Example 21 with SecurityManager

Use of org.exist.security.SecurityManager in project exist by eXist-db.

The class RpcConnection, method lockResource.

private boolean lockResource(final XmldbURI docURI, final String userName) throws EXistException, PermissionDeniedException {
    return this.<Boolean>writeDocument(docURI).apply((document, broker, transaction) -> {
        // TODO : register the lock within the transaction ?
        // First check: the calling user needs WRITE permission on the document.
        if (!document.getPermissions().validate(user, Permission.WRITE)) {
            throw new PermissionDeniedException("User is not allowed to lock resource " + docURI);
        }
        final SecurityManager manager = factory.getBrokerPool().getSecurityManager();
        // Second check: a lock may only be requested for the caller's own account,
        // unless the caller holds admin privileges.
        if (!(userName.equals(user.getName()) || manager.hasAdminPrivileges(user))) {
            throw new PermissionDeniedException("User " + user.getName() + " is not allowed to lock the resource for user " + userName);
        }
        // Third check: an existing lock held by a different user blocks non-admins.
        final Account lockOwner = document.getUserLock();
        if (lockOwner != null && (!lockOwner.equals(user)) && (!manager.hasAdminPrivileges(user))) {
            throw new PermissionDeniedException("Resource is already locked by user " + lockOwner.getName());
        }
        // The lock is recorded for the calling user and persisted with the document.
        document.setUserLock(user);
        broker.storeXMLResource(transaction, document);
        return true;
    });
}
Also used: Account(org.exist.security.Account) SecurityManager(org.exist.security.SecurityManager) PermissionDeniedException(org.exist.security.PermissionDeniedException)

Example 22 with SecurityManager

Use of org.exist.security.SecurityManager in project exist by eXist-db.

The class RpcConnection, method addAccountToGroup.

@Override
public void addAccountToGroup(final String accountName, final String groupName) throws EXistException, PermissionDeniedException {
    withDb((broker, transaction) -> {
        final SecurityManager sm = broker.getBrokerPool().getSecurityManager();
        final Account account = sm.getAccount(accountName);
        account.addGroup(groupName);
        // No explicit privilege check in this method: the SecurityManager is relied on
        // to decide whether the caller may update the account (hence the declared PermissionDeniedException).
        sm.updateAccount(account);
        return null;
    });
}
Also used: Account(org.exist.security.Account) SecurityManager(org.exist.security.SecurityManager)

Example 23 with SecurityManager

Use of org.exist.security.SecurityManager in project exist by eXist-db.

The class RpcConnection, method removeAccount.

@Override
public boolean removeAccount(final String name) throws EXistException, PermissionDeniedException {
    final SecurityManager manager = factory.getBrokerPool().getSecurityManager();
    // Explicit check before any database work: only admins may delete accounts.
    if (!manager.hasAdminPrivileges(user)) {
        throw new PermissionDeniedException("you are not allowed to remove users");
    }
    withDb((broker, transaction) -> manager.deleteAccount(name));
    return true;
}
Also used: SecurityManager(org.exist.security.SecurityManager) PermissionDeniedException(org.exist.security.PermissionDeniedException)

Example 24 with SecurityManager

Use of org.exist.security.SecurityManager in project exist by eXist-db.

The class RpcConnection, method unlockResource.

private boolean unlockResource(final XmldbURI docURI) throws EXistException, PermissionDeniedException {
    return this.<Boolean>writeDocument(docURI).apply((document, broker, transaction) -> {
        // Same WRITE-permission check as lockResource.
        if (!document.getPermissions().validate(user, Permission.WRITE)) {
            throw new PermissionDeniedException("User is not allowed to lock resource " + docURI);
        }
        final SecurityManager manager = factory.getBrokerPool().getSecurityManager();
        // Only the lock owner or an admin may remove an existing lock.
        final Account lockOwner = document.getUserLock();
        if (lockOwner != null && (!lockOwner.equals(user)) && (!manager.hasAdminPrivileges(user))) {
            throw new PermissionDeniedException("Resource is already locked by user " + lockOwner.getName());
        }
        // Clear the lock and persist the document.
        document.setUserLock(null);
        broker.storeXMLResource(transaction, document);
        return true;
    });
}
Also used: Account(org.exist.security.Account) SecurityManager(org.exist.security.SecurityManager) PermissionDeniedException(org.exist.security.PermissionDeniedException)

Example 25 with SecurityManager

Use of org.exist.security.SecurityManager in project exist by eXist-db.

The class RpcConnection, method updateAccount.

/**
 * Added by {Marco.Tampucci, Massimo.Martinelli} @isti.cnr.it
 *
 * Modified by Chris Tomlinson based on the updateAccount above: it appears
 * that this code can rely on the SecurityManager to enforce policy about
 * whether the user is or is not permitted to update the Account with the given name.
 *
 * This is called via RemoteUserManagementService.removeGroup(Account,
 * String)
 *
 * @param name username to update
 * @param groups a list of groups
 * @param rgroup the user will be removed from this group
 * @return true, if the action succeeded
 */
public boolean updateAccount(final String name, final List<String> groups, final String rgroup) {
    try {
        return withDb((broker, transaction) -> {
            final SecurityManager manager = broker.getBrokerPool().getSecurityManager();
            final Account u = manager.getAccount(name);
            // Remove the account from rgroup only if it appears in the supplied group list.
            for (final String g : groups) {
                if (g.equals(rgroup)) {
                    u.remGroup(g);
                }
            }
            // Authorization is enforced by the SecurityManager when the account is updated.
            return manager.updateAccount(u);
        });
    } catch (final EXistException | PermissionDeniedException ex) {
        // Any error, including a denied permission, is logged at debug level and reported as failure.
        if (LOG.isDebugEnabled()) {
            LOG.debug("removeGroup encountered error", ex);
        }
        return false;
    }
}
Also used: Account(org.exist.security.Account) SecurityManager(org.exist.security.SecurityManager) PermissionDeniedException(org.exist.security.PermissionDeniedException) EXistException(org.exist.EXistException)
