X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=security%2Fruntime%2Forg.argeo.security.jackrabbit%2Fsrc%2Fmain%2Fjava%2Forg%2Fargeo%2Fsecurity%2Fjackrabbit%2FArgeoSecurityManager.java;h=00c674580076d7bcbf7d6bdef5b2a343fc47ca6e;hb=a39a9b0e7ad6a44b4fab9db2d2a2224badd4062d;hp=4af5d3f3d5a53997b79418e7a019d7c0f8e8cc4c;hpb=2c4852dcd20d4cde88776c527ae935f242ae1e77;p=lgpl%2Fargeo-commons.git
diff --git a/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java b/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java
index 4af5d3f3d..00c674580 100644
--- a/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java
+++ b/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java
@@ -17,8 +17,11 @@ package org.argeo.security.jackrabbit;
 import java.security.Principal;
 import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
 import java.util.Iterator;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 import javax.jcr.RepositoryException;
@@ -34,13 +37,17 @@ import org.apache.jackrabbit.core.DefaultSecurityManager;
 import org.apache.jackrabbit.core.security.AnonymousPrincipal;
 import org.apache.jackrabbit.core.security.SecurityConstants;
 import org.apache.jackrabbit.core.security.authorization.WorkspaceAccessManager;
-import org.argeo.ArgeoException;
 import org.springframework.security.Authentication;
 import org.springframework.security.GrantedAuthority;
 /** Integrates Spring Security and Jackrabbit Security user and roles. */
 public class ArgeoSecurityManager extends DefaultSecurityManager {
- private Log log = LogFactory.getLog(ArgeoSecurityManager.class);
+ private final static Log log = LogFactory
+ .getLog(ArgeoSecurityManager.class);
+
+ /** TODO? use a bounded buffer */
+ private Map userRolesCache = Collections
+ .synchronizedMap(new HashMap());
 /**
 * Since this is called once when the session is created, we take the
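Review bot: `userRolesCache` decides whether the Spring-to-Jackrabbit sync is skipped, yet the field's only documentation is the `TODO? use a bounded buffer` remark. Entries are keyed by user id and nothing visible in this diff removes or invalidates them, so the map grows with every distinct user, and a Jackrabbit-side change made out of band would presumably not be re-synced until that user's Spring roles change. I would replace the TODO with a comment that states this contract, e.g. `/** Role signature last synced per user id; entries are never evicted or invalidated. */`.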
@@ -64,29 +71,46 @@ public class ArgeoSecurityManager extends DefaultSecurityManager { Authentication authen; Set authens = subject .getPrincipals(Authentication.class); - if (authens.size() == 0) - throw new ArgeoException("No Spring authentication found in " - + subject); - else + String userId; + if (authens.size() == 0) { + // make sure that logged-in user has a Principal, useful for testing + // using an admin user + userId = super.getUserID(subject, workspaceName); + UserManager systemUm = getSystemUserManager(null); + if (systemUm.getAuthorizable(userId) == null) + systemUm.createUser(userId, ""); + } else {// Spring Security authen = authens.iterator().next(); - // sync Spring and Jackrabbit - syncSpringAndJackrabbitSecurity(authen); + userId = authen.getName(); + StringBuffer roles = new StringBuffer(""); + GrantedAuthority[] authorities = authen.getAuthorities(); + for (GrantedAuthority ga : authorities) { + roles.append(ga.toString()); + } + + // do not sync if not changed + if (userRolesCache.containsKey(userId) + && userRolesCache.get(userId).equals(roles.toString())) + return userId; - return authen.getName(); + // sync Spring and Jackrabbit + // workspace is irrelevant here + UserManager systemUm = getSystemUserManager(null); + syncSpringAndJackrabbitSecurity(systemUm, authen); + userRolesCache.put(userId, roles.toString()); + } + return userId; } /** * Make sure that the Jackrabbit security model contains this user and its * granted authorities */ - protected void syncSpringAndJackrabbitSecurity(Authentication authen) - throws RepositoryException { + static void syncSpringAndJackrabbitSecurity(UserManager systemUm, + Authentication authen) throws RepositoryException { long begin = System.currentTimeMillis(); - // workspace is irrelevant here - UserManager systemUm = getSystemUserManager(null); - String userId = authen.getName(); User user = (User) systemUm.getAuthorizable(userId); if (user == null) {
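Review bot: The new `authens.size() == 0` branch turns what used to be a hard failure into silent provisioning: a subject without a Spring `Authentication` now gets a Jackrabbit user created with an empty password via `systemUm.createUser(userId, "")`. The comment says this exists for testing with an admin user, so it should be gated on an explicit configuration switch or limited to the known admin id, and the account should be created with a random, unusable password rather than `""`; if `super.getUserID(...)` can return null, `userId` also needs a check before `getAuthorizable(userId)`. Separately, the role signature is built with `roles.append(ga.toString())` and no separator, so two different authority sets can concatenate to the same string and the cache check would then skip a sync that is needed; `roles.append(ga.toString()).append(';')` avoids that. The body of `syncSpringAndJackrabbitSecurity` continues outside the hunk.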