Fixes for JENA-855. Added principal as an argument to SecurityEvaluator functions.
Project: http://git-wip-us.apache.org/repos/asf/jena/repo Commit: http://git-wip-us.apache.org/repos/asf/jena/commit/23d1bde2 Tree: http://git-wip-us.apache.org/repos/asf/jena/tree/23d1bde2 Diff: http://git-wip-us.apache.org/repos/asf/jena/diff/23d1bde2 Branch: refs/heads/master Commit: 23d1bde29ec4985584a63dfc209155115a7959c2 Parents: cd62e6d Author: Claude Warren <[email protected]> Authored: Tue Jan 20 21:00:44 2015 +0000 Committer: Claude Warren <[email protected]> Committed: Tue Jan 20 21:00:44 2015 +0000 ---------------------------------------------------------------------- .../apache/jena/security/SecurityEvaluator.java | 512 +++++++++--------- .../security/graph/SecuredCapabilities.java | 18 +- .../graph/SecuredGraphEventManager.java | 531 +++++++------------ .../security/impl/CachedSecurityEvaluator.java | 117 ++-- .../jena/security/impl/SecuredItemImpl.java | 16 +- .../security/model/impl/SecuredRDFListImpl.java | 2 +- .../security/model/impl/SecuredRSIterator.java | 2 +- .../jena/security/query/SecuredQueryEngine.java | 14 +- .../security/query/rewriter/OpRewriter.java | 5 +- .../query/rewriter/SecuredFunction.java | 3 +- .../security/utils/PermStatementFilter.java | 9 +- .../jena/security/utils/PermTripleFilter.java | 9 +- .../jena/security/utils/RDFListSecFilter.java | 9 +- .../jena/security/MockSecurityEvaluator.java | 16 +- .../security/ModelBasedSecurityEvaluator.java | 35 +- .../jena/security/StaticSecurityEvaluator.java | 41 +- .../graph/CachedSecurityEvaluatorTest.java | 27 + .../security/graph/BulkUpdateHandlerTest.java | 57 +- .../graph/CrossIDGraphEventManagerTest.java | 78 +++ .../security/graph/GraphEventManagerTest.java | 127 +---- .../security/graph/RecordingGraphListener.java | 106 ++++ .../graph/SecuredPrefixMappingTest.java | 68 +-- .../security/model/SecuredModelDetailTest.java | 20 +- .../jena/security/query/QueryEngineTest.java | 97 ++-- 24 files changed, 971 insertions(+), 948 deletions(-) 
---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/jena/blob/23d1bde2/jena-security/src/main/java/org/apache/jena/security/SecurityEvaluator.java ---------------------------------------------------------------------- diff --git a/jena-security/src/main/java/org/apache/jena/security/SecurityEvaluator.java b/jena-security/src/main/java/org/apache/jena/security/SecurityEvaluator.java index e2ccd96..ab8ea1d 100644 --- a/jena-security/src/main/java/org/apache/jena/security/SecurityEvaluator.java +++ b/jena-security/src/main/java/org/apache/jena/security/SecurityEvaluator.java @@ -6,9 +6,9 @@ * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
@@ -28,68 +28,71 @@ import org.apache.commons.lang.builder.HashCodeBuilder; * SecurityEvaluator. * <p> * The security evaluator is the link between the graph security system and an - * external - * security system. This interface specifies the methods that are required by - * the graph - * security system. It is assumed that the implementation will handle tracking - * the current - * user and will query some underlying data source to determine what actions the - * user can - * and can not take. - * </p><p> - * All questions of white listing or black listing will be handled in the concrete - * implementation. - * </p><p> + * external security system. This interface specifies the methods that are + * required by the graph security system. It is assumed that the implementation + * will handle tracking the current user and will query some underlying data + * source to determine what actions the user can and can not take. + * </p> + * <p> + * All questions of white listing or black listing will be handled in the + * concrete implementation. + * </p> + * <p> * Implementations of this class should probably cache any evaluate calculations - * as the evaluate methods are called frequently. However, the underlying classes - * do cache results within a single method check. + * as the evaluate methods are called frequently. However, the underlying + * classes do cache results within a single method check. * </p> * <p> * <dl> * <dt>Secured operations</dt> - * <dd>The security system recognizes and secures each of the CRUD (Create, Read, Update and Delete) - * operations as represented by the Action enumeration.</dd> + * <dd>The security system recognizes and secures each of the CRUD (Create, + * Read, Update and Delete) operations as represented by the Action enumeration. + * </dd> * </dl> * <dl> * <dt>Levels of security</dt> - * <dd>The security interfaces operates at two (2) levels: graph (or Model) and triple. 
- * <p>At the the graph level the security evaluator may restrict CRUD access to the graph or model as a whole. - * When evaluating the restriction, if the user it not permitted to perform the operation on the - * graph or model access is denied. If the user is permitted any triple restrictions are evaluated. - * </p><p> - * At the triple level the security evaluator may restrict CRUD access to specific triples. In order - * to skip potentially expensive triple security checks the system will generally ask if the user is - * permitted the CRUD action on any triple. This is represented by the SecTriple - * <code>(ANY, ANY, ANY)</code>. + * <dd>The security interfaces operates at two (2) levels: graph (or Model) and + * triple. + * <p> + * At the the graph level the security evaluator may restrict CRUD access to the + * graph or model as a whole. When evaluating the restriction, if the user it + * not permitted to perform the operation on the graph or model access is + * denied. If the user is permitted any triple restrictions are evaluated. + * </p> + * <p> + * At the triple level the security evaluator may restrict CRUD access to + * specific triples. In order to skip potentially expensive triple security + * checks the system will generally ask if the user is permitted the CRUD action + * on any triple. This is represented by the SecTriple + * <code>(ANY, ANY, ANY)</code>. * <ul> * <li> - * If the system does not support triple level security the system should always return <code>true</code>. - * </li> - * If the system does support triple level security and is unable to verify that the user can execute - * the CRUD action against any arbitrary triple the system should return <code>false</code>. 
- * </li> - * <li>See <code>SecNode.ANY</code>, <code>SecNode.FUTURE</code>, and <code>SecNode.VARIABLE</code> - * for discussion of specifics of their respective usages.</li> + * If the system does not support triple level security the system should always + * return <code>true</code>.</li> + * If the system does support triple level security and is unable to verify that + * the user can execute the CRUD action against any arbitrary triple the system + * should return <code>false</code>. </li> + * <li>See <code>SecNode.ANY</code>, <code>SecNode.FUTURE</code>, and + * <code>SecNode.VARIABLE</code> for discussion of specifics of their respective + * usages.</li> * </ul> * </p> * </dd> * </dl> * <dl> * <dt> - * + * * </p> */ -public interface SecurityEvaluator -{ +public interface SecurityEvaluator { /** * Identifies a sepcific CRUD actions. */ - static enum Action - { + static enum Action { /** * Allow creation of the object in question. */ - Create, + Create, /** * Allow the user to read the object in question. */ 
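Review bot: The reflowed "Levels of security" list is still malformed HTML: the second item (`If the system does support triple level security and is unable to verify ...`) ends with `</li>` but has no opening `<li>`, so it renders as stray text inside the first item; add `<li>` in front of it. The same paragraph keeps the typo `if the user it not permitted` (should be `is not permitted`), and the dangling `<dt>` followed by a bare `</p>` at the end of the class comment encloses nothing and should be dropped. These are wording-only fixes to the interface Javadoc; the interface body continues past this hunk.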
@@ -97,50 +100,48 @@ public interface SecurityEvaluator /** * Allow the user to update the object in question */ - Update, + Update, /** * Allow the user to delete the object in question. */ Delete - + } /** * A node in the evaluation. * <p> * A node with no value represents a node of that type but unknown - * exactitude. (e.g. - * <code>SecNode(URI,"")</code> is a URI but of unknown value. Useful for systems that - * restrict - * type creation. - * </p><p> - * <code>SecNode(Anonymous,"")</code> represents an anonymous node that will be created. - * Otherwise anonymous - * node values are the values within the secured graph. - * </p><p> + * exactitude. (e.g. <code>SecNode(URI,"")</code> is a URI but of unknown + * value. Useful for systems that restrict type creation. + * </p> + * <p> + * <code>SecNode(Anonymous,"")</code> represents an anonymous node that will + * be created. Otherwise anonymous node values are the values within the + * secured graph. + * </p> + * <p> * An "Any" node type matches any node. * </p> */ - public static class SecNode implements Comparable<SecNode> - { + public static class SecNode implements Comparable<SecNode> { /** * The types of nodes. */ - public static enum Type - { + public static enum Type { /** * A URI type node */ - URI, + URI, /** * A Literal node. */ - Literal, + Literal, /** - * An anonymous node. Also called a "blank" node. + * An anonymous node. Also called a "blank" node. */ - Anonymous, + Anonymous, /** * Any node. */ 
@@ -152,81 +153,80 @@ public interface SecurityEvaluator * <p> * Used in triple checks as follows: * <dl> - * <dt><code>(ANY, ANY, ANY)</code> - * </dt><dd>Asks if the user may perform the action on any triple. - * </dd> - * <dt><code>(X, ANY, ANY)</code> - * </dt><dd>Asks if the user may perform the action against - * any triple where X is the subject. - * </dd> - * <dt><code>(ANY, X, ANY)</code> - * </dt><dd>Asks if the user may perform the action against - * any triple where X is the predicate. - * </dd> - * <dt><code>(SecNode.ANY, SecNode.ANY, SecNode.X)</code> - * </dt><dd>Asks if if the user may perform the action against - * any triple where X is the object. - * </dd> + * <dt><code>(ANY, ANY, ANY)</code></dt> + * <dd>Asks if the user may perform the action on any triple.</dd> + * <dt><code>(X, ANY, ANY)</code></dt> + * <dd>Asks if the user may perform the action against any triple where + * X is the subject.</dd> + * <dt><code>(ANY, X, ANY)</code></dt> + * <dd>Asks if the user may perform the action against any triple where + * X is the predicate.</dd> + * <dt><code>(SecNode.ANY, SecNode.ANY, SecNode.X)</code></dt> + * <dd>Asks if if the user may perform the action against any triple + * where X is the object.</dd> * </dl> - * The <code>ANY</code> may occur multiple times and may occur with the + * The <code>ANY</code> may occur multiple times and may occur with the * <code>VARIABLE</code> and/or <code>FUTURE</code> nodes. * </p> */ public static final SecNode ANY = new SecNode(Type.Any, "any"); - + /** * Indicates a variable in the triple. * <p> - * </p>This differs from <code>ANY</code> - * in that the system is asking if there are any prohibitions not if the user - * may perform. Thus queries with the VARIABLE type node should return <code>true</code> - * where <code>ANY</code> returns <code>false</code>. 
In general this type is used in the - * query to determine if triple level filtering of results must be performed.<p> - * </p><p> + * </p> + * This differs from <code>ANY</code> in that the system is asking if + * there are any prohibitions not if the user may perform. Thus queries + * with the VARIABLE type node should return <code>true</code> where + * <code>ANY</code> returns <code>false</code>. In general this type is + * used in the query to determine if triple level filtering of results + * must be performed. + * <p> + * </p> + * <p> * <dl> - * <dt><code>(VARIABLE, X, Y )</code> - * </dt><dd> - * Asks if there are any prohibitions against the user seeing all subjects - * that have property X and object Y. - * </dd><dt> - * <code>(X, VARIABLE, Y )</code> - * </dt><dd> - * Asks if there are any prohibitions against the user seeing all predicates - * that have subject X and object Y. - * </dd><dt> - * <code>(X, Y, VARIABLE)</code> - * </dt><dd> - * Asks if there are any prohibitions against the user seeing all objects - * that have subject X and predicate Y. - * </dd> + * <dt><code>(VARIABLE, X, Y )</code></dt> + * <dd> + * Asks if there are any prohibitions against the user seeing all + * subjects that have property X and object Y.</dd> + * <dt> + * <code>(X, VARIABLE, Y )</code></dt> + * <dd> + * Asks if there are any prohibitions against the user seeing all + * predicates that have subject X and object Y.</dd> + * <dt> + * <code>(X, Y, VARIABLE)</code></dt> + * <dd> + * Asks if there are any prohibitions against the user seeing all + * objects that have subject X and predicate Y.</dd> * </dl> - * The <code>VARIABLE</code> may occur multiple times and may occur with the - * <code>ANY</code> node. + * The <code>VARIABLE</code> may occur multiple times and may occur with + * the <code>ANY</code> node. * </p> - * + * */ public static final SecNode VARIABLE = new SecNode(Type.Any, "variable"); /** * This is an anonymous node that will be created in the future. 
* <p> - * FUTURE is used to check that an anonymous node may be created in - * as specific position in a triple. - * </p><p> + * FUTURE is used to check that an anonymous node may be created in as + * specific position in a triple. + * </p> + * <p> * <dl> - * <dt><code>(FUTURE, X, Y )</code> - * </dt><dd> - * Asks if there the user may create an anonymous node - * that has property X and object Y. - * </dd><dt> - * <code>(X, Y, FUTURE)</code> - * </dt><dd> - * Asks if there the user may create an anonymous node - * that has subject X and property Y. - * </dd> + * <dt><code>(FUTURE, X, Y )</code></dt> + * <dd> + * Asks if there the user may create an anonymous node that has property + * X and object Y.</dd> + * <dt> + * <code>(X, Y, FUTURE)</code></dt> + * <dd> + * Asks if there the user may create an anonymous node that has subject + * X and property Y.</dd> * </dl> - * The <code>FUTURE</code> may occur multiple times and may occur with the - * <code>ANY</code> node. + * The <code>FUTURE</code> may occur multiple times and may occur with + * the <code>ANY</code> node. * </p> */ public static final SecNode FUTURE = new SecNode(Type.Anonymous, ""); 
@@ -237,27 +237,27 @@ public interface SecurityEvaluator /** * Create a SecNode of the type and value. - * @param type The type of the node - * @param value The value of the node. A null is interpreted as an empty string. + * + * @param type + * The type of the node + * @param value + * The value of the node. A null is interpreted as an empty + * string. */ - public SecNode( final Type type, final String value ) - { + public SecNode(final Type type, final String value) { this.type = type; this.value = value == null ? "" : value; } @Override - public int compareTo( final SecNode node ) - { + public int compareTo(final SecNode node) { final int retval = type.compareTo(node.type); return retval == 0 ? value.compareTo(node.value) : retval; } @Override - public boolean equals( final Object o ) - { - if (o instanceof SecNode) - { + public boolean equals(final Object o) { + if (o instanceof SecNode) { return this.compareTo((SecNode) o) == 0; } return false; @@ -265,27 +265,25 @@ public interface SecurityEvaluator /** * Get the type of the node. + * * @return The type of the node. */ - public Type getType() - { + public Type getType() { return type; } /** * Get the value of the node. + * * @return the value of the node */ - public String getValue() - { + public String getValue() { return value; } @Override - public int hashCode() - { - if (hashCode == null) - { + public int hashCode() { + if (hashCode == null) { hashCode = new HashCodeBuilder().append(type).append(value) .toHashCode(); } @@ -293,8 +291,7 @@ public interface SecurityEvaluator } @Override - public String toString() - { + public String toString() { return String.format("[%s:%s]", getType(), getValue()); } } 
@@ -302,8 +299,7 @@ public interface SecurityEvaluator /** * An immutable triple of SecNodes. */ - public static class SecTriple implements Comparable<SecTriple> - { + public static class SecTriple implements Comparable<SecTriple> { private final SecNode subject; private final SecNode predicate; private final SecNode object; @@ -317,24 +313,25 @@ public interface SecurityEvaluator /** * Create the sec triple - * @param subject The subject node. - * @param predicate The predicate node. - * @param object The object node. - * @throws IllegalArgumentException is any value is null. + * + * @param subject + * The subject node. + * @param predicate + * The predicate node. + * @param object + * The object node. + * @throws IllegalArgumentException + * is any value is null. */ - public SecTriple( final SecNode subject, final SecNode predicate, - final SecNode object ) - { - if (subject == null) - { + public SecTriple(final SecNode subject, final SecNode predicate, + final SecNode object) { + if (subject == null) { throw new IllegalArgumentException("Subject may not be null"); } - if (predicate == null) - { + if (predicate == null) { throw new IllegalArgumentException("Predicate may not be null"); } - if (object == null) - { + if (object == null) { throw new IllegalArgumentException("Object may not be null"); } this.subject = subject; @@ -343,25 +340,20 @@ public interface SecurityEvaluator } @Override - public int compareTo( final SecTriple o ) - { - if (o == null) - { + public int compareTo(final SecTriple o) { + if (o == null) { return 1; } int retval = subject.compareTo(o.subject); - if (retval == 0) - { + if (retval == 0) { retval = predicate.compareTo(o.predicate); } return retval == 0 ? object.compareTo(o.object) : retval; } @Override - public boolean equals( final Object o ) - { - if (o instanceof SecTriple) - { + public boolean equals(final Object o) { + if (o instanceof SecTriple) { return this.compareTo((SecTriple) o) == 0; } return false; 
@@ -370,32 +362,27 @@ public interface SecurityEvaluator /** * @return the object node. */ - public SecNode getObject() - { + public SecNode getObject() { return object; } /** * @return the predicate node. */ - public SecNode getPredicate() - { + public SecNode getPredicate() { return predicate; } /** * @return the subject node. */ - public SecNode getSubject() - { + public SecNode getSubject() { return subject; } @Override - public int hashCode() - { - if (hashCode == null) - { + public int hashCode() { + if (hashCode == null) { hashCode = new HashCodeBuilder().append(object) .append(predicate).append(subject).toHashCode(); } 
@@ -403,43 +390,46 @@ public interface SecurityEvaluator } @Override - public String toString() - { + public String toString() { return String.format("( %s, %s, %s )", getSubject(), getPredicate(), getObject()); } } /** - * A collection of utility functions for the SecurityEvaluator implementations. + * A collection of utility functions for the SecurityEvaluator + * implementations. */ - public static class Util - { + public static class Util { /** * Return an array of actions as a set. - * <p>The order of the collection is preserved</p> - * @param actions The actions. + * <p> + * The order of the collection is preserved + * </p> + * + * @param actions + * The actions. * @return The set of actions. */ - public static Set<Action> asSet( final Action[] actions ) - { + public static Set<Action> asSet(final Action[] actions) { return Util.asSet(Arrays.asList(actions)); } /** * Return a collection of actions as a set. - * <p>The order of the collection is preserved</p> - * @param actions The collection of actions. + * <p> + * The order of the collection is preserved + * </p> + * + * @param actions + * The collection of actions. * @return The set of actions. */ - public static Set<Action> asSet( final Collection<Action> actions ) - { - if (actions instanceof Set) - { + public static Set<Action> asSet(final Collection<Action> actions) { + if (actions instanceof Set) { return (Set<Action>) actions; } - else - { + else { return new LinkedHashSet<Action>(actions); } } 
@@ -447,14 +437,17 @@ public interface SecurityEvaluator /** * Determine if the action is allowed on the graph. - * + * + * @param principal + * The principal that is attempting the action. + * * @param action * The action to perform * @param graphIRI * The IRI of the graph to check * @return true if the action is allowed, false otherwise. */ - public boolean evaluate( Action action, SecNode graphIRI ); + public boolean evaluate(Object principal, Action action, SecNode graphIRI); /** * Determine if the action is allowed on the triple within the graph. 
@@ -462,124 +455,161 @@ public interface SecurityEvaluator * The evaluation should be performed in the following order: * <ol> * <li> - * If the triple contains a <code>VARIABLE</code> then this method must return <code>true</code> if - * there are any restrictions where the remaining nodes are either constants or <code>ANY</code> - * nodes. This will force the system to use subsequent checks to verify access by substituting - * the value of the <code>VARIABLE</code>s. <em>If the system can not quickly verify the solution + * If the triple contains a <code>VARIABLE</code> then this method must + * return <code>true</code> if there are any restrictions where the + * remaining nodes are either constants or <code>ANY</code> nodes. This will + * force the system to use subsequent checks to verify access by + * substituting the value of the <code>VARIABLE</code>s. + * <em>If the system can not quickly verify the solution * it is always acceptable to return <code>true</code>.</em> * <li> - * Except as specified in the above check, if the triple contains an <code>ANY</code> then this - * method must return <code>false</code> if - * there are any restrictions where the remaining nodes are held constant and the ANY - * node is allowed to vary. This checks is used to avoid subsequent explicit triple checks. + * Except as specified in the above check, if the triple contains an + * <code>ANY</code> then this method must return <code>false</code> if there + * are any restrictions where the remaining nodes are held constant and the + * ANY node is allowed to vary. This checks is used to avoid subsequent + * explicit triple checks. * <em>If the system can not quickly verify the solution it is always - * acceptable to return <code>false</code>.</em> - * </li> - * <li>All other triples are explict triples and the system must determine if the user is - * permitted to perform the action on the triple. 
- * If the triple contains a <code>FUTURE</code> node that node should be considered as - * an anonymous or blank node that is not yet created. It should only be used with - * <code>Create</code> actions and is asking if the user may create a blank node in that - * position in the triple.</li> + * acceptable to return <code>false</code>.</em></li> + * <li>All other triples are explict triples and the system must determine + * if the user is permitted to perform the action on the triple. If the + * triple contains a <code>FUTURE</code> node that node should be considered + * as an anonymous or blank node that is not yet created. It should only be + * used with <code>Create</code> actions and is asking if the user may + * create a blank node in that position in the triple.</li> * </ol> * </p> + * + * @param principal + * The principal that is attempting the action. + * * @param action * The action to perform * @param graphIRI - * The IRI of the graph to the action is being taken upon. May be <code>ANY</code>. + * The IRI of the graph to the action is being taken upon. May be + * <code>ANY</code>. * @param triple * The triple to check * @return true if the action is allowed, false otherwise. - * @throws IllegalArgumentException if any argument is null. + * @throws IllegalArgumentException + * if any argument is null. */ - public boolean evaluate( Action action, SecNode graphIRI, SecTriple triple ); + public boolean evaluate(Object principal, Action action, SecNode graphIRI, + SecTriple triple); /** * Determine if all actions are allowed on the graph. - * + * + * @param principal + * The principal that is attempting the action. + * * @param actions * The set of actions to perform * @param graphIRI - * The IRI of the graph to the action is being taken upon. May be <code>ANY</code>. + * The IRI of the graph to the action is being taken upon. May be + * <code>ANY</code>. * @return true if all the actions are allowed, false otherwise. 
- * @throws IllegalArgumentException if any argument is null. + * @throws IllegalArgumentException + * if any argument is null. */ - public boolean evaluate( Set<Action> actions, SecNode graphIRI ); + public boolean evaluate(Object principal, Set<Action> actions, + SecNode graphIRI); /** * Determine if all the actions are allowed on the triple within the graph. * <p> - * See evaluate( Action, SecNode, SecTriple ) for discussion of evaluation strategy. + * See evaluate( Action, SecNode, SecTriple ) for discussion of evaluation + * strategy. * </p> + * * @param actions * The actions to perform. * @param graphIRI - * The IRI of the graph to the action is being taken upon. May be <code>ANY</code>. + * The IRI of the graph to the action is being taken upon. May be + * <code>ANY</code>. * @param triple * The triple to check * @return true if all the actions are allowed, false otherwise. - * @throws IllegalArgumentException if any argument is null. + * @throws IllegalArgumentException + * if any argument is null. */ - public boolean evaluate( Set<Action> actions, SecNode graphIRI, - SecTriple triple ); + public boolean evaluate(Object principal, Set<Action> actions, + SecNode graphIRI, SecTriple triple); /** * Determine if any of the actions are allowed on the graph. - * + * + * @param principal + * The principal that is attempting the action. + * * @param actions * The actions to perform * @param graphIRI - * The IRI of the graph to the action is being taken upon. May be <code>ANY</code>. + * The IRI of the graph to the action is being taken upon. May be + * <code>ANY</code>. * @return true true if any the actions are allowed, false otherwise. - * @throws IllegalArgumentException if any argument is null. + * @throws IllegalArgumentException + * if any argument is null. 
*/ - public boolean evaluateAny( Set<Action> actions, SecNode graphIRI ); + public boolean evaluateAny(Object principal, Set<Action> actions, + SecNode graphIRI); /** - * Determine if any of the actions are allowed on the triple within the graph. + * Determine if any of the actions are allowed on the triple within the + * graph. * <p> - * See evaluate( Action, SecNode, SecTriple ) for discussion of evaluation strategy. + * See evaluate( Action, SecNode, SecTriple ) for discussion of evaluation + * strategy. * </p> - * + * + * @param principal + * The principal that is attempting the action. + * * @param actions * The actions to check. * @param graphIRI - * The IRI of the graph to the action is being taken upon. May be <code>ANY</code>. + * The IRI of the graph to the action is being taken upon. May be + * <code>ANY</code>. * @param triple * The triple to check * @return true if any the actions are allowed, false otherwise. - * @throws IllegalArgumentException if any argument is null. + * @throws IllegalArgumentException + * if any argument is null. */ - public boolean evaluateAny( Set<Action> actions, SecNode graphIRI, - SecTriple triple ); + public boolean evaluateAny(Object principal, Set<Action> actions, + SecNode graphIRI, SecTriple triple); /** * Determine if the user is allowed to update the "from" triple to the "to" * triple. * <p> - * Update is a special case since it modifies one triple to be another. So the user must - * have permissions to change the "from" triple into the "to" triple. - * + * Update is a special case since it modifies one triple to be another. So + * the user must have permissions to change the "from" triple into the "to" + * triple. + * + * @param principal + * The principal that is attempting the action. * @param graphIRI - * The IRI of the graph to the action is being taken upon. May be <code>ANY</code>. + * The IRI of the graph to the action is being taken upon. May be + * <code>ANY</code>. 
* @param from * The triple to be changed * @param to * The value to change it to. * @return true if the user may make the change, false otherwise. - * @throws IllegalArgumentException if any argument is null. + * @throws IllegalArgumentException + * if any argument is null. */ - public boolean evaluateUpdate( SecNode graphIRI, SecTriple from, - SecTriple to ); + public boolean evaluateUpdate(Object principal, SecNode graphIRI, + SecTriple from, SecTriple to); /** * returns the current principal or null if there is no current principal. - * - * All security evaluation methods use this method to determine who - * the call is being executed as. This allows subsystems (like the listener system) - * to capture the current user - * and evaluate later calls in terms of that user. - * + * + * All security evaluation methods use this method to determine who the call + * is being executed as. This allows subsystems (like the listener system) + * to capture the current user and evaluate later calls in terms of that + * user. + * * @return The current principal */ public Object getPrincipal(); http://git-wip-us.apache.org/repos/asf/jena/blob/23d1bde2/jena-security/src/main/java/org/apache/jena/security/graph/SecuredCapabilities.java ---------------------------------------------------------------------- diff --git a/jena-security/src/main/java/org/apache/jena/security/graph/SecuredCapabilities.java b/jena-security/src/main/java/org/apache/jena/security/graph/SecuredCapabilities.java index d39e116..55dac8f 100644 --- a/jena-security/src/main/java/org/apache/jena/security/graph/SecuredCapabilities.java +++ b/jena-security/src/main/java/org/apache/jena/security/graph/SecuredCapabilities.java 
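Review bot: `evaluate(Object principal, Set<Action> actions, SecNode graphIRI, SecTriple triple)` is the one overload whose Javadoc did not receive a `@param principal` entry; add `@param principal The principal that is attempting the action.` to match its siblings. The contract for a null principal is now ambiguous: every overload still says `@throws IllegalArgumentException if any argument is null`, yet `getPrincipal()` is documented to return null when there is no current principal and callers in this commit capture that value and pass it straight back in, so the interface should state whether null means "anonymous" or must be rejected. The `getPrincipal()` Javadoc ("All security evaluation methods use this method to determine who the call is being executed as") is stale now that the principal is an explicit argument; reword it to say it supplies the default principal that callers pass to the evaluate methods. Typing the principal as `Object` (this commit also drops the `java.security.Principal` import in SecuredGraphEventManager) gives up compile-time checking on a security-critical identity; if implementations cannot agree on a type, at least document here what an implementation may assume about the value it receives. The interface's closing brace is outside this hunk.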
@@ -62,7 +62,7 @@ public class SecuredCapabilities implements Capabilities
 @Override
 public boolean addAllowed()
 {
- return securityEvaluator.evaluate(Action.Update, graphIRI)
+ return securityEvaluator.evaluate(securityEvaluator.getPrincipal(), Action.Update, graphIRI)
 && capabilities.addAllowed();
 }
@@ -73,12 +73,14 @@ public class SecuredCapabilities implements Capabilities
 @Override
 public boolean addAllowed( final boolean everyTriple )
 {
- boolean retval = securityEvaluator.evaluate(Action.Update, graphIRI)
+ Object principal = securityEvaluator.getPrincipal();
+
+ boolean retval = securityEvaluator.evaluate(principal, Action.Update, graphIRI)
 && capabilities.addAllowed(everyTriple);
 if (retval && everyTriple)
 {
 // special security check
- retval = securityEvaluator.evaluate(Action.Create, graphIRI,
+ retval = securityEvaluator.evaluate(principal, Action.Create, graphIRI,
 SecTriple.ANY);
 }
 return retval;
@@ -96,7 +98,7 @@ public class SecuredCapabilities implements Capabilities
 @Override
 public boolean deleteAllowed()
 {
- return securityEvaluator.evaluate(Action.Update, graphIRI)
+ return securityEvaluator.evaluate(securityEvaluator.getPrincipal(), Action.Update, graphIRI)
 && capabilities.deleteAllowed();
 }
@@ -107,12 +109,14 @@ public class SecuredCapabilities implements Capabilities
 @Override
 public boolean deleteAllowed( final boolean everyTriple )
 {
- boolean retval = securityEvaluator.evaluate(Action.Update, graphIRI)
+ Object principal = securityEvaluator.getPrincipal();
+
+ boolean retval = securityEvaluator.evaluate(principal, Action.Update, graphIRI)
 && capabilities.addAllowed(everyTriple);
 if (retval && everyTriple)
 {
 // special security check
- retval = securityEvaluator.evaluate(Action.Delete, graphIRI,
+ retval = securityEvaluator.evaluate(principal, Action.Delete, graphIRI,
 SecTriple.ANY);
 }
 return retval;
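Review bot: `deleteAllowed(final boolean everyTriple)` still delegates to `capabilities.addAllowed(everyTriple)` on the context line right after the new `boolean retval = securityEvaluator.evaluate(principal, Action.Update, graphIRI)`; this looks like a copy of `addAllowed(boolean)` and should read `&& capabilities.deleteAllowed(everyTriple);`, otherwise an underlying graph that forbids bulk delete but permits bulk add is reported as deletable. The commit only threads the principal through and leaves that line untouched. Separately, `addAllowed()` and `deleteAllowed()` both gate on `Action.Update` at graph level while the `everyTriple` variants then check `Action.Create` / `Action.Delete` at triple level; if that asymmetry is intentional, a one-line comment on each method would save the next reader a trip into the evaluator. The methods' closing braces lie outside these hunks.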
@@ -136,7 +140,7 @@ public class SecuredCapabilities implements Capabilities @Override public boolean iteratorRemoveAllowed() { - return securityEvaluator.evaluate(Action.Update, graphIRI) + return securityEvaluator.evaluate(securityEvaluator.getPrincipal(), Action.Update, graphIRI) && capabilities.iteratorRemoveAllowed(); } http://git-wip-us.apache.org/repos/asf/jena/blob/23d1bde2/jena-security/src/main/java/org/apache/jena/security/graph/SecuredGraphEventManager.java ---------------------------------------------------------------------- diff --git a/jena-security/src/main/java/org/apache/jena/security/graph/SecuredGraphEventManager.java b/jena-security/src/main/java/org/apache/jena/security/graph/SecuredGraphEventManager.java index 70549f4..229c953 100644 --- a/jena-security/src/main/java/org/apache/jena/security/graph/SecuredGraphEventManager.java +++ b/jena-security/src/main/java/org/apache/jena/security/graph/SecuredGraphEventManager.java @@ -6,9 +6,9 @@ * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -17,16 +17,6 @@ */ package org.apache.jena.security.graph; -import com.hp.hpl.jena.graph.Graph; -import com.hp.hpl.jena.graph.GraphEventManager; -import com.hp.hpl.jena.graph.GraphListener; -import com.hp.hpl.jena.graph.Triple; -import com.hp.hpl.jena.graph.impl.CollectionGraph; -import com.hp.hpl.jena.util.iterator.ExtendedIterator; -import com.hp.hpl.jena.util.iterator.NiceIterator; -import com.hp.hpl.jena.util.iterator.WrappedIterator; - -import java.security.Principal; import java.util.Arrays; import java.util.Collection; import java.util.Collections; 
@@ -45,21 +35,26 @@ import org.apache.jena.security.impl.CachedSecurityEvaluator; import org.apache.jena.security.impl.SecuredItemImpl; import org.apache.jena.security.utils.PermTripleFilter; +import com.hp.hpl.jena.graph.Graph; +import com.hp.hpl.jena.graph.GraphEventManager; +import com.hp.hpl.jena.graph.GraphListener; +import com.hp.hpl.jena.graph.Triple; +import com.hp.hpl.jena.graph.impl.CollectionGraph; +import com.hp.hpl.jena.util.iterator.ExtendedIterator; +import com.hp.hpl.jena.util.iterator.NiceIterator; +import com.hp.hpl.jena.util.iterator.WrappedIterator; + /** - * Since we sit between the graph and other items we have to determine when the message is - * first seen and send it to the underlying graph if necessary. + * Since we sit between the graph and other items we have to determine when the + * message is first seen and send it to the underlying graph if necessary. */ -public class SecuredGraphEventManager implements GraphEventManager -{ - private class SecuredGraphListener implements GraphListener - { +public class SecuredGraphEventManager implements GraphEventManager { + private class SecuredGraphListener implements GraphListener { private final GraphListener wrapped; private final Object runAs; - SecuredGraphListener( final GraphListener wrapped ) - { - if (wrapped == null) - { + SecuredGraphListener(final GraphListener wrapped) { + if (wrapped == null) { throw new IllegalArgumentException( "Wrapped listener may not be null"); } 
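Review bot: `SecuredGraphListener` is declared without a Javadoc, and its central contract — that the principal it evaluates as is fixed when the listener is registered — is only discoverable from the `this.runAs = securedGraph.getSecurityEvaluator().getPrincipal();` assignment in the constructor, which continues past this hunk. Suggested class comment: `/** Wraps a registered GraphListener and passes each notification through the secured graph's SecurityEvaluator as the principal captured at registration time (runAs), using the ADD and DELETE action sets, so the listener only sees triples that principal is permitted to see. */`. A one-line comment on `runAs` saying it is not refreshed on later notifications would also help, since changing the evaluator's current principal after registration will not change what this listener is shown.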
@@ -67,32 +62,25 @@ public class SecuredGraphEventManager implements GraphEventManager this.runAs = securedGraph.getSecurityEvaluator().getPrincipal(); } - private Triple[] getArray( final Graph g, final Triple[] triples, - final Set<Action> perms ) - { + private Triple[] getArray(final Graph g, final Triple[] triples, + final Set<Action> perms) { Triple[] retval = triples; - if (g instanceof SecuredGraphImpl) - { + if (g instanceof SecuredGraphImpl) { final SecuredGraphImpl sg = (SecuredGraphImpl) g; - final SecurityEvaluator evaluator = CachedSecurityEvaluator - .getInstance(sg.getSecurityEvaluator(), runAs); - if (evaluator.evaluateAny(perms, sg.getModelNode())) - { - if (!evaluator.evaluateAny(perms, sg.getModelNode(), - SecuredItemImpl.convert(Triple.ANY))) - { + final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs); + if (evaluator.evaluateAny(runAs, perms, sg.getModelNode())) { + if (!evaluator.evaluateAny(runAs, perms, sg.getModelNode(), + SecuredItemImpl.convert(Triple.ANY))) { final List<Triple> list = wrapPermIterator(sg, Arrays.asList(triples).iterator(), perms) .toList(); retval = list.toArray(new Triple[list.size()]); } - else - { + else { retval = triples; } } - else - { + else { retval = new Triple[0]; } } 
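Review bot: `getArray` constructs a new `CachedSecurityEvaluator` and then runs the graph-level `evaluateAny(runAs, perms, sg.getModelNode())` followed by the wildcard `evaluateAny(runAs, perms, sg.getModelNode(), SecuredItemImpl.convert(Triple.ANY))`; the same three-step sequence is repeated in each `notifyAdd*`/`notifyDelete*` method of the following hunk and in `wrapPermIterator`, so any change to how the policy is consulted must be made in every one of them. Two private helpers on the listener, called from `getArray` and the notify methods, would keep the policy decision in one place; a sketch follows. With the principal now passed explicitly as `runAs`, the wrapper appears to be needed only where `PermTripleFilter` receives the evaluator and presumably reads `getPrincipal()` from it — a comment on the `new CachedSecurityEvaluator(...)` line stating that would save the next reader the same investigation.
```java
/** Whether runAs may perform any of perms on the graph as a whole. */
private boolean graphPermitted(final SecurityEvaluator evaluator,
        final SecuredGraph sg, final Set<Action> perms) {
    return evaluator.evaluateAny(runAs, perms, sg.getModelNode());
}

/** Whether runAs may perform any of perms on every triple (wildcard check). */
private boolean allTriplesPermitted(final SecurityEvaluator evaluator,
        final SecuredGraph sg, final Set<Action> perms) {
    return evaluator.evaluateAny(runAs, perms, sg.getModelNode(),
            SecuredItemImpl.convert(Triple.ANY));
}

// … unchanged: getArray body, with the two evaluateAny calls replaced by the helpers …
```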
@@ -100,248 +88,196 @@ public class SecuredGraphEventManager implements GraphEventManager } @Override - public void notifyAddArray( final Graph g, final Triple[] triples ) - { + public void notifyAddArray(final Graph g, final Triple[] triples) { final Triple[] added = getArray(g, triples, SecuredGraphEventManager.ADD); - if (added.length > 0) - { + if (added.length > 0) { wrapped.notifyAddArray(g, added); } } @Override - public void notifyAddGraph( final Graph g, final Graph added ) - { + public void notifyAddGraph(final Graph g, final Graph added) { Graph addGraph = added; - if (g instanceof SecuredGraph) - { + if (g instanceof SecuredGraph) { final SecuredGraph sg = (SecuredGraph) g; - final SecurityEvaluator evaluator = CachedSecurityEvaluator - .getInstance(sg.getSecurityEvaluator(), runAs); - if (evaluator.evaluateAny(SecuredGraphEventManager.ADD, - sg.getModelNode())) - { - if (!evaluator.evaluateAny(SecuredGraphEventManager.ADD, - sg.getModelNode(), - SecuredItemImpl.convert(Triple.ANY))) - { + final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs); + if (evaluator.evaluateAny(runAs, SecuredGraphEventManager.ADD, + sg.getModelNode())) { + if (!evaluator.evaluateAny(runAs, + SecuredGraphEventManager.ADD, sg.getModelNode(), + SecuredItemImpl.convert(Triple.ANY))) { final List<Triple> lst = added.find(Triple.ANY) .toList(); addGraph = new CollectionGraph(Arrays.asList(getArray( g, lst.toArray(new Triple[lst.size()]), SecuredGraphEventManager.ADD))); } - else - { + else { addGraph = added; } } - else - { + else { addGraph = new CollectionGraph( Collections.<Triple> emptyList()); } } - if (addGraph.size() > 0) - { + if (addGraph.size() > 0) { wrapped.notifyAddGraph(g, addGraph); } } @Override - public void notifyAddIterator( final Graph g, final Iterator<Triple> it ) - { + public void notifyAddIterator(final Graph g, final Iterator<Triple> it) { - if (g instanceof SecuredGraphImpl) - { + if (g instanceof 
SecuredGraphImpl) { final SecuredGraphImpl sg = (SecuredGraphImpl) g; - final SecurityEvaluator evaluator = CachedSecurityEvaluator - .getInstance(sg.getSecurityEvaluator(), runAs); + final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs); // only report if we can write to the graph - if (evaluator.evaluateAny(SecuredGraphEventManager.ADD, - sg.getModelNode())) - { + if (evaluator.evaluateAny(runAs, SecuredGraphEventManager.ADD, + sg.getModelNode())) { final ExtendedIterator<Triple> iter = wrapPermIterator(sg, it, SecuredGraphEventManager.ADD); - try - { + try { wrapped.notifyAddIterator(g, iter); - } - finally - { + } finally { iter.close(); } } } - else - { + else { wrapped.notifyAddIterator(g, it); } } @Override - public void notifyAddList( final Graph g, final List<Triple> triples ) - { + public void notifyAddList(final Graph g, final List<Triple> triples) { List<Triple> list = triples; - if (g instanceof SecuredGraphImpl) - { + if (g instanceof SecuredGraphImpl) { final SecuredGraphImpl sg = (SecuredGraphImpl) g; - final SecurityEvaluator evaluator = CachedSecurityEvaluator - .getInstance(sg.getSecurityEvaluator(), runAs); - if (evaluator.evaluateAny(SecuredGraphEventManager.ADD, - sg.getModelNode())) - { - if (!evaluator.evaluateAny(SecuredGraphEventManager.ADD, - sg.getModelNode(), - SecuredItemImpl.convert(Triple.ANY))) - { + final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs); + if (evaluator.evaluateAny(runAs, SecuredGraphEventManager.ADD, + sg.getModelNode())) { + if (!evaluator.evaluateAny(runAs, + SecuredGraphEventManager.ADD, sg.getModelNode(), + SecuredItemImpl.convert(Triple.ANY))) { list = wrapPermIterator(sg, triples.iterator(), SecuredGraphEventManager.ADD).toList(); } - else - { + else { list = triples; } } - else - { + else { list = Collections.emptyList(); } } - if (list.size() > 0) - { + if (list.size() > 0) { wrapped.notifyAddList(g, list); } } @Override 
- public void notifyAddTriple( final Graph g, final Triple t ) - { + public void notifyAddTriple(final Graph g, final Triple t) { boolean notify = false; - if (g instanceof SecuredGraph) - { + if (g instanceof SecuredGraph) { final SecuredGraph sg = (SecuredGraph) g; - final SecurityEvaluator evaluator = CachedSecurityEvaluator - .getInstance(sg.getSecurityEvaluator(), runAs); - notify = evaluator.evaluateAny(SecuredGraphEventManager.ADD, - sg.getModelNode()); - if (notify) - { - notify = evaluator.evaluateAny( + final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs); + notify = evaluator.evaluateAny(runAs, + SecuredGraphEventManager.ADD, sg.getModelNode()); + if (notify) { + notify = evaluator.evaluateAny(runAs, SecuredGraphEventManager.ADD, sg.getModelNode(), SecuredItemImpl.convert(t)); } } - else - { + else { notify = true; } - if (notify) - { + if (notify) { wrapped.notifyAddTriple(g, t); } } @Override - public void notifyDeleteArray( final Graph g, final Triple[] triples ) - { + public void notifyDeleteArray(final Graph g, final Triple[] triples) { Triple[] deleted = triples; - if (g instanceof SecuredGraphImpl) - { + if (g instanceof SecuredGraphImpl) { final SecuredGraphImpl sg = (SecuredGraphImpl) g; - final SecurityEvaluator evaluator = CachedSecurityEvaluator - .getInstance(sg.getSecurityEvaluator(), runAs); - if (evaluator.evaluateAny(SecuredGraphEventManager.DELETE, - sg.getModelNode())) - { - if (!evaluator.evaluateAny(SecuredGraphEventManager.DELETE, - sg.getModelNode(), - SecuredItemImpl.convert(Triple.ANY))) - { + final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs); + if (evaluator.evaluateAny(runAs, + SecuredGraphEventManager.DELETE, sg.getModelNode())) { + if (!evaluator.evaluateAny(runAs, + SecuredGraphEventManager.DELETE, sg.getModelNode(), + SecuredItemImpl.convert(Triple.ANY))) { final List<Triple> list = wrapPermIterator(sg, 
Arrays.asList(triples).iterator(), SecuredGraphEventManager.DELETE).toList(); deleted = list.toArray(new Triple[list.size()]); } - else - { + else { deleted = triples; } } - else - { + else { deleted = new Triple[0]; } } - if (deleted.length > 0) - { + if (deleted.length > 0) { wrapped.notifyDeleteArray(g, deleted); } } @Override - public void notifyDeleteGraph( final Graph g, final Graph removed ) - { - if (g instanceof SecuredGraphImpl) - { + public void notifyDeleteGraph(final Graph g, final Graph removed) { + if (g instanceof SecuredGraphImpl) { final SecuredGraphImpl sg = (SecuredGraphImpl) g; - final SecurityEvaluator evaluator = CachedSecurityEvaluator - .getInstance(sg.getSecurityEvaluator(), runAs); - if (evaluator.evaluateAny(SecuredGraphEventManager.DELETE, - sg.getModelNode())) - { + final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs); + if (evaluator.evaluateAny(runAs, + SecuredGraphEventManager.DELETE, sg.getModelNode())) { Graph g2 = removed; - if (!evaluator.evaluateAny(SecuredGraphEventManager.DELETE, - sg.getModelNode(), - SecuredItemImpl.convert(Triple.ANY))) - { + if (!evaluator.evaluateAny(runAs, + SecuredGraphEventManager.DELETE, sg.getModelNode(), + SecuredItemImpl.convert(Triple.ANY))) { g2 = new CollectionGraph( removed.find(Triple.ANY) - .filterKeep( - new PermTripleFilter( - SecuredGraphEventManager.DELETE, - sg, evaluator)) - .toList()); + .filterKeep( + new PermTripleFilter( + SecuredGraphEventManager.DELETE, + sg, evaluator)) + .toList()); } wrapped.notifyDeleteGraph(g, g2); } - else - { + else { // do nothing. 
} } - else - { + else { wrapped.notifyDeleteGraph(g, removed); } } @Override - public void notifyDeleteIterator( final Graph g, - final Iterator<Triple> it ) - { + public void notifyDeleteIterator(final Graph g, + final Iterator<Triple> it) { Iterator<Triple> iter = it; - if (g instanceof SecuredGraphImpl) - { + if (g instanceof SecuredGraphImpl) { final SecuredGraphImpl sg = (SecuredGraphImpl) g; - final SecurityEvaluator evaluator = CachedSecurityEvaluator - .getInstance(sg.getSecurityEvaluator(), runAs); - if (evaluator.evaluateAny(SecuredGraphEventManager.DELETE, - sg.getModelNode())) - { - - if (!evaluator.evaluateAny(SecuredGraphEventManager.DELETE, - sg.getModelNode(), - SecuredItemImpl.convert(Triple.ANY))) - { + final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs); + if (evaluator.evaluateAny(runAs, + SecuredGraphEventManager.DELETE, sg.getModelNode())) { + + if (!evaluator.evaluateAny(runAs, + SecuredGraphEventManager.DELETE, sg.getModelNode(), + SecuredItemImpl.convert(Triple.ANY))) { iter = WrappedIterator.create(it).filterKeep( new PermTripleFilter( SecuredGraphEventManager.DELETE, sg, 
@@ -350,34 +286,27 @@ public class SecuredGraphEventManager implements GraphEventManager // else use the default list as all can bee seen wrapped.notifyDeleteIterator(g, iter); } - else - { + else { // do nothing. } } - else - { + else { wrapped.notifyDeleteIterator(g, iter); } } @Override - public void notifyDeleteList( final Graph g, final List<Triple> triples ) - { + public void notifyDeleteList(final Graph g, final List<Triple> triples) { List<Triple> list = triples; - if (g instanceof SecuredGraphImpl) - { + if (g instanceof SecuredGraphImpl) { final SecuredGraphImpl sg = (SecuredGraphImpl) g; - final SecurityEvaluator evaluator = CachedSecurityEvaluator - .getInstance(sg.getSecurityEvaluator(), runAs); - if (evaluator.evaluateAny(SecuredGraphEventManager.DELETE, - sg.getModelNode())) - { - if (!evaluator.evaluateAny(SecuredGraphEventManager.DELETE, - sg.getModelNode(), - SecuredItemImpl.convert(Triple.ANY))) - { + final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs); + if (evaluator.evaluateAny(runAs, + SecuredGraphEventManager.DELETE, sg.getModelNode())) { + if (!evaluator.evaluateAny(runAs, + SecuredGraphEventManager.DELETE, sg.getModelNode(), + SecuredItemImpl.convert(Triple.ANY))) { list = WrappedIterator .create(triples.iterator()) .filterKeep( 
@@ -387,67 +316,55 @@ public class SecuredGraphEventManager implements GraphEventManager } // else use the default list as all can bee seen } - else - { + else { list = Collections.emptyList(); } } - if (list.size() > 0) - { + if (list.size() > 0) { wrapped.notifyDeleteList(g, list); } } @Override - public void notifyDeleteTriple( final Graph g, final Triple t ) - { + public void notifyDeleteTriple(final Graph g, final Triple t) { boolean notify = false; - if (g instanceof SecuredGraph) - { + if (g instanceof SecuredGraph) { final SecuredGraph sg = (SecuredGraph) g; - final SecurityEvaluator evaluator = CachedSecurityEvaluator - .getInstance(sg.getSecurityEvaluator(), runAs); - notify = evaluator.evaluateAny(SecuredGraphEventManager.DELETE, - sg.getModelNode()); - if (notify) - { - notify = evaluator.evaluateAny( + final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs); + notify = evaluator.evaluateAny(runAs, + SecuredGraphEventManager.DELETE, sg.getModelNode()); + if (notify) { + notify = evaluator.evaluateAny(runAs, SecuredGraphEventManager.DELETE, sg.getModelNode(), SecuredItemImpl.convert(t)); } } - else - { + else { notify = true; } - if (notify) - { + if (notify) { wrapped.notifyDeleteTriple(g, t); } } @Override - public void notifyEvent( final Graph source, final Object value ) - { + public void notifyEvent(final Graph source, final Object value) { wrapped.notifyEvent(source, value); } private ExtendedIterator<Triple> wrapPermIterator( final SecuredGraphImpl sg, final Iterator<Triple> it, - final Set<Action> perms ) - { - final SecurityEvaluator evaluator = CachedSecurityEvaluator - .getInstance(sg.getSecurityEvaluator(), runAs); - if (!evaluator.evaluateAny(perms, sg.getModelNode(), - SecuredItemImpl.convert(Triple.ANY))) - { + final Set<Action> perms) { + final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs); + if (!evaluator.evaluateAny(runAs, perms, sg.getModelNode(), 
+ SecuredItemImpl.convert(Triple.ANY))) { // nope so wrap the iterator with security iterator return WrappedIterator.create(it).filterKeep( new PermTripleFilter(perms, sg, evaluator)); } return WrappedIterator.create(it); - } + } } 
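Review bot: `notifyAddGraph` guards on `g instanceof SecuredGraph` but delegates the filtering to `getArray`, which only filters when `g instanceof SecuredGraphImpl` and otherwise returns its input untouched; for a `SecuredGraph` that is not a `SecuredGraphImpl` (whether such an implementation exists is not visible here) a failed `Triple.ANY` check would therefore still deliver the complete triple set to the wrapped listener. Use the same type test as the sibling methods, `if (g instanceof SecuredGraphImpl) {` with `final SecuredGraphImpl sg = (SecuredGraphImpl) g;`, or change `getArray` to accept the `SecuredGraph` it already has. `getArray` also repeats the graph-level and wildcard `evaluateAny` checks that `notifyAddGraph` has just performed, so both evaluations run twice per notification on that path. `notifyAddTriple` and `notifyDeleteTriple` test for `SecuredGraph` as well but do their own evaluation, so they are not affected.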
@@ -459,251 +376,203 @@ public class SecuredGraphEventManager implements GraphEventManager private static Set<Action> ADD; - static - { + static { SecuredGraphEventManager.ADD = new HashSet<Action>( - Arrays.asList(new Action[] { Action.Create, Action.Read })); + Arrays.asList(new Action[] { + Action.Create, Action.Read + })); SecuredGraphEventManager.DELETE = new HashSet<Action>( - Arrays.asList(new Action[] { Action.Delete, Action.Read })); + Arrays.asList(new Action[] { + Action.Delete, Action.Read + })); } - public SecuredGraphEventManager( final SecuredGraph securedGraph, - final Graph baseGraph, final GraphEventManager manager ) - { + public SecuredGraphEventManager(final SecuredGraph securedGraph, + final Graph baseGraph, final GraphEventManager manager) { this.securedGraph = securedGraph; this.baseGraph = baseGraph; manager.register(this); } - private synchronized Collection<SecuredGraphListener> getListenerCollection() - { + private synchronized Collection<SecuredGraphListener> getListenerCollection() { ExtendedIterator<SecuredGraphListener> retval = NiceIterator .emptyIterator(); - for (final Collection<SecuredGraphListener> coll : listenerMap.values()) - { + for (final Collection<SecuredGraphListener> coll : listenerMap.values()) { retval = retval.andThen(coll.iterator()); } return retval.toList(); } @Override - public boolean listening() - { + public boolean listening() { return !listenerMap.isEmpty(); } @Override - public void notifyAddArray( final Graph g, final Triple[] triples ) - { + public void notifyAddArray(final Graph g, final Triple[] triples) { final boolean wrap = baseGraph.equals(g); - for (final SecuredGraphListener sgl : getListenerCollection()) - { - if (wrap) - { + for (final SecuredGraphListener sgl : getListenerCollection()) { + if (wrap) { sgl.notifyAddArray(securedGraph, triples); } - else - { + else { sgl.notifyAddArray(g, triples); } } } @Override - public void notifyAddGraph( final Graph g, final Graph added ) - { + public void 
notifyAddGraph(final Graph g, final Graph added) { final boolean wrap = baseGraph.equals(g); - for (final SecuredGraphListener sgl : getListenerCollection()) - { - if (wrap) - { + for (final SecuredGraphListener sgl : getListenerCollection()) { + if (wrap) { sgl.notifyAddGraph(securedGraph, added); } - else - { + else { sgl.notifyAddGraph(g, added); } } } @Override - public void notifyAddIterator( final Graph g, final Iterator<Triple> it ) - { + public void notifyAddIterator(final Graph g, final Iterator<Triple> it) { notifyAddIterator(g, WrappedIterator.create(it).toList()); baseGraph.equals(g); } @Override - public void notifyAddIterator( final Graph g, final List<Triple> triples ) - { + public void notifyAddIterator(final Graph g, final List<Triple> triples) { final boolean wrap = baseGraph.equals(g); - for (final SecuredGraphListener sgl : getListenerCollection()) - { - if (wrap) - { + for (final SecuredGraphListener sgl : getListenerCollection()) { + if (wrap) { sgl.notifyAddIterator(securedGraph, triples.iterator()); } - else - { + else { sgl.notifyAddIterator(g, triples.iterator()); } } } @Override - public void notifyAddList( final Graph g, final List<Triple> triples ) - { + public void notifyAddList(final Graph g, final List<Triple> triples) { final boolean wrap = baseGraph.equals(g); - for (final SecuredGraphListener sgl : getListenerCollection()) - { - if (wrap) - { + for (final SecuredGraphListener sgl : getListenerCollection()) { + if (wrap) { sgl.notifyAddList(securedGraph, triples); } - else - { + else { sgl.notifyAddList(g, triples); } } } @Override - public void notifyAddTriple( final Graph g, final Triple t ) - { + public void notifyAddTriple(final Graph g, final Triple t) { final boolean wrap = baseGraph.equals(g); - for (final SecuredGraphListener sgl : getListenerCollection()) - { - if (wrap) - { + for (final SecuredGraphListener sgl : getListenerCollection()) { + if (wrap) { sgl.notifyAddTriple(securedGraph, t); } - else - { + else { 
sgl.notifyAddTriple(g, t); } } } @Override - public void notifyDeleteArray( final Graph g, final Triple[] triples ) - { + public void notifyDeleteArray(final Graph g, final Triple[] triples) { final boolean wrap = baseGraph.equals(g); - for (final SecuredGraphListener sgl : getListenerCollection()) - { - if (wrap) - { + for (final SecuredGraphListener sgl : getListenerCollection()) { + if (wrap) { sgl.notifyDeleteArray(securedGraph, triples); } - else - { + else { sgl.notifyDeleteArray(g, triples); } } } @Override - public void notifyDeleteGraph( final Graph g, final Graph removed ) - { + public void notifyDeleteGraph(final Graph g, final Graph removed) { final boolean wrap = baseGraph.equals(g); - for (final SecuredGraphListener sgl : getListenerCollection()) - { - if (wrap) - { + for (final SecuredGraphListener sgl : getListenerCollection()) { + if (wrap) { sgl.notifyDeleteGraph(securedGraph, removed); } - else - { + else { sgl.notifyDeleteGraph(g, removed); } } } @Override - public void notifyDeleteIterator( final Graph g, final Iterator<Triple> it ) - { + public void notifyDeleteIterator(final Graph g, final Iterator<Triple> it) { notifyDeleteIterator(g, WrappedIterator.create(it).toList()); } @Override - public void notifyDeleteIterator( final Graph g, final List<Triple> triples ) - { + public void notifyDeleteIterator(final Graph g, final List<Triple> triples) { final boolean wrap = baseGraph.equals(g); - for (final SecuredGraphListener sgl : getListenerCollection()) - { - if (wrap) - { + for (final SecuredGraphListener sgl : getListenerCollection()) { + if (wrap) { sgl.notifyDeleteIterator(securedGraph, triples.iterator()); } - else - { + else { sgl.notifyDeleteIterator(g, triples.iterator()); } } } @Override - public void notifyDeleteList( final Graph g, final List<Triple> L ) - { + public void notifyDeleteList(final Graph g, final List<Triple> L) { final boolean wrap = baseGraph.equals(g); - for (final SecuredGraphListener sgl : getListenerCollection()) - 
{ - if (wrap) - { + for (final SecuredGraphListener sgl : getListenerCollection()) { + if (wrap) { sgl.notifyDeleteList(securedGraph, L); } - else - { + else { sgl.notifyDeleteList(g, L); } } } @Override - public void notifyDeleteTriple( final Graph g, final Triple t ) - { + public void notifyDeleteTriple(final Graph g, final Triple t) { final boolean wrap = baseGraph.equals(g); - for (final SecuredGraphListener sgl : getListenerCollection()) - { - if (wrap) - { + for (final SecuredGraphListener sgl : getListenerCollection()) { + if (wrap) { sgl.notifyDeleteTriple(securedGraph, t); } - else - { + else { sgl.notifyDeleteTriple(g, t); } } } @Override - public void notifyEvent( final Graph source, final Object value ) - { - if (source instanceof SecuredGraph && securedGraph.equals(source)) - { - baseGraph.getEventManager().notifyEvent( baseGraph, value); + public void notifyEvent(final Graph source, final Object value) { + if ((source instanceof SecuredGraph) && securedGraph.equals(source)) { + baseGraph.getEventManager().notifyEvent(baseGraph, value); } else { - + final boolean wrap = baseGraph.equals(source); - for (final SecuredGraphListener sgl : getListenerCollection()) - { - if (wrap) - { + for (final SecuredGraphListener sgl : getListenerCollection()) { + if (wrap) { sgl.notifyEvent(securedGraph, value); } - else - { + else { sgl.notifyEvent(source, value); } } @@ -711,11 +580,9 @@ public class SecuredGraphEventManager implements GraphEventManager } @Override - public synchronized GraphEventManager register( final GraphListener listener ) - { + public synchronized GraphEventManager register(final GraphListener listener) { Stack<SecuredGraphListener> sgl = listenerMap.get(listener); - if (sgl == null) - { + if (sgl == null) { sgl = new Stack<SecuredGraphListener>(); } sgl.push(new SecuredGraphListener(listener)); 
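Review bot: In the outer `notifyAddIterator(final Graph g, final Iterator<Triple> it)` the statement `baseGraph.equals(g);` after the delegating call has no effect and should be removed; it looks like a leftover of the `final boolean wrap = baseGraph.equals(g);` pattern the neighbouring methods use. The `ADD` and `DELETE` permission sets are non-final static `HashSet`s filled in the static block and then handed to `PermTripleFilter` and `evaluateAny`; declaring them `private static final Set<Action>` and wrapping the value in `Collections.unmodifiableSet(...)` rules out the shared permission sets being modified after class initialisation. Only `ADD`'s declaration is inside this hunk; `DELETE`'s is outside it.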
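Review bot: `register` keeps a `Stack<SecuredGraphListener>` per listener; `Stack` is a synchronized legacy class and `ArrayDeque` is the usual replacement, although the type of `listenerMap` (declared outside this hunk) would have to change with it. The rest of the method, including the `listenerMap.put` that presumably follows `sgl.push(...)`, is outside the hunk.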
@@ -725,17 +592,13 @@ public class SecuredGraphEventManager implements GraphEventManager @Override public synchronized GraphEventManager unregister( - final GraphListener listener ) - { + final GraphListener listener) { final Stack<SecuredGraphListener> sgl = listenerMap.get(listener); - if (sgl != null) - { - if (sgl.size() == 1) - { + if (sgl != null) { + if (sgl.size() == 1) { listenerMap.remove(listener); } - else - { + else { sgl.pop(); listenerMap.put(listener, sgl); } http://git-wip-us.apache.org/repos/asf/jena/blob/23d1bde2/jena-security/src/main/java/org/apache/jena/security/impl/CachedSecurityEvaluator.java ---------------------------------------------------------------------- diff --git a/jena-security/src/main/java/org/apache/jena/security/impl/CachedSecurityEvaluator.java b/jena-security/src/main/java/org/apache/jena/security/impl/CachedSecurityEvaluator.java index 342f35b..ffc2868 100644 --- a/jena-security/src/main/java/org/apache/jena/security/impl/CachedSecurityEvaluator.java +++ b/jena-security/src/main/java/org/apache/jena/security/impl/CachedSecurityEvaluator.java @@ -6,9 +6,9 @@ * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
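Review bot: In `unregister`, `listenerMap.put(listener, sgl);` after `sgl.pop();` re-inserts the very `Stack` instance that `listenerMap.get(listener)` returned, so it is a no-op and the `else` branch can be reduced to `sgl.pop();`. The method's return statement lies outside the hunk.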
@@ -17,91 +17,74 @@ */ package org.apache.jena.security.impl; -import java.lang.reflect.InvocationHandler; -import java.lang.reflect.Method; -import java.lang.reflect.Proxy; -import java.util.LinkedHashSet; import java.util.Set; -import org.apache.commons.lang.ClassUtils; import org.apache.jena.security.SecurityEvaluator; /** * A SecurityEvaluator that can be cached for later use. */ -public class CachedSecurityEvaluator implements InvocationHandler -{ +public class CachedSecurityEvaluator implements SecurityEvaluator { private final SecurityEvaluator wrapped; private final Object origPrincipal; - // The getPrincipal() method. - private static Method GET_PRINCIPAL; + /** + * + * @param wrapped + * @param runAs + */ + public CachedSecurityEvaluator(final SecurityEvaluator wrapped, + final Object runAs) { + this.origPrincipal = runAs; + this.wrapped = wrapped; + } - static - { - try - { - CachedSecurityEvaluator.GET_PRINCIPAL = SecurityEvaluator.class - .getMethod("getPrincipal"); - } - catch (final SecurityException e) - { - throw new RuntimeException(e); - } - catch (final NoSuchMethodException e) - { - throw new RuntimeException(e); - } + @Override + public boolean evaluate(final Object principal, final Action action, + final SecNode graphIRI) { + return wrapped.evaluate(principal, action, graphIRI); } - /** - * Create an instance. - * @param evaluator The security evaluator we are caching. - * @param runAs The principal that we want to use when checking the permissions. - * @return The proxied SecurityEvaluator. 
- */ - public static SecurityEvaluator getInstance( - final SecurityEvaluator evaluator, final Object runAs ) - { - final Set<Class<?>> ifac = new LinkedHashSet<Class<?>>(); - if (evaluator.getClass().isInterface()) - { - ifac.add(evaluator.getClass()); - } - ifac.addAll(ClassUtils.getAllInterfaces(evaluator.getClass())); + @Override + public boolean evaluate(final Object principal, final Action action, + final SecNode graphIRI, final SecTriple triple) { + return wrapped.evaluate(principal, action, graphIRI, triple); + } - return (SecurityEvaluator) Proxy.newProxyInstance( - SecuredItemImpl.class.getClassLoader(), - ifac.toArray(new Class<?>[ifac.size()]), - new CachedSecurityEvaluator(evaluator, runAs)); + @Override + public boolean evaluate(final Object principal, final Set<Action> actions, + final SecNode graphIRI) { + return wrapped.evaluate(principal, actions, graphIRI); } - /** - * - * @param wrapped - * @param runAs - */ - private CachedSecurityEvaluator( final SecurityEvaluator wrapped, - final Object runAs ) - { - origPrincipal = runAs; - this.wrapped = wrapped; + @Override + public boolean evaluate(final Object principal, final Set<Action> actions, + final SecNode graphIRI, final SecTriple triple) { + return wrapped.evaluate(principal, actions, graphIRI, triple); } @Override - public Object invoke( final Object proxy, final Method method, - final Object[] args ) throws Throwable - { - // check for the special case methods - if (CachedSecurityEvaluator.GET_PRINCIPAL.equals(method)) - { - return origPrincipal; - } + public boolean evaluateAny(final Object principal, + final Set<Action> actions, final SecNode graphIRI) { + return wrapped.evaluateAny(principal, actions, graphIRI); + } - // if we get here then the method is not being proxied so call the - // original method - // on the base item. 
- return method.invoke(wrapped, args); + @Override + public boolean evaluateAny(final Object principal, + final Set<Action> actions, final SecNode graphIRI, + final SecTriple triple) { + return wrapped.evaluateAny(principal, actions, graphIRI, triple); + } + + @Override + public boolean evaluateUpdate(final Object principal, + final SecNode graphIRI, final SecTriple from, final SecTriple to) { + return wrapped.evaluateUpdate(principal, graphIRI, from, to); + } + @Override + public Object getPrincipal() { + return origPrincipal; } + } http://git-wip-us.apache.org/repos/asf/jena/blob/23d1bde2/jena-security/src/main/java/org/apache/jena/security/impl/SecuredItemImpl.java ---------------------------------------------------------------------- diff --git a/jena-security/src/main/java/org/apache/jena/security/impl/SecuredItemImpl.java b/jena-security/src/main/java/org/apache/jena/security/impl/SecuredItemImpl.java index b095356..dac1036 100644 --- a/jena-security/src/main/java/org/apache/jena/security/impl/SecuredItemImpl.java +++ b/jena-security/src/main/java/org/apache/jena/security/impl/SecuredItemImpl.java @@ -334,7 +334,7 @@ public abstract class SecuredItemImpl implements SecuredItem Boolean retval = cacheGet(key); if (retval == null) { - retval = securityEvaluator.evaluate(Action.Create, modelNode); + retval = securityEvaluator.evaluate(securityEvaluator.getPrincipal(),Action.Create, modelNode); cachePut(key, retval); } return retval; @@ -352,7 +352,7 @@ public abstract class SecuredItemImpl implements SecuredItem Boolean retval = cacheGet(key); if (retval == null) { - retval = securityEvaluator.evaluate(Action.Create, modelNode, t); + retval = securityEvaluator.evaluate(securityEvaluator.getPrincipal(),Action.Create, modelNode, t); cachePut(key, retval); } return retval; 
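Review bot: The constructor Javadoc in `CachedSecurityEvaluator` has empty `@param wrapped` and `@param runAs` tags, and the class comment ("can be cached for later use") no longer describes the class: every `evaluate*` override forwards the caller-supplied `principal` unchanged, and only `getPrincipal()` returns `origPrincipal`, so the run-as principal is applied only when a caller passes `getPrincipal()` back in. Suggested class Javadoc: `Wraps a SecurityEvaluator so that getPrincipal() returns the run-as principal supplied at construction; evaluate* calls are forwarded verbatim, including their principal argument, so callers must pass getPrincipal() explicitly to evaluate as the run-as principal.` Suggested tags: `@param wrapped the evaluator that performs the actual checks` and `@param runAs the principal reported by getPrincipal()`. An `Objects.requireNonNull(wrapped, "wrapped")` in the constructor would fail fast on a null evaluator instead of at the first evaluation.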
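Review bot: In the @@ -334 hunk of `SecuredItemImpl` the evaluation result is stored under `key`, which is computed before the hunk begins; now that the principal is an explicit argument, confirm that the key incorporates `securityEvaluator.getPrincipal()` (not visible here), otherwise a result evaluated for one principal could be served to a different one from the cache. The same applies to the @@ -352 hunk and to the -375, -393, -416, -434, -457 and -477 hunks of this file. Each of these also drops the space after the comma, `getPrincipal(),Action.Create`; `getPrincipal(), Action.Create` matches the formatting used elsewhere in the commit. The enclosing methods start outside the hunks.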
@@ -375,7 +375,7 @@ public abstract class SecuredItemImpl implements SecuredItem
 Boolean retval = cacheGet(key);
 if (retval == null)
 {
- retval = securityEvaluator.evaluate(Action.Delete, modelNode);
+ retval = securityEvaluator.evaluate(securityEvaluator.getPrincipal(),Action.Delete, modelNode);
 cachePut(key, retval);
 }
 return retval;
@@ -393,7 +393,7 @@ public abstract class SecuredItemImpl implements SecuredItem
 Boolean retval = cacheGet(key);
 if (retval == null)
 {
- retval = securityEvaluator.evaluate(Action.Delete, modelNode, t);
+ retval = securityEvaluator.evaluate(securityEvaluator.getPrincipal(),Action.Delete, modelNode, t);
 cachePut(key, retval);
 }
 return retval;
@@ -416,7 +416,7 @@ public abstract class SecuredItemImpl implements SecuredItem
 Boolean retval = cacheGet(key);
 if (retval == null)
 {
- retval = securityEvaluator.evaluate(Action.Read, modelNode);
+ retval = securityEvaluator.evaluate(securityEvaluator.getPrincipal(),Action.Read, modelNode);
 cachePut(key, retval);
 }
 return retval;
@@ -434,7 +434,7 @@ public abstract class SecuredItemImpl implements SecuredItem
 Boolean retval = cacheGet(key);
 if (retval == null)
 {
- retval = securityEvaluator.evaluate(Action.Read, modelNode, t);
+ retval = securityEvaluator.evaluate(securityEvaluator.getPrincipal(),Action.Read, modelNode, t);
 cachePut(key, retval);
 }
 return retval;
@@ -457,7 +457,7 @@ public abstract class SecuredItemImpl implements SecuredItem
 Boolean retval = cacheGet(key);
 if (retval == null)
 {
- retval = securityEvaluator.evaluate(Action.Update, modelNode);
+ retval = securityEvaluator.evaluate(securityEvaluator.getPrincipal(),Action.Update, modelNode);
 cachePut(key, retval);
 }
 return retval;
@@ -477,7 +477,7 @@ public abstract class SecuredItemImpl implements SecuredItem
 Boolean retval = cacheGet(key);
 if (retval == null)
 {
- retval = securityEvaluator.evaluateUpdate(modelNode, from, to);
+ retval = securityEvaluator.evaluateUpdate(securityEvaluator.getPrincipal(),modelNode, from, to);
 cachePut(key, retval);
 }
 return retval;
http://git-wip-us.apache.org/repos/asf/jena/blob/23d1bde2/jena-security/src/main/java/org/apache/jena/security/model/impl/SecuredRDFListImpl.java
----------------------------------------------------------------------
diff --git a/jena-security/src/main/java/org/apache/jena/security/model/impl/SecuredRDFListImpl.java b/jena-security/src/main/java/org/apache/jena/security/model/impl/SecuredRDFListImpl.java
index d0b07c0..4397244 100644
--- a/jena-security/src/main/java/org/apache/jena/security/model/impl/SecuredRDFListImpl.java
+++ b/jena-security/src/main/java/org/apache/jena/security/model/impl/SecuredRDFListImpl.java
@@ -895,7 +895,7 @@ public class SecuredRDFListImpl extends SecuredResourceImpl implements
 // have to be able to read and delete to delete all.
 final Set<Action> perms = SecurityEvaluator.Util.asSet(new Action[] { Action.Delete, Action.Read });
- if (getSecurityEvaluator().evaluate(perms, this.getModelNode(),
+ if (getSecurityEvaluator().evaluate(getSecurityEvaluator().getPrincipal(), perms, this.getModelNode(),
 SecuredItemImpl.convert(t)))
 {
 holder.getBaseItem().removeList();
http://git-wip-us.apache.org/repos/asf/jena/blob/23d1bde2/jena-security/src/main/java/org/apache/jena/security/model/impl/SecuredRSIterator.java
----------------------------------------------------------------------
diff --git a/jena-security/src/main/java/org/apache/jena/security/model/impl/SecuredRSIterator.java b/jena-security/src/main/java/org/apache/jena/security/model/impl/SecuredRSIterator.java
index 15d5626..3eae571 100644
--- a/jena-security/src/main/java/org/apache/jena/security/model/impl/SecuredRSIterator.java
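Review bot: In the SecuredRDFListImpl hunk `getSecurityEvaluator()` is now called twice inside one condition, unlike the OpRewriter and SecuredFunction hunks of this commit which hoist the principal into a local; a local also keeps the principal paired with the evaluator that produced it. Suggested: `final SecurityEvaluator evaluator = getSecurityEvaluator();` followed by `if (evaluator.evaluate(evaluator.getPrincipal(), perms, this.getModelNode(), SecuredItemImpl.convert(t)))`. The enclosing method (presumably removeList, going by the delegated call) starts and ends outside the hunk.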
+++ b/jena-security/src/main/java/org/apache/jena/security/model/impl/SecuredRSIterator.java
@@ -55,7 +55,7 @@ public class SecuredRSIterator implements RSIterator
 @Override
 public boolean accept( final ReifiedStatement t )
 {
- return evaluator.evaluateAny(actions, modelNode,
+ return evaluator.evaluateAny(evaluator.getPrincipal(), actions, modelNode,
 SecuredItemImpl.convert(t.getStatement().asTriple()));
 }
http://git-wip-us.apache.org/repos/asf/jena/blob/23d1bde2/jena-security/src/main/java/org/apache/jena/security/query/SecuredQueryEngine.java
----------------------------------------------------------------------
diff --git a/jena-security/src/main/java/org/apache/jena/security/query/SecuredQueryEngine.java b/jena-security/src/main/java/org/apache/jena/security/query/SecuredQueryEngine.java
index 2068f65..b6e5e07 100644
--- a/jena-security/src/main/java/org/apache/jena/security/query/SecuredQueryEngine.java
+++ b/jena-security/src/main/java/org/apache/jena/security/query/SecuredQueryEngine.java
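Review bot: `evaluator.getPrincipal()` is resolved on every `accept()` call here, whereas PermTripleFilter and PermStatementFilter in this commit capture the principal once in their constructors, so the two filter styles now disagree on which principal a lazily consumed iterator is filtered with. If the evaluator's principal is request- or thread-scoped (the SecurityEvaluator contract is not visible here), an RSIterator consumed after the creating context has changed would be filtered under a different principal than the one that created it. Either capture it in the constructor (outside this hunk) as `private final Object principal;` like the other filters, or state the intent on this line: `// principal resolved per call on purpose: iterator may outlive the creating context`.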
@@ -93,49 +93,49 @@ public class SecuredQueryEngine extends QueryEngineMain
 this.securityEvaluator = new SecurityEvaluator() {
 @Override
- public boolean evaluate( final Action action,
+ public boolean evaluate( final Object principal, final Action action,
 final SecNode graphIRI )
 {
 return true;
 }
 @Override
- public boolean evaluate( final Action action,
+ public boolean evaluate( final Object principal, final Action action,
 final SecNode graphIRI, final SecTriple triple )
 {
 return true;
 }
 @Override
- public boolean evaluate( final Set<Action> action,
+ public boolean evaluate( final Object principal, final Set<Action> action,
 final SecNode graphIRI )
 {
 return true;
 }
 @Override
- public boolean evaluate( final Set<Action> action,
+ public boolean evaluate( final Object principal, final Set<Action> action,
 final SecNode graphIRI, final SecTriple triple )
 {
 return true;
 }
 @Override
- public boolean evaluateAny( final Set<Action> action,
+ public boolean evaluateAny( final Object principal, final Set<Action> action,
 final SecNode graphIRI )
 {
 return true;
 }
 @Override
- public boolean evaluateAny( final Set<Action> action,
+ public boolean evaluateAny( final Object principal, final Set<Action> action,
 final SecNode graphIRI, final SecTriple triple )
 {
 return true;
 }
 @Override
- public boolean evaluateUpdate( final SecNode graphIRI,
+ public boolean evaluateUpdate( final Object principal, final SecNode graphIRI,
 final SecTriple from, final SecTriple to )
 {
 return true;
http://git-wip-us.apache.org/repos/asf/jena/blob/23d1bde2/jena-security/src/main/java/org/apache/jena/security/query/rewriter/OpRewriter.java
----------------------------------------------------------------------
diff --git a/jena-security/src/main/java/org/apache/jena/security/query/rewriter/OpRewriter.java b/jena-security/src/main/java/org/apache/jena/security/query/rewriter/OpRewriter.java
index 4659d06..263c742 100644
--- a/jena-security/src/main/java/org/apache/jena/security/query/rewriter/OpRewriter.java
+++ b/jena-security/src/main/java/org/apache/jena/security/query/rewriter/OpRewriter.java
@@ -242,7 +242,8 @@ public class OpRewriter implements OpVisitor
 @Override
 public void visit( final OpBGP opBGP )
 {
- if (!securityEvaluator.evaluate(Action.Read, graphIRI))
+ Object principal = securityEvaluator.getPrincipal();
+ if (!securityEvaluator.evaluate(principal, Action.Read, graphIRI))
 {
 if (silentFail)
 {
@@ -255,7 +256,7 @@ public class OpRewriter implements OpVisitor
 }
 // if the user can read any triple just add the opBGP
- if (securityEvaluator.evaluate(Action.Read, graphIRI, SecTriple.ANY))
+ if (securityEvaluator.evaluate(principal, Action.Read, graphIRI, SecTriple.ANY))
 {
 addOp(opBGP);
 }
http://git-wip-us.apache.org/repos/asf/jena/blob/23d1bde2/jena-security/src/main/java/org/apache/jena/security/query/rewriter/SecuredFunction.java
----------------------------------------------------------------------
diff --git a/jena-security/src/main/java/org/apache/jena/security/query/rewriter/SecuredFunction.java b/jena-security/src/main/java/org/apache/jena/security/query/rewriter/SecuredFunction.java
index 5cd84d0..3675ec8 100644
--- a/jena-security/src/main/java/org/apache/jena/security/query/rewriter/SecuredFunction.java
+++ b/jena-security/src/main/java/org/apache/jena/security/query/rewriter/SecuredFunction.java
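Review bot: `Object principal = securityEvaluator.getPrincipal();` is the only non-final local in a method whose parameter is declared `final OpBGP opBGP`, and the file otherwise marks locals and parameters final; for consistency and to make it clear the principal is fixed for the whole visit, `final Object principal = securityEvaluator.getPrincipal();`. The same applies to the identical local added in SecuredFunction.checkAccess in this commit. The body of visit() continues past the second hunk.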
@@ -71,10 +71,11 @@ public class SecuredFunction extends ExprFunctionN
 private boolean checkAccess( Binding values )
 {
+ Object principal = securityEvaluator.getPrincipal();
 for (final Triple t : bgp)
 {
 final SecTriple secT = createSecTriple(t, values);
- if (!securityEvaluator.evaluate(Action.Read, graphIRI, secT))
+ if (!securityEvaluator.evaluate(principal, Action.Read, graphIRI, secT))
 {
 return false;
 }
http://git-wip-us.apache.org/repos/asf/jena/blob/23d1bde2/jena-security/src/main/java/org/apache/jena/security/utils/PermStatementFilter.java
----------------------------------------------------------------------
diff --git a/jena-security/src/main/java/org/apache/jena/security/utils/PermStatementFilter.java b/jena-security/src/main/java/org/apache/jena/security/utils/PermStatementFilter.java
index 8e8bb43..41c163a 100644
--- a/jena-security/src/main/java/org/apache/jena/security/utils/PermStatementFilter.java
+++ b/jena-security/src/main/java/org/apache/jena/security/utils/PermStatementFilter.java
@@ -39,6 +39,7 @@ public class PermStatementFilter extends Filter<Statement>
 private final SecurityEvaluator evaluator;
 private final SecNode modelNode;
 private final Set<Action> actions;
+ private final Object principal;
 /**
 * Creates a filter that requires that the user have all the permissions
@@ -55,6 +56,7 @@ public class PermStatementFilter extends Filter<Statement>
 this.modelNode = securedItem.getModelNode();
 this.actions = SecurityEvaluator.Util.asSet(new Action[] { action });
 this.evaluator = securedItem.getSecurityEvaluator();
+ this.principal = evaluator.getPrincipal();
 }
 /**
@@ -74,6 +76,7 @@ public class PermStatementFilter extends Filter<Statement>
 this.modelNode = securedItem.getModelNode();
 this.actions = SecurityEvaluator.Util.asSet(new Action[] { action });
 this.evaluator = evaluator;
+ this.principal = evaluator.getPrincipal();
 }
 /**
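Review bot: The new `principal` field in the PermStatementFilter `@@ -39,6 +39,7` hunk carries the behavioural change of this class but has no comment: `accept()` will now evaluate against the principal read when the filter was constructed, not the evaluator's principal at the moment a statement is tested. Since such a filter is typically handed to a lazily consumed iterator, a reader would otherwise expect the per-call lookup that SecuredRSIterator uses in this same commit; suggest documenting the field as `/** Principal captured at construction; accept() does not re-read the evaluator's current principal. */`. PermTripleFilter gains the identical field and deserves the same comment.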
@@ -91,6 +94,7 @@ public class PermStatementFilter extends Filter<Statement>
 this.modelNode = securedItem.getModelNode();
 this.actions = SecurityEvaluator.Util.asSet(actions);
 this.evaluator = securedItem.getSecurityEvaluator();
+ this.principal = evaluator.getPrincipal();
 }
 /**
@@ -110,6 +114,7 @@ public class PermStatementFilter extends Filter<Statement>
 this.modelNode = securedItem.getModelNode();
 this.actions = SecurityEvaluator.Util.asSet(actions);
 this.evaluator = evaluator;
+ this.principal = evaluator.getPrincipal();
 }
 /**
@@ -127,6 +132,7 @@ public class PermStatementFilter extends Filter<Statement>
 this.modelNode = securedItem.getModelNode();
 this.actions = SecurityEvaluator.Util.asSet(actions);
 this.evaluator = securedItem.getSecurityEvaluator();
+ this.principal = evaluator.getPrincipal();
 }
 /**
@@ -146,12 +152,13 @@ public class PermStatementFilter extends Filter<Statement>
 this.modelNode = securedItem.getModelNode();
 this.actions = SecurityEvaluator.Util.asSet(actions);
 this.evaluator = evaluator;
+ this.principal = evaluator.getPrincipal();
 }
 @Override
 public boolean accept( final Statement s )
 {
- return evaluator.evaluateAny(actions, modelNode,
+ return evaluator.evaluateAny(principal, actions, modelNode,
 SecuredItemImpl.convert(s.asTriple()));
 }
http://git-wip-us.apache.org/repos/asf/jena/blob/23d1bde2/jena-security/src/main/java/org/apache/jena/security/utils/PermTripleFilter.java
----------------------------------------------------------------------
diff --git a/jena-security/src/main/java/org/apache/jena/security/utils/PermTripleFilter.java b/jena-security/src/main/java/org/apache/jena/security/utils/PermTripleFilter.java
index f8d2fa6..505d7f8 100644
--- a/jena-security/src/main/java/org/apache/jena/security/utils/PermTripleFilter.java
+++ b/jena-security/src/main/java/org/apache/jena/security/utils/PermTripleFilter.java
@@ -39,6 +39,7 @@ public class PermTripleFilter extends Filter<Triple>
 private final SecurityEvaluator evaluator;
 private final SecNode modelNode;
 private final Set<Action> actions;
+ private final Object principal;
 /**
 * Creates a filter that requires that the user have all the permissions
@@ -54,6 +55,7 @@ public class PermTripleFilter extends Filter<Triple>
 this.modelNode = securedItem.getModelNode();
 this.actions = SecurityEvaluator.Util.asSet(new Action[] { action });
 this.evaluator = securedItem.getSecurityEvaluator();
+ this.principal = evaluator.getPrincipal();
 }
 /**
@@ -73,6 +75,7 @@ public class PermTripleFilter extends Filter<Triple>
 this.modelNode = securedItem.getModelNode();
 this.actions = SecurityEvaluator.Util.asSet(new Action[] { action });
 this.evaluator = evaluator;
+ this.principal = evaluator.getPrincipal();
 }
 /**
@@ -90,6 +93,7 @@ public class PermTripleFilter extends Filter<Triple>
 this.modelNode = securedItem.getModelNode();
 this.actions = SecurityEvaluator.Util.asSet(actions);
 this.evaluator = securedItem.getSecurityEvaluator();
+ this.principal = evaluator.getPrincipal();
 }
 /**
@@ -109,6 +113,7 @@ public class PermTripleFilter extends Filter<Triple>
 this.modelNode = securedItem.getModelNode();
 this.actions = SecurityEvaluator.Util.asSet(actions);
 this.evaluator = evaluator;
+ this.principal = evaluator.getPrincipal();
 }
 /**
@@ -126,6 +131,7 @@ public class PermTripleFilter extends Filter<Triple>
 this.modelNode = securedItem.getModelNode();
 this.actions = SecurityEvaluator.Util.asSet(actions);
 this.evaluator = securedItem.getSecurityEvaluator();
+ this.principal = evaluator.getPrincipal();
 }
 /**
@@ -145,12 +151,13 @@ public class PermTripleFilter extends Filter<Triple>
 this.modelNode = securedItem.getModelNode();
 this.actions = SecurityEvaluator.Util.asSet(actions);
 this.evaluator = evaluator;
+ this.principal = evaluator.getPrincipal();
 }
 @Override
 public boolean accept( final Triple t )
 {
- return evaluator.evaluateAny(actions, modelNode,
+ return evaluator.evaluateAny(principal, actions, modelNode,
 SecuredItemImpl.convert(t));
 }
http://git-wip-us.apache.org/repos/asf/jena/blob/23d1bde2/jena-security/src/main/java/org/apache/jena/security/utils/RDFListSecFilter.java
----------------------------------------------------------------------
diff --git a/jena-security/src/main/java/org/apache/jena/security/utils/RDFListSecFilter.java b/jena-security/src/main/java/org/apache/jena/security/utils/RDFListSecFilter.java
index bfe6a98..286be4a 100644
--- a/jena-security/src/main/java/org/apache/jena/security/utils/RDFListSecFilter.java
+++ b/jena-security/src/main/java/org/apache/jena/security/utils/RDFListSecFilter.java
@@ -31,9 +31,9 @@ import org.apache.jena.security.impl.SecuredItemImpl;
 public class RDFListSecFilter<T extends RDFList> extends Filter<T>
 {
-
- private SecuredItem securedItem;
- private Set<Action> perms;
+ private final SecuredItem securedItem;
+ private final Set<Action> perms;
+ private final Object principal;
 public RDFListSecFilter( final SecuredItem securedItem, final Action perm )
 {
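Review bot: PermTripleFilter now repeats the six constructors and the `accept()` body of PermStatementFilter line for line, and this commit adds the same `this.principal = evaluator.getPrincipal();` to all twelve constructors, so the principal-capture rule has to be kept in sync in two places. Since PermStatementFilter.accept reduces to `evaluateAny(principal, actions, modelNode, convert(s.asTriple()))`, the statement filter could hold a PermTripleFilter and delegate with `return tripleFilter.accept(s.asTriple());`, leaving one implementation to audit. Style only; the behaviour of this hunk is unchanged.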
@@ -45,13 +45,14 @@ public class RDFListSecFilter<T extends RDFList> extends Filter<T>
 {
 this.securedItem = securedItem;
 this.perms = perms;
+ this.principal = securedItem.getSecurityEvaluator().getPrincipal();
 }
 @Override
 public boolean accept( final RDFList o )
 {
 final Statement s = o.getRequiredProperty(RDF.first);
- return securedItem.getSecurityEvaluator().evaluate(perms,
+ return securedItem.getSecurityEvaluator().evaluate(principal, perms,
 securedItem.getModelNode(), SecuredItemImpl.convert(s.asTriple()));
 }
http://git-wip-us.apache.org/repos/asf/jena/blob/23d1bde2/jena-security/src/test/java/org/apache/jena/security/MockSecurityEvaluator.java
----------------------------------------------------------------------
diff --git a/jena-security/src/test/java/org/apache/jena/security/MockSecurityEvaluator.java b/jena-security/src/test/java/org/apache/jena/security/MockSecurityEvaluator.java
index c00602e..0981664 100644
--- a/jena-security/src/test/java/org/apache/jena/security/MockSecurityEvaluator.java
+++ b/jena-security/src/test/java/org/apache/jena/security/MockSecurityEvaluator.java
@@ -87,13 +87,13 @@ public class MockSecurityEvaluator implements SecurityEvaluator
 }
 @Override
- public boolean evaluate( final Action action, final SecNode uri )
+ public boolean evaluate( final Object principal, final Action action, final SecNode uri )
 {
 return evaluate(action);
 }
 @Override
- public boolean evaluate( final Action action, final SecNode graphIRI,
+ public boolean evaluate( final Object principal, final Action action, final SecNode graphIRI,
 final SecTriple triple )
 {
 if (forceTripleChecks)
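Review bot: The principal is snapshotted in the constructor from `securedItem.getSecurityEvaluator()`, but `accept()` still fetches the evaluator through `securedItem` on every call, so the captured principal and the evaluator it is handed to are only guaranteed to belong together if the secured item's evaluator never changes, which is not visible here. PermTripleFilter in this commit stores both; the same shape fits here with a `private final SecurityEvaluator evaluator` (in the field hunk above) assigned next to `this.principal` and used as `return evaluator.evaluate(principal, perms, securedItem.getModelNode(), SecuredItemImpl.convert(s.asTriple()));`. The first constructor, which presumably delegates to this one, is outside the hunk.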
@@ -141,13 +141,13 @@ public class MockSecurityEvaluator implements SecurityEvaluator
 }
 @Override
- public boolean evaluate( final Set<Action> action, final SecNode uri )
+ public boolean evaluate( final Object principal, final Set<Action> action, final SecNode uri )
 {
 return evaluate(action);
 }
 @Override
- public boolean evaluate( final Set<Action> action, final SecNode graphIRI,
+ public boolean evaluate( final Object principal, final Set<Action> action, final SecNode graphIRI,
 final SecTriple triple )
 {
 for (final Action a : action)
@@ -161,7 +161,7 @@ public class MockSecurityEvaluator implements SecurityEvaluator
 }
 @Override
- public boolean evaluateAny( final Set<Action> action, final SecNode graphIRI )
+ public boolean evaluateAny( final Object principal, final Set<Action> action, final SecNode graphIRI )
 {
 for (final Action a : action)
 {
@@ -174,14 +174,14 @@ public class MockSecurityEvaluator implements SecurityEvaluator
 }
 @Override
- public boolean evaluateAny( final Set<Action> action,
+ public boolean evaluateAny( final Object principal, final Set<Action> action,
 final SecNode graphIRI, final SecTriple triple )
 {
- return evaluateAny(action, graphIRI);
+ return evaluateAny( principal, action, graphIRI);
 }
 @Override
- public boolean evaluateUpdate( final SecNode graphIRI,
+ public boolean evaluateUpdate( final Object principal, final SecNode graphIRI,
 final SecTriple from, final SecTriple to )
 {
 return evaluate(Action.Update);
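Review bot: Every overload in these hunks discards `principal`, so the test suite cannot detect a call site that passes the wrong principal, which is precisely the wiring this commit adds in SecuredItemImpl, the filters and the query rewriter. Assuming the mock's `getPrincipal()` returns a fixed object (its implementation is not in view), a one-line guard at the top of each overload, `if (principal != getPrincipal()) throw new AssertionError("unexpected principal: " + principal);`, would make a regression in any caller fail loudly instead of silently passing. The closing brace of evaluateUpdate lies outside the last hunk.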
