/**
 * Creates a principal carrying the given name.
 *
 * <p>This method consults no security context itself; it only delegates to
 * {@code SimplePrincipal.newInstance(name)}. Nothing here checks that the name belongs to an existing
 * account, so the result identifies a claimed name rather than a verified one.
 *
 * @param name the name of the principal.
 * @return the {@code SimplePrincipal} created for {@code name}.
 */
private Principal principal( String name ) {
    final Principal named = SimplePrincipal.newInstance(name);
    return named;
}
}
/**
 * Wraps the given name in a principal object.
 *
 * <p>The only work done here is the call to {@code SimplePrincipal.newInstance(name)}; the method does not
 * query a security context and does not validate the name, so callers should not treat the result as proof
 * that such a principal exists.
 *
 * @param name the name of the principal.
 * @return the {@code SimplePrincipal} created for {@code name}.
 */
private Principal principal( String name ) {
    final Principal wrapped = SimplePrincipal.newInstance(name);
    return wrapped;
}
}
/**
 * Builds a {@code SimplePrincipal} whose name records the type of the source principal.
 *
 * <p>A {@code UsernamePrincipal} is encoded as {@code USER_PREFIX + name}, a {@code Group} as
 * {@code GROUP_PREFIX + name}, and a principal of any other type keeps its name unchanged.
 *
 * @param principal the source principal
 * @return a SimplePrincipal derived from the source
 */
private static SimplePrincipal encodePrincipal(Principal principal) {
    final String sourceName = principal.getName();
    if (principal instanceof UsernamePrincipal) {
        return SimplePrincipal.newInstance(USER_PREFIX + sourceName);
    }
    if (principal instanceof Group) {
        return SimplePrincipal.newInstance(GROUP_PREFIX + sourceName);
    }
    // NOTE(review): the type lives only in the name prefix, and this branch passes the name through
    // untouched. A principal of another type whose name already begins with USER_PREFIX or GROUP_PREFIX
    // would therefore encode to the same string as a typed one. Confirm that names are validated upstream.
    return SimplePrincipal.newInstance(sourceName);
}
/**
 * Supplies the principal used when the caller's identity is not known.
 *
 * @param session the current session; this implementation does not read it.
 * @return a {@code SimplePrincipal} with the fixed name {@code "unknown"}.
 */
@Override
public Principal getUnknownPrincipal( Session session ) {
    final Principal placeholder = SimplePrincipal.newInstance("unknown");
    return placeholder;
}
/**
 * Logs the current user out of the authentication manager and then out of the wrapped JAAS context.
 *
 * <p>The principal passed to the authentication manager is rebuilt from the user name held by
 * {@code jaasSecurityContext}; the second argument is passed as {@code null}.
 */
@Override
public void logout() {
    if (LOGGER.isDebugEnabled()) {
        LOGGER.debug("Logging out security context....");
    }
    final String userName = jaasSecurityContext.getUserName();
    final SimplePrincipal departing = SimplePrincipal.newInstance(userName);
    // NOTE(review): if this call throws, the JAAS logout below is skipped and the JAAS context stays
    // logged in. Confirm whether authenticationManager.logout can throw, and consider try/finally.
    authenticationManager.logout(departing, null);
    jaasSecurityContext.logout();
}
}
/**
 * Supplies the principal for the user that owns the given session.
 *
 * @param session the session whose user ID names the principal.
 * @return a {@code SimplePrincipal} created from {@code session.getUserID()}.
 */
@Override
public Principal getKnownPrincipal( Session session ) {
    final String userId = session.getUserID();
    return SimplePrincipal.newInstance(userId);
}
/**
 * Adds an entry for the given principal to the ACL, first seeding an empty ACL with an admin entry.
 *
 * <p>When the ACL has no entries yet, an entry granting {@code Privilege.JCR_ALL} to
 * {@code ModeShapeRoles.ADMIN} is added before the requested one, so that writing the first entry does
 * not leave the admin role out of the list.
 *
 * @param session the session used to resolve the admin privilege
 * @param acl the access control list to modify
 * @param principal the principal to grant privileges to; it is encoded with {@code encodePrincipal} first
 * @param privileges the privileges to grant
 * @return the value returned by {@code acl.addAccessControlEntry} for the encoded principal
 * @throws RepositoryException if the repository rejects the operation
 */
private static boolean addEntry(Session session, AccessControlList acl, Principal principal, Privilege... privileges)
        throws RepositoryException, AccessControlException, UnsupportedRepositoryOperationException {
    // Ensure admin is always included in the ACL.
    final boolean aclIsEmpty = acl.getAccessControlEntries().length == 0;
    if (aclIsEmpty) {
        final SimplePrincipal adminPrincipal = SimplePrincipal.newInstance(ModeShapeRoles.ADMIN);
        acl.addAccessControlEntry(adminPrincipal, asPrivileges(session, Privilege.JCR_ALL));
    }

