Search in sources :

Example 11 with Principal

use of org.structr.core.entity.Principal in project structr by structr.

the class CMISAclService method applyAce.

// ----- private methods -----
private void applyAce(final AccessControllable node, final Ace toAdd, final boolean revoke) throws FrameworkException {
    final String principalId = toAdd.getPrincipalId();
    final List<String> permissions = toAdd.getPermissions();
    final Principal principal = CMISObjectWrapper.translateUsernameToPrincipal(principalId);
    if (principal != null) {
        for (final String permissionString : permissions) {
            final Permission permission = Permissions.valueOf(permissionString);
            if (permission != null) {
                if (revoke) {
                    node.revoke(permission, principal);
                } else {
                    node.grant(permission, principal);
                }
            } else {
                throw new CmisInvalidArgumentException("Permission with ID " + permissionString + " does not exist");
            }
        }
    } else {
        throw new CmisObjectNotFoundException("Principal with ID " + principalId + " does not exist");
    }
}
Also used : CmisObjectNotFoundException(org.apache.chemistry.opencmis.commons.exceptions.CmisObjectNotFoundException) Permission(org.structr.common.Permission) CmisInvalidArgumentException(org.apache.chemistry.opencmis.commons.exceptions.CmisInvalidArgumentException) Principal(org.structr.core.entity.Principal)

Example 12 with Principal

use of org.structr.core.entity.Principal in project structr by structr.

the class CMISObjectService method deleteObject.

@Override
public void deleteObject(String repositoryId, String objectId, Boolean allVersions, ExtensionsData extension) {
    final App app = StructrApp.getInstance(securityContext);
    try (final Tx tx = app.tx()) {
        final Principal principal = securityContext.getUser(false);
        final AbstractNode obj = app.get(AbstractNode.class, objectId);
        if (obj != null) {
            if (principal.isGranted(Permission.delete, securityContext)) {
                if (obj.isNode()) {
                    // getSyncNode() returns the node or null
                    app.delete(obj.getSyncNode());
                } else {
                    // getSyncRelationship() return the relationship or null
                    app.delete(obj.getSyncRelationship());
                }
            } else {
                throw new CmisPermissionDeniedException("Cannot delete object with ID " + objectId);
            }
        } else {
            throw new CmisObjectNotFoundException("Object with ID " + objectId + " does not exist");
        }
        tx.success();
    } catch (FrameworkException fex) {
        throw new CmisConstraintException(fex.getMessage(), fex);
    }
}
Also used : App(org.structr.core.app.App) StructrApp(org.structr.core.app.StructrApp) Tx(org.structr.core.graph.Tx) CmisObjectNotFoundException(org.apache.chemistry.opencmis.commons.exceptions.CmisObjectNotFoundException) FrameworkException(org.structr.common.error.FrameworkException) AbstractNode(org.structr.core.entity.AbstractNode) CmisConstraintException(org.apache.chemistry.opencmis.commons.exceptions.CmisConstraintException) CmisPermissionDeniedException(org.apache.chemistry.opencmis.commons.exceptions.CmisPermissionDeniedException) Principal(org.structr.core.entity.Principal)

Example 13 with Principal

use of org.structr.core.entity.Principal in project structr by structr.

the class UiAuthenticator method initializeAndExamineRequest.

/**
 * Examine request and try to find a user.
 *
 * First, check session id, then try external (OAuth) authentication,
 * finally, check standard login by credentials.
 *
 * @param request
 * @param response
 * @return security context
 * @throws FrameworkException
 */
@Override
public SecurityContext initializeAndExamineRequest(final HttpServletRequest request, final HttpServletResponse response) throws FrameworkException {
    Principal user = SessionHelper.checkSessionAuthentication(request);
    SecurityContext securityContext;
    if (user == null) {
        user = checkExternalAuthentication(request, response);
    }
    if (user == null) {
        user = getUser(request, true);
    }
    if (user == null) {
        // If no user could be determined, assume frontend access
        securityContext = SecurityContext.getInstance(user, request, AccessMode.Frontend);
    } else {
        if (user instanceof SuperUser) {
            securityContext = SecurityContext.getSuperUserInstance(request);
        } else {
            securityContext = SecurityContext.getInstance(user, request, AccessMode.Backend);
        }
    }
    securityContext.setAuthenticator(this);
    // Check CORS settings (Cross-origin resource sharing, see http://en.wikipedia.org/wiki/Cross-origin_resource_sharing)
    final String origin = request.getHeader("Origin");
    if (!StringUtils.isBlank(origin)) {
        response.setHeader("Access-Control-Allow-Origin", origin);
        // allow cross site resource sharing (read only)
        final String maxAge = Settings.AccessControlMaxAge.getValue();
        if (StringUtils.isNotBlank(maxAge)) {
            response.setHeader("Access-Control-MaxAge", maxAge);
        }
        final String allowMethods = Settings.AccessControlAllowMethods.getValue();
        if (StringUtils.isNotBlank(allowMethods)) {
            response.setHeader("Access-Control-Allow-Methods", allowMethods);
        }
        final String allowHeaders = Settings.AccessControlAllowHeaders.getValue();
        if (StringUtils.isNotBlank(allowHeaders)) {
            response.setHeader("Access-Control-Allow-Headers", allowHeaders);
        }
        final String allowCredentials = Settings.AccessControlAllowCredentials.getValue();
        if (StringUtils.isNotBlank(allowCredentials)) {
            response.setHeader("Access-Control-Allow-Credentials", allowCredentials);
        }
        final String exposeHeaders = Settings.AccessControlExposeHeaders.getValue();
        if (StringUtils.isNotBlank(exposeHeaders)) {
            response.setHeader("Access-Control-Expose-Headers", exposeHeaders);
        }
    }
    examined = true;
    // store a reference of the response object in SecurityContext
    // to be able to stream data directly from builtin functions
    securityContext.setResponse(response);
    // expose Structr edition
    response.setHeader("X-Structr-Edition", Services.getInstance().getEdition());
    return securityContext;
}
Also used : SecurityContext(org.structr.common.SecurityContext) SuperUser(org.structr.core.entity.SuperUser) Principal(org.structr.core.entity.Principal)

Example 14 with Principal

use of org.structr.core.entity.Principal in project structr by structr.

the class UiAuthenticator method checkResourceAccess.

