Make user/anonymous semantics more consistent with Authorization
author
Mathieu Baudier <mbaudier@argeo.org>
Sun, 4 Feb 2018 10:11:09 +0000
(11:11 +0100)
committer
Mathieu Baudier <mbaudier@argeo.org>
Sun, 4 Feb 2018 10:11:09 +0000
(11:11 +0100)
org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java
org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java
org.argeo.enterprise/src/org/argeo/osgi/useradmin/AggregatingUserAdmin.java
org.argeo.node.api/src/org/argeo/node/security/NodeSecurityUtils.java
diff --git
a/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java
b/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java
index dadcc4dbcb109e23a604cbd8b4265eb8f3fe34bf..661cc6905fb9a33753348cfa1e81d5b47a508e47 100644
(file)
--- a/
org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java
+++ b/
org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java
@@
-65,13
+65,13
@@
class CmsAuthUtils {
name = NodeSecurityUtils.ROLE_ANONYMOUS_NAME;
userPrincipal = new AnonymousPrincipal();
principals.add(userPrincipal);
name = NodeSecurityUtils.ROLE_ANONYMOUS_NAME;
userPrincipal = new AnonymousPrincipal();
principals.add(userPrincipal);
- // principals.add(new AnonymousPrincipal());
} else {
name = new LdapName(authName);
NodeSecurityUtils.checkUserName(name);
userPrincipal = new X500Principal(name.toString());
principals.add(userPrincipal);
} else {
name = new LdapName(authName);
NodeSecurityUtils.checkUserName(name);
userPrincipal = new X500Principal(name.toString());
principals.add(userPrincipal);
- principals.add(new ImpliedByPrincipal(NodeSecurityUtils.ROLE_USER_NAME, userPrincipal));
+ // principals.add(new ImpliedByPrincipal(NodeSecurityUtils.ROLE_USER_NAME,
+ // userPrincipal));
}
// Add roles provided by authorization
}
// Add roles provided by authorization
@@
-79,6
+79,8
@@
class CmsAuthUtils {
LdapName roleName = new LdapName(role);
if (roleName.equals(name)) {
// skip
LdapName roleName = new LdapName(role);
if (roleName.equals(name)) {
// skip
+ } else if (roleName.equals(NodeSecurityUtils.ROLE_ANONYMOUS_NAME)) {
+ // skip
} else {
NodeSecurityUtils.checkImpliedPrincipalName(roleName);
principals.add(new ImpliedByPrincipal(roleName.toString(), userPrincipal));
} else {
NodeSecurityUtils.checkImpliedPrincipalName(roleName);
principals.add(new ImpliedByPrincipal(roleName.toString(), userPrincipal));
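Review bot: The new `else if (roleName.equals(NodeSecurityUtils.ROLE_ANONYMOUS_NAME))` branch in the second hunk carries only `// skip`, which does not say why the anonymous role must never become an ImpliedByPrincipal; a comment such as `// skip: anonymous is represented by AnonymousPrincipal, never as an implied role` would make the invariant visible to the next reader. In the first hunk the replaced `principals.add(new ImpliedByPrincipal(NodeSecurityUtils.ROLE_USER_NAME, userPrincipal));` is left as a commented-out line rather than deleted; the history already records it. With that line gone, a non-anonymous subject only receives the user role if the Authorization lists it, which appears to depend on the UserAdmin in use adding it (NodeUserAdmin.addAbstractSystemRoles in this commit), so a one-line comment at the role loop stating that the user/anonymous roles are expected to come from the Authorization would keep that coupling explicit. The enclosing method starts and ends outside both hunks.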
diff --git
a/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java
b/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java
index 436d30058839cb330d6471e67f277180cbbb8b19..077a1f8a7286bf76568fb3547ab53e791e75d258 100644
(file)
--- a/
org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java
+++ b/
org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java
@@
-14,6
+14,7
@@
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.Map;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.Map;
+import java.util.Set;
import javax.naming.ldap.LdapName;
import javax.security.auth.Subject;
import javax.naming.ldap.LdapName;
import javax.security.auth.Subject;
@@
-58,6
+59,7
@@
import org.osgi.framework.FrameworkUtil;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.cm.ConfigurationException;
import org.osgi.service.cm.ManagedServiceFactory;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.cm.ConfigurationException;
import org.osgi.service.cm.ManagedServiceFactory;
+import org.osgi.service.useradmin.Authorization;
import org.osgi.service.useradmin.UserAdmin;
import org.osgi.util.tracker.ServiceTracker;
import org.osgi.service.useradmin.UserAdmin;
import org.osgi.util.tracker.ServiceTracker;
@@
-161,6
+163,17
@@
class NodeUserAdmin extends AggregatingUserAdmin implements ManagedServiceFactor
public String getName() {
return "Node User Admin";
}
public String getName() {
return "Node User Admin";
}
+
+
+
+ @Override
+ protected void addAbstractSystemRoles(Authorization rawAuthorization, Set<String> sysRoles) {
+ if(rawAuthorization.getName()==null) {
+ sysRoles.add(NodeConstants.ROLE_ANONYMOUS);
+ }else {
+ sysRoles.add(NodeConstants.ROLE_USER);
+ }
+ }
protected void postAdd(AbstractUserDirectory userDirectory) {
// JTA
protected void postAdd(AbstractUserDirectory userDirectory) {
// JTA
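Review bot: The anonymous/user decision in `addAbstractSystemRoles` rests solely on `rawAuthorization.getName() == null`, and the override has no Javadoc stating that this is the only signal; a short doc comment such as `/** Anonymous authorizations (null name) receive ROLE_ANONYMOUS, every other one ROLE_USER; the two are never added together. */` would make the contract explicit. Formatting diverges from the surrounding code: `if(rawAuthorization.getName()==null) {` and `}else {` should read `if (rawAuthorization.getName() == null) {` and `} else {`, and the three blank `+` lines before `@Override` can be collapsed to one. Because any authorization with a non-null name is granted ROLE_USER, the guarantee that an unauthenticated caller never reaches this hook with a named Authorization rests on the user directories, which are not visible in this hunk.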
diff --git
a/org.argeo.enterprise/src/org/argeo/osgi/useradmin/AggregatingUserAdmin.java
b/org.argeo.enterprise/src/org/argeo/osgi/useradmin/AggregatingUserAdmin.java
index 2b2ca0c513ba6028e76679f505b63637ccdc76d8..d2054416bba2703e1a1a4aeebff261da9d87beee 100644
(file)
--- a/
org.argeo.enterprise/src/org/argeo/osgi/useradmin/AggregatingUserAdmin.java
+++ b/
org.argeo.enterprise/src/org/argeo/osgi/useradmin/AggregatingUserAdmin.java
@@
-90,11
+90,20
@@
public class AggregatingUserAdmin implements UserAdmin {
Authorization auth = systemRoles.getAuthorization((User) userAdmin.getRole(role));
sysRoles.addAll(Arrays.asList(auth.getRoles()));
}
Authorization auth = systemRoles.getAuthorization((User) userAdmin.getRole(role));
sysRoles.addAll(Arrays.asList(auth.getRoles()));
}
+ addAbstractSystemRoles(rawAuthorization, sysRoles);
Authorization authorization = new AggregatingAuthorization(rawAuthorization.getName(),
rawAuthorization.toString(), sysRoles, rawAuthorization.getRoles());
return authorization;
}
Authorization authorization = new AggregatingAuthorization(rawAuthorization.getName(),
rawAuthorization.toString(), sysRoles, rawAuthorization.getRoles());
return authorization;
}
+ /**
+ * Enrich with application-specific roles which are strictly programmatic, such
+ * as anonymous/user semantics.
+ */
+ protected void addAbstractSystemRoles(Authorization rawAuthorization, Set<String> sysRoles) {
+
+ }
+
//
// USER ADMIN AGGREGATOR
//
//
// USER ADMIN AGGREGATOR
//
@@
-181,8
+190,8
@@
public class AggregatingUserAdmin implements UserAdmin {
}
/**
}
/**
- * Called before each user directory is destroyed, so that additional
- *
actions
can be performed.
+ * Called before each user directory is destroyed, so that additional
actions
+ * can be performed.
*/
protected void preDestroy(AbstractUserDirectory userDirectory) {
}
*/
protected void preDestroy(AbstractUserDirectory userDirectory) {
}
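Review bot: The `addAbstractSystemRoles(rawAuthorization, sysRoles)` call in the first hunk runs after the loop that resolves the raw roles through `systemRoles`, so a role a subclass adds in the hook is placed directly into `sysRoles` and is not itself expanded through `systemRoles`; if that is intended, the new Javadoc should say so, and it should document the arguments, e.g. `@param rawAuthorization the authorization returned by the aggregated directories` and `@param sysRoles mutable set of system role names, already holding the resolved system roles`. The empty default body is fine for a hook, but the blank line inside it can be dropped. The second hunk is only a Javadoc reflow. The method containing the call starts outside the hunk.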
diff --git
a/org.argeo.node.api/src/org/argeo/node/security/NodeSecurityUtils.java
b/org.argeo.node.api/src/org/argeo/node/security/NodeSecurityUtils.java
index fd01cc6c6c63a6c0a56483230278334220016429..7c784b0dc39f6032840989e94e5f8670c5e57d4b 100644
(file)
--- a/
org.argeo.node.api/src/org/argeo/node/security/NodeSecurityUtils.java
+++ b/
org.argeo.node.api/src/org/argeo/node/security/NodeSecurityUtils.java
@@
-33,8
+33,8
@@
public class NodeSecurityUtils {
}
public static void checkImpliedPrincipalName(LdapName roleName) throws IllegalArgumentException {
}
public static void checkImpliedPrincipalName(LdapName roleName) throws IllegalArgumentException {
-
if (ROLE_USER_NAME.equals(roleName) || ROLE_ANONYMOUS_NAME.equals(roleName))
-
throw new IllegalArgumentException(roleName + " cannot be listed as role");
+
//
if (ROLE_USER_NAME.equals(roleName) || ROLE_ANONYMOUS_NAME.equals(roleName))
+
//
throw new IllegalArgumentException(roleName + " cannot be listed as role");
}
}
}
}
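Review bot: Commenting out the body of `checkImpliedPrincipalName` turns it into a no-op that still declares `throws IllegalArgumentException` and is still called from CmsAuthUtils before every ImpliedByPrincipal is created, so this shared utility no longer rejects any role name; the only remaining guard against the anonymous role being listed is the caller-side `else if` in CmsAuthUtils. If the intent is just to let the user role through, keep the narrower check here instead of dropping both: `if (ROLE_ANONYMOUS_NAME.equals(roleName))` followed by `throw new IllegalArgumentException(roleName + " cannot be listed as role");`. Either way the commented-out statements should be deleted rather than left in the method body, and the method's Javadoc (outside the hunk, if present) should state which names it now accepts.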