You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@jackrabbit.apache.org by ju...@apache.org on 2009/09/08 18:09:45 UTC
svn commit: r812570 [12/24] - in /jackrabbit/sandbox/JCR-1456: ./
jackrabbit-api/ jackrabbit-api/src/main/appended-resources/
jackrabbit-api/src/main/appended-resources/META-INF/
jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/ jackrabb...
Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java?rev=812570&r1=812569&r2=812570&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java Tue Sep 8 16:09:28 2009
@@ -16,37 +16,37 @@
*/
package org.apache.jackrabbit.core.security.authorization.acl;
-import org.apache.commons.collections.map.ListOrderedMap;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.jcr.NodeIterator;
+import javax.jcr.PropertyType;
+import javax.jcr.RepositoryException;
+import javax.jcr.Value;
+import javax.jcr.ValueFactory;
+import javax.jcr.security.AccessControlEntry;
+import javax.jcr.security.AccessControlException;
+import javax.jcr.security.AccessControlManager;
+import javax.jcr.security.Privilege;
+
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
-import org.apache.jackrabbit.api.security.principal.NoSuchPrincipalException;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.core.NodeImpl;
import org.apache.jackrabbit.core.SessionImpl;
+import org.apache.jackrabbit.core.security.authorization.AbstractACLTemplate;
import org.apache.jackrabbit.core.security.authorization.AccessControlConstants;
import org.apache.jackrabbit.core.security.authorization.AccessControlEntryImpl;
import org.apache.jackrabbit.core.security.authorization.Permission;
import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
import org.apache.jackrabbit.core.security.principal.PrincipalImpl;
+import org.apache.jackrabbit.core.security.principal.UnknownPrincipal;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.jcr.NodeIterator;
-import javax.jcr.PropertyType;
-import javax.jcr.RepositoryException;
-import javax.jcr.Value;
-import javax.jcr.ValueFactory;
-import javax.jcr.security.AccessControlEntry;
-import javax.jcr.security.AccessControlException;
-import javax.jcr.security.AccessControlManager;
-import javax.jcr.security.Privilege;
-import java.security.Principal;
-import java.security.acl.Group;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-
/**
* Implementation of the {@link org.apache.jackrabbit.api.security.JackrabbitAccessControlList} interface that
* is detached from the effective access control content. Consequently, any
@@ -54,21 +54,16 @@
* {@link javax.jcr.security.AccessControlManager#setPolicy(String, javax.jcr.security.AccessControlPolicy) reapplied}
* to the <code>AccessControlManager</code> and the changes are saved.
*/
-class ACLTemplate implements JackrabbitAccessControlList {
+class ACLTemplate extends AbstractACLTemplate {
private static final Logger log = LoggerFactory.getLogger(ACLTemplate.class);
/**
- * Path of the node this ACL template has been created for.
- */
- private final String path;
-
- /**
* Map containing the entries of this ACL Template using the principal
* name as key. The value represents a List containing maximal one grant
* and one deny ACE per principal.
*/
- private final Map entries = new ListOrderedMap();
+ private final Map<String, List<Entry>> entries = new LinkedHashMap<String, List<Entry>>();
/**
* The principal manager used for validation checks
@@ -81,41 +76,35 @@
private final PrivilegeRegistry privilegeRegistry;
/**
- * The value factory
- */
- private final ValueFactory valueFactory;
-
- /**
* Construct a new empty {@link ACLTemplate}.
*
- * @param path
- * @param privilegeRegistry
- * @param principalMgr
+ * @param path path
+ * @param privilegeRegistry registry
+ * @param valueFactory value factory
+ * @param principalMgr manager
*/
ACLTemplate(String path, PrincipalManager principalMgr,
PrivilegeRegistry privilegeRegistry, ValueFactory valueFactory) {
- this.path = path;
+ super(path, valueFactory);
this.principalMgr = principalMgr;
this.privilegeRegistry = privilegeRegistry;
- this.valueFactory = valueFactory;
}
/**
* Create a {@link ACLTemplate} that is used to edit an existing ACL
* node.
*
- * @param aclNode
- * @param privilegeRegistry
- * @throws RepositoryException
+ * @param aclNode node
+ * @param privilegeRegistry registry
+ * @throws RepositoryException if an error occurs
*/
ACLTemplate(NodeImpl aclNode, PrivilegeRegistry privilegeRegistry) throws RepositoryException {
+ super((aclNode != null) ? aclNode.getParent().getPath() : null, (aclNode != null) ? aclNode.getSession().getValueFactory() : null);
if (aclNode == null || !aclNode.isNodeType(AccessControlConstants.NT_REP_ACL)) {
throw new IllegalArgumentException("Node must be of type 'rep:ACL'");
}
SessionImpl sImpl = (SessionImpl) aclNode.getSession();
- path = aclNode.getParent().getPath();
principalMgr = sImpl.getPrincipalManager();
- valueFactory = sImpl.getValueFactory();
this.privilegeRegistry = privilegeRegistry;
@@ -126,14 +115,7 @@
NodeImpl aceNode = (NodeImpl) itr.nextNode();
try {
String principalName = aceNode.getProperty(AccessControlConstants.P_PRINCIPAL_NAME).getString();
- Principal princ = null;
- if (principalMgr.hasPrincipal(principalName)) {
- try {
- princ = principalMgr.getPrincipal(principalName);
- } catch (NoSuchPrincipalException e) {
- // should not get here.
- }
- }
+ Principal princ = principalMgr.getPrincipal(principalName);
if (princ == null) {
log.debug("Principal with name " + principalName + " unknown to PrincipalManager.");
princ = new PrincipalImpl(principalName);
@@ -163,12 +145,12 @@
* specified names and return a map consisting of principal name key
* and a list of ACEs as value.
*
- * @param aclNode
+ * @param aclNode acl node
* @param princToEntries Map of key = principalName and value = ArrayList
* to be filled with ACEs matching the principal names.
- * @throws RepositoryException
+ * @throws RepositoryException if an error occurs
*/
- static void collectEntries(NodeImpl aclNode, Map princToEntries)
+ static void collectEntries(NodeImpl aclNode, Map<String, List<AccessControlEntry>> princToEntries)
throws RepositoryException {
SessionImpl sImpl = (SessionImpl) aclNode.getSession();
PrincipalManager principalMgr = sImpl.getPrincipalManager();
@@ -180,14 +162,7 @@
String principalName = aceNode.getProperty(AccessControlConstants.P_PRINCIPAL_NAME).getString();
// only process aceNode if 'principalName' is contained in the given set
if (princToEntries.containsKey(principalName)) {
- Principal princ = null;
- if (principalMgr.hasPrincipal(principalName)) {
- try {
- princ = principalMgr.getPrincipal(principalName);
- } catch (NoSuchPrincipalException e) {
- // should not get here
- }
- }
+ Principal princ = principalMgr.getPrincipal(principalName);
if (princ == null) {
log.warn("Principal with name " + principalName + " unknown to PrincipalManager.");
princ = new PrincipalImpl(principalName);
@@ -205,31 +180,31 @@
aceNode.isNodeType(AccessControlConstants.NT_REP_GRANT_ACE),
sImpl.getValueFactory());
// add it to the proper list (e.g. separated by principals)
- ((List) princToEntries.get(principalName)).add(ace);
+ princToEntries.get(principalName).add(ace);
}
}
}
- private List internalGetEntries() {
- List l = new ArrayList();
- for (Iterator it = entries.values().iterator(); it.hasNext();) {
- l.addAll((List) it.next());
+ private List<? extends AccessControlEntry> internalGetEntries() {
+ List<Entry> l = new ArrayList<Entry>();
+ for (List<Entry> o : entries.values()) {
+ l.addAll(o);
}
return l;
}
- private List internalGetEntries(Principal principal) {
+ private List<Entry> internalGetEntries(Principal principal) {
String principalName = principal.getName();
if (entries.containsKey(principalName)) {
- return (List) entries.get(principalName);
+ return entries.get(principalName);
} else {
- return new ArrayList(2);
+ return new ArrayList<Entry>(2);
}
}
private synchronized boolean internalAdd(Entry entry) throws AccessControlException {
Principal principal = entry.getPrincipal();
- List l = internalGetEntries(principal);
+ List<Entry> l = internalGetEntries(principal);
if (l.isEmpty()) {
// simple case: just add the new entry
l.add(entry);
@@ -240,9 +215,9 @@
// the same entry is already contained -> no modification
return false;
}
- // ev. need to adjust existing entries
+ // check if need to adjust existing entries
Entry complementEntry = null;
- Entry[] entries = (Entry[]) l.toArray(new Entry[l.size()]);
+ Entry[] entries = l.toArray(new Entry[l.size()]);
for (int i = 0; i < entries.length; i++) {
if (entry.isAllow() == entries[i].isAllow()) {
int existingPrivs = entries[i].getPrivilegeBits();
@@ -253,7 +228,7 @@
}
// remove the existing entry and create a new that includes
- // both the new privileges and the existing onces.
