1 package org
.argeo
.security
.jackrabbit
;
3 import java
.security
.Principal
;
4 import java
.util
.HashSet
;
5 import java
.util
.Properties
;
8 import javax
.jcr
.Credentials
;
9 import javax
.jcr
.Repository
;
10 import javax
.jcr
.RepositoryException
;
11 import javax
.jcr
.Session
;
12 import javax
.security
.auth
.Subject
;
13 import javax
.security
.auth
.callback
.CallbackHandler
;
14 import javax
.security
.auth
.x500
.X500Principal
;
16 import org
.apache
.jackrabbit
.api
.security
.user
.UserManager
;
17 import org
.apache
.jackrabbit
.core
.DefaultSecurityManager
;
18 import org
.apache
.jackrabbit
.core
.security
.AMContext
;
19 import org
.apache
.jackrabbit
.core
.security
.AccessManager
;
20 import org
.apache
.jackrabbit
.core
.security
.SecurityConstants
;
21 import org
.apache
.jackrabbit
.core
.security
.SystemPrincipal
;
22 import org
.apache
.jackrabbit
.core
.security
.authentication
.AuthContext
;
23 import org
.apache
.jackrabbit
.core
.security
.authentication
.CallbackHandlerImpl
;
24 import org
.apache
.jackrabbit
.core
.security
.authorization
.WorkspaceAccessManager
;
25 import org
.apache
.jackrabbit
.core
.security
.principal
.AdminPrincipal
;
26 import org
.apache
.jackrabbit
.core
.security
.principal
.PrincipalProvider
;
27 import org
.argeo
.api
.cms
.AnonymousPrincipal
;
28 import org
.argeo
.api
.cms
.CmsConstants
;
29 import org
.argeo
.api
.cms
.CmsLog
;
30 import org
.argeo
.api
.cms
.DataAdminPrincipal
;
32 /** Customises Jackrabbit security. */
33 public class ArgeoSecurityManager
extends DefaultSecurityManager
{
34 private final static CmsLog log
= CmsLog
.getLog(ArgeoSecurityManager
.class);
36 // private BundleContext cmsBundleContext = null;
38 public ArgeoSecurityManager() {
39 // if (FrameworkUtil.getBundle(CmsSession.class) != null) {
40 // cmsBundleContext = FrameworkUtil.getBundle(CmsSession.class).getBundleContext();
44 public AuthContext
getAuthContext(Credentials creds
, Subject subject
, String workspaceName
)
45 throws RepositoryException
{
48 CallbackHandler cbHandler
= new CallbackHandlerImpl(creds
, getSystemSession(), getPrincipalProviderRegistry(),
49 adminId
, anonymousId
);
50 String appName
= "Jackrabbit";
51 return new ArgeoAuthContext(appName
, subject
, cbHandler
);
55 public AccessManager
getAccessManager(Session session
, AMContext amContext
) throws RepositoryException
{
56 synchronized (getSystemSession()) {
57 return super.getAccessManager(session
, amContext
);
62 public UserManager
getUserManager(Session session
) throws RepositoryException
{
63 synchronized (getSystemSession()) {
64 return super.getUserManager(session
);
69 protected PrincipalProvider
createDefaultPrincipalProvider(Properties
[] moduleConfig
) throws RepositoryException
{
70 return super.createDefaultPrincipalProvider(moduleConfig
);
73 /** Called once when the session is created */
75 public String
getUserID(Subject subject
, String workspaceName
) throws RepositoryException
{
76 boolean isAnonymous
= !subject
.getPrincipals(AnonymousPrincipal
.class).isEmpty();
77 boolean isDataAdmin
= !subject
.getPrincipals(DataAdminPrincipal
.class).isEmpty();
78 boolean isJackrabbitSystem
= !subject
.getPrincipals(SystemPrincipal
.class).isEmpty();
79 Set
<X500Principal
> userPrincipal
= subject
.getPrincipals(X500Principal
.class);
80 boolean isRegularUser
= !userPrincipal
.isEmpty();
81 // CmsSession cmsSession = null;
82 // if (cmsBundleContext != null) {
83 // cmsSession = CmsOsgiUtils.getCmsSession(cmsBundleContext, subject);
84 // if (log.isTraceEnabled())
85 // log.trace("Opening JCR session for CMS session " + cmsSession);
89 if (isDataAdmin
|| isJackrabbitSystem
|| isRegularUser
)
90 throw new IllegalStateException("Inconsistent " + subject
);
92 return CmsConstants
.ROLE_ANONYMOUS
;
93 } else if (isRegularUser
) {// must be before DataAdmin
94 if (isAnonymous
|| isJackrabbitSystem
)
95 throw new IllegalStateException("Inconsistent " + subject
);
97 if (userPrincipal
.size() > 1) {
98 StringBuilder buf
= new StringBuilder();
99 for (X500Principal principal
: userPrincipal
)
100 buf
.append(' ').append('\"').append(principal
).append('\"');
101 throw new RuntimeException("Multiple user principals:" + buf
);
103 return userPrincipal
.iterator().next().getName();
105 } else if (isDataAdmin
) {
106 if (isAnonymous
|| isJackrabbitSystem
|| isRegularUser
)
107 throw new IllegalStateException("Inconsistent " + subject
);
109 assert !subject
.getPrincipals(AdminPrincipal
.class).isEmpty();
110 return CmsConstants
.ROLE_DATA_ADMIN
;
112 } else if (isJackrabbitSystem
) {
113 if (isAnonymous
|| isDataAdmin
|| isRegularUser
)
114 throw new IllegalStateException("Inconsistent " + subject
);
116 return super.getUserID(subject
, workspaceName
);
118 throw new IllegalStateException("Unrecognized subject type: " + subject
);
123 protected WorkspaceAccessManager
createDefaultWorkspaceAccessManager() {
124 WorkspaceAccessManager wam
= super.createDefaultWorkspaceAccessManager();
125 ArgeoWorkspaceAccessManagerImpl workspaceAccessManager
= new ArgeoWorkspaceAccessManagerImpl(wam
);
126 if (log
.isTraceEnabled())
127 log
.trace("Created workspace access manager");
128 return workspaceAccessManager
;
131 private class ArgeoWorkspaceAccessManagerImpl
implements SecurityConstants
, WorkspaceAccessManager
{
132 private final WorkspaceAccessManager wam
;
134 public ArgeoWorkspaceAccessManagerImpl(WorkspaceAccessManager wam
) {
139 public void init(Session systemSession
) throws RepositoryException
{
140 wam
.init(systemSession
);
141 Repository repository
= systemSession
.getRepository();
142 if (log
.isTraceEnabled())
143 log
.trace("Initialised workspace access manager on repository " + repository
144 + ", systemSession workspace: " + systemSession
.getWorkspace().getName());
147 public void close() throws RepositoryException
{
150 public boolean grants(Set
<Principal
> principals
, String workspaceName
) throws RepositoryException
{
151 // TODO: implements finer access to workspaces
152 if (log
.isTraceEnabled())
153 log
.trace("Grants " + new HashSet
<>(principals
) + " access to workspace '" + workspaceName
+ "'");
155 // return wam.grants(principals, workspaceName);