<property name="rawLdapTemplate" ref="rawLdapTemplate" />
<!-- JCR -->
<property name="repository" ref="nodeRepository" />
- <property name="securityWorkspace" value="${argeo.node.repo.securityWorkspace}" />
+ <property name="jcrSecurityModel" ref="jcrSecurityModel" />
<property name="propertyToAttributes" ref="propertyToAttributes" />
</bean>
+ <bean name="jcrSecurityModel" class="org.argeo.security.jackrabbit.JackrabbitSecurityModel" />
+
<!-- LDAP / JCR mapping -->
<util:map id="propertyToAttributes">
<entry value="cn">
<property name="userAdminDao" ref="userAdminDao" />
<property name="passwordEncoder" ref="passwordEncoder" />
<property name="passwordAttributeName" value="${argeo.ldap.passwordAttribute}" />
+ <property name="superUsername" value="${argeo.security.superUsername}" />
</bean>
<bean id="userAdminDao" class="org.argeo.security.ldap.ArgeoUserAdminDaoLdap">
-argeo.node.repo.securityWorkspace=security
-
argeo.security.defaultRole=ROLE_USER
argeo.security.rolePrefix=ROLE_
argeo.security.systemKey=argeo
+argeo.security.superUsername=root
argeo.ldap.rootdn=dc=demo,dc=argeo,dc=org
argeo.ldap.protocol=ldap
<bean id="osJcrAuthenticationProvider" class="org.argeo.security.jcr.OsJcrAuthenticationProvider"
init-method="init" destroy-method="destroy" depends-on="argeoDataModel">
<property name="repository" ref="nodeRepository" />
+ <property name="jcrSecurityModel" ref="jcrSecurityModel" />
</bean>
+ <bean name="jcrSecurityModel" class="org.argeo.security.jackrabbit.JackrabbitSecurityModel" />
+
<bean id="authByAdapterProvider"
class="org.springframework.security.adapters.AuthByAdapterProvider">
<description><![CDATA[System authentication]]></description>
</bean>\r
\r
<bean id="session" class="org.argeo.security.jcr.SecureThreadBoundSession">\r
- <property name="workspace" value="${argeo.node.repo.securityWorkspace}" />\r
<property name="repository" ref="nodeRepository" />\r
</bean>\r
</beans>
\ No newline at end of file
-argeo.node.repo.securityWorkspace=security
import javax.jcr.Session;
import org.argeo.security.UserAdminService;
+import org.argeo.security.jcr.JcrSecurityModel;
import org.argeo.security.ui.admin.wizards.NewUserWizard;
import org.eclipse.core.commands.AbstractHandler;
import org.eclipse.core.commands.ExecutionEvent;
public class NewUser extends AbstractHandler {
private Session session;
private UserAdminService userAdminService;
+ private JcrSecurityModel jcrSecurityModel;
public Object execute(ExecutionEvent event) throws ExecutionException {
try {
NewUserWizard newUserWizard = new NewUserWizard(session,
- userAdminService);
+ userAdminService,jcrSecurityModel);
WizardDialog dialog = new WizardDialog(
HandlerUtil.getActiveShell(event), newUserWizard);
dialog.open();
this.userAdminService = userAdminService;
}
+ public void setJcrSecurityModel(JcrSecurityModel jcrSecurityModel) {
+ this.jcrSecurityModel = jcrSecurityModel;
+ }
+
}
import org.argeo.eclipse.ui.ErrorFeedback;
import org.argeo.jcr.JcrUtils;
import org.argeo.jcr.UserJcrUtils;
-import org.argeo.jcr.security.SecurityJcrUtils;
import org.argeo.security.UserAdminService;
+import org.argeo.security.jcr.JcrSecurityModel;
import org.argeo.security.jcr.JcrUserDetails;
import org.eclipse.jface.wizard.Wizard;
import org.springframework.security.GrantedAuthority;
private final static Log log = LogFactory.getLog(NewUserWizard.class);
private Session session;
private UserAdminService userAdminService;
+ private JcrSecurityModel jcrSecurityModel;
// pages
private MainUserInfoWizardPage mainUserInfo;
- public NewUserWizard(Session session, UserAdminService userAdminService) {
+ public NewUserWizard(Session session, UserAdminService userAdminService,
+ JcrSecurityModel jcrSecurityModel) {
this.session = session;
this.userAdminService = userAdminService;
+ this.jcrSecurityModel = jcrSecurityModel;
}
@Override
String username = mainUserInfo.getUsername();
try {
- Node userProfile = SecurityJcrUtils.createUserProfile(session, username);
+ // Node userProfile = SecurityJcrUtils.createUserProfile(session,
+ // username);
+ Node userProfile = jcrSecurityModel.sync(session, username);
// session.getWorkspace().getVersionManager()
// .checkout(userProfile.getPath());
mainUserInfo.mapToProfileNode(userProfile);
--- /dev/null
+package org.argeo.security.jcr;
+
+import javax.jcr.Node;
+import javax.jcr.RepositoryException;
+import javax.jcr.Session;
+import javax.jcr.security.Privilege;
+import javax.jcr.version.VersionManager;
+
+import org.argeo.ArgeoException;
+import org.argeo.jcr.ArgeoJcrConstants;
+import org.argeo.jcr.ArgeoNames;
+import org.argeo.jcr.ArgeoTypes;
+import org.argeo.jcr.JcrUtils;
+import org.argeo.jcr.UserJcrUtils;
+
+/**
+ * Manages data expected by the Argeo security model, such as user home and
+ * profile.