+ // both the new privileges and the existing ones.
l.remove(i);
int mergedBits = entries[i].getPrivilegeBits() | entry.getPrivilegeBits();
Privilege[] mergedPrivs = privilegeRegistry.getPrivileges(mergedBits);
@@ -265,7 +240,7 @@
}
// make sure, that the complement entry (if existing) does not
- // grant/deny the same privileges -> remove privs that are now
+ // grant/deny the same privileges -> remove privileges that are now
// denied/granted.
if (complementEntry != null) {
int complPrivs = complementEntry.getPrivilegeBits();
@@ -288,22 +263,22 @@
}
}
+ //------------------------------------------------< AbstractACLTemplate >---
/**
- *
- * @param principal
- * @param privileges
- * @param isAllow
- * @throws AccessControlException
+ * @see AbstractACLTemplate#checkValidEntry(java.security.Principal, javax.jcr.security.Privilege[], boolean, java.util.Map)
*/
- private void checkValidEntry(Principal principal, Privilege[] privileges, boolean isAllow) throws AccessControlException {
+ protected void checkValidEntry(Principal principal, Privilege[] privileges,
+ boolean isAllow, Map<String, Value> restrictions)
+ throws AccessControlException {
+ if (restrictions != null && !restrictions.isEmpty()) {
+ throw new AccessControlException("This AccessControlList does not allow for additional restrictions.");
+ }
// validate principal
- if (!principalMgr.hasPrincipal(principal.getName())) {
+ if (principal instanceof UnknownPrincipal) {
+ log.debug("Consider fallback principal as valid: {}", principal.getName());
+ } else if (!principalMgr.hasPrincipal(principal.getName())) {
throw new AccessControlException("Principal " + principal.getName() + " does not exist.");
}
- // additional validation: a group may not have 'denied' permissions
- if (!isAllow && principal instanceof Group) {
- throw new AccessControlException("For group principals permissions can only be added but not denied.");
- }
}
//--------------------------------------------------< AccessControlList >---
@@ -311,16 +286,8 @@
* @see javax.jcr.security.AccessControlList#getAccessControlEntries()
*/
public AccessControlEntry[] getAccessControlEntries() throws RepositoryException {
- List l = internalGetEntries();
- return (AccessControlEntry[]) l.toArray(new AccessControlEntry[l.size()]);
- }
-
- /**
- * @see javax.jcr.security.AccessControlList#addAccessControlEntry(Principal, Privilege[])
- */
- public boolean addAccessControlEntry(Principal principal, Privilege[] privileges)
- throws AccessControlException, RepositoryException {
- return addEntry(principal, privileges, true, Collections.EMPTY_MAP);
+ List<? extends AccessControlEntry> l = internalGetEntries();
+ return l.toArray(new AccessControlEntry[l.size()]);
}
/**
@@ -341,14 +308,7 @@
}
}
- //-----------------------------------------------------< JackrabbitAccessControlList >---
- /**
- * @see org.apache.jackrabbit.api.security.JackrabbitAccessControlList#getPath()
- */
- public String getPath() {
- return path;
- }
-
+ //----------------------------------------< JackrabbitAccessControlList >---
/**
* Returns an empty String array.
*
@@ -383,24 +343,12 @@
}
/**
- * @see org.apache.jackrabbit.api.security.JackrabbitAccessControlList#addEntry(Principal, Privilege[], boolean)
- */
- public boolean addEntry(Principal principal, Privilege[] privileges, boolean isAllow)
- throws AccessControlException, RepositoryException {
- return addEntry(principal, privileges, isAllow, null);
- }
-
- /**
* @see org.apache.jackrabbit.api.security.JackrabbitAccessControlList#addEntry(Principal, Privilege[], boolean, Map)
*/
public boolean addEntry(Principal principal, Privilege[] privileges,
boolean isAllow, Map<String, Value> restrictions)
throws AccessControlException, RepositoryException {
- if (restrictions != null && !restrictions.isEmpty()) {
- throw new AccessControlException("This AccessControlList does not allow for additional restrictions.");
- }
-
- checkValidEntry(principal, privileges, isAllow);
+ checkValidEntry(principal, privileges, isAllow, restrictions);
Entry ace = new Entry(principal, privileges, isAllow, valueFactory);
return internalAdd(ace);
}
@@ -442,8 +390,9 @@
*/
static class Entry extends AccessControlEntryImpl {
- Entry(Principal principal, Privilege[] privileges, boolean allow, ValueFactory valueFactory) throws AccessControlException {
- super(principal, privileges, allow, Collections.EMPTY_MAP, valueFactory);
+ Entry(Principal principal, Privilege[] privileges, boolean allow, ValueFactory valueFactory)
+ throws AccessControlException {
+ super(principal, privileges, allow, Collections.<String, Value>emptyMap(), valueFactory);
}
}
}
Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedEditor.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedEditor.java?rev=812570&r1=812569&r2=812570&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedEditor.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedEditor.java Tue Sep 8 16:09:28 2009
@@ -49,8 +49,8 @@
*/
public AccessControlPolicy[] getPolicies(String nodePath) throws AccessControlException, PathNotFoundException, RepositoryException {
List<AccessControlPolicy> templates = new ArrayList<AccessControlPolicy>();
- for (int i = 0; i < editors.length; i++) {
- AccessControlPolicy[] ts = editors[i].getPolicies(nodePath);
+ for (AccessControlEditor editor : editors) {
+ AccessControlPolicy[] ts = editor.getPolicies(nodePath);
if (ts != null && ts.length > 0) {
templates.addAll(Arrays.asList(ts));
}
@@ -63,8 +63,8 @@
*/
public JackrabbitAccessControlPolicy[] getPolicies(Principal principal) throws AccessControlException, RepositoryException {
List<JackrabbitAccessControlPolicy> templates = new ArrayList<JackrabbitAccessControlPolicy>();
- for (int i = 0; i < editors.length; i++) {
- JackrabbitAccessControlPolicy[] ts = editors[i].getPolicies(principal);
+ for (AccessControlEditor editor : editors) {
+ JackrabbitAccessControlPolicy[] ts = editor.getPolicies(principal);
if (ts != null && ts.length > 0) {
templates.addAll(Arrays.asList(ts));
}
@@ -77,9 +77,9 @@
*/
public AccessControlPolicy[] editAccessControlPolicies(String nodePath) throws AccessControlException, PathNotFoundException, RepositoryException {
List<AccessControlPolicy> templates = new ArrayList<AccessControlPolicy>();
- for (int i = 0; i < editors.length; i++) {
+ for (AccessControlEditor editor : editors) {
try {
- templates.addAll(Arrays.asList(editors[i].editAccessControlPolicies(nodePath)));
+ templates.addAll(Arrays.asList(editor.editAccessControlPolicies(nodePath)));
} catch (AccessControlException e) {
log.debug(e.getMessage());
// ignore.
@@ -93,9 +93,9 @@
*/
public JackrabbitAccessControlPolicy[] editAccessControlPolicies(Principal principal) throws RepositoryException {
List<JackrabbitAccessControlPolicy> templates = new ArrayList<JackrabbitAccessControlPolicy>();
- for (int i = 0; i < editors.length; i++) {
+ for (AccessControlEditor editor : editors) {
try {
- templates.addAll(Arrays.asList(editors[i].editAccessControlPolicies(principal)));
+ templates.addAll(Arrays.asList(editor.editAccessControlPolicies(principal)));
} catch (AccessControlException e) {
log.debug(e.getMessage());
// ignore.
@@ -108,12 +108,12 @@
* @see AccessControlEditor#setPolicy(String,AccessControlPolicy)
*/
public void setPolicy(String nodePath, AccessControlPolicy template) throws AccessControlException, PathNotFoundException, RepositoryException {
- for (int i = 0; i < editors.length; i++) {
+ for (AccessControlEditor editor : editors) {
try {
// return as soon as the first editor successfully handled the
// specified template
- editors[i].setPolicy(nodePath, template);
- log.debug("Set template " + template + " using " + editors[i]);
+ editor.setPolicy(nodePath, template);
+ log.debug("Set template " + template + " using " + editor);
return;
} catch (AccessControlException e) {
log.debug(e.getMessage());
@@ -130,12 +130,12 @@
*/
public void removePolicy(String nodePath,
AccessControlPolicy policy) throws AccessControlException, PathNotFoundException, RepositoryException {
- for (int i = 0; i < editors.length; i++) {
+ for (AccessControlEditor editor : editors) {
try {
// return as soon as the first editor successfully handled the
// specified template
- editors[i].removePolicy(nodePath, policy);
- log.debug("Removed template " + policy + " using " + editors[i]);
+ editor.removePolicy(nodePath, policy);
+ log.debug("Removed template " + policy + " using " + editor);
return;
} catch (AccessControlException e) {
log.debug(e.getMessage());
Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedProvider.java?rev=812570&r1=812569&r2=812570&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedProvider.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedProvider.java Tue Sep 8 16:09:28 2009
@@ -41,6 +41,7 @@
import java.util.HashMap;
import java.util.Arrays;
import java.util.Iterator;
+import java.security.Principal;
/**
* <code>CombinedProvider</code>...
