Author: adrianc
Date: Sun Jan 3 18:02:24 2010
New Revision: 895454
URL: http://svn.apache.org/viewvc?rev=895454&view=rev
Log:
Better OO design, added artifact path wildcard capability.
Added:
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/ArtifactPath.java
(with props)
Modified:
ofbiz/branches/executioncontext20091231/framework/api/config/api.properties
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AccessControllerImpl.java
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuthorizationManagerImpl.java
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/OFBizPermission.java
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/PathNode.java
ofbiz/branches/executioncontext20091231/framework/example/data/ExampleSecurityData.xml
ofbiz/branches/executioncontext20091231/framework/security/data/SecurityData.xml
Modified:
ofbiz/branches/executioncontext20091231/framework/api/config/api.properties
URL:
http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/api/config/api.properties?rev=895454&r1=895453&r2=895454&view=diff
==============================================================================
--- ofbiz/branches/executioncontext20091231/framework/api/config/api.properties
(original)
+++ ofbiz/branches/executioncontext20091231/framework/api/config/api.properties
Sun Jan 3 18:02:24 2010
@@ -34,7 +34,7 @@
executionContext.verbose=false
# Set to true to enable AuthorizationManager info messages.
-authorizationManager.verbose=false
+authorizationManager.verbose=true
# Set to true to disable the AuthorizationManager.
authorizationManager.disabled=false
Modified:
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AccessControllerImpl.java
URL:
http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AccessControllerImpl.java?rev=895454&r1=895453&r2=895454&view=diff
==============================================================================
---
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AccessControllerImpl.java
(original)
+++
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AccessControllerImpl.java
Sun Jan 3 18:02:24 2010
@@ -58,7 +58,7 @@
Debug.logInfo("Checking permission: " +
ThreadContext.getExecutionPath() + "[" + permission + "]", module);
}
this.permission.reset();
- this.node.getPermissions(ThreadContext.getExecutionPath(),
this.permission);
+ this.node.getPermissions(new
ArtifactPath(ThreadContext.getExecutionPath()), this.permission);
if (this.verbose) {
Debug.logInfo("Found permission(s): " +
ThreadContext.getUserLogin().getString("userLoginId") +
"@" + ThreadContext.getExecutionPath() + "[" +
this.permission + "]", module);
Added:
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/ArtifactPath.java
URL:
http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/ArtifactPath.java?rev=895454&view=auto
==============================================================================
---
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/ArtifactPath.java
(added)
+++
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/ArtifactPath.java
Sun Jan 3 18:02:24 2010
@@ -0,0 +1,49 @@
+/*******************************************************************************
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+
*******************************************************************************/
+package org.ofbiz.context;
+
+import java.util.Arrays;
+import java.util.Iterator;
+
+/** Artifact path class. */
+public class ArtifactPath {
+
+ public static final String ELEMENT_SEPARATOR = "/";
+ protected String currentPathElement = null;
+ protected Iterator<String> pathIterator;
+
+ public ArtifactPath(String artifactPath) {
+ String[] strArray = artifactPath.split(ELEMENT_SEPARATOR);
+ this.currentPathElement = strArray[0];
+ this.pathIterator = Arrays.asList(strArray).iterator();
+ }
+
+ public String getCurrentPathElement() {
+ return this.currentPathElement;
+ }
+
+ public String getNextPathElement() {
+ this.currentPathElement = this.pathIterator.next();
+ return this.currentPathElement;
+ }
+
+ public boolean hasMoreElements() {
+ return this.pathIterator.hasNext();
+ }
+}
Propchange:
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/ArtifactPath.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange:
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/ArtifactPath.java
------------------------------------------------------------------------------
svn:keywords = Date Rev Author URL Id
Propchange:
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/ArtifactPath.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Modified:
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuthorizationManagerImpl.java
URL:
http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuthorizationManagerImpl.java?rev=895454&r1=895453&r2=895454&view=diff
==============================================================================
---
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuthorizationManagerImpl.java
(original)
+++
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuthorizationManagerImpl.java
Sun Jan 3 18:02:24 2010
@@ -21,14 +21,10 @@
import java.security.AccessControlException;
import java.security.Permission;
import java.util.List;
-import java.util.Map;
-
-import javolution.util.FastMap;
import org.ofbiz.api.authorization.AccessController;
import org.ofbiz.api.authorization.BasicPermissions;
import org.ofbiz.api.authorization.AuthorizationManager;
-import org.ofbiz.api.authorization.NullAuthorizationManager;
import org.ofbiz.entity.Delegator;
import org.ofbiz.entity.GenericEntityException;
import org.ofbiz.entity.GenericValue;
@@ -40,7 +36,7 @@
import org.ofbiz.service.ThreadContext;
/**
- * An implementation of the AuthorizationManager interface that uses the OFBiz
database
+ * An implementation of the AuthorizationManager interface that uses the
Entity Engine
* for authorization data storage.
