Posted to commits@ofbiz.apache.org by ja...@apache.org on 2007/01/10 06:29:34 UTC
svn commit: r494718 - in /ofbiz/trunk/framework/service: dtd/ servicedef/
src/org/ofbiz/service/ src/org/ofbiz/service/security/
Author: jaz
Date: Tue Jan 9 21:29:30 2007
New Revision: 494718
URL: http://svn.apache.org/viewvc?view=rev&rev=494718
Log:
implemented new service-based permission checking; removed the ServiceSecurity interface, which this now replaces
Removed:
ofbiz/trunk/framework/service/src/org/ofbiz/service/security/
Modified:
ofbiz/trunk/framework/service/dtd/services.xsd
ofbiz/trunk/framework/service/servicedef/services.xml
ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelPermission.java
ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java
ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelServiceReader.java
ofbiz/trunk/framework/service/src/org/ofbiz/service/ServiceDispatcher.java
Modified: ofbiz/trunk/framework/service/dtd/services.xsd
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/dtd/services.xsd?view=diff&rev=494718&r1=494717&r2=494718
==============================================================================
--- ofbiz/trunk/framework/service/dtd/services.xsd (original)
+++ ofbiz/trunk/framework/service/dtd/services.xsd Tue Jan 9 21:29:30 2007
@@ -37,6 +37,7 @@
<xs:sequence>
<xs:element minOccurs="0" ref="description"/>
<xs:element minOccurs="0" ref="namespace"/>
+ <xs:element minOccurs="0" maxOccurs="1" ref="permission-service"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="required-permissions"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="implements"/>
<xs:choice maxOccurs="1" minOccurs="0">
@@ -108,12 +109,29 @@
</xs:simpleType>
</xs:attribute>
</xs:attributeGroup>
+ <xs:element name="permission-service">
+ <xs:complexType>
+ <xs:attributeGroup ref="attlist.permission-service"/>
+ </xs:complexType>
+ </xs:element>
+ <xs:attributeGroup name="attlist.permission-service">
+ <xs:attribute type="xs:string" name="service-name" use="required"/>
+ <xs:attribute name="main-action" use="optional">
+ <xs:simpleType>
+ <xs:restriction base="xs:token">
+ <xs:enumeration value="CREATE"/>
+ <xs:enumeration value="UPDATE"/>
+ <xs:enumeration value="DELETE"/>
+ <xs:enumeration value="VIEW"/>
+ </xs:restriction>
+ </xs:simpleType>
+ </xs:attribute>
+ </xs:attributeGroup>
<xs:element name="required-permissions">
<xs:complexType>
<xs:sequence>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="check-permission"/>
- <xs:element minOccurs="0" maxOccurs="unbounded" ref="check-role-member"/>
- <xs:element minOccurs="0" maxOccurs="unbounded" ref="service-security"/>
+ <xs:element minOccurs="0" maxOccurs="unbounded" ref="check-role-member"/>
</xs:sequence>
<xs:attributeGroup ref="attlist.required-permissions"/>
</xs:complexType>
Modified: ofbiz/trunk/framework/service/servicedef/services.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/servicedef/services.xml?view=diff&rev=494718&r1=494717&r2=494718
==============================================================================
--- ofbiz/trunk/framework/service/servicedef/services.xml (original)
+++ ofbiz/trunk/framework/service/servicedef/services.xml Tue Jan 9 21:29:30 2007
@@ -51,19 +51,36 @@
</service>
<!-- Service Engine Interfaces -->
- <service name="serviceEcaConditionInterface" engine="interface" location="" invoke="">
+ <service name="permissionInterface" engine="interface">
+ <description>Interface to describe base parameters for Permission Services</description>
+ <attribute name="mainAction" type="String" mode="IN" optional="true"/>
+ <attribute name="hasPermission" type="Boolean" mode="OUT" optional="false"/>
+ <attribute name="failMessage" type="String" mode="OUT" optional="true"/>
+ </service>
+
+ <service name="authenticationInterface" engine="interface">
+ <description>Interface to describe authentication services</description>
+ <attribute name="login.username" type="String" mode="IN"/>
+ <attribute name="login.password" type="String" mode="IN"/>
+ <attribute name="visitId" type="String" mode="IN" optional="true"/>
+ <attribute name="isServiceAuth" type="Boolean" mode="IN" optional="true"/>
+ <attribute name="userLogin" type="org.ofbiz.entity.GenericValue" mode="OUT"/>
+ <attribute name="userLoginSession" type="java.util.Map" mode="OUT" optional="true"/>
+ </service>
+
+ <service name="serviceEcaConditionInterface" engine="interface">
<description>Interface to describe services which are used as SECA conditions</description>
<attribute name="serviceContext" type="Map" mode="IN"/>
<attribute name="serviceName" type="String" mode="IN"/>
<attribute name="conditionReply" type="Boolean" mode="OUT"/>
</service>
- <service name="serviceMcaConditionInterface" engine="interface" location="" invoke="">
+ <service name="serviceMcaConditionInterface" engine="interface">
<description>Interface to describe services which are used as SMCA conditions</description>
<attribute name="messageWrapper" type="org.ofbiz.service.mail.MimeMessageWrapper" mode="IN"/>
<attribute name="conditionReply" type="Boolean" mode="OUT"/>
</service>
- <service name="mailProcessInterface" engine="interface" location="" invoke="">
+ <service name="mailProcessInterface" engine="interface">
<description>Interface to describe services used to process incoming email</description>
<attribute name="messageWrapper" type="org.ofbiz.service.mail.MimeMessageWrapper" mode="IN"/>
</service>
Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelPermission.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelPermission.java?view=diff&rev=494718&r1=494717&r2=494718
==============================================================================
--- ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelPermission.java (original)
+++ ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelPermission.java Tue Jan 9 21:29:30 2007
@@ -15,19 +15,17 @@
*/
package org.ofbiz.service;
-import org.ofbiz.entity.GenericValue;
+import org.ofbiz.base.util.Debug;
+import org.ofbiz.base.util.UtilMisc;
import org.ofbiz.entity.GenericDelegator;
import org.ofbiz.entity.GenericEntityException;
+import org.ofbiz.entity.GenericValue;
import org.ofbiz.entity.util.EntityUtil;
import org.ofbiz.security.Security;
-import org.ofbiz.base.util.UtilMisc;
-import org.ofbiz.base.util.Debug;
-import org.ofbiz.base.util.ObjectType;
-import org.ofbiz.service.security.ServiceSecurity;
+import java.io.Serializable;
import java.util.List;
import java.util.Map;
-import java.io.Serializable;
/**
* Service Permission Model Class
@@ -39,7 +37,6 @@
public static final int PERMISSION = 1;
public static final int ENTITY_PERMISSION = 2;
public static final int ROLE_MEMBER = 3;
- public static final int CUSTOM = 4;
public ModelService serviceModel = null;
public int permissionType = 0;
@@ -61,8 +58,6 @@
return evalEntityPermission(security, userLogin);
case ROLE_MEMBER:
return evalRoleMember(userLogin);
- case CUSTOM:
- return evalCustomPermission(dctx, context);
default:
Debug.logWarning("Invalid permission type [" + permissionType + "] for permission named : " + nameOrRole + " on service : " + serviceModel.name, module);
return false;
@@ -108,22 +103,5 @@
}
}
return false;
- }
-
- private boolean evalCustomPermission(DispatchContext dctx, Map context) {
- Object obj;
- try {
- obj = ObjectType.getInstance(clazz);
- } catch (Exception e) {
- Debug.logError(e, module);
- return false;
- }
-
- if (obj != null && (obj instanceof ServiceSecurity)) {
- ServiceSecurity sec = (ServiceSecurity) obj;
- return sec.hasPermission(dctx, context);
- } else {
- return false;
- }
}
}
Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java?view=diff&rev=494718&r1=494717&r2=494718
==============================================================================
--- ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java (original)
+++ ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java Tue Jan 9 21:29:30 2007
@@ -120,6 +120,12 @@
/** Sets the max number of times this service will retry when failed (persisted async only) */
public int maxRetry = -1;
+ /** Permission service name */
+ public String permissionServiceName;
+
+ /** Permission service main-action */
+ public String permissionMainAction;
+
/** Set of services this service implements */
public Set implServices = new ListOrderedSet();
@@ -744,12 +750,66 @@
}
/**
+ * Evaluates permission-service for this service.
+ * @param dctx DispatchContext from the invoked service
+ * @param context Map containing userLogin and context infromation
+ * @return result of permission service invocation
+ */
+ public Map evalPermission(DispatchContext dctx, Map context) {
+ if (UtilValidate.isNotEmpty(this.permissionServiceName)) {
+ ModelService permission;
+ try {
+ permission = dctx.getModelService(this.permissionServiceName);
+ } catch (GenericServiceException e) {
+ Map result = ServiceUtil.returnSuccess();
+ result.put("hasPermission", Boolean.FALSE);
+ result.put("failMessage", e.getMessage());
+ return result;
+ }
+ if (permission != null) {
+ Map ctx = permission.makeValid(context, ModelService.IN_PARAM);
+ if (UtilValidate.isNotEmpty(this.permissionMainAction)) {
+ ctx.put("mainAction", this.permissionMainAction);
+ }
+ LocalDispatcher dispatcher = dctx.getDispatcher();
+ Map resp;
+ try {
+ resp = dispatcher.runSync(permission.name, ctx, 300, true);
+ } catch (GenericServiceException e) {
+ Debug.logError(e, module);
+ Map result = ServiceUtil.returnSuccess();
+ result.put("hasPermission", Boolean.FALSE);
+ result.put("failMessage", e.getMessage());
+ return result;
+ }
+ if (ServiceUtil.isError(resp) || ServiceUtil.isFailure(resp)) {
+ Map result = ServiceUtil.returnSuccess();
+ result.put("hasPermission", Boolean.FALSE);
+ result.put("failMessage", ServiceUtil.getErrorMessage(resp));
+ return result;
+ }
+ return resp;
+ } else {
+ Map result = ServiceUtil.returnSuccess();
+ result.put("hasPermission", Boolean.FALSE);
+ result.put("failMessage", "No ModelService found with the name [" + this.permissionServiceName + "]");
+ return result;
+ }
+ } else {
+ Map result = ServiceUtil.returnSuccess();
+ result.put("hasPermission", Boolean.TRUE);
+ return result;
+ }
+ }
+
+ /**
* Evaluates permissions for a service.
* @param dctx DispatchContext from the invoked service
* @param context Map containing userLogin infromation
* @return true if all permissions evaluate true.
*/
public boolean evalPermissions(DispatchContext dctx, Map context) {
+ // old permission checking
if (this.containsPermissions()) {
Iterator i = this.permissionGroups.iterator();
while (i.hasNext()) {
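Review bot: `evalPermission` hands the permission service's response map back unchanged at `return resp;` whenever it is neither an error nor a failure, so a response that omits `hasPermission` reaches the dispatcher with a null value; `permissionInterface` declares it as a required OUT parameter, but this method should not rely on that being enforced for every implementing service. Make the result fail closed right after the error/failure check with `if (!Boolean.TRUE.equals(resp.get("hasPermission"))) { resp.put("hasPermission", Boolean.FALSE); }`, optionally also setting a `failMessage` that names `permission.name`. Both `catch (GenericServiceException e)` branches surface `e.getMessage()` as `failMessage`, which the dispatcher turns into caller-visible `ServiceAuthException` text; a generic message there, with the exception detail kept in the log as the second branch already does via `Debug.logError`, avoids leaking internal error details to the caller. The `runSync(permission.name, ctx, 300, true)` call deserves a comment stating that the check deliberately runs in its own transaction, since a permission service will then presumably not observe uncommitted work of the calling transaction — confirm that is intended.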
Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelServiceReader.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelServiceReader.java?view=diff&rev=494718&r1=494717&r2=494718
==============================================================================
--- ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelServiceReader.java (original)
+++ ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelServiceReader.java Tue Jan 9 21:29:30 2007
@@ -330,6 +330,7 @@
// contruct the context
service.contextInfo = FastMap.newInstance();
+ this.createPermission(serviceElement, service);
this.createPermGroups(serviceElement, service);
this.createImplDefs(serviceElement, service);
this.createAutoAttrDefs(serviceElement, service);
@@ -357,6 +358,15 @@
return value;
}
+ protected void createPermission(Element baseElement, ModelService model) {
+ Element e = UtilXml.firstChildElement(baseElement, "permission-service");
+ if (e != null) {
+ model.permissionServiceName = e.getAttribute("service-name");
+ model.permissionMainAction = e.getAttribute("main-action");
+ model.auth = true; // auth is always required when permissions are set
+ }
+ }
+
protected void createPermGroups(Element baseElement, ModelService model) {
List permGroups = UtilXml.childElementList(baseElement, "required-permissions");
Iterator permIter = permGroups.iterator();
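Review bot: `createPermission` stores `service-name` without checking it; `Element.getAttribute` returns an empty string for a missing attribute, and an empty `permissionServiceName` makes the dispatcher fall back to the `required-permissions` path, so a `<permission-service>` element with a blank or missing name silently weakens the check unless the definition file is schema-validated at load time. Fail loudly here instead, e.g. `if (model.permissionServiceName == null || model.permissionServiceName.length() == 0) { Debug.logError("permission-service on service [" + model.name + "] has no service-name", module); }` — assuming `Debug` and `module` are in scope in this reader as they are in `ModelPermission`. A one-line comment on `createPermission` noting that `permissionMainAction` is left as the empty string (not null) when `main-action` is absent, which is what `UtilValidate.isNotEmpty` in `ModelService.evalPermission` relies on, would also help the next maintainer.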
@@ -365,15 +375,14 @@
Element element = (Element) permIter.next();
ModelPermGroup group = new ModelPermGroup();
group.joinType = element.getAttribute("join-type");
- createPermissions(element, group, model);
+ createGroupPermissions(element, group, model);
model.permissionGroups.add(group);
}
}
- protected void createPermissions(Element baseElement, ModelPermGroup group, ModelService service) {
+ protected void createGroupPermissions(Element baseElement, ModelPermGroup group, ModelService service) {
List permElements = UtilXml.childElementList(baseElement, "check-permission");
- List rolePermElements = UtilXml.childElementList(baseElement, "check-role-member");
- List serviceSecurity = UtilXml.childElementList(baseElement, "service-security");
+ List rolePermElements = UtilXml.childElementList(baseElement, "check-role-member");
// create the simple permissions
Iterator si = permElements.iterator();
@@ -398,18 +407,6 @@
ModelPermission perm = new ModelPermission();
perm.permissionType = ModelPermission.ROLE_MEMBER;
perm.nameOrRole = element.getAttribute("role-type");
- perm.serviceModel = service;
- group.permissions.add(perm);
- }
-
- // create the custom permissions
- Iterator ci = serviceSecurity.iterator();
- while (ci.hasNext()) {
- Element element = (Element) ci.next();
- ModelPermission perm = new ModelPermission();
- perm.permissionType = ModelPermission.CUSTOM;
- perm.nameOrRole = element.getAttribute("name");
- perm.clazz = element.getAttribute("class");
perm.serviceModel = service;
group.permissions.add(perm);
}
Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ServiceDispatcher.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/ServiceDispatcher.java?view=diff&rev=494718&r1=494717&r2=494718
==============================================================================
--- ofbiz/trunk/framework/service/src/org/ofbiz/service/ServiceDispatcher.java (original)
+++ ofbiz/trunk/framework/service/src/org/ofbiz/service/ServiceDispatcher.java Tue Jan 9 21:29:30 2007
@@ -757,8 +757,23 @@
// evaluate permissions for the service or throw exception if fail.
DispatchContext dctx = this.getLocalContext(localName);
- if (!origService.evalPermissions(dctx, context)) {
- throw new ServiceAuthException("You do not have permission to invoke this service");
+ if (UtilValidate.isNotEmpty(origService.permissionServiceName)) {
+ Map permResp = origService.evalPermission(dctx, context);
+ Boolean hasPermission = (Boolean) permResp.get("hasPermission");
+ if (hasPermission.booleanValue()) {
+ context.putAll(permResp);
+ context = origService.makeValid(context, ModelService.IN_PARAM);
+ } else {
+ String message = (String) permResp.get("failMessage");
+ if (UtilValidate.isEmpty(message)) {
+ message = "You do not have permission to invoke this service";
+ }
+ throw new ServiceAuthException(message);
+ }
+ } else {
+ if (!origService.evalPermissions(dctx, context)) {
+ throw new ServiceAuthException("You do not have permission to invoke this service");
+ }
}
return context;
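Review bot: When `permissionServiceName` is set, the `required-permissions` groups are never evaluated — `evalPermissions` only runs in the `else` branch — yet the updated `services.xsd` still allows a service to declare both `permission-service` and `required-permissions`, so any `check-permission`/`check-role-member` entries on such a service are silently bypassed. Drop the `else` and run the old check unconditionally after the permission-service block so both must pass: `if (!origService.evalPermissions(dctx, context)) { throw new ServiceAuthException("You do not have permission to invoke this service"); }`. The `(Boolean) permResp.get("hasPermission")` cast followed by `.booleanValue()` throws a `NullPointerException` if the key is absent; `if (Boolean.TRUE.equals(permResp.get("hasPermission")))` keeps the decision fail-closed with the auth exception instead of an unrelated runtime error. `context.putAll(permResp)` also copies every key of the permission service's response (`responseMessage`, `hasPermission`, `failMessage`, anything else it returns) into the invocation context before `makeValid` filters it to declared IN parameters, so a permission-service OUT value that shares a name with one of the target service's IN parameters would overwrite the caller's value — if that is intended, say so in a comment. The enclosing method begins before this hunk.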