use of org.exist.security.SecurityManager in project exist by eXist-db.
the class Restore method setAdminCredentials.
private void setAdminCredentials(final DBBroker broker, final String adminPassword) throws EXistException, PermissionDeniedException {
final SecurityManager securityManager = broker.getBrokerPool().getSecurityManager();
final Account dba = securityManager.getAccount(SecurityManager.DBA_USER);
if (dba == null) {
throw new EXistException("'" + SecurityManager.DBA_USER + "' account can't be found.");
}
dba.setCredential(new Password(dba, adminPassword));
securityManager.updateAccount(dba);
}
use of org.exist.security.SecurityManager in project exist by eXist-db.
the class Configurator method save.
public static DocumentImpl save(final Configurable instance, final DBBroker broker, final Collection collection, final XmldbURI uri) throws IOException, ConfigurationException {
final StringWriter writer = new StringWriter();
final SAXSerializer serializer = new SAXSerializer(writer, null);
try {
serializer.startDocument();
serialize(instance, serializer);
serializer.endDocument();
} catch (final SAXException saxe) {
throw new ConfigurationException(saxe.getMessage(), saxe);
}
final String data = writer.toString();
if (data == null || data.length() == 0) {
return null;
}
FullXmldbURI fullURI = null;
final BrokerPool pool = broker.getBrokerPool();
final TransactionManager transact = pool.getTransactionManager();
LOG.info("Storing configuration {}/{}", collection.getURI(), uri);
final SecurityManager securityManager = pool.getSecurityManager();
try {
final Subject systemSubject = securityManager.getSystemSubject();
broker.pushSubject(systemSubject);
Txn txn = broker.getCurrentTransaction();
final boolean txnInProgress = txn != null;
if (!txnInProgress) {
txn = transact.beginTransaction();
}
try {
txn.acquireCollectionLock(() -> pool.getLockManager().acquireCollectionWriteLock(collection.getURI()));
fullURI = getFullURI(pool, collection.getURI().append(uri));
saving.add(fullURI);
final Permission systemResourcePermission = PermissionFactory.getDefaultResourcePermission(pool.getSecurityManager());
systemResourcePermission.setOwner(systemSubject);
systemResourcePermission.setGroup(systemSubject.getDefaultGroup());
systemResourcePermission.setMode(Permission.DEFAULT_SYSTEM_RESOURCE_PERM);
broker.storeDocument(txn, uri, new StringInputSource(data), MimeType.XML_TYPE, null, null, systemResourcePermission, null, null, collection);
broker.saveCollection(txn, collection);
if (!txnInProgress) {
transact.commit(txn);
}
} catch (final EXistException | PermissionDeniedException | SAXException | LockException e) {
if (!txnInProgress) {
transact.abort(txn);
}
throw e;
} finally {
if (!txnInProgress) {
txn.close();
}
}
saving.remove(fullURI);
broker.flush();
broker.sync(Sync.MAJOR);
return collection.getDocument(broker, uri.lastSegment());
} catch (final EXistException | PermissionDeniedException | SAXException | LockException e) {
LOG.error(e);
if (fullURI != null) {
saving.remove(fullURI);
}
throw new IOException(e);
} finally {
broker.popSubject();
}
}
use of org.exist.security.SecurityManager in project exist by eXist-db.
the class BasicAuthenticator method authenticate.
@Override
public Subject authenticate(HttpServletRequest request, HttpServletResponse response, boolean sendChallenge) throws IOException {
String credentials = request.getHeader("Authorization");
String username = null;
String password = null;
try {
if (credentials != null && credentials.startsWith("Basic")) {
final byte[] c = Base64.decodeBase64(credentials.substring("Basic ".length()));
final String s = new String(c, UTF_8);
// LOG.debug("BASIC auth credentials: "+s);
final int p = s.indexOf(':');
username = p < 0 ? s : s.substring(0, p);
password = p < 0 ? null : s.substring(p + 1);
}
} catch (final IllegalArgumentException iae) {
LOG.warn("Invalid BASIC authentication header received: {}", iae.getMessage(), iae);
credentials = null;
}
// get the user from the session if possible
final HttpSession session = request.getSession(false);
Subject user = null;
if (session != null) {
user = (Subject) session.getAttribute(XQueryContext.HTTP_SESSIONVAR_XMLDB_USER);
if (user != null && (username == null || user.getName().equals(username))) {
return user;
}
}
if (user != null) {
session.removeAttribute(XQueryContext.HTTP_SESSIONVAR_XMLDB_USER);
}
// get the credentials
if (credentials == null) {
// LOG.debug("Sending BASIC auth challenge.");
if (sendChallenge) {
sendChallenge(request, response);
}
return null;
}
// authenticate the credentials
final SecurityManager secman = pool.getSecurityManager();
try {
user = secman.authenticate(username, password);
} catch (final AuthenticationException e) {
// if authentication failed then send a challenge request again
if (sendChallenge) {
sendChallenge(request, response);
}
return null;
}
// store the user in the session
if (session != null) {
session.setAttribute(XQueryContext.HTTP_SESSIONVAR_XMLDB_USER, user);
}
// return the authenticated user
return user;
}
use of org.exist.security.SecurityManager in project exist by eXist-db.
the class GroupManagementFunctionRemoveGroupTest method deleteUsersSharingPersonalPrimaryGroup.
