1 /*****************************************************************************
2 * Copyright Igor Barma, Eric Brun, Alexandre Desoubeaux, Christian Martel,
5 * Ce logiciel est un programme informatique servant à l'évaluation des
8 * Ce logiciel est régi par la licence CeCILL soumise au droit français et
9 * respectant les principes de diffusion des logiciels libres. Vous pouvez
10 * utiliser, modifier et/ou redistribuer ce programme sous les conditions
11 * de la licence CeCILL telle que diffusée par le CEA, le CNRS et l'INRIA
12 * sur le site "http://www.cecill.info".
14 * En contrepartie de l'accessibilité au code source et des droits de copie,
15 * de modification et de redistribution accordés par cette licence, il n'est
16 * offert aux utilisateurs qu'une garantie limitée. Pour les mêmes raisons,
17 * seule une responsabilité restreinte pèse sur l'auteur du programme, le
18 * titulaire des droits patrimoniaux et les concédants successifs.
20 * A cet égard l'attention de l'utilisateur est attirée sur les risques
21 * associés au chargement, à l'utilisation, à la modification et/ou au
22 * développement et à la reproduction du logiciel par l'utilisateur étant
23 * donné sa spécificité de logiciel libre, qui peut le rendre complexe à
24 * manipuler et qui le réserve donc à des développeurs et des professionnels
25 * avertis possédant des connaissances informatiques approfondies. Les
26 * utilisateurs sont donc invités à charger et tester l'adéquation du
27 * logiciel à leurs besoins dans des conditions permettant d'assurer la
28 * sécurité de leurs systèmes et ou de leurs données et, plus généralement,
29 * à l'utiliser et l'exploiter dans les mêmes conditions de sécurité.
31 * Le fait que vous puissiez accéder à cet en-tête signifie que vous avez
32 * pris connaissance de la licence CeCILL, et que vous en avez accepté les
34 *******************************************************************************/
35 package com.pentila.jackrabbit.auth;
37 import java.util.Properties;
39 import javax.jcr.AccessDeniedException;
40 import javax.jcr.ItemNotFoundException;
41 import javax.jcr.NoSuchWorkspaceException;
42 import javax.jcr.Node;
43 import javax.jcr.PathNotFoundException;
44 import javax.jcr.RepositoryException;
45 import javax.jcr.Session;
46 import javax.jcr.SimpleCredentials;
47 import javax.jcr.Value;
48 import javax.naming.InitialContext;
50 import org.apache.jackrabbit.core.ItemId;
51 import org.apache.jackrabbit.core.NodeId;
52 import org.apache.jackrabbit.core.PropertyId;
53 import org.apache.jackrabbit.core.RepositoryImpl;
54 import org.apache.jackrabbit.core.security.AMContext;
55 import org.apache.jackrabbit.core.security.AccessManager;
56 import org.apache.jackrabbit.uuid.UUID;
60 // TODO: Auto-generated Javadoc
62 * The Class SimpleCASAccessManager.
64 public class SimpleCASAccessManager implements AccessManager {
66 org.slf4j.Logger logger = org.slf4j.LoggerFactory
67 .getLogger(SimpleCASAccessManager.class);
69 /** The am context. */
72 /** The is content node. */
73 boolean isContentNode = false;// = n.getName().equals("jcr:content");
75 /** The is file node type. */
76 boolean isFileNodeType = false;// = n.isNodeType("nt:file");
78 /** The is folder node type. */
79 boolean isFolderNodeType = false;// = n.isNodeType("nt:folder");
82 boolean isOwner = false;// = this.isOwner(n, user);
84 /** The is parent owner. */
85 boolean isParentOwner = false;// = (parent != null) && (this.isOwner(parent,
88 /** The is root folder. */
89 boolean isRootFolder = false;// = n.getPath().equals("/");
91 /** The is root parent. */
92 boolean isRootParent = false;// = n.getParent().getPath().equals("/");
95 boolean isShared = false;// = this.isOwner(n, user);
97 /** The is system node. */
98 boolean isSystemNode = false;// = n.getName().equals("jcr:system");
100 /** The is workspace name. */
101 boolean isWorkspaceName = false;
104 String path = null;// = n.getPath();
113 private static String access = "anonymous";
115 /** The superuser. */
116 private static boolean superuser = false;
119 * Instantiates a new simple cas access manager.
