mirror of
https://github.com/Alfresco/alfresco-community-repo.git
synced 2025-07-24 17:32:48 +00:00
b2f9df29d1
were both beyond me, and are just the raw conflict merge data. If Kev can't figure out how they should go together by tomorrow AM (for me) I'll dig back in. git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/WCM-DEV2/root@4306 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
731 lines
45 KiB
XML
731 lines
45 KiB
XML
<?xml version='1.0' encoding='UTF-8'?>
|
|
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
|
|
|
|
<!-- ========================== -->
|
|
<!-- Enforcement of permissions -->
|
|
<!-- ========================== -->
|
|
|
|
<!-- -->
|
|
<!-- This file defines the beans that intercept method calls to the repository services -->
|
|
<!-- and enforce security based on the currently authenticated user. -->
|
|
<!-- -->
|
|
|
|
|
|
<beans>
|
|
|
|
|
|
<!-- Because of the way hibernate works, we need to cache when permissions are not -->
|
|
<!-- set. -->
|
|
<import resource="classpath:alfresco/cache-context.xml" />
|
|
|
|
<!-- ======================= -->
|
|
<!-- Support for permissions -->
|
|
<!-- ========================-->
|
|
|
|
<!-- ================================= -->
|
|
<!-- The enterprise permission service -->
|
|
<!-- ================================= -->
|
|
|
|
<bean id='permissionService' class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
|
|
<property name="proxyInterfaces">
|
|
<value>org.alfresco.repo.security.permissions.PermissionServiceSPI</value>
|
|
</property>
|
|
<property name="transactionManager">
|
|
<ref bean="transactionManager" />
|
|
</property>
|
|
<property name="target">
|
|
<ref bean="permissionServiceImpl" />
|
|
</property>
|
|
<property name="transactionAttributes">
|
|
<props>
|
|
<prop key="*">${server.transaction.mode.default}</prop>
|
|
</props>
|
|
</property>
|
|
</bean>
|
|
|
|
<bean id="permissionServiceImpl" class="org.alfresco.repo.security.permissions.impl.PermissionServiceImpl">
|
|
<property name="nodeService">
|
|
<ref bean="nodeService" />
|
|
</property>
|
|
<property name="dictionaryService">
|
|
<ref bean="dictionaryService" />
|
|
</property>
|
|
<property name="permissionsDaoComponent">
|
|
<ref bean="permissionsDaoComponent" />
|
|
</property>
|
|
<property name="modelDAO">
|
|
<ref bean="permissionsModelDAO" />
|
|
</property>
|
|
<property name="authenticationComponent">
|
|
<ref bean="authenticationComponentImpl" />
|
|
</property>
|
|
<property name="authorityService">
|
|
<ref bean="authorityService" />
|
|
</property>
|
|
<property name="accessCache">
|
|
<ref bean="permissionsAccessCache" />
|
|
</property>
|
|
<property name="policyComponent">
|
|
<ref bean="policyComponent" />
|
|
</property>
|
|
<!-- Dynamic authorites are evaluated in the context of a store/node etc -->
|
|
<!-- as opposed to being fixed like user name and groups. -->
|
|
<!-- There are two dynamic authorities, the ower of a node and the owner -->
|
|
<!-- of a lock on a node. -->
|
|
<property name="dynamicAuthorities">
|
|
<list>
|
|
<ref bean="ownerDynamicAuthority" />
|
|
<ref bean="lockOwnerDynamicAuthority" />
|
|
</list>
|
|
</property>
|
|
</bean>
|
|
|
|
<!-- =================== -->
|
|
<!-- Dynamic Authorities -->
|
|
<!-- =================== -->
|
|
|
|
|
|
<!-- The provider to evaluate if the current authentication is the owner of a node. -->
|
|
<bean id="ownerDynamicAuthority" class="org.alfresco.repo.security.permissions.dynamic.OwnerDynamicAuthority">
|
|
<property name="ownableService">
|
|
<ref bean="ownableService" />
|
|
</property>
|
|
</bean>
|
|
|
|
<!-- The provider to evaluate if the currfent authentication is the local owner on a -->
|
|
<!-- node. -->
|
|
<bean id="lockOwnerDynamicAuthority" class="org.alfresco.repo.security.permissions.dynamic.LockOwnerDynamicAuthority">
|
|
<property name="lockService">
|
|
<ref bean="lockService" />
|
|
</property>
|
|
<property name="nodeService">
|
|
<ref bean="nodeService" />
|
|
</property>
|
|
</bean>
|
|
|
|
<!-- ===================== -->
|
|
<!-- Permissions Model DAO -->
|
|
<!-- ===================== -->
|
|
|
|
<bean id='permissionsModelDAO' class="org.alfresco.repo.security.permissions.impl.model.PermissionModel">
|
|
<property name="model">
|
|
<value>alfresco/model/permissionDefinitions.xml</value>
|
|
</property>
|
|
<property name="nodeService">
|
|
<ref bean="nodeService" />
|
|
</property>
|
|
