You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@jackrabbit.apache.org by an...@apache.org on 2011/02/18 19:26:48 UTC
svn commit: r1072095 - in
/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core:
./ observation/ security/ security/principal/ security/user/
Author: angela
Date: Fri Feb 18 18:26:47 2011
New Revision: 1072095
URL: http://svn.apache.org/viewvc?rev=1072095&view=rev
Log:
JCR-2886 : Add SessionImpl#isAdminOrSystem
Modified:
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SessionImpl.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SystemSession.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/observation/ObservationManagerImpl.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/DefaultPrincipalProvider.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/user/UserManagerImpl.java
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SessionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SessionImpl.java?rev=1072095&r1=1072094&r2=1072095&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SessionImpl.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SessionImpl.java Fri Feb 18 18:26:47 2011
@@ -65,6 +65,8 @@ import org.apache.commons.collections.It
import org.apache.commons.collections.map.ReferenceMap;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
+import org.apache.jackrabbit.api.security.user.Authorizable;
+import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.commons.AbstractSession;
import org.apache.jackrabbit.core.config.WorkspaceConfig;
@@ -77,8 +79,10 @@ import org.apache.jackrabbit.core.retent
import org.apache.jackrabbit.core.security.AMContext;
import org.apache.jackrabbit.core.security.AccessManager;
import org.apache.jackrabbit.core.security.SecurityConstants;
+import org.apache.jackrabbit.core.security.SystemPrincipal;
import org.apache.jackrabbit.core.security.authentication.AuthContext;
import org.apache.jackrabbit.core.security.authorization.Permission;
+import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
import org.apache.jackrabbit.core.session.SessionContext;
import org.apache.jackrabbit.core.session.SessionItemOperation;
import org.apache.jackrabbit.core.session.SessionOperation;
@@ -378,6 +382,42 @@ public class SessionImpl extends Abstrac
}
/**
+ * Returns <code>true</code> if the subject contains a
+ * <code>SystemPrincipal</code>; <code>false</code> otherwise.
+ *
+ * @return <code>true</code> if this is an system session.
+ */
+ public boolean isSystem() {
+ // NOTE: for backwards compatibility evaluate subject for containing SystemPrincipal
+ // TODO: Q: shouldn't 'isSystem' rather be covered by instances of SystemSession only?
+ return (subject != null && !subject.getPrincipals(SystemPrincipal.class).isEmpty());
+ }
+
+ /**
+ * Returns <code>true</code> if this session has been created for the
+ * administrator. <code>False</code> otherwise.
+ *
+ * @return <code>true</code> if this is an admin session.
+ */
+ public boolean isAdmin() {
+ // NOTE: don't replace by getUserManager()
+ if (userManager != null) {
+ try {
+ Authorizable a = userManager.getAuthorizable(userId);
+ if (a != null && !a.isGroup()) {
+ return ((User) a).isAdmin();
+ }
+ } catch (RepositoryException e) {
+ // no user management -> use fallback
+ }
+
+ }
+ // fallback: user manager not yet initialized or user mgt not supported
+ // -> check for AdminPrincipal being present in the subject.
+ return (subject != null && !subject.getPrincipals(AdminPrincipal.class).isEmpty());
+ }
+
+ /**
* Creates a new session with the same subject as this sessions but to a
* different workspace. The returned session is a newly logged in session,
* with the same subject but a different workspace. Even if the given
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SystemSession.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SystemSession.java?rev=1072095&r1=1072094&r2=1072095&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SystemSession.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SystemSession.java Fri Feb 18 18:26:47 2011
@@ -17,7 +17,6 @@
package org.apache.jackrabbit.core;
import java.util.Collections;
-import java.util.HashSet;
import java.util.Set;
import java.security.Principal;
@@ -59,11 +58,8 @@ class SystemSession extends SessionImpl
RepositoryContext repositoryContext, WorkspaceConfig wspConfig)
throws RepositoryException {
// create subject with SystemPrincipal
- Set<SystemPrincipal> principals = new HashSet<SystemPrincipal>();
- principals.add(new SystemPrincipal());
- Subject subject =
- new Subject(true, principals, Collections.EMPTY_SET,
- Collections.EMPTY_SET);
+ Set<SystemPrincipal> principals = Collections.singleton(new SystemPrincipal());
+ Subject subject = new Subject(true, principals, Collections.emptySet(), Collections.emptySet());
return new SystemSession(repositoryContext, subject, wspConfig);
}
@@ -86,6 +82,7 @@ class SystemSession extends SessionImpl
*
* @return the name of <code>SystemPrincipal</code>.
