jackrabbit-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r659024 - in /jackrabbit/trunk/jackrabbit-core/src: main/java/org/apache/jackrabbit/core/ main/java/org/apache/jackrabbit/core/security/ main/java/org/apache/jackrabbit/core/security/simple/ test/java/org/apache/jackrabbit/core/security/user/
Date Thu, 22 May 2008 07:11:50 GMT
Author: angela
Date: Thu May 22 00:11:50 2008
New Revision: 659024

URL: http://svn.apache.org/viewvc?rev=659024&view=rev
Log:
JCR-1588: JSR 283 Access Control (work in progress)
JCR-1622 - Session.getUserID returns first principal in the set obtained from Subject.getPrincipals()

Modified:
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/DefaultSecurityManager.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SessionImpl.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SystemSession.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitSecurityManager.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleSecurityManager.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/UserManagerImplTest.java

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/DefaultSecurityManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/DefaultSecurityManager.java?rev=659024&r1=659023&r2=659024&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/DefaultSecurityManager.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/DefaultSecurityManager.java
Thu May 22 00:11:50 2008
@@ -21,6 +21,7 @@
 import org.apache.jackrabbit.api.security.user.Authorizable;
 import org.apache.jackrabbit.api.security.user.Group;
 import org.apache.jackrabbit.api.security.user.UserManager;
+import org.apache.jackrabbit.api.security.user.User;
 import org.apache.jackrabbit.core.config.AccessManagerConfig;
 import org.apache.jackrabbit.core.config.BeanConfig;
 import org.apache.jackrabbit.core.config.LoginModuleConfig;
@@ -43,6 +44,7 @@
 import org.apache.jackrabbit.core.security.principal.PrincipalProvider;
 import org.apache.jackrabbit.core.security.principal.PrincipalProviderRegistry;
 import org.apache.jackrabbit.core.security.principal.ProviderRegistryImpl;
+import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
 import org.apache.jackrabbit.core.security.user.UserManagerImpl;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -53,6 +55,7 @@
 import javax.jcr.Repository;
 import javax.jcr.RepositoryException;
 import javax.jcr.Session;
+import javax.jcr.SimpleCredentials;
 import javax.security.auth.Subject;
 import java.security.Principal;
 import java.util.HashMap;
@@ -318,6 +321,47 @@
     }
 
     /**
+     * @see JackrabbitSecurityManager#getUserID(Subject)
+     */
+    public String getUserID(Subject subject) throws RepositoryException {
+        /* shortcut if the subject contains the AdminPrincipal in which case
+           the userID is already known. */
+        if (!subject.getPrincipals(AdminPrincipal.class).isEmpty()) {
+            return adminId;
+        }
+        /*
+         Retrieve userID from the subject.
+         Since the subject may contain multiple principals and the principal
+         name must not be equals to the UserID by definition, the userID
+         may either be obtained from the login-credentials or from the
+         user manager. in the latter case the set of principals present with
+         the specified subject is used to search for the user.
+        */
+        String uid = null;
+        // try simple access to userID over SimpleCredentials first.
+        Iterator creds = subject.getPublicCredentials(SimpleCredentials.class).iterator();
+        if (creds.hasNext()) {
+            SimpleCredentials sc = (SimpleCredentials) creds.next();
+            uid = sc.getUserID();
+        } else {
+            // no SimpleCredentials: retrieve authorizables corresponding to
+            // a non-group principal. the first one present is used to determine
+            // the userID.
+            for (Iterator it = subject.getPrincipals().iterator(); it.hasNext();) {
+                Principal p = (Principal) it.next();
+                if (!(p instanceof Group)) {
+                    Authorizable authorz = systemUserManager.getAuthorizable(p);
+                    if (authorz != null && !authorz.isGroup()) {
+                        uid = ((User) authorz).getID();
+                        break;
+                    }
+                }
+            }
+        }
+        return uid;
+    }
+
+    /**
      * Creates an AuthContext for the given {@link Credentials} and
      * {@link Subject}.<br>
      * This includes selection of application specific LoginModules and

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SessionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SessionImpl.java?rev=659024&r1=659023&r2=659024&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SessionImpl.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SessionImpl.java
Thu May 22 00:11:50 2008
@@ -260,23 +260,7 @@
         this.rep = rep;
         this.subject = subject;
 
-        /*
-         Retrieve userID from the subject.
-         Since the subject may contain multiple principals and the principal
-         name must not be equals to the UserID by definition, the proper way
-         is to check for known credentials the provide the correct userID.
-         The specification explicitely defines the UserID to be related to
-         the credentials and allows 'null' values in case the credentials do
-         not reveal a userID.
-         TODO: eval alternative approach via UserManager
-        */
-        String uid = null;
-        Iterator creds = subject.getPublicCredentials(SimpleCredentials.class).iterator();
-        if (creds.hasNext()) {
-            SimpleCredentials sc = (SimpleCredentials) creds.next();
-            uid = sc.getUserID();
-        }
-        userId = uid;
+        userId = retrieveUserId(subject);
 
         namePathResolver = new DefaultNamePathResolver(this, true);
         ntMgr = new NodeTypeManagerImpl(rep.getNodeTypeRegistry(), this, rep.getDataStore());
@@ -291,6 +275,15 @@
     }
 
     /**
+     * Retrieve the userID from the specified subject.
+     *
+     * @return the userID.
+     */
+    protected String retrieveUserId(Subject subject) throws RepositoryException {
+        return rep.getSecurityManager().getUserID(subject);
+    }
+
+    /**
      * Create the session item state manager.
      *
      * @return session item state manager

