Files
alfresco-community-repo/config/alfresco/public-services-security-context.xml
2006-09-02 18:19:00 +00:00

731 lines
45 KiB
XML

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
<!-- ========================== -->
<!-- Enforcement of permissions -->
<!-- ========================== -->
<!-- -->
<!-- This file defines the beans that intercept method calls to the repository services -->
<!-- and enforce security based on the currently authenticated user. -->
<!-- -->
<beans>
<!-- Because of the way hibernate works, we need to cache when permissions are not -->
<!-- set. -->
<import resource="classpath:alfresco/cache-context.xml" />
<!-- ======================= -->
<!-- Support for permissions -->
<!-- ========================-->
<!-- ================================= -->
<!-- The enterprise permission service -->
<!-- ================================= -->
<bean id='permissionService' class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
<property name="proxyInterfaces">
<value>org.alfresco.repo.security.permissions.PermissionServiceSPI</value>
</property>
<property name="transactionManager">
<ref bean="transactionManager" />
</property>
<property name="target">
<ref bean="permissionServiceImpl" />
</property>
<property name="transactionAttributes">
<props>
<prop key="*">${server.transaction.mode.default}</prop>
</props>
</property>
</bean>
<bean id="permissionServiceImpl" class="org.alfresco.repo.security.permissions.impl.PermissionServiceImpl">
<property name="nodeService">
<ref bean="nodeService" />
</property>
<property name="dictionaryService">
<ref bean="dictionaryService" />
</property>
<property name="permissionsDaoComponent">
<ref bean="permissionsDaoComponent" />
</property>
<property name="modelDAO">
<ref bean="permissionsModelDAO" />
</property>
<property name="authenticationComponent">
<ref bean="authenticationComponentImpl" />
</property>
<property name="authorityService">
<ref bean="authorityService" />
</property>
<property name="accessCache">
<ref bean="permissionsAccessCache" />
</property>
<property name="policyComponent">
<ref bean="policyComponent" />
</property>
<!-- Dynamic authorites are evaluated in the context of a store/node etc -->
<!-- as opposed to being fixed like user name and groups. -->
<!-- There are two dynamic authorities, the ower of a node and the owner -->
<!-- of a lock on a node. -->
<property name="dynamicAuthorities">
<list>
<ref bean="ownerDynamicAuthority" />
<ref bean="lockOwnerDynamicAuthority" />
</list>
</property>
</bean>
<!-- =================== -->
<!-- Dynamic Authorities -->
<!-- =================== -->
<!-- The provider to evaluate if the current authentication is the owner of a node. -->
<bean id="ownerDynamicAuthority" class="org.alfresco.repo.security.permissions.dynamic.OwnerDynamicAuthority">
<property name="ownableService">
<ref bean="ownableService" />
</property>
</bean>
<!-- The provider to evaluate if the currfent authentication is the local owner on a -->
<!-- node. -->
<bean id="lockOwnerDynamicAuthority" class="org.alfresco.repo.security.permissions.dynamic.LockOwnerDynamicAuthority">
<property name="lockService">
<ref bean="lockService" />
</property>
<property name="nodeService">
<ref bean="nodeService" />
</property>
</bean>
<!-- ===================== -->
<!-- Permissions Model DAO -->
<!-- ===================== -->
<bean id='permissionsModelDAO' class="org.alfresco.repo.security.permissions.impl.model.PermissionModel">
<property name="model">
<value>alfresco/model/permissionDefinitions.xml</value>
</property>
<property name="nodeService">
<ref bean="nodeService" />
</property>
<property name="dictionaryService">
<ref bean="dictionaryService" />
</property>
</bean>
<!-- ====== -->
<!-- Voters -->
<!-- ====== -->
