Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlImporter.java =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlImporter.java (revision 1466812) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlImporter.java (revision ) @@ -91,7 +91,7 @@ this.namePathMapper = namePathMapper; AccessControlConfiguration config = securityProvider.getAccessControlConfiguration(); if (isWorkspaceImport) { - acMgr = config.getAccessControlManager(root, namePathMapper, null); + acMgr = config.getAccessControlManager(root, namePathMapper); } else { acMgr = session.getAccessControlManager(); } Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidatorProvider.java =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidatorProvider.java (revision 1466812) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidatorProvider.java (revision ) @@ -17,20 +17,15 @@ package org.apache.jackrabbit.oak.security.authorization.permission; import java.security.AccessController; -import java.security.Principal; -import java.util.Collections; -import java.util.Set; import javax.annotation.Nonnull; import javax.security.auth.Subject; -import org.apache.jackrabbit.oak.core.ImmutableRoot; import org.apache.jackrabbit.oak.core.ImmutableTree; import org.apache.jackrabbit.oak.core.TreeTypeProviderImpl; import org.apache.jackrabbit.oak.spi.commit.Validator; import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider; import org.apache.jackrabbit.oak.spi.security.Context; import org.apache.jackrabbit.oak.spi.security.SecurityProvider; -import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConfiguration; import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider; import org.apache.jackrabbit.oak.spi.state.NodeState; @@ -40,21 +35,19 @@ public class PermissionValidatorProvider extends ValidatorProvider { private final SecurityProvider securityProvider; - private final String workspaceName; private Context acCtx; private Context userCtx; public PermissionValidatorProvider(SecurityProvider securityProvider, String workspaceName) { this.securityProvider = securityProvider; - this.workspaceName = workspaceName; } //--------------------------------------------------< ValidatorProvider >--- @Nonnull @Override public Validator getRootValidator(NodeState before, NodeState after) { - PermissionProvider pp = getPermissionProvider(before); + PermissionProvider pp = getPermissionProvider(); return new PermissionValidator(createTree(before), createTree(after), pp, this); } @@ -78,12 +71,10 @@ return new ImmutableTree(root, new TreeTypeProviderImpl(getAccessControlContext())); } - private PermissionProvider getPermissionProvider(NodeState before) { + private PermissionProvider getPermissionProvider() { Subject subject = Subject.getSubject(AccessController.getContext()); if (subject == null || subject.getPublicCredentials(PermissionProvider.class).isEmpty()) { - Set principals = (subject != null) ? subject.getPrincipals() : Collections.emptySet(); - AccessControlConfiguration acConfig = securityProvider.getAccessControlConfiguration(); - return acConfig.getPermissionProvider(new ImmutableRoot(createTree(before), workspaceName), principals); + throw new IllegalStateException("Unable to validate permissions; no permission provider associated with the commit call."); } else { return subject.getPublicCredentials(PermissionProvider.class).iterator().next(); } Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserInitializer.java =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserInitializer.java (revision 1466812) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserInitializer.java (revision ) @@ -33,6 +33,7 @@ import org.apache.jackrabbit.oak.spi.commit.EmptyHook; import org.apache.jackrabbit.oak.spi.lifecycle.WorkspaceInitializer; import org.apache.jackrabbit.oak.spi.query.QueryIndexProvider; +import org.apache.jackrabbit.oak.spi.security.OpenSecurityProvider; import org.apache.jackrabbit.oak.spi.security.SecurityProvider; import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration; import org.apache.jackrabbit.oak.spi.security.user.UserConstants; @@ -95,7 +96,8 @@ } catch (CommitFailedException e) { throw new RuntimeException(e); } - Root root = new RootImpl(store, commitHook, workspaceName, SystemSubject.INSTANCE, securityProvider, indexProvider); + // TODO reconsider + Root root = new RootImpl(store, commitHook, workspaceName, SystemSubject.INSTANCE, new