+ */
+public class JcrSecurityModel {
+ // ArgeoNames not implemented as interface in order to ease derivation by
+ // Jackrabbit bundles
+
+ /** The home base path. */
+ private String homeBasePath = "/home";
+
+ /**
+ * To be called before user details are loaded
+ *
+ * @return the user profile (whose parent is the user home)
+ */
+ public Node sync(Session session, String username) {
+ // TODO check user name validity (e.g. should not start by ROLE_)
+
+ try {
+ Node userHome = UserJcrUtils.getUserHome(session, username);
+ if (userHome == null) {
+ String homePath = generateUserPath(homeBasePath, username);
+ userHome = JcrUtils.mkdirs(session, homePath);
+ // userHome = JcrUtils.mkfolders(session, homePath);
+ userHome.addMixin(ArgeoTypes.ARGEO_USER_HOME);
+ userHome.setProperty(ArgeoNames.ARGEO_USER_ID, username);
+ session.save();
+
+ JcrUtils.clearAccesControList(session, homePath, username);
+ JcrUtils.addPrivilege(session, homePath, username,
+ Privilege.JCR_ALL);
+ }
+
+ Node userProfile = UserJcrUtils.getUserProfile(session, username);
+ if (userProfile == null) {
+ String personPath = generateUserPath(
+ ArgeoJcrConstants.PEOPLE_BASE_PATH, username);
+ Node personBase = JcrUtils.mkdirs(session, personPath);
+ userProfile = personBase.addNode(ArgeoNames.ARGEO_PROFILE);
+ userProfile.addMixin(ArgeoTypes.ARGEO_USER_PROFILE);
+ userProfile.setProperty(ArgeoNames.ARGEO_USER_ID, username);
+ userProfile.setProperty(ArgeoNames.ARGEO_ENABLED, true);
+ userProfile.setProperty(ArgeoNames.ARGEO_ACCOUNT_NON_EXPIRED,
+ true);
+ userProfile.setProperty(ArgeoNames.ARGEO_ACCOUNT_NON_LOCKED,
+ true);
+ userProfile.setProperty(
+ ArgeoNames.ARGEO_CREDENTIALS_NON_EXPIRED, true);
+ session.save();
+
+ JcrUtils.clearAccesControList(session, userProfile.getPath(),
+ username);
+ JcrUtils.addPrivilege(session, userProfile.getPath(), username,
+ Privilege.JCR_READ);
+
+ VersionManager versionManager = session.getWorkspace()
+ .getVersionManager();
+ if (versionManager.isCheckedOut(userProfile.getPath()))
+ versionManager.checkin(userProfile.getPath());
+ }
+ return userProfile;
+ } catch (RepositoryException e) {
+ JcrUtils.discardQuietly(session);
+ throw new ArgeoException("Cannot sync node security model for "
+ + username, e);
+ }
+ }
+
+ /** Generate path for a new user home */
+ protected String generateUserPath(String base, String username) {
+ int atIndex = username.indexOf('@');
+ if (atIndex > 0) {
+ String domain = username.substring(0, atIndex);
+ String name = username.substring(atIndex + 1);
+ return base + '/' + JcrUtils.firstCharsToPath(domain, 2) + '/'
+ + domain + '/' + JcrUtils.firstCharsToPath(name, 2) + '/'
+ + name;
+ } else if (atIndex == 0 || atIndex == (username.length() - 1)) {
+ throw new ArgeoException("Unsupported username " + username);
+ } else {
+ return base + '/' + JcrUtils.firstCharsToPath(username, 2) + '/'
+ + username;
+ }
+ }
+
+ public void setHomeBasePath(String homeBasePath) {
+ this.homeBasePath = homeBasePath;
+ }
+
+}
import javax.jcr.Session;
import org.argeo.jcr.ArgeoNames;
-import org.argeo.jcr.security.SecurityJcrUtils;
+import org.argeo.jcr.UserJcrUtils;
import org.springframework.security.BadCredentialsException;
import org.springframework.security.DisabledException;
import org.springframework.security.GrantedAuthority;
*/
public JcrUserDetails(Session session, String username, String password,
GrantedAuthority[] authorities) throws RepositoryException {
- this(SecurityJcrUtils.getUserProfile(session, username),
