1 /*
2 * Copyright (C) 2007-2012 Argeo GmbH
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16 package org.argeo.cms.internal.useradmin.jackrabbit;
17
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;

import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.argeo.ArgeoException;
import org.argeo.cms.internal.useradmin.SimpleJcrSecurityModel;
import org.argeo.jcr.ArgeoNames;
35
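/**
 * Make sure that a Jackrabbit user authorizable exists before syncing user
 * directories, then mirror the profile's enabled flag and the authenticated
 * roles onto the Jackrabbit user and its group memberships.
 */
public class JackrabbitSecurityModel extends SimpleJcrSecurityModel {
	private final static Log log = LogFactory
			.getLog(JackrabbitSecurityModel.class);

	/**
	 * Ensures a Jackrabbit {@link User} with ID {@code username} exists
	 * (creating or recreating it as needed), runs the generic JCR sync, then
	 * aligns the user's enabled state and group memberships with the result.
	 *
	 * @param session  the JCR session; a session that is not a
	 *                 {@link JackrabbitSession} is delegated unchanged to
	 *                 {@link SimpleJcrSecurityModel#sync}
	 * @param username the user ID to synchronise
	 * @param roles    role names to mirror as Jackrabbit groups, or
	 *                 {@code null} to leave group memberships untouched
	 * @return the user profile node returned by the generic sync
	 * @throws ArgeoException if a {@link RepositoryException} occurs, or if an
	 *                        authorizable with ID {@code username} exists but
	 *                        is not a user (previously a bare cast, which
	 *                        failed with a {@code ClassCastException})
	 */
	@Override
	public synchronized Node sync(Session session, String username,
			List<String> roles) {
		if (!(session instanceof JackrabbitSession))
			return super.sync(session, username, roles);

		try {
			UserManager userManager = ((JackrabbitSession) session)
					.getUserManager();
			User user = ensureUser(userManager, username);

			// generic JCR sync
			Node userProfile = super.sync(session, username, roles);

			boolean enabled = userProfile
					.getProperty(ArgeoNames.ARGEO_ENABLED).getBoolean();
			// in the Jackrabbit API, disable(null) re-enables the user
			if (enabled && user.isDisabled())
				user.disable(null);
			else if (!enabled && !user.isDisabled())
				user.disable(userProfile.getPath() + " is disabled");

			// Sync Jackrabbit roles
			if (roles != null)
				syncRoles(userManager, user, roles);

			return userProfile;
		} catch (RepositoryException e) {
			throw new ArgeoException(
					"Cannot perform Jackrabbit specific operations", e);
		}
	}

	/**
	 * Returns the Jackrabbit user with ID {@code username}, creating it when
	 * absent and recreating it when its principal name differs from the user
	 * ID. Recreating removes the previous user (and with it its properties and
	 * direct group memberships); memberships are rebuilt by
	 * {@link #syncRoles} afterwards when roles are supplied.
	 *
	 * @throws ArgeoException if an authorizable with this ID exists but is not
	 *                        a {@link User}
	 */
	private User ensureUser(UserManager userManager, String username)
			throws RepositoryException {
		Authorizable authorizable = userManager.getAuthorizable(username);
		if (authorizable == null) {
			// create new principal
			// NOTE(review): the user is created with an empty password, so
			// this relies on authentication happening outside Jackrabbit —
			// confirm the repository's login module does not accept it.
			User user = userManager.createUser(username, "");
			log.info(username + " added as Jackrabbit user " + user);
			return user;
		}
		if (!(authorizable instanceof User))
			// e.g. a group registered under the same ID; fail explicitly
			// instead of with a ClassCastException from a blind cast
			throw new ArgeoException("Authorizable '" + username
					+ "' exists but is not a user");

		User user = (User) authorizable;
		String principalName = user.getPrincipal().getName();
		if (!principalName.equals(username)) {
			log.warn("Jackrabbit principal is '" + principalName
					+ "' but username is '" + username + "'. Recreating...");
			user.remove();
			user = userManager.createUser(username, "");
		}
		return user;
	}

	/**
	 * Make sure Jackrabbit roles are in line with authentication: every role
	 * becomes a group the user is a member of, and the user is removed from
	 * every group it is directly a member of that does not appear in
	 * {@code roles} — including groups managed outside this sync.
	 *
	 * @param userManager the Jackrabbit user manager of the current session
	 * @param user        the Jackrabbit user whose memberships are aligned
	 * @param roles       the role names to mirror; must not be {@code null}
	 * @throws RepositoryException on any Jackrabbit failure
	 * @throws ArgeoException      if an authorizable named after a role exists
	 *                             but is not a {@link Group}
	 */
	void syncRoles(UserManager userManager, User user, List<String> roles)
			throws RepositoryException {
		// set lookup keeps the membership pruning below linear in the number
		// of roles rather than roles × groups
		Set<String> userGroupIds = new HashSet<String>(roles);
		for (String role : roles) {
			Authorizable authorizable = userManager.getAuthorizable(role);
			Group group;
			if (authorizable == null) {
				group = userManager.createGroup(role);
				log.info(role + " added as " + group);
			} else if (authorizable instanceof Group) {
				group = (Group) authorizable;
			} else {
				// a user registered under the role's ID would otherwise have
				// been blindly cast to Group
				throw new ArgeoException("Authorizable '" + role
						+ "' exists but is not a group");
			}
			if (!group.isMember(user))
				group.addMember(user);
		}

		// check if user has not been removed from some groups
		for (Iterator<Group> it = user.declaredMemberOf(); it.hasNext();) {
			Group group = it.next();
			if (!userGroupIds.contains(group.getID()))
				group.removeMember(user);
		}
	}
}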