org.jahia.utils.security

Class AccessManagerUtils

java.lang.Object

org.jahia.utils.security.AccessManagerUtils

public class AccessManagerUtils
extends Object

AccessManagerUtils provide functions to work with acls/ace and roles - test if a jahiaPrincipal match permissions for a path - get roles necessary for a given path and a given jahiaPrincipal - get permissions for a given role

Author:

kevan

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	AccessManagerUtils.CompiledAce Ace node representation to be store in cache
static class	AccessManagerUtils.CompiledAcl Acl node representation to be store in cache

Field Summary

Fields

Modifier and Type	Field and Description
static ThreadLocal<Collection<String>>	deniedPathes

Constructor Summary

Constructors

Constructor and Description
AccessManagerUtils()

Method Summary

Modifier and Type	Method and Description
static void	flushMatchingPermissions() Flush matchingPermissions cache
static void	flushPrivilegesInRoles() Flush privilegesInRole cache
static Set<javax.jcr.security.Privilege>	getPermissionsInRole(String role, JahiaPrivilegeRegistry privilegeRegistry) Retrieve permissions of a given role The privilegesInRole cache will be used to read the permissions, if not found we used a system session in default workspace to read the role node
static String	getPrivilegeName(String privilegeName, String workspace) Get the full privilege name combine privilege name with workspace to generate the permission name used in jahia exemple: privilege: Privilege.JCR_REMOVE_NODE and workspace: Constants.EDIT_WORKSPACE result: "{http://www.jcp.org/jcr/1.0}removeNode_default"
static javax.jcr.security.Privilege[]	getPrivileges(javax.jcr.Node node, org.jahia.jaas.JahiaPrincipal jahiaPrincipal, JahiaPrivilegeRegistry privilegeRegistry) Get the list Privilege from granted roles for a given principal on a node, recursive check on parents nodes when the acl node have the "inherit" flag, the getRoles(...) function is used to retrieve the roles.
static javax.jcr.security.Privilege[]	getPrivileges(String absPath, String workspace, org.jahia.jaas.JahiaPrincipal jahiaPrincipal, JahiaPrivilegeRegistry privilegeRegistry) Get the list Privilege from granted roles for a given principal on a node, recursive check on parents nodes when the acl node have the "inherit" flag, the getRoles(...) function is used to retrieve the roles.
static Set<String>	getRoles(javax.jcr.Node node, org.jahia.jaas.JahiaPrincipal jahiaPrincipal) Get the list of granted role for a given principal on a node, recursive check on parents when the acl node have the "inherit" flag
static Set<String>	getRoles(String absPath, String workspace, org.jahia.jaas.JahiaPrincipal jahiaPrincipal) Get the list of granted role for a given principal on a node, recursive check on parents when the acl node have the "inherit" flag
static void	initCaches() Init privilegesInRole and matchingPermissions static cache
static boolean	isAdmin(String siteKey, org.jahia.jaas.JahiaPrincipal jahiaPrincipal) Test if the given JahiaPrincipal is administrator, store the result in the jahiaPrincipal so we don't query the groupService in next calls
static boolean	isGranted(PathWrapper pathWrapper, Set<String> permissions, javax.jcr.Session securitySession, org.jahia.jaas.JahiaPrincipal jahiaPrincipal, String workspaceName, boolean isAliased, Map<String,Boolean> pathPermissionCache, Map<Object,AccessManagerUtils.CompiledAcl> compiledAcls, JahiaPrivilegeRegistry privilegeRegistry) Entry point to test if the given jahiaPrincipal match the given permissions on a node
static boolean	isSystemPrincipal(org.jahia.jaas.JahiaPrincipal jahiaPrincipal) check if the principal is system
static boolean	matchPermission(Set<String> permissions, String role, boolean isAliased, JahiaPrivilegeRegistry privilegeRegistry, String workspaceName) Test if a given role contains the list of permissions
static void	setDeniedPaths(Collection<String> denied) add pathes to list of always denied pathes

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

deniedPathes

public static ThreadLocal<Collection<String>> deniedPathes

Constructor Detail

AccessManagerUtils

public AccessManagerUtils()

Method Detail

initCaches

public static void initCaches()

Init privilegesInRole and matchingPermissions static cache

flushPrivilegesInRoles

public static void flushPrivilegesInRoles()

Flush privilegesInRole cache

flushMatchingPermissions

public static void flushMatchingPermissions()

Flush matchingPermissions cache

getPrivilegeName

public static String getPrivilegeName(String privilegeName,
                                      String workspace)

Get the full privilege name combine privilege name with workspace to generate the permission name used in jahia exemple: privilege: Privilege.JCR_REMOVE_NODE and workspace: Constants.EDIT_WORKSPACE result: "{http://www.jcp.org/jcr/1.0}removeNode_default"

Parameters:

privilegeName - privilege name, like Privilege.JCR_REMOVE_NODE

workspace - workspace name, like Constants.EDIT_WORKSPACE

Returns:

the privilege name

setDeniedPaths

public static void setDeniedPaths(Collection<String> denied)

add pathes to list of always denied pathes

Parameters:

denied - list of path

isSystemPrincipal

public static boolean isSystemPrincipal(org.jahia.jaas.JahiaPrincipal jahiaPrincipal)

check if the principal is system

Parameters:

jahiaPrincipal - jahiaPrincipal to test

Returns:

true if system

isGranted

public static boolean isGranted(PathWrapper pathWrapper,
                                Set<String> permissions,
                                javax.jcr.Session securitySession,
                                org.jahia.jaas.JahiaPrincipal jahiaPrincipal,
                                String workspaceName,
                                boolean isAliased,
                                Map<String,Boolean> pathPermissionCache,
                                Map<Object,AccessManagerUtils.CompiledAcl> compiledAcls,
                                JahiaPrivilegeRegistry privilegeRegistry)
                         throws javax.jcr.RepositoryException