<!-- A voter to allow access base on the current authentication having authorities -->
<!-- starting with the prefix "ROLE_" -->
<!-- Any match grants -->
<bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter" abstract="false" singleton="true"
lazy-init="default" autowire="default" dependency-check="default" >
<property name="rolePrefix">
<value>ROLE_</value>
</property>
</bean>
<!-- A voter to allow access base on the current authentication having authorities -->
<!-- starting with the prefix "GROUP_" -->
<!-- Any match grants -->
<bean id="groupVoter" class="net.sf.acegisecurity.vote.RoleVoter" abstract="false" singleton="true"
lazy-init="default" autowire="default" dependency-check="default" >
<property name="rolePrefix">
<value>GROUP_</value>
</property>
</bean>
<!-- A voter to allow access based on node access control. -->
<!-- These start ACL_NODE or ACL_PARENT and are followed by .methodArgumentPosition -->
<!-- then object type (prefix:localname) . permission -->
<!-- -->
<!-- All permissions starting ACL_NODE and ACL_PARENT must be present for access to -->
<!-- be granted. -->
<!-- -->
<!-- Note: ff the context evaluates to null (e.g. doing an exists test on a node -->
<!-- that does not exist) then access will be allowed. -->
<bean id="aclEntryVoter" class="org.alfresco.repo.security.permissions.impl.acegi.ACLEntryVoter" abstract="false" singleton="true"
lazy-init="default" autowire="default" dependency-check="default" >
<property name="permissionService">
<ref bean="permissionService"></ref>
</property>
<property name="namespacePrefixResolver">
<ref bean="namespaceService"></ref>
</property>
<property name="nodeService">
<ref bean="nodeService"></ref>
</property>
<property name="authenticationService">
<ref bean="authenticationService" />
</property>
<property name="authorityService">
<ref bean="authorityService" />
</property>
</bean>
<!-- ======================= -->
<!-- Access decision manager -->
<!-- ======================= -->
<!-- The access decision manager asks voters in order if they should allow access -->
<!-- Role and group access do not require ACL based access -->
<bean id="accessDecisionManager" class="net.sf.acegisecurity.vote.AffirmativeBased">
<property name="allowIfAllAbstainDecisions"><value>false</value></property>
<property name="decisionVoters">
<list>
<ref local="roleVoter"/>
<ref local="groupVoter"/>
<ref local="aclEntryVoter"/>
</list>
</property>
</bean>
<!-- ======================================== -->
<!-- Post method call application of security -->
<!-- ======================================== -->
<bean id="afterAcl" class="org.alfresco.repo.security.permissions.impl.acegi.ACLEntryAfterInvocationProvider" abstract="false" singleton="true"
lazy-init="default" autowire="default" dependency-check="default" >
<property name="permissionService">
<ref bean="permissionServiceImpl"></ref>
</property>
<property name="namespacePrefixResolver">
<ref bean="namespaceService"></ref>
</property>
<property name="nodeService">
<ref bean="nodeService"></ref>
</property>
<property name="authenticationService">
<ref bean="authenticationServiceImpl" />
</property>
</bean>
<!-- Link up after method call security -->
<bean id="afterInvocationManager" class="net.sf.acegisecurity.afterinvocation.AfterInvocationProviderManager">
<property name="providers">
<list>
<ref local="afterAcl"/>
</list>
</property>
</bean>
<!-- ================================ -->
<!-- Beans that enforce secure access -->
<!-- ================================ -->
<!-- Each bean defines a new methos security interceptor wired up with the -->
<!-- authenticationManager, accessDecisionManager and afterInvocationManager, which -->
<!-- can all be reused. -->
<!-- If one method cal requires security enforcement - all methods must gave a -->
