--- /dev/null
+/*
+ * Copyright (C) 2007-2012 Argeo GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.argeo.jcr.security;
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.jcr.Repository;
+import javax.jcr.RepositoryException;
+import javax.jcr.Session;
+import javax.jcr.security.AccessControlManager;
+import javax.jcr.security.Privilege;
+
+import org.argeo.ArgeoException;
+import org.argeo.jcr.JcrUtils;
+import org.argeo.util.security.SimplePrincipal;
+
+/** Apply authorizations to a JCR repository. */
+public class JcrAuthorizations implements Runnable {
+ // private final static Log log =
+ // LogFactory.getLog(JcrAuthorizations.class);
+
+ private Repository repository;
+ private String workspace = null;
+
+ private String securityWorkspace = "security";
+
+ /**
+ * key := privilege1,privilege2/path/to/node<br/>
+ * value := group1,group2,user1
+ */
+ private Map<String, String> principalPrivileges = new HashMap<String, String>();
+
+ public void run() {
+ String currentWorkspace = workspace;
+ Session session = null;
+ try {
+ if (workspace != null && workspace.equals("*")) {
+ session = repository.login();
+ String[] workspaces = session.getWorkspace()
+ .getAccessibleWorkspaceNames();
+ JcrUtils.logoutQuietly(session);
+ for (String wksp : workspaces) {
+ currentWorkspace = wksp;
+ if (currentWorkspace.equals(securityWorkspace))
+ continue;
+ session = repository.login(currentWorkspace);
+ initAuthorizations(session);
+ JcrUtils.logoutQuietly(session);
+ }
+ } else {
+ session = repository.login(workspace);
+ initAuthorizations(session);
+ }
+ } catch (Exception e) {
+ JcrUtils.discardQuietly(session);
+ throw new ArgeoException(
+ "Cannot set authorizations " + principalPrivileges
+ + " on workspace " + currentWorkspace, e);
+ } finally {
+ JcrUtils.logoutQuietly(session);
+ }
+ }
+
+ protected void processWorkspace(String workspace) {
+ Session session = null;
+ try {
+ session = repository.login(workspace);
+ initAuthorizations(session);
+ } catch (Exception e) {
+ JcrUtils.discardQuietly(session);
+ throw new ArgeoException("Cannot set authorizations "
+ + principalPrivileges + " on repository " + repository, e);
+ } finally {
+ JcrUtils.logoutQuietly(session);
+ }
+ }
+
+ /** @deprecated call {@link #run()} instead. */
+ @Deprecated
+ public void init() {
+ run();
+ }
+
+ protected void initAuthorizations(Session session)
+ throws RepositoryException {
+ AccessControlManager acm = session.getAccessControlManager();
+
+ for (String privileges : principalPrivileges.keySet()) {
+ String path = null;
+ int slashIndex = privileges.indexOf('/');
+ if (slashIndex == 0) {
+ throw new ArgeoException("Privilege " + privileges
+ + " badly formatted it starts with /");
+ } else if (slashIndex > 0) {
+ path = privileges.substring(slashIndex);
+ privileges = privileges.substring(0, slashIndex);
+ }
+
+ if (path == null)
+ path = "/";
+
+ List<Privilege> privs = new ArrayList<Privilege>();
+ for (String priv : privileges.split(",")) {
+ privs.add(acm.privilegeFromName(priv));
+ }
+
+ String principalNames = principalPrivileges.get(privileges);
+ for (String principalName : principalNames.split(",")) {
+ Principal principal = getOrCreatePrincipal(session,
+ principalName);
+ JcrUtils.addPrivileges(session, path, principal, privs);
+ // if (log.isDebugEnabled()) {
+ // StringBuffer privBuf = new StringBuffer();
+ // for (Privilege priv : privs)
+ // privBuf.append(priv.getName());
+ // log.debug("Added privileges " + privBuf + " to "
+ // + principal.getName() + " on " + path + " in '"
+ // + session.getWorkspace().getName() + "'");
+ // }
+ }
+ }
+
+ // if (log.isDebugEnabled())
+ // log.debug("JCR authorizations applied on '"
+ // + session.getWorkspace().getName() + "'");
+ }
+
+ /**
+ * Returns a {@link SimplePrincipal}, does not check whether it exists since
+ * such capabilities is not provided by the standard JCR API. Can be
+ * overridden to provide smarter handling
+ */
+ protected Principal getOrCreatePrincipal(Session session,
+ String principalName) throws RepositoryException {
+ return new SimplePrincipal(principalName);
+ }
+
+ // public static void addPrivileges(Session session, Principal principal,
+ // String path, List<Privilege> privs) throws RepositoryException {
+ // AccessControlManager acm = session.getAccessControlManager();
+ // // search for an access control list
+ // AccessControlList acl = null;
+ // AccessControlPolicyIterator policyIterator = acm
+ // .getApplicablePolicies(path);
+ // if (policyIterator.hasNext()) {
+ // while (policyIterator.hasNext()) {
+ // AccessControlPolicy acp = policyIterator
+ // .nextAccessControlPolicy();
+ // if (acp instanceof AccessControlList)
+ // acl = ((AccessControlList) acp);
+ // }
+ // } else {
+ // AccessControlPolicy[] existingPolicies = acm.getPolicies(path);
+ // for (AccessControlPolicy acp : existingPolicies) {
+ // if (acp instanceof AccessControlList)
+ // acl = ((AccessControlList) acp);
+ // }
+ // }
+ //
+ // if (acl != null) {
+ // acl.addAccessControlEntry(principal,
+ // privs.toArray(new Privilege[privs.size()]));
+ // acm.setPolicy(path, acl);
+ // session.save();
+ // if (log.isDebugEnabled()) {
+ // StringBuffer buf = new StringBuffer("");
+ // for (int i = 0; i < privs.size(); i++) {
+ // if (i != 0)
+ // buf.append(',');
+ // buf.append(privs.get(i).getName());
+ // }
+ // log.debug("Added privilege(s) '" + buf + "' to '"
+ // + principal.getName() + "' on " + path
+ // + " from workspace '"
+ // + session.getWorkspace().getName() + "'");
+ // }
+ // } else {
+ // throw new ArgeoException("Don't know how to apply privileges "
+ // + privs + " to " + principal + " on " + path
+ // + " from workspace '" + session.getWorkspace().getName()
+ // + "'");
+ // }
+ // }
+
+ @Deprecated
+ public void setGroupPrivileges(Map<String, String> groupPrivileges) {
+ this.principalPrivileges = groupPrivileges;
+ }
+
+ public void setPrincipalPrivileges(Map<String, String> principalPrivileges) {
+ this.principalPrivileges = principalPrivileges;
+ }
+
+ public void setRepository(Repository repository) {
+ this.repository = repository;
+ }
+
+ public void setWorkspace(String workspace) {
+ this.workspace = workspace;
+ }
+
+ public void setSecurityWorkspace(String securityWorkspace) {
+ this.securityWorkspace = securityWorkspace;
+ }
+
+}