X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=security%2Fruntime%2Forg.argeo.security.jackrabbit%2Fsrc%2Fmain%2Fjava%2Forg%2Fargeo%2Fsecurity%2Fjackrabbit%2FArgeoSecurityManager.java;h=1109980696d61d110aab683ddbde53f937286d4b;hb=1d5afdce3e91054f07ddd3c98309c363b4cf1d46;hp=1838dd05ef14741cc768eeea81a9d8062b52cf8b;hpb=a8233e9378854fc9ed1f4186095d06866cbea9f8;p=lgpl%2Fargeo-commons.git

diff --git a/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java b/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java
index 1838dd05e..110998069 100644
--- a/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java
+++ b/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java
@@ -1,29 +1,48 @@
+/*
+ * Copyright (C) 2007-2012 Mathieu Baudier
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *         http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.argeo.security.jackrabbit;
 
 import java.security.Principal;
 import java.util.ArrayList;
+import java.util.HashMap;
 import java.util.Iterator;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 
 import javax.jcr.Node;
+import javax.jcr.PropertyType;
 import javax.jcr.RepositoryException;
 import javax.jcr.Session;
-import javax.jcr.security.AccessControlList;
-import javax.jcr.security.AccessControlManager;
-import javax.jcr.security.AccessControlPolicy;
-import javax.jcr.security.AccessControlPolicyIterator;
+import javax.jcr.Value;
+import javax.jcr.ValueFactory;
 import javax.jcr.security.Privilege;
 import javax.security.auth.Subject;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
 import org.apache.jackrabbit.api.security.user.Group;
 import org.apache.jackrabbit.api.security.user.User;
 import org.apache.jackrabbit.api.security.user.UserManager;
 import org.apache.jackrabbit.core.DefaultSecurityManager;
+import org.apache.jackrabbit.core.security.AnonymousPrincipal;
 import org.apache.jackrabbit.core.security.SecurityConstants;
-import org.apache.jackrabbit.core.security.SystemPrincipal;
 import org.apache.jackrabbit.core.security.authorization.WorkspaceAccessManager;
 import org.argeo.ArgeoException;
 import org.argeo.jcr.JcrUtils;
@@ -34,13 +53,23 @@ import org.springframework.security.GrantedAuthority;
 public class ArgeoSecurityManager extends DefaultSecurityManager {
 	private Log log = LogFactory.getLog(ArgeoSecurityManager.class);
 
+	/**
+	 * Since this is called once when the session is created, we take the
+	 * opportunity to make sure that Jackrabbit users and groups reflect Spring
+	 * Security name and authorities.
+	 */
 	@Override
-	/** Since this is called once when the session is created, we take the opportunity to synchronize Spring and Jackrabbit users and groups.*/
 	public String getUserID(Subject subject, String workspaceName)
 			throws RepositoryException {
 		long begin = System.currentTimeMillis();
 
-		if (!subject.getPrincipals(SystemPrincipal.class).isEmpty())
+		if (log.isTraceEnabled())
+			log.trace(subject);
+		// skip anonymous user (no rights)
+		if (!subject.getPrincipals(AnonymousPrincipal.class).isEmpty())
+			return super.getUserID(subject, workspaceName);
+		// skip Jackrabbit system user (all rights)
+		if (!subject.getPrincipals(ArgeoSystemPrincipal.class).isEmpty())
 			return super.getUserID(subject, workspaceName);
 
 		Authentication authen;
@@ -59,10 +88,11 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
 		if (user == null) {
 			user = systemUm.createUser(userId, authen.getCredentials()
 					.toString(), authen, null);
+			JcrUtils.createUserHomeIfNeeded(getSystemSession(), userId);
+			getSystemSession().save();
+			setSecurityHomeAuthorizations(user);
 			log.info(userId + " added as " + user);
 		}
-		
-		setHomeNodeAuthorizations(user);
 
 		// process groups
 		List<String> userGroupIds = new ArrayList<String>();
@@ -75,7 +105,6 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
 			if (!group.isMember(user))
 				group.addMember(user);
 			userGroupIds.add(ga.getAuthority());
-
 		}
 
 		// check if user has not been removed from some groups
@@ -92,38 +121,45 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
 		return userId;
 	}
 
-	protected void setHomeNodeAuthorizations(User user) {
-		// give all privileges on user home
-		// FIXME: fails on an empty repo
+	protected synchronized void setSecurityHomeAuthorizations(User user) {
+		// give read privileges on user security home
 		String userId = "<not yet set>";
 		try {
 			userId = user.getID();
 			Node userHome = JcrUtils.getUserHome(getSystemSession(), userId);
-			if (userHome != null) {
-				String path = userHome.getPath();
-				AccessControlPolicy policy = null;
-				AccessControlManager acm = getSystemSession()
-						.getAccessControlManager();
-				AccessControlPolicyIterator policyIterator = acm
-						.getApplicablePolicies(path);
-				if (policyIterator.hasNext()) {
-					policy = policyIterator.nextAccessControlPolicy();
-				} else {
-					AccessControlPolicy[] existingPolicies = acm
-							.getPolicies(path);
-					policy = existingPolicies[0];
-				}
-				if (policy instanceof AccessControlList) {
-					Privilege[] privileges = { acm
-							.privilegeFromName(Privilege.JCR_ALL) };
-					((AccessControlList) policy).addAccessControlEntry(
-							user.getPrincipal(), privileges);
-					acm.setPolicy(path, policy);
-				}
+			if (userHome == null)
+				throw new ArgeoException("No security home available for user "
+						+ userId);
+
+			String path = userHome.getPath();
+			Principal principal = user.getPrincipal();
+
+			JackrabbitAccessControlManager acm = (JackrabbitAccessControlManager) getSystemSession()
+					.getAccessControlManager();
+			JackrabbitAccessControlPolicy[] ps = acm
+					.getApplicablePolicies(principal);
+			if (ps.length == 0) {
+				// log.warn("No ACL found for " + user);
+				return;
 			}
+
+			JackrabbitAccessControlList list = (JackrabbitAccessControlList) ps[0];
+
+			// add entry
+			Privilege[] privileges = new Privilege[] { acm
+					.privilegeFromName(Privilege.JCR_READ) };
+			Map<String, Value> restrictions = new HashMap<String, Value>();
+			ValueFactory vf = getSystemSession().getValueFactory();
+			restrictions.put("rep:nodePath",
+					vf.createValue(path, PropertyType.PATH));
+			restrictions.put("rep:glob", vf.createValue("*"));
+			list.addEntry(principal, privileges, true /* allow or deny */,
+					restrictions);
 		} catch (Exception e) {
-			log.warn("Cannot set authorization on user node for " + userId
-					+ ": " + e.getMessage());
+			e.printStackTrace();
+			throw new ArgeoException(
+					"Cannot set authorization on security home for " + userId
+							+ ": " + e.getMessage());
 		}
 
 	}