1 package org
.argeo
.security
.jackrabbit
;
3 import java
.security
.Principal
;
4 import java
.util
.ArrayList
;
5 import java
.util
.Iterator
;
9 import javax
.jcr
.RepositoryException
;
10 import javax
.jcr
.Session
;
11 import javax
.security
.auth
.Subject
;
13 import org
.apache
.commons
.logging
.Log
;
14 import org
.apache
.commons
.logging
.LogFactory
;
15 import org
.apache
.jackrabbit
.api
.security
.user
.Group
;
16 import org
.apache
.jackrabbit
.api
.security
.user
.User
;
17 import org
.apache
.jackrabbit
.api
.security
.user
.UserManager
;
18 import org
.apache
.jackrabbit
.core
.DefaultSecurityManager
;
19 import org
.apache
.jackrabbit
.core
.security
.SecurityConstants
;
20 import org
.apache
.jackrabbit
.core
.security
.SystemPrincipal
;
21 import org
.apache
.jackrabbit
.core
.security
.authorization
.WorkspaceAccessManager
;
22 import org
.argeo
.ArgeoException
;
23 import org
.springframework
.security
.Authentication
;
24 import org
.springframework
.security
.GrantedAuthority
;
26 /** Intermediary class, so that config files can refer to the security manager under a consistent name. */
27 public class ArgeoSecurityManager
extends DefaultSecurityManager
{
// Commons Logging logger for this class.
// NOTE(review): the usual idiom is one static final logger per class; as an instance
// field a new logger lookup is done per security-manager instance.
28 private Log log
= LogFactory
.getLog(ArgeoSecurityManager
.class);
31 /**
 * Since this is called once when the session is created, we take the
 * opportunity to synchronize Spring and Jackrabbit users and groups: the
 * Spring {@link Authentication} found among the subject's principals is
 * mirrored as a Jackrabbit {@link User}, each of its {@link GrantedAuthority}s
 * as a {@link Group} the user is a member of, and declared memberships that
 * are no longer backed by an authority are dropped.
 *
 * @param subject       the JAAS subject of the session being created; subjects
 *                      carrying a {@link SystemPrincipal} skip the
 *                      synchronization and use the default lookup
 * @param workspaceName the workspace whose system {@link UserManager} is used
 * @return the user id to associate with the session (the default one for
 *         system sessions)
 * @throws RepositoryException on Jackrabbit user-management failures
 * @throws ArgeoException      if the subject carries no Spring
 *                             {@link Authentication} principal
 */
32 public String
getUserID(Subject subject
, String workspaceName
)
33 throws RepositoryException
{
// Start of the timing window reported in the trace log at the end.
34 long begin
= System
.currentTimeMillis();
// System sessions bypass the Spring/Jackrabbit synchronization entirely.
36 if (!subject
.getPrincipals(SystemPrincipal
.class).isEmpty())
37 return super.getUserID(subject
, workspaceName
);
39 Authentication authen
;
40 Set
<Authentication
> authens
= subject
41 .getPrincipals(Authentication
.class);
// Exactly one Spring Authentication is expected; the first one found is used.
42 if (authens
.size() == 0)
43 throw new ArgeoException("No Spring authentication found in "
46 authen
= authens
.iterator().next();
// User management is done with the system user manager of the workspace, not
// the session's own (unprivileged) one.
48 UserManager systemUm
= getSystemUserManager(workspaceName
);
50 String userId
= authen
.getName();
// NOTE(review): unchecked cast - if an authorizable with this id exists but is a
// Group, this fails with a ClassCastException rather than a clearer error. The
// same applies to the Group cast in the loop below.
51 User user
= (User
) systemUm
.getAuthorizable(userId
);
// NOTE(review): the condition guarding the createUser call (original line 52) is
// outside the visible span; presumably a null check on user - confirm.
