use of org.apache.wiki.auth.acl.AclEntry in project jspwiki by apache.
the class AuthorizationManager method checkPermission.
/**
* Returns <code>true</code> or <code>false</code>, depending on
* whether a Permission is allowed for the Subject associated with
* a supplied WikiSession. The access control algorithm works this way:
* <ol>
* <li>The {@link org.apache.wiki.auth.acl.Acl} for the page is obtained</li>
* <li>The Subject associated with the current
* {@link org.apache.wiki.WikiSession} is obtained</li>
* <li>If the Subject's Principal set includes the Role Principal that is
* the administrator group, always allow the Permission</li>
* <li>For all permissions, check to see if the Permission is allowed according
* to the default security policy. If it isn't, deny the permission and halt
* further processing.</li>
* <li>If there is an Acl, get the list of Principals assigned this
* Permission in the Acl: these will be role, group or user Principals, or
* {@link org.apache.wiki.auth.acl.UnresolvedPrincipal}s (see below).
* Then iterate through the Subject's Principal set and determine whether
* the user (Subject) possesses any one of these specified Roles or
* Principals. The matching process delegates to
* {@link #hasRoleOrPrincipal(WikiSession, Principal)}.
* </ol>
* <p>
* Note that when iterating through the Acl's list of authorized Principals,
* it is possible that one or more of the Acl's Principal entries are of
* type <code>UnresolvedPrincipal</code>. This means that the last time
* the ACL was read, the Principal (user, built-in Role, authorizer Role, or
* wiki Group) could not be resolved: the Role was not valid, the user
* wasn't found in the UserDatabase, or the Group wasn't known to (e.g.,
* cached) in the GroupManager. If an <code>UnresolvedPrincipal</code> is
* encountered, this method will attempt to resolve it first <em>before</em>
* checking to see if the Subject possesses this principal, by calling
* {@link #resolvePrincipal(String)}. If the (re-)resolution does not
* succeed, the access check for the principal will fail by definition (the
* Subject should never contain UnresolvedPrincipals).
* </p>
* <p>
* If security not set to JAAS, will return true.
* </p>
* @param session the current wiki session
* @param permission the Permission being checked
* @see #hasRoleOrPrincipal(WikiSession, Principal)
* @return the result of the Permission check
*/
public boolean checkPermission(WikiSession session, Permission permission) {
//
if (session == null || permission == null) {
fireEvent(WikiSecurityEvent.ACCESS_DENIED, null, permission);
return false;
}
Principal user = session.getLoginPrincipal();
// Always allow the action if user has AllPermission
Permission allPermission = new AllPermission(m_engine.getApplicationName());
boolean hasAllPermission = checkStaticPermission(session, allPermission);
if (hasAllPermission) {
fireEvent(WikiSecurityEvent.ACCESS_ALLOWED, user, permission);
return true;
}
// If the user doesn't have *at least* the permission
// granted by policy, return false.
boolean hasPolicyPermission = checkStaticPermission(session, permission);
if (!hasPolicyPermission) {
fireEvent(WikiSecurityEvent.ACCESS_DENIED, user, permission);
return false;
}
// If this isn't a PagePermission, it's allowed
if (!(permission instanceof PagePermission)) {
fireEvent(WikiSecurityEvent.ACCESS_ALLOWED, user, permission);
return true;
}
//
// If the page or ACL is null, it's allowed.
//
String pageName = ((PagePermission) permission).getPage();
WikiPage page = m_engine.getPage(pageName);
Acl acl = (page == null) ? null : m_engine.getAclManager().getPermissions(page);
if (page == null || acl == null || acl.isEmpty()) {
fireEvent(WikiSecurityEvent.ACCESS_ALLOWED, user, permission);
return true;
}
//
// Next, iterate through the Principal objects assigned
// this permission. If the context's subject possesses
// any of these, the action is allowed.
