.implementWith( EVALUATOR_ASSEMBLER, new SecurityEvaluatorAssembler());
+ static void registerWith(AssemblerGroup group) {
+ if (group == null)
+ group = Assembler.general;
+ group.implementWith(SECURED_MODEL, new SecuredAssembler());
+ group.implementWith(EVALUATOR_ASSEMBLER, new SecurityEvaluatorAssembler());
+ }
+
+ @Override
+ public Model open(Assembler a, Resource root, Mode mode) {
+
+ Resource rootModel = getUniqueResource(root, BASE_MODEL);
+ if (rootModel == null) {
+ throw new AssemblerException(root, String.format(NO_X_PROVIDED, BASE_MODEL, root));
+ }
+ Model baseModel = a.openModel(rootModel, Mode.ANY);
+
+ Literal modelName = getUniqueLiteral(root, JA.modelName);
+ if (modelName == null) {
+ throw new AssemblerException(root, String.format(NO_X_PROVIDED, JA.modelName, root));
+ }
+
+ Literal factoryName = getUniqueLiteral(root, EVALUATOR_FACTORY);
+ Resource evaluatorImpl = getUniqueResource(root, EVALUATOR_IMPL);
+ if (factoryName == null && evaluatorImpl == null) {
+ throw new AssemblerException(root, String.format("Either a %s or a %s must be provided for %s",
+ EVALUATOR_FACTORY, EVALUATOR_IMPL, root));
+ }
+ if (factoryName != null && evaluatorImpl != null) {
+ throw new AssemblerException(root, String.format("May not specify both a %s and a %s for %s",
+ EVALUATOR_FACTORY, EVALUATOR_IMPL, root));
+ }
+ SecurityEvaluator securityEvaluator = null;
+ if (factoryName != null) {
+ securityEvaluator = executeEvaluatorFactory(root, factoryName);
+ }
+ if (evaluatorImpl != null) {
+ securityEvaluator = getEvaluatorImpl(a, evaluatorImpl);
+ }
+ return Factory.getInstance(securityEvaluator, modelName.asLiteral().getString(), baseModel);
+
}
-
- @Override
- public Model open(Assembler a, Resource root, Mode mode) {
- Resource rootModel = getUniqueResource( root, BASE_MODEL );
- if (rootModel == null)
- {
- throw new AssemblerException( root, String.format( NO_X_PROVIDED, BASE_MODEL, root ));
- }
- Model baseModel = a.openModel(rootModel, Mode.ANY);
-
- Literal modelName = getUniqueLiteral( root, JA.modelName );
- if (modelName == null)
- {
- throw new AssemblerException( root, String.format( NO_X_PROVIDED, JA.modelName, root ));
- }
-
- Literal factoryName = getUniqueLiteral( root, EVALUATOR_FACTORY );
- Resource evaluatorImpl = getUniqueResource( root, EVALUATOR_IMPL );
- if (factoryName == null && evaluatorImpl == null)
- {
- throw new AssemblerException( root,
- String.format( "Either a %s or a %s must be provided for %s" ,
- EVALUATOR_FACTORY, EVALUATOR_IMPL, root ));
- }
- if (factoryName != null && evaluatorImpl != null)
- {
- throw new AssemblerException( root,
- String.format( "May not specify both a %s and a %s for %s" ,
- EVALUATOR_FACTORY, EVALUATOR_IMPL, root ));
- }
- SecurityEvaluator securityEvaluator = null;
- if (factoryName != null)
- {
- securityEvaluator = executeEvaluatorFactory( root, factoryName );
- }
- if (evaluatorImpl != null)
- {
- securityEvaluator = getEvaluatorImpl( a, evaluatorImpl );
- }
- return Factory.getInstance(securityEvaluator, modelName.asLiteral().getString(), baseModel);
-
- }
+ @Override
+ protected Model openEmptyModel(Assembler a, Resource root, Mode mode) {
+ return open(a, root, mode);
+ }
- @Override
- protected Model openEmptyModel(Assembler a, Resource root, Mode mode) {
- return open(a, root, mode);
- }
+ private SecurityEvaluator executeEvaluatorFactory(Resource root, Literal factoryName) {
+ try {
+ Class<?> factoryClass = Class.forName(factoryName.getString());
+ Method method = factoryClass.getMethod("getInstance");
+ if (!SecurityEvaluator.class.isAssignableFrom(method.getReturnType())) {
+ throw new AssemblerException(root,
+ String.format(
+ "%s (found at %s for %s) getInstance() must return an instance of SecurityEvaluator",
+ factoryName, EVALUATOR_FACTORY, root));
+ }
+ if (!Modifier.isStatic(method.getModifiers())) {
+ throw new AssemblerException(root,
+ String.format("%s (found at %s for %s) getInstance() must be a static method", factoryName,
+ EVALUATOR_FACTORY, root));
+ }
+ return (SecurityEvaluator) method.invoke(null);
+ } catch (SecurityException e) {
+ throw new AssemblerException(root, String.format(ERROR_FINDING_FACTORY, factoryName, e.getMessage()), e);
+ } catch (IllegalArgumentException e) {
+ throw new AssemblerException(root, String.format(ERROR_FINDING_FACTORY, factoryName, e.getMessage()), e);
+ } catch (ClassNotFoundException e) {
+ throw new AssemblerException(root, String.format("Class %s (found at %s for %s) could not be loaded",
+ factoryName, EVALUATOR_FACTORY, root));
+ } catch (NoSuchMethodException e) {
+ throw new AssemblerException(root, String.format(
+ "%s (found at %s for %s) must implement a static getInstance() that returns an instance of SecurityEvaluator",
+ factoryName, EVALUATOR_FACTORY, root));
+ } catch (IllegalAccessException e) {
+ throw new AssemblerException(root, String.format(ERROR_FINDING_FACTORY, factoryName, e.getMessage()), e);
+ } catch (InvocationTargetException e) {
+ throw new AssemblerException(root, String.format(ERROR_FINDING_FACTORY, factoryName, e.getMessage()), e);
+ }
+ }
- private SecurityEvaluator executeEvaluatorFactory(Resource root, Literal factoryName ) {
- try
- {
- Class<?> factoryClass = Class.forName( factoryName.getString() );
- Method method = factoryClass.getMethod("getInstance" );
- if ( ! SecurityEvaluator.class.isAssignableFrom(method.getReturnType()))
- {
- throw new AssemblerException( root, String.format( "%s (found at %s for %s) getInstance() must return an instance of SecurityEvaluator", factoryName, EVALUATOR_FACTORY, root ));
- }
- if ( ! Modifier.isStatic( method.getModifiers()))
- {
- throw new AssemblerException( root, String.format( "%s (found at %s for %s) getInstance() must be a static method", factoryName, EVALUATOR_FACTORY, root ));
- }
- return (SecurityEvaluator) method.invoke( null );
- }
- catch (SecurityException e)
- {
- throw new AssemblerException( root, String.format( ERROR_FINDING_FACTORY, factoryName, e.getMessage() ), e);
- }
- catch (IllegalArgumentException e)
- {
- throw new AssemblerException( root, String.format( ERROR_FINDING_FACTORY, factoryName, e.getMessage() ), e);
- }
- catch (ClassNotFoundException e)
- {
- throw new AssemblerException( root, String.format( "Class %s (found at %s for %s) could not be loaded", factoryName, EVALUATOR_FACTORY, root ));
- }
- catch (NoSuchMethodException e)
- {
- throw new AssemblerException( root, String.format( "%s (found at %s for %s) must implement a static getInstance() that returns an instance of SecurityEvaluator", factoryName, EVALUATOR_FACTORY, root ));
- }
- catch (IllegalAccessException e)
- {
- throw new AssemblerException( root, String.format( ERROR_FINDING_FACTORY, factoryName, e.getMessage() ), e);
- }
- catch (InvocationTargetException e)
- {
- throw new AssemblerException( root, String.format( ERROR_FINDING_FACTORY, factoryName, e.getMessage() ), e);
- }
- }
-
- private SecurityEvaluator getEvaluatorImpl(Assembler a, Resource evaluatorImpl ) {
- Object obj = a.open(a, evaluatorImpl, Mode.ANY);
- if (obj instanceof SecurityEvaluator)
- {
- return (SecurityEvaluator) obj;
- }
- throw new AssemblerException( evaluatorImpl, String.format(
- "%s does not specify a SecurityEvaluator instance", evaluatorImpl));
- }
+ private SecurityEvaluator getEvaluatorImpl(Assembler a, Resource evaluatorImpl) {
+ Object obj = a.open(a, evaluatorImpl, Mode.ANY);
+ if (obj instanceof SecurityEvaluator) {
+ return (SecurityEvaluator) obj;
+ }
+ throw new AssemblerException(evaluatorImpl,
+ String.format("%s does not specify a SecurityEvaluator instance", evaluatorImpl));
+ }
}
diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/SecuredItem.java b/jena-permissions/src/main/java/org/apache/jena/permissions/SecuredItem.java
index b75a9d6..7348293 100644
--- a/jena-permissions/src/main/java/org/apache/jena/permissions/SecuredItem.java
+++ b/jena-permissions/src/main/java/org/apache/jena/permissions/SecuredItem.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -29,225 +29,199 @@ import org.apache.jena.shared.AuthenticationRequiredException;
*/
public interface SecuredItem {
- /**
- * Utilities for SecuredItem implementations.
- */
- public static class Util {
- /**
- * Secured items are equivalent if their security evaluators and
- * modelIRIs are equal.
- *
- * @param si1
- * A secured item to check
- * @param si2
- * A second secured item to check
- * @return true if si1 is equivalent to si2.
- */
- public static boolean isEquivalent(final SecuredItem si1,
- final SecuredItem si2) {
- return si1.getSecurityEvaluator()
- .equals(si2.getSecurityEvaluator())
- && si1.getModelIRI().equals(si2.getModelIRI());
- }
-
- public static String modelPermissionMsg(final Node modelURI) {
- return String.format("Model permissions violation: %s", modelURI);
- }
-
- public static String triplePermissionMsg(final Node modelURI) {
- return String.format("Triple permissions violation: %s", modelURI);
- }
- }
-
- /**
- * @return true if the securedModel allows items to be created.
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- public boolean canCreate() throws AuthenticationRequiredException;
-
- /**
- * Return true if the triple can be created. If any s,p or o is SecNode.ANY
- * then this method must return false if there are any restrictions where
- * the remaining nodes and held constant and the ANY node is allowed to
- * vary.
- *
- * See canRead(Triple t)
- *
- * @param t
- * The triple to check
- * @return true if the triple can be created.
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- public boolean canCreate(Triple t) throws AuthenticationRequiredException;
-
- /**
- * Return true if the fronted triple can be created.
- *
- * See canRead(Triple t)
- *
- * @param t
- * The fronted triple to check
- * @return true if the triple can be created.
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- public boolean canCreate(FrontsTriple t)
- throws AuthenticationRequiredException;
-
- /**
- * @return true if the securedModel allows items to be deleted.
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- public boolean canDelete() throws AuthenticationRequiredException;
-
- /**
- * Return true if the triple can be deleted. If any s,p or o is SecNode.ANY
- * then this method must return false if there are any restrictions where
- * the remaining nodes and held constant and the ANY node is allowed to
- * vary.
- *
- * See canRead(Triple t)
- *
- * @param t
- * The triple to check
- * @return true if the triple can be deleted.
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- public boolean canDelete(Triple t) throws AuthenticationRequiredException;
-
- /**
- * Return true if the fronted triple can be deleted.
- *
- * See canRead(Triple t)
- *
- * @param t
- * The fronted triple to check
- * @return true if the triple can be deleted.
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- public boolean canDelete(FrontsTriple t)
- throws AuthenticationRequiredException;
-
- /**
- * @return true if the securedModel allows items to be read.
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- public boolean canRead() throws AuthenticationRequiredException;
-
- /**
- * Return true if the triple can be read. If any s,p or o is SecNode.ANY
- * then this method must return false if there are any restrictions where
- * the remaining nodes and held constant and the ANY node is allowed to
- * vary.
- *
- * (S, P, O) check if S,P,O can be read. (S, P, ANY) check if there are any
- * S,P,x restrictions. (S, ANY, P) check if there are any S,x,P
- * restrictions. (ANY, ANY, ANY) check if there are any restrictions on
- * reading.
- *
- * @param t
- * The triple to check
- * @return true if the triple can be read.
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- public boolean canRead(Triple t) throws AuthenticationRequiredException;
-
- /**
- * Return true if the fronted triple can be read.
- *
- * @param t
- * The frontedtriple to check
- * @return true if the triple can be read.
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- public boolean canRead(FrontsTriple t)
- throws AuthenticationRequiredException;
-
- /**
- * @return true if the securedModel allows items to be updated.
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- public boolean canUpdate() throws AuthenticationRequiredException;
-
- /**
- * Return true if the triple can be updated. If any s,p or o is SecNode.ANY
- * then this method must return false if there are any restrictions where
- * the remaining nodes and held constant and the ANY node is allowed to
- * vary.
- *
- * See canRead(Triple t)
- *
- * @param from
- * The triple that will be changed
- * @param to
- * The resulting triple.
- * @return true if the from triple can be updated as the to triple.
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- public boolean canUpdate(Triple from, Triple to)
- throws AuthenticationRequiredException;
-
- /**
- * Return true if the fronted triple can be updated.
- *
- *
- * See canUpdate(Triple from, Triple to)
- *
- * @param from
- * The fronted triple that will be changed
- * @param to
- * The resulting fronted triple.
- * @return true if the from triple can be updated as the to triple.
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- public boolean canUpdate(FrontsTriple from, FrontsTriple to)
- throws AuthenticationRequiredException;
-
- @Override
- public boolean equals(Object o);
-
- /**
- * @return the base item that is being secured.
- */
- public Object getBaseItem();
-
- /**
- * @return The IRI of the securedModel that the item belongs to.
- */
- public String getModelIRI();
-
- /**
- * @return The node representation of the securedModel IRI.
- */
- public Node getModelNode();
-
- /**
- * The SecurityEvaluator implementation that is being used to determine
- * access.
- *
- * @return The SecurityEvaluator implementation.
- */
- public SecurityEvaluator getSecurityEvaluator();
-
- /**
- * Return true if this secured item is equivalent to another secured item.
- * Generally implemented by calling SecuredItem.Util.isEquivalent
- *
- * @param securedItem
- * the other secured item.
- * @return True if they are equivalent, false otherwise.
- */
- public boolean isEquivalent(SecuredItem securedItem);
+ /**
+ * Utilities for SecuredItem implementations.
+ */
+ public static class Util {
+ /**
+ * Secured items are equivalent if their security evaluators and modelIRIs are
+ * equal.
+ *
+ * @param si1 A secured item to check
+ * @param si2 A second secured item to check
+ * @return true if si1 is equivalent to si2.
+ */
+ public static boolean isEquivalent(final SecuredItem si1, final SecuredItem si2) {
+ return si1.getSecurityEvaluator().equals(si2.getSecurityEvaluator())
+ && si1.getModelIRI().equals(si2.getModelIRI());
+ }
+
+ public static String modelPermissionMsg(final Node modelURI) {
+ return String.format("Model permissions violation: %s", modelURI);
+ }
+
+ public static String triplePermissionMsg(final Node modelURI) {
+ return String.format("Triple permissions violation: %s", modelURI);
+ }
+ }
+
+ /**
+ * @return true if the securedModel allows items to be created.
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ public boolean canCreate() throws AuthenticationRequiredException;
+
+ /**
+ * Return true if the triple can be created. If any s,p or o is SecNode.ANY then
+ * this method must return false if there are any restrictions where the
+ * remaining nodes and held constant and the ANY node is allowed to vary.
+ *
+ * See canRead(Triple t)
+ *
+ * @param t The triple to check
+ * @return true if the triple can be created.
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ public boolean canCreate(Triple t) throws AuthenticationRequiredException;
+
+ /**
+ * Return true if the fronted triple can be created.
+ *
+ * See canRead(Triple t)
+ *
+ * @param t The fronted triple to check
+ * @return true if the triple can be created.
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ public boolean canCreate(FrontsTriple t) throws AuthenticationRequiredException;
+
+ /**
+ * @return true if the securedModel allows items to be deleted.
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ public boolean canDelete() throws AuthenticationRequiredException;
+
+ /**
+ * Return true if the triple can be deleted. If any s,p or o is SecNode.ANY then
+ * this method must return false if there are any restrictions where the
+ * remaining nodes and held constant and the ANY node is allowed to vary.
+ *
+ * See canRead(Triple t)
+ *
+ * @param t The triple to check
+ * @return true if the triple can be deleted.
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ public boolean canDelete(Triple t) throws AuthenticationRequiredException;
+
+ /**
+ * Return true if the fronted triple can be deleted.
+ *
+ * See canRead(Triple t)
+ *
+ * @param t The fronted triple to check
+ * @return true if the triple can be deleted.
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ public boolean canDelete(FrontsTriple t) throws AuthenticationRequiredException;
+
+ /**
+ * @return true if the securedModel allows items to be read.
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ public boolean canRead() throws AuthenticationRequiredException;
+
+ /**
+ * Return true if the triple can be read. If any s,p or o is SecNode.ANY then
+ * this method must return false if there are any restrictions where the
+ * remaining nodes and held constant and the ANY node is allowed to vary.
+ *
+ * (S, P, O) check if S,P,O can be read. (S, P, ANY) check if there are any
+ * S,P,x restrictions. (S, ANY, P) check if there are any S,x,P restrictions.
+ * (ANY, ANY, ANY) check if there are any restrictions on reading.
+ *
+ * @param t The triple to check
+ * @return true if the triple can be read.
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ public boolean canRead(Triple t) throws AuthenticationRequiredException;
+
+ /**
+ * Return true if the fronted triple can be read.
+ *
+ * @param t The frontedtriple to check
+ * @return true if the triple can be read.
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ public boolean canRead(FrontsTriple t) throws AuthenticationRequiredException;
+
+ /**
+ * @return true if the securedModel allows items to be updated.
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ public boolean canUpdate() throws AuthenticationRequiredException;
+
+ /**
+ * Return true if the triple can be updated. If any s,p or o is SecNode.ANY then
+ * this method must return false if there are any restrictions where the
+ * remaining nodes and held constant and the ANY node is allowed to vary.
+ *
+ * See canRead(Triple t)
+ *
+ * @param from The triple that will be changed
+ * @param to The resulting triple.
+ * @return true if the from triple can be updated as the to triple.
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ public boolean canUpdate(Triple from, Triple to) throws AuthenticationRequiredException;
+
+ /**
+ * Return true if the fronted triple can be updated.
+ *
+ *
+ * See canUpdate(Triple from, Triple to)
+ *
+ * @param from The fronted triple that will be changed
+ * @param to The resulting fronted triple.
+ * @return true if the from triple can be updated as the to triple.
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ public boolean canUpdate(FrontsTriple from, FrontsTriple to) throws AuthenticationRequiredException;
+
+ @Override
+ public boolean equals(Object o);
+
+ /**
+ * @return the base item that is being secured.
+ */
+ public Object getBaseItem();
+
+ /**
+ * @return The IRI of the securedModel that the item belongs to.
+ */
+ public String getModelIRI();
+
+ /**
+ * @return The node representation of the securedModel IRI.
+ */
+ public Node getModelNode();
+
+ /**
+ * The SecurityEvaluator implementation that is being used to determine access.
+ *
+ * @return The SecurityEvaluator implementation.
+ */
+ public SecurityEvaluator getSecurityEvaluator();
+
+ /**
+ * Return true if this secured item is equivalent to another secured item.
+ * Generally implemented by calling SecuredItem.Util.isEquivalent
+ *
+ * @param securedItem the other secured item.
+ * @return True if they are equivalent, false otherwise.
+ */
+ public boolean isEquivalent(SecuredItem securedItem);
}
diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/SecurityEvaluator.java b/jena-permissions/src/main/java/org/apache/jena/permissions/SecurityEvaluator.java
index b617560..38a72ac 100644
--- a/jena-permissions/src/main/java/org/apache/jena/permissions/SecurityEvaluator.java
+++ b/jena-permissions/src/main/java/org/apache/jena/permissions/SecurityEvaluator.java
@@ -17,404 +17,369 @@
*/
package org.apache.jena.permissions;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.LinkedHashSet;
+import java.util.Set;
+
import org.apache.jena.graph.Node;
import org.apache.jena.graph.NodeFactory;
import org.apache.jena.graph.Triple;
import org.apache.jena.shared.AuthenticationRequiredException;
-import java.util.*;
-
/**
* SecurityEvaluator.
* <p>
- * The security evaluator is the link between the graph security system and an external
- * security system. This interface specifies the methods that are required by the graph
- * security system. It is assumed that the implementation will handle tracking the current
- * user and will query some underlying data source to determine what actions the user can
- * and can not take.
+ * The security evaluator is the link between the graph security system and an
+ * external security system. This interface specifies the methods that are
+ * required by the graph security system. It is assumed that the implementation
+ * will handle tracking the current user and will query some underlying data
+ * source to determine what actions the user can and can not take.
* </p>
* <p>
- * All questions of white listing or black listing will be handled in the concrete
- * implementation.
+ * All questions of white listing or black listing will be handled in the
+ * concrete implementation.
* </p>
* <p>
- * Implementations of this class should probably cache any evaluate calculations as the
- * evaluate methods are called frequently. However, the underlying classes do cache
- * results within a single method check.
+ * Implementations of this class should probably cache any evaluate calculations
+ * as the evaluate methods are called frequently. However, the underlying
+ * classes do cache results within a single method check.
* </p>
* <p>
* <dl>
* <dt>Secured operations</dt>
- * <dd>The security system recognizes and secures each of the CRUD (Create, Read, Update
- * and Delete) operations as represented by the Action enumeration.</dd>
+ * <dd>The security system recognizes and secures each of the CRUD (Create,
+ * Read, Update and Delete) operations as represented by the Action
+ * enumeration.</dd>
* <dt>Levels of security</dt>
- * <dd>The security interfaces operates at two (2) levels: graph (or Model) and triple.
+ * <dd>The security interfaces operates at two (2) levels: graph (or Model) and
+ * triple.
* <p>
- * At the the graph level the security evaluator may restrict CRUD access to the graph or
- * model as a whole. When evaluating the restriction, if the user it not permitted to
- * perform the operation on the graph or model access is denied. If the user is permitted
- * any triple restrictions are evaluated.
+ * At the the graph level the security evaluator may restrict CRUD access to the
+ * graph or model as a whole. When evaluating the restriction, if the user it
+ * not permitted to perform the operation on the graph or model access is
+ * denied. If the user is permitted any triple restrictions are evaluated.
* </p>
* <p>
- * At the triple level the security evaluator may restrict CRUD access to specific
- * triples. In order to skip potentially expensive triple security checks the system will
- * generally ask if the user is permitted the CRUD action on any triple. This is
- * represented by the SecTriple <code>(ANY, ANY, ANY)</code>.
+ * At the triple level the security evaluator may restrict CRUD access to
+ * specific triples. In order to skip potentially expensive triple security
+ * checks the system will generally ask if the user is permitted the CRUD action
+ * on any triple. This is represented by the SecTriple
+ * <code>(ANY, ANY, ANY)</code>.
* </p>
* <ul>
- * <li>If the system does not support triple level security the system should always
- * return <code>true</code>.</li> If the system does support triple level security and is
- * unable to verify that the user can execute the CRUD action against any arbitrary triple
- * the system should return <code>false</code>.</li>
+ * <li>If the system does not support triple level security the system should
+ * always return <code>true</code>.</li> If the system does support triple level
+ * security and is unable to verify that the user can execute the CRUD action
+ * against any arbitrary triple the system should return
+ * <code>false</code>.</li>
* <li>See <code>Node.ANY</code>, <code>SecurityEvaluator.FUTURE</code>, and
- * <code>SecurityEvaluator.VARIABLE</code> for discussion of specifics of their respective
- * usages.</li>
+ * <code>SecurityEvaluator.VARIABLE</code> for discussion of specifics of their
+ * respective usages.</li>
* </ul>
* </dd>
* </dl>
*/
public interface SecurityEvaluator {
- /**
- * Identifies a sepcific CRUD actions.
- */
- static enum Action {
- /**
- * Allow creation of the object in question.
- */
- Create,
- /**
- * Allow the user to read the object in question.
- */
- Read,
- /**
- * Allow the user to update the object in question
- */
- Update,
- /**
- * Allow the user to delete the object in question.
- */
- Delete
+ /**
+ * Identifies a sepcific CRUD actions.
+ */
+ static enum Action {
+ /**
+ * Allow creation of the object in question.
+ */
+ Create,
+ /**
+ * Allow the user to read the object in question.
+ */
+ Read,
+ /**
+ * Allow the user to update the object in question
+ */
+ Update,
+ /**
+ * Allow the user to delete the object in question.
+ */
+ Delete
+
+ }
- }
+ /**
+ * A collection of utility functions for the SecurityEvaluator implementations.
+ */
+ public static class Util {
+ /**
+ * Return an array of actions as a set.
+ * <p>
+ * The order of the collection is preserved
+ * </p>
+ *
+ * @param actions The actions.
+ * @return The set of actions.
+ */
+ public static Set<Action> asSet(final Action[] actions) {
+ return Util.asSet(Arrays.asList(actions));
+ }
- /**
- * A collection of utility functions for the SecurityEvaluator
- * implementations.
- */
- public static class Util {
- /**
- * Return an array of actions as a set.
- * <p>
- * The order of the collection is preserved
- * </p>
- *
- * @param actions
- * The actions.
- * @return The set of actions.
- */
- public static Set<Action> asSet(final Action[] actions) {
- return Util.asSet(Arrays.asList(actions));
- }
+ /**
+ * Return a collection of actions as a set.
+ * <p>
+ * The order of the collection is preserved
+ * </p>
+ *
+ * @param actions The collection of actions.
+ * @return The set of actions.
+ */
+ public static Set<Action> asSet(final Collection<Action> actions) {
+ if (actions instanceof Set) {
+ return (Set<Action>) actions;
+ }
+ return new LinkedHashSet<>(actions);
+ }
+ }
- /**
- * Return a collection of actions as a set.
- * <p>
- * The order of the collection is preserved
- * </p>
- *
- * @param actions
- * The collection of actions.
- * @return The set of actions.
- */
- public static Set<Action> asSet(final Collection<Action> actions) {
- if (actions instanceof Set) {
- return (Set<Action>) actions;
- } else {
- return new LinkedHashSet<>(actions);
- }
- }
- }
+ /**
+ * Indicates a variable in the triple.
+ * <p>
+ * </p>
+ * This differs from <code>ANY</code> in that the system is asking if there are
+ * any prohibitions not if the user may perform. Thus queries with the VARIABLE
+ * type node should return <code>true</code> where <code>ANY</code> returns
+ * <code>false</code>. In general this type is used in the query to determine if
+ * triple level filtering of results must be performed.
+ * <p>
+ * </p>
+ * <p>
+ * <dl>
+ * <dt><code>(VARIABLE, X, Y )</code></dt>
+ * <dd>Asks if there are any prohibitions against the user seeing all subjects
+ * that have property X and object Y.</dd>
+ * <dt><code>(X, VARIABLE, Y )</code></dt>
+ * <dd>Asks if there are any prohibitions against the user seeing all predicates
+ * that have subject X and object Y.</dd>
+ * <dt><code>(X, Y, VARIABLE)</code></dt>
+ * <dd>Asks if there are any prohibitions against the user seeing all objects
+ * that have subject X and predicate Y.</dd>
+ * </dl>
+ * The <code>VARIABLE</code> may occur multiple times and may occur with the
+ * <code>ANY</code> node.
+ * </p>
+ *
+ */
+ public static final Node VARIABLE = NodeFactory.createBlankNode("urn:jena-permissions:VARIABLE");
- /**
- * Indicates a variable in the triple.
- * <p>
- * </p>
- * This differs from <code>ANY</code> in that the system is asking if there
- * are any prohibitions not if the user may perform. Thus queries with the
- * VARIABLE type node should return <code>true</code> where <code>ANY</code>
- * returns <code>false</code>. In general this type is used in the query to
- * determine if triple level filtering of results must be performed.
- * <p>
- * </p>
- * <p>
- * <dl>
- * <dt><code>(VARIABLE, X, Y )</code></dt>
- * <dd>
- * Asks if there are any prohibitions against the user seeing all subjects
- * that have property X and object Y.</dd>
- * <dt>
- * <code>(X, VARIABLE, Y )</code></dt>
- * <dd>
- * Asks if there are any prohibitions against the user seeing all predicates
- * that have subject X and object Y.</dd>
- * <dt>
- * <code>(X, Y, VARIABLE)</code></dt>
- * <dd>
- * Asks if there are any prohibitions against the user seeing all objects
- * that have subject X and predicate Y.</dd>
- * </dl>
- * The <code>VARIABLE</code> may occur multiple times and may occur with the
- * <code>ANY</code> node.