@@ -56,8 +57,8 @@
* @see AccessControlUtils#isAcItem(Path)
*/
public boolean isAcItem(Path absPath) throws RepositoryException {
- for (int i = 0; i < providers.length; i++) {
- if (providers[i] instanceof AccessControlUtils && ((AccessControlUtils) providers[i]).isAcItem(absPath)) {
+ for (AccessControlProvider provider : providers) {
+ if (provider instanceof AccessControlUtils && ((AccessControlUtils) provider).isAcItem(absPath)) {
return true;
}
}
@@ -68,8 +69,8 @@
* @see AccessControlUtils#isAcItem(ItemImpl)
*/
public boolean isAcItem(ItemImpl item) throws RepositoryException {
- for (int i = 0; i < providers.length; i++) {
- if (providers[i] instanceof AccessControlUtils && ((AccessControlUtils) providers[i]).isAcItem(item)) {
+ for (AccessControlProvider provider : providers) {
+ if (provider instanceof AccessControlUtils && ((AccessControlUtils) provider).isAcItem(item)) {
return true;
}
}
@@ -81,8 +82,8 @@
* @see AccessControlProvider#close()
*/
public void close() {
- for (int i = 0; i < providers.length; i++) {
- providers[i].close();
+ for (AccessControlProvider provider : providers) {
+ provider.close();
}
super.close();
}
@@ -93,11 +94,11 @@
public void init(Session systemSession, Map configuration) throws RepositoryException {
super.init(systemSession, configuration);
- // this provider combines the result of 2 (currently hardcoded) AC-providers
+ // this provider combines the result of 2 (currently hard coded) AC-providers
// TODO: make this configurable
providers = new AccessControlProvider[2];
- // 1) a resource-based ACL provider, that is not inited with default
+ // 1) a resource-based ACL provider, that is not initialized with default
// permissions and should only be used to overrule the permissions
// granted or denied by the default provider (see 2).
providers[0] = new org.apache.jackrabbit.core.security.authorization.acl.ACLProvider();
@@ -117,11 +118,11 @@
*/
public AccessControlPolicy[] getEffectivePolicies(Path absPath)
throws ItemNotFoundException, RepositoryException {
- List l = new ArrayList();
- for (int i = 0; i < providers.length; i++) {
- l.addAll(Arrays.asList(providers[i].getEffectivePolicies(absPath)));
+ List<AccessControlPolicy> l = new ArrayList<AccessControlPolicy>();
+ for (AccessControlProvider provider : providers) {
+ l.addAll(Arrays.asList(provider.getEffectivePolicies(absPath)));
}
- return (AccessControlPolicy[]) l.toArray(new AccessControlPolicy[l.size()]);
+ return l.toArray(new AccessControlPolicy[l.size()]);
}
/**
@@ -129,17 +130,17 @@
*/
public AccessControlEditor getEditor(Session editingSession) {
checkInitialized();
- List editors = new ArrayList();
- for (int i = 0; i < providers.length; i++) {
+ List<AccessControlEditor> editors = new ArrayList<AccessControlEditor>();
+ for (AccessControlProvider provider : providers) {
try {
- editors.add(providers[i].getEditor(editingSession));
+ editors.add(provider.getEditor(editingSession));
} catch (RepositoryException e) {
log.debug(e.getMessage());
// ignore.
}
}
if (!editors.isEmpty()) {
- return new CombinedEditor((AccessControlEditor[]) editors.toArray(new AccessControlEditor[editors.size()]));
+ return new CombinedEditor(editors.toArray(new AccessControlEditor[editors.size()]));
} else {
log.debug("None of the derived access control providers supports editing.");
return null;
@@ -149,7 +150,7 @@
/**
* @see AccessControlProvider#compilePermissions(Set)
*/
- public CompiledPermissions compilePermissions(Set principals) throws RepositoryException {
+ public CompiledPermissions compilePermissions(Set<Principal> principals) throws RepositoryException {
checkInitialized();
if (isAdminOrSystem(principals)) {
return getAdminPermissions();
@@ -161,7 +162,7 @@
/**
* @see AccessControlProvider#canAccessRoot(Set)
*/
- public boolean canAccessRoot(Set principals) throws RepositoryException {
+ public boolean canAccessRoot(Set<Principal> principals) throws RepositoryException {
checkInitialized();
if (isAdminOrSystem(principals)) {
return true;
@@ -182,20 +183,21 @@
*/
private class CompiledPermissionImpl extends AbstractCompiledPermissions {
- private final List cPermissions;
+ private final List<AbstractCompiledPermissions> cPermissions;
/**
- * @param principals
+ * @param principals the principals
+ * @throws RepositoryException if an error occurs
*/
- private CompiledPermissionImpl(Set principals) throws
+ private CompiledPermissionImpl(Set<Principal> principals) throws
RepositoryException {
- this.cPermissions = new ArrayList();
- for (int i = 0; i < providers.length; i++) {
- CompiledPermissions cp = providers[i].compilePermissions(principals);
+ this.cPermissions = new ArrayList<AbstractCompiledPermissions>();
+ for (AccessControlProvider provider : providers) {
+ CompiledPermissions cp = provider.compilePermissions(principals);
if (cp instanceof AbstractCompiledPermissions) {
- cPermissions.add(cp);
+ cPermissions.add((AbstractCompiledPermissions) cp);
} else {
- // TODO: deal with other impls.
+ // TODO: deal with other implementations
log.warn("AbstractCompiledPermissions expected. Found " + cp.getClass().getName() + " -> ignore.");
}
}
@@ -207,8 +209,7 @@
*/
protected Result buildResult(Path absPath) throws RepositoryException {
Result res = null;
- for (Iterator it = cPermissions.iterator(); it.hasNext();) {
- AbstractCompiledPermissions acp = (AbstractCompiledPermissions) it.next();
+ for (AbstractCompiledPermissions acp : cPermissions) {
Result other = acp.getResult(absPath);
res = (res == null) ? other : res.combine(other);
}
Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLEditor.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLEditor.java?rev=812570&r1=812569&r2=812570&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLEditor.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLEditor.java Tue Sep 8 16:09:28 2009
@@ -29,7 +29,7 @@
import org.apache.jackrabbit.core.security.authorization.AccessControlConstants;
import org.apache.jackrabbit.core.security.authorization.AccessControlEditor;
import org.apache.jackrabbit.core.security.authorization.Permission;
-import org.apache.jackrabbit.core.security.principal.ItemBasedPrincipal;
+import org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal;
import org.apache.jackrabbit.core.security.principal.PrincipalImpl;
import org.apache.jackrabbit.spi.Name;
import org.apache.jackrabbit.spi.Path;
@@ -54,6 +54,7 @@
public class ACLEditor extends ProtectedItemModifier implements AccessControlEditor, AccessControlConstants {
private static Logger log = LoggerFactory.getLogger(ACLEditor.class);
+
/**
* Default name for ace nodes
*/
@@ -63,6 +64,7 @@
* the editing session
*/
private final SessionImpl session;
+
private final String acRootPath;
ACLEditor(SessionImpl session, Path acRootPath) throws RepositoryException {
@@ -142,7 +144,7 @@
} // else: acl has already been set before -> use getPolicies instead
}
- // nodePath not below rep:accesscontrol -> not editable
+ // nodePath not below rep:policy -> not editable
// or policy has been set before in which case getPolicies should be used instead.
return new AccessControlPolicy[0];
}
@@ -175,7 +177,8 @@
/**
* @see AccessControlEditor#setPolicy(String,AccessControlPolicy)
*/
- public void setPolicy(String nodePath, AccessControlPolicy policy) throws AccessControlException, PathNotFoundException, RepositoryException {
+ public void setPolicy(String nodePath, AccessControlPolicy policy)
+ throws AccessControlException, PathNotFoundException, RepositoryException {
checkProtectsNode(nodePath);
checkValidPolicy(nodePath, policy);
@@ -201,8 +204,8 @@
/* add all new entries defined on the template */
AccessControlEntry[] aces = acl.getAccessControlEntries();
- for (int i = 0; i < aces.length; i++) {
- JackrabbitAccessControlEntry ace = (JackrabbitAccessControlEntry) aces[i];
+ for (AccessControlEntry ace1 : aces) {
+ JackrabbitAccessControlEntry ace = (JackrabbitAccessControlEntry) ace1;
// create the ACE node
Name nodeName = getUniqueNodeName(aclNode, "entry");
@@ -222,9 +225,9 @@
// store the restrictions:
String[] restrNames = ace.getRestrictionNames();
- for (int rnIndex = 0; rnIndex < restrNames.length; rnIndex++) {
- Name pName = session.getQName(restrNames[rnIndex]);
- Value value = ace.getRestriction(restrNames[rnIndex]);
+ for (String restrName : restrNames) {
+ Name pName = session.getQName(restrName);
+ Value value = ace.getRestriction(restrName);
setProperty(aceNode, pName, value);
}
}
@@ -257,16 +260,17 @@
//------------------------------------------------------------< private >---
/**
*
- * @param nodePath
- * @return
- * @throws PathNotFoundException
- * @throws RepositoryException
+ * @param nodePath the node path
+ * @return the node
+ * @throws PathNotFoundException if the node does not exist
+ * @throws RepositoryException if an error occurs
*/
- private NodeImpl getAcNode(String nodePath) throws PathNotFoundException, RepositoryException {
+ private NodeImpl getAcNode(String nodePath) throws PathNotFoundException,
+ RepositoryException {
if (Text.isDescendant(acRootPath, nodePath)) {
return (NodeImpl) session.getNode(nodePath);
} else {
- // node outside of rep:accesscontrol tree -> not handled by this editor.
