Search in sources :

Example 1 with AclEntry

use of org.apache.wiki.auth.acl.AclEntry in project jspwiki by apache.

the class AuthorizationManager method checkPermission.

/**
 * Returns <code>true</code> or <code>false</code>, depending on
 * whether a Permission is allowed for the Subject associated with
 * a supplied WikiSession. The access control algorithm works this way:
 * <ol>
 * <li>The {@link org.apache.wiki.auth.acl.Acl} for the page is obtained</li>
 * <li>The Subject associated with the current
 * {@link org.apache.wiki.WikiSession} is obtained</li>
 * <li>If the Subject's Principal set includes the Role Principal that is
 * the administrator group, always allow the Permission</li>
 * <li>For all permissions, check to see if the Permission is allowed according
 * to the default security policy. If it isn't, deny the permission and halt
 * further processing.</li>
 * <li>If there is an Acl, get the list of Principals assigned this
 * Permission in the Acl: these will be role, group or user Principals, or
 * {@link org.apache.wiki.auth.acl.UnresolvedPrincipal}s (see below).
 * Then iterate through the Subject's Principal set and determine whether
 * the user (Subject) possesses any one of these specified Roles or
 * Principals. The matching process delegates to
 * {@link #hasRoleOrPrincipal(WikiSession, Principal)}.
 * </ol>
 * <p>
 * Note that when iterating through the Acl's list of authorized Principals,
 * it is possible that one or more of the Acl's Principal entries are of
 * type <code>UnresolvedPrincipal</code>. This means that the last time
 * the ACL was read, the Principal (user, built-in Role, authorizer Role, or
 * wiki Group) could not be resolved: the Role was not valid, the user
 * wasn't found in the UserDatabase, or the Group wasn't known to (e.g.,
 * cached) in the GroupManager. If an <code>UnresolvedPrincipal</code> is
 * encountered, this method will attempt to resolve it first <em>before</em>
 * checking to see if the Subject possesses this principal, by calling
 * {@link #resolvePrincipal(String)}. If the (re-)resolution does not
 * succeed, the access check for the principal will fail by definition (the
 * Subject should never contain UnresolvedPrincipals).
 * </p>
 * <p>
 * If security not set to JAAS, will return true.
 * </p>
 * @param session the current wiki session
 * @param permission the Permission being checked
 * @see #hasRoleOrPrincipal(WikiSession, Principal)
 * @return the result of the Permission check
 */
public boolean checkPermission(WikiSession session, Permission permission) {
    // 
    if (session == null || permission == null) {
        fireEvent(WikiSecurityEvent.ACCESS_DENIED, null, permission);
        return false;
    }
    Principal user = session.getLoginPrincipal();
    // Always allow the action if user has AllPermission
    Permission allPermission = new AllPermission(m_engine.getApplicationName());
    boolean hasAllPermission = checkStaticPermission(session, allPermission);
    if (hasAllPermission) {
        fireEvent(WikiSecurityEvent.ACCESS_ALLOWED, user, permission);
        return true;
    }
    // If the user doesn't have *at least* the permission
    // granted by policy, return false.
    boolean hasPolicyPermission = checkStaticPermission(session, permission);
    if (!hasPolicyPermission) {
        fireEvent(WikiSecurityEvent.ACCESS_DENIED, user, permission);
        return false;
    }
    // If this isn't a PagePermission, it's allowed
    if (!(permission instanceof PagePermission)) {
        fireEvent(WikiSecurityEvent.ACCESS_ALLOWED, user, permission);
        return true;
    }
    // 
    // If the page or ACL is null, it's allowed.
    // 
    String pageName = ((PagePermission) permission).getPage();
    WikiPage page = m_engine.getPage(pageName);
    Acl acl = (page == null) ? null : m_engine.getAclManager().getPermissions(page);
    if (page == null || acl == null || acl.isEmpty()) {
        fireEvent(WikiSecurityEvent.ACCESS_ALLOWED, user, permission);
        return true;
    }
    // 
    // Next, iterate through the Principal objects assigned
    // this permission. If the context's subject possesses
    // any of these, the action is allowed.
    Principal[] aclPrincipals = acl.findPrincipals(permission);
    log.debug("Checking ACL entries...");
    log.debug("Acl for this page is: " + acl);
    log.debug("Checking for principal: " + Arrays.toString(aclPrincipals));
    log.debug("Permission: " + permission);
    for (Principal aclPrincipal : aclPrincipals) {
        // try to resolve it here & correct the Acl
        if (aclPrincipal instanceof UnresolvedPrincipal) {
            AclEntry aclEntry = acl.getEntry(aclPrincipal);
            aclPrincipal = resolvePrincipal(aclPrincipal.getName());
            if (aclEntry != null && !(aclPrincipal instanceof UnresolvedPrincipal)) {
                aclEntry.setPrincipal(aclPrincipal);
            }
        }
        if (hasRoleOrPrincipal(session, aclPrincipal)) {
            fireEvent(WikiSecurityEvent.ACCESS_ALLOWED, user, permission);
            return true;
        }
    }
    fireEvent(WikiSecurityEvent.ACCESS_DENIED, user, permission);
    return false;
}
Also used : WikiPage(org.apache.wiki.WikiPage) PagePermission(org.apache.wiki.auth.permissions.PagePermission) AllPermission(org.apache.wiki.auth.permissions.AllPermission) Permission(java.security.Permission) AclEntry(org.apache.wiki.auth.acl.AclEntry) AllPermission(org.apache.wiki.auth.permissions.AllPermission) Acl(org.apache.wiki.auth.acl.Acl) Principal(java.security.Principal) UnresolvedPrincipal(org.apache.wiki.auth.acl.UnresolvedPrincipal) PagePermission(org.apache.wiki.auth.permissions.PagePermission) UnresolvedPrincipal(org.apache.wiki.auth.acl.UnresolvedPrincipal)

Example 2 with AclEntry

use of org.apache.wiki.auth.acl.AclEntry in project jspwiki by apache.

the class PageManager method changeAcl.

