git.argeo.org Git - lgpl/argeo-commons.git/blob - org.argeo.ext.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoSecurityManager.java
Continue finalising security. Fix issues with login in web.
1 /*
2 * Copyright (C) 2007-2012 Argeo GmbH
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16 package org.argeo.security.jackrabbit;
17
18 import java.security.Principal;
19 import java.util.Set;
20
21 import javax.jcr.RepositoryException;
22 import javax.jcr.Session;
23 import javax.security.auth.Subject;
24 import javax.security.auth.x500.X500Principal;
25
26 import org.apache.jackrabbit.api.security.user.UserManager;
27 import org.apache.jackrabbit.core.DefaultSecurityManager;
28 import org.apache.jackrabbit.core.security.AMContext;
29 import org.apache.jackrabbit.core.security.AccessManager;
30 import org.apache.jackrabbit.core.security.SecurityConstants;
31 import org.apache.jackrabbit.core.security.authorization.WorkspaceAccessManager;
32 import org.argeo.node.NodeConstants;
33 import org.argeo.node.security.AnonymousPrincipal;
34
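/**
 * Jackrabbit security manager that derives the JCR user ID from the principals
 * carried by the authenticated JAAS {@link Subject}.
 * <p>
 * Security note: workspace-level access control is <b>not</b> enforced by this
 * class. The workspace access manager it installs grants every principal set
 * access to every workspace (see the nested
 * {@code ArgeoWorkspaceAccessManagerImpl#grants}).
 */
public class ArgeoSecurityManager extends DefaultSecurityManager {
	/**
	 * Creates the access manager for a session while holding the monitor of the
	 * system session, so that concurrent session creations are serialised.
	 *
	 * @param session   the session the access manager is created for
	 * @param amContext the access manager context, passed through unchanged
	 * @return the access manager built by {@link DefaultSecurityManager}
	 * @throws RepositoryException if the default implementation fails
	 */
	@Override
	public AccessManager getAccessManager(Session session, AMContext amContext)
			throws RepositoryException {
		// NOTE(review): presumably guards shared state reached through the
		// system session, which is not shown here -- confirm before removing.
		synchronized (getSystemSession()) {
			return super.getAccessManager(session, amContext);
		}
	}

	/**
	 * Returns the user manager for a session while holding the monitor of the
	 * system session (same lock as {@link #getAccessManager}).
	 *
	 * @param session the session the user manager is requested for
	 * @return the user manager built by {@link DefaultSecurityManager}
	 * @throws RepositoryException if the default implementation fails
	 */
	@Override
	public UserManager getUserManager(Session session)
			throws RepositoryException {
		synchronized (getSystemSession()) {
			return super.getUserManager(session);
		}
	}

	/**
	 * Maps an authenticated {@link Subject} to the JCR user ID.
	 * <p>
	 * The ID is derived only from the subject's principals; the default
	 * Jackrabbit resolution ({@code super.getUserID}) is deliberately not
	 * consulted:
	 * <ul>
	 * <li>a subject carrying an {@link AnonymousPrincipal} is always mapped to
	 * {@link NodeConstants#ROLE_ANONYMOUS}, even if it also carries a user
	 * principal (the less privileged identity wins);</li>
	 * <li>otherwise exactly one {@link X500Principal} is required and its
	 * {@link X500Principal#getName() name} (the distinguished name) is
	 * returned.</li>
	 * </ul>
	 *
	 * @param subject       the authenticated subject, must not be {@code null}
	 * @param workspaceName the workspace being accessed (not used here)
	 * @return the anonymous role name or the distinguished name of the user
	 * @throws IllegalStateException if the subject has neither an anonymous
	 *                               nor an X.500 principal
	 * @throws RuntimeException      if the subject has more than one X.500
	 *                               principal, since the identity would be
	 *                               ambiguous
	 * @throws RepositoryException   declared by the overridden method
	 */
	@Override
	public String getUserID(Subject subject, String workspaceName)
			throws RepositoryException {
		// The anonymous check comes first on purpose: a subject that carries
		// both kinds of principal must never be promoted to a named user.
		if (!subject.getPrincipals(AnonymousPrincipal.class).isEmpty()) {
			return NodeConstants.ROLE_ANONYMOUS;
		}

		Set<X500Principal> userPrincipals = subject
				.getPrincipals(X500Principal.class);
		if (userPrincipals.isEmpty()) {
			throw new IllegalStateException("Subject is neither anonymous nor logged-in");
		}

		// Fail closed on an ambiguous identity rather than picking one
		// principal arbitrarily from an unordered set.
		if (userPrincipals.size() > 1) {
			StringBuilder buf = new StringBuilder();
			for (X500Principal principal : userPrincipals) {
				buf.append(' ').append('"').append(principal).append('"');
			}
			throw new RuntimeException("Multiple user principals:" + buf);
		}
		return userPrincipals.iterator().next().getName();
	}

	/**
	 * Wraps the default workspace access manager in
	 * {@code ArgeoWorkspaceAccessManagerImpl}.
	 *
	 * @return the wrapping workspace access manager
	 */
	@Override
	protected WorkspaceAccessManager createDefaultWorkspaceAccessManager() {
		WorkspaceAccessManager defaultManager = super
				.createDefaultWorkspaceAccessManager();
		return new ArgeoWorkspaceAccessManagerImpl(defaultManager);
	}

	/**
	 * Workspace access manager that delegates its life cycle to the default
	 * implementation but currently grants access to all workspaces.
	 */
	private static final class ArgeoWorkspaceAccessManagerImpl implements
			SecurityConstants, WorkspaceAccessManager {
		/** Default manager; drives init/close, not consulted by grants(). */
		private final WorkspaceAccessManager wam;

		ArgeoWorkspaceAccessManagerImpl(WorkspaceAccessManager wam) {
			this.wam = wam;
		}

		@Override
		public void init(Session systemSession) throws RepositoryException {
			wam.init(systemSession);
		}

		/**
		 * Releases the wrapped manager. It was initialised in
		 * {@link #init(Session)}, so it has to be closed here as well.
		 */
		@Override
		public void close() throws RepositoryException {
			wam.close();
		}

		/**
		 * Always grants access.
		 * <p>
		 * SECURITY: every principal set, including an anonymous one, is allowed
		 * into every workspace; the wrapped manager is not asked. Workspace
		 * isolation therefore relies entirely on whatever item-level access
		 * control the repository applies afterwards. Do not rely on this class
		 * to keep a workspace private.
		 *
		 * @param principals    ignored
		 * @param workspaceName ignored
		 * @return always {@code true}
		 */
		@Override
		public boolean grants(Set<Principal> principals, String workspaceName)
				throws RepositoryException {
			// TODO: implement finer access to workspaces, e.g. by delegating to
			// wam.grants(principals, workspaceName) once it is confirmed that
			// the principals used here are resolvable by the wrapped manager.
			return true;
		}
	}

}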