Clean up. Deactivate some tests for the time being.
1 /*
2 * Copyright (C) 2007-2012 Argeo GmbH
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16 package org.argeo.security.jackrabbit;
17
18 import java.security.Principal;
19 import java.util.Set;
20
21 import javax.jcr.RepositoryException;
22 import javax.jcr.Session;
23 import javax.security.auth.Subject;
24 import javax.security.auth.x500.X500Principal;
25
26 import org.apache.jackrabbit.api.security.user.UserManager;
27 import org.apache.jackrabbit.core.DefaultSecurityManager;
28 import org.apache.jackrabbit.core.security.AMContext;
29 import org.apache.jackrabbit.core.security.AccessManager;
30 import org.apache.jackrabbit.core.security.SecurityConstants;
31 import org.apache.jackrabbit.core.security.authorization.WorkspaceAccessManager;
32 import org.argeo.node.NodeConstants;
33 import org.argeo.node.security.AnonymousPrincipal;
34 import org.argeo.node.security.DataAdminPrincipal;
35
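/**
 * Jackrabbit security manager that maps an already-authenticated JAAS
 * {@link Subject} to a JCR user ID, based on the principal types it carries.
 * <p>
 * This class performs no authentication itself: it trusts the principals found
 * on the subject, so their integrity depends on whatever populated the subject
 * before this manager is consulted.
 * <p>
 * NOTE(review): the original summary described this as integrating Spring
 * Security with Jackrabbit users and roles; the live code only inspects JAAS
 * principals and references no Spring Security API.
 */
public class ArgeoSecurityManager extends DefaultSecurityManager {
    /**
     * Delegates to the parent implementation while holding the monitor of the
     * system session, so that calls are serialized on that session.
     */
    @Override
    public AccessManager getAccessManager(Session session, AMContext amContext) throws RepositoryException {
        synchronized (getSystemSession()) {
            return super.getAccessManager(session, amContext);
        }
    }

    /**
     * Delegates to the parent implementation while holding the monitor of the
     * system session, so that calls are serialized on that session.
     */
    @Override
    public UserManager getUserManager(Session session) throws RepositoryException {
        synchronized (getSystemSession()) {
            return super.getUserManager(session);
        }
    }

    /**
     * Resolves the JCR user ID for a subject from its principals.
     * <p>
     * Resolution order:
     * <ol>
     * <li>any {@link AnonymousPrincipal}: {@link NodeConstants#ROLE_ANONYMOUS},
     * even if other principals are present, so an ambiguous subject resolves to
     * the anonymous identity rather than to a named user;</li>
     * <li>no {@link X500Principal} but a {@link DataAdminPrincipal}:
     * {@link NodeConstants#ROLE_DATA_ADMIN};</li>
     * <li>exactly one {@link X500Principal}: its name, as returned by
     * {@link X500Principal#getName()}.</li>
     * </ol>
     *
     * @param subject
     *            the authenticated subject; must not be {@code null}
     * @param workspaceName
     *            not used by this implementation
     * @return the user ID to associate with the session
     * @throws IllegalStateException
     *             if the subject carries none of the recognized principals, or
     *             carries more than one {@link X500Principal}
     */
    @Override
    public String getUserID(Subject subject, String workspaceName) throws RepositoryException {
        // Anonymous is checked first on purpose: it wins over any other principal.
        if (!subject.getPrincipals(AnonymousPrincipal.class).isEmpty()) {
            return NodeConstants.ROLE_ANONYMOUS;
        }

        Set<X500Principal> userPrincipals = subject.getPrincipals(X500Principal.class);
        if (userPrincipals.isEmpty()) {
            // The data admin identity applies only when no user principal is present.
            if (!subject.getPrincipals(DataAdminPrincipal.class).isEmpty()) {
                return NodeConstants.ROLE_DATA_ADMIN;
            }
            throw new IllegalStateException("Subject is neither anonymous nor logged-in");
        }

        if (userPrincipals.size() > 1) {
            // Refuse to pick one identity arbitrarily out of several.
            StringBuilder buf = new StringBuilder();
            for (X500Principal principal : userPrincipals) {
                buf.append(' ').append('"').append(principal).append('"');
            }
            // IllegalStateException is a RuntimeException, so existing handlers still match.
            throw new IllegalStateException("Multiple user principals:" + buf);
        }
        return userPrincipals.iterator().next().getName();
    }

    /**
     * Wraps the default workspace access manager in
     * {@link ArgeoWorkspaceAccessManagerImpl}, which grants access to every
     * workspace.
     */
    @Override
    protected WorkspaceAccessManager createDefaultWorkspaceAccessManager() {
        WorkspaceAccessManager defaultManager = super.createDefaultWorkspaceAccessManager();
        return new ArgeoWorkspaceAccessManagerImpl(defaultManager);
    }

    /**
     * Workspace access manager that forwards its lifecycle to a wrapped delegate
     * but answers every {@link #grants(Set, String)} query with {@code true}.
     * <p>
     * Declared {@code static} because it never touches the enclosing instance.
     */
    private static class ArgeoWorkspaceAccessManagerImpl implements SecurityConstants, WorkspaceAccessManager {
        private final WorkspaceAccessManager wam;

        public ArgeoWorkspaceAccessManagerImpl(WorkspaceAccessManager wam) {
            super();
            this.wam = wam;
        }

        /** Initializes the wrapped manager with the system session. */
        @Override
        public void init(Session systemSession) throws RepositoryException {
            wam.init(systemSession);
        }

        /**
         * Closes the wrapped manager. {@link #init(Session)} is forwarded to the
         * delegate, so the matching close is forwarded too; otherwise anything
         * the delegate acquired during init would never be released.
         */
        @Override
        public void close() throws RepositoryException {
            wam.close();
        }

        /**
         * Always grants access, for any principals and any workspace.
         * <p>
         * SECURITY: the delegate is deliberately not consulted, so no
         * workspace-level isolation is enforced by this class. Anonymous
         * subjects are granted access to every workspace name as well.
         * NOTE(review): content is presumably protected only by the item-level
         * access manager of each session; confirm before relying on workspaces
         * as a security boundary.
         */
        @Override
        public boolean grants(Set<Principal> principals, String workspaceName) throws RepositoryException {
            // TODO: implement finer-grained access to workspaces
            return true;
        }
    }

}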