OpenSecurityProvider(), indexProvider); UserConfiguration userConfiguration = securityProvider.getUserConfiguration(); UserManager userManager = userConfiguration.getUserManager(root, NamePathMapper.DEFAULT); Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java (revision 1466812) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java (revision ) @@ -100,11 +100,9 @@ private PermissionProvider permissionProvider; public AccessControlManagerImpl(@Nonnull Root root, @Nonnull NamePathMapper namePathMapper, - @Nonnull SecurityProvider securityProvider, - @Nullable PermissionProvider permissionProvider) { + @Nonnull SecurityProvider securityProvider) { this.root = root; this.namePathMapper = namePathMapper; - this.permissionProvider = permissionProvider; privilegeManager = securityProvider.getPrivilegeConfiguration().getPrivilegeManager(root, namePathMapper); principalManager = securityProvider.getPrincipalConfiguration().getPrincipalManager(root, namePathMapper); @@ -130,13 +128,13 @@ @Override public boolean hasPrivileges(@Nullable String absPath, @Nonnull Privilege[] privileges) throws RepositoryException { - return hasPrivileges(absPath, privileges, permissionProvider); + return hasPrivileges(absPath, privileges, getPermissionProvider()); } @Nonnull @Override public Privilege[] getPrivileges(@Nullable String absPath) throws RepositoryException { - return getPrivileges(absPath, permissionProvider); + return getPrivileges(absPath, getPermissionProvider()); } @Nonnull @@ -351,7 +349,8 @@ throw new PathNotFoundException("No tree at " + oakPath); } if (permissions != Permissions.NO_PERMISSION) { - if (permissionProvider != null && !permissionProvider.isGranted(tree, null, permissions)) { + + if (!getPermissionProvider().isGranted(tree, null, permissions)) { throw new AccessDeniedException("Access denied at " + tree); } // check if the tree is access controlled @@ -513,6 +512,16 @@ } @Nonnull + private PermissionProvider getPermissionProvider() { + if (permissionProvider == null) { + permissionProvider = acConfig.getPermissionProvider(root, root.getContentSession().getAuthInfo().getPrincipals()); + } else { + permissionProvider.refresh(); + } + return permissionProvider; + } + + @Nonnull private Set getPrivileges(@Nonnull Tree aceTree) throws RepositoryException { String[] privNames = checkNotNull(TreeUtil.getStrings(aceTree, REP_PRIVILEGES)); Set privileges = new HashSet(privNames.length); Index: oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/callback/RepositoryCallback.java =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/callback/RepositoryCallback.java (revision 1466812) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/callback/RepositoryCallback.java (revision ) @@ -16,9 +16,15 @@ */ package org.apache.jackrabbit.oak.spi.security.authentication.callback; +import java.security.PrivilegedAction; +import java.security.PrivilegedExceptionAction; import javax.annotation.CheckForNull; +import javax.jcr.NoSuchWorkspaceException; +import javax.security.auth.Subject; import javax.security.auth.callback.Callback; +import javax.security.auth.login.LoginException; +import org.apache.jackrabbit.oak.api.ContentRepository; import org.apache.jackrabbit.oak.api.Root; import org.apache.jackrabbit.oak.core.RootImpl; import org.apache.jackrabbit.oak.security.authentication.SystemSubject; @@ -35,7 +41,7 @@ */ public class RepositoryCallback implements Callback { - private NodeStore nodeStore; + private ContentRepository contentRepository; private CommitHook commitHook; private SecurityProvider securityProvider; private QueryIndexProvider indexProvider; @@ -47,20 +53,17 @@ } @CheckForNull - public Root getRoot() { - if (nodeStore != null) { - return new RootImpl(nodeStore, commitHook, workspaceName, SystemSubject.INSTANCE, securityProvider, indexProvider); + public ContentRepository getContentRepository() { + return contentRepository; - } + } - return null; - } @CheckForNull public SecurityProvider getSecurityProvider() { return securityProvider; } - public void setNodeStore(NodeStore nodeStore) { - this.nodeStore = nodeStore; + public void setContentRepository(ContentRepository contentRepository) { + this.contentRepository = contentRepository; } public void setCommitHook(CommitHook commitHook) { Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.java =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.java (revision 1466812) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.java (revision ) @@ -158,10 +158,6 @@ return true; } - // the login attempt on this module did not succeed: clear state - // and check if another successful login asks for a new token to be created. - clearState(); - if (tokenProvider != null && sharedState.containsKey(SHARED_KEY_CREDENTIALS)) { Credentials shared = getSharedCredentials(); if (shared != null && tokenProvider.doCreateToken(shared)) { @@ -180,6 +176,10 @@ } } } + // the login attempt on this module did not succeed: clear state + // and check if another successful login asks for a new token to be created. + clearState(); + return false; } Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/CallbackHandlerImpl.java =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/CallbackHandlerImpl.java (revision 1466812) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/CallbackHandlerImpl.java (revision ) @@ -25,12 +25,12 @@ import javax.security.auth.callback.PasswordCallback; import javax.security.auth.callback.UnsupportedCallbackException; +import org.apache.jackrabbit.oak.api.ContentRepository; import org.apache.jackrabbit.oak.spi.commit.CommitHook; import org.apache.jackrabbit.oak.spi.query.QueryIndexProvider; import org.apache.jackrabbit.oak.spi.security.SecurityProvider; import org.apache.jackrabbit.oak.spi.security.authentication.callback.CredentialsCallback; import org.apache.jackrabbit.oak.spi.security.authentication.callback.RepositoryCallback; -import org.apache.jackrabbit.oak.spi.state.NodeStore; /** * Default implementation of the {@link CallbackHandler} interface. It currently @@ -47,19 +47,15 @@ private final Credentials credentials; private final String workspaceName; - private final NodeStore nodeStore; - private final CommitHook commitHook; - private final QueryIndexProvider indexProvider; + private final ContentRepository contentRepository; private final SecurityProvider securityProvider; public CallbackHandlerImpl(Credentials credentials, String workspaceName, - NodeStore nodeStore, CommitHook commitHook, QueryIndexProvider indexProvider, + ContentRepository contentRepository, SecurityProvider securityProvider) { this.credentials = credentials; this.workspaceName = workspaceName; - this.nodeStore = nodeStore; - this.commitHook = commitHook; - this.indexProvider = indexProvider; + this.contentRepository = contentRepository; this.securityProvider = securityProvider; } @@ -75,10 +71,8 @@ ((PasswordCallback) callback).setPassword(getPassword()); } else if (callback instanceof RepositoryCallback) { RepositoryCallback repositoryCallback = (RepositoryCallback) callback; - repositoryCallback.setNodeStore(nodeStore); + repositoryCallback.setContentRepository(contentRepository); repositoryCallback.setSecurityProvider(securityProvider); - repositoryCallback.setCommitHook(commitHook); - repositoryCallback.setIndexProvider(indexProvider); repositoryCallback.setWorkspaceName(workspaceName); } else { throw new UnsupportedCallbackException(callback); Index: oak-core/src/main/java/org/apache/jackrabbit/oak/core/ImmutableRoot.java =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/core/ImmutableRoot.java (revision 1466812) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/core/ImmutableRoot.java (revision ) @@ -23,6 +23,7 @@ import javax.annotation.Nullable; import org.apache.jackrabbit.oak.api.BlobFactory; +import org.apache.jackrabbit.oak.api.ContentSession; import org.apache.jackrabbit.oak.api.QueryEngine; import org.apache.jackrabbit.oak.api.Root; import org.apache.jackrabbit.oak.api.TreeLocation; @@ -61,15 +62,12 @@ return workspaceName; } - // TODO: review if getWorkspaceName() may be part of Root API - @CheckForNull - public static String getWorkspaceName(Root root) { + @Nonnull + private static String getWorkspaceName(Root root) { if (root instanceof ImmutableRoot) { return ((ImmutableRoot) root).getWorkspaceName(); - } else if (root instanceof RootImpl) { - return ((RootImpl) root).getWorkspaceName(); } else { - return null; + return root.getContentSession().getWorkspaceName(); } } @@ -131,4 +129,10 @@ public BlobFactory getBlobFactory() { throw new UnsupportedOperationException(); } + + @Override + public ContentSession getContentSession() { + throw new UnsupportedOperationException(); -} + } + +} Index: oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlTest.java =================================================================== --- oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlTest.java (revision 1466812) +++ oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlTest.java (revision ) @@ -67,8 +67,7 @@ } protected JackrabbitAccessControlManager getAccessControlManager(Root root) { - PermissionProvider pp = null; // TODO - AccessControlManager acMgr = securityProvider.getAccessControlConfiguration().getAccessControlManager(root, NamePathMapper.DEFAULT, pp); + AccessControlManager acMgr = securityProvider.getAccessControlConfiguration().getAccessControlManager(root, NamePathMapper.DEFAULT); if (acMgr instanceof JackrabbitAccessControlManager) { return (JackrabbitAccessControlManager) acMgr; } else { Index: oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenAccessControlConfiguration.java =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenAccessControlConfiguration.java (revision 1466812) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/OpenAccessControlConfiguration.java (revision ) @@ -36,7 +36,7 @@ implements AccessControlConfiguration { @Override - public AccessControlManager getAccessControlManager(Root root, NamePathMapper namePathMapper, PermissionProvider permissionProvider) { + public AccessControlManager getAccessControlManager(Root root, NamePathMapper namePathMapper) { throw new UnsupportedOperationException(); } Index: oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java (revision 1466812) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java (revision ) @@ -163,7 +163,7 @@ return; } String path = authorizable.getPath(); - AccessControlManager acMgr = securityProvider.getAccessControlConfiguration().getAccessControlManager(root, namePathMapper, null); + AccessControlManager acMgr = securityProvider.getAccessControlConfiguration().getAccessControlManager(root, namePathMapper); JackrabbitAccessControlList acl = null; for (AccessControlPolicyIterator it = acMgr.getApplicablePolicies(path); it.hasNext();) { AccessControlPolicy plc = it.nextAccessControlPolicy(); Index: oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java (revision 1466812) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java (revision ) @@ -32,6 +32,7 @@ import org.apache.jackrabbit.oak.api.Blob; import org.apache.jackrabbit.oak.api.BlobFactory; import org.apache.jackrabbit.oak.api.CommitFailedException; +import org.apache.jackrabbit.oak.api.ContentSession; import org.apache.jackrabbit.oak.api.PropertyState; import org.apache.jackrabbit.oak.api.QueryEngine; import org.apache.jackrabbit.oak.api.Root; @@ -155,24 +156,6 @@ } /** - * Oak level variant of {@link org.apache.jackrabbit.oak.api.ContentSession#getLatestRoot()} - * to be used when no {@code ContentSession} is available. - * - * @return A new Root instance. - * @see org.apache.jackrabbit.oak.api.ContentSession#getLatestRoot() - */ - public Root getLatest() { - checkLive(); - RootImpl root = new RootImpl(store, hook, workspaceName, subject, securityProvider, indexProvider) { - @Override - protected void checkLive() { - RootImpl.this.checkLive(); - } - }; - return root; - } - - /** * Called whenever a method on this instance or on any {@code Tree} instance * obtained from this {@code Root} is called. This default implementation * does nothing. Sub classes may override this method and throw an exception @@ -584,4 +567,9 @@ return '>' + source + ':' + PathUtils.concat(destParent.getPathInternal(), destName); } } + + @Override + public ContentSession getContentSession() { + throw new UnsupportedOperationException(); -} + } +} Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java (revision 1466812) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java (revision ) @@ -25,14 +25,12 @@ import javax.security.auth.login.Configuration; import javax.security.auth.login.LoginException; -import org.apache.jackrabbit.oak.spi.commit.CommitHook; -import org.apache.jackrabbit.oak.spi.query.QueryIndexProvider; +import org.apache.jackrabbit.oak.api.ContentRepository; import org.apache.jackrabbit.oak.spi.security.SecurityProvider; import org.apache.jackrabbit.oak.spi.security.authentication.JaasLoginContext; import org.apache.jackrabbit.oak.spi.security.authentication.LoginContext; import org.apache.jackrabbit.oak.spi.security.authentication.LoginContextProvider; import