inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-10-01 14:41:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

RM-452: RM seurity context will break core Alfresco if Alfresco's public services change

Browse Source 
* core method security no long redefined within the rm module
 * rm method security defined in a properties file
 * can be overridden/extended by adding rm-method-security.properties to alfresco/extension



git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.0-BUG-FIX@39590 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Roy Wetherall
2012-07-23 06:08:10 +00:00
parent 9ca6967e05
commit 4c088728b1
12 changed files with 466 additions and 537 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
rm-server/config/alfresco/module/org_alfresco_module_rm/log4j.properties
View File

@@ -1 +1,2 @@
log4j.logger.org.alfresco.module.org_alfresco_module_rm.caveat=warn
log4j.logger.org.alfresco.module.org_alfresco_module_rm.security.RMMethodSecurityPostProcessor=warn

1
rm-server/config/alfresco/module/org_alfresco_module_rm/module-context.xml
View File

@@ -73,6 +73,7 @@
<!-- Import fixed permission definitions for RM -->
<import resource="classpath:alfresco/module/org_alfresco_module_rm/rm-public-services-security-context.xml"/>
<import resource="classpath:alfresco/module/org_alfresco_module_rm/security/rm-method-security-context.xml"/>
<!-- Import the RM service's -->
<import resource="classpath:alfresco/module/org_alfresco_module_rm/rm-service-context.xml"/>

530
rm-server/config/alfresco/module/org_alfresco_module_rm/rm-public-services-security-context.xml
View File

