X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=security%2Fruntime%2Forg.argeo.security.jackrabbit%2Fsrc%2Fmain%2Fjava%2Forg%2Fargeo%2Fsecurity%2Fjackrabbit%2FArgeoSecurityManager.java;h=1109980696d61d110aab683ddbde53f937286d4b;hb=1d5afdce3e91054f07ddd3c98309c363b4cf1d46;hp=2153e0e94025c7d96ab3daad787df5612a4be228;hpb=484dcb1507e4e35cc282e50522ea7eac7e99a7f9;p=lgpl%2Fargeo-commons.git

diff --git a/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java b/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java
index 2153e0e94..110998069 100644
--- a/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java
+++ b/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java
@@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2007-2012 Mathieu Baudier
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *         http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.argeo.security.jackrabbit;
 
 import java.security.Principal;
@@ -26,8 +41,8 @@ import org.apache.jackrabbit.api.security.user.Group;
 import org.apache.jackrabbit.api.security.user.User;
 import org.apache.jackrabbit.api.security.user.UserManager;
 import org.apache.jackrabbit.core.DefaultSecurityManager;
+import org.apache.jackrabbit.core.security.AnonymousPrincipal;
 import org.apache.jackrabbit.core.security.SecurityConstants;
-import org.apache.jackrabbit.core.security.SystemPrincipal;
 import org.apache.jackrabbit.core.security.authorization.WorkspaceAccessManager;
 import org.argeo.ArgeoException;
 import org.argeo.jcr.JcrUtils;
@@ -38,14 +53,23 @@ import org.springframework.security.GrantedAuthority;
 public class ArgeoSecurityManager extends DefaultSecurityManager {
 	private Log log = LogFactory.getLog(ArgeoSecurityManager.class);
 
+	/**
+	 * Since this is called once when the session is created, we take the
+	 * opportunity to make sure that Jackrabbit users and groups reflect Spring
+	 * Security name and authorities.
+	 */
 	@Override
-	/** Since this is called once when the session is created, we take the opportunity to synchronize Spring and Jackrabbit users and groups.*/
 	public String getUserID(Subject subject, String workspaceName)
 			throws RepositoryException {
 		long begin = System.currentTimeMillis();
 
-		// skip Jackrabbit system user
-		if (!subject.getPrincipals(SystemPrincipal.class).isEmpty())
+		if (log.isTraceEnabled())
+			log.trace(subject);
+		// skip anonymous user (no rights)
+		if (!subject.getPrincipals(AnonymousPrincipal.class).isEmpty())
+			return super.getUserID(subject, workspaceName);
+		// skip Jackrabbit system user (all rights)
+		if (!subject.getPrincipals(ArgeoSystemPrincipal.class).isEmpty())
 			return super.getUserID(subject, workspaceName);
 
 		Authentication authen;
@@ -57,10 +81,6 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
 		else
 			authen = authens.iterator().next();
 
-		// skip argeo system authenticated
-		// if (authen instanceof SystemAuthentication)
-		// return super.getUserID(subject, workspaceName);
-
 		UserManager systemUm = getSystemUserManager(workspaceName);
 
 		String userId = authen.getName();
@@ -68,11 +88,12 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
 		if (user == null) {
 			user = systemUm.createUser(userId, authen.getCredentials()
 					.toString(), authen, null);
+			JcrUtils.createUserHomeIfNeeded(getSystemSession(), userId);
+			getSystemSession().save();
+			setSecurityHomeAuthorizations(user);
 			log.info(userId + " added as " + user);
 		}
 
-		//setHomeNodeAuthorizations(user);
-
 		// process groups
 		List<String> userGroupIds = new ArrayList<String>();
 		for (GrantedAuthority ga : authen.getAuthorities()) {
@@ -93,36 +114,6 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
 				group.removeMember(user);
 		}
 
