1 package org
.argeo
.security
.jackrabbit
;
3 import java
.security
.Principal
;
4 import java
.util
.ArrayList
;
5 import java
.util
.Iterator
;
9 import javax
.jcr
.RepositoryException
;
10 import javax
.jcr
.Session
;
11 import javax
.security
.auth
.Subject
;
13 import org
.apache
.commons
.logging
.Log
;
14 import org
.apache
.commons
.logging
.LogFactory
;
15 import org
.apache
.jackrabbit
.api
.security
.user
.Group
;
16 import org
.apache
.jackrabbit
.api
.security
.user
.User
;
17 import org
.apache
.jackrabbit
.api
.security
.user
.UserManager
;
18 import org
.apache
.jackrabbit
.core
.DefaultSecurityManager
;
19 import org
.apache
.jackrabbit
.core
.RepositoryImpl
;
20 import org
.apache
.jackrabbit
.core
.security
.AnonymousPrincipal
;
21 import org
.apache
.jackrabbit
.core
.security
.SecurityConstants
;
22 import org
.apache
.jackrabbit
.core
.security
.SystemPrincipal
;
23 import org
.apache
.jackrabbit
.core
.security
.authorization
.WorkspaceAccessManager
;
24 import org
.argeo
.ArgeoException
;
25 import org
.springframework
.security
.Authentication
;
26 import org
.springframework
.security
.GrantedAuthority
;
28 /** Intermediary class in order to have a consistent naming in config files. */
29 public class ArgeoSecurityManager
extends DefaultSecurityManager
{
30 private Log log
= LogFactory
.getLog(ArgeoSecurityManager
.class);
33 /** Since this is called once when the session is created, we take the opportunity to synchronize Spring and Jackrabbit users and groups.*/
34 public String
getUserID(Subject subject
, String workspaceName
)
35 throws RepositoryException
{
36 long begin
= System
.currentTimeMillis();
38 if (!subject
.getPrincipals(SystemPrincipal
.class).isEmpty())
39 return super.getUserID(subject
, workspaceName
);
41 Authentication authen
;
42 Set
<Authentication
> authens
= subject
43 .getPrincipals(Authentication
.class);
44 if (authens
.size() == 0)
45 throw new ArgeoException("No Spring authentication found in "
48 authen
= authens
.iterator().next();
50 UserManager systemUm
= getSystemUserManager(workspaceName
);
52 String userId
= authen
.getName();
53 User user
= (User
) systemUm
.getAuthorizable(userId
);
55 user
= systemUm
.createUser(userId
, authen
.getCredentials()
56 .toString(), authen
, null);
57 log
.info(userId
+ " added as " + user
);
60 List
<String
> userGroupIds
= new ArrayList
<String
>();
61 for (GrantedAuthority ga
: authen
.getAuthorities()) {
62 Group group
= (Group
) systemUm
.getAuthorizable(ga
.getAuthority());
64 group
= systemUm
.createGroup(ga
.getAuthority(),
65 new GrantedAuthorityPrincipal(ga
), null);
66 log
.info(ga
.getAuthority() + " added as " + group
);
68 if (!group
.isMember(user
))
69 group
.addMember(user
);
70 userGroupIds
.add(ga
.getAuthority());
73 // check if user has not been removed from some groups
74 for (Iterator
<Group
> it
= user
.declaredMemberOf(); it
.hasNext();) {
75 Group group
= it
.next();
76 if (!userGroupIds
.contains(group
.getID()))
77 group
.removeMember(user
);
80 if (log
.isTraceEnabled())
81 log
.trace("Spring and Jackrabbit Security synchronized for user "
82 + userId
+ " in " + (System
.currentTimeMillis() - begin
)
88 protected WorkspaceAccessManager
createDefaultWorkspaceAccessManager() {
89 WorkspaceAccessManager wam
= super
90 .createDefaultWorkspaceAccessManager();
91 return new ArgeoWorkspaceAccessManagerImpl(wam
);
94 private class ArgeoWorkspaceAccessManagerImpl
implements SecurityConstants
,
95 WorkspaceAccessManager
{
96 private final WorkspaceAccessManager wam
;
97 private String defaultWorkspace
;
99 public ArgeoWorkspaceAccessManagerImpl(WorkspaceAccessManager wam
) {
104 public void init(Session systemSession
) throws RepositoryException
{
105 wam
.init(systemSession
);
106 defaultWorkspace
= ((RepositoryImpl
) getRepository()).getConfig()
107 .getDefaultWorkspaceName();
110 public void close() throws RepositoryException
{
113 public boolean grants(Set
<Principal
> principals
, String workspaceName
)
114 throws RepositoryException
{
115 // anonymous has access to the default workspace (required for
116 // remoting which does a default login when initializing the
118 Boolean anonymous
= false;
119 for (Principal principal
: principals
)
120 if (principal
instanceof AnonymousPrincipal
)
123 if (anonymous
&& workspaceName
.equals(defaultWorkspace
))
126 return wam
.grants(principals
, workspaceName
);