@@ -172,536 +172,6 @@
</property>
</bean>
<!-- ================================ -->
<!-- Beans that enforce secure access -->
<!-- ================================ -->
<!-- Each bean defines a new methos security interceptor wired up with the -->
<!-- authenticationManager, accessDecisionManager and afterInvocationManager, which -->
<!-- can all be reused. -->
<!-- If one method cal requires security enforcement - all methods must gave a -->
<!-- security entry of some sort. ACL_ALLOW can be used to give access to all -->
<!-- ROLE_ADMINISTRATOR can be used to grant access to administrator related methods -->
<!-- The namespace service does not enforce any security requirements -->
<bean id="NamespaceService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor"/>
<!-- The dictionary service does not enforce any security requirements -->
<bean id="DictionaryService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor"/>
<!-- ======================== -->
<!-- Node service permissions -->
<!-- ======================== -->
<!-- See the NodeService for the parameters required for each method call. -->
<!-- -->
<!-- getStores -->
<!-- returns a list fo the stores to which the curent authentication has Read -->
<!-- permission. (See the permission model defintion for what this means) -->
<!-- createStore -->
<!-- only a user with the administrator role can create new stores -->
<!-- exists -->
<!-- check if a node exists. If the current user does not have read access then -->
<!-- the node will not exist. -->
<!-- getRootNode -->
<!-- get the root node for a store - access will be denied for users who do not -->
<!-- have Read permission for the root node of the store. -->
<!-- createNode -->
<!-- requires that the current authentication has the permission to create -->
<!-- children for the containing node. -->
<!-- moveNode -->
<!-- requires that the current authentication has the permission to delete the -->
<!-- the node in the source folder and create it in the destination folder. -->
<!-- setChildAssociationIndex -->
<!-- required write properties permission on the parent -->
<!-- getType -->
<!-- obtaining the type of a node requires read access -->
<!-- addAspect -->
<!-- adding an aspect updates a multi-valued property so this requires write -->
<!-- access to properties. -->
<!-- removeAspect -->
<!-- removing an aspect updates a multi-valued property so this requires write -->
<!-- access to properties. -->
<!-- hasAspect -->
<!-- querying for an aspect requires read access to a property -->
<!-- getAspects -->
<!-- querying for all aspect requires read access to a property -->
<!-- deleteNode -->
<!-- requires the delete permission -->
<!-- addChild -->
<!-- requires create children on the parent -->
<!-- removeChild -->
<!-- Requires delete children from the parent and delete for the child -->
<!-- removeChildAssociation -->
<!-- Requires delete children from the parent and delete for the child -->
<!-- getProperties -->
<!-- Requires read properties for the node -->
<!-- getProperty -->
<!-- Requires read properties for the node -->
<!-- setProperties -->
<!-- Requires write properties for the node -->
<!-- setProperty -->
<!-- Requires write properties for the node -->
<!-- getParentAssocs -->
<!-- Requires read on the node and returns only parents that can be seen -->
<!-- It is possible that no parents are accessible -->
<!-- getChildAssocs -->
<!-- Requires read on the node and returns only children that can be seen -->
<!-- It is possible that no children are accessible -->
<!-- getPrimaryParent -->
<!-- Requires read on the node an aceess error will be thrown if the primary -->
<!-- parent can not be read -->
<!-- createAssociation -->
<!-- NOT SET YET -->
<!-- removeAssociation -->
<!-- NOT SET YET -->
<!-- getTargetAssocs -->
<!-- NOT SET YET -->
<!-- getSourceAssocs -->
<!-- NOT SET YET -->
<!-- getPath -->
<!-- Requires read for the node -->
<!-- getPaths -->
<!-- Requires read for the node -->
<bean id="NodeService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
<property name="authenticationManager">
<ref bean="authenticationManager"/>
</property>
<property name="accessDecisionManager">
<ref local="accessDecisionManager"/>
</property>
<property name="afterInvocationManager">
<ref local="afterInvocationManager"/>
</property>
<property name="objectDefinitionSource">
<value>
<![CDATA[
org.alfresco.service.cmr.repository.NodeService.getStores=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties,RM_ABSTAIN
org.alfresco.service.cmr.repository.NodeService.createStore=ACL_METHOD.ROLE_ADMINISTRATOR,RM_ABSTAIN
org.alfresco.service.cmr.repository.NodeService.exists=ACL_ALLOW,RM_ALLOW
org.alfresco.service.cmr.repository.NodeService.getNodeStatus=ACL_NODE.0.sys:base.ReadProperties,RM.Read.0
org.alfresco.service.cmr.repository.NodeService.getAllRootNodes=ACL_NODE.0.sys:base.ReadProperties,AFTER_ACL_NODE.sys:base.ReadProperties,RM.Read.0,AFTER_RM.FilterNode
org.alfresco.service.cmr.repository.NodeService.getRootNode=ACL_NODE.0.sys:base.ReadProperties,RM_ABSTAIN
org.alfresco.service.cmr.repository.NodeService.createNode=ACL_NODE.0.sys:base.CreateChildren,RM.Create.0.3
org.alfresco.service.cmr.repository.NodeService.moveNode=ACL_NODE.0.sys:base.DeleteNode,ACL_NODE.1.sys:base.CreateChildren,RM.Move.0.1
org.alfresco.service.cmr.repository.NodeService.setChildAssociationIndex=ACL_PARENT.0.sys:base.WriteProperties,RM_ABSTAIN
org.alfresco.service.cmr.repository.NodeService.getType=ACL_ALLOW,RM_ALLOW
org.alfresco.service.cmr.repository.NodeService.setType=ACL_NODE.0.sys:base.WriteProperties,RM_ABSTAIN