// SECURITY(review): the second createUser argument is the stored password, and
// here it is authen.getCredentials().toString(). Depending on the Authentication
// implementation this persists the raw credential presented at login (or a
// meaningless object string) in the Jackrabbit user store. Confirm what
// getCredentials() returns for the configured providers and whether a stored
// password is needed at all for users that only ever authenticate via Spring.
53 user
= systemUm
.createUser(userId
, authen
.getCredentials()
54 .toString(), authen
, null);
55 log
.info(userId
+ " added as " + user
);
// Mirror every Spring authority as a Jackrabbit group and make the user a member;
// userGroupIds collects the authority names for the cleanup pass below.
58 List
<String
> userGroupIds
= new ArrayList
<String
>();
59 for (GrantedAuthority ga
: authen
.getAuthorities()) {
60 Group group
= (Group
) systemUm
.getAuthorizable(ga
.getAuthority());
// NOTE(review): the condition guarding createGroup (original line 61) is outside
// the visible span; presumably a null check on group - confirm.
62 group
= systemUm
.createGroup(ga
.getAuthority(),
63 new GrantedAuthorityPrincipal(ga
), null);
64 log
.info(ga
.getAuthority() + " added as " + group
);
66 if (!group
.isMember(user
))
67 group
.addMember(user
);
68 userGroupIds
.add(ga
.getAuthority());
71 // check if user has not been removed from some groups
// Any declared membership not backed by a current authority is dropped, so Spring
// is the source of truth for group membership.
72 for (Iterator
<Group
> it
= user
.declaredMemberOf(); it
.hasNext();) {
73 Group group
= it
.next();
74 if (!userGroupIds
.contains(group
.getID()))
75 group
.removeMember(user
);
// Timing trace; the end of this statement, the return and the closing brace
// (original lines 81-85) are outside the visible span.
78 if (log
.isTraceEnabled())
79 log
.trace("Spring and Jackrabbit Security synchronized for user "
80 + userId
+ " in " + (System
.currentTimeMillis() - begin
)
86 protected WorkspaceAccessManager
createDefaultWorkspaceAccessManager() {
// Wrap Jackrabbit's default access manager: the wrapper receives init()/close()
// and keeps the default one as delegate, but its grants() appears not to consult
// it (the delegation call there is commented out).
87 WorkspaceAccessManager wam
= super
88 .createDefaultWorkspaceAccessManager();
89 return new ArgeoWorkspaceAccessManagerImpl(wam
);
92 private class ArgeoWorkspaceAccessManagerImpl
implements SecurityConstants
,
93 WorkspaceAccessManager
{
// Jackrabbit's default WorkspaceAccessManager, kept as delegate for init().
94 private final WorkspaceAccessManager wam
;
95 //private String defaultWorkspace;
// Takes the default access manager to delegate to (the assignment body,
// original line 98, is outside the visible span; presumably this.wam = wam).
97 public ArgeoWorkspaceAccessManagerImpl(WorkspaceAccessManager wam
) {
102 public void init(Session systemSession
) throws RepositoryException
{
// Initialise the wrapped default manager so it is usable even though grants()
// below does not currently delegate to it.
103 wam
.init(systemSession
);
104 // defaultWorkspace = ((RepositoryImpl) getRepository()).getConfig()
105 // .getDefaultWorkspaceName();
108 public void close() throws RepositoryException
{
// NOTE(review): body (original line 109) is outside the visible span; expected
// to release the wrapped manager via wam.close() - confirm.
111 public boolean grants(Set
<Principal
> principals
, String workspaceName
)
112 throws RepositoryException
{
113 // everybody has access to all workspaces
114 // TODO: implements finer access to workspaces
117 // anonymous has access to the default workspace (required for
118 // remoting which does a default login when initializing the
120 // Boolean anonymous = false;
121 // for (Principal principal : principals)
122 // if (principal instanceof AnonymousPrincipal)
125 // if (anonymous && workspaceName.equals(defaultWorkspace))
128 // return wam.grants(principals, workspaceName);