1 package org.argeo.jcr;
2
3 import java.security.Principal;
4 import java.util.ArrayList;
5 import java.util.HashMap;
6 import java.util.List;
7 import java.util.Map;
8
9 import javax.jcr.Repository;
10 import javax.jcr.RepositoryException;
11 import javax.jcr.Session;
12 import javax.jcr.security.AccessControlManager;
13 import javax.jcr.security.Privilege;
14 import javax.naming.InvalidNameException;
15 import javax.naming.ldap.LdapName;
16
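/**
 * Applies a configured set of privileges to principals on one or all
 * workspaces of a JCR repository.
 * <p>
 * The mapping is given as a map whose keys have the form
 * {@code privilege1,privilege2/path/to/node} (the path part is optional and
 * defaults to {@code /}) and whose values name the principals receiving those
 * privileges.
 * <p>
 * NOTE(review): this class writes access control entries, so the mapping it
 * is configured with should come from a trusted source only.
 */
public class JcrAuthorizations implements Runnable {
    private Repository repository;

    /**
     * Workspace to process: {@code null} is passed as is to
     * {@link Repository#login(String)}, {@code "*"} means all accessible
     * workspaces except {@link #securityWorkspace}.
     */
    private String workspace = null;

    /** Name of the workspace which is skipped when {@link #workspace} is {@code "*"}. */
    private String securityWorkspace = "security";

    /**
     * key := privilege1,privilege2/path/to/node<br/>
     * value := group1,group2,user1
     */
    private Map<String, String> principalPrivileges = new HashMap<String, String>();

    /**
     * Logs in to the configured workspace (or to each accessible workspace in
     * turn when the workspace is {@code "*"}) and applies the configured
     * authorizations.
     *
     * @throws JcrException if a {@link RepositoryException} occurs while logging
     *                      in or applying the authorizations
     */
    @Override
    public void run() {
        String currentWorkspace = workspace;
        Session session = null;
        try {
            if (workspace != null && workspace.equals("*")) {
                // a first session is only used to list the workspaces
                session = repository.login();
                String[] workspaces = session.getWorkspace().getAccessibleWorkspaceNames();
                JcrUtils.logoutQuietly(session);
                for (String wksp : workspaces) {
                    // tracked outside the loop so that the error message names the
                    // workspace which failed
                    currentWorkspace = wksp;
                    if (currentWorkspace.equals(securityWorkspace))
                        continue;
                    session = repository.login(currentWorkspace);
                    initAuthorizations(session);
                    JcrUtils.logoutQuietly(session);
                }
            } else {
                session = repository.login(workspace);
                initAuthorizations(session);
            }
        } catch (RepositoryException e) {
            JcrUtils.discardQuietly(session);
            throw new JcrException(
                    "Cannot set authorizations " + principalPrivileges + " on workspace " + currentWorkspace, e);
        } finally {
            JcrUtils.logoutQuietly(session);
        }
    }

    /**
     * Logs in to a single workspace and applies the configured authorizations to
     * it.
     *
     * @param workspace the name of the workspace to log in to
     * @throws JcrException if a {@link RepositoryException} occurs
     */
    protected void processWorkspace(String workspace) {
        Session session = null;
        try {
            session = repository.login(workspace);
            initAuthorizations(session);
        } catch (RepositoryException e) {
            JcrUtils.discardQuietly(session);
            throw new JcrException(
                    "Cannot set authorizations " + principalPrivileges + " on repository " + repository, e);
        } finally {
            JcrUtils.logoutQuietly(session);
        }
    }

    /** @deprecated call {@link #run()} instead. */
    @Deprecated
    public void init() {
        run();
    }

    /**
     * Applies each configured entry to the workspace of the provided session.
     * <p>
     * For each entry the key is split at its first {@code /} into a
     * comma-separated list of privilege names and a node path ({@code /} when the
     * key contains no path). The value is then resolved to one or more principals
     * and the privileges are added for each of them on that path.
     *
     * @param session the session used to resolve privileges and to write the
     *                access control entries
     * @throws RepositoryException      if the repository rejects a privilege name
     *                                  or the update
     * @throws IllegalArgumentException if a key starts with {@code /} or has no
     *                                  principals associated with it
     */
    protected void initAuthorizations(Session session) throws RepositoryException {
        AccessControlManager acm = session.getAccessControlManager();

        // Iterate over the entries rather than the keys: the principals must be
        // the ones configured for the full key (privileges AND path). Looking them
        // up again with the privilege part only would either find nothing or pick
        // up the principals of another entry, that is grant the privileges on this
        // path to principals they were never configured for.
        for (Map.Entry<String, String> entry : principalPrivileges.entrySet()) {
            String key = entry.getKey();
            String principalNames = entry.getValue();
            if (principalNames == null)
                throw new IllegalArgumentException("No principal configured for privilege " + key);

            String privileges = key;
            String path = "/";
            int slashIndex = key.indexOf('/');
            if (slashIndex == 0) {
                throw new IllegalArgumentException("Privilege " + key + " badly formatted it starts with /");
            } else if (slashIndex > 0) {
                path = key.substring(slashIndex);
                privileges = key.substring(0, slashIndex);
            }

            // privilege names are used verbatim (no trimming around the commas)
            List<Privilege> privs = new ArrayList<Privilege>();
            for (String priv : privileges.split(",")) {
                privs.add(acm.privilegeFromName(priv));
            }

            try {
                // A value which parses as an LDAP distinguished name is considered
                // to be a single principal, since a DN contains commas itself.
                // NOTE(review): several DNs joined with commas also parse as one
                // DN and would therefore be treated as one principal name.
                new LdapName(principalNames);
                // TODO differentiate groups and users ?
                Principal principal = getOrCreatePrincipal(session, principalNames);
                JcrUtils.addPrivileges(session, path, principal, privs);
            } catch (InvalidNameException e) {
                // not a DN: a comma-separated list of plain principal names, used
                // verbatim (no trimming around the commas)
                for (String principalName : principalNames.split(",")) {
                    Principal principal = getOrCreatePrincipal(session, principalName);
                    JcrUtils.addPrivileges(session, path, principal, privs);
                }
            }
        }
    }

    /**
     * Returns a {@link SimplePrincipal}, does not check whether it exists since
     * such a capability is not provided by the standard JCR API. Can be
     * overridden to provide smarter handling.
     * <p>
     * NOTE(review): since the name is not checked, a misspelled name presumably
     * ends up as an access control entry for a principal which does not exist;
     * confirm against the repository implementation in use.
     *
     * @param session       the current session, not used by this implementation
     * @param principalName the name of the principal
     * @return a principal with this name
     * @throws RepositoryException never thrown by this implementation
     */
    protected Principal getOrCreatePrincipal(Session session, String principalName) throws RepositoryException {
        return new SimplePrincipal(principalName);
    }

    /** @deprecated call {@link #setPrincipalPrivileges(Map)} instead. */
    @Deprecated
    public void setGroupPrivileges(Map<String, String> groupPrivileges) {
        this.principalPrivileges = groupPrivileges;
    }

    /**
     * Sets the privileges to apply. The map is kept by reference, not copied.
     *
     * @param principalPrivileges keys are {@code privilege1,privilege2/path/to/node},
     *                            values are {@code group1,group2,user1}
     */
    public void setPrincipalPrivileges(Map<String, String> principalPrivileges) {
        this.principalPrivileges = principalPrivileges;
    }

    /** Sets the repository to log in to. */
    public void setRepository(Repository repository) {
        this.repository = repository;
    }

    /** Sets the workspace to process, {@code "*"} meaning all accessible workspaces. */
    public void setWorkspace(String workspace) {
        this.workspace = workspace;
    }

    /** Sets the name of the workspace to skip when all workspaces are processed. */
    public void setSecurityWorkspace(String securityWorkspace) {
        this.securityWorkspace = securityWorkspace;
    }

}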