org.alfresco.service.cmr.repository.NodeService.addAspect=ACL_NODE.0.sys:base.WriteProperties,RM.Update.0.1.2
org.alfresco.service.cmr.repository.NodeService.removeAspect=ACL_NODE.0.sys:base.WriteProperties,RM.Update.0.1
org.alfresco.service.cmr.repository.NodeService.hasAspect=ACL_NODE.0.sys:base.ReadProperties,RM.Read.0
org.alfresco.service.cmr.repository.NodeService.getAspects=ACL_NODE.0.sys:base.ReadProperties,RM.Read.0
org.alfresco.service.cmr.repository.NodeService.deleteNode=ACL_NODE.0.sys:base.DeleteNode,RM.Delete.0
org.alfresco.service.cmr.repository.NodeService.addChild=ACL_NODE.0.sys:base.CreateChildren,ACL_NODE.1.sys:base.ReadProperties,RM.Create.0.1.2
org.alfresco.service.cmr.repository.NodeService.removeChild=ACL_NODE.0.sys:base.DeleteChildren,ACL_NODE.1.sys:base.DeleteNode,RM.Delete.0.1
org.alfresco.service.cmr.repository.NodeService.removeChildAssociation=ACL_PARENT.0.sys:base.DeleteChildren,ACL_NODE.0.sys:base.DeleteNode,RM.Delete.0
org.alfresco.service.cmr.repository.NodeService.getProperties=ACL_NODE.0.sys:base.ReadProperties,RM.Read.0,AFTER_RM.FilterProperty
org.alfresco.service.cmr.repository.NodeService.getProperty=ACL_NODE.0.sys:base.ReadProperties,RM.Read.0,RM.ReadProperty.0.1
org.alfresco.service.cmr.repository.NodeService.setProperties=ACL_NODE.0.sys:base.WriteProperties,RM.UpdateProperties.0.1
org.alfresco.service.cmr.repository.NodeService.addProperties=ACL_NODE.0.sys:base.WriteProperties,RM.UpdateProperties.0.1
org.alfresco.service.cmr.repository.NodeService.setProperty=ACL_NODE.0.sys:base.WriteProperties,RM.UpdateProperties.0.1.2
org.alfresco.service.cmr.repository.NodeService.removeProperty=ACL_NODE.0.sys:base.WriteProperties,RM.UpdateProperties.0.1
org.alfresco.service.cmr.repository.NodeService.getParentAssocs=ACL_NODE.0.sys:base.ReadProperties,RM.Read.0
org.alfresco.service.cmr.repository.NodeService.getChildAssocs=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.ReadProperties,RM.Read.0,AFTER_RM.FilterNode
org.alfresco.service.cmr.repository.NodeService.getChildByName=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.ReadProperties,RM.Read.0,AFTER_RM.FilterNode
org.alfresco.service.cmr.repository.NodeService.getChildrenByName=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.ReadProperties,RM.Read.0,AFTER_RM.FilterNode
org.alfresco.service.cmr.repository.NodeService.getPrimaryParent=ACL_NODE.0.sys:base.ReadProperties,RM.Read.0
org.alfresco.service.cmr.repository.NodeService.createAssociation=ACL_ALLOW,RM.Assoc.0.1
org.alfresco.service.cmr.repository.NodeService.removeAssociation=ACL_ALLOW,RM.Assoc.0.1
org.alfresco.service.cmr.repository.NodeService.getTargetAssocs=ACL_ALLOW,RM.Read.0
org.alfresco.service.cmr.repository.NodeService.getSourceAssocs=ACL_ALLOW,RM.Read.0
org.alfresco.service.cmr.repository.NodeService.getAssoc=ACL_ALLOW,RM.Read.0
org.alfresco.service.cmr.repository.NodeService.getPath=ACL_NODE.0.sys:base.ReadProperties,RM.Read.0
org.alfresco.service.cmr.repository.NodeService.getPaths=ACL_NODE.0.sys:base.ReadProperties,RM.Read.0
org.alfresco.service.cmr.repository.NodeService.getStoreArchiveNode=ACL_NODE.0.sys:base.Read,RM_ABSTAIN
org.alfresco.service.cmr.repository.NodeService.restoreNode=ACL_NODE.0.sys:base.DeleteNode,ACL_NODE.1.sys:base.CreateChildren,RM_ABSTAIN
org.alfresco.service.cmr.repository.NodeService.getChildAssocsWithoutParentAssocsOfType=ACL_NODE.0.sys:base.ReadProperties,AFTER_ACL_NODE.sys:base.ReadProperties,RM_ABSTAIN
org.alfresco.service.cmr.repository.NodeService.getNodeRef=AFTER_ACL_NODE.sys:base.ReadProperties,RM.Read.0
org.alfresco.service.cmr.repository.NodeService.getChildAssocsByPropertyValue=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.ReadProperties,RM.Read.0,AFTER_RM.FilterNode
org.alfresco.service.cmr.repository.NodeService.countChildAssocs=ACL_NODE.0.sys:base.ReadChildren,RM.Read.0
org.alfresco.service.cmr.repository.NodeService.*=ACL_DENY,RM_DENY
]]>
</value>
</property>
</bean>
<!-- ============================== -->
<!-- FileFolder Service Permissions -->
<!-- ============================== -->
<bean id="FileFolderService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
<property name="authenticationManager">
<ref bean="authenticationManager"/>
</property>
<property name="accessDecisionManager">
<ref local="accessDecisionManager"/>
</property>
<property name="afterInvocationManager">
<ref local="afterInvocationManager"/>
</property>
<property name="objectDefinitionSource">
<value>
<![CDATA[
org.alfresco.service.cmr.model.FileFolderService.list=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.ReadProperties,RM.Read.0,AFTER_RM.FilterNode
org.alfresco.service.cmr.model.FileFolderService.listFiles=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.ReadProperties,RM.Read.0,AFTER_RM.FilterNode
org.alfresco.service.cmr.model.FileFolderService.listFolders=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.ReadProperties,RM.Read.0,AFTER_RM.FilterNode
org.alfresco.service.cmr.model.FileFolderService.listDeepFolders=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.ReadProperties,RM.Read.0,AFTER_RM.FilterNode
org.alfresco.service.cmr.model.FileFolderService.getLocalizedSibling=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties,RM_ALLOW
org.alfresco.service.cmr.model.FileFolderService.search=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.Read,RM.Read.0,AFTER_RM.FilterNode
org.alfresco.service.cmr.model.FileFolderService.searchSimple=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.Read,RM.Read.0,AFTER_RM.FilterNode
org.alfresco.service.cmr.model.FileFolderService.rename=ACL_NODE.0.sys:base.WriteProperties,RM.Update.0
