/*
- * Copyright (C) 2007-2012 Mathieu Baudier
+ * Copyright (C) 2007-2012 Argeo GmbH
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.core.DefaultSecurityManager;
+import org.apache.jackrabbit.core.security.AMContext;
+import org.apache.jackrabbit.core.security.AccessManager;
import org.apache.jackrabbit.core.security.AnonymousPrincipal;
import org.apache.jackrabbit.core.security.SecurityConstants;
import org.apache.jackrabbit.core.security.authorization.WorkspaceAccessManager;
import org.springframework.security.Authentication;
import org.springframework.security.GrantedAuthority;
+import org.springframework.security.context.SecurityContextHolder;
/** Integrates Spring Security and Jackrabbit Security users and roles. */
public class ArgeoSecurityManager extends DefaultSecurityManager {
+ /** Legacy security sync */
+ final static String PROPERTY_JACKRABBIT_SECURITY_SYNC_1_1 = "argeo.jackarabbit.securitySync.1.1";
+
private final static Log log = LogFactory
.getLog(ArgeoSecurityManager.class);
+ private static Boolean synchronize = Boolean.parseBoolean(System
+ .getProperty(PROPERTY_JACKRABBIT_SECURITY_SYNC_1_1, "false"));
+
/** TODO? use a bounded buffer */
private Map<String, String> userRolesCache = Collections
.synchronizedMap(new HashMap<String, String>());
+ @Override
+ public AccessManager getAccessManager(Session session, AMContext amContext)
+ throws RepositoryException {
+ synchronized (getSystemSession()) {
+ return super.getAccessManager(session, amContext);
+ }
+ }
+
+ @Override
+ public UserManager getUserManager(Session session)
+ throws RepositoryException {
+ synchronized (getSystemSession()) {
+ return super.getUserManager(session);
+ }
+ }
+
/**
* Since this is called once when the session is created, we take the
* opportunity to make sure that Jackrabbit users and groups reflect Spring
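Review bot: The property key in `PROPERTY_JACKRABBIT_SECURITY_SYNC_1_1` is spelled `argeo.jackarabbit.securitySync.1.1`, so a deployment that sets the correctly spelled `argeo.jackrabbit.securitySync.1.1` will silently leave `synchronize` at `false` and run the non-synchronizing identity path. Either fix the literal or state the exact key in the Javadoc, and declare the flag as `private static final boolean synchronize = Boolean.getBoolean(PROPERTY_JACKRABBIT_SECURITY_SYNC_1_1);` so it is neither boxed nor reassignable. The two new overrides lock on `getSystemSession()` without a comment naming the race they guard against. A line such as `// serialize manager creation: the system session is shared and not thread-safe` (if that is the reason) would help. The lock only serializes anything if that call always returns the same instance, which is not visible here.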
@Override
public String getUserID(Subject subject, String workspaceName)
throws RepositoryException {
+ if (!synchronize) {
+ Authentication authentication = SecurityContextHolder.getContext()
+ .getAuthentication();
+ if (authentication != null)
+ return authentication.getName();
+ else
+ return super.getUserID(subject, workspaceName);
+ }
+
if (log.isTraceEnabled())
log.trace(subject);
// skip anonymous user (no rights)
Authentication authen;
Set<Authentication> authens = subject
.getPrincipals(Authentication.class);
- String userId;
+ String userId = super.getUserID(subject, workspaceName);
if (authens.size() == 0) {
// make sure that logged-in user has a Principal, useful for testing
// using an admin user
- userId = super.getUserID(subject, workspaceName);
UserManager systemUm = getSystemUserManager(null);
if (systemUm.getAuthorizable(userId) == null)
systemUm.createUser(userId, "");
} else {// Spring Security
authen = authens.iterator().next();
- userId = authen.getName();
+ if (!userId.equals(authen.getName()))
+ log.warn("User ID is '" + userId + "' but authen is "
+ + authen.getName());
StringBuffer roles = new StringBuffer("");
GrantedAuthority[] authorities = authen.getAuthorities();
for (GrantedAuthority ga : authorities) {
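Review bot: In the new `if (!synchronize)` branch, which is the default, the session's user ID is read from the thread-bound `SecurityContextHolder` rather than from the `Subject` that was authenticated for this login. A session opened on a thread carrying a different or stale security context would presumably be attributed to that context's user. Prefer the `Authentication` principal carried by the subject, as the legacy path does with `subject.getPrincipals(Authentication.class)`, and fall back to `super.getUserID(subject, workspaceName)` when there is none. In the legacy path, a mismatch between `userId` and `authen.getName()` is now only logged, and the code then goes on to collect authorities from `authen`. If these can differ, failing the login looks safer than a warning, for example `throw new javax.jcr.LoginException("Subject and authentication name differ");`. The method body continues outside the hunk, so how `roles` is used afterwards is not visible here.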
* Make sure that the Jackrabbit security model contains this user and its
* granted authorities
*/
- static void syncSpringAndJackrabbitSecurity(UserManager systemUm,
+ static private void syncSpringAndJackrabbitSecurity(UserManager systemUm,
Authentication authen) throws RepositoryException {
long begin = System.currentTimeMillis();