- * </p>
- *
- */
- public static final Node VARIABLE = NodeFactory
- .createBlankNode("urn:jena-permissions:VARIABLE");
+ /**
+ * This is a blank (anonymous) node that will be created in the future.
+ * <p>
+ * FUTURE is used to check that a blank node may be created in as specific
+ * position in a triple.
+ * </p>
+ * <p>
+ * <dl>
+ * <dt><code>(FUTURE, X, Y )</code></dt>
+ * <dd>Asks if there the user may create a blank node that has property X and
+ * object Y.</dd>
+ * <dt><code>(X, Y, FUTURE)</code></dt>
+ * <dd>Asks if there the user may create a blank node that has subject X and
+ * property Y.</dd>
+ * </dl>
+ * The <code>FUTURE</code> may occur multiple times and may occur with the
+ * <code>ANY</code> node.
+ * </p>
+ */
+ public static final Node FUTURE = NodeFactory.createBlankNode("urn:jena-permissions:FUTURE");
- /**
- * This is a blank (anonymous) node that will be created in the future.
- * <p>
- * FUTURE is used to check that a blank node may be created in as specific
- * position in a triple.
- * </p>
- * <p>
- * <dl>
- * <dt><code>(FUTURE, X, Y )</code></dt>
- * <dd>
- * Asks if there the user may create a blank node that has property X and
- * object Y.</dd>
- * <dt>
- * <code>(X, Y, FUTURE)</code></dt>
- * <dd>
- * Asks if there the user may create a blank node that has subject X and
- * property Y.</dd>
- * </dl>
- * The <code>FUTURE</code> may occur multiple times and may occur with the
- * <code>ANY</code> node.
- * </p>
- */
- public static final Node FUTURE = NodeFactory
- .createBlankNode("urn:jena-permissions:FUTURE");
+ /**
+ * Determine if the action is allowed on the graph.
+ *
+ * @param principal The principal that is attempting the action.
+ *
+ * @param action The action to perform
+ * @param graphIRI The IRI of the graph to check
+ * @return true if the action is allowed, false otherwise.
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ public boolean evaluate(Object principal, Action action, Node graphIRI) throws AuthenticationRequiredException;
- /**
- * Determine if the action is allowed on the graph.
- *
- * @param principal
- * The principal that is attempting the action.
- *
- * @param action
- * The action to perform
- * @param graphIRI
- * The IRI of the graph to check
- * @return true if the action is allowed, false otherwise.
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- public boolean evaluate(Object principal, Action action, Node graphIRI)
- throws AuthenticationRequiredException;
+ /**
+ * Determine if the action is allowed on the triple within the graph.
+ * <p>
+ * The evaluation should be performed in the following order:
+ * <ol>
+ * <li>If the triple contains a <code>VARIABLE</code> then this method must
+ * return <code>true</code> if there are any restrictions where the remaining
+ * nodes are either constants or <code>ANY</code> nodes. This will force the
+ * system to use subsequent checks to verify access by substituting the value of
+ * the <code>VARIABLE</code>s. <em>If the system can not quickly verify the
+ * solution it is always acceptable to return <code>true</code>.</em>
+ * <li>Except as specified in the above check, if the triple contains an
+ * <code>ANY</code> then this method must return <code>false</code> if there are
+ * any restrictions where the remaining nodes are held constant and the ANY node
+ * is allowed to vary. This checks is used to avoid subsequent explicit triple
+ * checks. <em>If the system can not quickly verify the solution it is always
+ * acceptable to return <code>false</code>.</em></li>
+ * <li>All other triples are explicit triples and the system must determine if
+ * the user is permitted to perform the action on the triple. If the triple
+ * contains a <code>FUTURE</code> node that node should be considered as an
+ * anonymous or blank node that is not yet created. It should only be used with
+ * <code>Create</code> actions and is asking if the user may create a blank node
+ * in that position in the triple.</li>
+ * </ol>
+ * </p>
+ *
+ * @param principal The principal that is attempting the action.
+ *
+ * @param action The action to perform
+ * @param graphIRI The IRI of the graph to the action is being taken upon. May
+ * be <code>ANY</code>.
+ * @param triple The triple to check
+ * @return true if the action is allowed, false otherwise.
+ * @throws IllegalArgumentException if any argument is null.
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ public boolean evaluate(Object principal, Action action, Node graphIRI, Triple triple)
+ throws AuthenticationRequiredException;
- /**
- * Determine if the action is allowed on the triple within the graph.
- * <p>
- * The evaluation should be performed in the following order:
- * <ol>
- * <li>
- * If the triple contains a <code>VARIABLE</code> then this method must
- * return <code>true</code> if there are any restrictions where the
- * remaining nodes are either constants or <code>ANY</code> nodes. This will
- * force the system to use subsequent checks to verify access by
- * substituting the value of the <code>VARIABLE</code>s.
- * <em>If the system can not quickly verify the solution
- * it is always acceptable to return <code>true</code>.</em>
- * <li>
- * Except as specified in the above check, if the triple contains an
- * <code>ANY</code> then this method must return <code>false</code> if there
- * are any restrictions where the remaining nodes are held constant and the
- * ANY node is allowed to vary. This checks is used to avoid subsequent
- * explicit triple checks.
- * <em>If the system can not quickly verify the solution it is always
- * acceptable to return <code>false</code>.</em></li>
- * <li>All other triples are explicit triples and the system must determine
- * if the user is permitted to perform the action on the triple. If the
- * triple contains a <code>FUTURE</code> node that node should be considered
- * as an anonymous or blank node that is not yet created. It should only be
- * used with <code>Create</code> actions and is asking if the user may
- * create a blank node in that position in the triple.</li>
- * </ol>
- * </p>
- *
- * @param principal
- * The principal that is attempting the action.
- *
- * @param action
- * The action to perform
- * @param graphIRI
- * The IRI of the graph to the action is being taken upon. May be
- * <code>ANY</code>.
- * @param triple
- * The triple to check
- * @return true if the action is allowed, false otherwise.
- * @throws IllegalArgumentException
- * if any argument is null.
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- public boolean evaluate(Object principal, Action action, Node graphIRI,
- Triple triple) throws AuthenticationRequiredException;
+ /**
+ * Determine if all actions are allowed on the graph.
+ *
+ * @param principal The principal that is attempting the action.
+ *
+ * @param actions The set of actions to perform
+ * @param graphIRI The IRI of the graph to the action is being taken upon. May
+ * be <code>ANY</code>.
+ * @return true if all the actions are allowed, false otherwise.
+ * @throws IllegalArgumentException if any argument is null.
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ public default boolean evaluate(Object principal, Set<Action> actions, Node graphIRI)
+ throws AuthenticationRequiredException {
+ return actions.stream().allMatch(action -> evaluate(principal, action, graphIRI));
+ }
- /**
- * Determine if all actions are allowed on the graph.
- *
- * @param principal
- * The principal that is attempting the action.
- *
- * @param actions
- * The set of actions to perform
- * @param graphIRI
- * The IRI of the graph to the action is being taken upon. May be
- * <code>ANY</code>.
- * @return true if all the actions are allowed, false otherwise.
- * @throws IllegalArgumentException
- * if any argument is null.
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- public default boolean evaluate(Object principal, Set<Action> actions, Node graphIRI)
- throws AuthenticationRequiredException {
- return actions.stream().allMatch(action -> evaluate(principal, action, graphIRI));
- }
+ /**
+ * Determine if all the actions are allowed on the triple within the graph.
+ * <p>
+ * See evaluate( Action, Node, Triple ) for discussion of evaluation strategy.
+ * </p>
+ *
+ * @param actions The actions to perform.
+ * @param graphIRI The IRI of the graph to the action is being taken upon. May
+ * be <code>ANY</code>.
+ * @param triple The triple to check
+ * @return true if all the actions are allowed, false otherwise.
+ * @throws IllegalArgumentException if any argument is null.
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ public default boolean evaluate(Object principal, Set<Action> actions, Node graphIRI, Triple triple)
+ throws AuthenticationRequiredException {
+ return actions.stream().allMatch(action -> evaluate(principal, action, graphIRI));
+ }
- /**
- * Determine if all the actions are allowed on the triple within the graph.
- * <p>
- * See evaluate( Action, Node, Triple ) for discussion of evaluation
- * strategy.
- * </p>
- *
- * @param actions
- * The actions to perform.
- * @param graphIRI
- * The IRI of the graph to the action is being taken upon. May be
- * <code>ANY</code>.
- * @param triple
- * The triple to check
- * @return true if all the actions are allowed, false otherwise.
- * @throws IllegalArgumentException
- * if any argument is null.
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- public default boolean evaluate(Object principal, Set<Action> actions,
- Node graphIRI, Triple triple)
- throws AuthenticationRequiredException {
- return actions.stream().allMatch(action -> evaluate(principal, action, graphIRI));
- }
+ /**
+ * Determine if any of the actions are allowed on the graph.
+ *
+ * @param principal The principal that is attempting the action.
+ *
+ * @param actions The actions to perform
+ * @param graphIRI The IRI of the graph to the action is being taken upon. May
+ * be <code>ANY</code>.
+ * @return true true if any the actions are allowed, false otherwise.
+ * @throws IllegalArgumentException if any argument is null.
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ public default boolean evaluateAny(Object principal, Set<Action> actions, Node graphIRI)
+ throws AuthenticationRequiredException {
+ return actions.stream().anyMatch(action -> evaluate(principal, action, graphIRI));
+ }
- /**
- * Determine if any of the actions are allowed on the graph.
- *
- * @param principal
- * The principal that is attempting the action.
- *
- * @param actions
- * The actions to perform
- * @param graphIRI
- * The IRI of the graph to the action is being taken upon. May be
- * <code>ANY</code>.
- * @return true true if any the actions are allowed, false otherwise.
- * @throws IllegalArgumentException
- * if any argument is null.
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- public default boolean evaluateAny(Object principal, Set<Action> actions,
- Node graphIRI) throws AuthenticationRequiredException {
- return actions.stream().anyMatch(action -> evaluate(principal, action, graphIRI));
- }
+ /**
+ * Determine if any of the actions are allowed on the triple within the graph.
+ * <p>
+ * See evaluate( Action, Node, Triple ) for discussion of evaluation strategy.
+ * </p>
+ *
+ * @param principal The principal that is attempting the action.
+ *
+ * @param actions The actions to check.
+ * @param graphIRI The IRI of the graph to the action is being taken upon. May
+ * be <code>ANY</code>.
+ * @param triple The triple to check
+ * @return true if any the actions are allowed, false otherwise.
+ * @throws IllegalArgumentException if any argument is null.
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ public default boolean evaluateAny(Object principal, Set<Action> actions, Node graphIRI, Triple triple)
+ throws AuthenticationRequiredException {
+ return actions.stream().anyMatch(action -> evaluate(principal, action, graphIRI, triple));
+ }
- /**
- * Determine if any of the actions are allowed on the triple within the
- * graph.
- * <p>
- * See evaluate( Action, Node, Triple ) for discussion of evaluation
- * strategy.
- * </p>
- *
- * @param principal
- * The principal that is attempting the action.
- *
- * @param actions
- * The actions to check.
- * @param graphIRI
- * The IRI of the graph to the action is being taken upon. May be
- * <code>ANY</code>.
- * @param triple
- * The triple to check
- * @return true if any the actions are allowed, false otherwise.
- * @throws IllegalArgumentException
- * if any argument is null.
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- public default boolean evaluateAny(Object principal, Set<Action> actions,
- Node graphIRI, Triple triple)
- throws AuthenticationRequiredException {
- return actions.stream().anyMatch(action -> evaluate(principal, action, graphIRI, triple));
- }
+ /**
+ * Determine if the user is allowed to update the "from" triple to the "to"
+ * triple.
+ * <p>
+ * Update is a special case since it modifies one triple to be another. So the
+ * user must have permissions to change the "from" triple into the "to" triple.
+ *
+ * @param principal The principal that is attempting the action.
+ * @param graphIRI The IRI of the graph to the action is being taken upon. May
+ * be <code>ANY</code>.
+ * @param from The triple to be changed
+ * @param to The value to change it to.
+ * @return true if the user may make the change, false otherwise.
+ * @throws IllegalArgumentException if any argument is null.
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ public default boolean evaluateUpdate(Object principal, Node graphIRI, Triple from, Triple to)
+ throws AuthenticationRequiredException {
+ return evaluate(principal, Action.Delete, graphIRI, from) && evaluate(principal, Action.Create, graphIRI, to);
+ }
- /**
- * Determine if the user is allowed to update the "from" triple to the "to"
- * triple.
- * <p>
- * Update is a special case since it modifies one triple to be another. So
- * the user must have permissions to change the "from" triple into the "to"
- * triple.
- *
- * @param principal
- * The principal that is attempting the action.
- * @param graphIRI
- * The IRI of the graph to the action is being taken upon. May be
- * <code>ANY</code>.
- * @param from
- * The triple to be changed
- * @param to
- * The value to change it to.
- * @return true if the user may make the change, false otherwise.
- * @throws IllegalArgumentException
- * if any argument is null.
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- public default boolean evaluateUpdate(Object principal, Node graphIRI, Triple from,
- Triple to) throws AuthenticationRequiredException {
- return evaluate(principal, Action.Delete, graphIRI, from) && evaluate(principal, Action.Create, graphIRI, to);
- }
+ /**
+ * returns the current principal or null if there is no current principal.
+ *
+ * All security evaluation methods use this method to determine who the call is
+ * being executed as. This allows subsystems (like the listener system) to
+ * capture the current user and evaluate later calls in terms of that user.
+ *
+ * @return The current principal
+ */
+ public Object getPrincipal();
- /**
- * returns the current principal or null if there is no current principal.
- *
- * All security evaluation methods use this method to determine who the call
- * is being executed as. This allows subsystems (like the listener system)
- * to capture the current user and evaluate later calls in terms of that
- * user.
- *
- * @return The current principal
- */
- public Object getPrincipal();
+ /**
+ * Returns true if the principal is recognized as an authenticated principal by
+ * the underlying authentication mechanism.
+ *
+ * This is to handle the case where an authentication mechanism returns a
+ * non-null object to indicate a non-authenticated principal. (e.g. Shiro).
+ *
+ * The principal is guaranteed to have been the return value from an earlier
+ * getPrincipal() call.
+ *
+ * @param principal The principal to check.
+ * @return true if authenticated, false if not.
+ */
+ public boolean isPrincipalAuthenticated(Object principal);
- /**
- * Returns true if the principal is recognized as an authenticated principal
- * by the underlying authentication mechanism.
- *
- * This is to handle the case where an authentication mechanism returns a
- * non-null object to indicate a non-authenticated principal. (e.g. Shiro).
- *
- * The principal is guaranteed to have been the return value from an earlier
- * getPrincipal() call.
- *
- * @param principal
- * The principal to check.
- * @return true if authenticated, false if not.
- */
- public boolean isPrincipalAuthenticated(Object principal);
+ /**
+ * Returns true if reads blocked by permissions should throw exceptions. If set
+ * false then:
+ * <ul>
+ * <li>For iterators return empty iterators.</li>
+ * <li>For existential checks return false.</li>
+ * <li>For counts return 0.</li>
+ * </ul>
+ *
+ * @return true if reads blocked by permissions should throw an exception.
+ */
+ public default boolean isHardReadError() {
+ return false;
+ }
}
diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/SecurityEvaluatorAssembler.java b/jena-permissions/src/main/java/org/apache/jena/permissions/SecurityEvaluatorAssembler.java
index 7ef923f..288d113 100644
--- a/jena-permissions/src/main/java/org/apache/jena/permissions/SecurityEvaluatorAssembler.java
+++ b/jena-permissions/src/main/java/org/apache/jena/permissions/SecurityEvaluatorAssembler.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -22,162 +22,153 @@ import java.lang.reflect.InvocationTargetException;
import java.util.ArrayList;
import java.util.List;
-import org.apache.jena.assembler.Assembler ;
-import org.apache.jena.assembler.Mode ;
-import org.apache.jena.assembler.assemblers.AssemblerBase ;
-import org.apache.jena.assembler.exceptions.AssemblerException ;
-import org.apache.jena.rdf.model.* ;
+import org.apache.jena.assembler.Assembler;
+import org.apache.jena.assembler.Mode;
+import org.apache.jena.assembler.assemblers.AssemblerBase;
+import org.apache.jena.assembler.exceptions.AssemblerException;
+import org.apache.jena.rdf.model.Literal;
+import org.apache.jena.rdf.model.NodeIterator;
+import org.apache.jena.rdf.model.RDFNode;
+import org.apache.jena.rdf.model.Resource;
+import org.apache.jena.rdf.model.Seq;
/**
* A simple assembler for a SecurityEvaluator
- * <p>
- * This assembler load the specified class, locates the first constructor that accepts
- * the number of arguments in the assembler file, and calls it passing the arguments.
- * Generally the result of this assembler is passed to a sec:Model construction.
- * @see SecuredAssembler
- * </p>
- * <ul>
- * <li>The evaluator must have one and only one public constructor
- * that takes the number of arguments specified in the assembler file.
- * </li>
- *
- * <li>
- * The evaluator may have more constructors but they may not have the same
- * number of arguments as specified in the assembler file.
- * </li>
- *
- * <li>
- * The arguments must be specified in the assembler file in the order that they
- * should be passed to the constructor.
- * </li>
- * </ul>
- *
* <p>
- * Literal arguments are converted to their data type before calling the constructor. For example
- * "13"^^xsd:int will be converted to an Integer with the value of 13.
- * </p>
- * The assembler file should include the following
- * <code><pre>
- * @prefix xsd: <http://www.w3.org/2001/XMLSchema#>
- *
- * <>; ja:loadClass "org.apache.jena.security.SecuredAssembler" .
- *
+ * This assembler load the specified class, locates the first constructor that
+ * accepts the number of arguments in the assembler file, and calls it passing
+ * the arguments. Generally the result of this assembler is passed to a
+ * sec:Model construction.
+ *
+ * @see SecuredAssembler
+ * </p>
+ * <ul>
+ * <li>The evaluator must have one and only one public constructor that
+ * takes the number of arguments specified in the assembler file.</li>
+ *
+ * <li>The evaluator may have more constructors but they may not have the
+ * same number of arguments as specified in the assembler file.</li>
+ *
+ * <li>The arguments must be specified in the assembler file in the order
+ * that they should be passed to the constructor.</li>
+ * </ul>
+ *
+ * <p>
+ * Literal arguments are converted to their data type before calling the
+ * constructor. For example "13"^^xsd:int will be converted to an Integer
+ * with the value of 13.
+ * </p>
+ * The assembler file should include the following <code><pre>
+ * prefix xsd: <http://www.w3.org/2001/XMLSchema#>
+ *
+ * <> ja:loadClass "org.apache.jena.security.SecuredAssembler" .
+ *
* sec:Model rdfs:subClassOf ja:NamedModel .
- *
+ *
* </pre></code>
- *
- * The model definition should include something like.
- *
- * <code><pre>
+ *
+ * The model definition should include something like.
+ *
+ * <code><pre>
* ex:myEvaluator a sec:Evaluator ;
* sec:args [ rdf:_1 "argument 1 for my evaluator constructor" ;
- * rdf:_2 "13"^^xsd:int ; ];
+ * rdf:_2 "13"^^xsd:int ; ];
* sec:evaluatorClass "evaluatorClassname";
* .
* </pre></code>
- *
- * Terms used in above example:
- *
- * <dl>
- * <dt>my:secEvaluator</dt>
- * <dd>The security evaluator as referenced in the assembler file.</dd>
- *
- * <dt>sec:Evaluator</dt>
- * <dd>Identifies my:secEvaluator as a SecurityEvaluator</dd>
- *
- * <dt>sec:args</dt>
- * <dd>Identifies the argument list</dd>
- *
- * <dt>rdf:_1</dt>
- * <dd>The first argument</dd>
- *
- * <dt>rdf:_2</dt>
- * <dd>The second argument (an integer in this case</dd>
- *
- * <dt>sec:evaluatorClass</dt>
- * <dd>The fully qualified name of the SecurityEvaluator class to call. This class must extend
- * SecurityEvaluator, and must have one and only one constructor that takes the number of arguments
- * specified in sec:args</dd>
- *
- * </p>
- *
+ *
+ * Terms used in above example:
+ *
+ * <dl>
+ * <dt>my:secEvaluator</dt>
+ * <dd>The security evaluator as referenced in the assembler file.</dd>
+ *
+ * <dt>sec:Evaluator</dt>
+ * <dd>Identifies my:secEvaluator as a SecurityEvaluator</dd>
+ *
+ * <dt>sec:args</dt>
+ * <dd>Identifies the argument list</dd>
+ *
+ * <dt>rdf:_1</dt>
+ * <dd>The first argument</dd>
+ *
+ * <dt>rdf:_2</dt>
+ * <dd>The second argument (an integer in this case</dd>
+ *
+ * <dt>sec:evaluatorClass</dt>
+ * <dd>The fully qualified name of the SecurityEvaluator class to call.
+ * This class must extend SecurityEvaluator, and must have one and only one
+ * constructor that takes the number of arguments specified in
+ * sec:args</dd>
+ *
+ * </p>
+ *
*/
public class SecurityEvaluatorAssembler extends AssemblerBase implements Assembler, AssemblerConstants {
- // initialization and registration is performed by SecuredAssembler
-
- @Override
- public SecurityEvaluator open(Assembler a, Resource root, Mode mode) {
-
- Literal className = getUniqueLiteral( root, EVALUATOR_CLASS );
- if (className == null)
- {
- throw new AssemblerException( root, String.format( NO_X_PROVIDED, EVALUATOR_CLASS, root ));
- }
-
- Class<?> clazz;
- try {
- clazz = Class.forName(className.getString());
- } catch (ClassNotFoundException e1) {
- throw new AssemblerException( root, String.format( "Can not locate class %s as specified by %s in %s", className, EVALUATOR_CLASS, root ));
- }
- if ( ! SecurityEvaluator.class.isAssignableFrom( clazz ))
- {
- throw new AssemblerException( root, String.format( "Class %s as specified by %s in %s does not implement SecurityEvaluator", className, EVALUATOR_CLASS, root ));
- }
-
- // get the arguments as specified.
- List<Object> args = new ArrayList<>();
- Resource argRes = getUniqueResource( root, ARGUMENT_LIST );
- if (argRes != null)
- {
- Seq seq = argRes.as( Seq.class );
- NodeIterator iter = seq.iterator();
- RDFNode n = null;
- while (iter.hasNext())
- {
- n = iter.next();
- if (n.isLiteral())
- {
- args.add( n.asLiteral().getValue());
- }
- else if (n.isResource())
- {
- args.add( a.open( a, n.asResource(), mode ) );
- }
- else
- {
- throw new AssemblerException( root, String.format( "%s must be a literal or a resource", n ));
- }
- }
- }
-
- for (Constructor<?> c : clazz.getConstructors())
- {
- if (c.getParameterTypes().length == args.size())
- {
- try {
- if (args.size() == 0)
- {
- return (SecurityEvaluator) c.newInstance();
- }
- else
- {
- return (SecurityEvaluator) c.newInstance( args.toArray() );
- }
- } catch (InstantiationException e) {
- throw new AssemblerException( root, e.getMessage(), e );
- } catch (IllegalAccessException e) {
- throw new AssemblerException( root, e.getMessage(), e );
- } catch (IllegalArgumentException e) {
- throw new AssemblerException( root, e.getMessage(), e );
- } catch (InvocationTargetException e) {
- throw new AssemblerException( root, e.getMessage(), e );
- }
- }
-
- }
- throw new AssemblerException( root, String.format( "Class %s does not have a %s argument constructor", className, args.size() ));
-
- }
+ // initialization and registration is performed by SecuredAssembler
+
+ @Override
+ public SecurityEvaluator open(Assembler a, Resource root, Mode mode) {
+
+ Literal className = getUniqueLiteral(root, EVALUATOR_CLASS);
+ if (className == null) {
+ throw new AssemblerException(root, String.format(NO_X_PROVIDED, EVALUATOR_CLASS, root));
+ }
+
+ Class<?> clazz;
+ try {
+ clazz = Class.forName(className.getString());
+ } catch (ClassNotFoundException e1) {
+ throw new AssemblerException(root, String.format("Can not locate class %s as specified by %s in %s",
+ className, EVALUATOR_CLASS, root));
+ }
+ if (!SecurityEvaluator.class.isAssignableFrom(clazz)) {
+ throw new AssemblerException(root,
+ String.format("Class %s as specified by %s in %s does not implement SecurityEvaluator", className,
+ EVALUATOR_CLASS, root));
+ }
+
+ // get the arguments as specified.
+ List<Object> args = new ArrayList<>();
+ Resource argRes = getUniqueResource(root, ARGUMENT_LIST);
+ if (argRes != null) {
+ Seq seq = argRes.as(Seq.class);
+ NodeIterator iter = seq.iterator();
+ RDFNode n = null;
+ while (iter.hasNext()) {
+ n = iter.next();
+ if (n.isLiteral()) {
+ args.add(n.asLiteral().getValue());
+ } else if (n.isResource()) {
+ args.add(a.open(a, n.asResource(), mode));
+ } else {
+ throw new AssemblerException(root, String.format("%s must be a literal or a resource", n));
+ }
+ }
+ }
+
+ for (Constructor<?> c : clazz.getConstructors()) {
+ if (c.getParameterTypes().length == args.size()) {
+ try {
+ if (args.size() == 0) {
+ return (SecurityEvaluator) c.newInstance();
+ }
+ return (SecurityEvaluator) c.newInstance(args.toArray());
+ } catch (InstantiationException e) {
+ throw new AssemblerException(root, e.getMessage(), e);
+ } catch (IllegalAccessException e) {
+ throw new AssemblerException(root, e.getMessage(), e);
+ } catch (IllegalArgumentException e) {
+ throw new AssemblerException(root, e.getMessage(), e);
+ } catch (InvocationTargetException e) {
+ throw new AssemblerException(root, e.getMessage(), e);
+ }
+ }
+
+ }
+ throw new AssemblerException(root,
+ String.format("Class %s does not have a %s argument constructor", className, args.size()));
+
+ }
}
diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/graph/SecuredCapabilities.java b/jena-permissions/src/main/java/org/apache/jena/permissions/graph/SecuredCapabilities.java
index e694c65..921ba21 100644
--- a/jena-permissions/src/main/java/org/apache/jena/permissions/graph/SecuredCapabilities.java
+++ b/jena-permissions/src/main/java/org/apache/jena/permissions/graph/SecuredCapabilities.java
@@ -17,7 +17,7 @@
*/
package org.apache.jena.permissions.graph;
-import org.apache.jena.graph.Capabilities ;
+import org.apache.jena.graph.Capabilities;
import org.apache.jena.graph.Node;
import org.apache.jena.graph.NodeFactory;
import org.apache.jena.permissions.SecurityEvaluator;
@@ -27,62 +27,53 @@ import org.apache.jena.permissions.SecurityEvaluator.Action;
* The interface for secured Capabilities instances.
*
*/
-public class SecuredCapabilities implements Capabilities
-{
- // the security evaluator in use
- private final SecurityEvaluator securityEvaluator;
- // the graphIRI that the capabilities belong to.
- private final Node graphIRI;
- // the unsecured capabilities.
- private final Capabilities capabilities;
+public class SecuredCapabilities implements Capabilities {
+ // the security evaluator in use
+ private final SecurityEvaluator securityEvaluator;
+ // the graphIRI that the capabilities belong to.
+ private final Node graphIRI;
+ // the unsecured capabilities.
+ private final Capabilities capabilities;
- /**
- * Constructor.
- *
- * @param securityEvaluator
- * The security evaluator in use.
- * @param graphURI
- * The graphIRI that the capabilities describe.
- * @param capabilities
- * The unsecured capabilities.
- */
- public SecuredCapabilities( final SecurityEvaluator securityEvaluator,
- final String graphURI, final Capabilities capabilities )
- {
- this.securityEvaluator = securityEvaluator;
- this.graphIRI = NodeFactory.createURI(graphURI);
- this.capabilities = capabilities;
- }
+ /**
+ * Constructor.
+ *
+ * @param securityEvaluator The security evaluator in use.
+ * @param graphURI The graphIRI that the capabilities describe.
+ * @param capabilities The unsecured capabilities.