<property name="dictionaryService">
|
|
<ref bean="dictionaryService" />
|
|
</property>
|
|
</bean>
|
|
|
|
<!-- ====== -->
|
|
<!-- Voters -->
|
|
<!-- ====== -->
|
|
|
|
<!-- A voter to allow access base on the current authentication having authorities -->
|
|
<!-- starting with the prefix "ROLE_" -->
|
|
<!-- Any match grants -->
|
|
|
|
<bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter" abstract="false" singleton="true"
|
|
lazy-init="default" autowire="default" dependency-check="default" >
|
|
<property name="rolePrefix">
|
|
<value>ROLE_</value>
|
|
</property>
|
|
</bean>
|
|
|
|
<!-- A voter to allow access base on the current authentication having authorities -->
|
|
<!-- starting with the prefix "GROUP_" -->
|
|
<!-- Any match grants -->
|
|
|
|
<bean id="groupVoter" class="net.sf.acegisecurity.vote.RoleVoter" abstract="false" singleton="true"
|
|
lazy-init="default" autowire="default" dependency-check="default" >
|
|
<property name="rolePrefix">
|
|
<value>GROUP_</value>
|
|
</property>
|
|
</bean>
|
|
|
|
<!-- A voter to allow access based on node access control. -->
|
|
<!-- These start ACL_NODE or ACL_PARENT and are followed by .methodArgumentPosition -->
|
|
<!-- then object type (prefix:localname) . permission -->
|
|
<!-- -->
|
|
<!-- All permissions starting ACL_NODE and ACL_PARENT must be present for access to -->
|
|
<!-- be granted. -->
|
|
<!-- -->
|
|
<!-- Note: ff the context evaluates to null (e.g. doing an exists test on a node -->
|
|
<!-- that does not exist) then access will be allowed. -->
|
|
|
|
<bean id="aclEntryVoter" class="org.alfresco.repo.security.permissions.impl.acegi.ACLEntryVoter" abstract="false" singleton="true"
|
|
lazy-init="default" autowire="default" dependency-check="default" >
|
|
<property name="permissionService">
|
|
<ref bean="permissionService"></ref>
|
|
</property>
|
|
<property name="namespacePrefixResolver">
|
|
<ref bean="namespaceService"></ref>
|
|
</property>
|
|
<property name="nodeService">
|
|
<ref bean="nodeService"></ref>
|
|
</property>
|
|
<property name="authenticationService">
|
|
<ref bean="authenticationService" />
|
|
</property>
|
|
<property name="authorityService">
|
|
<ref bean="authorityService" />
|
|
</property>
|
|
</bean>
|
|
|
|
|
|
<!-- ======================= -->
|
|
<!-- Access decision manager -->
|
|
<!-- ======================= -->
|
|
|
|
<!-- The access decision manager asks voters in order if they should allow access -->
|
|
<!-- Role and group access do not require ACL based access -->
|
|
|
|
<bean id="accessDecisionManager" class="net.sf.acegisecurity.vote.AffirmativeBased">
|
|
<property name="allowIfAllAbstainDecisions"><value>false</value></property>
|
|
<property name="decisionVoters">
|
|
<list>
|
|
<ref local="roleVoter"/>
|
|
<ref local="groupVoter"/>
|
|
<ref local="aclEntryVoter"/>
|
|
</list>
|
|
</property>
|
|
</bean>
|
|
|
|
<!-- ======================================== -->
|
|
<!-- Post method call application of security -->
|
|
<!-- ======================================== -->
|
|
|
|
<bean id="afterAcl" class="org.alfresco.repo.security.permissions.impl.acegi.ACLEntryAfterInvocationProvider" abstract="false" singleton="true"
|
|
lazy-init="default" autowire="default" dependency-check="default" >
|
|
<property name="permissionService">
|
|
<ref bean="permissionServiceImpl"></ref>
|
|
</property>
|
|
<property name="namespacePrefixResolver">
|
|
<ref bean="namespaceService"></ref>
|
|
</property>
|
|
<property name="nodeService">
|
|
<ref bean="nodeService"></ref>
|
|
</property>
|
|
<property name="authenticationService">
|
|
<ref bean="authenticationServiceImpl" />
|
|
</property>
|
|
</bean>
|
|
|
|
<!-- Link up after method call security -->
|
|
|
|
<bean id="afterInvocationManager" class="net.sf.acegisecurity.afterinvocation.AfterInvocationProviderManager">
|
|
<property name="providers">
|
|
<list>
|
|
<ref local="afterAcl"/>
|
|
</list>
|
|
</property>
|
|
</bean>
|
|
|
|
|
|
<!-- ================================ -->
|
|
<!-- Beans that enforce secure access -->
|
|
<!-- ================================ -->
|
|
|
|
<!-- Each bean defines a new methos security interceptor wired up with the -->
|
|
<!-- authenticationManager, accessDecisionManager and afterInvocationManager, which -->
|
|
<!-- can all be reused. -->
|
|
|
|
<!-- If one method cal requires security enforcement - all methods must gave a -->
|
|