*/
+ @Override
protected String retrieveUserId(Subject subject, String workspaceName) throws RepositoryException {
return new SystemPrincipal().getName();
}
@@ -105,6 +102,26 @@ class SystemSession extends SessionImpl
return new SystemAccessManager();
}
+ /**
+ * Always returns <code>true</code>.
+ *
+ * @return <code>true</code> as this is an system session instance.
+ */
+ @Override
+ public boolean isSystem() {
+ return true;
+ }
+
+ /**
+ * Always returns <code>false</code>.
+ *
+ * @return <code>false</code> as this is an system session instance.
+ */
+ @Override
+ public boolean isAdmin() {
+ return false;
+ }
+
//--------------------------------------------------------< inner classes >
/**
* An access manager that grants access to everything.
@@ -212,6 +229,7 @@ class SystemSession extends SessionImpl
/**
* @see AbstractAccessControlManager#checkInitialized()
*/
+ @Override
protected void checkInitialized() throws IllegalStateException {
// nop
}
@@ -219,6 +237,7 @@ class SystemSession extends SessionImpl
/**
* @see AbstractAccessControlManager#checkPermission(String,int)
*/
+ @Override
protected void checkPermission(String absPath, int permission) throws
AccessDeniedException, PathNotFoundException, RepositoryException {
// allow everything
@@ -235,6 +254,7 @@ class SystemSession extends SessionImpl
/**
* @see AbstractAccessControlManager#checkValidNodePath(String)
*/
+ @Override
protected void checkValidNodePath(String absPath)
throws PathNotFoundException, RepositoryException {
Path p = getQPath(absPath);
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/observation/ObservationManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/observation/ObservationManagerImpl.java?rev=1072095&r1=1072094&r2=1072095&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/observation/ObservationManagerImpl.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/observation/ObservationManagerImpl.java Fri Feb 18 18:26:47 2011
@@ -21,7 +21,6 @@ import org.apache.jackrabbit.core.id.Nod
import org.apache.jackrabbit.core.cluster.ClusterNode;
import org.apache.jackrabbit.core.nodetype.NodeTypeImpl;
import org.apache.jackrabbit.core.nodetype.NodeTypeManagerImpl;
-import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
import org.apache.jackrabbit.spi.commons.conversion.NameException;
import org.apache.jackrabbit.spi.Path;
import org.slf4j.Logger;
@@ -33,7 +32,6 @@ import javax.jcr.observation.EventJourna
import javax.jcr.observation.EventListener;
import javax.jcr.observation.EventListenerIterator;
import javax.jcr.observation.ObservationManager;
-import javax.security.auth.Subject;
/**
* Each <code>Session</code> instance has its own <code>ObservationManager</code>
@@ -79,10 +77,9 @@ public class ObservationManagerImpl impl
* @param dispatcher observation dispatcher
* @param session the <code>Session</code> this ObservationManager
* belongs to.
- * @param itemMgr {@link org.apache.jackrabbit.core.ItemManager} of the passed
- * <code>Session</code>.
+ * @param clusterNode
* @throws NullPointerException if <code>dispatcher</code>, <code>session</code>
- * or <code>itemMgr</code> is <code>null</code>.
+ * or <code>clusterNode</code> is <code>null</code>.
