X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=security%2Fruntime%2Forg.argeo.security.jackrabbit%2Fsrc%2Fmain%2Fjava%2Forg%2Fargeo%2Fsecurity%2Fjackrabbit%2FArgeoSecurityManager.java;h=2153e0e94025c7d96ab3daad787df5612a4be228;hb=484dcb1507e4e35cc282e50522ea7eac7e99a7f9;hp=c68a0c9785637d14693b932c0ffc40ffc87ef5cb;hpb=afd41f657b0eecb1e9a1db85af8bff0cc7bc4804;p=lgpl%2Fargeo-commons.git
diff --git a/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java b/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java
index c68a0c978..2153e0e94 100644
--- a/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java
+++ b/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java
@@ -14,8 +14,6 @@ import javax.jcr.RepositoryException;
 import javax.jcr.Session;
 import javax.jcr.Value;
 import javax.jcr.ValueFactory;
-import javax.jcr.security.AccessControlPolicy;
-import javax.jcr.security.AccessControlPolicyIterator;
 import javax.jcr.security.Privilege;
 
 import javax.security.auth.Subject;
@@ -38,8 +36,6 @@ import org.springframework.security.GrantedAuthority;
 
 /** Intermediary class in order to have a consistent naming in config files. */
 public class ArgeoSecurityManager extends DefaultSecurityManager {
- public final static String HOME_BASE_PATH = "/home";
-
 private Log log = LogFactory.getLog(ArgeoSecurityManager.class);
 
 @Override
@@ -48,6 +44,7 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
 throws RepositoryException {
 long begin = System.currentTimeMillis();
 
+ // skip Jackrabbit system user
 if (!subject.getPrincipals(SystemPrincipal.class).isEmpty())
 return super.getUserID(subject, workspaceName);
 
@@ -60,6 +57,10 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
 else
 authen = authens.iterator().next();
 
+ // skip argeo system authenticated
+ // if (authen instanceof SystemAuthentication)
+ // return super.getUserID(subject, workspaceName);
+
 UserManager systemUm = getSystemUserManager(workspaceName);
 String userId = authen.getName();
 
@@ -70,7 +71,7 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
 log.info(userId + " added as " + user);
 }
 
- setHomeNodeAuthorizations(user);
+ //setHomeNodeAuthorizations(user);
 
 // process groups
 List userGroupIds = new ArrayList();
@@ -83,7 +84,6 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
 if (!group.isMember(user))
 group.addMember(user);
 userGroupIds.add(ga.getAuthority());
- }
 
 // check if user has not been removed from some groups
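Review bot: The comment added after `authen = authens.iterator().next();` states that the Argeo system authentication is skipped, but the `instanceof SystemAuthentication` test beneath it is commented out, so nothing is skipped and the user/group synchronisation below still runs for that authentication. A comment describing a check the code does not make will mislead the next reader; either enable the check or reword it, e.g. `// NOTE: SystemAuthentication is NOT skipped here; it is synchronised like any other principal`. If the check is deliberately disabled, the reason belongs in the comment rather than in dead code. getUserID starts before this hunk and continues past it.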
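Review bot: Commenting out `setHomeNodeAuthorizations(user);` silently removes the only visible call that grants a user privileges on their home node, so users synchronised through this path no longer receive a home ACL here, and nothing in the hunk records why. If that is intended, replace the commented-out line with the decision, e.g. `// home-node ACLs are no longer granted during login sync; see <reason/ticket>`; if it is temporary, a TODO with an owner is the minimum. Leaving the call as commented-out code next to a method that still exists (and is made synchronized elsewhere in this commit) invites someone to re-enable it without understanding the authorization consequence. The enclosing getUserID body starts and ends outside this hunk.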
@@ -93,6 +93,36 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
 group.removeMember(user);
 }
 
+ // write roles in profile for easy access
// if (!(authen instanceof SystemAuthentication)) {
// Node userProfile = JcrUtils.getUserProfile(getSystemSession(),
// userId);
// boolean writeRoles = false;
// if (userProfile.hasProperty(ArgeoNames.ARGEO_REMOTE_ROLES)) {
// Value[] roles = userProfile.getProperty(ArgeoNames.ARGEO_REMOTE_ROLES)
// .getValues();
// if (roles.length != userGroupIds.size())
// writeRoles = true;
// else
// for (int i = 0; i < roles.length; i++)
// if (!roles[i].getString().equals(userGroupIds.get(i)))
// writeRoles = true;
// } else
// writeRoles = true;
//
// if (writeRoles) {
// userProfile.getSession().getWorkspace().getVersionManager()
// .checkout(userProfile.getPath());
// String[] roleIds = userGroupIds.toArray(new String[userGroupIds
// .size()]);
// userProfile.setProperty(ArgeoNames.ARGEO_REMOTE_ROLES, roleIds);
// JcrUtils.updateLastModified(userProfile);
// userProfile.getSession().save();
// userProfile.getSession().getWorkspace().getVersionManager()
// .checkin(userProfile.getPath());
// }
// }
+
 if (log.isTraceEnabled())
 log.trace("Spring and Jackrabbit Security synchronized for user "
 + userId + " in " + (System.currentTimeMillis() - begin)
@@ -100,7 +130,7 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
 return userId;
 }
 
- protected void setHomeNodeAuthorizations(User user) {
+ protected synchronized void setHomeNodeAuthorizations(User user) {
 // give all privileges on user home
 // FIXME: fails on an empty repo
 String userId = "";
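Review bot: The live comment `// write roles in profile for easy access` now heads roughly thirty lines of commented-out code, so a reader skimming getUserID will believe the Spring authorities are persisted to ARGEO_REMOTE_ROLES when they are not; history already keeps the removed implementation, so delete the block or reduce it to `// TODO(re-enable): persist userGroupIds into ARGEO_REMOTE_ROLES on the user profile; disabled because <reason>`. If it is revived as written, note that it compares roles positionally (`roles[i]` against `userGroupIds.get(i)`), so a mere reordering of authorities triggers a checkout/setProperty/save/checkin cycle under the system session on every login. getUserID starts before this hunk and its remainder follows.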
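Review bot: `setHomeNodeAuthorizations` is made `synchronized` in this commit while, in the same commit, its only visible caller is commented out, so the lock now guards a method nothing in the diff invokes, and the `FIXME: fails on an empty repo` it carries is left unresolved. If the method is kept for subclasses or a later re-enable, document what the lock is for, presumably the non-atomic lookup-then-create of the home node under concurrent first logins, e.g. `// synchronized: home lookup + create below is not atomic; serialises concurrent first logins of one user (per manager instance, intra-JVM only)`. Synchronizing on the security-manager instance also serialises every caller, not just those for the same user, which is worth stating if it is accepted. The method body continues past this hunk.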
@@ -109,9 +139,11 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
 Node userHome = null;
 try {
 userHome = JcrUtils.getUserHome(getSystemSession(), userId);
- if (userHome == null)
- userHome = JcrUtils.createUserHome(getSystemSession(),
- HOME_BASE_PATH, userId);
+ if (userHome == null) {
+ userHome = JcrUtils.createUserHomeIfNeeded(getSystemSession(), userId);
+ //log.warn("No home available for user "+userId);
+ return;
+ }
 } catch (Exception e) {
 // silent
 }
@@ -125,7 +157,7 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
 JackrabbitAccessControlPolicy[] ps = acm
 .getApplicablePolicies(principal);
 if (ps.length == 0) {
- log.warn("No ACL found for " + user);
+ // log.warn("No ACL found for " + user);
 return;
 }
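Review bot: In the `userHome == null` branch the new code assigns the result of `createUserHomeIfNeeded(...)` to `userHome` and then unconditionally `return`s, so the assignment is dead and a freshly created home never reaches the privilege grant the rest of this method exists to apply (unless `createUserHomeIfNeeded` sets the ACL itself, which this hunk does not show). If the intent is to provision and then authorise, drop the `return` and guard on the result instead: `userHome = JcrUtils.createUserHomeIfNeeded(getSystemSession(), userId);` followed by `if (userHome == null) return;`. The surrounding `catch (Exception e) { // silent }` also swallows any failure of the system-session call, so a user left without a home or ACL leaves no trace; at least `log.warn("Cannot provision home for " + userId, e)` is warranted. The method starts and ends outside this hunk.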
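Review bot: Silencing `log.warn("No ACL found for " + user)` removes the only signal that the `return` on the next line is taking effect, i.e. that no home-node authorization is being applied for this user; whether that means a policy is already bound or none is available cannot be told from the hunk, and an operator now has no way to tell either. If the warning was too noisy (for instance it fires on every login once the policy is in place), downgrade it rather than delete it: `if (log.isDebugEnabled()) log.debug("No applicable ACL policy for " + user + ", skipping home authorizations");`. The method continues past this hunk.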