@Override
public void checkResourceAccess(final SecurityContext securityContext, final HttpServletRequest request, final String rawResourceSignature, final String propertyView) throws FrameworkException {
    final ResourceAccess resourceAccess = ResourceAccess.findGrant(securityContext, rawResourceSignature);
    final Method method = methods.get(request.getMethod());
    final Principal user = securityContext.getUser(false);
    final boolean validUser = (user != null);
    // super user is always authenticated
    if (validUser && (user instanceof SuperUser || user.isAdmin())) {
        return;
    }
    // no grants => no access rights
    if (resourceAccess == null) {
        logger.info("No resource access grant found for signature {}. (URI: {})", new Object[] { rawResourceSignature, securityContext.getCompoundRequestURI() });
        throw new UnauthorizedException("Forbidden");
    } else {
        switch(method) {
            case GET:
                if (!validUser && resourceAccess.hasFlag(NON_AUTH_USER_GET)) {
                    return;
                }
                if (validUser && resourceAccess.hasFlag(AUTH_USER_GET)) {
                    return;
                }
                break;
            case PUT:
                if (!validUser && resourceAccess.hasFlag(NON_AUTH_USER_PUT)) {
                    return;
                }
                if (validUser && resourceAccess.hasFlag(AUTH_USER_PUT)) {
                    return;
                }
                break;
            case POST:
                if (!validUser && resourceAccess.hasFlag(NON_AUTH_USER_POST)) {
                    return;
                }
                if (validUser && resourceAccess.hasFlag(AUTH_USER_POST)) {
                    return;
                }
                break;
            case DELETE:
                if (!validUser && resourceAccess.hasFlag(NON_AUTH_USER_DELETE)) {
                    return;
                }
                if (validUser && resourceAccess.hasFlag(AUTH_USER_DELETE)) {
                    return;
                }
                break;
            case OPTIONS:
                if (!validUser && resourceAccess.hasFlag(NON_AUTH_USER_OPTIONS)) {
                    return;
                }
                if (validUser && resourceAccess.hasFlag(AUTH_USER_OPTIONS)) {
                    return;
                }
                break;
            case HEAD:
                if (!validUser && resourceAccess.hasFlag(NON_AUTH_USER_HEAD)) {
                    return;
                }
                if (validUser && resourceAccess.hasFlag(AUTH_USER_HEAD)) {
                    return;
                }
                break;
        }
    }
    logger.info("Resource access grant found for signature {}, but method {} not allowed for {}.", new Object[] { rawResourceSignature, method, validUser ? "authenticated users" : "public users" });
    throw new UnauthorizedException("Forbidden");
}
Also used : ResourceAccess(org.structr.core.entity.ResourceAccess) UnauthorizedException(org.structr.core.auth.exception.UnauthorizedException) SuperUser(org.structr.core.entity.SuperUser) Principal(org.structr.core.entity.Principal)

Example 15 with Principal

use of org.structr.core.entity.Principal in project structr by structr.

the class UiAuthenticator method doLogin.

@Override
public Principal doLogin(final HttpServletRequest request, final String emailOrUsername, final String password) throws AuthenticationException, FrameworkException {
    final PropertyKey<String> confKey = StructrApp.key(User.class, "confirmationKey");
    final PropertyKey<String> eMailKey = StructrApp.key(User.class, "eMail");
    final Principal user = AuthHelper.getPrincipalForPassword(eMailKey, emailOrUsername, password);
    if (user != null) {
        final boolean allowLoginBeforeConfirmation = Settings.RegistrationAllowLoginBeforeConfirmation.getValue();
        if (user.getProperty(confKey) != null && !allowLoginBeforeConfirmation) {
            logger.warn("Login as {} not allowed before confirmation.", user);
            throw new AuthenticationException(AuthHelper.STANDARD_ERROR_MSG);
        }
        AuthHelper.doLogin(request, user);
    }
    return user;
}
Also used : AuthenticationException(org.structr.core.auth.exception.AuthenticationException) Principal(org.structr.core.entity.Principal)

Aggregations

Principal (org.structr.core.entity.Principal)112 FrameworkException (org.structr.common.error.FrameworkException)68 Tx (org.structr.core.graph.Tx)65 Test (org.junit.Test)41 App (org.structr.core.app.App)31 StructrApp (org.structr.core.app.StructrApp)31 TestOne (org.structr.core.entity.TestOne)16 Group (org.structr.core.entity.Group)14 NodeAttribute (org.structr.core.graph.NodeAttribute)13 PropertyMap (org.structr.core.property.PropertyMap)13 SecurityContext (org.structr.common.SecurityContext)10 LinkedList (java.util.LinkedList)9 Result (org.structr.core.Result)8 User (org.structr.web.entity.User)8 AbstractNode (org.structr.core.entity.AbstractNode)7 SuperUser (org.structr.core.entity.SuperUser)7 StructrUiTest (org.structr.web.StructrUiTest)7 Page (org.structr.web.entity.dom.Page)7 IOException (java.io.IOException)6 List (java.util.List)6