<!-- security entry of some sort. ACL_ALLOW can be used to give access to all -->
<!-- ROLE_ADMINISTRATOR can be used to grant access to administrator related methods -->
<!-- The namespace service does not enforce any security requirements -->
<bean id="NamespaceService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor" />
<!-- The dictionary service does not enforce any security requirements -->
<bean id="DictionaryService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor" />
<!-- ======================== -->
<!-- Node service permissions -->
<!-- ======================== -->
<!-- See the NodeService for the parameters required for each method call. -->
<!-- -->
<!-- getStores -->
<!-- returns a list fo the stores to which the curent authentication has Read -->
<!-- permission. (See the permission model defintion for what this means) -->
<!-- createStore -->
<!-- only a user with the administrator role can create new stores -->
<!-- exists -->
<!-- check if a node exists. If the current user does not have read access then -->
<!-- the node will not exist. -->
<!-- getRootNode -->
<!-- get the root node for a store - access will be denied for users who do not -->
<!-- have Read permission for the root node of the store. -->
<!-- createNode -->
<!-- requires that the current authentication has the permission to create -->
<!-- children for the containing node. -->
<!-- moveNode -->
<!-- requires that the current authentication has the permission to delete the -->
<!-- the node in the source folder and create it in the destination folder. -->
<!-- setChildAssociationIndex -->
<!-- required write properties permission on the parent -->
<!-- getType -->
<!-- obtaining the type of a node requires read access -->
<!-- addAspect -->
<!-- adding an aspect updates a multi-valued property so this requires write -->
<!-- access to properties. -->
<!-- removeAspect -->
<!-- removing an aspect updates a multi-valued property so this requires write -->
<!-- access to properties. -->
<!-- hasAspect -->
<!-- querying for an aspect requires read access to a property -->
<!-- getAspects -->
<!-- querying for all aspect requires read access to a property -->
<!-- deleteNode -->
<!-- requires the delete permission -->
<!-- addChild -->
<!-- requires create children on the parent -->
<!-- removeChild -->
<!-- Requires delete permission for the node to be deleted -->
<!-- getProperties -->
<!-- Requires read properties for the node -->
<!-- getProperty -->
<!-- Requires read properties for the node -->
<!-- setProperties -->
<!-- Requires write properties for the node -->
<!-- setProperty -->
<!-- Requires write properties for the node -->
<!-- getParentAssocs -->
<!-- Requires read on the node and returns only parents that can be seen -->
<!-- It is possible that no parents are accessible -->
<!-- getChildAssocs -->
<!-- Requires read on the node and returns only children that can be seen -->
<!-- It is possible that no children are accessible -->
<!-- getPrimaryParent -->
<!-- Requires read on the node an aceess error will be thrown if the primary -->
<!-- parent can not be read -->
<!-- createAssociation -->
<!-- NOT SET YET -->
<!-- removeAssociation -->
<!-- NOT SET YET -->
<!-- getTargetAssocs -->
<!-- NOT SET YET -->
<!-- getSourceAssocs -->
<!-- NOT SET YET -->
<!-- getPath -->
<!-- Requires read for the node -->
<!-- getPaths -->
<!-- Requires read for the node -->
<bean id="NodeService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
<property name="objectDefinitionSource">
<value>
org.alfresco.service.cmr.repository.NodeService.getStores=AFTER_ACL_NODE.sys:base.Read
org.alfresco.service.cmr.repository.NodeService.createStore=ACL_METHOD.ROLE_ADMINISTRATOR
org.alfresco.service.cmr.repository.NodeService.exists=ACL_NODE.0.sys:base.Read
