jackrabbit-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1072095 - in /jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core: ./ observation/ security/ security/principal/ security/user/
Date Fri, 18 Feb 2011 18:26:48 GMT
Author: angela
Date: Fri Feb 18 18:26:47 2011
New Revision: 1072095

URL: http://svn.apache.org/viewvc?rev=1072095&view=rev
Log:
JCR-2886 : Add SessionImpl#isAdminOrSystem

Modified:
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SessionImpl.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SystemSession.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/observation/ObservationManagerImpl.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/DefaultPrincipalProvider.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/user/UserManagerImpl.java

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SessionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SessionImpl.java?rev=1072095&r1=1072094&r2=1072095&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SessionImpl.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SessionImpl.java
Fri Feb 18 18:26:47 2011
@@ -65,6 +65,8 @@ import org.apache.commons.collections.It
 import org.apache.commons.collections.map.ReferenceMap;
 import org.apache.jackrabbit.api.JackrabbitSession;
 import org.apache.jackrabbit.api.security.principal.PrincipalManager;
+import org.apache.jackrabbit.api.security.user.Authorizable;
+import org.apache.jackrabbit.api.security.user.User;
 import org.apache.jackrabbit.api.security.user.UserManager;
 import org.apache.jackrabbit.commons.AbstractSession;
 import org.apache.jackrabbit.core.config.WorkspaceConfig;
@@ -77,8 +79,10 @@ import org.apache.jackrabbit.core.retent
 import org.apache.jackrabbit.core.security.AMContext;
 import org.apache.jackrabbit.core.security.AccessManager;
 import org.apache.jackrabbit.core.security.SecurityConstants;
+import org.apache.jackrabbit.core.security.SystemPrincipal;
 import org.apache.jackrabbit.core.security.authentication.AuthContext;
 import org.apache.jackrabbit.core.security.authorization.Permission;
+import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
 import org.apache.jackrabbit.core.session.SessionContext;
 import org.apache.jackrabbit.core.session.SessionItemOperation;
 import org.apache.jackrabbit.core.session.SessionOperation;
@@ -378,6 +382,42 @@ public class SessionImpl extends Abstrac
     }
 
     /**
+     * Returns <code>true</code> if the subject contains a
+     * <code>SystemPrincipal</code>; <code>false</code> otherwise.
+     *
+     * @return <code>true</code> if this is an system session.
+     */
+    public boolean isSystem() {
+        // NOTE: for backwards compatibility evaluate subject for containing SystemPrincipal
+        // TODO: Q: shouldn't 'isSystem' rather be covered by instances of SystemSession
only?
+        return (subject != null && !subject.getPrincipals(SystemPrincipal.class).isEmpty());
+    }
+    
+    /**
+     * Returns <code>true</code> if this session has been created for the
+     * administrator. <code>False</code> otherwise.
+     *
+     * @return <code>true</code> if this is an admin session.
+     */
+    public boolean isAdmin() {
+        // NOTE: don't replace by getUserManager()
+        if (userManager != null) {
+            try {
+                Authorizable a = userManager.getAuthorizable(userId);
+                if (a != null && !a.isGroup()) {
+                    return ((User) a).isAdmin();
+                }
+            } catch (RepositoryException e) {
+                // no user management -> use fallback
+            }
+
+        }
+        // fallback: user manager not yet initialized or user mgt not supported
+        // -> check for AdminPrincipal being present in the subject.
+        return (subject != null && !subject.getPrincipals(AdminPrincipal.class).isEmpty());
+    }
+
+    /**
       * Creates a new session with the same subject as this sessions but to a
       * different workspace. The returned session is a newly logged in session,
       * with the same subject but a different workspace. Even if the given

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SystemSession.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SystemSession.java?rev=1072095&r1=1072094&r2=1072095&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SystemSession.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SystemSession.java
Fri Feb 18 18:26:47 2011
@@ -17,7 +17,6 @@
 package org.apache.jackrabbit.core;
 
 import java.util.Collections;
-import java.util.HashSet;
 import java.util.Set;
 import java.security.Principal;
 
