Example 1 with PrincipalImpl
use of org.apache.jackrabbit.core.security.principal.PrincipalImpl in project jackrabbit by apache.
the class WriteTest method testInvalidPrincipal.
public void testInvalidPrincipal() throws Exception {
PrincipalManager pMgr = ((JackrabbitSession) superuser).getPrincipalManager();
String unknown = "unknown";
while (pMgr.hasPrincipal(unknown)) {
unknown = unknown + "_";
}
Principal principal = new PrincipalImpl(unknown);
if (acMgr instanceof JackrabbitAccessControlManager) {
// first try applicable policies
try {
AccessControlPolicy[] policies = ((JackrabbitAccessControlManager) acMgr).getApplicablePolicies(principal);
assertNotNull(policies);
assertEquals(0, policies.length);
} catch (AccessControlException e) {
// success
}
// second existing policies
try {
AccessControlPolicy[] policies = ((JackrabbitAccessControlManager) acMgr).getPolicies(principal);
assertNotNull(policies);
assertEquals(0, policies.length);
} catch (AccessControlException e) {
// success
}
} else {
throw new NotExecutableException();
}
}
Also used :
PrincipalManager(org.apache.jackrabbit.api.security.principal.PrincipalManager)
JackrabbitAccessControlManager(org.apache.jackrabbit.api.security.JackrabbitAccessControlManager)
JackrabbitAccessControlPolicy(org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy)
AccessControlPolicy(javax.jcr.security.AccessControlPolicy)
NotExecutableException(org.apache.jackrabbit.test.NotExecutableException)
AccessControlException(javax.jcr.security.AccessControlException)
JackrabbitSession(org.apache.jackrabbit.api.JackrabbitSession)
ItemBasedPrincipal(org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal)
TestPrincipal(org.apache.jackrabbit.core.security.TestPrincipal)
Principal(java.security.Principal)
PrincipalImpl(org.apache.jackrabbit.core.security.principal.PrincipalImpl)
Example 2 with PrincipalImpl
use of org.apache.jackrabbit.core.security.principal.PrincipalImpl in project jackrabbit by apache.
the class SessionImplTest method testGetSubject.
/**
* JCR-2895 : SessionImpl#getSubject() should return an unmodifiable subject
*
* @see <a href="https://issues.apache.org/jira/browse/JCR-2895">JCR-2895</a>
*/
public void testGetSubject() {
Subject subject = ((SessionImpl) superuser).getSubject();
assertFalse(subject.getPublicCredentials().isEmpty());
assertFalse(subject.getPublicCredentials(Credentials.class).isEmpty());
assertFalse(subject.getPrincipals().isEmpty());
assertTrue(subject.isReadOnly());
try {
subject.getPublicCredentials().add(new SimpleCredentials("test", new char[0]));
fail("Subject expected to be readonly");
} catch (IllegalStateException e) {
// success
}
try {
subject.getPrincipals().add(new PrincipalImpl("test"));
fail("Subject expected to be readonly");
} catch (IllegalStateException e) {
// success
}
}
Also used :
SimpleCredentials(javax.jcr.SimpleCredentials)
SessionImpl(org.apache.jackrabbit.core.SessionImpl)
Subject(javax.security.auth.Subject)
PrincipalImpl(org.apache.jackrabbit.core.security.principal.PrincipalImpl)
Example 3 with PrincipalImpl
use of org.apache.jackrabbit.core.security.principal.PrincipalImpl in project jackrabbit by apache.
the class AccessControlImporterTest method testImportPrincipalBasedACL.
/**
* Imports a principal-based ACL containing a single entry mist fail with
* the default configuration.
