use of org.apache.wiki.auth.acl.Acl in project jspwiki by apache.
the class AccessRuleLinkNodePostProcessorState method process.
/**
* {@inheritDoc}
*
* @see NodePostProcessorState#process(NodeTracker, JSPWikiLink)
*/
@Override
public void process(final NodeTracker state, final JSPWikiLink link) {
String ruleLine = NodePostProcessorStateCommonOperations.inlineLinkTextOnWysiwyg(state, link, m_wysiwygEditorMode);
if (wikiContext.getEngine().getRenderingManager().getParser(wikiContext, link.getUrl().toString()).isParseAccessRules()) {
final WikiPage page = wikiContext.getRealPage();
if (ruleLine.startsWith("{")) {
ruleLine = ruleLine.substring(1);
}
if (ruleLine.endsWith("}")) {
ruleLine = ruleLine.substring(0, ruleLine.length() - 1);
}
LOG.debug("page=" + page.getName() + ", ACL = " + ruleLine);
try {
final Acl acl = wikiContext.getEngine().getAclManager().parseAcl(page, ruleLine);
page.setAcl(acl);
link.unlink();
state.nodeRemoved(link);
LOG.debug(acl.toString());
} catch (final WikiSecurityException wse) {
NodePostProcessorStateCommonOperations.makeError(state, link, wse.getMessage());
}
}
}
use of org.apache.wiki.auth.acl.Acl in project jspwiki by apache.
the class AuthorizationManager method checkPermission.
/**
* Returns <code>true</code> or <code>false</code>, depending on
* whether a Permission is allowed for the Subject associated with
* a supplied WikiSession. The access control algorithm works this way:
* <ol>
* <li>The {@link org.apache.wiki.auth.acl.Acl} for the page is obtained</li>
* <li>The Subject associated with the current
* {@link org.apache.wiki.WikiSession} is obtained</li>
* <li>If the Subject's Principal set includes the Role Principal that is
* the administrator group, always allow the Permission</li>
* <li>For all permissions, check to see if the Permission is allowed according
* to the default security policy. If it isn't, deny the permission and halt
* further processing.</li>
* <li>If there is an Acl, get the list of Principals assigned this
* Permission in the Acl: these will be role, group or user Principals, or
* {@link org.apache.wiki.auth.acl.UnresolvedPrincipal}s (see below).
* Then iterate through the Subject's Principal set and determine whether
* the user (Subject) possesses any one of these specified Roles or
* Principals. The matching process delegates to
* {@link #hasRoleOrPrincipal(WikiSession, Principal)}.
* </ol>
* <p>
* Note that when iterating through the Acl's list of authorized Principals,
* it is possible that one or more of the Acl's Principal entries are of
* type <code>UnresolvedPrincipal</code>. This means that the last time
* the ACL was read, the Principal (user, built-in Role, authorizer Role, or
* wiki Group) could not be resolved: the Role was not valid, the user
* wasn't found in the UserDatabase, or the Group wasn't known to (e.g.,
* cached) in the GroupManager. If an <code>UnresolvedPrincipal</code> is
* encountered, this method will attempt to resolve it first <em>before</em>
* checking to see if the Subject possesses this principal, by calling
* {@link #resolvePrincipal(String)}. If the (re-)resolution does not
* succeed, the access check for the principal will fail by definition (the
* Subject should never contain UnresolvedPrincipals).
* </p>
* <p>
* If security not set to JAAS, will return true.
* </p>
* @param session the current wiki session
* @param permission the Permission being checked
* @see #hasRoleOrPrincipal(WikiSession, Principal)
* @return the result of the Permission check
*/
public boolean checkPermission(WikiSession session, Permission permission) {
//
if (session == null || permission == null) {
fireEvent(WikiSecurityEvent.ACCESS_DENIED, null, permission);
return false;
}
Principal user = session.getLoginPrincipal();
// Always allow the action if user has AllPermission
Permission allPermission = new AllPermission(m_engine.getApplicationName());
boolean hasAllPermission = checkStaticPermission(session, allPermission);
if (hasAllPermission) {
fireEvent(WikiSecurityEvent.ACCESS_ALLOWED, user, permission);
return true;
}
// If the user doesn't have *at least* the permission
// granted by policy, return false.
boolean hasPolicyPermission = checkStaticPermission(session, permission);
if (!hasPolicyPermission) {
fireEvent(WikiSecurityEvent.ACCESS_DENIED, user, permission);
return false;
}
// If this isn't a PagePermission, it's allowed
if (!(permission instanceof PagePermission)) {
fireEvent(WikiSecurityEvent.ACCESS_ALLOWED, user, permission);
return true;
}
//
// If the page or ACL is null, it's allowed.