@@ -59,11 +58,8 @@ class SystemSession extends SessionImpl 
             RepositoryContext repositoryContext, WorkspaceConfig wspConfig)
             throws RepositoryException {
         // create subject with SystemPrincipal
-        Set<SystemPrincipal> principals = new HashSet<SystemPrincipal>();
-        principals.add(new SystemPrincipal());
-        Subject subject =
-                new Subject(true, principals, Collections.EMPTY_SET,
-                        Collections.EMPTY_SET);
+        Set<SystemPrincipal> principals = Collections.singleton(new SystemPrincipal());
+        Subject subject = new Subject(true, principals, Collections.emptySet(), Collections.emptySet());
         return new SystemSession(repositoryContext, subject, wspConfig);
     }
 
@@ -86,6 +82,7 @@ class SystemSession extends SessionImpl 
      *
      * @return the name of <code>SystemPrincipal</code>.
      */
+    @Override
     protected String retrieveUserId(Subject subject, String workspaceName) throws RepositoryException
{
         return new SystemPrincipal().getName();
     }
@@ -105,6 +102,26 @@ class SystemSession extends SessionImpl 
         return new SystemAccessManager();
     }
 
+    /**
+     * Always returns <code>true</code>.
+     *
+     * @return <code>true</code> as this is an system session instance.
+     */
+    @Override
+    public boolean isSystem() {
+        return true;
+    }
+
+    /**
+     * Always returns <code>false</code>.
+     *
+     * @return <code>false</code> as this is an system session instance.
+     */
+    @Override
+    public boolean isAdmin() {
+        return false;
+    }
+
     //--------------------------------------------------------< inner classes >
     /**
      * An access manager that grants access to everything.
@@ -212,6 +229,7 @@ class SystemSession extends SessionImpl 
         /**
          * @see AbstractAccessControlManager#checkInitialized()
          */
+        @Override
         protected void checkInitialized() throws IllegalStateException {
             // nop
         }
@@ -219,6 +237,7 @@ class SystemSession extends SessionImpl 
         /**
          * @see AbstractAccessControlManager#checkPermission(String,int)
          */
+        @Override
         protected void checkPermission(String absPath, int permission) throws
                 AccessDeniedException, PathNotFoundException, RepositoryException {
             // allow everything
@@ -235,6 +254,7 @@ class SystemSession extends SessionImpl 
         /**
          * @see AbstractAccessControlManager#checkValidNodePath(String)
          */
+        @Override
         protected void checkValidNodePath(String absPath)
                 throws PathNotFoundException, RepositoryException {
             Path p = getQPath(absPath);

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/observation/ObservationManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/observation/ObservationManagerImpl.java?rev=1072095&r1=1072094&r2=1072095&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/observation/ObservationManagerImpl.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/observation/ObservationManagerImpl.java
Fri Feb 18 18:26:47 2011
@@ -21,7 +21,6 @@ import org.apache.jackrabbit.core.id.Nod
 import org.apache.jackrabbit.core.cluster.ClusterNode;
 import org.apache.jackrabbit.core.nodetype.NodeTypeImpl;
 import org.apache.jackrabbit.core.nodetype.NodeTypeManagerImpl;
-import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
 import org.apache.jackrabbit.spi.commons.conversion.NameException;
 import org.apache.jackrabbit.spi.Path;
 import org.slf4j.Logger;
@@ -33,7 +32,6 @@ import javax.jcr.observation.EventJourna
 import javax.jcr.observation.EventListener;
 import javax.jcr.observation.EventListenerIterator;
 import javax.jcr.observation.ObservationManager;
-import javax.security.auth.Subject;
 
 /**
  * Each <code>Session</code> instance has its own <code>ObservationManager</code>
@@ -79,10 +77,9 @@ public class ObservationManagerImpl impl
      * @param dispatcher observation dispatcher
      * @param session the <code>Session</code> this ObservationManager
      *                belongs to.
-     * @param itemMgr {@link org.apache.jackrabbit.core.ItemManager} of the passed
-     *                <code>Session</code>.
+     * @param clusterNode
      * @throws NullPointerException if <code>dispatcher</code>, <code>session</code>
-     *                              or <code>itemMgr</code> is <code>null</code>.
+     *                              or <code>clusterNode</code> is <code>null</code>.
      */
     public ObservationManagerImpl(
             ObservationDispatcher dispatcher, SessionImpl session,
@@ -248,10 +245,8 @@ public class ObservationManagerImpl impl
                     "Event journal is only available in cluster deployments");
         }
 
