jackrabbit-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ste...@apache.org
Subject svn commit: r157086 - in incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core: RepositoryImpl.java SessionImpl.java SystemSession.java WorkspaceImpl.java XASessionImpl.java security/AMContext.java security/AccessManager.java security/SimpleAccessManager.java
Date Fri, 11 Mar 2005 14:44:15 GMT
Author: stefan
Date: Fri Mar 11 06:44:00 2005
New Revision: 157086

URL: http://svn.apache.org/viewcvs?view=rev&rev=157086
Log:
- AccessManager: added method canAccess(String wspName) to check authorization for specific
workspace

Modified:
    incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/RepositoryImpl.java
    incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/SessionImpl.java
    incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/SystemSession.java
    incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/WorkspaceImpl.java
    incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/XASessionImpl.java
    incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/security/AMContext.java
    incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/security/AccessManager.java
    incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/security/SimpleAccessManager.java

Modified: incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/RepositoryImpl.java
URL: http://svn.apache.org/viewcvs/incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/RepositoryImpl.java?view=diff&r1=157085&r2=157086
==============================================================================
--- incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/RepositoryImpl.java (original)
+++ incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/RepositoryImpl.java Fri
Mar 11 06:44:00 2005
@@ -26,6 +26,8 @@
 import org.apache.jackrabbit.core.fs.FileSystem;
 import org.apache.jackrabbit.core.fs.FileSystemException;
 import org.apache.jackrabbit.core.fs.FileSystemResource;
+import org.apache.jackrabbit.core.lock.LockManager;
+import org.apache.jackrabbit.core.lock.LockManagerImpl;
 import org.apache.jackrabbit.core.nodetype.NodeTypeImpl;
 import org.apache.jackrabbit.core.nodetype.NodeTypeRegistry;
 import org.apache.jackrabbit.core.observation.ObservationManagerFactory;
@@ -39,10 +41,9 @@
 import org.apache.jackrabbit.core.version.VersionManager;
 import org.apache.jackrabbit.core.version.VersionManagerImpl;
 import org.apache.jackrabbit.core.version.persistence.NativePVM;
-import org.apache.jackrabbit.core.lock.LockManager;
-import org.apache.jackrabbit.core.lock.LockManagerImpl;
 import org.apache.log4j.Logger;
 
+import javax.jcr.AccessDeniedException;
 import javax.jcr.Credentials;
 import javax.jcr.LoginException;
 import javax.jcr.NamespaceRegistry;
@@ -53,21 +54,21 @@
 import javax.jcr.observation.Event;
 import javax.jcr.observation.EventIterator;
 import javax.jcr.observation.EventListener;
-import javax.security.auth.login.LoginContext;
 import javax.security.auth.Subject;
+import javax.security.auth.login.LoginContext;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.io.OutputStream;
 import java.io.OutputStreamWriter;
+import java.security.AccessControlContext;
+import java.security.AccessController;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.Map;
 import java.util.Properties;
-import java.security.AccessControlContext;
-import java.security.AccessController;
 
 /**
  * A <code>RepositoryImpl</code> ...
@@ -479,10 +480,11 @@
     /**
      * Returns the {@link LockManager} for the workspace with name
      * <code>workspaceName</code>
+     *
      * @param workspaceName workspace name
      * @return <code>LockManager</code> for the workspace
      * @throws NoSuchWorkspaceException if such a workspace does not exist
-     * @throws RepositoryException if some other error occurs
+     * @throws RepositoryException      if some other error occurs
      */
     LockManager getLockManager(String workspaceName) throws
             NoSuchWorkspaceException, RepositoryException {
@@ -707,14 +709,20 @@
         if (credentials == null) {
             // null credentials, obtain the identity of the already-authenticated
             // user from access control context
-            AccessControlContext acc  = AccessController.getContext();
+            AccessControlContext acc = AccessController.getContext();
             Subject subject;
             try {
                 subject = Subject.getSubject(acc);
             } catch (SecurityException se) {
                 throw new LoginException(se.getMessage());
             }
-            Session ses = new XASessionImpl(this, subject, wspInfo.getConfig());
+            Session ses;
+            try {
+                ses = new XASessionImpl(this, subject, wspInfo.getConfig());
+            } catch (AccessDeniedException ade) {
+                // authenticated subject is not authorized for the specified workspace
+                throw new LoginException(ade.getMessage());
+            }
             activeSessions.put(ses, ses);
             return ses;
         }
@@ -729,9 +737,13 @@
             throw new LoginException(le.getMessage());
         }
 