org.alfresco.service.cmr.repository.NodeService.getNodeStatus=ACL_NODE.0.sys:base.Read
org.alfresco.service.cmr.repository.NodeService.getRootNode=ACL_NODE.0.sys:base.Read
org.alfresco.service.cmr.repository.NodeService.createNode=ACL_NODE.0.sys:base.CreateChildren
org.alfresco.service.cmr.repository.NodeService.moveNode=ACL_NODE.0.sys:base.DeleteNode,ACL_NODE.1.sys:base.CreateChildren
org.alfresco.service.cmr.repository.NodeService.setChildAssociationIndex=ACL_PARENT.0.sys:base.WriteProperties
org.alfresco.service.cmr.repository.NodeService.getType=ACL_NODE.0.sys:base.Read
org.alfresco.service.cmr.repository.NodeService.setType=ACL_NODE.0.sys:base.Write
org.alfresco.service.cmr.repository.NodeService.addAspect=ACL_NODE.0.sys:base.Write
org.alfresco.service.cmr.repository.NodeService.removeAspect=ACL_NODE.0.sys:base.Write
org.alfresco.service.cmr.repository.NodeService.hasAspect=ACL_NODE.0.sys:base.ReadProperties
org.alfresco.service.cmr.repository.NodeService.getAspects=ACL_NODE.0.sys:base.ReadProperties
org.alfresco.service.cmr.repository.NodeService.deleteNode=ACL_NODE.0.sys:base.DeleteNode
org.alfresco.service.cmr.repository.NodeService.addChild=ACL_NODE.0.sys:base.CreateChildren,ACL_NODE.1.sys:base.ReadProperties
org.alfresco.service.cmr.repository.NodeService.removeChild=ACL_NODE.1.sys:base.DeleteChildren
org.alfresco.service.cmr.repository.NodeService.getProperties=ACL_NODE.0.sys:base.ReadProperties
org.alfresco.service.cmr.repository.NodeService.getProperty=ACL_NODE.0.sys:base.ReadProperties
org.alfresco.service.cmr.repository.NodeService.setProperties=ACL_NODE.0.sys:base.WriteProperties
org.alfresco.service.cmr.repository.NodeService.setProperty=ACL_NODE.0.sys:base.WriteProperties
org.alfresco.service.cmr.repository.NodeService.getParentAssocs=ACL_NODE.0.sys:base.ReadProperties,AFTER_ACL_PARENT.sys:base.Read
org.alfresco.service.cmr.repository.NodeService.getChildAssocs=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.Read
org.alfresco.service.cmr.repository.NodeService.getPrimaryParent=ACL_NODE.0.sys:base.ReadProperties,AFTER_ACL_PARENT.sys:base.Read
org.alfresco.service.cmr.repository.NodeService.createAssociation=ROLE_AUTHENTICATED
org.alfresco.service.cmr.repository.NodeService.removeAssociation=ROLE_AUTHENTICATED
org.alfresco.service.cmr.repository.NodeService.getTargetAssocs=ROLE_AUTHENTICATED
org.alfresco.service.cmr.repository.NodeService.getSourceAssocs=ROLE_AUTHENTICATED
org.alfresco.service.cmr.repository.NodeService.getPath=ACL_NODE.0.sys:base.ReadProperties
org.alfresco.service.cmr.repository.NodeService.getPaths=ACL_NODE.0.sys:base.ReadProperties
org.alfresco.service.cmr.repository.NodeService.getStoreArchiveNode=ACL_NODE.0.sys:base.Read
org.alfresco.service.cmr.repository.NodeService.restoreNode=ACL_NODE.0.sys:base.DeleteNode,ACL_NODE.1.sys:base.CreateChildren
</value>
</property>
</bean>
<!-- ============================== -->
<!-- FileFolder Service Permissions -->
<!-- ============================== -->
<bean id="FileFolderService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
<property name="objectDefinitionSource">
<value>
org.alfresco.service.cmr.model.FileFolderService.list=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.Read
org.alfresco.service.cmr.model.FileFolderService.listFiles=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.Read
org.alfresco.service.cmr.model.FileFolderService.listFolders=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.Read
org.alfresco.service.cmr.model.FileFolderService.search=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.Read
org.alfresco.service.cmr.model.FileFolderService.searchSimple=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.Read
org.alfresco.service.cmr.model.FileFolderService.rename=ACL_PARENT.0.sys:base.CreateChildren,AFTER_ACL_NODE.sys:base.WriteProperties