Entry point to test if the given jahiaPrincipal match the given permissions on a node

Parameters:

pathWrapper - the path to the node

permissions - the permissions ask for check

securitySession - the session used to read the j:acl nodes, it should be a system session to be sure that nodes are readable in any case, the workspace of the session is important because acls under nodes can be different depending on the workspace. Normally the workspace of this session should be the same ot the workspace where you want to do the check of permissions.

jahiaPrincipal - the jahiaPrincipal to test

workspaceName - the workspace to check (used to construct the privilege names)

isAliased - if the current user is aliased

pathPermissionCache - Map used as a cache in memory to store the result of this function, to avoid recalculate everything if check is ask with similar parameters after

compiledAcls - Map used as a cache in memory to store the j:acl result for a given node, to avoid read jcr again to retrieve the acls in next calls

privilegeRegistry - Jahia Privilege registry, used to read Privilege or retrieve them using names.

Returns:

true if the jahiaPrincipal match the permissions for the given path, if not return false

Throws:

javax.jcr.RepositoryException - in case of JCR-related errors

getPermissionsInRole

public static Set<javax.jcr.security.Privilege> getPermissionsInRole(String role,
                                                                     JahiaPrivilegeRegistry privilegeRegistry)
                                                              throws javax.jcr.RepositoryException

Retrieve permissions of a given role The privilegesInRole cache will be used to read the permissions, if not found we used a system session in default workspace to read the role node

Parameters:

role - Role name

privilegeRegistry - JahiaPrivilegeRegistry

Returns:

return Set of Privilege objects

Throws:

javax.jcr.RepositoryException - in case of JCR-related errors

matchPermission

public static boolean matchPermission(Set<String> permissions,
                                      String role,
                                      boolean isAliased,
                                      JahiaPrivilegeRegistry privilegeRegistry,
                                      String workspaceName)
                               throws javax.jcr.RepositoryException

Test if a given role contains the list of permissions

Parameters:

permissions - list of permissions to test

role - the role

isAliased - if the current user is aliased

privilegeRegistry - the JahiaPrivilegedRegistry

workspaceName - the workspace

Returns:

true if the role contain all the permissions

Throws:

javax.jcr.RepositoryException - in case of JCR-related errors

getPrivileges

public static javax.jcr.security.Privilege[] getPrivileges(String absPath,
                                                           String workspace,
                                                           org.jahia.jaas.JahiaPrincipal jahiaPrincipal,
                                                           JahiaPrivilegeRegistry privilegeRegistry)
                                                    throws javax.jcr.PathNotFoundException,
                                                           javax.jcr.RepositoryException

Get the list Privilege from granted roles for a given principal on a node, recursive check on parents nodes when the acl node have the "inherit" flag, the getRoles(...) function is used to retrieve the roles.

Parameters:

absPath - the path to the node

workspace - the workspace

jahiaPrincipal - the principal

privilegeRegistry - the JahiaPrivilegeRegistry

Returns:

the list of privileges from the granted roles for the user on the node

Throws:

javax.jcr.PathNotFoundException

javax.jcr.RepositoryException - in case of JCR-related errors

getPrivileges

public static javax.jcr.security.Privilege[] getPrivileges(javax.jcr.Node node,
                                                           org.jahia.jaas.JahiaPrincipal jahiaPrincipal,
                                                           JahiaPrivilegeRegistry privilegeRegistry)
                                                    throws javax.jcr.PathNotFoundException,
                                                           javax.jcr.RepositoryException

Get the list Privilege from granted roles for a given principal on a node, recursive check on parents nodes when the acl node have the "inherit" flag, the getRoles(...) function is used to retrieve the roles.

Parameters:

node - the node

jahiaPrincipal - the principal

privilegeRegistry - the JahiaPrivilegeRegistry

Returns:

the list of privileges from the granted roles for the user on the node

Throws:

javax.jcr.PathNotFoundException

javax.jcr.RepositoryException - in case of JCR-related errors

isAdmin

public static boolean isAdmin(String siteKey,
                              org.jahia.jaas.JahiaPrincipal jahiaPrincipal)

Test if the given JahiaPrincipal is administrator, store the result in the jahiaPrincipal so we don't query the groupService in next calls

Parameters:

siteKey - if set, the test will check if the user is site administrator

jahiaPrincipal - the principal

Returns:

true if the user is administrator

getRoles

public static Set<String> getRoles(String absPath,
                                   String workspace,
                                   org.jahia.jaas.JahiaPrincipal jahiaPrincipal)
                            throws javax.jcr.PathNotFoundException,
                                   javax.jcr.RepositoryException

Get the list of granted role for a given principal on a node, recursive check on parents when the acl node have the "inherit" flag

Parameters:

absPath - the path of the node

workspace - the workspace

jahiaPrincipal - the jahiaPrincipal

Returns:

the list of granted roles for the user on the node

Throws:

javax.jcr.PathNotFoundException

javax.jcr.RepositoryException - in case of JCR-related errors

getRoles

public static Set<String> getRoles(javax.jcr.Node node,
                                   org.jahia.jaas.JahiaPrincipal jahiaPrincipal)
                            throws javax.jcr.PathNotFoundException,
                                   javax.jcr.RepositoryException

Get the list of granted role for a given principal on a node, recursive check on parents when the acl node have the "inherit" flag

Parameters:

node - the node, the session of the should allow to read under j:acl and ace nodes

jahiaPrincipal - the jahiaPrincipal

Returns:

the list of granted roles for the user on the node

Throws:

javax.jcr.PathNotFoundException

javax.jcr.RepositoryException - in case of JCR-related errors