Author: chathura
Date: Wed Dec 12 23:47:31 2007
New Revision: 11061
Log:
Improved registry user manager.
Modified:
trunk/registry/modules/core/src/main/java/org/wso2/registry/secure/RegistryUserManager.java
trunk/registry/modules/core/src/main/java/org/wso2/registry/secure/SecureRegistry.java
Modified:
trunk/registry/modules/core/src/main/java/org/wso2/registry/secure/RegistryUserManager.java
==============================================================================
---
trunk/registry/modules/core/src/main/java/org/wso2/registry/secure/RegistryUserManager.java
(original)
+++
trunk/registry/modules/core/src/main/java/org/wso2/registry/secure/RegistryUserManager.java
Wed Dec 12 23:47:31 2007
@@ -24,12 +24,17 @@
import org.wso2.registry.RegistryConstants;
import org.wso2.registry.RegistryException;
import org.wso2.usermanager.*;
+import org.wso2.usermanager.acl.realm.AuthorizingRealm;
+import org.wso2.usermanager.acl.realm.AuthorizingRealmConfig;
import java.util.Map;
/**
- * Handles user related operations in the registry. Checks if the actor is
authorized to perform
- * the requested operation and delegated it to the realm, if authorization
succeeds.
+ * Wrapper to handle user store related operations in the registry. Main task
of this class is to
+ * protect the set of predefined users, roles and authorizations from the
actions of registry
+ * users (e.g. it should NOT be possibe to remove system user, admin user or
anonymous user, it
+ * should NOT be possibe to remove or deny authorizations of system or admin
users). Therefore, all
+ * user manager related operations should be accessed through an instance of
this class.
*/
public class RegistryUserManager {
@@ -41,17 +46,15 @@
private UserStoreAdmin userStoreAdmin;
private UserStoreReader userStoreReader;
- private String actor;
+ public RegistryUserManager(Realm userRealm) throws RegistryException {
- public RegistryUserManager(Realm realm, String userName ) throws
RegistryException {
-
- this.realm = realm;
+ this.realm = userRealm;
try {
- accessControlAdmin = realm.getAccessControlAdmin();
- authorizer= realm.getAuthorizer();
- userStoreAdmin = realm.getUserStoreAdmin();
- userStoreReader = realm.getUserStoreReader();
+ accessControlAdmin = userRealm.getAccessControlAdmin();
+ authorizer= userRealm.getAuthorizer();
+ userStoreAdmin = userRealm.getUserStoreAdmin();
+ userStoreReader = userRealm.getUserStoreReader();
} catch (UserManagerException e) {
@@ -59,8 +62,30 @@
log.error(msg, e);
throw new RegistryException(msg);
}
+ }
+
+ public RegistryUserManager(Realm deafuleRealm, String userName) throws
RegistryException {
+
+ try {
- this.actor = userName;
+ this.realm = new AuthorizingRealm();
+ AuthorizingRealmConfig config = (AuthorizingRealmConfig) this.realm
+ .getRealmConfiguration();
+ config.setRealm(deafuleRealm);
+ config.setAuthenticatedUserName(userName);
+ this.realm.init(config);
+
+ accessControlAdmin = deafuleRealm.getAccessControlAdmin();
+ authorizer= deafuleRealm.getAuthorizer();
+ userStoreAdmin = deafuleRealm.getUserStoreAdmin();
+ userStoreReader = deafuleRealm.getUserStoreReader();
+
+ } catch (UserManagerException e) {
+
+ String msg = "Could not initiate the authorizing realm. Caused by:
" + e.getMessage();
+ log.error(msg, e);
+ throw new RegistryException(msg);
+ }
}
public Realm getRealm() {
@@ -70,23 +95,10 @@
public void addUser(String userName,
String password) throws RegistryException {
- //try {
- // if (!authorizer.isUserAuthorized(
- // actor, RegistryConstants.ROOT_PATH,
ActionConstants.ADD_USER)) {
- // String msg = "Attempted to perform unauthorized operation.";
- // log.info(msg);
- // throw new RegistryException(msg);
- // }
- //} catch (UserManagerException e) {
- // String msg = "Could not check authorization. \nCaused by " +
e.getMessage();
- // log.error(msg, e);
- // throw new RegistryException(msg);
- //}
-
try {
userStoreAdmin.addUser(userName, password);
userStoreAdmin.addUserToRole(userName,
RegistryConstants.EVERYONE_ROLE);
- //In this time we need to create a directory for users and added
that to the registry.