121 public SimpleCASAccessManager() {
125 logger.debug("SimpleCASAccessManager initilize ....");
130 Properties props = new Properties();
132 .put("java.naming.factory.initial",
133 "org.apache.jackrabbit.core.jndi.provider.DummyInitialContextFactory");
134 props.put("java.naming.provider.url",
135 "http://www.apache.org/jackrabbit");
137 InitialContext ic = new InitialContext(props);
138 rep = (RepositoryImpl) ic.lookup("jackrabbit.repository");
140 } catch (Exception e) {
142 logger.debug("Exception Constructor", e);
148 * @see org.apache.jackrabbit.core.security.AccessManager#canAccess(java.lang.String)
150 public boolean canAccess(String arg0) throws NoSuchWorkspaceException,
151 RepositoryException {
156 * @see org.apache.jackrabbit.core.security.AccessManager#checkPermission(org.apache.jackrabbit.core.ItemId, int)
158 public void checkPermission(ItemId arg0, int arg1)
159 throws AccessDeniedException, ItemNotFoundException,
160 RepositoryException {
165 * @see org.apache.jackrabbit.core.security.AccessManager#close()
167 public void close() throws Exception {
174 * @return access : anonimus or restricted
176 public String getAccess() {
181 * Used tu get the folder of the current node. if this node is of
182 * "jcr:content" type, which is a child node of "nt:file" which can be in a
183 * "nt:folder" node, it will return the "nt:folder" node.
185 * @param start the node from where the search is made. No matter if the node
186 * it is a folder, it will start looking in the parent node.
188 * @return the first "nt:folder" found
190 private Node getFolder(Node start) {
193 pp = start.getParent();
194 if (pp.isNodeType("nt:folder")) {
199 } catch (Exception e) {
206 * Retreives the node found in requestNode item.
208 * @param requestNode ItemId ( can be NodeId or PropertyId )
209 * @param jcrSession a open session object
211 * @return the Node located in requestNode item
213 * @throws ItemNotFoundException the item not found exception
214 * @throws RepositoryException the repository exception
216 private Node getNode(ItemId requestNode, Session jcrSession)
217 throws ItemNotFoundException, RepositoryException {
221 if (requestNode.denotesNode()) {
222 nid = (NodeId) requestNode;
224 PropertyId pid = (PropertyId) requestNode;
225 nid = pid.getParentId();
227 uuid = nid.getUUID();
228 String u = uuid.toString();
230 return jcrSession.getNodeByUUID(u);
234 * Will test if the following parameters will grant or not the current user.
236 * @param isFileNodeType the is file node type
237 * @param isFolderNodeType the is folder node type
238 * @param isRootFolder the is root folder
239 * @param isContentNode the is content node
240 * @param isSystemNode the is system node
241 * @param isParentOwner the is parent owner
242 * @param isWorkspaceName the is workspace name
243 * @param isOwner the is owner
244 * @param isRootParent the is root parent
245 * @param isShared the is shared
247 * @return true, if checks for access
249 private boolean hasAccess(boolean isFileNodeType, boolean isFolderNodeType,
250 boolean isRootFolder, boolean isContentNode, boolean isSystemNode,
251 boolean isParentOwner, boolean isWorkspaceName, boolean isOwner,
252 boolean isRootParent, boolean isShared) {
254 //TODO : Seriouly must be perform !!!