<!-- security entry of some sort. ACL_ALLOW can be used to give access to all -->
|
|
<!-- ROLE_ADMINISTRATOR can be used to grant access to administrator related methods -->
|
|
|
|
|
|
<!-- The namespace service does not enforce any security requirements -->
|
|
<bean id="NamespaceService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor" />
|
|
|
|
<!-- The dictionary service does not enforce any security requirements -->
|
|
<bean id="DictionaryService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor" />
|
|
|
|
<!-- ======================== -->
|
|
<!-- Node service permissions -->
|
|
<!-- ======================== -->
|
|
|
|
<!-- See the NodeService for the parameters required for each method call. -->
|
|
<!-- -->
|
|
<!-- getStores -->
|
|
<!-- returns a list fo the stores to which the curent authentication has Read -->
|
|
<!-- permission. (See the permission model defintion for what this means) -->
|
|
<!-- createStore -->
|
|
<!-- only a user with the administrator role can create new stores -->
|
|
<!-- exists -->
|
|
<!-- check if a node exists. If the current user does not have read access then -->
|
|
<!-- the node will not exist. -->
|
|
<!-- getRootNode -->
|
|
<!-- get the root node for a store - access will be denied for users who do not -->
|
|
<!-- have Read permission for the root node of the store. -->
|
|
<!-- createNode -->
|
|
<!-- requires that the current authentication has the permission to create -->
|
|
<!-- children for the containing node. -->
|
|
<!-- moveNode -->
|
|
<!-- requires that the current authentication has the permission to delete the -->
|
|
<!-- the node in the source folder and create it in the destination folder. -->
|
|
<!-- setChildAssociationIndex -->
|
|
<!-- required write properties permission on the parent -->
|
|
<!-- getType -->
|
|
<!-- obtaining the type of a node requires read access -->
|
|
<!-- addAspect -->
|
|
<!-- adding an aspect updates a multi-valued property so this requires write -->
|
|
<!-- access to properties. -->
|
|
<!-- removeAspect -->
|
|
<!-- removing an aspect updates a multi-valued property so this requires write -->
|
|
<!-- access to properties. -->
|
|
<!-- hasAspect -->
|
|
<!-- querying for an aspect requires read access to a property -->
|
|
<!-- getAspects -->
|
|
<!-- querying for all aspect requires read access to a property -->
|
|
<!-- deleteNode -->
|
|
<!-- requires the delete permission -->
|
|
<!-- addChild -->
|
|
<!-- requires create children on the parent -->
|
|
<!-- removeChild -->
|
|
<!-- Requires delete permission for the node to be deleted -->
|
|
<!-- getProperties -->
|
|
<!-- Requires read properties for the node -->
|
|
<!-- getProperty -->
|
|
<!-- Requires read properties for the node -->
|
|
<!-- setProperties -->
|
|
<!-- Requires write properties for the node -->
|
|
<!-- setProperty -->
|
|
<!-- Requires write properties for the node -->
|
|
<!-- getParentAssocs -->
|
|
<!-- Requires read on the node and returns only parents that can be seen -->
|
|
<!-- It is possible that no parents are accessible -->
|
|
<!-- getChildAssocs -->
|
|
<!-- Requires read on the node and returns only children that can be seen -->
|
|
<!-- It is possible that no children are accessible -->
|
|
<!-- getPrimaryParent -->
|
|
<!-- Requires read on the node an aceess error will be thrown if the primary -->
|
|
<!-- parent can not be read -->
|
|
<!-- createAssociation -->
|
|
<!-- NOT SET YET -->
|
|
<!-- removeAssociation -->
|
|
<!-- NOT SET YET -->
|
|
<!-- getTargetAssocs -->
|
|
<!-- NOT SET YET -->
|
|
<!-- getSourceAssocs -->
|
|
<!-- NOT SET YET -->
|
|
<!-- getPath -->
|
|
<!-- Requires read for the node -->
|
|
<!-- getPaths -->
|
|
<!-- Requires read for the node -->
|
|
|
|
|
|
<bean id="NodeService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
|
|
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
|
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
|
|
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
|
|
<property name="objectDefinitionSource">
|
|
<value>
|
|
org.alfresco.service.cmr.repository.NodeService.getStores=AFTER_ACL_NODE.sys:base.Read
|
|
org.alfresco.service.cmr.repository.NodeService.createStore=ACL_METHOD.ROLE_ADMINISTRATOR
|
|
org.alfresco.service.cmr.repository.NodeService.exists=ACL_ALLOW
|
|
org.alfresco.service.cmr.repository.NodeService.getNodeStatus=ACL_NODE.0.sys:base.Read
|
|
org.alfresco.service.cmr.repository.NodeService.getRootNode=ACL_NODE.0.sys:base.Read
