
Example 1 with AccessDeniedException

use of net.sf.acegisecurity.AccessDeniedException in project records-management by Alfresco.

the class RMMethodSecurityInterceptor method beforeInvocation.

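/**
 * Resets the per-thread capability report state, runs the inherited method security check and,
 * when debug logging is enabled, rethrows a denial with diagnostic detail appended to its message.
 *
 * <p>Security note: with debug logging enabled the rethrown exception message carries the
 * {@code toString()} of every method argument, the recorded messages and the failure report.
 * Whatever handles this exception further up the stack receives that text, so it should not be
 * rendered to end users or written to logs with weaker access control than the debug log itself.
 *
 * @param object the secured invocation; cast to {@link MethodInvocation} only when a denial is reported
 * @return the token returned by {@code super.beforeInvocation(object)}
 * @throws AccessDeniedException if the inherited check denies access; enriched with method details
 *         when debug logging is enabled, rethrown unchanged otherwise
 * @see net.sf.acegisecurity.intercept.AbstractSecurityInterceptor#beforeInvocation(java.lang.Object)
 */
@Override
protected InterceptorStatusToken beforeInvocation(Object object) {
    InterceptorStatusToken result = null;
    try {
        // clear the capability report information left on this thread by any earlier check
        RMMethodSecurityInterceptor.CAPABILITIES.remove();
        RMMethodSecurityInterceptor.IS_RM_SECURITY_CHECK.remove();
        RMMethodSecurityInterceptor.MESSAGES.remove();
        // before invocation (where method security check takes place)
        result = super.beforeInvocation(object);
    } catch (AccessDeniedException exception) {
        if (!LOGGER.isDebugEnabled()) {
            // Keep the denial terse outside debug mode: no argument values leave this method.
            throw exception;
        }
        MethodInvocation mi = (MethodInvocation) object;
        StringBuilder methodDetails = new StringBuilder("\n");
        // Boolean.TRUE.equals avoids a NullPointerException on unboxing if the thread-local holds no
        // value after remove(); that NPE would otherwise replace the AccessDeniedException.
        if (Boolean.TRUE.equals(RMMethodSecurityInterceptor.IS_RM_SECURITY_CHECK.get())) {
            methodDetails.append("RM method security check was performed.\n");
        } else {
            methodDetails.append("Standard DM method security check was performed.\n");
        }
        boolean first = true;
        methodDetails.append("Failed on method:  ").append(mi.getMethod().getName()).append("(");
        for (Object arg : mi.getArguments()) {
            if (first) {
                first = false;
            } else {
                methodDetails.append(", ");
            }
            // String.valueOf renders null as "null" and calls toString() otherwise
            methodDetails.append(String.valueOf(arg));
        }
        methodDetails.append(")\n");
        List<String> messages = RMMethodSecurityInterceptor.MESSAGES.get();
        if (messages != null) {
            for (String message : messages) {
                methodDetails.append(message).append("\n");
            }
        }
        // Read the failure report once so the null check and the appended text refer to the same value.
        String failureReport = getFailureReport();
        String detail = exception.getMessage() + methodDetails;
        if (failureReport != null) {
            detail = detail + failureReport;
        }
        // rethrow with additional information, keeping the original exception as the cause
        throw new AccessDeniedException(detail, exception);
    }
    return result;
}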
Also used : AccessDeniedException(net.sf.acegisecurity.AccessDeniedException) InterceptorStatusToken(net.sf.acegisecurity.intercept.InterceptorStatusToken) MethodInvocation(org.aopalliance.intercept.MethodInvocation) ArrayList(java.util.ArrayList) List(java.util.List)

Example 2 with AccessDeniedException

use of net.sf.acegisecurity.AccessDeniedException in project records-management by Alfresco.

the class RMAfterInvocationProvider method decide.

/**
 * Decides whether a returned child association may be handed back to the caller.
 *
 * <p>The parent and the child node are each read-checked once, before the supported definitions
 * are walked. For every definition whose test node is not unfiltered, access is denied when the
 * child is not readable, or when the definition targets the parent and the parent is not
 * readable. The child read check therefore applies to parent-targeted definitions as well.
 *
 * @param authentication not read by this method
 * @param object not read by this method
 * @param config the configuration from which the supported definitions are extracted
 * @param returnedObject the association to vet; may be {@code null}
 * @return {@code null} when {@code returnedObject} is {@code null}, otherwise {@code returnedObject}
 * @throws AccessDeniedException if a required read check is not granted
 */
private ChildAssociationRef decide(Authentication authentication, Object object, ConfigAttributeDefinition config, ChildAssociationRef returnedObject) {
    if (returnedObject == null) {
        return null;
    }
    final List<ConfigAttributeDefintion> definitions = extractSupportedDefinitions(config);
    if (definitions.isEmpty()) {
        // Nothing this provider supports is configured, so the value passes through unchecked.
        return returnedObject;
    }
    // Evaluate both ends up front, parent first, so each node is read-checked exactly once.
    final boolean parentReadable = checkRead(returnedObject.getParentRef()) == AccessDecisionVoter.ACCESS_GRANTED;
    final boolean childReadable = checkRead(returnedObject.getChildRef()) == AccessDecisionVoter.ACCESS_GRANTED;
    for (ConfigAttributeDefintion definition : definitions) {
        final NodeRef nodeUnderTest = definition.parent ? returnedObject.getParentRef() : returnedObject.getChildRef();
        if (isUnfiltered(nodeUnderTest)) {
            // This definition does not constrain the node; move on to the next one.
            continue;
        }
        final boolean parentDenied = definition.parent && !parentReadable;
        if (parentDenied || !childReadable) {
            throw new AccessDeniedException("Access Denied");
        }
    }
    return returnedObject;
}
Also used : NodeRef(org.alfresco.service.cmr.repository.NodeRef) AccessDeniedException(net.sf.acegisecurity.AccessDeniedException)

Example 3 with AccessDeniedException

use of net.sf.acegisecurity.AccessDeniedException in project records-management by Alfresco.

the class RMAfterInvocationProvider method decide.

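/**
 * Filters a returned collection in place so that it only holds entries the caller may read.
 *
 * <p>Each entry is tested against every supported definition whose mode is "FilterNode"
 * (case-insensitive). The node that is read-checked depends on the entry type and on whether the
 * definition targets the parent. An entry is kept unless a read check on a non-null, filtered
 * test node is not granted.
 *
 * <p>Evaluation stops early when the target result count is reached, or when the check count or
 * elapsed time exceeds its limit (the latter two set the cut-off flag). Entries that were never
 * evaluated are not added to the kept list, so stopping early removes them from the result
 * rather than returning them unchecked.
 *
 * <p>The check-count limit stays at {@code Integer.MAX_VALUE} unless the collection is a
 * {@code PermissionCheckCollection} with a positive cut-off count.
 *
 * @param authentication not read by this method
 * @param object not read by this method
 * @param config the configuration from which the supported definitions are extracted
 * @param returnedObject the collection to filter; cleared and refilled when entries must be dropped
 * @return {@code null} when {@code returnedObject} is {@code null}; {@code returnedObject} itself
 *         when no supported definition applies; otherwise the value produced by
 *         {@code PermissionCheckedCollectionMixin.create}
 * @throws AccessDeniedException if entries must be removed but the collection cannot be modified
 * @throws ACLEntryVoterException if an entry is of a type this method cannot map to a node
 */
@SuppressWarnings({ "unchecked", "rawtypes" })
private Collection decide(Authentication authentication, Object object, ConfigAttributeDefinition config, Collection returnedObject) {
    if (returnedObject == null) {
        return null;
    }
    List<ConfigAttributeDefintion> supportedDefinitions = extractSupportedDefinitions(config);
    if (logger.isDebugEnabled()) {
        logger.debug("Entries are " + supportedDefinitions);
    }
    if (supportedDefinitions.isEmpty()) {
        return returnedObject;
    }
    // Default to the system-wide values and we'll see if they need to be reduced
    long targetResultCount = returnedObject.size();
    int maxPermissionChecks = Integer.MAX_VALUE;
    long maxPermissionCheckTimeMillis = this.maxPermissionCheckTimeMillis;
    if (returnedObject instanceof PermissionCheckCollection<?>) {
        PermissionCheckCollection permissionCheckCollection = (PermissionCheckCollection) returnedObject;
        // Per-collection limits override the defaults; non-positive cut-offs are ignored
        targetResultCount = permissionCheckCollection.getTargetResultCount();
        if (permissionCheckCollection.getCutOffAfterCount() > 0) {
            maxPermissionChecks = permissionCheckCollection.getCutOffAfterCount();
        }
        if (permissionCheckCollection.getCutOffAfterTimeMs() > 0) {
            maxPermissionCheckTimeMillis = permissionCheckCollection.getCutOffAfterTimeMs();
        }
    }
    // Start timer and counter for cut-off
    boolean cutoff = false;
    long startTimeMillis = System.currentTimeMillis();
    int count = 0;
    // Keep values explicitly: only entries that were evaluated and allowed end up here
    List<Object> keepValues = new ArrayList<Object>(returnedObject.size());
    for (Object nextObject : returnedObject) {
        // Stop evaluating once enough results were checked or a count/time limit is exceeded;
        // everything not yet evaluated is left out of keepValues.
        long currentTimeMillis = System.currentTimeMillis();
        // NOTE: for reference - the "maxPermissionChecks" has never been honoured by this loop (since previously the count was not being incremented)
        if (count >= targetResultCount) {
            // We have enough results.  We stop without cutoff.
            break;
        } else if (count >= maxPermissionChecks) {
            // We have been cut off by count
            cutoff = true;
            if (logger.isDebugEnabled()) {
                logger.debug("decide (collection) cut-off: " + count + " checks exceeded " + maxPermissionChecks + " checks");
            }
            break;
        } else if ((currentTimeMillis - startTimeMillis) > maxPermissionCheckTimeMillis) {
            // We have been cut off by time
            cutoff = true;
            if (logger.isDebugEnabled()) {
                logger.debug("decide (collection) cut-off: " + (currentTimeMillis - startTimeMillis) + "ms exceeded " + maxPermissionCheckTimeMillis + "ms");
            }
            break;
        }
        boolean allowed = true;
        for (ConfigAttributeDefintion cad : supportedDefinitions) {
            if (cad.mode.equalsIgnoreCase("FilterNode")) {
                NodeRef testNodeRef = null;
                if (cad.parent) {
                    if (nextObject instanceof StoreRef) {
                        // Will be allowed: a store has no parent node to test
                        testNodeRef = null;
                    } else if (nextObject instanceof NodeRef) {
                        testNodeRef = nodeService.getPrimaryParent((NodeRef) nextObject).getParentRef();
                    } else if (nextObject instanceof ChildAssociationRef) {
                        testNodeRef = ((ChildAssociationRef) nextObject).getParentRef();
                    } else if (nextObject instanceof AssociationRef) {
                        testNodeRef = ((AssociationRef) nextObject).getSourceRef();
                    } else if (nextObject instanceof PermissionCheckValue) {
                        NodeRef nodeRef = ((PermissionCheckValue) nextObject).getNodeRef();
                        testNodeRef = nodeService.getPrimaryParent(nodeRef).getParentRef();
                    } else {
                        // Unknown entry types are rejected rather than passed through unchecked.
                        // The message previously read "is recognized", the opposite of the condition.
                        throw new ACLEntryVoterException("The specified parameter is not recognized: " + nextObject.getClass());
                    }
                } else {
                    if (nextObject instanceof StoreRef) {
                        testNodeRef = nodeService.getRootNode((StoreRef) nextObject);
                    } else if (nextObject instanceof NodeRef) {
                        testNodeRef = (NodeRef) nextObject;
                    } else if (nextObject instanceof ChildAssociationRef) {
                        testNodeRef = ((ChildAssociationRef) nextObject).getChildRef();
                    } else if (nextObject instanceof AssociationRef) {
                        testNodeRef = ((AssociationRef) nextObject).getTargetRef();
                    } else if (nextObject instanceof PermissionCheckValue) {
                        testNodeRef = ((PermissionCheckValue) nextObject).getNodeRef();
                    } else {
                        // Unknown entry types are rejected rather than passed through unchecked.
                        throw new ACLEntryVoterException("The specified parameter is not recognized: " + nextObject.getClass());
                    }
                }
                if (logger.isDebugEnabled()) {
                    logger.debug("\t" + cad.typeString + " test on " + testNodeRef + " from " + nextObject.getClass().getName());
                }
                // Null allows
                // NOTE(review): isUnfiltered is defined elsewhere; presumably it accepts a null node - confirm
                if (isUnfiltered(testNodeRef)) {
                    // Continue to next ConfigAttributeDefintion
                    continue;
                }
                if (allowed && testNodeRef != null && checkRead(testNodeRef) != AccessDecisionVoter.ACCESS_GRANTED) {
                    allowed = false;
                    // No point evaluating more ConfigAttributeDefintions
                    break;
                }
            }
        }
        // Failure or success, increase the count
        count++;
        if (allowed) {
            keepValues.add(nextObject);
        }
    }
    // Work out how many were left unchecked (for whatever reason)
    int sizeOriginal = returnedObject.size();
    int checksRemaining = sizeOriginal - count;
    // So make sure that the collection needs modification at all
    if (keepValues.size() < sizeOriginal) {
        // There are values that need to be removed.  We have to modify the collection.
        try {
            returnedObject.clear();
            returnedObject.addAll(keepValues);
        } catch (UnsupportedOperationException e) {
            // Deny instead of returning a collection that still holds entries that were denied or never checked
            throw new AccessDeniedException("Permission-checked list must be modifiable", e);
        }
    }
    // Attach the extra permission-check data to the collection
    return PermissionCheckedCollectionMixin.create(returnedObject, cutoff, checksRemaining, sizeOriginal);
}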
Also used : StoreRef(org.alfresco.service.cmr.repository.StoreRef) AccessDeniedException(net.sf.acegisecurity.AccessDeniedException) ArrayList(java.util.ArrayList) ACLEntryVoterException(org.alfresco.repo.security.permissions.impl.acegi.ACLEntryVoterException) AssociationRef(org.alfresco.service.cmr.repository.AssociationRef) ChildAssociationRef(org.alfresco.service.cmr.repository.ChildAssociationRef) NodeRef(org.alfresco.service.cmr.repository.NodeRef) PermissionCheckValue(org.alfresco.repo.security.permissions.PermissionCheckValue) PermissionCheckCollection(org.alfresco.repo.security.permissions.PermissionCheckCollection)

Example 4 with AccessDeniedException

use of net.sf.acegisecurity.AccessDeniedException in project records-management by Alfresco.

the class RMCaveatConfigComponentImpl method hasAccess.

/**
 * Checks whether access to a 'record component' node is vetoed for the current run-as user
 * because of one or more caveats.
 *
 * <p>Access is not vetoed when the node does not exist, when no caveat aspects are configured,
 * when the node carries none of them, or when there is no run-as user. Otherwise every text
 * property constrained by an {@code RMListOfValuesConstraint} that has a caveat configuration
 * entry is compared against the values allowed for the user.
 *
 * <p>Property values that are neither a {@code String} nor a {@code List} are not compared, and
 * constraints without a caveat configuration entry are skipped; neither case vetoes access.
 *
 * @param nodeRef the node to check
 * @return {@code false} if a caveat vetoes access or an {@code AccessDeniedException} is raised
 *         while checking; {@code true} otherwise
 */
@SuppressWarnings("unchecked")
public boolean hasAccess(NodeRef nodeRef) {
    try {
        if (!nodeService.exists(nodeRef) || caveatAspectQNames.size() == 0) {
            return true;
        }
        boolean hasCaveatAspect = false;
        for (QName aspectQName : caveatAspectQNames) {
            if (nodeService.hasAspect(nodeRef, aspectQName)) {
                hasCaveatAspect = true;
                break;
            }
        }
        if (!hasCaveatAspect) {
            // no caveat aspect on this node
            return true;
        }
        String userName = AuthenticationUtil.getRunAsUser();
        if (userName == null) {
            // NOTE(review): without a run-as user no caveat is evaluated and access is not vetoed;
            // confirm callers never reach this point unauthenticated.
            return true;
        }
        // check all text properties
        Map<QName, Serializable> properties = nodeService.getProperties(nodeRef);
        for (Map.Entry<QName, Serializable> property : properties.entrySet()) {
            QName propName = property.getKey();
            PropertyDefinition propDef = dictionaryService.getProperty(propName);
            if (propDef == null || !propDef.getDataType().getName().equals(DATATYPE_TEXT)) {
                continue;
            }
            for (ConstraintDefinition conDef : propDef.getConstraints()) {
                Constraint constraint = conDef.getConstraint();
                if (!(constraint instanceof RMListOfValuesConstraint)) {
                    continue;
                }
                RMListOfValuesConstraint listConstraint = (RMListOfValuesConstraint) constraint;
                String conName = listConstraint.getShortName();
                MatchLogic matchLogic = listConstraint.getMatchLogicEnum();
                if (caveatConfig.get(conName) == null) {
                    // no caveat configuration for this constraint, so it cannot veto
                    continue;
                }
                Set<String> userGroupNames = authorityService.getAuthoritiesForUser(userName);
                List<String> allowedValues = getRMAllowedValues(userName, userGroupNames, conName);
                Object rawValue = property.getValue();
                List<String> propValues = null;
                if (rawValue instanceof String) {
                    propValues = new ArrayList<>(1);
                    propValues.add((String) rawValue);
                } else if (rawValue instanceof List) {
                    // unchecked: the element type is not verified here
                    propValues = (List<String>) rawValue;
                }
                if (propValues == null) {
                    // value is neither a String nor a List; nothing to compare
                    continue;
                }
                if (!isAllowed(propValues, allowedValues, matchLogic)) {
                    if (logger.isDebugEnabled()) {
                        logger.debug("Veto access: caveat=" + conName + ", userName=" + userName + ", nodeRef=" + nodeRef + ", propName=" + propName + ", propValues=" + propValues + ", allowedValues=" + allowedValues);
                    }
                    return false;
                }
            }
        }
        return true;
    } catch (AccessDeniedException ade) {
        // A denial raised while reading the node or its properties counts as a veto.
        return false;
    }
}
Also used : Serializable(java.io.Serializable) AccessDeniedException(net.sf.acegisecurity.AccessDeniedException) Constraint(org.alfresco.service.cmr.dictionary.Constraint) QName(org.alfresco.service.namespace.QName) MatchLogic(org.alfresco.module.org_alfresco_module_rm.caveat.RMListOfValuesConstraint.MatchLogic) PropertyDefinition(org.alfresco.service.cmr.dictionary.PropertyDefinition) ConstraintDefinition(org.alfresco.service.cmr.dictionary.ConstraintDefinition) List(java.util.List) ArrayList(java.util.ArrayList) JSONObject(org.json.JSONObject) Map(java.util.Map) MimetypeMap(org.alfresco.repo.content.MimetypeMap) HashMap(java.util.HashMap)

Aggregations

AccessDeniedException (net.sf.acegisecurity.AccessDeniedException)4 ArrayList (java.util.ArrayList)3 List (java.util.List)2 NodeRef (org.alfresco.service.cmr.repository.NodeRef)2 Serializable (java.io.Serializable)1 HashMap (java.util.HashMap)1 Map (java.util.Map)1 InterceptorStatusToken (net.sf.acegisecurity.intercept.InterceptorStatusToken)1 MatchLogic (org.alfresco.module.org_alfresco_module_rm.caveat.RMListOfValuesConstraint.MatchLogic)1 MimetypeMap (org.alfresco.repo.content.MimetypeMap)1 PermissionCheckCollection (org.alfresco.repo.security.permissions.PermissionCheckCollection)1 PermissionCheckValue (org.alfresco.repo.security.permissions.PermissionCheckValue)1 ACLEntryVoterException (org.alfresco.repo.security.permissions.impl.acegi.ACLEntryVoterException)1 Constraint (org.alfresco.service.cmr.dictionary.Constraint)1 ConstraintDefinition (org.alfresco.service.cmr.dictionary.ConstraintDefinition)1 PropertyDefinition (org.alfresco.service.cmr.dictionary.PropertyDefinition)1 AssociationRef (org.alfresco.service.cmr.repository.AssociationRef)1 ChildAssociationRef (org.alfresco.service.cmr.repository.ChildAssociationRef)1 StoreRef (org.alfresco.service.cmr.repository.StoreRef)1 QName (org.alfresco.service.namespace.QName)1