+ this(UserJcrUtils.getUserProfile(session, username),
password != null ? password : "", authorities);
}
import org.argeo.ArgeoException;
import org.argeo.jcr.JcrUtils;
-import org.argeo.jcr.security.SecurityJcrUtils;
import org.argeo.security.OsAuthenticationToken;
import org.argeo.security.core.OsAuthenticationProvider;
import org.springframework.security.Authentication;
/** Relies on OS to authenticate and additionally setup JCR */
public class OsJcrAuthenticationProvider extends OsAuthenticationProvider {
private Repository repository;
- private String securityWorkspace = "security";
- private Session securitySession;
+ // private String securityWorkspace = "security";
+ // private Session securitySession;
private Session nodeSession;
private UserDetails userDetails;
+ private JcrSecurityModel jcrSecurityModel = new JcrSecurityModel();
public void init() {
try {
- securitySession = repository.login(securityWorkspace);
+ // securitySession = repository.login();
nodeSession = repository.login();
} catch (RepositoryException e) {
throw new ArgeoException("Cannot initialize", e);
}
public void destroy() {
- JcrUtils.logoutQuietly(securitySession);
+ // JcrUtils.logoutQuietly(securitySession);
JcrUtils.logoutQuietly(nodeSession);
}
// WARNING: at this stage we assume that the java properties
// will have the same value
String username = System.getProperty("user.name");
- Node userProfile = SecurityJcrUtils.createUserProfileIfNeeded(
- securitySession, username);
+ Node userProfile = jcrSecurityModel.sync(nodeSession, username);
JcrUserDetails.checkAccountStatus(userProfile);
// each user should have a writable area in the default
// workspace of the node
- SecurityJcrUtils.createUserHomeIfNeeded(nodeSession, username);
+ // SecurityJcrUtils.createUserHomeIfNeeded(nodeSession,
+ // username);
userDetails = new JcrUserDetails(userProfile, authen
.getCredentials().toString(), getBaseAuthorities());
authen.setDetails(userDetails);
return authen;
} catch (RepositoryException e) {
- JcrUtils.discardQuietly(securitySession);
+ JcrUtils.discardQuietly(nodeSession);
throw new ArgeoException(
"Unexpected exception when synchronizing OS and JCR security ",
e);
} finally {
- JcrUtils.logoutQuietly(securitySession);
+ JcrUtils.logoutQuietly(nodeSession);
}
} else {
throw new ArgeoException("Unsupported authentication "
}
}
- public void setSecurityWorkspace(String securityWorkspace) {
- this.securityWorkspace = securityWorkspace;
- }
+ // public void setSecurityWorkspace(String securityWorkspace) {
+ // this.securityWorkspace = securityWorkspace;
+ // }
public void setRepository(Repository repository) {
this.repository = repository;
}
+ public void setJcrSecurityModel(JcrSecurityModel jcrSecurityModel) {
+ this.jcrSecurityModel = jcrSecurityModel;
+ }
+
@SuppressWarnings("rawtypes")
public boolean supports(Class authentication) {
return OsAuthenticationToken.class.isAssignableFrom(authentication)
import org.argeo.ArgeoException;
import org.argeo.jcr.JcrUtils;
-import org.argeo.jcr.security.SecurityJcrUtils;
+import org.argeo.jcr.UserJcrUtils;
import org.argeo.security.UserAdminService;
import org.springframework.dao.DataAccessException;
import org.springframework.security.userdetails.UserDetails;
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException, DataAccessException {
if (getSPropertyUsername().equals(username)) {
- Node userProfile = SecurityJcrUtils.getUserProfile(securitySession,
+ Node userProfile = UserJcrUtils.getUserProfile(securitySession,