*/
public ObservationManagerImpl(
ObservationDispatcher dispatcher, SessionImpl session,
@@ -248,10 +245,8 @@ public class ObservationManagerImpl impl
"Event journal is only available in cluster deployments");
}
- Subject subject = session.getSubject();
- if (subject.getPrincipals(AdminPrincipal.class).isEmpty()) {
- throw new RepositoryException("Only administrator session may " +
- "access EventJournal");
+ if (!session.isAdmin()) {
+ throw new RepositoryException("Only administrator session may access EventJournal");
}
EventFilter filter = createEventFilter(
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java?rev=1072095&r1=1072094&r2=1072095&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java Fri Feb 18 18:26:47 2011
@@ -19,6 +19,7 @@ package org.apache.jackrabbit.core.secur
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
import org.apache.jackrabbit.commons.iterator.AccessControlPolicyIteratorAdapter;
import org.apache.jackrabbit.core.HierarchyManager;
+import org.apache.jackrabbit.core.SessionImpl;
import org.apache.jackrabbit.core.id.ItemId;
import org.apache.jackrabbit.core.security.authorization.AccessControlEditor;
import org.apache.jackrabbit.core.security.authorization.AccessControlProvider;
@@ -26,7 +27,6 @@ import org.apache.jackrabbit.core.securi
import org.apache.jackrabbit.core.security.authorization.Permission;
import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
import org.apache.jackrabbit.core.security.authorization.WorkspaceAccessManager;
-import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
import org.apache.jackrabbit.spi.Name;
import org.apache.jackrabbit.spi.Path;
import org.apache.jackrabbit.spi.commons.conversion.NamePathResolver;
@@ -38,6 +38,7 @@ import javax.jcr.AccessDeniedException;
import javax.jcr.ItemNotFoundException;
import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
+import javax.jcr.Session;
import javax.jcr.UnsupportedRepositoryOperationException;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.AccessControlPolicy;
@@ -58,8 +59,8 @@ import java.util.Set;
* Please note the following exceptional situations:<br>
* This manager allows all privileges for a particular item if
* <ul>
- * <li>the Session's Subject contains a {@link SystemPrincipal} <i>or</i>
- * an {@link AdminPrincipal}</li>
+ * <li>the Session's represents a system session or a session associated with
+ * the repository's administrator</li>
* </ul>
* <p/>
* It allows to access all available workspaces if
@@ -137,7 +138,7 @@ public class DefaultAccessManager extend
principals = subject.getPrincipals();
}
- wspAccess = new WorkspaceAccess(wspAccessManager, isSystemOrAdmin(subject));
+ wspAccess = new WorkspaceAccess(wspAccessManager, isSystemOrAdmin(amContext.getSession()));
privilegeRegistry = new PrivilegeRegistry(resolver);
if (acProvider != null) {
@@ -491,15 +492,15 @@ public class DefaultAccessManager extend
}
/**
- * @param subject The subject associated with the session.
+ * @param s the session
* @return if created with system-privileges
*/
- private static boolean isSystemOrAdmin(Subject subject) {
- if (subject == null) {
+ private static boolean isSystemOrAdmin(Session s) {
+ if (s == null || !(s instanceof SessionImpl)) {
return false;
} else {
- return !(subject.getPrincipals(SystemPrincipal.class).isEmpty() &&
- subject.getPrincipals(AdminPrincipal.class).isEmpty());
+ SessionImpl sImpl = (SessionImpl) s;
+ return sImpl.isSystem() || sImpl.isAdmin();
}
}
@@ -513,16 +514,16 @@ public class DefaultAccessManager extend
private final WorkspaceAccessManager wspAccessManager;
- private final boolean isAdmin;
+ private final boolean alwaysAllowed;
// TODO: entries must be cleared if access permission to wsp changes.