    // ModeShape reads back all principals as SimplePrincipals after they are stored, so the same
    // principal type has to be used here; otherwise the entry is treated as a new one instead of adding
    // privileges to an existing principal. This can be considered a bug in ModeShape.
    final SimplePrincipal encoded = encodePrincipal(principal);
    return acl.addAccessControlEntry(encoded, privileges);
}
/**
 * Prepares the iterator under test with two ACLs, one for "alice" and one for "bob", each holding a
 * single entry for the principal of the same name.
 */
@Before
public void setUp() throws AccessControlException, RepositoryException {
    // acl-1
    JcrAccessControlList aliceAcl = new JcrAccessControlList("alice");
    SimplePrincipal alicePrincipal = SimplePrincipal.newInstance("alice");
    Privilege[] alicePrivileges = new Privilege[] {new PrivilegeImpl()};
    aliceAcl.addAccessControlEntry(alicePrincipal, alicePrivileges);

    // acl-2
    JcrAccessControlList bobAcl = new JcrAccessControlList("bob");
    SimplePrincipal bobPrincipal = SimplePrincipal.newInstance("bob");
    Privilege[] bobPrivileges = new Privilege[] {new PrivilegeImpl()};
    bobAcl.addAccessControlEntry(bobPrincipal, bobPrivileges);

    it = new AccessControlPolicyIteratorImpl(aliceAcl, bobAcl);
}
/**
 * Installs ACLs on "/aircraft" and "/" that give "Admin" JCR_ALL and "anonymous" JCR_READ, then reads
 * the "aircraft" node back.
 *
 * <p>The final read carries no assertion; the test passes as long as the lookup does not throw.
 */
@Test
public void shouldAllowRead() throws Exception {
    Node root = session.getRootNode();
    Node aircraft = root.addNode("aircraft");
    assertThat(aircraft, is(notNullValue()));

    // Policy on the new node: full rights for "Admin", read-only for "anonymous".
    AccessControlList aircraftAcl = acl("/aircraft");
    SimplePrincipal aircraftAdmin = SimplePrincipal.newInstance("Admin");
    Privilege[] aircraftAdminRights = new Privilege[] {acm.privilegeFromName(Privilege.JCR_ALL)};
    aircraftAcl.addAccessControlEntry(aircraftAdmin, aircraftAdminRights);
    SimplePrincipal aircraftAnonymous = SimplePrincipal.newInstance("anonymous");
    Privilege[] aircraftReadOnly = new Privilege[] {acm.privilegeFromName(Privilege.JCR_READ)};
    aircraftAcl.addAccessControlEntry(aircraftAnonymous, aircraftReadOnly);
    acm.setPolicy("/aircraft", aircraftAcl);

    // The same pair of entries on the root node.
    AccessControlList rootAcl = acl("/");
    SimplePrincipal rootAdmin = SimplePrincipal.newInstance("Admin");
    Privilege[] rootAdminRights = new Privilege[] {acm.privilegeFromName(Privilege.JCR_ALL)};
    rootAcl.addAccessControlEntry(rootAdmin, rootAdminRights);
    SimplePrincipal rootAnonymous = SimplePrincipal.newInstance("anonymous");
    Privilege[] rootReadOnly = new Privilege[] {acm.privilegeFromName(Privilege.JCR_READ)};
    rootAcl.addAccessControlEntry(rootAnonymous, rootReadOnly);
    acm.setPolicy("/", rootAcl);

    session.save();