/**
 * For a single wiki page, replaces all Acl entries matching a supplied array of Principals
 * with a new Principal.
 *
 * @param page          the wiki page whose Acl is to be modified
 * @param oldPrincipals an array of Principals to replace; all AclEntry objects whose
 *                      {@link AclEntry#getPrincipal()} method returns one of these Principals will be replaced
 * @param newPrincipal  the Principal that should receive the old Principals' permissions
 * @return <code>true</code> if the Acl was actually changed; <code>false</code> otherwise
 */
protected boolean changeAcl(WikiPage page, Principal[] oldPrincipals, Principal newPrincipal) {
    Acl acl = page.getAcl();
    boolean pageChanged = false;
    if (acl != null) {
        Enumeration<AclEntry> entries = acl.entries();
        Collection<AclEntry> entriesToAdd = new ArrayList<AclEntry>();
        Collection<AclEntry> entriesToRemove = new ArrayList<AclEntry>();
        while (entries.hasMoreElements()) {
            AclEntry entry = entries.nextElement();
            if (ArrayUtils.contains(oldPrincipals, entry.getPrincipal())) {
                // Create new entry
                AclEntry newEntry = new AclEntryImpl();
                newEntry.setPrincipal(newPrincipal);
                Enumeration<Permission> permissions = entry.permissions();
                while (permissions.hasMoreElements()) {
                    Permission permission = permissions.nextElement();
                    newEntry.addPermission(permission);
                }
                pageChanged = true;
                entriesToRemove.add(entry);
                entriesToAdd.add(newEntry);
            }
        }
        for (Iterator<AclEntry> ix = entriesToRemove.iterator(); ix.hasNext(); ) {
            AclEntry entry = ix.next();
            acl.removeEntry(entry);
        }
        for (Iterator<AclEntry> ix = entriesToAdd.iterator(); ix.hasNext(); ) {
            AclEntry entry = ix.next();
            acl.addEntry(entry);
        }
    }
    return pageChanged;
}
Also used : AclEntry(org.apache.wiki.auth.acl.AclEntry) ArrayList(java.util.ArrayList) Permission(java.security.Permission) AclEntryImpl(org.apache.wiki.auth.acl.AclEntryImpl) Acl(org.apache.wiki.auth.acl.Acl)

Example 3 with AclEntry

use of org.apache.wiki.auth.acl.AclEntry in project jspwiki by apache.

the class WikiPage method clone.

/**
 *  Creates a deep clone of a WikiPage.  Strings are not cloned, since
 *  they're immutable.  Attributes are not cloned, only the internal
 *  HashMap (so if you modify the contents of a value of an attribute,
 *  these will reflect back to everyone).
 *
 *  @return A deep clone of the WikiPage
 */
public Object clone() {
    WikiPage p = new WikiPage(m_engine, m_name);
    p.m_wiki = m_wiki;
    p.m_author = m_author;
    p.m_version = m_version;
    p.m_lastModified = m_lastModified != null ? (Date) m_lastModified.clone() : null;
    p.m_fileSize = m_fileSize;
    for (Map.Entry<String, Object> entry : m_attributes.entrySet()) {
        p.m_attributes.put(entry.getKey(), entry.getValue());
    }
    if (m_accessList != null) {
        p.m_accessList = new AclImpl();
        for (Enumeration<AclEntry> entries = m_accessList.entries(); entries.hasMoreElements(); ) {
            AclEntry e = entries.nextElement();
            p.m_accessList.addEntry(e);
        }
    }
    return p;
}
Also used : AclImpl(org.apache.wiki.auth.acl.AclImpl) AclEntry(org.apache.wiki.auth.acl.AclEntry) Map(java.util.Map) HashMap(java.util.HashMap) Date(java.util.Date)

Aggregations

AclEntry (org.apache.wiki.auth.acl.AclEntry)3 Permission (java.security.Permission)2 Acl (org.apache.wiki.auth.acl.Acl)2 Principal (java.security.Principal)1 ArrayList (java.util.ArrayList)1 Date (java.util.Date)1 HashMap (java.util.HashMap)1 Map (java.util.Map)1 WikiPage (org.apache.wiki.WikiPage)1 AclEntryImpl (org.apache.wiki.auth.acl.AclEntryImpl)1 AclImpl (org.apache.wiki.auth.acl.AclImpl)1 UnresolvedPrincipal (org.apache.wiki.auth.acl.UnresolvedPrincipal)1 AllPermission (org.apache.wiki.auth.permissions.AllPermission)1 PagePermission (org.apache.wiki.auth.permissions.PagePermission)1