From a3baaa7d7aaee696b4102d891076924cfa531870 Mon Sep 17 00:00:00 2001
From: Robert Munteanu <rombert@apache.org>
Date: Mon, 17 Jul 2017 13:18:45 +0300
Subject: [PATCH 2/2] OAK-6450 - Stop relying on the service.pid property in
 SecurityProviderRegistration

Switch to a custom oak.security.name property, as we don't want to rely on the
DS-specific component.name property.
---
 .../principal/ExternalPrincipalConfiguration.java  |  7 ++++-
 .../authorization/cug/impl/CugConfiguration.java   |  7 ++++-
 .../token/TokenConfigurationImpl.java              |  7 ++++-
 .../AuthorizationConfigurationImpl.java            |  7 ++++-
 .../authorization/RegistrationConstants.java       | 31 ++++++++++++++++++++++
 .../restriction/RestrictionProviderImpl.java       |  5 ++++
 .../internal/SecurityProviderRegistration.java     |  8 +++---
 .../principal/PrincipalConfigurationImpl.java      |  5 ++++
 .../security/user/RandomAuthorizableNodeName.java  |  5 ++++
 .../user/UserAuthenticationFactoryImpl.java        | 11 +++++---
 .../action/DefaultAuthorizableActionProvider.java  |  7 ++++-
 11 files changed, 89 insertions(+), 11 deletions(-)
 create mode 100644 oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/RegistrationConstants.java

diff --git a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalPrincipalConfiguration.java b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalPrincipalConfiguration.java
index 2cc0a9384e..dbafb61ebb 100644
--- a/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalPrincipalConfiguration.java
+++ b/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalPrincipalConfiguration.java
@@ -16,6 +16,8 @@
  */
 package org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal;
 
+import static org.apache.jackrabbit.oak.security.authorization.RegistrationConstants.PN_OAK_SECURITY_NAME;
+
 import java.security.Principal;
 import java.security.acl.Group;
 import java.util.Arrays;
@@ -85,7 +87,10 @@ import org.slf4j.LoggerFactory;
         @Property(name = ExternalIdentityConstants.PARAM_PROTECT_EXTERNAL_IDS,
                 label = "External Identity Protection",
                 description = "If disabled rep:externalId properties won't be properly protected (backwards compatible behavior). NOTE: for security reasons it is strongly recommend to keep the protection enabled!",
-                boolValue = ExternalIdentityConstants.DEFAULT_PROTECT_EXTERNAL_IDS)
+                boolValue = ExternalIdentityConstants.DEFAULT_PROTECT_EXTERNAL_IDS),
+        @Property(name = PN_OAK_SECURITY_NAME,
+                propertyPrivate= true, 
+                value = "org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal.ExternalPrincipalConfiguration")
 })
 public class ExternalPrincipalConfiguration extends ConfigurationBase implements PrincipalConfiguration {
 
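Review bot: The `value` of the new `PN_OAK_SECURITY_NAME` property repeats the class's fully qualified name as a bare string literal, and nothing beside it says that the string is an identifier rather than a reflection of the class name. If this is the name operators list as a required service (it appears to take over from the old `component.name` match), a later rename or move of the class must not change it, and a typo would leave SecurityProviderRegistration waiting on a name that never registers. I would add a comment inside the annotation such as `// stable id matched by SecurityProviderRegistration; existing required-service configs depend on it, do not change on rename`, and cover each declared name with a test. The same applies to the matching additions in CugConfiguration, TokenConfigurationImpl, AuthorizationConfigurationImpl, RestrictionProviderImpl, PrincipalConfigurationImpl, RandomAuthorizableNodeName, UserAuthenticationFactoryImpl and DefaultAuthorizableActionProvider. As a style point, `propertyPrivate= true, ` here has uneven spacing and trailing whitespace.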
diff --git a/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java b/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java
index 98913bf899..f96440256a 100644
--- a/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java
+++ b/oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java
@@ -16,6 +16,8 @@
  */
 package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;
 
+import static org.apache.jackrabbit.oak.security.authorization.RegistrationConstants.PN_OAK_SECURITY_NAME;
+
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.Principal;
@@ -89,7 +91,10 @@ import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;
         @Property(name = CompositeConfiguration.PARAM_RANKING,
                 label = "Ranking",
                 description = "Ranking of this configuration in a setup with multiple authorization configurations.",
-                intValue = 200)
+                intValue = 200),
+        @Property(name = PN_OAK_SECURITY_NAME,
+                propertyPrivate = true,
+                value = "org.apache.jackrabbit.oak.spi.security.authorization.cug.impl.CugConfiguration")        
 })
 public class CugConfiguration extends ConfigurationBase implements AuthorizationConfiguration, CugConstants {
 
diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenConfigurationImpl.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenConfigurationImpl.java
index 0dbc5ebd36..b61818c4af 100644
--- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenConfigurationImpl.java
+++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenConfigurationImpl.java
@@ -16,6 +16,8 @@
  */
 package org.apache.jackrabbit.oak.security.authentication.token;
 
+import static org.apache.jackrabbit.oak.security.authorization.RegistrationConstants.PN_OAK_SECURITY_NAME;
+
 import java.security.Principal;
 import java.util.List;
 import java.util.Map;
@@ -73,7 +75,10 @@ import org.apache.jackrabbit.oak.spi.security.user.util.PasswordUtil;
         @Property(name = UserConstants.PARAM_PASSWORD_SALT_SIZE,
                 label = "Hash Salt Size",
                 description = "Size of the salt used to generate the hash.",
-                intValue = PasswordUtil.DEFAULT_SALT_SIZE)
+                intValue = PasswordUtil.DEFAULT_SALT_SIZE),
+        @Property(name = PN_OAK_SECURITY_NAME,
+                propertyPrivate = true,
+                value = "org.apache.jackrabbit.oak.security.authentication.token.TokenConfigurationImpl")
 })
 public class TokenConfigurationImpl extends ConfigurationBase implements TokenConfiguration {
 
diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java
index 8dc7b5ad2b..9487dcbd3f 100644
--- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java
+++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java
@@ -16,6 +16,8 @@
  */
 package org.apache.jackrabbit.oak.security.authorization;
 
+import static org.apache.jackrabbit.oak.security.authorization.RegistrationConstants.PN_OAK_SECURITY_NAME;
+
 import java.security.Principal;
 import java.util.ArrayList;
 import java.util.List;
@@ -108,7 +110,10 @@ import com.google.common.collect.ImmutableList;
         @Property(name = CompositeConfiguration.PARAM_RANKING,
                 label = "Ranking",
                 description = "Ranking of this configuration in a setup with multiple authorization configurations.",
-                intValue = 100)
+                intValue = 100),
+        @Property(name = PN_OAK_SECURITY_NAME,
+                propertyPrivate = true,
+                value = "org.apache.jackrabbit.oak.security.authorization.AuthorizationConfigurationImpl")
 })
 public class AuthorizationConfigurationImpl extends ConfigurationBase implements AuthorizationConfiguration {
 
diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/RegistrationConstants.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/RegistrationConstants.java
new file mode 100644
index 0000000000..72efba50e7
--- /dev/null
+++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/RegistrationConstants.java
@@ -0,0 +1,31 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.jackrabbit.oak.security.authorization;
+
+/**
+ * Holds the names of well-known registration properties for security-related components
+ *
+ */
+public abstract class RegistrationConstants {
+
+    public static final String PN_OAK_SECURITY_NAME = "oak.security.name";
+    
+    private RegistrationConstants() {
+        
+    }
+}
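Review bot: `RegistrationConstants` is declared `abstract` and also given a private constructor; the private constructor already blocks instantiation and outside subclassing, so `public final class RegistrationConstants` is the usual form for a constants holder. `PN_OAK_SECURITY_NAME` has no Javadoc; I would add one line saying it is the service registration property that SecurityProviderRegistration reads when `service.pid` is absent, and that its value is a stable identifier chosen by the component. The class lives in `security.authorization`, yet this patch imports it from the oak-auth-external and oak-authorization-cug modules and from principal, token and user components. If that package is not part of oak-core's exported API, a neutral `spi.security` package would be a better home; worth confirming against the bundle's export list.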
diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
index cad35830cf..54b5959f18 100644
--- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
+++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImpl.java
@@ -16,6 +16,8 @@
  */
 package org.apache.jackrabbit.oak.security.authorization.restriction;
 
+import static org.apache.jackrabbit.oak.security.authorization.RegistrationConstants.PN_OAK_SECURITY_NAME;
+
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
@@ -26,6 +28,7 @@ import javax.jcr.security.AccessControlException;
 
 import com.google.common.collect.ImmutableMap;
 import org.apache.felix.scr.annotations.Component;
+import org.apache.felix.scr.annotations.Property;
 import org.apache.felix.scr.annotations.Service;
 import org.apache.jackrabbit.oak.api.PropertyState;
 import org.apache.jackrabbit.oak.api.Tree;
@@ -58,6 +61,8 @@ import org.slf4j.LoggerFactory;
  */
 @Component
 @Service(RestrictionProvider.class)
+@Property(name = PN_OAK_SECURITY_NAME,
+        value = "org.apache.jackrabbit.oak.security.authorization.restriction.RestrictionProviderImpl")
 public class RestrictionProviderImpl extends AbstractRestrictionProvider {
 
     private static final Logger log = LoggerFactory.getLogger(RestrictionProviderImpl.class);
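Review bot: This `@Property` omits `propertyPrivate = true`, which the same addition carries in ExternalPrincipalConfiguration, CugConfiguration, TokenConfigurationImpl, AuthorizationConfigurationImpl, RandomAuthorizableNodeName and DefaultAuthorizableActionProvider; PrincipalConfigurationImpl and UserAuthenticationFactoryImpl omit it as well. The identifier is not meant to be an operator-facing setting, so I would declare it the same way everywhere: `@Property(name = PN_OAK_SECURITY_NAME, propertyPrivate = true, value = "...")`. It probably has no visible effect while these three components declare no metatype, but it keeps the name out of the generated metatype if one is enabled later.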
diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/internal/SecurityProviderRegistration.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/internal/SecurityProviderRegistration.java
index 07a8e6f081..bf2c17659f 100644
--- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/internal/SecurityProviderRegistration.java
+++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/internal/SecurityProviderRegistration.java
@@ -36,6 +36,7 @@ import org.apache.felix.scr.annotations.ReferencePolicy;
 import org.apache.felix.scr.annotations.References;
 import org.apache.jackrabbit.oak.commons.PropertiesUtil;
 import org.apache.jackrabbit.oak.osgi.OsgiWhiteboard;
+import org.apache.jackrabbit.oak.security.authorization.RegistrationConstants;
 import org.apache.jackrabbit.oak.security.authorization.composite.CompositeAuthorizationConfiguration;
 import org.apache.jackrabbit.oak.security.user.UserConfigurationImpl;
 import org.apache.jackrabbit.oak.spi.security.CompositeConfiguration;
@@ -68,6 +69,7 @@ import org.slf4j.LoggerFactory;
 
 import static com.google.common.collect.Lists.newArrayList;
 import static com.google.common.collect.Lists.newCopyOnWriteArrayList;
+import static org.apache.jackrabbit.oak.security.authorization.RegistrationConstants.PN_OAK_SECURITY_NAME;
 import static org.osgi.framework.Constants.OBJECTCLASS;
 
 @Component(
@@ -82,9 +84,9 @@ import static org.osgi.framework.Constants.OBJECTCLASS;
                 label = "Required Services",
                 description = "The SecurityProvider will not register itself " +
                         "unless the services identified by the following service pids " +
-                        "or component names are registered first. The class name is " +
+                        "or the oak.security.name properties are registered first. The class name is " +
                         "identified by checking the service.pid property. If that property " +
-                        "does not exist, the component.name property is used as a fallback." +
+                        "does not exist, the oak.security.name property is used as a fallback." +
                         "Only implementations of the following interfaces are checked :" +
                         "AuthorizationConfiguration, PrincipalConfiguration, " +
                         "TokenConfiguration, AuthorizableActionProvider, " +
@@ -594,7 +596,7 @@ public class SecurityProviderRegistration {
         if ( servicePid != null ) {
             return servicePid;
         }
-        return PropertiesUtil.toString(properties.get("component.name"), null);
+        return PropertiesUtil.toString(properties.get(PN_OAK_SECURITY_NAME), null);
     }
 
     private static String[] getRequiredServicePids(Map<String, Object> configuration) {
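Review bot: The fallback now reads only `oak.security.name`, so a service that sets neither `service.pid` nor the new property returns null here, even if an existing configuration lists it by `component.name`, and it can no longer satisfy the required-services check. If that check gates SecurityProvider registration, as the property description in the previous hunk says, such a deployment ends up with a provider that never registers, and nothing in this hunk logs why. I would log the unidentified service through the class's logger before returning, and call out the migration in the release notes. The value is also a self-declared service property, so a match shows that something registered under that name, not which implementation it is; a comment such as `// oak.security.name is declared by the registering service: it identifies, it does not authenticate` would make that explicit. The enclosing method starts outside the hunk.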
diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/principal/PrincipalConfigurationImpl.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/principal/PrincipalConfigurationImpl.java
index d2b666fe6c..f8ab796309 100644
--- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/principal/PrincipalConfigurationImpl.java
+++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/principal/PrincipalConfigurationImpl.java
@@ -16,12 +16,15 @@
  */
 package org.apache.jackrabbit.oak.security.principal;
 
+import static org.apache.jackrabbit.oak.security.authorization.RegistrationConstants.PN_OAK_SECURITY_NAME;
+
 import java.util.Map;
 
 import javax.annotation.Nonnull;
 
 import org.apache.felix.scr.annotations.Activate;
 import org.apache.felix.scr.annotations.Component;
+import org.apache.felix.scr.annotations.Property;
 import org.apache.felix.scr.annotations.Service;
 import org.apache.jackrabbit.api.security.principal.PrincipalManager;
 import org.apache.jackrabbit.oak.api.Root;
@@ -40,6 +43,8 @@ import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
  */
 @Component()
 @Service({PrincipalConfiguration.class, SecurityConfiguration.class})
+@Property(name = PN_OAK_SECURITY_NAME,
+        value = "org.apache.jackrabbit.oak.security.principal.PrincipalConfigurationImpl" )
 public class PrincipalConfigurationImpl extends ConfigurationBase implements PrincipalConfiguration {
 
     @SuppressWarnings("UnusedDeclaration")
diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/RandomAuthorizableNodeName.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/RandomAuthorizableNodeName.java
index 5991c74d1b..13212bb4ec 100644
--- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/RandomAuthorizableNodeName.java
+++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/RandomAuthorizableNodeName.java
@@ -16,6 +16,8 @@
  */
 package org.apache.jackrabbit.oak.security.user;
 
+import static org.apache.jackrabbit.oak.security.authorization.RegistrationConstants.PN_OAK_SECURITY_NAME;
+
 import java.security.SecureRandom;
 import java.util.Map;
 import java.util.Random;
@@ -35,6 +37,9 @@ import org.apache.jackrabbit.oak.spi.security.user.AuthorizableNodeName;
  */
 @Component(metatype = true, label = "Apache Jackrabbit Oak Random Authorizable Node Name", description = "Generates a random name for the authorizable node.", policy = ConfigurationPolicy.REQUIRE)
 @Service(AuthorizableNodeName.class)
+@Property(name = PN_OAK_SECURITY_NAME,
+        propertyPrivate = true,
+        value = "org.apache.jackrabbit.oak.security.user.RandomAuthorizableNodeName")
 public class RandomAuthorizableNodeName implements AuthorizableNodeName {
 
     /**
diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserAuthenticationFactoryImpl.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserAuthenticationFactoryImpl.java
index a9f49990c4..773efe0eb5 100644
--- a/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserAuthenticationFactoryImpl.java
+++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserAuthenticationFactoryImpl.java
@@ -16,18 +16,23 @@
  */
 package org.apache.jackrabbit.oak.security.user;
 
+import static org.apache.jackrabbit.oak.security.authorization.RegistrationConstants.PN_OAK_SECURITY_NAME;
+
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+
 import org.apache.felix.scr.annotations.Component;
+import org.apache.felix.scr.annotations.Property;
 import org.apache.felix.scr.annotations.Service;
 import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.spi.security.authentication.Authentication;
 import org.apache.jackrabbit.oak.spi.security.user.UserAuthenticationFactory;
 import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
 
-import javax.annotation.Nonnull;
-import javax.annotation.Nullable;
-
 @Component
 @Service
+@Property(name = PN_OAK_SECURITY_NAME,
+        value = "org.apache.jackrabbit.oak.security.user.UserAuthenticationFactoryImpl")
 public class UserAuthenticationFactoryImpl implements UserAuthenticationFactory {
 
     @Nonnull
diff --git a/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/DefaultAuthorizableActionProvider.java b/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/DefaultAuthorizableActionProvider.java
index 4ed997e4a4..8acc770b10 100644
--- a/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/DefaultAuthorizableActionProvider.java
+++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/DefaultAuthorizableActionProvider.java
@@ -16,6 +16,8 @@
  */
 package org.apache.jackrabbit.oak.spi.security.user.action;
 
+import static org.apache.jackrabbit.oak.security.authorization.RegistrationConstants.PN_OAK_SECURITY_NAME;
+
 import java.util.List;
 import java.util.Map;
 import javax.annotation.Nonnull;
@@ -60,7 +62,10 @@ import org.slf4j.LoggerFactory;
                 cardinality = Integer.MAX_VALUE),
         @Property(name = PasswordValidationAction.CONSTRAINT,
                 label = "Configure PasswordValidationAction: Password Constraint",
-                description = "A regular expression specifying the pattern that must be matched by a user's password.")
+                description = "A regular expression specifying the pattern that must be matched by a user's password."),
+        @Property(name = PN_OAK_SECURITY_NAME,
+                 propertyPrivate = true,
+                 value = "org.apache.jackrabbit.oak.spi.security.user.action.DefaultAuthorizableActionProvider")
 })
 public class DefaultAuthorizableActionProvider implements AuthorizableActionProvider {
 
-- 
2.13.2