+ // node outside of rep:policy tree -> not handled by this editor.
return null;
}
}
@@ -324,7 +328,7 @@
* defining content. It this case setting or modifying an AC-policy is
* obviously not possible.
*
- * @param nodePath
+ * @param nodePath the node path
* @throws AccessControlException If the given id identifies a Node that
* represents a ACL or ACE item.
* @throws RepositoryException
@@ -341,9 +345,9 @@
/**
* Check if the specified policy can be set or removed at nodePath.
*
- * @param nodePath
- * @param policy
- * @throws AccessControlException
+ * @param nodePath the node path
+ * @param policy the policy
+ * @throws AccessControlException if not allowed
*/
private void checkValidPolicy(String nodePath, AccessControlPolicy policy)
throws AccessControlException {
@@ -358,9 +362,9 @@
/**
*
- * @param principal
- * @return
- * @throws RepositoryException
+ * @param principal the principal
+ * @return the path
+ * @throws RepositoryException if an error occurs
*/
String getPathToAcNode(Principal principal) throws RepositoryException {
StringBuffer princPath = new StringBuffer(acRootPath);
@@ -376,11 +380,7 @@
private Principal getPrincipal(String pathToACNode) throws RepositoryException {
String name = getPrincipalName(pathToACNode);
PrincipalManager pMgr = session.getPrincipalManager();
- if (pMgr.hasPrincipal(name)) {
- return pMgr.getPrincipal(name);
- } else {
- return null;
- }
+ return pMgr.getPrincipal(name);
}
private static String getPrincipalName(String pathToACNode) {
@@ -389,9 +389,9 @@
/**
*
- * @param node
- * @return
- * @throws RepositoryException
+ * @param node the node
+ * @return <code>true</code> if access controlled
+ * @throws RepositoryException if an error occurs
*/
private static boolean isAccessControlled(NodeImpl node) throws RepositoryException {
return node != null && node.isNodeType(NT_REP_PRINCIPAL_ACCESS_CONTROL) && node.hasNode(N_POLICY);
@@ -399,9 +399,9 @@
/**
*
- * @param acNode
- * @return
- * @throws RepositoryException
+ * @param acNode the acl node
+ * @return the polict
+ * @throws RepositoryException if an error occurs
*/
private JackrabbitAccessControlPolicy createTemplate(NodeImpl acNode) throws RepositoryException {
if (!acNode.isNodeType(NT_REP_PRINCIPAL_ACCESS_CONTROL)) {
@@ -425,8 +425,8 @@
*
* @param node a name for the child is resolved
* @param name if missing the {@link #DEFAULT_ACE_NAME} is taken
- * @return
- * @throws RepositoryException
+ * @return the name
+ * @throws RepositoryException if an error occurs
*/
protected static Name getUniqueNodeName(Node node, String name) throws RepositoryException {
if (name == null) {
Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.java?rev=812570&r1=812569&r2=812570&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.java Tue Sep 8 16:09:28 2009
@@ -16,49 +16,49 @@
*/
package org.apache.jackrabbit.core.security.authorization.principalbased;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import javax.jcr.Item;
+import javax.jcr.ItemNotFoundException;
+import javax.jcr.PropertyType;
+import javax.jcr.RepositoryException;
+import javax.jcr.Session;
+import javax.jcr.Value;
+import javax.jcr.ValueFactory;
+import javax.jcr.observation.Event;
+import javax.jcr.observation.EventIterator;
+import javax.jcr.security.AccessControlEntry;
+import javax.jcr.security.AccessControlException;
+import javax.jcr.security.AccessControlManager;
+import javax.jcr.security.AccessControlPolicy;
+import javax.jcr.security.Privilege;
+
+import org.apache.jackrabbit.api.security.principal.PrincipalManager;
+import org.apache.jackrabbit.core.ItemImpl;
+import org.apache.jackrabbit.core.NodeImpl;
+import org.apache.jackrabbit.core.SessionImpl;
+import org.apache.jackrabbit.core.observation.SynchronousEventListener;
+import org.apache.jackrabbit.core.security.SecurityConstants;
import org.apache.jackrabbit.core.security.authorization.AbstractAccessControlProvider;
+import org.apache.jackrabbit.core.security.authorization.AbstractCompiledPermissions;
import org.apache.jackrabbit.core.security.authorization.AccessControlConstants;
-import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
import org.apache.jackrabbit.core.security.authorization.AccessControlEditor;
import org.apache.jackrabbit.core.security.authorization.CompiledPermissions;
import org.apache.jackrabbit.core.security.authorization.Permission;
-import org.apache.jackrabbit.core.security.authorization.AbstractCompiledPermissions;
-import org.apache.jackrabbit.core.security.SecurityConstants;
-import org.apache.jackrabbit.core.NodeImpl;
-import org.apache.jackrabbit.core.SessionImpl;
-import org.apache.jackrabbit.core.ItemImpl;
-import org.apache.jackrabbit.core.observation.SynchronousEventListener;
+import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
import org.apache.jackrabbit.spi.Path;
import org.apache.jackrabbit.spi.commons.name.PathFactoryImpl;
-import org.apache.jackrabbit.api.security.principal.PrincipalManager;
-import javax.jcr.security.AccessControlPolicy;
-import javax.jcr.security.AccessControlEntry;
-import javax.jcr.security.Privilege;
-import javax.jcr.security.AccessControlManager;
-import javax.jcr.security.AccessControlException;
-
import org.apache.jackrabbit.util.Text;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.jcr.RepositoryException;
-import javax.jcr.Session;
-import javax.jcr.Item;
-import javax.jcr.ItemNotFoundException;
-import javax.jcr.PropertyType;
-import javax.jcr.ValueFactory;
-import javax.jcr.observation.Event;
-import javax.jcr.observation.EventIterator;
-import java.util.Map;
-import java.util.Set;
-import java.util.HashSet;
-import java.util.List;
-import java.util.ArrayList;
-import java.util.Iterator;
-import java.util.Arrays;
-import java.util.HashMap;
-import java.security.Principal;
-
/**
* <code>CombinedProvider</code>...
*/
@@ -70,6 +70,7 @@
private static final AccessControlPolicy effectivePolicy = EffectivePrincipalBasedPolicy.getInstance();
private ACLEditor editor;
+
private NodeImpl acRoot;
//-------------------------------------------------< AccessControlUtils >---
@@ -78,8 +79,8 @@
*/
public boolean isAcItem(Path absPath) throws RepositoryException {
Path.Element[] elems = absPath.getElements();
- for (int i = 0; i < elems.length; i++) {
- if (N_POLICY.equals(elems[i].getName())) {
+ for (Path.Element elem : elems) {
+ if (N_POLICY.equals(elem.getName())) {
return true;
}
}
@@ -117,7 +118,7 @@
log.debug("Install initial permissions: ...");
ValueFactory vf = session.getValueFactory();
- Map restrictions = new HashMap();
+ Map<String, Value> restrictions = new HashMap<String, Value>();
restrictions.put(session.getJCRName(ACLTemplate.P_NODE_PATH), vf.createValue(root.getPath(), PropertyType.PATH));
restrictions.put(session.getJCRName(ACLTemplate.P_GLOB), vf.createValue(GlobPattern.WILDCARD_ALL));
@@ -149,7 +150,11 @@
}
}
- private static void installDefaultPermissions(Principal principal, Privilege[] privs, Map restrictions, AccessControlEditor editor) throws RepositoryException, AccessControlException {
+ private static void installDefaultPermissions(Principal principal,
+ Privilege[] privs,
+ Map<String, Value> restrictions,
+ AccessControlEditor editor)
+ throws RepositoryException, AccessControlException {
AccessControlPolicy[] acls = editor.editAccessControlPolicies(principal);
if (acls.length > 0) {
ACLTemplate acl = (ACLTemplate) acls[0];
@@ -176,7 +181,7 @@
most nodes in the repository isn't available anyway) doesn't
provide the desired information.