username);
JcrUserDetails userDetails;
try {
/** Integrates Spring Security and Jackrabbit Security user and roles. */
public class ArgeoSecurityManager extends DefaultSecurityManager {
- private Log log = LogFactory.getLog(ArgeoSecurityManager.class);
+ private final static Log log = LogFactory
+ .getLog(ArgeoSecurityManager.class);
/**
* Since this is called once when the session is created, we take the
authen = authens.iterator().next();
// sync Spring and Jackrabbit
- syncSpringAndJackrabbitSecurity(authen);
+ // workspace is irrelevant here
+ UserManager systemUm = getSystemUserManager(null);
+ syncSpringAndJackrabbitSecurity(systemUm, authen);
return authen.getName();
}
* Make sure that the Jackrabbit security model contains this user and its
* granted authorities
*/
- protected void syncSpringAndJackrabbitSecurity(Authentication authen)
- throws RepositoryException {
+ static void syncSpringAndJackrabbitSecurity(UserManager systemUm,
+ Authentication authen) throws RepositoryException {
long begin = System.currentTimeMillis();
- // workspace is irrelevant here
- UserManager systemUm = getSystemUserManager(null);
-
String userId = authen.getName();
User user = (User) systemUm.getAuthorizable(userId);
if (user == null) {
--- /dev/null
+package org.argeo.security.jackrabbit;
+
+import javax.jcr.Node;
+import javax.jcr.RepositoryException;
+import javax.jcr.Session;
+
+import org.apache.jackrabbit.api.JackrabbitSession;
+import org.apache.jackrabbit.api.security.user.User;
+import org.apache.jackrabbit.api.security.user.UserManager;
+import org.argeo.ArgeoException;
+import org.argeo.security.jcr.JcrSecurityModel;
+import org.argeo.util.security.SimplePrincipal;
+
+/** Make sure that user authorizable exists before syncing user directories. */
+public class JackrabbitSecurityModel extends JcrSecurityModel {
+
+ @Override
+ public Node sync(Session session, String username) {
+ try {
+ if (session instanceof JackrabbitSession) {
+ UserManager userManager = ((JackrabbitSession) session)
+ .getUserManager();
+ User user = (User) userManager
+ .getAuthorizable(new SimplePrincipal(username));
+ if (user == null)
+ userManager.createUser(username, "");
+ }
+ } catch (RepositoryException e) {
+ throw new ArgeoException(
+ "Cannot perform Jackrabbit specific operaitons", e);
+ }
+ return super.sync(session, username);
+ }
+
+}
import org.argeo.jcr.ArgeoNames;
import org.argeo.jcr.ArgeoTypes;
import org.argeo.jcr.JcrUtils;
-import org.argeo.jcr.security.SecurityJcrUtils;
+import org.argeo.security.jcr.JcrSecurityModel;
import org.argeo.security.jcr.JcrUserDetails;
import org.springframework.ldap.core.ContextExecutor;
import org.springframework.ldap.core.ContextMapper;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.security.userdetails.ldap.UserDetailsContextMapper;
-/** Guarantees that LDAP and JCR are in line. */
+/** Makes sure that LDAP and JCR are in line. */
public class JcrLdapSynchronizer implements UserDetailsContextMapper,
ArgeoNames {
private final static Log log = LogFactory.getLog(JcrLdapSynchronizer.class);
// JCR
/** Admin session on the security workspace */
- private Session securitySession;
+ private Session nodeSession;
private Repository repository;
- private String securityWorkspace = "security";
-
private JcrProfileListener jcrProfileListener;
+ private JcrSecurityModel jcrSecurityModel = new JcrSecurityModel();
// Mapping
private Map<String, String> propertyToAttributes = new HashMap<String, String>();