-		// write roles in profile for easy access
-//		if (!(authen instanceof SystemAuthentication)) {
-//			Node userProfile = JcrUtils.getUserProfile(getSystemSession(),
-//					userId);
-//			boolean writeRoles = false;
-//			if (userProfile.hasProperty(ArgeoNames.ARGEO_REMOTE_ROLES)) {
-//				Value[] roles = userProfile.getProperty(ArgeoNames.ARGEO_REMOTE_ROLES)
-//						.getValues();
-//				if (roles.length != userGroupIds.size())
-//					writeRoles = true;
-//				else
-//					for (int i = 0; i < roles.length; i++)
-//						if (!roles[i].getString().equals(userGroupIds.get(i)))
-//							writeRoles = true;
-//			} else
-//				writeRoles = true;
-//
-//			if (writeRoles) {
-//				userProfile.getSession().getWorkspace().getVersionManager()
-//						.checkout(userProfile.getPath());
-//				String[] roleIds = userGroupIds.toArray(new String[userGroupIds
-//						.size()]);
-//				userProfile.setProperty(ArgeoNames.ARGEO_REMOTE_ROLES, roleIds);
-//				JcrUtils.updateLastModified(userProfile);
-//				userProfile.getSession().save();
-//				userProfile.getSession().getWorkspace().getVersionManager()
-//						.checkin(userProfile.getPath());
-//			}
-//		}
-
 		if (log.isTraceEnabled())
 			log.trace("Spring and Jackrabbit Security synchronized for user "
 					+ userId + " in " + (System.currentTimeMillis() - begin)
@@ -130,54 +121,45 @@ public class ArgeoSecurityManager extends DefaultSecurityManager {
 		return userId;
 	}
 
-	protected synchronized void setHomeNodeAuthorizations(User user) {
-		// give all privileges on user home
-		// FIXME: fails on an empty repo
+	protected synchronized void setSecurityHomeAuthorizations(User user) {
+		// give read privileges on user security home
 		String userId = "<not yet set>";
 		try {
 			userId = user.getID();
-			Node userHome = null;
-			try {
-				userHome = JcrUtils.getUserHome(getSystemSession(), userId);
-				if (userHome == null) {
-					userHome = JcrUtils.createUserHomeIfNeeded(getSystemSession(), userId);
-					//log.warn("No home available for user "+userId);
-					return;
-				}
-			} catch (Exception e) {
-				// silent
+			Node userHome = JcrUtils.getUserHome(getSystemSession(), userId);
+			if (userHome == null)
+				throw new ArgeoException("No security home available for user "
+						+ userId);
+
+			String path = userHome.getPath();
+			Principal principal = user.getPrincipal();
+
+			JackrabbitAccessControlManager acm = (JackrabbitAccessControlManager) getSystemSession()
+					.getAccessControlManager();
+			JackrabbitAccessControlPolicy[] ps = acm
+					.getApplicablePolicies(principal);
+			if (ps.length == 0) {
+				// log.warn("No ACL found for " + user);
+				return;
 			}
 
-			if (userHome != null) {
-				String path = userHome.getPath();
-				Principal principal = user.getPrincipal();
-
-				JackrabbitAccessControlManager acm = (JackrabbitAccessControlManager) getSystemSession()
-						.getAccessControlManager();
-				JackrabbitAccessControlPolicy[] ps = acm
-						.getApplicablePolicies(principal);
-				if (ps.length == 0) {
-					// log.warn("No ACL found for " + user);
-					return;
-				}
-
-				JackrabbitAccessControlList list = (JackrabbitAccessControlList) ps[0];
-
-				// add entry
-				Privilege[] privileges = new Privilege[] { acm
-						.privilegeFromName(Privilege.JCR_ALL) };
-				Map<String, Value> restrictions = new HashMap<String, Value>();
-				ValueFactory vf = getSystemSession().getValueFactory();
-				restrictions.put("rep:nodePath",
-						vf.createValue(path, PropertyType.PATH));
-				restrictions.put("rep:glob", vf.createValue("*"));
-				list.addEntry(principal, privileges, true /* allow or deny */,
-						restrictions);
-			}
+			JackrabbitAccessControlList list = (JackrabbitAccessControlList) ps[0];
+
+			// add entry
+			Privilege[] privileges = new Privilege[] { acm
+					.privilegeFromName(Privilege.JCR_READ) };
+			Map<String, Value> restrictions = new HashMap<String, Value>();
+			ValueFactory vf = getSystemSession().getValueFactory();
+			restrictions.put("rep:nodePath",
+					vf.createValue(path, PropertyType.PATH));
+			restrictions.put("rep:glob", vf.createValue("*"));
+			list.addEntry(principal, privileges, true /* allow or deny */,
+					restrictions);
 		} catch (Exception e) {
 			e.printStackTrace();
-			log.warn("Cannot set authorization on user node for " + userId
-					+ ": " + e.getMessage());
+			throw new ArgeoException(
+					"Cannot set authorization on security home for " + userId
+							+ ": " + e.getMessage());
 		}
 
 	}