From ang...@apache.org
Subject svn commit: r1394441 - in /jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak: security/authentication/ security/authentication/token/ security/principal/ security/user/ spi/security/authentication/ spi/security/user/
Date Fri, 05 Oct 2012 11:10:19 GMT
Author: angela
Date: Fri Oct  5 11:10:18 2012
New Revision: 1394441

URL: http://svn.apache.org/viewvc?rev=1394441&view=rev
Log:
 OAK-91 - Implement Authentication Support (WIP)
 OAK-50 - User Management (WIP)

Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginModuleImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenAuthentication.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/principal/PrincipalManagerImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/ImpersonationImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserManagerImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserProviderImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/Authentication.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/UserProvider.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationImpl.java?rev=1394441&r1=1394440&r2=1394441&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationImpl.java
Fri Oct  5 11:10:18 2012
@@ -16,28 +16,30 @@
  */
 package org.apache.jackrabbit.oak.security.authentication;
 
-import java.security.Principal;
-import java.util.Set;
 import javax.jcr.Credentials;
-import javax.jcr.GuestCredentials;
-import javax.jcr.SimpleCredentials;
+import javax.security.auth.Subject;
 
-import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.spi.security.authentication.Authentication;
-import org.apache.jackrabbit.oak.spi.security.user.PasswordUtility;
+import org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider;
 import org.apache.jackrabbit.oak.spi.security.user.UserProvider;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 /**
  * AuthenticationImpl...
  */
 public class AuthenticationImpl implements Authentication {
 
+    private static final Logger log = LoggerFactory.getLogger(AuthenticationImpl.class);
+
     private final String userID;
     private final UserProvider userProvider;
+    private final PrincipalProvider principalProvider;
 
-    public AuthenticationImpl(String userID, UserProvider userProvider) {
+    public AuthenticationImpl(String userID, UserProvider userProvider, PrincipalProvider
principalProvider) {
         this.userID = userID;
         this.userProvider = userProvider;
+        this.principalProvider = principalProvider;
     }
 
     @Override
@@ -62,8 +64,18 @@ public class AuthenticationImpl implemen
     }
 
     @Override
-    public boolean impersonate(Set<Principal> principals) {
+    public boolean impersonate(Subject subject) {
         // TODO
         return true;
+
+//        if (userProvider == null || userID == null) {
+//            try {
+//                return userProvider.getImpersonation(userID, principalProvider).allows(subject);
+//            } catch (RepositoryException e) {
+//                log.debug("Error while validating impersonation", e.getMessage());
+//                return false;
+//            }
+//        }
+//        return false;
     }
 }
\ No newline at end of file
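Review bot: `impersonate(Subject)` still ends at the unconditional `return true;`, so every caller is told the impersonation is allowed and the block added after it is dead code. Judging from the LoginModuleImpl hunk in this commit, this method is the fallback when `authenticate` fails, so until the real check lands the stub would be safer as `return false;`. The commented-out check also has its guard inverted: `if (userProvider == null || userID == null)` enters the branch exactly when the dereference would fail, and should read `if (userProvider != null && userID != null)`. Its `log.debug("Error while validating impersonation", e.getMessage())` has no `{}` placeholder, so the message would be dropped once the block is enabled.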

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginModuleImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginModuleImpl.java?rev=1394441&r1=1394440&r2=1394441&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginModuleImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginModuleImpl.java
Fri Oct  5 11:10:18 2012
@@ -18,6 +18,7 @@ package org.apache.jackrabbit.oak.securi
 
 import java.io.IOException;
 import java.security.Principal;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
@@ -114,7 +115,7 @@ public class LoginModuleImpl extends Abs
         credentials = getCredentials();
         userID = getUserID();
 
-        Authentication authentication = new AuthenticationImpl(userID, getUserProvider());
+        Authentication authentication = new AuthenticationImpl(userID, getUserProvider(),
getPrincipalProvider());
         boolean success = authentication.authenticate(credentials);
         if (!success) {
             success = impersonate(authentication);
@@ -140,7 +141,7 @@ public class LoginModuleImpl extends Abs
             if (!subject.isReadOnly()) {
                 subject.getPrincipals().addAll(principals);
                 subject.getPublicCredentials().add(credentials);
-                subject.getPublicCredentials().add(getAuthInfo());
+                subject.getPublicCredentials().add(createAuthInfo());
             } else {
                 log.debug("Could not add information to read only subject {}", subject);
             }
@@ -165,7 +166,6 @@ public class LoginModuleImpl extends Abs
     //--------------------------------------------------------------------------
     @CheckForNull
     private String getUserID() {
-        // TODO add proper implementation
         String userID = null;
         if (credentials != null) {
             if (credentials instanceof SimpleCredentials) {
@@ -193,7 +193,6 @@ public class LoginModuleImpl extends Abs
         if (userID == null) {
             userID = getSharedLoginName();
         }
-
         return userID;
     }
 
@@ -205,14 +204,15 @@ public class LoginModuleImpl extends Abs
     private boolean impersonate(Authentication authentication) {
         if (credentials instanceof ImpersonationCredentials) {
             AuthInfo info = ((ImpersonationCredentials) credentials).getImpersonatorInfo();
-            if (authentication.impersonate(info.getPrincipals())) {
+            Subject subject = new Subject(true, info.getPrincipals(), Collections.emptySet(),
Collections.emptySet());
+            if (authentication.impersonate(subject)) {
                 return true;
             }
         }
         return false;
     }
 
-    private AuthInfo getAuthInfo() {
+    private AuthInfo createAuthInfo() {
         Map<String, Object> attributes = new HashMap<String, Object>();
         if (credentials instanceof SimpleCredentials) {
             SimpleCredentials sc = (SimpleCredentials) credentials;

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenAuthentication.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenAuthentication.java?rev=1394441&r1=1394440&r2=1394441&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenAuthentication.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenAuthentication.java
Fri Oct  5 11:10:18 2012
@@ -16,11 +16,10 @@
  */
 package org.apache.jackrabbit.oak.security.authentication.token;
 
-import java.security.Principal;
 import java.util.Date;
-import java.util.Set;
 import javax.annotation.Nonnull;
 import javax.jcr.Credentials;
+import javax.security.auth.Subject;
 
 import org.apache.jackrabbit.api.security.authentication.token.TokenCredentials;
 import org.apache.jackrabbit.oak.spi.security.authentication.Authentication;
@@ -30,7 +29,12 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
- * TokenAuthentication... TODO
+ * Implementation of the {@code Authentication} interface that deals with
+ * token based login. {@link #authenticate(javax.jcr.Credentials) Authentication}
+ * will be successful if the specified credentials are valid {@link TokenCredentials}
+ * according to the characteristics and constraints enforced by {@link TokenProvider}
+ * and the information obtained using {@link TokenProvider#getTokenInfo(String)}
+ * respectively.
  */
 class TokenAuthentication implements Authentication {
 
@@ -58,7 +62,7 @@ class TokenAuthentication implements Aut
      * Always returns {@code false}
      */
     @Override
-    public boolean impersonate(Set<Principal> principals) {
+    public boolean impersonate(Subject subject) {
         return false;
     }
 
@@ -92,13 +96,10 @@ class TokenAuthentication implements Aut
         }
 
         if (tokenInfo.matches(tokenCredentials)) {
-            if (!tokenProvider.resetTokenExpiration(tokenInfo, loginTime)) {
-                log.debug("Unable to reset token expiration... trying next time");
-            }
+            tokenProvider.resetTokenExpiration(tokenInfo, loginTime);
             return true;
         }
 
-
         return false;
     }
 }
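Review bot: The result of `tokenProvider.resetTokenExpiration(tokenInfo, loginTime)` is now discarded without comment, so a reader cannot tell that a failed reset is deliberately tolerated. A one-line comment above the call would record the intent, e.g. `// best effort: login succeeds even if the expiration could not be reset`. The enclosing method begins outside this hunk.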

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java?rev=1394441&r1=1394440&r2=1394441&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java
Fri Oct  5 11:10:18 2012
@@ -216,6 +216,7 @@ public class TokenProviderImpl implement
                 try {
                     tokenNode.setDate(TOKEN_ATTRIBUTE_EXPIRY, expirationTime);
                     root.commit();
+                    log.debug("Successfully reset token expiration time.");
                     return true;
                 } catch (CommitFailedException e) {
                     log.warn("Error while resetting token expiration", e.getMessage());
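Review bot: The `log.warn("Error while resetting token expiration", e.getMessage())` context line right below the added debug call has no `{}` placeholder, so SLF4J drops the argument and a failed commit is logged without its cause. Passing the exception itself, `log.warn("Error while resetting token expiration", e);`, keeps both the message and the stack trace. The new debug line would be more useful for correlating success and failure entries if it named the user id or token node, never the token value. The method starts and ends outside the hunk.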

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/principal/PrincipalManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/principal/PrincipalManagerImpl.java?rev=1394441&r1=1394440&r2=1394441&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/principal/PrincipalManagerImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/principal/PrincipalManagerImpl.java
Fri Oct  5 11:10:18 2012
@@ -35,6 +35,19 @@ public class PrincipalManagerImpl implem
         this.principalProvider = principalProvider;
     }
 
+    /**
+     * Returns the underlying principal provider implementation. Note, that
+     * in contrast to Jackrabbit 2.x the principal provider is associated with
+     * the editing session. Thus exposing the lower level interface will not
+     * expose information that wasn't accessible by other means.
+     *
+     * @return the principal provider.
+     */
+    public PrincipalProvider getPrincipalProvider() {
+        return principalProvider;
+    }
+
+    //---------------------------------------------------< PrincipalManager >---
     @Override
     public boolean hasPrincipal(String principalName) {
         return principalProvider.getPrincipal(principalName) != null;

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/ImpersonationImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/ImpersonationImpl.java?rev=1394441&r1=1394440&r2=1394441&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/ImpersonationImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/ImpersonationImpl.java
Fri Oct  5 11:10:18 2012
@@ -20,22 +20,20 @@ import java.security.Principal;
 import java.security.acl.Group;
 import java.util.HashSet;
 import java.util.Set;
-
+import javax.jcr.PropertyType;
 import javax.jcr.RepositoryException;
-import javax.jcr.Session;
-import javax.jcr.UnsupportedRepositoryOperationException;
 import javax.security.auth.Subject;
 
-import org.apache.jackrabbit.api.JackrabbitSession;
 import org.apache.jackrabbit.api.security.principal.PrincipalIterator;
-import org.apache.jackrabbit.api.security.principal.PrincipalManager;
-import org.apache.jackrabbit.api.security.user.Authorizable;
 import org.apache.jackrabbit.api.security.user.Impersonation;
-import org.apache.jackrabbit.api.security.user.User;
 import org.apache.jackrabbit.oak.api.PropertyState;
 import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal;
 import org.apache.jackrabbit.oak.spi.security.principal.PrincipalIteratorAdapter;
+import org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider;
+import org.apache.jackrabbit.oak.spi.security.user.Type;
 import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
+import org.apache.jackrabbit.oak.spi.security.user.UserProvider;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -51,10 +49,14 @@ class ImpersonationImpl implements Imper
      */
     private static final Logger log = LoggerFactory.getLogger(ImpersonationImpl.class);
 
-    private final UserImpl user;
-
-    ImpersonationImpl(UserImpl user) {
-        this.user = user;
+    private final String userId;
+    private final UserProvider userProvider;
+    private final PrincipalProvider principalProvider;
+
+    ImpersonationImpl(String userId, UserProvider userProvider, PrincipalProvider principalProvider)
{
+        this.userId = userId;
+        this.userProvider = userProvider;
+        this.principalProvider = principalProvider;
     }
 
     //------------------------------------------------------< Impersonation >---
@@ -67,10 +69,9 @@ class ImpersonationImpl implements Imper
         if (impersonators.isEmpty()) {
             return PrincipalIteratorAdapter.EMPTY;
         } else {
-            final PrincipalManager pMgr = getPrincipalManager();
             Set<Principal> s = new HashSet<Principal>();
             for (final String pName : impersonators) {
-                Principal p = pMgr.getPrincipal(pName);
+                Principal p = principalProvider.getPrincipal(pName);
                 if (p == null) {
                     log.debug("Impersonator " + pName + " does not correspond to a known
Principal.");
                     p = new Principal() {
@@ -93,34 +94,33 @@ class ImpersonationImpl implements Imper
     @Override
     public synchronized boolean grantImpersonation(Principal principal) throws RepositoryException
{
         String principalName = principal.getName();
-        PrincipalManager pMgr = getPrincipalManager();
-        if (!pMgr.hasPrincipal(principalName)) {
+        Principal p = principalProvider.getPrincipal(principalName);
+        if (p == null) {
             log.debug("Cannot grant impersonation to an unknown principal.");
             return false;
         }
-
-        Principal p = pMgr.getPrincipal(principalName);
         if (p instanceof Group) {
             log.debug("Cannot grant impersonation to a principal that is a Group.");
             return false;
         }
 
         // make sure user does not impersonate himself
-        if (user.getPrincipal().getName().equals(principalName)) {
+        Tree userTree = getUserTree();
+        PropertyState prop = userTree.getProperty(REP_PRINCIPAL_NAME);
+        if (prop != null && prop.getValue(org.apache.jackrabbit.oak.api.Type.STRING).equals(principalName))
{
             log.warn("Cannot grant impersonation to oneself.");
             return false;
         }
 
         // make sure the given principal doesn't refer to the admin user.
-        Authorizable a = user.getUserManager().getAuthorizable(p);
-        if (a != null && ((User)a).isAdmin()) {
+        if (isAdmin(p)) {
             log.debug("Admin principal is already granted impersonation.");
             return false;
         }
 
-        Set<String> impersonators = getImpersonatorNames();
+        Set<String> impersonators = getImpersonatorNames(userTree);
         if (impersonators.add(principalName)) {
-            updateImpersonatorNames(impersonators);
+            updateImpersonatorNames(userTree, impersonators);
             return true;
         } else {
             return false;
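Review bot: The self-impersonation guard in `grantImpersonation` is skipped whenever `userTree.getProperty(REP_PRINCIPAL_NAME)` returns null, and the grant then proceeds. Whether a user tree can lack that property is not visible here, but failing closed would be safer: add `if (prop == null) { return false; }` (with a log line) before the comparison. The fully qualified `org.apache.jackrabbit.oak.api.Type.STRING` is hard to read; a static import would match the unqualified `STRINGS` that appears further down in the file.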
@@ -134,9 +134,10 @@ class ImpersonationImpl implements Imper
     public synchronized boolean revokeImpersonation(Principal principal) throws RepositoryException
{
         String pName = principal.getName();
 
-        Set<String> impersonators = getImpersonatorNames();
+        Tree userTree = getUserTree();
+        Set<String> impersonators = getImpersonatorNames(userTree);
         if (impersonators.remove(pName)) {
-            updateImpersonatorNames(impersonators);
+            updateImpersonatorNames(userTree, impersonators);
             return true;
         } else {
             return false;
@@ -153,23 +154,15 @@ class ImpersonationImpl implements Imper
         }
 
         Set<String> principalNames = new HashSet<String>();
-        for (Principal p : subject.getPrincipals()) {
-            principalNames.add(p.getName());
+        for (Principal principal : subject.getPrincipals()) {
+            principalNames.add(principal.getName());
         }
 
-        boolean allows;
-        Set<String> impersonators = getImpersonatorNames();
-        allows = impersonators.removeAll(principalNames);
-
+        boolean allows = getImpersonatorNames().removeAll(principalNames);
         if (!allows) {
             // check if subject belongs to administrator user
-            for (Principal p : subject.getPrincipals()) {
-                if (p instanceof Group) {
-                    continue;
-                }
-                UserManagerImpl userManager = user.getUserManager();
-                Authorizable a = userManager.getAuthorizable(p);
-                if (a != null && ((User) a).isAdmin()) {
+            for (Principal principal : subject.getPrincipals()) {
+                if (isAdmin(principal)) {
                     allows = true;
                     break;
                 }
@@ -179,10 +172,12 @@ class ImpersonationImpl implements Imper
     }
 
     //------------------------------------------------------------< private >---
+    private Set<String> getImpersonatorNames() throws RepositoryException {
+        return getImpersonatorNames(getUserTree());
+    }
 
-    private Set<String> getImpersonatorNames() {
+    private Set<String> getImpersonatorNames(Tree userTree) {
         Set<String> princNames = new HashSet<String>();
-        Tree userTree = user.getTree();
         PropertyState impersonators = userTree.getProperty(REP_IMPERSONATORS);
         if (impersonators != null) {
             for (String v : impersonators.getValue(STRINGS)) {
@@ -192,21 +187,30 @@ class ImpersonationImpl implements Imper
         return princNames;
     }
 
-    private void updateImpersonatorNames(Set<String> principalNames) throws RepositoryException
{
+    private void updateImpersonatorNames(Tree userTree, Set<String> principalNames)
{
         String[] pNames = principalNames.toArray(new String[principalNames.size()]);
         if (pNames.length == 0) {
-            user.setProtectedProperty(REP_PRINCIPAL_NAME, (String) null);
-        } else {
-            user.setProtectedProperty(REP_IMPERSONATORS, pNames);
+            pNames = null;
         }
+        userProvider.setProtectedProperty(userTree, REP_IMPERSONATORS, pNames, PropertyType.STRING);
     }
 
-    private PrincipalManager getPrincipalManager() throws RepositoryException {
-        Session s = user.getUserManager().getSession();
-        if (s instanceof JackrabbitSession) {
-            return ((JackrabbitSession) s).getPrincipalManager();
+    private Tree getUserTree() throws RepositoryException {
+        Tree userTree = userProvider.getAuthorizable(userId, Type.USER);
+        if (userTree == null) {
+            throw new RepositoryException("UserId " + userId + " cannot be resolved to user.");
+        }
+        return userTree;
+    }
+
+    private boolean isAdmin(Principal principal) {
+        if (principal == AdminPrincipal.INSTANCE) {
+            return true;
+        } else if (principal instanceof Group) {
+            return false;
         } else {
-            throw new UnsupportedRepositoryOperationException("Principal management not supported.");
+            Tree authorizableTree = userProvider.getAuthorizableByPrincipal(principal);
+            return authorizableTree != null && userProvider.isAdminUser(authorizableTree);
         }
     }
 }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserImpl.java?rev=1394441&r1=1394440&r2=1394441&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserImpl.java
Fri Oct  5 11:10:18 2012
@@ -97,7 +97,7 @@ class UserImpl extends AuthorizableImpl 
      */
     @Override
     public Impersonation getImpersonation() throws RepositoryException {
-       return new ImpersonationImpl(this);
+        return getUserProvider().getImpersonation(getID(), getUserManager().getPrincipalProvider());
     }
 
     /**
@@ -139,10 +139,10 @@ class UserImpl extends AuthorizableImpl 
         if (reason == null) {
             if (isDisabled()) {
                 // enable the user again.
-                setProtectedProperty(REP_DISABLED, (String) null);
-            }
+                getUserProvider().setProtectedProperty(userTree, REP_DISABLED, (String) null,
PropertyType.STRING);
+            } // else: not disabled -> nothing to
         } else {
-            setProtectedProperty(REP_DISABLED, reason);
+            getUserProvider().setProtectedProperty(userTree, REP_DISABLED, reason, PropertyType.STRING);
         }
     }
 
@@ -165,14 +165,4 @@ class UserImpl extends AuthorizableImpl 
         } else
             return null;
     }
-
-    //--------------------------------------------------------------------------
-
-    void setProtectedProperty(String oakName, String value) throws RepositoryException {
-        getUserProvider().setProtectedProperty(getTree(), oakName, value, PropertyType.STRING);
-    }
-
-    void setProtectedProperty(String oakName, String[] values) throws RepositoryException
{
-        getUserProvider().setProtectedProperty(getTree(), oakName, values, PropertyType.STRING);
-    }
 }
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserManagerImpl.java?rev=1394441&r1=1394440&r2=1394441&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserManagerImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserManagerImpl.java
Fri Oct  5 11:10:18 2012
@@ -24,6 +24,7 @@ import javax.jcr.RepositoryException;
 import javax.jcr.Session;
 import javax.jcr.UnsupportedRepositoryOperationException;
 
+import org.apache.jackrabbit.api.JackrabbitSession;
 import org.apache.jackrabbit.api.security.user.Authorizable;
 import org.apache.jackrabbit.api.security.user.AuthorizableExistsException;
 import org.apache.jackrabbit.api.security.user.Group;
@@ -32,9 +33,11 @@ import org.apache.jackrabbit.api.securit
 import org.apache.jackrabbit.api.security.user.UserManager;
 import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.oak.security.principal.PrincipalManagerImpl;
 import org.apache.jackrabbit.oak.security.user.query.XPathQueryBuilder;
 import org.apache.jackrabbit.oak.security.user.query.XPathQueryEvaluator;
 import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
+import org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider;
 import org.apache.jackrabbit.oak.spi.security.user.MembershipProvider;
 import org.apache.jackrabbit.oak.spi.security.user.Type;
 import org.apache.jackrabbit.oak.spi.security.user.UserConfig;
@@ -297,6 +300,14 @@ public class UserManagerImpl implements 
         return membershipProvider;
     }
 
+    PrincipalProvider getPrincipalProvider() throws RepositoryException {
+        if (!(session instanceof JackrabbitSession)) {
+            throw new UnsupportedRepositoryOperationException("Principal management not supported");
+        }
+        JackrabbitSession js = (JackrabbitSession) session;
+        return ((PrincipalManagerImpl) js.getPrincipalManager()).getPrincipalProvider();
+    }
+
     @CheckForNull
     Authorizable getAuthorizable(Tree tree) throws RepositoryException {
         if (tree == null) {
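Review bot: `getPrincipalProvider()` casts `js.getPrincipalManager()` to `PrincipalManagerImpl` without checking it, so a session backed by any other `PrincipalManager` fails with a ClassCastException instead of the `UnsupportedRepositoryOperationException` thrown a few lines above. Guard the cast with an `instanceof PrincipalManagerImpl` test and throw the same exception otherwise. A short Javadoc saying the method only works with Oak's own principal manager would help callers such as `UserImpl.getImpersonation()`.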

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserProviderImpl.java?rev=1394441&r1=1394440&r2=1394441&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserProviderImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserProviderImpl.java
Fri Oct  5 11:10:18 2012
@@ -28,6 +28,7 @@ import javax.jcr.nodetype.ConstraintViol
 import javax.jcr.query.Query;
 
 import org.apache.jackrabbit.JcrConstants;
+import org.apache.jackrabbit.api.security.user.Impersonation;
 import org.apache.jackrabbit.oak.api.CoreValue;
 import org.apache.jackrabbit.oak.api.PropertyState;
 import org.apache.jackrabbit.oak.api.Result;
@@ -36,6 +37,7 @@ import org.apache.jackrabbit.oak.api.Roo
 import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.plugins.memory.SinglePropertyState;
+import org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider;
 import org.apache.jackrabbit.oak.spi.security.principal.TreeBasedPrincipal;
 import org.apache.jackrabbit.oak.spi.security.user.PasswordUtility;
 import org.apache.jackrabbit.oak.spi.security.user.Type;
@@ -253,7 +255,7 @@ class UserProviderImpl extends Authoriza
     @Override
     public boolean isAdminUser(Tree userTree) {
         checkNotNull(userTree);
-        return config.getAdminId().equals(getAuthorizableId(userTree));
+        return isAuthorizableType(userTree, Type.USER) && config.getAdminId().equals(getAuthorizableId(userTree));
     }
 
     @Override
@@ -289,6 +291,11 @@ class UserProviderImpl extends Authoriza
     }
 
     @Override
+    public Impersonation getImpersonation(String userId, PrincipalProvider principalProvider)
{
+        return new ImpersonationImpl(userId, this, principalProvider);
+    }
+
+    @Override
     public void setProtectedProperty(Tree authorizableTree, String propertyName, String value,
int propertyType) {
         checkNotNull(authorizableTree);
 

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/Authentication.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/Authentication.java?rev=1394441&r1=1394440&r2=1394441&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/Authentication.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/Authentication.java
Fri Oct  5 11:10:18 2012
@@ -16,9 +16,8 @@
  */
 package org.apache.jackrabbit.oak.spi.security.authentication;
 
-import java.security.Principal;
-import java.util.Set;
 import javax.jcr.Credentials;
+import javax.security.auth.Subject;
 
 /**
  * The {@code Authentication} interface defines methods to validate
@@ -52,10 +51,10 @@ public interface Authentication {
      * Test if the given subject (i.e. any of the principals it contains) is
      * allowed to impersonate.
      *
-     * @param principals a set of principals to test.
+     * @param subject The subject that wants to impersonate.
      * @return true if this {@code Impersonation} allows the specified
      * set of principals to impersonate.
      */
-    boolean impersonate(Set<Principal> principals);
+    boolean impersonate(Subject subject);
 
 }
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/UserProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/UserProvider.java?rev=1394441&r1=1394440&r2=1394441&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/UserProvider.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/UserProvider.java
Fri Oct  5 11:10:18 2012
@@ -22,7 +22,9 @@ import javax.annotation.CheckForNull;
 import javax.annotation.Nonnull;
 import javax.jcr.RepositoryException;
 
+import org.apache.jackrabbit.api.security.user.Impersonation;
 import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider;
 
 /**
  * UserProvider deals with with creating and resolving repository content
@@ -104,6 +106,8 @@ public interface UserProvider {
      */
     void setPassword(Tree userTree, String password, boolean forceHash) throws RepositoryException;
 
+    Impersonation getImpersonation(String userID, PrincipalProvider principalProvider);
+
     void setProtectedProperty(Tree authorizableTree, String propertyName, String value, int
propertyType);
 
     void setProtectedProperty(Tree v, String propertyName, String[] values, int propertyType);
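Review bot: The new `getImpersonation(String userID, PrincipalProvider principalProvider)` is added to the SPI without Javadoc, while `setPassword` just above it is documented. The doc should say whether either argument may be null and when the user id is resolved; from the other hunks in this commit, `UserProviderImpl` passes both straight to the `ImpersonationImpl` constructor unchecked and resolution only happens later in `getUserTree()`. The two `setProtectedProperty` overloads would also benefit from a sentence on what a null value means, since `ImpersonationImpl` and `UserImpl` pass null to them, apparently to remove the property. The parameter is spelled `userID` here but `userId` in the implementation, and `Tree v` in the last overload looks like a leftover name.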


