Examples with AclEntry org.apache.wiki.auth.acl.AclEntry used on opensource projects

Example 1 with AclEntry

use of org.apache.wiki.auth.acl.AclEntry in project jspwiki by apache.

the class AuthorizationManager method checkPermission.

/**
 * Returns <code>true</code> or <code>false</code>, depending on
 * whether a Permission is allowed for the Subject associated with
 * a supplied WikiSession. The access control algorithm works this way:
 * <ol>
 * <li>The {@link org.apache.wiki.auth.acl.Acl} for the page is obtained</li>
 * <li>The Subject associated with the current
 * {@link org.apache.wiki.WikiSession} is obtained</li>
 * <li>If the Subject's Principal set includes the Role Principal that is
 * the administrator group, always allow the Permission</li>
 * <li>For all permissions, check to see if the Permission is allowed according
 * to the default security policy. If it isn't, deny the permission and halt
 * further processing.</li>
 * <li>If there is an Acl, get the list of Principals assigned this
 * Permission in the Acl: these will be role, group or user Principals, or
 * {@link org.apache.wiki.auth.acl.UnresolvedPrincipal}s (see below).
 * Then iterate through the Subject's Principal set and determine whether
 * the user (Subject) possesses any one of these specified Roles or
 * Principals. The matching process delegates to
 * {@link #hasRoleOrPrincipal(WikiSession, Principal)}.
 * </ol>
 * <p>
 * Note that when iterating through the Acl's list of authorized Principals,
 * it is possible that one or more of the Acl's Principal entries are of
 * type <code>UnresolvedPrincipal</code>. This means that the last time
 * the ACL was read, the Principal (user, built-in Role, authorizer Role, or
 * wiki Group) could not be resolved: the Role was not valid, the user
 * wasn't found in the UserDatabase, or the Group wasn't known to (e.g.,
 * cached) in the GroupManager. If an <code>UnresolvedPrincipal</code> is
 * encountered, this method will attempt to resolve it first <em>before</em>
 * checking to see if the Subject possesses this principal, by calling
 * {@link #resolvePrincipal(String)}. If the (re-)resolution does not
 * succeed, the access check for the principal will fail by definition (the
 * Subject should never contain UnresolvedPrincipals).
 * </p>
 * <p>
 * If security not set to JAAS, will return true.
 * </p>
 * @param session the current wiki session
 * @param permission the Permission being checked
 * @see #hasRoleOrPrincipal(WikiSession, Principal)
 * @return the result of the Permission check
 */
public boolean checkPermission(WikiSession session, Permission permission) {
    // 
    if (session == null || permission == null) {
        fireEvent(WikiSecurityEvent.ACCESS_DENIED, null, permission);
        return false;
    }
    Principal user = session.getLoginPrincipal();
    // Always allow the action if user has AllPermission
    Permission allPermission = new AllPermission(m_engine.getApplicationName());
    boolean hasAllPermission = checkStaticPermission(session, allPermission);
    if (hasAllPermission) {
        fireEvent(WikiSecurityEvent.ACCESS_ALLOWED, user, permission);
        return true;
    }
    // If the user doesn't have *at least* the permission
    // granted by policy, return false.
    boolean hasPolicyPermission = checkStaticPermission(session, permission);
    if (!hasPolicyPermission) {
        fireEvent(WikiSecurityEvent.ACCESS_DENIED, user, permission);
        return false;
    }
    // If this isn't a PagePermission, it's allowed
    if (!(permission instanceof PagePermission)) {
        fireEvent(WikiSecurityEvent.ACCESS_ALLOWED, user, permission);
        return true;
    }
    // 
    // If the page or ACL is null, it's allowed.
    // 
    String pageName = ((PagePermission) permission).getPage();
    WikiPage page = m_engine.getPage(pageName);
    Acl acl = (page == null) ? null : m_engine.getAclManager().getPermissions(page);
    if (page == null || acl == null || acl.isEmpty()) {
        fireEvent(WikiSecurityEvent.ACCESS_ALLOWED, user, permission);
        return true;
    }
    // 
    // Next, iterate through the Principal objects assigned
    // this permission. If the context's subject possesses
    // any of these, the action is allowed.
    Principal[] aclPrincipals = acl.findPrincipals(permission);
    log.debug("Checking ACL entries...");
    log.debug("Acl for this page is: " + acl);
    log.debug("Checking for principal: " + Arrays.toString(aclPrincipals));
    log.debug("Permission: " + permission);
    for (Principal aclPrincipal : aclPrincipals) {
        // try to resolve it here & correct the Acl
        if (aclPrincipal instanceof UnresolvedPrincipal) {
            AclEntry aclEntry = acl.getEntry(aclPrincipal);
            aclPrincipal = resolvePrincipal(aclPrincipal.getName());
            if (aclEntry != null && !(aclPrincipal instanceof UnresolvedPrincipal)) {
                aclEntry.setPrincipal(aclPrincipal);
            }
        }
        if (hasRoleOrPrincipal(session, aclPrincipal)) {
            fireEvent(WikiSecurityEvent.ACCESS_ALLOWED, user, permission);
            return true;
        }
    }
    fireEvent(WikiSecurityEvent.ACCESS_DENIED, user, permission);
    return false;
}