+ */
+ public SecuredCapabilities(final SecurityEvaluator securityEvaluator, final String graphURI,
+ final Capabilities capabilities) {
+ this.securityEvaluator = securityEvaluator;
+ this.graphIRI = NodeFactory.createURI(graphURI);
+ this.capabilities = capabilities;
+ }
- /**
- * @sec.graph Update
- */
- @Override
- public boolean addAllowed()
- {
- return securityEvaluator.evaluate(securityEvaluator.getPrincipal(), Action.Update, graphIRI)
- && capabilities.addAllowed();
- }
+ /**
+ * @sec.graph Update
+ */
+ @Override
+ public boolean addAllowed() {
+ return securityEvaluator.evaluate(securityEvaluator.getPrincipal(), Action.Update, graphIRI)
+ && capabilities.addAllowed();
+ }
- /**
- * @sec.graph Update
- */
- @Override
- public boolean deleteAllowed()
- {
- return securityEvaluator.evaluate(securityEvaluator.getPrincipal(), Action.Update, graphIRI)
- && capabilities.deleteAllowed();
- }
+ /**
+ * @sec.graph Update
+ */
+ @Override
+ public boolean deleteAllowed() {
+ return securityEvaluator.evaluate(securityEvaluator.getPrincipal(), Action.Update, graphIRI)
+ && capabilities.deleteAllowed();
+ }
- @Override
- public boolean handlesLiteralTyping()
- {
- return capabilities.handlesLiteralTyping();
- }
+ @Override
+ public boolean handlesLiteralTyping() {
+ return capabilities.handlesLiteralTyping();
+ }
- @Override
- public boolean sizeAccurate()
- {
- return capabilities.sizeAccurate();
- }
+ @Override
+ public boolean sizeAccurate() {
+ return capabilities.sizeAccurate();
+ }
}
\ No newline at end of file
diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/graph/SecuredGraph.java b/jena-permissions/src/main/java/org/apache/jena/permissions/graph/SecuredGraph.java
index 8e08e50..147c48d 100644
--- a/jena-permissions/src/main/java/org/apache/jena/permissions/graph/SecuredGraph.java
+++ b/jena-permissions/src/main/java/org/apache/jena/permissions/graph/SecuredGraph.java
@@ -17,175 +17,17 @@
*/
package org.apache.jena.permissions.graph;
-import org.apache.jena.graph.*;
+import org.apache.jena.graph.Graph;
import org.apache.jena.permissions.SecuredItem;
-import org.apache.jena.permissions.SecurityEvaluator;
-import org.apache.jena.shared.AddDeniedException;
-import org.apache.jena.shared.AuthenticationRequiredException;
-import org.apache.jena.shared.DeleteDeniedException;
-import org.apache.jena.shared.ReadDeniedException;
-import org.apache.jena.shared.UpdateDeniedException;
-import org.apache.jena.util.iterator.ExtendedIterator;
/**
* The interface for secured Graph instances.
*
* Use the SecuredGraph.Factory to create instances
+ *
+ *
+ * {@link org.apache.jena.permissions.graph.impl.SecuredGraphImpl} for javadocs
*/
public interface SecuredGraph extends Graph, SecuredItem {
- /**
- * @sec.graph Update
- * @sec.triple Create
- * @throws AddDeniedException
- * @throws UpdateDeniedException
- * if the graph can not be updated.
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public void add(final Triple t) throws AddDeniedException,
- UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean contains(final Node s, final Node p, final Node o)
- throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean contains(final Triple t) throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Delete
- * @throws DeleteDeniedException
- * @throws UpdateDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public void delete(final Triple t) throws DeleteDeniedException,
- UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean dependsOn(final Graph other) throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read, otherwise filtered from iterator.
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public ExtendedIterator<Triple> find(final Node s, final Node p,
- final Node o) throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read, otherwise filtered from iterator.
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public ExtendedIterator<Triple> find(final Triple triple)
- throws ReadDeniedException, AuthenticationRequiredException;
-
- @Override
- public SecuredCapabilities getCapabilities();
-
- @Override
- public SecuredGraphEventManager getEventManager();
-
- /**
- * Return the name of the graph.
- *
- * @return The name of the graph as a node.
- */
- @Override
- public Node getModelNode();
-
- @Override
- public SecuredPrefixMapping getPrefixMapping();
-
- @Override
- public SecurityEvaluator getSecurityEvaluator();
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean isEmpty() throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean isIsomorphicWith(final Graph g) throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public int size() throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Delete for every triple
- * @throws DeleteDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public void clear() throws DeleteDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Delete (s, p, o )
- * @throws DeleteDeniedException
- * @throws UpdateDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public void remove(Node s, Node p, Node o) throws DeleteDeniedException,
- UpdateDeniedException, AuthenticationRequiredException;
-
}
diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/graph/SecuredGraphEventManager.java b/jena-permissions/src/main/java/org/apache/jena/permissions/graph/SecuredGraphEventManager.java
index ea7404a..0bb5463 100644
--- a/jena-permissions/src/main/java/org/apache/jena/permissions/graph/SecuredGraphEventManager.java
+++ b/jena-permissions/src/main/java/org/apache/jena/permissions/graph/SecuredGraphEventManager.java
@@ -47,558 +47,476 @@ import org.apache.jena.util.iterator.WrappedIterator;
* message is first seen and send it to the underlying graph if necessary.
*/
public class SecuredGraphEventManager implements GraphEventManager {
- private class SecuredGraphListener implements GraphListener {
- private final GraphListener wrapped;
- private final Object runAs;
-
- SecuredGraphListener(final GraphListener wrapped) {
- if (wrapped == null) {
- throw new IllegalArgumentException(
- "Wrapped listener may not be null");
- }
- this.wrapped = wrapped;
- this.runAs = securedGraph.getSecurityEvaluator().getPrincipal();
- }
-
- private Triple[] getArray(final Graph g, final Triple[] triples,
- final Set<Action> perms) throws AuthenticationRequiredException {
- Triple[] retval = triples;
- if (g instanceof SecuredGraph) {
- final SecuredGraph sg = (SecuredGraph) g;
- final SecurityEvaluator evaluator = new CachedSecurityEvaluator(
- sg.getSecurityEvaluator(), runAs);
- if (evaluator.evaluateAny(runAs, perms, sg.getModelNode())) {
- if (!evaluator.evaluateAny(runAs, perms, sg.getModelNode(),
- Triple.ANY)) {
- final List<Triple> list = wrapPermIterator(sg,
- Arrays.asList(triples).iterator(), perms)
- .toList();
- retval = list.toArray(new Triple[list.size()]);
- } else {
- retval = triples;
- }
- } else {
- retval = new Triple[0];
- }
- }
- return retval;
- }
-
- @Override
- public void notifyAddArray(final Graph g, final Triple[] triples)
- throws AuthenticationRequiredException {
- final Triple[] added = getArray(g, triples,
- SecuredGraphEventManager.ADD);
-
- if (added.length > 0) {
- wrapped.notifyAddArray(g, added);
- }
- }
-
- @Override
- public void notifyAddGraph(final Graph g, final Graph added)
- throws AuthenticationRequiredException {
- Graph addGraph = added;
- if (g instanceof SecuredGraph) {
- final SecuredGraph sg = (SecuredGraph) g;
- final SecurityEvaluator evaluator = new CachedSecurityEvaluator(
- sg.getSecurityEvaluator(), runAs);
- if (evaluator.evaluateAny(runAs, SecuredGraphEventManager.ADD,
- sg.getModelNode())) {
- if (!evaluator.evaluateAny(runAs,
- SecuredGraphEventManager.ADD, sg.getModelNode(),
- Triple.ANY)) {
- final List<Triple> lst = added.find(Triple.ANY)
- .toList();
- addGraph = new CollectionGraph(Arrays.asList(getArray(
- g, lst.toArray(new Triple[lst.size()]),
- SecuredGraphEventManager.ADD)));
- } else {
- addGraph = added;
- }
- } else {
- addGraph = new CollectionGraph(
- Collections.<Triple> emptyList());
- }
- }
- if (addGraph.size() > 0) {
- wrapped.notifyAddGraph(g, addGraph);
-
- }
- }
-
- @Override
- public void notifyAddIterator(final Graph g, final Iterator<Triple> it)
- throws AuthenticationRequiredException {
-
- if (g instanceof SecuredGraph) {
- final SecuredGraph sg = (SecuredGraph) g;
- final SecurityEvaluator evaluator = new CachedSecurityEvaluator(
- sg.getSecurityEvaluator(), runAs);
- // only report if we can write to the graph
- if (evaluator.evaluateAny(runAs, SecuredGraphEventManager.ADD,
- sg.getModelNode())) {
- final ExtendedIterator<Triple> iter = wrapPermIterator(sg,
- it, SecuredGraphEventManager.ADD);
- try {
- wrapped.notifyAddIterator(g, iter);
- } finally {
- iter.close();
- }
- }
- } else {
- wrapped.notifyAddIterator(g, it);
- }
-
- }
-
- @Override
- public void notifyAddList(final Graph g, final List<Triple> triples)
- throws AuthenticationRequiredException {
- List<Triple> list = triples;
- if (g instanceof SecuredGraph) {
- final SecuredGraph sg = (SecuredGraph) g;
- final SecurityEvaluator evaluator = new CachedSecurityEvaluator(
- sg.getSecurityEvaluator(), runAs);
- if (evaluator.evaluateAny(runAs, SecuredGraphEventManager.ADD,
- sg.getModelNode())) {
- if (!evaluator.evaluateAny(runAs,
- SecuredGraphEventManager.ADD, sg.getModelNode(),
- Triple.ANY)) {
- list = wrapPermIterator(sg, triples.iterator(),
- SecuredGraphEventManager.ADD).toList();
- } else {
- list = triples;
- }
- } else {
- list = Collections.emptyList();
- }
- }
-
- if (list.size() > 0) {
-
- wrapped.notifyAddList(g, list);
- }
- }
-
- @Override
- public void notifyAddTriple(final Graph g, final Triple t)
- throws AuthenticationRequiredException {
- boolean notify = false;
- if (g instanceof SecuredGraph) {
- final SecuredGraph sg = (SecuredGraph) g;
- final SecurityEvaluator evaluator = new CachedSecurityEvaluator(
- sg.getSecurityEvaluator(), runAs);
- notify = evaluator.evaluateAny(runAs,
- SecuredGraphEventManager.ADD, sg.getModelNode());
- if (notify) {
- notify = evaluator.evaluateAny(runAs,
- SecuredGraphEventManager.ADD, sg.getModelNode(), t);
- }
- } else {
- notify = true;
- }
- if (notify) {
- wrapped.notifyAddTriple(g, t);
- }
- }
-
- @Override
- public void notifyDeleteArray(final Graph g, final Triple[] triples)
- throws AuthenticationRequiredException {
- Triple[] deleted = triples;
- if (g instanceof SecuredGraph) {
- final SecuredGraph sg = (SecuredGraph) g;
- final SecurityEvaluator evaluator = new CachedSecurityEvaluator(
- sg.getSecurityEvaluator(), runAs);
- if (evaluator.evaluateAny(runAs,
- SecuredGraphEventManager.DELETE, sg.getModelNode())) {
- if (!evaluator.evaluateAny(runAs,
- SecuredGraphEventManager.DELETE, sg.getModelNode(),
- Triple.ANY)) {
- final List<Triple> list = wrapPermIterator(sg,
- Arrays.asList(triples).iterator(),
- SecuredGraphEventManager.DELETE).toList();
- deleted = list.toArray(new Triple[list.size()]);
- } else {
- deleted = triples;
- }
- } else {
- deleted = new Triple[0];
- }
- }
-
- if (deleted.length > 0) {
- wrapped.notifyDeleteArray(g, deleted);
- }
- }
-
- @Override
- public void notifyDeleteGraph(final Graph g, final Graph removed)
- throws AuthenticationRequiredException {
- if (g instanceof SecuredGraph) {
- final SecuredGraph sg = (SecuredGraph) g;
- final SecurityEvaluator evaluator = new CachedSecurityEvaluator(
- sg.getSecurityEvaluator(), runAs);
- if (evaluator.evaluateAny(runAs,
- SecuredGraphEventManager.DELETE, sg.getModelNode())) {
- Graph g2 = removed;
- if (!evaluator.evaluateAny(runAs,
- SecuredGraphEventManager.DELETE, sg.getModelNode(),
- Triple.ANY)) {
- g2 = new CollectionGraph(
- removed.find(Triple.ANY)
- .filterKeep(
- new PermTripleFilter(
- SecuredGraphEventManager.DELETE,
- sg, evaluator))
- .toList());
-
- }
- wrapped.notifyDeleteGraph(g, g2);
- } else {
- // do nothing.
- }
- } else {
- wrapped.notifyDeleteGraph(g, removed);
- }
- }
-
- @Override
- public void notifyDeleteIterator(final Graph g,
- final Iterator<Triple> it)
- throws AuthenticationRequiredException {
- Iterator<Triple> iter = it;
- if (g instanceof SecuredGraph) {
- final SecuredGraph sg = (SecuredGraph) g;
- final SecurityEvaluator evaluator = new CachedSecurityEvaluator(
- sg.getSecurityEvaluator(), runAs);
- if (evaluator.evaluateAny(runAs,
- SecuredGraphEventManager.DELETE, sg.getModelNode())) {
-
- if (!evaluator.evaluateAny(runAs,
- SecuredGraphEventManager.DELETE, sg.getModelNode(),
- Triple.ANY)) {
- iter = WrappedIterator.create(it).filterKeep(
- new PermTripleFilter(
- SecuredGraphEventManager.DELETE, sg,
- evaluator));
- }
- // else use the default list as all can bee seen
- wrapped.notifyDeleteIterator(g, iter);
- } else {
- // do nothing.
- }
- } else {
- wrapped.notifyDeleteIterator(g, iter);
- }
-
- }
-
- @Override
- public void notifyDeleteList(final Graph g, final List<Triple> triples)
- throws AuthenticationRequiredException {
- List<Triple> list = triples;
- if (g instanceof SecuredGraph) {
- final SecuredGraph sg = (SecuredGraph) g;
- final SecurityEvaluator evaluator = new CachedSecurityEvaluator(
- sg.getSecurityEvaluator(), runAs);
- if (evaluator.evaluateAny(runAs,
- SecuredGraphEventManager.DELETE, sg.getModelNode())) {
- if (!evaluator.evaluateAny(runAs,
- SecuredGraphEventManager.DELETE, sg.getModelNode(),
- Triple.ANY)) {
- list = WrappedIterator
- .create(triples.iterator())
- .filterKeep(
- new PermTripleFilter(
- SecuredGraphEventManager.DELETE,
- sg, evaluator)).toList();
- }
- // else use the default list as all can bee seen
- } else {
- list = Collections.emptyList();
- }
- }
-
- if (list.size() > 0) {
- wrapped.notifyDeleteList(g, list);
- }
- }
-
- @Override
- public void notifyDeleteTriple(final Graph g, final Triple t)
- throws AuthenticationRequiredException {
- boolean notify = false;
- if (g instanceof SecuredGraph) {
- final SecuredGraph sg = (SecuredGraph) g;
- final SecurityEvaluator evaluator = new CachedSecurityEvaluator(
- sg.getSecurityEvaluator(), runAs);
- notify = evaluator.evaluateAny(runAs,
- SecuredGraphEventManager.DELETE, sg.getModelNode());
- if (notify) {
- notify = evaluator.evaluateAny(runAs,
- SecuredGraphEventManager.DELETE, sg.getModelNode(),
- t);
- }
- } else {
- notify = true;
- }
- if (notify) {
- wrapped.notifyDeleteTriple(g, t);
- }
- }
-
- @Override
- public void notifyEvent(final Graph source, final Object value) {
- wrapped.notifyEvent(source, value);
- }
-
- private ExtendedIterator<Triple> wrapPermIterator(
- final SecuredGraph sg, final Iterator<Triple> it,
- final Set<Action> perms) throws AuthenticationRequiredException {
- final SecurityEvaluator evaluator = new CachedSecurityEvaluator(
- sg.getSecurityEvaluator(), runAs);
- if (!evaluator.evaluateAny(runAs, perms, sg.getModelNode(),
- Triple.ANY)) {
- // nope so wrap the iterator with security iterator
- return WrappedIterator.create(it).filterKeep(
- new PermTripleFilter(perms, sg, evaluator));
- }
- return WrappedIterator.create(it);
- }
-
- }
-
- // the security evaluator in use
- private final SecuredGraph securedGraph;
- private final Graph baseGraph;
- private final Map<GraphListener, Stack<SecuredGraphListener>> listenerMap = new HashMap<>();
- private static Set<Action> DELETE;
- private static Set<Action> ADD;
-
- static {
- SecuredGraphEventManager.ADD = new HashSet<Action>( Arrays.asList(Action.Create, Action.Read));
- SecuredGraphEventManager.DELETE = new HashSet<Action>(Arrays.asList(Action.Delete, Action.Read));
- }
-
- public SecuredGraphEventManager(final SecuredGraph securedGraph,
- final Graph baseGraph, final GraphEventManager manager) {
- this.securedGraph = securedGraph;
- this.baseGraph = baseGraph;
- manager.register(this);
- }
-
- private synchronized Collection<SecuredGraphListener> getListenerCollection() {
- ExtendedIterator<SecuredGraphListener> retval = NiceIterator
- .emptyIterator();
- for (final Collection<SecuredGraphListener> coll : listenerMap.values()) {
- retval = retval.andThen(coll.iterator());
- }
- return retval.toList();
- }
-
- @Override
- public boolean listening() {
- return !listenerMap.isEmpty();
- }
-
- @Override
- public void notifyAddArray(final Graph g, final Triple[] triples)
- throws AuthenticationRequiredException {
- final boolean wrap = baseGraph.equals(g);
-
- for (final SecuredGraphListener sgl : getListenerCollection()) {
- if (wrap) {
- sgl.notifyAddArray(securedGraph, triples);
- } else {
- sgl.notifyAddArray(g, triples);
- }
- }
- }
-
- @Override
- public void notifyAddGraph(final Graph g, final Graph added)
- throws AuthenticationRequiredException {
- final boolean wrap = baseGraph.equals(g);
-
- for (final SecuredGraphListener sgl : getListenerCollection()) {
- if (wrap) {
- sgl.notifyAddGraph(securedGraph, added);
- } else {
- sgl.notifyAddGraph(g, added);
- }
- }
- }
-
- @Override
- public void notifyAddIterator(final Graph g, final Iterator<Triple> it)
- throws AuthenticationRequiredException {
- notifyAddIterator(g, WrappedIterator.create(it).toList());
- baseGraph.equals(g);
- }
-
- @Override
- public void notifyAddIterator(final Graph g, final List<Triple> triples)
- throws AuthenticationRequiredException {
- final boolean wrap = baseGraph.equals(g);
-
- for (final SecuredGraphListener sgl : getListenerCollection()) {
- if (wrap) {
- sgl.notifyAddIterator(securedGraph, triples.iterator());
- } else {
- sgl.notifyAddIterator(g, triples.iterator());
- }
- }
- }
-
- @Override
- public void notifyAddList(final Graph g, final List<Triple> triples)
- throws AuthenticationRequiredException {
- final boolean wrap = baseGraph.equals(g);
-
- for (final SecuredGraphListener sgl : getListenerCollection()) {
- if (wrap) {
- sgl.notifyAddList(securedGraph, triples);
- } else {
- sgl.notifyAddList(g, triples);
- }
- }
- }
-
- @Override
- public void notifyAddTriple(final Graph g, final Triple t)
- throws AuthenticationRequiredException {
- final boolean wrap = baseGraph.equals(g);
-
- for (final SecuredGraphListener sgl : getListenerCollection()) {
- if (wrap) {
- sgl.notifyAddTriple(securedGraph, t);
- } else {
- sgl.notifyAddTriple(g, t);
- }
- }
- }
-
- @Override
- public void notifyDeleteArray(final Graph g, final Triple[] triples)
- throws AuthenticationRequiredException {
- final boolean wrap = baseGraph.equals(g);
-
- for (final SecuredGraphListener sgl : getListenerCollection()) {
- if (wrap) {
- sgl.notifyDeleteArray(securedGraph, triples);
- } else {
- sgl.notifyDeleteArray(g, triples);
- }
- }
- }
-
- @Override
- public void notifyDeleteGraph(final Graph g, final Graph removed)
- throws AuthenticationRequiredException {
- final boolean wrap = baseGraph.equals(g);
-
- for (final SecuredGraphListener sgl : getListenerCollection()) {
- if (wrap) {
- sgl.notifyDeleteGraph(securedGraph, removed);
- } else {
- sgl.notifyDeleteGraph(g, removed);
- }
- }
- }
-
- @Override
- public void notifyDeleteIterator(final Graph g, final Iterator<Triple> it)
- throws AuthenticationRequiredException {
- notifyDeleteIterator(g, WrappedIterator.create(it).toList());
- }
-
- @Override
- public void notifyDeleteIterator(final Graph g, final List<Triple> triples)
- throws AuthenticationRequiredException {
- final boolean wrap = baseGraph.equals(g);
-
- for (final SecuredGraphListener sgl : getListenerCollection()) {
- if (wrap) {
- sgl.notifyDeleteIterator(securedGraph, triples.iterator());
- } else {
- sgl.notifyDeleteIterator(g, triples.iterator());
- }
- }
- }
-
- @Override
- public void notifyDeleteList(final Graph g, final List<Triple> L)
- throws AuthenticationRequiredException {
- final boolean wrap = baseGraph.equals(g);
-
- for (final SecuredGraphListener sgl : getListenerCollection()) {
- if (wrap) {
- sgl.notifyDeleteList(securedGraph, L);
- } else {
- sgl.notifyDeleteList(g, L);
- }
- }
- }
-
- @Override
- public void notifyDeleteTriple(final Graph g, final Triple t)
- throws AuthenticationRequiredException {
- final boolean wrap = baseGraph.equals(g);
-
- for (final SecuredGraphListener sgl : getListenerCollection()) {
- if (wrap) {
- sgl.notifyDeleteTriple(securedGraph, t);
- } else {
- sgl.notifyDeleteTriple(g, t);
- }
- }
- }
-
- @Override
- public void notifyEvent(final Graph source, final Object value)
- throws AuthenticationRequiredException {
- if ((source instanceof SecuredGraph) && securedGraph.equals(source)) {
- baseGraph.getEventManager().notifyEvent(baseGraph, value);
- } else {
-
- final boolean wrap = baseGraph.equals(source);
-
- for (final SecuredGraphListener sgl : getListenerCollection()) {
- if (wrap) {
- sgl.notifyEvent(securedGraph, value);
- } else {
- sgl.notifyEvent(source, value);
- }
- }
- }
- }
-
- @Override
- public synchronized GraphEventManager register(final GraphListener listener) {
- Stack<SecuredGraphListener> sgl = listenerMap.get(listener);
- if (sgl == null) {
- sgl = new Stack<>();
- }
- sgl.push(new SecuredGraphListener(listener));
- listenerMap.put(listener, sgl);
- return this;
- }
-
- @Override
- public synchronized GraphEventManager unregister(
- final GraphListener listener) {
- final Stack<SecuredGraphListener> sgl = listenerMap.get(listener);
- if (sgl != null) {
- if (sgl.size() == 1) {
- listenerMap.remove(listener);
- } else {
- sgl.pop();
- listenerMap.put(listener, sgl);
- }
- }
- return this;
- }
+ private class SecuredGraphListener implements GraphListener {
+ private final GraphListener wrapped;
+ private final Object runAs;
+
+ SecuredGraphListener(final GraphListener wrapped) {
+ if (wrapped == null) {
+ throw new IllegalArgumentException("Wrapped listener may not be null");
+ }
+ this.wrapped = wrapped;
+ this.runAs = securedGraph.getSecurityEvaluator().getPrincipal();
+ }
+
+ private Triple[] getArray(final Graph g, final Triple[] triples, final Set<Action> perms)
+ throws AuthenticationRequiredException {
+ Triple[] retval = triples;
+ if (g instanceof SecuredGraph) {
+ final SecuredGraph sg = (SecuredGraph) g;
+ final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs);
+ if (evaluator.evaluateAny(runAs, perms, sg.getModelNode())) {
+ if (!evaluator.evaluateAny(runAs, perms, sg.getModelNode(), Triple.ANY)) {
+ final List<Triple> list = wrapPermIterator(sg, Arrays.asList(triples).iterator(), perms)
+ .toList();
+ retval = list.toArray(new Triple[list.size()]);
+ } else {
+ retval = triples;
+ }
+ } else {
+ retval = new Triple[0];
+ }
+ }
+ return retval;
+ }
+
+ @Override
+ public void notifyAddArray(final Graph g, final Triple[] triples) throws AuthenticationRequiredException {
+ final Triple[] added = getArray(g, triples, SecuredGraphEventManager.ADD);
+
+ if (added.length > 0) {
+ wrapped.notifyAddArray(g, added);
+ }
+ }
+
+ @Override
+ public void notifyAddGraph(final Graph g, final Graph added) throws AuthenticationRequiredException {
+ Graph addGraph = added;
+ if (g instanceof SecuredGraph) {
+ final SecuredGraph sg = (SecuredGraph) g;
+ final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs);
+ if (evaluator.evaluateAny(runAs, SecuredGraphEventManager.ADD, sg.getModelNode())) {
+ if (!evaluator.evaluateAny(runAs, SecuredGraphEventManager.ADD, sg.getModelNode(), Triple.ANY)) {
+ final List<Triple> lst = added.find(Triple.ANY).toList();
+ addGraph = new CollectionGraph(Arrays.asList(
+ getArray(g, lst.toArray(new Triple[lst.size()]), SecuredGraphEventManager.ADD)));
+ } else {
+ addGraph = added;
+ }
+ } else {
+ addGraph = new CollectionGraph(Collections.<Triple>emptyList());
+ }
+ }
+ if (addGraph.size() > 0) {
+ wrapped.notifyAddGraph(g, addGraph);
+
+ }
+ }
+
+ @Override
+ public void notifyAddIterator(final Graph g, final Iterator<Triple> it) throws AuthenticationRequiredException {
+
+ if (g instanceof SecuredGraph) {
+ final SecuredGraph sg = (SecuredGraph) g;
+ final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs);
+ // only report if we can write to the graph
+ if (evaluator.evaluateAny(runAs, SecuredGraphEventManager.ADD, sg.getModelNode())) {
+ final ExtendedIterator<Triple> iter = wrapPermIterator(sg, it, SecuredGraphEventManager.ADD);
+ try {
+ wrapped.notifyAddIterator(g, iter);
+ } finally {
+ iter.close();
+ }
+ }
+ } else {
+ wrapped.notifyAddIterator(g, it);
+ }
+
+ }
+
+ @Override
+ public void notifyAddList(final Graph g, final List<Triple> triples) throws AuthenticationRequiredException {
+ List<Triple> list = triples;
+ if (g instanceof SecuredGraph) {
+ final SecuredGraph sg = (SecuredGraph) g;
+ final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs);
+ if (evaluator.evaluateAny(runAs, SecuredGraphEventManager.ADD, sg.getModelNode())) {
+ if (!evaluator.evaluateAny(runAs, SecuredGraphEventManager.ADD, sg.getModelNode(), Triple.ANY)) {
+ list = wrapPermIterator(sg, triples.iterator(), SecuredGraphEventManager.ADD).toList();
+ } else {
+ list = triples;
+ }
+ } else {
+ list = Collections.emptyList();
+ }
+ }
+
+ if (list.size() > 0) {
+
+ wrapped.notifyAddList(g, list);
+ }
+ }
+
+ @Override
+ public void notifyAddTriple(final Graph g, final Triple t) throws AuthenticationRequiredException {
+ boolean notify = false;
+ if (g instanceof SecuredGraph) {
+ final SecuredGraph sg = (SecuredGraph) g;
+ final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs);
+ notify = evaluator.evaluateAny(runAs, SecuredGraphEventManager.ADD, sg.getModelNode());
+ if (notify) {
+ notify = evaluator.evaluateAny(runAs, SecuredGraphEventManager.ADD, sg.getModelNode(), t);
+ }
+ } else {
+ notify = true;
+ }
+ if (notify) {
+ wrapped.notifyAddTriple(g, t);
+ }
+ }
+
+ @Override
+ public void notifyDeleteArray(final Graph g, final Triple[] triples) throws AuthenticationRequiredException {
+ Triple[] deleted = triples;
+ if (g instanceof SecuredGraph) {
+ final SecuredGraph sg = (SecuredGraph) g;
+ final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs);
+ if (evaluator.evaluateAny(runAs, SecuredGraphEventManager.DELETE, sg.getModelNode())) {
+ if (!evaluator.evaluateAny(runAs, SecuredGraphEventManager.DELETE, sg.getModelNode(), Triple.ANY)) {
+ final List<Triple> list = wrapPermIterator(sg, Arrays.asList(triples).iterator(),
+ SecuredGraphEventManager.DELETE).toList();
+ deleted = list.toArray(new Triple[list.size()]);
+ } else {
+ deleted = triples;
+ }
+ } else {
+ deleted = new Triple[0];
+ }
+ }
+
+ if (deleted.length > 0) {
+ wrapped.notifyDeleteArray(g, deleted);
+ }
+ }
+
+ @Override
+ public void notifyDeleteGraph(final Graph g, final Graph removed) throws AuthenticationRequiredException {
+ if (g instanceof SecuredGraph) {
+ final SecuredGraph sg = (SecuredGraph) g;
+ final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs);
+ if (evaluator.evaluateAny(runAs, SecuredGraphEventManager.DELETE, sg.getModelNode())) {
+ Graph g2 = removed;
+ if (!evaluator.evaluateAny(runAs, SecuredGraphEventManager.DELETE, sg.getModelNode(), Triple.ANY)) {
+ g2 = new CollectionGraph(removed.find(Triple.ANY)
+ .filterKeep(new PermTripleFilter(SecuredGraphEventManager.DELETE, sg, evaluator))
+ .toList());
+
+ }
+ wrapped.notifyDeleteGraph(g, g2);
+ } else {
+ // do nothing.