As tmp. solution some default policy is returned indicating.
- TODO: add proper evalution and return a set of ACLs that take effect on the node at abspath
+ TODO: add proper evaluation and return a set of ACLs that take effect on the node at abs path
*/
return new AccessControlPolicy[] {effectivePolicy};
}
@@ -238,21 +243,22 @@
private List<AccessControlEntry> entries;
/**
- * @param principals
- * @throws RepositoryException
+ * @param principals the underlying principals
+ * @throws RepositoryException if an error occurs
*/
private CompiledPermissionImpl(Set<Principal> principals) throws RepositoryException {
this(principals, true);
}
/**
- * @param principals
- * @throws RepositoryException
+ * @param principals the underlying principals
+ * @param listenToEvents if <code>true</code> listens to events
+ * @throws RepositoryException if an error occurs
*/
private CompiledPermissionImpl(Set<Principal> principals, boolean listenToEvents) throws RepositoryException {
this.principals = principals;
- acPaths = new HashSet(principals.size());
+ acPaths = new HashSet<String>(principals.size());
entries = reload();
// TODO: describe
@@ -298,9 +304,9 @@
* evaluated or <code>null</code>.
* @param targetPath Path used for the evaluation; pointing to an
* existing or non-existing item.
- * @param isAcItem
- * @return
- * @throws RepositoryException
+ * @param isAcItem the item
+ * @return the result
+ * @throws RepositoryException if an error occurs
*/
private Result getResult(Item target,
String targetPath,
@@ -401,24 +407,23 @@
/**
*
- * @return
- * @throws RepositoryException
+ * @return the aces
+ * @throws RepositoryException if an error occurs
*/
private List<AccessControlEntry> reload() throws RepositoryException {
// reload the paths
acPaths.clear();
// acNodes must be ordered in the same order as the principals
- // in order to obtain proper acl-evalution in case the given
+ // in order to obtain proper acl-evaluation in case the given
// principal-set is ordered.
List<AccessControlEntry> allACEs = new ArrayList<AccessControlEntry>();
// build acl-hierarchy assuming that principal-order determines the
// acl-inheritance.
- for (Iterator it = principals.iterator(); it.hasNext();) {
- Principal princ = (Principal) it.next();
- ACLTemplate acl = editor.getACL(princ);
+ for (Principal p : principals) {
+ ACLTemplate acl = editor.getACL(p);
if (acl == null || acl.isEmpty()) {
- acPaths.add(editor.getPathToAcNode(princ));
+ acPaths.add(editor.getPathToAcNode(p));
} else {
// retrieve the ACEs from the node
AccessControlEntry[] aces = acl.getAccessControlEntries();
Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplate.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplate.java?rev=812570&r1=812569&r2=812570&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplate.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplate.java Tue Sep 8 16:09:28 2009
@@ -19,8 +19,8 @@
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.core.NodeImpl;
import org.apache.jackrabbit.core.SessionImpl;
-import org.apache.jackrabbit.core.security.authorization.AccessControlConstants;
import org.apache.jackrabbit.core.security.authorization.AccessControlEntryImpl;
+import org.apache.jackrabbit.core.security.authorization.AbstractACLTemplate;
import org.apache.jackrabbit.spi.Name;
import org.apache.jackrabbit.spi.commons.conversion.NamePathResolver;
import org.slf4j.Logger;
@@ -38,7 +38,6 @@
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import java.security.Principal;
-import java.security.acl.Group;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
@@ -53,7 +52,7 @@
* {@link javax.jcr.security.AccessControlManager#setPolicy(String, javax.jcr.security.AccessControlPolicy) reapplied}
* to the <code>AccessControlManager</code> and the changes are saved.
*/
-class ACLTemplate implements JackrabbitAccessControlList, AccessControlConstants {
+class ACLTemplate extends AbstractACLTemplate {
private static Logger log = LoggerFactory.getLogger(ACLTemplate.class);
@@ -70,28 +69,28 @@
static final Name P_GLOB = NF.create(Name.NS_REP_URI, "glob");
private final Principal principal;
- private final String path;
- private final ValueFactory valueFactory;
- private final List entries = new ArrayList();
+ private final List<AccessControlEntry> entries = new ArrayList<AccessControlEntry>();
private final String jcrNodePathName;
private final String jcrGlobName;
- ACLTemplate(Principal principal, String path, NamePathResolver resolver, ValueFactory vf) throws RepositoryException {
+ ACLTemplate(Principal principal, String path, NamePathResolver resolver, ValueFactory vf)
+ throws RepositoryException {
this(principal, path, null, resolver, vf);
}
ACLTemplate(Principal principal, NodeImpl acNode) throws RepositoryException {
- this(principal, acNode.getPath(), acNode, (SessionImpl) acNode.getSession(), acNode.getSession().getValueFactory());
+ this(principal, acNode.getPath(), acNode, (SessionImpl) acNode.getSession(),
+ acNode.getSession().getValueFactory());
}
private ACLTemplate(Principal principal, String path, NodeImpl acNode,
NamePathResolver resolver, ValueFactory vf)
throws RepositoryException {
+ super(path, vf);
+
this.principal = principal;
- this.path = path;
- this.valueFactory = vf;
jcrNodePathName = resolver.getJCRName(P_NODE_PATH);
jcrGlobName = resolver.getJCRName(P_GLOB);
@@ -114,7 +113,7 @@
privileges[i] = acMgr.privilegeFromName(pValues[i].getString());
}
// the restrictions:
- Map restrictions = new HashMap(2);
+ Map<String, Value> restrictions = new HashMap<String, Value>(2);
Property prop = aceNode.getProperty(P_NODE_PATH);
restrictions.put(prop.getName(), prop.getValue());
@@ -133,18 +132,9 @@
}
AccessControlEntry createEntry(Principal princ, Privilege[] privileges,
- boolean allow, Map<String, Value> restrictions) throws RepositoryException {
- if (!principal.equals(princ)) {
- throw new AccessControlException("Invalid principal. Expected: " + principal);
- }
- if (!allow && principal instanceof Group) {
- throw new AccessControlException("For group principals permissions can only be added but not denied.");
- }
-
- Set rNames = restrictions.keySet();
- if (!rNames.contains(jcrNodePathName)) {
- throw new AccessControlException("Missing mandatory restriction: " + jcrNodePathName);
- }
+ boolean allow, Map<String, Value> restrictions)
+ throws RepositoryException {
+ checkValidEntry(princ, privileges, allow, restrictions);
// make sure the nodePath restriction is of type PATH
Value v = restrictions.get(jcrNodePathName);
@@ -161,14 +151,24 @@
return new Entry(princ, privileges, allow, restrictions);
}
- //-----------------------------------------------------< JackrabbitAccessControlList >---
+ //------------------------------------------------< AbstractACLTemplate >---
/**
- * @see JackrabbitAccessControlList#getPath()
+ * @see AbstractACLTemplate#checkValidEntry(java.security.Principal, javax.jcr.security.Privilege[], boolean, java.util.Map)
*/
- public String getPath() {
- return path;
- }
+ protected void checkValidEntry(Principal principal, Privilege[] privileges,
+ boolean isAllow, Map<String, Value> restrictions)
+ throws AccessControlException {
+ if (!this.principal.equals(principal)) {
+ throw new AccessControlException("Invalid principal. Expected: " + principal);
+ }
+ Set<String> rNames = restrictions.keySet();
+ if (!rNames.contains(jcrNodePathName)) {
+ throw new AccessControlException("Missing mandatory restriction: " + jcrNodePathName);
+ }
+ }
+
+ //----------------------------------------< JackrabbitAccessControlList >---
/**
* @see JackrabbitAccessControlList#getRestrictionNames()
*/
@@ -204,14 +204,6 @@
}
/**
- * @see JackrabbitAccessControlList#addEntry(Principal, Privilege[], boolean)
- */
- public boolean addEntry(Principal principal, Privilege[] privileges, boolean isAllow)
- throws AccessControlException, RepositoryException {
- return addEntry(principal, privileges, isAllow, null);
- }
-
- /**
* Known restrictions are:
* <pre>
* rep:nodePath (mandatory) value-type: PATH
@@ -221,7 +213,7 @@
* @see org.apache.jackrabbit.api.security.JackrabbitAccessControlList#addEntry(Principal, Privilege[], boolean, Map)
*/
public boolean addEntry(Principal principal, Privilege[] privileges,
- boolean isAllow, Map restrictions)
+ boolean isAllow, Map<String, Value> restrictions)
throws AccessControlException, RepositoryException {
if (restrictions == null || restrictions.isEmpty()) {
log.debug("Restrictions missing. Using default: rep:nodePath = " + getPath() + "; rep:glob = null.");
@@ -246,16 +238,7 @@
*/
public AccessControlEntry[] getAccessControlEntries()
throws RepositoryException {
- return (AccessControlEntry[]) entries.toArray(new AccessControlEntry[entries.size()]);
- }
-
- /**
- * @see javax.jcr.security.AccessControlList#addAccessControlEntry(Principal, Privilege[])
- */
- public boolean addAccessControlEntry(Principal principal,
- Privilege[] privileges)
- throws AccessControlException, RepositoryException {
- return addEntry(principal, privileges, true, Collections.EMPTY_MAP);
+ return entries.toArray(new AccessControlEntry[entries.size()]);
}
/**
@@ -319,7 +302,8 @@
*/
private final GlobPattern pattern;
- private Entry(Principal principal, Privilege[] privileges, boolean allow, Map restrictions)
+ private Entry(Principal principal, Privilege[] privileges, boolean allow,
+ Map<String, Value> restrictions)
throws AccessControlException, RepositoryException {
super(principal, privileges, allow, restrictions, valueFactory);
Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/AdminPrincipal.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/AdminPrincipal.java?rev=812570&r1=812569&r2=812570&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/AdminPrincipal.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/AdminPrincipal.java Tue Sep 8 16:09:28 2009
@@ -16,6 +16,8 @@
*/
package org.apache.jackrabbit.core.security.principal;
+import org.apache.jackrabbit.api.security.principal.JackrabbitPrincipal;
+
/**
* This principal represents the admin user as a distinct principal having all
* the access rights and is being authenticated (in contrast to the
Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/DefaultPrincipalProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/DefaultPrincipalProvider.java?rev=812570&r1=812569&r2=812570&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/DefaultPrincipalProvider.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/DefaultPrincipalProvider.java Tue Sep 8 16:09:28 2009
@@ -16,9 +16,20 @@
*/
package org.apache.jackrabbit.core.security.principal;
+import java.security.Principal;
+import java.util.Iterator;
+import java.util.LinkedHashSet;
+import java.util.Map;
+import java.util.Set;
+
+import javax.jcr.RepositoryException;
+import javax.jcr.Session;
+import javax.jcr.observation.Event;
+import javax.jcr.observation.EventIterator;
+import javax.jcr.observation.EventListener;
+
import org.apache.commons.collections.iterators.IteratorChain;
import org.apache.commons.collections.map.LRUMap;
-import org.apache.commons.collections.set.ListOrderedSet;
import org.apache.jackrabbit.api.security.principal.PrincipalIterator;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.api.security.user.Authorizable;
@@ -31,15 +42,6 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.jcr.RepositoryException;
-import javax.jcr.Session;
-import javax.jcr.observation.Event;
-import javax.jcr.observation.EventIterator;
-import javax.jcr.observation.EventListener;
-import java.security.Principal;
-import java.util.Iterator;
-import java.util.Set;
-
/**
* Provides principals for the users contained within the Repository.<p/>
* Each {@link Authorizable} accessible via {@link UserManager}
@@ -60,7 +62,7 @@
* a cache for group memberships: maps principal-name to a set of principals
* representing the members.
*/
- private final LRUMap membershipCache;
+ private final Map<String, Set<Principal>> membershipCache;
/**
* Principal-Base of this Provider
@@ -180,9 +182,9 @@
*/
public PrincipalIterator getGroupMembership(Principal userPrincipal) {
checkInitialized();
- Set mship;
+ Set<Principal> mship;
synchronized (membershipCache) {
- mship = (Set) membershipCache.get(userPrincipal.getName());
+ mship = membershipCache.get(userPrincipal.getName());
if (mship == null) {
// recursively collect group membership
mship = collectGroupMembership(userPrincipal);
@@ -275,15 +277,15 @@
* @return all Group principals the specified <code>princ</code> is member of
* including inherited membership.
*/
- private Set collectGroupMembership(Principal princ) {
- Set membership = new ListOrderedSet();
+ private Set<Principal> collectGroupMembership(Principal princ) {
+ Set<Principal> membership = new LinkedHashSet<Principal>();
try {
Authorizable auth = userManager.getAuthorizable(princ);
if (auth != null) {
addToCache(princ);
- Iterator itr = auth.memberOf();
+ Iterator<Group> itr = auth.memberOf();
while (itr.hasNext()) {
- Group group = (Group) itr.next();
+ Group group = itr.next();
Principal gp = group.getPrincipal();
addToCache(gp);
membership.add(gp);
@@ -324,7 +326,7 @@
try {
Iterator itr = userManager.findAuthorizables(pPrincipalName, simpleFilter, UserManager.SEARCH_TYPE_GROUP);
- // everyone will not be found by the usermanager -> extra test
+ // everyone will not be found by the user manager -> extra test
boolean addEveryone = everyonePrincipal.getName().matches(".*"+simpleFilter+".*");
return new PrincipalIteratorImpl(itr, addEveryone);
Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/EveryonePrincipal.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/EveryonePrincipal.java?rev=812570&r1=812569&r2=812570&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/EveryonePrincipal.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/EveryonePrincipal.java Tue Sep 8 16:09:28 2009
@@ -51,7 +51,7 @@
return !member.equals(this);
}
- public Enumeration members() {
+ public Enumeration<? extends Principal> members() {
throw new UnsupportedOperationException("Not implemented.");
}
Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/PrincipalImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/PrincipalImpl.java?rev=812570&r1=812569&r2=812570&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/PrincipalImpl.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/PrincipalImpl.java Tue Sep 8 16:09:28 2009
@@ -16,6 +16,8 @@
*/
package org.apache.jackrabbit.core.security.principal;
+import org.apache.jackrabbit.api.security.principal.JackrabbitPrincipal;
+
import java.io.Serializable;
import java.security.Principal;
Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/PrincipalManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/PrincipalManagerImpl.java?rev=812570&r1=812569&r2=812570&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/PrincipalManagerImpl.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/PrincipalManagerImpl.java Tue Sep 8 16:09:28 2009
@@ -16,12 +16,6 @@
*/
package org.apache.jackrabbit.core.security.principal;
-import org.apache.jackrabbit.api.security.principal.NoSuchPrincipalException;
-import org.apache.jackrabbit.api.security.principal.PrincipalIterator;
-import org.apache.jackrabbit.api.security.principal.PrincipalManager;
-
-import javax.jcr.RepositoryException;
-import javax.jcr.Session;
import java.security.Principal;
import java.security.acl.Group;
import java.util.ArrayList;
@@ -30,6 +24,13 @@
import java.util.Iterator;
import java.util.List;
+import javax.jcr.RepositoryException;
+import javax.jcr.Session;
+
+import org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal;
+import org.apache.jackrabbit.api.security.principal.PrincipalIterator;
+import org.apache.jackrabbit.api.security.principal.PrincipalManager;
+
/**
* This principal manager implementation uses the {@link DefaultPrincipalProvider}
* in order to dispatch the respective requests and assemble the required
@@ -49,8 +50,8 @@
/**
* Creates a new default principal manager implementation.
*
- * @param session
- * @param providers
+ * @param session the underlying session
+ * @param providers the providers
*/
public PrincipalManagerImpl(Session session, PrincipalProvider[] providers) {
this.session = session;
@@ -68,14 +69,8 @@
/**
* {@inheritDoc}
*/
- public Principal getPrincipal(String principalName) throws NoSuchPrincipalException {
- Principal p = internalGetPrincipal(principalName);
- if (p == null) {
- // not found (or access denied)
- throw new NoSuchPrincipalException("Unknown principal " + principalName);
- } else {
- return p;
- }
+ public Principal getPrincipal(String principalName) {
+ return internalGetPrincipal(principalName);
}
/**
@@ -83,9 +78,8 @@
*/
public PrincipalIterator findPrincipals(String simpleFilter) {
checkIsValid();
- List entries = new ArrayList(providers.length);
- for (int i = 0; i < providers.length; i++) {
- PrincipalProvider pp = providers[i];
+ List<CheckedIteratorEntry> entries = new ArrayList<CheckedIteratorEntry>(providers.length);
+ for (PrincipalProvider pp : providers) {
PrincipalIterator it = pp.findPrincipals(simpleFilter);
if (it.hasNext()) {
entries.add(new CheckedIteratorEntry(it, pp));
@@ -99,9 +93,8 @@
*/
public PrincipalIterator findPrincipals(String simpleFilter, int searchType) {
checkIsValid();
- List entries = new ArrayList(providers.length);
- for (int i = 0; i < providers.length; i++) {
- PrincipalProvider pp = providers[i];
+ List<CheckedIteratorEntry> entries = new ArrayList<CheckedIteratorEntry>(providers.length);
+ for (PrincipalProvider pp : providers) {
PrincipalIterator it = pp.findPrincipals(simpleFilter, searchType);
if (it.hasNext()) {
entries.add(new CheckedIteratorEntry(it, pp));
@@ -116,9 +109,8 @@
*/
public PrincipalIterator getPrincipals(int searchType) {
checkIsValid();
- List entries = new ArrayList(providers.length);
- for (int i = 0; i < providers.length; i++) {
- PrincipalProvider pp = providers[i];
+ List<CheckedIteratorEntry> entries = new ArrayList<CheckedIteratorEntry>(providers.length);
+ for (PrincipalProvider pp : providers) {
PrincipalIterator it = pp.getPrincipals(searchType);
if (it.hasNext()) {
entries.add(new CheckedIteratorEntry(it, pp));
@@ -132,9 +124,8 @@
*/
public PrincipalIterator getGroupMembership(Principal principal) {
checkIsValid();
- List entries = new ArrayList(providers.length + 1);
- for (int i = 0; i < providers.length; i++) {
- PrincipalProvider pp = providers[i];
+ List<CheckedIteratorEntry> entries = new ArrayList<CheckedIteratorEntry>(providers.length + 1);
+ for (PrincipalProvider pp : providers) {
PrincipalIterator groups = pp.getGroupMembership(principal);
if (groups.hasNext()) {
entries.add(new CheckedIteratorEntry(groups, pp));
@@ -169,17 +160,17 @@
}
/**
- * @param principalName
+ * @param principalName the name of the principal
* @return The principal with the given name or <code>null</code> if none
* of the providers knows that principal of if the Session is not allowed
* to see it.