public void init() {
try {
- securitySession = repository.login(securityWorkspace);
+ nodeSession = repository.login();
synchronize();
jcrProfileListener = new JcrProfileListener();
// noLocal is used so that we are not notified when we modify JCR
// from LDAP
- securitySession
+ nodeSession
.getWorkspace()
.getObservationManager()
.addEventListener(jcrProfileListener,
Event.PROPERTY_CHANGED | Event.NODE_ADDED, "/",
true, null, nodeTypes, true);
} catch (Exception e) {
- JcrUtils.logoutQuietly(securitySession);
+ JcrUtils.logoutQuietly(nodeSession);
throw new ArgeoException("Cannot initialize LDAP/JCR synchronizer",
e);
}
}
public void destroy() {
- JcrUtils.removeListenerQuietly(securitySession, jcrProfileListener);
- JcrUtils.logoutQuietly(securitySession);
+ JcrUtils.removeListenerQuietly(nodeSession, jcrProfileListener);
+ JcrUtils.logoutQuietly(nodeSession);
try {
rawLdapTemplate.executeReadOnly(new ContextExecutor() {
public Object executeWithContext(DirContext ctx)
});
// disable accounts which are not in LDAP
- Query query = securitySession
+ Query query = nodeSession
.getWorkspace()
.getQueryManager()
.createQuery(
+ " not found in LDAP, disabling user "
+ userProfile.getProperty(ArgeoNames.ARGEO_USER_ID)
.getString());
- VersionManager versionManager = securitySession
- .getWorkspace().getVersionManager();
+ VersionManager versionManager = nodeSession.getWorkspace()
+ .getVersionManager();
versionManager.checkout(userProfile.getPath());
userProfile.setProperty(ArgeoNames.ARGEO_ENABLED, false);
- securitySession.save();
+ nodeSession.save();
versionManager.checkin(userProfile.getPath());
}
}
} catch (Exception e) {
- JcrUtils.discardQuietly(securitySession);
- throw new ArgeoException("Cannot synchronized LDAP and JCR", e);
+ JcrUtils.discardQuietly(nodeSession);
+ log.error("Cannot synchronize LDAP and JCR", e);
+ // throw new ArgeoException("Cannot synchronize LDAP and JCR", e);
}
}
/** Called during authentication in order to retrieve user details */
public UserDetails mapUserFromContext(final DirContextOperations ctx,
final String username, GrantedAuthority[] authorities) {
- log.debug("mapUserFromContext");
if (ctx == null)
throw new ArgeoException("No LDAP information for user " + username);
- Node userProfile = SecurityJcrUtils.createUserProfileIfNeeded(securitySession,
- username);
+
+ // Node userProfile = SecurityJcrUtils.createUserProfileIfNeeded(
+ // securitySession, username);
+ Node userProfile = jcrSecurityModel.sync(nodeSession, username);
JcrUserDetails.checkAccountStatus(userProfile);
// password
* @return path to user profile
*/
protected synchronized String mapLdapToJcr(DirContextAdapter ctx) {
- Session session = securitySession;
+ Session session = nodeSession;
try {
// process
String username = ctx.getStringAttribute(usernameAttribute);
- Node userHome = SecurityJcrUtils.createUserHomeIfNeeded(session, username);
- Node userProfile; // = userHome.getNode(ARGEO_PROFILE);
- if (userHome.hasNode(ARGEO_PROFILE)) {
- userProfile = userHome.getNode(ARGEO_PROFILE);
-
- // compatibility with legacy, will be removed
- if (!userProfile.hasProperty(ARGEO_ENABLED)) {
- session.getWorkspace().getVersionManager()
- .checkout(userProfile.getPath());
- userProfile.setProperty(ARGEO_ENABLED, true);
- userProfile.setProperty(ARGEO_ACCOUNT_NON_EXPIRED, true);
- userProfile.setProperty(ARGEO_ACCOUNT_NON_LOCKED, true);
- userProfile
- .setProperty(ARGEO_CREDENTIALS_NON_EXPIRED, true);
- session.save();