+ }
+ } else {
+ wrapped.notifyDeleteGraph(g, removed);
+ }
+ }
+
+ @Override
+ public void notifyDeleteIterator(final Graph g, final Iterator<Triple> it)
+ throws AuthenticationRequiredException {
+ Iterator<Triple> iter = it;
+ if (g instanceof SecuredGraph) {
+ final SecuredGraph sg = (SecuredGraph) g;
+ final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs);
+ if (evaluator.evaluateAny(runAs, SecuredGraphEventManager.DELETE, sg.getModelNode())) {
+
+ if (!evaluator.evaluateAny(runAs, SecuredGraphEventManager.DELETE, sg.getModelNode(), Triple.ANY)) {
+ iter = WrappedIterator.create(it)
+ .filterKeep(new PermTripleFilter(SecuredGraphEventManager.DELETE, sg, evaluator));
+ }
+ // else use the default list as all can bee seen
+ wrapped.notifyDeleteIterator(g, iter);
+ } else {
+ // do nothing.
+ }
+ } else {
+ wrapped.notifyDeleteIterator(g, iter);
+ }
+
+ }
+
+ @Override
+ public void notifyDeleteList(final Graph g, final List<Triple> triples) throws AuthenticationRequiredException {
+ List<Triple> list = triples;
+ if (g instanceof SecuredGraph) {
+ final SecuredGraph sg = (SecuredGraph) g;
+ final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs);
+ if (evaluator.evaluateAny(runAs, SecuredGraphEventManager.DELETE, sg.getModelNode())) {
+ if (!evaluator.evaluateAny(runAs, SecuredGraphEventManager.DELETE, sg.getModelNode(), Triple.ANY)) {
+ list = WrappedIterator.create(triples.iterator())
+ .filterKeep(new PermTripleFilter(SecuredGraphEventManager.DELETE, sg, evaluator))
+ .toList();
+ }
+ // else use the default list as all can bee seen
+ } else {
+ list = Collections.emptyList();
+ }
+ }
+
+ if (list.size() > 0) {
+ wrapped.notifyDeleteList(g, list);
+ }
+ }
+
+ @Override
+ public void notifyDeleteTriple(final Graph g, final Triple t) throws AuthenticationRequiredException {
+ boolean notify = false;
+ if (g instanceof SecuredGraph) {
+ final SecuredGraph sg = (SecuredGraph) g;
+ final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs);
+ notify = evaluator.evaluateAny(runAs, SecuredGraphEventManager.DELETE, sg.getModelNode());
+ if (notify) {
+ notify = evaluator.evaluateAny(runAs, SecuredGraphEventManager.DELETE, sg.getModelNode(), t);
+ }
+ } else {
+ notify = true;
+ }
+ if (notify) {
+ wrapped.notifyDeleteTriple(g, t);
+ }
+ }
+
+ @Override
+ public void notifyEvent(final Graph source, final Object value) {
+ wrapped.notifyEvent(source, value);
+ }
+
+ private ExtendedIterator<Triple> wrapPermIterator(final SecuredGraph sg, final Iterator<Triple> it,
+ final Set<Action> perms) throws AuthenticationRequiredException {
+ final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs);
+ if (!evaluator.evaluateAny(runAs, perms, sg.getModelNode(), Triple.ANY)) {
+ // nope so wrap the iterator with security iterator
+ return WrappedIterator.create(it).filterKeep(new PermTripleFilter(perms, sg, evaluator));
+ }
+ return WrappedIterator.create(it);
+ }
+
+ }
+
+ // the security evaluator in use
+ private final SecuredGraph securedGraph;
+ private final Graph baseGraph;
+ private final Map<GraphListener, Stack<SecuredGraphListener>> listenerMap = new HashMap<>();
+ private static Set<Action> DELETE;
+ private static Set<Action> ADD;
+
+ static {
+ SecuredGraphEventManager.ADD = new HashSet<Action>(Arrays.asList(Action.Create, Action.Read));
+ SecuredGraphEventManager.DELETE = new HashSet<Action>(Arrays.asList(Action.Delete, Action.Read));
+ }
+
+ public SecuredGraphEventManager(final SecuredGraph securedGraph, final Graph baseGraph,
+ final GraphEventManager manager) {
+ this.securedGraph = securedGraph;
+ this.baseGraph = baseGraph;
+ manager.register(this);
+ }
+
+ private synchronized Collection<SecuredGraphListener> getListenerCollection() {
+ ExtendedIterator<SecuredGraphListener> retval = NiceIterator.emptyIterator();
+ for (final Collection<SecuredGraphListener> coll : listenerMap.values()) {
+ retval = retval.andThen(coll.iterator());
+ }
+ return retval.toList();
+ }
+
+ @Override
+ public boolean listening() {
+ return !listenerMap.isEmpty();
+ }
+
+ @Override
+ public void notifyAddArray(final Graph g, final Triple[] triples) throws AuthenticationRequiredException {
+ final boolean wrap = baseGraph.equals(g);
+
+ for (final SecuredGraphListener sgl : getListenerCollection()) {
+ if (wrap) {
+ sgl.notifyAddArray(securedGraph, triples);
+ } else {
+ sgl.notifyAddArray(g, triples);
+ }
+ }
+ }
+
+ @Override
+ public void notifyAddGraph(final Graph g, final Graph added) throws AuthenticationRequiredException {
+ final boolean wrap = baseGraph.equals(g);
+
+ for (final SecuredGraphListener sgl : getListenerCollection()) {
+ if (wrap) {
+ sgl.notifyAddGraph(securedGraph, added);
+ } else {
+ sgl.notifyAddGraph(g, added);
+ }
+ }
+ }
+
+ @Override
+ public void notifyAddIterator(final Graph g, final Iterator<Triple> it) throws AuthenticationRequiredException {
+ notifyAddIterator(g, WrappedIterator.create(it).toList());
+ baseGraph.equals(g);
+ }
+
+ @Override
+ public void notifyAddIterator(final Graph g, final List<Triple> triples) throws AuthenticationRequiredException {
+ final boolean wrap = baseGraph.equals(g);
+
+ for (final SecuredGraphListener sgl : getListenerCollection()) {
+ if (wrap) {
+ sgl.notifyAddIterator(securedGraph, triples.iterator());
+ } else {
+ sgl.notifyAddIterator(g, triples.iterator());
+ }
+ }
+ }
+
+ @Override
+ public void notifyAddList(final Graph g, final List<Triple> triples) throws AuthenticationRequiredException {
+ final boolean wrap = baseGraph.equals(g);
+
+ for (final SecuredGraphListener sgl : getListenerCollection()) {
+ if (wrap) {
+ sgl.notifyAddList(securedGraph, triples);
+ } else {
+ sgl.notifyAddList(g, triples);
+ }
+ }
+ }
+
+ @Override
+ public void notifyAddTriple(final Graph g, final Triple t) throws AuthenticationRequiredException {
+ final boolean wrap = baseGraph.equals(g);
+
+ for (final SecuredGraphListener sgl : getListenerCollection()) {
+ if (wrap) {
+ sgl.notifyAddTriple(securedGraph, t);
+ } else {
+ sgl.notifyAddTriple(g, t);
+ }
+ }
+ }
+
+ @Override
+ public void notifyDeleteArray(final Graph g, final Triple[] triples) throws AuthenticationRequiredException {
+ final boolean wrap = baseGraph.equals(g);
+
+ for (final SecuredGraphListener sgl : getListenerCollection()) {
+ if (wrap) {
+ sgl.notifyDeleteArray(securedGraph, triples);
+ } else {
+ sgl.notifyDeleteArray(g, triples);
+ }
+ }
+ }
+
+ @Override
+ public void notifyDeleteGraph(final Graph g, final Graph removed) throws AuthenticationRequiredException {
+ final boolean wrap = baseGraph.equals(g);
+
+ for (final SecuredGraphListener sgl : getListenerCollection()) {
+ if (wrap) {
+ sgl.notifyDeleteGraph(securedGraph, removed);
+ } else {
+ sgl.notifyDeleteGraph(g, removed);
+ }
+ }
+ }
+
+ @Override
+ public void notifyDeleteIterator(final Graph g, final Iterator<Triple> it) throws AuthenticationRequiredException {
+ notifyDeleteIterator(g, WrappedIterator.create(it).toList());
+ }
+
+ @Override
+ public void notifyDeleteIterator(final Graph g, final List<Triple> triples) throws AuthenticationRequiredException {
+ final boolean wrap = baseGraph.equals(g);
+
+ for (final SecuredGraphListener sgl : getListenerCollection()) {
+ if (wrap) {
+ sgl.notifyDeleteIterator(securedGraph, triples.iterator());
+ } else {
+ sgl.notifyDeleteIterator(g, triples.iterator());
+ }
+ }
+ }
+
+ @Override
+ public void notifyDeleteList(final Graph g, final List<Triple> L) throws AuthenticationRequiredException {
+ final boolean wrap = baseGraph.equals(g);
+
+ for (final SecuredGraphListener sgl : getListenerCollection()) {
+ if (wrap) {
+ sgl.notifyDeleteList(securedGraph, L);
+ } else {
+ sgl.notifyDeleteList(g, L);
+ }
+ }
+ }
+
+ @Override
+ public void notifyDeleteTriple(final Graph g, final Triple t) throws AuthenticationRequiredException {
+ final boolean wrap = baseGraph.equals(g);
+
+ for (final SecuredGraphListener sgl : getListenerCollection()) {
+ if (wrap) {
+ sgl.notifyDeleteTriple(securedGraph, t);
+ } else {
+ sgl.notifyDeleteTriple(g, t);
+ }
+ }
+ }
+
+ @Override
+ public void notifyEvent(final Graph source, final Object value) throws AuthenticationRequiredException {
+ if ((source instanceof SecuredGraph) && securedGraph.equals(source)) {
+ baseGraph.getEventManager().notifyEvent(baseGraph, value);
+ } else {
+
+ final boolean wrap = baseGraph.equals(source);
+
+ for (final SecuredGraphListener sgl : getListenerCollection()) {
+ if (wrap) {
+ sgl.notifyEvent(securedGraph, value);
+ } else {
+ sgl.notifyEvent(source, value);
+ }
+ }
+ }
+ }
+
+ @Override
+ public synchronized GraphEventManager register(final GraphListener listener) {
+ Stack<SecuredGraphListener> sgl = listenerMap.get(listener);
+ if (sgl == null) {
+ sgl = new Stack<>();
+ }
+ sgl.push(new SecuredGraphListener(listener));
+ listenerMap.put(listener, sgl);
+ return this;
+ }
+
+ @Override
+ public synchronized GraphEventManager unregister(final GraphListener listener) {
+ final Stack<SecuredGraphListener> sgl = listenerMap.get(listener);
+ if (sgl != null) {
+ if (sgl.size() == 1) {
+ listenerMap.remove(listener);
+ } else {
+ sgl.pop();
+ listenerMap.put(listener, sgl);
+ }
+ }
+ return this;
+ }
}
diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/graph/SecuredPrefixMapping.java b/jena-permissions/src/main/java/org/apache/jena/permissions/graph/SecuredPrefixMapping.java
index 13d8fa4..6f8b165 100644
--- a/jena-permissions/src/main/java/org/apache/jena/permissions/graph/SecuredPrefixMapping.java
+++ b/jena-permissions/src/main/java/org/apache/jena/permissions/graph/SecuredPrefixMapping.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -27,139 +27,131 @@ import org.apache.jena.shared.UpdateDeniedException;
/**
* The interface for secured PrefixMapping instances.
- *
+ *
* Use the SecuredPrefixMapping.Factory to create instances
*/
public interface SecuredPrefixMapping extends PrefixMapping, SecuredItem {
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public String expandPrefix(final String prefixed)
- throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public Map<String, String> getNsPrefixMap() throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public String getNsPrefixURI(final String prefix)
- throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public String getNsURIPrefix(final String uri) throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredPrefixMapping lock() throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public String qnameFor(final String uri) throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredPrefixMapping removeNsPrefix(final String prefix)
- throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean samePrefixMappingAs(final PrefixMapping other)
- throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @throws UpdateDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredPrefixMapping setNsPrefix(final String prefix,
- final String uri) throws UpdateDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @throws UpdateDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredPrefixMapping setNsPrefixes(final Map<String, String> map)
- throws UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @throws UpdateDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredPrefixMapping setNsPrefixes(final PrefixMapping other)
- throws UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public String shortForm(final String uri) throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @throws UpdateDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredPrefixMapping withDefaultMappings(final PrefixMapping map)
- throws UpdateDeniedException, AuthenticationRequiredException;
+ /**
+ * @sec.graph Read
+ * @throws ReadDeniedException
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ @Override
+ public String expandPrefix(final String prefixed) throws ReadDeniedException, AuthenticationRequiredException;
+
+ /**
+ * @sec.graph Read
+ * @throws ReadDeniedException
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ @Override
+ public Map<String, String> getNsPrefixMap() throws ReadDeniedException, AuthenticationRequiredException;
+
+ /**
+ * @sec.graph Read
+ * @throws ReadDeniedException
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ @Override
+ public String getNsPrefixURI(final String prefix) throws ReadDeniedException, AuthenticationRequiredException;
+
+ /**
+ * @sec.graph Read
+ * @throws ReadDeniedException
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ @Override
+ public String getNsURIPrefix(final String uri) throws ReadDeniedException, AuthenticationRequiredException;
+
+ /**
+ * @sec.graph Update
+ * @throws ReadDeniedException
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ @Override
+ public PrefixMapping lock() throws ReadDeniedException, AuthenticationRequiredException;
+
+ /**
+ * @sec.graph Read
+ * @throws ReadDeniedException
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ @Override
+ public String qnameFor(final String uri) throws ReadDeniedException, AuthenticationRequiredException;
+
+ /**
+ * @sec.graph Update
+ * @throws ReadDeniedException
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ @Override
+ public PrefixMapping removeNsPrefix(final String prefix)
+ throws ReadDeniedException, AuthenticationRequiredException;
+
+ /**
+ * @sec.graph Read
+ * @throws ReadDeniedException
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ @Override
+ public boolean samePrefixMappingAs(final PrefixMapping other)
+ throws ReadDeniedException, AuthenticationRequiredException;
+
+ /**
+ * @sec.graph Update
+ * @throws UpdateDeniedException
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ @Override
+ public PrefixMapping setNsPrefix(final String prefix, final String uri)
+ throws UpdateDeniedException, AuthenticationRequiredException;
+
+ /**
+ * @sec.graph Update
+ * @throws UpdateDeniedException
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ @Override
+ public PrefixMapping setNsPrefixes(final Map<String, String> map)
+ throws UpdateDeniedException, AuthenticationRequiredException;
+
+ /**
+ * @sec.graph Update
+ * @throws UpdateDeniedException
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ @Override
+ public PrefixMapping setNsPrefixes(final PrefixMapping other)
+ throws UpdateDeniedException, AuthenticationRequiredException;
+
+ /**
+ * @sec.graph Read
+ * @throws ReadDeniedException
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ @Override
+ public String shortForm(final String uri) throws ReadDeniedException, AuthenticationRequiredException;
+
+ /**
+ * @sec.graph Update
+ * @throws UpdateDeniedException
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ @Override
+ public PrefixMapping withDefaultMappings(final PrefixMapping map)
+ throws UpdateDeniedException, AuthenticationRequiredException;
}
diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/graph/impl/Factory.java b/jena-permissions/src/main/java/org/apache/jena/permissions/graph/impl/Factory.java
index f658426..17fd0a2 100644
--- a/jena-permissions/src/main/java/org/apache/jena/permissions/graph/impl/Factory.java
+++ b/jena-permissions/src/main/java/org/apache/jena/permissions/graph/impl/Factory.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -17,77 +17,59 @@
*/
package org.apache.jena.permissions.graph.impl;
-import org.apache.jena.graph.Graph ;
+import org.apache.jena.graph.Graph;
import org.apache.jena.permissions.SecurityEvaluator;
import org.apache.jena.permissions.graph.SecuredGraph;
import org.apache.jena.permissions.graph.SecuredPrefixMapping;
import org.apache.jena.permissions.impl.ItemHolder;
import org.apache.jena.permissions.impl.SecuredItemInvoker;
-import org.apache.jena.shared.PrefixMapping ;
+import org.apache.jena.shared.PrefixMapping;
-public class Factory
-{
+public class Factory {
- /**
- * Create an instance of SecuredPrefixMapping
- *
- * @param graph
- * The SecuredGraph that contains the prefixmapping.
- * @param prefixMapping
- * The prefixmapping returned from the base graph.
- * @return The SecuredPrefixMapping.
- */
- static SecuredPrefixMapping getInstance( final SecuredGraphImpl graph,
- final PrefixMapping prefixMapping )
- {
+ /**
+ * Create an instance of SecuredPrefixMapping
+ *
+ * @param graph The SecuredGraph that contains the prefixmapping.
+ * @param prefixMapping The prefixmapping returned from the base graph.
+ * @return The SecuredPrefixMapping.
+ */
+ static SecuredPrefixMapping getInstance(final SecuredGraphImpl graph, final PrefixMapping prefixMapping) {
- final ItemHolder<PrefixMapping, SecuredPrefixMapping> holder = new ItemHolder<>(prefixMapping);
- final SecuredPrefixMappingImpl checker = new SecuredPrefixMappingImpl(
- graph, holder);
- // if we are going to create a duplicate proxy just return this one.
- if (prefixMapping instanceof SecuredPrefixMapping)
- {
- if (checker.isEquivalent((SecuredPrefixMapping) prefixMapping))
- {
- return (SecuredPrefixMapping) prefixMapping;
- }
- }
+ final ItemHolder<PrefixMapping, SecuredPrefixMapping> holder = new ItemHolder<>(prefixMapping);
+ final SecuredPrefixMappingImpl checker = new SecuredPrefixMappingImpl(graph, holder);
+ // if we are going to create a duplicate proxy just return this one.
+ if (prefixMapping instanceof SecuredPrefixMapping) {
+ if (checker.isEquivalent((SecuredPrefixMapping) prefixMapping)) {
+ return (SecuredPrefixMapping) prefixMapping;
+ }
+ }
- return holder.setSecuredItem(new SecuredItemInvoker(prefixMapping
- .getClass(), checker));
- }
+ return holder.setSecuredItem(new SecuredItemInvoker(prefixMapping.getClass(), checker));
+ }
- /**
- * Create an instance of the SecuredGraph
- *
- * @param securityEvaluator
- * The security evaluator to use
- * @param graphIRI
- * The IRI for the graph.
- * @param graph
- * The graph that we are wrapping.
- * @return the secured graph
- */
- public static SecuredGraph getInstance(
- final SecurityEvaluator securityEvaluator, final String graphIRI,
- final Graph graph )
- {
+ /**
+ * Create an instance of the SecuredGraph
+ *
+ * @param securityEvaluator The security evaluator to use
+ * @param graphIRI The IRI for the graph.
+ * @param graph The graph that we are wrapping.
+ * @return the secured graph
+ */
+ public static SecuredGraph getInstance(final SecurityEvaluator securityEvaluator, final String graphIRI,
+ final Graph graph) {
- final ItemHolder<Graph, SecuredGraphImpl> holder = new ItemHolder<>(graph);
- final SecuredGraphImpl checker = new SecuredGraphImpl(
- securityEvaluator, graphIRI, holder) {
- };
+ final ItemHolder<Graph, SecuredGraphImpl> holder = new ItemHolder<>(graph);
+ final SecuredGraphImpl checker = new SecuredGraphImpl(securityEvaluator, graphIRI, holder) {
+ };
- // If we going to create a duplicate proxy return this one.
- if (graph instanceof SecuredGraphImpl)
- {
- if (checker.isEquivalent((SecuredGraphImpl) graph))
- {
- return (SecuredGraph) graph;
- }
- }
- return holder.setSecuredItem(new SecuredItemInvoker(graph.getClass(),
- checker));
- }
+ // If we going to create a duplicate proxy return this one.
+ if (graph instanceof SecuredGraphImpl) {
+ if (checker.isEquivalent((SecuredGraphImpl) graph)) {
+ return (SecuredGraph) graph;
+ }
+ }
+ return holder.setSecuredItem(new SecuredItemInvoker(graph.getClass(), checker));
+ }
}
diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/graph/impl/SecuredGraphImpl.java b/jena-permissions/src/main/java/org/apache/jena/permissions/graph/impl/SecuredGraphImpl.java
index 4757b09..a3a1589 100644
--- a/jena-permissions/src/main/java/org/apache/jena/permissions/graph/impl/SecuredGraphImpl.java
+++ b/jena-permissions/src/main/java/org/apache/jena/permissions/graph/impl/SecuredGraphImpl.java
@@ -17,11 +17,17 @@
*/
package org.apache.jena.permissions.graph.impl;
-import org.apache.jena.graph.*;
-import org.apache.jena.permissions.SecuredItem;
+import org.apache.jena.ext.com.google.common.collect.Iterators;
+import org.apache.jena.graph.Graph;
+import org.apache.jena.graph.Node;
+import org.apache.jena.graph.TransactionHandler;
+import org.apache.jena.graph.Triple;
import org.apache.jena.permissions.SecurityEvaluator;
import org.apache.jena.permissions.SecurityEvaluator.Action;
-import org.apache.jena.permissions.graph.*;
+import org.apache.jena.permissions.graph.SecuredCapabilities;
+import org.apache.jena.permissions.graph.SecuredGraph;
+import org.apache.jena.permissions.graph.SecuredGraphEventManager;
+import org.apache.jena.permissions.graph.SecuredPrefixMapping;
import org.apache.jena.permissions.impl.ItemHolder;
import org.apache.jena.permissions.impl.SecuredItemImpl;
import org.apache.jena.permissions.utils.PermTripleFilter;
@@ -37,217 +43,317 @@ import org.apache.jena.util.iterator.ExtendedIterator;
*/
public class SecuredGraphImpl extends SecuredItemImpl implements SecuredGraph {
- // the prefixMapping for this graph.
- private SecuredPrefixMapping prefixMapping;
- // the item holder that contains this SecuredGraph
- private final ItemHolder<Graph, SecuredGraphImpl> holder;
-
- private final SecuredGraphEventManager eventManager;
-
- /**
- * Constructor
- *
- * @param securityEvaluator
- * The security evaluator to use
- * @param graphIRI
- * The IRI for the graph
- * @param holder
- * The item holder that will contain this SecuredGraph.
- */
- SecuredGraphImpl(final SecuredItem securedItem,
- final ItemHolder<Graph, SecuredGraphImpl> holder) {
- super(securedItem, holder);
- this.holder = holder;
- this.eventManager = new SecuredGraphEventManager(this,
- holder.getBaseItem(), holder.getBaseItem().getEventManager());
- }
-
- SecuredGraphImpl(final SecurityEvaluator securityEvaluator,
- final String modelURI,
- final ItemHolder<Graph, SecuredGraphImpl> holder) {
- super(securityEvaluator, modelURI, holder);
- this.holder = holder;
- this.eventManager = new SecuredGraphEventManager(this,
- holder.getBaseItem(), holder.getBaseItem().getEventManager());
- }
-
- @Override
- public void add(final Triple t) throws AddDeniedException,
- UpdateDeniedException, AuthenticationRequiredException {
- checkUpdate();
- checkCreate(t);
- holder.getBaseItem().add(t);
- }
-
- @Override
- public void close() {
- holder.getBaseItem().close();
- }
-
- @Override
- public boolean contains(final Node s, final Node p, final Node o)
- throws ReadDeniedException, AuthenticationRequiredException {
- return contains(new Triple(s, p, o));
- }
-
- @Override
- public boolean contains(final Triple t) throws ReadDeniedException,
- AuthenticationRequiredException {
- checkRead();
- if (canRead(t)) {
- return holder.getBaseItem().contains(t);
- }
- final ExtendedIterator<Triple> iter = holder.getBaseItem().find(t);
- try {
- while (iter.hasNext()) {
- if (canRead(iter.next())) {
- return true;
- }
- }
- return false;
- } finally {
- iter.close();
- }
-
- }
-
- private synchronized void createPrefixMapping() {
- if (prefixMapping == null) {
- prefixMapping = org.apache.jena.permissions.graph.impl.Factory
- .getInstance(this, holder.getBaseItem().getPrefixMapping());
- }
- }
-
- @Override
- public void delete(final Triple t) throws DeleteDeniedException,
- AuthenticationRequiredException {
- checkUpdate();
- checkDelete(t);
- holder.getBaseItem().delete(t);
- }
-
- @Override
- public boolean dependsOn(final Graph other) throws ReadDeniedException,
- AuthenticationRequiredException {
- checkRead();
- if (other.equals(holder.getBaseItem())) {
- return true;
- }
- return holder.getBaseItem().dependsOn(other);
- }
-
- @Override
- public ExtendedIterator<Triple> find(final Node s, final Node p,
- final Node o) throws ReadDeniedException,
- AuthenticationRequiredException {
- checkRead();
- ExtendedIterator<Triple> retval = holder.getBaseItem().find(s, p, o);
- if (!canRead(Triple.ANY)) {
- retval = retval.filterKeep(new PermTripleFilter(Action.Read, this));
- }
- return retval;
- }
-
- @Override
- public ExtendedIterator<Triple> find(final Triple m)
- throws ReadDeniedException, AuthenticationRequiredException {
- checkRead();
- ExtendedIterator<Triple> retval = holder.getBaseItem().find(m);
- if (!canRead(Triple.ANY)) {
- retval = retval.filterKeep(new PermTripleFilter(Action.Read, this));
- }
- return retval;
- }
-
- @Override
- public SecuredCapabilities getCapabilities() {
- return new SecuredCapabilities(getSecurityEvaluator(), getModelIRI(),
- holder.getBaseItem().getCapabilities());
- }
-
- @Override
- public SecuredGraphEventManager getEventManager() {
- return eventManager;
- }
-
- @Override
- public SecuredPrefixMapping getPrefixMapping() {
- if (prefixMapping == null) {
- createPrefixMapping();
- }
- return prefixMapping;
- }
-
- @Override
- public TransactionHandler getTransactionHandler() {
- return holder.getBaseItem().getTransactionHandler();
- }
-
- @Override
- public boolean isClosed() {
- return holder.getBaseItem().isClosed();
- }
-
- @Override
- public boolean isEmpty() throws ReadDeniedException,
- AuthenticationRequiredException {
- checkRead();
- return holder.getBaseItem().isEmpty();
- }
-
- @Override
- public boolean isIsomorphicWith(final Graph g) throws ReadDeniedException,
- AuthenticationRequiredException {
- checkRead();
- if (g.size() != holder.getBaseItem().size()) {
- return false;
- }
- final Triple t = new Triple(Node.ANY, Node.ANY, Node.ANY);
- if (!canRead(t)) {
- final ExtendedIterator<Triple> iter = g.find(t);
- while (iter.hasNext()) {
- checkRead(iter.next());
- }
- }
- return holder.getBaseItem().isIsomorphicWith(g);
- }
-
- @Override
- public int size() throws ReadDeniedException,
- AuthenticationRequiredException {
- checkRead();
- return holder.getBaseItem().size();
- }
-
- @Override
- public void clear() throws UpdateDeniedException,
- AuthenticationRequiredException {
- checkUpdate();
- if (!canDelete(Triple.ANY)) {
- ExtendedIterator<Triple> iter = holder.getBaseItem().find(
- Triple.ANY);
- while (iter.hasNext()) {
- checkDelete(iter.next());
- }
- }
- holder.getBaseItem().clear();
- }
-
- @Override
- public void remove(Node s, Node p, Node o) throws UpdateDeniedException,
- DeleteDeniedException, AuthenticationRequiredException {
- checkUpdate();
- Triple t = new Triple(s, p, o);
- if (t.isConcrete()) {
- checkDelete(t);
- } else {
- ExtendedIterator<Triple> iter = holder.getBaseItem().find(
- Triple.ANY);
- while (iter.hasNext()) {
- checkDelete(iter.next());
- }
- }
- holder.getBaseItem().remove(s, p, o);
- }
+ // the prefixMapping for this graph.
