Big cleanup of the security layers
index c68a0c9785637d14693b932c0ffc40ffc87ef5cb..2153e0e94025c7d96ab3daad787df5612a4be228 100644 (file)
@@ -14,8 +14,6 @@ import javax.jcr.RepositoryException;
 import javax.jcr.Session;
 import javax.jcr.Value;
 import javax.jcr.ValueFactory;
-import javax.jcr.security.AccessControlPolicy;
-import javax.jcr.security.AccessControlPolicyIterator;
 import javax.jcr.security.Privilege;
 import javax.security.auth.Subject;
 
@@ -38,8 +36,6 @@ import org.springframework.security.GrantedAuthority;
 
 /** Intermediary class in order to have a consistent naming in config files. */
 public class ArgeoSecurityManager extends DefaultSecurityManager {
-       public final static String HOME_BASE_PATH = "/home";
-
        private Log log = LogFactory.getLog(ArgeoSecurityManager.class);
 
        @Override
@@ -48,6 +44,7 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
                        throws RepositoryException {
                long begin = System.currentTimeMillis();
 
+               // skip Jackrabbit system user
                if (!subject.getPrincipals(SystemPrincipal.class).isEmpty())
                        return super.getUserID(subject, workspaceName);
 
@@ -60,6 +57,10 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
                else
                        authen = authens.iterator().next();
 
+               // skip argeo system authenticated
+               // if (authen instanceof SystemAuthentication)
+               // return super.getUserID(subject, workspaceName);
+
                UserManager systemUm = getSystemUserManager(workspaceName);
 
                String userId = authen.getName();
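Review bot: The `SystemAuthentication` early-return is added as commented-out code rather than implemented or dropped, so a reader cannot tell whether system-authenticated subjects are meant to be synchronized into the Jackrabbit UserManager or not. As the lines below go on to look up and create the user in `systemUm`, synchronizing them like any other user is the behavior this commit actually ships. Either delete the three commented lines (git keeps the history) or replace them with a statement of intent such as `// system-authenticated subjects are deliberately synchronized like any other user`. getUserID continues outside this hunk.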
@@ -70,7 +71,7 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
                        log.info(userId + " added as " + user);
                }
 
-               setHomeNodeAuthorizations(user);
+               //setHomeNodeAuthorizations(user);
 
                // process groups
                List<String> userGroupIds = new ArrayList<String>();
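Review bot: Commenting out `setHomeNodeAuthorizations(user);` means a user synchronized here no longer has privileges granted on the home node, and nothing in the hunk says where, if anywhere, that grant now happens. If the removal is intended, replace the commented call with a comment naming the new owner of home-node ACLs, e.g. `// home-node ACLs are no longer granted during login sync; see <new location>`; if it is temporary, a `// TODO` with the reason is needed so the missing authorization is not forgotten. getUserID continues outside this hunk.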
@@ -83,7 +84,6 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
                        if (!group.isMember(user))
                                group.addMember(user);
                        userGroupIds.add(ga.getAuthority());
-
                }
 
                // check if user has not been removed from some groups
@@ -93,6 +93,36 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
                                group.removeMember(user);
                }
 
+               // write roles in profile for easy access
+//             if (!(authen instanceof SystemAuthentication)) {
+//                     Node userProfile = JcrUtils.getUserProfile(getSystemSession(),
+//                                     userId);
+//                     boolean writeRoles = false;
+//                     if (userProfile.hasProperty(ArgeoNames.ARGEO_REMOTE_ROLES)) {
+//                             Value[] roles = userProfile.getProperty(ArgeoNames.ARGEO_REMOTE_ROLES)
+//                                             .getValues();
+//                             if (roles.length != userGroupIds.size())
+//                                     writeRoles = true;
+//                             else
+//                                     for (int i = 0; i < roles.length; i++)
+//                                             if (!roles[i].getString().equals(userGroupIds.get(i)))
+//                                                     writeRoles = true;
+//                     } else
+//                             writeRoles = true;
+//
+//                     if (writeRoles) {
+//                             userProfile.getSession().getWorkspace().getVersionManager()
+//                                             .checkout(userProfile.getPath());
+//                             String[] roleIds = userGroupIds.toArray(new String[userGroupIds
+//                                             .size()]);
+//                             userProfile.setProperty(ArgeoNames.ARGEO_REMOTE_ROLES, roleIds);
+//                             JcrUtils.updateLastModified(userProfile);
+//                             userProfile.getSession().save();
+//                             userProfile.getSession().getWorkspace().getVersionManager()
+//                                             .checkin(userProfile.getPath());
+//                     }
+//             }
+
                if (log.isTraceEnabled())
                        log.trace("Spring and Jackrabbit Security synchronized for user "
                                        + userId + " in " + (System.currentTimeMillis() - begin)
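Review bot: Thirty lines of commented-out role-writing code are added under `// write roles in profile for easy access`; dead text like this drifts from the live code and should be deleted and recovered from git history if it is ever needed. If it is kept as a sketch, note that its comparison is positional (`roles[i]` against `userGroupIds.get(i)`), so a mere reordering of the granted authorities would trigger a checkout/save/checkin cycle on the profile at every login. A single line such as `// TODO: persist userGroupIds in the user profile (see history of this commit for a draft)` carries the same intent without the dead code. getUserID continues outside this hunk.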
@@ -100,7 +130,7 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
                return userId;
        }
 
-       protected void setHomeNodeAuthorizations(User user) {
+       protected synchronized void setHomeNodeAuthorizations(User user) {
                // give all privileges on user home
                // FIXME: fails on an empty repo
                String userId = "<not yet set>";
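Review bot: `setHomeNodeAuthorizations` gains `synchronized` without any Javadoc saying what the lock on `this` protects; presumably it serializes use of the shared session returned by `getSystemSession()`, but that should be confirmed and written down. If so, a header such as `/** Grants all privileges on the user's home node through the system session. Synchronized to serialize access to that shared session. */` would replace the bare inline comment. The `FIXME: fails on an empty repo` is carried over unaddressed. The method body continues outside this hunk.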
@@ -109,9 +139,11 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
                        Node userHome = null;
                        try {
                                userHome = JcrUtils.getUserHome(getSystemSession(), userId);
-                               if (userHome == null)
-                                       userHome = JcrUtils.createUserHome(getSystemSession(),
-                                                       HOME_BASE_PATH, userId);
+                               if (userHome == null) {
+                                       userHome = JcrUtils.createUserHomeIfNeeded(getSystemSession(), userId);
+                                       //log.warn("No home available for user "+userId);
+                                       return;
+                               }
                        } catch (Exception e) {
                                // silent
                        }
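Review bot: The new branch returns unconditionally right after `createUserHomeIfNeeded`, so a home that was just created never reaches the privilege setup this method exists for, and the assignment to `userHome` is dead; only the case where creation still yields nothing should bail out, i.e. replace the unconditional `return;` with `if (userHome == null) return; // still no home (e.g. empty repository)`. Note also that the enclosing `catch (Exception e) { // silent }` swallows any failure of the lookup or the creation and lets execution continue past the catch with `userHome` possibly null; what happens there is outside this hunk, but at least a debug log of the exception together with `userId` would explain why home privileges were not granted. The enclosing method starts before and ends after this hunk.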
@@ -125,7 +157,7 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
                                JackrabbitAccessControlPolicy[] ps = acm
                                                .getApplicablePolicies(principal);
                                if (ps.length == 0) {
-                                       log.warn("No ACL found for " + user);
+                                       // log.warn("No ACL found for " + user);
                                        return;
                                }
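Review bot: Commenting out the warning turns the `ps.length == 0` early return into a silent failure: the home-node privileges this method exists to grant (per its own header comment) are not set, and no log entry says why, which is exactly the trace an operator needs when investigating an access problem. If the warning was too noisy, demote it rather than delete it: `if (log.isDebugEnabled()) log.debug("No applicable ACL policy for " + user + ", skipping home node authorizations");`. The enclosing method starts before and ends after this hunk.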