org.alfresco.service.cmr.model.FileFolderService.move=ACL_NODE.0.sys:base.DeleteNode,ACL_NODE.1.sys:base.CreateChildren,RM.Move.0.1
org.alfresco.service.cmr.model.FileFolderService.moveFrom=ACL_NODE.0.sys:base.DeleteNode,ACL_NODE.2.sys:base.CreateChildren,RM.Move.0.2
org.alfresco.service.cmr.model.FileFolderService.copy=ACL_NODE.0.sys:base.Read,ACL_NODE.1.sys:base.CreateChildren,RM.Read.0,RM.Create.1.0
org.alfresco.service.cmr.model.FileFolderService.create=ACL_NODE.0.sys:base.CreateChildren,RM.Create.0.2
org.alfresco.service.cmr.model.FileFolderService.delete=ACL_NODE.0.sys:base.DeleteNode,RM.Delete.0
org.alfresco.service.cmr.model.FileFolderService.getNamePath=ACL_NODE.1.sys:base.ReadProperties,RM.Read.1
org.alfresco.service.cmr.model.FileFolderService.resolveNamePath=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties,RM.Read.0
org.alfresco.service.cmr.model.FileFolderService.getFileInfo=ACL_NODE.0.sys:base.ReadProperties,RM.Read.0
org.alfresco.service.cmr.model.FileFolderService.getReader=ACL_NODE.0.sys:base.ReadContent,RM.Read.0
org.alfresco.service.cmr.model.FileFolderService.getWriter=ACL_NODE.0.sys:base.WriteContent,RM.WriteContent.0
org.alfresco.service.cmr.model.FileFolderService.exists=ACL_ALLOW,RM_ALLOW
org.alfresco.service.cmr.model.FileFolderService.getType=ACL_ALLOW,RM.Read.0
org.alfresco.service.cmr.model.FileFolderService.*=ACL_DENY,RM_DENY
]]>
</value>
</property>
</bean>
<!-- =========================== -->
<!-- Content Service Permissions -->
<!-- =========================== -->
<!-- Reading requires the permission to read content -->
<!-- Writing required the permission to write conent -->
<bean id="ContentService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
<property name="authenticationManager">
<ref bean="authenticationManager"/>
</property>
<property name="accessDecisionManager">
<ref local="accessDecisionManager"/>
</property>
<property name="afterInvocationManager">
<ref local="afterInvocationManager"/>
</property>
<property name="objectDefinitionSource">
<value>
<![CDATA[
org.alfresco.service.cmr.repository.ContentService.getStoreTotalSpace=ACL_ALLOW,RM_ALLOW
org.alfresco.service.cmr.repository.ContentService.getStoreFreeSpace=ACL_ALLOW,RM_ALLOW
org.alfresco.service.cmr.repository.ContentService.getRawReader=ACL_METHOD.ROLE_ADMINISTRATOR,RM_ABSTAIN
org.alfresco.service.cmr.repository.ContentService.getReader=ACL_NODE.0.sys:base.ReadContent,RM.Read.0
org.alfresco.service.cmr.repository.ContentService.getWriter=ACL_NODE.0.sys:base.WriteContent,RM.WriteContent.0
org.alfresco.service.cmr.repository.ContentService.isTransformable=ACL_ALLOW,RM_ALLOW
org.alfresco.service.cmr.repository.ContentService.getTransformer=ACL_ALLOW,RM_ALLOW
org.alfresco.service.cmr.repository.ContentService.getMaxSourceSizeBytes=ACL_ALLOW,RM_ALLOW
org.alfresco.service.cmr.repository.ContentService.getImageTransformer=ACL_ALLOW,RM_ALLOW
org.alfresco.service.cmr.repository.ContentService.transform=ACL_ALLOW,RM_ALLOW
org.alfresco.service.cmr.repository.ContentService.getTempWriter=ACL_ALLOW,RM_ALLOW
org.alfresco.service.cmr.repository.ContentService.*=ACL_DENY,RM_DENY
]]>
</value>
</property>
</bean>
<!-- ================ -->
<!-- MimeType Service -->
<!-- ================ -->
<!-- There are no permissions around mime types -->
<bean id="MimetypeService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor"/>
<!-- ============== -->
<!-- Search Service -->
<!-- ============== -->
<!-- All search results are filtered to exclude nodes that the current user can not -->
<!-- read. Other methods restrict queries to those nodes the user can read -->
<bean id="SearchService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
<property name="authenticationManager">
<ref bean="authenticationManager"/>
</property>
<property name="accessDecisionManager">
<ref local="accessDecisionManager"/>
</property>
<property name="afterInvocationManager">
<ref local="afterInvocationManager"/>
</property>
<property name="objectDefinitionSource">
<value>
<![CDATA[
org.alfresco.service.cmr.search.SearchService.query=ACL_ALLOW,AFTER_ACL_NODE.sys:base.Read,RM_QUERY,AFTER_RM.FilterNode
org.alfresco.service.cmr.search.SearchService.selectNodes=ACL_ALLOW,AFTER_ACL_NODE.sys:base.Read,RM_QUERY,AFTER_RM.FilterNode
org.alfresco.service.cmr.search.SearchService.selectProperties=ACL_NODE.0.sys:base.Read,RM_ABSTAIN
org.alfresco.service.cmr.search.SearchService.contains=ACL_NODE.0.sys:base.Read,RM.Read.0
org.alfresco.service.cmr.search.SearchService.like=ACL_NODE.0.sys:base.Read,RM.Read.0
org.alfresco.service.cmr.search.SearchService.*=ACL_DENY,RM_DENY
]]>
</value>
</property>
</bean>
<!-- ================ -->
<!-- Category Service -->
<!-- ================ -->
<!-- Category queries are filtered for nodes that are visible to the current user -->
<!-- Other methods are unrestricted at the moment -->
<!-- Uses the public node service for all mutations - access is allowed here and enforced by the public node service -->
<bean id="CategoryService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
<property name="authenticationManager">
<ref bean="authenticationManager"/>
</property>
<property name="accessDecisionManager">
<ref local="accessDecisionManager"/>
</property>
<property name="afterInvocationManager">
<ref local="afterInvocationManager"/>
</property>
<property name="objectDefinitionSource">
<value>
<![CDATA[
org.alfresco.service.cmr.search.CategoryService.getChildren=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties,RM_ABSTAIN
org.alfresco.service.cmr.search.CategoryService.getCategories=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties,RM_ABSTAIN
