X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=security%2Fruntime%2Forg.argeo.security.jackrabbit%2Fsrc%2Fmain%2Fjava%2Forg%2Fargeo%2Fsecurity%2Fjackrabbit%2FArgeoSecurityManager.java;h=3450c75d8dbd51f9e9418814a82023e8cdd4a205;hb=3a3d316af102ba410d1d9e6de349d0c8f7ac044f;hp=2153e0e94025c7d96ab3daad787df5612a4be228;hpb=484dcb1507e4e35cc282e50522ea7eac7e99a7f9;p=lgpl%2Fargeo-commons.git diff --git a/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java b/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java index 2153e0e94..3450c75d8 100644 --- a/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java +++ b/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java @@ -1,67 +1,150 @@ +/* + * Copyright (C) 2007-2012 Argeo GmbH + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ package org.argeo.security.jackrabbit; import java.security.Principal; import java.util.ArrayList; +import java.util.Collections; import java.util.HashMap; import java.util.Iterator; import java.util.List; import java.util.Map; import java.util.Set; -import javax.jcr.Node; -import javax.jcr.PropertyType; import javax.jcr.RepositoryException; import javax.jcr.Session; -import javax.jcr.Value; -import javax.jcr.ValueFactory; -import javax.jcr.security.Privilege; import javax.security.auth.Subject; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; -import org.apache.jackrabbit.api.security.JackrabbitAccessControlList; -import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager; -import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy; import org.apache.jackrabbit.api.security.user.Group; import org.apache.jackrabbit.api.security.user.User; import org.apache.jackrabbit.api.security.user.UserManager; import org.apache.jackrabbit.core.DefaultSecurityManager; +import org.apache.jackrabbit.core.security.AMContext; +import org.apache.jackrabbit.core.security.AccessManager; +import org.apache.jackrabbit.core.security.AnonymousPrincipal; import org.apache.jackrabbit.core.security.SecurityConstants; -import org.apache.jackrabbit.core.security.SystemPrincipal; import org.apache.jackrabbit.core.security.authorization.WorkspaceAccessManager; -import org.argeo.ArgeoException; -import org.argeo.jcr.JcrUtils; import org.springframework.security.Authentication; import org.springframework.security.GrantedAuthority; +import org.springframework.security.context.SecurityContextHolder; -/** Intermediary class in order to have a consistent naming in config files. */ +/** Integrates Spring Security and Jackrabbit Security users and roles. */ public class ArgeoSecurityManager extends DefaultSecurityManager { - private Log log = LogFactory.getLog(ArgeoSecurityManager.class); + /** Legacy security sync */ + final static String PROPERTY_JACKRABBIT_SECURITY_SYNC_1_1 = "argeo.jackarabbit.securitySync.1.1"; + private final static Log log = LogFactory + .getLog(ArgeoSecurityManager.class); + + private static Boolean synchronize = Boolean.parseBoolean(System + .getProperty(PROPERTY_JACKRABBIT_SECURITY_SYNC_1_1, "false")); + + /** TODO? use a bounded buffer */ + private Map userRolesCache = Collections + .synchronizedMap(new HashMap()); + + @Override + public AccessManager getAccessManager(Session session, AMContext amContext) + throws RepositoryException { + synchronized (getSystemSession()) { + return super.getAccessManager(session, amContext); + } + } + + @Override + public UserManager getUserManager(Session session) + throws RepositoryException { + synchronized (getSystemSession()) { + return super.getUserManager(session); + } + } + + /** + * Since this is called once when the session is created, we take the + * opportunity to make sure that Jackrabbit users and groups reflect Spring + * Security name and authorities. + */ @Override - /** Since this is called once when the session is created, we take the opportunity to synchronize Spring and Jackrabbit users and groups.*/ public String getUserID(Subject subject, String workspaceName) throws RepositoryException { - long begin = System.currentTimeMillis(); + if (!synchronize) { + Authentication authentication = SecurityContextHolder.getContext() + .getAuthentication(); + if (authentication != null) + return authentication.getName(); + else + return super.getUserID(subject, workspaceName); + } - // skip Jackrabbit system user - if (!subject.getPrincipals(SystemPrincipal.class).isEmpty()) + if (log.isTraceEnabled()) + log.trace(subject); + // skip anonymous user (no rights) + if (!subject.getPrincipals(AnonymousPrincipal.class).isEmpty()) + return super.getUserID(subject, workspaceName); + // skip Jackrabbit system user (all rights) + if (!subject.getPrincipals(ArgeoSystemPrincipal.class).isEmpty()) return super.getUserID(subject, workspaceName); + // retrieve Spring authentication from JAAS + // TODO? use Spring Security context holder Authentication authen; Set authens = subject .getPrincipals(Authentication.class); - if (authens.size() == 0) - throw new ArgeoException("No Spring authentication found in " - + subject); - else + String userId = super.getUserID(subject, workspaceName); + if (authens.size() == 0) { + // make sure that logged-in user has a Principal, useful for testing + // using an admin user + UserManager systemUm = getSystemUserManager(null); + if (systemUm.getAuthorizable(userId) == null) + systemUm.createUser(userId, ""); + } else {// Spring Security authen = authens.iterator().next(); - // skip argeo system authenticated - // if (authen instanceof SystemAuthentication) - // return super.getUserID(subject, workspaceName); + if (!userId.equals(authen.getName())) + log.warn("User ID is '" + userId + "' but authen is " + + authen.getName()); + StringBuffer roles = new StringBuffer(""); + GrantedAuthority[] authorities = authen.getAuthorities(); + for (GrantedAuthority ga : authorities) { + roles.append(ga.toString()); + } + + // do not sync if not changed + if (userRolesCache.containsKey(userId) + && userRolesCache.get(userId).equals(roles.toString())) + return userId; - UserManager systemUm = getSystemUserManager(workspaceName); + // sync Spring and Jackrabbit + // workspace is irrelevant here + UserManager systemUm = getSystemUserManager(null); + syncSpringAndJackrabbitSecurity(systemUm, authen); + userRolesCache.put(userId, roles.toString()); + } + return userId; + } + + /** + * Make sure that the Jackrabbit security model contains this user and its + * granted authorities + */ + static private void syncSpringAndJackrabbitSecurity(UserManager systemUm, + Authentication authen) throws RepositoryException { + long begin = System.currentTimeMillis(); String userId = authen.getName(); User user = (User) systemUm.getAuthorizable(userId); @@ -71,8 +154,6 @@ public class ArgeoSecurityManager extends DefaultSecurityManager { log.info(userId + " added as " + user); } - //setHomeNodeAuthorizations(user); - // process groups List userGroupIds = new ArrayList(); for (GrantedAuthority ga : authen.getAuthorities()) { @@ -93,93 +174,10 @@ public class ArgeoSecurityManager extends DefaultSecurityManager { group.removeMember(user); } - // write roles in profile for easy access -// if (!(authen instanceof SystemAuthentication)) { -// Node userProfile = JcrUtils.getUserProfile(getSystemSession(), -// userId); -// boolean writeRoles = false; -// if (userProfile.hasProperty(ArgeoNames.ARGEO_REMOTE_ROLES)) { -// Value[] roles = userProfile.getProperty(ArgeoNames.ARGEO_REMOTE_ROLES) -// .getValues(); -// if (roles.length != userGroupIds.size()) -// writeRoles = true; -// else -// for (int i = 0; i < roles.length; i++) -// if (!roles[i].getString().equals(userGroupIds.get(i))) -// writeRoles = true; -// } else -// writeRoles = true; -// -// if (writeRoles) { -// userProfile.getSession().getWorkspace().getVersionManager() -// .checkout(userProfile.getPath()); -// String[] roleIds = userGroupIds.toArray(new String[userGroupIds -// .size()]); -// userProfile.setProperty(ArgeoNames.ARGEO_REMOTE_ROLES, roleIds); -// JcrUtils.updateLastModified(userProfile); -// userProfile.getSession().save(); -// userProfile.getSession().getWorkspace().getVersionManager() -// .checkin(userProfile.getPath()); -// } -// } - if (log.isTraceEnabled()) log.trace("Spring and Jackrabbit Security synchronized for user " + userId + " in " + (System.currentTimeMillis() - begin) + " ms"); - return userId; - } - - protected synchronized void setHomeNodeAuthorizations(User user) { - // give all privileges on user home - // FIXME: fails on an empty repo - String userId = ""; - try { - userId = user.getID(); - Node userHome = null; - try { - userHome = JcrUtils.getUserHome(getSystemSession(), userId); - if (userHome == null) { - userHome = JcrUtils.createUserHomeIfNeeded(getSystemSession(), userId); - //log.warn("No home available for user "+userId); - return; - } - } catch (Exception e) { - // silent - } - - if (userHome != null) { - String path = userHome.getPath(); - Principal principal = user.getPrincipal(); - - JackrabbitAccessControlManager acm = (JackrabbitAccessControlManager) getSystemSession() - .getAccessControlManager(); - JackrabbitAccessControlPolicy[] ps = acm - .getApplicablePolicies(principal); - if (ps.length == 0) { - // log.warn("No ACL found for " + user); - return; - } - - JackrabbitAccessControlList list = (JackrabbitAccessControlList) ps[0]; - - // add entry - Privilege[] privileges = new Privilege[] { acm - .privilegeFromName(Privilege.JCR_ALL) }; - Map restrictions = new HashMap(); - ValueFactory vf = getSystemSession().getValueFactory(); - restrictions.put("rep:nodePath", - vf.createValue(path, PropertyType.PATH)); - restrictions.put("rep:glob", vf.createValue("*")); - list.addEntry(principal, privileges, true /* allow or deny */, - restrictions); - } - } catch (Exception e) { - e.printStackTrace(); - log.warn("Cannot set authorization on user node for " + userId - + ": " + e.getMessage()); - } - } @Override @@ -193,8 +191,6 @@ public class ArgeoSecurityManager extends DefaultSecurityManager { WorkspaceAccessManager { private final WorkspaceAccessManager wam; - // private String defaultWorkspace; - public ArgeoWorkspaceAccessManagerImpl(WorkspaceAccessManager wam) { super(); this.wam = wam; @@ -202,8 +198,6 @@ public class ArgeoSecurityManager extends DefaultSecurityManager { public void init(Session systemSession) throws RepositoryException { wam.init(systemSession); - // defaultWorkspace = ((RepositoryImpl) getRepository()).getConfig() - // .getDefaultWorkspaceName(); } public void close() throws RepositoryException { @@ -211,22 +205,8 @@ public class ArgeoSecurityManager extends DefaultSecurityManager { public boolean grants(Set principals, String workspaceName) throws RepositoryException { - // everybody has access to all workspaces // TODO: implements finer access to workspaces return true; - - // anonymous has access to the default workspace (required for - // remoting which does a default login when initializing the - // repository) - // Boolean anonymous = false; - // for (Principal principal : principals) - // if (principal instanceof AnonymousPrincipal) - // anonymous = true; - // - // if (anonymous && workspaceName.equals(defaultWorkspace)) - // return true; - // else - // return wam.grants(principals, workspaceName); } }