+ private SecuredPrefixMapping prefixMapping;
+ // the item holder that contains this SecuredGraph
+ private final ItemHolder<Graph, SecuredGraphImpl> holder;
+
+ private final SecuredGraphEventManager eventManager;
+
+ /**
+ * Constructor
+ *
+ * @param securityEvaluator The security evaluator to use
+ * @param graphIRI The IRI for the graph
+ * @param holder The item holder that will contain this SecuredGraph.
+ */
+ SecuredGraphImpl(final SecurityEvaluator securityEvaluator, final String modelURI,
+ final ItemHolder<Graph, SecuredGraphImpl> holder) {
+ super(securityEvaluator, modelURI, holder);
+ this.holder = holder;
+ this.eventManager = new SecuredGraphEventManager(this, holder.getBaseItem(),
+ holder.getBaseItem().getEventManager());
+ }
+
+ /**
+ * @sec.graph Update
+ * @sec.triple Create
+ * @throws AddDeniedException
+ * @throws UpdateDeniedException if the graph can not be updated.
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ @Override
+ public void add(final Triple t) throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException {
+ checkUpdate();
+ checkCreate(t);
+ holder.getBaseItem().add(t);
+ }
+
+ /**
+ * @sec.graph Update
+ * @sec.triple Delete for every triple
+ * @throws DeleteDeniedException
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ @Override
+ public void clear() throws UpdateDeniedException, AuthenticationRequiredException {
+ checkUpdate();
+ if (!canDelete(Triple.ANY)) {
+ ExtendedIterator<Triple> iter = holder.getBaseItem().find(Triple.ANY);
+ while (iter.hasNext()) {
+ checkDelete(iter.next());
+ }
+ }
+ holder.getBaseItem().clear();
+ }
+
+ @Override
+ public void close() {
+ holder.getBaseItem().close();
+ }
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read
+ * @throws ReadDeniedException
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ @Override
+ public boolean contains(final Node s, final Node p, final Node o)
+ throws ReadDeniedException, AuthenticationRequiredException {
+ return contains(new Triple(s, p, o));
+ }
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read
+ * @throws ReadDeniedException
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ @Override
+ public boolean contains(final Triple t) throws ReadDeniedException, AuthenticationRequiredException {
+ if (checkSoftRead()) {
+ if (canRead(t)) {
+ return holder.getBaseItem().contains(t);
+ }
+ final ExtendedIterator<Triple> iter = holder.getBaseItem().find(t);
+ try {
+ while (iter.hasNext()) {
+ if (canRead(iter.next())) {
+ return true;
+ }
+ }
+ return false;
+ } finally {
+ iter.close();
+ }
+ }
+ return false;
+ }
+
+ /**
+ * @sec.graph Update
+ * @sec.triple Delete
+ * @throws DeleteDeniedException
+ * @throws UpdateDeniedException
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ @Override
+ public void delete(final Triple t) throws DeleteDeniedException, AuthenticationRequiredException {
+ checkUpdate();
+ checkDelete(t);
+ holder.getBaseItem().delete(t);
+ }
+
+ /**
+ * @sec.graph Read
+ *
+ * if {@link SecurityEvaluator#isHardReadError()} is true then this
+ * method returns false.
+ *
+ * @throws ReadDeniedException
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ @Override
+ public boolean dependsOn(final Graph other) throws ReadDeniedException, AuthenticationRequiredException {
+ if (checkSoftRead()) {
+ if (other.equals(holder.getBaseItem())) {
+ return true;
+ }
+ return holder.getBaseItem().dependsOn(other);
+ }
+ return false;
+ }
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read, otherwise filtered from iterator.
+ *
+ * if {@link SecurityEvaluator#isHardReadError()} is true and the
+ * user does not have read access then an empty iterator will be
+ * returned.
+ *
+ * @throws ReadDeniedException on read not allowed
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ @Override
+ public ExtendedIterator<Triple> find() throws ReadDeniedException, AuthenticationRequiredException {
+ return createIterator(() -> holder.getBaseItem().find(Triple.ANY),
+ () -> new PermTripleFilter(Action.Read, this));
+ }
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read, otherwise filtered from iterator.
+ *
+ * if {@link SecurityEvaluator#isHardReadError()} is true and the
+ * user does not have read access then an empty iterator will be
+ * returned.
+ *
+ * @throws ReadDeniedException
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ @Override
+ public ExtendedIterator<Triple> find(final Node s, final Node p, final Node o)
+ throws ReadDeniedException, AuthenticationRequiredException {
+ return createIterator(() -> holder.getBaseItem().find(s, p, o), () -> new PermTripleFilter(Action.Read, this));
+ }
+
+ /**
+ * @sec.graph Read
+ * @sec.triple Read, otherwise filtered from iterator.
+ *
+ * if {@link SecurityEvaluator#isHardReadError()} is true then an
+ * empty iterator will be returned.
+ *
+ * @throws ReadDeniedException
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ @Override
+ public ExtendedIterator<Triple> find(final Triple t) throws ReadDeniedException, AuthenticationRequiredException {
+ return createIterator(() -> holder.getBaseItem().find(t), () -> new PermTripleFilter(Action.Read, this));
+ }
+
+ @Override
+ public SecuredCapabilities getCapabilities() {
+ return new SecuredCapabilities(getSecurityEvaluator(), getModelIRI(), holder.getBaseItem().getCapabilities());
+ }
+
+ @Override
+ public SecuredGraphEventManager getEventManager() {
+ return eventManager;
+ }
+
+ @Override
+ public SecuredPrefixMapping getPrefixMapping() {
+ if (prefixMapping == null) {
+ synchronized (this) {
+ if (prefixMapping == null) {
+ prefixMapping = org.apache.jena.permissions.graph.impl.Factory.getInstance(this,
+ holder.getBaseItem().getPrefixMapping());
+ }
+ }
+ }
+ return prefixMapping;
+ }
+
+ @Override
+ public TransactionHandler getTransactionHandler() {
+ return holder.getBaseItem().getTransactionHandler();
+ }
+
+ @Override
+ public boolean isClosed() {
+ return holder.getBaseItem().isClosed();
+ }
+
+ /**
+ * @sec.graph Read
+ *
+ * If {@link SecurityEvaluator#isHardReadError()} is false then this
+ * method will return 0.
+ *
+ * @throws ReadDeniedException if graph can not be read.
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ @Override
+ public boolean isEmpty() throws ReadDeniedException, AuthenticationRequiredException {
+ return checkSoftRead() ? holder.getBaseItem().isEmpty() : true;
+ }
+
+ /**
+ * @sec.graph Read
+ *
+ * If {@link SecurityEvaluator#isHardReadError()} is false then this
+ * method will return false unless {@code g} is empty.
+ *
+ * @throws ReadDeniedException if graph can not be read.
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ @Override
+ public boolean isIsomorphicWith(final Graph g) throws ReadDeniedException, AuthenticationRequiredException {
+ if (checkSoftRead()) {
+ if (g.size() != holder.getBaseItem().size()) {
+ return false;
+ }
+ final Triple t = new Triple(Node.ANY, Node.ANY, Node.ANY);
+ if (!canRead(t)) {
+ final ExtendedIterator<Triple> iter = g.find(t);
+ while (iter.hasNext()) {
+ if (!checkRead(iter.next())) {
+ return false;
+ }
+ }
+ }
+ return holder.getBaseItem().isIsomorphicWith(g);
+ }
+ return g.isEmpty();
+ }
+
+ /**
+ * @sec.graph Update
+ * @sec.triple Delete (s, p, o )
+ * @throws DeleteDeniedException
+ * @throws UpdateDeniedException
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ @Override
+ public void remove(Node s, Node p, Node o)
+ throws UpdateDeniedException, DeleteDeniedException, AuthenticationRequiredException {
+ checkUpdate();
+ Triple t = new Triple(s, p, o);
+ if (t.isConcrete()) {
+ checkDelete(t);
+ } else {
+ ExtendedIterator<Triple> iter = holder.getBaseItem().find(t);
+ while (iter.hasNext()) {
+ checkDelete(iter.next());
+ }
+ }
+ holder.getBaseItem().remove(s, p, o);
+ }
+
+ /**
+ * @sec.graph Read
+ *
+ * If {@link SecurityEvaluator#isHardReadError()} is false then this
+ * method will return 0.
+ *
+ * @throws ReadDeniedException if graph can not be read.
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ @Override
+ public int size() throws ReadDeniedException, AuthenticationRequiredException {
+ if (checkSoftRead()) {
+ if (canRead(Triple.ANY)) {
+ return holder.getBaseItem().size();
+ }
+ return Iterators.size(find(Triple.ANY));
+ }
+ return 0;
+ }
}
\ No newline at end of file
diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/graph/impl/SecuredPrefixMappingImpl.java b/jena-permissions/src/main/java/org/apache/jena/permissions/graph/impl/SecuredPrefixMappingImpl.java
index da27768..6806ee4 100644
--- a/jena-permissions/src/main/java/org/apache/jena/permissions/graph/impl/SecuredPrefixMappingImpl.java
+++ b/jena-permissions/src/main/java/org/apache/jena/permissions/graph/impl/SecuredPrefixMappingImpl.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -17,6 +17,7 @@
*/
package org.apache.jena.permissions.graph.impl;
+import java.util.Collections;
import java.util.Map;
import java.util.Map.Entry;
@@ -33,155 +34,134 @@ import org.apache.jena.shared.impl.PrefixMappingImpl;
* Implementation of SecuredPrefixMapping to be used by a SecuredItemInvoker
* proxy.
*/
-public class SecuredPrefixMappingImpl extends SecuredItemImpl implements
- SecuredPrefixMapping {
- // the item holder that holds this SecuredPrefixMapping
- private final ItemHolder<PrefixMapping, SecuredPrefixMapping> holder;
-
- /**
- * Constructor
- *
- * @param graph
- * The Secured graph this mapping is for.
- * @param holder
- * The item holder that will contain this SecuredPrefixMapping.
- */
- SecuredPrefixMappingImpl(final SecuredGraphImpl graph,
- final ItemHolder<PrefixMapping, SecuredPrefixMapping> holder) {
- super(graph, holder);
- this.holder = holder;
- }
-
- @Override
- public String expandPrefix(final String prefixed)
- throws ReadDeniedException, AuthenticationRequiredException {
- checkRead();
- return holder.getBaseItem().expandPrefix(prefixed);
- }
-
- @Override
- public Map<String, String> getNsPrefixMap() throws ReadDeniedException,
- AuthenticationRequiredException {
- checkRead();
- return holder.getBaseItem().getNsPrefixMap();
- }
-
- @Override
- public String getNsPrefixURI(final String prefix)
- throws ReadDeniedException, AuthenticationRequiredException {
- checkRead();
- return holder.getBaseItem().getNsPrefixURI(prefix);
- }
-
- @Override
- public String getNsURIPrefix(final String uri) throws ReadDeniedException,
- AuthenticationRequiredException {
- checkRead();
- return holder.getBaseItem().getNsURIPrefix(uri);
- }
-
- @Override
- public SecuredPrefixMapping lock() throws UpdateDeniedException,
- AuthenticationRequiredException {
- checkUpdate();
- holder.getBaseItem().lock();
- return holder.getSecuredItem();
- }
-
- @Override
- public String qnameFor(final String uri) throws ReadDeniedException,
- AuthenticationRequiredException {
- checkRead();
- return holder.getBaseItem().qnameFor(uri);
- }
-
- @Override
- public SecuredPrefixMapping removeNsPrefix(final String prefix)
- throws UpdateDeniedException, AuthenticationRequiredException {
- checkUpdate();
- holder.getBaseItem().removeNsPrefix(prefix);
- return holder.getSecuredItem();
- }
-
- @Override
+public class SecuredPrefixMappingImpl extends SecuredItemImpl implements SecuredPrefixMapping {
+ // the item holder that holds this SecuredPrefixMapping
+ private final ItemHolder<PrefixMapping, SecuredPrefixMapping> holder;
+
+ /**
+ * Constructor
+ *
+ * @param graph The Secured graph this mapping is for.
+ * @param holder The item holder that will contain this SecuredPrefixMapping.
+ */
+ SecuredPrefixMappingImpl(final SecuredGraphImpl graph,
+ final ItemHolder<PrefixMapping, SecuredPrefixMapping> holder) {
+ super(graph, holder);
+ this.holder = holder;
+ }
+
+ @Override
+ public String expandPrefix(final String prefixed) throws ReadDeniedException, AuthenticationRequiredException {
+ return checkSoftRead() ? holder.getBaseItem().expandPrefix(prefixed) : prefixed;
+ }
+
+ @Override
+ public Map<String, String> getNsPrefixMap() throws ReadDeniedException, AuthenticationRequiredException {
+ return checkSoftRead() ? holder.getBaseItem().getNsPrefixMap() : Collections.emptyMap();
+ }
+
+ @Override
+ public String getNsPrefixURI(final String prefix) throws ReadDeniedException, AuthenticationRequiredException {
+ return checkSoftRead() ? holder.getBaseItem().getNsPrefixURI(prefix) : null;
+ }
+
+ @Override
+ public String getNsURIPrefix(final String uri) throws ReadDeniedException, AuthenticationRequiredException {
+ return checkSoftRead() ? holder.getBaseItem().getNsURIPrefix(uri) : null;
+ }
+
+ @Override
+ public SecuredPrefixMapping lock() throws UpdateDeniedException, AuthenticationRequiredException {
+ checkUpdate();
+ holder.getBaseItem().lock();
+ return holder.getSecuredItem();
+ }
+
+ @Override
+ public String qnameFor(final String uri) throws ReadDeniedException, AuthenticationRequiredException {
+ return checkSoftRead() ? holder.getBaseItem().qnameFor(uri) : null;
+ }
+
+ @Override
+ public SecuredPrefixMapping removeNsPrefix(final String prefix)
+ throws UpdateDeniedException, AuthenticationRequiredException {
+ checkUpdate();
+ holder.getBaseItem().removeNsPrefix(prefix);
+ return holder.getSecuredItem();
+ }
+
+ @Override
public PrefixMapping clearNsPrefixMap() {
- checkUpdate();
- holder.getBaseItem().clearNsPrefixMap() ;
+ checkUpdate();
+ holder.getBaseItem().clearNsPrefixMap();
+ return holder.getSecuredItem();
+ }
+
+ @Override
+ public boolean samePrefixMappingAs(final PrefixMapping other)
+ throws ReadDeniedException, AuthenticationRequiredException {
+ return checkSoftRead() ? holder.getBaseItem().samePrefixMappingAs(other) : false;
+ }
+
+ @Override
+ public SecuredPrefixMapping setNsPrefix(final String prefix, final String uri)
+ throws UpdateDeniedException, AuthenticationRequiredException {
+ checkUpdate();
+ holder.getBaseItem().setNsPrefix(prefix, uri);
+ return holder.getSecuredItem();
+ }
+
+ @Override
+ public SecuredPrefixMapping setNsPrefixes(final Map<String, String> map)
+ throws UpdateDeniedException, AuthenticationRequiredException {
+ checkUpdate();
+ holder.getBaseItem().setNsPrefixes(map);
+ return holder.getSecuredItem();
+ }
+
+ @Override
+ public SecuredPrefixMapping setNsPrefixes(final PrefixMapping other)
+ throws UpdateDeniedException, AuthenticationRequiredException {
+ checkUpdate();
+ holder.getBaseItem().setNsPrefixes(other);
return holder.getSecuredItem();
}
@Override
- public boolean samePrefixMappingAs(final PrefixMapping other)
- throws ReadDeniedException, AuthenticationRequiredException {
- checkRead();
- return holder.getBaseItem().samePrefixMappingAs(other);
- }
-
- @Override
- public SecuredPrefixMapping setNsPrefix(final String prefix,
- final String uri) throws UpdateDeniedException,
- AuthenticationRequiredException {
- checkUpdate();
- holder.getBaseItem().setNsPrefix(prefix, uri);
- return holder.getSecuredItem();
- }
-
- @Override
- public SecuredPrefixMapping setNsPrefixes(final Map<String, String> map)
- throws UpdateDeniedException, AuthenticationRequiredException {
- checkUpdate();
- holder.getBaseItem().setNsPrefixes(map);
- return holder.getSecuredItem();
- }
-
- @Override
- public SecuredPrefixMapping setNsPrefixes(final PrefixMapping other)
- throws UpdateDeniedException, AuthenticationRequiredException {
- checkUpdate();
- holder.getBaseItem().setNsPrefixes(other);
- return holder.getSecuredItem();
- }
-
- @Override
- public String shortForm(final String uri) throws ReadDeniedException,
- AuthenticationRequiredException {
- checkRead();
- return holder.getBaseItem().shortForm(uri);
- }
-
+ public String shortForm(final String uri) throws ReadDeniedException, AuthenticationRequiredException {
+ return checkSoftRead() ? holder.getBaseItem().shortForm(uri) : uri;
+ }
+
@Override
public boolean hasNoMappings() {
- checkRead();
- return holder.getBaseItem().hasNoMappings();
+ return checkSoftRead() ? holder.getBaseItem().hasNoMappings() : true;
}
@Override
public int numPrefixes() {
- checkRead();
- return holder.getBaseItem().numPrefixes();
- }
-
- @Override
- public SecuredPrefixMapping withDefaultMappings(final PrefixMapping map)
- throws UpdateDeniedException, AuthenticationRequiredException {
- // mapping only updates if there are map entries to add. Since this gets
- // called
- // when we are doing deep triple checks while writing we need to attempt
- // the
- // update only if there are new updates to add.
-
- PrefixMapping m = holder.getBaseItem();
- PrefixMappingImpl pm = new PrefixMappingImpl();
- for (Entry<String, String> e : map.getNsPrefixMap().entrySet()) {
- if (m.getNsPrefixURI(e.getKey()) == null
- && m.getNsURIPrefix(e.getValue()) == null) {
- pm.setNsPrefix(e.getKey(), e.getValue());
- }
- }
- if (!pm.getNsPrefixMap().isEmpty()) {
- checkUpdate();
- holder.getBaseItem().withDefaultMappings(pm);
- }
- return holder.getSecuredItem();
- }
+ return checkSoftRead() ? holder.getBaseItem().numPrefixes() : 0;
+ }
+
+ @Override
+ public SecuredPrefixMapping withDefaultMappings(final PrefixMapping map)
+ throws UpdateDeniedException, AuthenticationRequiredException {
+ // mapping only updates if there are map entries to add. Since this gets
+ // called
+ // when we are doing deep triple checks while writing we need to attempt
+ // the
+ // update only if there are new updates to add.
+
+ PrefixMapping m = holder.getBaseItem();
+ PrefixMappingImpl pm = new PrefixMappingImpl();
+ for (Entry<String, String> e : map.getNsPrefixMap().entrySet()) {
+ if (m.getNsPrefixURI(e.getKey()) == null && m.getNsURIPrefix(e.getValue()) == null) {
+ pm.setNsPrefix(e.getKey(), e.getValue());
+ }
+ }
+ if (!pm.getNsPrefixMap().isEmpty()) {
+ checkUpdate();
+ holder.getBaseItem().withDefaultMappings(pm);
+ }
+ return holder.getSecuredItem();
+ }
}
\ No newline at end of file
diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/graph/package-info.java b/jena-permissions/src/main/java/org/apache/jena/permissions/graph/package-info.java
index 35cf67c..eeaa3e6 100644
--- a/jena-permissions/src/main/java/org/apache/jena/permissions/graph/package-info.java
+++ b/jena-permissions/src/main/java/org/apache/jena/permissions/graph/package-info.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -18,33 +18,39 @@
/**
* Secured implementation of the Graph interface and associated classes.
* <p>
- *
- * The SecurityEvaluator class must be implemented. This class provides the interface to the
- * authentication results (e.g. getPrincipal())) and the authorization system.
- * </p><p>
- * Create a SecuredGraph by calling Factory.getInstance( SecurityEvaluator, String, Graph );
- * Create a SecuredModel by calling Factory.getInstance( SecurityEvaluator, String, Model )
- * or ModelFactory.createModelForGraph( SecuredGraph );
- * </p><p>
- * NOTE: when creating a model by wrapping a secured graph (e.g.
- * ModelFactory.createModelForGraph( SecuredGraph );) the resulting Model does not
- * have the same security requirements that the standard secured model does.
- * </p><p>
- * For instance when creating a list on a secured model calling model.createList( RDFNode[] );
- * The standard secured model verifies that the user
- * has the right to update the triples and allows or denies the entire operation accordingly.
- * The wrapped secured graph does not have visibility
- * to the createList() command and can only operate on the instructions issued by the
- * model.createList() implementation. In the standard implementation
- * the model requests the graph to delete one triple and then insert another.
- * Thus the user must have delete and add permissions, not the update permission.
- * </p><p>
- * There are several other cases where the difference in the layer can trip up the security system.
- * In all known cases the result is a tighter
- * security definition than was requested. For simplicity sake we recommend that the wrapped
- * secured graph only be used in cases where access to the
- * graph as a whole is granted/denied. In these cases the user either has all CRUD capabilities or
- * none.
+ *
+ * The SecurityEvaluator class must be implemented. This class provides the
+ * interface to the authentication results (e.g. getPrincipal())) and the
+ * authorization system.
+ * </p>
+ * <p>
+ * Create a SecuredGraph by calling Factory.getInstance( SecurityEvaluator,
+ * String, Graph ); Create a SecuredModel by calling Factory.getInstance(
+ * SecurityEvaluator, String, Model ) or ModelFactory.createModelForGraph(
+ * SecuredGraph );
+ * </p>
+ * <p>
+ * NOTE: when creating a model by wrapping a secured graph (e.g.
+ * ModelFactory.createModelForGraph( SecuredGraph );) the resulting Model does
+ * not have the same security requirements that the standard secured model does.
+ * </p>
+ * <p>
+ * For instance when creating a list on a secured model calling
+ * model.createList( RDFNode[] ); The standard secured model verifies that the
+ * user has the right to update the triples and allows or denies the entire
+ * operation accordingly. The wrapped secured graph does not have visibility to
+ * the createList() command and can only operate on the instructions issued by
+ * the model.createList() implementation. In the standard implementation the
+ * model requests the graph to delete one triple and then insert another. Thus
+ * the user must have delete and add permissions, not the update permission.
+ * </p>
+ * <p>
+ * There are several other cases where the difference in the layer can trip up
+ * the security system. In all known cases the result is a tighter security
+ * definition than was requested. For simplicity sake we recommend that the
+ * wrapped secured graph only be used in cases where access to the graph as a
+ * whole is granted/denied. In these cases the user either has all CRUD
+ * capabilities or none.
* </p>
*/
package org.apache.jena.permissions.graph;
\ No newline at end of file
diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/impl/CachedSecurityEvaluator.java b/jena-permissions/src/main/java/org/apache/jena/permissions/impl/CachedSecurityEvaluator.java
index 41ee222..f3ce7c2 100644
--- a/jena-permissions/src/main/java/org/apache/jena/permissions/impl/CachedSecurityEvaluator.java
+++ b/jena-permissions/src/main/java/org/apache/jena/permissions/impl/CachedSecurityEvaluator.java
@@ -28,75 +28,69 @@ import org.apache.jena.shared.AuthenticationRequiredException;
* A SecurityEvaluator that can be cached for later use.
*/
public class CachedSecurityEvaluator implements SecurityEvaluator {
- private final SecurityEvaluator wrapped;
- private final Object origPrincipal;
+ private final SecurityEvaluator wrapped;
+ private final Object origPrincipal;
- /**
- *
- * @param wrapped
- * @param runAs
- */
- public CachedSecurityEvaluator(final SecurityEvaluator wrapped,
- final Object runAs) {
- this.origPrincipal = runAs;
- this.wrapped = wrapped;
- }
+ /**
+ *
+ * @param wrapped
+ * @param runAs
+ */
+ public CachedSecurityEvaluator(final SecurityEvaluator wrapped, final Object runAs) {
+ this.origPrincipal = runAs;
+ this.wrapped = wrapped;
+ }
- @Override
- public boolean evaluate(final Object principal, final Action action,
- final Node graphIRI) throws AuthenticationRequiredException {
- return wrapped.evaluate(principal, action, graphIRI);
- }
+ @Override
+ public boolean evaluate(final Object principal, final Action action, final Node graphIRI)
+ throws AuthenticationRequiredException {
+ return wrapped.evaluate(principal, action, graphIRI);
+ }
- @Override
- public boolean evaluate(final Object principal, final Action action,
- final Node graphIRI, final Triple triple)
- throws AuthenticationRequiredException {
- return wrapped.evaluate(principal, action, graphIRI, triple);
- }
+ @Override
+ public boolean evaluate(final Object principal, final Action action, final Node graphIRI, final Triple triple)
+ throws AuthenticationRequiredException {
+ return wrapped.evaluate(principal, action, graphIRI, triple);
+ }
- @Override
- public boolean evaluate(final Object principal, final Set<Action> actions,
- final Node graphIRI) throws AuthenticationRequiredException {
- return wrapped.evaluate(principal, actions, graphIRI);
- }
+ @Override
+ public boolean evaluate(final Object principal, final Set<Action> actions, final Node graphIRI)
+ throws AuthenticationRequiredException {
+ return wrapped.evaluate(principal, actions, graphIRI);
+ }
- @Override
- public boolean evaluate(final Object principal, final Set<Action> actions,
- final Node graphIRI, final Triple triple)
- throws AuthenticationRequiredException {
- return wrapped.evaluate(principal, actions, graphIRI, triple);
- }
+ @Override
+ public boolean evaluate(final Object principal, final Set<Action> actions, final Node graphIRI, final Triple triple)
+ throws AuthenticationRequiredException {
+ return wrapped.evaluate(principal, actions, graphIRI, triple);
+ }
- @Override
- public boolean evaluateAny(final Object principal,
- final Set<Action> actions, final Node graphIRI)
- throws AuthenticationRequiredException {
- return wrapped.evaluateAny(principal, actions, graphIRI);
- }
+ @Override
+ public boolean evaluateAny(final Object principal, final Set<Action> actions, final Node graphIRI)
+ throws AuthenticationRequiredException {
+ return wrapped.evaluateAny(principal, actions, graphIRI);
+ }
- @Override
- public boolean evaluateAny(final Object principal,
- final Set<Action> actions, final Node graphIRI, final Triple triple)
- throws AuthenticationRequiredException {
- return wrapped.evaluateAny(principal, actions, graphIRI, triple);
- }
+ @Override
+ public boolean evaluateAny(final Object principal, final Set<Action> actions, final Node graphIRI,
+ final Triple triple) throws AuthenticationRequiredException {
+ return wrapped.evaluateAny(principal, actions, graphIRI, triple);
+ }
- @Override
- public boolean evaluateUpdate(final Object principal, final Node graphIRI,
- final Triple from, final Triple to)
- throws AuthenticationRequiredException {
- return wrapped.evaluateUpdate(principal, graphIRI, from, to);
- }
+ @Override
+ public boolean evaluateUpdate(final Object principal, final Node graphIRI, final Triple from, final Triple to)
+ throws AuthenticationRequiredException {
+ return wrapped.evaluateUpdate(principal, graphIRI, from, to);
+ }
- @Override
- public Object getPrincipal() {
- return origPrincipal;
- }
+ @Override
+ public Object getPrincipal() {
+ return origPrincipal;
+ }
- @Override
- public boolean isPrincipalAuthenticated(Object principal) {
- return wrapped.isPrincipalAuthenticated(principal);
- }
+ @Override
+ public boolean isPrincipalAuthenticated(Object principal) {
+ return wrapped.isPrincipalAuthenticated(principal);
+ }
}
diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/impl/ItemHolder.java b/jena-permissions/src/main/java/org/apache/jena/permissions/impl/ItemHolder.java
index b2b86d5..bab4183 100644
--- a/jena-permissions/src/main/java/org/apache/jena/permissions/impl/ItemHolder.java
+++ b/jena-permissions/src/main/java/org/apache/jena/permissions/impl/ItemHolder.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -26,91 +26,78 @@ import org.apache.jena.permissions.SecuredItem;
/**
* A class that holds the original item and the secured version of it.
- *
+ *
* This class is used by the Invoker to return secured versions of the object
- * during
- * calls that return the called class for cascading.
- *
- * @param <Base>
- * The base class that is being secured
- * @param <Secured>
- * The implementation (proxy) of the secured class.
+ * during calls that return the called class for cascading.