org.alfresco.service.cmr.search.CategoryService.getClassifications=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties,RM_ABSTAIN
org.alfresco.service.cmr.search.CategoryService.getRootCategories=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties,RM_ABSTAIN
org.alfresco.service.cmr.search.CategoryService.getClassificationAspects=ACL_ALLOW,RM_ABSTAIN
org.alfresco.service.cmr.search.CategoryService.createClassification=ACL_ALLOW,RM_ABSTAIN
org.alfresco.service.cmr.search.CategoryService.createRootCategory=ACL_ALLOW,RM_ABSTAIN
org.alfresco.service.cmr.search.CategoryService.createCategory=ACL_ALLOW,RM_ABSTAIN
org.alfresco.service.cmr.search.CategoryService.deleteClassification=ACL_ALLOW,RM_ABSTAIN
org.alfresco.service.cmr.search.CategoryService.deleteCategory=ACL_ALLOW,RM_ABSTAIN
org.alfresco.service.cmr.search.CategoryService.getTopCategories=ACL_ALLOW,RM_ABSTAIN
org.alfresco.service.cmr.search.CategoryService.*=ACL_DENY,RM_DENY
]]>
</value>
</property>
</bean>
<!-- ============ -->
<!-- Copy Service -->
<!-- ============ -->
<!-- The copy service does not require any security restrictions, they are imposed -->
<!-- by the node service it uses to do its work. -->
<bean id="CopyService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor"/>
<!-- ================ -->
<!-- The Lock Service -->
<!-- ================ -->
<!-- Lock and Unlock require the related aspect specific permissions. Querying the -->
<!-- lock status just requires read access to the node. -->
<bean id="LockService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
<property name="authenticationManager">
<ref bean="authenticationManager"/>
</property>
<property name="accessDecisionManager">
<ref local="accessDecisionManager"/>
</property>
<property name="afterInvocationManager">
<ref local="afterInvocationManager"/>
</property>
<property name="objectDefinitionSource">
<value>
<![CDATA[
org.alfresco.service.cmr.lock.LockService.lock=ACL_NODE.0.cm:lockable.Lock,RM_ABSTAIN
org.alfresco.service.cmr.lock.LockService.unlock=ACL_NODE.0.cm:lockable.Unlock,RM_ABSTAIN
org.alfresco.service.cmr.lock.LockService.getLockStatus=ACL_NODE.0.sys:base.ReadProperties,RM.Read.0
org.alfresco.service.cmr.lock.LockService.getLockType=ACL_NODE.0.sys:base.ReadProperties,RM.Read.0
org.alfresco.service.cmr.lock.LockService.checkForLock=ACL_NODE.0.sys:base.ReadProperties,RM.Read.0
org.alfresco.service.cmr.lock.LockService.getLocks=ACL_NODE.0.sys:base.ReadProperties,RM.Read.0
org.alfresco.service.cmr.lock.LockService.*=ACL_DENY,RM_DENY
]]>
</value>
</property>
</bean>
<!-- =============== -->
<!-- Version Service -->
<!-- =============== -->
<!-- The version service does not have any restrictions applied at the moment. It -->
<!-- does not use a node service that would apply any permissions. -->
<bean id="VersionService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor"/>
<!-- =============================== -->
<!-- Multilingual Content Service -->
<!-- =============================== -->
<!-- The version service does not have any restrictions applied at the moment. It -->
<!-- does not use a node service that would apply any permissions. -->
<bean id="MultilingualContentService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
<property name="authenticationManager">
<ref bean="authenticationManager"/>
</property>
<property name="accessDecisionManager">
<ref local="accessDecisionManager"/>
</property>
<property name="afterInvocationManager">
<ref local="afterInvocationManager"/>
</property>
<property name="objectDefinitionSource">
<value>
<![CDATA[
org.alfresco.service.cmr.ml.MultilingualContentService.getTranslationContainer=ACL_ALLOW,RM_ABSTAIN
org.alfresco.service.cmr.ml.MultilingualContentService.getTranslations=ACL_NODE.0.sys:base.Read,AFTER_ACL_NODE.sys:base.Read,RM_ABSTAIN
org.alfresco.service.cmr.ml.MultilingualContentService.getTranslationForLocale=ACL_NODE.0.sys:base.Read,AFTER_ACL_NODE.sys:base.Read,RM_ABSTAIN
org.alfresco.service.cmr.ml.MultilingualContentService.getMissingTranslations=ACL_ALLOW,RM_ABSTAIN
org.alfresco.service.cmr.ml.MultilingualContentService.getPivotTranslation=ACL_NODE.0.sys:base.Read,AFTER_ACL_NODE.sys:base.Read,RM_ABSTAIN
org.alfresco.service.cmr.ml.MultilingualContentService.isTranslation=ACL_NODE.0.sys:base.Read,RM_ABSTAIN
org.alfresco.service.cmr.ml.MultilingualContentService.makeTranslation=ACL_NODE.0.sys:base.Write,RM_ABSTAIN
org.alfresco.service.cmr.ml.MultilingualContentService.unmakeTranslation=ACL_NODE.0.sys:base.Write,RM_ABSTAIN
org.alfresco.service.cmr.ml.MultilingualContentService.addTranslation=ACL_NODE.0.sys:base.Read,ACL_NODE.1.sys:base.Write,RM_ABSTAIN
org.alfresco.service.cmr.ml.MultilingualContentService.addEmptyTranslation=ACL_NODE.0.sys:base.Read,ACL_NODE.0.sys:base.CreateChildren,RM_ABSTAIN
org.alfresco.service.cmr.ml.MultilingualContentService.copyTranslationContainer=ACL_NODE.0.sys:base.Read,ACL_NODE.1.sys:base.CreateChildren,RM_ABSTAIN
org.alfresco.service.cmr.ml.MultilingualContentService.moveTranslationContainer=ACL_NODE.0.sys:base.DeleteNode,ACL_NODE.1.sys:base.CreateChildren,RM_ABSTAIN
org.alfresco.service.cmr.ml.MultilingualContentService.deleteTranslationContainer=ACL_NODE.0.sys:base.DeleteNode,ACL_NODE.0.sys:base.DeleteChildren,RM_ABSTAIN
org.alfresco.service.cmr.ml.MultilingualContentService.*=ACL_DENY,RM_DENY
]]>
</value>
</property>
</bean>
<!-- =================== -->
<!-- Edition Service -->
<!-- =================== -->
<bean id="EditionService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
<property name="authenticationManager">