*/
private Principal internalGetPrincipal(String principalName) {
checkIsValid();
- for (int i = 0; i < providers.length; i++) {
- Principal principal = providers[i].getPrincipal(principalName);
- if (principal != null && providers[i].canReadPrincipal(session, principal)) {
- return disguise(principal, providers[i]);
+ for (PrincipalProvider provider : providers) {
+ Principal principal = provider.getPrincipal(principalName);
+ if (principal != null && provider.canReadPrincipal(session, principal)) {
+ return disguise(principal, provider);
}
}
// nothing found or not allowed to see it.
@@ -187,7 +178,8 @@
}
/**
- * @param principal
+ * @param principal the principal
+ * @param provider the provider
* @return A group that only reveals those members that are visible to the
* current session or the specified principal if its not a group or the
* everyone principal.
@@ -237,15 +229,15 @@
return delegatee.isMember(member);
}
- public Enumeration members() {
+ public Enumeration<? extends Principal> members() {
Iterator it = Collections.list(delegatee.members()).iterator();
- final Iterator members = new CheckedPrincipalIterator(it, provider);
- return new Enumeration() {
+ final PrincipalIterator members = new CheckedPrincipalIterator(it, provider);
+ return new Enumeration<Principal>() {
public boolean hasMoreElements() {
return members.hasNext();
}
- public Object nextElement() {
- return members.next();
+ public Principal nextElement() {
+ return members.nextPrincipal();
}
};
}
@@ -290,16 +282,16 @@
*/
private class CheckedPrincipalIterator extends AbstractPrincipalIterator {
- private final List entries;
+ private final List<CheckedIteratorEntry> entries;
private CheckedPrincipalIterator(Iterator it, PrincipalProvider provider) {
- entries = new ArrayList(1);
+ entries = new ArrayList<CheckedIteratorEntry>(1);
entries.add(new CheckedIteratorEntry(it, provider));
next = seekNext();
}
- private CheckedPrincipalIterator(List entries) {
- this.entries = new ArrayList(entries);
+ private CheckedPrincipalIterator(List<CheckedIteratorEntry> entries) {
+ this.entries = new ArrayList<CheckedIteratorEntry>(entries);
next = seekNext();
}
@@ -308,8 +300,8 @@
*/
protected final Principal seekNext() {
while (!entries.isEmpty()) {
- // first test if current-itr has more elements
- CheckedIteratorEntry current = (CheckedIteratorEntry) entries.get(0);
+ // first test if current iterator has more elements
+ CheckedIteratorEntry current = entries.get(0);
Iterator iterator = current.iterator;
while (iterator.hasNext()) {
Principal chk = (Principal) iterator.next();
@@ -318,7 +310,7 @@
return disguise(chk, current.provider);
}
}
- // ino more elements in current-itr -> move to next iterator.
+ // no more elements in current iterator -> move to next iterator.
entries.remove(0);
}
return null;
Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/ProviderRegistryImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/ProviderRegistryImpl.java?rev=812570&r1=812569&r2=812570&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/ProviderRegistryImpl.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/ProviderRegistryImpl.java Tue Sep 8 16:09:28 2009
@@ -16,17 +16,18 @@
*/
package org.apache.jackrabbit.core.security.principal;
+import java.util.Collection;
+import java.util.LinkedHashMap;
+import java.util.Map;
+import java.util.Properties;
+
+import javax.jcr.RepositoryException;
+
import org.apache.jackrabbit.core.config.BeanConfig;
import org.apache.jackrabbit.core.config.LoginModuleConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.jcr.RepositoryException;
-import java.util.Collection;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Properties;
-
/**
* This is the default implementation of the {@link PrincipalProviderRegistry}
* interface.
@@ -37,7 +38,7 @@
private static final Logger log = LoggerFactory.getLogger(ProviderRegistryImpl.class);
private final PrincipalProvider defaultPrincipalProvider;
- private final Map providers = new HashMap();
+ private final Map<String, PrincipalProvider> providers = new LinkedHashMap<String, PrincipalProvider>();
/**
* Create an instance of <code>ProviderRegistryImpl</code> with the given
@@ -82,7 +83,7 @@
*/
public PrincipalProvider getProvider(String className) {
synchronized (providers) {
- return (PrincipalProvider) providers.get(className);
+ return providers.get(className);
}
}
@@ -91,8 +92,8 @@
*/
public PrincipalProvider[] getProviders() {
synchronized (providers) {
- Collection pps = providers.values();
- return (PrincipalProvider[]) pps.toArray(new PrincipalProvider[pps.size()]);
+ Collection<PrincipalProvider> pps = providers.values();
+ return pps.toArray(new PrincipalProvider[pps.size()]);
}
}
Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleAccessManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleAccessManager.java?rev=812570&r1=812569&r2=812570&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleAccessManager.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleAccessManager.java Tue Sep 8 16:09:28 2009
@@ -38,6 +38,8 @@
import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
import javax.security.auth.Subject;
+import java.security.Principal;
+import java.util.Set;
/**
* <code>SimpleAccessManager</code> ...
@@ -295,4 +297,44 @@
throw new PathNotFoundException(absPath);
}
}
+
+ /**
+ * @see org.apache.jackrabbit.api.security.JackrabbitAccessControlManager#hasPrivileges(String, Set, Privilege[])
+ */
+ public boolean hasPrivileges(String absPath, Set<Principal> principals, Privilege[] privileges) throws PathNotFoundException, RepositoryException {
+ if (anonymous) {
+ // anonymous doesn't have READ_AC privilege
+ throw new AccessDeniedException();
+ }
+
+ if (principals.size() == 1) {
+ Principal princ = principals.iterator().next();
+ if (princ instanceof AnonymousPrincipal) {
+ return privileges.length == 1 && privileges[0].equals(privilegeRegistry.getPrivilege(Privilege.JCR_READ));
+ }
+ }
+
+ // @todo check permission based on principals
+ return true;
+ }
+
+ /**
+ * @see org.apache.jackrabbit.api.security.JackrabbitAccessControlManager#getPrivileges(String, Set)
+ */
+ public Privilege[] getPrivileges(String absPath, Set<Principal> principals) throws PathNotFoundException, RepositoryException {
+ if (anonymous) {
+ // anonymous doesn't have READ_AC privilege
+ throw new AccessDeniedException();
+ }
+
+ if (principals.size() == 1) {
+ Principal princ = principals.iterator().next();
+ if (princ instanceof AnonymousPrincipal) {
+ return new Privilege[] {privilegeRegistry.getPrivilege(Privilege.JCR_READ)};
+ }
+ }
+
+ // @todo check permission based on principals
+ return new Privilege[] {privilegeRegistry.getPrivilege(Privilege.JCR_ALL)};
+ }
}
Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleLoginModule.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleLoginModule.java?rev=812570&r1=812569&r2=812570&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleLoginModule.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleLoginModule.java Tue Sep 8 16:09:28 2009
@@ -75,8 +75,8 @@
}
/**
- * Uses the configured {@link PrincipalProvider} to retrieve the principal.
- * It takes the {@link PrincipalProvider#getPrincipal(String)} for the User-ID
+ * Uses the configured {@link org.apache.jackrabbit.core.security.principal.PrincipalProvider} to retrieve the principal.
+ * It takes the {@link org.apache.jackrabbit.core.security.principal.PrincipalProvider#getPrincipal(String)} for the User-ID
* resolved by {@link #getUserID(Credentials)}, assuming that
* User-ID and the corresponding principal name are always identical.