Example 2 with AclEntry

use of org.apache.wiki.auth.acl.AclEntry in project jspwiki by apache.

the class PageManager method changeAcl.

/**
 * For a single wiki page, replaces all Acl entries matching a supplied array of Principals
 * with a new Principal.
 *
 * @param page          the wiki page whose Acl is to be modified
 * @param oldPrincipals an array of Principals to replace; all AclEntry objects whose
 *                      {@link AclEntry#getPrincipal()} method returns one of these Principals will be replaced
 * @param newPrincipal  the Principal that should receive the old Principals' permissions
 * @return <code>true</code> if the Acl was actually changed; <code>false</code> otherwise
 */
protected boolean changeAcl(WikiPage page, Principal[] oldPrincipals, Principal newPrincipal) {
    Acl acl = page.getAcl();
    boolean pageChanged = false;
    if (acl != null) {
        Enumeration<AclEntry> entries = acl.entries();
        Collection<AclEntry> entriesToAdd = new ArrayList<AclEntry>();
        Collection<AclEntry> entriesToRemove = new ArrayList<AclEntry>();
        while (entries.hasMoreElements()) {
            AclEntry entry = entries.nextElement();
            if (ArrayUtils.contains(oldPrincipals, entry.getPrincipal())) {
                // Create new entry
                AclEntry newEntry = new AclEntryImpl();
                newEntry.setPrincipal(newPrincipal);
                Enumeration<Permission> permissions = entry.permissions();
                while (permissions.hasMoreElements()) {
                    Permission permission = permissions.nextElement();
                    newEntry.addPermission(permission);
                }
                pageChanged = true;
                entriesToRemove.add(entry);
                entriesToAdd.add(newEntry);
            }
        }
        for (Iterator<AclEntry> ix = entriesToRemove.iterator(); ix.hasNext(); ) {
            AclEntry entry = ix.next();
            acl.removeEntry(entry);
        }
        for (Iterator<AclEntry> ix = entriesToAdd.iterator(); ix.hasNext(); ) {
            AclEntry entry = ix.next();
            acl.addEntry(entry);
        }
    }
    return pageChanged;
}

Example 3 with AclEntry

use of org.apache.wiki.auth.acl.AclEntry in project jspwiki by apache.

the class WikiPage method clone.

/**
 *  Creates a deep clone of a WikiPage.  Strings are not cloned, since
 *  they're immutable.  Attributes are not cloned, only the internal
 *  HashMap (so if you modify the contents of a value of an attribute,
 *  these will reflect back to everyone).
 *
 *  @return A deep clone of the WikiPage
 */
public Object clone() {
    WikiPage p = new WikiPage(m_engine, m_name);
    p.m_wiki = m_wiki;
    p.m_author = m_author;
    p.m_version = m_version;
    p.m_lastModified = m_lastModified != null ? (Date) m_lastModified.clone() : null;
    p.m_fileSize = m_fileSize;
    for (Map.Entry<String, Object> entry : m_attributes.entrySet()) {
        p.m_attributes.put(entry.getKey(), entry.getValue());
    }
    if (m_accessList != null) {
        p.m_accessList = new AclImpl();
        for (Enumeration<AclEntry> entries = m_accessList.entries(); entries.hasMoreElements(); ) {
            AclEntry e = entries.nextElement();
            p.m_accessList.addEntry(e);
        }
    }
    return p;
}