<ref bean="authenticationManager"/>
</property>
<property name="accessDecisionManager">
<ref local="accessDecisionManager"/>
</property>
<property name="afterInvocationManager">
<ref local="afterInvocationManager"/>
</property>
<property name="objectDefinitionSource">
<value>
<![CDATA[
org.alfresco.service.cmr.ml.EditionService.createEdition=ACL_NODE.0.sys:base.Read,RM_ABSTAIN
org.alfresco.service.cmr.ml.EditionService.getEditions=ACL_NODE.0.sys:base.Read,RM_ABSTAIN
org.alfresco.service.cmr.ml.EditionService.getVersionedTranslations=ACL_ALLOW,RM_ABSTAIN
org.alfresco.service.cmr.ml.EditionService.getVersionedMetadatas=ACL_ALLOW,RM_ABSTAIN
org.alfresco.service.cmr.ml.EditionService.*=ACL_DENY,RM_DENY
]]>
</value>
</property>
</bean>
<!-- ============================== -->
<!-- The Check-out/Check-in service -->
<!-- ============================== -->
<!-- To check out a node requires that you have permission to check out the node and -->
<!-- create the working copy in the specified location. Check in requires the -->
<!-- the associated permission, as does cancel check out. See the permission model -->
<!-- for how these permissions are granted. -->
<bean id="CheckOutCheckInService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
<property name="authenticationManager">
<ref bean="authenticationManager"/>
</property>
<property name="accessDecisionManager">
<ref local="accessDecisionManager"/>
</property>
<property name="afterInvocationManager">
<ref local="afterInvocationManager"/>
</property>
<property name="objectDefinitionSource">
<value>
<![CDATA[
org.alfresco.service.cmr.coci.CheckOutCheckInService.checkout=ACL_NODE.0.cm:lockable.CheckOut,RM_ABSTAIN
org.alfresco.service.cmr.coci.CheckOutCheckInService.checkin=ACL_NODE.0.cm:lockable.CheckIn,RM_ABSTAIN
org.alfresco.service.cmr.coci.CheckOutCheckInService.cancelCheckout=ACL_NODE.0.cm:lockable.CancelCheckOut,RM_ABSTAIN
org.alfresco.service.cmr.coci.CheckOutCheckInService.getWorkingCopy=ACL_NODE.0.sys:base.Read,RM.Read.0
org.alfresco.service.cmr.coci.CheckOutCheckInService.getCheckedOut=ACL_NODE.0.sys:base.Read,RM.Read.0
org.alfresco.service.cmr.coci.CheckOutCheckInService.isWorkingCopy=ACL_NODE.0.sys:base.Read,RM.Read.0
org.alfresco.service.cmr.coci.CheckOutCheckInService.isCheckedOut=ACL_NODE.0.sys:base.Read,RM.Read.0
org.alfresco.service.cmr.coci.CheckOutCheckInService.*=ACL_DENY,RM_DENY
]]>
</value>
</property>
</bean>
<!-- ================ -->
<!-- The Rule Service -->
<!-- ================ -->
<!-- The rule service does not require any security restrictions, they are imposed -->
<!-- by the node service it uses to do its work. -->
<bean id="RuleService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor"/>
<!-- ==================== -->
<!-- The Importer Service -->
<!-- ==================== -->
<!-- The importer service does not require any security restrictions, they are -->
<!-- imposed by the node service it uses to do its work. -->
<bean id="ImporterService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor"/>
<!-- ================== -->
<!-- The Action Service -->
<!-- ================== -->
<!-- The action service does not require any security restrictions, they are imposed -->
<!-- by the node service it uses to do its work. -->
<bean id="ActionService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor"/>
<!-- ====================== -->
<!-- The Permission Service -->
<!-- ====================== -->
<!-- Requests to this service are controlled by the ReadPermissions and -->
<!-- and ChangePermissions permissions. Access to some methods are not restricted at -->
<!-- the moment. -->
<bean id="PermissionService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
<property name="authenticationManager">
<ref bean="authenticationManager"/>
</property>
<property name="accessDecisionManager">
<ref local="accessDecisionManager"/>
</property>
<property name="afterInvocationManager">
<ref local="afterInvocationManager"/>
</property>
<property name="objectDefinitionSource">
<value>
<![CDATA[
org.alfresco.service.cmr.security.PermissionService.getOwnerAuthority=ACL_ALLOW,RM_ALLOW
org.alfresco.service.cmr.security.PermissionService.getAllAuthorities=ACL_ALLOW,RM_ALLOW
org.alfresco.service.cmr.security.PermissionService.getAllPermission=ACL_ALLOW,RM_ALLOW
org.alfresco.service.cmr.security.PermissionService.getPermissions=ACL_NODE.0.sys:base.ReadPermissions,RM.Read.0
org.alfresco.service.cmr.security.PermissionService.getAllSetPermissions=ACL_NODE.0.sys:base.ReadPermissions,RM.Read.0
org.alfresco.service.cmr.security.PermissionService.getSettablePermissions=ACL_ALLOW,RM_ALLOW
org.alfresco.service.cmr.security.PermissionService.hasPermission=ACL_ALLOW,RM_ALLOW
org.alfresco.service.cmr.security.PermissionService.deletePermissions=ACL_NODE.0.sys:base.ChangePermissions,RM.Capability.0
org.alfresco.service.cmr.security.PermissionService.deletePermission=ACL_NODE.0.sys:base.ChangePermissions,RM.Capability.0
org.alfresco.service.cmr.security.PermissionService.setPermission=ACL_NODE.0.sys:base.ChangePermissions,RM.Capability.0
org.alfresco.service.cmr.security.PermissionService.setInheritParentPermissions=ACL_NODE.0.sys:base.ChangePermissions,RM.Capability.0
org.alfresco.service.cmr.security.PermissionService.getInheritParentPermissions=ACL_ALLOW,RM_ALLOW
org.alfresco.service.cmr.security.PermissionService.clearPermission=ACL_NODE.0.sys:base.ChangePermissions,RM.Capability.0
org.alfresco.service.cmr.security.PermissionService.*=ACL_DENY,RM_DENY
]]>
</value>
</property>
</bean>
<!-- ===================== -->
<!-- The Authority Service -->
<!-- ===================== -->

