inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-08-07 17:49:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

RM capabilities: no op impl for RM_QUERY; First cut of Action security wrappers; Tidy up for new access API and config changes to support it across all public services (except AVM)

Browse Source 
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@15186 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Andrew Hind
2009-07-14 20:05:58 +00:00
parent 7f0e03e131
commit 0848671c81
3 changed files with 44 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
config/alfresco/public-services-security-context.xml
View File

@@ -196,7 +196,7 @@
<!-- The access decision manager asks voters in order if they should allow access --> <!-- The access decision manager asks voters in order if they should allow access -->
<!-- Role and group access do not require ACL based access --> <!-- Role and group access do not require ACL based access -->
<bean id="accessDecisionManager" class="net.sf.acegisecurity.vote.AffirmativeBased"> <bean id="accessDecisionManager" class="org.alfresco.repo.security.permissions.impl.acegi.AffirmativeBasedAccessDecisionManger">
<property name="allowIfAllAbstainDecisions"><value>false</value></property> <property name="allowIfAllAbstainDecisions"><value>false</value></property>
<property name="decisionVoters"> <property name="decisionVoters">
<list> <list>
@@ -339,7 +339,7 @@
<!-- Requires read for the node --> <!-- Requires read for the node -->
<bean id="NodeService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"> <bean id="NodeService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property> <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property> <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
@@ -392,7 +392,7 @@
<!-- FileFolder Service Permissions --> <!-- FileFolder Service Permissions -->
<!-- ============================== --> <!-- ============================== -->
<bean id="FileFolderService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"> <bean id="FileFolderService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property> <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property> <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
@@ -428,7 +428,7 @@
<!-- Reading requires the permission to read content --> <!-- Reading requires the permission to read content -->
<!-- Writing required the permission to write conent --> <!-- Writing required the permission to write conent -->
<bean id="ContentService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"> <bean id="ContentService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property> <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property> <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
@@ -462,7 +462,7 @@
<!-- All search results are filtered to exclude nodes that the current user can not --> <!-- All search results are filtered to exclude nodes that the current user can not -->
<!-- read. Other methods restrict queries to those nodes the user can read --> <!-- read. Other methods restrict queries to those nodes the user can read -->
<bean id="SearchService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"> <bean id="SearchService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property> <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property> <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
@@ -487,7 +487,7 @@
<!-- Uses the public node service for all mutations - access is allowed here and enforced by the public node service --> <!-- Uses the public node service for all mutations - access is allowed here and enforced by the public node service -->
<bean id="CategoryService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"> <bean id="CategoryService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property> <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property> <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
@@ -526,7 +526,7 @@
<!-- Lock and Unlock require the related aspect specific permissions. Querying the --> <!-- Lock and Unlock require the related aspect specific permissions. Querying the -->
<!-- lock status just requires read access to the node. --> <!-- lock status just requires read access to the node. -->
<bean id="LockService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"> <bean id="LockService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property> <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property> <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
@@ -559,7 +559,7 @@
<!-- The version service does not have any restrictions applied at the moment. It --> <!-- The version service does not have any restrictions applied at the moment. It -->
<!-- does not use a node service that would apply any permissions. --> <!-- does not use a node service that would apply any permissions. -->
<bean id="MultilingualContentService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"> <bean id="MultilingualContentService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property> <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property> <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
@@ -587,7 +587,7 @@
<!-- Edition Service --> <!-- Edition Service -->
<!-- =================== --> <!-- =================== -->
<bean id="EditionService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"> <bean id="EditionService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property> <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property> <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
@@ -611,7 +611,7 @@
<!-- the associated permission, as does cancel check out. See the permission model --> <!-- the associated permission, as does cancel check out. See the permission model -->
<!-- for how these permissions are granted. --> <!-- for how these permissions are granted. -->
<bean id="CheckoutCheckinService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"> <bean id="CheckoutCheckinService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property> <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property> <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
@@ -660,7 +660,7 @@
<!-- and ChangePermissions permissions. Access to some methods are not restricted at --> <!-- and ChangePermissions permissions. Access to some methods are not restricted at -->
<!-- the moment. --> <!-- the moment. -->
<bean id="PermissionService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"> <bean id="PermissionService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property> <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property> <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
@@ -694,7 +694,7 @@
<!-- This service currently has no restrictions. --> <!-- This service currently has no restrictions. -->
<bean id="AuthorityService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"> <bean id="AuthorityService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property> <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property> <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
@@ -740,7 +740,7 @@
<!-- NOTE: Authentication is excluded as it sets or clears authentication --> <!-- NOTE: Authentication is excluded as it sets or clears authentication -->
<!-- The same for validate ticaket --> <!-- The same for validate ticaket -->
<!-- Update authentication checks internally --> <!-- Update authentication checks internally -->
<bean id="AuthenticationService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"> <bean id="AuthenticationService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property> <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property> <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
@@ -775,7 +775,7 @@
<!-- This service currently has no restrictions. --> <!-- This service currently has no restrictions. -->
<!-- TODO: respect the permissions on the ownable service --> <!-- TODO: respect the permissions on the ownable service -->
<bean id="OwnableService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"> <bean id="OwnableService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property> <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property> <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
@@ -793,7 +793,7 @@
<!-- Person Service --> <!-- Person Service -->
<bean id="PersonService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"> <bean id="PersonService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property> <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property> <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>