//
String pageName = ((PagePermission) permission).getPage();
WikiPage page = m_engine.getPage(pageName);
Acl acl = (page == null) ? null : m_engine.getAclManager().getPermissions(page);
if (page == null || acl == null || acl.isEmpty()) {
fireEvent(WikiSecurityEvent.ACCESS_ALLOWED, user, permission);
return true;
}
//
// Next, iterate through the Principal objects assigned
// this permission. If the context's subject possesses
// any of these, the action is allowed.
Principal[] aclPrincipals = acl.findPrincipals(permission);
log.debug("Checking ACL entries...");
log.debug("Acl for this page is: " + acl);
log.debug("Checking for principal: " + Arrays.toString(aclPrincipals));
log.debug("Permission: " + permission);
for (Principal aclPrincipal : aclPrincipals) {
// try to resolve it here & correct the Acl
if (aclPrincipal instanceof UnresolvedPrincipal) {
AclEntry aclEntry = acl.getEntry(aclPrincipal);
aclPrincipal = resolvePrincipal(aclPrincipal.getName());
if (aclEntry != null && !(aclPrincipal instanceof UnresolvedPrincipal)) {
aclEntry.setPrincipal(aclPrincipal);
}
}
if (hasRoleOrPrincipal(session, aclPrincipal)) {
fireEvent(WikiSecurityEvent.ACCESS_ALLOWED, user, permission);
return true;
}
}
fireEvent(WikiSecurityEvent.ACCESS_DENIED, user, permission);
return false;
}
use of org.apache.wiki.auth.acl.Acl in project jspwiki by apache.
the class PageManager method changeAcl.
/**
* For a single wiki page, replaces all Acl entries matching a supplied array of Principals
* with a new Principal.
*
* @param page the wiki page whose Acl is to be modified
* @param oldPrincipals an array of Principals to replace; all AclEntry objects whose
* {@link AclEntry#getPrincipal()} method returns one of these Principals will be replaced
* @param newPrincipal the Principal that should receive the old Principals' permissions
* @return <code>true</code> if the Acl was actually changed; <code>false</code> otherwise
*/
protected boolean changeAcl(WikiPage page, Principal[] oldPrincipals, Principal newPrincipal) {
Acl acl = page.getAcl();
boolean pageChanged = false;
if (acl != null) {
Enumeration<AclEntry> entries = acl.entries();
Collection<AclEntry> entriesToAdd = new ArrayList<AclEntry>();
Collection<AclEntry> entriesToRemove = new ArrayList<AclEntry>();
while (entries.hasMoreElements()) {
AclEntry entry = entries.nextElement();
if (ArrayUtils.contains(oldPrincipals, entry.getPrincipal())) {
// Create new entry
AclEntry newEntry = new AclEntryImpl();
newEntry.setPrincipal(newPrincipal);
Enumeration<Permission> permissions = entry.permissions();
while (permissions.hasMoreElements()) {
Permission permission = permissions.nextElement();
newEntry.addPermission(permission);
}
pageChanged = true;
entriesToRemove.add(entry);
entriesToAdd.add(newEntry);
}
}
for (Iterator<AclEntry> ix = entriesToRemove.iterator(); ix.hasNext(); ) {
AclEntry entry = ix.next();
acl.removeEntry(entry);
}
for (Iterator<AclEntry> ix = entriesToAdd.iterator(); ix.hasNext(); ) {
AclEntry entry = ix.next();
acl.addEntry(entry);
}
}
return pageChanged;
}
use of org.apache.wiki.auth.acl.Acl in project jspwiki by apache.
the class JSPWikiMarkupParser method handleAccessRule.
private Element handleAccessRule(String ruleLine) {
if (m_wysiwygEditorMode) {
m_currentElement.addContent("[" + ruleLine + "]");
}
if (!m_parseAccessRules)
return m_currentElement;
Acl acl;
WikiPage page = m_context.getRealPage();
if (ruleLine.startsWith("{"))
ruleLine = ruleLine.substring(1);
if (ruleLine.endsWith("}"))
ruleLine = ruleLine.substring(0, ruleLine.length() - 1);
if (log.isDebugEnabled())
log.debug("page=" + page.getName() + ", ACL = " + ruleLine);
try {
acl = m_engine.getAclManager().parseAcl(page, ruleLine);
page.setAcl(acl);
if (log.isDebugEnabled())
log.debug(acl.toString());
} catch (WikiSecurityException wse) {
return makeError(wse.getMessage());
}
return m_currentElement;
}
Aggregations