+++ /dev/null
-/*
- * Copyright (C) 2007-2012 Argeo GmbH
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.argeo.security.jackrabbit;
-
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-
-import javax.jcr.RepositoryException;
-import javax.jcr.Session;
-import javax.security.auth.Subject;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.jackrabbit.api.security.user.Group;
-import org.apache.jackrabbit.api.security.user.User;
-import org.apache.jackrabbit.api.security.user.UserManager;
-import org.apache.jackrabbit.core.DefaultSecurityManager;
-import org.apache.jackrabbit.core.security.AMContext;
-import org.apache.jackrabbit.core.security.AccessManager;
-import org.apache.jackrabbit.core.security.AnonymousPrincipal;
-import org.apache.jackrabbit.core.security.SecurityConstants;
-import org.apache.jackrabbit.core.security.authorization.WorkspaceAccessManager;
-import org.springframework.security.Authentication;
-import org.springframework.security.GrantedAuthority;
-import org.springframework.security.context.SecurityContextHolder;
-
-/** Integrates Spring Security and Jackrabbit Security users and roles. */
-public class ArgeoSecurityManager extends DefaultSecurityManager {
- /** Legacy security sync */
- final static String PROPERTY_JACKRABBIT_SECURITY_SYNC_1_1 = "argeo.jackarabbit.securitySync.1.1";
-
- private final static Log log = LogFactory
- .getLog(ArgeoSecurityManager.class);
-
- private static Boolean synchronize = Boolean.parseBoolean(System
- .getProperty(PROPERTY_JACKRABBIT_SECURITY_SYNC_1_1, "false"));
-
- /** TODO? use a bounded buffer */
- private Map<String, String> userRolesCache = Collections
- .synchronizedMap(new HashMap<String, String>());
-
- @Override
- public AccessManager getAccessManager(Session session, AMContext amContext)
- throws RepositoryException {
- synchronized (getSystemSession()) {
- return super.getAccessManager(session, amContext);
- }
- }
-
- @Override
- public UserManager getUserManager(Session session)
- throws RepositoryException {
- synchronized (getSystemSession()) {
- return super.getUserManager(session);
- }
- }
-
- /**
- * Since this is called once when the session is created, we take the
- * opportunity to make sure that Jackrabbit users and groups reflect Spring
- * Security name and authorities.
- */
- @Override
- public String getUserID(Subject subject, String workspaceName)
- throws RepositoryException {
- if (!synchronize) {
- Authentication authentication = SecurityContextHolder.getContext()
- .getAuthentication();
- if (authentication != null)
- return authentication.getName();
- else
- return super.getUserID(subject, workspaceName);
- }
-
- if (log.isTraceEnabled())
- log.trace(subject);
- // skip anonymous user (no rights)
- if (!subject.getPrincipals(AnonymousPrincipal.class).isEmpty())
- return super.getUserID(subject, workspaceName);
- // skip Jackrabbit system user (all rights)
- if (!subject.getPrincipals(ArgeoSystemPrincipal.class).isEmpty())
- return super.getUserID(subject, workspaceName);
-
- // retrieve Spring authentication from JAAS
- // TODO? use Spring Security context holder
- Authentication authen;
- Set<Authentication> authens = subject
- .getPrincipals(Authentication.class);
- String userId = super.getUserID(subject, workspaceName);
- if (authens.size() == 0) {
- // make sure that logged-in user has a Principal, useful for testing
- // using an admin user
- UserManager systemUm = getSystemUserManager(null);
- if (systemUm.getAuthorizable(userId) == null)
- systemUm.createUser(userId, "");
- } else {// Spring Security
- authen = authens.iterator().next();
-
- if (!userId.equals(authen.getName()))
- log.warn("User ID is '" + userId + "' but authen is "
- + authen.getName());
- StringBuffer roles = new StringBuffer("");
- GrantedAuthority[] authorities = authen.getAuthorities();
- for (GrantedAuthority ga : authorities) {
- roles.append(ga.toString());
- }
-
- // do not sync if not changed
- if (userRolesCache.containsKey(userId)
- && userRolesCache.get(userId).equals(roles.toString()))
- return userId;
-
- // sync Spring and Jackrabbit
- // workspace is irrelevant here
- UserManager systemUm = getSystemUserManager(null);
- syncSpringAndJackrabbitSecurity(systemUm, authen);
- userRolesCache.put(userId, roles.toString());
- }
- return userId;
- }
-
- /**
- * Make sure that the Jackrabbit security model contains this user and its
- * granted authorities
- */
- static private void syncSpringAndJackrabbitSecurity(UserManager systemUm,
- Authentication authen) throws RepositoryException {
- long begin = System.currentTimeMillis();
-
- String userId = authen.getName();
- User user = (User) systemUm.getAuthorizable(userId);
- if (user == null) {
- user = systemUm.createUser(userId, authen.getCredentials()
- .toString(), authen, null);
- log.info(userId + " added as " + user);
- }
-
- // process groups
- List<String> userGroupIds = new ArrayList<String>();
- for (GrantedAuthority ga : authen.getAuthorities()) {
- Group group = (Group) systemUm.getAuthorizable(ga.getAuthority());
- if (group == null) {
- group = systemUm.createGroup(ga.getAuthority());
- log.info(ga.getAuthority() + " added as " + group);
- }
- if (!group.isMember(user))
- group.addMember(user);
- userGroupIds.add(ga.getAuthority());
- }
-
- // check if user has not been removed from some groups
- for (Iterator<Group> it = user.declaredMemberOf(); it.hasNext();) {
- Group group = it.next();
- if (!userGroupIds.contains(group.getID()))
- group.removeMember(user);
- }
-
- if (log.isTraceEnabled())
- log.trace("Spring and Jackrabbit Security synchronized for user "
- + userId + " in " + (System.currentTimeMillis() - begin)
- + " ms");
- }
-
- @Override
- protected WorkspaceAccessManager createDefaultWorkspaceAccessManager() {
- WorkspaceAccessManager wam = super
- .createDefaultWorkspaceAccessManager();
- return new ArgeoWorkspaceAccessManagerImpl(wam);
- }
-
- private class ArgeoWorkspaceAccessManagerImpl implements SecurityConstants,
- WorkspaceAccessManager {
- private final WorkspaceAccessManager wam;
-
- public ArgeoWorkspaceAccessManagerImpl(WorkspaceAccessManager wam) {
- super();
- this.wam = wam;
- }
-
- public void init(Session systemSession) throws RepositoryException {
- wam.init(systemSession);
- }
-
- public void close() throws RepositoryException {
- }
-
- public boolean grants(Set<Principal> principals, String workspaceName)
- throws RepositoryException {
- // TODO: implements finer access to workspaces
- return true;
- }
- }
-
-}
projects / lgpl / argeo-commons.git / blobdiff