20
rm-server/config/alfresco/module/org_alfresco_module_rm/security/rm-method-security-context.xml Normal file
View File

@@ -0,0 +1,20 @@
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
<beans>
<bean id="rm-method-security-properties" class="org.springframework.beans.factory.config.PropertiesFactoryBean">
<property name="locations">
<list>
<value>classpath*:alfresco/module/org_alfresco_module_rm/security/rm-method-security.properties</value>
<!-- Override -->
<value>classpath*:alfresco/extension/rm-method-security.properties</value>
</list>
</property>
</bean>
<bean id="rm-method-security-post-processor" class="org.alfresco.module.org_alfresco_module_rm.security.RMMethodSecurityPostProcessor">
<property name="properties" ref="rm-method-security-properties"/>
</bean>
</beans>

178
rm-server/config/alfresco/module/org_alfresco_module_rm/security/rm-method-security.properties Normal file
View File

@@ -0,0 +1,178 @@
##
# RM Method security for Alfresco code services
#
# Note: add alfresco/extension/rm-method-security.properties to extend
##
## Node Service
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.getStores=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.createStore=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.exists=RM_ALLOW
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.getNodeStatus=RM.Read.0
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.getAllRootNodes=RM.Read.0,AFTER_RM.FilterNode
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.getRootNode=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.createNode=RM.Create.0.3
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.moveNode=RM.Move.0.1
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.setChildAssociationIndex=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.getType=RM_ALLOW
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.setType=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.addAspect=RM.Update.0.1.2
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.removeAspect=RM.Update.0.1
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.hasAspect=RM.Read.0
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.getAspects=RM.Read.0
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.deleteNode=RM.Delete.0
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.addChild=RM.Create.0.1.2
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.removeChild=RM.Delete.0.1
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.removeChildAssociation=RM.Delete.0
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.getProperties=RM.Read.0,AFTER_RM.FilterProperty
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.getProperty=RM.Read.0,RM.ReadProperty.0.1
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.setProperties=RM.UpdateProperties.0.1
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.addProperties=RM.UpdateProperties.0.1
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.setProperty=RM.UpdateProperties.0.1.2
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.removeProperty=RM.UpdateProperties.0.1
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.getParentAssocs=RM.Read.0
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.getChildAssocs=RM.Read.0,AFTER_RM.FilterNode
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.getChildByName=RM.Read.0,AFTER_RM.FilterNode
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.getChildrenByName=RM.Read.0,AFTER_RM.FilterNode
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.getPrimaryParent=RM.Read.0
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.createAssociation=RM.Assoc.0.1
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.removeAssociation=Assoc.0.1
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.getTargetAssocs=RM.Read.0
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.getSourceAssocs=RM.Read.0
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.getAssoc=RM.Read.0
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.getPath=RM.Read.0
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.getPaths=RM.Read.0
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.getStoreArchiveNode=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.restoreNode=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.getChildAssocsWithoutParentAssocsOfType=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.getNodeRef=RM.Read.0
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.getChildAssocsByPropertyValue=RM.Read.0,AFTER_RM.FilterNode
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.countChildAssocs=RM.Read.0
rm.methodsecurity.org.alfresco.service.cmr.repository.NodeService.*=RM_DENY
## File Folder Service
rm.methodsecurity.org.alfresco.service.cmr.model.FileFolderService.list=RM.Read.0,AFTER_RM.FilterNode
rm.methodsecurity.org.alfresco.service.cmr.model.FileFolderService.listFiles=RM.Read.0,AFTER_RM.FilterNode
rm.methodsecurity.org.alfresco.service.cmr.model.FileFolderService.listFolders=RM.Read.0,AFTER_RM.FilterNode
rm.methodsecurity.org.alfresco.service.cmr.model.FileFolderService.listDeepFolders=RM.Read.0,AFTER_RM.FilterNode
rm.methodsecurity.org.alfresco.service.cmr.model.FileFolderService.getLocalizedSibling=RM_ALLOW
rm.methodsecurity.org.alfresco.service.cmr.model.FileFolderService.search=RM.Read.0,AFTER_RM.FilterNode
rm.methodsecurity.org.alfresco.service.cmr.model.FileFolderService.searchSimple=RM.Read.0,AFTER_RM.FilterNode
rm.methodsecurity.org.alfresco.service.cmr.model.FileFolderService.rename=RM.Update.0
rm.methodsecurity.org.alfresco.service.cmr.model.FileFolderService.move=RM.Move.0.1
rm.methodsecurity.org.alfresco.service.cmr.model.FileFolderService.moveFrom=RM.Move.0.2
rm.methodsecurity.org.alfresco.service.cmr.model.FileFolderService.copy=RM.Read.0,RM.Create.1.0
rm.methodsecurity.org.alfresco.service.cmr.model.FileFolderService.create=RM.Create.0.2
rm.methodsecurity.org.alfresco.service.cmr.model.FileFolderService.delete=RM.Delete.0
rm.methodsecurity.org.alfresco.service.cmr.model.FileFolderService.getNamePath=RM.Read.1
rm.methodsecurity.org.alfresco.service.cmr.model.FileFolderService.resolveNamePath=RM.Read.0
rm.methodsecurity.org.alfresco.service.cmr.model.FileFolderService.getFileInfo=RM.Read.0
rm.methodsecurity.org.alfresco.service.cmr.model.FileFolderService.getReader=RM.Read.0
rm.methodsecurity.org.alfresco.service.cmr.model.FileFolderService.getWriter=RM.WriteContent.0
rm.methodsecurity.org.alfresco.service.cmr.model.FileFolderService.exists=RM_ALLOW
rm.methodsecurity.org.alfresco.service.cmr.model.FileFolderService.getType=RM.Read.0
rm.methodsecurity.org.alfresco.service.cmr.model.FileFolderService.*=RM_DENY
## Content Service
rm.methodsecurity.org.alfresco.service.cmr.repository.ContentService.getStoreTotalSpace=RM_ALLOW
rm.methodsecurity.org.alfresco.service.cmr.repository.ContentService.getStoreFreeSpace=RM_ALLOW
rm.methodsecurity.org.alfresco.service.cmr.repository.ContentService.getRawReader=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.repository.ContentService.getReader=RM.Read.0
rm.methodsecurity.org.alfresco.service.cmr.repository.ContentService.getWriter=RM.WriteContent.0
rm.methodsecurity.org.alfresco.service.cmr.repository.ContentService.isTransformable=RM_ALLOW
rm.methodsecurity.org.alfresco.service.cmr.repository.ContentService.getTransformer=RM_ALLOW
rm.methodsecurity.org.alfresco.service.cmr.repository.ContentService.getMaxSourceSizeBytes=RM_ALLOW
rm.methodsecurity.org.alfresco.service.cmr.repository.ContentService.getImageTransformer=RM_ALLOW
rm.methodsecurity.org.alfresco.service.cmr.repository.ContentService.transform=RM_ALLOW
rm.methodsecurity.org.alfresco.service.cmr.repository.ContentService.getTempWriter=RM_ALLOW
rm.methodsecurity.org.alfresco.service.cmr.repository.ContentService.*=RM_DENY
## Search Service
rm.methodsecurity.org.alfresco.service.cmr.search.SearchService.query=RM_QUERY,AFTER_RM.FilterNode
rm.methodsecurity.org.alfresco.service.cmr.search.SearchService.selectNodes=RM_QUERY,AFTER_RM.FilterNode
rm.methodsecurity.org.alfresco.service.cmr.search.SearchService.selectProperties=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.search.SearchService.contains=RM.Read.0
rm.methodsecurity.org.alfresco.service.cmr.search.SearchService.like=RM.Read.0
rm.methodsecurity.org.alfresco.service.cmr.search.SearchService.*=RM_DENY
## Category Service
rm.methodsecurity.org.alfresco.service.cmr.search.CategoryService.getChildren=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.search.CategoryService.getCategories=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.search.CategoryService.getClassifications=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.search.CategoryService.getRootCategories=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.search.CategoryService.getClassificationAspects=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.search.CategoryService.createClassification=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.search.CategoryService.createRootCategory=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.search.CategoryService.createCategory=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.search.CategoryService.deleteClassification=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.search.CategoryService.deleteCategory=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.search.CategoryService.getTopCategories=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.search.CategoryService.*=RM_DENY
## Lock Service
rm.methodsecurity.org.alfresco.service.cmr.lock.LockService.lock=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.lock.LockService.unlock=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.lock.LockService.getLockStatus=RM.Read.0
rm.methodsecurity.org.alfresco.service.cmr.lock.LockService.getLockType=RM.Read.0
rm.methodsecurity.org.alfresco.service.cmr.lock.LockService.checkForLock=RM.Read.0
rm.methodsecurity.org.alfresco.service.cmr.lock.LockService.getLocks=RM.Read.0
rm.methodsecurity.org.alfresco.service.cmr.lock.LockService.*=RM_DENY
## Multilingual Content Service
rm.methodsecurity.org.alfresco.service.cmr.ml.MultilingualContentService.getTranslationContainer=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.ml.MultilingualContentService.getTranslations=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.ml.MultilingualContentService.getTranslationForLocale=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.ml.MultilingualContentService.getMissingTranslations=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.ml.MultilingualContentService.getPivotTranslation=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.ml.MultilingualContentService.isTranslation=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.ml.MultilingualContentService.makeTranslation=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.ml.MultilingualContentService.unmakeTranslation=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.ml.MultilingualContentService.addTranslation=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.ml.MultilingualContentService.addEmptyTranslation=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.ml.MultilingualContentService.copyTranslationContainer=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.ml.MultilingualContentService.moveTranslationContainer=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.ml.MultilingualContentService.deleteTranslationContainer=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.ml.MultilingualContentService.*=RM_DENY
## Edition Service
rm.methodsecurity.org.alfresco.service.cmr.ml.EditionService.createEdition=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.ml.EditionService.getEditions=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.ml.EditionService.getVersionedTranslations=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.ml.EditionService.getVersionedMetadatas=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.ml.EditionService.*=RM_DENY
## Check Out Check In Service
rm.methodsecurity.org.alfresco.service.cmr.coci.CheckOutCheckInService.checkout=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.coci.CheckOutCheckInService.checkin=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.coci.CheckOutCheckInService.cancelCheckout=RM_ABSTAIN
rm.methodsecurity.org.alfresco.service.cmr.coci.CheckOutCheckInService.getWorkingCopy=RM.Read.0
rm.methodsecurity.org.alfresco.service.cmr.coci.CheckOutCheckInService.getCheckedOut=RM.Read.0
rm.methodsecurity.org.alfresco.service.cmr.coci.CheckOutCheckInService.isWorkingCopy=RM.Read.0
rm.methodsecurity.org.alfresco.service.cmr.coci.CheckOutCheckInService.isCheckedOut=RM.Read.0
rm.methodsecurity.org.alfresco.service.cmr.coci.CheckOutCheckInService.*=RM_DENY
## Permission Service
rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.getOwnerAuthority=RM_ALLOW
rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.getAllAuthorities=RM_ALLOW
rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.getAllPermission=RM_ALLOW
rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.getPermissions=RM.Read.0
rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.getAllSetPermissions=RM.Read.0
rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.getSettablePermissions=RM_ALLOW
rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.hasPermission=RM_ALLOW
rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.deletePermissions=RM.Capability.0
rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.deletePermission=RM.Capability.0
rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.setPermission=RM.Capability.0
rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.setInheritParentPermissions=RM.Capability.0
rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.getInheritParentPermissions=RM_ALLOW
rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.clearPermission=RM.Capability.0
rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.*=RM_DENY

