Example 6 with AccessManager

Use of org.apache.jackrabbit.core.security.AccessManager in project jackrabbit by apache.

Class ProtectedItemModifier, method checkPermission.

private void checkPermission(NodeImpl node, Name childName, int perm) throws RepositoryException {
    if (perm > Permission.NONE) {
        SessionImpl sImpl = (SessionImpl) node.getSession();
        AccessManager acMgr = sImpl.getAccessManager();
        boolean isGranted = acMgr.isGranted(node.getPrimaryPath(), childName, perm);
        if (!isGranted) {
            throw new AccessDeniedException("Permission denied.");
        }
    }
}
Also used : AccessManager(org.apache.jackrabbit.core.security.AccessManager) AccessDeniedException(javax.jcr.AccessDeniedException)

Example 7 with AccessManager

Use of org.apache.jackrabbit.core.security.AccessManager in project jackrabbit by apache.

Class BatchedItemOperations, method checkAddNode.

//--------------------------------------< misc. high-level helper methods >
/**
     * Checks if adding a child node called <code>nodeName</code> of node type
     * <code>nodeTypeName</code> to the given parent node is allowed in the
     * current context.
     *
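     * @param parentState  state of the parent node the child would be added to
     * @param nodeName     name of the child node to add
     * @param nodeTypeName name of the node type of the new child node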
     * @param options      bit-wise OR'ed flags specifying the checks that should be
     *                     performed; any combination of the following constants:
     *                     <ul>
     *                     <li><code>{@link #CHECK_ACCESS}</code>: make sure
     *                     current session is granted read &amp; write access on
     *                     parent node</li>
     *                     <li><code>{@link #CHECK_LOCK}</code>: make sure
     *                     there's no foreign lock on parent node</li>
     *                     <li><code>{@link #CHECK_CHECKED_OUT}</code>: make sure
     *                     parent node is checked-out</li>
     *                     <li><code>{@link #CHECK_CONSTRAINTS}</code>:
     *                     make sure no node type constraints would be violated</li>
     *                     <li><code>{@link #CHECK_HOLD}</code>: check for effective holds preventing the add operation</li>
     *                     <li><code>{@link #CHECK_RETENTION}</code>: check for effective retention policy preventing the add operation</li>
     *                     </ul>
     * @throws ConstraintViolationException
     * @throws AccessDeniedException
     * @throws VersionException
     * @throws LockException
     * @throws ItemNotFoundException
     * @throws ItemExistsException
     * @throws RepositoryException
     */
public void checkAddNode(NodeState parentState, Name nodeName, Name nodeTypeName, int options) throws ConstraintViolationException, AccessDeniedException, VersionException, LockException, ItemNotFoundException, ItemExistsException, RepositoryException {
    Path parentPath = hierMgr.getPath(parentState.getNodeId());
    if ((options & CHECK_LOCK) == CHECK_LOCK) {
        // make sure there's no foreign lock on parent node
        verifyUnlocked(parentPath);
    }
    if ((options & CHECK_CHECKED_OUT) == CHECK_CHECKED_OUT) {
        // make sure parent node is checked-out
        verifyCheckedOut(parentPath);
    }
    if ((options & CHECK_ACCESS) == CHECK_ACCESS) {
        AccessManager accessMgr = context.getAccessManager();
        // make sure current session is granted read access on parent node;
        // a denied read is reported as "not found" rather than "access denied"
        if (!accessMgr.isGranted(parentPath, Permission.READ)) {
            throw new ItemNotFoundException(safeGetJCRPath(parentState.getNodeId()));
        }
        // make sure current session is granted write access on parent node
        if (!accessMgr.isGranted(parentPath, nodeName, Permission.ADD_NODE)) {
            throw new AccessDeniedException(safeGetJCRPath(parentState.getNodeId()) + ": not allowed to add child node");
        }
        // make sure current session is allowed to set the specified
        // node type (and any mixins) on the new child node
        if (!accessMgr.isGranted(parentPath, nodeName, Permission.NODE_TYPE_MNGMT)) {
            throw new AccessDeniedException(safeGetJCRPath(parentState.getNodeId()) + ": not allowed to add child node");
        }
    }
    if ((options & CHECK_CONSTRAINTS) == CHECK_CONSTRAINTS) {
        QItemDefinition parentDef = context.getItemManager().getDefinition(parentState).unwrap();
        // make sure parent node is not protected
        if (parentDef.isProtected()) {
            throw new ConstraintViolationException(safeGetJCRPath(parentState.getNodeId()) + ": cannot add child node to protected parent node");
        }
        // make sure there's an applicable definition for new child node
        EffectiveNodeType entParent = getEffectiveNodeType(parentState);
        entParent.checkAddNodeConstraints(nodeName, nodeTypeName, context.getNodeTypeRegistry());
        QNodeDefinition newNodeDef = findApplicableNodeDefinition(nodeName, nodeTypeName, parentState);
        // check for name collisions
        if (parentState.hasChildNodeEntry(nodeName)) {
            // there's already a node with that name...
            // get definition of existing conflicting node
            ChildNodeEntry entry = parentState.getChildNodeEntry(nodeName, 1);
            NodeState conflictingState;
            NodeId conflictingId = entry.getId();
            try {
                conflictingState = (NodeState) stateMgr.getItemState(conflictingId);
            } catch (ItemStateException ise) {
                String msg = "internal error: failed to retrieve state of " + safeGetJCRPath(conflictingId);
                log.debug(msg);
                throw new RepositoryException(msg, ise);
            }
            QNodeDefinition conflictingTargetDef = context.getItemManager().getDefinition(conflictingState).unwrap();
            // check same-name sibling setting of both target and existing node
            if (!conflictingTargetDef.allowsSameNameSiblings() || !newNodeDef.allowsSameNameSiblings()) {
                throw new ItemExistsException("cannot add child node '" + nodeName.getLocalName() + "' to " + safeGetJCRPath(parentState.getNodeId()) + ": colliding with same-named existing node");
            }
        }
    }
    RetentionRegistry retentionReg = context.getSessionImpl().getRetentionRegistry();
    if ((options & CHECK_HOLD) == CHECK_HOLD) {
        if (retentionReg.hasEffectiveHold(parentPath, false)) {
            throw new RepositoryException("Unable to add node. Parent is affected by a hold.");
        }
    }
    if ((options & CHECK_RETENTION) == CHECK_RETENTION) {
        if (retentionReg.hasEffectiveRetention(parentPath, false)) {
            throw new RepositoryException("Unable to add node. Parent is affected by a retention.");
        }
    }
}
Also used : Path(org.apache.jackrabbit.spi.Path) AccessManager(org.apache.jackrabbit.core.security.AccessManager) AccessDeniedException(javax.jcr.AccessDeniedException) NodeState(org.apache.jackrabbit.core.state.NodeState) ChildNodeEntry(org.apache.jackrabbit.core.state.ChildNodeEntry) RepositoryException(javax.jcr.RepositoryException) RetentionRegistry(org.apache.jackrabbit.core.retention.RetentionRegistry) QItemDefinition(org.apache.jackrabbit.spi.QItemDefinition) QNodeDefinition(org.apache.jackrabbit.spi.QNodeDefinition) NoSuchItemStateException(org.apache.jackrabbit.core.state.NoSuchItemStateException) ItemStateException(org.apache.jackrabbit.core.state.ItemStateException) EffectiveNodeType(org.apache.jackrabbit.core.nodetype.EffectiveNodeType) ItemExistsException(javax.jcr.ItemExistsException) NodeId(org.apache.jackrabbit.core.id.NodeId) ConstraintViolationException(javax.jcr.nodetype.ConstraintViolationException) ItemNotFoundException(javax.jcr.ItemNotFoundException)

Example 8 with AccessManager

Use of org.apache.jackrabbit.core.security.AccessManager in project jackrabbit by apache.

Class BatchedItemOperations, method verifyCanWrite.

/**
     * Verifies that the node at <code>nodePath</code> is writable. The
     * following conditions must hold true:
     * <ul>
     * <li>the node must exist</li>
     * <li>the current session must be granted read &amp; write access on it</li>
     * <li>the node must not be locked by another session</li>
     * <li>the node must not be checked-in</li>
     * <li>the node must not be protected</li>
     * <li>the node must not be affected by a hold or a retention policy</li>
     * </ul>
     *
     * @param nodePath path of node to check
     * @throws PathNotFoundException        if no node exists at
     *                                      <code>nodePath</code> or the current
     *                                      session is not granted read access
     *                                      to the specified path
     * @throws AccessDeniedException        if write access to the specified
     *                                      path is not allowed
     * @throws ConstraintViolationException if the node at <code>nodePath</code>
     *                                      is protected
     * @throws VersionException             if the node at <code>nodePath</code>
     *                                      is checked-in
     * @throws LockException                if the node at <code>nodePath</code>
     *                                      is locked by another session
     * @throws RepositoryException          if another error occurs
     */
public void verifyCanWrite(Path nodePath) throws PathNotFoundException, AccessDeniedException, ConstraintViolationException, VersionException, LockException, RepositoryException {
    NodeState node = getNodeState(nodePath);
    // access rights
    // make sure current session is granted read access on node
    AccessManager accessMgr = context.getAccessManager();
    if (!accessMgr.isGranted(nodePath, Permission.READ)) {
        throw new PathNotFoundException(safeGetJCRPath(node.getNodeId()));
    }
    // TODO: removed check for 'WRITE' permission on node due to the fact,
    // TODO: that add_node and set_property permission are granted on the
    // TODO: items to be created/modified and not on their parent.
    // in any case, the ability to add child-nodes and properties is checked
    // while executing the corresponding operation.
    // locking status
    verifyUnlocked(nodePath);
    // node type constraints
    verifyNotProtected(nodePath);
    // versioning status
    verifyCheckedOut(nodePath);
    RetentionRegistry retentionReg = context.getSessionImpl().getRetentionRegistry();
    if (retentionReg.hasEffectiveHold(nodePath, false)) {
        throw new RepositoryException("Unable to write. Node is affected by a hold.");
    }
    if (retentionReg.hasEffectiveRetention(nodePath, false)) {
        throw new RepositoryException("Unable to write. Node is affected by a retention.");
    }
}
Also used : AccessManager(org.apache.jackrabbit.core.security.AccessManager) NodeState(org.apache.jackrabbit.core.state.NodeState) RetentionRegistry(org.apache.jackrabbit.core.retention.RetentionRegistry) RepositoryException(javax.jcr.RepositoryException) PathNotFoundException(javax.jcr.PathNotFoundException)

Example 9 with AccessManager

Use of org.apache.jackrabbit.core.security.AccessManager in project jackrabbit by apache.

Class BatchedItemOperations, method checkRemoveNode.

/**
     * Checks if removing the given target node from the specified parent
     * is allowed in the current context.
     *
     * @param targetState state of the node to be removed
     * @param parentId    id of the parent node the target is removed from
     * @param options     bit-wise OR'ed flags specifying the checks that should be
     *                    performed; any combination of the following constants:
     *                    <ul>
     *                    <li><code>{@link #CHECK_ACCESS}</code>: make sure
     *                    current session is granted read access on parent
     *                    and remove privilege on target node</li>
     *                    <li><code>{@link #CHECK_LOCK}</code>: make sure
     *                    there's no foreign lock on parent node</li>
     *                    <li><code>{@link #CHECK_CHECKED_OUT}</code>: make sure
     *                    parent node is checked-out</li>
     *                    <li><code>{@link #CHECK_CONSTRAINTS}</code>:
     *                    make sure no node type constraints would be violated</li>
     *                    <li><code>{@link #CHECK_REFERENCES}</code>:
     *                    make sure no references exist on target node</li>
     *                    <li><code>{@link #CHECK_HOLD}</code>: check for effective holds preventing the remove operation</li>
     *                    <li><code>{@link #CHECK_RETENTION}</code>: check for effective retention policy preventing the remove operation</li>
     *                    </ul>
     * @throws ConstraintViolationException
     * @throws AccessDeniedException
     * @throws VersionException
     * @throws LockException
     * @throws ItemNotFoundException
     * @throws ReferentialIntegrityException
     * @throws RepositoryException
     */
public void checkRemoveNode(NodeState targetState, NodeId parentId, int options) throws ConstraintViolationException, AccessDeniedException, VersionException, LockException, ItemNotFoundException, ReferentialIntegrityException, RepositoryException {
    if (targetState.getParentId() == null) {
        // root or orphaned node
        throw new ConstraintViolationException("cannot remove root node");
    }
    Path targetPath = hierMgr.getPath(targetState.getNodeId());
    NodeState parentState = getNodeState(parentId);
    Path parentPath = hierMgr.getPath(parentId);
    if ((options & CHECK_LOCK) == CHECK_LOCK) {
        // make sure there's no foreign lock on parent node
        verifyUnlocked(parentPath);
    }
    if ((options & CHECK_CHECKED_OUT) == CHECK_CHECKED_OUT) {
        // make sure parent node is checked-out
        verifyCheckedOut(parentPath);
    }
    if ((options & CHECK_ACCESS) == CHECK_ACCESS) {
        try {
            AccessManager accessMgr = context.getAccessManager();
            // make sure current session is granted read access on target node;
            // a denied read is reported as "path not found" rather than "access denied"
            if (!accessMgr.isGranted(targetPath, Permission.READ)) {
                throw new PathNotFoundException(safeGetJCRPath(targetPath));
            }
            // make sure current session is allowed to remove target node
            if (!accessMgr.isGranted(targetPath, Permission.REMOVE_NODE)) {
                throw new AccessDeniedException(safeGetJCRPath(targetPath) + ": not allowed to remove node");
            }
        } catch (ItemNotFoundException infe) {
            String msg = "internal error: failed to check access rights for " + safeGetJCRPath(targetPath);
            log.debug(msg);
            throw new RepositoryException(msg, infe);
        }
    }
    if ((options & CHECK_CONSTRAINTS) == CHECK_CONSTRAINTS) {
        QItemDefinition parentDef = context.getItemManager().getDefinition(parentState).unwrap();
        if (parentDef.isProtected()) {
            throw new ConstraintViolationException(safeGetJCRPath(parentId) + ": cannot remove child node of protected parent node");
        }
        QItemDefinition targetDef = context.getItemManager().getDefinition(targetState).unwrap();
        if (targetDef.isMandatory()) {
            throw new ConstraintViolationException(safeGetJCRPath(targetPath) + ": cannot remove mandatory node");
        }
        if (targetDef.isProtected()) {
            throw new ConstraintViolationException(safeGetJCRPath(targetPath) + ": cannot remove protected node");
        }
    }
    if ((options & CHECK_REFERENCES) == CHECK_REFERENCES) {
        EffectiveNodeType ent = getEffectiveNodeType(targetState);
        if (ent.includesNodeType(NameConstants.MIX_REFERENCEABLE)) {
            NodeId targetId = targetState.getNodeId();
            if (stateMgr.hasNodeReferences(targetId)) {
                try {
                    NodeReferences refs = stateMgr.getNodeReferences(targetId);
                    if (refs.hasReferences()) {
                        throw new ReferentialIntegrityException(safeGetJCRPath(targetPath) + ": cannot remove node with references");
                    }
                } catch (ItemStateException ise) {
                    String msg = "internal error: failed to check references on " + safeGetJCRPath(targetPath);
                    log.error(msg, ise);
                    throw new RepositoryException(msg, ise);
                }
            }
        }
    }
    RetentionRegistry retentionReg = context.getSessionImpl().getRetentionRegistry();
    if ((options & CHECK_HOLD) == CHECK_HOLD) {
        if (retentionReg.hasEffectiveHold(targetPath, true)) {
            throw new RepositoryException("Unable to perform removal. Node is affected by a hold.");
        }
    }
    if ((options & CHECK_RETENTION) == CHECK_RETENTION) {
        if (retentionReg.hasEffectiveRetention(targetPath, true)) {
            throw new RepositoryException("Unable to perform removal. Node is affected by a retention.");
        }
    }
}
Also used : Path(org.apache.jackrabbit.spi.Path) AccessManager(org.apache.jackrabbit.core.security.AccessManager) AccessDeniedException(javax.jcr.AccessDeniedException) NodeState(org.apache.jackrabbit.core.state.NodeState) RepositoryException(javax.jcr.RepositoryException) NodeReferences(org.apache.jackrabbit.core.state.NodeReferences) RetentionRegistry(org.apache.jackrabbit.core.retention.RetentionRegistry) QItemDefinition(org.apache.jackrabbit.spi.QItemDefinition) NoSuchItemStateException(org.apache.jackrabbit.core.state.NoSuchItemStateException) ItemStateException(org.apache.jackrabbit.core.state.ItemStateException) EffectiveNodeType(org.apache.jackrabbit.core.nodetype.EffectiveNodeType) ReferentialIntegrityException(javax.jcr.ReferentialIntegrityException) NodeId(org.apache.jackrabbit.core.id.NodeId) ConstraintViolationException(javax.jcr.nodetype.ConstraintViolationException) PathNotFoundException(javax.jcr.PathNotFoundException) ItemNotFoundException(javax.jcr.ItemNotFoundException)

Example 10 with AccessManager

Use of org.apache.jackrabbit.core.security.AccessManager in project jackrabbit by apache.

Class DefaultSecurityManager, method getAccessManager.

/**
     * @see JackrabbitSecurityManager#getAccessManager(Session,AMContext)
     */
public AccessManager getAccessManager(Session session, AMContext amContext) throws RepositoryException {
    checkInitialized();
    AccessManagerConfig amConfig = repository.getConfig().getSecurityConfig().getAccessManagerConfig();
    try {
        String wspName = session.getWorkspace().getName();
        AccessControlProvider pp = getAccessControlProvider(wspName);
        AccessManager accessMgr;
        if (amConfig == null) {
            log.debug("No configuration entry for AccessManager. Using org.apache.jackrabbit.core.security.DefaultAccessManager");
            accessMgr = new DefaultAccessManager();
        } else {
            accessMgr = amConfig.newInstance(AccessManager.class);
        }
        accessMgr.init(amContext, pp, workspaceAccessManager);
        return accessMgr;
    } catch (AccessDeniedException e) {
        // re-throw
        throw e;
    } catch (Exception e) {
        // wrap in RepositoryException
        String clsName = (amConfig == null) ? "-- missing access manager configuration --" : amConfig.getClassName();
        String msg = "Failed to instantiate AccessManager (" + clsName + ")";
        log.error(msg, e);
        throw new RepositoryException(msg, e);
    }
}
Also used : AccessManager(org.apache.jackrabbit.core.security.AccessManager) WorkspaceAccessManager(org.apache.jackrabbit.core.security.authorization.WorkspaceAccessManager) DefaultAccessManager(org.apache.jackrabbit.core.security.DefaultAccessManager) AccessDeniedException(javax.jcr.AccessDeniedException) AccessManagerConfig(org.apache.jackrabbit.core.config.AccessManagerConfig) AccessControlProvider(org.apache.jackrabbit.core.security.authorization.AccessControlProvider) RepositoryException(javax.jcr.RepositoryException) NoSuchWorkspaceException(javax.jcr.NoSuchWorkspaceException) AccessControlException(javax.jcr.security.AccessControlException)