- session.getWorkspace().getVersionManager()
- .checkin(userProfile.getPath());
- }
- } else {
- userProfile = SecurityJcrUtils.createUserProfile(securitySession,
- username);
- userProfile.getSession().save();
- userProfile.getSession().getWorkspace().getVersionManager()
- .checkin(userProfile.getPath());
- }
-
+ // Node userHome = SecurityJcrUtils.createUserHomeIfNeeded(session,
+ // username);
+ // Node userProfile; // = userHome.getNode(ARGEO_PROFILE);
+ // if (userHome.hasNode(ARGEO_PROFILE)) {
+ // userProfile = userHome.getNode(ARGEO_PROFILE);
+ //
+ // // compatibility with legacy, will be removed
+ // if (!userProfile.hasProperty(ARGEO_ENABLED)) {
+ // session.getWorkspace().getVersionManager()
+ // .checkout(userProfile.getPath());
+ // userProfile.setProperty(ARGEO_ENABLED, true);
+ // userProfile.setProperty(ARGEO_ACCOUNT_NON_EXPIRED, true);
+ // userProfile.setProperty(ARGEO_ACCOUNT_NON_LOCKED, true);
+ // userProfile
+ // .setProperty(ARGEO_CREDENTIALS_NON_EXPIRED, true);
+ // session.save();
+ // session.getWorkspace().getVersionManager()
+ // .checkin(userProfile.getPath());
+ // }
+ // } else {
+ // userProfile = SecurityJcrUtils.createUserProfile(
+ // securitySession, username);
+ // userProfile.getSession().save();
+ // userProfile.getSession().getWorkspace().getVersionManager()
+ // .checkin(userProfile.getPath());
+ // }
+
+ Node userProfile = jcrSecurityModel.sync(session, username);
Map<String, String> modifications = new HashMap<String, String>();
for (String jcrProperty : propertyToAttributes.keySet())
ldapToJcr(userProfile, jcrProperty, ctx, modifications);
final JcrUserDetails jcrUserDetails = (JcrUserDetails) user;
try {
- Node userProfile = securitySession.getNode(
- jcrUserDetails.getHomePath()).getNode(ARGEO_PROFILE);
+ Node userProfile = nodeSession
+ .getNode(jcrUserDetails.getHomePath()).getNode(
+ ARGEO_PROFILE);
for (String jcrProperty : propertyToAttributes.keySet()) {
if (userProfile.hasProperty(jcrProperty)) {
ModificationItem mi = jcrToLdap(jcrProperty, userProfile
this.repository = repository;
}
- public void setSecurityWorkspace(String securityWorkspace) {
- this.securityWorkspace = securityWorkspace;
- }
-
public void setUserBase(String userBase) {
this.userBase = userBase;
}
this.passwordEncoder = passwordEncoder;
}
+ public void setJcrSecurityModel(JcrSecurityModel jcrSecurityModel) {
+ this.jcrSecurityModel = jcrSecurityModel;
+ }
+
/** Listen to LDAP */
class LdapUserListener implements ObjectChangeListener,
NamespaceChangeListener, UnsolicitedNotificationListener {
Event event = events.nextEvent();
try {
if (Event.PROPERTY_CHANGED == event.getType()) {
- Property property = (Property) securitySession
+ Property property = (Property) nodeSession
.getItem(event.getPath());
String propertyName = property.getName();
Node userProfile = property.getParent();
modifications.get(name).add(mi);
}
} else if (Event.NODE_ADDED == event.getType()) {
- Node userProfile = securitySession.getNode(event
+ Node userProfile = nodeSession.getNode(event
.getPath());
String username = userProfile.getProperty(
ARGEO_USER_ID).getString();
import org.argeo.jcr.JcrUtils;
import org.argeo.jcr.UserJcrUtils;
import org.argeo.jcr.security.JcrKeyring;
-import org.argeo.jcr.security.SecurityJcrUtils;
import org.argeo.jcr.ui.explorer.JcrExplorerConstants;
import org.eclipse.core.commands.AbstractHandler;
import org.eclipse.core.commands.ExecutionEvent;
Session nodeSession = keyring.getSession();
Node home = UserJcrUtils.getUserHome(nodeSession);