    // Read the node again after the policies are saved.
    Node reloadedRoot = session.getRootNode();
    reloadedRoot.getNode("aircraft");
}
/**
 * Checks the supplied credentials with {@code authenticationManager} and, when they are accepted,
 * returns an execution context bound to the authenticated subject.
 *
 * @param credentials the user ID and password to validate
 * @param repositoryContext the context from which the authenticated context is derived
 * @return {@code repositoryContext} extended with a {@code JBossSecurityContext} for the authenticated
 *         subject, or {@code null} when the authentication manager rejects the credentials
 */
private ExecutionContext validateSimpleCredentials( SimpleCredentials credentials,
                                                    ExecutionContext repositoryContext ) {
    // NOTE(review): the user ID is caller-supplied and is written to the debug log as given, both here
    // and on the failure path. Confirm that the log layout neutralises line breaks. This method does not
    // log the password.
    if (LOGGER.isDebugEnabled()) {
        LOGGER.debugv("Authenticating {0} in the {1} security domain using the JBoss Server security manager",
                      credentials.getUserID(),
                      securityDomain());
    }

    // The authentication manager receives this empty subject along with the claimed identity.
    final Subject authenticated = new Subject();
    final SimplePrincipal claimed = SimplePrincipal.newInstance(credentials.getUserID());
    final boolean accepted = authenticationManager.isValid(claimed, credentials.getPassword(), authenticated);

    if (!accepted) {
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debugv("Credentials for {0} are not valid for the {1} security domain",
                          credentials.getUserID(),
                          securityDomain());
        }
        // Rejection is reported as null, not as an exception, so callers must check the result.
        return null;
    }

    if (LOGGER.isDebugEnabled()) {
        LOGGER.debug("Authentication successful....");
    }
    return repositoryContext.with(new JBossSecurityContext(new JaasSecurityContext(authenticated)));
}
/**
 * Resolves the JCR_READ and JCR_WRITE privileges for the session and adds an entry granting both to the
 * principal "kulikov" on the ACL under test.
 */
@Before
public void setUp() throws AccessControlException, RepositoryException {
    privileges = new Privileges(session);

    Privilege read = privileges.forName(Privilege.JCR_READ);
    Privilege write = privileges.forName(Privilege.JCR_WRITE);
    rw = new Privilege[] {read, write};

    SimplePrincipal kulikov = SimplePrincipal.newInstance("kulikov");
    acl.addAccessControlEntry(kulikov, rw);
}
/**
 * Grants JCR_ALL on a new "tractors" node to the principal "admin" and checks that the node can still
 * be read through the test session.
 *
 * <p>NOTE(review): presumably the test session holds a role named "admin", which is why access
 * succeeds. Confirm against the session setup.
 */
@Test
public void shouldAllowAccessUsingRole() throws Exception {
    Node root = session.getRootNode();
    Node tractors = root.addNode("tractors");
    session.save();

    AccessControlManager manager = session.getAccessControlManager();
    Privilege[] allRights = new Privilege[] {manager.privilegeFromName(Privilege.JCR_ALL)};

    // Use an applicable (not yet bound) policy when one exists, otherwise the first bound policy.
    AccessControlPolicyIterator applicable = manager.getApplicablePolicies(tractors.getPath());
    AccessControlList tractorsAcl = applicable.hasNext()
        ? (AccessControlList)applicable.nextAccessControlPolicy()
        : (AccessControlList)manager.getPolicies(tractors.getPath())[0];

    tractorsAcl.addAccessControlEntry(SimplePrincipal.newInstance("admin"), allRights);
    manager.setPolicy(tractors.getPath(), tractorsAcl);
    session.save();