*/
public class AuthorizationManagerImpl extends OFBizSecurity implements
AuthorizationManager {
@@ -48,10 +44,7 @@
// Right now this class implements permission checking only.
public static final String module =
AuthorizationManagerImpl.class.getName();
-// protected static final UtilCache<String, PathNode> userPermCache =
UtilCache.createUtilCache("authorization.UserPermissions");
- protected static final Map<String, PathNode> userPermCache =
FastMap.newInstance();
- protected static final AuthorizationManager nullAuthorizationManager = new
NullAuthorizationManager();
- protected static boolean underConstruction = false;
+ protected static final UtilCache<String, AccessController> userPermCache =
UtilCache.createUtilCache("authorization.UserPermissions");
public AuthorizationManagerImpl() {
}
@@ -134,31 +127,19 @@
public AccessController getAccessController() throws
AccessControlException {
String userLoginId =
ThreadContext.getUserLogin().getString("userLoginId");
- PathNode node = getUserPermissionsNode(userLoginId);
- if (node == null) {
- // During object construction, artifacts will be used that will
ultimately
- // call this method. In order for object construction to succeed,
we need
- // to allow unrestricted access to all artifacts.
- return nullAuthorizationManager.getAccessController();
- }
- return new AccessControllerImpl(getUserPermissionsNode(userLoginId));
+ return getAccessController(userLoginId);
}
- protected static PathNode getUserPermissionsNode(String userLoginId)
throws AccessControlException {
- if (underConstruction) {
- return null;
- }
- PathNode node = userPermCache.get(userLoginId);
- if (node != null) {
- return node;
+ protected static AccessController getAccessController(String userLoginId)
throws AccessControlException {
+ AccessController accessController = userPermCache.get(userLoginId);
+ if (accessController != null) {
+ return accessController;
}
synchronized (userPermCache) {
- underConstruction = true;
- node = new PathNode();
- // Set up the ExecutionContext for unrestricted access to
security-aware artifacts
- ThreadContext.runUnprotected();
- Delegator delegator = ThreadContext.getDelegator();
try {
+ ThreadContext.runUnprotected();
+ Delegator delegator = ThreadContext.getDelegator();
+ PathNode node = new PathNode();
// Process group membership permissions first
List<GenericValue> groupMemberships =
delegator.findList("UserToUserGroupRel",
EntityCondition.makeCondition(UtilMisc.toMap("userLoginId", userLoginId)),
null, null, null, false);
for (GenericValue userGroup : groupMemberships) {
@@ -167,15 +148,15 @@
// Process user permissions last
List<GenericValue> permissionValues =
delegator.findList("UserToArtifactPermRel",
EntityCondition.makeCondition(UtilMisc.toMap("userLoginId", userLoginId)),
null, null, null, false);
setPermissions(userLoginId, node, permissionValues);
- userPermCache.put(userLoginId, node);
+ accessController = new AccessControllerImpl(node);
+ userPermCache.put(userLoginId, accessController);
} catch (GenericEntityException e) {
throw new AccessControlException(e.getMessage());
} finally {
ThreadContext.endRunUnprotected();
- underConstruction = false;
}
}
- return node;
+ return accessController;
}
protected static void processGroupPermissions(String groupId, PathNode
node, Delegator delegator) throws AccessControlException {
@@ -199,9 +180,9 @@
OFBizPermission target = new OFBizPermission(id + "@" +
artifactPath);
String[] pair = value.getString("permissionValue").split("=");
if ("filter".equalsIgnoreCase(pair[0])) {
- target.filters.add(pair[1]);
+ target.addFilter(pair[1]);
} else if ("service".equalsIgnoreCase(pair[0])) {
- target.services.add(pair[1]);
+ target.addService(pair[1]);
} else {
Permission permission =
BasicPermissions.ConversionMap.get(pair[0].toUpperCase());
if (permission != null) {
@@ -214,7 +195,7 @@
throw new AccessControlException("Invalid permission: " +
pair[0]);
}
}
- node.setPermissions(artifactPath, target);
+ node.setPermissions(new ArtifactPath(artifactPath), target);
}
}
Modified:
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/OFBizPermission.java
URL:
http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/OFBizPermission.java?rev=895454&r1=895453&r2=895454&view=diff
==============================================================================
---
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/OFBizPermission.java
(original)
+++
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/OFBizPermission.java
Sun Jan 3 18:02:24 2010
@@ -31,6 +31,8 @@
