From commits-return-9275-apmail-jackrabbit-commits-archive=jackrabbit.apache.org@jackrabbit.apache.org Wed Dec 02 15:11:15 2009 Return-Path: Delivered-To: apmail-jackrabbit-commits-archive@www.apache.org Received: (qmail 67383 invoked from network); 2 Dec 2009 15:11:15 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 2 Dec 2009 15:11:15 -0000 Received: (qmail 68050 invoked by uid 500); 2 Dec 2009 15:11:15 -0000 Delivered-To: apmail-jackrabbit-commits-archive@jackrabbit.apache.org Received: (qmail 67967 invoked by uid 500); 2 Dec 2009 15:11:14 -0000 Mailing-List: contact commits-help@jackrabbit.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@jackrabbit.apache.org Delivered-To: mailing list commits@jackrabbit.apache.org Received: (qmail 67957 invoked by uid 99); 2 Dec 2009 15:11:14 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 02 Dec 2009 15:11:14 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 02 Dec 2009 15:11:11 +0000 Received: by eris.apache.org (Postfix, from userid 65534) id BAE2923889CF; Wed, 2 Dec 2009 15:10:49 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r886170 - in /jackrabbit/sandbox/JCR-1456: ./ jackrabbit-core/src/main/java/org/apache/jackrabbit/core/ jackrabbit-core/src/main/java/org/apache/jackrabbit/core/query/lucene/ jackrabbit-core/src/test/java/org/apache/jackrabbit/core/ jackrab... Date: Wed, 02 Dec 2009 15:10:49 -0000 To: commits@jackrabbit.apache.org From: jukka@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20091202151049.BAE2923889CF@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: jukka Date: Wed Dec 2 15:10:49 2009 New Revision: 886170 URL: http://svn.apache.org/viewvc?rev=886170&view=rev Log: JCR-1456: Database connection pooling Merge latest changes from trunk. Added: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ReadTest.java - copied unchanged from r886168, jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ReadTest.java Modified: jackrabbit/sandbox/JCR-1456/ (props changed) jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/ItemManager.java jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/UserPerWorkspaceSecurityManager.java jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/query/lucene/MultiIndex.java jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/UserPerWorkspaceSecurityManagerTest.java jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/TestAll.java jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java Propchange: jackrabbit/sandbox/JCR-1456/ ------------------------------------------------------------------------------ --- svn:mergeinfo (original) +++ svn:mergeinfo Wed Dec 2 15:10:49 2009 @@ -2,4 +2,4 @@ /jackrabbit/branches/1.5:794012,794100,794102 /jackrabbit/sandbox/JCR-2170:812417-816332 /jackrabbit/sandbox/tripod-JCR-2209:795441-795863 -/jackrabbit/trunk:387422-885400 +/jackrabbit/trunk:387422-886168 Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/ItemManager.java URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/ItemManager.java?rev=886170&r1=886169&r2=886170&view=diff ============================================================================== --- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/ItemManager.java (original) +++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/ItemManager.java Wed Dec 2 15:10:49 2009 @@ -181,8 +181,11 @@ } NodeState parentState = null; try { - NodeImpl parent = (NodeImpl) getItem(parentId); - parentState = parent.getNodeState(); + // access the parent state circumventing permission check, since + // read permission on the parent isn't required in order to retrieve + // a node's definition. see also JCR-2418 + ItemData parentData = getItemData(parentId, null, false); + parentState = (NodeState) parentData.getState(); if (state.getParentId() == null) { // indicates state has been removed, must use // overlayed state of parent, otherwise child node entry @@ -237,7 +240,11 @@ PropertyDefinitionImpl getDefinition(PropertyState state) throws RepositoryException { try { - NodeImpl parent = (NodeImpl) getItem(state.getParentId()); + // retrieve parent in 2 steps in order to avoid the check for + // read permissions on the parent which isn't required in order + // to read the property's definition. see also JCR-2418. + ItemData parentData = getItemData(state.getParentId(), null, false); + NodeImpl parent = (NodeImpl) createItemInstance(parentData); return parent.getApplicablePropertyDefinition( state.getName(), state.getType(), state.isMultiValued(), true); } catch (ItemNotFoundException e) { Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/UserPerWorkspaceSecurityManager.java URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/UserPerWorkspaceSecurityManager.java?rev=886170&r1=886169&r2=886170&view=diff ============================================================================== --- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/UserPerWorkspaceSecurityManager.java (original) +++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/UserPerWorkspaceSecurityManager.java Wed Dec 2 15:10:49 2009 @@ -28,8 +28,6 @@ import org.apache.jackrabbit.core.security.simple.SimpleWorkspaceAccessManager; import org.apache.jackrabbit.core.security.user.UserPerWorkspaceUserManager; import org.apache.jackrabbit.core.security.user.UserManagerImpl; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import javax.jcr.Credentials; import javax.jcr.Repository; @@ -37,6 +35,7 @@ import javax.jcr.Session; import javax.security.auth.Subject; import java.security.Principal; +import java.security.acl.Group; import java.util.ArrayList; import java.util.Arrays; import java.util.HashMap; @@ -63,11 +62,6 @@ */ public class UserPerWorkspaceSecurityManager extends DefaultSecurityManager { - /** - * the default logger - */ - private static final Logger log = LoggerFactory.getLogger(UserPerWorkspaceSecurityManager.class); - private final Map ppRegistries = new HashMap(); /** @@ -304,14 +298,47 @@ } } - private final class WorkspaceAccessManagerImpl extends SimpleWorkspaceAccessManager { - @Override + private final class WorkspaceAccessManagerImpl implements WorkspaceAccessManager { + /** + * Does nothing. + * @see WorkspaceAccessManager#init(javax.jcr.Session) + */ + public void init(Session systemSession) throws RepositoryException { + // nothing to do. + } + + /** + * Does nothing. + * @see org.apache.jackrabbit.core.security.authorization.WorkspaceAccessManager#close() + */ + public void close() throws RepositoryException { + // nothing to do. + } + + /** + * Returns true if a workspace with the given + * workspaceName exists and if that workspace defines a + * user that matches any of the given principals; + * false otherwise. + * + * @see WorkspaceAccessManager#grants(java.util.Set, String) + */ public boolean grants(Set principals, String workspaceName) throws RepositoryException { if (!(Arrays.asList(((RepositoryImpl) getRepository()).getWorkspaceNames())).contains(workspaceName)) { return false; } else { - return super.grants(principals, workspaceName); + UserManager umgr = UserPerWorkspaceSecurityManager.this.getSystemUserManager(workspaceName); + for (Principal principal : principals) { + if (!(principal instanceof Group)) { + // check if the workspace identified by the given workspace + // name contains a user with this principal + if (umgr.getAuthorizable(principal) != null) { + return true; + } + } + } } + return false; } } } \ No newline at end of file Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/query/lucene/MultiIndex.java URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/query/lucene/MultiIndex.java?rev=886170&r1=886169&r2=886170&view=diff ============================================================================== --- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/query/lucene/MultiIndex.java (original) +++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/query/lucene/MultiIndex.java Wed Dec 2 15:10:49 2009 @@ -329,7 +329,7 @@ flushTask = new Timer.Task() { public void run() { // check if there are any indexing jobs finished - checkIndexingQueue(); + checkIndexingQueue(false); // check if volatile index should be flushed checkFlush(); } @@ -1266,17 +1266,6 @@ /** * Checks the indexing queue for finished text extrator jobs and updates the - * index accordingly if there are any new ones. This method is synchronized - * and should only be called by the timer task that periodically checks if - * there are documents ready in the indexing queue. A new transaction is - * used when documents are transfered from the indexing queue to the index. - */ - private synchronized void checkIndexingQueue() { - checkIndexingQueue(false); - } - - /** - * Checks the indexing queue for finished text extrator jobs and updates the * index accordingly if there are any new ones. * * @param transactionPresent whether a transaction is in progress and the @@ -1304,11 +1293,13 @@ try { if (transactionPresent) { - for (NodeId id : finished.keySet()) { - executeAndLog(new DeleteNode(getTransactionId(), id)); - } - for (Document document : finished.values()) { - executeAndLog(new AddNode(getTransactionId(), document)); + synchronized (this) { + for (NodeId id : finished.keySet()) { + executeAndLog(new DeleteNode(getTransactionId(), id)); + } + for (Document document : finished.values()) { + executeAndLog(new AddNode(getTransactionId(), document)); + } } } else { update(finished.keySet(), finished.values()); Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/UserPerWorkspaceSecurityManagerTest.java URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/UserPerWorkspaceSecurityManagerTest.java?rev=886170&r1=886169&r2=886170&view=diff ============================================================================== --- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/UserPerWorkspaceSecurityManagerTest.java (original) +++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/UserPerWorkspaceSecurityManagerTest.java Wed Dec 2 15:10:49 2009 @@ -18,36 +18,30 @@ import org.apache.jackrabbit.api.JackrabbitSession; import org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal; +import org.apache.jackrabbit.api.security.user.Authorizable; import org.apache.jackrabbit.api.security.user.User; import org.apache.jackrabbit.api.security.user.UserManager; -import org.apache.jackrabbit.api.security.user.Authorizable; import org.apache.jackrabbit.core.security.JackrabbitSecurityManager; import org.apache.jackrabbit.test.AbstractJCRTest; import org.apache.jackrabbit.test.NotExecutableException; import org.apache.jackrabbit.util.Text; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import javax.jcr.Item; import javax.jcr.LoginException; +import javax.jcr.Node; import javax.jcr.RepositoryException; import javax.jcr.Session; import javax.jcr.SimpleCredentials; import javax.jcr.UnsupportedRepositoryOperationException; -import javax.jcr.Node; import javax.jcr.Value; import java.security.Principal; +import java.util.Arrays; /** * SecurityManagerTest... */ public class UserPerWorkspaceSecurityManagerTest extends AbstractJCRTest { - /** - * logger instance - */ - private static final Logger log = LoggerFactory.getLogger(UserPerWorkspaceSecurityManagerTest.class); - private JackrabbitSecurityManager secMgr; @Override @@ -147,6 +141,37 @@ } } + public void testAccessibleWorkspaceNames() throws Exception { + String altWsp = getAlternativeWorkspaceName(); + if (altWsp == null) { + throw new NotExecutableException(); + } + + Session s = getHelper().getSuperuserSession(altWsp); + User u = null; + Session us = null; + try { + // other users created in the default workspace... + u = ((JackrabbitSession) superuser).getUserManager().createUser("testUser", "testUser"); + superuser.save(); + + us = getHelper().getRepository().login(new SimpleCredentials("testUser", "testUser".toCharArray())); + String[] wspNames = us.getWorkspace().getAccessibleWorkspaceNames(); + assertFalse(Arrays.asList(wspNames).contains(altWsp)); + + } finally { + s.logout(); + if (us != null) { + us.logout(); + } + if (u != null) { + u.remove(); + superuser.save(); + } + } + + } + public void testCloneUser() throws Exception { String altWsp = getAlternativeWorkspaceName(); if (altWsp == null) { Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/TestAll.java URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/TestAll.java?rev=886170&r1=886169&r2=886170&view=diff ============================================================================== --- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/TestAll.java (original) +++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/TestAll.java Wed Dec 2 15:10:49 2009 @@ -40,6 +40,7 @@ suite.addTestSuite(ACLTemplateTest.class); suite.addTestSuite(EntryTest.class); + suite.addTestSuite(ReadTest.class); suite.addTestSuite(WriteTest.class); suite.addTestSuite(LockTest.class); suite.addTestSuite(VersionTest.class); Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java?rev=886170&r1=886169&r2=886170&view=diff ============================================================================== --- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java (original) +++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java Wed Dec 2 15:10:49 2009 @@ -338,4 +338,27 @@ group2.remove(); } } + + public void testWriteIfReadingParentIsDenied() throws Exception { + Privilege[] privileges = privilegesFromNames(new String[] {Privilege.JCR_READ, Privilege.JCR_WRITE}); + + /* deny READ/WRITE privilege for testUser at 'path' */ + withdrawPrivileges(path, testUser.getPrincipal(), privileges, getRestrictions(superuser, path)); + /* + allow READ/WRITE privilege for testUser at 'childNPath' + */ + givePrivileges(childNPath, testUser.getPrincipal(), privileges, getRestrictions(superuser, childNPath)); + + + Session testSession = getTestSession(); + + assertFalse(testSession.nodeExists(path)); + + // reading the node and it's definition must succeed. + assertTrue(testSession.nodeExists(childNPath)); + Node n = testSession.getNode(childNPath); + + n.addNode("someChild"); + n.save(); + } } \ No newline at end of file