*
* @throws Exception
*/
public void testImportPrincipalBasedACL() throws Exception {
JackrabbitAccessControlManager acMgr = (JackrabbitAccessControlManager) sImpl.getAccessControlManager();
if (acMgr.getApplicablePolicies(EveryonePrincipal.getInstance()).length > 0 || acMgr.getPolicies(EveryonePrincipal.getInstance()).length > 0) {
// test expects that only resource-based acl is supported
throw new NotExecutableException();
}
PrincipalManager pmgr = sImpl.getPrincipalManager();
if (!pmgr.hasPrincipal(SecurityConstants.ADMINISTRATORS_NAME)) {
UserManager umgr = sImpl.getUserManager();
umgr.createGroup(new PrincipalImpl(SecurityConstants.ADMINISTRATORS_NAME));
if (!umgr.isAutoSave()) {
sImpl.save();
}
if (pmgr.hasPrincipal(SecurityConstants.ADMINISTRATORS_NAME)) {
throw new NotExecutableException();
}
}
NodeImpl target;
NodeImpl root = (NodeImpl) sImpl.getRootNode();
if (!root.hasNode(AccessControlConstants.N_ACCESSCONTROL)) {
target = root.addNode(AccessControlConstants.N_ACCESSCONTROL, AccessControlConstants.NT_REP_ACCESS_CONTROL, null);
} else {
target = root.getNode(AccessControlConstants.N_ACCESSCONTROL);
if (!target.isNodeType(AccessControlConstants.NT_REP_ACCESS_CONTROL)) {
target.setPrimaryType(sImpl.getJCRName(AccessControlConstants.NT_REP_ACCESS_CONTROL));
}
}
try {
InputStream in = new ByteArrayInputStream(XML_AC_TREE.getBytes("UTF-8"));
SessionImporter importer = new SessionImporter(target, sImpl, ImportUUIDBehavior.IMPORT_UUID_COLLISION_THROW, new PseudoConfig());
ImportHandler ih = new ImportHandler(importer, sImpl);
new ParsingContentHandler(ih).parse(in);
fail("Default config only allows resource-based ACL -> protected import must fail");
} catch (SAXException e) {
if (e.getException() instanceof ConstraintViolationException) {
// success
} else {
throw e;
}
} finally {
superuser.refresh(false);
}
}
Also used :
JackrabbitAccessControlManager(org.apache.jackrabbit.api.security.JackrabbitAccessControlManager)
PrincipalManager(org.apache.jackrabbit.api.security.principal.PrincipalManager)
NodeImpl(org.apache.jackrabbit.core.NodeImpl)
ByteArrayInputStream(java.io.ByteArrayInputStream)
InputStream(java.io.InputStream)
ParsingContentHandler(org.apache.jackrabbit.commons.xml.ParsingContentHandler)
SAXException(org.xml.sax.SAXException)
NotExecutableException(org.apache.jackrabbit.test.NotExecutableException)
ByteArrayInputStream(java.io.ByteArrayInputStream)
UserManager(org.apache.jackrabbit.api.security.user.UserManager)
ConstraintViolationException(javax.jcr.nodetype.ConstraintViolationException)
PrincipalImpl(org.apache.jackrabbit.core.security.principal.PrincipalImpl)
Example 4 with PrincipalImpl
use of org.apache.jackrabbit.core.security.principal.PrincipalImpl in project jackrabbit by apache.
the class UserImporter method handlePropInfo.
// -----------------------------------------< ProtectedPropertyImporter >---
/**
* @see ProtectedPropertyImporter#handlePropInfo(org.apache.jackrabbit.core.NodeImpl, org.apache.jackrabbit.core.xml.PropInfo, org.apache.jackrabbit.spi.QPropertyDefinition)
*/
public boolean handlePropInfo(NodeImpl parent, PropInfo protectedPropInfo, QPropertyDefinition def) throws RepositoryException {
if (!initialized) {
throw new IllegalStateException("Not initialized");
}
/* importer can only handle protected properties below user/group
nodes that are properly stored underneath the configured users/groups
hierarchies (see {@link UserManagerImpl#getAuthorizable(NodeImpl)}.
