Index: jackrabbit-core/src/main/java/org/apache/jackrabbit/core/config/RepositoryConfigurationParser.java
===================================================================
--- jackrabbit-core/src/main/java/org/apache/jackrabbit/core/config/RepositoryConfigurationParser.java (revision 576808)
+++ jackrabbit-core/src/main/java/org/apache/jackrabbit/core/config/RepositoryConfigurationParser.java (working copy)
@@ -16,14 +16,15 @@
*/
package org.apache.jackrabbit.core.config;
-import java.io.File;
-import java.util.Properties;
-
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
+import org.apache.jackrabbit.core.security.SecurityConstants;
+import java.io.File;
+import java.util.Properties;
+
/**
* Configuration parser. This class is used to parse the repository and
* workspace configuration files.
@@ -92,6 +93,9 @@
/** Name of the application name configuration attribute. */
public static final String APP_NAME_ATTRIBUTE = "appName";
+ /** Name of the workspace conaining security data. */
+ public static final String WSP_NAME_ATTRIBUTE = "workspaceName";
+
/** Name of the root path configuration attribute. */
public static final String ROOT_PATH_ATTRIBUTE = "rootPath";
@@ -102,8 +106,7 @@
public static final String MAX_IDLE_TIME_ATTRIBUTE = "maxIdleTime";
/** Name of the default workspace configuration attribute. */
- public static final String DEFAULT_WORKSPACE_ATTRIBUTE =
- "defaultWorkspace";
+ public static final String DEFAULT_WORKSPACE_ATTRIBUTE = "defaultWorkspace";
/** Name of the id configuration attribute. */
public static final String ID_ATTRIBUTE = "id";
@@ -121,6 +124,18 @@
/** Default synchronization delay, in milliseconds. */
public static final String DEFAULT_SYNC_DELAY = "5000";
+ /** Element-name of root element containing security related settings */
+ private static final String WSP_SECURITY_ELEMENT = "WorkspaceSecurity";
+
+ /** Element-name of element containing settings for CompiledACLFactory */
+ private static final String COMPILED_ACL_PROVIDER_FACTORY_ELEMENT = "CompiledACLProvider";
+
+ /** Element-name of element containing settings for ACLFactory */
+ private static final String ACL_PROVIDER_FACTORY_ELEMENT = "ACLProvider";
+
+ /** Element-name of element containing settings for WorkspaceACLProvider */
+ private static final String WSP_ACL_PROVIDER_ELEMENT = "WorkspaceACLProvider";
+
/**
* Creates a new configuration parser with the given parser variables.
*
@@ -251,9 +266,16 @@
public SecurityConfig parseSecurityConfig(Element security)
throws ConfigurationException {
String appName = getAttribute(security, APP_NAME_ATTRIBUTE);
+ String wspName;
+ if (security.hasAttribute(WSP_NAME_ATTRIBUTE)) {
+ wspName = getAttribute(security, WSP_NAME_ATTRIBUTE);
+ } else {
+ wspName = SecurityConstants.SYSTEM_WORKSPACE_NAME;
+ }
AccessManagerConfig amc = parseAccessManagerConfig(security);
LoginModuleConfig lmc = parseLoginModuleConfig(security);
- return new SecurityConfig(appName, amc, lmc);
+ BeanConfig wac = parseWorkspaceACLConfig(security);
+ return new SecurityConfig(appName, wspName, amc, lmc, wac);
}
/**
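Review bot: An empty `workspaceName=""` attribute passes the `security.hasAttribute(WSP_NAME_ATTRIBUTE)` check in parseSecurityConfig, so it is handed on as the security workspace name instead of falling back to `SecurityConstants.SYSTEM_WORKSPACE_NAME`. getAttribute() is not visible in this hunk, so it may already reject empty values; if it does not, the empty name reaches `createWorkspace(secWspName)` in RepositoryImpl. Consider treating a blank value like a missing one, e.g. `if (wspName == null || wspName.trim().length() == 0) { wspName = SecurityConstants.SYSTEM_WORKSPACE_NAME; }`.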
@@ -289,6 +311,51 @@
}
/**
+ * Read the WorkspaceACLProvider Element of the Repository Security configuration.
+ * If that config entry is not present return null, otherwise return the
+ * corresponding BeanConfig.
+ *
+ * @param parent Workspace-Root-Element
+ * @return BeanConfig or null if the worspaceACLProvider element
+ * is missing.
+ * @throws ConfigurationException
+ */
+ public BeanConfig parseWorkspaceACLConfig(Element parent) throws ConfigurationException {
+ Element element = getElement(parent, WSP_ACL_PROVIDER_ELEMENT, false);
+ if (element != null) {
+ return parseBeanConfig(parent, WSP_ACL_PROVIDER_ELEMENT);
+ } else {
+ // no wsp-acl-provider element in configuration.
+ return null;
+ }
+ }
+
+ /**
+ * Read the WorkspaceSecurity Element of Workspace's configuration.
+ * @param parent Workspace-Root-Element
+ * @return
+ * @throws ConfigurationException
+ */
+ public WorkspaceSecurityConfig parseWorkspaceSecurityConfig(Element parent)
+ throws ConfigurationException {
+
+ BeanConfig aclConf = null;
+ BeanConfig compAclConf = null;
+ Element element = getElement(parent, WSP_SECURITY_ELEMENT, false);
+ if (element!=null) {
+ Element aclProv = getElement(element, ACL_PROVIDER_FACTORY_ELEMENT, false);
+ if (aclProv!=null) {
+ aclConf = parseBeanConfig(element, ACL_PROVIDER_FACTORY_ELEMENT);
+ }
+ Element compAclProv = getElement(element, COMPILED_ACL_PROVIDER_FACTORY_ELEMENT, false);
+ if (compAclProv!=null) {
+ compAclConf = parseBeanConfig(element, COMPILED_ACL_PROVIDER_FACTORY_ELEMENT);
+ }
+ }
+ return new WorkspaceSecurityConfig(aclConf, compAclConf);
+ }
+
+ /**
* Parses workspace configuration. Workspace configuration uses the
* following format:
*
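Review bot: The Javadoc on the two new parse methods does not match how they are used. parseWorkspaceACLConfig documents `@param parent Workspace-Root-Element`, but parseSecurityConfig passes the repository `Security` element; `@param parent the Security element of the repository configuration` would be accurate. parseWorkspaceSecurityConfig has an empty `@return` and an empty `@throws`; I would write `@return the workspace security configuration, never null; its two bean configs are null when the optional elements are absent` and `@throws ConfigurationException if a present element cannot be parsed`. Both methods also look the element up with getElement() and then have parseBeanConfig() look it up again by name, which deserves a one-line comment saying the first lookup only tests for presence.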
@@ -360,8 +427,10 @@
// Search implementation (optional)
SearchConfig sc = tmpParser.parseSearchConfig(root);
+ // workspace specific security configuration
+ WorkspaceSecurityConfig sec = tmpParser.parseWorkspaceSecurityConfig(root);
- return new WorkspaceConfig(home, name, clustered, fsc, pmc, sc);
+ return new WorkspaceConfig(home, name, clustered, fsc, pmc, sc, sec);
}
/**
Index: jackrabbit-core/src/main/java/org/apache/jackrabbit/core/config/SecurityConfig.java
===================================================================
--- jackrabbit-core/src/main/java/org/apache/jackrabbit/core/config/SecurityConfig.java (revision 576808)
+++ jackrabbit-core/src/main/java/org/apache/jackrabbit/core/config/SecurityConfig.java (working copy)
@@ -28,6 +28,11 @@
private final String name;
/**
+ * Name of the Worspace to Store security relevant data
+ */
+ private final String workspaceName;
+
+ /**
* Repository access manager configuration;
*/
private final AccessManagerConfig amc;
@@ -37,18 +42,25 @@
*/
private final LoginModuleConfig lmc;
+ private final BeanConfig workspaceACLConfig;
+
/**
* Creates a new security configuration.
*
* @param name repository name for a JAAS app-entry configuration
+ * @param workspaceName name of the Workspace to sotre security data
* @param amc access manager configuration
* @param lmc login module configuration (can be null)
*/
public SecurityConfig(
- String name, AccessManagerConfig amc, LoginModuleConfig lmc) {
+ String name, String workspaceName,
+ AccessManagerConfig amc, LoginModuleConfig lmc,
+ BeanConfig workspaceACLConfig) {
this.name = name;
+ this.workspaceName = workspaceName;
this.amc = amc;
this.lmc = lmc;
+ this.workspaceACLConfig = workspaceACLConfig;
}
/**
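Review bot: The constructor Javadoc is missing a tag for the new last parameter, and the `workspaceACLConfig` field is the only one in the class without a comment. Add `@param workspaceACLConfig configuration of the WorkspaceACLProvider (can be null)` and a field comment such as `/** WorkspaceACLProvider configuration; null if the element is not configured. */`. The nullability matters to callers because parseWorkspaceACLConfig returns null when the element is absent.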
@@ -62,6 +74,14 @@
}
/**
+ *
+ * @return name of the Workspace containing Security data
+ */
+ public String getWorkspaceName() {
+ return workspaceName;
+ }
+
+ /**
* Returns the repository access manager configuration.
*
* @return access manager configuration
@@ -80,4 +100,12 @@
return lmc;
}
+ /**
+ * @return the configuration for the WorkspaceACLProvider.
+ * May be null if the configuration entry is missing (i.e.
+ * the system default should be used).
+ */
+ public BeanConfig getWorkspaceACLConfig() {
+ return workspaceACLConfig;
+ }
}
Index: jackrabbit-core/src/main/java/org/apache/jackrabbit/core/config/WorkspaceConfig.java
===================================================================
--- jackrabbit-core/src/main/java/org/apache/jackrabbit/core/config/WorkspaceConfig.java (revision 576808)
+++ jackrabbit-core/src/main/java/org/apache/jackrabbit/core/config/WorkspaceConfig.java (working copy)
@@ -58,6 +58,11 @@
private SearchConfig sc;
/**
+ * Workspace security configuration. Can be null.
+ */
+ private final WorkspaceSecurityConfig workspaceSecurityConfig;
+
+ /**
* Creates a workspace configuration object.
*
* @param home home directory
@@ -68,13 +73,14 @@
*/
public WorkspaceConfig(String home, String name, boolean clustered,
FileSystemConfig fsc, PersistenceManagerConfig pmc,
- SearchConfig sc) {
+ SearchConfig sc, WorkspaceSecurityConfig sec) {
this.home = home;
this.name = name;
this.clustered = clustered;
this.fsc = fsc;
this.pmc = pmc;
this.sc = sc;
+ this.workspaceSecurityConfig = sec;
}
/**
@@ -133,4 +139,11 @@
return sc;
}
+ /**
+ * @return workspace-specific security settings
+ * @see WorkspaceSecurityConfig
+ */
+ public WorkspaceSecurityConfig getSecurityConfig() {
+ return workspaceSecurityConfig;
+ }
}
Index: jackrabbit-core/src/main/java/org/apache/jackrabbit/core/config/WorkspaceSecurityConfig.java
===================================================================
--- jackrabbit-core/src/main/java/org/apache/jackrabbit/core/config/WorkspaceSecurityConfig.java (revision 0)
+++ jackrabbit-core/src/main/java/org/apache/jackrabbit/core/config/WorkspaceSecurityConfig.java (revision 0)
@@ -0,0 +1,56 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.config;
+
+/**
+ * Respresentation of workspace specific security settings.
+ */
+public class WorkspaceSecurityConfig {
+
+ /** configuration for ACLProviderFactory */
+ private final BeanConfig aclProvider;
+
+ /** configuration for CompiledACLProviderFactory */
+ private final BeanConfig compAclProvider;
+
+ /**
+ * @param aclProvider
+ * @param compAclProvider
+ */
+ public WorkspaceSecurityConfig(BeanConfig aclProvider,
+ BeanConfig compAclProvider) {
+ this.aclProvider = aclProvider;
+ this.compAclProvider = compAclProvider;
+ }
+
+ /**
+ * @return Factory configuration for the configured ACLProviderFactory.
+ * May be null, if optional configuration value is missing
+ */
+ public BeanConfig getAclProviderFactoryConfig() {
+ return aclProvider;
+ }
+
+ /**
+ * @return Factory configuration for the configured CompiledACLProviderFactory.
+ * May be null, if optional configuration value is missing
+ */
+ public BeanConfig getCompiledAclProviderFactoryConfig() {
+ return compAclProvider;
+ }
+
+}
Property changes on: jackrabbit-core\src\main\java\org\apache\jackrabbit\core\config\WorkspaceSecurityConfig.java
___________________________________________________________________
Name: svn:keywords
+ author date id rev url
Name: svn:eol-style
+ native
Index: jackrabbit-core/src/main/java/org/apache/jackrabbit/core/RepositoryImpl.java
===================================================================
--- jackrabbit-core/src/main/java/org/apache/jackrabbit/core/RepositoryImpl.java (revision 576808)
+++ jackrabbit-core/src/main/java/org/apache/jackrabbit/core/RepositoryImpl.java (working copy)
@@ -31,7 +31,6 @@
import org.apache.jackrabbit.core.config.ClusterConfig;
import org.apache.jackrabbit.core.config.DataStoreConfig;
import org.apache.jackrabbit.core.config.FileSystemConfig;
-import org.apache.jackrabbit.core.config.LoginModuleConfig;
import org.apache.jackrabbit.core.config.PersistenceManagerConfig;
import org.apache.jackrabbit.core.config.RepositoryConfig;
import org.apache.jackrabbit.core.config.VersioningConfig;
@@ -51,6 +50,8 @@
import org.apache.jackrabbit.core.persistence.PMContext;
import org.apache.jackrabbit.core.persistence.PersistenceManager;
import org.apache.jackrabbit.core.security.AuthContext;
+import org.apache.jackrabbit.core.security.JackrabbitSecurityManager;
+import org.apache.jackrabbit.core.security.SecurityConstants;
import org.apache.jackrabbit.core.state.CacheManager;
import org.apache.jackrabbit.core.state.ChangeLog;
import org.apache.jackrabbit.core.state.ItemStateCacheFactory;
@@ -67,6 +68,19 @@
import org.slf4j.LoggerFactory;
import org.xml.sax.InputSource;
+import javax.jcr.AccessDeniedException;
+import javax.jcr.Credentials;
+import javax.jcr.LoginException;
+import javax.jcr.NamespaceRegistry;
+import javax.jcr.NoSuchWorkspaceException;
+import javax.jcr.RepositoryException;
+import javax.jcr.Session;
+import javax.jcr.SimpleCredentials;
+import javax.jcr.observation.Event;
+import javax.jcr.observation.EventIterator;
+import javax.jcr.observation.EventListener;
+import javax.jcr.observation.ObservationManager;
+import javax.security.auth.Subject;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
@@ -83,19 +97,6 @@
import java.util.Properties;
import java.util.Set;
-import javax.jcr.AccessDeniedException;
-import javax.jcr.Credentials;
-import javax.jcr.LoginException;
-import javax.jcr.NamespaceRegistry;
-import javax.jcr.NoSuchWorkspaceException;
-import javax.jcr.RepositoryException;
-import javax.jcr.Session;
-import javax.jcr.observation.Event;
-import javax.jcr.observation.EventIterator;
-import javax.jcr.observation.EventListener;
-import javax.jcr.observation.ObservationManager;
-import javax.security.auth.Subject;
-
/**
* A RepositoryImpl ...
*/
@@ -147,6 +148,11 @@
private final VirtualNodeTypeStateManager virtNTMgr;
/**
+ * Security manager
+ */
+ private JackrabbitSecurityManager securityMgr;
+
+ /**
* Search manager for the jcr:system tree. May be null if
* none is configured.
*/
@@ -362,6 +368,26 @@
}
/**
+ * Returns the {@link org.apache.jackrabbit.core.security.JackrabbitSecurityManager SecurityManager}
+ * of this Repository
+ *
+ * @return the security manager
+ * @throws RepositoryException if an error occurs.
+ */
+ protected synchronized JackrabbitSecurityManager getSecurityManager()
+ throws RepositoryException {
+
+ if (securityMgr == null) {
+ SystemSession securitySession = getSystemSession(SecurityConstants.SYSTEM_WORKSPACE_NAME);
+ // mark system session as 'active' for that the system workspace does
+ // not get disposed by workspace-janitor
+ onSessionCreated(securitySession);
+ securityMgr = new DefaultSecurityManager(securitySession, this);
+ }
+ return securityMgr;
+ }
+
+ /**
* Creates the version manager.
*
* @param vConfig the versioning config
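Review bot: getSecurityManager() opens its system session on the constant `SecurityConstants.SYSTEM_WORKSPACE_NAME`, while initStartupWorkspaces() in the next hunk creates the workspace named by `repConfig.getSecurityConfig().getWorkspaceName()`. When the `workspaceName` attribute is set to anything other than the default, the security manager would be bound to a workspace this patch never creates and the configured one would go unused. Use the configured name in both places: `getSystemSession(repConfig.getSecurityConfig().getWorkspaceName())`. The `securityMgr` field is also read without the lock in the shutdown and dispose hunks although it is only written inside this synchronized method; a short comment on the field stating the intended locking would help.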
@@ -395,8 +421,13 @@
*/
protected void initStartupWorkspaces() throws RepositoryException {
String wspName = repConfig.getDefaultWorkspaceName();
+ String secWspName = repConfig.getSecurityConfig().getWorkspaceName();
try {
initWorkspace((WorkspaceInfo) wspInfos.get(wspName));
+ if(!wspInfos.containsKey(secWspName)) {
+ createWorkspace(secWspName);
+ log.info("created system workspace: {}", secWspName);
+ }
} catch (RepositoryException e) {
// if default workspace failed to initialize, shutdown again
log.error("Failed to initialize workspace '" + wspName + "'", e);
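Review bot: The new `createWorkspace(secWspName)` call sits inside the try block whose catch logs `"Failed to initialize workspace '" + wspName + "'"`, so a failure to create the security workspace is reported against the default workspace. Either give the security workspace its own try/catch or have the message name the workspace that actually failed, e.g. `log.error("Failed to create security workspace '" + secWspName + "'", e);`. Since this workspace holds the access control data, the creation is worth logging before the attempt as well as after it. The catch block continues outside the hunk.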
@@ -912,8 +943,56 @@
}
}
+ /**
+ * Tries to add Principals to a given subject:
+ * First Access the Subject from the current AccessControlContext,
+ * If Subject is found the LoginContext is evokoed for it, in order
+ * to possibly allow for extension of preauthenticated Subject.
+ * In contrast to a login with Credentials, a Session is created, even if the
+ * Authentication failed.
+ * If the {@link Subject} is marked to be unmodificable or if the
+ * authentication of the the Subject failed Session is build for unchanged
+ * Subject.
+ *
+ * @param workspaceName must not be null
+ * @return if a Subject is exsting null else
+ * @throws RepositoryException
+ * @throws AccessDeniedException
+ */
+ private Session extendAuthentication(String workspaceName)
+ throws RepositoryException, AccessDeniedException {
+
+ Subject subject = null;
+ try {
+ AccessControlContext acc = AccessController.getContext();
+ subject = Subject.getSubject(acc);
+ } catch (SecurityException se) {
+ log.error("login: can't check for preauthentication -> use credentials");
+ log.debug(" reason:", se);
+ }
+ if (subject==null) {
+ return null;
+ }
+ if (subject.isReadOnly()) {
+ log.debug("login: preauthenticated Subject is read-only -> create Session");
+ return createSession(subject, workspaceName);
+ }
+ log.debug("login: found preauthenticated Subject, try to extend authentication");
+
+ // login either using JAAS or our own LoginModule
+ AuthContext authCtx = getSecurityManager().getAuthContext(null, subject);
+ try {
+ authCtx.login();
+ return createSession(authCtx, workspaceName);
+
+ // subject could not be extended
+ } catch (javax.security.auth.login.LoginException e) {
+ log.debug("login: preauthentication could not be extended");
+ return createSession(subject, workspaceName);
+ }
+ }
+
//-------------------------------------------------< JackrabbitRepository >
-
/**
* Shuts down this repository. The shutdown is guarded by a shutdown lock
* that prevents any new sessions from being started simultaneously.
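Review bot: extendAuthentication() catches the SecurityException from `Subject.getSubject(acc)`, logs it and returns null, which the caller treats as "no pre-authenticated subject" and answers with an anonymous login attempt. Before this patch the same exception reached login()'s `catch (SecurityException se)` and surfaced as a LoginException, so the change turns "cannot read the authentication context" from a failure into a silent downgrade. I would let the SecurityException propagate (drop the try/catch) so the existing handler in login() keeps failing closed. The fallback after a failed `authCtx.login()` is logged at debug without the cause; `log.debug("login: preauthentication could not be extended", e);` keeps the reason available. The `@return` line is garbled and should read `@return a session for the pre-authenticated subject, or null if no subject is present`.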
@@ -948,6 +1027,10 @@
clusterNode.stop();
}
+ if (securityMgr != null) {
+ securityMgr.close();
+ }
+
// close active user sessions
// (copy sessions to array to avoid ConcurrentModificationException;
// manually copy entries rather than calling ReferenceMap#toArray() in
@@ -1204,25 +1287,22 @@
if (credentials == null) {
// null credentials, obtain the identity of the already-authenticated
// subject from access control context
- AccessControlContext acc = AccessController.getContext();
- Subject subject = Subject.getSubject(acc);
- if (subject != null) {
- return createSession(subject, workspaceName);
+ Session session = extendAuthentication(workspaceName);
+ if (session == null) {
+ log.debug("login: attempt to login without Credentials and Subject " +
+ "-> set emtpy Credentials to attemp anonymous");
+ credentials = new SimpleCredentials("", new char[0]);
+ } else {
+ return session;
}
}
- // login either using JAAS or our own LoginModule
- AuthContext authCtx;
- LoginModuleConfig lmc = repConfig.getLoginModuleConfig();
- if (lmc == null) {
- authCtx = new AuthContext.JAAS(repConfig.getAppName(), credentials);
- } else {
- authCtx = new AuthContext.Local(
- lmc.getLoginModule(), lmc.getParameters(), credentials);
- }
+ // login either using the LoginModule defined by the AuthContext
+ // not preauthenticated -> try login with credentials
+ AuthContext authCtx = getSecurityManager().getAuthContext(credentials);
authCtx.login();
-
// create session
return createSession(authCtx, workspaceName);
+
} catch (SecurityException se) {
throw new LoginException(
"Unable to access authentication information", se);
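Review bot: A `login(null, ...)` call with no Subject in the access control context now substitutes `new SimpleCredentials("", new char[0])` and proceeds. Whether that produces an anonymous session depends on the configured login module, which this hunk does not show. An implicit anonymous fallback is a policy decision and should be stated in login()'s Javadoc, which lies outside this hunk. It should also be logged at info rather than debug so operators can see how often sessions are opened without credentials. The message itself has typos (`emtpy`, `attemp`) that will end up in log searches. login() starts and ends outside the hunk.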
@@ -1860,6 +1940,12 @@
searchMgr = null;
}
+ // deregister
+ if (securityMgr != null) {
+ securityMgr.dispose(getName());
+ }
+
+
// close system session
if (systemSession != null) {
systemSession.removeListener(RepositoryImpl.this);
Index: jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/AMContext.java
===================================================================
--- jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/AMContext.java (revision 576808)
+++ jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/AMContext.java (working copy)
@@ -17,6 +17,9 @@
package org.apache.jackrabbit.core.security;
import org.apache.jackrabbit.core.HierarchyManager;
+import org.apache.jackrabbit.core.security.spi.CompiledACLProvider;
+import org.apache.jackrabbit.core.security.spi.WorkspaceACLProvider;
+import org.apache.jackrabbit.core.state.ItemStateManager;
import org.apache.jackrabbit.core.fs.FileSystem;
import org.apache.jackrabbit.name.NamespaceResolver;
@@ -62,6 +65,21 @@
private final String workspaceName;
/**
+ * The item state manager
+ */
+ private final ItemStateManager itemStateMgr;
+
+ /**
+ * The item ACL provider
+ */
+ private CompiledACLProvider compiledACLProvider;
+
+ /**
+ * The workspace ACL provider
+ */
+ private WorkspaceACLProvider wspACLProvider;
+
+ /**
* Creates a new AMContext.
*
* @param physicalHomeDir the physical home directory
@@ -77,12 +95,38 @@
HierarchyManager hierMgr,
NamespaceResolver nsResolver,
String workspaceName) {
+ this(physicalHomeDir, fs, subject, hierMgr, nsResolver, workspaceName, null, null, null);
+ }
+
+ /**
+ * Creates a new AMContext.
+ *
+ * @param physicalHomeDir the physical home directory
+ * @param fs the virtual jackrabbit filesystem
+ * @param subject subject whose access rights should be reflected
+ * @param itemStateMgr item state manager
+ * @param hierMgr hierarchy manager
+ * @param nsResolver namespace resolver
+ * @param workspaceName workspace name
+ */
+ public AMContext(File physicalHomeDir,
+ FileSystem fs,
+ Subject subject,
+ HierarchyManager hierMgr,
+ NamespaceResolver nsResolver,
+ String workspaceName,
+ ItemStateManager itemStateMgr,
+ CompiledACLProvider compiledACLProvider,
+ WorkspaceACLProvider wspACLProvider) {
this.physicalHomeDir = physicalHomeDir;
this.fs = fs;
this.subject = subject;
+ this.itemStateMgr = itemStateMgr;
this.hierMgr = hierMgr;
this.nsResolver = nsResolver;
this.workspaceName = workspaceName;
+ this.compiledACLProvider = compiledACLProvider;
+ this.wspACLProvider = wspACLProvider;
}
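Review bot: The Javadoc of the new nine-argument constructor omits two of its parameters and lists the others in a different order than the signature. `itemStateMgr` is documented between `subject` and `hierMgr` but is declared after `workspaceName`, and `compiledACLProvider` and `wspACLProvider` have no `@param` at all. The old constructor now delegates with `null, null, null`, so each of the three new getters can return null; add `(can be null)` to the three `@param` lines and to the getters' `@return` lines. The two provider fields in the previous hunk are assigned only in this constructor and could be `final` like `itemStateMgr`.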
@@ -139,4 +183,31 @@
public String getWorkspaceName() {
return workspaceName;
}
+
+ /**
+ * Returns the item state manager.
+ *
+ * @return the item state manager.
+ */
+ public ItemStateManager getItemStateManager() {
+ return itemStateMgr;
+ }
+
+ /**
+ * Returns the provider for compiled ACLs.
+ *
+ * @return the provider for compiled ACLs.
+ */
+ public CompiledACLProvider getCompiledACLProvider() {
+ return compiledACLProvider;
+ }
+
+ /**
+ * Returns the provider for workspace ACLs.
+ *
+ * @return the provider for workspace ACLs.
+ */
+ public WorkspaceACLProvider getWorkspaceACLProvider() {
+ return wspACLProvider;
+ }
}
Index: jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/AuthContext.java
===================================================================
--- jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/AuthContext.java (revision 576808)
+++ jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/AuthContext.java (working copy)
@@ -16,6 +16,9 @@
*/
package org.apache.jackrabbit.core.security;
+import org.apache.jackrabbit.core.security.authentication.JAASAuthContext;
+import org.apache.jackrabbit.core.security.authentication.LocalAuthContext;
+
import javax.jcr.Credentials;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
@@ -30,11 +33,10 @@
*
* This class is abstract and has two implementations:
*
LoginContextLoginContextLoginModuleLoginContext.
+ *
+ * @deprecated Use {@link org.apache.jackrabbit.core.security.authentication.JAASAuthContext} instead
*/
public static class JAAS extends AuthContext {
@@ -106,6 +110,8 @@
/**
* An {@link AuthContext} implemented using a particular LoginModule.
+ *
+ * @deprecated Use {@link org.apache.jackrabbit.core.security.authentication.LocalAuthContext} instead.
*/
public static class Local extends AuthContext {
private final LoginModule module;
@@ -118,7 +124,6 @@
*
* @param module the login module
* @param options login module options
- * @param config the login module configuration
* @param creds the credentials
*/
public Local(LoginModule module, Map options, Credentials creds) {
Index: jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/CredentialsCallback.java
===================================================================
--- jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/CredentialsCallback.java (revision 0)
+++ jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/CredentialsCallback.java (revision 0)
@@ -0,0 +1,47 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security.authentication;
+
+import javax.jcr.Credentials;
+import javax.security.auth.callback.Callback;
+import java.io.Serializable;
+
+/**
+ * A CredentialsCallback
+ */
+public class CredentialsCallback implements Callback, Serializable {
+
+ private Credentials credentials;
+
+ /**
+ * Get the retrieved credentials.
+ *
+ * @return the retrieved credentials (which may be null)
+ */
+ public Credentials getCredentials() {
+ return credentials;
+ }
+
+ /**
+ * Set the retrieved credentials.
+ *
+ * @param credentials the retrieved credentials (which may be null)
+ */
+ public void setCredentials(Credentials credentials) {
+ this.credentials = credentials;
+ }
+}
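Review bot: CredentialsCallback is declared `Serializable` while its only state is the `Credentials` object, so serializing a callback instance writes the credentials, including any password they carry, into the stream. Nothing visible in this patch serializes the callback. If no code path requires it, drop `Serializable`, or declare the field `private transient Credentials credentials;`. If serialization is required, the class needs a `serialVersionUID` and a class comment explaining why. The class Javadoc `A CredentialsCallback` should say who sets the credentials and who reads them.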
Property changes on: jackrabbit-core\src\main\java\org\apache\jackrabbit\core\security\authentication\CredentialsCallback.java
___________________________________________________________________
Name: svn:keywords
+ author date id rev url
Name: svn:eol-style
+ native
Index: jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/CredentialsCallbackHandler.java
===================================================================
--- jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/CredentialsCallbackHandler.java (revision 0)
+++ jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/CredentialsCallbackHandler.java (revision 0)
@@ -0,0 +1,93 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security.authentication;
+
+import org.apache.jackrabbit.api.JackrabbitSession;
+import org.apache.jackrabbit.core.security.SecurityConstants;
+import org.apache.jackrabbit.core.security.principal.PrincipalProviderRegistry;
+
+import javax.jcr.Credentials;
+import javax.jcr.SimpleCredentials;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import java.io.IOException;
+
+/**
+ * Callbackhandle that deals with the following callbacks:
+ * null if not set.
+ */
+ public Subject getImpersonator() {
+ return impersonator;
+ }
+}
Property changes on: jackrabbit-core\src\main\java\org\apache\jackrabbit\core\security\authentication\ImpersonationCallback.java
___________________________________________________________________
Name: svn:keywords
+ author date id rev url
Name: svn:eol-style
+ native
Index: jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/JAASAuthContext.java
===================================================================
--- jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/JAASAuthContext.java (revision 0)
+++ jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/JAASAuthContext.java (revision 0)
@@ -0,0 +1,87 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security.authentication;
+
+import org.apache.jackrabbit.core.security.AuthContext;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+import java.security.Principal;
+
+/**
+ * Implements the common {@link AuthContext} interface for the JAAS environment.
+ *
+ * @see AuthContext
+ */
+public class JAASAuthContext extends AuthContext {
+
+ private LoginContext context;
+
+ private Principal everyone;
+
+ /**
+ * @param appName application name in JAAS Login-Configuration to use
+ * @param cbHandler CallbackHandler for login-modules
+ * @param subject to extend authentication
+ * @param everyone Principal to be assigned to every authenticated subject
+ */
+ JAASAuthContext(String appName,
+ CallbackHandler cbHandler,
+ Subject subject,
+ Principal everyone) {
+
+ // make sure we are using our own context class loader when we
+ // instantiate a LoginContext. See bug# 14329.
+ Thread current = Thread.currentThread();
+ ClassLoader orig = current.getContextClassLoader();
+ try {
+ current.setContextClassLoader(JAASAuthContext.class.getClassLoader());
+ if (null == subject) {
+ this.context = new LoginContext(appName, cbHandler);
+ } else {
+ this.context = new LoginContext(appName, subject, cbHandler);
+ }
+ this.everyone = everyone;
+ } catch (LoginException e) {
+ //all caseses it is thrown are checked -> ignore
+ } finally {
+ current.setContextClassLoader(orig);
+ }
+ }
+
+ public void login() throws LoginException {
+ context.login();
+
+ //assert that a proper logged in subject is an everyone.
+ if (!getSubject().isReadOnly()) {
+ getSubject().getPrincipals().add(everyone);
+ }
+ }
+
+ public Subject getSubject() {
+ return context.getSubject();
+ }
+
+ public void logout() throws LoginException {
+ if (!getSubject().isReadOnly()) {
+ getSubject().getPrincipals().remove(everyone);
+ }
+ context.logout();
+ }
+}
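Review bot: The JAASAuthContext constructor swallows the LoginException from `new LoginContext(...)`, leaving `context` null, so the first call to login(), getSubject() or logout() fails with a NullPointerException instead of an authentication error. The comment says all cases are checked, but LoginContext also throws when the JAAS configuration has no entry for `appName`, which depends on deployment and cannot be ruled out here. Keep the exception and rethrow it from login(): store it with `initFailure = e;` in the catch and start login() with `if (context == null) { throw initFailure; }`. `everyone` is assigned inside the try block and is added to the principal set unconditionally; a null `everyone` would presumably be rejected by the Subject's principal set, so the constructor should check it or the Javadoc should state that it must not be null.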
Property changes on: jackrabbit-core\src\main\java\org\apache\jackrabbit\core\security\authentication\JAASAuthContext.java
___________________________________________________________________
Name: svn:keywords
+ author date id rev url
Name: svn:eol-style
+ native
Index: jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/LocalAuthContext.java
===================================================================
--- jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/LocalAuthContext.java (revision 0)
+++ jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/LocalAuthContext.java (revision 0)
@@ -0,0 +1,114 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security.authentication;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.apache.jackrabbit.core.config.LoginModuleConfig;
+import org.apache.jackrabbit.core.config.ConfigurationException;
+import org.apache.jackrabbit.core.security.AuthContext;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.login.FailedLoginException;
+import javax.security.auth.login.LoginException;
+import javax.security.auth.spi.LoginModule;
+import java.security.Principal;
+import java.util.HashMap;
+
+/**
+ * Provide AuthContext interface, for a JAAS-LoginModule not running in
+ * a {@link javax.security.auth.login.LoginContext}
+ *
+ * @see AuthContext
+ */
+public class LocalAuthContext extends AuthContext {
+
+ private static final Logger log = LoggerFactory.getLogger(LocalAuthContext.class);
+
+ private Subject subject;
+
+ private LoginModuleConfig config;
+
+ private LoginModule module;
+
+ private final CallbackHandler cbHandler;
+
+ private final Principal everyone;
+
+ /**
+ * Create Context and set Subject to extend its authentication
+ *
+ * @param config Condiguration to be used for the LoginModule
+ * @param cbHandler CallbackHandler for the LoginModule
+ * @param subject Subject if a pre-authenticated exists
+ * @param everyone Principal to be assigned to every authentciated subject
+ */
+ LocalAuthContext(LoginModuleConfig config,
+ CallbackHandler cbHandler,
+ Subject subject,
+ Principal everyone) {
+ this.config = config;
+ this.cbHandler = cbHandler;
+ this.subject = (null == subject) ? new Subject() : subject;
+ this.everyone = everyone;
+ }
+
+ public void login() throws LoginException {
+ try {
+ module = config.getLoginModule();
+ } catch (ConfigurationException e) {
+ throw new LoginException(e.getMessage());
+ }
+ module.initialize(subject,
+ cbHandler,
+ new HashMap(),
+ config.getParameters());
+ try {
+ if (module.login() && module.commit()) {
+ if (!subject.isReadOnly()) {
+ subject.getPrincipals().add(everyone);
+ }
+ } else {
+ throw new FailedLoginException("LoginModule ignored Credentials");
+ }
+ } catch (LoginException le) {
+ module.abort();
+ throw le;
+ } catch (Exception e) {
+ module.abort();
+ LoginException le = new LoginException("LoginModule could not perform authentication: " +
+ e.getMessage());
+ le.initCause(e);
+ log.debug("Login failed to runtime-exception: ", e);
+ throw le;
+ }
+ }
+
+ public Subject getSubject() {
+ return subject;
+ }
+
+ public void logout() throws LoginException {
+ if (subject != null) {
+ if (!subject.isReadOnly()) {
+ subject.getPrincipals().remove(everyone);
+ }
+ module.logout();
+ }
+ }
+}
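Review bot: `logout()` guards on `subject != null`, but the constructor guarantees a non-null subject while `module` stays null until `login()` has fetched it from `config.getLoginModule()`, so a logout without a prior successful lookup ends in a NullPointerException rather than a LoginException. Guarding on the module instead, `if (module != null) { module.logout(); }`, avoids that. In `login()`, both catch blocks call `module.abort()`, which is itself declared to throw LoginException, so a failing abort replaces the original failure that the caller needs to see. The ConfigurationException branch also drops the cause; `LoginException le = new LoginException(e.getMessage()); le.initCause(e); throw le;` would keep it, matching the generic catch below it.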
Property changes on: jackrabbit-core\src\main\java\org\apache\jackrabbit\core\security\authentication\LocalAuthContext.java
___________________________________________________________________
Name: svn:keywords
+ author date id rev url
Name: svn:eol-style
+ native
Index: jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/RepositoryCallback.java
===================================================================
--- jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/RepositoryCallback.java (revision 0)
+++ jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/RepositoryCallback.java (revision 0)
@@ -0,0 +1,49 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security.authentication;
+
+import org.apache.jackrabbit.api.JackrabbitSession;
+import org.apache.jackrabbit.core.security.principal.PrincipalProviderRegistry;
+
+import javax.jcr.Session;
+import javax.security.auth.callback.Callback;
+
+/**
+ * Callback for a {@link javax.security.auth.callback.CallbackHandler} to ask for
+ * a {@link Session} to access the {@link javax.jcr.Repository}
+ */
+public class RepositoryCallback implements Callback {
+
+ private JackrabbitSession session;
+ private PrincipalProviderRegistry principalProviderRegistry;
+
+ void setSession(JackrabbitSession session) {
+ this.session = session;
+ }
+
+ public JackrabbitSession getSession() {
+ return session;
+ }
+
+ void setPrincipalProviderRegistry(PrincipalProviderRegistry principalProviderRegistry) {
+ this.principalProviderRegistry = principalProviderRegistry;
+ }
+
+ public PrincipalProviderRegistry getPrincipalProviderRegistry() {
+ return principalProviderRegistry;
+ }
+}
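Review bot: The class Javadoc describes only the Session, yet the callback also carries a `PrincipalProviderRegistry`, and neither getter says that it returns null until the handler has called the package-private setter. Because `getSession()` is public and hands a repository session to whichever LoginModule receives the callback, the Javadoc should state which session the handler supplies and what a module is allowed to do with it. The handler is outside this hunk, so whether it is a privileged session cannot be told from here. A comment such as `/** @return the session set by the handler, or null if the callback has not been handled yet */` on each getter would cover the null case.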
Property changes on: jackrabbit-core\src\main\java\org\apache\jackrabbit\core\security\authentication\RepositoryCallback.java
___________________________________________________________________
Name: svn:keywords
+ author date id rev url
Name: svn:eol-style
+ native
Index: jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitSecurityManager.java
===================================================================
--- jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitSecurityManager.java (revision 0)
+++ jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitSecurityManager.java (revision 0)
@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security;
+
+import org.apache.jackrabbit.security.ACLManager;
+import org.apache.jackrabbit.security.PrincipalManager;
+import org.apache.jackrabbit.security.UserManager;
+
+import javax.jcr.Credentials;
+import javax.jcr.RepositoryException;
+import javax.jcr.Session;
+import javax.security.auth.Subject;
+
+/**
+ * JackrabbitSecurityManager...
+ */
+public interface JackrabbitSecurityManager {
+
+ public AuthContext getAuthContext(Credentials creds) throws RepositoryException;
+
+ public AuthContext getAuthContext(Credentials creds, Subject subject) throws RepositoryException;
+
+ public AccessManager getAccessManager(Session session) throws RepositoryException;
+
+ public ACLManager getACLManager(Session session, Subject subject) throws RepositoryException;
+
+ /**
+ * Retrieve the principal manager for the given session
+ *
+ * @param session
+ * @param subject
+ * @return PrincipalManager a principal manager
+ * @throws RepositoryException if an error occurs
+ */
+ public PrincipalManager getPrincipalManager(Session session, Subject subject) throws RepositoryException;
+
+ public UserManager getUserManager(Session session) throws RepositoryException;
+
+ /**
+ * Dispose those parts of this security manager that are related to the
+ * workspace indicated by the given workspaceName.
+ *
+ * @param workspaceName Name of the workspace that is being disposed.
+ */
+ public void dispose(String workspaceName);
+
+ /**
+ * Dispose this security manager instance and clean all internal caches.
+ */
+ public void close();
+
+}
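Review bot: The interface Javadoc is still the placeholder `JackrabbitSecurityManager...`, and `getAuthContext`, `getAccessManager`, `getACLManager` and `getUserManager` carry no documentation, although they are the entry points for authentication and access control. Each should say what it returns and when it throws, and the overloads taking a `Subject` should say whether null is accepted and what a pre-populated subject means for the authentication that follows. `getPrincipalManager` has empty `@param session` and `@param subject` tags that need the same treatment. The `public` modifiers on the interface methods are redundant and can be dropped.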
Property changes on: jackrabbit-core\src\main\java\org\apache\jackrabbit\core\security\JackrabbitSecurityManager.java
___________________________________________________________________
Name: svn:keywords
+ author date id rev url
Name: svn:eol-style
+ native
Index: jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/SecurityConstants.java
===================================================================
--- jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/SecurityConstants.java (revision 576808)
+++ jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/SecurityConstants.java (working copy)
@@ -16,6 +16,8 @@
*/
package org.apache.jackrabbit.core.security;
+import org.apache.jackrabbit.name.QName;
+
/**
* This interface defines miscellaneous security related constants.
*/
@@ -30,4 +32,98 @@
*/
String IMPERSONATOR_ATTRIBUTE =
"org.apache.jackrabbit.core.security.impersonator";
+
+
+ /**
+ * name of the workspace, containing system data, like users etc
+ */
+ String SYSTEM_WORKSPACE_NAME = "system";
+
+ /**
+ * Default encryption for user password
+ */
+ String DEFAULT_ENCRYPTION = "sha1";
+
+ //-----------------------------------------------------< property names >---
+ String P_PRINCIPAL_NAME = "rep:principalName";
+ String P_REFEREE = "rep:referee";
+ String P_MEMBER = "rep:member";
+ String P_EMAIL = "rep:e-mail";
+ String P_USERID = "rep:userId";
+ String P_FULLNAME = "rep:fullname";
+ String P_PASSWORD = "rep:password";
+ String P_CREDENTIALS = "rep:credentials";
+
+ String P_ACTIONS = "rep:actions";
+ String P_PRINCIPAL = "rep:principal";
+ //---------------------------------------------------------< node names >---
+ // rep:acl node name
+ String N_REP_ACL = "rep:acl";
+ QName QN_REP_ACL = new QName(QName.NS_REP_URI, "acl");
+
+ /**
+ * Name of the child node containing sudoers.
+ */
+ String N_SUDOERS = "rep:sudoers";
+ // Node type names
+ String NT_REP_AUTHORIZABLE = "rep:Authorizable";
+ String NT_REP_AUTHORIZABLE_FOLDER = "rep:AuthorizableFolder";
+ String NT_REP_USER = "rep:User";
+ String NT_REP_GROUP = "rep:Group";
+ String NT_REP_SUDOERS = "rep:Sudoers";
+
+ // rep:AccessControllable nodetype
+ String NT_REP_ACCESS_CONTROLLABLE = "rep:AccessControllable";
+ QName QNT_REP_ACCESS_CONTROLLABLE = new QName(QName.NS_REP_URI, "AccessControllable");
+
+ // rep:ACL nodetype
+ String NT_REP_ACL = "rep:ACL";
+ QName QNT_REP_ACL = new QName(QName.NS_REP_URI, "ACL");
+
+ // rep:ACE nodetype
+ String NT_REP_ACE = "rep:ACE";
+ QName QNT_REP_ACE = new QName(QName.NS_REP_URI, "ACE");
+
+ // rep:GrantACE nodetype
+ String NT_REP_GRANT_ACE = "rep:GrantACE";
+ QName QNT_REP_GRANT_ACE = new QName(QName.NS_REP_URI, "GrantACE");
+
+ // rep:DenyACE nodetype
+ String NT_REP_DENY_ACE = "rep:DenyACE";
+ QName QNT_REP_DENY_ACE = new QName(QName.NS_REP_URI, "DenyACE");
+
+ //--------------------------------------------------< various constants >---
+ /**
+ * The name of the administrator.
+ */
+ String ADMIN_ID = "admin";
+ /**
+ * The name of the anonymous.
+ */
+ String ANONYMOUS_ID = "anonymous";
+
+ /**
+ * Name of the 'everyone' special principal
+ */
+ String EVERYONE_NAME = "everyone";
+
+ /**
+ * root-path to security related content e.g. principals
+ */
+ String SECURITY_ROOT_PATH = "/rep:security";
+ String AUTHORIZABLES_PATH = SECURITY_ROOT_PATH + "/rep:authorizables";
+ String USERS_PATH = AUTHORIZABLES_PATH + "/rep:users";
+ String GROUPS_PATH = AUTHORIZABLES_PATH + "/rep:groups";
+ String ADMIN_PATH = USERS_PATH + "/" + ADMIN_ID;
+
+ /**
+ * relative path to the sudoers ACL node
+ */
+ String SUDOERS_PATH = "rep:sudoers";
+
+ /**
+ * To be used for the encryption. E.g. for passwords in
+ * {@link javax.jcr.SimpleCredentials#getPassword()} SimpleCredentials}
+ */
+ String DEFAULT_DIGEST = "sha1";
}
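Review bot: `DEFAULT_ENCRYPTION = "sha1"` is documented as the default for user passwords, and a single fast digest is a weak choice for stored passwords. How the constant is consumed is outside this hunk, so whether a salt or an iteration count is applied cannot be confirmed here. If the consuming code allows it, the default should name a salted, iterated scheme, and the constant should not be called "encryption" when it names a digest. `DEFAULT_DIGEST` repeats the same value with an overlapping purpose, and `N_SUDOERS` and `SUDOERS_PATH` are both `"rep:sudoers"`; one of each pair should be defined in terms of the other so they cannot drift apart. The Javadoc on `DEFAULT_DIGEST` has an unbalanced link and should read `{@link javax.jcr.SimpleCredentials#getPassword() SimpleCredentials}`.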
Index: jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/SimpleLoginModule.java
===================================================================
--- jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/SimpleLoginModule.java (revision 576808)
+++ jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/SimpleLoginModule.java (working copy)
@@ -16,6 +16,8 @@
*/
package org.apache.jackrabbit.core.security;
+import org.apache.jackrabbit.core.security.authentication.CredentialsCallback;
+
import javax.jcr.Credentials;
import javax.jcr.SimpleCredentials;
import javax.security.auth.Subject;
Index: jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/spi/ACLEditor.java
===================================================================
--- jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/spi/ACLEditor.java (revision 0)
+++ jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/spi/ACLEditor.java (revision 0)
@@ -0,0 +1,65 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security.spi;
+
+import org.apache.jackrabbit.core.ItemId;
+import org.apache.jackrabbit.security.ACLTemplate;
+
+import javax.jcr.RepositoryException;
+
+/**
+ * ACLEditor is used to edit the ACLs provided by the respective
+ * service.
+ */
+public interface ACLEditor {
+
+ /**
+ * Retrieves an editable acl for the respective item. The returned ACL is
+ * detached from the actual ACLProvider and is only an
+ * external representation. Thus any modification will not take effect,
+ * until it is {@link #setAcl(ItemId, ACLTemplate) stored} again.
+ *
+ * Compared to the ACL returned by {@link ACLProvider#getAcl(ItemId)}, the scope of the
+ * editable ACL it limited to the item and does not include inherited ACLs.
+ *
+ * @param id the id of the item to retrieve the ACL for
+ * @return the ACLTemplate or null if non defined.
+ *
+ * @throws RepositoryException if an error occurs
+ */
+ ACLTemplate editAcl(ItemId id) throws RepositoryException;
+
+ /**
+ * Stores the editable acl to the respective item.
+ *
+ * @param id the id of the item to store the acl for
+ * @param acl the acl to store.
+ *
+ * @throws RepositoryException if an error occurs
+ */
+ void setAcl(ItemId id, ACLTemplate acl) throws RepositoryException;
+
+ /**
+ * Removes the acl from the respective item.
+ *
+ * @param id the id of the item to remove the acl from.
+ *
+ * @throws RepositoryException if an error occurs
+ */
+ void removeAcl(ItemId id) throws RepositoryException;
+
+}
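Review bot: None of the three methods takes a Session or Subject, so nothing in these signatures ties `setAcl` or `removeAcl` to a permission check, and the Javadoc does not say who performs one. Presumably the caller is expected to verify that the acting subject may modify the item's ACL before calling the editor. That should be written into the interface Javadoc, for example `Implementations do not check permissions; callers must verify that the subject may modify the ACL of the item.` `setAcl` should also state whether a null `acl` is rejected or treated like `removeAcl`.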
Property changes on: jackrabbit-core\src\main\java\org\apache\jackrabbit\core\security\spi\ACLEditor.java
___________________________________________________________________
Name: svn:keywords
+ author date id rev url
Name: svn:eol-style
+ native
Index: jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/spi/ACLProvider.java
===================================================================
--- jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/spi/ACLProvider.java (revision 0)
+++ jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/spi/ACLProvider.java (revision 0)
@@ -0,0 +1,85 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security.spi;
+
+import org.apache.jackrabbit.core.ItemId;
+import org.apache.jackrabbit.security.ACL;
+
+import javax.jcr.Node;
+import javax.jcr.RepositoryException;
+
+/**
+ * The ACLProvider is used to provide ACL objects for Items in a single workspace.
+ * The ACLs and thus the ACLProvider are not bound to a session/subject.
+ *
+ * How the ACLs are retrieved is an implementation issue but must stick to the
+ * following rules:
+ * Node is considered access controlled if an ACL has
+ * been explicitely assigned to it.Property item. Therefore, if the
+ * given ItemId refers to a Property, the ACL that applies to its direct
+ * ancestor Node will be returned.
+ * Node that is not access controlled may inherit the ACL. The
+ * means of inheritance is an implementation detail. For example the ACL could
+ * be inherited from the closest access controlled ancestor.
+ * Node has no effective ACL, in
+ * which case null or some implementation specific default value is
+ * returned.
+ * null and the respective compiled acl provider or the access
+ * manager itself must handle those cases correctly. It is advisable that the
+ * ACL of the closest access controlled item is used.null is returned.
+ *
+ * @param itemId the id of the repository item the acl should be returned from.
+ * @return ACL applicable for this {@link Node} ot null.
+ *
+ * @throws RepositoryException
+ */
+ ACL getAcl(ItemId itemId) throws RepositoryException;
+
+ /**
+ * Returns the ACL editor for this provider or null if the ACLs
+ * cannot be edited.
+ *
+ * @return the ACL editor or null
+ */
+ ACLEditor getEditor();
+
+ /**
+ * Closes this provider when it is no longer used by the respective
+ * workspace. The implementation can release eventual resources bound to
+ * this provider.
+ */
+ void close();
+}
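Review bot: `getAcl` is documented to return null, or an implementation-specific default, when a node has no effective ACL. The text leaves the handling to "the respective compiled acl provider or the access manager", which does not tell a caller whether null means deny or allow. The Javadoc should fix that contract, with deny as the safe reading, e.g. `@return the applicable ACL, or null if none applies; callers must treat null as granting no access`. The same applies to `CompiledACLProvider.getAcl(NodeId)` later in this patch, which returns null for a node that is not yet persisted. Parts of this Javadoc, and the interface declaration line, appear to be missing in this view, so the rule list may say more than is visible here.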
Property changes on: jackrabbit-core\src\main\java\org\apache\jackrabbit\core\security\spi\ACLProvider.java
___________________________________________________________________
Name: svn:keywords
+ author date id rev url
Name: svn:eol-style
+ native
Index: jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/spi/ACLProviderFactory.java
===================================================================
--- jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/spi/ACLProviderFactory.java (revision 0)
+++ jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/spi/ACLProviderFactory.java (revision 0)
@@ -0,0 +1,79 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security.spi;
+
+import org.apache.jackrabbit.core.security.JackrabbitSecurityManager;
+
+import javax.jcr.RepositoryException;
+import javax.jcr.Session;
+import javax.security.auth.Subject;
+
+/**
+ * The acl providerfactory is used to create {@link ACLProvider}s for a
+ * given workspace. If a provider is no longer used by the workspace, it is
+ * {@link ACLProvider#close() closed} and the factory could release eventual
+ * resources bound to the provider.
+ *
+ * The factory does not need to cache the created {@link ACLProvider}s. They
+ * are used during the entire lifetime of their workspace, and are cached
+ * together with the respective workspace related objects by the repository
+ * implementation.
+ *
+ * The {@link ACLProvider}s are requested using a {@link Session system Session}. The
+ * system sessions have a distinct access controll mechanism in order to prevent
+ * chicken-egg problems when setting up security for a workspace.
+ */
+public interface ACLProviderFactory {
+
+ /**
+ * Initalize the Factory with JackrabbitSecurityManager.
+ * This allows to access Repsoitory's Security objects
+ *
+ * @param securityManager
+ */
+ void init(JackrabbitSecurityManager securityManager) throws RepositoryException;
+
+ /**
+ * Dispose this ACLProviderFactory and its resources.
+ *
+ * @throws RepositoryException if an error occurs.
+ */
+ void close() throws RepositoryException;
+
+ /**
+ * Creates an ACLProvider for the workspace of the given system session.
+ * If this factory does not feel responsible for this workspace,
+ * null should be returned.
+ *
+ * @param systemSession the system session on the workspace the ACLs are needed
+ * @return a new ACLProvider
+ * @throws RepositoryException if an error occurs
+ */
+ ACLProvider createACLProvider(Session systemSession) throws RepositoryException;
+
+ /**
+ * Creates an compiled ACL provider for the given subject and workspace.null should be returned.
+ *
+ * @param subject
+ * @param workspaceName
+ * @return a new CompiledACLProvider
+ * @throws RepositoryException if an error occurs
+ */
+ CompiledACLProvider createCompiledACLProvider(Subject subject, String workspaceName) throws RepositoryException;
+}
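Review bot: `createACLProvider` says that null should be returned when the factory is not responsible for the workspace, but its `@return` tag reads `a new ACLProvider`, so the null case is easy to miss. `@return a new ACLProvider, or null if this factory does not handle the workspace` would match the description. `createCompiledACLProvider` has empty `@param subject` and `@param workspaceName` tags and a description that runs into `null should be returned` without saying when. `init` has an empty `@param securityManager` and no `@throws`, and the Javadoc does not say whether `init` must be called before either create method.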
Property changes on: jackrabbit-core\src\main\java\org\apache\jackrabbit\core\security\spi\ACLProviderFactory.java
___________________________________________________________________
Name: svn:keywords
+ author date id rev url
Name: svn:eol-style
+ native
Index: jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/spi/CompiledACL.java
===================================================================
--- jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/spi/CompiledACL.java (revision 0)
+++ jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/spi/CompiledACL.java (revision 0)
@@ -0,0 +1,65 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security.spi;
+
+import org.apache.jackrabbit.security.ACL;
+import org.apache.jackrabbit.security.ActionSet;
+
+import javax.jcr.RepositoryException;
+import javax.security.auth.Subject;
+
+/**
+ * The compiled ACL is an optimization of the ACL for a specific subject.
+ * This means that it can be expected to contain only ACL information relevant
+ * for the subject.
+ *
+ * @see CompiledACLProvider
+ * @see ACL
+ */
+public interface CompiledACL {
+
+ /**
+ * Returns the subject this ACL was compiled for.
+ *
+ * @return the subject.
+ */
+ Subject getSubject();
+
+ /**
+ * Returns the ActionSet that this ACL allows.
+ * @return the ActionSet
+ */
+ ActionSet getActionSet() throws RepositoryException;
+
+ /**
+ * Checks if this ACL is used to protect an item that is used for building
+ * and ACL itself, e.g. a rep:ACL Node.
+ *
+ * @return true if this ACL is used to protect an ACL;
+ * false otherwise.
+ */
+ boolean protectsACL();
+
+ /**
+ * Checks if all of the actions are granted
+ *
+ * @param actions
+ * @return true if this ACL grants all of the given actions
+ */
+ boolean grants(ActionSet actions);
+
+}
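Review bot: `grants(ActionSet actions)` declares no exception while `getActionSet()` throws RepositoryException, so an implementation that hits a repository error during evaluation has to pick a return value, and the Javadoc does not say which. It should state that such a failure yields false, and what is returned for a null or empty `actions`, since "all of the actions are granted" is vacuously true for an empty set. Suggested wording: `@return true only if every action in the given set is granted; false otherwise, including when evaluation fails`. The `@param actions` tag is empty and `getActionSet` lacks a `@throws` tag.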
Property changes on: jackrabbit-core\src\main\java\org\apache\jackrabbit\core\security\spi\CompiledACL.java
___________________________________________________________________
Name: svn:keywords
+ author date id rev url
Name: svn:eol-style
+ native
Index: jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/spi/CompiledACLProvider.java
===================================================================
--- jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/spi/CompiledACLProvider.java (revision 0)
+++ jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/spi/CompiledACLProvider.java (revision 0)
@@ -0,0 +1,55 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security.spi;
+
+import org.apache.jackrabbit.core.NodeId;
+
+import javax.jcr.RepositoryException;
+import javax.security.auth.Subject;
+
+/**
+ * The CompiledACLProvider is used to provide compiled ACL objects for
+ * repository items. The provided ACLs are 'compiled' for the subject of the
+ * session.
+ */
+public interface CompiledACLProvider {
+
+ /**
+ * Returns the ACL that applies for the Node identified by the
+ * given NodeId.
+ *
+ * @param nodeId
+ * @return ACL effective for the Node identified by the given
+ * NodeId or null if no Node exists with the given
+ * nodeId e.g. if it hasn't been persisted yet and is therefore
+ * not known to the CompiledACLProvider which is not bound to a particular Session.
+ * @throws RepositoryException
+ */
+ CompiledACL getAcl(NodeId nodeId) throws RepositoryException;
+
+ /**
+ * Returns the subject this provider was build for
+ * @return the subject
+ */
+ Subject getSubject();
+
+ /**
+ * Closes this provider. Implementations can then savely release any
+ * bound resources.
+ */
+ void close();
+}
Property changes on: jackrabbit-core\src\main\java\org\apache\jackrabbit\core\security\spi\CompiledACLProvider.java
___________________________________________________________________
Name: svn:keywords
+ author date id rev url
Name: svn:eol-style
+ native
Index: jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/spi/PrincipalProvider.java
===================================================================
--- jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/spi/PrincipalProvider.java (revision 0)
+++ jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/spi/PrincipalProvider.java (revision 0)
@@ -0,0 +1,137 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security.spi;
+
+import org.apache.jackrabbit.security.ActionSet;
+import org.apache.jackrabbit.security.PrincipalIterator;
+import org.apache.jackrabbit.security.PrincipalManager;
+
+import javax.security.auth.Subject;
+import java.security.Principal;
+import java.security.acl.Group;
+import java.util.Properties;
+
+/**
+ * This interface defines methods to provide access to sources of
+ * {@link Principal}s. This allows the security framework share any external
+ * sources for authorization and authentication, as may be used by a custom
+ * {@link javax.security.auth.spi.LoginModule} for example.
+ *
+ * @see PrincipalManager for more details about principals, users and groups.
+ */
+public interface PrincipalProvider {
+
+ /**
+ * Checks if the principal with the given name is known to this provider.
+ *
+ * @param principalName the name of the principal to check
+ * @return return true if the principal with this name is known
+ * to this provider; false otherwise.
+ */
+ boolean hasPrincipal(String principalName);
+
+ /**
+ * Returns the principal with the given name if is known to this provider
+ *
+ * @param principalName the name of the principal to retrieve
+ * @return return the requested principal or null
+ */
+ Principal getPrincipal(String principalName);
+
+ /**
+ * Searches for Principals that match the given String.
+ * NOTE: Groups are included in the search result.
+ *
+ * @param simpleFilter
+ * @return
+ * @see #searchPrincipal(String,int)
+ */
+ PrincipalIterator searchPrincipal(String simpleFilter);
+
+ /**
+ * Searches for Principals that match the given String.
+ *
+ * @param simpleFilter
+ * @param searchType searchType Any of the following constants:
+ * {@link Group#isMember(Principal)}
+ * evaluates to true. A principal is an indirect member of a
+ * group if any of its groups (to any degree of separation) is direct memeber
+ * of the group.
+ *
+ * Example:true if the subject is allowed to perform the actions
+ * on the given principal; false otherwise.
+ */
+ boolean hasPermission(Subject subject, Principal principal, ActionSet actions);
+}
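Review bot: `searchPrincipal(String simpleFilter)` has empty `@param simpleFilter` and `@return` tags, and nothing says how the filter is matched (exact, substring, wildcard, case sensitivity). Providers backed by an external store need that contract to know whether the string has to be escaped before it is placed into a query, so the Javadoc should define the matching rule and whether the filter is to be handled as literal text. `getPrincipal` returns null for an unknown name, which the `@return` tag should spell out as `the requested principal, or null if it is not known to this provider`. The Javadoc from `searchType` onward is incomplete in this view, so the remaining methods are not reviewed here.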
Property changes on: jackrabbit-core\src\main\java\org\apache\jackrabbit\core\security\spi\PrincipalProvider.java
___________________________________________________________________
Name: svn:keywords
+ author date id rev url
Name: svn:eol-style
+ native
Index: jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/spi/WorkspaceACLProvider.java
===================================================================
--- jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/spi/WorkspaceACLProvider.java (revision 0)
+++ jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/spi/WorkspaceACLProvider.java (revision 0)
@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security.spi;
+
+import org.apache.jackrabbit.security.ACL;
+import org.apache.jackrabbit.core.security.JackrabbitSecurityManager;
+
+import javax.jcr.RepositoryException;
+import javax.jcr.NoSuchWorkspaceException;
+
+/**
+ * The WorkspaceACLProvider is responsible for workspace access.
+ * In contrast to Items that are identified, workspaces are named Objects
+ * on different class hierarchy.
+ *
+ * @see ACLProvider for the corresponding provider related to Items.
+ * @see CompiledACLProvider for the corresponding provider related to Items.
+ */
+public interface WorkspaceACLProvider {
+
+ /**
+ * Initialize this WorkspaceACLProvider.
+ *
+ * @param securityManager
+ * @throws RepositoryException if an error occurs.
+ */
+ void init(JackrabbitSecurityManager securityManager) throws RepositoryException;
+
+ /**
+ * Dispose this WorkspaceACLProvider and its resources.
+ *
+ * @throws RepositoryException if an error occurs.
+ */
+ void close() throws RepositoryException;
+
+ /**
+ * Returns the ACL for the given workspace or null if the
+ * respective ACL is not defined for that workspace.
+ *
+ * @param workspaceName the name of the workspace
+ * @return the ACL for the given workspace or null.
+ * @throws NoSuchWorkspaceException if the workspace with the given name
+ * does not exist.
+ * @throws RepositoryException if an error occurs.
+ */
+ public ACL getAcl(String workspaceName) throws RepositoryException, NoSuchWorkspaceException;
+}
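Review bot: The `getAcl` javadoc says null is returned when no ACL is defined for the workspace, but it does not say how a caller must treat that null, so each caller of this access-control SPI decides allow-versus-deny for itself. If deny-by-default is the intent (the evaluating code is not in this hunk), I would state it in the contract, e.g. `@return the ACL for the given workspace, or null if none is defined; callers must treat null as "no access granted"`. Smaller points: `getAcl` is the only method carrying a redundant `public` modifier, `@param securityManager` on `init` has no description, and both `@see` tags repeat the same "related to Items" text.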
Property changes on: jackrabbit-core\src\main\java\org\apache\jackrabbit\core\security\spi\WorkspaceACLProvider.java
___________________________________________________________________
Name: svn:keywords
+ author date id rev url
Name: svn:eol-style
+ native
Index: jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SessionImpl.java
===================================================================
--- jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SessionImpl.java (revision 576808)
+++ jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SessionImpl.java (working copy)
@@ -16,20 +16,43 @@
*/
package org.apache.jackrabbit.core;
-import java.io.File;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.io.PrintStream;
-import java.security.AccessControlException;
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.Map;
-import java.util.Set;
+import org.apache.commons.collections.IteratorUtils;
+import org.apache.commons.collections.map.ReferenceMap;
+import org.apache.jackrabbit.core.config.WorkspaceConfig;
+import org.apache.jackrabbit.core.lock.LockManager;
+import org.apache.jackrabbit.core.nodetype.NodeDefinitionImpl;
+import org.apache.jackrabbit.core.nodetype.NodeTypeImpl;
+import org.apache.jackrabbit.core.nodetype.NodeTypeManagerImpl;
+import org.apache.jackrabbit.core.security.AccessManager;
+import org.apache.jackrabbit.core.security.AuthContext;
+import org.apache.jackrabbit.core.security.SecurityConstants;
+import org.apache.jackrabbit.core.state.LocalItemStateManager;
+import org.apache.jackrabbit.core.state.NodeState;
+import org.apache.jackrabbit.core.state.SessionItemStateManager;
+import org.apache.jackrabbit.core.state.SharedItemStateManager;
+import org.apache.jackrabbit.core.util.Dumpable;
+import org.apache.jackrabbit.core.version.VersionManager;
+import org.apache.jackrabbit.core.xml.DocViewSAXEventGenerator;
+import org.apache.jackrabbit.core.xml.ImportHandler;
+import org.apache.jackrabbit.core.xml.SAXParserProvider;
+import org.apache.jackrabbit.core.xml.SessionImporter;
+import org.apache.jackrabbit.core.xml.SysViewSAXEventGenerator;
+import org.apache.jackrabbit.name.NameException;
+import org.apache.jackrabbit.name.NamePathResolver;
+import org.apache.jackrabbit.name.NamespaceResolver;
+import org.apache.jackrabbit.name.Path;
+import org.apache.jackrabbit.name.QName;
+import org.apache.jackrabbit.uuid.UUID;
+import org.apache.jackrabbit.value.ValueFactoryImpl;
+import org.apache.jackrabbit.api.JackrabbitSession;
+import org.apache.jackrabbit.security.PrincipalManager;
+import org.apache.jackrabbit.security.ACLManager;
+import org.apache.jackrabbit.security.UserManager;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.xml.sax.ContentHandler;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
import javax.jcr.AccessDeniedException;
import javax.jcr.Credentials;
@@ -65,47 +88,24 @@
import javax.xml.transform.sax.SAXTransformerFactory;
import javax.xml.transform.sax.TransformerHandler;
import javax.xml.transform.stream.StreamResult;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.PrintStream;
+import java.security.AccessControlException;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Map;
+import java.util.Set;
-import org.apache.commons.collections.IteratorUtils;
-import org.apache.commons.collections.map.ReferenceMap;
-import org.apache.jackrabbit.core.config.AccessManagerConfig;
-import org.apache.jackrabbit.core.config.WorkspaceConfig;
-import org.apache.jackrabbit.core.lock.LockManager;
-import org.apache.jackrabbit.core.nodetype.NodeDefinitionImpl;
-import org.apache.jackrabbit.core.nodetype.NodeTypeImpl;
-import org.apache.jackrabbit.core.nodetype.NodeTypeManagerImpl;
-import org.apache.jackrabbit.core.security.AMContext;
-import org.apache.jackrabbit.core.security.AccessManager;
-import org.apache.jackrabbit.core.security.AuthContext;
-import org.apache.jackrabbit.core.security.SecurityConstants;
-import org.apache.jackrabbit.core.state.LocalItemStateManager;
-import org.apache.jackrabbit.core.state.NodeState;
-import org.apache.jackrabbit.core.state.SessionItemStateManager;
-import org.apache.jackrabbit.core.state.SharedItemStateManager;
-import org.apache.jackrabbit.core.util.Dumpable;
-import org.apache.jackrabbit.core.version.VersionManager;
-import org.apache.jackrabbit.core.xml.DocViewSAXEventGenerator;
-import org.apache.jackrabbit.core.xml.ImportHandler;
-import org.apache.jackrabbit.core.xml.SAXParserProvider;
-import org.apache.jackrabbit.core.xml.SessionImporter;
-import org.apache.jackrabbit.core.xml.SysViewSAXEventGenerator;
-import org.apache.jackrabbit.name.NameException;
-import org.apache.jackrabbit.name.NamePathResolver;
-import org.apache.jackrabbit.name.NamespaceResolver;
-import org.apache.jackrabbit.name.Path;
-import org.apache.jackrabbit.name.QName;
-import org.apache.jackrabbit.uuid.UUID;
-import org.apache.jackrabbit.value.ValueFactoryImpl;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.xml.sax.ContentHandler;
-import org.xml.sax.InputSource;
-import org.xml.sax.SAXException;
-
/**
* A SessionImpl ...
*/
-public class SessionImpl implements Session, NamePathResolver, Dumpable {
+public class SessionImpl implements JackrabbitSession, NamePathResolver, Dumpable {
private static Logger log = LoggerFactory.getLogger(SessionImpl.class);
@@ -204,6 +204,21 @@
protected ValueFactory valueFactory;
/**
+ * Principal Manager
+ */
+ private PrincipalManager principalManager;
+
+ /**
+ * ACL Manager
+ */
+ private ACLManager aclManager;
+
+ /**
+ * User Manager
+ */
+ private UserManager userManager;
+
+ /**
* Protected constructor.
*
* @param rep
@@ -317,27 +332,7 @@
protected AccessManager createAccessManager(Subject subject,
HierarchyManager hierMgr)
throws AccessDeniedException, RepositoryException {
- AccessManagerConfig amConfig = rep.getConfig().getAccessManagerConfig();
- try {
-
- AMContext ctx = new AMContext(new File(rep.getConfig().getHomeDir()),
- rep.getFileSystem(),
- subject,
- hierMgr,
- rep.getNamespaceRegistry(),
- wsp.getName());
- AccessManager accessMgr = (AccessManager) amConfig.newInstance();
- accessMgr.init(ctx);
- return accessMgr;
- } catch (AccessDeniedException ade) {
- // re-throw
- throw ade;
- } catch (Exception e) {
- // wrap in RepositoryException
- String msg = "failed to instantiate AccessManager implementation: " + amConfig.getClassName();
- log.error(msg, e);
- throw new RepositoryException(msg, e);
- }
+ return rep.getSecurityManager().getAccessManager(this);
}
/**
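Review bot: After this change `createAccessManager` ignores both of its parameters, `subject` and `hierMgr`, and passes `this` to `rep.getSecurityManager().getAccessManager(this)` instead. A subclass or caller that supplies a subject different from the session's own would now silently receive an access manager for whatever the security manager derives from the session. If this method is called from the constructor (not visible in the hunk), the session reference also escapes before initialisation is complete. Either pass the arguments through or make the behaviour explicit with a comment such as `// subject and hierMgr are intentionally unused: the security manager derives both from this session`. The method's javadoc lies outside the hunk and would need the same statement.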
@@ -1428,6 +1423,53 @@
return wsp.getLockManager();
}
+ //-----------------------------------------------------< JackrabbitSession >
+ /**
+ * {@inheritDoc}
+ */
+ public JackrabbitSession createSession(String workspaceName)
+ throws AccessDeniedException, NoSuchWorkspaceException, RepositoryException {
+
+ if (workspaceName == null) {
+ workspaceName = rep.getConfig().getDefaultWorkspaceName();
+ }
+ if (loginContext!=null) {
+ return rep.createSession(loginContext, workspaceName);
+ } else {
+ return rep.createSession(getSubject(), workspaceName);
+ }
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ public PrincipalManager getPrincipalManager() throws RepositoryException, AccessDeniedException {
+ if (principalManager == null) {
+ principalManager = rep.getSecurityManager().getPrincipalManager(this, subject);
+ }
+ return principalManager;
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ public ACLManager getACLManager() throws RepositoryException, AccessDeniedException {
+ if (aclManager == null) {
+ aclManager = rep.getSecurityManager().getACLManager(this, subject);
+ }
+ return aclManager;
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ public UserManager getUserManager() throws AccessDeniedException, RepositoryException {
+ if (userManager == null) {
+ userManager = rep.getSecurityManager().getUserManager(this);
+ }
+ return userManager;
+ }
+
//--------------------------------------------------< new JSR 283 methods >
/**
* Returns the node specified by the given identifier. Applies to both
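Review bot: `createSession` builds a new session from the stored `loginContext` or `getSubject()` without first checking that this session is still live, so a retained reference to a logged-out session could presumably still be used to open a session on another workspace. The three manager getters likewise return cached security managers with no liveness check. I would begin each of the four methods with the check the other Session methods in this class use, `sanityCheck();` (assuming it is available in this revision), and confirm that logout, which is outside this hunk, clears `principalManager`, `aclManager` and `userManager`. Minor: `getPrincipalManager` and `getACLManager` read the `subject` field while `createSession` calls `getSubject()`, and `loginContext!=null` lacks spaces around the operator.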
@@ -1455,8 +1497,13 @@
throw new RepositoryException("invalid identifier: " + id);
}
return getNodeById(nodeId);
+
+
+
+
}
+
/**
* Returns the node at the specified absolute path in the workspace.
* If no node exists, then a PathNotFoundException is thrown.
@@ -1541,6 +1588,7 @@
} catch (PathNotFoundException pnfe) {
return false;
}
+
}
/**
@@ -1582,5 +1630,4 @@
ps.println();
itemStateMgr.dump(ps);
}
-
}
Index: jackrabbit-core/src/main/resources/org/apache/jackrabbit/core/config/repository-1.3.dtd
===================================================================
--- jackrabbit-core/src/main/resources/org/apache/jackrabbit/core/config/repository-1.3.dtd (revision 0)
+++ jackrabbit-core/src/main/resources/org/apache/jackrabbit/core/config/repository-1.3.dtd (revision 0)
@@ -0,0 +1,167 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
Index: jackrabbit-core/src/main/resources/org/apache/jackrabbit/core/nodetype/builtin_nodetypes.cnd
===================================================================
--- jackrabbit-core/src/main/resources/org/apache/jackrabbit/core/nodetype/builtin_nodetypes.cnd (revision 576808)
+++ jackrabbit-core/src/main/resources/org/apache/jackrabbit/core/nodetype/builtin_nodetypes.cnd (working copy)
@@ -172,3 +172,56 @@
[rep:versionStorage]
+ * (nt:versionHistory) = nt:versionHistory protected multiple abort
+ * (rep:versionStorage) = rep:versionStorage protected multiple abort
+
+// -----------------------------------------------------------------------------
+// J A C K R A B B I T S E C U R I T Y
+// -----------------------------------------------------------------------------
+
+[rep:AccessControllable]
+ orderable mixin
+ + rep:acl (rep:ACL) = rep:ACL ignore
+
+[rep:ACL]
+ orderable
+ + * (rep:ACE) = rep:ACE
+
+[rep:ACE]
+ - rep:principal (string) mandatory
+ - rep:actions (string) mandatory multiple
+
+[rep:GrantACE] > rep:ACE
+
+[rep:DenyACE] > rep:ACE
+
+[rep:Authorizable] > mix:referenceable, nt:base
+ + * (rep:Authorizable) = rep:Authorizable version
+ + * (rep:AuthorizableFolder) = rep:AuthorizableFolder version
+ - rep:principalName (string)
+ - rep:referee (string) multiple
+ - * (undefined)
+ - * (undefined) multiple
+
+[rep:Impersonatable] mixin
+ + rep:sudoers (rep:Sudoers) = rep:Sudoers
+
+[rep:User] > rep:Authorizable, rep:Impersonatable
+ - rep:userId (string)
+ - rep:password (string)
+ - rep:credentials (binary) multiple
+
+[rep:Group] > rep:Authorizable
+ - rep:member (reference) multiple
+ < 'rep:Authorizable'
+
+[rep:AuthorizableFolder] > nt:base, mix:referenceable, rep:AccessControllable
+ + * (rep:Authorizable) = rep:User version
+ + * (rep:AuthorizableFolder) version
+
+[rep:Sudoers] > nt:base, rep:AccessControllable
+ - * (undefined)
+
+[rep:WorkspaceAccess] > nt:base, rep:AccessControllable
+ + * (rep:Workspace) = rep:Workspace
+
+[rep:Workspace] > nt:base, rep:AccessControllable
+ - * (undefined)
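Review bot: `rep:User` declares `- rep:password (string)` and `- rep:credentials (binary) multiple` as ordinary properties, so any session with write access to a user node can set them through the plain JCR API, and nothing in the type says the stored value is a hash. Unless the access manager added elsewhere in this patch restricts these properties, I would declare them protected, `- rep:password (string) protected`, so that only the repository's own user management writes them. A comment above the definition should state that the value must be a salted hash and never the clear-text password. The same question applies to `rep:principal` and `rep:actions` on `rep:ACE`, which as declared can be changed by ordinary property writes outside the ACL manager.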
Index: jackrabbit-core/src/main/resources/org/apache/jackrabbit/core/nodetype/builtin_nodetypes.xml
===================================================================
--- jackrabbit-core/src/main/resources/org/apache/jackrabbit/core/nodetype/builtin_nodetypes.xml (revision 576808)
+++ jackrabbit-core/src/main/resources/org/apache/jackrabbit/core/nodetype/builtin_nodetypes.xml (working copy)
@@ -393,4 +393,153 @@
+
+