Search in sources :

Example 1 with Acl

use of org.apache.wiki.auth.acl.Acl in project jspwiki by apache.

the class AccessRuleLinkNodePostProcessorState method process.

/**
 * {@inheritDoc}
 *
 * @see NodePostProcessorState#process(NodeTracker, JSPWikiLink)
 */
@Override
public void process(final NodeTracker state, final JSPWikiLink link) {
    String ruleLine = NodePostProcessorStateCommonOperations.inlineLinkTextOnWysiwyg(state, link, m_wysiwygEditorMode);
    if (wikiContext.getEngine().getRenderingManager().getParser(wikiContext, link.getUrl().toString()).isParseAccessRules()) {
        final WikiPage page = wikiContext.getRealPage();
        if (ruleLine.startsWith("{")) {
            ruleLine = ruleLine.substring(1);
        }
        if (ruleLine.endsWith("}")) {
            ruleLine = ruleLine.substring(0, ruleLine.length() - 1);
        }
        LOG.debug("page=" + page.getName() + ", ACL = " + ruleLine);
        try {
            final Acl acl = wikiContext.getEngine().getAclManager().parseAcl(page, ruleLine);
            page.setAcl(acl);
            link.unlink();
            state.nodeRemoved(link);
            LOG.debug(acl.toString());
        } catch (final WikiSecurityException wse) {
            NodePostProcessorStateCommonOperations.makeError(state, link, wse.getMessage());
        }
    }
}
Also used : WikiSecurityException(org.apache.wiki.auth.WikiSecurityException) WikiPage(org.apache.wiki.WikiPage) Acl(org.apache.wiki.auth.acl.Acl)

Example 2 with Acl

use of org.apache.wiki.auth.acl.Acl in project jspwiki by apache.

the class AuthorizationManager method checkPermission.