org.apache.jackrabbit.oak.spi.security.authentication.PreAuthContext; -import org.apache.jackrabbit.oak.spi.state.NodeStore; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -45,19 +43,15 @@ private final String appName; private final Configuration configuration; - private final NodeStore nodeStore; - private final CommitHook commitHook; - private final QueryIndexProvider indexProvider; + private final ContentRepository contentRepository; private final SecurityProvider securityProvider; public LoginContextProviderImpl(String appName, Configuration configuration, - NodeStore nodeStore, CommitHook commitHook, QueryIndexProvider indexProvider, + ContentRepository contentRepository, SecurityProvider securityProvider) { this.appName = appName; this.configuration = configuration; - this.nodeStore = nodeStore; - this.commitHook = commitHook; - this.indexProvider = indexProvider; + this.contentRepository = contentRepository; this.securityProvider = securityProvider; } @@ -92,6 +86,6 @@ @Nonnull private CallbackHandler getCallbackHandler(Credentials credentials, String workspaceName) { - return new CallbackHandlerImpl(credentials, workspaceName, nodeStore, commitHook, indexProvider, securityProvider); + return new CallbackHandlerImpl(credentials, workspaceName, contentRepository, securityProvider); } } \ No newline at end of file Index: oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/OpenAuthenticationConfiguration.java =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/OpenAuthenticationConfiguration.java (revision 1466812) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/OpenAuthenticationConfiguration.java (revision ) @@ -20,12 +20,10 @@ import javax.jcr.Credentials; import javax.security.auth.Subject; +import org.apache.jackrabbit.oak.api.ContentRepository; import org.apache.jackrabbit.oak.api.Root; -import org.apache.jackrabbit.oak.spi.commit.CommitHook; -import org.apache.jackrabbit.oak.spi.query.QueryIndexProvider; import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration; import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenProvider; -import org.apache.jackrabbit.oak.spi.state.NodeStore; /** * This implementation of the authentication configuration provides login @@ -36,7 +34,7 @@ @Nonnull @Override - public LoginContextProvider getLoginContextProvider(NodeStore nodeStore, CommitHook commitHook, QueryIndexProvider indexProvider) { + public LoginContextProvider getLoginContextProvider(ContentRepository contentRepository) { return new LoginContextProvider() { @Nonnull @Override Index: oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java (revision 1466812) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java (revision ) @@ -19,7 +19,6 @@ import java.security.Principal; import java.util.Set; import javax.annotation.Nonnull; -import javax.annotation.Nullable; import javax.jcr.security.AccessControlManager; import org.apache.jackrabbit.oak.api.Root; @@ -35,8 +34,7 @@ @Nonnull AccessControlManager getAccessControlManager(@Nonnull Root root, - @Nonnull NamePathMapper namePathMapper, - @Nullable PermissionProvider permissionProvider); + @Nonnull NamePathMapper namePathMapper); @Nonnull RestrictionProvider getRestrictionProvider(@Nonnull NamePathMapper namePathMapper); Index: oak-core/src/main/java/org/apache/jackrabbit/oak/api/Root.java =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/api/Root.java (revision 1466812) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/api/Root.java (revision ) @@ -144,4 +144,16 @@ */ @Nonnull BlobFactory getBlobFactory(); + + + /** + * + * Get the ContentSession associated with a given Root + * + * @return the associated ContentSession + * + * @throws UnsupportedOperationException + */ + @Nonnull + ContentSession getContentSession(); } Index: oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AuthenticationConfiguration.java =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AuthenticationConfiguration.java (revision 1466812) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AuthenticationConfiguration.java (revision ) @@ -18,12 +18,10 @@ import javax.annotation.Nonnull; +import org.apache.jackrabbit.oak.api.ContentRepository; import org.apache.jackrabbit.oak.api.Root; -import org.apache.jackrabbit.oak.spi.commit.CommitHook; -import org.apache.jackrabbit.oak.spi.query.QueryIndexProvider; import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration; import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenProvider; -import