47
source/java/org/alfresco/repo/security/permissions/impl/PublicServiceAccessServiceImpl.java
View File

@@ -36,7 +36,6 @@ import org.springframework.beans.factory.BeanFactory;
import org.springframework.beans.factory.BeanFactoryAware; import org.springframework.beans.factory.BeanFactoryAware;
import org.springframework.beans.factory.ListableBeanFactory; import org.springframework.beans.factory.ListableBeanFactory;
public class PublicServiceAccessServiceImpl implements PublicServiceAccessService, BeanFactoryAware public class PublicServiceAccessServiceImpl implements PublicServiceAccessService, BeanFactoryAware
{ {
@@ -44,36 +43,46 @@ public class PublicServiceAccessServiceImpl implements PublicServiceAccessServic
public AccessStatus hasAccess(String publicService, String methodName, Object... args) public AccessStatus hasAccess(String publicService, String methodName, Object... args)
{ {
MethodSecurityInterceptor msi = (MethodSecurityInterceptor)beanFactory.getBean(publicService+"_security"); Object interceptor = beanFactory.getBean(publicService + "_security");
if(msi == null) if (interceptor == null)
{ {
throw new UnsupportedOperationException("Unknown public service security implementation "+publicService); throw new UnsupportedOperationException("Unknown public service security implementation " + publicService);
} }
if (interceptor instanceof AlwaysProceedMethodInterceptor)
MethodInvocation methodInvocation = null;
Object publicServiceImpl = beanFactory.getBean(publicService);
for(Method method : publicServiceImpl.getClass().getMethods())
{ {
if(method.getName().equals(methodName)) return AccessStatus.ALLOWED;
}
if (interceptor instanceof MethodSecurityInterceptor)
{
MethodSecurityInterceptor msi = (MethodSecurityInterceptor) interceptor;
MethodInvocation methodInvocation = null;
Object publicServiceImpl = beanFactory.getBean(publicService);
for (Method method : publicServiceImpl.getClass().getMethods())
{ {
if(method.getParameterTypes().length == args.length) if (method.getName().equals(methodName))
{ {
methodInvocation = new ReflectiveMethodInvocation(null, null, method, args, null, null); if (method.getParameterTypes().length == args.length)
{
methodInvocation = new ReflectiveMethodInvocation(null, null, method, args, null, null);
}
} }
} }
if (methodInvocation == null)
{
throw new UnsupportedOperationException("Unknown public service security implementation " + publicService + "." + methodName);
}
return msi.pre(methodInvocation);
} }
throw new UnsupportedOperationException("Unknown security interceptor "+interceptor.getClass());
if(methodInvocation == null)
{
throw new UnsupportedOperationException("Unknown public service security implementation "+publicService+"."+methodName);
}
return msi.pre(methodInvocation);
} }
public void setBeanFactory(BeanFactory beanFactory) throws BeansException public void setBeanFactory(BeanFactory beanFactory) throws BeansException
{ {
this.beanFactory = (ListableBeanFactory)beanFactory; this.beanFactory = (ListableBeanFactory) beanFactory;
} }
} }

2
source/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoter.java
View File

@@ -256,7 +256,7 @@ public class ACLEntryVoter implements AccessDecisionVoter, InitializingBean
if (supportedDefinitions.size() == 0) if (supportedDefinitions.size() == 0)
{ {
return AccessDecisionVoter.ACCESS_GRANTED; return AccessDecisionVoter.ACCESS_ABSTAIN;
} }
MethodInvocation invocation = (MethodInvocation) object; MethodInvocation invocation = (MethodInvocation) object;