*
Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleSecurityManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleSecurityManager.java?rev=812570&r1=812569&r2=812570&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleSecurityManager.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleSecurityManager.java Tue Sep 8 16:09:28 2009
@@ -16,6 +16,25 @@
*/
package org.apache.jackrabbit.core.security.simple;
+import java.security.Principal;
+import java.security.acl.Group;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Set;
+
+import javax.jcr.AccessDeniedException;
+import javax.jcr.Credentials;
+import javax.jcr.Repository;
+import javax.jcr.RepositoryException;
+import javax.jcr.Session;
+import javax.jcr.SimpleCredentials;
+import javax.jcr.UnsupportedRepositoryOperationException;
+import javax.security.auth.Subject;
+
import org.apache.jackrabbit.api.security.principal.PrincipalIterator;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.api.security.user.UserManager;
@@ -24,14 +43,17 @@
import org.apache.jackrabbit.core.config.AccessManagerConfig;
import org.apache.jackrabbit.core.config.LoginModuleConfig;
import org.apache.jackrabbit.core.config.SecurityConfig;
+import org.apache.jackrabbit.core.config.SecurityManagerConfig;
import org.apache.jackrabbit.core.security.AMContext;
import org.apache.jackrabbit.core.security.AccessManager;
-import org.apache.jackrabbit.core.security.JackrabbitSecurityManager;
-import org.apache.jackrabbit.core.security.UserPrincipal;
import org.apache.jackrabbit.core.security.AnonymousPrincipal;
+import org.apache.jackrabbit.core.security.JackrabbitSecurityManager;
import org.apache.jackrabbit.core.security.SecurityConstants;
+import org.apache.jackrabbit.core.security.UserPrincipal;
import org.apache.jackrabbit.core.security.authentication.AuthContext;
import org.apache.jackrabbit.core.security.authentication.AuthContextProvider;
+import org.apache.jackrabbit.core.security.authorization.AccessControlProvider;
+import org.apache.jackrabbit.core.security.authorization.WorkspaceAccessManager;
import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
import org.apache.jackrabbit.core.security.principal.EveryonePrincipal;
import org.apache.jackrabbit.core.security.principal.PrincipalIteratorAdapter;
@@ -42,24 +64,6 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.jcr.AccessDeniedException;
-import javax.jcr.Credentials;
-import javax.jcr.Repository;
-import javax.jcr.RepositoryException;
-import javax.jcr.Session;
-import javax.jcr.UnsupportedRepositoryOperationException;
-import javax.jcr.SimpleCredentials;
-import javax.security.auth.Subject;
-import java.security.Principal;
-import java.security.acl.Group;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.Properties;
-import java.util.Set;
-import java.util.Iterator;
-
/**
* <code>SimpleSecurityManager</code>: simple implementation ignoring both
* configuration entries for 'principalProvider' and for 'workspaceAccessManager'.
@@ -85,6 +89,11 @@
private PrincipalProviderRegistry principalProviderRegistry;
/**
+ * The workspace access manager
+ */
+ private WorkspaceAccessManager workspaceAccessManager;
+
+ /**
* factory for login-context {@see Repository#login())
*/
private AuthContextProvider authCtxProvider;
@@ -92,6 +101,20 @@
private String adminID;
private String anonymID;
+ /**
+ * Always returns <code>null</code>. AccessControlProvider configuration
+ * is ignored with this security manager. Subclasses may overwrite this
+ * lazy behavior that originates from the <code>SimpleAccessManager</code>.
+ *
+ * @param systemSession The system session used to init the security manager.
+ * @param workspaceName The name of the workspace for which the provider
+ * should be retrieved.
+ * @return Always returns <code>null</code>.
+ */
+ protected AccessControlProvider getAccessControlProvider(Session systemSession, String workspaceName) {
+ return null;
+ }
+
//------------------------------------------< JackrabbitSecurityManager >---
/**
* @see JackrabbitSecurityManager#init(Repository, Session)
@@ -122,13 +145,13 @@
Properties[] moduleConfig = authCtxProvider.getModuleConfig();
- // retrieve default-ids (admin and anomymous) from login-module-configuration.
- for (int i = 0; i < moduleConfig.length; i++) {
- if (moduleConfig[i].containsKey(LoginModuleConfig.PARAM_ADMIN_ID)) {
- adminID = moduleConfig[i].getProperty(LoginModuleConfig.PARAM_ADMIN_ID);
+ // retrieve default-ids (admin and anonymous) from login-module-configuration.
+ for (Properties aModuleConfig1 : moduleConfig) {
+ if (aModuleConfig1.containsKey(LoginModuleConfig.PARAM_ADMIN_ID)) {
+ adminID = aModuleConfig1.getProperty(LoginModuleConfig.PARAM_ADMIN_ID);
}
- if (moduleConfig[i].containsKey(LoginModuleConfig.PARAM_ANONYMOUS_ID)) {
- anonymID = moduleConfig[i].getProperty(LoginModuleConfig.PARAM_ANONYMOUS_ID);
+ if (aModuleConfig1.containsKey(LoginModuleConfig.PARAM_ANONYMOUS_ID)) {
+ anonymID = aModuleConfig1.getProperty(LoginModuleConfig.PARAM_ANONYMOUS_ID);
}
}
// fallback:
@@ -147,9 +170,19 @@
// skip init of provider (nop)
principalProviderRegistry = new ProviderRegistryImpl(principalProvider);
// register all configured principal providers.
- for (int i = 0; i < moduleConfig.length; i++) {
- principalProviderRegistry.registerProvider(moduleConfig[i]);
+ for (Properties aModuleConfig : moduleConfig) {
+ principalProviderRegistry.registerProvider(aModuleConfig);
+ }
+
+ SecurityManagerConfig smc = config.getSecurityManagerConfig();
+ if (smc != null && smc.getWorkspaceAccessConfig() != null) {
+ workspaceAccessManager = (WorkspaceAccessManager) smc.getWorkspaceAccessConfig().newInstance();
+ } else {
+ // fallback -> the default simple implementation
+ log.debug("No WorkspaceAccessManager configured; using default.");
+ workspaceAccessManager = new SimpleWorkspaceAccessManager();
}
+ workspaceAccessManager.init(systemSession);
initialized = true;
}
@@ -175,6 +208,9 @@
public AccessManager getAccessManager(Session session, AMContext amContext) throws RepositoryException {
checkInitialized();
try {
+ String wspName = session.getWorkspace().getName();
+ AccessControlProvider acP = getAccessControlProvider(systemSession, wspName);
+
AccessManagerConfig amc = config.getAccessManagerConfig();
AccessManager accessMgr;
if (amc == null) {
@@ -182,7 +218,7 @@
} else {
accessMgr = (AccessManager) amc.newInstance();
}
- accessMgr.init(amContext);
+ accessMgr.init(amContext, acP, workspaceAccessManager);
return accessMgr;
} catch (AccessDeniedException ade) {
// re-throw
@@ -223,9 +259,9 @@
public String getUserID(Subject subject) throws RepositoryException {
String uid = null;
// if SimpleCredentials are present, the UserID can easily be retrieved.
- Iterator creds = subject.getPublicCredentials(SimpleCredentials.class).iterator();
+ Iterator<SimpleCredentials> creds = subject.getPublicCredentials(SimpleCredentials.class).iterator();
if (creds.hasNext()) {
- SimpleCredentials sc = (SimpleCredentials) creds.next();
+ SimpleCredentials sc = creds.next();
uid = sc.getUserID();
} else if (anonymID != null && !subject.getPrincipals(AnonymousPrincipal.class).isEmpty()) {
uid = anonymID;
@@ -233,8 +269,7 @@
// assume that UserID and principal name
// are the same (not totally correct) and thus return the name
// of the first non-group principal.
- for (Iterator it = subject.getPrincipals().iterator(); it.hasNext();) {
- Principal p = (Principal) it.next();
+ for (Principal p : subject.getPrincipals()) {
if (!(p instanceof Group)) {
uid = p.getName();
break;
@@ -271,7 +306,7 @@
*/
private class SimplePrincipalProvider implements PrincipalProvider {
- private final Map principals = new HashMap();
+ private final Map<String, Principal> principals = new HashMap<String, Principal>();
private SimplePrincipalProvider() {
if (adminID != null) {
@@ -287,7 +322,7 @@
public Principal getPrincipal(String principalName) {
if (principals.containsKey(principalName)) {
- return (Principal) principals.get(principalName);
+ return principals.get(principalName);
} else {
return new UserPrincipal(principalName);
}
@@ -316,7 +351,7 @@
it = new PrincipalIteratorAdapter(Collections.singletonList(EveryonePrincipal.getInstance()));
break;
case PrincipalManager.SEARCH_TYPE_NOT_GROUP:
- Set set = new HashSet(principals.values());
+ Set<Principal> set = new HashSet<Principal>(principals.values());
set.remove(EveryonePrincipal.getInstance());
it = new PrincipalIteratorAdapter(set);
break;