package org.argeo.security.jackrabbit;

import java.security.Principal;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Set;

import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.security.auth.Subject;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.core.DefaultSecurityManager;
import org.apache.jackrabbit.core.security.SecurityConstants;
import org.apache.jackrabbit.core.security.SystemPrincipal;
import org.apache.jackrabbit.core.security.authorization.WorkspaceAccessManager;
import org.argeo.ArgeoException;
import org.springframework.security.Authentication;
import org.springframework.security.GrantedAuthority;
25
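/**
 * Intermediary class in order to have a consistent naming in config files.
 * <p>
 * Besides the naming, it hooks into {@link #getUserID(Subject, String)} to
 * mirror the Spring Security {@link Authentication} of the session into the
 * Jackrabbit user/group store, and wraps the default
 * {@link WorkspaceAccessManager} (see {@link ArgeoWorkspaceAccessManagerImpl}
 * for the access decision actually taken).
 */
public class ArgeoSecurityManager extends DefaultSecurityManager {
	private static final Log log = LogFactory
			.getLog(ArgeoSecurityManager.class);

	/**
	 * Returns the user id of the session and synchronizes Spring and
	 * Jackrabbit users and groups. Since this is called once when the session
	 * is created, we take the opportunity to do the synchronization here.
	 * <p>
	 * Sessions carrying a {@link SystemPrincipal} are delegated to the
	 * superclass untouched. Otherwise the first {@link Authentication}
	 * principal of the subject is taken as the source of truth: a missing
	 * Jackrabbit user is created, a Jackrabbit group is created for every
	 * granted authority, the user is added to those groups and removed from
	 * every other group it is a declared member of.
	 * 
	 * @param subject
	 *            the authenticated JAAS subject of the session being created
	 * @param workspaceName
	 *            the workspace whose system user manager is used
	 * @return the Spring authentication name, used as Jackrabbit user id
	 * @throws RepositoryException
	 *             propagated from the user manager
	 * @throws ArgeoException
	 *             if the subject holds no Spring authentication, if the
	 *             authentication has no credentials while the user must be
	 *             created, or if an existing authorizable has the wrong type
	 *             (group instead of user, or user instead of group)
	 */
	@Override
	public String getUserID(Subject subject, String workspaceName)
			throws RepositoryException {
		long begin = System.currentTimeMillis();

		// system sessions are not backed by Spring Security
		if (!subject.getPrincipals(SystemPrincipal.class).isEmpty())
			return super.getUserID(subject, workspaceName);

		Set<Authentication> authens = subject
				.getPrincipals(Authentication.class);
		if (authens.isEmpty())
			throw new ArgeoException("No Spring authentication found in "
					+ subject);
		Authentication authen = authens.iterator().next();

		UserManager systemUm = getSystemUserManager(workspaceName);
		String userId = authen.getName();

		User user = findOrCreateUser(systemUm, authen, userId);
		synchronizeGroups(systemUm, authen, user);

		if (log.isTraceEnabled())
			log.trace("Spring and Jackrabbit Security synchronized for user "
					+ userId + " in " + (System.currentTimeMillis() - begin)
					+ " ms");
		return userId;
	}

	/**
	 * Looks up the Jackrabbit user for the Spring authentication, creating it
	 * when absent. An authorizable with this id which is not a user is
	 * rejected explicitly instead of failing with a cast error.
	 */
	private User findOrCreateUser(UserManager systemUm, Authentication authen,
			String userId) throws RepositoryException {
		Authorizable existing = systemUm.getAuthorizable(userId);
		if (existing != null) {
			if (!(existing instanceof User))
				throw new ArgeoException("Authorizable " + userId
						+ " exists but is not a user");
			return (User) existing;
		}

		// The user is created only once: the Spring credentials become its
		// Jackrabbit password at that moment and are not refreshed afterwards.
		// NOTE(review): assumes getCredentials().toString() yields the
		// password for the authentication providers in use - confirm.
		Object credentials = authen.getCredentials();
		if (credentials == null)
			throw new ArgeoException("No credentials in authentication of "
					+ userId + ", cannot create Jackrabbit user");
		User user = systemUm.createUser(userId, credentials.toString(),
				authen, null);
		log.info(userId + " added as " + user);
		return user;
	}

	/**
	 * Makes the declared group memberships of the user match exactly the
	 * granted authorities of the authentication: missing groups are created,
	 * the user is added to each of them and removed from any other group.
	 */
	private void synchronizeGroups(UserManager systemUm,
			Authentication authen, User user) throws RepositoryException {
		List<String> userGroupIds = new ArrayList<String>();
		for (GrantedAuthority ga : authen.getAuthorities()) {
			String groupId = ga.getAuthority();
			Authorizable existing = systemUm.getAuthorizable(groupId);
			Group group;
			if (existing == null) {
				group = systemUm.createGroup(groupId,
						new GrantedAuthorityPrincipal(ga), null);
				log.info(groupId + " added as " + group);
			} else if (existing instanceof Group) {
				group = (Group) existing;
			} else {
				throw new ArgeoException("Authorizable " + groupId
						+ " exists but is not a group");
			}
			if (!group.isMember(user))
				group.addMember(user);
			userGroupIds.add(groupId);
		}

		// revoke memberships no longer backed by a granted authority
		for (Iterator<Group> it = user.declaredMemberOf(); it.hasNext();) {
			Group group = it.next();
			if (!userGroupIds.contains(group.getID()))
				group.removeMember(user);
		}
	}

	/**
	 * Wraps the default workspace access manager so that the access decision
	 * can be overridden by {@link ArgeoWorkspaceAccessManagerImpl}.
	 */
	@Override
	protected WorkspaceAccessManager createDefaultWorkspaceAccessManager() {
		WorkspaceAccessManager wam = super
				.createDefaultWorkspaceAccessManager();
		return new ArgeoWorkspaceAccessManagerImpl(wam);
	}

	/**
	 * Workspace access manager which currently grants every set of principals
	 * access to every workspace. The wrapped manager is initialized and closed
	 * but its decision is never consulted, so workspace-level authorization is
	 * effectively disabled here and access control rests on node-level ACLs.
	 */
	private class ArgeoWorkspaceAccessManagerImpl implements
			SecurityConstants, WorkspaceAccessManager {
		private final WorkspaceAccessManager wam;

		public ArgeoWorkspaceAccessManagerImpl(WorkspaceAccessManager wam) {
			this.wam = wam;
		}

		/** Initializes the wrapped manager with the system session. */
		public void init(Session systemSession) throws RepositoryException {
			wam.init(systemSession);
		}

		/** Closes the wrapped manager, mirroring {@link #init(Session)}. */
		public void close() throws RepositoryException {
			wam.close();
		}

		/**
		 * Always returns {@code true}; both arguments are ignored.
		 * <p>
		 * TODO: implement finer access to workspaces. The intended design was
		 * to let anonymous principals into the default workspace only
		 * (required for remoting, which does a default login when
		 * initializing the repository) and to delegate every other decision
		 * to the wrapped manager.
		 */
		public boolean grants(Set<Principal> principals, String workspaceName)
				throws RepositoryException {
			// everybody has access to all workspaces
			return true;
		}
	}

}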