Search in sources :

Example 1 with SecurityManager

use of org.exist.security.SecurityManager in project exist by eXist-db.

the class Restore method setAdminCredentials.

private void setAdminCredentials(final DBBroker broker, final String adminPassword) throws EXistException, PermissionDeniedException {
    final SecurityManager securityManager = broker.getBrokerPool().getSecurityManager();
    final Account dba = securityManager.getAccount(SecurityManager.DBA_USER);
    if (dba == null) {
        throw new EXistException("'" + SecurityManager.DBA_USER + "' account can't be found.");
    }
    dba.setCredential(new Password(dba, adminPassword));
    securityManager.updateAccount(dba);
}
Also used : Account(org.exist.security.Account) SecurityManager(org.exist.security.SecurityManager) EXistException(org.exist.EXistException) Password(org.exist.security.internal.Password)

Example 2 with SecurityManager

use of org.exist.security.SecurityManager in project exist by eXist-db.

the class Configurator method save.

public static DocumentImpl save(final Configurable instance, final DBBroker broker, final Collection collection, final XmldbURI uri) throws IOException, ConfigurationException {
    final StringWriter writer = new StringWriter();
    final SAXSerializer serializer = new SAXSerializer(writer, null);
    try {
        serializer.startDocument();
        serialize(instance, serializer);
        serializer.endDocument();
    } catch (final SAXException saxe) {
        throw new ConfigurationException(saxe.getMessage(), saxe);
    }
    final String data = writer.toString();
    if (data == null || data.length() == 0) {
        return null;
    }
    FullXmldbURI fullURI = null;
    final BrokerPool pool = broker.getBrokerPool();
    final TransactionManager transact = pool.getTransactionManager();
    LOG.info("Storing configuration {}/{}", collection.getURI(), uri);
    final SecurityManager securityManager = pool.getSecurityManager();
    try {
        final Subject systemSubject = securityManager.getSystemSubject();
        broker.pushSubject(systemSubject);
        Txn txn = broker.getCurrentTransaction();
        final boolean txnInProgress = txn != null;
        if (!txnInProgress) {
            txn = transact.beginTransaction();
        }
        try {
            txn.acquireCollectionLock(() -> pool.getLockManager().acquireCollectionWriteLock(collection.getURI()));
            fullURI = getFullURI(pool, collection.getURI().append(uri));
            saving.add(fullURI);
            final Permission systemResourcePermission = PermissionFactory.getDefaultResourcePermission(pool.getSecurityManager());
            systemResourcePermission.setOwner(systemSubject);
            systemResourcePermission.setGroup(systemSubject.getDefaultGroup());
            systemResourcePermission.setMode(Permission.DEFAULT_SYSTEM_RESOURCE_PERM);
            broker.storeDocument(txn, uri, new StringInputSource(data), MimeType.XML_TYPE, null, null, systemResourcePermission, null, null, collection);
            broker.saveCollection(txn, collection);
            if (!txnInProgress) {
                transact.commit(txn);
            }
        } catch (final EXistException | PermissionDeniedException | SAXException | LockException e) {
            if (!txnInProgress) {
                transact.abort(txn);
            }
            throw e;
        } finally {
            if (!txnInProgress) {
                txn.close();
            }
        }
        saving.remove(fullURI);
        broker.flush();
        broker.sync(Sync.MAJOR);
        return collection.getDocument(broker, uri.lastSegment());
    } catch (final EXistException | PermissionDeniedException | SAXException | LockException e) {
        LOG.error(e);
        if (fullURI != null) {
            saving.remove(fullURI);
        }
        throw new IOException(e);
    } finally {
        broker.popSubject();
    }
}
Also used : SecurityManager(org.exist.security.SecurityManager) Txn(org.exist.storage.txn.Txn) EXistException(org.exist.EXistException) SAXException(org.xml.sax.SAXException) StringInputSource(org.exist.util.StringInputSource) ParserConfigurationException(javax.xml.parsers.ParserConfigurationException) LockException(org.exist.util.LockException) TransactionManager(org.exist.storage.txn.TransactionManager) FullXmldbURI(org.exist.xmldb.FullXmldbURI) SAXSerializer(org.exist.util.serializer.SAXSerializer) BrokerPool(org.exist.storage.BrokerPool)

Example 3 with SecurityManager

use of org.exist.security.SecurityManager in project exist by eXist-db.

the class BasicAuthenticator method authenticate.