-        // @todo check access rights for given workspace
-
-        Session ses = new XASessionImpl(this, lc, wspInfo.getConfig());
+        Session ses;
+        try {
+            ses = new XASessionImpl(this, lc, wspInfo.getConfig());
+        } catch (AccessDeniedException ade) {
+            // authenticated subject is not authorized for the specified workspace
+            throw new LoginException(ade.getMessage());
+        }
         activeSessions.put(ses, ses);
         return ses;
     }

Modified: incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/SessionImpl.java
URL: http://svn.apache.org/viewcvs/incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/SessionImpl.java?view=diff&r1=157085&r2=157086
==============================================================================
--- incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/SessionImpl.java (original)
+++ incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/SessionImpl.java Fri Mar
11 06:44:00 2005
@@ -73,11 +73,9 @@
 import java.io.PrintStream;
 import java.security.AccessControlException;
 import java.security.Principal;
-import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Iterator;
-import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
@@ -178,10 +176,14 @@
      * @param rep
      * @param loginContext
      * @param wspConfig
+     * @throws AccessDeniedException if the subject of the given login context
+     *                               is not granted access to the specified
+     *                               workspace
+     * @throws RepositoryException   if another error occurs
      */
     protected SessionImpl(RepositoryImpl rep, LoginContext loginContext,
                           WorkspaceConfig wspConfig)
-            throws RepositoryException {
+            throws AccessDeniedException, RepositoryException {
         this(rep, loginContext.getSubject(), wspConfig);
         this.loginContext = loginContext;
     }
@@ -192,10 +194,13 @@
      * @param rep
      * @param subject
      * @param wspConfig
+     * @throws AccessDeniedException if the given subject is not granted access
+     *                               to the specified workspace
+     * @throws RepositoryException   if another error occurs
      */
     protected SessionImpl(RepositoryImpl rep, Subject subject,
                           WorkspaceConfig wspConfig)
-            throws RepositoryException {
+            throws AccessDeniedException, RepositoryException {
         alive = true;
         this.rep = rep;
         Set principals = subject.getPrincipals();
@@ -245,11 +250,13 @@
      * Create the access manager.
      *
      * @return access manager
-     * @throws RepositoryException if an error occurs
+     * @throws AccessDeniedException if the current subject is not granted access
+     *                               to the current workspace
+     * @throws RepositoryException   if the access manager cannot be instantiated
      */
     protected AccessManager createAccessManager(Subject subject,
                                                 HierarchyManager hierMgr)
-            throws RepositoryException {
+            throws AccessDeniedException, RepositoryException {
         AccessManagerConfig amConfig = rep.getConfig().getAccessManagerConfig();
         String className = amConfig.getClassName();
         Map params = amConfig.getParameters();
@@ -270,10 +277,15 @@
             AMContext ctx = new AMContext(new File(rep.getConfig().getHomeDir()),
                     rep.getConfig().getFileSystem(),
                     subject,
-                    hierMgr);
+                    hierMgr,
+                    wsp.getName());
             accessMgr.init(ctx);
             return accessMgr;
+        } catch (AccessDeniedException ade) {
+            // re-throw
+            throw ade;
         } catch (Exception e) {
+            // wrap in RepositoryException
             String msg = "failed to instantiate AccessManager implementation: " + className;
             log.error(msg, e);
             throw new RepositoryException(msg, e);

Modified: incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/SystemSession.java
URL: http://svn.apache.org/viewcvs/incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/SystemSession.java?view=diff&r1=157085&r2=157086
==============================================================================
--- incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/SystemSession.java (original)
+++ incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/SystemSession.java Fri
Mar 11 06:44:00 2005
@@ -24,6 +24,7 @@
 
 import javax.jcr.AccessDeniedException;
 import javax.jcr.ItemNotFoundException;
+import javax.jcr.NoSuchWorkspaceException;
 import javax.jcr.RepositoryException;
 import javax.security.auth.Subject;
 import java.util.Collections;
@@ -69,14 +70,17 @@
     }
 