|
|
org.alfresco.service.cmr.repository.NodeService.createNode=ACL_NODE.0.sys:base.CreateChildren
|
|
org.alfresco.service.cmr.repository.NodeService.moveNode=ACL_NODE.0.sys:base.DeleteNode,ACL_NODE.1.sys:base.CreateChildren
|
|
org.alfresco.service.cmr.repository.NodeService.setChildAssociationIndex=ACL_PARENT.0.sys:base.WriteProperties
|
|
org.alfresco.service.cmr.repository.NodeService.getType=ACL_NODE.0.sys:base.Read
|
|
org.alfresco.service.cmr.repository.NodeService.setType=ACL_NODE.0.sys:base.Write
|
|
org.alfresco.service.cmr.repository.NodeService.addAspect=ACL_NODE.0.sys:base.Write
|
|
org.alfresco.service.cmr.repository.NodeService.removeAspect=ACL_NODE.0.sys:base.Write
|
|
org.alfresco.service.cmr.repository.NodeService.hasAspect=ACL_NODE.0.sys:base.ReadProperties
|
|
org.alfresco.service.cmr.repository.NodeService.getAspects=ACL_NODE.0.sys:base.ReadProperties
|
|
org.alfresco.service.cmr.repository.NodeService.deleteNode=ACL_NODE.0.sys:base.DeleteNode
|
|
org.alfresco.service.cmr.repository.NodeService.addChild=ACL_NODE.0.sys:base.CreateChildren,ACL_NODE.1.sys:base.ReadProperties
|
|
org.alfresco.service.cmr.repository.NodeService.removeChild=ACL_NODE.1.sys:base.DeleteChildren
|
|
org.alfresco.service.cmr.repository.NodeService.getProperties=ACL_NODE.0.sys:base.ReadProperties
|
|
org.alfresco.service.cmr.repository.NodeService.getProperty=ACL_NODE.0.sys:base.ReadProperties
|
|
org.alfresco.service.cmr.repository.NodeService.setProperties=ACL_NODE.0.sys:base.WriteProperties
|
|
org.alfresco.service.cmr.repository.NodeService.setProperty=ACL_NODE.0.sys:base.WriteProperties
|
|
org.alfresco.service.cmr.repository.NodeService.getParentAssocs=ACL_NODE.0.sys:base.ReadProperties,AFTER_ACL_PARENT.sys:base.Read
|
|
org.alfresco.service.cmr.repository.NodeService.getChildAssocs=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.Read
|
|
org.alfresco.service.cmr.repository.NodeService.getPrimaryParent=ACL_NODE.0.sys:base.ReadProperties,AFTER_ACL_PARENT.sys:base.Read
|
|
org.alfresco.service.cmr.repository.NodeService.createAssociation=ROLE_AUTHENTICATED
|
|
org.alfresco.service.cmr.repository.NodeService.removeAssociation=ROLE_AUTHENTICATED
|
|
org.alfresco.service.cmr.repository.NodeService.getTargetAssocs=ROLE_AUTHENTICATED
|
|
org.alfresco.service.cmr.repository.NodeService.getSourceAssocs=ROLE_AUTHENTICATED
|
|
org.alfresco.service.cmr.repository.NodeService.getPath=ACL_NODE.0.sys:base.ReadProperties
|
|
org.alfresco.service.cmr.repository.NodeService.getPaths=ACL_NODE.0.sys:base.ReadProperties
|
|
org.alfresco.service.cmr.repository.NodeService.getStoreArchiveNode=ACL_NODE.0.sys:base.Read
|
|
org.alfresco.service.cmr.repository.NodeService.restoreNode=ACL_NODE.0.sys:base.DeleteNode,ACL_NODE.1.sys:base.CreateChildren
|
|
</value>
|
|
</property>
|
|
</bean>
|
|
|
|
<!-- ============================== -->
|
|
<!-- FileFolder Service Permissions -->
|
|
<!-- ============================== -->
|
|
|
|
<bean id="FileFolderService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
|
|
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
|
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
|
|
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
|
|
<property name="objectDefinitionSource">
|
|
<value>
|
|
org.alfresco.service.cmr.model.FileFolderService.list=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.Read
|
|
org.alfresco.service.cmr.model.FileFolderService.listFiles=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.Read
|
|
org.alfresco.service.cmr.model.FileFolderService.listFolders=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.Read
|
|
org.alfresco.service.cmr.model.FileFolderService.search=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.Read
|
|
org.alfresco.service.cmr.model.FileFolderService.searchSimple=ACL_NODE.0.sys:base.ReadChildren,AFTER_ACL_NODE.sys:base.Read
|
|
org.alfresco.service.cmr.model.FileFolderService.rename=AFTER_ACL_NODE.sys:base.WriteProperties
|
|
org.alfresco.service.cmr.model.FileFolderService.move=ACL_NODE.0.sys:base.DeleteNode,ACL_NODE.1.sys:base.CreateChildren
|
|
org.alfresco.service.cmr.model.FileFolderService.copy=ACL_NODE.0.sys:base.Read,ACL_NODE.1.sys:base.CreateChildren
|
|
org.alfresco.service.cmr.model.FileFolderService.create=ACL_NODE.0.sys:base.CreateChildren
|
|
org.alfresco.service.cmr.model.FileFolderService.delete=ACL_NODE.0.sys:base.DeleteNode
|
|