org.alfresco.service.cmr.model.FileFolderService.move=ACL_NODE.0.sys:base.DeleteNode,ACL_NODE.1.sys:base.CreateChildren
org.alfresco.service.cmr.model.FileFolderService.copy=ACL_NODE.0.sys:base.Read,ACL_NODE.1.sys:base.CreateChildren
org.alfresco.service.cmr.model.FileFolderService.create=ACL_NODE.0.sys:base.CreateChildren
org.alfresco.service.cmr.model.FileFolderService.delete=ACL_NODE.0.sys:base.DeleteNode
org.alfresco.service.cmr.model.FileFolderService.makeFolders=AFTER_ACL_PARENT.sys:base.CreateChildren
org.alfresco.service.cmr.model.FileFolderService.getNamePath=ACL_NODE.1.sys:base.ReadProperties
org.alfresco.service.cmr.model.FileFolderService.resolveNamePath=AFTER_ACL_NODE.sys:base.ReadProperties
org.alfresco.service.cmr.model.FileFolderService.getFileInfo=ACL_NODE.0.sys:base.ReadProperties
org.alfresco.service.cmr.model.FileFolderService.getReader=ACL_NODE.0.sys:base.ReadContent
org.alfresco.service.cmr.model.FileFolderService.getWriter=ACL_NODE.0.sys:base.WriteContent
</value>
</property>
</bean>
<!-- =========================== -->
<!-- Content Service Permissions -->
<!-- =========================== -->
<!-- Reading requires the permission to read content -->
<!-- Writing required the permission to write conent -->
<bean id="ContentService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
<property name="objectDefinitionSource">
<value>
org.alfresco.service.cmr.repository.ContentService.getReader=ACL_NODE.0.sys:base.ReadContent
org.alfresco.service.cmr.repository.ContentService.getWriter=ACL_NODE.0.sys:base.WriteContent
org.alfresco.service.cmr.repository.ContentService.isTransformable=ACL_ALLOW
org.alfresco.service.cmr.repository.ContentService.getTransformer=ACL_ALLOW
org.alfresco.service.cmr.repository.ContentService.getImageTransformer=ACL_ALLOW
org.alfresco.service.cmr.repository.ContentService.transform=ACL_ALLOW
org.alfresco.service.cmr.repository.ContentService.getTempWriter=ACL_ALLOW
</value>
</property>
</bean>
<!-- ================ -->
<!-- MimeType Service -->
<!-- ================ -->
<!-- There are no permissions around mime types -->
<bean id="MimetypeService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor" />
<!-- ============== -->
<!-- Search Service -->
<!-- ============== -->
<!-- All search results are filtered to exclude nodes that the current user can not -->
<!-- read. Other methods restrict queries to those nodes the user can read -->
<bean id="SearchService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
<property name="objectDefinitionSource">
<value>
org.alfresco.service.cmr.search.SearchService.query=AFTER_ACL_NODE.sys:base.Read
org.alfresco.service.cmr.search.SearchService.selectNodes=AFTER_ACL_NODE.sys:base.Read
org.alfresco.service.cmr.search.SearchService.selectProperties=ACL_NODE.0.sys:base.Read
org.alfresco.service.cmr.search.SearchService.contains=ACL_NODE.0.sys:base.Read
org.alfresco.service.cmr.search.SearchService.like=ACL_NODE.0.sys:base.Read
</value>
</property>
</bean>
<!-- ================ -->
<!-- Category Service -->
<!-- ================ -->
<!-- Category queries are filtered for nodes that are visible to the current user -->
<!-- Other methods are unrestricted at the moment -->
<bean id="CategoryService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
<property name="objectDefinitionSource">
<value>
org.alfresco.service.cmr.search.CategoryService.getChildren=AFTER_ACL_NODE.sys:base.Read
org.alfresco.service.cmr.search.CategoryService.getCategories=AFTER_ACL_NODE.sys:base.Read
org.alfresco.service.cmr.search.CategoryService.getClassifications=AFTER_ACL_NODE.sys:base.Read
org.alfresco.service.cmr.search.CategoryService.getRootCategories=AFTER_ACL_NODE.sys:base.Read
org.alfresco.service.cmr.search.CategoryService.getClassificationAspects=ACL_ALLOW