@Override
public Subject authenticate(HttpServletRequest request, HttpServletResponse response, boolean sendChallenge) throws IOException {
    String credentials = request.getHeader("Authorization");
    String username = null;
    String password = null;
    try {
        if (credentials != null && credentials.startsWith("Basic")) {
            final byte[] c = Base64.decodeBase64(credentials.substring("Basic ".length()));
            final String s = new String(c, UTF_8);
            // LOG.debug("BASIC auth credentials: "+s);
            final int p = s.indexOf(':');
            username = p < 0 ? s : s.substring(0, p);
            password = p < 0 ? null : s.substring(p + 1);
        }
    } catch (final IllegalArgumentException iae) {
        LOG.warn("Invalid BASIC authentication header received: {}", iae.getMessage(), iae);
        credentials = null;
    }
    // get the user from the session if possible
    final HttpSession session = request.getSession(false);
    Subject user = null;
    if (session != null) {
        user = (Subject) session.getAttribute(XQueryContext.HTTP_SESSIONVAR_XMLDB_USER);
        if (user != null && (username == null || user.getName().equals(username))) {
            return user;
        }
    }
    if (user != null) {
        session.removeAttribute(XQueryContext.HTTP_SESSIONVAR_XMLDB_USER);
    }
    // get the credentials
    if (credentials == null) {
        // LOG.debug("Sending BASIC auth challenge.");
        if (sendChallenge) {
            sendChallenge(request, response);
        }
        return null;
    }
    // authenticate the credentials
    final SecurityManager secman = pool.getSecurityManager();
    try {
        user = secman.authenticate(username, password);
    } catch (final AuthenticationException e) {
        // if authentication failed then send a challenge request again
        if (sendChallenge) {
            sendChallenge(request, response);
        }
        return null;
    }
    // store the user in the session
    if (session != null) {
        session.setAttribute(XQueryContext.HTTP_SESSIONVAR_XMLDB_USER, user);
    }
    // return the authenticated user
    return user;
}
Also used : SecurityManager(org.exist.security.SecurityManager) AuthenticationException(org.exist.security.AuthenticationException) HttpSession(javax.servlet.http.HttpSession) Subject(org.exist.security.Subject)

Example 4 with SecurityManager

use of org.exist.security.SecurityManager in project exist by eXist-db.

the class GroupManagementFunctionRemoveGroupTest method deleteUsersSharingPersonalPrimaryGroup.

@Test
public void deleteUsersSharingPersonalPrimaryGroup() throws PermissionDeniedException, EXistException {
    final BrokerPool pool = existWebServer.getBrokerPool();
    final SecurityManager sm = pool.getSecurityManager();
    // create two users which share a primary group
    try (final DBBroker broker = pool.get(Optional.of(sm.getSystemSubject()));
        final Txn transaction = pool.getTransactionManager().beginTransaction()) {
        final Group otherGroup1 = createGroup(broker, sm, OTHER_GROUP1_NAME);
        Account user1 = createUser(broker, sm, USER1_NAME, USER1_PWD);
        addUserToGroup(sm, user1, otherGroup1);
        setPrimaryGroup(sm, user1, otherGroup1);
        final Account user2 = createUser(broker, sm, USER2_NAME, USER2_PWD);
        addUserToGroup(sm, user2, otherGroup1);
        setPrimaryGroup(sm, user2, otherGroup1);
        transaction.commit();
    }
    // check that the users are as we expect
    String primaryGroup = null;
    try (final DBBroker broker = pool.get(Optional.of(sm.getSystemSubject()));
        final Txn transaction = pool.getTransactionManager().beginTransaction()) {
        final Account user1 = sm.getAccount(USER1_NAME);
        primaryGroup = user1.getPrimaryGroup();
        assertEquals(OTHER_GROUP1_NAME, primaryGroup);
        final String[] user1Groups = user1.getGroups();
        assertArrayEquals(new String[] { OTHER_GROUP1_NAME, USER1_NAME }, user1Groups);
        for (final String user1Group : user1Groups) {
            assertNotNull(sm.getGroup(user1Group));
        }
        final Account user2 = sm.getAccount(USER2_NAME);
        assertEquals(OTHER_GROUP1_NAME, user2.getPrimaryGroup());
        final String[] user2Groups = user2.getGroups();
        assertArrayEquals(new String[] { OTHER_GROUP1_NAME, USER2_NAME }, user2Groups);
        for (final String user2Group : user2Groups) {
            assertNotNull(sm.getGroup(user2Group));
        }
        transaction.commit();
    }
    // attempt to remove the primary group of the first user
    try (final DBBroker broker = pool.get(Optional.of(sm.getSystemSubject()));
        final Txn transaction = pool.getTransactionManager().beginTransaction()) {
        try {
            sm.deleteGroup(primaryGroup);
            fail("Should have received: PermissionDeniedException: Account 'user1' still has 'otherGroup1' as their primary group!");
        } catch (final PermissionDeniedException e) {
        // expected
        }
        transaction.commit();
    }
    // delete the first user
    try (final DBBroker broker = pool.get(Optional.of(sm.getSystemSubject()));
        final Txn transaction = pool.getTransactionManager().beginTransaction()) {
        removeUser(sm, USER1_NAME);
        transaction.commit();
    }
    // attempt to remove the primary group of the second user
    try (final DBBroker broker = pool.get(Optional.of(sm.getSystemSubject()));
        final Txn transaction = pool.getTransactionManager().beginTransaction()) {
        try {
            sm.deleteGroup(primaryGroup);
            fail("Should have received: PermissionDeniedException: Account 'user2' still has 'otherGroup1' as their primary group!");
        } catch (final PermissionDeniedException e) {
        // expected
        }
        transaction.commit();
    }
    // delete the second user
    try (final DBBroker broker = pool.get(Optional.of(sm.getSystemSubject()));
        final Txn transaction = pool.getTransactionManager().beginTransaction()) {
        removeUser(sm, USER2_NAME);
        transaction.commit();
    }
    // no users have the group as primary group, so now should be able to delete the group
    try (final DBBroker broker = pool.get(Optional.of(sm.getSystemSubject()));
        final Txn transaction = pool.getTransactionManager().beginTransaction()) {
        sm.deleteGroup(primaryGroup);
        transaction.commit();
    }
}
Also used : DBBroker(org.exist.storage.DBBroker) SecurityManager(org.exist.security.SecurityManager) Txn(org.exist.storage.txn.Txn) BrokerPool(org.exist.storage.BrokerPool)