     /**
+     * {@inheritDoc}
+     * <p/>
      * Overridden in order to create custom access manager
      *
-     * @return access manager
-     * @throws RepositoryException
+     * @return access manager for system session
+     * @throws AccessDeniedException is never thrown
+     * @throws RepositoryException   is never thrown
      */
     protected AccessManager createAccessManager(Subject subject,
                                                 HierarchyManager hierMgr)
-            throws RepositoryException {
+            throws AccessDeniedException, RepositoryException {
         /**
          * use own AccessManager implementation rather than relying on
          * configurable AccessManager to handle SystemPrincipal privileges
@@ -95,6 +99,28 @@
         //----------------------------------------------------< AccessManager >
         /**
          * {@inheritDoc}
+         *
+         * @throws AccessDeniedException is never thrown
+         * @throws Exception             is never thrown
+         */
+        public void init(AMContext context)
+                throws AccessDeniedException, Exception {
+            // nop
+        }
+
+        /**
+         * {@inheritDoc}
+         */
+        public void close() throws Exception {
+            // nop
+        }
+
+        /**
+         * {@inheritDoc}
+         *
+         * @throws AccessDeniedException is never thrown
+         * @throws ItemNotFoundException is never thrown
+         * @throws RepositoryException   is never thrown
          */
         public void checkPermission(ItemId id, int permissions)
                 throws AccessDeniedException, ItemNotFoundException,
@@ -104,6 +130,10 @@
 
         /**
          * {@inheritDoc}
+         *
+         * @return always <code>true</code>
+         * @throws ItemNotFoundException is never thrown
+         * @throws RepositoryException   is never thrown
          */
         public boolean isGranted(ItemId id, int permissions)
                 throws ItemNotFoundException, RepositoryException {
@@ -113,16 +143,14 @@
 
         /**
          * {@inheritDoc}
+         *
+         * @return always <code>true</code>
+         * @throws NoSuchWorkspaceException is never thrown
+         * @throws RepositoryException      is never thrown
          */
-        public void init(AMContext context) throws Exception {
-            // nop
-        }
-
-        /**
-         * {@inheritDoc}
-         */
-        public void close() throws Exception {
-            // nop
+        public boolean canAccess(String workspaceName)
+                throws NoSuchWorkspaceException, RepositoryException {
+            return true;
         }
     }
 }

Modified: incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/WorkspaceImpl.java
URL: http://svn.apache.org/viewcvs/incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/WorkspaceImpl.java?view=diff&r1=157085&r2=157086
==============================================================================
--- incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/WorkspaceImpl.java (original)
+++ incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/WorkspaceImpl.java Fri
Mar 11 06:44:00 2005
@@ -68,6 +68,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.PrintStream;
+import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.Iterator;
 
@@ -648,8 +649,8 @@
             log.debug(msg);
             throw new RepositoryException(msg, ise);
         } finally {
-            // update operation failed, cancel all modifications
             if (!succeeded) {
+                // update operation failed, cancel all modifications
                 stateMgr.cancel();
             }
         }
@@ -730,10 +731,15 @@
 
         // @todo re-implement Workspace#clone (respect new removeExisting flag, etc)
 
+        // check authorization for specified workspace
+        if (!session.getAccessManager().canAccess(srcWorkspace)) {
+            throw new AccessDeniedException("not authorized to access " + srcWorkspace);
+        }
+
         // clone (i.e. pull) subtree at srcAbsPath from srcWorkspace
         // to 'this' workspace at destAbsPath
 
-        // aquire session on other workspace (throws NoSuchWorkspaceException)
+        // acquire session on other workspace (throws NoSuchWorkspaceException)
         // @todo FIXME need to get session with same credentials as current
         SessionImpl srcSession = rep.getSystemSession(srcWorkspace);
         WorkspaceImpl srcWsp = (WorkspaceImpl) srcSession.getWorkspace();
@@ -775,12 +781,18 @@
             return;
         }
 
+        // check authorization for specified workspace
+        if (!session.getAccessManager().canAccess(srcWorkspace)) {
+            throw new AccessDeniedException("not authorized to access " + srcWorkspace);
+        }
+
         // copy (i.e. pull) subtree at srcAbsPath from srcWorkspace
         // to 'this' workspace at destAbsPath
 
-        // aquire session on other workspace (throws NoSuchWorkspaceException)
+        // acquire session on other workspace (throws NoSuchWorkspaceException)
         // @todo FIXME need to get session with same credentials as current
         SessionImpl srcSession = rep.getSystemSession(srcWorkspace);
+
         WorkspaceImpl srcWsp = (WorkspaceImpl) srcSession.getWorkspace();
 