org.alfresco.service.cmr.search.CategoryService.createClassifiction=ACL_METHOD.ROLE_ADMINISTRATOR
org.alfresco.service.cmr.search.CategoryService.createRootCategory=ACL_METHOD.ROLE_ADMINISTRATOR
org.alfresco.service.cmr.search.CategoryService.createCategory=ACL_METHOD.ROLE_ADMINISTRATOR
org.alfresco.service.cmr.search.CategoryService.deleteClassification=ACL_METHOD.ROLE_ADMINISTRATOR
org.alfresco.service.cmr.search.CategoryService.deleteCategory=ACL_METHOD.ROLE_ADMINISTRATOR
</value>
</property>
</bean>
<!-- ============ -->
<!-- Copy Service -->
<!-- ============ -->
<!-- The copy service does not require any security restrictions, they are imposed -->
<!-- by the node service it uses to do its work. -->
<bean id="CopyService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor" />
<!-- ================ -->
<!-- The Lock Service -->
<!-- ================ -->
<!-- Lock and Unlock require the related aspect specific permissions. Querying the -->
<!-- lock status just requires read access to the node. -->
<bean id="LockService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
<property name="objectDefinitionSource">
<value>
org.alfresco.service.cmr.lock.LockService.lock=ACL_NODE.0.cm:lockable.Lock
org.alfresco.service.cmr.lock.LockService.unlock=ACL_NODE.0.cm:lockable.Unlock
org.alfresco.service.cmr.lock.LockService.getLockStatus=ACL_NODE.0.sys:base.Read
org.alfresco.service.cmr.lock.LockService.getLockType=ACL_NODE.0.sys:base.Read
org.alfresco.service.cmr.lock.LockService.checkForLock=ACL_NODE.0.sys:base.Read
org.alfresco.service.cmr.lock.LockService.getLocks=ACL_NODE.0.sys:base.Read
</value>
</property>
</bean>
<!-- =============== -->
<!-- Version Service -->
<!-- =============== -->
<!-- The version service does not have any restrictions applied at the moment. It -->
<!-- does not use a node service that would apply any permissions. -->
<bean id="VersionService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor" />
<!-- ============================== -->
<!-- The Check-out/Check-in service -->
<!-- ============================== -->
<!-- To check out a node requires that you have permission to check out the node and -->
<!-- create the working copy in the specified location. Check in requires the -->
<!-- the associated permission, as does cancel check out. See the permission model -->
<!-- for how these permissions are granted. -->
<bean id="CheckoutCheckinService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
<property name="objectDefinitionSource">
<value>
org.alfresco.service.cmr.coci.CheckOutCheckInService.checkout=ACL_NODE.0.cm:lockable.CheckOut,ACL_NODE.1.sys:base.CreateChildren
org.alfresco.service.cmr.coci.CheckOutCheckInService.checkin=ACL_NODE.0.cm:lockable.CheckIn
org.alfresco.service.cmr.coci.CheckOutCheckInService.cancelCheckout=ACL_NODE.0.cm:lockable.CancelCheckOut
org.alfresco.service.cmr.coci.CheckOutCheckInService.getWorkingCopy=ACL_NODE.0.sys:base.Read
</value>
</property>
</bean>
<!-- ================ -->
<!-- The Rule Service -->
<!-- ================ -->
<!-- The rule service does not require any security restrictions, they are imposed -->
<!-- by the node service it uses to do its work. -->
<bean id="RuleService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor" />
<!-- ==================== -->
<!-- The Importer Service -->
<!-- ==================== -->
<!-- The importer service does not require any security restrictions, they are -->
<!-- imposed by the node service it uses to do its work. -->
<bean id="ImporterService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor" />
<!-- ================== -->
<!-- The Action Service -->
<!-- ================== -->
<!-- The action service does not require any security restrictions, they are imposed -->
<!-- by the node service it uses to do its work. -->