- // FIXME better deal with non existing home dir
- if (home == null)
- home = SecurityJcrUtils.createUserHomeIfNeeded(nodeSession,
- nodeSession.getUserID());
-
Node remote = home.hasNode(ARGEO_REMOTE) ? home
.getNode(ARGEO_REMOTE) : home.addNode(ARGEO_REMOTE);
if (remote.hasNode(name.getText()))
*/
package org.argeo.jcr;
-/** JCR related constants */
+/** Argeo model specific constants */
public interface ArgeoJcrConstants {
public final static String ARGEO_BASE_PATH = "/argeo:system";
public final static String DATA_MODELS_BASE_PATH = ARGEO_BASE_PATH
+ "/argeo:dataModels";
+ public final static String PEOPLE_BASE_PATH = ARGEO_BASE_PATH
+ + "/argeo:people";
// parameters (typically for call to a RepositoryFactory)
public final static String JCR_REPOSITORY_ALIAS = "argeo.jcr.repository.alias";
Principal principal, List<Privilege> privs)
throws RepositoryException {
AccessControlManager acm = session.getAccessControlManager();
+ AccessControlList acl = getAccessControlList(acm, path);
+ acl.addAccessControlEntry(principal,
+ privs.toArray(new Privilege[privs.size()]));
+ acm.setPolicy(path, acl);
+ if (log.isDebugEnabled()) {
+ StringBuffer privBuf = new StringBuffer();
+ for (Privilege priv : privs)
+ privBuf.append(priv.getName());
+ log.debug("Added privileges " + privBuf + " to " + principal
+ + " on " + path);
+ }
+ session.save();
+ }
+
+ /** Gets access control list for this path, throws exception if not found */
+ public static AccessControlList getAccessControlList(
+ AccessControlManager acm, String path) throws RepositoryException {
// search for an access control list
AccessControlList acl = null;
AccessControlPolicyIterator policyIterator = acm
acl = ((AccessControlList) acp);
}
}
+ if (acl != null)
+ return acl;
+ else
+ throw new ArgeoException("ACL not found at " + path);
+ }
- if (acl != null) {
- acl.addAccessControlEntry(principal,
- privs.toArray(new Privilege[privs.size()]));
- acm.setPolicy(path, acl);
- if (log.isDebugEnabled())
- log.debug("Added privileges " + privs + " to " + principal
- + " on " + path);
- } else {
- throw new ArgeoException("Don't know how to apply privileges "
- + privs + " to " + principal + " on " + path);
+ /** Clear authorizations for a user at this path */
+ public static void clearAccesControList(Session session, String path,
+ String username) throws RepositoryException {
+ AccessControlManager acm = session.getAccessControlManager();
+ AccessControlList acl = getAccessControlList(acm, path);
+ for (AccessControlEntry ace : acl.getAccessControlEntries()) {
+ if (ace.getPrincipal().getName().equals(username)) {
+ acl.removeAccessControlEntry(ace);
+ }
}
- session.save();
}
-
}
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
+import javax.jcr.query.Query;
+import javax.jcr.query.qom.Constraint;
+import javax.jcr.query.qom.DynamicOperand;
+import javax.jcr.query.qom.QueryObjectModelFactory;
+import javax.jcr.query.qom.Selector;
+import javax.jcr.query.qom.StaticOperand;
import org.argeo.ArgeoException;
/** Utilities related to the user home and properties based on Argeo JCR model. */
public class UserJcrUtils {
/** The home base path. Not yet configurable */
- public final static String DEFAULT_HOME_BASE_PATH = "/argeo:home";
-
- private UserJcrUtils() {
- }
+ public final static String DEFAULT_HOME_BASE_PATH = "/home";
/**
- * Returns the home node of the session user or null if none was found.
+ * Returns the home node of the user or null if none was found.