/**
 * Returns <code>true</code> or <code>false</code>, depending on
 * whether a Permission is allowed for the Subject associated with
 * a supplied WikiSession. The access control algorithm works this way:
 * <ol>
 * <li>The {@link org.apache.wiki.auth.acl.Acl} for the page is obtained</li>
 * <li>The Subject associated with the current
 * {@link org.apache.wiki.WikiSession} is obtained</li>
 * <li>If the Subject's Principal set includes the Role Principal that is
 * the administrator group, always allow the Permission</li>
 * <li>For all permissions, check to see if the Permission is allowed according
 * to the default security policy. If it isn't, deny the permission and halt
 * further processing.</li>
 * <li>If there is an Acl, get the list of Principals assigned this
 * Permission in the Acl: these will be role, group or user Principals, or
 * {@link org.apache.wiki.auth.acl.UnresolvedPrincipal}s (see below).
 * Then iterate through the Subject's Principal set and determine whether
 * the user (Subject) possesses any one of these specified Roles or
 * Principals. The matching process delegates to
 * {@link #hasRoleOrPrincipal(WikiSession, Principal)}.
 * </ol>
 * <p>
 * Note that when iterating through the Acl's list of authorized Principals,
 * it is possible that one or more of the Acl's Principal entries are of
 * type <code>UnresolvedPrincipal</code>. This means that the last time
 * the ACL was read, the Principal (user, built-in Role, authorizer Role, or
 * wiki Group) could not be resolved: the Role was not valid, the user
 * wasn't found in the UserDatabase, or the Group wasn't known to (e.g.,
 * cached) in the GroupManager. If an <code>UnresolvedPrincipal</code> is
 * encountered, this method will attempt to resolve it first <em>before</em>
 * checking to see if the Subject possesses this principal, by calling
 * {@link #resolvePrincipal(String)}. If the (re-)resolution does not
 * succeed, the access check for the principal will fail by definition (the
 * Subject should never contain UnresolvedPrincipals).
 * </p>
 * <p>
 * If security not set to JAAS, will return true.
 * </p>
 * @param session the current wiki session
 * @param permission the Permission being checked
 * @see #hasRoleOrPrincipal(WikiSession, Principal)
 * @return the result of the Permission check
 */
public boolean checkPermission(WikiSession session, Permission permission) {
    // 
    if (session == null || permission == null) {
        fireEvent(WikiSecurityEvent.ACCESS_DENIED, null, permission);
        return false;
    }
    Principal user = session.getLoginPrincipal();
    // Always allow the action if user has AllPermission
    Permission allPermission = new AllPermission(m_engine.getApplicationName());
    boolean hasAllPermission = checkStaticPermission(session, allPermission);
    if (hasAllPermission) {
        fireEvent(WikiSecurityEvent.ACCESS_ALLOWED, user, permission);
        return true;
    }
    // If the user doesn't have *at least* the permission
    // granted by policy, return false.
    boolean hasPolicyPermission = checkStaticPermission(session, permission);
    if (!hasPolicyPermission) {
        fireEvent(WikiSecurityEvent.ACCESS_DENIED, user, permission);
        return false;
    }
    // If this isn't a PagePermission, it's allowed
    if (!(permission instanceof PagePermission)) {
        fireEvent(WikiSecurityEvent.ACCESS_ALLOWED, user, permission);
        return true;
    }
    // 
    // If the page or ACL is null, it's allowed.
    // 
    String pageName = ((PagePermission) permission).getPage();
    WikiPage page = m_engine.getPage(pageName);
    Acl acl = (page == null) ? null : m_engine.getAclManager().getPermissions(page);
    if (page == null || acl == null || acl.isEmpty()) {
        fireEvent(WikiSecurityEvent.ACCESS_ALLOWED, user, permission);
        return true;
    }
    // 
    // Next, iterate through the Principal objects assigned
    // this permission. If the context's subject possesses
    // any of these, the action is allowed.
    Principal[] aclPrincipals = acl.findPrincipals(permission);
    log.debug("Checking ACL entries...");
    log.debug("Acl for this page is: " + acl);
    log.debug("Checking for principal: " + Arrays.toString(aclPrincipals));
    log.debug("Permission: " + permission);
    for (Principal aclPrincipal : aclPrincipals) {
        // try to resolve it here & correct the Acl
        if (aclPrincipal instanceof UnresolvedPrincipal) {
            AclEntry aclEntry = acl.getEntry(aclPrincipal);
            aclPrincipal = resolvePrincipal(aclPrincipal.getName());
            if (aclEntry != null && !(aclPrincipal instanceof UnresolvedPrincipal)) {
                aclEntry.setPrincipal(aclPrincipal);
            }
        }
        if (hasRoleOrPrincipal(session, aclPrincipal)) {
            fireEvent(WikiSecurityEvent.ACCESS_ALLOWED, user, permission);
            return true;
        }
    }
    fireEvent(WikiSecurityEvent.ACCESS_DENIED, user, permission);
    return false;
}
Also used : WikiPage(org.apache.wiki.WikiPage) PagePermission(org.apache.wiki.auth.permissions.PagePermission) AllPermission(org.apache.wiki.auth.permissions.AllPermission) Permission(java.security.Permission) AclEntry(org.apache.wiki.auth.acl.AclEntry) AllPermission(org.apache.wiki.auth.permissions.AllPermission) Acl(org.apache.wiki.auth.acl.Acl) Principal(java.security.Principal) UnresolvedPrincipal(org.apache.wiki.auth.acl.UnresolvedPrincipal) PagePermission(org.apache.wiki.auth.permissions.PagePermission) UnresolvedPrincipal(org.apache.wiki.auth.acl.UnresolvedPrincipal)

Example 3 with Acl

use of org.apache.wiki.auth.acl.Acl in project jspwiki by apache.

the class PageManager method changeAcl.