+
} catch (UserManagerException e) {
String msg = "Could not add the user. \nCaused by " +
e.getMessage();
log.error(msg, e);
@@ -96,19 +108,6 @@
public void addRole(String roleName) throws RegistryException {
- //try {
- // if (!authorizer.isUserAuthorized(
- // actor, RegistryConstants.ROOT_PATH,
ActionConstants.ADD_ROLE)) {
- // String msg = "Attempted to perform unauthorized operation.";
- // log.info(msg);
- // throw new RegistryException(msg);
- // }
- //} catch (UserManagerException e) {
- // String msg = "Could not check authorization. \nCaused by " +
e.getMessage();
- // log.error(msg, e);
- // throw new RegistryException(msg);
- //}
-
try {
userStoreAdmin.addRole(roleName);
} catch (UserManagerException e) {
@@ -126,18 +125,17 @@
throw new RegistryException(msg);
}
- //try {
- // if (!authorizer.isUserAuthorized(
- // actor, RegistryConstants.ROOT_PATH,
ActionConstants.REMOVE_USER)) {
- // String msg = "Attempted to perform unauthorized operation.";
- // log.info(msg);
- // throw new RegistryException(msg);
- // }
- //} catch (UserManagerException e) {
- // String msg = "Could not check authorization. \nCaused by " +
e.getMessage();
- // log.error(msg, e);
- // throw new RegistryException(msg);
- //}
+ if (userName.equals(RegistryConstants.SYSTEM_USER)) {
+ String msg = "Cannot remove the system user.";
+ log.info(msg);
+ throw new RegistryException(msg);
+ }
+
+ if (userName.equals(RegistryConstants.ANONYMOUS_USER)) {
+ String msg = "Cannot remove the anonymous user.";
+ log.info(msg);
+ throw new RegistryException(msg);
+ }
try {
userStoreAdmin.deleteUser(userName);
@@ -150,24 +148,17 @@
public void removeRole(String roleName) throws RegistryException {
- if (roleName.equals(RegistryConstants.ADMIN_USER)) {
+ if (roleName.equals(RegistryConstants.ADMIN_ROLE)) {
String msg = "Cannot remove the administrator role.";
log.info(msg);
throw new RegistryException(msg);
}
- //try {
- // if (!authorizer.isUserAuthorized(
- // actor, RegistryConstants.ROOT_PATH,
ActionConstants.REMOVE_ROLE)) {
- // String msg = "Attempted to perform unauthorized operation.";
- // log.info(msg);
- // throw new RegistryException(msg);
- // }
- //} catch (UserManagerException e) {
- // String msg = "Could not check authorization. \nCaused by " +
e.getMessage();
- // log.error(msg, e);
- // throw new RegistryException(msg);
- //}
+ if (roleName.equals(RegistryConstants.EVERYONE_ROLE)) {
+ String msg = "Cannot remove the everyone role.";
+ log.info(msg);
+ throw new RegistryException(msg);
+ }
try {
userStoreAdmin.deleteRole(roleName);
@@ -239,7 +230,7 @@
return (String) properties.get(propName);
} catch (UserManagerException e) {
throw new RegistryException(e.getMessage());
- }
+ }
}
public void setUserProperty(String userName, String name, String value)
throws RegistryException {
@@ -287,6 +278,12 @@
throw new RegistryException(msg);
}
+ if (userName.equals(RegistryConstants.SYSTEM_USER)) {
+ String msg = "Cannot deny access for the system user.";
+ log.info(msg);
+ throw new RegistryException(msg);
+ }
+
try {
accessControlAdmin.denyUser(userName, resourceID, action);
} catch (UserManagerException e) {
Modified:
trunk/registry/modules/core/src/main/java/org/wso2/registry/secure/SecureRegistry.java
==============================================================================
---
trunk/registry/modules/core/src/main/java/org/wso2/registry/secure/SecureRegistry.java
(original)
+++
trunk/registry/modules/core/src/main/java/org/wso2/registry/secure/SecureRegistry.java
Wed Dec 12 23:47:31 2007
@@ -86,7 +86,7 @@
this.userID = userID;
this.registry = registry;
- this.userManager = new RegistryUserManager(userRealm, userID);
+ this.userManager = new RegistryUserManager(userRealm);
}
/**
@@ -121,7 +121,7 @@
this.userID = userID;
this.registry = registry;
- this.userManager = new RegistryUserManager(userRealm, userID);
+ this.userManager = new RegistryUserManager(userRealm);
}
public String getUserID() {
_______________________________________________
Registry-dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/registry-dev