org.alfresco.service.cmr.model.FileFolderService.makeFolders=AFTER_ACL_PARENT.sys:base.CreateChildren
|
|
org.alfresco.service.cmr.model.FileFolderService.getNamePath=ACL_NODE.1.sys:base.ReadProperties
|
|
org.alfresco.service.cmr.model.FileFolderService.resolveNamePath=AFTER_ACL_NODE.sys:base.ReadProperties
|
|
org.alfresco.service.cmr.model.FileFolderService.getFileInfo=ACL_NODE.0.sys:base.ReadProperties
|
|
org.alfresco.service.cmr.model.FileFolderService.getReader=ACL_NODE.0.sys:base.ReadContent
|
|
org.alfresco.service.cmr.model.FileFolderService.getWriter=ACL_NODE.0.sys:base.WriteContent
|
|
</value>
|
|
</property>
|
|
</bean>
|
|
|
|
<!-- =========================== -->
|
|
<!-- Content Service Permissions -->
|
|
<!-- =========================== -->
|
|
|
|
<!-- Reading requires the permission to read content -->
|
|
<!-- Writing required the permission to write conent -->
|
|
|
|
<bean id="ContentService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
|
|
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
|
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
|
|
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
|
|
<property name="objectDefinitionSource">
|
|
<value>
|
|
org.alfresco.service.cmr.repository.ContentService.getReader=ACL_NODE.0.sys:base.ReadContent
|
|
org.alfresco.service.cmr.repository.ContentService.getWriter=ACL_NODE.0.sys:base.WriteContent
|
|
org.alfresco.service.cmr.repository.ContentService.isTransformable=ACL_ALLOW
|
|
org.alfresco.service.cmr.repository.ContentService.getTransformer=ACL_ALLOW
|
|
org.alfresco.service.cmr.repository.ContentService.getImageTransformer=ACL_ALLOW
|
|
org.alfresco.service.cmr.repository.ContentService.transform=ACL_ALLOW
|
|
org.alfresco.service.cmr.repository.ContentService.getTempWriter=ACL_ALLOW
|
|
</value>
|
|
</property>
|
|
</bean>
|
|
|
|
|
|
<!-- ================ -->
|
|
<!-- MimeType Service -->
|
|
<!-- ================ -->
|
|
|
|
<!-- There are no permissions around mime types -->
|
|
<bean id="MimetypeService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor" />
|
|
|
|
<!-- ============== -->
|
|
<!-- Search Service -->
|
|
<!-- ============== -->
|
|
|
|
<!-- All search results are filtered to exclude nodes that the current user can not -->
|
|
<!-- read. Other methods restrict queries to those nodes the user can read -->
|
|
|
|
<bean id="SearchService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
|
|
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
|
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
|
|
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
|
|
<property name="objectDefinitionSource">
|
|
<value>
|
|
org.alfresco.service.cmr.search.SearchService.query=AFTER_ACL_NODE.sys:base.Read
|
|
org.alfresco.service.cmr.search.SearchService.selectNodes=AFTER_ACL_NODE.sys:base.Read
|
|
org.alfresco.service.cmr.search.SearchService.selectProperties=ACL_NODE.0.sys:base.Read
|
|
org.alfresco.service.cmr.search.SearchService.contains=ACL_NODE.0.sys:base.Read
|
|
org.alfresco.service.cmr.search.SearchService.like=ACL_NODE.0.sys:base.Read
|
|
</value>
|
|
</property>
|
|
</bean>
|
|
|
|
<!-- ================ -->
|
|
<!-- Category Service -->
|
|
<!-- ================ -->
|
|
|
|
<!-- Category queries are filtered for nodes that are visible to the current user -->
|
|
<!-- Other methods are unrestricted at the moment -->
|
|
|
|
<bean id="CategoryService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
|
|
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
|
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
|
|
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
|
|
<property name="objectDefinitionSource">
|
|
<value>
|
|
org.alfresco.service.cmr.search.CategoryService.getChildren=AFTER_ACL_NODE.sys:base.Read
|
|
org.alfresco.service.cmr.search.CategoryService.getCategories=AFTER_ACL_NODE.sys:base.Read
|
|
org.alfresco.service.cmr.search.CategoryService.getClassifications=AFTER_ACL_NODE.sys:base.Read
|
|
org.alfresco.service.cmr.search.CategoryService.getRootCategories=AFTER_ACL_NODE.sys:base.Read
|
|
org.alfresco.service.cmr.search.CategoryService.getClassificationAspects=ACL_ALLOW
|
|
org.alfresco.service.cmr.search.CategoryService.createClassifiction=ACL_METHOD.ROLE_ADMINISTRATOR
|
|
org.alfresco.service.cmr.search.CategoryService.createRootCategory=ACL_METHOD.ROLE_ADMINISTRATOR
|
|
org.alfresco.service.cmr.search.CategoryService.createCategory=ACL_METHOD.ROLE_ADMINISTRATOR
