Example 31 with AccessControlManager
use of javax.jcr.security.AccessControlManager in project jackrabbit by apache.
the class MoveTest method testMoveWithDifferentEffectiveAc.
public void testMoveWithDifferentEffectiveAc() throws Exception {
Session testSession = getTestSession();
AccessControlManager testAcMgr = getTestACManager();
ValueFactory vf = superuser.getValueFactory();
/*
precondition:
testuser must have READ-only permission on test-node and below
*/
checkReadOnly(path);
checkReadOnly(childNPath);
Node node3 = superuser.getNode(childNPath).addNode(nodeName3);
superuser.save();
String node3Path = node3.getPath();
Privilege[] privileges = privilegesFromName(NameConstants.JCR_READ.toString());
// @path read is denied, @childNode its allowed again
withdrawPrivileges(path, privileges, getRestrictions(superuser, path));
givePrivileges(childNPath, privileges, getRestrictions(superuser, childNPath));
assertTrue(testSession.nodeExists(node3Path));
assertTrue(testAcMgr.hasPrivileges(node3Path, privileges));
// move the ancestor node
String movedPath = path + "/movedNode";
superuser.move(node3Path, movedPath);
superuser.save();
// expected behavior:
// due to move node3 should not e visible any more
assertFalse(testSession.nodeExists(movedPath));
assertFalse(testAcMgr.hasPrivileges(movedPath, privileges));
}
Also used :
AccessControlManager(javax.jcr.security.AccessControlManager)
Node(javax.jcr.Node)
ValueFactory(javax.jcr.ValueFactory)
Privilege(javax.jcr.security.Privilege)
Session(javax.jcr.Session)
Example 32 with AccessControlManager
use of javax.jcr.security.AccessControlManager in project jackrabbit by apache.
the class RestrictionTest method testHasPermissionWithRestrictions.
/**
* Tests if the restriction are active at the proper place
*/
public void testHasPermissionWithRestrictions() throws Exception {
// create permissions
// allow rep:write /testroot
// deny jcr:removeNode /testroot/a glob=*/c
// allow jcr:removeNode /testroot/a glob=*/b
// allow jcr:removeNode /testroot/a glob=*/c/*
addEntry(path_root, true, "", Privilege.JCR_READ, Privilege.JCR_WRITE);
addEntry(path_a, false, "*/c", Privilege.JCR_REMOVE_NODE);
addEntry(path_a, true, "*/b", Privilege.JCR_REMOVE_NODE);
addEntry(path_a, true, "*/c/*", Privilege.JCR_REMOVE_NODE);
Session testSession = getTestSession();
try {
AccessControlManager acMgr = getAccessControlManager(testSession);
assertFalse("user should not have remove node on /a/b/c", acMgr.hasPrivileges(path_c, AccessControlUtils.privilegesFromNames(acMgr, Privilege.JCR_REMOVE_NODE)));
assertTrue("user should have remove node on /a/b", acMgr.hasPrivileges(path_b, AccessControlUtils.privilegesFromNames(acMgr, Privilege.JCR_REMOVE_NODE)));
assertTrue("user should have remove node on /a/b/c/d", acMgr.hasPrivileges(path_d, AccessControlUtils.privilegesFromNames(acMgr, Privilege.JCR_REMOVE_NODE)));
// should be able to remove /a/b/c/d
testSession.getNode(path_d).remove();
testSession.save();
try {
testSession.getNode(path_c).remove();
testSession.save();
fail("removing node on /a/b/c should fail");
} catch (RepositoryException e) {
// all ok
}
} finally {
testSession.logout();
}
}
Also used :
AccessControlManager(javax.jcr.security.AccessControlManager)
RepositoryException(javax.jcr.RepositoryException)
Session(javax.jcr.Session)
Example 33 with AccessControlManager
use of javax.jcr.security.AccessControlManager in project jackrabbit by apache.
the class WriteTest method testInheritedGroupPermissions.
public void testInheritedGroupPermissions() throws NotExecutableException, RepositoryException {
Group testGroup = getTestGroup();
AccessControlManager testAcMgr = getTestACManager();
/*
precondition:
testuser must have READ-only permission on test-node and below
*/
checkReadOnly(path);
Privilege[] privileges = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES);
/* give MODIFY_PROPERTIES privilege for testGroup at 'path' */
givePrivileges(path, testGroup.getPrincipal(), privileges, getRestrictions(superuser, path));
/*
withdraw MODIFY_PROPERTIES privilege for everyone at 'childNPath'
*/
withdrawPrivileges(childNPath, EveryonePrincipal.getInstance(), privileges, getRestrictions(superuser, path));
// result at 'child path' must be deny
assertFalse(testAcMgr.hasPrivileges(childNPath, privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES)));
}
Also used :
AccessControlManager(javax.jcr.security.AccessControlManager)
Group(org.apache.jackrabbit.api.security.user.Group)
Privilege(javax.jcr.security.Privilege)
Example 34 with AccessControlManager
use of javax.jcr.security.AccessControlManager in project jackrabbit-oak by apache.
the class AccessControlAction method setAC.
