X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=security%2Fruntime%2Forg.argeo.security.ldap%2Fsrc%2Fmain%2Fjava%2Forg%2Fargeo%2Fsecurity%2Fldap%2Fjcr%2FJcrLdapSynchronizer.java;h=fa940f93d7370fae077686ac3876d54a6011ee5b;hb=0450e423bd759c9e27b43044670e659271392d71;hp=11e8e81998ea449960a1fe6e0a89f360372dd64d;hpb=1d5afdce3e91054f07ddd3c98309c363b4cf1d46;p=lgpl%2Fargeo-commons.git
diff --git a/security/runtime/org.argeo.security.ldap/src/main/java/org/argeo/security/ldap/jcr/JcrLdapSynchronizer.java b/security/runtime/org.argeo.security.ldap/src/main/java/org/argeo/security/ldap/jcr/JcrLdapSynchronizer.java
index 11e8e8199..fa940f93d 100644
--- a/security/runtime/org.argeo.security.ldap/src/main/java/org/argeo/security/ldap/jcr/JcrLdapSynchronizer.java
+++ b/security/runtime/org.argeo.security.ldap/src/main/java/org/argeo/security/ldap/jcr/JcrLdapSynchronizer.java
@@ -59,6 +59,7 @@ import org.argeo.ArgeoException;
 import org.argeo.jcr.ArgeoNames;
 import org.argeo.jcr.ArgeoTypes;
 import org.argeo.jcr.JcrUtils;
+import org.argeo.security.jcr.JcrSecurityModel;
 import org.argeo.security.jcr.JcrUserDetails;
 import org.springframework.ldap.core.ContextExecutor;
 import org.springframework.ldap.core.ContextMapper;
@@ -72,7 +73,7 @@ import org.springframework.security.providers.encoding.PasswordEncoder;
 import org.springframework.security.userdetails.UserDetails;
 import org.springframework.security.userdetails.ldap.UserDetailsContextMapper;
-/** Guarantees that LDAP and JCR are in line. */
+/** Makes sure that LDAP and JCR are in line. */
 public class JcrLdapSynchronizer implements UserDetailsContextMapper,
 ArgeoNames {
 private final static Log log = LogFactory.getLog(JcrLdapSynchronizer.class);
@@ -101,12 +102,11 @@ public class JcrLdapSynchronizer implements UserDetailsContextMapper,
 // JCR
 /** Admin session on the security workspace */
- private Session securitySession;
+ private Session nodeSession;
 private Repository repository;
- private String securityWorkspace = "security";
-
 private JcrProfileListener jcrProfileListener;
+ private JcrSecurityModel jcrSecurityModel = new JcrSecurityModel();
 // Mapping
 private Map propertyToAttributes = new HashMap();
@@ -117,7 +117,7 @@ public class JcrLdapSynchronizer implements UserDetailsContextMapper,
 public void init() {
 try {
- securitySession = repository.login(securityWorkspace);
+ nodeSession = repository.login();
 synchronize();
@@ -141,22 +141,22 @@ public class JcrLdapSynchronizer implements UserDetailsContextMapper,
 jcrProfileListener = new JcrProfileListener();
 // noLocal is used so that we are not notified when we modify JCR
 // from LDAP
- securitySession
+ nodeSession
 .getWorkspace()
 .getObservationManager()
 .addEventListener(jcrProfileListener, Event.PROPERTY_CHANGED | Event.NODE_ADDED, "/", true, null, nodeTypes, true);
 } catch (Exception e) {
- JcrUtils.logoutQuietly(securitySession);
+ JcrUtils.logoutQuietly(nodeSession);
 throw new ArgeoException("Cannot initialize LDAP/JCR synchronizer", e);
 }
 }
 public void destroy() {
- JcrUtils.removeListenerQuietly(securitySession, jcrProfileListener);
- JcrUtils.logoutQuietly(securitySession);
+ JcrUtils.removeListenerQuietly(nodeSession, jcrProfileListener);
+ JcrUtils.logoutQuietly(nodeSession);
 try {
 rawLdapTemplate.executeReadOnly(new ContextExecutor() {
 public Object executeWithContext(DirContext ctx)
@@ -190,7 +190,7 @@ public class JcrLdapSynchronizer implements UserDetailsContextMapper,
 });
 // disable accounts which are not in LDAP
- Query query = securitySession
+ Query query = nodeSession
 .getWorkspace()
 .getQueryManager()
 .createQuery(
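Review bot: The Javadoc kept on the renamed field, `/** Admin session on the security workspace */`, no longer matches the code: the `securityWorkspace` field and its setter are removed in this commit and init() now obtains the session with `repository.login()` and no workspace argument (the @@ -117 hunk), so the session is on the repository's default workspace. Update the comment to `/** Session on the default workspace, opened in init() via repository.login() and closed in destroy() */`. Whether that login yields an administrative session, and what access control applies to user profiles now that they are no longer confined to a dedicated "security" workspace, depends on repository configuration that is not visible here and is worth stating in the class Javadoc, since synchronize() relies on this session to disable accounts and the observation listener pushes profile changes back to LDAP through it.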
@@ -206,17 +206,18 @@ public class JcrLdapSynchronizer implements UserDetailsContextMapper,
 + " not found in LDAP, disabling user " + userProfile.getProperty(ArgeoNames.ARGEO_USER_ID) .getString());
- VersionManager versionManager = securitySession
- .getWorkspace().getVersionManager();
+ VersionManager versionManager = nodeSession.getWorkspace()
+ .getVersionManager();
 versionManager.checkout(userProfile.getPath());
 userProfile.setProperty(ArgeoNames.ARGEO_ENABLED, false);
- securitySession.save();
+ nodeSession.save();
 versionManager.checkin(userProfile.getPath());
 }
 }
 }
 } catch (Exception e) {
- JcrUtils.discardQuietly(securitySession);
- throw new ArgeoException("Cannot synchronized LDAP and JCR", e);
+ JcrUtils.discardQuietly(nodeSession);
+ log.error("Cannot synchronize LDAP and JCR", e);
+ // throw new ArgeoException("Cannot synchronize LDAP and JCR", e);
 }
 }
@@ -225,8 +226,10 @@ public class JcrLdapSynchronizer implements UserDetailsContextMapper,
 final String username, GrantedAuthority[] authorities) {
 if (ctx == null)
 throw new ArgeoException("No LDAP information for user " + username);
- Node userProfile = JcrUtils.createUserProfileIfNeeded(securitySession,
- username);
+
+ // Node userProfile = SecurityJcrUtils.createUserProfileIfNeeded(
+ // securitySession, username);
+ Node userProfile = jcrSecurityModel.sync(nodeSession, username);
 JcrUserDetails.checkAccountStatus(userProfile);
 // password
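Review bot: The catch block at the end of synchronize() now swallows the failure — `log.error("Cannot synchronize LDAP and JCR", e);` replaces the throw, which is left behind as a commented-out line — so a JCR or LDAP error while disabling accounts that no longer exist in LDAP is no longer reported to init(), and the synchronizer comes up with those profiles still enabled until some later run succeeds; this is a fail-open change for the account-disabling path. Because `nodeSession.save()` is called per profile inside the loop, the `JcrUtils.discardQuietly(nodeSession)` in the catch only drops the changes of the profile being processed when the error hit, so the outcome is a partially applied sync with nothing but a log line to show for it. If init() is meant to survive a sync failure, make that explicit rather than silent, for example by having synchronize() rethrow and catching it in init() with a clear message, or by returning a status the caller checks; in either case delete the commented-out `// throw new ArgeoException(...)` line instead of keeping dead code. The start of synchronize() lies outside the hunk.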
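Review bot: The call replaced by `Node userProfile = jcrSecurityModel.sync(nodeSession, username);` is kept as commented-out code (`// Node userProfile = SecurityJcrUtils.createUserProfileIfNeeded(`), and the @@ -256 hunk of mapLdapToJcr does the same with the entire former profile-creation block; commented-out code should be deleted, the history is in git. That removed block also set `ARGEO_ENABLED`, `ARGEO_ACCOUNT_NON_EXPIRED`, `ARGEO_ACCOUNT_NON_LOCKED` and `ARGEO_CREDENTIALS_NON_EXPIRED` to true on legacy profiles that lacked them before saving and checking in; whether `JcrSecurityModel.sync()` now takes over that responsibility is not visible in this diff and should be confirmed, because `JcrUserDetails.checkAccountStatus(userProfile)` on the following line is the only check between sync() and the returned UserDetails. A one-line comment on the sync() call stating what the model guarantees about the returned profile (existence, versioning state, presence of the account-status flags) would make the contract reviewable here. The enclosing method's signature starts before the hunk.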
@@ -256,36 +259,38 @@ public class JcrLdapSynchronizer implements UserDetailsContextMapper,
 * @return path to user profile
 */
 protected synchronized String mapLdapToJcr(DirContextAdapter ctx) {
- Session session = securitySession;
+ Session session = nodeSession;
 try {
 // process
 String username = ctx.getStringAttribute(usernameAttribute);
- Node userHome = JcrUtils.createUserHomeIfNeeded(session, username);
- Node userProfile; // = userHome.getNode(ARGEO_PROFILE);
- if (userHome.hasNode(ARGEO_PROFILE)) {
- userProfile = userHome.getNode(ARGEO_PROFILE);
-
- // compatibility with legacy, will be removed
- if (!userProfile.hasProperty(ARGEO_ENABLED)) {
- session.getWorkspace().getVersionManager()
- .checkout(userProfile.getPath());
- userProfile.setProperty(ARGEO_ENABLED, true);
- userProfile.setProperty(ARGEO_ACCOUNT_NON_EXPIRED, true);
- userProfile.setProperty(ARGEO_ACCOUNT_NON_LOCKED, true);
- userProfile
- .setProperty(ARGEO_CREDENTIALS_NON_EXPIRED, true);
- session.save();
- session.getWorkspace().getVersionManager()
- .checkin(userProfile.getPath());
- }
- } else {
- userProfile = JcrUtils.createUserProfile(securitySession,
- username);
- userProfile.getSession().save();
- userProfile.getSession().getWorkspace().getVersionManager()
- .checkin(userProfile.getPath());
- }
-
+ // Node userHome = SecurityJcrUtils.createUserHomeIfNeeded(session,
+ // username);
+ // Node userProfile; // = userHome.getNode(ARGEO_PROFILE);
+ // if (userHome.hasNode(ARGEO_PROFILE)) {
+ // userProfile = userHome.getNode(ARGEO_PROFILE);
+ //
+ // // compatibility with legacy, will be removed
+ // if (!userProfile.hasProperty(ARGEO_ENABLED)) {
+ // session.getWorkspace().getVersionManager()
+ // .checkout(userProfile.getPath());
+ // userProfile.setProperty(ARGEO_ENABLED, true);
+ // userProfile.setProperty(ARGEO_ACCOUNT_NON_EXPIRED, true);
+ // userProfile.setProperty(ARGEO_ACCOUNT_NON_LOCKED, true);
+ // userProfile
+ // .setProperty(ARGEO_CREDENTIALS_NON_EXPIRED, true);
+ // session.save();
+ // session.getWorkspace().getVersionManager()
+ // .checkin(userProfile.getPath());
+ // }
+ // } else {
+ // userProfile = SecurityJcrUtils.createUserProfile(
+ // securitySession, username);
+ // userProfile.getSession().save();
+ // userProfile.getSession().getWorkspace().getVersionManager()
+ // .checkin(userProfile.getPath());
+ // }
+
+ Node userProfile = jcrSecurityModel.sync(session, username);
 Map modifications = new HashMap();
 for (String jcrProperty : propertyToAttributes.keySet())
 ldapToJcr(userProfile, jcrProperty, ctx, modifications);
@@ -373,8 +378,9 @@ public class JcrLdapSynchronizer implements UserDetailsContextMapper,
 final JcrUserDetails jcrUserDetails = (JcrUserDetails) user;
 try {
- Node userProfile = securitySession.getNode(
- jcrUserDetails.getHomePath()).getNode(ARGEO_PROFILE);
+ Node userProfile = nodeSession
+ .getNode(jcrUserDetails.getHomePath()).getNode(
+ ARGEO_PROFILE);
 for (String jcrProperty : propertyToAttributes.keySet()) {
 if (userProfile.hasProperty(jcrProperty)) {
 ModificationItem mi = jcrToLdap(jcrProperty, userProfile
@@ -455,10 +461,6 @@ public class JcrLdapSynchronizer implements UserDetailsContextMapper,
 this.repository = repository;
 }
- public void setSecurityWorkspace(String securityWorkspace) {
- this.securityWorkspace = securityWorkspace;
- }
-
 public void setUserBase(String userBase) {
 this.userBase = userBase;
 }
@@ -487,6 +489,10 @@ public class JcrLdapSynchronizer implements UserDetailsContextMapper,
 this.passwordEncoder = passwordEncoder;
 }
+ public void setJcrSecurityModel(JcrSecurityModel jcrSecurityModel) {
+ this.jcrSecurityModel = jcrSecurityModel;
+ }
+
 /** Listen to LDAP */
 class LdapUserListener implements ObjectChangeListener,
 NamespaceChangeListener, UnsolicitedNotificationListener {
@@ -548,7 +554,7 @@ public class JcrLdapSynchronizer implements UserDetailsContextMapper,
 Event event = events.nextEvent();
 try {
 if (Event.PROPERTY_CHANGED == event.getType()) {
- Property property = (Property) securitySession
+ Property property = (Property) nodeSession
 .getItem(event.getPath());
 String propertyName = property.getName();
 Node userProfile = property.getParent();
@@ -566,7 +572,7 @@ public class JcrLdapSynchronizer implements UserDetailsContextMapper,
 modifications.get(name).add(mi);
 }
 } else if (Event.NODE_ADDED == event.getType()) {
- Node userProfile = securitySession.getNode(event
+ Node userProfile = nodeSession.getNode(event
 .getPath());
 String username = userProfile.getProperty(
 ARGEO_USER_ID).getString();