Better protect access to Jackrabbit user manager
[lgpl/argeo-commons.git] / security / runtime / org.argeo.security.core / src / main / java / org / argeo / security / jcr / OsJcrUserAdminService.java
index 44521f1bd8aa9df32a04caecbf05153d09139451..37dca4b1ebaf1f59624cd3ad53cd103e2e529c51 100644 (file)
@@ -21,21 +21,20 @@ import org.springframework.security.userdetails.UsernameNotFoundException;
  * desktop). TODO integrate with JCR user / groups
  */
 public class OsJcrUserAdminService implements UserAdminService {
-       private String securityWorkspace = "security";
        private Repository repository;
 
-       private Session securitySession;
+       // private Session adminSession;
 
        public void init() {
-               try {
-                       securitySession = repository.login(securityWorkspace);
-               } catch (RepositoryException e) {
-                       throw new ArgeoException("Cannot initialize", e);
-               }
+               // try {
+               // adminSession = repository.login();
+               // } catch (RepositoryException e) {
+               // throw new ArgeoException("Cannot initialize", e);
+               // }
        }
 
        public void destroy() {
-               JcrUtils.logoutQuietly(securitySession);
+               // JcrUtils.logoutQuietly(adminSession);
        }
 
        /** <b>Unsupported</b> */
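Review bot: The commented-out `adminSession` field and the commented-out bodies of `init()` and `destroy()` should be deleted rather than kept as dead code. Version control already holds the old session handling, and the leftover `repository.login()` comment suggests a long-lived session that no longer exists. If the two lifecycle methods must stay because bean configuration references them (not visible here), a one-line comment such as `// no shared session: one is opened and closed per lookup` would state the intent. The class body continues outside the hunk.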
@@ -68,15 +67,19 @@ public class OsJcrUserAdminService implements UserAdminService {
        public UserDetails loadUserByUsername(String username)
                        throws UsernameNotFoundException, DataAccessException {
                if (getSPropertyUsername().equals(username)) {
-                       Node userProfile = UserJcrUtils.getUserProfile(securitySession,
-                                       username);
                        JcrUserDetails userDetails;
+                       Session adminSession = null;
                        try {
+                               adminSession = repository.login();
+                               Node userProfile = UserJcrUtils.getUserProfile(adminSession,
+                                               username);
                                userDetails = new JcrUserDetails(userProfile, "",
                                                OsJcrAuthenticationProvider.getBaseAuthorities());
                        } catch (RepositoryException e) {
                                throw new ArgeoException("Cannot retrieve user profile for "
                                                + username, e);
+                       } finally {
+                               JcrUtils.logoutQuietly(adminSession);
                        }
                        return userDetails;
                } else {
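Review bot: `repository.login()` in `loadUserByUsername` passes neither credentials nor a workspace name, so the session called `adminSession` gets whatever identity the injected `Repository` derives from the calling context, and it reads from the default workspace rather than the `security` workspace the old code named. Nothing in the hunk shows that identity being privileged, or even authenticated, at the time user details are loaded, so the name may overstate what the session can read. I would document the expectation above the call, e.g. `// no credentials: identity comes from the caller's security context; default workspace`, and rename the variable if the session is not administrative. The profile `Node` also belongs to a session that the `finally` block logs out before `userDetails` is returned; that is safe only if `JcrUserDetails` copies what it needs in its constructor, which is not visible here. The method's `else` branch continues outside the hunk.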
@@ -122,9 +125,4 @@ public class OsJcrUserAdminService implements UserAdminService {
        public void setRepository(Repository repository) {
                this.repository = repository;
        }
-
-       public void setSecurityWorkspace(String securityWorkspace) {
-               this.securityWorkspace = securityWorkspace;
-       }
-
 }