@Test
public void deleteUsersSharingPersonalPrimaryGroup() throws PermissionDeniedException, EXistException {
final BrokerPool pool = existWebServer.getBrokerPool();
final SecurityManager sm = pool.getSecurityManager();
// create two users which share a primary group
try (final DBBroker broker = pool.get(Optional.of(sm.getSystemSubject()));
final Txn transaction = pool.getTransactionManager().beginTransaction()) {
final Group otherGroup1 = createGroup(broker, sm, OTHER_GROUP1_NAME);
Account user1 = createUser(broker, sm, USER1_NAME, USER1_PWD);
addUserToGroup(sm, user1, otherGroup1);
setPrimaryGroup(sm, user1, otherGroup1);
final Account user2 = createUser(broker, sm, USER2_NAME, USER2_PWD);
addUserToGroup(sm, user2, otherGroup1);
setPrimaryGroup(sm, user2, otherGroup1);
transaction.commit();
}
// check that the users are as we expect
String primaryGroup = null;
try (final DBBroker broker = pool.get(Optional.of(sm.getSystemSubject()));
final Txn transaction = pool.getTransactionManager().beginTransaction()) {
final Account user1 = sm.getAccount(USER1_NAME);
primaryGroup = user1.getPrimaryGroup();
assertEquals(OTHER_GROUP1_NAME, primaryGroup);
final String[] user1Groups = user1.getGroups();
assertArrayEquals(new String[] { OTHER_GROUP1_NAME, USER1_NAME }, user1Groups);
for (final String user1Group : user1Groups) {
assertNotNull(sm.getGroup(user1Group));
}
final Account user2 = sm.getAccount(USER2_NAME);
assertEquals(OTHER_GROUP1_NAME, user2.getPrimaryGroup());
final String[] user2Groups = user2.getGroups();
assertArrayEquals(new String[] { OTHER_GROUP1_NAME, USER2_NAME }, user2Groups);
for (final String user2Group : user2Groups) {
assertNotNull(sm.getGroup(user2Group));
}
transaction.commit();
}
// attempt to remove the primary group of the first user
try (final DBBroker broker = pool.get(Optional.of(sm.getSystemSubject()));
final Txn transaction = pool.getTransactionManager().beginTransaction()) {
try {
sm.deleteGroup(primaryGroup);
fail("Should have received: PermissionDeniedException: Account 'user1' still has 'otherGroup1' as their primary group!");
} catch (final PermissionDeniedException e) {
// expected
}
transaction.commit();
}
// delete the first user
try (final DBBroker broker = pool.get(Optional.of(sm.getSystemSubject()));
final Txn transaction = pool.getTransactionManager().beginTransaction()) {
removeUser(sm, USER1_NAME);
transaction.commit();
}
// attempt to remove the primary group of the second user
try (final DBBroker broker = pool.get(Optional.of(sm.getSystemSubject()));
final Txn transaction = pool.getTransactionManager().beginTransaction()) {
try {
sm.deleteGroup(primaryGroup);
fail("Should have received: PermissionDeniedException: Account 'user2' still has 'otherGroup1' as their primary group!");
} catch (final PermissionDeniedException e) {
// expected
}
transaction.commit();
}
// delete the second user
try (final DBBroker broker = pool.get(Optional.of(sm.getSystemSubject()));
final Txn transaction = pool.getTransactionManager().beginTransaction()) {
removeUser(sm, USER2_NAME);
transaction.commit();
}
// no users have the group as primary group, so now should be able to delete the group
try (final DBBroker broker = pool.get(Optional.of(sm.getSystemSubject()));
final Txn transaction = pool.getTransactionManager().beginTransaction()) {
sm.deleteGroup(primaryGroup);
transaction.commit();
}
}
use of org.exist.security.SecurityManager in project exist by eXist-db.
the class GroupManagementFunctionRemoveGroupTest method deleteUsersPersonalPrimaryGroup.
@Test(expected = PermissionDeniedException.class)
public void deleteUsersPersonalPrimaryGroup() throws PermissionDeniedException, EXistException {
final BrokerPool pool = existWebServer.getBrokerPool();
final SecurityManager sm = pool.getSecurityManager();
// create user with personal group as primary group
try (final DBBroker broker = pool.get(Optional.of(sm.getSystemSubject()));
final Txn transaction = pool.getTransactionManager().beginTransaction()) {
createUser(broker, sm, USER1_NAME, USER1_PWD);
transaction.commit();
}
// check that the user is as we expect
String user1PrimaryGroup = null;
try (final DBBroker broker = pool.get(Optional.of(sm.getSystemSubject()));
final Txn transaction = pool.getTransactionManager().beginTransaction()) {
final Account user1 = sm.getAccount(USER1_NAME);
user1PrimaryGroup = user1.getPrimaryGroup();
assertEquals(USER1_NAME, user1PrimaryGroup);
assertArrayEquals(new String[] { USER1_NAME }, user1.getGroups());
transaction.commit();
}
// attempt to remove the primary group of the user
try (final DBBroker broker = pool.get(Optional.of(sm.getSystemSubject()));
final Txn transaction = pool.getTransactionManager().beginTransaction()) {
sm.deleteGroup(user1PrimaryGroup);
fail("Should have received: PermissionDeniedException: Account 'user1' still has 'user1' as their primary group!");
transaction.commit();
}
}
Aggregations