org.apache.jackrabbit.oak.spi.state.NodeStore; /** * AuthenticationConfiguration... TODO @@ -35,7 +33,7 @@ // TODO review again @Nonnull - LoginContextProvider getLoginContextProvider(NodeStore nodeStore, CommitHook commitHook, QueryIndexProvider indexProvider); + LoginContextProvider getLoginContextProvider(ContentRepository contentRepository); @Nonnull TokenProvider getTokenProvider(Root root); Index: oak-core/src/test/java/org/apache/jackrabbit/oak/core/RootImplTest.java =================================================================== --- oak-core/src/test/java/org/apache/jackrabbit/oak/core/RootImplTest.java (revision 1466812) +++ oak-core/src/test/java/org/apache/jackrabbit/oak/core/RootImplTest.java (revision ) @@ -403,28 +403,6 @@ checkEqual(root1.getTree("/"), (root2.getTree("/"))); } - @Test - public void testGetLatest() throws Exception { - RootImpl root = (RootImpl) session.getLatestRoot(); - Root root2 = root.getLatest(); - assertNotSame(root, root2); - - session.close(); - try { - root.getLatest(); - fail(); - } catch (IllegalStateException e) { - // success - } - - try { - ((RootImpl) root2).checkLive(); - fail(); - } catch (IllegalStateException e) { - // success - } - } - private static void checkEqual(Tree tree1, Tree tree2) { assertEquals(tree1.getChildrenCount(), tree2.getChildrenCount()); assertEquals(tree1.getPropertyCount(), tree2.getPropertyCount()); Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeManagerImpl.java =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeManagerImpl.java (revision 1466812) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeManagerImpl.java (revision ) @@ -25,13 +25,11 @@ import javax.annotation.Nonnull; import javax.jcr.InvalidItemStateException; import javax.jcr.RepositoryException; -import javax.jcr.UnsupportedRepositoryOperationException; import javax.jcr.security.AccessControlException; import javax.jcr.security.Privilege; import org.apache.jackrabbit.api.security.authorization.PrivilegeManager; import org.apache.jackrabbit.oak.api.Root; -import org.apache.jackrabbit.oak.core.RootImpl; import org.apache.jackrabbit.oak.namepath.NamePathMapper; import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeDefinition; import org.slf4j.Logger; @@ -92,13 +90,9 @@ //------------------------------------------------------------< private >--- @Nonnull - private Root getWriteRoot() throws UnsupportedRepositoryOperationException { - if (root instanceof RootImpl) { - return ((RootImpl) root).getLatest(); - } else { - throw new UnsupportedRepositoryOperationException("Privilege registration not supported"); + private Root getWriteRoot() { + return root.getContentSession().getLatestRoot(); - } + } - } @Nonnull private Set getOakNames(String[] jcrNames) throws RepositoryException { Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java (revision 1466812) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java (revision ) @@ -72,7 +72,7 @@ public PermissionProviderImpl(@Nonnull Root root, @Nonnull Set principals, @Nonnull SecurityProvider securityProvider) { this.root = root; - this.workspaceName = checkNotNull(ImmutableRoot.getWorkspaceName(root)); + this.workspaceName = root.getContentSession().getWorkspaceName(); acConfig = securityProvider.getAccessControlConfiguration(); if (principals.contains(SystemPrincipal.INSTANCE) || isAdmin(principals)) { compiledPermissions = AllPermissions.getInstance(); Index: oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionContext.java =================================================================== --- oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionContext.java (revision 1466812) +++ oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/SessionContext.java (revision ) @@ -171,7 +171,7 @@ public AccessControlManager getAccessControlManager() throws RepositoryException { if (accessControlManager == null) { SecurityProvider securityProvider = repository.getSecurityProvider(); - accessControlManager = securityProvider.getAccessControlConfiguration().getAccessControlManager(delegate.getRoot(), namePathMapper, getPermissionProvider()); + accessControlManager = securityProvider.getAccessControlConfiguration().getAccessControlManager(delegate.getRoot(), namePathMapper); } return accessControlManager; } Index: oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java (revision 1466812) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.java (revision ) @@ -18,12 +18,15 @@ import java.io.IOException; import java.security.Principal; +import java.security.PrivilegedActionException; +import java.security.PrivilegedExceptionAction; import java.util.Collections; import java.util.Map; import java.util.Set; import javax.annotation.CheckForNull; import javax.annotation.Nonnull; import javax.jcr.Credentials; +import javax.jcr.NoSuchWorkspaceException; import javax.security.auth.Subject; import javax.security.auth.callback.Callback; import javax.security.auth.callback.CallbackHandler; @@ -32,8 +35,11 @@ import javax.security.auth.spi.LoginModule; import org.apache.jackrabbit.api.security.user.UserManager; +import org.apache.jackrabbit.oak.api.ContentRepository; +import org.apache.jackrabbit.oak.api.ContentSession; import org.apache.jackrabbit.oak.api.Root; import org.apache.jackrabbit.oak.namepath.NamePathMapper; +import org.apache.jackrabbit.oak.security.authentication.SystemSubject; import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters; import org.apache.jackrabbit.oak.spi.security.SecurityProvider; import org.apache.jackrabbit.oak.spi.security.authentication.callback.CredentialsCallback; @@ -153,6 +159,8 @@ protected ConfigurationParameters options; private SecurityProvider securityProvider; + + private ContentSession systemSession; private Root root; //--------------------------------------------------------< LoginModule >--- @@ -192,7 +200,14 @@ protected void clearState() { securityProvider = null; root = null; + if (systemSession != null) { + try { + systemSession.close(); + } catch (IOException e) { + log.debug(e.getMessage()); - } + } + } + } /** * @return A set of supported credential classes. @@ -321,14 +336,24 @@ @CheckForNull protected Root getRoot() { if (root == null && callbackHandler != null) { - RepositoryCallback rcb = new RepositoryCallback(); try { + final RepositoryCallback rcb = new RepositoryCallback(); callbackHandler.handle(new Callback[]{rcb}); - root = rcb.getRoot(); + + final ContentRepository repository = rcb.getContentRepository(); + systemSession = Subject.doAs(SystemSubject.INSTANCE, new PrivilegedExceptionAction() { + @Override + public ContentSession run() throws LoginException, NoSuchWorkspaceException { + return repository.login(null, rcb.getWorkspaceName()); + } + }); + root = systemSession.getLatestRoot(); } catch (UnsupportedCallbackException e) { log.debug(e.getMessage()); } catch (IOException e) { log.debug(e.getMessage()); + } catch (PrivilegedActionException e){ + log.debug(e.getMessage()); } } return root; Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java (revision 1466812) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlConfigurationImpl.java (revision ) @@ -91,8 +91,8 @@ //-----------------------------------------< AccessControlConfiguration >--- @Override - public AccessControlManager getAccessControlManager(Root root, NamePathMapper namePathMapper, PermissionProvider permissionProvider) { - return new AccessControlManagerImpl(root, namePathMapper, securityProvider, permissionProvider); + public AccessControlManager getAccessControlManager(Root root, NamePathMapper namePathMapper) { + return new AccessControlManagerImpl(root, namePathMapper, securityProvider); } @Nonnull Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationConfigurationImpl.java =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationConfigurationImpl.java (revision 1466812) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthenticationConfigurationImpl.java (revision ) @@ -19,18 +19,16 @@ import javax.annotation.Nonnull; import javax.security.auth.login.Configuration; +import org.apache.jackrabbit.oak.api.ContentRepository; import org.apache.jackrabbit.oak.api.Root; import org.apache.jackrabbit.oak.spi.security.authentication.ConfigurationUtil; import org.apache.jackrabbit.oak.security.authentication.token.TokenProviderImpl; -import org.apache.jackrabbit.oak.spi.commit.CommitHook; -import org.apache.jackrabbit.oak.spi.query.QueryIndexProvider; import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters; import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration; import org.apache.jackrabbit.oak.spi.security.SecurityProvider; import org.apache.jackrabbit.oak.spi.security.authentication.AuthenticationConfiguration; import