-        Subject subject = session.getSubject();
-        if (subject.getPrincipals(AdminPrincipal.class).isEmpty()) {
-            throw new RepositoryException("Only administrator session may " +
-                    "access EventJournal");
+        if (!session.isAdmin()) {
+            throw new RepositoryException("Only administrator session may access EventJournal");
         }
 
         EventFilter filter = createEventFilter(

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java?rev=1072095&r1=1072094&r2=1072095&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java
Fri Feb 18 18:26:47 2011
@@ -19,6 +19,7 @@ package org.apache.jackrabbit.core.secur
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
 import org.apache.jackrabbit.commons.iterator.AccessControlPolicyIteratorAdapter;
 import org.apache.jackrabbit.core.HierarchyManager;
+import org.apache.jackrabbit.core.SessionImpl;
 import org.apache.jackrabbit.core.id.ItemId;
 import org.apache.jackrabbit.core.security.authorization.AccessControlEditor;
 import org.apache.jackrabbit.core.security.authorization.AccessControlProvider;
@@ -26,7 +27,6 @@ import org.apache.jackrabbit.core.securi
 import org.apache.jackrabbit.core.security.authorization.Permission;
 import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
 import org.apache.jackrabbit.core.security.authorization.WorkspaceAccessManager;
-import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
 import org.apache.jackrabbit.spi.Name;
 import org.apache.jackrabbit.spi.Path;
 import org.apache.jackrabbit.spi.commons.conversion.NamePathResolver;
@@ -38,6 +38,7 @@ import javax.jcr.AccessDeniedException;
 import javax.jcr.ItemNotFoundException;
 import javax.jcr.PathNotFoundException;
 import javax.jcr.RepositoryException;
+import javax.jcr.Session;
 import javax.jcr.UnsupportedRepositoryOperationException;
 import javax.jcr.security.AccessControlException;
 import javax.jcr.security.AccessControlPolicy;
@@ -58,8 +59,8 @@ import java.util.Set;
  * Please note the following exceptional situations:<br>
  * This manager allows all privileges for a particular item if
  * <ul>
- * <li>the Session's Subject contains a {@link SystemPrincipal} <i>or</i>
- * an {@link AdminPrincipal}</li>
+ * <li>the Session's represents a system session or a session associated with
+ * the repository's administrator</li>
  * </ul>
  * <p/>
  * It allows to access all available workspaces if
@@ -137,7 +138,7 @@ public class DefaultAccessManager extend
             principals = subject.getPrincipals();
         }
 
-        wspAccess = new WorkspaceAccess(wspAccessManager, isSystemOrAdmin(subject));
+        wspAccess = new WorkspaceAccess(wspAccessManager, isSystemOrAdmin(amContext.getSession()));
         privilegeRegistry = new PrivilegeRegistry(resolver);
 
         if (acProvider != null) {
@@ -491,15 +492,15 @@ public class DefaultAccessManager extend
     }
 
     /**
-     * @param subject The subject associated with the session.
+     * @param s the session
      * @return if created with system-privileges
      */
-    private static boolean isSystemOrAdmin(Subject subject) {
-        if (subject == null) {
+    private static boolean isSystemOrAdmin(Session s) {
+        if (s == null || !(s instanceof SessionImpl)) {
             return false;
         } else {
-            return !(subject.getPrincipals(SystemPrincipal.class).isEmpty() &&
-                     subject.getPrincipals(AdminPrincipal.class).isEmpty());
+            SessionImpl sImpl = (SessionImpl) s;
+            return sImpl.isSystem() || sImpl.isAdmin();
         }
     }
 
@@ -513,16 +514,16 @@ public class DefaultAccessManager extend
 
         private final WorkspaceAccessManager wspAccessManager;
 
-        private final boolean isAdmin;
+        private final boolean alwaysAllowed;
         // TODO: entries must be cleared if access permission to wsp changes.
         private final List <String>allowed;
         private final List<String> denied;
 
         private WorkspaceAccess(WorkspaceAccessManager wspAccessManager,
-                                boolean isAdmin) {
+                                boolean alwaysAllowed) {
             this.wspAccessManager = wspAccessManager;
-            this.isAdmin = isAdmin;
-            if (!isAdmin) {
+            this.alwaysAllowed = alwaysAllowed;
+            if (!alwaysAllowed) {
                 allowed = new ArrayList<String>(5);
                 denied = new ArrayList<String>(5);
             } else {
@@ -531,7 +532,7 @@ public class DefaultAccessManager extend
         }
 
         private boolean canAccess(String workspaceName) throws RepositoryException {
-            if (isAdmin || wspAccessManager == null || allowed.contains(workspaceName)) {
+            if (alwaysAllowed || wspAccessManager == null || allowed.contains(workspaceName))
{
                 return true;
             } else if (denied.contains(workspaceName)) {
                 return false;