         // do cross-workspace copy
@@ -902,8 +914,8 @@
             log.debug(msg);
             throw new RepositoryException(msg, ise);
         } finally {
-            // update operation failed, cancel all modifications
             if (!succeeded) {
+                // update operation failed, cancel all modifications
                 stateMgr.cancel();
             }
         }
@@ -980,8 +992,16 @@
         // check state of this instance
         sanityCheck();
 
-        // @todo filter workspaces according to access rights
-        return session.getWorkspaceNames();
+        // filter workspaces according to access rights
+        ArrayList list = new ArrayList();
+        String names[] = session.getWorkspaceNames();
+        for (int i = 0; i < names.length; i++) {
+            if (session.getAccessManager().canAccess(names[i])) {
+                list.add(names[i]);
+            }
+        }
+
+        return (String[]) list.toArray(new String[list.size()]);
     }
 
     /**
@@ -1013,12 +1033,10 @@
 
         // check locked-status
         getLockManager().checkLock(parentPath, session);
-/*
+
         Importer importer = new WorkspaceImporter(parentState, this, uuidBehavior);
         return new ImportHandler(importer, session.getNamespaceResolver(),
                 rep.getNamespaceRegistry());
-*/
-        throw new RepositoryException("not yet implemented");
     }
 
     /**

Modified: incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/XASessionImpl.java
URL: http://svn.apache.org/viewcvs/incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/XASessionImpl.java?view=diff&r1=157085&r2=157086
==============================================================================
--- incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/XASessionImpl.java (original)
+++ incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/XASessionImpl.java Fri
Mar 11 06:44:00 2005
@@ -23,6 +23,7 @@
 import org.apache.jackrabbit.core.state.TransactionListener;
 import org.apache.log4j.Logger;
 
+import javax.jcr.AccessDeniedException;
 import javax.jcr.RepositoryException;
 import javax.security.auth.Subject;
 import javax.security.auth.login.LoginContext;
@@ -64,11 +65,14 @@
      * @param rep          repository
      * @param loginContext login context containing authenticated subject
      * @param wspConfig    workspace configuration
-     * @throws RepositoryException if an error occurs
+     * @throws AccessDeniedException if the subject of the given login context
+     *                               is not granted access to the specified
+     *                               workspace
+     * @throws RepositoryException   if another error occurs
      */
     protected XASessionImpl(RepositoryImpl rep, LoginContext loginContext,
                             WorkspaceConfig wspConfig)
-            throws RepositoryException {
+            throws AccessDeniedException, RepositoryException {
 
         super(rep, loginContext, wspConfig);
     }
@@ -79,11 +83,13 @@
      * @param rep       repository
      * @param subject   authenticated subject
      * @param wspConfig workspace configuration
-     * @throws RepositoryException if an error occurs
+     * @throws AccessDeniedException if the given subject is not granted access
+     *                               to the specified workspace
+     * @throws RepositoryException   if another error occurs
      */
     protected XASessionImpl(RepositoryImpl rep, Subject subject,
                             WorkspaceConfig wspConfig)
-            throws RepositoryException {
+            throws AccessDeniedException, RepositoryException {
 
         super(rep, subject, wspConfig);
     }

Modified: incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/security/AMContext.java
URL: http://svn.apache.org/viewcvs/incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/security/AMContext.java?view=diff&r1=157085&r2=157086
==============================================================================
--- incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/security/AMContext.java
(original)
+++ incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/security/AMContext.java
Fri Mar 11 06:44:00 2005
@@ -49,6 +49,11 @@
      * hierarchy manager for resolving ItemId-to-Path mapping
      */
     private final HierarchyManager hierMgr;
+    
+    /**
+     * name of the workspace
+     */
+    private final String workspaceName;
 
     /**
      * Creates a new <code>AMContext</code>.
@@ -57,15 +62,18 @@
      * @param fs      the virtual jackrabbit filesystem
      * @param subject subject whose access rights should be reflected
      * @param hierMgr hierarchy manager
+     * @param hierMgr workspace name
      */
     public AMContext(File homeDir,
                      FileSystem fs,
                      Subject subject,
-                     HierarchyManager hierMgr) {
+                     HierarchyManager hierMgr,
+                     String workspaceName) {
         this.physicalHomeDir = homeDir;
         this.fs = fs;
         this.subject = subject;
         this.hierMgr = hierMgr;
+        this.workspaceName = workspaceName;
     }
 
