use of org.structr.core.entity.Principal in project structr by structr.
the class CMISAclService method applyAce.
// ----- private methods -----
private void applyAce(final AccessControllable node, final Ace toAdd, final boolean revoke) throws FrameworkException {
final String principalId = toAdd.getPrincipalId();
final List<String> permissions = toAdd.getPermissions();
final Principal principal = CMISObjectWrapper.translateUsernameToPrincipal(principalId);
if (principal != null) {
for (final String permissionString : permissions) {
final Permission permission = Permissions.valueOf(permissionString);
if (permission != null) {
if (revoke) {
node.revoke(permission, principal);
} else {
node.grant(permission, principal);
}
} else {
throw new CmisInvalidArgumentException("Permission with ID " + permissionString + " does not exist");
}
}
} else {
throw new CmisObjectNotFoundException("Principal with ID " + principalId + " does not exist");
}
}
use of org.structr.core.entity.Principal in project structr by structr.
the class CMISObjectService method deleteObject.
@Override
public void deleteObject(String repositoryId, String objectId, Boolean allVersions, ExtensionsData extension) {
final App app = StructrApp.getInstance(securityContext);
try (final Tx tx = app.tx()) {
final Principal principal = securityContext.getUser(false);
final AbstractNode obj = app.get(AbstractNode.class, objectId);
if (obj != null) {
if (principal.isGranted(Permission.delete, securityContext)) {
if (obj.isNode()) {
// getSyncNode() returns the node or null
app.delete(obj.getSyncNode());
} else {
// getSyncRelationship() return the relationship or null
app.delete(obj.getSyncRelationship());
}
} else {
throw new CmisPermissionDeniedException("Cannot delete object with ID " + objectId);
}
} else {
throw new CmisObjectNotFoundException("Object with ID " + objectId + " does not exist");
}
tx.success();
} catch (FrameworkException fex) {
throw new CmisConstraintException(fex.getMessage(), fex);
}
}
use of org.structr.core.entity.Principal in project structr by structr.
the class UiAuthenticator method initializeAndExamineRequest.
/**
* Examine request and try to find a user.
*
* First, check session id, then try external (OAuth) authentication,
* finally, check standard login by credentials.
*
* @param request
* @param response
* @return security context
* @throws FrameworkException
*/
@Override
public SecurityContext initializeAndExamineRequest(final HttpServletRequest request, final HttpServletResponse response) throws FrameworkException {
Principal user = SessionHelper.checkSessionAuthentication(request);
SecurityContext securityContext;
if (user == null) {
user = checkExternalAuthentication(request, response);
}
if (user == null) {
user = getUser(request, true);
}
if (user == null) {
// If no user could be determined, assume frontend access
securityContext = SecurityContext.getInstance(user, request, AccessMode.Frontend);
} else {
if (user instanceof SuperUser) {
securityContext = SecurityContext.getSuperUserInstance(request);
} else {
securityContext = SecurityContext.getInstance(user, request, AccessMode.Backend);
}
}
securityContext.setAuthenticator(this);
// Check CORS settings (Cross-origin resource sharing, see http://en.wikipedia.org/wiki/Cross-origin_resource_sharing)
final String origin = request.getHeader("Origin");
if (!StringUtils.isBlank(origin)) {
response.setHeader("Access-Control-Allow-Origin", origin);
// allow cross site resource sharing (read only)
final String maxAge = Settings.AccessControlMaxAge.getValue();
if (StringUtils.isNotBlank(maxAge)) {
response.setHeader("Access-Control-MaxAge", maxAge);
}
final String allowMethods = Settings.AccessControlAllowMethods.getValue();
if (StringUtils.isNotBlank(allowMethods)) {
response.setHeader("Access-Control-Allow-Methods", allowMethods);
}
final String allowHeaders = Settings.AccessControlAllowHeaders.getValue();
if (StringUtils.isNotBlank(allowHeaders)) {
response.setHeader("Access-Control-Allow-Headers", allowHeaders);
}
final String allowCredentials = Settings.AccessControlAllowCredentials.getValue();
if (StringUtils.isNotBlank(allowCredentials)) {
response.setHeader("Access-Control-Allow-Credentials", allowCredentials);
}
final String exposeHeaders = Settings.AccessControlExposeHeaders.getValue();
if (StringUtils.isNotBlank(exposeHeaders)) {
response.setHeader("Access-Control-Expose-Headers", exposeHeaders);
}
}
examined = true;
// store a reference of the response object in SecurityContext
// to be able to stream data directly from builtin functions
securityContext.setResponse(response);
// expose Structr edition
response.setHeader("X-Structr-Edition", Services.getInstance().getEdition());
return securityContext;
}
use of org.structr.core.entity.Principal in project structr by structr.