*
* @param session
* the session to use in order to perform the search, this can be
*/
public static Node getUserHome(Session session, String username) {
try {
- String homePath = UserJcrUtils.getUserHomePath(username);
- return session.itemExists(homePath) ? session.getNode(homePath)
- : null;
+ // String homePath = UserJcrUtils.getUserHomePath(username);
+ // return session.itemExists(homePath) ? session.getNode(homePath)
+ // : null;
// kept for example of QOM queries
- // QueryObjectModelFactory qomf = session.getWorkspace()
- // .getQueryManager().getQOMFactory();
- // Selector userHomeSel = qomf.selector(ArgeoTypes.ARGEO_USER_HOME,
- // "userHome");
- // DynamicOperand userIdDop = qomf.propertyValue("userHome",
- // ArgeoNames.ARGEO_USER_ID);
- // StaticOperand userIdSop = qomf.literal(session.getValueFactory()
- // .createValue(username));
- // Constraint constraint = qomf.comparison(userIdDop,
- // QueryObjectModelFactory.JCR_OPERATOR_EQUAL_TO, userIdSop);
- // Query query = qomf.createQuery(userHomeSel, constraint, null,
- // null);
- // Node userHome = JcrUtils.querySingleNode(query);
+ QueryObjectModelFactory qomf = session.getWorkspace()
+ .getQueryManager().getQOMFactory();
+ Selector userHomeSel = qomf.selector(ArgeoTypes.ARGEO_USER_HOME,
+ "userHome");
+ DynamicOperand userIdDop = qomf.propertyValue(
+ userHomeSel.getSelectorName(), ArgeoNames.ARGEO_USER_ID);
+ StaticOperand userIdSop = qomf.literal(session.getValueFactory()
+ .createValue(username));
+ Constraint constraint = qomf.comparison(userIdDop,
+ QueryObjectModelFactory.JCR_OPERATOR_EQUAL_TO, userIdSop);
+ Query query = qomf.createQuery(userHomeSel, constraint, null, null);
+ return JcrUtils.querySingleNode(query);
+ } catch (RepositoryException e) {
+ throw new ArgeoException("Cannot find home for user " + username, e);
+ }
+ }
+
+ public static Node getUserProfile(Session session, String username) {
+ try {
+ QueryObjectModelFactory qomf = session.getWorkspace()
+ .getQueryManager().getQOMFactory();
+ Selector userHomeSel = qomf.selector(ArgeoTypes.ARGEO_USER_PROFILE,
+ "userProfile");
+ DynamicOperand userIdDop = qomf.propertyValue(
+ userHomeSel.getSelectorName(), ArgeoNames.ARGEO_USER_ID);
+ StaticOperand userIdSop = qomf.literal(session.getValueFactory()
+ .createValue(username));
+ Constraint constraint = qomf.comparison(userIdDop,
+ QueryObjectModelFactory.JCR_OPERATOR_EQUAL_TO, userIdSop);
+ Query query = qomf.createQuery(userHomeSel, constraint, null, null);
+ return JcrUtils.querySingleNode(query);
} catch (RepositoryException e) {
throw new ArgeoException("Cannot find home for user " + username, e);
}
return getUserHome(session, userID);
}
- /** @deprecated Use {@link getUserHome} directly */
- @Deprecated
- static String getUserHomePath(String username) {
- String homeBasePath = DEFAULT_HOME_BASE_PATH;
- return homeBasePath + '/' + JcrUtils.firstCharsToPath(username, 2)
- + '/' + username;
+ private UserJcrUtils() {
}
}
import org.argeo.jcr.UserJcrUtils;
/** Utilities related to Argeo security model in JCR */
+@Deprecated
public class SecurityJcrUtils implements ArgeoJcrConstants {
/**
* Creates an Argeo user home, does nothing if it already exists. Session is
* NOT saved.
*/
- public static Node createUserHomeIfNeeded(Session session, String username) {
+ static Node createUserHomeIfNeeded(Session session, String username) {
try {
String homePath = generateUserHomePath(username);
if (session.itemExists(homePath))
Node userHome = JcrUtils.mkdirs(session, homePath);
userHome.addMixin(ArgeoTypes.ARGEO_USER_HOME);
userHome.setProperty(ArgeoNames.ARGEO_USER_ID, username);
-
- //JcrUtils.addPrivilege(session, homePath, username, "jcr:all");
+
+ // JcrUtils.addPrivilege(session, homePath, username,
+ // "jcr:all");
return userHome;
}
} catch (RepositoryException e) {
* is not saved and the node is in a checkedOut state (that is, it requires
* a subsequent checkin after saving the session).
*/
- public static Node createUserProfile(Session session, String username) {
+ static Node createUserProfile(Session session, String username) {
try {
Node userHome = createUserHomeIfNeeded(session, username);
if (userHome.hasNode(ArgeoNames.ARGEO_PROFILE))
*
* @return the user profile
*/
- public static Node createUserProfileIfNeeded(Session securitySession,
+ static Node createUserProfileIfNeeded(Session securitySession,
String username) {
try {
Node userHome = createUserHomeIfNeeded(securitySession, username);
/**
* @return null if not found *
*/
- public static Node getUserProfile(Session session, String username) {
+ static Node getUserProfile(Session session, String username) {
try {
Node userHome = UserJcrUtils.getUserHome(session, username);
if (userHome == null)