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/DefaultPrincipalProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/DefaultPrincipalProvider.java?rev=1072095&r1=1072094&r2=1072095&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/DefaultPrincipalProvider.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/DefaultPrincipalProvider.java
Fri Feb 18 18:26:47 2011
@@ -24,7 +24,6 @@ import org.apache.jackrabbit.api.securit
 import org.apache.jackrabbit.api.security.user.UserManager;
 import org.apache.jackrabbit.core.SessionImpl;
 import org.apache.jackrabbit.core.observation.SynchronousEventListener;
-import org.apache.jackrabbit.core.security.SystemPrincipal;
 import org.apache.jackrabbit.core.security.user.UserManagerImpl;
 import org.apache.jackrabbit.spi.commons.conversion.NameResolver;
 import org.apache.jackrabbit.util.Text;
@@ -36,7 +35,6 @@ import javax.jcr.Session;
 import javax.jcr.observation.Event;
 import javax.jcr.observation.EventIterator;
 import javax.jcr.observation.EventListener;
-import javax.security.auth.Subject;
 import java.security.Principal;
 import java.util.Iterator;
 import java.util.LinkedHashSet;
@@ -224,9 +222,7 @@ public class DefaultPrincipalProvider ex
         // given principal
         if (session instanceof SessionImpl) {
             SessionImpl sImpl = (SessionImpl) session;
-            Subject subject = sImpl.getSubject();
-            if (!subject.getPrincipals(SystemPrincipal.class).isEmpty()
-                    || !subject.getPrincipals(AdminPrincipal.class).isEmpty()) {
+            if (sImpl.isAdmin() || sImpl.isSystem()) {
                 return true;
             }
             try {

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/user/UserManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/user/UserManagerImpl.java?rev=1072095&r1=1072094&r2=1072095&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/user/UserManagerImpl.java
(original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/user/UserManagerImpl.java
Fri Feb 18 18:26:47 2011
@@ -29,7 +29,6 @@ import org.apache.jackrabbit.core.Protec
 import org.apache.jackrabbit.core.SessionImpl;
 import org.apache.jackrabbit.core.SessionListener;
 import org.apache.jackrabbit.core.id.NodeId;
-import org.apache.jackrabbit.core.security.SystemPrincipal;
 import org.apache.jackrabbit.core.security.principal.EveryonePrincipal;
 import org.apache.jackrabbit.core.security.principal.PrincipalImpl;
 import org.apache.jackrabbit.core.session.SessionOperation;
@@ -250,11 +249,6 @@ public class UserManagerImpl extends Pro
     private final boolean compatibleJR16;
 
     /**
-     * boolean flag indicating whether the editing session is a system session.
-     */
-    private final boolean isSystemUserManager;
-
-    /**
      * Maximum number of properties on the group membership node structure under
      * {@link UserConstants#N_MEMBERS} until additional intermediate nodes are inserted.
      * If 0 (default), {@link UserConstants#P_MEMBERS} is used to record group
@@ -341,17 +335,6 @@ public class UserManagerImpl extends Pro
         }
         authResolver = nr;
         authResolver.setSearchRoots(usersPath, groupsPath);
-
-        /**
-         * evaluate if the editing session is a system session. since the
-         * SystemSession class is package protected the session object cannot
-         * be checked for the property instance.
-         *
-         * workaround: compare the class name and check if the subject contains
-         * the system principal.
-         */
-        isSystemUserManager = "org.apache.jackrabbit.core.SystemSession".equals(session.getClass().getName())
&&
-                !session.getSubject().getPrincipals(SystemPrincipal.class).isEmpty();
     }
 
     /**
@@ -412,7 +395,7 @@ public class UserManagerImpl extends Pro
          * node an explicit test for the current editing session being
          * a system session is performed.
          */
-        if (a == null && adminId.equals(id) && isSystemUserManager) {
+        if (a == null && adminId.equals(id) && session.isSystem()) {
             log.info("Admin user does not exist.");
             a = createAdmin();
         }



Mime
View raw message