org.apache.jackrabbit.oak.spi.security.authentication.LoginContextProvider; import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenProvider; -import org.apache.jackrabbit.oak.spi.state.NodeStore; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -55,7 +53,7 @@ @Nonnull @Override - public LoginContextProvider getLoginContextProvider(NodeStore nodeStore, CommitHook commitHook, QueryIndexProvider indexProvider) { + public LoginContextProvider getLoginContextProvider(ContentRepository contentRepository) { String appName = config.getConfigValue(PARAM_APP_NAME, DEFAULT_APP_NAME); Configuration loginConfig = null; try { @@ -73,7 +71,7 @@ // TODO: review if having a default is desirable or if login should fail without valid login configuration. loginConfig = ConfigurationUtil.getDefaultConfiguration(config); } - return new LoginContextProviderImpl(appName, loginConfig, nodeStore, commitHook, indexProvider, securityProvider); + return new LoginContextProviderImpl(appName, loginConfig, contentRepository, securityProvider); } @Nonnull Index: oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java =================================================================== --- oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java (revision 1466812) +++ oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java (revision ) @@ -52,7 +52,6 @@ import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider; import org.apache.jackrabbit.oak.security.privilege.PrivilegeConstants; import org.apache.jackrabbit.oak.spi.security.authorization.AbstractAccessControlTest; -import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider; import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider; import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal; import org.apache.jackrabbit.oak.util.NodeUtil; @@ -120,8 +119,7 @@ } private AccessControlManagerImpl getAccessControlManager(NamePathMapper npMapper) { - PermissionProvider pp = getSecurityProvider().getAccessControlConfiguration().getPermissionProvider(root, adminSession.getAuthInfo().getPrincipals()); - return new AccessControlManagerImpl(root, npMapper, getSecurityProvider(), pp); + return new AccessControlManagerImpl(root, npMapper, getSecurityProvider()); } private NamePathMapper getLocalNamePathMapper() { Index: oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/version/ReadWriteVersionManager.java =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/version/ReadWriteVersionManager.java (revision 1466812) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/version/ReadWriteVersionManager.java (revision ) @@ -19,7 +19,6 @@ package org.apache.jackrabbit.oak.plugins.version; import java.util.Collections; -import java.util.GregorianCalendar; import java.util.Iterator; import javax.annotation.Nonnull; @@ -33,7 +32,6 @@ import org.apache.jackrabbit.oak.core.ImmutableTree; import org.apache.jackrabbit.oak.namepath.NamePathMapper; import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager; -import org.apache.jackrabbit.oak.plugins.value.Conversions; import org.apache.jackrabbit.oak.spi.state.NodeBuilder; import org.apache.jackrabbit.oak.util.TODO; Index: oak-core/src/main/java/org/apache/jackrabbit/oak/core/ContentRepositoryImpl.java =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/core/ContentRepositoryImpl.java (revision 1466812) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/core/ContentRepositoryImpl.java (revision ) @@ -81,7 +81,7 @@ throw new NoSuchWorkspaceException(workspaceName); } - LoginContextProvider lcProvider = securityProvider.getAuthenticationConfiguration().getLoginContextProvider(nodeStore, commitHook, indexProvider); + LoginContextProvider lcProvider = securityProvider.getAuthenticationConfiguration().getLoginContextProvider(this); LoginContext loginContext = lcProvider.getLoginContext(credentials, workspaceName); loginContext.login(); Index: oak-core/src/main/java/org/apache/jackrabbit/oak/core/ContentSessionImpl.java =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/core/ContentSessionImpl.java (revision 1466812) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/core/ContentSessionImpl.java (revision ) @@ -97,7 +97,12 @@ @Override protected void checkLive() { ContentSessionImpl.this.checkLive(); - } + } + + @Override + public ContentSession getContentSession() { + return ContentSessionImpl.this; + } }; return root; }