+ *
+ * @param <Base> The base class that is being secured
+ * @param <Secured> The implementation (proxy) of the secured class.
*/
-public class ItemHolder<Base, Secured extends SecuredItem>
-{
- /**
- * The base item that is being secured
- */
- private final Base baseItem;
- /**
- * The proxy to the base class that implements the security.
- */
- private Secured securedItem;
+public class ItemHolder<Base, Secured extends SecuredItem> {
+ /**
+ * The base item that is being secured
+ */
+ private final Base baseItem;
+ /**
+ * The proxy to the base class that implements the security.
+ */
+ private Secured securedItem;
- /**
- * Constructor.
- *
- * @param baseItem
- * The base item.
- */
- public ItemHolder( final Base baseItem )
- {
- super();
- this.baseItem = baseItem;
- }
+ /**
+ * Constructor.
+ *
+ * @param baseItem The base item.
+ */
+ public ItemHolder(final Base baseItem) {
+ super();
+ this.baseItem = baseItem;
+ }
- /**
- * Get the base item.
- *
- * This method is used in the proxy to get call to the underlying instance.
- *
- * @return The instance that is being protected.
- */
- public Base getBaseItem()
- {
- return baseItem;
- }
+ /**
+ * Get the base item.
+ *
+ * This method is used in the proxy to get call to the underlying instance.
+ *
+ * @return The instance that is being protected.
+ */
+ public Base getBaseItem() {
+ return baseItem;
+ }
- /**
- * Get the secured item.
- *
- * This method is used in the invocation handler to get the instance of the
- * proxy on which a method call was made. Generally used in returning the original
- * object to support cascading.
- *
- * @return the proxy.
- */
- public Secured getSecuredItem()
- {
- return securedItem;
- }
+ /**
+ * Get the secured item.
+ *
+ * This method is used in the invocation handler to get the instance of the
+ * proxy on which a method call was made. Generally used in returning the
+ * original object to support cascading.
+ *
+ * @return the proxy.
+ */
+ public Secured getSecuredItem() {
+ return securedItem;
+ }
- /**
- * Creates the proxy, saves it as the securedItem and returns it.
- *
- * @param handler
- * The SecuredItemInvoker to create the proxy with.
- * @return The proxy.
- */
- @SuppressWarnings( "unchecked" )
- public final Secured setSecuredItem( final SecuredItemInvoker handler )
- {
- final Set<Class<?>> ifac = new LinkedHashSet<>();
- if (baseItem.getClass().isInterface())
- {
- ifac.add(baseItem.getClass());
- }
- ifac.addAll(ClassUtils.getAllInterfaces(baseItem.getClass()));
- if (handler.securedItem.getClass().isInterface())
- {
- ifac.add(handler.securedItem.getClass());
- }
- ifac.addAll(ClassUtils.getAllInterfaces(handler.securedItem.getClass()));
+ /**
+ * Creates the proxy, saves it as the securedItem and returns it.
+ *
+ * @param handler The SecuredItemInvoker to create the proxy with.
+ * @return The proxy.
+ */
+ @SuppressWarnings("unchecked")
+ public final Secured setSecuredItem(final SecuredItemInvoker handler) {
+ final Set<Class<?>> ifac = new LinkedHashSet<>();
+ if (baseItem.getClass().isInterface()) {
+ ifac.add(baseItem.getClass());
+ }
+ ifac.addAll(ClassUtils.getAllInterfaces(baseItem.getClass()));
+ if (handler.securedItem.getClass().isInterface()) {
+ ifac.add(handler.securedItem.getClass());
+ }
+ ifac.addAll(ClassUtils.getAllInterfaces(handler.securedItem.getClass()));
- securedItem = (Secured) Proxy.newProxyInstance(
- SecuredItemImpl.class.getClassLoader(),
- ifac.toArray(new Class<?>[ifac.size()]), handler);
- return securedItem;
- }
+ securedItem = (Secured) Proxy.newProxyInstance(SecuredItemImpl.class.getClassLoader(),
+ ifac.toArray(new Class<?>[ifac.size()]), handler);
+ return securedItem;
+ }
}
diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/impl/SecuredItemImpl.java b/jena-permissions/src/main/java/org/apache/jena/permissions/impl/SecuredItemImpl.java
index fd9a03e..34ab639 100644
--- a/jena-permissions/src/main/java/org/apache/jena/permissions/impl/SecuredItemImpl.java
+++ b/jena-permissions/src/main/java/org/apache/jena/permissions/impl/SecuredItemImpl.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -18,6 +18,8 @@
package org.apache.jena.permissions.impl;
import java.lang.reflect.Proxy;
+import java.util.function.Predicate;
+import java.util.function.Supplier;
import org.apache.commons.collections4.map.LRUMap;
import org.apache.commons.lang3.StringUtils;
@@ -37,6 +39,7 @@ import org.apache.jena.shared.UpdateDeniedException;
import org.apache.jena.sparql.expr.Expr;
import org.apache.jena.sparql.util.NodeUtils;
import org.apache.jena.util.iterator.ExtendedIterator;
+import org.apache.jena.util.iterator.NullIterator;
import org.apache.jena.vocabulary.RDF;
/**
@@ -46,799 +49,811 @@ import org.apache.jena.vocabulary.RDF;
* ensures that during a single operation the specific check is only evaluated
* once by caching the result.
* </p>
- *
+ *
*/
public abstract class SecuredItemImpl implements SecuredItem {
- // a key for the secured item.
- private class CacheKey implements Comparable<CacheKey> {
- private final Action action;
+ // a key for the secured item.
+ private class CacheKey implements Comparable<CacheKey> {
+ private final Action action;
private final Node mNode;
- private final Triple from;
- private final Triple to;
- private Integer hashCode;
-
- public CacheKey(final Action action, final Node modelNode) {
- this(action, modelNode, null, null);
- }
-
- public CacheKey(final Action action, final Node modelNode,
- final Triple to) {
- this(action, modelNode, to, null);
- }
-
- public CacheKey(final Action action, final Node modelNode,
- final Triple to, final Triple from) {
- this.action = action;
- this.mNode = modelNode;
- this.to = to;
- this.from = from;
- }
-
- private int compare(Node n1, Node n2) {
- if (Node.ANY.equals(n1)) {
- if (Node.ANY.equals(n2)) {
- return Expr.CMP_EQUAL;
- }
- return Expr.CMP_LESS;
- }
- if (Node.ANY.equals(n2)) {
- return Expr.CMP_GREATER;
- }
- return NodeUtils.compareRDFTerms(n1, n2);
- }
-
- private int compare(Triple t1, Triple t2) {
- if (t1 == null) {
- if (t2 == null) {
- return Expr.CMP_EQUAL;
- }
- return Expr.CMP_LESS;
- }
- if (t2 == null) {
- return Expr.CMP_GREATER;
- }
- int retval = compare(t1.getSubject(), t2.getSubject());
- if (retval == Expr.CMP_EQUAL) {
- retval = compare(t1.getPredicate(), t2.getPredicate());
- }
- if (retval == Expr.CMP_EQUAL) {
- retval = compare(t1.getObject(), t2.getObject());
- }
- return retval;
- }
-
- @Override
- public int compareTo(final CacheKey other) {
- int retval = this.action.compareTo(other.action);
- if (retval == Expr.CMP_EQUAL) {
- retval = NodeUtils.compareRDFTerms(this.mNode,
- other.mNode);
- }
- if (retval == Expr.CMP_EQUAL) {
- retval = compare(this.to, other.to);
- }
- if (retval == Expr.CMP_EQUAL) {
- retval = compare(this.from, other.from);
- }
- return retval;
- }
-
- @Override
- public boolean equals(final Object o) {
- if (o instanceof CacheKey) {
- return this.compareTo((CacheKey) o) == 0;
- }
- return false;
- }
-
- @Override
- public int hashCode() {
- if (hashCode == null) {
- hashCode = new HashCodeBuilder().append(action)
- .append(mNode).append(from).append(to).toHashCode();
- }
- return hashCode;
- }
- }
-
- // the maximum size of the cache
- public static int MAX_CACHE = 100;
- // the cache for this thread.
- public static final ThreadLocal<LRUMap<CacheKey, Boolean>> CACHE = new ThreadLocal<>();
- // the number of times this thread has recursively called the constructor.
- public static final ThreadLocal<Integer> COUNT = new ThreadLocal<>();
-
- /**
- * May Convert a Jena Node object into the SecurityEvaluator.VARIABLE
- * instance.
- *
- * @param jenaNode
- * The Jena node to convert.
- * @return The Node that represents the jenaNode.
- */
- private static Node convert(final Node jenaNode) {
-
- if (jenaNode.isVariable()) {
- return SecurityEvaluator.VARIABLE;
- }
- return jenaNode;
- }
-
- /**
- * Convert a Jena Triple into a SecTriple.
- *
- * @param jenaTriple
- * The Jena Triple to convert.
- * @return The SecTriple that represents the jenaTriple.
- */
- private static Triple convert(final Triple jenaTriple) {
- if (jenaTriple.getSubject().isVariable()
- || jenaTriple.getPredicate().isVariable()
- || jenaTriple.getObject().isVariable()) {
- return new Triple(SecuredItemImpl.convert(jenaTriple.getSubject()),
- SecuredItemImpl.convert(jenaTriple.getPredicate()),
- SecuredItemImpl.convert(jenaTriple.getObject()));
- }
- return jenaTriple;
- }
-
- /**
- * Decrement the number of instances of SecuredItem.
- */
- public static void decrementUse() {
- final Integer i = SecuredItemImpl.COUNT.get();
- if (i == null) {
- throw new IllegalStateException("No count on exit");
- }
- if (i < 1) {
- throw new IllegalStateException("No count less than 1");
- }
- if (i == 1) {
- SecuredItemImpl.CACHE.remove();
- SecuredItemImpl.COUNT.remove();
- } else {
- SecuredItemImpl.COUNT.set(i - 1);
- }
- }
-
- /**
- * Increment the number of instances of SecuredItem.
- */
- public static void incrementUse() {
- final Integer i = SecuredItemImpl.COUNT.get();
- if (i == null) {
- SecuredItemImpl.CACHE.set(new LRUMap<CacheKey, Boolean>(Math.max(
- SecuredItemImpl.MAX_CACHE, 100)));
- SecuredItemImpl.COUNT.set(1);
- } else {
- SecuredItemImpl.COUNT.set(i + 1);
- }
- }
-
- // the evaluator we are using
- private final SecurityEvaluator securityEvaluator;
-
- // the secured node for that names the graph.
- private final Node modelNode;
-
- // the item holder that we are evaluating.
- private final ItemHolder<?, ?> itemHolder;
-
- /**
- * Create the SecuredItemImpl.
- *
- * @param securedItem
- * The securedItem.
- * @param holder
- * The Item holder for the securedItem.
- * @throws IllegalArgumentException
- * if securedItem is null or securedItem.getSecurityEvaluator()
- * returns null, or the holder is null.
- */
- protected SecuredItemImpl(final SecuredItem securedItem,
- final ItemHolder<?, ?> holder) {
- if (securedItem == null) {
- throw new IllegalArgumentException("Secured item may not be null");
- }
- if (securedItem.getSecurityEvaluator() == null) {
- throw new IllegalArgumentException(
- "Security evaluator in secured item may not be null");
- }
- if (holder == null) {
- throw new IllegalArgumentException("ItemHolder may not be null");
- }
- this.securityEvaluator = securedItem.getSecurityEvaluator();
- this.modelNode = securedItem.getModelNode();
- this.itemHolder = holder;
- }
-
- /**
- * Create the SecuredItemImpl.
- *
- * @param securityEvaluator
- * the secured evaluator to use.
- * @param modelURI
- * the URI for the model.
- * @param holder
- * The holder to use.
- * @throws IllegalArgumentException
- * if security evaluator is null, modelURI is null or empty, or
- * holder is null.
- */
- protected SecuredItemImpl(final SecurityEvaluator securityEvaluator,
- final String modelURI, final ItemHolder<?, ?> holder) {
- if (securityEvaluator == null) {
- throw new IllegalArgumentException(
- "Security evaluator may not be null");
- }
- if (StringUtils.isEmpty(modelURI)) {
- throw new IllegalArgumentException(
- "ModelURI may not be empty or null");
- }
- if (holder == null) {
- throw new IllegalArgumentException("ItemHolder may not be null");
- }
- this.securityEvaluator = securityEvaluator;
- this.modelNode = NodeFactory.createURI(modelURI);
- this.itemHolder = holder;
- }
-
- @Override
- public String toString() throws AuthenticationRequiredException {
- if (canRead()) {
- return itemHolder.getBaseItem().toString();
- }
- return super.toString();
- }
-
- /**
- * get the cached value.
- *
- * @param key
- * The key to look for.
- * @return the value of the security check or <code>null</code> if the value
- * has not been cached.
- */
- private Boolean cacheGet(final CacheKey key) {
- final LRUMap<CacheKey, Boolean> cache = SecuredItemImpl.CACHE.get();
- return (cache == null) ? null : (Boolean) cache.get(key);
- }
-
- /**
- * set the cache value.
- *
- * @param key
- * The key to set the value for.
- * @param value
- * The value to set.
- */
- private void cachePut(final CacheKey key, final boolean value) {
- final LRUMap<CacheKey, Boolean> cache = SecuredItemImpl.CACHE.get();
- if (cache != null) {
- cache.put(key, value);
- SecuredItemImpl.CACHE.set(cache);
- }
- }
-
- @Override
- public boolean canCreate() throws AuthenticationRequiredException {
- final CacheKey key = new CacheKey(Action.Create, modelNode);
- Boolean retval = cacheGet(key);
- if (retval == null) {
- retval = securityEvaluator.evaluate(
- securityEvaluator.getPrincipal(), Action.Create, modelNode);
- cachePut(key, retval);
- }
- return retval;
- }
-
- @Override
- public boolean canCreate(final Triple triple)
- throws AuthenticationRequiredException {
- Triple t = convert(triple);
- final CacheKey key = new CacheKey(Action.Create, modelNode, t);
- Boolean retval = cacheGet(key);
- if (retval == null) {
- retval = securityEvaluator.evaluate(
- securityEvaluator.getPrincipal(), Action.Create, modelNode,
- t);
- cachePut(key, retval);
- }
- return retval;
- }
-
- @Override
- public boolean canCreate(final FrontsTriple frontsTriple)
- throws AuthenticationRequiredException {
- return canCreate(frontsTriple.asTriple());
- }
-
- @Override
- public boolean canDelete() throws AuthenticationRequiredException {
- final CacheKey key = new CacheKey(Action.Delete, modelNode);
- Boolean retval = cacheGet(key);
- if (retval == null) {
- retval = securityEvaluator.evaluate(
- securityEvaluator.getPrincipal(), Action.Delete, modelNode);
- cachePut(key, retval);
- }
- return retval;
- }
-
- @Override
- public boolean canDelete(final Triple triple)
- throws AuthenticationRequiredException {
- Triple t = convert(triple);
- final CacheKey key = new CacheKey(Action.Delete, modelNode, t);
- Boolean retval = cacheGet(key);
- if (retval == null) {
- retval = securityEvaluator.evaluate(
- securityEvaluator.getPrincipal(), Action.Delete, modelNode,
- t);
- cachePut(key, retval);
- }
- return retval;
- }
-
- @Override
- public boolean canDelete(final FrontsTriple frontsTriple)
- throws AuthenticationRequiredException {
- return canDelete(frontsTriple.asTriple());
- }
-
- @Override
- public boolean canRead() throws AuthenticationRequiredException {
- final CacheKey key = new CacheKey(Action.Read, modelNode);
- Boolean retval = cacheGet(key);
- if (retval == null) {
- retval = securityEvaluator.evaluate(
- securityEvaluator.getPrincipal(), Action.Read, modelNode);
- cachePut(key, retval);
- }
- return retval;
- }
-
- @Override
- public boolean canRead(final Triple triple)
- throws AuthenticationRequiredException {
- Triple t = convert(triple);
- final CacheKey key = new CacheKey(Action.Read, modelNode, t);
- Boolean retval = cacheGet(key);
- if (retval == null) {
- retval = securityEvaluator
- .evaluate(securityEvaluator.getPrincipal(), Action.Read,
- modelNode, t);
- cachePut(key, retval);
- }
- return retval;
- }
-
- @Override
- public boolean canRead(final FrontsTriple frontsTriple)
- throws AuthenticationRequiredException {
- return canRead(frontsTriple.asTriple());
- }
-
- @Override
- public boolean canUpdate() throws AuthenticationRequiredException {
- final CacheKey key = new CacheKey(Action.Update, modelNode);
- Boolean retval = cacheGet(key);
- if (retval == null) {
- retval = securityEvaluator.evaluate(
- securityEvaluator.getPrincipal(), Action.Update, modelNode);
- cachePut(key, retval);
- }
- return retval;
- }
-
- @Override
- public boolean canUpdate(final Triple f, final Triple t)
- throws AuthenticationRequiredException {
- Triple from = convert(f);
- Triple to = convert(t);
- final CacheKey key = new CacheKey(Action.Update, modelNode, from, to);
- Boolean retval = cacheGet(key);
- if (retval == null) {
- retval = securityEvaluator.evaluateUpdate(
- securityEvaluator.getPrincipal(), modelNode, from, to);
- cachePut(key, retval);
- }
- return retval;
- }
-
- @Override
- public boolean canUpdate(final FrontsTriple from, final FrontsTriple to)
- throws AuthenticationRequiredException {
- return canUpdate(from.asTriple(), to.asTriple());
- }
-
- /**
- * check that create on the securedModel is allowed,
- *
- * @throws AddDeniedException
- * on failure
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- protected void checkCreate() throws AddDeniedException,
- AuthenticationRequiredException {
- if (!canCreate()) {
- throw new AddDeniedException(
- SecuredItem.Util.modelPermissionMsg(modelNode));
- }
- }
-
- /**
- * check that the triple can be created in the securedModel.,
- *
- * @throws AddDeniedException
- * on failure
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- protected void checkCreate(final Triple t) throws AddDeniedException,
- AuthenticationRequiredException {
- if (!canCreate(t)) {
- throw new AddDeniedException(
- SecuredItem.Util.triplePermissionMsg(modelNode), t);
- }
- }
-
- /**
- * check that the statement can be created.
- *
- * @param s
- * The statement.
- * @throws AddDeniedException
- * on failure
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- protected void checkCreate(final FrontsTriple frontsTriple)
- throws AddDeniedException, AuthenticationRequiredException {
- checkCreate(frontsTriple.asTriple());
- }
-
- /**
- * Check that a triple can be reified.
- *
- * @param uri
- * The URI for the reification subject. May be null.
- * @param front
- * the frontstriple that is to be reified.
- * @throws AddDeniedException
- * on failure to add triple
- * @throws UpdateDeniedException
- * if the updates of the graph are not allowed.
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- protected void checkCreateReified(final String uri, final FrontsTriple front)
- throws AddDeniedException, UpdateDeniedException,
- AuthenticationRequiredException {
- checkUpdate();
- Triple t = front.asTriple();
- final Node n = uri == null ? SecurityEvaluator.FUTURE : NodeFactory
- .createURI(uri);
- checkCreate(new Triple(n, RDF.subject.asNode(), t.getSubject()));
- checkCreate(new Triple(n, RDF.predicate.asNode(), t.getPredicate()));
- checkCreate(new Triple(n, RDF.object.asNode(), t.getObject()));
- }
-
- /**
- * Check that all the triples can be created.
- *
- * @param FrontsTripleIter
- * an iterator of FrontsTriple objects.
- * @throws AddDeniedException
- * if a triple can not be added.
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- protected void checkCreateFrontsTriples(
- final ExtendedIterator<? extends FrontsTriple> FrontsTripleIter)
- throws AddDeniedException, AuthenticationRequiredException {
- if (!canCreate(Triple.ANY)) {
- try {
- while (FrontsTripleIter.hasNext()) {
- checkCreate(FrontsTripleIter.next());
- }
- } finally {
- FrontsTripleIter.close();
- }
- }
- }
-
- /**
- * Check that all the triples can be created.
- *
- * @param triples
- * an iterator of triples.
- * @throws AddDeniedException
- * if a triple can not be added.
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- protected void checkCreateTriples(final ExtendedIterator<Triple> triples)
- throws AddDeniedException, AuthenticationRequiredException {
- if (!canCreate(Triple.ANY)) {
- try {
- while (triples.hasNext()) {
- checkCreate(triples.next());
- }
- } finally {
- triples.close();
- }
- }
- }
-
- /**
- * check that delete on the securedModel is allowed,
- *
- * @throws DeleteDeniedException
- * on failure
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- protected void checkDelete() throws DeleteDeniedException,
- AuthenticationRequiredException {
- if (!canDelete()) {
- throw new DeleteDeniedException(
- SecuredItem.Util.modelPermissionMsg(modelNode));
- }
- }
-
- /**
- * check that the triple can be deleted in the securedModel.,
- *
- * @param triple
- * The triple to check.
- * @throws DeleteDeniedException
- * on failure
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- protected void checkDelete(final Triple triple)
- throws DeleteDeniedException, AuthenticationRequiredException {
- if (!canDelete(triple)) {
- throw new DeleteDeniedException(
- SecuredItem.Util.triplePermissionMsg(modelNode), triple);
- }
- }
-
- /**
- * check that the triple can be deleted in the securedModel.,
- *
- * @param frontsTriple
- * An object fronting the triple to check.
- * @throws DeleteDeniedException
- * on failure
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- protected void checkDelete(final FrontsTriple frontsTriple)
- throws DeleteDeniedException, AuthenticationRequiredException {
- checkDelete(frontsTriple.asTriple());
- }
-
- /**
- * check that the triples can be deleted in the securedModel.,
- *
- * @param frontsTripleIter
- * An iterator of objects fronting triples to check.
- * @throws DeleteDeniedException
- * on failure
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- protected void checkDeleteFrontsTriples(
- final ExtendedIterator<? extends FrontsTriple> frontsTriplesIter)
- throws DeleteDeniedException, AuthenticationRequiredException {
- if (!canDelete(Triple.ANY)) {
- try {
- while (frontsTriplesIter.hasNext()) {
- checkDelete(frontsTriplesIter.next());
- }
- } finally {
- frontsTriplesIter.close();
- }
- }
- }
-
- /**
- * check that the triples can be deleted in the securedModel.,
- *
- * @param triples
- * An iterator of triples to check.
- * @throws DeleteDeniedException
- * on failure
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- protected void checkDeleteTriples(final ExtendedIterator<Triple> triples)
- throws DeleteDeniedException, AuthenticationRequiredException {
- if (!canDelete(Triple.ANY)) {
- try {
- while (triples.hasNext()) {
- checkDelete(triples.next());
- }
- } finally {
- triples.close();
- }
- }
- }
-
- /**
- * check that read on the securedModel is allowed,
- *
- * @throws ReadDeniedException
- * on failure
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- protected void checkRead() throws ReadDeniedException,
- AuthenticationRequiredException {
- if (!canRead()) {
- throw new ReadDeniedException(
- SecuredItem.Util.modelPermissionMsg(modelNode));
- }
- }
-
- /**
- * check that the triple can be read in the securedModel.,
- *
- * @param triple
- * The triple to check.
- * @throws ReadDeniedException
- * on failure
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- protected void checkRead(final Triple triple) throws ReadDeniedException,
- AuthenticationRequiredException {
- if (!canRead(triple)) {
- throw new ReadDeniedException(
- SecuredItem.Util.triplePermissionMsg(modelNode), triple);
- }
- }
-
- /**
- * check that the triple can be read in the securedModel.,
- *
- * @param frontsTriple
- * The object fronting the triple to check.
- * @throws ReadDeniedException
- * on failure
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- protected void checkRead(final FrontsTriple frontsTriple)
- throws ReadDeniedException, AuthenticationRequiredException {
- checkRead(frontsTriple.asTriple());
- }
-
- /**
- * check that the triple can be read in the securedModel.,
- *
- * @param frontsTripleIter
- * The iterator of fronts triple objects to check.
- * @throws ReadDeniedException
- * on failure
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- protected void checkReadFrontsTriples(
- final ExtendedIterator<FrontsTriple> frontsTripleIter)
- throws ReadDeniedException, AuthenticationRequiredException {
- try {
- while (frontsTripleIter.hasNext()) {
- checkRead(frontsTripleIter.next());
- }
- } finally {
- frontsTripleIter.close();
- }
- }
-
- /**
- * check that the triple can be read in the securedModel.,
- *
- * @param triples
- * The iterator of triples to check.
- * @throws ReadDeniedException
- * on failure
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- protected void checkReadTriples(final ExtendedIterator<Triple> triples)
- throws ReadDeniedException, AuthenticationRequiredException {
- try {
- while (triples.hasNext()) {
- checkRead(triples.next());
- }
- } finally {
- triples.close();
- }
- }
-
- /**
- * check that update on the securedModel is allowed,
- *
- * @throws UpdateDeniedException
- * on failure
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- protected void checkUpdate() throws UpdateDeniedException,
- AuthenticationRequiredException {
- if (!canUpdate()) {
- throw new UpdateDeniedException(
- SecuredItem.Util.modelPermissionMsg(modelNode));
- }
- }
-
- /**
- * check that the triple can be updated in the securedModel.,
- *
- * @param from
- * the starting triple
- * @param to
- * the final triple.
- * @throws UpdateDeniedException
- * on failure
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- protected void checkUpdate(final Triple from, final Triple to)
- throws UpdateDeniedException, AuthenticationRequiredException {
- if (!canUpdate(from, to)) {
- throw new UpdateDeniedException(String.format("%s: %s to %s",
- SecuredItem.Util.modelPermissionMsg(modelNode), from, to));
- }
- }
-
- @Override
- public boolean equals(final Object o) {
- if (Proxy.isProxyClass(o.getClass())) {
- return o.equals(itemHolder.getSecuredItem());
- } else {
- if (o instanceof SecuredItemImpl) {
- return itemHolder.getBaseItem().equals(
- ((SecuredItemImpl) o).getBaseItem());
- }
- return false;
- }
- }
-
- @Override
- public int hashCode() {
- return itemHolder.getBaseItem().hashCode();
- }
-
- @Override
- public Object getBaseItem() {
- return itemHolder.getBaseItem();
- }
-
- @Override
- public String getModelIRI() {
- return modelNode.getURI();
- }
-
- /**
- * get the name of the model.
- */
- @Override
- public Node getModelNode() {
- return modelNode;
- }
-
- @Override
- public SecurityEvaluator getSecurityEvaluator() {
- return securityEvaluator;
- }
-
- @Override
- public boolean isEquivalent(final SecuredItem securedItem) {
- return SecuredItem.Util.isEquivalent(this, securedItem);
- }
+ private final Triple from;
+ private final Triple to;
+ private Integer hashCode;
+
+ public CacheKey(final Action action, final Node modelNode) {
+ this(action, modelNode, null, null);
+ }
+
+ public CacheKey(final Action action, final Node modelNode, final Triple to) {
+ this(action, modelNode, to, null);
+ }
+
+ public CacheKey(final Action action, final Node modelNode, final Triple to, final Triple from) {
+ this.action = action;
+ this.mNode = modelNode;
+ this.to = to;
+ this.from = from;
+ }
+
+ private int compare(Node n1, Node n2) {
+ if (Node.ANY.equals(n1)) {
+ if (Node.ANY.equals(n2)) {
+ return Expr.CMP_EQUAL;
+ }
+ return Expr.CMP_LESS;
+ }
+ if (Node.ANY.equals(n2)) {
+ return Expr.CMP_GREATER;
+ }
+ return NodeUtils.compareRDFTerms(n1, n2);
+ }
+
+ private int compare(Triple t1, Triple t2) {
+ if (t1 == null) {
+ if (t2 == null) {
+ return Expr.CMP_EQUAL;
+ }
+ return Expr.CMP_LESS;
+ }
+ if (t2 == null) {
+ return Expr.CMP_GREATER;
+ }
+ int retval = compare(t1.getSubject(), t2.getSubject());
+ if (retval == Expr.CMP_EQUAL) {
+ retval = compare(t1.getPredicate(), t2.getPredicate());
+ }
+ if (retval == Expr.CMP_EQUAL) {
+ retval = compare(t1.getObject(), t2.getObject());
+ }
+ return retval;
+ }
+
+ @Override
+ public int compareTo(final CacheKey other) {
+ int retval = this.action.compareTo(other.action);
+ if (retval == Expr.CMP_EQUAL) {
+ retval = NodeUtils.compareRDFTerms(this.mNode, other.mNode);
+ }
+ if (retval == Expr.CMP_EQUAL) {
+ retval = compare(this.to, other.to);
+ }
+ if (retval == Expr.CMP_EQUAL) {
+ retval = compare(this.from, other.from);
+ }
+ return retval;
+ }
+
+ @Override
+ public boolean equals(final Object o) {
+ if (o instanceof CacheKey) {
+ return this.compareTo((CacheKey) o) == 0;
+ }
+ return false;
+ }
+
+ @Override
+ public int hashCode() {
+ if (hashCode == null) {
+ hashCode = new HashCodeBuilder().append(action).append(mNode).append(from).append(to).toHashCode();
+ }
+ return hashCode;
+ }
+ }
+
+ // the maximum size of the cache
+ public static int MAX_CACHE = 100;
+ // the cache for this thread.