|
|
org.alfresco.service.cmr.search.CategoryService.deleteClassification=ACL_METHOD.ROLE_ADMINISTRATOR
|
|
org.alfresco.service.cmr.search.CategoryService.deleteCategory=ACL_METHOD.ROLE_ADMINISTRATOR
|
|
</value>
|
|
</property>
|
|
</bean>
|
|
|
|
|
|
<!-- ============ -->
|
|
<!-- Copy Service -->
|
|
<!-- ============ -->
|
|
|
|
<!-- The copy service does not require any security restrictions, they are imposed -->
|
|
<!-- by the node service it uses to do its work. -->
|
|
|
|
<bean id="CopyService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor" />
|
|
|
|
<!-- ================ -->
|
|
<!-- The Lock Service -->
|
|
<!-- ================ -->
|
|
|
|
<!-- Lock and Unlock require the related aspect specific permissions. Querying the -->
|
|
<!-- lock status just requires read access to the node. -->
|
|
|
|
<bean id="LockService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
|
|
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
|
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
|
|
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
|
|
<property name="objectDefinitionSource">
|
|
<value>
|
|
org.alfresco.service.cmr.lock.LockService.lock=ACL_NODE.0.cm:lockable.Lock
|
|
org.alfresco.service.cmr.lock.LockService.unlock=ACL_NODE.0.cm:lockable.Unlock
|
|
org.alfresco.service.cmr.lock.LockService.getLockStatus=ACL_NODE.0.sys:base.Read
|
|
org.alfresco.service.cmr.lock.LockService.getLockType=ACL_NODE.0.sys:base.Read
|
|
org.alfresco.service.cmr.lock.LockService.checkForLock=ACL_NODE.0.sys:base.Read
|
|
org.alfresco.service.cmr.lock.LockService.getLocks=ACL_NODE.0.sys:base.Read
|
|
</value>
|
|
</property>
|
|
</bean>
|
|
|
|
<!-- =============== -->
|
|
<!-- Version Service -->
|
|
<!-- =============== -->
|
|
|
|
<!-- The version service does not have any restrictions applied at the moment. It -->
|
|
<!-- does not use a node service that would apply any permissions. -->
|
|
|
|
<bean id="VersionService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor" />
|
|
|
|
<!-- ============================== -->
|
|
<!-- The Check-out/Check-in service -->
|
|
<!-- ============================== -->
|
|
|
|
<!-- To check out a node requires that you have permission to check out the node and -->
|
|
<!-- create the working copy in the specified location. Check in requires the -->
|
|
<!-- the associated permission, as does cancel check out. See the permission model -->
|
|
<!-- for how these permissions are granted. -->
|
|
|
|
<bean id="CheckoutCheckinService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
|
|
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
|
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
|
|
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
|
|
<property name="objectDefinitionSource">
|
|
<value>
|
|
org.alfresco.service.cmr.coci.CheckOutCheckInService.checkout=ACL_NODE.0.cm:lockable.CheckOut,ACL_NODE.1.sys:base.CreateChildren
|
|
org.alfresco.service.cmr.coci.CheckOutCheckInService.checkin=ACL_NODE.0.cm:lockable.CheckIn
|
|
org.alfresco.service.cmr.coci.CheckOutCheckInService.cancelCheckout=ACL_NODE.0.cm:lockable.CancelCheckOut
|
|
org.alfresco.service.cmr.coci.CheckOutCheckInService.getWorkingCopy=ACL_NODE.0.sys:base.Read
|
|
</value>
|
|
</property>
|
|
</bean>
|
|
|
|
<!-- ================ -->
|
|
<!-- The Rule Service -->
|
|
<!-- ================ -->
|
|
|
|
<!-- The rule service does not require any security restrictions, they are imposed -->
|
|
<!-- by the node service it uses to do its work. -->
|
|
|
|
<bean id="RuleService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor" />
|
|
|
|
<!-- ==================== -->
|
|
<!-- The Importer Service -->
|
|
<!-- ==================== -->
|
|
|
|
<!-- The importer service does not require any security restrictions, they are -->
|
|
<!-- imposed by the node service it uses to do its work. -->
|
|
|
|
<bean id="ImporterService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor" />
|
|
|
|
<!-- ================== -->
|
|
<!-- The Action Service -->
|
|
<!-- ================== -->
|
|
|
|
<!-- The action service does not require any security restrictions, they are imposed -->
|
|
<!-- by the node service it uses to do its work. -->
|
|
<bean id="ActionService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor" />
|
|
|
|
<!-- ====================== -->
|
|
<!-- The Permission Service -->
|
|
<!-- ====================== -->