/**
 * For a single wiki page, replaces all Acl entries matching a supplied array of Principals
 * with a new Principal.
 *
 * @param page          the wiki page whose Acl is to be modified
 * @param oldPrincipals an array of Principals to replace; all AclEntry objects whose
 *                      {@link AclEntry#getPrincipal()} method returns one of these Principals will be replaced
 * @param newPrincipal  the Principal that should receive the old Principals' permissions
 * @return <code>true</code> if the Acl was actually changed; <code>false</code> otherwise
 */
protected boolean changeAcl(WikiPage page, Principal[] oldPrincipals, Principal newPrincipal) {
    Acl acl = page.getAcl();
    boolean pageChanged = false;
    if (acl != null) {
        Enumeration<AclEntry> entries = acl.entries();
        Collection<AclEntry> entriesToAdd = new ArrayList<AclEntry>();
        Collection<AclEntry> entriesToRemove = new ArrayList<AclEntry>();
        while (entries.hasMoreElements()) {
            AclEntry entry = entries.nextElement();
            if (ArrayUtils.contains(oldPrincipals, entry.getPrincipal())) {
                // Create new entry
                AclEntry newEntry = new AclEntryImpl();
                newEntry.setPrincipal(newPrincipal);
                Enumeration<Permission> permissions = entry.permissions();
                while (permissions.hasMoreElements()) {
                    Permission permission = permissions.nextElement();
                    newEntry.addPermission(permission);
                }
                pageChanged = true;
                entriesToRemove.add(entry);
                entriesToAdd.add(newEntry);
            }
        }
        for (Iterator<AclEntry> ix = entriesToRemove.iterator(); ix.hasNext(); ) {
            AclEntry entry = ix.next();
            acl.removeEntry(entry);
        }
        for (Iterator<AclEntry> ix = entriesToAdd.iterator(); ix.hasNext(); ) {
            AclEntry entry = ix.next();
            acl.addEntry(entry);
        }
    }
    return pageChanged;
}
Also used : AclEntry(org.apache.wiki.auth.acl.AclEntry) ArrayList(java.util.ArrayList) Permission(java.security.Permission) AclEntryImpl(org.apache.wiki.auth.acl.AclEntryImpl) Acl(org.apache.wiki.auth.acl.Acl)

Example 4 with Acl

use of org.apache.wiki.auth.acl.Acl in project jspwiki by apache.

the class JSPWikiMarkupParser method handleAccessRule.

private Element handleAccessRule(String ruleLine) {
    if (m_wysiwygEditorMode) {
        m_currentElement.addContent("[" + ruleLine + "]");
    }
    if (!m_parseAccessRules)
        return m_currentElement;
    Acl acl;
    WikiPage page = m_context.getRealPage();
    if (ruleLine.startsWith("{"))
        ruleLine = ruleLine.substring(1);
    if (ruleLine.endsWith("}"))
        ruleLine = ruleLine.substring(0, ruleLine.length() - 1);
    if (log.isDebugEnabled())
        log.debug("page=" + page.getName() + ", ACL = " + ruleLine);
    try {
        acl = m_engine.getAclManager().parseAcl(page, ruleLine);
        page.setAcl(acl);
        if (log.isDebugEnabled())
            log.debug(acl.toString());
    } catch (WikiSecurityException wse) {
        return makeError(wse.getMessage());
    }
    return m_currentElement;
}
Also used : WikiSecurityException(org.apache.wiki.auth.WikiSecurityException) WikiPage(org.apache.wiki.WikiPage) Acl(org.apache.wiki.auth.acl.Acl)

Aggregations

Acl (org.apache.wiki.auth.acl.Acl)4 WikiPage (org.apache.wiki.WikiPage)3 Permission (java.security.Permission)2 WikiSecurityException (org.apache.wiki.auth.WikiSecurityException)2 AclEntry (org.apache.wiki.auth.acl.AclEntry)2 Principal (java.security.Principal)1 ArrayList (java.util.ArrayList)1 AclEntryImpl (org.apache.wiki.auth.acl.AclEntryImpl)1 UnresolvedPrincipal (org.apache.wiki.auth.acl.UnresolvedPrincipal)1 AllPermission (org.apache.wiki.auth.permissions.AllPermission)1 PagePermission (org.apache.wiki.auth.permissions.PagePermission)1