257 boolean localHasAccess = isOwner || isShared;
260 return localHasAccess;
264 if (isFileNodeType || isFolderNodeType || isRootFolder || isContentNode
267 if (!localHasAccess && isContentNode && isParentOwner) {
269 localHasAccess = true;
272 if (!localHasAccess && (isRootFolder || isSystemNode)) {
274 localHasAccess = true;
277 if (!localHasAccess && isWorkspaceName && isRootParent) // in
283 localHasAccess = true;
288 localHasAccess = true;
295 if (!localHasAccess && isWorkspaceName && isRootParent) // in in
299 localHasAccess = true;
303 return localHasAccess;
307 * @see org.apache.jackrabbit.core.security.AccessManager#init(org.apache.jackrabbit.core.security.AMContext)
309 public void init(AMContext amContext) throws AccessDeniedException,
312 user = amContext.getSubject().getPrincipals().iterator().next()
314 if (user.equals("system")){
317 this.amContext = amContext;
321 * Main method called by the cas. In permissionLevel will be the action: 1
322 * is read 2 is add 0 is delete
324 * @param arg0 the arg0
325 * @param permissionLevel the permission level
327 * @return true, if checks if is granted
329 * @throws ItemNotFoundException the item not found exception
330 * @throws RepositoryException the repository exception
332 public boolean isGranted(ItemId arg0, int permissionLevel)
333 throws ItemNotFoundException, RepositoryException {
335 // TODO : must be perform
337 if (access.equals("anonymous")) {
339 } else if (access.equals("restricted")) {
344 Session jcrSession = rep.login(new SimpleCredentials(user, user
350 n = this.getNode(arg0, jcrSession);
351 }catch (Exception e){
352 // Cas ou parfois le repository est corrompu ... ItemNotFoundException
353 logger.debug("Erreur sur getNode Method : ", e);
357 isContentNode = n.getName().equals("jcr:content");
358 isSystemNode = n.getName().equals("jcr:system");
362 // on remonte d'un cran cas le noeud
363 // qui nous interesse est le noeud conteneur du jcr:content
367 isFileNodeType = n.isNodeType("nt:file");
368 isFolderNodeType = n.isNodeType("nt:folder");
369 isRootFolder = n.getDepth() == 0;
373 isOwner = this.isOwner(n, user);
374 isShared = this.isShared(n, user);
376 if (!isOwner && !isShared && !isRootFolder){
378 Node parent = getFolder(n);
379 boolean foundInHierarchy = false;
381 while (parent != null && !foundInHierarchy) {
383 foundInHierarchy = this.isOwner(parent, user) || this.isShared(parent, user);
384 if (foundInHierarchy){
387 parent = this.getFolder(parent);
391 isParentOwner = (foundInHierarchy)
392 || ((parent != null) && (this.isOwner(parent, user)));
395 isRootParent = n.getParent().getDepth() == 0;
396 } catch (Exception e) {
398 isWorkspaceName = n.getName().equals(user)
399 || n.getName().equals(user + "_eval");
402 if (logger.isDebugEnabled()){
404 logger.debug("isGranted Method : Access : " + access + " / Path : " + n.getPath() + " / User : " + user + " / isOwner : " + isOwner + " / isShared : " + isShared ) ;
410 /*if (logger.isDebugEnabled()){
411 logger.debug("isFileNodeType : " + isFileNodeType);
412 logger.debug("isFolderNodeType : " + isFolderNodeType);
413 logger.debug("isRootFolder : " + isRootFolder);
414 logger.debug("isContentNode : " + isContentNode);
415 logger.debug("isSystemNode : " + isSystemNode);
416 logger.debug("isParentOwner : " + isParentOwner);
417 logger.debug("isWorkspaceName : " + isWorkspaceName);
420 boolean retVal = this.hasAccess(isFileNodeType, isFolderNodeType,
421 isRootFolder, isContentNode, isSystemNode, isParentOwner,
422 isWorkspaceName, isOwner, isWorkspaceName, isShared);
425 if (logger.isDebugEnabled()){
426 logger.debug("After all : access is : " + retVal);
430 if (logger.isDebugEnabled()){
431 logger.debug("After all : access is : False" );
438 * Tests if the node has the userName in access list.
441 * @param userName user
443 * @return true if found
445 private boolean isOwner(Node node, String userName) {
446 boolean retVal = false;
447 String type = "jcr:owner";
451 Value ownersList[] = node.getProperty(type).getValues();
452 if (logger.isDebugEnabled()){
453 logger.debug("isOwner values found:" +ownersList.length);
456 for (Value i : ownersList) {
458 if (logger.isDebugEnabled()){
459 logger.debug(node.getName() + " >> "
460 + i.getString() + ".");
462 if (i.getString().equals(userName)) {
468 } catch (PathNotFoundException e) {
469 logger.debug("PathNotFound", e);
471 } catch (RepositoryException e) {
472 logger.debug("Reposit Exception", e);
480 * Checks if the node has the user in access list.
482 * @param node the node
483 * @param userName the user name
485 * @return true if found
487 private boolean isShared(Node node, String userName) {
488 boolean retVal = false;
489 String type = "jcr:shared";
492 Value ownersList[] = node.getProperty(type).getValues();
493 if (logger.isDebugEnabled()){
494 logger.debug("shared list size:" +
497 for (Value i : ownersList) {
498 if (logger.isDebugEnabled()){
499 logger.debug(" >> " + i.getString() + ".");
501 if (i.getString().equals(userName)) {
507 } catch (PathNotFoundException e) {
508 logger.debug("PathNotFound", e);
510 } catch (RepositoryException e) {
511 logger.debug("Reposit Exception", e);
518 * Set the access parameter which can be modified in the repository.xml
521 * @param access the access
523 public void setAccess(String access) {
524 SimpleCASAccessManager.access = access;