2 * Copyright (C) 2007-2012 Argeo GmbH
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
16 package org
.argeo
.security
.jackrabbit
;
18 import java
.security
.Principal
;
21 import javax
.jcr
.RepositoryException
;
22 import javax
.jcr
.Session
;
23 import javax
.security
.auth
.Subject
;
24 import javax
.security
.auth
.x500
.X500Principal
;
26 import org
.apache
.jackrabbit
.api
.security
.user
.UserManager
;
27 import org
.apache
.jackrabbit
.core
.DefaultSecurityManager
;
28 import org
.apache
.jackrabbit
.core
.security
.AMContext
;
29 import org
.apache
.jackrabbit
.core
.security
.AccessManager
;
30 import org
.apache
.jackrabbit
.core
.security
.SecurityConstants
;
31 import org
.apache
.jackrabbit
.core
.security
.authorization
.WorkspaceAccessManager
;
32 import org
.argeo
.node
.NodeConstants
;
33 import org
.argeo
.node
.security
.AnonymousPrincipal
;
35 /** Integrates Spring Security and Jackrabbit Security users and roles. */
36 public class ArgeoSecurityManager
extends DefaultSecurityManager
{
/**
 * Creates the {@link AccessManager} for {@code session} through
 * {@link DefaultSecurityManager}, serialized on the system session.
 *
 * @param session   the session the access manager is created for
 * @param amContext the context handed through to the superclass
 * @return the access manager created by the superclass
 * @throws RepositoryException if the superclass cannot create it
 */
@Override
public AccessManager getAccessManager(Session session, AMContext amContext)
        throws RepositoryException {
    // NOTE(review): the system session is used as the lock, presumably
    // because the superclass reads security data through it — confirm.
    Session lock = getSystemSession();
    synchronized (lock) {
        return super.getAccessManager(session, amContext);
    }
}
/**
 * Obtains the {@link UserManager} for {@code session} from
 * {@link DefaultSecurityManager}, serialized on the system session.
 *
 * @param session the session the user manager is requested for
 * @return the user manager provided by the superclass
 * @throws RepositoryException if the superclass cannot provide it
 */
@Override
public UserManager getUserManager(Session session) throws RepositoryException {
    // NOTE(review): same lock object as getAccessManager — presumably the
    // superclass touches the system session here as well; confirm.
    Session lock = getSystemSession();
    synchronized (lock) {
        return super.getUserManager(session);
    }
}
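/**
 * Derives the Jackrabbit user ID from the principals of the authenticated
 * {@link Subject}. An {@link AnonymousPrincipal} takes precedence and maps to
 * {@link NodeConstants#ROLE_ANONYMOUS}; otherwise the name of the subject's
 * single {@link X500Principal} becomes the user ID. The default
 * {@link DefaultSecurityManager} resolution is deliberately not used.
 *
 * @param subject       the authenticated subject whose principals decide the ID
 * @param workspaceName not used; kept for the superclass contract
 * @return {@link NodeConstants#ROLE_ANONYMOUS} for an anonymous subject,
 *         otherwise the name of its X.500 principal
 * @throws IllegalStateException if the subject carries neither an anonymous
 *                               nor an X.500 principal, or carries more than
 *                               one X.500 principal (the ID would be ambiguous)
 * @throws RepositoryException   declared for the superclass contract
 */
@Override
public String getUserID(Subject subject, String workspaceName)
        throws RepositoryException {
    // Anonymity wins: a subject carrying an AnonymousPrincipal is never
    // resolved to a named user, whatever other principals it has.
    Set<AnonymousPrincipal> anonymousPrincipals = subject
            .getPrincipals(AnonymousPrincipal.class);
    if (!anonymousPrincipals.isEmpty())
        return NodeConstants.ROLE_ANONYMOUS;

    Set<X500Principal> userPrincipals = subject
            .getPrincipals(X500Principal.class);
    if (userPrincipals.isEmpty())
        throw new IllegalStateException("Subject is neither anonymous nor logged-in");
    // No fallback to super.getUserID(): the ID must come from the subject's
    // principals only.
    if (userPrincipals.size() > 1) {
        // Refuse to pick one of several identities; list them all so the
        // misconfiguration can be diagnosed from the message.
        StringBuilder buf = new StringBuilder();
        for (X500Principal principal : userPrincipals)
            buf.append(' ').append('\"').append(principal).append('\"');
        // IllegalStateException (a RuntimeException) keeps this branch
        // consistent with the no-principal case above.
        throw new IllegalStateException("Multiple user principals:" + buf);
    }
    return userPrincipals.iterator().next().getName();
}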
/**
 * Wraps the default {@link WorkspaceAccessManager} built by the superclass in
 * an {@link ArgeoWorkspaceAccessManagerImpl}, so that workspace access
 * decisions pass through this class.
 *
 * @return the decorated default workspace access manager
 */
@Override
protected WorkspaceAccessManager createDefaultWorkspaceAccessManager() {
    return new ArgeoWorkspaceAccessManagerImpl(
            super.createDefaultWorkspaceAccessManager());
}
/**
 * Decorator around the {@link WorkspaceAccessManager} that
 * {@link DefaultSecurityManager} creates by default. {@link #init(Session)}
 * forwards to the wrapped instance; {@code grants} still carries a TODO for
 * finer-grained workspace access, so no additional restriction is applied
 * here yet. {@link SecurityConstants} appears to be implemented only for its
 * constants.
 */
private class ArgeoWorkspaceAccessManagerImpl implements SecurityConstants,
        WorkspaceAccessManager {
    /** The default workspace access manager this decorator wraps. */
    private final WorkspaceAccessManager wam;

    /**
     * @param wam the default workspace access manager to wrap
     *            (NOTE(review): the constructor body is not shown in this
     *            excerpt; the final field has to be assigned here — confirm)
     */
    public ArgeoWorkspaceAccessManagerImpl(WorkspaceAccessManager wam) {
/**
 * Initializes the wrapped default workspace access manager.
 *
 * @param systemSession the system session handed through to the wrapped manager
 * @throws RepositoryException if the wrapped manager fails to initialize
 */
@Override
public void init(Session systemSession) throws RepositoryException {
    this.wam.init(systemSession);
}
/**
 * Lifecycle hook of {@link WorkspaceAccessManager}.
 * NOTE(review): the method body is not shown in this excerpt; presumably it
 * forwards to the wrapped manager like {@link #init(Session)} does — confirm.
 *
 * @throws RepositoryException declared by the interface contract
 */
public void close() throws RepositoryException {
108 public boolean grants(Set
<Principal
> principals
, String workspaceName
)
109 throws RepositoryException
{
110 // TODO: implements finer access to workspaces