 
@@ -103,5 +111,14 @@
      */
     public HierarchyManager getHierarchyManager() {
         return hierMgr;
+    }
+
+    /**
+     * Returns the name of the workspace.
+     *
+     * @return the name of the workspace
+     */
+    public String getWorkspaceName() {
+        return workspaceName;
     }
 }

Modified: incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/security/AccessManager.java
URL: http://svn.apache.org/viewcvs/incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/security/AccessManager.java?view=diff&r1=157085&r2=157086
==============================================================================
--- incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/security/AccessManager.java
(original)
+++ incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/security/AccessManager.java
Fri Mar 11 06:44:00 2005
@@ -20,6 +20,7 @@
 
 import javax.jcr.AccessDeniedException;
 import javax.jcr.ItemNotFoundException;
+import javax.jcr.NoSuchWorkspaceException;
 import javax.jcr.RepositoryException;
 
 /**
@@ -42,12 +43,16 @@
     public static final int REMOVE = 4;
 
     /**
-     * Initialize this access manager.
+     * Initialize this access manager. An <code>AccessDeniedException</code>
will
+     * be thrown if the subject of the given <code>context</code> is not
+     * granted access to the specified workspace.
      *
      * @param context access manager context
-     * @throws Exception if an error occurs
+     * @throws AccessDeniedException if the subject is not granted access
+     *                               to the specified workspace.
+     * @throws Exception             if another error occurs
      */
-    public void init(AMContext context) throws Exception;
+    public void init(AMContext context) throws AccessDeniedException, Exception;
 
     /**
      * Close this access manager. After having closed an access manager,
@@ -90,8 +95,22 @@
      *                    </ul>
      * @return <code>true</code> if permission is granted; otherwise <code>false</code>
      * @throws ItemNotFoundException if the target item does not exist
-     * @throws RepositoryException   it an error occurs
+     * @throws RepositoryException   if another error occurs
      */
     public boolean isGranted(ItemId id, int permissions)
             throws ItemNotFoundException, RepositoryException;
+
+    /**
+     * Determines whether the subject of the current context is granted access
+     * to the given workspace.
+     *
+     * @param workspaceName name of workspace
+     * @return <code>true</code> if the subject of the current context is
+     *         granted access to the given workspace; otherwise <code>false</code>.
+     * @throws NoSuchWorkspaceException if a workspace with the given name
+     *                                  does not exist.
+     * @throws RepositoryException      if another error occurs
+     */
+    public boolean canAccess(String workspaceName)
+            throws NoSuchWorkspaceException, RepositoryException;
 }

Modified: incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/security/SimpleAccessManager.java
URL: http://svn.apache.org/viewcvs/incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/security/SimpleAccessManager.java?view=diff&r1=157085&r2=157086
==============================================================================
--- incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/security/SimpleAccessManager.java
(original)
+++ incubator/jackrabbit/trunk/src/java/org/apache/jackrabbit/core/security/SimpleAccessManager.java
Fri Mar 11 06:44:00 2005
@@ -22,6 +22,7 @@
 
 import javax.jcr.AccessDeniedException;
 import javax.jcr.ItemNotFoundException;
+import javax.jcr.NoSuchWorkspaceException;
 import javax.jcr.RepositoryException;
 import javax.security.auth.Subject;
 
@@ -60,7 +61,8 @@
     /**
      * {@inheritDoc}
      */
-    public void init(AMContext context) throws Exception {
+    public void init(AMContext context)
+            throws AccessDeniedException, Exception {
         if (initialized) {
             throw new IllegalStateException("already initialized");
         }
@@ -70,6 +72,7 @@
         anonymous = !subject.getPrincipals(AnonymousPrincipal.class).isEmpty();
         system = !subject.getPrincipals(SystemPrincipal.class).isEmpty();
 
+        // @todo check permission to access given workspace based on principals
         initialized = true;
     }
 
@@ -128,6 +131,15 @@
         }
 
         // @todo check permission based on principals
+        return true;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public boolean canAccess(String workspaceName)
+            throws NoSuchWorkspaceException, RepositoryException {
+        // @todo check permission to access given workspace based on principals
         return true;
     }
 }



Mime
View raw message