this prevents from importing user/group nodes somewhere in the
content hierarchy which isn't possible when creating user/groups
using the corresponding API calls {@link UserManager#createUser} or
{@link UserManager#createGroup} respectively. */
Authorizable a = userManager.getAuthorizable(parent);
if (a == null) {
log.warn("Cannot handle protected PropInfo " + protectedPropInfo + ". Node " + parent + " doesn't represent a valid Authorizable.");
return false;
}
// assert that user manager is isn't in auto-save mode
if (userManager.isAutoSave()) {
userManager.autoSave(false);
}
try {
Name propName = protectedPropInfo.getName();
if (UserConstants.P_PRINCIPAL_NAME.equals(propName)) {
// protected rep:principalName property defined by rep:Authorizable.
if (def.isMultiple() || !UserConstants.NT_REP_AUTHORIZABLE.equals(def.getDeclaringNodeType())) {
// some other unexpected property definition -> cannot handle
log.warn("Unexpected definition for property rep:principalName");
return false;
}
Value v = protectedPropInfo.getValues(PropertyType.STRING, resolver)[0];
String princName = v.getString();
userManager.setPrincipal(parent, new PrincipalImpl(princName));
/*
Execute authorizable actions for a NEW group as this is the
same place in the userManager#createGroup that the actions
are called.
In case of a NEW user the actions are executed if the password
has been imported before.
*/
if (parent.isNew()) {
if (a.isGroup()) {
userManager.onCreate((Group) a);
} else if (currentPw.containsKey(a.getID())) {
userManager.onCreate((User) a, currentPw.remove(a.getID()));
}
}
return true;
} else if (UserConstants.P_PASSWORD.equals(propName)) {
if (a.isGroup()) {
log.warn("Expected parent node of type rep:User.");
return false;
}
// minimal validation of the passed definition
if (def.isMultiple() || !UserConstants.NT_REP_USER.equals(def.getDeclaringNodeType())) {
// some other unexpected property definition -> cannot handle
log.warn("Unexpected definition for property rep:password");
return false;
}
Value v = protectedPropInfo.getValues(PropertyType.STRING, resolver)[0];
String pw = v.getString();
userManager.setPassword(parent, pw, false);
/*
Execute authorizable actions for a NEW user at this point after
having set the password if the principal name has already been
processed, otherwise postpone it.
*/
if (parent.isNew()) {
if (parent.hasProperty(UserConstants.P_PRINCIPAL_NAME)) {
userManager.onCreate((User) a, pw);
} else {
// principal name not yet available -> remember the pw
currentPw.clear();
currentPw.put(a.getID(), pw);
}
}
return true;
} else if (UserConstants.P_IMPERSONATORS.equals(propName)) {
if (a.isGroup()) {
// unexpected parent type -> cannot handle
log.warn("Expected parent node of type rep:User.");
return false;
}
// minimal validation of the passed definition
if (!def.isMultiple() || !UserConstants.MIX_REP_IMPERSONATABLE.equals(def.getDeclaringNodeType())) {
// some other unexpected property definition -> cannot handle
log.warn("Unexpected definition for property rep:impersonators");
return false;
}
// since impersonators may be imported later on, postpone processing
// to the end.
// see -> process References
Value[] vs = protectedPropInfo.getValues(PropertyType.STRING, resolver);
referenceTracker.processedReference(new Impersonators(a.getID(), vs));
return true;
} else if (UserConstants.P_DISABLED.equals(propName)) {
if (a.isGroup()) {
log.warn("Expected parent node of type rep:User.");
return false;
}
// minimal validation of the passed definition
if (def.isMultiple() || !UserConstants.NT_REP_USER.equals(def.getDeclaringNodeType())) {
// some other unexpected property definition -> cannot handle
log.warn("Unexpected definition for property rep:disabled");
return false;
}
Value v = protectedPropInfo.getValues(PropertyType.STRING, resolver)[0];
((User) a).disable(v.getString());
return true;
} else if (UserConstants.P_MEMBERS.equals(propName)) {
if (!a.isGroup()) {
// unexpected parent type -> cannot handle
log.warn("Expected parent node of type rep:Group.");
return false;
}
// minimal validation of the passed definition
if (!def.isMultiple() || !UserConstants.NT_REP_GROUP.equals(def.getDeclaringNodeType())) {
// some other unexpected property definition -> cannot handle
log.warn("Unexpected definition for property rep:members");
return false;
}
// since group-members are references to user/groups that potentially
// are to be imported later on -> postpone processing to the end.