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SystemSession.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SystemSession.java?rev=659024&r1=659023&r2=659024&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SystemSession.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SystemSession.java
Thu May 22 00:11:50 2008
@@ -71,6 +71,15 @@
     }
 
     /**
+     * Always returns the name of the <code>SystemPrincipal</code>.
+     *
+     * @return the name of <code>SystemPrincipal</code>.
+     */
+    protected String retrieveUserId(Subject subject) throws RepositoryException {
+        return new SystemPrincipal().getName();
+    }
+
+    /**
      * {@inheritDoc}
      * <p/>
      * Overridden in order to create custom access manager
@@ -156,7 +165,7 @@
         /**
          * Always returns true.
          *
-         * @see AccessManager#isGranted(Path, Name, int) 
+         * @see AccessManager#isGranted(Path, Name, int)
          */
         public boolean isGranted(Path parentPath, Name childName, int permissions) throws
RepositoryException {
             // allow everything

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitSecurityManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitSecurityManager.java?rev=659024&r1=659023&r2=659024&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitSecurityManager.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitSecurityManager.java
Thu May 22 00:11:50 2008
@@ -100,4 +100,13 @@
      */
     public UserManager getUserManager(Session session) throws RepositoryException;
 
+    /**
+     * Retrieve the id to be displayed upon {@link Session#getUserID()} for
+     * the specified subject.
+     *
+     * @param subject
+     * @return userID to be displayed upon {@link Session#getUserID()}.
+     * @throws RepositoryException
+     */
+    public String getUserID(Subject subject) throws RepositoryException;
 }

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleSecurityManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleSecurityManager.java?rev=659024&r1=659023&r2=659024&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleSecurityManager.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleSecurityManager.java
Thu May 22 00:11:50 2008
@@ -47,6 +47,7 @@
 import javax.jcr.RepositoryException;
 import javax.jcr.Session;
 import javax.jcr.UnsupportedRepositoryOperationException;
+import javax.jcr.SimpleCredentials;
 import javax.security.auth.Subject;
 import java.security.Principal;
 import java.security.acl.Group;
@@ -56,6 +57,7 @@
 import java.util.Map;
 import java.util.Properties;
 import java.util.Set;
+import java.util.Iterator;
 
 /**
  * <code>SimpleSecurityManager</code>: simple implementation ignoring both
@@ -209,6 +211,31 @@
     }
 
     /**
+     * @see JackrabbitSecurityManager#getUserID(Subject)
+     */
+    public String getUserID(Subject subject) throws RepositoryException {
+        String uid = null;
+        // if SimpleCredentials are present, the UserID can easily be retrieved.
+        Iterator creds = subject.getPublicCredentials(SimpleCredentials.class).iterator();
+        if (creds.hasNext()) {
+            SimpleCredentials sc = (SimpleCredentials) creds.next();
+            uid = sc.getUserID();
+        } else {
+            // no SimpleCredentials: assume that UserID and principal name
+            // are the same (not totally correct) and thus return the name
+            // of the first non-group principal.
+            for (Iterator it = subject.getPrincipals().iterator(); it.hasNext();) {
+                Principal p = (Principal) it.next();
+                if (!(p instanceof Group)) {
+                    uid = p.getName();
+                    break;
+                }
+            }
+        }
+        return uid;
+    }
+
+    /**
      * Creates an AuthContext for the given {@link Credentials} and
      * {@link Subject}.<br>
      * This includes selection of applicatoin specific LoginModules and

Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/UserManagerImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/UserManagerImplTest.java?rev=659024&r1=659023&r2=659024&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/UserManagerImplTest.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/UserManagerImplTest.java
Thu May 22 00:11:50 2008
@@ -126,19 +126,50 @@
         }
     }
 
+    public void testUserIDFromSession() throws RepositoryException {
+        Principal p = getTestPrincipal();
+        User u = null;
+        Session uSession = null;
+        try {
+            String uid = p.getName();
+            String pw = buildPassword(p);
+            u = userMgr.createUser(uid, pw);
+
+            uSession = superuser.getRepository().login(new SimpleCredentials(uid, pw.toCharArray()));
+            assertEquals(u.getID(), uSession.getUserID());
+        } finally {
+            if (uSession != null) {
+                uSession.logout();
+            }
+            if (u != null) {
+                u.remove();
+            }
+        }
+    }
+
     public void testCreateUserIdDifferentFromPrincipalName() throws RepositoryException {
         Principal p = getTestPrincipal();
         String uid = getTestUserId(p);
+        String pw = buildPassword(uid, true);
 
         User u = null;
+        Session uSession = null;
         try {
-            u = userMgr.createUser(uid, buildPassword(uid, true), p, null);
+            u = userMgr.createUser(uid, pw, p, null);
 
             String msg = "Creating a User with principal-name distinct from Principal-name
must succeed as long as both are unique.";
             assertEquals(msg, u.getID(), uid);
             assertEquals(msg, p.getName(), u.getPrincipal().getName());
             assertFalse(msg, u.getID().equals(u.getPrincipal().getName()));
+
+            // make sure the userID exposed by a Session corresponding to that
+            // user is equal to the users ID.
+            uSession = superuser.getRepository().login(new SimpleCredentials(uid, pw.toCharArray()));
+            assertEquals(uid, uSession.getUserID());
         } finally {
+            if (uSession != null) {
+                uSession.logout();
+            }
             if (u != null) {
                 u.remove();
             }



Mime
View raw message