    Node reloaded = root.getNode("tractors");
    assertThat(reloaded, is(notNullValue()));
}
// NOTE(review): this listing ends before the method's closing brace, so only the visible statements are
// described here; any assertions the test makes are outside the excerpt.
public void shouldAllowReadingAccessibleNodes() throws Exception {
    // Root policy: "anonymous" receives JCR_ALL on "/".
    AccessControlList acl = acl("/");
    acl.addAccessControlEntry(SimplePrincipal.newInstance("anonymous"), new Privilege[] {acm.privilegeFromName(Privilege.JCR_ALL)});
    acm.setPolicy("/", acl);
    // acl1 and acl2 are not declared in the visible lines; presumably fields prepared elsewhere (confirm).
    // acl1: JCR_ALL for "Admin", JCR_READ for "anonymous". No setPolicy call for acl1 appears in this excerpt.
    acl1.addAccessControlEntry(SimplePrincipal.newInstance("Admin"), new Privilege[] {acm.privilegeFromName(Privilege.JCR_ALL)});
    acl1.addAccessControlEntry(SimplePrincipal.newInstance("anonymous"), new Privilege[] {acm.privilegeFromName(Privilege.JCR_READ)});
    // acl2: JCR_ALL for "user" only, installed as the policy on "/vans".
    acl2.addAccessControlEntry(SimplePrincipal.newInstance("user"), new Privilege[] {acm.privilegeFromName(Privilege.JCR_ALL)});
    acm.setPolicy("/vans", acl2);
/**
 * Grants the named privileges to the principal "anonymous" on the node at the given path and saves the
 * session.
 *
 * @param path the absolute path of the node whose policy is changed
 * @param privileges the JCR privilege names to grant
 * @throws Exception if a privilege name cannot be resolved or the policy cannot be stored
 */
private void setPolicy( String path, String... privileges ) throws Exception {
    AccessControlManager manager = session.getAccessControlManager();

    // Resolve each privilege name, keeping the order in which the names were given.
    Privilege[] resolved = new Privilege[privileges.length];
    int slot = 0;
    for (String privilegeName : privileges) {
        resolved[slot++] = manager.privilegeFromName(privilegeName);
    }

    AccessControlList target = acl(path);
    target.addAccessControlEntry(SimplePrincipal.newInstance("anonymous"), resolved);
    manager.setPolicy(path, target);
    session.save();
}
}
/**
 * Grants JCR_ALL on a new "truks" node to the principal "Admin" only and checks that reading the node
 * through the test session is then refused.
 *
 * <p>NOTE(review): presumably the test session holds no principal or role matching "Admin", so the ACL
 * leaves it without any privilege on the node. Confirm against the session setup.
 */
@Test
@FixFor( "MODE-2036" )
public void shouldDenyAccessChildNode() throws Exception {
    Node root = session.getRootNode();
    Node trucks = root.addNode("truks");
    session.save();

    AccessControlManager manager = session.getAccessControlManager();
    Privilege[] allRights = new Privilege[] {manager.privilegeFromName(Privilege.JCR_ALL)};

    // Use an applicable (not yet bound) policy when one exists, otherwise the first bound policy.
    AccessControlPolicyIterator applicable = manager.getApplicablePolicies(trucks.getPath());
    AccessControlList trucksAcl = applicable.hasNext()
        ? (AccessControlList)applicable.nextAccessControlPolicy()
        : (AccessControlList)manager.getPolicies(trucks.getPath())[0];

    trucksAcl.addAccessControlEntry(SimplePrincipal.newInstance("Admin"), allRights);
    manager.setPolicy(trucks.getPath(), trucksAcl);
    session.save();

