org.argeo.ext.jackrabbit/src/org/argeo/security/jackrabbit/ArgeoSecurityManager.java

   1 /*
   2  * Copyright (C) 2007-2012 Argeo GmbH
   3  *
   4  * Licensed under the Apache License, Version 2.0 (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  *         http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16 package org.argeo.security.jackrabbit;
  17
  18 import java.security.Principal;
  19 import java.util.Set;
  20
  21 import javax.jcr.RepositoryException;
  22 import javax.jcr.Session;
  23 import javax.security.auth.Subject;
  24 import javax.security.auth.x500.X500Principal;
  25
  26 import org.apache.jackrabbit.api.security.user.UserManager;
  27 import org.apache.jackrabbit.core.DefaultSecurityManager;
  28 import org.apache.jackrabbit.core.security.AMContext;
  29 import org.apache.jackrabbit.core.security.AccessManager;
  30 import org.apache.jackrabbit.core.security.SecurityConstants;
  31 import org.apache.jackrabbit.core.security.SystemPrincipal;
  32 import org.apache.jackrabbit.core.security.authorization.WorkspaceAccessManager;
  33 import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
  34 import org.argeo.node.NodeConstants;
  35 import org.argeo.node.security.AnonymousPrincipal;
  36 import org.argeo.node.security.DataAdminPrincipal;
  37
  38 /** Customises Jackrabbit security. */
  39 public class ArgeoSecurityManager extends DefaultSecurityManager {
  40         @Override
  41         public AccessManager getAccessManager(Session session, AMContext amContext) throws RepositoryException {
  42                 synchronized (getSystemSession()) {
  43                         return super.getAccessManager(session, amContext);
  44                 }
  45         }
  46
  47         @Override
  48         public UserManager getUserManager(Session session) throws RepositoryException {
  49                 synchronized (getSystemSession()) {
  50                         return super.getUserManager(session);
  51                 }
  52         }
  53
  54         /** Called once when the session is created */
  55         @Override
  56         public String getUserID(Subject subject, String workspaceName) throws RepositoryException {
  57                 boolean isAnonymous = !subject.getPrincipals(AnonymousPrincipal.class).isEmpty();
  58                 boolean isDataAdmin = !subject.getPrincipals(DataAdminPrincipal.class).isEmpty();
  59                 boolean isJackrabbitSystem = !subject.getPrincipals(SystemPrincipal.class).isEmpty();
  60                 Set<X500Principal> userPrincipal = subject.getPrincipals(X500Principal.class);
  61                 boolean isRegularUser = !userPrincipal.isEmpty();
  62                 if (isAnonymous) {
  63                         if (isDataAdmin || isJackrabbitSystem || isRegularUser)
  64                                 throw new IllegalStateException("Inconsistent " + subject);
  65                         else
  66                                 return NodeConstants.ROLE_ANONYMOUS;
  67                 } else if (isRegularUser) {// must be before DataAdmin
  68                         if (isAnonymous || isJackrabbitSystem)
  69                                 throw new IllegalStateException("Inconsistent " + subject);
  70                         else {
  71                                 if (userPrincipal.size() > 1) {
  72                                         StringBuilder buf = new StringBuilder();
  73                                         for (X500Principal principal : userPrincipal)
  74                                                 buf.append(' ').append('\"').append(principal).append('\"');
  75                                         throw new RuntimeException("Multiple user principals:" + buf);
  76                                 }
  77                                 return userPrincipal.iterator().next().getName();
  78                         }
  79                 } else if (isDataAdmin) {
  80                         if (isAnonymous || isJackrabbitSystem || isRegularUser)
  81                                 throw new IllegalStateException("Inconsistent " + subject);
  82                         else {
  83                                 assert !subject.getPrincipals(AdminPrincipal.class).isEmpty();
  84                                 return NodeConstants.ROLE_DATA_ADMIN;
  85                         }
  86                 } else if (isJackrabbitSystem) {
  87                         if (isAnonymous || isDataAdmin || isRegularUser)
  88                                 throw new IllegalStateException("Inconsistent " + subject);
  89                         else
  90                                 return super.getUserID(subject, workspaceName);
  91                 } else {
  92                         throw new IllegalStateException("Unrecognized subject type: " + subject);
  93                 }
  94         }
  95
  96         @Override
  97         protected WorkspaceAccessManager createDefaultWorkspaceAccessManager() {
  98                 WorkspaceAccessManager wam = super.createDefaultWorkspaceAccessManager();
  99                 return new ArgeoWorkspaceAccessManagerImpl(wam);
 100         }
 101
 102         private class ArgeoWorkspaceAccessManagerImpl implements SecurityConstants, WorkspaceAccessManager {
 103                 private final WorkspaceAccessManager wam;
 104
 105                 public ArgeoWorkspaceAccessManagerImpl(WorkspaceAccessManager wam) {
 106                         super();
 107                         this.wam = wam;
 108                 }
 109
 110                 public void init(Session systemSession) throws RepositoryException {
 111                         wam.init(systemSession);
 112                 }
 113
 114                 public void close() throws RepositoryException {
 115                 }
 116
 117                 public boolean grants(Set<Principal> principals, String workspaceName) throws RepositoryException {
 118                         // TODO: implements finer access to workspaces
 119                         return true;
 120                 }
 121         }
 122
 123 }