Example 5 with SecurityManager

use of org.exist.security.SecurityManager in project exist by eXist-db.

the class GroupManagementFunctionRemoveGroupTest method deleteUsersPersonalPrimaryGroup.

@Test(expected = PermissionDeniedException.class)
public void deleteUsersPersonalPrimaryGroup() throws PermissionDeniedException, EXistException {
    final BrokerPool pool = existWebServer.getBrokerPool();
    final SecurityManager sm = pool.getSecurityManager();
    // create user with personal group as primary group
    try (final DBBroker broker = pool.get(Optional.of(sm.getSystemSubject()));
        final Txn transaction = pool.getTransactionManager().beginTransaction()) {
        createUser(broker, sm, USER1_NAME, USER1_PWD);
        transaction.commit();
    }
    // check that the user is as we expect
    String user1PrimaryGroup = null;
    try (final DBBroker broker = pool.get(Optional.of(sm.getSystemSubject()));
        final Txn transaction = pool.getTransactionManager().beginTransaction()) {
        final Account user1 = sm.getAccount(USER1_NAME);
        user1PrimaryGroup = user1.getPrimaryGroup();
        assertEquals(USER1_NAME, user1PrimaryGroup);
        assertArrayEquals(new String[] { USER1_NAME }, user1.getGroups());
        transaction.commit();
    }
    // attempt to remove the primary group of the user
    try (final DBBroker broker = pool.get(Optional.of(sm.getSystemSubject()));
        final Txn transaction = pool.getTransactionManager().beginTransaction()) {
        sm.deleteGroup(user1PrimaryGroup);
        fail("Should have received: PermissionDeniedException: Account 'user1' still has 'user1' as their primary group!");
        transaction.commit();
    }
}
Also used : DBBroker(org.exist.storage.DBBroker) SecurityManager(org.exist.security.SecurityManager) Txn(org.exist.storage.txn.Txn) BrokerPool(org.exist.storage.BrokerPool)

Aggregations

SecurityManager (org.exist.security.SecurityManager)68 DBBroker (org.exist.storage.DBBroker)22 Txn (org.exist.storage.txn.Txn)16 Account (org.exist.security.Account)15 BrokerPool (org.exist.storage.BrokerPool)15 Subject (org.exist.security.Subject)12 EXistException (org.exist.EXistException)11 PermissionDeniedException (org.exist.security.PermissionDeniedException)9 XPathException (org.exist.xquery.XPathException)9 AuthenticationException (org.exist.security.AuthenticationException)8 GroupAider (org.exist.security.internal.aider.GroupAider)6 Collection (org.exist.collections.Collection)5 Group (org.exist.security.Group)5 Database (org.exist.Database)4 UserAider (org.exist.security.internal.aider.UserAider)4 LockedDocumentMap (org.exist.storage.lock.LockedDocumentMap)4 Test (org.junit.Test)4 java.util (java.util)2 List (java.util.List)2 HttpSession (javax.servlet.http.HttpSession)2