    try {
        root.getNode("truks");
        fail("Access list should deny access");
    } catch (javax.jcr.security.AccessControlException expected) {
        // Expected: the session has no entry in the node's ACL.
    }
}
// Excerpt from a longer method: three principals named "a", "b" and "everyone". How they are used lies
// outside the visible lines.
SimplePrincipal principalA = SimplePrincipal.newInstance("a");
SimplePrincipal principalB = SimplePrincipal.newInstance("b");
SimplePrincipal everyone = SimplePrincipal.newInstance("everyone");
AccessControlManager acm = session.getAccessControlManager();
// Single-element array holding the JCR_ALL privilege resolved through the session's access control manager.
Privilege[] allPriviledges = { acm.privilegeFromName(Privilege.JCR_ALL) };
// Excerpt from a longer method: aclNode1 and aclNode2 are obtained outside the visible lines.
// Adds a JCR_ALL entry for "anonymous" to aclNode1 and installs it as the policy on /testNode/node1.
aclNode1.addAccessControlEntry(SimplePrincipal.newInstance("anonymous"), new Privilege[] {acm.privilegeFromName(Privilege.JCR_ALL)});
acm.setPolicy("/testNode/node1", aclNode1);
// The same entry on aclNode2, installed as the policy on /testNode/node2.
aclNode2.addAccessControlEntry(SimplePrincipal.newInstance("anonymous"), new Privilege[] {acm.privilegeFromName(Privilege.JCR_ALL)});
acm.setPolicy("/testNode/node2", aclNode2);
/**
 * Grants the named privileges to the principal "anonymous" on the node at the given path and saves the
 * shared session.
 *
 * <p>The ACL that is modified is the first applicable (not yet bound) policy when one exists, otherwise
 * the first policy already bound to the path.
 *
 * @param path the absolute path of the node whose policy is changed
 * @param privileges the JCR privilege names to grant
 * @throws UnsupportedRepositoryOperationException if access control is not supported
 * @throws RepositoryException if a privilege name cannot be resolved or the policy cannot be stored
 */
private static void setPolicy( String path, String... privileges )
        throws UnsupportedRepositoryOperationException, RepositoryException {
    AccessControlManager manager = session.getAccessControlManager();

    // Resolve each privilege name, keeping the order in which the names were given.
    Privilege[] resolved = new Privilege[privileges.length];
    int slot = 0;
    for (String privilegeName : privileges) {
        resolved[slot++] = manager.privilegeFromName(privilegeName);
    }

    AccessControlPolicyIterator applicable = manager.getApplicablePolicies(path);
    AccessControlList target = applicable.hasNext()
        ? (AccessControlList)applicable.nextAccessControlPolicy()
        : (AccessControlList)manager.getPolicies(path)[0];

    target.addAccessControlEntry(SimplePrincipal.newInstance("anonymous"), resolved);
    manager.setPolicy(path, target);
    session.save();
}
/**
 * Verifies that a child node with an empty ACL does not bypass the parent's restrictions: once the
 * parent's policy no longer includes JCR_MODIFY_ACCESS_CONTROL, changing the child's ACL must be denied.
 */
@Test
@FixFor( "MODE-2408" )
public void shouldVerifyParentACLsIfChildHasEmptyACLList() throws Exception {
    Node rootNode = (Node) session.getNode("/");
    Node parent = rootNode.addNode("parent");
    setPolicy("/parent",
              Privilege.JCR_ADD_CHILD_NODES,
              Privilege.JCR_MODIFY_ACCESS_CONTROL,
              Privilege.JCR_READ_ACCESS_CONTROL);
    session.save();

    parent.addNode("child");

    // Set an empty policy on the child node.
    AccessControlList emptyChildAcl = acl("/parent/child");
    acm.setPolicy("/parent/child", emptyChildAcl);
    session.save();

    // Replace the parent's first entry with one that omits JCR_MODIFY_ACCESS_CONTROL, so ACLs can no
    // longer be changed through the parent.
    AccessControlList parentAcl = acl("/parent");
    parentAcl.removeAccessControlEntry(parentAcl.getAccessControlEntries()[0]);
    SimplePrincipal anonymous = SimplePrincipal.newInstance("anonymous");
    Privilege[] reducedRights = new Privilege[] {
        acm.privilegeFromName(Privilege.JCR_ADD_CHILD_NODES),
        acm.privilegeFromName(Privilege.JCR_READ_ACCESS_CONTROL)};
    parentAcl.addAccessControlEntry(anonymous, reducedRights);
    acm.setPolicy("/parent", parentAcl);
    session.save();

    // The child's ACL list is empty, so the check should fall through to the parent and the attempt
    // to modify the child's ACL should fail.
    try {
        setPolicy("/parent/child", Privilege.JCR_ALL);
        fail("Should not allow changing ACLs on a node with an empty policy list for which the parent doesn't have the appropriate permissions");
    } catch (AccessDeniedException expected) {
        // Expected: the parent no longer grants JCR_MODIFY_ACCESS_CONTROL.
    }
}
privileges.forName(Privilege.JCR_READ_ACCESS_CONTROL) }; acl.addAccessControlEntry(SimplePrincipal.newInstance("anonymous"), privilegeArray);