Principal[] aclPrincipals = acl.findPrincipals(permission);
log.debug("Checking ACL entries...");
log.debug("Acl for this page is: " + acl);
log.debug("Checking for principal: " + Arrays.toString(aclPrincipals));
log.debug("Permission: " + permission);
for (Principal aclPrincipal : aclPrincipals) {
// try to resolve it here & correct the Acl
if (aclPrincipal instanceof UnresolvedPrincipal) {
AclEntry aclEntry = acl.getEntry(aclPrincipal);
aclPrincipal = resolvePrincipal(aclPrincipal.getName());
if (aclEntry != null && !(aclPrincipal instanceof UnresolvedPrincipal)) {
aclEntry.setPrincipal(aclPrincipal);
}
}
if (hasRoleOrPrincipal(session, aclPrincipal)) {
fireEvent(WikiSecurityEvent.ACCESS_ALLOWED, user, permission);
return true;
}
}
fireEvent(WikiSecurityEvent.ACCESS_DENIED, user, permission);
return false;
}
use of org.apache.wiki.auth.acl.AclEntry in project jspwiki by apache.
the class PageManager method changeAcl.
/**
* For a single wiki page, replaces all Acl entries matching a supplied array of Principals
* with a new Principal.
*
* @param page the wiki page whose Acl is to be modified
* @param oldPrincipals an array of Principals to replace; all AclEntry objects whose
* {@link AclEntry#getPrincipal()} method returns one of these Principals will be replaced
* @param newPrincipal the Principal that should receive the old Principals' permissions
* @return <code>true</code> if the Acl was actually changed; <code>false</code> otherwise
*/
protected boolean changeAcl(WikiPage page, Principal[] oldPrincipals, Principal newPrincipal) {
Acl acl = page.getAcl();
boolean pageChanged = false;
if (acl != null) {
Enumeration<AclEntry> entries = acl.entries();
Collection<AclEntry> entriesToAdd = new ArrayList<AclEntry>();
Collection<AclEntry> entriesToRemove = new ArrayList<AclEntry>();
while (entries.hasMoreElements()) {
AclEntry entry = entries.nextElement();
if (ArrayUtils.contains(oldPrincipals, entry.getPrincipal())) {
// Create new entry
AclEntry newEntry = new AclEntryImpl();
newEntry.setPrincipal(newPrincipal);
Enumeration<Permission> permissions = entry.permissions();
while (permissions.hasMoreElements()) {
Permission permission = permissions.nextElement();
newEntry.addPermission(permission);
}
pageChanged = true;
entriesToRemove.add(entry);
entriesToAdd.add(newEntry);
}
}
for (Iterator<AclEntry> ix = entriesToRemove.iterator(); ix.hasNext(); ) {
AclEntry entry = ix.next();
acl.removeEntry(entry);
}
for (Iterator<AclEntry> ix = entriesToAdd.iterator(); ix.hasNext(); ) {
AclEntry entry = ix.next();
acl.addEntry(entry);
}
}
return pageChanged;
}
use of org.apache.wiki.auth.acl.AclEntry in project jspwiki by apache.
the class WikiPage method clone.
/**
* Creates a deep clone of a WikiPage. Strings are not cloned, since
* they're immutable. Attributes are not cloned, only the internal
* HashMap (so if you modify the contents of a value of an attribute,
* these will reflect back to everyone).
*
* @return A deep clone of the WikiPage
*/
public Object clone() {
WikiPage p = new WikiPage(m_engine, m_name);
p.m_wiki = m_wiki;
p.m_author = m_author;
p.m_version = m_version;
p.m_lastModified = m_lastModified != null ? (Date) m_lastModified.clone() : null;
p.m_fileSize = m_fileSize;
for (Map.Entry<String, Object> entry : m_attributes.entrySet()) {
p.m_attributes.put(entry.getKey(), entry.getValue());
}
if (m_accessList != null) {
p.m_accessList = new AclImpl();
for (Enumeration<AclEntry> entries = m_accessList.entries(); entries.hasMoreElements(); ) {
AclEntry e = entries.nextElement();
p.m_accessList.addEntry(e);
}
}
return p;
}
Aggregations