Author: adrianc
Date: Tue Jan 5 18:29:22 2010
New Revision: 896161
URL: http://svn.apache.org/viewvc?rev=896161&view=rev
Log:
Improved security implementation. Converted the Example component to the new
security design.
Modified:
ofbiz/branches/executioncontext20091231/BranchReadMe.txt
ofbiz/branches/executioncontext20091231/framework/api/src/org/ofbiz/api/authorization/PermissionsIntersection.java
ofbiz/branches/executioncontext20091231/framework/api/src/org/ofbiz/api/authorization/PermissionsUnion.java
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AccessControllerImpl.java
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/ArtifactPath.java
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuthorizationManagerImpl.java
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/PathNode.java
ofbiz/branches/executioncontext20091231/framework/example/data/ExampleSecurityData.xml
ofbiz/branches/executioncontext20091231/framework/example/servicedef/services.xml
ofbiz/branches/executioncontext20091231/framework/example/widget/example/CommonScreens.xml
ofbiz/branches/executioncontext20091231/framework/example/widget/example/ExampleScreens.xml
ofbiz/branches/executioncontext20091231/framework/security/data/SecurityData.xml
ofbiz/branches/executioncontext20091231/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java
ofbiz/branches/executioncontext20091231/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java
Modified: ofbiz/branches/executioncontext20091231/BranchReadMe.txt
URL:
http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/BranchReadMe.txt?rev=896161&r1=896160&r2=896161&view=diff
==============================================================================
--- ofbiz/branches/executioncontext20091231/BranchReadMe.txt (original)
+++ ofbiz/branches/executioncontext20091231/BranchReadMe.txt Tue Jan 5
18:29:22 2010
@@ -63,3 +63,20 @@
The Authorization Manager is mostly working. Filtering
EntityListIterator values is not implemented due to architectural
problems.
+
+---------------------------------------------------
+
+2010-05-03: Artifact paths now support substitution ("?")
+and wildcard ("*") path elements.
+This solves an issue that was discussed during the design - how
+to grant access to a particular artifact regardless of the
+execution path. You can see examples of their use in
+framework/security/data/SecurityData.xml and
+framework/example/data/ExampleSecurityData.xml.
+
+The Example component has been converted to the new
+security design.
+
+The Execution Context seems to fulfill all needs so far, and it
+works pretty well, so its API could be considered stable at
+this time.
Modified:
ofbiz/branches/executioncontext20091231/framework/api/src/org/ofbiz/api/authorization/PermissionsIntersection.java
URL:
http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/api/src/org/ofbiz/api/authorization/PermissionsIntersection.java?rev=896161&r1=896160&r2=896161&view=diff
==============================================================================
---
ofbiz/branches/executioncontext20091231/framework/api/src/org/ofbiz/api/authorization/PermissionsIntersection.java
(original)
+++
ofbiz/branches/executioncontext20091231/framework/api/src/org/ofbiz/api/authorization/PermissionsIntersection.java
Tue Jan 5 18:29:22 2010
@@ -19,6 +19,7 @@
package org.ofbiz.api.authorization;
import java.security.Permission;
+import java.util.Arrays;
import java.util.List;
/**
@@ -35,6 +36,10 @@
super(listName, permissionsList);
}
+ public PermissionsIntersection(String listName, Permission... permissions)
{
+ super(listName, Arrays.asList(permissions));
+ }
+
/** Returns <code>true</code> if all of the contained permissions
* return <code>true</code>.
*/
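Review bot: The varargs constructor on the added lines hands `Arrays.asList(permissions)` straight to the superclass, and that list is a live, fixed-size view of the caller's array, so whoever still holds the array can change the permission set after construction; the matching constructor added to PermissionsUnion in this commit has the same shape. If the superclass keeps the list reference rather than copying it (not visible here), pass a fresh list instead, `super(listName, new ArrayList<Permission>(Arrays.asList(permissions)));` (import `java.util.ArrayList`). A one-line Javadoc on each new constructor saying that a null array is rejected with NullPointerException by `Arrays.asList` would also spare callers a surprise.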
Modified:
ofbiz/branches/executioncontext20091231/framework/api/src/org/ofbiz/api/authorization/PermissionsUnion.java
URL:
http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/api/src/org/ofbiz/api/authorization/PermissionsUnion.java?rev=896161&r1=896160&r2=896161&view=diff
==============================================================================
---
ofbiz/branches/executioncontext20091231/framework/api/src/org/ofbiz/api/authorization/PermissionsUnion.java
(original)
+++
ofbiz/branches/executioncontext20091231/framework/api/src/org/ofbiz/api/authorization/PermissionsUnion.java
Tue Jan 5 18:29:22 2010
@@ -19,6 +19,7 @@
package org.ofbiz.api.authorization;
import java.security.Permission;
+import java.util.Arrays;
import java.util.List;
/**
@@ -35,6 +36,10 @@
super(listName, permissionsList);
}
+ public PermissionsUnion(String listName, Permission... permissions) {
+ super(listName, Arrays.asList(permissions));
+ }
+
/** Returns <code>true</code> if any of the contained permissions
* returns <code>true</code>.
*/
Modified:
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AccessControllerImpl.java
URL:
http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AccessControllerImpl.java?rev=896161&r1=896160&r2=896161&view=diff
==============================================================================
---
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AccessControllerImpl.java
(original)
+++
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AccessControllerImpl.java
Tue Jan 5 18:29:22 2010
@@ -51,6 +51,9 @@
this.permission = new
OFBizPermission(ThreadContext.getUserLogin().getString("userLoginId"));
this.verbose =
"true".equals(UtilProperties.getPropertyValue("api.properties",
"authorizationManager.verbose"));
this.disabled =
"true".equals(UtilProperties.getPropertyValue("api.properties",
"authorizationManager.disabled"));
+ if (this.verbose) {
+ Debug.logInfo("Permissions for " +
ThreadContext.getUserLogin().getString("userLoginId") + ": \n" + this.node,
module);
+ }
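Review bot: The added verbose branch writes the user's entire effective permission tree to the log at info level every time an AccessControllerImpl is constructed, which both floods the log and records per-user authorization data in plain text; `Debug.logVerbose` is the appropriate level for a diagnostic dump of this size. The branch also repeats the `ThreadContext.getUserLogin().getString("userLoginId")` lookup that was already done two lines earlier to build `this.permission`; keep the id in a local and use it in both places. Whether `this.node` is populated before this point is not visible here, as the constructor starts outside the hunk.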
}
public void checkPermission(Permission permission) throws
AccessControlException {
Modified:
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/ArtifactPath.java
URL:
http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/ArtifactPath.java?rev=896161&r1=896160&r2=896161&view=diff
==============================================================================
---
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/ArtifactPath.java
(original)
+++
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/ArtifactPath.java
Tue Jan 5 18:29:22 2010
@@ -18,32 +18,63 @@
*******************************************************************************/
package org.ofbiz.context;
-import java.util.Arrays;
import java.util.Iterator;
+import java.util.NoSuchElementException;
/** Artifact path class. */
-public class ArtifactPath {
+public class ArtifactPath implements Cloneable, Iterator<String> {
+ public static final ArtifactPath PATH_ROOT = new ArtifactPath("ofbiz");
public static final String ELEMENT_SEPARATOR = "/";
- protected String currentPathElement = null;
- protected Iterator<String> pathIterator;
+
+ protected int currentIndex = 0;
+ protected final String[] pathElementArray;
public ArtifactPath(String artifactPath) {
- String[] strArray = artifactPath.split(ELEMENT_SEPARATOR);
- this.currentPathElement = strArray[0];
- this.pathIterator = Arrays.asList(strArray).iterator();
+ this.pathElementArray = artifactPath.split(ELEMENT_SEPARATOR);
+ }
+
+ public ArtifactPath(String[] pathElementArray) {
+ this.pathElementArray = pathElementArray;
+ }
+
+ @Override
+ public ArtifactPath clone() {
+ ArtifactPath newPath = new ArtifactPath(this.pathElementArray);
+ newPath.currentIndex = this.currentIndex;
+ return newPath;
+ }
+
+ public String getCurrentPath() {
+ StringBuilder sb = new StringBuilder();
+ for (int i = this.currentIndex; i < this.pathElementArray.length; i++)
{
+ if (i != this.currentIndex) {
+ sb.append(ELEMENT_SEPARATOR);
+ }
+ sb.append(this.pathElementArray[i]);
+ }
+ return sb.toString();
}
public String getCurrentPathElement() {
- return this.currentPathElement;
+ return this.pathElementArray[this.currentIndex];
+ }
+
+ @Override
+ public boolean hasNext() {
+ return this.currentIndex + 1 < this.pathElementArray.length;
}
- public String getNextPathElement() {
- this.currentPathElement = this.pathIterator.next();
- return this.currentPathElement;
+ @Override
+ public String next() {
+ if (!this.hasNext()) {
+ throw new NoSuchElementException();
+ }
+ return this.pathElementArray[++this.currentIndex];
}
- public boolean hasMoreElements() {
- return this.pathIterator.hasNext();
+ @Override
+ public void remove() {
+ throw new UnsupportedOperationException();
}
}
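Review bot: Neither constructor validates its input: `"/".split("/")` yields an empty array, after which `getCurrentPathElement()` throws ArrayIndexOutOfBoundsException, and a path such as `ofbiz//example` yields an empty element that silently becomes a key in the permission tree. The array constructor also stores the caller's array without copying it; `clone()` relies on that sharing deliberately, which is fine only as long as nobody writes to the array. Rejecting empty arrays and empty elements in the constructors keeps malformed ArtifactPath rows from reaching PathNode, and routing the String constructor through the array one keeps the check in a single place.
```java
public ArtifactPath(String artifactPath) {
    this(artifactPath.split(ELEMENT_SEPARATOR));
}

public ArtifactPath(String[] pathElementArray) {
    if (pathElementArray == null || pathElementArray.length == 0) {
        throw new IllegalArgumentException("Artifact path must contain at least one element");
    }
    for (String element : pathElementArray) {
        if (element == null || element.length() == 0) {
            throw new IllegalArgumentException("Artifact path contains an empty element");
        }
    }
    this.pathElementArray = pathElementArray;
}
// … unchanged: clone(), getCurrentPath(), getCurrentPathElement(), hasNext(), next(), remove() …
```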
Modified:
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuthorizationManagerImpl.java
URL:
http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuthorizationManagerImpl.java?rev=896161&r1=896160&r2=896161&view=diff
==============================================================================
---
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuthorizationManagerImpl.java
(original)
+++
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuthorizationManagerImpl.java
Tue Jan 5 18:29:22 2010
@@ -139,7 +139,7 @@
try {
ThreadContext.runUnprotected();
Delegator delegator = ThreadContext.getDelegator();
- PathNode node = new PathNode();
+ PathNode node = PathNode.getInstance(ArtifactPath.PATH_ROOT);
// Process group membership permissions first
List<GenericValue> groupMemberships =
delegator.findList("UserToUserGroupRel",
EntityCondition.makeCondition(UtilMisc.toMap("userLoginId", userLoginId)),
null, null, null, false);
for (GenericValue userGroup : groupMemberships) {
Modified:
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/PathNode.java
URL:
http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/PathNode.java?rev=896161&r1=896160&r2=896161&view=diff
==============================================================================
---
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/PathNode.java
(original)
+++
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/PathNode.java
Tue Jan 5 18:29:22 2010
@@ -24,89 +24,66 @@
import javolution.util.FastList;
import javolution.util.FastMap;
-/** Implements a node in a permissions tree.
+/** A node in a permissions tree.
*/
-public class PathNode {
+public abstract class PathNode {
- public static final String PLACEHOLDER_CHARACTER = "?";
- protected String nodeName = null;
- protected OFBizPermission permission = null;
- protected Map<String, PathNode> childNodes = null;
- protected boolean handlePlaceholder = false;
+ public static final String SUBSTITUTION_CHARACTER = "?";
+ public static final String WILDCARD_CHARACTER = "*";
+
+ public static PathNode getInstance(ArtifactPath artifactPath) {
+ String currentPathElement =
artifactPath.getCurrentPathElement().intern();
+ if (SUBSTITUTION_CHARACTER.equals(currentPathElement)) {
+ return new SubstitutionNode();
+ }
+ if (WILDCARD_CHARACTER.equals(currentPathElement)) {
+ return new WildCardNode();
+ }
+ return new BranchNode(currentPathElement);
+ }
- public PathNode() {}
+ protected Map<String, PathNode> childNodes = null;
+ protected String nodeName = null;
protected PathNode(String nodeName) {
this.nodeName = nodeName;
}
protected void buildNodeString(FastList<PathNode> currentPath,
StringBuilder result) {
- currentPath.add(this);
- if (this.permission != null) {
- for (PathNode pathNode: currentPath) {
- result.append("/");
- result.append(pathNode.nodeName);
- }
- result.append("[");
- result.append(this.permission);
- result.append("]");
- result.append("\n");
- }
if (this.childNodes != null) {
Collection<PathNode> childNodes = this.childNodes.values();
for (PathNode childNode : childNodes) {
childNode.buildNodeString(currentPath, result);
}
}
- currentPath.removeLast();
}
- public void getPermissions(ArtifactPath artifactPath, OFBizPermission
permission) {
- permission.accumulatePermissions(this.permission);
- if (artifactPath.hasMoreElements() && this.childNodes != null) {
- String nextNodeName = artifactPath.getNextPathElement();
- if (this.handlePlaceholder) {
- if (!artifactPath.hasMoreElements()) {
- return;
- }
- nextNodeName = artifactPath.getNextPathElement();
- }
- PathNode node = this.childNodes.get(nextNodeName.toUpperCase());
+ protected void getChildNodePermissions(String key, ArtifactPath
artifactPath, OFBizPermission permission) {
+ if (this.childNodes != null) {
+ PathNode node = this.childNodes.get(key.toUpperCase());
if (node != null) {
node.getPermissions(artifactPath, permission);
}
}
}
- public void setPermissions(ArtifactPath artifactPath, OFBizPermission
permission) {
- if (this.nodeName == null) {
- this.nodeName = artifactPath.getCurrentPathElement();
- }
- if (!artifactPath.hasMoreElements()) {
- if (this.permission == null) {
- this.permission = permission;
- } else {
- this.permission.accumulatePermissions(permission);
- }
- return;
- }
- String nextNodeName = artifactPath.getNextPathElement();
- if (PLACEHOLDER_CHARACTER.equals(nextNodeName)) {
- this.handlePlaceholder = true;
- nextNodeName = artifactPath.getNextPathElement();
- }
- String key = nextNodeName.toUpperCase();
+ public abstract void getPermissions(ArtifactPath artifactPath,
OFBizPermission permission);
+
+ protected void setChildNodePermissions(String key, ArtifactPath
artifactPath, OFBizPermission permission) {
if (this.childNodes == null) {
this.childNodes = FastMap.newInstance();
}
+ key = key.toUpperCase();
PathNode node = this.childNodes.get(key);
if (node == null) {
- node = new PathNode(nextNodeName);
+ node = PathNode.getInstance(artifactPath);
this.childNodes.put(key, node);
}
node.setPermissions(artifactPath, permission);
}
+ public abstract void setPermissions(ArtifactPath artifactPath,
OFBizPermission permission);
+
@Override
public String toString() {
FastList<PathNode> currentPath = FastList.newInstance();
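Review bot: `key.toUpperCase()` in getChildNodePermissions and setChildNodePermissions (and `getCurrentPath().toUpperCase()` in WildCardNode.getPermissions in the next hunk) folds case with the JVM's default locale, so the key a permission is stored under depends on the locale the server runs in; under a Turkish locale `i` does not map to `I`, and a tree built on one locale will not match paths checked on another. Use `toUpperCase(Locale.ENGLISH)` in all three places (import `java.util.Locale`). The `.intern()` in getInstance buys nothing because the value is only compared with `equals`, and it pins every path element in the string pool; drop it. toString() continues in the next hunk.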
@@ -114,4 +91,143 @@
buildNodeString(currentPath, result);
return result.toString();
}
+
+ protected static class BranchNode extends PathNode {
+ protected OFBizPermission permission = null;
+ protected SubstitutionNode substitutionNode = null;
+ protected WildCardNode wildCardNode = null;
+
+ protected BranchNode(String nodeName) {
+ super(nodeName);
+ }
+
+ @Override
+ protected void buildNodeString(FastList<PathNode> currentPath,
StringBuilder result) {
+ currentPath.add(this);
+ if (this.permission != null) {
+ for (PathNode pathNode: currentPath) {
+ result.append("/");
+ result.append(pathNode.nodeName);
+ }
+ result.append("[");
+ result.append(this.permission);
+ result.append("]");
+ result.append("\n");
+ }
+ if (this.substitutionNode != null) {
+ this.substitutionNode.buildNodeString(currentPath, result);
+ }
+ if (this.wildCardNode != null) {
+ this.wildCardNode.buildNodeString(currentPath, result);
+ }
+ super.buildNodeString(currentPath, result);
+ currentPath.removeLast();
+ }
+
+ @Override
+ public void getPermissions(ArtifactPath artifactPath, OFBizPermission
permission) {
+ permission.accumulatePermissions(this.permission);
+ if (artifactPath.hasNext()) {
+ String key = artifactPath.next();
+ if (this.substitutionNode != null) {
+ this.substitutionNode.getPermissions(artifactPath.clone(),
permission);
+ }
+ if (this.wildCardNode != null) {
+ this.wildCardNode.getPermissions(artifactPath.clone(),
permission);
+ }
+ this.getChildNodePermissions(key, artifactPath, permission);
+ }
+ }
+
+ @Override
+ public void setPermissions(ArtifactPath artifactPath, OFBizPermission
permission) {
+ if (!artifactPath.hasNext()) {
+ if (this.permission == null) {
+ this.permission = permission;
+ } else {
+ this.permission.accumulatePermissions(permission);
+ }
+ return;
+ }
+ String key = artifactPath.next();
+ if (SUBSTITUTION_CHARACTER.equals(key)) {
+ if (this.substitutionNode == null) {
+ this.substitutionNode = new SubstitutionNode();
+ }
+ this.substitutionNode.setPermissions(artifactPath, permission);
+ return;
+ }
+ if (WILDCARD_CHARACTER.equals(key)) {
+ if (this.wildCardNode == null) {
+ this.wildCardNode = new WildCardNode();
+ }
+ this.wildCardNode.setPermissions(artifactPath, permission);
+ return;
+ }
+ this.setChildNodePermissions(key, artifactPath, permission);
+ }
+ }
+
+ protected static class SubstitutionNode extends PathNode {
+
+ protected SubstitutionNode() {
+ super(SUBSTITUTION_CHARACTER);
+ }
+
+ @Override
+ protected void buildNodeString(FastList<PathNode> currentPath,
StringBuilder result) {
+ currentPath.add(this);
+ super.buildNodeString(currentPath, result);
+ currentPath.removeLast();
+ }
+
+ @Override
+ public void getPermissions(ArtifactPath artifactPath, OFBizPermission
permission) {
+ if (artifactPath.hasNext()) {
+ this.getChildNodePermissions(artifactPath.next(),
artifactPath, permission);
+ }
+ }
+
+ @Override
+ public void setPermissions(ArtifactPath artifactPath, OFBizPermission
permission) {
+ if (artifactPath.hasNext()) {
+ this.setChildNodePermissions(artifactPath.next(),
artifactPath, permission);
+ }
+ }
+ }
+
+ protected static class WildCardNode extends PathNode {
+
+ protected WildCardNode() {
+ super(WILDCARD_CHARACTER);
+ }
+
+ @Override
+ protected void buildNodeString(FastList<PathNode> currentPath,
StringBuilder result) {
+ currentPath.add(this);
+ super.buildNodeString(currentPath, result);
+ currentPath.removeLast();
+ }
+
+ public void getPermissions(ArtifactPath artifactPath, OFBizPermission
permission) {
+ if (artifactPath.hasNext() && this.childNodes != null) {
+ artifactPath.next();
+ String currentPath =
artifactPath.getCurrentPath().toUpperCase();
+ for (Map.Entry<String, PathNode> entry :
this.childNodes.entrySet()) {
+ if (currentPath.endsWith(entry.getKey())) {
+ entry.getValue().getPermissions(artifactPath,
permission);
+ return;
+ }
+ }
+ }
+ }
+
+ @Override
+ public void setPermissions(ArtifactPath artifactPath, OFBizPermission
permission) {
+ if (artifactPath.hasNext()) {
+ artifactPath.next();
+ this.setChildNodePermissions(artifactPath.getCurrentPath(),
artifactPath, permission);
+ }
+ }
+ }
}
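Review bot: WildCardNode.getPermissions matches children with `currentPath.endsWith(entry.getKey())`, which is a character-level suffix test rather than an element-level one: a stored key `ANOTHERDATE` also matches a remaining path ending in `NOTANOTHERDATE`, so permissions attached to a wildcard path can apply to, or be withheld from, artifacts that merely share a suffix, and when several keys share a suffix the winner depends on FastMap iteration order because the loop returns on the first hit. Anchor the comparison at an element boundary, `if (currentPath.equals(entry.getKey()) || currentPath.endsWith(ArtifactPath.ELEMENT_SEPARATOR + entry.getKey())) {`. That method is also the only override in the file without `@Override`; adding it keeps the compiler checking the signature. It also looks as though a matched child receives `artifactPath` still positioned at the first element after `*` rather than at the matched tail, so BranchNode.getPermissions on that child then calls `next()` from there; confirm that this is the intended behaviour for tails longer than one element.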
Modified:
ofbiz/branches/executioncontext20091231/framework/example/data/ExampleSecurityData.xml
URL:
http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/example/data/ExampleSecurityData.xml?rev=896161&r1=896160&r2=896161&view=diff
==============================================================================
---
ofbiz/branches/executioncontext20091231/framework/example/data/ExampleSecurityData.xml
(original)
+++
ofbiz/branches/executioncontext20091231/framework/example/data/ExampleSecurityData.xml
Tue Jan 5 18:29:22 2010
@@ -19,27 +19,16 @@
-->
<entity-engine-xml>
<!-- Example security -->
- <SecurityPermission description="View operations in the Example Management
Screens." permissionId="EXAMPLE_VIEW"/>
- <SecurityPermission description="Create operations in the Example
Management Screens." permissionId="EXAMPLE_CREATE"/>
- <SecurityPermission description="Update operations in the Example
Management Screens." permissionId="EXAMPLE_UPDATE"/>
- <SecurityPermission description="Delete operations in the Example
Management Screens." permissionId="EXAMPLE_DELETE"/>
- <SecurityPermission description="ALL operations in the Example Management
Screens." permissionId="EXAMPLE_ADMIN"/>
- <SecurityGroupPermission groupId="FULLADMIN" permissionId="EXAMPLE_ADMIN"/>
- <SecurityGroupPermission groupId="FLEXADMIN"
permissionId="EXAMPLE_CREATE"/>
- <SecurityGroupPermission groupId="FLEXADMIN"
permissionId="EXAMPLE_DELETE"/>
- <SecurityGroupPermission groupId="FLEXADMIN"
permissionId="EXAMPLE_UPDATE"/>
- <SecurityGroupPermission groupId="FLEXADMIN" permissionId="EXAMPLE_VIEW"/>
- <SecurityGroupPermission groupId="VIEWADMIN" permissionId="EXAMPLE_VIEW"/>
- <SecurityGroupPermission groupId="BIZADMIN" permissionId="EXAMPLE_ADMIN"/>
-
<ArtifactPath artifactPath="ofbiz/example" description="Example
Application"/>
<ArtifactPath artifactPath="ofbiz/exampleext" description="Extended
Example Application"/>
- <!-- Data needed for the transition to security-aware artifacts. As each
webapp
- is converted over to the new security design, the corresponding admin
- permission should be removed. -->
-
-<!-- <UserGrpToArtifactPermRel groupId="OFBIZ_USERS"
artifactPath="ofbiz/example" permissionValue="admin=true"/> -->
- <UserGrpToArtifactPermRel groupId="OFBIZ_USERS"
artifactPath="ofbiz/exampleext" permissionValue="admin=true"/>
+ <!-- Data needed to demonstrate the security-aware artifacts. This is
temporary -
+ it will not be included in the project. -->
+ <UserToArtifactPermRel userLoginId="artifact-user"
artifactPath="ofbiz/example" permissionValue="access=true"/>
+ <UserToArtifactPermRel userLoginId="artifact-user"
artifactPath="ofbiz/example" permissionValue="view=true"/>
+ <UserToArtifactPermRel userLoginId="artifact-user"
artifactPath="ofbiz/example" permissionValue="create=true"/>
+ <UserToArtifactPermRel userLoginId="artifact-user"
artifactPath="ofbiz/example" permissionValue="update=true"/>
+ <ArtifactPath artifactPath="ofbiz/example/*/anotherDate"
description="Example Application - 'anotherDate' field"/>
+ <UserToArtifactPermRel userLoginId="artifact-user"
artifactPath="ofbiz/example/*/anotherDate" permissionValue="view=false"/>
</entity-engine-xml>
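Review bot: The `artifact-user` grants added here are described as temporary demo data but sit in the component's regular security data file, so they load under whatever reader this file is registered with (not visible here); if that is the seed reader, the demo account's grants land in every installation. Move the rows to a demo-only data file, or at minimum say in the comment which reader must not load them. The `view=false` rule for `ofbiz/example/*/anotherDate` also relies on how OFBizPermission.accumulatePermissions resolves a deny against the earlier `view=true` on the parent path, which this diff does not show; a comment beside the row stating that the later deny is expected to win would help the next reader.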
Modified:
ofbiz/branches/executioncontext20091231/framework/example/servicedef/services.xml
URL:
http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/example/servicedef/services.xml?rev=896161&r1=896160&r2=896161&view=diff
==============================================================================
---
ofbiz/branches/executioncontext20091231/framework/example/servicedef/services.xml
(original)
+++
ofbiz/branches/executioncontext20091231/framework/example/servicedef/services.xml
Tue Jan 5 18:29:22 2010
@@ -27,7 +27,6 @@
<!-- Example & Related Services -->
<service name="createExample" default-entity-name="Example"
engine="entity-auto" invoke="create" auth="true">
<description>Create a Example</description>
- <permission-service service-name="exampleGenericPermission"
main-action="CREATE"/>
<auto-attributes include="pk" mode="OUT" optional="false"/>
<auto-attributes include="nonpk" mode="IN" optional="true"/>
<override name="exampleTypeId" optional="false"/>
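Review bot: Removing `permission-service` from createExample (and from every other CRUD service in the later hunks of this file) leaves these services with only `auth="true"`, which requires a logged-in user but no particular permission; nothing in this commit shows the service engine consulting the new AccessController for a service artifact, so unless that hook already exists outside the diff, any authenticated user can now create, update and delete Example data. If the ExecutionContext check is in place for services, a short comment at the top of this file naming it would document why the per-service permission elements are gone; if it is not, keep the `permission-service` elements until it lands. The exampleGenericPermission service definition removed at the end of the file should likewise be kept until nothing else references it.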
@@ -36,20 +35,17 @@
</service>
<service name="updateExample" default-entity-name="Example"
engine="entity-auto" invoke="update" auth="true">
<description>Update a Example</description>
- <permission-service service-name="exampleGenericPermission"
main-action="UPDATE"/>
<auto-attributes include="pk" mode="IN" optional="false"/>
<auto-attributes include="nonpk" mode="IN" optional="true"/>
<attribute name="oldStatusId" type="String" mode="OUT"
optional="false"/>
</service>
<service name="deleteExample" default-entity-name="Example"
engine="entity-auto" invoke="delete" auth="true">
<description>Delete a Example</description>
- <permission-service service-name="exampleGenericPermission"
main-action="DELETE"/>
<auto-attributes include="pk" mode="IN" optional="false"/>
</service>
<service name="createExampleStatus" default-entity-name="ExampleStatus"
engine="simple"
location="component://example/script/org/ofbiz/example/example/ExampleServices.xml"
invoke="createExampleStatus" auth="true">
<description>Create a ExampleStatus</description>
- <permission-service service-name="exampleGenericPermission"
main-action="CREATE"/>
<auto-attributes include="all" mode="IN" optional="false">
<exclude field-name="statusDate"/>
<exclude field-name="statusEndDate"/>
@@ -58,7 +54,6 @@
<service name="createExampleItem" default-entity-name="ExampleItem"
engine="entity-auto" invoke="create" auth="true">
<description>Create a ExampleItem</description>
- <permission-service service-name="exampleGenericPermission"
main-action="CREATE"/>
<auto-attributes include="pk" mode="IN" optional="false"/>
<auto-attributes include="nonpk" mode="IN" optional="true"/>
<override name="exampleItemSeqId" mode="OUT"/> <!-- make this OUT
rather than IN, we will automatically generate the next sub-sequence ID -->
@@ -66,61 +61,47 @@
</service>
<service name="updateExampleItem" default-entity-name="ExampleItem"
engine="entity-auto" invoke="update" auth="true">
<description>Update a ExampleItem</description>
- <permission-service service-name="exampleGenericPermission"
main-action="UPDATE"/>
<auto-attributes include="pk" mode="IN" optional="false"/>
<auto-attributes include="nonpk" mode="IN" optional="true"/>
</service>
<service name="deleteExampleItem" default-entity-name="ExampleItem"
engine="entity-auto" invoke="delete" auth="true">
<description>Delete a ExampleItem</description>
- <permission-service service-name="exampleGenericPermission"
main-action="DELETE"/>
<auto-attributes include="pk" mode="IN" optional="false"/>
</service>
<!-- ExampleFeature Services -->
<service name="createExampleFeature" default-entity-name="ExampleFeature"
engine="entity-auto" invoke="create" auth="true">
<description>Create a ExampleFeature</description>
- <permission-service service-name="exampleGenericPermission"
main-action="CREATE"/>
<auto-attributes include="pk" mode="OUT" optional="false"/>
<auto-attributes include="nonpk" mode="IN" optional="true"/>
<override name="description" optional="false"/>
</service>
<service name="updateExampleFeature" default-entity-name="ExampleFeature"
engine="entity-auto" invoke="update" auth="true">
<description>Update a ExampleFeature</description>
- <permission-service service-name="exampleGenericPermission"
main-action="UPDATE"/>
<auto-attributes include="pk" mode="IN" optional="false"/>
<auto-attributes include="nonpk" mode="IN" optional="true"/>
</service>
<service name="deleteExampleFeature" default-entity-name="ExampleFeature"
engine="entity-auto" invoke="delete" auth="true">
<description>Delete a ExampleFeature</description>
- <permission-service service-name="exampleGenericPermission"
main-action="DELETE"/>
<auto-attributes include="pk" mode="IN" optional="false"/>
</service>
<service name="createExampleFeatureAppl"
default-entity-name="ExampleFeatureAppl" engine="entity-auto" invoke="create"
auth="true">
<description>Create a ExampleFeatureAppl</description>
- <permission-service service-name="exampleGenericPermission"
main-action="CREATE"/>
<auto-attributes include="pk" mode="IN" optional="false"/>
<auto-attributes include="nonpk" mode="IN" optional="true"/>
<override name="fromDate" optional="true"/>
</service>
<service name="updateExampleFeatureAppl"
default-entity-name="ExampleFeatureAppl" engine="entity-auto" invoke="update"
auth="true">
<description>Update a ExampleFeatureAppl</description>
- <permission-service service-name="exampleGenericPermission"
main-action="UPDATE"/>
<auto-attributes include="pk" mode="IN" optional="false"/>
<auto-attributes include="nonpk" mode="IN" optional="true"/>
</service>
<service name="deleteExampleFeatureAppl"
default-entity-name="ExampleFeatureAppl" engine="entity-auto" invoke="delete"
auth="true">
<description>Delete a ExampleFeatureAppl</description>
- <permission-service service-name="exampleGenericPermission"
main-action="DELETE"/>
<auto-attributes include="pk" mode="IN" optional="false"/>
</service>
- <!-- Permission Services -->
- <service name="exampleGenericPermission" engine="simple"
-
location="component://example/script/org/ofbiz/example/ExamplePermissionServices.xml"
invoke="exampleGenericPermission">
- <implements service="permissionInterface"/>
- </service>
-
<!-- Example ServiceTest Service -->
<service name="testCreateExampleService" engine="simple"
location="component://example/script/org/ofbiz/example/example/ExampleServices.xml"
invoke="testCreateExampleService">
Modified:
ofbiz/branches/executioncontext20091231/framework/example/widget/example/CommonScreens.xml
URL:
http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/example/widget/example/CommonScreens.xml?rev=896161&r1=896160&r2=896161&view=diff
==============================================================================
---
ofbiz/branches/executioncontext20091231/framework/example/widget/example/CommonScreens.xml
(original)
+++
ofbiz/branches/executioncontext20091231/framework/example/widget/example/CommonScreens.xml
Tue Jan 5 18:29:22 2010
@@ -82,10 +82,7 @@
<decorator-section name="pre-body">
<section>
<condition>
- <and>
- <if-has-permission permission="EXAMPLE"
action="_VIEW"/>
- <not><if-empty field="example"/></not>
- </and>
+ <not><if-empty field="example"/></not>
</condition>
<widgets>
<include-menu name="EditExample"
location="component://example/widget/example/ExampleMenus.xml"/>
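Review bot: Dropping the `EXAMPLE`/`_VIEW` `if-has-permission` conditions and their `fail-widgets` here, in the other hunks of this file and in ExampleScreens.xml removes the screen-level view check entirely; the only replacement visible in this commit is the per-field `View` check in ModelFormField, which silently skips a field rather than failing the screen, and non-form widgets reached through these screens get no check at all. If screen rendering is meant to be guarded by the AccessController on a screen artifact, that is not visible here and should be confirmed before the legacy conditions go. Until then the `ExampleViewPermissionError` label that used to appear on denial has no equivalent, so a denied user sees a partially rendered page with no explanation.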
@@ -94,10 +91,6 @@
</decorator-section>
<decorator-section name="body">
<section>
- <!-- do check for EXAMPLE, _VIEW permission -->
- <condition>
- <if-has-permission permission="EXAMPLE"
action="_VIEW"/>
- </condition>
<widgets>
<section>
<condition>
@@ -124,9 +117,6 @@
</section>
<decorator-section-include name="body"/>
</widgets>
- <fail-widgets>
- <label
style="h3">${uiLabelMap.ExampleViewPermissionError}</label>
- </fail-widgets>
</section>
</decorator-section>
</decorator-screen>
@@ -146,10 +136,7 @@
<decorator-section name="pre-body">
<section>
<condition>
- <and>
- <if-has-permission permission="EXAMPLE"
action="_VIEW"/>
- <not><if-empty
field="exampleFeature"/></not>
- </and>
+ <not><if-empty field="exampleFeature"/></not>
</condition>
<widgets>
<include-menu name="EditExampleFeature"
location="component://example/widget/example/ExampleMenus.xml"/>
@@ -158,10 +145,6 @@
</decorator-section>
<decorator-section name="body">
<section>
- <!-- do check for EXAMPLE, _VIEW permission -->
- <condition>
- <if-has-permission permission="EXAMPLE"
action="_VIEW"/>
- </condition>
<widgets>
<section>
<condition>
@@ -181,9 +164,6 @@
</section>
<decorator-section-include name="body"/>
</widgets>
- <fail-widgets>
- <label
style="h3">${uiLabelMap.ExampleViewPermissionError}</label>
- </fail-widgets>
</section>
</decorator-section>
</decorator-screen>
Modified:
ofbiz/branches/executioncontext20091231/framework/example/widget/example/ExampleScreens.xml
URL:
http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/example/widget/example/ExampleScreens.xml?rev=896161&r1=896160&r2=896161&view=diff
==============================================================================
---
ofbiz/branches/executioncontext20091231/framework/example/widget/example/ExampleScreens.xml
(original)
+++
ofbiz/branches/executioncontext20091231/framework/example/widget/example/ExampleScreens.xml
Tue Jan 5 18:29:22 2010
@@ -31,11 +31,6 @@
<widgets>
<decorator-screen name="main-decorator"
location="${parameters.mainDecoratorLocation}">
<decorator-section name="body">
- <section>
- <condition>
- <if-has-permission permission="EXAMPLE"
action="_VIEW"/>
- </condition>
- <widgets>
<decorator-screen name="FindScreenDecorator"
location="component://common/widget/CommonScreens.xml">
<decorator-section name="menu-bar">
<container style="button-bar"><link
target="EditExample" text="${uiLabelMap.ExampleNewExample}"
style="buttontext"/></container>
@@ -47,11 +42,6 @@
<include-form name="ListExamples"
location="component://example/widget/example/ExampleForms.xml"/>
</decorator-section>
</decorator-screen>
- </widgets>
- <fail-widgets>
- <label
style="h3">${uiLabelMap.ExampleViewPermissionError}</label>
- </fail-widgets>
- </section>
</decorator-section>
</decorator-screen>
</widgets>
Modified:
ofbiz/branches/executioncontext20091231/framework/security/data/SecurityData.xml
URL:
http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/security/data/SecurityData.xml?rev=896161&r1=896160&r2=896161&view=diff
==============================================================================
---
ofbiz/branches/executioncontext20091231/framework/security/data/SecurityData.xml
(original)
+++
ofbiz/branches/executioncontext20091231/framework/security/data/SecurityData.xml
Tue Jan 5 18:29:22 2010
@@ -85,4 +85,8 @@
<UserToArtifactPermRel userLoginId="NOT_LOGGED_IN"
artifactPath="ofbiz/?/login" permissionValue="view=true"/>
<UserToArtifactPermRel userLoginId="NOT_LOGGED_IN"
artifactPath="ofbiz/?/ServerHit" permissionValue="create=true"/>
+ <!-- Data needed to demonstrate the security-aware artifacts. This is
temporary -
+ it will not be included in the project. -->
+ <UserLogin userLoginId="artifact-user" enabled="Y" isSystem="N"
currentPassword="{SHA}47ca69ebb4bdc9ae0adec130880165d2cc05db1a"
passwordHint=""/>
+
</entity-engine-xml>
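Review bot: The added `UserLogin` row ships a demo account with a fixed, unsalted `{SHA}` password hash in the framework's security data; even a throwaway account becomes a well-known credential on every install that loads this file, and the comment's promise that it "will not be included in the project" is not something the data loader enforces. Put the row in demo-only data or leave it out of the branch and create the user locally; if it must stay, set `enabled="N"` and `requirePasswordChange="Y"` so the account cannot be used as committed.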
Modified:
ofbiz/branches/executioncontext20091231/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java
URL:
http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java?rev=896161&r1=896160&r2=896161&view=diff
==============================================================================
---
ofbiz/branches/executioncontext20091231/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java
(original)
+++
ofbiz/branches/executioncontext20091231/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java
Tue Jan 5 18:29:22 2010
@@ -21,6 +21,7 @@
import static org.ofbiz.base.util.UtilGenerics.checkMap;
import java.math.BigInteger;
+import java.security.AccessControlException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Map;
@@ -38,6 +39,7 @@
import javolution.util.FastList;
import javolution.util.FastMap;
+import static org.ofbiz.api.authorization.BasicPermissions.Access;
import org.ofbiz.base.component.ComponentConfig;
import org.ofbiz.base.util.Debug;
import org.ofbiz.base.util.GeneralException;
@@ -853,6 +855,10 @@
}
protected static boolean hasBasePermission(GenericValue userLogin,
HttpServletRequest request) {
+ try {
+ ThreadContext.getAccessController().checkPermission(Access);
+ return true;
+ } catch (AccessControlException e) {}
ServletContext context = (ServletContext)
request.getAttribute("servletContext");
Authorization authz = (Authorization) request.getAttribute("authz");
Security security = (Security) request.getAttribute("security");
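Review bot: The added `catch (AccessControlException e) {}` is an empty catch: the denial is neither logged nor explained, and a reader cannot tell whether falling through to the legacy check is intended or an oversight. Make the intent explicit, `} catch (AccessControlException e) { // new-style Access not granted; fall back to the legacy base-permission check }`, and consider a `Debug.logVerbose` so denials are visible when diagnosing access problems. Since AccessControllerImpl in this commit reads an `authorizationManager.disabled` property, it is worth confirming what `checkPermission` does in that mode: if a disabled controller grants everything, the early `return true` bypasses the legacy check for every user. hasBasePermission continues outside the hunk.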
Modified:
ofbiz/branches/executioncontext20091231/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java
URL:
http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java?rev=896161&r1=896160&r2=896161&view=diff
==============================================================================
---
ofbiz/branches/executioncontext20091231/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java
(original)
+++
ofbiz/branches/executioncontext20091231/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java
Tue Jan 5 18:29:22 2010
@@ -33,6 +33,7 @@
import javolution.util.FastList;
import javolution.util.FastMap;
+import static org.ofbiz.api.authorization.BasicPermissions.View;
import org.ofbiz.api.context.ExecutionArtifact;
import org.ofbiz.base.util.BshUtil;
import org.ofbiz.base.util.Debug;
@@ -595,8 +596,12 @@
public void renderFieldString(Appendable writer, Map<String, Object>
context, FormStringRenderer formStringRenderer) throws IOException {
try {
+ // Permissions should be checked by renderers, this is here
+ // for demonstration only
ThreadContext.pushExecutionArtifact(this);
+ ThreadContext.getAccessController().checkPermission(View);
this.fieldInfo.renderFieldString(writer, context,
formStringRenderer);
+ } catch (Exception e) {
} finally {
ThreadContext.popExecutionArtifact();
}