// see -> process References
Membership membership = new Membership(a.getID());
for (Value v : protectedPropInfo.getValues(PropertyType.WEAKREFERENCE, resolver)) {
membership.addMember(new NodeId(v.getString()));
}
referenceTracker.processedReference(membership);
return true;
}
return false;
} finally {
// the original state.
if (resetAutoSave) {
userManager.autoSave(true);
}
}
}
Also used :
User(org.apache.jackrabbit.api.security.user.User)
Value(javax.jcr.Value)
NodeId(org.apache.jackrabbit.core.id.NodeId)
Authorizable(org.apache.jackrabbit.api.security.user.Authorizable)
PrincipalImpl(org.apache.jackrabbit.core.security.principal.PrincipalImpl)
Name(org.apache.jackrabbit.spi.Name)
Example 5 with PrincipalImpl
use of org.apache.jackrabbit.core.security.principal.PrincipalImpl in project jackrabbit by apache.
the class ACLTemplateTest method testTwoEntriesPerPrincipal.
public void testTwoEntriesPerPrincipal() throws RepositoryException, NotExecutableException {
JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
Privilege[] readPriv = privilegesFromName(Privilege.JCR_READ);
Privilege[] writePriv = privilegesFromName(Privilege.JCR_WRITE);
Privilege[] acReadPriv = privilegesFromName(Privilege.JCR_READ_ACCESS_CONTROL);
pt.addEntry(testPrincipal, readPriv, true, emptyRestrictions);
pt.addEntry(testPrincipal, writePriv, true, emptyRestrictions);
pt.addEntry(testPrincipal, acReadPriv, true, emptyRestrictions);
pt.addEntry(testPrincipal, readPriv, false, emptyRestrictions);
pt.addEntry(new PrincipalImpl(testPrincipal.getName()), readPriv, false, emptyRestrictions);
pt.addEntry(new Principal() {
public String getName() {
return testPrincipal.getName();
}
}, readPriv, false, emptyRestrictions);
AccessControlEntry[] entries = pt.getAccessControlEntries();
assertEquals(2, entries.length);
}
Also used :
JackrabbitAccessControlEntry(org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry)
AccessControlEntry(javax.jcr.security.AccessControlEntry)
Privilege(javax.jcr.security.Privilege)
JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList)
PrincipalImpl(org.apache.jackrabbit.core.security.principal.PrincipalImpl)
Principal(java.security.Principal)
Aggregations
PrincipalImpl (org.apache.jackrabbit.core.security.principal.PrincipalImpl)22
Authorizable (org.apache.jackrabbit.api.security.user.Authorizable)13
User (org.apache.jackrabbit.api.security.user.User)11
Principal (java.security.Principal)8
Node (javax.jcr.Node)8
Test (org.junit.Test)8
ConstraintViolationException (javax.jcr.nodetype.ConstraintViolationException)6
ArrayList (java.util.ArrayList)4
ItemBasedPrincipal (org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal)4
NodeImpl (org.apache.jackrabbit.core.NodeImpl)4
RepositoryException (javax.jcr.RepositoryException)3
Value (javax.jcr.Value)3
AccessControlPolicy (javax.jcr.security.AccessControlPolicy)3
Subject (javax.security.auth.Subject)3
JackrabbitAccessControlList (org.apache.jackrabbit.api.security.JackrabbitAccessControlList)3
JackrabbitAccessControlManager (org.apache.jackrabbit.api.security.JackrabbitAccessControlManager)3
PrincipalManager (org.apache.jackrabbit.api.security.principal.PrincipalManager)3
UserManager (org.apache.jackrabbit.api.security.user.UserManager)3
SessionImpl (org.apache.jackrabbit.core.SessionImpl)3
NotExecutableException (org.apache.jackrabbit.test.NotExecutableException)3
