Make add privilege smarter
1 /*
2 * Copyright (C) 2007-2012 Mathieu Baudier
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16 package org.argeo.jcr.security;
17
18 import java.security.Principal;
19 import java.util.ArrayList;
20 import java.util.HashMap;
21 import java.util.List;
22 import java.util.Map;
23
24 import javax.jcr.Repository;
25 import javax.jcr.RepositoryException;
26 import javax.jcr.Session;
27 import javax.jcr.security.AccessControlManager;
28 import javax.jcr.security.Privilege;
29
30 import org.argeo.ArgeoException;
31 import org.argeo.jcr.JcrUtils;
32 import org.argeo.util.security.SimplePrincipal;
33
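/**
 * Applies a configured set of access-control privileges to one workspace, or
 * to all accessible workspaces, of a JCR repository.
 * <p>
 * Sessions are opened with {@link Repository#login()} /
 * {@link Repository#login(String)}, i.e. without explicit credentials, so the
 * effective identity comes from the surrounding context. NOTE(review): that
 * identity presumably needs the right to modify access control on every
 * target path; confirm how callers authenticate before invoking
 * {@link #run()}.
 * </p>
 * <p>
 * Security caveat: principal names are taken from configuration as-is and are
 * not checked for existence (see
 * {@link #getOrCreatePrincipal(Session, String)}). A misspelled name therefore
 * does not fail; it results in privileges being requested for a principal that
 * nobody may currently hold. Review the configured map with the same care as
 * any other ACL definition.
 * </p>
 */
public class JcrAuthorizations implements Runnable {
	private Repository repository;

	/**
	 * Target workspace. {@code null} is passed straight to
	 * {@link Repository#login(String)}; {@code "*"} means every accessible
	 * workspace except {@link #securityWorkspace}.
	 */
	private String workspace = null;

	/** Workspace skipped when {@link #workspace} is {@code "*"}. */
	private String securityWorkspace = "security";

	/**
	 * key := privilege1,privilege2/path/to/node<br/>
	 * value := group1,group2,user1
	 * <p>
	 * The key is split at its first {@code '/'}: everything before it is the
	 * comma-separated privilege list, everything from it onwards is the node
	 * path. A key without {@code '/'} applies to the root node. Privilege
	 * names that themselves contain a slash (e.g. expanded-form names with a
	 * namespace URI) cannot be expressed in this format.
	 * </p>
	 */
	private Map<String, String> principalPrivileges = new HashMap<String, String>();

	/**
	 * Applies the configured privileges to the configured workspace(s).
	 * 
	 * @throws ArgeoException
	 *             wrapping any failure, after pending changes of the current
	 *             session have been discarded
	 */
	public void run() {
		String currentWorkspace = workspace;
		Session session = null;
		try {
			if ("*".equals(workspace)) {
				// A first session is only used to enumerate the workspaces.
				session = repository.login();
				String[] workspaces = session.getWorkspace()
						.getAccessibleWorkspaceNames();
				JcrUtils.logoutQuietly(session);
				for (String wksp : workspaces) {
					// tracked so that the error message names the failing
					// workspace
					currentWorkspace = wksp;
					if (currentWorkspace.equals(securityWorkspace))
						continue;
					session = repository.login(currentWorkspace);
					initAuthorizations(session);
					JcrUtils.logoutQuietly(session);
				}
			} else {
				session = repository.login(workspace);
				initAuthorizations(session);
			}
		} catch (Exception e) {
			JcrUtils.discardQuietly(session);
			throw new ArgeoException(
					"Cannot set authorizations " + principalPrivileges
							+ " on workspace " + currentWorkspace, e);
		} finally {
			JcrUtils.logoutQuietly(session);
		}
	}

	/**
	 * Applies the configured privileges to a single, named workspace.
	 * 
	 * @param workspace
	 *            name of the workspace to log in to
	 * @throws ArgeoException
	 *             wrapping any failure
	 */
	protected void processWorkspace(String workspace) {
		Session session = null;
		try {
			session = repository.login(workspace);
			initAuthorizations(session);
		} catch (Exception e) {
			JcrUtils.discardQuietly(session);
			throw new ArgeoException("Cannot set authorizations "
					+ principalPrivileges + " on repository " + repository, e);
		} finally {
			JcrUtils.logoutQuietly(session);
		}
	}

	/** @deprecated call {@link #run()} instead. */
	@Deprecated
	public void init() {
		run();
	}

	/**
	 * Parses every entry of {@link #principalPrivileges} and applies it to the
	 * workspace of the given session via
	 * {@code JcrUtils.addPrivileges(session, path, principal, privileges)}.
	 * 
	 * @param session
	 *            an open session on the target workspace
	 * @throws RepositoryException
	 *             if a privilege name is unknown to the repository or the
	 *             privileges cannot be applied
	 * @throws ArgeoException
	 *             if an entry is badly formatted (key starting with
	 *             {@code '/'}, blank privilege or principal name, missing
	 *             principal list)
	 */
	protected void initAuthorizations(Session session)
			throws RepositoryException {
		AccessControlManager acm = session.getAccessControlManager();

		for (Map.Entry<String, String> entry : principalPrivileges.entrySet()) {
			// The map key is kept untouched. Previously the loop variable was
			// overwritten with the privilege part only and then reused for the
			// map lookup, so an entry carrying a path either found no
			// principals (NullPointerException) or picked up the principals of
			// a different, path-less entry with the same privilege list.
			String key = entry.getKey();
			String privilegeNames = key;
			String path = "/";
			int slashIndex = key.indexOf('/');
			if (slashIndex == 0) {
				throw new ArgeoException("Privilege " + key
						+ " badly formatted it starts with /");
			} else if (slashIndex > 0) {
				path = key.substring(slashIndex);
				privilegeNames = key.substring(0, slashIndex);
			}

			List<Privilege> privs = new ArrayList<Privilege>();
			for (String priv : privilegeNames.split(",")) {
				// tolerate "jcr:read, jcr:write" style lists
				String privilegeName = priv.trim();
				if (privilegeName.length() == 0)
					throw new ArgeoException("Empty privilege name in " + key);
				privs.add(acm.privilegeFromName(privilegeName));
			}

			String principalNames = entry.getValue();
			if (principalNames == null)
				throw new ArgeoException("No principal defined for " + key);
			for (String rawName : principalNames.split(",")) {
				// surrounding whitespace would otherwise become part of the
				// principal name and the entry would match nobody
				String principalName = rawName.trim();
				if (principalName.length() == 0)
					throw new ArgeoException("Empty principal name for "
							+ key);
				Principal principal = getOrCreatePrincipal(session,
						principalName);
				JcrUtils.addPrivileges(session, path, principal, privs);
			}
		}
	}

	/**
	 * Returns a {@link SimplePrincipal} for the given name. It does not check
	 * whether the principal exists, since such a capability is not provided
	 * by the standard JCR API. Can be overridden to provide smarter handling,
	 * for example to reject names unknown to the user directory so that a
	 * typo in the configuration fails instead of silently producing an entry
	 * for an unassigned name.
	 * 
	 * @param session
	 *            the session the privileges are being applied with (unused by
	 *            this implementation)
	 * @param principalName
	 *            name of the user or group
	 * @return a principal carrying {@code principalName}
	 * @throws RepositoryException
	 *             never thrown here; declared for overriding implementations
	 */
	protected Principal getOrCreatePrincipal(Session session,
			String principalName) throws RepositoryException {
		return new SimplePrincipal(principalName);
	}

	/** @deprecated use {@link #setPrincipalPrivileges(Map)} instead. */
	@Deprecated
	public void setGroupPrivileges(Map<String, String> groupPrivileges) {
		this.principalPrivileges = groupPrivileges;
	}

	/**
	 * Sets the privileges to apply; see the field documentation for the
	 * key/value format. The map is stored by reference, not copied.
	 */
	public void setPrincipalPrivileges(Map<String, String> principalPrivileges) {
		this.principalPrivileges = principalPrivileges;
	}

	public void setRepository(Repository repository) {
		this.repository = repository;
	}

	/**
	 * Sets the target workspace; {@code "*"} selects all accessible
	 * workspaces except the security workspace.
	 */
	public void setWorkspace(String workspace) {
		this.workspace = workspace;
	}

	/** Sets the name of the workspace skipped in {@code "*"} mode. */
	public void setSecurityWorkspace(String securityWorkspace) {
		this.securityWorkspace = securityWorkspace;
	}

}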