184
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/RMMethodSecurityPostProcessor.java Normal file
View File

@@ -0,0 +1,184 @@
/*
* Copyright (C) 2005-2011 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.security;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.BeansException;
import org.springframework.beans.PropertyValue;
import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.beans.factory.config.BeanFactoryPostProcessor;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.beans.factory.config.TypedStringValue;
/**
* Records management method security post processor.
* <p>
* Combines RM method security configuration with that of the core server before the security
* bean is instantiated.
*
* @author Roy Wetherall
*/
public class RMMethodSecurityPostProcessor implements BeanFactoryPostProcessor
{
private static Log logger = LogFactory.getLog(RMMethodSecurityPostProcessor.class);
public static final String RM_BEAN_NAME_PREFIX = "RM_";
public static final String PROP_OBJECT_DEFINITION_SOURCE = "objectDefinitionSource";
/** Security bean names */
private Set<String> securityBeanNames;
private Set<String> securityBeanNameCache;
/** Configuration properties */
private Properties properties;
/**
* Set of security beans to apply RM configuration to.
* <p>
* Used in the case where the security bean does not follow the standard naming convention.
*
* @param securityBeanNames security bean names
*/
public void setSecurityBeanNames(Set<String> securityBeanNames)
{
this.securityBeanNames = securityBeanNames;
}
/**
* @param properties configuration properties
*/
public void setProperties(Properties properties)
{
this.properties = properties;
}
/**
* @see org.springframework.beans.factory.config.BeanFactoryPostProcessor#postProcessBeanFactory(org.springframework.beans.factory.config.ConfigurableListableBeanFactory)
*/
@Override
public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException
{
for (String bean : getSecurityBeanNames(beanFactory))
{
if (beanFactory.containsBeanDefinition(bean) == true)
{
System.out.println("For security bean defintion: " + bean);
BeanDefinition beanDef = beanFactory.getBeanDefinition(bean);
PropertyValue beanValue = beanDef.getPropertyValues().getPropertyValue(PROP_OBJECT_DEFINITION_SOURCE);
String beanStringValue = (String)((TypedStringValue)beanValue.getValue()).getValue();
String mergedStringValue = merge(beanStringValue);
beanDef.getPropertyValues().addPropertyValue(PROP_OBJECT_DEFINITION_SOURCE, new TypedStringValue(mergedStringValue));
}
}
}
private Set<String> getSecurityBeanNames(ConfigurableListableBeanFactory beanFactory)
{
if (securityBeanNameCache == null)
{
securityBeanNameCache = new HashSet<String>(21);
if (securityBeanNames != null)
{
securityBeanNameCache.addAll(securityBeanNames);
}
for (Object key : properties.keySet())
{
String[] split = ((String)key).split("\\.");
int index = split.length - 2;
String securityBeanName = split[index] + "_security";
if (securityBeanNameCache.contains(securityBeanName) == false && beanFactory.containsBean(securityBeanName) == true)
{
securityBeanNameCache.add(securityBeanName);
}
}
}
return securityBeanNameCache;
}
/**
* @param beanStringValue
* @param rmBeanStringValue
* @return
*/
private String merge(String beanStringValue)
{
Map<String, String> map = convertToMap(beanStringValue);
for (Map.Entry<String, String> entry : map.entrySet())
{
String key = entry.getKey();
String propKey = "rm.methodsecurity." + key;
if (properties.containsKey(propKey) == true)
{
map.put(key, entry.getValue() + "," + properties.getProperty(propKey));
}
else
{
if (logger.isWarnEnabled() == true)
{
logger.warn("Missing RM security definition for method " + key);
}
System.out.println("Missing RM security definition for method " + key);
}
}
return convertToString(map);
}
/**
* @param stringValue
* @return
*/
private Map<String, String> convertToMap(String stringValue)
{
String[] values = stringValue.trim().split("\n");
Map<String, String> map = new HashMap<String, String>(values.length);
for (String value : values)
{
String[] pair = value.trim().split("=");
map.put(pair[0], pair[1]);
}
return map;
}
/**
* @param map
* @return
*/
private String convertToString(Map<String, String> map)
{
StringBuffer buffer = new StringBuffer(256);
for (Map.Entry<String, String> entry : map.entrySet())
{
buffer.append(entry.getKey()).append("=").append(entry.getValue()).append("\n");
}
return buffer.toString();
}
}

2
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/RecordsManagementSecurityService.java
View File

@@ -18,12 +18,10 @@
*/
package org.alfresco.module.org_alfresco_module_rm.security;
import java.util.Map;
import java.util.Set;
import org.alfresco.module.org_alfresco_module_rm.capability.Capability;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.namespace.QName;
/**

3
rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/security/RecordsManagementSecurityServiceImpl.java
View File

@@ -1,5 +1,5 @@
/*
* Copyright (C) 2005-2011 Alfresco Software Limited.
* Copyright (C) 2005-2012 Alfresco Software Limited.
*
* This file is part of Alfresco
*
@@ -39,7 +39,6 @@ import org.alfresco.repo.policy.JavaBehaviour;
import org.alfresco.repo.policy.PolicyComponent;
import org.alfresco.repo.policy.Behaviour.NotificationFrequency;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.permissions.AccessDeniedException;
import org.alfresco.service.cmr.repository.ChildAssociationRef;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;

2
rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/capabilities/CapabilitiesTest.java
View File

@@ -1,5 +1,5 @@
/*
* Copyright (C) 2005-2011 Alfresco Software Limited.
* Copyright (C) 2005-2012 Alfresco Software Limited.
*
* This file is part of Alfresco
*

2
rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/capabilities/CompositeCapabilityTest.java
View File

@@ -1,5 +1,5 @@
/*
* Copyright (C) 2005-2011 Alfresco Software Limited.
* Copyright (C) 2005-2012 Alfresco Software Limited.
*
* This file is part of Alfresco
*

2
rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/capabilities/DeclarativeCapabilityTest.java
View File

@@ -1,5 +1,5 @@
/*
* Copyright (C) 2005-2011 Alfresco Software Limited.
* Copyright (C) 2005-2012 Alfresco Software Limited.
*
* This file is part of Alfresco
*

78
rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/security/MethodSecurityTest.java Normal file
View File

@@ -0,0 +1,78 @@
/*
* Copyright (C) 2005-2012 Alfresco Software Limited.
*
* This file is part of Alfresco
*
* Alfresco is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Alfresco is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
*/
package org.alfresco.module.org_alfresco_module_rm.test.security;
import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel;
import org.alfresco.module.org_alfresco_module_rm.test.util.BaseRMTestCase;
/**
* Tests method level security of core alfresco services.
*
* @author Roy Wetherall
* @since 2.0
*/
public class MethodSecurityTest extends BaseRMTestCase implements RMPermissionModel
{
/**
* Indicate this is a user test.
*
* @see org.alfresco.module.org_alfresco_module_rm.test.util.BaseRMTestCase#isUserTest()
*/
@Override
protected boolean isUserTest()
{
return true;
}
/**
* Test node service security access
*/
public void testNodeService()
{
doTestInTransaction(new FailureTest
(
"We don't have permission to access this node."
)
{
@Override
public void run()
{
nodeService.getProperties(rmContainer);
}
}, rmUserName);
doTestInTransaction(new Test<Void>()
{
@Override
public Void run()
{
securityService.setPermission(rmContainer, rmUserName, READ_RECORDS);
return null;
}
@Override
public void test(Void result) throws Exception
{
nodeService.getProperties(rmContainer);
}
}, rmUserName);
}
}