<packaging>pom</packaging>
<properties>
<developmentCycle>0.2</developmentCycle>
- <version.argeo-distribution>1.1.3-SNAPSHOT</version.argeo-distribution>
+ <version.argeo-distribution>1.1.3</version.argeo-distribution>
<version.argeo-commons>0.2.3-SNAPSHOT</version.argeo-commons>
<version.argeo-ria>0.12.5</version.argeo-ria>
<version.equinox>3.6.1</version.equinox>
- <version.maven-argeo-osgi>0.1.31-SNAPSHOT</version.maven-argeo-osgi>
+ <version.maven-argeo-osgi>0.1.31</version.maven-argeo-osgi>
<version.maven-bundle-plugin>2.2.0</version.maven-bundle-plugin>
<version.maven-argeo-qooxdoo>1.1.1</version.maven-argeo-qooxdoo>
<site.repoBase>file:///srv/projects/www/commons/site</site.repoBase>
package org.argeo.security.core;
+import java.security.AccessController;
+
+import javax.security.auth.Subject;
+
import org.argeo.ArgeoException;
import org.argeo.security.SystemExecutionService;
import org.springframework.core.task.SimpleAsyncTaskExecutor;
.getContext();
Authentication currentAuth = securityContext
.getAuthentication();
- if (currentAuth != null) {
+ if (currentAuth != null)
throw new ArgeoException(
"System execution on an already authenticated thread: "
+ currentAuth + ", THREAD="
+ Thread.currentThread().getId());
- }
+
+ Subject subject = Subject.getSubject(AccessController
+ .getContext());
+ if (subject != null
+ && !subject.getPrincipals(Authentication.class)
+ .isEmpty())
+ throw new ArgeoException(
+ "There is already an authenticated subject: "
+ + subject);
+
Authentication auth = authenticationManager
.authenticate(new InternalAuthentication(
systemAuthenticationKey));
}
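Review bot: The new exception at L38-L40 concatenates the whole `Subject`, and `Subject.toString()` renders its principal and credential sets, so this message can carry credential material into logs and stack traces; the existing `currentAuth` message at L29 is less exposed because Spring's tokens mask the password. I would narrow it to `"There is already an authenticated subject: " + subject.getPrincipals()`, or just the principal names. Separately, L26 drops the braces that L25 had around the multi-line `throw`, which the rest of the file keeps; the enclosing method starts before L22 (`.getContext();` is mid-statement) and appears to continue past the hunk, since `auth` assigned at L42 is not yet used.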
protected Set<Principal> getPrincipals() {
+ // clear already registered Jackrabbit principals
+ clearPrincipals(AdminPrincipal.class);
+ clearPrincipals(AnonymousPrincipal.class);
+ clearPrincipals(GrantedAuthorityPrincipal.class);
+
+ return syncPrincipals();
+ }
+
+ protected Set<Principal> syncPrincipals() {
// use linked HashSet instead of HashSet in order to maintain the order
// of principals (as in the Subject).
- Set<Principal> principals = new LinkedHashSet<Principal>();
- principals.add(principal);
-
org.springframework.security.Authentication authen = (org.springframework.security.Authentication) principal;
+ Set<Principal> principals = new LinkedHashSet<Principal>();
+ principals.add(authen);
+
if (authen instanceof SystemAuthentication)
principals.add(new AdminPrincipal(authen.getName()));
else if (authen instanceof AnonymousAuthenticationToken)
principals.add(new AdminPrincipal(authen.getName()));
}
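Review bot: `getPrincipals()` at L46-L53 now mutates the Subject (three `clearPrincipals` calls) before returning a freshly computed set, which a caller will not expect from a getter; a one-line comment such as `// side effect: drops the previously registered Jackrabbit principals so they are rebuilt from the current Authentication` would save the next reader a surprise. In the new `syncPrincipals()`, L67-L68 give an `AnonymousAuthenticationToken` the same `AdminPrincipal` as a `SystemAuthentication`; if that is deliberate it deserves a comment saying why, because it reads like a copy of the branch above. `syncPrincipals()` continues past L69 (no `return principals` is visible yet), and the enclosing class header is outside the hunk.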
+ // remove previous credentials
+ Set<SimpleCredentials> thisCredentials = subject
+ .getPublicCredentials(SimpleCredentials.class);
+ if (thisCredentials != null)
+ thisCredentials.clear();
// override credentials since we did not used the one passed to us
credentials = new SimpleCredentials(authen.getName(), authen
.getCredentials().toString().toCharArray());
clearPrincipals(AdminPrincipal.class);
clearPrincipals(AnonymousPrincipal.class);
clearPrincipals(GrantedAuthorityPrincipal.class);
- Set<SimpleCredentials> thisCredentials = subject
- .getPublicCredentials(SimpleCredentials.class);
- if (thisCredentials != null)
- thisCredentials.clear();
+
+ // we resync with Spring Security since the subject may have been reused
+ // in beetween
+ // TODO: check if this is clean
+ subject.getPrincipals().addAll(syncPrincipals());
+
return true;
}
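Review bot: `thisCredentials.clear()` at L73-L74 does not remove anything from the Subject: `Subject.getPublicCredentials(Class)` is documented to return a new Set that is not backed by the Subject's credential set, so the stale `SimpleCredentials` stay alongside the new one created at L76-L77. The removal has to go through the backing set, e.g. `subject.getPublicCredentials().removeAll(thisCredentials);` in place of the `clear()`. The same code was already present on the old side at L81-L84, so this is carried over rather than introduced, but the commit moves it and is the natural place to fix it; the enclosing method starts before L70. The `TODO: check if this is clean` at L88 would be easier to act on if it named the concern, for instance `// TODO: getPrincipals() also clears and resyncs; one of the two paths should own this`.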
import java.util.List;
import java.util.Set;
-import javax.jcr.AccessDeniedException;
import javax.jcr.Node;
-import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
-import javax.jcr.UnsupportedRepositoryOperationException;
-import javax.jcr.lock.LockException;
-import javax.jcr.security.AccessControlException;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
-import javax.jcr.version.VersionException;
import javax.security.auth.Subject;
import org.apache.commons.logging.Log;
return grantedAuthority.getAuthority();
}
+ @Override
+ public int hashCode() {
+ return getName().hashCode();
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ if (!(obj instanceof GrantedAuthorityPrincipal))
+ return false;
+ return getName().equals(((GrantedAuthorityPrincipal) obj).getName());
+ }
+
}
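Review bot: The new `hashCode()`/`equals()` at L113-L123 make two `GrantedAuthorityPrincipal`s equal whenever their names match, which is presumably the point (deduplication inside the Subject's principal set), but both dereference `getName()`, which at L111 delegates to `grantedAuthority.getAuthority()` and will throw `NullPointerException` if that is ever null. A Javadoc on the class stating `Identity is defined by the authority name only.` would document the contract, and a guard like `String name = getName(); return name == null ? 0 : name.hashCode();` would make the methods total. Consider braces around the `return false` at L121, as the multi-line `if` bodies elsewhere in this commit use them inconsistently.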
</command>
</menuContribution>
</extension>
+ <extension
+ point="org.eclipse.ui.activities">
+ <activity
+ description="Only for admins"
+ id="org.argeo.jcr.ui.explorer.adminActivity"
+ name="Admin">
+ <enabledWhen>
+ <with variable="roles">
+ <iterate ifEmpty="false" operator="or">
+ <equals value="ROLE_ADMIN" />
+ </iterate>
+ </with>
+ </enabledWhen>
+ </activity>
+ <!-- TODO: find a way to exclude evrything -->
+ <activityPatternBinding
+ activityId="org.argeo.jcr.ui.explorer.adminActivity"
+ isEqualityPattern="true"
+ pattern="org.argeo.jcr.ui.explorer/org.argeo.jcr.ui.explorer.perspective">
+ </activityPatternBinding>
+ </extension>
</plugin>
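Review bot: The `enabledWhen` test on `roles` at L135-L141 controls only whether the perspective is shown; an Eclipse activity is a UI visibility mechanism, not an authorization check, so access to the admin functions still has to be enforced by the repository-side access control that the Java hunks in this commit touch. A comment above the `<activity>` making that explicit, e.g. `<!-- UI visibility only: admin rights are enforced by the repository ACLs, not by this activity -->`, would keep a later maintainer from treating the binding as the security boundary. `ifEmpty="false"` at L137 correctly disables the activity when no roles are present. The TODO at L143 could name what "everything" refers to (the views and commands outside the perspective pattern at L147) so the follow-up is actionable.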