<bean id="ActionService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor" />
<!-- ====================== -->
<!-- The Permission Service -->
<!-- ====================== -->
<!-- Requests to this service are controlled by the ReadPermissions and -->
<!-- and ChangePermissions permissions. Access to some methods are not restricted at -->
<!-- the moment. -->
<bean id="PermissionService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
<property name="objectDefinitionSource">
<value>
org.alfresco.service.cmr.security.PermissionService.getOwnerAuthority=ACL_ALLOW
org.alfresco.service.cmr.security.PermissionService.getAllAuthorities=ACL_ALLOW
org.alfresco.service.cmr.security.PermissionService.getAllPermission=ACL_ALLOW
org.alfresco.service.cmr.security.PermissionService.getPermissions=ACL_NODE.0.sys:base.ReadPermissions
org.alfresco.service.cmr.security.PermissionService.getAllSetPermissions=ACL_NODE.0.sys:base.ReadPermissions
org.alfresco.service.cmr.security.PermissionService.getSettablePermissions=ACL_ALLOW
org.alfresco.service.cmr.security.PermissionService.hasPermission=ACL_ALLOW
org.alfresco.service.cmr.security.PermissionService.deletePermissions=ACL_NODE.0.sys:base.ChangePermissions
org.alfresco.service.cmr.security.PermissionService.deletePermission=ACL_NODE.0.sys:base.ChangePermissions
org.alfresco.service.cmr.security.PermissionService.setPermission=ACL_NODE.0.sys:base.ChangePermissions
org.alfresco.service.cmr.security.PermissionService.setInheritParentPermissions=ACL_NODE.0.sys:base.ChangePermissions
org.alfresco.service.cmr.security.PermissionService.getInheritParentPermissions=ACL_ALLOW
org.alfresco.service.cmr.security.PermissionService.clearPermission=ACL_NODE.0.sys:base.ChangePermissions
</value>
</property>
</bean>
<!-- ===================== -->
<!-- The Authority Service -->
<!-- ===================== -->
<!-- This service currently has no restrictions. -->
<bean id="AuthorityService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
<property name="objectDefinitionSource">
<value>
org.alfresco.service.cmr.security.AuthorityService.hasAdminAuthority=ACL_ALLOW
org.alfresco.service.cmr.security.AuthorityService.getAuthorities=ACL_ALLOW
org.alfresco.service.cmr.security.AuthorityService.getAllAuthorities=ACL_ALLOW
org.alfresco.service.cmr.security.AuthorityService.getAllRootAuthorities=ACL_ALLOW
org.alfresco.service.cmr.security.AuthorityService.createAuthority=ACL_METHOD.ROLE_ADMINISTRATOR
org.alfresco.service.cmr.security.AuthorityService.addAuthority=ACL_METHOD.ROLE_ADMINISTRATOR
org.alfresco.service.cmr.security.AuthorityService.removeAuthority=ACL_METHOD.ROLE_ADMINISTRATOR
org.alfresco.service.cmr.security.AuthorityService.deleteAuthority=ACL_METHOD.ROLE_ADMINISTRATOR
org.alfresco.service.cmr.security.AuthorityService.getContainedAuthorities=ACL_ALLOW
org.alfresco.service.cmr.security.AuthorityService.getContainingAuthorities=ACL_ALLOW
org.alfresco.service.cmr.security.AuthorityService.getShortName=ACL_ALLOW
org.alfresco.service.cmr.security.AuthorityService.getName=ACL_ALLOW
org.alfresco.service.cmr.security.AuthorityService.authorityExists=ACL_METHOD.ROLE_ADMINISTRATOR
</value>
</property>
</bean>
<!-- =============================================== -->
<!-- The Authentication Service security interceptor -->
<!-- =============================================== -->
<!-- Authentication is excluded as it sets or cleas authentication -->
<!-- The same for validate ticaket -->
<!-- Update authentication checks internally -->
<bean id="AuthenticationService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
<property name="objectDefinitionSource">
<value>
org.alfresco.service.cmr.security.AuthenticationService.createAuthentication=ACL_METHOD.ROLE_ADMINISTRATOR
org.alfresco.service.cmr.security.AuthenticationService.updateAuthentication=ACL_ALLOW