+ public static final ThreadLocal<LRUMap<CacheKey, Boolean>> CACHE = new ThreadLocal<>();
+ // the number of times this thread has recursively called the constructor.
+ public static final ThreadLocal<Integer> COUNT = new ThreadLocal<>();
+
+ /**
+ * May Convert a Jena Node object into the SecurityEvaluator.VARIABLE instance.
+ *
+ * @param jenaNode The Jena node to convert.
+ * @return The Node that represents the jenaNode.
+ */
+ private static Node convert(final Node jenaNode) {
+
+ if (jenaNode.isVariable()) {
+ return SecurityEvaluator.VARIABLE;
+ }
+ return jenaNode;
+ }
+
+ /**
+ * Convert a Jena Triple into a SecTriple.
+ *
+ * @param jenaTriple The Jena Triple to convert.
+ * @return The SecTriple that represents the jenaTriple.
+ */
+ private static Triple convert(final Triple jenaTriple) {
+ if (jenaTriple.getSubject().isVariable() || jenaTriple.getPredicate().isVariable()
+ || jenaTriple.getObject().isVariable()) {
+ return new Triple(SecuredItemImpl.convert(jenaTriple.getSubject()),
+ SecuredItemImpl.convert(jenaTriple.getPredicate()),
+ SecuredItemImpl.convert(jenaTriple.getObject()));
+ }
+ return jenaTriple;
+ }
+
+ /**
+ * Decrement the number of instances of SecuredItem.
+ */
+ public static void decrementUse() {
+ final Integer i = SecuredItemImpl.COUNT.get();
+ if (i == null) {
+ throw new IllegalStateException("No count on exit");
+ }
+ if (i < 1) {
+ throw new IllegalStateException("No count less than 1");
+ }
+ if (i == 1) {
+ SecuredItemImpl.CACHE.remove();
+ SecuredItemImpl.COUNT.remove();
+ } else {
+ SecuredItemImpl.COUNT.set(i - 1);
+ }
+ }
+
+ /**
+ * Increment the number of instances of SecuredItem.
+ */
+ public static void incrementUse() {
+ final Integer i = SecuredItemImpl.COUNT.get();
+ if (i == null) {
+ SecuredItemImpl.CACHE.set(new LRUMap<CacheKey, Boolean>(Math.max(SecuredItemImpl.MAX_CACHE, 100)));
+ SecuredItemImpl.COUNT.set(1);
+ } else {
+ SecuredItemImpl.COUNT.set(i + 1);
+ }
+ }
+
+ // the evaluator we are using
+ private final SecurityEvaluator securityEvaluator;
+
+ // the secured node for that names the graph.
+ private final Node modelNode;
+
+ // the item holder that we are evaluating.
+ private final ItemHolder<?, ?> itemHolder;
+
+ /**
+ * Create the SecuredItemImpl.
+ *
+ * @param securedItem The securedItem.
+ * @param holder The Item holder for the securedItem.
+ * @throws IllegalArgumentException if securedItem is null or
+ * securedItem.getSecurityEvaluator() returns
+ * null, or the holder is null.
+ */
+ protected SecuredItemImpl(final SecuredItem securedItem, final ItemHolder<?, ?> holder) {
+ if (securedItem == null) {
+ throw new IllegalArgumentException("Secured item may not be null");
+ }
+ if (securedItem.getSecurityEvaluator() == null) {
+ throw new IllegalArgumentException("Security evaluator in secured item may not be null");
+ }
+ if (holder == null) {
+ throw new IllegalArgumentException("ItemHolder may not be null");
+ }
+ this.securityEvaluator = securedItem.getSecurityEvaluator();
+ this.modelNode = securedItem.getModelNode();
+ this.itemHolder = holder;
+ }
+
+ /**
+ * Create the SecuredItemImpl.
+ *
+ * @param securityEvaluator the secured evaluator to use.
+ * @param modelURI the URI for the model.
+ * @param holder The holder to use.
+ * @throws IllegalArgumentException if security evaluator is null, modelURI is
+ * null or empty, or holder is null.
+ */
+ protected SecuredItemImpl(final SecurityEvaluator securityEvaluator, final String modelURI,
+ final ItemHolder<?, ?> holder) {
+ if (securityEvaluator == null) {
+ throw new IllegalArgumentException("Security evaluator may not be null");
+ }
+ if (StringUtils.isEmpty(modelURI)) {
+ throw new IllegalArgumentException("ModelURI may not be empty or null");
+ }
+ if (holder == null) {
+ throw new IllegalArgumentException("ItemHolder may not be null");
+ }
+ this.securityEvaluator = securityEvaluator;
+ this.modelNode = NodeFactory.createURI(modelURI);
+ this.itemHolder = holder;
+ }
+
+ /**
+ * Return a string representation of the resource.
+ *
+ * Returns the URI of the resource unless the resource is anonymous in which
+ * case it returns the id of the resource enclosed in square brackets.
+ *
+ * If the user can not read the graph the toString() returns the hashcode in hex
+ *
+ * @return Return a string representation of the resource.
+ */
+ @Override
+ public final String toString() throws AuthenticationRequiredException {
+ Object o = itemHolder.getBaseItem();
+ boolean ok = canRead();
+ if (ok) {
+ if (o instanceof Triple) {
+ ok = canRead((Triple) o);
+ } else if (o instanceof FrontsTriple) {
+ ok = canRead(((FrontsTriple) o).asTriple());
+ }
+ }
+ return (ok) ? itemHolder.getBaseItem().toString()
+ : String.format("SecuredItem[0x%X]", itemHolder.getBaseItem().hashCode());
+ }
+
+ /**
+ * get the cached value.
+ *
+ * @param key The key to look for.
+ * @return the value of the security check or <code>null</code> if the value has
+ * not been cached.
+ */
+ private Boolean cacheGet(final CacheKey key) {
+ final LRUMap<CacheKey, Boolean> cache = SecuredItemImpl.CACHE.get();
+ return (cache == null) ? null : (Boolean) cache.get(key);
+ }
+
+ /**
+ * set the cache value.
+ *
+ * @param key The key to set the value for.
+ * @param value The value to set.
+ */
+ private void cachePut(final CacheKey key, final boolean value) {
+ final LRUMap<CacheKey, Boolean> cache = SecuredItemImpl.CACHE.get();
+ if (cache != null) {
+ cache.put(key, value);
+ SecuredItemImpl.CACHE.set(cache);
+ }
+ }
+
+ @Override
+ public boolean canCreate() throws AuthenticationRequiredException {
+ final CacheKey key = new CacheKey(Action.Create, modelNode);
+ Boolean retval = cacheGet(key);
+ if (retval == null) {
+ retval = securityEvaluator.evaluate(securityEvaluator.getPrincipal(), Action.Create, modelNode);
+ cachePut(key, retval);
+ }
+ return retval;
+ }
+
+ @Override
+ public boolean canCreate(final Triple triple) throws AuthenticationRequiredException {
+ Triple t = convert(triple);
+ final CacheKey key = new CacheKey(Action.Create, modelNode, t);
+ Boolean retval = cacheGet(key);
+ if (retval == null) {
+ retval = securityEvaluator.evaluate(securityEvaluator.getPrincipal(), Action.Create, modelNode, t);
+ cachePut(key, retval);
+ }
+ return retval;
+ }
+
+ @Override
+ public boolean canCreate(final FrontsTriple frontsTriple) throws AuthenticationRequiredException {
+ return canCreate(frontsTriple.asTriple());
+ }
+
+ @Override
+ public boolean canDelete() throws AuthenticationRequiredException {
+ final CacheKey key = new CacheKey(Action.Delete, modelNode);
+ Boolean retval = cacheGet(key);
+ if (retval == null) {
+ retval = securityEvaluator.evaluate(securityEvaluator.getPrincipal(), Action.Delete, modelNode);
+ cachePut(key, retval);
+ }
+ return retval;
+ }
+
+ @Override
+ public boolean canDelete(final Triple triple) throws AuthenticationRequiredException {
+ Triple t = convert(triple);
+ final CacheKey key = new CacheKey(Action.Delete, modelNode, t);
+ Boolean retval = cacheGet(key);
+ if (retval == null) {
+ retval = securityEvaluator.evaluate(securityEvaluator.getPrincipal(), Action.Delete, modelNode, t);
+ cachePut(key, retval);
+ }
+ return retval;
+ }
+
+ @Override
+ public boolean canDelete(final FrontsTriple frontsTriple) throws AuthenticationRequiredException {
+ return canDelete(frontsTriple.asTriple());
+ }
+
+ @Override
+ public boolean canRead() throws AuthenticationRequiredException {
+ final CacheKey key = new CacheKey(Action.Read, modelNode);
+ Boolean retval = cacheGet(key);
+ if (retval == null) {
+ retval = securityEvaluator.evaluate(securityEvaluator.getPrincipal(), Action.Read, modelNode);
+ cachePut(key, retval);
+ }
+ return retval;
+ }
+
+ @Override
+ public boolean canRead(final Triple triple) throws AuthenticationRequiredException {
+ Triple t = convert(triple);
+ final CacheKey key = new CacheKey(Action.Read, modelNode, t);
+ Boolean retval = cacheGet(key);
+ if (retval == null) {
+ retval = securityEvaluator.evaluate(securityEvaluator.getPrincipal(), Action.Read, modelNode, t);
+ cachePut(key, retval);
+ }
+ return retval;
+ }
+
+ @Override
+ public boolean canRead(final FrontsTriple frontsTriple) throws AuthenticationRequiredException {
+ return canRead(frontsTriple.asTriple());
+ }
+
+ @Override
+ public boolean canUpdate() throws AuthenticationRequiredException {
+ final CacheKey key = new CacheKey(Action.Update, modelNode);
+ Boolean retval = cacheGet(key);
+ if (retval == null) {
+ retval = securityEvaluator.evaluate(securityEvaluator.getPrincipal(), Action.Update, modelNode);
+ cachePut(key, retval);
+ }
+ return retval;
+ }
+
+ @Override
+ public boolean canUpdate(final Triple f, final Triple t) throws AuthenticationRequiredException {
+ Triple from = convert(f);
+ Triple to = convert(t);
+ final CacheKey key = new CacheKey(Action.Update, modelNode, from, to);
+ Boolean retval = cacheGet(key);
+ if (retval == null) {
+ retval = securityEvaluator.evaluateUpdate(securityEvaluator.getPrincipal(), modelNode, from, to);
+ cachePut(key, retval);
+ }
+ return retval;
+ }
+
+ @Override
+ public boolean canUpdate(final FrontsTriple from, final FrontsTriple to) throws AuthenticationRequiredException {
+ return canUpdate(from.asTriple(), to.asTriple());
+ }
+
+ /**
+ * check that create on the securedModel is allowed,
+ *
+ * @throws AddDeniedException on failure
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ protected void checkCreate() throws AddDeniedException, AuthenticationRequiredException {
+ if (!canCreate()) {
+ throw new AddDeniedException(SecuredItem.Util.modelPermissionMsg(modelNode));
+ }
+ }
+
+ /**
+ * check that the triple can be created in the securedModel.,
+ *
+ * @throws AddDeniedException on failure
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ protected void checkCreate(final Triple t) throws AddDeniedException, AuthenticationRequiredException {
+ if (!canCreate(t)) {
+ throw new AddDeniedException(SecuredItem.Util.triplePermissionMsg(modelNode), t);
+ }
+ }
+
+ /**
+ * check that the statement can be created.
+ *
+ * @param s The statement.
+ * @throws AddDeniedException on failure
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ protected void checkCreate(final FrontsTriple frontsTriple)
+ throws AddDeniedException, AuthenticationRequiredException {
+ checkCreate(frontsTriple.asTriple());
+ }
+
+ /**
+ * Check that a triple can be reified.
+ *
+ * @param uri The URI for the reification subject. May be null.
+ * @param front the frontstriple that is to be reified.
+ * @throws AddDeniedException on failure to add triple
+ * @throws UpdateDeniedException if the updates of the graph are not
+ * allowed.
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ protected void checkCreateReified(final String uri, final FrontsTriple front)
+ throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException {
+ checkUpdate();
+ Triple t = front.asTriple();
+ final Node n = uri == null ? SecurityEvaluator.FUTURE : NodeFactory.createURI(uri);
+ checkCreate(new Triple(n, RDF.subject.asNode(), t.getSubject()));
+ checkCreate(new Triple(n, RDF.predicate.asNode(), t.getPredicate()));
+ checkCreate(new Triple(n, RDF.object.asNode(), t.getObject()));
+ }
+
+// /**
+// * Check that all the triples can be created.
+// *
+// * @param FrontsTripleIter
+// * an iterator of FrontsTriple objects.
+// * @throws AddDeniedException
+// * if a triple can not be added.
+// * @throws AuthenticationRequiredException
+// * if user is not authenticated and is required to be.
+// */
+// protected void checkCreateFrontsTriples(
+// final ExtendedIterator<? extends FrontsTriple> FrontsTripleIter)
+// throws AddDeniedException, AuthenticationRequiredException {
+// if (!canCreate(Triple.ANY)) {
+// try {
+// while (FrontsTripleIter.hasNext()) {
+// checkCreate(FrontsTripleIter.next());
+// }
+// } finally {
+// FrontsTripleIter.close();
+// }
+// }
+// }
+
+// /**
+// * Check that all the triples can be created.
+// *
+// * @param triples
+// * an iterator of triples.
+// * @throws AddDeniedException
+// * if a triple can not be added.
+// * @throws AuthenticationRequiredException
+// * if user is not authenticated and is required to be.
+// */
+// protected void checkCreateTriples(final ExtendedIterator<Triple> triples)
+// throws AddDeniedException, AuthenticationRequiredException {
+// if (!canCreate(Triple.ANY)) {
+// try {
+// while (triples.hasNext()) {
+// checkCreate(triples.next());
+// }
+// } finally {
+// triples.close();
+// }
+// }
+// }
+
+ /**
+ * Check that all the triples can be created.
+ *
+ * @param supplier the Suplier of the triple iterator.
+ * @throws AddDeniedException if a triple can not be added.
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ protected void checkCreate(Supplier<ExtendedIterator<Triple>> supplier)
+ throws AddDeniedException, AuthenticationRequiredException {
+ if (!canCreate(Triple.ANY)) {
+ ExtendedIterator<Triple> iter = supplier.get();
+ try {
+ while (iter.hasNext()) {
+ checkCreate(iter.next());
+ }
+ } finally {
+ iter.close();
+ }
+ }
+ }
+
+ /**
+ * check that delete on the securedModel is allowed,
+ *
+ * @throws DeleteDeniedException on failure
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ protected void checkDelete() throws DeleteDeniedException, AuthenticationRequiredException {
+ if (!canDelete()) {
+ throw new DeleteDeniedException(SecuredItem.Util.modelPermissionMsg(modelNode));
+ }
+ }
+
+ /**
+ * check that the triple can be deleted in the securedModel.,
+ *
+ * @param triple The triple to check.
+ * @throws DeleteDeniedException on failure
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ protected void checkDelete(final Triple triple) throws DeleteDeniedException, AuthenticationRequiredException {
+ if (!canDelete(triple)) {
+ throw new DeleteDeniedException(SecuredItem.Util.triplePermissionMsg(modelNode), triple);
+ }
+ }
+
+ /**
+ * check that the triple can be deleted in the securedModel.,
+ *
+ * @param frontsTriple An object fronting the triple to check.
+ * @throws DeleteDeniedException on failure
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ protected void checkDelete(final FrontsTriple frontsTriple)
+ throws DeleteDeniedException, AuthenticationRequiredException {
+ checkDelete(frontsTriple.asTriple());
+ }
+
+ /**
+ * check that the triples can be deleted in the securedModel.,
+ *
+ * @param frontsTripleIter An iterator of objects fronting triples to check.
+ * @throws DeleteDeniedException on failure
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ protected void checkDeleteFrontsTriples(final ExtendedIterator<? extends FrontsTriple> frontsTriplesIter)
+ throws DeleteDeniedException, AuthenticationRequiredException {
+ if (!canDelete(Triple.ANY)) {
+ try {
+ while (frontsTriplesIter.hasNext()) {
+ checkDelete(frontsTriplesIter.next());
+ }
+ } finally {
+ frontsTriplesIter.close();
+ }
+ }
+ }
+
+ /**
+ * check that the triples can be deleted in the securedModel.,
+ *
+ * @param triples An iterator of triples to check.
+ * @throws DeleteDeniedException on failure
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ protected void checkDeleteTriples(final ExtendedIterator<Triple> triples)
+ throws DeleteDeniedException, AuthenticationRequiredException {
+ if (!canDelete(Triple.ANY)) {
+ try {
+ while (triples.hasNext()) {
+ checkDelete(triples.next());
+ }
+ } finally {
+ triples.close();
+ }
+ }
+ }
+
+ /**
+ * Checks that read on the securedModel/securedGraph is allowed.
+ *
+ * @throws ReadDeniedException on failure
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ protected void checkRead() throws ReadDeniedException, AuthenticationRequiredException {
+ if (!canRead()) {
+ throw new ReadDeniedException(SecuredItem.Util.modelPermissionMsg(modelNode));
+ }
+ }
+
+ /**
+ * Checks that read on the securedModel/securedGraph is allowed.
+ * <ul>
+ * <li>If the securedModel/securedGraph can not be read and the
+ * {@code SecurityEvaluator.isHardReadError()} returns true, throws an
+ * exception.</li>
+ * <li>If the securedModel/securedGraph can not be read and the
+ * {@code SecurityEvaluator.isHardReadError()} returns false, returns false.
+ * </li>
+ * <li>Otherwise returns true.</li>
+ * </ul>
+ *
+ * @return true if the model/graph can be read.
+ * @throws ReadDeniedException on failure
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ protected boolean checkSoftRead() throws ReadDeniedException, AuthenticationRequiredException {
+ if (!canRead()) {
+ if (securityEvaluator.isHardReadError()) {
+ throw new ReadDeniedException(SecuredItem.Util.modelPermissionMsg(modelNode));
+ }
+ return false;
+ }
+ return true;
+ }
+
+ /**
+ * check that the triple can be read in the securedModel.,
+ *
+ * @param triple The triple to check.
+ * @returns True if the triple can be read, false if not.
+ * @throws ReadDeniedException on failure if HardReadErrors is true.
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ protected boolean checkRead(final Triple triple) throws ReadDeniedException, AuthenticationRequiredException {
+ if (!canRead(triple)) {
+ if (securityEvaluator.isHardReadError()) {
+ throw new ReadDeniedException(SecuredItem.Util.triplePermissionMsg(modelNode), triple);
+ }
+ return false;
+ }
+ return true;
+ }
+
+ /**
+ * check that the triple can be read in the securedModel.,
+ *
+ * @returns True if the triple can be read, false if not.
+ * @param frontsTriple The object fronting the triple to check.
+ * @throws ReadDeniedException on failure if HardReadErrors are
+ * enabled.
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ protected boolean checkRead(final FrontsTriple frontsTriple)
+ throws ReadDeniedException, AuthenticationRequiredException {
+ return checkRead(frontsTriple.asTriple());
+ }
+
+ /**
+ * check that the triple can be read in the securedModel.,
+ *
+ * @param frontsTripleIter The iterator of fronts triple objects to check.
+ * @param returns true if all triples can be read, false if not.
+ * @throws ReadDeniedException on failure if HardReadErrors are
+ * enabled.
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ protected boolean checkReadFrontsTriples(final ExtendedIterator<FrontsTriple> frontsTripleIter)
+ throws ReadDeniedException, AuthenticationRequiredException {
+ try {
+ while (frontsTripleIter.hasNext()) {
+ if (!checkRead(frontsTripleIter.next())) {
+ return false;
+ }
+ }
+ return true;
+ } finally {
+ frontsTripleIter.close();
+ }
+ }
+
+ /**
+ * check that the triple can be read in the securedModel.,
+ *
+ * @param triples The iterator of triples to check.
+ * @returns true if all the triples can be read, false if not.
+ * @throws ReadDeniedException on failure if HardReadErrors is
+ * enabled.
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ protected boolean checkReadTriples(final ExtendedIterator<Triple> triples)
+ throws ReadDeniedException, AuthenticationRequiredException {
+ try {
+ while (triples.hasNext()) {
+ if (!checkRead(triples.next())) {
+ return false;
+ }
+ }
+ return true;
+ } finally {
+ triples.close();
+ }
+ }
+
+ /**
+ * check that update on the securedModel is allowed,
+ *
+ * @throws UpdateDeniedException on failure
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ protected void checkUpdate() throws UpdateDeniedException, AuthenticationRequiredException {
+ if (!canUpdate()) {
+ throw new UpdateDeniedException(SecuredItem.Util.modelPermissionMsg(modelNode));
+ }
+ }
+
+ /**
+ * check that the triple can be updated in the securedModel.,
+ *
+ * @param from the starting triple
+ * @param to the final triple.
+ * @throws UpdateDeniedException on failure
+ * @throws AuthenticationRequiredException if user is not authenticated and is
+ * required to be.
+ */
+ protected void checkUpdate(final Triple from, final Triple to)
+ throws UpdateDeniedException, AuthenticationRequiredException {
+ if (!canUpdate(from, to)) {
+ throw new UpdateDeniedException(
+ String.format("%s: %s to %s", SecuredItem.Util.modelPermissionMsg(modelNode), from, to));
+ }
+ }
+
+ @Override
+ public boolean equals(final Object o) {
+ if (Proxy.isProxyClass(o.getClass())) {
+ return o.equals(itemHolder.getSecuredItem());
+ }
+ if (o instanceof SecuredItemImpl) {
+ return itemHolder.getBaseItem().equals(((SecuredItemImpl) o).getBaseItem());
+ }
+ return false;
+ }
+
+ @Override
+ public int hashCode() {
+ return itemHolder.getBaseItem().hashCode();
+ }
+
+ @Override
+ public Object getBaseItem() {
+ return itemHolder.getBaseItem();
+ }
+
+ @Override
+ public String getModelIRI() {
+ return modelNode.getURI();
+ }
+
+ /**
+ * get the name of the model.
+ */
+ @Override
+ public Node getModelNode() {
+ return modelNode;
+ }
+
+ @Override
+ public SecurityEvaluator getSecurityEvaluator() {
+ return securityEvaluator;
+ }
+
+ @Override
+ public boolean isEquivalent(final SecuredItem securedItem) {
+ return SecuredItem.Util.isEquivalent(this, securedItem);
+ }
+
+ /**
+ * Executes the find with permissions
+ *
+ * @param find
+ * @return
+ */
+ protected <T> ExtendedIterator<T> createIterator(Supplier<ExtendedIterator<T>> find,
+ Supplier<Predicate<T>> filter) {
+ if (checkSoftRead()) {
+ ExtendedIterator<T> retval = find.get();
+ if (!canRead(Triple.ANY)) {
+ retval = retval.filterKeep(filter.get());
+ }
+ return retval;
+ }
+ return NullIterator.instance();
+ }
+
}
\ No newline at end of file
diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/impl/SecuredItemInvoker.java b/jena-permissions/src/main/java/org/apache/jena/permissions/impl/SecuredItemInvoker.java
index be4055b..3d58641 100644
--- a/jena-permissions/src/main/java/org/apache/jena/permissions/impl/SecuredItemInvoker.java
+++ b/jena-permissions/src/main/java/org/apache/jena/permissions/impl/SecuredItemInvoker.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -24,125 +24,93 @@ import java.lang.reflect.Proxy;
import org.apache.jena.permissions.SecuredItem;
-
/**
* A generic InvocationHandler that handles the general invocation of the
* security methods.
*/
-public class SecuredItemInvoker implements InvocationHandler
-{
- // the equals() method
- private static Method EQUALS;
- // the toString() method
- private static Method TO_STRING;
- // the hashCode() method.
- private static Method HASH_CODE;
- // the instance of SecuredItem that this proxy is using. Must be
- // package-private for ItemHolder use.
- /* package-private */final SecuredItem securedItem;
+public class SecuredItemInvoker implements InvocationHandler {
+ // the equals() method
+ private static Method EQUALS;
+ // the toString() method
+ private static Method TO_STRING;
+ // the hashCode() method.
+ private static Method HASH_CODE;
+ // the instance of SecuredItem that this proxy is using. Must be
+ // package-private for ItemHolder use.
+ /* package-private */final SecuredItem securedItem;
+
+ final Class<?> securedClass;
+
+ // populate the static fields.
+ static {
+ try {
+ SecuredItemInvoker.EQUALS = Object.class.getMethod("equals", Object.class);
+ SecuredItemInvoker.TO_STRING = Object.class.getMethod("toString");
+ SecuredItemInvoker.HASH_CODE = Object.class.getMethod("hashCode");
+ } catch (final SecurityException e) {
+ throw new RuntimeException(e);
+ } catch (final NoSuchMethodException e) {
+ throw new RuntimeException(e);
+ }
+ }
- final Class<?> securedClass;
-
- // populate the static fields.
- static
- {
- try
- {
- SecuredItemInvoker.EQUALS = Object.class.getMethod("equals",
- Object.class);
- SecuredItemInvoker.TO_STRING = Object.class.getMethod("toString");
- SecuredItemInvoker.HASH_CODE = Object.class.getMethod("hashCode");
- }
- catch (final SecurityException e)
- {
- throw new RuntimeException(e);
- }
- catch (final NoSuchMethodException e)
- {
- throw new RuntimeException(e);
- }
- }
+ /**
+ * Constructor.
+ *
+ * @param securedClass The class of the object that is being protected.
+ * @param securedItem The implementation of the SecuredItem version of the
+ * object.
+ */
+ public SecuredItemInvoker(final Class<?> securedClass, final SecuredItem securedItem) {
+ this.securedItem = securedItem;
+ this.securedClass = securedClass;
+ }
- /**
- * Constructor.
- *
- * @param securedClass
- * The class of the object that is being protected.
- * @param securedItem
- * The implementation of the SecuredItem version of the object.
- */
- public SecuredItemInvoker( final Class<?> securedClass,
- final SecuredItem securedItem )
- {
- this.securedItem = securedItem;
- this.securedClass = securedClass;
- }
+ @Override
+ public Object invoke(final Object proxy, final Method method, final Object[] args) throws Throwable {
- @Override
- public Object invoke( final Object proxy, final Method method,
- final Object[] args ) throws Throwable
- {
+ // check for the special case methods
+ if (SecuredItemInvoker.EQUALS.equals(method)) {
+ if (Proxy.isProxyClass(args[0].getClass())) {
+ return args[0].equals(securedItem);
+ }
+ return securedItem.equals(args[0]);
- // check for the special case methods
- if (SecuredItemInvoker.EQUALS.equals(method))
- {
- if (Proxy.isProxyClass(args[0].getClass()))
- {
- return args[0].equals(securedItem);
- }
- else
- {
- return securedItem.equals(args[0]);
- }
- }
+ }
- if (SecuredItemInvoker.HASH_CODE.equals(method))
- {
- return securedItem.hashCode();
- }
+ if (SecuredItemInvoker.HASH_CODE.equals(method)) {
+ return securedItem.hashCode();
+ }
- if (SecuredItemInvoker.TO_STRING.equals(method))
- {
- return securedItem.toString();
- }
+ if (SecuredItemInvoker.TO_STRING.equals(method)) {
+ return securedItem.toString();
+ }
- try
- {
- final Method m = securedItem.getClass().getMethod(method.getName(),
- method.getParameterTypes());
- if (!Modifier.isAbstract(m.getModifiers()))
- {
- try
- {
- SecuredItemImpl.incrementUse();
- try
- {
- return m.invoke(securedItem, args);
- }
- finally
- {
- SecuredItemImpl.decrementUse();
- }
+ try {
+ final Method m = securedItem.getClass().getMethod(method.getName(), method.getParameterTypes());
+ if (!Modifier.isAbstract(m.getModifiers())) {
+ try {
+ SecuredItemImpl.incrementUse();
+ try {
+ return m.invoke(securedItem, args);
+ } finally {
+ SecuredItemImpl.decrementUse();
+ }
- }
- catch (final java.lang.reflect.InvocationTargetException e2)
- {
- if (e2.getTargetException() instanceof RuntimeException)
- {
- throw e2.getTargetException();
- }
- throw e2;
- }
- }
- }
- catch (final NoSuchMethodException e2)
- {
- // acceptable
- }
+ } catch (final java.lang.reflect.InvocationTargetException e2) {
+ if (e2.getTargetException() instanceof RuntimeException) {
+ throw e2.getTargetException();
+ }
+ throw e2;
+ }
+ }
+ } catch (final NoSuchMethodException e2) {
+ // acceptable
+ }
- // if we get here then the method is not being proxied so call the
- // original method on the base item.
