From 0848671c81b5c007d32b7dce259b1c21325dc7e0 Mon Sep 17 00:00:00 2001
From: Andrew Hind <andy.hind@alfresco.com>
Date: Tue, 14 Jul 2009 20:05:58 +0000
Subject: [PATCH] RM capabilities: no op impl for RM_QUERY; First cut of Action
 security wrappers; Tidy up for new access API and config changes to support
 it across all public services (except AVM)

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@15186 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 .../public-services-security-context.xml      | 30 ++++++------
 .../impl/PublicServiceAccessServiceImpl.java  | 47 +++++++++++--------
 .../permissions/impl/acegi/ACLEntryVoter.java |  2 +-
 3 files changed, 44 insertions(+), 35 deletions(-)

diff --git a/config/alfresco/public-services-security-context.xml b/config/alfresco/public-services-security-context.xml
index de4560b988..4852a1b561 100644
--- a/config/alfresco/public-services-security-context.xml
+++ b/config/alfresco/public-services-security-context.xml
@@ -196,7 +196,7 @@
     <!-- The access decision manager asks voters in order if they should allow access    -->
     <!-- Role and group access do not require ACL based access                           -->
 
-    <bean id="accessDecisionManager" class="net.sf.acegisecurity.vote.AffirmativeBased">
+    <bean id="accessDecisionManager" class="org.alfresco.repo.security.permissions.impl.acegi.AffirmativeBasedAccessDecisionManger">
         <property name="allowIfAllAbstainDecisions"><value>false</value></property>
         <property name="decisionVoters">
             <list>
@@ -339,7 +339,7 @@
     <!--      Requires read for the node                                                 -->
 
 
-    <bean id="NodeService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
+    <bean id="NodeService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
         <property name="authenticationManager"><ref bean="authenticationManager"/></property>
         <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
         <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
@@ -392,7 +392,7 @@
     <!-- FileFolder Service Permissions -->
     <!-- ============================== -->
 
-    <bean id="FileFolderService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
+    <bean id="FileFolderService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
         <property name="authenticationManager"><ref bean="authenticationManager"/></property>
         <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
         <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
@@ -428,7 +428,7 @@
     <!-- Reading requires the permission to read content                                 -->
     <!-- Writing required the permission to write conent                                 -->
 
-    <bean id="ContentService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
+    <bean id="ContentService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
         <property name="authenticationManager"><ref bean="authenticationManager"/></property>
         <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
         <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
@@ -462,7 +462,7 @@
     <!-- All search results are filtered to exclude nodes that the current user can not        -->
     <!-- read. Other methods restrict queries to those nodes the user can read                 -->
 
-    <bean id="SearchService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
+    <bean id="SearchService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
         <property name="authenticationManager"><ref bean="authenticationManager"/></property>
         <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
         <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
@@ -487,7 +487,7 @@
 	
 	<!-- Uses the public node service for all mutations -  access is allowed here and enforced by the public node service -->
 
-    <bean id="CategoryService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
+    <bean id="CategoryService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
         <property name="authenticationManager"><ref bean="authenticationManager"/></property>
         <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
         <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
@@ -526,7 +526,7 @@
     <!-- Lock and Unlock require the related aspect specific permissions. Querying the   -->
     <!-- lock status just requires read access to the node.                              -->
 
-    <bean id="LockService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
+    <bean id="LockService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
         <property name="authenticationManager"><ref bean="authenticationManager"/></property>
         <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
         <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
@@ -559,7 +559,7 @@
     <!-- The version service does not have any restrictions applied at the moment. It    -->
     <!-- does not use a node service that would apply any permissions.                   -->
 
-    <bean id="MultilingualContentService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
+    <bean id="MultilingualContentService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
     <property name="authenticationManager"><ref bean="authenticationManager"/></property>
         <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
         <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
@@ -587,7 +587,7 @@
     <!-- Edition  Service    -->
     <!-- =================== -->
 
-    <bean id="EditionService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
+    <bean id="EditionService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
     <property name="authenticationManager"><ref bean="authenticationManager"/></property>
         <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
         <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
@@ -611,7 +611,7 @@
     <!-- the associated permission, as does cancel check out. See the permission model   -->
     <!-- for how these permissions are granted.                                          -->
 
-    <bean id="CheckoutCheckinService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
+    <bean id="CheckoutCheckinService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
         <property name="authenticationManager"><ref bean="authenticationManager"/></property>
         <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
         <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
@@ -660,7 +660,7 @@
     <!-- and ChangePermissions permissions. Access to some methods are not restricted at -->
     <!-- the moment.                                                                     -->
 
-    <bean id="PermissionService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
+    <bean id="PermissionService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
         <property name="authenticationManager"><ref bean="authenticationManager"/></property>
         <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
         <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
@@ -694,7 +694,7 @@
 
     <!-- This service currently has no restrictions.                                     -->
 