org.alfresco.service.cmr.security.AuthenticationService.setAuthentication=ACL_METHOD.ROLE_ADMINISTRATOR
org.alfresco.service.cmr.security.AuthenticationService.deleteAuthentication=ACL_METHOD.ROLE_ADMINISTRATOR
org.alfresco.service.cmr.security.AuthenticationService.setAuthenticationEnabled=ACL_METHOD.ROLE_ADMINISTRATOR
org.alfresco.service.cmr.security.AuthenticationService.getAuthenticationEnabled=ACL_METHOD.ROLE_ADMINISTRATOR
org.alfresco.service.cmr.security.AuthenticationService.authenticationExists=ACL_METHOD.ROLE_ADMINISTRATOR
org.alfresco.service.cmr.security.AuthenticationService.getCurrentUserName=ACL_ALLOW
org.alfresco.service.cmr.security.AuthenticationService.invalidateUserSession=ACL_METHOD.ROLE_ADMINISTRATOR
org.alfresco.service.cmr.security.AuthenticationService.invalidateTicket=ACL_ALLOW
org.alfresco.service.cmr.security.AuthenticationService.getCurrentTicket=ACL_ALLOW
org.alfresco.service.cmr.security.AuthenticationService.clearCurrentSecurityContext=ACL_ALLOW
org.alfresco.service.cmr.security.AuthenticationService.isCurrentUserTheSystemUser=ACL_ALLOW
</value>
</property>
</bean>
<!-- =================== -->
<!-- The Ownable Service -->
<!-- =================== -->
<!-- This service currently has no restrictions. -->
<!-- TODO: respect the permissions on the ownable service -->
<bean id="OwnableService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
<property name="objectDefinitionSource">
<value>
org.alfresco.service.cmr.security.OwnableService.getOwner=ACL_NODE.0.sys:base.Read
org.alfresco.service.cmr.security.OwnableService.setOwner=ACL_NODE.0.cm:ownable.SetOwner
org.alfresco.service.cmr.security.OwnableService.takeOwnership=ACL_NODE.0.cm:ownable.TakeOwnership
org.alfresco.service.cmr.security.OwnableService.hasOwner=ACL_NODE.0.sys:base.Read
</value>
</property>
</bean>
<!-- Person Service -->
<bean id="PersonService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
<property name="objectDefinitionSource">
<value>
org.alfresco.service.cmr.security.PersonService.getPerson=AFTER_ACL_NODE.sys:base.Read
org.alfresco.service.cmr.security.PersonService.personExists=ACL_ALLOW
org.alfresco.service.cmr.security.PersonService.createMissingPeople=ACL_ALLOW
org.alfresco.service.cmr.security.PersonService.setCreateMissingPeople=ACL_METHOD.ROLE_ADMINISTRATOR
org.alfresco.service.cmr.security.PersonService.getMutableProperties=ACL_ALLOW
org.alfresco.service.cmr.security.PersonService.setPersonProperties=ACL_METHOD.ROLE_ADMINISTRATOR
org.alfresco.service.cmr.security.PersonService.isMutable=ACL_ALLOW
org.alfresco.service.cmr.security.PersonService.createPerson=ACL_METHOD.ROLE_ADMINISTRATOR
org.alfresco.service.cmr.security.PersonService.deletePerson=ACL_METHOD.ROLE_ADMINISTRATOR
org.alfresco.service.cmr.security.PersonService.getAllPeople=ACL_ALLOW
org.alfresco.service.cmr.security.PersonService.getPeopleContainer=ACL_ALLOW
</value>
</property>
</bean>
<!-- ==================== -->
<!-- The Template Service -->
<!-- ==================== -->
<!-- This service currently has no restrictions. -->
<bean id="TemplateService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor" />
<!-- ==================== -->
<!-- The Script Service -->
<!-- ==================== -->
<!-- This service currently has no restrictions. -->
<bean id="ScriptService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor" />
<!-- ================ -->
<!-- Workflow Service -->
<!-- ================ -->
<!-- TODO: Add workflow security -->
<bean id="WorkflowService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor" />
<!-- ============= -->
<!-- Audit Service -->
<!-- ============= -->
<!-- TODO: Add audit security -->
<bean id="AuditService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor" />
</beans>