* <p>This class enforces the security-aware artifact permission
* checking rules:<br>
* <ul>
+ * <li>If the permissions list contains the admin permission,
+ * then access is granted</li>
* <li>If the permissions list contains the specified permission,
* then access is granted</li>
* <li>If services are specified, and all services return
@@ -55,6 +57,14 @@
this.excludePermissions = new PermissionsUnion(name);
}
+ public void addFilter(String filter) {
+ this.filters.add(filter);
+ }
+
+ public void addService(String service) {
+ this.services.add(service);
+ }
+
@Override
public boolean equals(Object obj) {
if (obj == this) {
Modified:
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/PathNode.java
URL:
http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/PathNode.java?rev=895454&r1=895453&r2=895454&view=diff
==============================================================================
---
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/PathNode.java
(original)
+++
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/PathNode.java
Sun Jan 3 18:02:24 2010
@@ -28,9 +28,11 @@
*/
public class PathNode {
+ public static final String PLACEHOLDER_CHARACTER = "?";
protected String nodeName = null;
protected OFBizPermission permission = null;
protected Map<String, PathNode> childNodes = null;
+ protected boolean handlePlaceholder = false;
public PathNode() {}
@@ -38,28 +40,60 @@
this.nodeName = nodeName;
}
- public void setPermissions(String artifactPath, OFBizPermission
permission) {
- int pos = artifactPath.indexOf("/");
- if (pos == -1) {
+ protected void buildNodeString(FastList<PathNode> currentPath,
StringBuilder result) {
+ currentPath.add(this);
+ if (this.permission != null) {
+ for (PathNode pathNode: currentPath) {
+ result.append("/");
+ result.append(pathNode.nodeName);
+ }
+ result.append("[");
+ result.append(this.permission);
+ result.append("]");
+ result.append("\n");
+ }
+ if (this.childNodes != null) {
+ Collection<PathNode> childNodes = this.childNodes.values();
+ for (PathNode childNode : childNodes) {
+ childNode.buildNodeString(currentPath, result);
+ }
+ }
+ currentPath.removeLast();
+ }
+
+ public void getPermissions(ArtifactPath artifactPath, OFBizPermission
permission) {
+ permission.accumulatePermissions(this.permission);
+ if (artifactPath.hasMoreElements() && this.childNodes != null) {
+ String nextNodeName = artifactPath.getNextPathElement();
+ if (this.handlePlaceholder) {
+ if (!artifactPath.hasMoreElements()) {
+ return;
+ }
+ nextNodeName = artifactPath.getNextPathElement();
+ }
+ PathNode node = this.childNodes.get(nextNodeName.toUpperCase());
+ if (node != null) {
+ node.getPermissions(artifactPath, permission);
+ }
+ }
+ }
+
+ public void setPermissions(ArtifactPath artifactPath, OFBizPermission
permission) {
+ if (this.nodeName == null) {
+ this.nodeName = artifactPath.getCurrentPathElement();
+ }
+ if (!artifactPath.hasMoreElements()) {
if (this.permission == null) {
this.permission = permission;
} else {
this.permission.accumulatePermissions(permission);
}
- if (this.nodeName == null) {
- this.nodeName = artifactPath;
- }
return;
}
- String thisNodeName = artifactPath.substring(0, pos);
- if (this.nodeName == null) {
- this.nodeName = thisNodeName;
- }
- artifactPath = artifactPath.substring(pos + 1);
- String nextNodeName = artifactPath;
- pos = artifactPath.indexOf("/");
- if (pos != -1) {
- nextNodeName = artifactPath.substring(0, pos);
+ String nextNodeName = artifactPath.getNextPathElement();
+ if (PLACEHOLDER_CHARACTER.equals(nextNodeName)) {
+ this.handlePlaceholder = true;
+ nextNodeName = artifactPath.getNextPathElement();
}
String key = nextNodeName.toUpperCase();
if (this.childNodes == null) {
@@ -73,23 +107,6 @@
node.setPermissions(artifactPath, permission);
}
- public void getPermissions(String artifactPath, OFBizPermission
permission) {
- permission.accumulatePermissions(this.permission);
- int pos = artifactPath.indexOf("/");
- if (pos != -1 && this.childNodes != null) {
- artifactPath = artifactPath.substring(pos + 1);
- String nextNodeName = artifactPath;
- pos = artifactPath.indexOf("/");
- if (pos != -1) {
- nextNodeName = artifactPath.substring(0, pos);
- }
- PathNode node = this.childNodes.get(nextNodeName.toUpperCase());
- if (node != null) {
- node.getPermissions(artifactPath, permission);
- }
- }
- }
-
@Override
public String toString() {
FastList<PathNode> currentPath = FastList.newInstance();
@@ -97,25 +114,4 @@
buildNodeString(currentPath, result);
return result.toString();
}
-