|
|
|
|
<!-- Requests to this service are controlled by the ReadPermissions and -->
|
|
<!-- and ChangePermissions permissions. Access to some methods are not restricted at -->
|
|
<!-- the moment. -->
|
|
|
|
<bean id="PermissionService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
|
|
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
|
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
|
|
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
|
|
<property name="objectDefinitionSource">
|
|
<value>
|
|
org.alfresco.service.cmr.security.PermissionService.getOwnerAuthority=ACL_ALLOW
|
|
org.alfresco.service.cmr.security.PermissionService.getAllAuthorities=ACL_ALLOW
|
|
org.alfresco.service.cmr.security.PermissionService.getAllPermission=ACL_ALLOW
|
|
org.alfresco.service.cmr.security.PermissionService.getPermissions=ACL_NODE.0.sys:base.ReadPermissions
|
|
org.alfresco.service.cmr.security.PermissionService.getAllSetPermissions=ACL_NODE.0.sys:base.ReadPermissions
|
|
org.alfresco.service.cmr.security.PermissionService.getSettablePermissions=ACL_ALLOW
|
|
org.alfresco.service.cmr.security.PermissionService.hasPermission=ACL_ALLOW
|
|
org.alfresco.service.cmr.security.PermissionService.deletePermissions=ACL_NODE.0.sys:base.ChangePermissions
|
|
org.alfresco.service.cmr.security.PermissionService.deletePermission=ACL_NODE.0.sys:base.ChangePermissions
|
|
org.alfresco.service.cmr.security.PermissionService.setPermission=ACL_NODE.0.sys:base.ChangePermissions
|
|
org.alfresco.service.cmr.security.PermissionService.setInheritParentPermissions=ACL_NODE.0.sys:base.ChangePermissions
|
|
org.alfresco.service.cmr.security.PermissionService.getInheritParentPermissions=ACL_ALLOW
|
|
org.alfresco.service.cmr.security.PermissionService.clearPermission=ACL_NODE.0.sys:base.ChangePermissions
|
|
</value>
|
|
</property>
|
|
</bean>
|
|
|
|
<!-- ===================== -->
|
|
<!-- The Authority Service -->
|
|
<!-- ===================== -->
|
|
|
|
<!-- This service currently has no restrictions. -->
|
|
|
|
<bean id="AuthorityService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
|
|
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
|
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
|
|
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
|
|
<property name="objectDefinitionSource">
|
|
<value>
|
|
org.alfresco.service.cmr.security.AuthorityService.hasAdminAuthority=ACL_ALLOW
|
|
org.alfresco.service.cmr.security.AuthorityService.getAuthorities=ACL_ALLOW
|
|
org.alfresco.service.cmr.security.AuthorityService.getAllAuthorities=ACL_ALLOW
|
|
org.alfresco.service.cmr.security.AuthorityService.getAllRootAuthorities=ACL_ALLOW
|
|
org.alfresco.service.cmr.security.AuthorityService.createAuthority=ACL_METHOD.ROLE_ADMINISTRATOR
|
|
org.alfresco.service.cmr.security.AuthorityService.addAuthority=ACL_METHOD.ROLE_ADMINISTRATOR
|
|
org.alfresco.service.cmr.security.AuthorityService.removeAuthority=ACL_METHOD.ROLE_ADMINISTRATOR
|
|
org.alfresco.service.cmr.security.AuthorityService.deleteAuthority=ACL_METHOD.ROLE_ADMINISTRATOR
|
|
org.alfresco.service.cmr.security.AuthorityService.getContainedAuthorities=ACL_ALLOW
|
|
org.alfresco.service.cmr.security.AuthorityService.getContainingAuthorities=ACL_ALLOW
|
|
org.alfresco.service.cmr.security.AuthorityService.getShortName=ACL_ALLOW
|
|
org.alfresco.service.cmr.security.AuthorityService.getName=ACL_ALLOW
|
|
org.alfresco.service.cmr.security.AuthorityService.authorityExists=ACL_METHOD.ROLE_ADMINISTRATOR
|
|
</value>
|
|
</property>
|
|
</bean>
|
|
|
|
<!-- =============================================== -->
|
|
<!-- The Authentication Service security interceptor -->
|
|
<!-- =============================================== -->
|
|
|
|
<!-- Authentication is excluded as it sets or cleas authentication -->
|
|
<!-- The same for validate ticaket -->
|
|
<!-- Update authentication checks internally -->
|
|
<bean id="AuthenticationService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
|
|
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
|
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
|
|
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
|
|
<property name="objectDefinitionSource">
|
|
<value>
|
|
org.alfresco.service.cmr.security.AuthenticationService.createAuthentication=ACL_METHOD.ROLE_ADMINISTRATOR
|
|
org.alfresco.service.cmr.security.AuthenticationService.updateAuthentication=ACL_ALLOW
|
|
