/**
 * Resolves the {@link Authentication} used to check the credentials supplied
 * for {@code principal}.
 * <p>
 * Group principals cannot log in, so {@code null} is returned for them. For
 * every other principal the returned {@code Authentication} answers
 * {@code true} from both {@code canHandle} and {@code authenticate} without
 * looking at the credentials at all: this is an accept-all policy and no
 * credential verification happens in this module (presumably a simple or
 * test login module — confirm before relying on it where real authentication
 * is expected).
 *
 * @param principal the principal resolved for the login attempt
 * @param creds the credentials presented at login; not inspected here
 * @return {@code null} for group principals, otherwise an accept-all
 *         {@code Authentication}
 * @throws RepositoryException declared by the overridden method; not raised here
 * @see AbstractLoginModule#getAuthentication(java.security.Principal, javax.jcr.Credentials)
 */
@Override
protected Authentication getAuthentication(Principal principal, Credentials creds) throws RepositoryException {
    final boolean isGroup = GroupPrincipals.isGroup(principal);
    if (isGroup) {
        // groups never authenticate
        return null;
    }
    // NOTE(review): every credential object is accepted unconditionally.
    final Authentication acceptAll = new Authentication() {
        @Override
        public boolean canHandle(Credentials credentials) {
            return true;
        }

        @Override
        public boolean authenticate(Credentials credentials) throws RepositoryException {
            return true;
        }
    };
    return acceptAll;
}
/**
 * Answers the membership question by delegating to the wrapped group.
 * <p>
 * Note that, unlike {@link #members()}, this path does not go through a
 * {@code CheckedPrincipalIterator}: the answer reflects the delegatee group
 * as-is rather than what the current session is allowed to see (presumably
 * intentional — membership tests do not reveal other members).
 *
 * @param member the principal to test
 * @return {@code true} if {@code member} is a member of the delegatee group
 */
@Override
public boolean isMember(Principal member) {
    final boolean belongs = GroupPrincipals.isMember(delegatee, member);
    return belongs;
}
/**
 * Enumerates the members of the wrapped group through a
 * {@code CheckedPrincipalIterator} built with the configured provider.
 * <p>
 * {@code Collections.list} eagerly drains the delegatee's enumeration into a
 * list, so the returned enumeration works on a snapshot rather than on the
 * delegatee's live enumeration. The checked iterator is presumably what
 * restricts the result to principals visible to the current session (see the
 * contract described on {@code disguise}) — confirm against
 * {@code CheckedPrincipalIterator}.
 *
 * @return an enumeration over the members that pass the check
 */
public Enumeration<? extends Principal> members() {
    final List<? extends Principal> snapshot = Collections.list(GroupPrincipals.members(delegatee));
    final PrincipalIterator checked = new CheckedPrincipalIterator(snapshot.iterator(), provider);
    return new Enumeration<Principal>() {
        @Override
        public boolean hasMoreElements() {
            return checked.hasNext();
        }

        @Override
        public Principal nextElement() {
            return checked.nextPrincipal();
        }
    };
}
/**
 * Resolves the {@link Authentication} used to check the credentials supplied
 * for {@code principal}.
 * <p>
 * Group principals cannot log in, so {@code null} is returned for them. For
 * every other principal the returned {@code Authentication} answers
 * {@code true} from both {@code canHandle} and {@code authenticate} without
 * looking at the credentials at all: this is an accept-all policy and no
 * credential verification happens in this module (presumably a simple or
 * test login module — confirm before relying on it where real authentication
 * is expected).
 *
 * @param principal the principal resolved for the login attempt
 * @param creds the credentials presented at login; not inspected here
 * @return {@code null} for group principals, otherwise an accept-all
 *         {@code Authentication}
 * @throws RepositoryException declared by the overridden method; not raised here
 * @see AbstractLoginModule#getAuthentication(java.security.Principal, javax.jcr.Credentials)
 */
@Override
protected Authentication getAuthentication(Principal principal, Credentials creds) throws RepositoryException {
    final boolean isGroup = GroupPrincipals.isGroup(principal);
    if (isGroup) {
        // groups never authenticate
        return null;
    }
    // NOTE(review): every credential object is accepted unconditionally.
    final Authentication acceptAll = new Authentication() {
        @Override
        public boolean canHandle(Credentials credentials) {
            return true;
        }

        @Override
        public boolean authenticate(Credentials credentials) throws RepositoryException {
            return true;
        }
    };
    return acceptAll;
}
/**
 * Enumerates the members of the wrapped group through a
 * {@code CheckedPrincipalIterator} built with the configured provider.
 * <p>
 * {@code Collections.list} eagerly drains the delegatee's enumeration into a
 * list, so the returned enumeration works on a snapshot rather than on the
 * delegatee's live enumeration. The checked iterator is presumably what
 * restricts the result to principals visible to the current session (see the
 * contract described on {@code disguise}) — confirm against
 * {@code CheckedPrincipalIterator}.
 *
 * @return an enumeration over the members that pass the check
 */
public Enumeration<? extends Principal> members() {
    final List<? extends Principal> snapshot = Collections.list(GroupPrincipals.members(delegatee));
    final PrincipalIterator checked = new CheckedPrincipalIterator(snapshot.iterator(), provider);
    return new Enumeration<Principal>() {
        @Override
        public boolean hasMoreElements() {
            return checked.hasNext();
        }

        @Override
        public Principal nextElement() {
            return checked.nextPrincipal();
        }
    };
}
/**
 * Answers the membership question by delegating to the wrapped group.
 * <p>
 * Note that, unlike {@link #members()}, this path does not go through a
 * {@code CheckedPrincipalIterator}: the answer reflects the delegatee group
 * as-is rather than what the current session is allowed to see (presumably
 * intentional — membership tests do not reveal other members).
 *
 * @param member the principal to test
 * @return {@code true} if {@code member} is a member of the delegatee group
 */
@Override
public boolean isMember(Principal member) {
    final boolean belongs = GroupPrincipals.isMember(delegatee, member);
    return belongs;
}
/**
 * Decides whether this login attempt is an impersonation of {@code principal}.
 * <p>
 * Group principals can never be impersonated. For any other principal the
 * decision rests solely on whether {@link #getImpersonatorSubject} finds an
 * impersonator subject in the credentials: its mere presence is sufficient.
 * Nothing here verifies that the impersonator is actually permitted to
 * impersonate {@code principal}; if such a policy is required it has to be
 * enforced elsewhere (confirm for the module this belongs to).
 *
 * @param principal the principal to be impersonated
 * @param credentials the credentials that may carry an impersonator subject
 * @return {@code true} if impersonation is granted
 * @throws RepositoryException declared by the overridden method
 * @throws LoginException declared by the overridden method
 * @see AbstractLoginModule#impersonate(java.security.Principal, javax.jcr.Credentials)
 */
@Override
protected boolean impersonate(Principal principal, Credentials credentials) throws RepositoryException, LoginException {
    if (!GroupPrincipals.isGroup(principal)) {
        // NOTE(review): presence of an impersonator subject alone grants impersonation.
        return getImpersonatorSubject(credentials) != null;
    }
    // groups are never impersonated
    return false;
}
/**
 * Looks up a single principal by exact name and filters it by search type.
 * <p>
 * {@code simpleFilter} is not treated as a pattern: it is passed straight to
 * {@link #getPrincipal(String)}. The result is empty when no principal
 * exists, or when the principal's kind contradicts the requested search type
 * (a group requested with {@code SEARCH_TYPE_NOT_GROUP}, a non-group with
 * {@code SEARCH_TYPE_GROUP}). Any other search type yields the principal.
 *
 * @param simpleFilter the exact principal name to resolve
 * @param searchType one of the {@code PrincipalManager.SEARCH_TYPE_*} constants
 * @return an iterator over at most one principal
 */
public PrincipalIterator findPrincipals(String simpleFilter, int searchType) {
    final Principal match = getPrincipal(simpleFilter);
    if (match == null) {
        return PrincipalIteratorAdapter.EMPTY;
    }
    // A group is rejected by a NOT_GROUP search, a non-group by a GROUP search.
    final int excludedType = GroupPrincipals.isGroup(match)
            ? PrincipalManager.SEARCH_TYPE_NOT_GROUP
            : PrincipalManager.SEARCH_TYPE_GROUP;
    if (searchType == excludedType) {
        return PrincipalIteratorAdapter.EMPTY;
    }
    return new PrincipalIteratorAdapter(Collections.singletonList(match));
}
/**
 * Looks up a single principal by exact name and filters it by search type.
 * <p>
 * {@code simpleFilter} is not treated as a pattern: it is passed straight to
 * {@link #getPrincipal(String)}. The result is empty when no principal
 * exists, or when the principal's kind contradicts the requested search type
 * (a group requested with {@code SEARCH_TYPE_NOT_GROUP}, a non-group with
 * {@code SEARCH_TYPE_GROUP}). Any other search type yields the principal.
 *
 * @param simpleFilter the exact principal name to resolve
 * @param searchType one of the {@code PrincipalManager.SEARCH_TYPE_*} constants
 * @return an iterator over at most one principal
 */
public PrincipalIterator findPrincipals(String simpleFilter, int searchType) {
    final Principal match = getPrincipal(simpleFilter);
    if (match == null) {
        return PrincipalIteratorAdapter.EMPTY;
    }
    // A group is rejected by a NOT_GROUP search, a non-group by a GROUP search.
    final int excludedType = GroupPrincipals.isGroup(match)
            ? PrincipalManager.SEARCH_TYPE_NOT_GROUP
            : PrincipalManager.SEARCH_TYPE_GROUP;
    if (searchType == excludedType) {
        return PrincipalIteratorAdapter.EMPTY;
    }
    return new PrincipalIteratorAdapter(Collections.singletonList(match));
}
/**
 * Decides whether this login attempt is an impersonation of {@code principal}.
 * <p>
 * Group principals can never be impersonated. For any other principal the
 * decision rests solely on whether {@link #getImpersonatorSubject} finds an
 * impersonator subject in the credentials: its mere presence is sufficient.
 * Nothing here verifies that the impersonator is actually permitted to
 * impersonate {@code principal}; if such a policy is required it has to be
 * enforced elsewhere (confirm for the module this belongs to).
 *
 * @param principal the principal to be impersonated
 * @param credentials the credentials that may carry an impersonator subject
 * @return {@code true} if impersonation is granted
 * @throws RepositoryException declared by the overridden method
 * @throws LoginException declared by the overridden method
 * @see AbstractLoginModule#impersonate(java.security.Principal, javax.jcr.Credentials)
 */
@Override
protected boolean impersonate(Principal principal, Credentials credentials) throws RepositoryException, LoginException {
    if (!GroupPrincipals.isGroup(principal)) {
        // NOTE(review): presence of an impersonator subject alone grants impersonation.
        return getImpersonatorSubject(credentials) != null;
    }
    // groups are never impersonated
    return false;
}
/**
 * Derives the user ID of an authenticated subject.
 * <p>
 * Three sources are tried in order:
 * <ol>
 * <li>a {@code SimpleCredentials} object among the subject's public
 *     credentials — its user ID is returned as-is, on trust that the login
 *     modules populated the subject;</li>
 * <li>the configured anonymous ID, when one is set and the subject holds an
 *     {@code AnonymousPrincipal};</li>
 * <li>the name of the first non-group principal, assuming user ID and
 *     principal name coincide (not always true).</li>
 * </ol>
 * "First" in steps 1 and 3 is whatever the subject's (unordered) sets yield
 * first, so subjects with several candidates give an iteration-order
 * dependent answer. {@code workspaceName} is not used.
 *
 * @param subject the authenticated subject
 * @param workspaceName the workspace name; ignored
 * @return the user ID, or {@code null} if none can be derived
 * @throws RepositoryException declared by the interface; not raised here
 * @see JackrabbitSecurityManager#getUserID(javax.security.auth.Subject, String)
 */
public String getUserID(Subject subject, String workspaceName) throws RepositoryException {
    // 1. SimpleCredentials carry the user ID directly.
    final Set<SimpleCredentials> simpleCreds = subject.getPublicCredentials(SimpleCredentials.class);
    if (!simpleCreds.isEmpty()) {
        return simpleCreds.iterator().next().getUserID();
    }
    // 2. Anonymous subjects map to the configured anonymous ID, if any.
    if (anonymID != null && !subject.getPrincipals(AnonymousPrincipal.class).isEmpty()) {
        return anonymID;
    }
    // 3. Fallback: first non-group principal name doubles as the user ID.
    for (Principal p : subject.getPrincipals()) {
        if (!GroupPrincipals.isGroup(p)) {
            return p.getName();
        }
    }
    return null;
}
/**
 * Derives the user ID of an authenticated subject.
 * <p>
 * Three sources are tried in order:
 * <ol>
 * <li>a {@code SimpleCredentials} object among the subject's public
 *     credentials — its user ID is returned as-is, on trust that the login
 *     modules populated the subject;</li>
 * <li>the configured anonymous ID, when one is set and the subject holds an
 *     {@code AnonymousPrincipal};</li>
 * <li>the name of the first non-group principal, assuming user ID and
 *     principal name coincide (not always true).</li>
 * </ol>
 * "First" in steps 1 and 3 is whatever the subject's (unordered) sets yield
 * first, so subjects with several candidates give an iteration-order
 * dependent answer. {@code workspaceName} is not used.
 *
 * @param subject the authenticated subject
 * @param workspaceName the workspace name; ignored
 * @return the user ID, or {@code null} if none can be derived
 * @throws RepositoryException declared by the interface; not raised here
 * @see JackrabbitSecurityManager#getUserID(javax.security.auth.Subject, String)
 */
public String getUserID(Subject subject, String workspaceName) throws RepositoryException {
    // 1. SimpleCredentials carry the user ID directly.
    final Set<SimpleCredentials> simpleCreds = subject.getPublicCredentials(SimpleCredentials.class);
    if (!simpleCreds.isEmpty()) {
        return simpleCreds.iterator().next().getUserID();
    }
    // 2. Anonymous subjects map to the configured anonymous ID, if any.
    if (anonymID != null && !subject.getPrincipals(AnonymousPrincipal.class).isEmpty()) {
        return anonymID;
    }
    // 3. Fallback: first non-group principal name doubles as the user ID.
    for (Principal p : subject.getPrincipals()) {
        if (!GroupPrincipals.isGroup(p)) {
            return p.getName();
        }
    }
    return null;
}
/**
 * Picks a non-group principal out of the session's subject.
 * <p>
 * Only {@code SessionImpl} sessions expose their subject; any other session
 * type fails with the same exception as a subject without a non-group
 * principal.
 * <p>
 * NOTE(review): the loop has no {@code break}, so the <em>last</em> non-group
 * principal yielded by the subject's principal set wins. That set is
 * unordered, so a subject with several non-group principals gives an
 * iteration-order dependent answer — and the opposite choice from
 * {@code getUserID(Subject, String)}, which stops at the first one. Confirm
 * which principal callers actually expect.
 *
 * @param session the session whose principal is wanted
 * @return a non-group principal of the session's subject
 * @throws RepositoryException if the session is not a {@code SessionImpl}
 *         or its subject holds no non-group principal
 */
@Override
public Principal getKnownPrincipal(Session session) throws RepositoryException {
    if (!(session instanceof SessionImpl)) {
        throw new RepositoryException("no applicable principal found");
    }
    Principal candidate = null;
    for (Principal p : ((SessionImpl) session).getSubject().getPrincipals()) {
        if (!GroupPrincipals.isGroup(p)) {
            candidate = p; // deliberately no break: last match wins (see note above)
        }
    }
    if (candidate == null) {
        throw new RepositoryException("no applicable principal found");
    }
    return candidate;
}
/**
 * Picks a non-group principal out of the session's subject.
 * <p>
 * Only {@code SessionImpl} sessions expose their subject; any other session
 * type fails with the same exception as a subject without a non-group
 * principal.
 * <p>
 * NOTE(review): the loop has no {@code break}, so the <em>last</em> non-group
 * principal yielded by the subject's principal set wins. That set is
 * unordered, so a subject with several non-group principals gives an
 * iteration-order dependent answer — and the opposite choice from
 * {@code getUserID(Subject, String)}, which stops at the first one. Confirm
 * which principal callers actually expect.
 *
 * @param session the session whose principal is wanted
 * @return a non-group principal of the session's subject
 * @throws RepositoryException if the session is not a {@code SessionImpl}
 *         or its subject holds no non-group principal
 */
@Override
public Principal getKnownPrincipal(Session session) throws RepositoryException {
    if (!(session instanceof SessionImpl)) {
        throw new RepositoryException("no applicable principal found");
    }
    Principal candidate = null;
    for (Principal p : ((SessionImpl) session).getSubject().getPrincipals()) {
        if (!GroupPrincipals.isGroup(p)) {
            candidate = p; // deliberately no break: last match wins (see note above)
        }
    }
    if (candidate == null) {
        throw new RepositoryException("no applicable principal found");
    }
    return candidate;
}
/**
 * Wraps group principals so that they only reveal members visible to the
 * current session.
 * <p>
 * Non-group principals are returned untouched, and so is the everyone
 * principal: it is deliberately left unwrapped, so its membership is never
 * filtered by the session check (presumably because everyone's membership is
 * not considered sensitive — confirm). Every other group is wrapped in an
 * {@code ItemBasedCheckedGroup} if it is item based, otherwise in a
 * {@code CheckedGroup}.
 *
 * @param principal the principal to (possibly) wrap
 * @param provider the provider handed to the checked-group wrapper
 * @return the wrapped group, or {@code principal} itself when no wrapping applies
 */
private Principal disguise(Principal principal, PrincipalProvider provider) {
    final boolean isGroup = GroupPrincipals.isGroup(principal);
    final boolean isEveryone = principal instanceof EveryonePrincipal;
    if (!isGroup || isEveryone) {
        // plain principals and 'everyone' are exposed as they are
        return principal;
    }
    return (principal instanceof ItemBasedPrincipal)
            ? new ItemBasedCheckedGroup(principal, provider)
            : new CheckedGroup(principal, provider);
}
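/**
 * Finds the first principal in {@code principals} that is item based, is not
 * a group and resolves to an authorizable through the session's user manager.
 * <p>
 * Best-effort: a {@code RepositoryException} from the user manager is logged
 * and treated as "no user principal". The log call now also passes the
 * exception itself so the stack trace is retained (the previous message-only
 * log line dropped it). The {@code {}} placeholder is SLF4J-style; confirm
 * {@code log} is an SLF4J logger.
 *
 * @param principals the principals to inspect (typically a subject's principal set)
 * @return the first matching principal, or {@code null} if none of them is
 *         backed by an authorizable
 */
private ItemBasedPrincipal getUserPrincipal(Set<Principal> principals) {
    try {
        final UserManager uMgr = session.getUserManager();
        for (Principal p : principals) {
            // cheap, in-memory tests first; the authorizable lookup presumably
            // touches the repository and is only done for plausible candidates
            if (GroupPrincipals.isGroup(p) || !(p instanceof ItemBasedPrincipal)) {
                continue;
            }
            if (uMgr.getAuthorizable(p) != null) {
                return (ItemBasedPrincipal) p;
            }
        }
    } catch (RepositoryException e) {
        // Not expected to happen; keep the best-effort fall-through to null,
        // but record the full exception rather than only its message.
        log.error("Internal error while retrieving user principal: {}", e.getMessage(), e);
    }
    // none of the principals is backed by an authorizable
    return null;
}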
/**
 * Wraps group principals so that they only reveal members visible to the
 * current session.
 * <p>
 * Non-group principals are returned untouched, and so is the everyone
 * principal: it is deliberately left unwrapped, so its membership is never
 * filtered by the session check (presumably because everyone's membership is
 * not considered sensitive — confirm). Every other group is wrapped in an
 * {@code ItemBasedCheckedGroup} if it is item based, otherwise in a
 * {@code CheckedGroup}.
 *
 * @param principal the principal to (possibly) wrap
 * @param provider the provider handed to the checked-group wrapper
 * @return the wrapped group, or {@code principal} itself when no wrapping applies
 */
private Principal disguise(Principal principal, PrincipalProvider provider) {
    final boolean isGroup = GroupPrincipals.isGroup(principal);
    final boolean isEveryone = principal instanceof EveryonePrincipal;
    if (!isGroup || isEveryone) {
        // plain principals and 'everyone' are exposed as they are
        return principal;
    }
    return (principal instanceof ItemBasedPrincipal)
            ? new ItemBasedCheckedGroup(principal, provider)
            : new CheckedGroup(principal, provider);
}
/**
 * Resolves the user principal for the given credentials through the
 * configured {@link org.apache.jackrabbit.core.security.principal.PrincipalProvider}.
 * <p>
 * The user ID obtained from {@link #getUserID(Credentials)} is used directly
 * as the principal name, i.e. user ID and principal name are assumed to be
 * identical. A group principal returned by the provider is not a valid login
 * principal and is discarded.
 * <p>
 * NOTE(review): when {@code getUserID} yields {@code null}, that {@code null}
 * is passed straight to the provider; presumably it answers {@code null}
 * rather than throwing — confirm for the configured provider.
 *
 * @param credentials the credentials to resolve
 * @return the matching non-group principal, or {@code null} if the provider
 *         knows no such principal
 * @see AbstractLoginModule#getPrincipal(Credentials)
 */
@Override
protected Principal getPrincipal(Credentials credentials) {
    final String userId = getUserID(credentials);
    final Principal candidate = principalProvider.getPrincipal(userId);
    // only a non-group principal counts as a user principal
    final boolean isUser = candidate != null && !GroupPrincipals.isGroup(candidate);
    return isUser ? candidate : null;
}
}
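/**
 * Finds the first principal in {@code principals} that is item based, is not
 * a group and resolves to an authorizable through the session's user manager.
 * <p>
 * Best-effort: a {@code RepositoryException} from the user manager is logged
 * and treated as "no user principal". The log call now also passes the
 * exception itself so the stack trace is retained (the previous message-only
 * log line dropped it). The {@code {}} placeholder is SLF4J-style; confirm
 * {@code log} is an SLF4J logger.
 *
 * @param principals the principals to inspect (typically a subject's principal set)
 * @return the first matching principal, or {@code null} if none of them is
 *         backed by an authorizable
 */
private ItemBasedPrincipal getUserPrincipal(Set<Principal> principals) {
    try {
        final UserManager uMgr = session.getUserManager();
        for (Principal p : principals) {
            // cheap, in-memory tests first; the authorizable lookup presumably
            // touches the repository and is only done for plausible candidates
            if (GroupPrincipals.isGroup(p) || !(p instanceof ItemBasedPrincipal)) {
                continue;
            }
            if (uMgr.getAuthorizable(p) != null) {
                return (ItemBasedPrincipal) p;
            }
        }
    } catch (RepositoryException e) {
        // Not expected to happen; keep the best-effort fall-through to null,
        // but record the full exception rather than only its message.
        log.error("Internal error while retrieving user principal: {}", e.getMessage(), e);
    }
    // none of the principals is backed by an authorizable
    return null;
}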
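/**
 * Decides whether {@code subject} may impersonate the user this
 * {@code Impersonation} belongs to.
 * <p>
 * Two rules, in order:
 * <ol>
 * <li>Name match: the names of <em>all</em> principals of the subject — group
 *     principals included — are compared with the configured impersonator
 *     names. Listing a group as impersonator therefore grants impersonation
 *     to every member of that group.</li>
 * <li>Administrator fallback: if any non-group principal of the subject
 *     resolves to an authorizable whose ID is the admin ID, impersonation is
 *     granted regardless of the impersonator list.</li>
 * </ol>
 * Step 1 now uses {@link Collections#disjoint} instead of
 * {@code Set.removeAll}: the answer is the same (any common name), but the
 * set returned by {@link #getImpersonatorNames()} is no longer mutated as a
 * side effect, which also keeps this working should that method ever return
 * a shared or unmodifiable set.
 *
 * @param subject the subject requesting impersonation; {@code null} is denied
 * @return {@code true} if impersonation is allowed
 * @throws RepositoryException if the impersonator names or an authorizable
 *         cannot be read
 * @see Impersonation#allows(Subject)
 */
public boolean allows(Subject subject) throws RepositoryException {
    if (subject == null) {
        return false;
    }
    // names of every principal in the subject, groups included
    final Set<String> principalNames = new HashSet<String>();
    for (Principal p : subject.getPrincipals()) {
        principalNames.add(p.getName());
    }
    // rule 1: match by principal name against the configured impersonators
    final Set<String> impersonators = getImpersonatorNames();
    if (!Collections.disjoint(impersonators, principalNames)) {
        return true;
    }
    // rule 2: the administrator user may impersonate anyone
    for (Principal p : subject.getPrincipals()) {
        if (GroupPrincipals.isGroup(p)) {
            continue;
        }
        final Authorizable a = userManager.getAuthorizable(p);
        if (a != null && userManager.isAdminId(a.getID())) {
            return true;
        }
    }
    return false;
}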