-    <bean id="AuthorityService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
+    <bean id="AuthorityService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
         <property name="authenticationManager"><ref bean="authenticationManager"/></property>
         <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
         <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
@@ -740,7 +740,7 @@
    <!-- NOTE: Authentication is excluded as it sets or clears authentication -->
    <!-- The same for validate ticaket -->
    <!-- Update authentication checks internally -->
-   <bean id="AuthenticationService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
+   <bean id="AuthenticationService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
         <property name="authenticationManager"><ref bean="authenticationManager"/></property>
         <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
         <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
@@ -775,7 +775,7 @@
     <!-- This service currently has no restrictions.                                     -->
     <!-- TODO: respect the permissions on the ownable service                            -->
 
-    <bean id="OwnableService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
+    <bean id="OwnableService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
         <property name="authenticationManager"><ref bean="authenticationManager"/></property>
         <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
         <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
@@ -793,7 +793,7 @@
 
     <!-- Person Service -->
 
-     <bean id="PersonService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
+     <bean id="PersonService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
         <property name="authenticationManager"><ref bean="authenticationManager"/></property>
         <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
         <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
diff --git a/source/java/org/alfresco/repo/security/permissions/impl/PublicServiceAccessServiceImpl.java b/source/java/org/alfresco/repo/security/permissions/impl/PublicServiceAccessServiceImpl.java
index 656fbe8c8b..99e07d05c6 100644
--- a/source/java/org/alfresco/repo/security/permissions/impl/PublicServiceAccessServiceImpl.java
+++ b/source/java/org/alfresco/repo/security/permissions/impl/PublicServiceAccessServiceImpl.java
@@ -36,7 +36,6 @@ import org.springframework.beans.factory.BeanFactory;
 import org.springframework.beans.factory.BeanFactoryAware;
 import org.springframework.beans.factory.ListableBeanFactory;
 
-
 public class PublicServiceAccessServiceImpl implements PublicServiceAccessService, BeanFactoryAware
 {
 
@@ -44,36 +43,46 @@ public class PublicServiceAccessServiceImpl implements PublicServiceAccessServic
 
     public AccessStatus hasAccess(String publicService, String methodName, Object... args)
     {
-        MethodSecurityInterceptor msi = (MethodSecurityInterceptor)beanFactory.getBean(publicService+"_security");
-        if(msi == null)
+        Object interceptor = beanFactory.getBean(publicService + "_security");
+        if (interceptor == null)
         {
-            throw new UnsupportedOperationException("Unknown public service security implementation "+publicService);
+            throw new UnsupportedOperationException("Unknown public service security implementation " + publicService);
         }
-        
-        MethodInvocation methodInvocation = null;
-        Object publicServiceImpl = beanFactory.getBean(publicService);
-        for(Method  method : publicServiceImpl.getClass().getMethods())
+        if (interceptor instanceof AlwaysProceedMethodInterceptor)
         {
-            if(method.getName().equals(methodName))
+            return AccessStatus.ALLOWED;
+        }
+
+        if (interceptor instanceof MethodSecurityInterceptor)
+        {
+            MethodSecurityInterceptor msi = (MethodSecurityInterceptor) interceptor;
+
+            MethodInvocation methodInvocation = null;
+            Object publicServiceImpl = beanFactory.getBean(publicService);
+            for (Method method : publicServiceImpl.getClass().getMethods())
             {
-                if(method.getParameterTypes().length == args.length)
+                if (method.getName().equals(methodName))
                 {
-                    methodInvocation = new ReflectiveMethodInvocation(null, null, method, args, null, null);
+                    if (method.getParameterTypes().length == args.length)
+                    {
+                        methodInvocation = new ReflectiveMethodInvocation(null, null, method, args, null, null);
+                    }
                 }
             }
+
+            if (methodInvocation == null)
+            {
+                throw new UnsupportedOperationException("Unknown public service security implementation " + publicService + "." + methodName);
+            }
+
+            return msi.pre(methodInvocation);
         }
-        
-        if(methodInvocation == null)
-        {
-            throw new UnsupportedOperationException("Unknown public service security implementation "+publicService+"."+methodName);
-        }
-        
-        return msi.pre(methodInvocation);
+        throw new UnsupportedOperationException("Unknown security interceptor "+interceptor.getClass());
     }
 
     public void setBeanFactory(BeanFactory beanFactory) throws BeansException
     {
-        this.beanFactory = (ListableBeanFactory)beanFactory;
+        this.beanFactory = (ListableBeanFactory) beanFactory;
     }
 
 }
diff --git a/source/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoter.java b/source/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoter.java
index 9698d472ad..a7b356a548 100644
--- a/source/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoter.java
+++ b/source/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoter.java
@@ -256,7 +256,7 @@ public class ACLEntryVoter implements AccessDecisionVoter, InitializingBean
 
         if (supportedDefinitions.size() == 0)
         {
-            return AccessDecisionVoter.ACCESS_GRANTED;
+            return AccessDecisionVoter.ACCESS_ABSTAIN;
         }
 
         MethodInvocation invocation = (MethodInvocation) object;