private void setAC(@Nonnull Authorizable authorizable, @Nonnull Root root, @Nonnull NamePathMapper namePathMapper) throws RepositoryException {
if (securityProvider == null) {
throw new IllegalStateException("Not initialized");
}
if (authorizable.isGroup()) {
if (groupPrivilegeNames.length == 0) {
log.debug("No privileges configured for groups; omit ac setup.");
return;
}
} else {
if (userPrivilegeNames.length == 0) {
log.debug("No privileges configured for users; omit ac setup.");
return;
}
if (isBuiltInUser(authorizable)) {
log.debug("System user: " + authorizable.getID() + "; omit ac setup.");
return;
}
}
Principal principal = authorizable.getPrincipal();
if (administrativePrincipals.contains(principal.getName())) {
log.debug("Administrative principal: " + principal.getName() + "; omit ac setup.");
return;
}
String path = authorizable.getPath();
AuthorizationConfiguration acConfig = securityProvider.getConfiguration(AuthorizationConfiguration.class);
AccessControlManager acMgr = acConfig.getAccessControlManager(root, namePathMapper);
JackrabbitAccessControlList acl = null;
for (AccessControlPolicyIterator it = acMgr.getApplicablePolicies(path); it.hasNext(); ) {
AccessControlPolicy plc = it.nextAccessControlPolicy();
if (plc instanceof JackrabbitAccessControlList) {
acl = (JackrabbitAccessControlList) plc;
break;
}
}
if (acl == null) {
log.warn("Cannot process AccessControlAction: no applicable ACL at " + path);
} else {
// setup acl according to configuration.
boolean modified = false;
String[] privNames = (authorizable.isGroup()) ? groupPrivilegeNames : userPrivilegeNames;
modified = acl.addAccessControlEntry(principal, getPrivileges(privNames, acMgr));
if (modified) {
acMgr.setPolicy(path, acl);
}
}
}
Also used :
AccessControlManager(javax.jcr.security.AccessControlManager)
AccessControlPolicy(javax.jcr.security.AccessControlPolicy)
AuthorizationConfiguration(org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration)
AccessControlPolicyIterator(javax.jcr.security.AccessControlPolicyIterator)
JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList)
Principal(java.security.Principal)
Example 35 with AccessControlManager
use of javax.jcr.security.AccessControlManager in project jackrabbit-oak by apache.
the class AccessControlValidatorTest method testDuplicateAce.
@Test
public void testDuplicateAce() throws Exception {
AccessControlManager acMgr = getAccessControlManager(root);
JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, testPath);
acl.addAccessControlEntry(testPrincipal, privilegesFromNames(PrivilegeConstants.JCR_ADD_CHILD_NODES));
acMgr.setPolicy(testPath, acl);
// add duplicate ac-entry on OAK-API
NodeUtil policy = new NodeUtil(root.getTree(testPath + "/rep:policy"));
NodeUtil ace = policy.addChild("duplicateAce", NT_REP_GRANT_ACE);
ace.setString(REP_PRINCIPAL_NAME, testPrincipal.getName());
ace.setNames(AccessControlConstants.REP_PRIVILEGES, PrivilegeConstants.JCR_ADD_CHILD_NODES);
try {
root.commit();
fail("Creating duplicate ACE must be detected");
} catch (CommitFailedException e) {
assertTrue(e.isAccessControlViolation());
assertThat(e.getMessage(), containsString("/testRoot/rep:policy/duplicateAce"));
}
}
Also used :
AccessControlManager(javax.jcr.security.AccessControlManager)
JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList)
CommitFailedException(org.apache.jackrabbit.oak.api.CommitFailedException)
NodeUtil(org.apache.jackrabbit.oak.util.NodeUtil)
AbstractSecurityTest(org.apache.jackrabbit.oak.AbstractSecurityTest)
Test(org.junit.Test)
Aggregations
AccessControlManager (javax.jcr.security.AccessControlManager)192
Privilege (javax.jcr.security.Privilege)82
JackrabbitAccessControlList (org.apache.jackrabbit.api.security.JackrabbitAccessControlList)77
AccessControlPolicy (javax.jcr.security.AccessControlPolicy)62
Session (javax.jcr.Session)47
Test (org.junit.Test)45
AccessControlEntry (javax.jcr.security.AccessControlEntry)39
Node (javax.jcr.Node)33
AccessControlList (javax.jcr.security.AccessControlList)32
JackrabbitAccessControlManager (org.apache.jackrabbit.api.security.JackrabbitAccessControlManager)32
AbstractSecurityTest (org.apache.jackrabbit.oak.AbstractSecurityTest)23
Principal (java.security.Principal)22
Value (javax.jcr.Value)17
HashMap (java.util.HashMap)14
JackrabbitAccessControlEntry (org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry)14
Group (org.apache.jackrabbit.api.security.user.Group)14
ValueFactory (javax.jcr.ValueFactory)13
AccessControlPolicyIterator (javax.jcr.security.AccessControlPolicyIterator)13
NodeImpl (org.apache.jackrabbit.core.NodeImpl)13
NodeUtil (org.apache.jackrabbit.oak.util.NodeUtil)12