private final List <String>allowed;
private final List<String> denied;
private WorkspaceAccess(WorkspaceAccessManager wspAccessManager,
- boolean isAdmin) {
+ boolean alwaysAllowed) {
this.wspAccessManager = wspAccessManager;
- this.isAdmin = isAdmin;
- if (!isAdmin) {
+ this.alwaysAllowed = alwaysAllowed;
+ if (!alwaysAllowed) {
allowed = new ArrayList<String>(5);
denied = new ArrayList<String>(5);
} else {
@@ -531,7 +532,7 @@ public class DefaultAccessManager extend
}
private boolean canAccess(String workspaceName) throws RepositoryException {
- if (isAdmin || wspAccessManager == null || allowed.contains(workspaceName)) {
+ if (alwaysAllowed || wspAccessManager == null || allowed.contains(workspaceName)) {
return true;
} else if (denied.contains(workspaceName)) {
return false;
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/DefaultPrincipalProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/DefaultPrincipalProvider.java?rev=1072095&r1=1072094&r2=1072095&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/DefaultPrincipalProvider.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/DefaultPrincipalProvider.java Fri Feb 18 18:26:47 2011
@@ -24,7 +24,6 @@ import org.apache.jackrabbit.api.securit
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.core.SessionImpl;
import org.apache.jackrabbit.core.observation.SynchronousEventListener;
-import org.apache.jackrabbit.core.security.SystemPrincipal;
import org.apache.jackrabbit.core.security.user.UserManagerImpl;
import org.apache.jackrabbit.spi.commons.conversion.NameResolver;
import org.apache.jackrabbit.util.Text;
@@ -36,7 +35,6 @@ import javax.jcr.Session;
import javax.jcr.observation.Event;
import javax.jcr.observation.EventIterator;
import javax.jcr.observation.EventListener;
-import javax.security.auth.Subject;
import java.security.Principal;
import java.util.Iterator;
import java.util.LinkedHashSet;
@@ -224,9 +222,7 @@ public class DefaultPrincipalProvider ex
// given principal
if (session instanceof SessionImpl) {
SessionImpl sImpl = (SessionImpl) session;
- Subject subject = sImpl.getSubject();
- if (!subject.getPrincipals(SystemPrincipal.class).isEmpty()
- || !subject.getPrincipals(AdminPrincipal.class).isEmpty()) {
+ if (sImpl.isAdmin() || sImpl.isSystem()) {
return true;
}
try {
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/user/UserManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/user/UserManagerImpl.java?rev=1072095&r1=1072094&r2=1072095&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/user/UserManagerImpl.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/user/UserManagerImpl.java Fri Feb 18 18:26:47 2011
@@ -29,7 +29,6 @@ import org.apache.jackrabbit.core.Protec
import org.apache.jackrabbit.core.SessionImpl;
import org.apache.jackrabbit.core.SessionListener;
import org.apache.jackrabbit.core.id.NodeId;
-import org.apache.jackrabbit.core.security.SystemPrincipal;
import org.apache.jackrabbit.core.security.principal.EveryonePrincipal;
import org.apache.jackrabbit.core.security.principal.PrincipalImpl;
import org.apache.jackrabbit.core.session.SessionOperation;
@@ -250,11 +249,6 @@ public class UserManagerImpl extends Pro
private final boolean compatibleJR16;
/**
- * boolean flag indicating whether the editing session is a system session.
- */
- private final boolean isSystemUserManager;
-
- /**
* Maximum number of properties on the group membership node structure under
* {@link UserConstants#N_MEMBERS} until additional intermediate nodes are inserted.
* If 0 (default), {@link UserConstants#P_MEMBERS} is used to record group
@@ -341,17 +335,6 @@ public class UserManagerImpl extends Pro
}
authResolver = nr;
authResolver.setSearchRoots(usersPath, groupsPath);
-
- /**
- * evaluate if the editing session is a system session. since the
- * SystemSession class is package protected the session object cannot
- * be checked for the property instance.
- *
- * workaround: compare the class name and check if the subject contains
- * the system principal.
- */
- isSystemUserManager = "org.apache.jackrabbit.core.SystemSession".equals(session.getClass().getName()) &&
- !session.getSubject().getPrincipals(SystemPrincipal.class).isEmpty();
}
/**
@@ -412,7 +395,7 @@ public class UserManagerImpl extends Pro
* node an explicit test for the current editing session being
* a system session is performed.
*/
- if (a == null && adminId.equals(id) && isSystemUserManager) {
+ if (a == null && adminId.equals(id) && session.isSystem()) {
log.info("Admin user does not exist.");
a = createAdmin();
}