- return method.invoke(securedItem.getBaseItem(), args);
+ // if we get here then the method is not being proxied so call the
+ // original method on the base item.
+ return method.invoke(securedItem.getBaseItem(), args);
- }
+ }
}
diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredAlt.java b/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredAlt.java
index d479ffc..36a1ae3 100644
--- a/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredAlt.java
+++ b/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredAlt.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -18,319 +18,12 @@
package org.apache.jena.permissions.model;
import org.apache.jena.rdf.model.Alt;
-import org.apache.jena.rdf.model.RDFNode;
-import org.apache.jena.shared.AddDeniedException;
-import org.apache.jena.shared.AuthenticationRequiredException;
-import org.apache.jena.shared.ReadDeniedException;
-import org.apache.jena.shared.UpdateDeniedException;
/**
* The interface for secured Alt instances.
- *
+ *
* Use the SecuredAlt.Factory to create instances
*/
public interface SecuredAlt extends Alt, SecuredContainer {
- /**
- * @sec.graph Read
- * @sec.triple Read SecTriple(this, RDF.li(1), o )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredRDFNode getDefault() throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read SecTriple(this, RDF.li(1), o )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredAlt getDefaultAlt() throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read SecTriple(this, RDF.li(1), o )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredBag getDefaultBag() throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read SecTriple(this, RDF.li(1), o )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean getDefaultBoolean() throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read SecTriple(this, RDF.li(1), o )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public byte getDefaultByte() throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read SecTriple(this, RDF.li(1), o )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public char getDefaultChar() throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read SecTriple(this, RDF.li(1), o )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public double getDefaultDouble() throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read SecTriple(this, RDF.li(1), o )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public float getDefaultFloat() throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read SecTriple(this, RDF.li(1), o )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public int getDefaultInt() throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read SecTriple(this, RDF.li(1), o )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public String getDefaultLanguage() throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read SecTriple(this, RDF.li(1), o )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredLiteral getDefaultLiteral() throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read SecTriple(this, RDF.li(1), o )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public long getDefaultLong() throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read SecTriple(this, RDF.li(1), o )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredResource getDefaultResource() throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read SecTriple(this, RDF.li(1), o )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredSeq getDefaultSeq() throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read SecTriple(this, RDF.li(1), o )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public short getDefaultShort() throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read SecTriple(this, RDF.li(1), o )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public String getDefaultString() throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Update SecTriple(this, RDF.li(1), existing ), SecTriple(this,
- * RDF.li(1), o )
- * @sec.triple Create SecTriple(this, RDF.li(1), o ) if no current default
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredAlt setDefault(final boolean o) throws UpdateDeniedException,
- AddDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Update SecTriple(this, RDF.li(1), existing ), SecTriple(this,
- * RDF.li(1), o )
- * @sec.triple Create SecTriple(this, RDF.li(1), o ) if no current default
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredAlt setDefault(final char o) throws UpdateDeniedException,
- AddDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Update SecTriple(this, RDF.li(1), existing ), SecTriple(this,
- * RDF.li(1), o )
- * @sec.triple Create SecTriple(this, RDF.li(1), o ) if no current default
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredAlt setDefault(final double o) throws UpdateDeniedException,
- AddDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Update SecTriple(this, RDF.li(1), existing ), SecTriple(this,
- * RDF.li(1), o )
- * @sec.triple Create SecTriple(this, RDF.li(1), o ) if no current default
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredAlt setDefault(final float o) throws UpdateDeniedException,
- AddDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Update SecTriple(this, RDF.li(1), existing ), SecTriple(this,
- * RDF.li(1), o )
- * @sec.triple Create SecTriple(this, RDF.li(1), o ) if no current default
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredAlt setDefault(final long o) throws UpdateDeniedException,
- AddDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Update SecTriple(this, RDF.li(1), existing ), SecTriple(this,
- * RDF.li(1), o )
- * @sec.triple Create SecTriple(this, RDF.li(1), o ) if no current default
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredAlt setDefault(final Object o) throws UpdateDeniedException,
- AddDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Update SecTriple(this, RDF.li(1), existing ), SecTriple(this,
- * RDF.li(1), o )
- * @sec.triple Create SecTriple(this, RDF.li(1), o ) if no current default
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredAlt setDefault(final RDFNode o) throws UpdateDeniedException,
- AddDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Update SecTriple(this, RDF.li(1), existing ), SecTriple(this,
- * RDF.li(1), o )
- * @sec.triple Create SecTriple(this, RDF.li(1), o ) if no current default
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredAlt setDefault(final String o) throws UpdateDeniedException,
- AddDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Update SecTriple(this, RDF.li(1), existing ), SecTriple(this,
- * RDF.li(1), o )
- * @sec.triple Create SecTriple(this, RDF.li(1), o ) if no current default
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredAlt setDefault(final String o, final String l)
- throws UpdateDeniedException, AddDeniedException,
- AuthenticationRequiredException;
}
diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredBag.java b/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredBag.java
index c40f78f..9dbe45e 100644
--- a/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredBag.java
+++ b/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredBag.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -17,13 +17,12 @@
*/
package org.apache.jena.permissions.model;
-import org.apache.jena.rdf.model.Bag ;
+import org.apache.jena.rdf.model.Bag;
/**
* The interface for secured Bag instances.
- *
+ *
* Use the SecuredBag.Factory to create instances
*/
-public interface SecuredBag extends Bag, SecuredContainer
-{
+public interface SecuredBag extends Bag, SecuredContainer {
}
diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredContainer.java b/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredContainer.java
index b2ddae8..cd7cba7 100644
--- a/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredContainer.java
+++ b/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredContainer.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -17,280 +17,13 @@
*/
package org.apache.jena.permissions.model;
-import java.util.Set;
-
-import org.apache.jena.permissions.SecurityEvaluator.Action;
-import org.apache.jena.permissions.model.impl.SecuredNodeIterator;
import org.apache.jena.rdf.model.Container;
-import org.apache.jena.rdf.model.RDFNode;
-import org.apache.jena.rdf.model.Statement;
-import org.apache.jena.shared.AddDeniedException;
-import org.apache.jena.shared.AuthenticationRequiredException;
-import org.apache.jena.shared.DeleteDeniedException;
-import org.apache.jena.shared.ReadDeniedException;
-import org.apache.jena.shared.UpdateDeniedException;
/**
* The interface for secured Container instances.
- *
+ *
* Use one of the SecuredContainer derived class Factory methods to create
* instances
*/
public interface SecuredContainer extends Container, SecuredResource {
-
- /**
- * @sec.graph Update
- * @sec.triple Create SecTriple( this, RDF.li, o );
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredContainer add(final boolean o) throws UpdateDeniedException,
- AddDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create SecTriple( this, RDF.li, o );
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredContainer add(final char o) throws UpdateDeniedException,
- AddDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create SecTriple( this, RDF.li, o );
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredContainer add(final double o) throws UpdateDeniedException,
- AddDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create SecTriple( this, RDF.li, o );
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredContainer add(final float o) throws UpdateDeniedException,
- AddDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create SecTriple( this, RDF.li, o );
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredContainer add(final long o) throws UpdateDeniedException,
- AddDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create SecTriple( this, RDF.li, o );
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredContainer add(final Object o) throws UpdateDeniedException,
- AddDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create SecTriple( this, RDF.li, o );
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredContainer add(final RDFNode o) throws UpdateDeniedException,
- AddDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create SecTriple( this, RDF.li, o );
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredContainer add(final String o) throws UpdateDeniedException,
- AddDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create SecTriple( this, RDF.li, o );
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredContainer add(final String o, final String l)
- throws UpdateDeniedException, AddDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read SecTriple( this, RDF.li, o );
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean contains(final boolean o) throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read SecTriple( this, RDF.li, o );
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean contains(final char o) throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read SecTriple( this, RDF.li, o );
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean contains(final double o) throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read SecTriple( this, RDF.li, o );
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean contains(final float o) throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read SecTriple( this, RDF.li, o );
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean contains(final long o) throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read SecTriple( this, RDF.li, o );
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean contains(final Object o) throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read SecTriple( this, RDF.li, o );
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean contains(final RDFNode o) throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read SecTriple( this, RDF.li, o );
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean contains(final String o) throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read SecTriple( this, RDF.li, o );
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean contains(final String o, final String l)
- throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read on each triple ( this, rdf:li_? node ) returned by
- * iterator;
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredNodeIterator<RDFNode> iterator() throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @param perms
- * the Permissions required on each node returned
- * @sec.graph Read
- * @sec.triple Read + perms on each triple ( this, rdf:li_? node ) returned
- * by iterator;
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- public SecuredNodeIterator<RDFNode> iterator(Set<Action> perms)
- throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Delete s as triple;
- * @throws UpdateDeniedException
- * @throws DeleteDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredContainer remove(final Statement s)
- throws UpdateDeniedException, DeleteDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public int size() throws ReadDeniedException,
- AuthenticationRequiredException;
}
diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredLiteral.java b/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredLiteral.java
index 10d0215..df11058 100644
--- a/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredLiteral.java
+++ b/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredLiteral.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -17,201 +17,12 @@
*/
package org.apache.jena.permissions.model;
-import org.apache.jena.datatypes.DatatypeFormatException;
-import org.apache.jena.datatypes.RDFDatatype;
import org.apache.jena.rdf.model.Literal;
-import org.apache.jena.rdf.model.Model;
-import org.apache.jena.shared.AuthenticationRequiredException;
-import org.apache.jena.shared.ReadDeniedException;
/**
* The interface for secured Literal instances.
- *
+ *
* Use the SecuredLiteral.Factory to create instances
*/
public interface SecuredLiteral extends Literal, SecuredRDFNode {
-
- @Override
- public SecuredLiteral asLiteral();
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws DatatypeFormatException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean getBoolean() throws ReadDeniedException,
- DatatypeFormatException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws DatatypeFormatException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public byte getByte() throws ReadDeniedException, DatatypeFormatException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws DatatypeFormatException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public char getChar() throws ReadDeniedException, DatatypeFormatException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public RDFDatatype getDatatype() throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public String getDatatypeURI() throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws DatatypeFormatException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public double getDouble() throws ReadDeniedException,
- DatatypeFormatException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws DatatypeFormatException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public float getFloat() throws ReadDeniedException,
- DatatypeFormatException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- * @throws DatatypeFormatException
- */
- @Override
- public int getInt() throws ReadDeniedException, DatatypeFormatException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public String getLanguage() throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws DatatypeFormatException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public String getLexicalForm() throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws DatatypeFormatException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public long getLong() throws ReadDeniedException, DatatypeFormatException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws DatatypeFormatException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public short getShort() throws ReadDeniedException,
- DatatypeFormatException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws DatatypeFormatException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public String getString() throws ReadDeniedException,
- DatatypeFormatException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public Object getValue() throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public Literal inModel(final Model m) throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean isWellFormedXML() throws ReadDeniedException,
- AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean sameValueAs(final Literal other) throws ReadDeniedException,
- AuthenticationRequiredException;
-
}
diff --git a/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredModel.java b/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredModel.java
index c0ac6f1..cda5ee5 100644
--- a/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredModel.java
+++ b/jena-permissions/src/main/java/org/apache/jena/permissions/model/SecuredModel.java
@@ -6,9 +6,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -17,1890 +17,15 @@
*/
package org.apache.jena.permissions.model;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.io.Reader;
-import java.io.Writer;
-import java.util.Calendar;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-
-import org.apache.jena.datatypes.RDFDatatype;
-import org.apache.jena.graph.Node;
-import org.apache.jena.graph.Triple;
-import org.apache.jena.permissions.graph.SecuredGraph;
+import org.apache.jena.permissions.SecuredItem;
import org.apache.jena.permissions.graph.SecuredPrefixMapping;
-import org.apache.jena.permissions.model.impl.SecuredNodeIterator;
-import org.apache.jena.permissions.model.impl.SecuredRSIterator;
-import org.apache.jena.permissions.model.impl.SecuredResIterator;
-import org.apache.jena.permissions.model.impl.SecuredStatementIterator;
-import org.apache.jena.rdf.model.*;
-import org.apache.jena.shared.AddDeniedException;
-import org.apache.jena.shared.AuthenticationRequiredException;
-import org.apache.jena.shared.DeleteDeniedException;
-import org.apache.jena.shared.PropertyNotFoundException;
-import org.apache.jena.shared.ReadDeniedException;
-import org.apache.jena.shared.UpdateDeniedException;
-import org.apache.jena.shared.PrefixMapping;
+import org.apache.jena.rdf.model.Model;
/**
* The interface for secured Model instances.
- *
+ *
* Use the SecuredModel.Factory to create instances
*/
-public interface SecuredModel extends Model, SecuredPrefixMapping {
-
- @Override
- public SecuredModel abort();
-
- /**
- * @sec.graph Update
- * @sec.triple Create for each statement as a triple.
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredModel add(final List<Statement> statements)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create for each statement in the securedModel as a triple.
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredModel add(final Model m)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create the triple Triple(s,p,o)
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredModel add(final Resource s, final Property p, final RDFNode o)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create the triple Triple(s,p,o)
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredModel add(final Resource s, final Property p, final String o)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create the triple Triple(s,p,o)
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredModel add(final Resource s, final Property p, final String o, final boolean wellFormed)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create the triple Triple(s,p,literal(lex,datatype))
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredModel add(final Resource s, final Property p, final String lex, final RDFDatatype datatype)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create the triple Triple(s,p,literal(o,l,false))
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredModel add(final Resource s, final Property p, final String o, final String l)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create the statement as a triple
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredModel add(final Statement s)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create all the statements as triples.
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredModel add(final Statement[] statements)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create all the statements as triples.
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredModel add(final StmtIterator iter)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create triple(s,p,o)
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredModel addLiteral(final Resource s, final Property p, final boolean o)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create triple(s,p,o)
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredModel addLiteral(final Resource s, final Property p, final char o)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create triple(s,p,o)
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredModel addLiteral(final Resource s, final Property p, final double o)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create triple(s,p,o)
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredModel addLiteral(final Resource s, final Property p, final float o)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create triple(s,p,o)
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredModel addLiteral(final Resource s, final Property p, final int o)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create triple(s,p,o)
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredModel addLiteral(final Resource s, final Property p, final Literal o)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create triple(s,p,o)
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredModel addLiteral(final Resource s, final Property p, final long o)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create triple(s,p,o)
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- @Deprecated
- public SecuredModel addLiteral(final Resource s, final Property p, final Object o)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- @Override
- public SecuredRDFNode asRDFNode(final Node n);
-
- @Override
- /**
- * @sec.graph Read if t does exist
- * @sec.graph Update it t does not exist
- * @sec.triple Read if t does exist
- * @sec.triple Create if t does exist
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- public SecuredStatement asStatement(final Triple t)
- throws UpdateDeniedException, AddDeniedException, ReadDeniedException, AuthenticationRequiredException;
-
- @Override
- public SecuredModel begin();
-
- @Override
- public SecuredModel commit();
-
- /**
- * @sec.graph Read
- * @sec.triple Read Triple( s, p, SecNode.ANY )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean contains(final Resource s, final Property p)
- throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read Triple( s, p, o )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean contains(final Resource s, final Property p, final RDFNode o)
- throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read Triple( s, p, o )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean contains(final Resource s, final Property p, final String o)
- throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read Triple( s, p, literal(o,l,null) )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean contains(final Resource s, final Property p, final String o, final String l)
- throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read s as a triple with null replaced by SecNode.ANY
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean contains(final Statement s) throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read every statement in securedModel.
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean containsAll(final Model model) throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read every statement
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean containsAll(final StmtIterator iter) throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read any statement in securedModel to be included in check,
- * if no statement in securedModel can be read will return
- * false;
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean containsAny(final Model model) throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read any statement in iter to be included in check, if no
- * statement in iter can be read will return false;
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean containsAny(final StmtIterator iter) throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read Triple( s, p, literal(o) )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean containsLiteral(final Resource s, final Property p, final boolean o)
- throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read Triple( s, p, literal(o) )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean containsLiteral(final Resource s, final Property p, final char o)
- throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read Triple( s, p, literal(o) )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean containsLiteral(final Resource s, final Property p, final double o)
- throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read Triple( s, p, literal(o) )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean containsLiteral(final Resource s, final Property p, final float o)
- throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read Triple( s, p, literal(o) )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean containsLiteral(final Resource s, final Property p, final int o)
- throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read Triple( s, p, literal(o) )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean containsLiteral(final Resource s, final Property p, final long o)
- throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read Triple( s, p, typedLiteral(o) )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean containsLiteral(final Resource s, final Property p, final Object o)
- throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read Triple( s, p, resource) where Triple(s,p,resource) is in
- * the securedModel.
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public boolean containsResource(final RDFNode r) throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create Triple( SecNode.ANY, RDF.type, Rdf.Alt)
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredAlt createAlt() throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create Triple( uri, RDF.type, Rdf.Alt)
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredAlt createAlt(final String uri)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create Triple( SecNode.ANY, RDF.type, Rdf.Bag)
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredBag createBag() throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create Triple( uri, RDF.type, Rdf.Bag)
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredBag createBag(final String uri)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @throws UpdateDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredRDFList createList()
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create Triple( RDF.nil, SecNode.IGNORE, SecNode.IGNORE)
- * @sec.triple Create for each member Triple(SecNode.ANY,
- * RDF.first.asNode(), member.asNode())
- * @sec.triple Create Triple(SecNode.ANY, RDF.rest.asNode(), SecNode.ANY)
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredRDFList createList(final Iterator<? extends RDFNode> members)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create Triple( RDF.nil, SecNode.IGNORE, SecNode.IGNORE)
- * @sec.triple Create for each member Triple(SecNode.ANY,
- * RDF.first.asNode(), member.asNode())
- * @sec.triple Create Triple(SecNode.ANY, RDF.rest.asNode(), SecNode.ANY)
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredRDFList createList(final RDFNode...members)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create Triple( s,p,o )
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredStatement createLiteralStatement(final Resource s, final Property p, final boolean o)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create Triple( s,p,o )
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredStatement createLiteralStatement(final Resource s, final Property p, final char o)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create Triple( s,p,o )
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredStatement createLiteralStatement(final Resource s, final Property p, final double o)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create Triple( s,p,o )
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredStatement createLiteralStatement(final Resource s, final Property p, final float o)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create Triple( s,p,o )
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredStatement createLiteralStatement(final Resource s, final Property p, final int o)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create Triple( s,p,o )
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredStatement createLiteralStatement(final Resource s, final Property p, final long o)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create Triple( s,p,o )
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredStatement createLiteralStatement(final Resource s, final Property p, final Object o)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- @Override
- public SecuredProperty createProperty(final String uri);
-
- @Override
- public SecuredProperty createProperty(final String nameSpace, final String localName);
-
- /**
- * @sec.graph Update
- * @sec.triple Read s as a triple
- * @sec.triple create Triple( SecNode.Future, RDF.subject, t.getSubject() )
- * @sec.triple create Triple( SecNode.Future, RDF.subject, t.getPredicate()
- * )
- * @sec.triple create Triple( SecNode.Future, RDF.subject, t.getObject() )
- * @throws UpdateDeniedException
- * @throws ReadDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public ReifiedStatement createReifiedStatement(final Statement s)
- throws AddDeniedException, UpdateDeniedException, ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Read s as a triple
- * @sec.triple create Triple( uri, RDF.subject, t.getSubject() )
- * @sec.triple create Triple( uri, RDF.subject, t.getPredicate() )
- * @sec.triple create Triple( uri, RDF.subject, t.getObject() )
- * @throws UpdateDeniedException
- * @throws ReadDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public ReifiedStatement createReifiedStatement(final String uri, final Statement s)
- throws AddDeniedException, UpdateDeniedException, ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Read s as a triple
- * @sec.triple Create Triple( SecNode.FUTURE, SecNode.IGNORE, SecNode.IGNORE
- * )
- * @throws UpdateDeniedException
- * @throws ReadDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredResource createResource()
- throws AddDeniedException, UpdateDeniedException, ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Read s as a triple
- * @sec.triple Create Triple( Anonymous(id), SecNode.IGNORE, SecNode.IGNORE
- * )
- * @throws UpdateDeniedException
- * @throws ReadDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredResource createResource(final AnonId id)
- throws AddDeniedException, UpdateDeniedException, ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create Triple( SecNode.FUTURE, RDF.type, type )
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredResource createResource(final Resource type)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- @Override
- @Deprecated
- public SecuredResource createResource(final ResourceF f);
-
- @Override
- public SecuredResource createResource(final String uri);
-
- /**
- * @sec.graph Update if uri exists
- * @sec.graph Create if uri does not exist
- * @sec.triple Read if Triple( uri, RDF.type, type ) exists
- * @sec.triple Create if Triple( uri, RDF.type, type ) does not exist
- * @throws UpdateDeniedException
- * @throws ReadDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredResource createResource(final String uri, final Resource type)
- throws AddDeniedException, UpdateDeniedException, ReadDeniedException, AuthenticationRequiredException;
-
- @Override
- @Deprecated
- public SecuredResource createResource(final String uri, final ResourceF f);
-
- /**
- * @sec.graph Update
- * @sec.triple Create Triple( SecNode.FUTURE, RDF.type, RDF.Alt )
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredSeq createSeq() throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create Triple( uri, RDF.type, RDF.Alt )
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredSeq createSeq(final String uri)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create Triple( s, p, o )
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredStatement createStatement(final Resource s, final Property p, final RDFNode o)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create Triple( s, p, o )
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredStatement createStatement(final Resource s, final Property p, final String o)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create Triple( s, p, o )
- * @throws AddDeniedException
- * @throws UpdateDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredStatement createStatement(final Resource s, final Property p, final String o,
- final boolean wellFormed) throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create Triple( s, p, literal(o,l,false ))
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredStatement createStatement(final Resource s, final Property p, final String o, final String l)
- throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Update
- * @sec.triple Create Triple( s, p, literal(o,l,wellFormed )
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredStatement createStatement(final Resource s, final Property p, final String o, final String l,
- final boolean wellFormed) throws AddDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- @Override
- public SecuredLiteral createTypedLiteral(final boolean v);
-
- @Override
- public Literal createTypedLiteral(final Calendar d);
-
- @Override
- public SecuredLiteral createTypedLiteral(final char v);
-
- @Override
- public SecuredLiteral createTypedLiteral(final double v);
-
- @Override
- public SecuredLiteral createTypedLiteral(final float v);
-
- @Override
- public SecuredLiteral createTypedLiteral(final int v);
-
- @Override
- public SecuredLiteral createTypedLiteral(final long v);
-
- @Override
- public SecuredLiteral createTypedLiteral(final Object value);
-
- @Override
- public SecuredLiteral createTypedLiteral(final Object value, final RDFDatatype dtype);
-
- @Override
- public SecuredLiteral createTypedLiteral(final Object value, final String typeURI);
-
- @Override
- public SecuredLiteral createTypedLiteral(final String v);
-
- @Override
- public SecuredLiteral createTypedLiteral(final String lex, final RDFDatatype dtype);
-
- @Override
- public SecuredLiteral createTypedLiteral(final String lex, final String typeURI);
-
- /**
- * @sec.graph Read
- * @sec.triple Read for every triple contributed to the difference.
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public Model difference(final Model model) throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read if read lock is requested
- * @sec.graph Update if write lock is requested
- * @throws ReadDeniedException
- * @throws UpdateDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public void enterCriticalSection(final boolean readLockRequested)
- throws ReadDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public String expandPrefix(final String prefixed) throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read Triple( resource, RDF.type, RDF.alt )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredAlt getAlt(final Resource r) throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read Triple( uri, RDF.type, RDF.alt )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredAlt getAlt(final String uri) throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read if statement exists
- * @sec.graph Update if statement does not exist
- * @sec.triple Read s as a triple
- * @sec.triple Read Triple( result, RDF.subject, s.getSubject() ) if
- * reification existed
- * @sec.triple Read Triple( result, RDF.predicate, s.getPredicate() ) if
- * reification existed
- * @sec.triple Read Triple( result, RDF.object, s.getObject() ) if
- * reification existed
- * @sec.triple Create Triple( result, RDF.subject, s.getSubject() ) if
- * reification did not exist.
- * @sec.triple Create Triple( result, RDF.predicate, s.getPredicate() ) if
- * reification did not exist
- * @sec.triple Create Triple( result, RDF.object, s.getObject() ) if
- * reification did not exist
- * @throws ReadDeniedException
- * @throws UpdateDeniedException
- * @throws AddDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredResource getAnyReifiedStatement(final Statement s)
- throws AddDeniedException, ReadDeniedException, UpdateDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read Triple( resource, RDF.type, RDF.Bag )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredBag getBag(final Resource r) throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @sec.triple Read Triple( uri, RDF.type, RDF.Bag )
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredBag getBag(final String uri) throws ReadDeniedException, AuthenticationRequiredException;
-
- @Override
- public SecuredGraph getGraph();
-
- /**
- * @sec.graph Read
- * @sec.triple Read on the returned statement.
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredStatement getProperty(final Resource s, final Property p)
- throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public Property getProperty(final String uri) throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public Property getProperty(final String nameSpace, final String localName)
- throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredStatement getProperty(final Resource s, final Property p, final String lang)
- throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * @sec.graph Read if the node exists
- * @sec.graph Update if the node does not exist
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public RDFNode getRDFNode(final Node n) throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * . If the PropertyNotFoundException was thrown by the enclosed
- * securedModel and the user can not read Triple(s, p, SecNode.ANY)
- * AccessDeniedException is thrown, otherwise the PropertyNotFoundException
- * will be thrown.
- *
- * @sec.graph Read
- * @sec.triple Read on the returned statement
- * @sec.triple Read on Triple(s, p, SecNode.ANY) if
- * PropertyNotFoundException was thrown
- * @throws ReadDeniedException
- * @throws PropertyNotFoundException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredStatement getRequiredProperty(final Resource s, final Property p)
- throws PropertyNotFoundException, ReadDeniedException, AuthenticationRequiredException;
-
- /**
- * . If the PropertyNotFoundException was thrown by the enclosed
- * securedModel and the user can not read Triple(s, p, SecNode.ANY)
- * AccessDeniedException is thrown, otherwise the PropertyNotFoundException
- * will be thrown.
- *
- * @sec.graph Read
- * @sec.triple Read on the returned statement
- * @sec.triple Read on Triple(s, p, SecNode.ANY) if
- * PropertyNotFoundException was thrown
- * @throws ReadDeniedException
- * @throws PropertyNotFoundException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredStatement getRequiredProperty(final Resource s, final Property p, String lang)
- throws ReadDeniedException, PropertyNotFoundException, AuthenticationRequiredException;
-
- @Override
- public SecuredResource getResource(final String uri);
-
- @Override
- @Deprecated
- public SecuredResource getResource(final String uri, final ResourceF f);
-
- /**
- *
- * @sec.graph Read
- * @sec.triple Read on Triple(resource, RDF.type, RDF.Seq)
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredSeq getSeq(final Resource r) throws ReadDeniedException, AuthenticationRequiredException;
-
- /**
- *
- * @sec.graph Read
- * @sec.triple Read on Triple(uri, RDF.type, RDF.Seq)
- * @throws ReadDeniedException
- * @throws AuthenticationRequiredException
- * if user is not authenticated and is required to be.
- */
- @Override
- public SecuredSeq getSeq(final String uri) throws ReadDeniedException, AuthenticationRequiredException;
-
- /** Return a RDF List instance in this model.
- *
- * <p>Subsequent operations on the returned list may modify this model.</p>
- * <p>The list is assumed to already exist in the model. If it does not,
- * <CODE>createList</CODE> should be used instead.</p>
- * @return a list instance
- * @param uri the URI of the list
- */
- @Override
- public SecuredRDFList getList(String uri) throws ReadDeniedException, AuthenticationRequiredException;
-
- /** Return a RDF List based on a given resource.
- *
- * <p> This method enables an application to treat any resource as a list.
- * It is in effect an unsafe downcast.</p>
- *
- * <p>Subsequent operations on the returned list may modify this model.</p>
- * <p>The list is assumed to already exist in the model. If it does not,
... 36899 lines suppressed ...