the class UiAuthenticator method checkResourceAccess.
@Override
public void checkResourceAccess(final SecurityContext securityContext, final HttpServletRequest request, final String rawResourceSignature, final String propertyView) throws FrameworkException {
final ResourceAccess resourceAccess = ResourceAccess.findGrant(securityContext, rawResourceSignature);
final Method method = methods.get(request.getMethod());
final Principal user = securityContext.getUser(false);
final boolean validUser = (user != null);
// super user is always authenticated
if (validUser && (user instanceof SuperUser || user.isAdmin())) {
return;
}
// no grants => no access rights
if (resourceAccess == null) {
logger.info("No resource access grant found for signature {}. (URI: {})", new Object[] { rawResourceSignature, securityContext.getCompoundRequestURI() });
throw new UnauthorizedException("Forbidden");
} else {
switch(method) {
case GET:
if (!validUser && resourceAccess.hasFlag(NON_AUTH_USER_GET)) {
return;
}
if (validUser && resourceAccess.hasFlag(AUTH_USER_GET)) {
return;
}
break;
case PUT:
if (!validUser && resourceAccess.hasFlag(NON_AUTH_USER_PUT)) {
return;
}
if (validUser && resourceAccess.hasFlag(AUTH_USER_PUT)) {
return;
}
break;
case POST:
if (!validUser && resourceAccess.hasFlag(NON_AUTH_USER_POST)) {
return;
}
if (validUser && resourceAccess.hasFlag(AUTH_USER_POST)) {
return;
}
break;
case DELETE:
if (!validUser && resourceAccess.hasFlag(NON_AUTH_USER_DELETE)) {
return;
}
if (validUser && resourceAccess.hasFlag(AUTH_USER_DELETE)) {
return;
}
break;
case OPTIONS:
if (!validUser && resourceAccess.hasFlag(NON_AUTH_USER_OPTIONS)) {
return;
}
if (validUser && resourceAccess.hasFlag(AUTH_USER_OPTIONS)) {
return;
}
break;
case HEAD:
if (!validUser && resourceAccess.hasFlag(NON_AUTH_USER_HEAD)) {
return;
}
if (validUser && resourceAccess.hasFlag(AUTH_USER_HEAD)) {
return;
}
break;
}
}
logger.info("Resource access grant found for signature {}, but method {} not allowed for {}.", new Object[] { rawResourceSignature, method, validUser ? "authenticated users" : "public users" });
throw new UnauthorizedException("Forbidden");
}
use of org.structr.core.entity.Principal in project structr by structr.
the class UiAuthenticator method doLogin.
@Override
public Principal doLogin(final HttpServletRequest request, final String emailOrUsername, final String password) throws AuthenticationException, FrameworkException {
final PropertyKey<String> confKey = StructrApp.key(User.class, "confirmationKey");
final PropertyKey<String> eMailKey = StructrApp.key(User.class, "eMail");
final Principal user = AuthHelper.getPrincipalForPassword(eMailKey, emailOrUsername, password);
if (user != null) {
final boolean allowLoginBeforeConfirmation = Settings.RegistrationAllowLoginBeforeConfirmation.getValue();
if (user.getProperty(confKey) != null && !allowLoginBeforeConfirmation) {
logger.warn("Login as {} not allowed before confirmation.", user);
throw new AuthenticationException(AuthHelper.STANDARD_ERROR_MSG);
}
AuthHelper.doLogin(request, user);
}
return user;
}
Aggregations