- protected void buildNodeString(FastList<PathNode> currentPath,
StringBuilder result) {
- currentPath.add(this);
- if (this.permission != null) {
- for (PathNode pathNode: currentPath) {
- result.append("/");
- result.append(pathNode.nodeName);
- }
- result.append("[");
- result.append(this.permission);
- result.append("]");
- result.append("\n");
- }
- if (this.childNodes != null) {
- Collection<PathNode> childNodes = this.childNodes.values();
- for (PathNode childNode : childNodes) {
- childNode.buildNodeString(currentPath, result);
- }
- }
- currentPath.removeLast();
- }
}
Modified:
ofbiz/branches/executioncontext20091231/framework/example/data/ExampleSecurityData.xml
URL:
http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/example/data/ExampleSecurityData.xml?rev=895454&r1=895453&r2=895454&view=diff
==============================================================================
---
ofbiz/branches/executioncontext20091231/framework/example/data/ExampleSecurityData.xml
(original)
+++
ofbiz/branches/executioncontext20091231/framework/example/data/ExampleSecurityData.xml
Sun Jan 3 18:02:24 2010
@@ -35,15 +35,6 @@
<ArtifactPath artifactPath="ofbiz/example" description="Example
Application"/>
<ArtifactPath artifactPath="ofbiz/exampleext" description="Extended
Example Application"/>
- <!-- Data needed to get users logged in -->
- <ArtifactPath artifactPath="ofbiz/example/getUserPreferenceGroup"
description="Example Application - getUserPreferenceGroup service"/>
- <ArtifactPath artifactPath="ofbiz/example/login" description="Example
Application - Login screen"/>
- <ArtifactPath artifactPath="ofbiz/example/ServerHit" description="Example
Application - Server hit"/>
- <UserToArtifactPermRel userLoginId="NOT_LOGGED_IN"
artifactPath="ofbiz/example/getUserPreferenceGroup"
permissionValue="access=true"/>
- <UserToArtifactPermRel userLoginId="NOT_LOGGED_IN"
artifactPath="ofbiz/example/login" permissionValue="access=true"/>
- <UserToArtifactPermRel userLoginId="NOT_LOGGED_IN"
artifactPath="ofbiz/example/login" permissionValue="view=true"/>
- <UserToArtifactPermRel userLoginId="NOT_LOGGED_IN"
artifactPath="ofbiz/example/ServerHit" permissionValue="create=true"/>
-
<!-- Data needed for the transition to security-aware artifacts. As each
webapp
is converted over to the new security design, the corresponding admin
permission should be removed. -->
Modified:
ofbiz/branches/executioncontext20091231/framework/security/data/SecurityData.xml
URL:
http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/security/data/SecurityData.xml?rev=895454&r1=895453&r2=895454&view=diff
==============================================================================
---
ofbiz/branches/executioncontext20091231/framework/security/data/SecurityData.xml
(original)
+++
ofbiz/branches/executioncontext20091231/framework/security/data/SecurityData.xml
Sun Jan 3 18:02:24 2010
@@ -62,7 +62,12 @@
<UserLogin userLoginId="NOT_LOGGED_IN" enabled="N" isSystem="N"/>
<UserGroup groupId="OFBIZ_USERS" description="All OFBiz users"/>
+
<ArtifactPath artifactPath="ofbiz" description="The artifact path root"/>
+ <ArtifactPath artifactPath="ofbiz/?/getUserPreferenceGroup"
description="All Applications - getUserPreferenceGroup service"/>
+ <ArtifactPath artifactPath="ofbiz/?/login" description="All Applications -
Login screen"/>
+ <ArtifactPath artifactPath="ofbiz/?/ServerHit" description="All
Applications - Server hit"/>
+
<ArtifactPermission permissionValue="access=true" description="Access
granted"/>
<ArtifactPermission permissionValue="admin=true" description="Admin access
granted"/>
<ArtifactPermission permissionValue="create=true" description="Create
access granted"/>
@@ -73,6 +78,11 @@
<ArtifactPermission permissionValue="update=false" description="Update
access denied"/>
<ArtifactPermission permissionValue="view=true" description="View access
granted"/>
<ArtifactPermission permissionValue="view=false" description="View access
denied"/>
+
<UserToArtifactPermRel userLoginId="system" artifactPath="ofbiz"
permissionValue="admin=true"/>
+ <UserToArtifactPermRel userLoginId="NOT_LOGGED_IN"
artifactPath="ofbiz/?/getUserPreferenceGroup" permissionValue="access=true"/>
+ <UserToArtifactPermRel userLoginId="NOT_LOGGED_IN"
artifactPath="ofbiz/?/login" permissionValue="access=true"/>
+ <UserToArtifactPermRel userLoginId="NOT_LOGGED_IN"
artifactPath="ofbiz/?/login" permissionValue="view=true"/>
+ <UserToArtifactPermRel userLoginId="NOT_LOGGED_IN"
artifactPath="ofbiz/?/ServerHit" permissionValue="create=true"/>
</entity-engine-xml>
