X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;ds=sidebyside;f=org.argeo.ext.jackrabbit%2Fsrc%2Forg%2Fargeo%2Fsecurity%2Fjackrabbit%2FArgeoSecurityManager.java;h=fde490d2edb9273cdc62453225e40d2a849ebfdb;hb=9d0201c5b057929fb029f484f082d0e011e15673;hp=a1fe94cd870f683ade62070cc709429c00beee6a;hpb=a444205e81419d439635a9e0ff3382ae3f5d9947;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.ext.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoSecurityManager.java b/org.argeo.ext.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoSecurityManager.java index a1fe94cd8..fde490d2e 100644 --- a/org.argeo.ext.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoSecurityManager.java +++ b/org.argeo.ext.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoSecurityManager.java @@ -28,12 +28,14 @@ import org.apache.jackrabbit.core.DefaultSecurityManager; import org.apache.jackrabbit.core.security.AMContext; import org.apache.jackrabbit.core.security.AccessManager; import org.apache.jackrabbit.core.security.SecurityConstants; +import org.apache.jackrabbit.core.security.SystemPrincipal; import org.apache.jackrabbit.core.security.authorization.WorkspaceAccessManager; +import org.apache.jackrabbit.core.security.principal.AdminPrincipal; import org.argeo.node.NodeConstants; import org.argeo.node.security.AnonymousPrincipal; import org.argeo.node.security.DataAdminPrincipal; -/** Integrates Spring Security and Jackrabbit Security users and roles. */ +/** Customises Jackrabbit security. */ public class ArgeoSecurityManager extends DefaultSecurityManager { @Override public AccessManager getAccessManager(Session session, AMContext amContext) throws RepositoryException { @@ -49,37 +51,46 @@ public class ArgeoSecurityManager extends DefaultSecurityManager { } } - /** - * Since this is called once when the session is created, we take the - * opportunity to make sure that Jackrabbit users and groups reflect Spring - * Security name and authorities. - */ + /** Called once when the session is created */ @Override public String getUserID(Subject subject, String workspaceName) throws RepositoryException { - Set anonymousPrincipal = subject.getPrincipals(AnonymousPrincipal.class); - if (!anonymousPrincipal.isEmpty()) - return NodeConstants.ROLE_ANONYMOUS; + boolean isAnonymous = !subject.getPrincipals(AnonymousPrincipal.class).isEmpty(); + boolean isDataAdmin = !subject.getPrincipals(DataAdminPrincipal.class).isEmpty(); + boolean isJackrabbitSystem = !subject.getPrincipals(SystemPrincipal.class).isEmpty(); Set userPrincipal = subject.getPrincipals(X500Principal.class); - if (userPrincipal.isEmpty()) { - Set dataAdminPrincipal = subject.getPrincipals(DataAdminPrincipal.class); - if (!dataAdminPrincipal.isEmpty()) + boolean isRegularUser = !userPrincipal.isEmpty(); + if (isAnonymous) { + if (isDataAdmin || isJackrabbitSystem || isRegularUser) + throw new IllegalStateException("Inconsistent " + subject); + else + return NodeConstants.ROLE_ANONYMOUS; + } else if (isDataAdmin) { + if (isAnonymous || isJackrabbitSystem || isRegularUser) + throw new IllegalStateException("Inconsistent " + subject); + else { + assert !subject.getPrincipals(AdminPrincipal.class).isEmpty(); return NodeConstants.ROLE_DATA_ADMIN; - throw new IllegalStateException("Subject is neither anonymous nor logged-in"); + } + } else if (isJackrabbitSystem) { + if (isAnonymous || isDataAdmin || isRegularUser) + throw new IllegalStateException("Inconsistent " + subject); + else + return super.getUserID(subject, workspaceName); + } else if (isRegularUser) { + if (isAnonymous || isDataAdmin || isJackrabbitSystem) + throw new IllegalStateException("Inconsistent " + subject); + else { + if (userPrincipal.size() > 1) { + StringBuilder buf = new StringBuilder(); + for (X500Principal principal : userPrincipal) + buf.append(' ').append('\"').append(principal).append('\"'); + throw new RuntimeException("Multiple user principals:" + buf); + } + return userPrincipal.iterator().next().getName(); + } + } else { + throw new IllegalStateException("Unrecognized subject type: " + subject); } - // return super.getUserID(subject, workspaceName); - if (userPrincipal.size() > 1) { - StringBuilder buf = new StringBuilder(); - for (X500Principal principal : userPrincipal) - buf.append(' ').append('\"').append(principal).append('\"'); - throw new RuntimeException("Multiple user principals:" + buf); - } - return userPrincipal.iterator().next().getName(); - // Authentication authentication = SecurityContextHolder.getContext() - // .getAuthentication(); - // if (authentication != null) - // return authentication.getName(); - // else - // return super.getUserID(subject, workspaceName); } @Override