org.alfresco.service.cmr.security.AuthenticationService.setAuthentication=ACL_METHOD.ROLE_ADMINISTRATOR
|
|
org.alfresco.service.cmr.security.AuthenticationService.deleteAuthentication=ACL_METHOD.ROLE_ADMINISTRATOR
|
|
org.alfresco.service.cmr.security.AuthenticationService.setAuthenticationEnabled=ACL_METHOD.ROLE_ADMINISTRATOR
|
|
org.alfresco.service.cmr.security.AuthenticationService.getAuthenticationEnabled=ACL_METHOD.ROLE_ADMINISTRATOR
|
|
org.alfresco.service.cmr.security.AuthenticationService.authenticationExists=ACL_METHOD.ROLE_ADMINISTRATOR
|
|
org.alfresco.service.cmr.security.AuthenticationService.getCurrentUserName=ACL_ALLOW
|
|
org.alfresco.service.cmr.security.AuthenticationService.invalidateUserSession=ACL_METHOD.ROLE_ADMINISTRATOR
|
|
org.alfresco.service.cmr.security.AuthenticationService.invalidateTicket=ACL_ALLOW
|
|
org.alfresco.service.cmr.security.AuthenticationService.getCurrentTicket=ACL_ALLOW
|
|
org.alfresco.service.cmr.security.AuthenticationService.clearCurrentSecurityContext=ACL_ALLOW
|
|
org.alfresco.service.cmr.security.AuthenticationService.isCurrentUserTheSystemUser=ACL_ALLOW
|
|
</value>
|
|
</property>
|
|
</bean>
|
|
|
|
<!-- =================== -->
|
|
<!-- The Ownable Service -->
|
|
<!-- =================== -->
|
|
|
|
<!-- This service currently has no restrictions. -->
|
|
<!-- TODO: respect the permissions on the ownable service -->
|
|
|
|
<bean id="OwnableService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
|
|
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
|
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
|
|
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
|
|
<property name="objectDefinitionSource">
|
|
<value>
|
|
org.alfresco.service.cmr.security.OwnableService.getOwner=ACL_NODE.0.sys:base.Read
|
|
org.alfresco.service.cmr.security.OwnableService.setOwner=ACL_NODE.0.cm:ownable.SetOwner
|
|
org.alfresco.service.cmr.security.OwnableService.takeOwnership=ACL_NODE.0.cm:ownable.TakeOwnership
|
|
org.alfresco.service.cmr.security.OwnableService.hasOwner=ACL_NODE.0.sys:base.Read
|
|
</value>
|
|
</property>
|
|
</bean>
|
|
|
|
|
|
<!-- Person Service -->
|
|
|
|
<bean id="PersonService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
|
|
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
|
<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
|
|
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
|
|
<property name="objectDefinitionSource">
|
|
<value>
|
|
org.alfresco.service.cmr.security.PersonService.getPerson=AFTER_ACL_NODE.sys:base.Read
|
|
org.alfresco.service.cmr.security.PersonService.personExists=ACL_ALLOW
|
|
org.alfresco.service.cmr.security.PersonService.createMissingPeople=ACL_ALLOW
|
|
org.alfresco.service.cmr.security.PersonService.setCreateMissingPeople=ACL_METHOD.ROLE_ADMINISTRATOR
|
|
org.alfresco.service.cmr.security.PersonService.getMutableProperties=ACL_ALLOW
|
|
org.alfresco.service.cmr.security.PersonService.setPersonProperties=ACL_METHOD.ROLE_ADMINISTRATOR
|
|
org.alfresco.service.cmr.security.PersonService.isMutable=ACL_ALLOW
|
|
org.alfresco.service.cmr.security.PersonService.createPerson=ACL_METHOD.ROLE_ADMINISTRATOR
|
|
org.alfresco.service.cmr.security.PersonService.deletePerson=ACL_METHOD.ROLE_ADMINISTRATOR
|
|
org.alfresco.service.cmr.security.PersonService.getAllPeople=ACL_ALLOW
|
|
org.alfresco.service.cmr.security.PersonService.getPeopleContainer=ACL_ALLOW
|
|
</value>
|
|
</property>
|
|
</bean>
|
|
|
|
<!-- ==================== -->
|
|
<!-- The Template Service -->
|
|
<!-- ==================== -->
|
|
|
|
<!-- This service currently has no restrictions. -->
|
|
|
|
<bean id="TemplateService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor" />
|
|
|
|
<!-- ==================== -->
|
|
<!-- The Script Service -->
|
|
<!-- ==================== -->
|
|
|
|
<!-- This service currently has no restrictions. -->
|
|
|
|
<bean id="ScriptService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor" />
|
|
|
|
<!-- ================ -->
|
|
<!-- Workflow Service -->
|
|
<!-- ================ -->
|
|
|
|
<!-- TODO: Add workflow security -->
|
|
|
|
<bean id="WorkflowService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor" />
|
|
|
|
<!-- ============= -->
|
|
<!-- Audit Service -->
|
|
<!-- ============= -->
|
|
|
|
<!-- TODO: Add audit security -->
|
|
|
|
<bean id="AuditService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor" />
|
|
|
|
</beans> |