-<?xml version="1.0" encoding="UTF-8"?>\r
-<project-shared-configuration>\r
+<?xml version="1.0" encoding="UTF-8"?>
+<project-shared-configuration>
<!--
This file contains additional configuration written by modules in the NetBeans IDE.
The configuration is intended to be shared among all the users of project and
therefore it is assumed to be part of version control checkout.
Without this configuration present, some functionality in the IDE may be limited or fail altogether.
--->\r
- <properties xmlns="http://www.netbeans.org/ns/maven-properties-data/1">\r
+-->
+ <properties xmlns="http://www.netbeans.org/ns/maven-properties-data/1">
<!--
Properties that influence various parts of the IDE, especially code formatting and the like.
You can copy and paste the single properties, into the pom.xml file and the IDE will pick them up.
That way multiple projects can share the same settings (useful for formatting rules for example).
Any value defined here will override the pom.xml file value but is only applicable to the current project.
--->\r
- <org-netbeans-modules-editor-indent.CodeStyle.usedProfile>default</org-netbeans-modules-editor-indent.CodeStyle.usedProfile>\r
- <org-netbeans-modules-editor-indent.CodeStyle.project.tab-size>8</org-netbeans-modules-editor-indent.CodeStyle.project.tab-size>\r
- <org-netbeans-modules-editor-indent.CodeStyle.project.text-limit-width>80</org-netbeans-modules-editor-indent.CodeStyle.project.text-limit-width>\r
- <netbeans.hint.useExternalMaven>false</netbeans.hint.useExternalMaven>\r
- </properties>\r
-</project-shared-configuration>\r
+-->
+ <org-netbeans-modules-editor-indent.CodeStyle.usedProfile>default</org-netbeans-modules-editor-indent.CodeStyle.usedProfile>
+ <org-netbeans-modules-editor-indent.CodeStyle.project.tab-size>8</org-netbeans-modules-editor-indent.CodeStyle.project.tab-size>
+ <org-netbeans-modules-editor-indent.CodeStyle.project.text-limit-width>80</org-netbeans-modules-editor-indent.CodeStyle.project.text-limit-width>
+ </properties>
+</project-shared-configuration>
<properties>\r
<cs.release>0.5</cs.release>\r
<spring.version>3.0.0.RELEASE</spring.version>\r
- <spring.security.version>3.0.1.RELEASE</spring.security.version>\r
+ <spring.security.version>3.0.2.RELEASE</spring.security.version>\r
</properties>\r
\r
<dependencies>\r
<groupId>org.slf4j</groupId>\r
<artifactId>slf4j-log4j12</artifactId>\r
</dependency>\r
+ <!-- somewhere dependency is added 1.5.8 unnecessarily -->\r
+ <dependency>\r
+ <groupId>org.slf4j</groupId>\r
+ <artifactId>slf4j-simple</artifactId>\r
+ <version>1.5.8</version>\r
+ <scope>test</scope>\r
+ </dependency>\r
+ <dependency>\r
+ <groupId>org.slf4j</groupId>\r
+ <artifactId>jcl-over-slf4j</artifactId>\r
+ <version>1.5.8</version>\r
+ <scope>test</scope>\r
+ </dependency>\r
+\r
<dependency>\r
<groupId>log4j</groupId>\r
<artifactId>log4j</artifactId>\r
<scope>provided</scope>\r
</dependency>\r
<!-- CollectionSpace dependencies -->\r
+ <dependency>\r
+ <groupId>org.collectionspace.services</groupId>\r
+ <artifactId>org.collectionspace.services.authorization.service</artifactId>\r
+ <version>${project.version}</version>\r
+ <scope>provided</scope>\r
+ </dependency>\r
<dependency>\r
<groupId>org.collectionspace.services</groupId>\r
<artifactId>org.collectionspace.services.common</artifactId>\r
<scope>provided</scope>\r
</dependency>\r
<dependency>\r
- <groupId>org.springframework.security</groupId>\r
- <artifactId>spring-security-acl</artifactId>\r
- <version>${spring.security.version}</version>\r
+ <groupId>org.springframework</groupId>\r
+ <artifactId>spring-context</artifactId>\r
+ <version>${spring.version}</version>\r
<scope>provided</scope>\r
</dependency>\r
<dependency>\r
<groupId>org.springframework</groupId>\r
- <artifactId>spring-context</artifactId>\r
+ <artifactId>spring-context-support</artifactId>\r
<version>${spring.version}</version>\r
<scope>provided</scope>\r
</dependency>\r
<version>${spring.version}</version>\r
<scope>provided</scope>\r
</dependency>\r
+ <!--dependency>\r
+ <groupId>org.springframework.security</groupId>\r
+ <artifactId>spring-security-acl</artifactId>\r
+ <version>${spring.security.version}</version>\r
+ <scope>provided</scope>\r
+ </dependency>\r
<dependency>\r
<groupId>org.springframework</groupId>\r
- <artifactId>spring-webmvc</artifactId>\r
+ <artifactId>spring-aop</artifactId>\r
<version>${spring.version}</version>\r
<scope>provided</scope>\r
</dependency>\r
+ <dependency>\r
+ <groupId>aopalliance</groupId>\r
+ <artifactId>aopalliance</artifactId>\r
+ <version>1.0</version>\r
+ <scope>provided</scope>\r
+ </dependency>\r
<dependency>\r
<groupId>org.springframework</groupId>\r
- <artifactId>spring-aop</artifactId>\r
+ <artifactId>spring-tx</artifactId>\r
<version>${spring.version}</version>\r
<scope>provided</scope>\r
</dependency>\r
+ <dependency>\r
+ <groupId>net.sf.ehcache</groupId>\r
+ <artifactId>ehcache</artifactId>\r
+ <version>1.6.2</version>\r
+ <optional>true</optional>\r
+ </dependency-->\r
+\r
<!-- javax -->\r
\r
<!-- jboss -->\r
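Review bot: The test-scoped `slf4j-simple` added here lands on the test classpath next to the existing `slf4j-log4j12` binding, so SLF4J sees two bindings and picks one arbitrarily with a warning; keep one binding for tests or exclude the other. The comment `somewhere dependency is added 1.5.8 unnecessarily` does not say which transitive dependency is being overridden or why — something like `<!-- pin slf4j to 1.5.8 so test bindings match the slf4j-api version pulled in transitively -->` would. The thirty-line `<!--dependency>…</dependency-->` block that parks spring-security-acl, spring-aop, aopalliance, spring-tx and ehcache should either be deleted (version control keeps the history) or carry a one-line reason it is retained, since as written it is easy to misread as active dependencies.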
import javax.ws.rs.core.Application;
import java.util.HashSet;
import java.util.Set;
+import org.collectionspace.services.common.security.SecurityInterceptor;
/**
* CollectionSpaceJaxRsApplication, the root application
private Set<Class<?>> empty = new HashSet<Class<?>>();
public CollectionSpaceJaxRsApplication() {
+ singletons.add(new SecurityInterceptor());
singletons.add(new AccountResource());
singletons.add(new CollectionObjectResource());
singletons.add(new IDResource());
<class>org.collectionspace.services.account.AccountTenant</class>
<class>org.collectionspace.services.account.Status</class>
<class>org.collectionspace.services.authentication.User</class>
- <class>org.collectionspace.services.authentication.Role</class>
- <class>org.collectionspace.services.authentication.UserRole</class>
+ <class>org.collectionspace.services.authorization.Role</class>
+ <class>org.collectionspace.services.authorization.UserRole</class>
<properties>
<property name="hibernate.dialect" value="org.hibernate.dialect.MySQLDialect"/>
--- /dev/null
+# To change this template, choose Tools | Templates
+# and open the template in the editor.
+/accounts/**=ROLE_ADMINISTRATOR
\ No newline at end of file
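Review bot: The new `urls.properties` maps `/accounts/**` to `ROLE_ADMINISTRATOR`, but the only consumer visible in this commit, the `cspaceMetadataSource` bean in the security context, is commented out, so this rule is not enforced and `/accounts/**` falls under the catch-all `/**=ROLE_USERS`. Either wire the metadata source or drop the file, so a reader does not assume account management is admin-only. The two NetBeans template lines at the top should be replaced by a description of the format, e.g. `# ant-style URL pattern = required role, consulted by CSpaceSecurityMetadataSource`, and the file should end with a newline.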
spring security namespace for CS service layer
-->
<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:s="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:sec="http://www.springframework.org/schema/security"
+ xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
- http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
- <s:http use-expressions="true" realm="org.collectionspace.services">
- <s:intercept-url pattern="/**" access="permitAll" />
- <s:http-basic />
- <s:logout />
- <s:anonymous enabled="false"/>
- </s:http>
-
- <s:authentication-manager>
- <s:authentication-provider ref="jaasAuthenticationProvider" user-service-ref="userDetailsService"/>
- </s:authentication-manager>
+ http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
+
+ <!--sec:http use-expressions="true" realm="org.collectionspace.services">
+ <sec:http-basic />
+ <sec:logout />
+ <sec:anonymous enabled="false"/>
+ </sec:http-->
+
+ <sec:global-method-security >
+ <sec:expression-handler ref="expressionHandler"/>
+ </sec:global-method-security>
+
+
+ <bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
+ <sec:filter-chain-map path-type="ant">
+ <sec:filter-chain pattern="/**"
+ filters="securityPersistenceFilter,basicAuthenticationFilter,logoutFilter,exTranslationFilter,filterInvocationInterceptor"/>
+ </sec:filter-chain-map>
+ </bean>
+
+ <bean id="securityPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter"/>
+
+ <bean id="basicAuthenticationFilter"
+ class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
+ <property name="authenticationManager" ref="authenticationManager"/>
+ <property name="authenticationEntryPoint" ref="basicAuthenticationEntryPoint"/>
+ </bean>
+
+ <bean id="basicAuthenticationEntryPoint"
+ class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
+ <property name="realmName" value="org.collectionspace.services"/>
+ </bean>
+
+ <bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
+ <constructor-arg value="/"/>
+ <constructor-arg>
+ <list>
+ <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
+ </list>
+ </constructor-arg>
+ </bean>
+
+ <bean id="exTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
+ <property name="authenticationEntryPoint" ref="preAuthenticatedProcessingFilterEntryPoint"/>
+ </bean>
+
+ <bean id="preAuthenticatedProcessingFilterEntryPoint"
+ class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
+
+
+ <sec:authentication-manager alias="authenticationManager">
+ <sec:authentication-provider ref="jaasAuthenticationProvider" user-service-ref="userDetailsService"/>
+ </sec:authentication-manager>
<bean id="jaasAuthenticationProvider"
class="org.springframework.security.authentication.jaas.JaasAuthenticationProvider">
<bean id="userDetailsService" class="org.collectionspace.authentication.spring.CSpaceUserDetailsService">
</bean>
+
+ <bean id="filterInvocationInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
+ <property name="authenticationManager" ref="authenticationManager"/>
+ <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
+ <!--property name="securityMetadataSource" ref="cspaceMetadataSource"/-->
+ <property name="securityMetadataSource">
+ <sec:filter-security-metadata-source>
+ <sec:intercept-url pattern="/**" access="ROLE_USERS"/>
+ </sec:filter-security-metadata-source>
+ </property>
+ </bean>
+
+ <bean id="httpRequestAccessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
+ <property name="allowIfAllAbstainDecisions" value="false"/>
+ <property name="decisionVoters">
+ <list>
+ <ref bean="roleVoter"/>
+ </list>
+ </property>
+ </bean>
+
+ <bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter"/>
+
+ <!--bean id="cspaceMetadataSource" class="org.collectionspace.services.authorization.spring.CSpaceSecurityMetadataSource">
+ <property name="urlProperties">
+ <util:properties location="classpath:urls.properties" />
+ </property>
+ </bean-->
+
</beans>
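Review bot: `<sec:global-method-security >` enables no annotation style, and in Spring Security 3.0 `pre-post-annotations` defaults to disabled, so the `@PreAuthorize` added to AccountResource in this commit is never evaluated; it needs `<sec:global-method-security pre-post-annotations="enabled">`, and `hasPermission(...)` additionally requires a PermissionEvaluator on the `expressionHandler` bean, which is not defined anywhere in this hunk. Separately, `exTranslationFilter` is wired to `Http403ForbiddenEntryPoint`, so a request carrying no credentials is answered 403 with no `WWW-Authenticate` challenge even though Basic is the only authentication mechanism in the chain; `<property name="authenticationEntryPoint" ref="basicAuthenticationEntryPoint"/>` restores the 401 challenge. The bare `SecurityContextPersistenceFilter` also stores the authenticated context in an HttpSession by default, which a credentials-per-request Basic API does not need and which means a captured session cookie keeps working without credentials; consider constructing it with an `HttpSessionSecurityContextRepository` whose `allowSessionCreation` is `false`, or add a comment saying why a session is wanted.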
<url-pattern>/*</url-pattern>
</servlet-mapping>
- <!-- BEGIN-AUTH uncomment the following
- <security-constraint>
- <web-resource-collection>
- <web-resource-name>CollectionSpace Services</web-resource-name>
- <url-pattern>/*</url-pattern>
- </web-resource-collection>
- <auth-constraint>
- <role-name>*</role-name>
- </auth-constraint>
-
- <user-data-constraint>
- <transport-guarantee>NONE</transport-guarantee>
- </user-data-constraint>
- </security-constraint>
-
- <login-config>
- <auth-method>BASIC</auth-method>
- <realm-name>CollectionSpace realm</realm-name>
- </login-config>
- END AUTH -->
- <!--resource-ref>
- <description>DB Connection</description>
- <res-ref-name>jdbc/cspaceds</res-ref-name>
- <res-type>javax.sql.DataSource</res-type>
- <res-auth>Container</res-auth>
- </resource-ref-->
</web-app>
<name>services.account.service</name>\r
<packaging>jar</packaging>\r
\r
+ <properties>\r
+ <spring.security.version>3.0.2.RELEASE</spring.security.version>\r
+ </properties>\r
<dependencies>\r
<dependency>\r
<groupId>org.slf4j</groupId>\r
<artifactId>org.collectionspace.services.authentication.jaxb</artifactId>\r
<version>${project.version}</version>\r
</dependency>\r
+ <dependency>\r
+ <groupId>org.collectionspace.services</groupId>\r
+ <artifactId>org.collectionspace.services.authorization.jaxb</artifactId>\r
+ <version>${project.version}</version>\r
+ </dependency>\r
<dependency>\r
<groupId>org.collectionspace.services</groupId>\r
<artifactId>org.collectionspace.services.account.jaxb</artifactId>\r
<version>1.1.GA</version>\r
</dependency>\r
\r
+ <!-- dependencies on spring security & framework are runtime deps only -->\r
+ <!-- the following list is kept to make sure domain has these packages -->\r
+ <!-- in the cspace/lib directory -->\r
+ <dependency>\r
+ <groupId>org.springframework.security</groupId>\r
+ <artifactId>spring-security-core</artifactId>\r
+ <version>${spring.security.version}</version>\r
+ <scope>provided</scope>\r
+ </dependency>\r
\r
</dependencies>\r
\r
import org.jboss.resteasy.util.HttpResponseCodes;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.springframework.security.access.prepost.PreAuthorize;
@Path("/accounts")
@Consumes("application/xml")
}
@POST
+ @PreAuthorize("hasPermission('account', 'account', 'create')")
public Response createAccount(AccountsCommon input) {
try {
ServiceContext ctx = createServiceContext(input);
MultivaluedMap<String, String> queryParams = ui.getQueryParameters();
DocumentFilter myFilter = handler.createDocumentFilter();
myFilter.setPagination(queryParams);
- myFilter.setQueryParams(queryParams);
+ myFilter.setQueryParams(queryParams);
handler.setDocumentFilter(myFilter);
getStorageClient(ctx).getFiltered(ctx, handler);
accountList = (AccountsCommonList) handler.getCommonPartList();
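Review bot: `@PreAuthorize` on `createAccount` is only enforced if `AccountResource` is a Spring-proxied bean, but this commit registers resources with `singletons.add(new AccountResource())` in CollectionSpaceJaxRsApplication and the new `global-method-security` element does not enable pre/post annotations, so the check is presumably inert unless the new SecurityInterceptor evaluates it itself; a comment on the annotation naming the component that enforces it would make that explicit, e.g. `// enforced by SecurityInterceptor; Spring method security does not proxy RESTEasy singletons`. Only `createAccount` is annotated, so the read, update and delete methods of the resource rely entirely on the `/**`→`ROLE_USERS` URL rule; if that is intentional it deserves a sentence in the class Javadoc. The class begins and continues outside this hunk.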
<!--
CollectionSpace default (security) identity provider schema (XSD)
- Entity(s) : users, roles, users_roles
+ Entity(s) : users
Used for:
$LastChangedRevision: 916 $
</xs:complexType>
</xs:element>
- <xs:element name="role">
- <xs:complexType>
- <xs:annotation>
- <xs:appinfo>
- <hj:entity>
- <orm:table name="roles"/>
- </hj:entity>
- </xs:appinfo>
- </xs:annotation>
- <xs:sequence>
- <xs:element name="rolename" type="xs:string" minOccurs="1" maxOccurs="1">
- <xs:annotation>
- <xs:appinfo>
- <hj:id>
- <orm:column name="rolename" length="200" nullable="false"/>
- </hj:id>
- </xs:appinfo>
- </xs:annotation>
- </xs:element>
- <xs:element name="rolegroup" type="xs:string" minOccurs="1" maxOccurs="1">
- <xs:annotation>
- <xs:appinfo>
- <hj:basic>
- <orm:column name="rolegroup" nullable="false"/>
- </hj:basic>
- </xs:appinfo>
- </xs:annotation>
- </xs:element>
- <xs:element name="createdAt" type="xs:dateTime">
- <xs:annotation>
- <xs:appinfo>
- <hj:basic>
- <orm:column name="created_at" nullable="false"/>
- </hj:basic>
- </xs:appinfo>
- </xs:annotation>
- </xs:element>
- <xs:element name="updatedAt" type="xs:dateTime">
- <xs:annotation>
- <xs:appinfo>
- <hj:basic>
- <orm:column name="updated_at" />
- </hj:basic>
- </xs:appinfo>
- </xs:annotation>
- </xs:element>
- </xs:sequence>
- </xs:complexType>
- </xs:element>
-
- <xs:element name="user_role">
- <xs:complexType>
- <xs:annotation>
- <xs:appinfo>
- <hj:entity>
- <orm:table name="users_roles">
- <orm:unique-constraint>
- <!-- combined length should be < 1000 bytes -->
- <orm:column-name>username</orm:column-name>
- <orm:column-name>rolename</orm:column-name>
- </orm:unique-constraint>
- </orm:table>
- </hj:entity>
- </xs:appinfo>
- </xs:annotation>
- <xs:sequence>
- <xs:element name="username" type="xs:string" minOccurs="1" maxOccurs="1">
- <xs:annotation>
- <xs:appinfo>
- <hj:basic>
- <orm:column name="username" length="128" nullable="false"/>
- </hj:basic>
- </xs:appinfo>
- </xs:annotation>
- </xs:element>
- <xs:element name="rolename" type="xs:string" minOccurs="1" maxOccurs="1">
- <xs:annotation>
- <xs:appinfo>
- <hj:basic>
- <orm:column name="rolename" length="200" nullable="false"/>
- </hj:basic>
- </xs:appinfo>
- </xs:annotation>
- </xs:element>
- <xs:element name="createdAt" type="xs:dateTime">
- <xs:annotation>
- <xs:appinfo>
- <hj:basic>
- <orm:column name="created_at" nullable="false"/>
- </hj:basic>
- </xs:appinfo>
- </xs:annotation>
- </xs:element>
- <xs:element name="updatedAt" type="xs:dateTime">
- <xs:annotation>
- <xs:appinfo>
- <hj:basic>
- <orm:column name="updated_at" />
- </hj:basic>
- </xs:appinfo>
- </xs:annotation>
- </xs:element>
- </xs:sequence>
- </xs:complexType>
- </xs:element>
</xs:schema>
http://java.sun.com/xml/ns/persistence/orm http://java.sun.com/xml/ns/persistence/orm_1_0.xsd" xmlns="http://java.sun.com/xml/ns/persistence" xmlns:orm="http://java.sun.com/xml/ns/persistence/orm" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<persistence-unit name="org.collectionspace.services.authentication">
<class>org.collectionspace.services.authentication.User</class>
- <class>org.collectionspace.services.authentication.Role</class>
- <class>org.collectionspace.services.authentication.UserRole</class>
<properties>
<property name="hibernate.ejb.cfgfile" value="hibernate.cfg.xml"/>
<artifactId>org.collectionspace.services.authentication</artifactId>\r
<name>services.authentication</name>\r
<packaging>pom</packaging>\r
-\r
+ <url>http://www.collectionspace.org</url>\r
<properties>\r
</properties>\r
\r
</dependencies>\r
\r
<build>\r
- <finalName>cspace-services-authentication-client</finalName>\r
+ <finalName>cspace-services-authentication-pstore</finalName>\r
<plugins>\r
<plugin>\r
<artifactId>maven-antrun-plugin</artifactId>\r
-drop table if exists roles;
drop table if exists users;
-drop table if exists users_roles;
-create table roles (rolename varchar(200) not null, created_at datetime not null, rolegroup varchar(255) not null, updated_at datetime, primary key (rolename));
create table users (username varchar(128) not null, created_at datetime not null, passwd varchar(128) not null, updated_at datetime, primary key (username));
-create table users_roles (HJID bigint not null auto_increment, created_at datetime not null, rolename varchar(200) not null, updated_at datetime, username varchar(128) not null, primary key (HJID), unique (username, rolename));
-- You may not use this file except in compliance with this License.
--
use cspace;
-CREATE INDEX index_rolename ON roles (rolegroup);
-CREATE INDEX index_username ON users_roles (username);
-CREATE INDEX index_rolename ON users_roles (rolename);
+
+
use cspace;\r
\r
insert into `users` (`username`,`passwd`, `created_at`) VALUES ('test','n4bQgYhMfWWaL+qgxVrQFaO/TxsrC4Is0V1sFbDwCgg=', '2010-02-17 16:31:48');\r
-\r
-insert into `roles` (`rolename`, `rolegroup`, `created_at`) values ('kernel', 'kernel', '2010-02-17 16:31:48');\r
-insert into `roles` (`rolename`, `rolegroup`, `created_at`) values ('collections_manager', 'collections', '2010-02-17 16:31:48');\r
-insert into `roles` (`rolename`, `rolegroup`, `created_at`) values ('collections_registrar', 'collections', '2010-02-17 16:31:48');\r
-\r
-insert into `users_roles`(`username`, `rolename`, `created_at`) values ('test', 'collections_manager', '2010-02-17 16:31:48');\r
-insert into `users_roles`(`username`, `rolename`, `created_at`) values('admin', 'collections_registrar', '2010-02-17 16:31:48');
\ No newline at end of file
http://java.sun.com/xml/ns/persistence/orm http://java.sun.com/xml/ns/persistence/orm_1_0.xsd" xmlns="http://java.sun.com/xml/ns/persistence" xmlns:orm="http://java.sun.com/xml/ns/persistence/orm" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<persistence-unit name="org.collectionspace.services.authentication">
<class>org.collectionspace.services.authentication.User</class>
- <class>org.collectionspace.services.authentication.Role</class>
- <class>org.collectionspace.services.authentication.UserRole</class>
<properties>
<property name="hibernate.ejb.cfgfile" value="hibernate.cfg.xml"/>
<!-- <jboss.version>4.2.3.GA</jboss.version>
<jboss.ejb.version>3.0</jboss.ejb.version>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> -->
- <spring.security.version>3.0.1.RELEASE</spring.security.version>
+ <spring.security.version>3.0.2.RELEASE</spring.security.version>
</properties>
<dependencies>
- <!-- keep slf4j dependencies on the top -->
+
+ <!-- slf4j not available due to classloading issues running in system classpath -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<artifactId>commons-logging</artifactId>
<version>1.1.1</version>
</dependency>
+ <dependency>
+ <groupId>log4j</groupId>
+ <artifactId>log4j</artifactId>
+ <version>1.2.14</version>
+ <scope>provided</scope>
+ </dependency>
+ <!-- utilities -->
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
--- /dev/null
+/**
+ * This document is a part of the source code and related artifacts
+ * for CollectionSpace, an open source collections management system
+ * for museums and related institutions:
+
+ * http://www.collectionspace.org
+ * http://wiki.collectionspace.org
+
+ * Copyright 2009 University of California at Berkeley
+
+ * Licensed under the Educational Community License (ECL), Version 2.0.
+ * You may not use this file except in compliance with this License.
+
+ * You may obtain a copy of the ECL 2.0 License at
+
+ * https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *//**
+ * This document is a part of the source code and related artifacts
+ * for CollectionSpace, an open source collections management system
+ * for museums and related institutions:
+
+ * http://www.collectionspace.org
+ * http://wiki.collectionspace.org
+
+ * Copyright 2009 University of California at Berkeley
+
+ * Licensed under the Educational Community License (ECL), Version 2.0.
+ * You may not use this file except in compliance with this License.
+
+ * You may obtain a copy of the ECL 2.0 License at
+
+ * https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/*
+ * To change this template, choose Tools | Templates
+ * and open the template in the editor.
+ */
+
+package org.collectionspace.authentication;
+
+import org.collectionspace.authentication.spring.SpringSecurityContextUtils;
+
+/**
+ * AuthN is a singleton to access various authentication related utilities
+ * accessed by services runtime
+ * @author
+ */
+public class AuthN {
+ /**
+ * volatile is used here to assume about ordering (post JDK 1.5)
+ */
+ private static volatile AuthN self = new AuthN();
+ private SecurityContextUtils securityContextUtils;
+
+ private AuthN() {
+ //hardcoded initialization of a provider
+ //FIXME initialize with the help of configuration meta data
+ securityContextUtils = new SpringSecurityContextUtils();
+ }
+
+ public final static AuthN get() {
+ return self;
+ }
+
+ /**
+ * getAuthn returns authentication utilities
+ * @return
+ */
+ public SecurityContextUtils getSecurityContextUtils() {
+ return securityContextUtils;
+ }
+
+ /**
+ * getUserId returns authenticated user's id (principal name)
+ * @return
+ */
+ public String getUserId() {
+ return securityContextUtils.getUserId();
+ }
+ /**
+ * getTenantIds returns a list of tenant ids the user is associated with
+ * @return
+ */
+ public String[] getTenantIds() {
+ return securityContextUtils.getTenantIds();
+ }
+
+}
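Review bot: `self` is declared `private static volatile` with a comment saying volatile is "used here to assume about ordering", but the field is assigned once in the static initialiser and never reassigned, and class initialisation already publishes it safely; `private static final AuthN self = new AuthN();` states the intent and lets the misleading comment go. The file carries the license header twice, joined as `*//**`, and the `@author` and `@return` tags are empty. Because `AuthN.get()` is a process-wide singleton that services will consult for the caller's identity, the Javadoc on `getUserId()` should say whether it can return null when no caller is authenticated — that depends on SpringSecurityContextUtils, which is not visible here.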
private static final long serialVersionUID = 1L;
private String name;
private String id;
- private HashMap members = new HashMap(3);
+ private HashMap<Principal, Principal> members = new HashMap<Principal, Principal>();
public CSpaceTenant(String name, String id) {
if(name == null || id == null) {
--- /dev/null
+/**
+ * This document is a part of the source code and related artifacts
+ * for CollectionSpace, an open source collections management system
+ * for museums and related institutions:
+
+ * http://www.collectionspace.org
+ * http://wiki.collectionspace.org
+
+ * Copyright 2009 University of California at Berkeley
+
+ * Licensed under the Educational Community License (ECL), Version 2.0.
+ * You may not use this file except in compliance with this License.
+
+ * You may obtain a copy of the ECL 2.0 License at
+
+ * https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *//**
+ * This document is a part of the source code and related artifacts
+ * for CollectionSpace, an open source collections management system
+ * for museums and related institutions:
+
+ * http://www.collectionspace.org
+ * http://wiki.collectionspace.org
+
+ * Copyright 2009 University of California at Berkeley
+
+ * Licensed under the Educational Community License (ECL), Version 2.0.
+ * You may not use this file except in compliance with this License.
+
+ * You may obtain a copy of the ECL 2.0 License at
+
+ * https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/*
+ * To change this template, choose Tools | Templates
+ * and open the template in the editor.
+ */
+
+package org.collectionspace.authentication;
+
+/**
+ * Utilities to be used by Services runtime to interface with authentication service
+ * @author
+ */
+public abstract class SecurityContextUtils {
+
+ /**
+ * getUserId returns authenticated user id
+ * @return
+ */
+ public abstract String getUserId();
+
+ /**
+ * get tenant ids associated with the security context
+ * @return
+ */
+ public abstract String[] getTenantIds();
+}
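Review bot: `SecurityContextUtils` declares only abstract methods and no state, so a Java `interface` expresses the contract more directly and does not consume the single superclass slot of implementations; if the abstract class is deliberate (room for shared helpers later), one sentence in the class Javadoc saying so would stop the next reader from converting it. The license header is duplicated (`*//**`), the `@return` tags are empty, and the Javadoc should state whether `getUserId()` and `getTenantIds()` may return null or an empty array for an unauthenticated caller, since AuthN forwards them unchecked.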
* To change this template, choose Tools | Templates
* and open the template in the editor.
*/
-
package org.collectionspace.authentication.spring;
+
import java.security.Principal;
+import java.security.acl.Group;
+import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import org.springframework.security.authentication.jaas.AuthorityGranter;
/**
- *
+ * CSpaceAuthorityGranter maps a given prinicpal to role names
* @author
*/
public class CSpaceAuthorityGranter implements AuthorityGranter {
-
- public Set<String> grant(Principal principal) {
- Set<String> rtnSet = new HashSet<String>();
-
- return rtnSet;
+ public Set<String> grant(Principal principal) {
+ Set<String> authorities = new HashSet<String>();
+ if (principal instanceof Group) {
+ Group g = (Group) principal;
+ Enumeration members = g.members();
+ while (members.hasMoreElements()) {
+ Principal p = (Principal) members.nextElement();
+ authorities.add(p.getName());
+ }
+ } else {
+ authorities.add(principal.getName());
+ }
+ return authorities;
}
}
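Review bot: The `else` branch of `grant` turns the name of any non-Group principal into a granted authority, and JaasAuthenticationProvider calls every AuthorityGranter for every principal in the authenticated Subject, including the user's own identity principal; a user whose username is `ROLE_USERS` (the role the new filter chain requires for `/**`) would therefore grant that role to themselves. Only Group principals carry role membership, so the fallback should return nothing, and a null member name should be skipped rather than added to the set. Whether only a specific group (e.g. a JBoss-style `Roles` group) should be mapped depends on the JAAS login module configured, which is not visible here, so that check is left as a follow-up. Typing the enumeration as `Enumeration<? extends Principal>` also removes the unchecked cast.
```java
public Set<String> grant(Principal principal) {
    Set<String> authorities = new HashSet<String>();
    // Only a Group carries role membership; a plain user principal must not
    // become an authority, or a username could double as a role name.
    if (principal instanceof Group) {
        Enumeration<? extends Principal> members = ((Group) principal).members();
        while (members.hasMoreElements()) {
            String name = members.nextElement().getName();
            if (name != null) {
                authorities.add(name);
            }
        }
    }
    return authorities;
}
```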
/**
* A CollectionSpace UserDetailsService for spring
+ * mockup code to cheat spring config reader...not used by Spring JaasAuthenticationProvider
*/
//FIXME remove test/mockup code
public class CSpaceUserDetailsService implements UserDetailsService {
public CSpaceUserDetailsService() {
users.put("test", new User("test", "", true, true, true, true, auths));
- users.put("valid", new User("valid", "", true, true, true, true, auths));
- users.put("locked", new User("locked", "", true, true, true, false, auths));
- users.put("disabled", new User("disabled", "", false, true, true, true, auths));
- users.put("credentialsExpired", new User("credentialsExpired", "", true, true, false, true, auths));
- users.put("expired", new User("expired", "", true, false, true, true, auths));
}
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
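Review bot: The new class comment at L760 asserts that this service is not used by the JAAS provider, yet the hard-coded `test` account with what appears to be an empty password string at L765 is kept, so any Spring configuration that does wire this bean gets a ready-made credential. If the class must remain to satisfy the config reader, make `loadUserByUsername` throw `UsernameNotFoundException` unconditionally instead of serving seeded users, and turn the bare `//FIXME remove test/mockup code` at L762 into a reference to the ticket that tracks its removal. `loadUserByUsername` continues outside the hunk, so its current behaviour cannot be confirmed from here.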
--- /dev/null
+/**
+ * This document is a part of the source code and related artifacts
+ * for CollectionSpace, an open source collections management system
+ * for museums and related institutions:
+
+ * http://www.collectionspace.org
+ * http://wiki.collectionspace.org
+
+ * Copyright 2009 University of California at Berkeley
+
+ * Licensed under the Educational Community License (ECL), Version 2.0.
+ * You may not use this file except in compliance with this License.
+
+ * You may obtain a copy of the ECL 2.0 License at
+
+ * https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *//**
+ * This document is a part of the source code and related artifacts
+ * for CollectionSpace, an open source collections management system
+ * for museums and related institutions:
+
+ * http://www.collectionspace.org
+ * http://wiki.collectionspace.org
+
+ * Copyright 2009 University of California at Berkeley
+
+ * Licensed under the Educational Community License (ECL), Version 2.0.
+ * You may not use this file except in compliance with this License.
+
+ * You may obtain a copy of the ECL 2.0 License at
+
+ * https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/*
+ * To change this template, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package org.collectionspace.authentication.spring;
+
+import java.security.acl.Group;
+import java.util.ArrayList;
+import java.util.Enumeration;
+import java.util.Set;
+import javax.security.auth.Subject;
+import org.collectionspace.authentication.SecurityContextUtils;
+import org.collectionspace.authentication.CSpaceTenant;
+import org.springframework.security.authentication.jaas.JaasAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+
+/**
+ * SpringSecurityContextUtils provides utilities to CSpace services runtime
+ * @author
+ */
+final public class SpringSecurityContextUtils extends SecurityContextUtils {
+ //private static final String SUBJECT_CONTEXT_KEY = "javax.security.auth.Subject.container";
+
+ public String getUserId() {
+ Authentication authToken = SecurityContextHolder.getContext().getAuthentication();
+ return authToken.getName();
+ }
+
+ /**
+ * retrieve tenant ids from Jaas LoginContext
+ * @return
+ */
+ @Override
+ public String[] getTenantIds() {
+
+ ArrayList<String> tenants = new ArrayList<String>();
+ Subject caller = null;
+ Authentication authToken = SecurityContextHolder.getContext().getAuthentication();
+ JaasAuthenticationToken jaasToken = null;
+ if (authToken instanceof JaasAuthenticationToken) {
+ jaasToken = (JaasAuthenticationToken) authToken;
+ caller = (Subject) jaasToken.getLoginContext().getSubject();
+ }
+ //caller = (Subject) PolicyContext.getContext(SUBJECT_CONTEXT_KEY);
+ if (caller == null) {
+ String msg = "security not enabled!";
+ //TODO: find out why subject is not null
+ //FIXME: if logger is loaded when authn comes up, use it
+ //logger.warn(msg);
+ System.err.println(msg);
+ return tenants.toArray(new String[0]);
+ }
+ Set<Group> groups = null;
+ groups = caller.getPrincipals(Group.class);
+ if (groups != null && groups.size() == 0) {
+ String msg = "no role(s)/tenant(s) found!";
+ //TODO: find out why no roles / tenants found
+ //FIXME: if logger is loaded when authn comes up, use it
+ //logger.warn(msg);
+ System.err.println(msg);
+ return tenants.toArray(new String[0]);
+ }
+ for (Group g : groups) {
+ if ("Tenants".equals(g.getName())) {
+ Enumeration members = g.members();
+ while (members.hasMoreElements()) {
+ CSpaceTenant tenant = (CSpaceTenant) members.nextElement();
+ tenants.add(tenant.getId());
+ //FIXME: if logger is loaded when authn comes up, use it
+// if (logger.isDebugEnabled()) {
+// logger.debug("found tenant id=" + tenant.getId()
+// + " name=" + tenant.getName());
+// }
+ }
+ }
+ }
+ return tenants.toArray(new String[0]);
+ }
+}
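Review bot: `getUserId()` at L843-L846 dereferences the `Authentication` taken from `SecurityContextHolder` without a null check, so a call outside an authenticated request fails with a bare NullPointerException; add `if (authToken == null) throw new IllegalStateException("no authentication in security context");` and mark the method `@Override` like `getTenantIds()`. `getTenantIds()` has the opposite problem: when no Subject is found (L864-L871) or no groups exist (L874-L881) it prints to stderr and returns an empty array, which a caller that treats "no tenants" as "no restriction" would read as fail-open, so either throw there as well or document in the Javadoc at L848-L851 that an empty result means "unresolved", never "unrestricted". The cast at L886 also assumes every member of the `Tenants` group is a `CSpaceTenant`; an `instanceof` guard that logs and skips the stray principal is safer than a ClassCastException caused by a misconfigured login module.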
--- /dev/null
+\r
+<project name="authorization" default="package" basedir=".">\r
+ <description>\r
+ authorization service\r
+ </description>\r
+ <!-- set global properties for this build -->\r
+ <property name="services.trunk" value="../.."/>\r
+ <!-- enviornment should be declared before reading build.properties -->\r
+ <property environment="env" />\r
+ <property file="${services.trunk}/build.properties" />\r
+ <property name="mvn.opts" value="" />\r
+ <property name="src" location="src"/>\r
+ <property name="build" location="build"/>\r
+\r
+ <condition property="osfamily-unix">\r
+ <os family="unix" />\r
+ </condition>\r
+ <condition property="osfamily-windows">\r
+ <os family="windows" />\r
+ </condition>\r
+\r
+ <target name="package" depends="package-unix,package-windows"\r
+ description="Package CollectionSpace Services" />\r
+\r
+ <target name="package-unix" if="osfamily-unix">\r
+ <exec executable="mvn" failonerror="true">\r
+ <arg value="package" />\r
+ <arg value="-Dmaven.test.skip=true" />\r
+ <arg value="-f" />\r
+ <arg value="${basedir}/pom.xml" />\r
+ <arg value="-N" />\r
+ <arg value="${mvn.opts}" />\r
+ </exec>\r
+ </target>\r
+\r
+ <target name="package-windows" if="osfamily-windows">\r
+ <exec executable="cmd" failonerror="true">\r
+ <arg value="/c" />\r
+ <arg value="mvn.bat" />\r
+ <arg value="package" />\r
+ <arg value="-Dmaven.test.skip=true" />\r
+ <arg value="-f" />\r
+ <arg value="${basedir}/pom.xml" />\r
+ <arg value="-N" />\r
+ <arg value="${mvn.opts}" />\r
+ </exec>\r
+ </target>\r
+\r
+\r
+ <target name="install" depends="install-unix,install-windows"\r
+ description="Install" />\r
+ <target name="install-unix" if="osfamily-unix">\r
+ <exec executable="mvn" failonerror="true">\r
+ <arg value="install" />\r
+ <arg value="-Dmaven.test.skip=true" />\r
+ <arg value="-f" />\r
+ <arg value="${basedir}/pom.xml" />\r
+ <arg value="-N" />\r
+ <arg value="${mvn.opts}" />\r
+ </exec>\r
+ </target>\r
+ <target name="install-windows" if="osfamily-windows">\r
+ <exec executable="cmd" failonerror="true">\r
+ <arg value="/c" />\r
+ <arg value="mvn.bat" />\r
+ <arg value="install" />\r
+ <arg value="-Dmaven.test.skip=true" />\r
+ <arg value="-f" />\r
+ <arg value="${basedir}/pom.xml" />\r
+ <arg value="-N" />\r
+ <arg value="${mvn.opts}" />\r
+ </exec>\r
+ </target>\r
+\r
+ <target name="clean" depends="clean-unix,clean-windows"\r
+ description="Delete target directories" >\r
+ <delete dir="${build}"/>\r
+ </target>\r
+ <target name="clean-unix" if="osfamily-unix">\r
+ <exec executable="mvn" failonerror="true">\r
+ <arg value="clean" />\r
+ <arg value="${mvn.opts}" />\r
+ </exec>\r
+ </target>\r
+ <target name="clean-windows" if="osfamily-windows">\r
+ <exec executable="cmd" failonerror="true">\r
+ <arg value="/c" />\r
+ <arg value="mvn.bat" />\r
+ <arg value="clean" />\r
+ <arg value="${mvn.opts}" />\r
+ </exec>\r
+ </target>\r
+\r
+ <target name="test" depends="test-unix,test-windows" description="Run tests" />\r
+ <target name="test-unix" if="osfamily-unix">\r
+ <exec executable="mvn" failonerror="true">\r
+ <arg value="test" />\r
+ <arg value="${mvn.opts}" />\r
+ </exec>\r
+ </target>\r
+ <target name="test-windows" if="osfamily-windows">\r
+ <exec executable="cmd" failonerror="true">\r
+ <arg value="/c" />\r
+ <arg value="mvn.bat" />\r
+ <arg value="test" />\r
+ <arg value="${mvn.opts}" />\r
+ </exec>\r
+ </target>\r
+\r
+ <target name="gen_ddl"\r
+ description="generate service-specific tables(s), indices, etc.">\r
+ <ant antfile="pstore/build.xml" target="gen_ddl" inheritAll="false"/>\r
+ </target>\r
+\r
+ <target name="create_db"\r
+ description="create tables(s), indices for authorization service">\r
+ <ant antfile="pstore/build.xml" target="create_db" inheritAll="false"/>\r
+ </target>\r
+\r
+ <target name="deploy" depends="install"\r
+ description="deploy authorization service">\r
+ <ant antfile="pstore/build.xml" target="deploy" inheritAll="false"/>\r
+ <ant antfile="service/build.xml" target="deploy" inheritall="false"/>\r
+ </target>\r
+\r
+ <target name="undeploy"\r
+ description="undeploy authorization service">\r
+ <ant antfile="pstore/build.xml" target="undeploy" inheritAll="false"/>\r
+ <ant antfile="service/build.xml" target="undeploy" inheritall="false"/>\r
+ </target>\r
+\r
+ <target name="dist" depends="package"\r
+ description="distribute authorization service}">\r
+ <!--ant antfile="pstore/build.xml" target="dist" inheritall="false"/-->\r
+ <ant antfile="service/build.xml" target="dist" inheritall="false"/>\r
+ </target>\r
+\r
+</project>\r
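Review bot: Every `exec` passes `<arg value="${mvn.opts}" />` (L931, L958, L981, L997 and the Windows twins), and because `mvn.opts` defaults to the empty string at L910 this hands Maven a literal empty argument, which it may reject as an empty goal, while a value holding several options would be passed as one token; `<arg line="${mvn.opts}"/>` is the Ant form that splits on whitespace and contributes nothing when empty. `-Dmaven.test.skip=true` is also hard-wired into both `package` and `install`, so tests only ever run through the separate `test` target; a one-line comment stating that this is intentional would stop the next reader from treating it as an oversight.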
--- /dev/null
+<?xml version="1.0" encoding="UTF-8"?>\r
+<classpath>\r
+ <classpathentry kind="src" output="target/classes" path="src/main/java"/>\r
+ <classpathentry kind="src" output="target/classes" path="target/generated-sources/xjc"/>\r
+ <classpathentry excluding="**" kind="src" output="target/classes" path="src/main/resources"/>\r
+ <classpathentry kind="src" output="target/test-classes" path="src/test/java"/>\r
+ <classpathentry excluding="**" kind="src" output="target/test-classes" path="src/test/resources"/>\r
+ <classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER/org.eclipse.jdt.internal.debug.ui.launcher.StandardVMType/JavaSE-1.6"/>\r
+ <classpathentry kind="con" path="org.maven.ide.eclipse.MAVEN2_CLASSPATH_CONTAINER"/>\r
+ <classpathentry kind="output" path="target/classes"/>\r
+</classpath>\r
--- /dev/null
+<?xml version="1.0" encoding="UTF-8"?>\r
+<projectDescription>\r
+ <name>org.collectionspace.services.authorization.jaxb</name>\r
+ <comment></comment>\r
+ <projects>\r
+ </projects>\r
+ <buildSpec>\r
+ <buildCommand>\r
+ <name>org.eclipse.jdt.core.javabuilder</name>\r
+ <arguments>\r
+ </arguments>\r
+ </buildCommand>\r
+ <buildCommand>\r
+ <name>org.maven.ide.eclipse.maven2Builder</name>\r
+ <arguments>\r
+ </arguments>\r
+ </buildCommand>\r
+ </buildSpec>\r
+ <natures>\r
+ <nature>org.eclipse.jdt.core.javanature</nature>\r
+ <nature>org.maven.ide.eclipse.maven2Nature</nature>\r
+ </natures>\r
+</projectDescription>\r
--- /dev/null
+#Mon Nov 23 11:54:01 PST 2009\r
+eclipse.preferences.version=1\r
+org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.6\r
+org.eclipse.jdt.core.compiler.compliance=1.6\r
+org.eclipse.jdt.core.compiler.source=1.6\r
--- /dev/null
+#Mon Nov 23 11:53:49 PST 2009\r
+activeProfiles=\r
+eclipse.preferences.version=1\r
+fullBuildGoals=process-test-resources\r
+includeModules=false\r
+resolveWorkspaceProjects=true\r
+resourceFilterGoals=process-resources resources\:testResources\r
+skipCompilerPlugin=true\r
+version=1\r
--- /dev/null
+<?xml version="1.0" encoding="UTF-8"?>\r
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">\r
+\r
+ <parent>\r
+ <artifactId>org.collectionspace.services.authorization</artifactId>\r
+ <groupId>org.collectionspace.services</groupId>\r
+ <version>0.6-SNAPSHOT</version>\r
+ </parent>\r
+\r
+ <modelVersion>4.0.0</modelVersion>\r
+ <groupId>org.collectionspace.services</groupId>\r
+ <artifactId>org.collectionspace.services.authorization.jaxb</artifactId>\r
+ <name>services.authorization.jaxb</name>\r
+ <properties>\r
+ </properties>\r
+ <dependencies>\r
+ <!-- keep slf4j dependencies on the top -->\r
+ <dependency>\r
+ <groupId>org.slf4j</groupId>\r
+ <artifactId>slf4j-api</artifactId>\r
+ <scope>test</scope>\r
+ </dependency>\r
+ <dependency>\r
+ <groupId>org.slf4j</groupId>\r
+ <artifactId>slf4j-log4j12</artifactId>\r
+ <scope>test</scope>\r
+ </dependency>\r
+ <dependency>\r
+ <groupId>com.sun.xml.bind</groupId>\r
+ <artifactId>jaxb-impl</artifactId>\r
+ </dependency>\r
+ <dependency>\r
+ <groupId>org.jvnet.jaxb2-commons</groupId>\r
+ <artifactId>property-listener-injector</artifactId>\r
+ </dependency>\r
+ <dependency>\r
+ <groupId>org.jvnet.jaxb2_commons</groupId>\r
+ <artifactId>runtime</artifactId>\r
+ </dependency>\r
+\r
+ <dependency>\r
+ <groupId>mysql</groupId>\r
+ <artifactId>mysql-connector-java</artifactId>\r
+ </dependency>\r
+\r
+ <dependency>\r
+ <groupId>javax.persistence</groupId>\r
+ <artifactId>persistence-api</artifactId>\r
+ </dependency>\r
+ <dependency>\r
+ <groupId>org.hibernate</groupId>\r
+ <artifactId>hibernate-entitymanager</artifactId>\r
+ </dependency>\r
+ <dependency>\r
+ <groupId>org.jvnet.hyperjaxb3</groupId>\r
+ <artifactId>hyperjaxb3-ejb-runtime</artifactId>\r
+ </dependency>\r
+ <dependency>\r
+ <groupId>org.testng</groupId>\r
+ <artifactId>testng</artifactId>\r
+ <version>5.6</version>\r
+ </dependency>\r
+ </dependencies>\r
+\r
+ <build>\r
+ <finalName>collectionspace-services-authorization-jaxb</finalName>\r
+ <defaultGoal>install</defaultGoal>\r
+ <plugins>\r
+ <plugin>\r
+ <!-- maven-hyperjaxb3-plugin generates jaxb + jpa bindings -->\r
+ <groupId>org.jvnet.hyperjaxb3</groupId>\r
+ <artifactId>maven-hyperjaxb3-plugin</artifactId>\r
+ <executions>\r
+ <execution>\r
+ <goals>\r
+ <goal>generate</goal>\r
+ </goals>\r
+ </execution>\r
+ </executions>\r
+ <configuration>\r
+ <extension>true</extension>\r
+ <jdk5>true</jdk5>\r
+ <ejb3>false</ejb3>\r
+ </configuration>\r
+ </plugin>\r
+ <plugin>\r
+ <artifactId>maven-compiler-plugin</artifactId>\r
+ <configuration>\r
+ <source>1.6</source>\r
+ <target>1.6</target>\r
+ </configuration>\r
+ </plugin>\r
+\r
+ </plugins>\r
+ </build>\r
+\r
+</project>\r
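Review bot: The `testng` dependency at L1148-L1152 has no `<scope>test</scope>`, unlike the slf4j entries at L1108-L1117, so the test framework and its transitive tree land on the compile and runtime classpath of a binding artifact that other modules depend on. `mysql-connector-java` at L1131-L1134 raises the same question: nothing in the generated JAXB/JPA bindings appears to need a JDBC driver at compile time, so it looks like it belongs in the pstore module or at `runtime` scope. Pinning `testng` to `5.6` here while every other version is inherited also bypasses the parent's dependency management; drop the `<version>` unless there is a reason for the override.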
--- /dev/null
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+
+<!--
+ CollectionSpace default (security) authorization provider schema (XSD)
+
+ Entity(s) : roles, users_roles
+ Used for:
+
+ $LastChangedRevision: 916 $
+ $LastChangedDate: 2009-11-05 16:59:20 -0800 (Thu, 05 Nov 2009) $
+-->
+
+<xs:schema
+ xmlns:xs="http://www.w3.org/2001/XMLSchema"
+ xmlns:jaxb="http://java.sun.com/xml/ns/jaxb"
+ xmlns:hj="http://hyperjaxb3.jvnet.org/ejb/schemas/customizations"
+ xmlns:orm="http://java.sun.com/xml/ns/persistence/orm"
+ xmlns:ns="http://collectionspace.org/services/authorization"
+ xmlns="http://collectionspace.org/services/authorization"
+ targetNamespace="http://collectionspace.org/services/authorization"
+ version="0.1"
+ jaxb:extensionBindingPrefixes="hj orm"
+ >
+
+ <!--
+ Avoid XmlRootElement nightmare:
+ See http://weblogs.java.net/blog/kohsuke/archive/2006/03/why_does_jaxb_p.html
+-->
+<!--
+ Notes for MySQL
+ MySQL puts key length limit of 1000 bytes
+ username - rolename constraint should be within 1000 bytes
+ hbm2ddl makes column length >= 256 as long text, such as column cannot be used
+ in defining a key (pk, fk or constraint)
+-->
+ <xs:element name="role">
+ <xs:complexType>
+ <xs:annotation>
+ <xs:documentation>Role definition in CollectionSpace</xs:documentation>
+ <xs:appinfo>
+ <hj:entity>
+ <orm:table name="roles"/>
+ </hj:entity>
+ </xs:appinfo>
+ </xs:annotation>
+ <xs:sequence>
+ <xs:element name="rolename" type="xs:string" minOccurs="1" maxOccurs="1">
+ <xs:annotation>
+ <xs:appinfo>
+ <hj:id>
+ <orm:column name="rolename" length="200" nullable="false"/>
+ </hj:id>
+ </xs:appinfo>
+ </xs:annotation>
+ </xs:element>
+ <xs:element name="rolegroup" type="xs:string" minOccurs="1" maxOccurs="1">
+ <xs:annotation>
+ <xs:appinfo>
+ <hj:basic>
+ <orm:column name="rolegroup" nullable="false"/>
+ </hj:basic>
+ </xs:appinfo>
+ </xs:annotation>
+ </xs:element>
+ <xs:element name="createdAt" type="xs:dateTime">
+ <xs:annotation>
+ <xs:appinfo>
+ <hj:basic>
+ <orm:column name="created_at" nullable="false"/>
+ </hj:basic>
+ </xs:appinfo>
+ </xs:annotation>
+ </xs:element>
+ <xs:element name="updatedAt" type="xs:dateTime">
+ <xs:annotation>
+ <xs:appinfo>
+ <hj:basic>
+ <orm:column name="updated_at" />
+ </hj:basic>
+ </xs:appinfo>
+ </xs:annotation>
+ </xs:element>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+
+ <xs:element name="user_role">
+ <xs:complexType>
+ <xs:annotation>
+ <xs:documentation>UserRole defines association between user and role in CollectionSpace</xs:documentation>
+ <xs:appinfo>
+ <hj:entity>
+ <orm:table name="users_roles">
+ <orm:unique-constraint>
+ <!-- combined length should be < 1000 bytes -->
+ <orm:column-name>username</orm:column-name>
+ <orm:column-name>rolename</orm:column-name>
+ </orm:unique-constraint>
+ </orm:table>
+ </hj:entity>
+ </xs:appinfo>
+ </xs:annotation>
+ <xs:sequence>
+ <xs:element name="username" type="xs:string" minOccurs="1" maxOccurs="1">
+ <xs:annotation>
+ <xs:appinfo>
+ <hj:basic>
+ <orm:column name="username" length="128" nullable="false"/>
+ </hj:basic>
+ </xs:appinfo>
+ </xs:annotation>
+ </xs:element>
+ <xs:element name="rolename" type="xs:string" minOccurs="1" maxOccurs="1">
+ <xs:annotation>
+ <xs:appinfo>
+ <hj:basic>
+ <orm:column name="rolename" length="200" nullable="false"/>
+ </hj:basic>
+ </xs:appinfo>
+ </xs:annotation>
+ </xs:element>
+ <xs:element name="createdAt" type="xs:dateTime">
+ <xs:annotation>
+ <xs:appinfo>
+ <hj:basic>
+ <orm:column name="created_at" nullable="false"/>
+ </hj:basic>
+ </xs:appinfo>
+ </xs:annotation>
+ </xs:element>
+ <xs:element name="updatedAt" type="xs:dateTime">
+ <xs:annotation>
+ <xs:appinfo>
+ <hj:basic>
+ <orm:column name="updated_at" />
+ </hj:basic>
+ </xs:appinfo>
+ </xs:annotation>
+ </xs:element>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+
+ <xs:element name="permission_config_list">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:annotation>
+ <xs:documentation>permission configuration list</xs:documentation>
+ </xs:annotation>
+ <xs:element name="permission" type="permission_config" minOccurs="1" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+
+
+ <xs:complexType name="permission_config">
+ <xs:annotation>
+ <xs:documentation>CspacePermissionConfig describes permission in CollectionSpace</xs:documentation>
+ <xs:appinfo>
+ <hj:ignored/>
+ </xs:appinfo>
+ </xs:annotation>
+ <xs:sequence>
+ <xs:annotation>
+ <xs:documentation>
+ resourceName could be a servicename or a servicename#attribute
+ </xs:documentation>
+ </xs:annotation>
+ <xs:element name="resourceName" type="xs:string" minOccurs="1" maxOccurs="1"/>
+ <xs:element name="action" type="ActionType" minOccurs="1" maxOccurs="unbounded"/>
+ <xs:element name="role" type="xs:string" minOccurs="1" maxOccurs="unbounded"/>
+ <xs:element name="user" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
+ <xs:element name="effect" type="EffectType" minOccurs="1" maxOccurs="1"/>
+ </xs:sequence>
+ </xs:complexType>
+
+
+ <xs:simpleType name = "ActionType">
+ <xs:annotation>
+ <xs:documentation>Action describes the actions that coudl be taken</xs:documentation>
+ </xs:annotation>
+ <xs:restriction base = "xs:string">
+ <xs:enumeration value = "CREATE"/>
+ <xs:enumeration value = "READ"/>
+ <xs:enumeration value = "UPDATE"/>
+ <xs:enumeration value = "DELETE"/>
+ <xs:enumeration value = "SEARCH"/>
+ <xs:enumeration value = "START"/>
+ <xs:enumeration value = "STOP"/>
+ <xs:enumeration value = "RUN"/>
+ <xs:enumeration value = "ADMIN"/>
+ </xs:restriction>
+ </xs:simpleType>
+
+ <xs:simpleType name = "EffectType">
+ <xs:annotation>
+ <xs:documentation>EffectType describes the effect of access control</xs:documentation>
+ </xs:annotation>
+ <xs:restriction base = "xs:string">
+ <xs:enumeration value = "PERMIT"/>
+ <xs:enumeration value = "DENY"/>
+ </xs:restriction>
+ </xs:simpleType>
+
+</xs:schema>
+
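Review bot: `users_roles.rolename` (L1301-L1309) is a plain column with no relationship to `roles.rolename` (L1235-L1243), so nothing prevents a user being linked to a role that does not exist, or a role being deleted while assignments still reference it; an `hj:many-to-one` customization (if the hyperjaxb3 version in use supports it) or at least a foreign key in the generated DDL script would make the authorization data referentially sound. The `permission_config` type (L1344-L1363) allows several `role` and `user` entries per permission and a single `effect` of PERMIT or DENY, but the schema says nothing about how overlapping PERMIT and DENY entries for the same resource resolve; add a documentation line such as `DENY takes precedence over PERMIT when both match a subject` (or whatever the evaluator actually does) so implementers do not have to guess.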
--- /dev/null
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<persistence version="1.0" xsi:schemaLocation="http://java.sun.com/xml/ns/persistence http://java.sun.com/xml/ns/persistence/persistence_1_0.xsd
+http://java.sun.com/xml/ns/persistence/orm http://java.sun.com/xml/ns/persistence/orm_1_0.xsd" xmlns="http://java.sun.com/xml/ns/persistence" xmlns:orm="http://java.sun.com/xml/ns/persistence/orm" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <persistence-unit name="org.collectionspace.services.authorization">
+ <class>org.collectionspace.services.authorization.Role</class>
+ <class>org.collectionspace.services.authorization.UserRole</class>
+ <properties>
+ <property name="hibernate.ejb.cfgfile" value="hibernate.cfg.xml"/>
+
+ <!--property name="hibernate.dialect" value="org.hibernate.dialect.MySQLDialect"/>
+ <property name="hibernate.max_fetch_depth" value="3"/>
+ <property name="hibernate.connection.driver_class" value="com.mysql.jdbc.Driver"/>
+ <property name="hibernate.connection.username" value="test"/>
+ <property name="hibernate.connection.password" value="test"/>
+ <property name="hibernate.connection.url" value="jdbc:mysql://localhost:3306/cspace"/-->
+ </properties>
+ </persistence-unit>
+</persistence>
--- /dev/null
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+ Document : hibernate.cfg.xml.xml
+ Created on : November 12, 2009, 12:02 PM
+ Author : sanjaydalal
+ Description:
+ Purpose of the document follows.
+-->
+<!DOCTYPE hibernate-configuration PUBLIC
+ "-//Hibernate/Hibernate Configuration DTD 3.0//EN"
+ "http://hibernate.sourceforge.net/hibernate-configuration-3.0.dtd">
+<hibernate-configuration>
+ <session-factory>
+ <property name="connection.url">jdbc:mysql://localhost:3306/cspace</property>
+ <property name="connection.driver_class">com.mysql.jdbc.Driver</property>
+ <property name="connection.username">test</property>
+ <property name="connection.password">test</property>
+ <property name="dialect">org.hibernate.dialect.MySQLDialect</property>
+ <property name="transaction.factory_class">org.hibernate.transaction.JDBCTransactionFactory</property>
+ <property name="current_session_context_class">thread</property>
+ <property name="hibernate.show_sql">true</property>
+ </session-factory>
+</hibernate-configuration>
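Review bot: This file commits a working-looking credential pair (`connection.username` and `connection.password` both `test`, L1431-L1432) and a host/port URL (L1429), whereas the pstore build's `setup_hibernate.cfg` target in this same change fills those values from `@DB_URL@`/`@DB_USER@`/`@DB_PASSWORD@` tokens taken from properties and the environment; the two approaches should not coexist, and this copy should use the same tokens. `hibernate.show_sql=true` (L1436) also echoes every statement, including the contents of the `roles` and `users_roles` tables, to stdout; leave it off by default and let developers enable it locally. If this file is only a test resource, say so in the header comment at L1417-L1423, which currently still reads as an unfilled template.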
--- /dev/null
+<?xml version="1.0" encoding="UTF-8"?>
+<project>
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <artifactId>org.collectionspace.services.main</artifactId>
+ <groupId>org.collectionspace.services</groupId>
+ <version>0.6-SNAPSHOT</version>
+ </parent>
+ <groupId>org.collectionspace.services</groupId>
+ <artifactId>org.collectionspace.services.authorization</artifactId>
+ <name>services.authorization</name>
+ <packaging>pom</packaging>
+ <url>http://www.collectionspace.org</url>
+ <properties>
+ </properties>
+
+
+ <modules>
+ <module>jaxb</module>
+ <module>pstore</module>
+ <module>service</module>
+ </modules>
+</project>
--- /dev/null
+<?xml version="1.0" encoding="UTF-8"?>\r
+<classpath>\r
+ <classpathentry excluding="**" kind="src" output="target/classes" path="src/main/resources"/>\r
+ <classpathentry excluding="**" kind="src" output="target/test-classes" path="src/test/resources"/>\r
+ <classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER/org.eclipse.jdt.internal.debug.ui.launcher.StandardVMType/JavaSE-1.6"/>\r
+ <classpathentry kind="con" path="org.maven.ide.eclipse.MAVEN2_CLASSPATH_CONTAINER"/>\r
+</classpath>\r
--- /dev/null
+<?xml version="1.0" encoding="UTF-8"?>\r
+<projectDescription>\r
+ <name>org.collectionspace.services.authorization.pstore</name>\r
+ <comment></comment>\r
+ <projects>\r
+ </projects>\r
+ <buildSpec>\r
+ <buildCommand>\r
+ <name>org.eclipse.jdt.core.javabuilder</name>\r
+ <arguments>\r
+ </arguments>\r
+ </buildCommand>\r
+ <buildCommand>\r
+ <name>org.maven.ide.eclipse.maven2Builder</name>\r
+ <arguments>\r
+ </arguments>\r
+ </buildCommand>\r
+ </buildSpec>\r
+ <natures>\r
+ <nature>org.eclipse.jdt.core.javanature</nature>\r
+ <nature>org.maven.ide.eclipse.maven2Nature</nature>\r
+ </natures>\r
+</projectDescription>\r
--- /dev/null
+\r
+<project name="authorization.pstore" default="package" basedir=".">\r
+ <description>\r
+ collectionspace authorization service\r
+ </description>\r
+ <!-- set global properties for this build -->\r
+ <property name="services.trunk" value="../../.."/>\r
+ <!-- enviornment should be declared before reading build.properties -->\r
+ <property environment="env" />\r
+ <property file="${services.trunk}/build.properties" />\r
+ <property name="mvn.opts" value="" />\r
+ <property name="src" location="src"/>\r
+\r
+ <condition property="osfamily-unix">\r
+ <os family="unix" />\r
+ </condition>\r
+ <condition property="osfamily-windows">\r
+ <os family="windows" />\r
+ </condition>\r
+\r
+ <target name="init">\r
+ <!-- Create the time stamp -->\r
+ <tstamp/>\r
+ </target>\r
+\r
+\r
+ <target name="package" depends="package-unix,package-windows"\r
+ description="Package CollectionSpace Services" />\r
+ <target name="package-unix" if="osfamily-unix">\r
+ <exec executable="mvn" failonerror="true">\r
+ <arg value="package" />\r
+ <arg value="-Dmaven.test.skip=true" />\r
+ <arg value="-f" />\r
+ <arg value="${basedir}/pom.xml" />\r
+ <arg value="-N" />\r
+ <arg value="${mvn.opts}" />\r
+ </exec>\r
+ </target>\r
+ <target name="package-windows" if="osfamily-windows">\r
+ <exec executable="cmd" failonerror="true">\r
+ <arg value="/c" />\r
+ <arg value="mvn.bat" />\r
+ <arg value="package" />\r
+ <arg value="-Dmaven.test.skip=true" />\r
+ <arg value="-f" />\r
+ <arg value="${basedir}/pom.xml" />\r
+ <arg value="-N" />\r
+ <arg value="${mvn.opts}" />\r
+ </exec>\r
+ </target>\r
+\r
+ <target name="install" depends="install-unix,install-windows"\r
+ description="Install" />\r
+ <target name="install-unix" if="osfamily-unix">\r
+ <exec executable="mvn" failonerror="true">\r
+ <arg value="install" />\r
+ <arg value="-Dmaven.test.skip=true" />\r
+ <arg value="-f" />\r
+ <arg value="${basedir}/pom.xml" />\r
+ <arg value="-N" />\r
+ <arg value="${mvn.opts}" />\r
+ </exec>\r
+ </target>\r
+ <target name="install-windows" if="osfamily-windows">\r
+ <exec executable="cmd" failonerror="true">\r
+ <arg value="/c" />\r
+ <arg value="mvn.bat" />\r
+ <arg value="install" />\r
+ <arg value="-Dmaven.test.skip=true" />\r
+ <arg value="-f" />\r
+ <arg value="${basedir}/pom.xml" />\r
+ <arg value="-N" />\r
+ <arg value="${mvn.opts}" />\r
+ </exec>\r
+ </target>\r
+\r
+ <target name="clean" depends="clean-unix,clean-windows"\r
+ description="Delete target directories" >\r
+ <delete dir="${build}"/>\r
+ </target>\r
+ <target name="clean-unix" if="osfamily-unix">\r
+ <exec executable="mvn" failonerror="true">\r
+ <arg value="clean" />\r
+ <arg value="${mvn.opts}" />\r
+ </exec>\r
+ </target>\r
+ <target name="clean-windows" if="osfamily-windows">\r
+ <exec executable="cmd" failonerror="true">\r
+ <arg value="/c" />\r
+ <arg value="mvn.bat" />\r
+ <arg value="clean" />\r
+ <arg value="${mvn.opts}" />\r
+ </exec>\r
+ </target>\r
+\r
+ <target name="test" depends="test-unix,test-windows" description="Run tests" />\r
+ <target name="test-unix" if="osfamily-unix">\r
+ <exec executable="mvn" failonerror="true">\r
+ <arg value="test" />\r
+ <arg value="${mvn.opts}" />\r
+ </exec>\r
+ </target>\r
+ <target name="test-windows" if="osfamily-windows">\r
+ <exec executable="cmd" failonerror="true">\r
+ <arg value="/c" />\r
+ <arg value="mvn.bat" />\r
+ <arg value="test" />\r
+ <arg value="${mvn.opts}" />\r
+ </exec>\r
+ </target>\r
+\r
+ <target name="setup_hibernate.cfg" description="replace property keywords in hibernate.cfg.xml">\r
+ <property name="src.hibernate.cfg" value="${basedir}/src/test/resources/hibernate.cfg.xml"/>\r
+ <property name="dest.hibernate.cfg" value="${basedir}/target/test-classes/hibernate.cfg.xml"/>\r
+ <delete file="${dest.hibernate.cfg}" verbose="true" />\r
+ <filter token="DB_URL" value="${db.jdbc.url}" />\r
+ <filter token="DB_DRIVER_CLASS" value="${db.jdbc.driver.class}" />\r
+ <filter token="DB_USER" value="${env.DB_USER}" /> <!-- double-sub from ${db.user} fails -->\r
+ <filter token="DB_PASSWORD" value="${env.DB_PASSWORD}" /> <!-- double-sub from ${db.user.password} fails -->\r
+ <filter token="DB_DIALECT" value="${db.dialect}" />\r
+ <copy todir="${basedir}/target/test-classes" filtering="true">\r
+ <fileset dir="${basedir}/src/test/resources">\r
+ <include name="hibernate.cfg.xml" />\r
+ </fileset>\r
+ </copy>\r
+ </target>\r
+\r
+\r
+ <target name="gen_ddl" depends="gen_ddl-unix,gen_ddl-windows"\r
+ description="geneate ddl" />\r
+ <target name="gen_ddl-unix" if="osfamily-unix" depends="setup_hibernate.cfg">\r
+ <exec executable="mvn" failonerror="true">\r
+ <arg value="-Pddl" />\r
+ <arg value="process-test-resources" />\r
+ <arg value="-f" />\r
+ <arg value="${basedir}/pom.xml" />\r
+ <arg value="-N" />\r
+ <arg value="${mvn.opts}" />\r
+ </exec>\r
+ </target>\r
+ <target name="gen_ddl-windows" if="osfamily-windows" depends="setup_hibernate.cfg">\r
+ <exec executable="cmd" failonerror="true">\r
+ <arg value="/c" />\r
+ <arg value="mvn.bat" />\r
+ <arg value="-Pddl" />\r
+ <arg value="process-test-resources" />\r
+ <arg value="-f" />\r
+ <arg value="${basedir}/pom.xml" />\r
+ <arg value="-N" />\r
+ <arg value="${mvn.opts}" />\r
+ </exec>\r
+ </target>\r
+\r
+ <target name="create_db"\r
+ description="create tables(s), indices for authorization service">\r
+ <sql driver="com.mysql.jdbc.Driver"\r
+ url="jdbc:mysql://${db.host}:${db.port}/cspace"\r
+ userid="${db.user}"\r
+ password="${db.user.password}"\r
+ src="${db.script.dir}/authorization.sql"\r
+ >\r
+ <classpath>\r
+ <pathelement path="${db.driver.jar}"/>\r
+ </classpath>\r
+ </sql>\r
+ <sql driver="com.mysql.jdbc.Driver"\r
+ url="jdbc:mysql://${db.host}:${db.port}/cspace"\r
+ userid="${db.user}"\r
+ password="${db.user.password}"\r
+ src="${db.script.dir}/authorization_index.sql"\r
+ >\r
+ <classpath>\r
+ <pathelement path="${db.driver.jar}"/>\r
+ </classpath>\r
+ </sql>\r
+ <sql driver="com.mysql.jdbc.Driver"\r
+ url="jdbc:mysql://${db.host}:${db.port}/cspace"\r
+ userid="${db.user}"\r
+ password="${db.user.password}"\r
+ src="${db.script.dir}/acl.sql"\r
+ >\r
+ <classpath>\r
+ <pathelement path="${db.driver.jar}"/>\r
+ </classpath>\r
+ </sql>\r
+ <sql driver="com.mysql.jdbc.Driver"\r
+ url="jdbc:mysql://${db.host}:${db.port}/cspace"\r
+ userid="${db.user}"\r
+ password="${db.user.password}"\r
+ src="${db.script.dir}/test_authorization.sql"\r
+ >\r
+ <classpath>\r
+ <pathelement path="${db.driver.jar}"/>\r
+ </classpath>\r
+ </sql>\r
+ </target>\r
+\r
+ <target name="deploy" depends="install"\r
+ description="deploy authorization service in ${jboss.server.cspace}">\r
+ <copy todir="${jboss.server.cspace}/cspace/services">\r
+ <fileset dir="${src}/main/resources/"/>\r
+ </copy>\r
+ </target>\r
+\r
+ <target name="undeploy"\r
+ description="undeploy authorization service from ${jboss.server.cspace}">\r
+ <delete>\r
+ <fileset dir="${jboss.server.cspace}/cspace/services/db/${db}"\r
+ includes="**authorization**.sql"/>\r
+ </delete>\r
+ </target>\r
+\r
+ <target name="dist"\r
+ description="generate distribution for authorization service" depends="package">\r
+ <!-- copy db scripts, etc. -->\r
+ <copy todir="${services.trunk}/${dist.server.cspace}/cspace/services">\r
+ <fileset dir="${src}/main/resources/"/>\r
+ </copy>\r
+ </target>\r
+\r
+</project>\r
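Review bot: The `create_db` target (L1649-L1691) runs `test_authorization.sql` against the same `cspace` database as the production `authorization.sql`, `authorization_index.sql` and `acl.sql` scripts with no condition, so every install that uses this target gets test roles and assignments seeded into its authorization store. Move the fourth `<sql>` into its own target, e.g. `<target name="load_test_data" if="db.load.test.data">`, so production installs can omit it. The database password is also passed as `${db.user.password}` in four places here, while `setup_hibernate.cfg` (L1613-L1614) already reads `env.DB_PASSWORD`; using the environment variable consistently keeps the secret out of build.properties. As in the sibling build file, `${mvn.opts}` should be passed with `<arg line=...>` rather than `<arg value=...>` so the empty default is not handed to Maven as an empty argument.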
--- /dev/null
+<?xml version="1.0" encoding="UTF-8"?>\r
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">\r
+\r
+ <parent>\r
+ <artifactId>org.collectionspace.services.authorization</artifactId>\r
+ <groupId>org.collectionspace.services</groupId>\r
+ <version>0.6-SNAPSHOT</version>\r
+ </parent>\r
+\r
+ <modelVersion>4.0.0</modelVersion>\r
+ <groupId>org.collectionspace.services</groupId>\r
+ <artifactId>org.collectionspace.services.authorization.pstore</artifactId>\r
+ <name>services.authorization.pstore</name>\r
+ <properties>\r
+ <sql.file>authorization.sql</sql.file>\r
+ <sql.dir>${basedir}/src/main/resources/db/mysql</sql.dir>\r
+ </properties>\r
+ <dependencies>\r
+ <!-- keep slf4j dependencies on the top -->\r
+ <dependency>\r
+ <groupId>org.slf4j</groupId>\r
+ <artifactId>slf4j-api</artifactId>\r
+ <scope>test</scope>\r
+ </dependency>\r
+ <dependency>\r
+ <groupId>org.slf4j</groupId>\r
+ <artifactId>slf4j-log4j12</artifactId>\r
+ <scope>test</scope>\r
+ </dependency>\r
+ <dependency>\r
+ <groupId>org.collectionspace.services</groupId>\r
+ <artifactId>org.collectionspace.services.authorization.jaxb</artifactId>\r
+ <version>${project.version}</version>\r
+ </dependency>\r
+ <dependency>\r
+ <groupId>org.testng</groupId>\r
+ <artifactId>testng</artifactId>\r
+ <version>5.6</version>\r
+ </dependency>\r
+ <dependency>\r
+ <groupId>mysql</groupId>\r
+ <artifactId>mysql-connector-java</artifactId>\r
+ </dependency>\r
+ </dependencies>\r
+\r
+ <build>\r
+ <finalName>cspace-services-authorization-pstore</finalName>\r
+ <plugins>\r
+ <plugin>\r
+ <artifactId>maven-antrun-plugin</artifactId>\r
+ <executions>\r
+ <execution>\r
+ <id>subs-hibernate-config</id>\r
+ <phase>generate-test-resources</phase>\r
+ <goals>\r
+ <goal>run</goal>\r
+ </goals>\r
+ <configuration>\r
+ <tasks>\r
+ <property name="runtime-classpath" refid="maven.runtime.classpath" />\r
+ <ant target="setup_hibernate.cfg" inheritRefs="true" />\r
+ </tasks>\r
+ </configuration>\r
+ </execution>\r
+ </executions>\r
+ </plugin>\r
+ <plugin>\r
+ <groupId>org.apache.maven.plugins</groupId>\r
+ <artifactId>maven-surefire-plugin</artifactId>\r
+ <configuration>\r
+ <systemProperties>\r
+ <property>\r
+ <name>log4j.configuration</name>\r
+ <value>file:target/test-classes/log4j.properties</value>\r
+ </property>\r
+ </systemProperties>\r
+ </configuration>\r
+ </plugin>\r
+ <plugin>\r
+ <artifactId>maven-compiler-plugin</artifactId>\r
+ <version>2.0.2</version>\r
+ <configuration>\r
+ <source>1.6</source>\r
+ <target>1.6</target>\r
+ </configuration>\r
+ </plugin>\r
+ </plugins>\r
+ </build>\r
+ <profiles>\r
+ <profile>\r
+ <!-- use profile as this task is not needed for every build and test -->\r
+ <id>ddl</id>\r
+ <build>\r
+ <plugins>\r
+ <plugin>\r
+ <groupId>org.codehaus.mojo</groupId>\r
+ <artifactId>hibernate3-maven-plugin</artifactId>\r
+ <version>2.2</version>\r
+ <executions>\r
+ <execution>\r
+ <phase>process-test-resources</phase>\r
+ <goals>\r
+ <goal>hbm2ddl</goal>\r
+ </goals>\r
+ </execution>\r
+ </executions>\r
+ <configuration>\r
+ <components>\r
+ <component>\r
+ <name>hbm2ddl</name>\r
+ </component>\r
+ </components>\r
+ <componentProperties>\r
+ <outputfilename>${sql.file}</outputfilename>\r
+ <implementation>jpaconfiguration</implementation>\r
+ <drop>true</drop>\r
+ <create>true</create>\r
+ <export>true</export>\r
+ <jdk5>true</jdk5>\r
+ <ejb3>false</ejb3>\r
+ <persistenceunit>org.collectionspace.services.authorization</persistenceunit>\r
+ </componentProperties>\r
+ </configuration>\r
+ <dependencies>\r
+ <dependency>\r
+ <groupId>mysql</groupId>\r
+ <artifactId>mysql-connector-java</artifactId>\r
+ <version>5.1.5</version>\r
+ </dependency>\r
+ </dependencies>\r
+ </plugin>\r
+ <plugin>\r
+ <artifactId>maven-antrun-plugin</artifactId>\r
+ <executions>\r
+ <execution>\r
+ <phase>process-test-resources</phase>\r
+ <configuration>\r
+ <tasks>\r
+ <copy file="${basedir}/target/hibernate3/sql/${sql.file}" tofile="${sql.dir}/${sql.file}" />\r
+ </tasks>\r
+ </configuration>\r
+ <goals>\r
+ <goal>run</goal>\r
+ </goals>\r
+ </execution>\r
+ </executions>\r
+ </plugin>\r
+\r
+ </plugins>\r
+ </build>\r
+ </profile>\r
+ </profiles>\r
+</project>\r
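Review bot: The `testng` dependency in the main `<dependencies>` block has no `<scope>`, so it ships as a compile/runtime dependency of the pstore artifact, while the service pom in this same commit scopes it to `test`; add `<scope>test</scope>` to that dependency. The `ddl` profile also copies the hbm2ddl output into `${sql.dir}`, which resolves under `src/main/resources`, so a build with that profile active rewrites a tracked source file. A comment on that `<copy>` such as `<!-- regenerates the checked-in authorization.sql from the JPA mappings; review the resulting diff before committing -->` would make the intent explicit.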
--- /dev/null
+--
+-- Copyright 2010 University of California at Berkeley
+-- Licensed under the Educational Community License (ECL), Version 2.0.
+-- You may not use this file except in compliance with this License.
+--
+
+use cspace;
+drop table if exists `acl_entry`;
+drop table if exists `acl_object_identity`;
+drop table if exists `acl_sid`;
+drop table if exists `acl_class`;
+
+--
+-- Table structure for table `acl_class`
+--
+
+CREATE TABLE IF NOT EXISTS `acl_class` (
+ `id` bigint(20) NOT NULL auto_increment,
+ `class` varchar(100) NOT NULL,
+ PRIMARY KEY (`id`),
+ UNIQUE KEY `unique_uk_2` (`class`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ;
+
+--
+-- Dumping data for table `acl_class`
+--
+
+
+--
+-- Table structure for table `acl_sid`
+--
+
+CREATE TABLE IF NOT EXISTS `acl_sid` (
+ `id` bigint(20) NOT NULL auto_increment,
+ `principal` tinyint(1) NOT NULL,
+ `sid` varchar(100) NOT NULL,
+ PRIMARY KEY (`id`),
+ UNIQUE KEY `unique_uk_1` (`principal`,`sid`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+--
+-- Dumping data for table `acl_sid`
+--
+
+--
+-- Table structure for table `acl_entry`
+--
+
+CREATE TABLE IF NOT EXISTS `acl_entry` (
+ `id` bigint(20) NOT NULL auto_increment,
+ `acl_object_identity` bigint(20) NOT NULL,
+ `ace_order` int(11) NOT NULL,
+ `sid` bigint(20) NOT NULL,
+ `mask` int(11) NOT NULL,
+ `granting` tinyint(1) NOT NULL,
+ `audit_success` tinyint(1) NOT NULL,
+ `audit_failure` tinyint(1) NOT NULL,
+ PRIMARY KEY (`id`),
+ UNIQUE KEY `unique_uk_4` (`acl_object_identity`,`ace_order`),
+ KEY `sid` (`sid`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ;
+
+
+
+--
+-- Dumping data for table `acl_entry`
+--
+
+
+--
+-- Table structure for table `acl_object_identity`
+--
+
+CREATE TABLE IF NOT EXISTS `acl_object_identity` (
+ `id` bigint(20) NOT NULL auto_increment,
+ `object_id_class` bigint(20) NOT NULL,
+ `object_id_identity` bigint(20) NOT NULL,
+ `parent_object` bigint(20) default NULL,
+ `owner_sid` bigint(20) default NULL,
+ `entries_inheriting` tinyint(1) NOT NULL,
+ PRIMARY KEY (`id`),
+ UNIQUE KEY `unique_uk_3` (`object_id_class`,`object_id_identity`),
+ KEY `owner_sid` (`owner_sid`),
+ KEY `parent_object` (`parent_object`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ;
+
+
+--
+-- Dumping data for table `acl_object_identity`
+--
+
+--
+-- Constraints for table `acl_entry`
+--
+ALTER TABLE `acl_entry`
+ ADD CONSTRAINT `acl_entry_ibfk_1` FOREIGN KEY (`sid`) REFERENCES `acl_sid` (`id`),
+ ADD CONSTRAINT `acl_entry_ibfk_2` FOREIGN KEY (`acl_object_identity`) REFERENCES `acl_object_identity` (`id`);
+
+
+--
+-- Constraints for table `acl_object_identity`
+--
+ALTER TABLE `acl_object_identity`
+ ADD CONSTRAINT `acl_object_identity_ibfk_1` FOREIGN KEY (`owner_sid`) REFERENCES `acl_sid` (`id`),
+ ADD CONSTRAINT `acl_object_identity_ibfk_2` FOREIGN KEY (`object_id_class`) REFERENCES `acl_class` (`id`),
+ ADD CONSTRAINT `acl_object_identity_ibfk_3` FOREIGN KEY (`parent_object`) REFERENCES `acl_object_identity` (`id`);
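Review bot: The four `drop table if exists` statements at the top make this script destructive on every run, and the Ant target earlier in this commit executes `acl.sql` in the same `<sql>` sequence as the schema setup, so re-running that target against an existing deployment silently discards every ACL entry, object identity and SID. If the script is meant to be idempotent, the `CREATE TABLE IF NOT EXISTS` clauses already cover that and the drops can go; if a reset is intended, a header such as `-- WARNING: drops and recreates the Spring Security ACL tables; all existing ACL data is lost` should say so. The foreign keys on `acl_entry` and `acl_object_identity` declare no `ON DELETE` action, so deleting a referenced SID or object identity fails rather than cascading — presumably intended, but worth stating in the header.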
--- /dev/null
+drop table if exists roles;
+drop table if exists users_roles;
+create table roles (rolename varchar(200) not null, created_at datetime not null, rolegroup varchar(255) not null, updated_at datetime, primary key (rolename));
+create table users_roles (HJID bigint not null auto_increment, created_at datetime not null, rolename varchar(200) not null, updated_at datetime, username varchar(128) not null, primary key (HJID), unique (username, rolename));
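Review bot: `users_roles.rolename` has no foreign key to `roles.rolename`, so a user can be assigned a role that does not exist — the test fixture in this commit already does that by granting `ROLE_ADMINISTRATOR` to `test` without ever inserting that role. The pstore pom suggests this file is generated by hbm2ddl from the JPA mappings and copied into `src/main/resources`, so the constraint presumably belongs in the `UserRole` mapping (a relation to `Role` joined on `rolename`) with this file regenerated, rather than hand-edited here. Once that constraint exists, dropping `roles` before `users_roles` will fail; the two `drop table` lines should be reversed.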
--- /dev/null
+--
+-- Copyright 20010 University of California at Berkeley
+-- Licensed under the Educational Community License (ECL), Version 2.0.
+-- You may not use this file except in compliance with this License.
+--
+use cspace;
+CREATE INDEX index_rolename ON roles (rolegroup);
+CREATE INDEX index_username ON users_roles (username);
+CREATE INDEX index_rolename ON users_roles (rolename);
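Review bot: `CREATE INDEX index_rolename ON roles (rolegroup)` names the index after a column it does not index; the indexed column is `rolegroup`, so the name should be `index_rolegroup`. The same name `index_rolename` is then reused on `users_roles` — legal in MySQL because index names are scoped per table, but it makes the two indexes indistinguishable in logs and `SHOW INDEX` output; `index_users_roles_rolename` would be unambiguous. The copyright line also reads `20010`.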
--- /dev/null
+--\r
+-- Copyright 2009 University of California at Berkeley\r
+-- Licensed under the Educational Community License (ECL), Version 2.0.\r
+-- You may not use this file except in compliance with this License.\r
+--\r
+use cspace;\r
+\r
+insert into `roles` (`rolename`, `rolegroup`, `created_at`) values ('ROLE_KERNEL', 'kernel', '2010-02-17 16:31:48');\r
+insert into `roles` (`rolename`, `rolegroup`, `created_at`) values ('ROLE_USERS', 'collections', '2010-02-17 16:31:48');\r
+insert into `roles` (`rolename`, `rolegroup`, `created_at`) values ('ROLE_COLLECTIONS_MANAGER', 'collections', '2010-02-17 16:31:48');\r
+insert into `roles` (`rolename`, `rolegroup`, `created_at`) values ('ROLE_COLLECTIONS_REGISTRAR', 'collections', '2010-02-17 16:31:48');\r
+\r
+insert into `users_roles`(`username`, `rolename`, `created_at`) values ('test', 'ROLE_ADMINISTRATOR', '2010-02-17 16:31:48');\r
+insert into `users_roles`(`username`, `rolename`, `created_at`) values ('test', 'ROLE_USERS', '2010-02-17 16:31:48');\r
+insert into `users_roles`(`username`, `rolename`, `created_at`) values ('test', 'ROLE_COLLECTIONS_MANAGER', '2010-02-17 16:31:48');\r
+\r
+insert into `users_roles`(`username`, `rolename`, `created_at`) values ('barney', 'ROLE_USERS', '2010-02-17 16:31:48');\r
+insert into `users_roles`(`username`, `rolename`, `created_at`) values ('barney', 'ROLE_COLLECTIONS_MANAGER', '2010-02-17 16:31:48');\r
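Review bot: This fixture seeds the principals `test` and `barney` into the `cspace` database and grants `test` the `ROLE_ADMINISTRATOR` role, yet the Ant target earlier in this commit runs `test_authorization.sql` in the same `<sql>` sequence as the schema scripts, so any database built through that target carries a known administrative account. If that target is ever used for a non-test deployment this is a ready-made privileged login; the fixture should be loaded only by a test-specific target, or at minimum open with `-- TEST DATA ONLY: do not load into a deployed database`. `ROLE_ADMINISTRATOR` is also never inserted into `roles` by this file, so the `users_roles` row for `test` references a role the seeded data does not define.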
--- /dev/null
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<persistence version="1.0" xsi:schemaLocation="http://java.sun.com/xml/ns/persistence http://java.sun.com/xml/ns/persistence/persistence_1_0.xsd
+http://java.sun.com/xml/ns/persistence/orm http://java.sun.com/xml/ns/persistence/orm_1_0.xsd" xmlns="http://java.sun.com/xml/ns/persistence" xmlns:orm="http://java.sun.com/xml/ns/persistence/orm" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <persistence-unit name="org.collectionspace.services.authorization">
+ <class>org.collectionspace.services.authorization.Role</class>
+ <class>org.collectionspace.services.authorization.UserRole</class>
+ <properties>
+ <property name="hibernate.ejb.cfgfile" value="hibernate.cfg.xml"/>
+
+ <!--property name="hibernate.dialect" value="org.hibernate.dialect.MySQLDialect"/>
+ <property name="hibernate.max_fetch_depth" value="3"/>
+ <property name="hibernate.connection.driver_class" value="com.mysql.jdbc.Driver"/>
+ <property name="hibernate.connection.username" value="test"/>
+ <property name="hibernate.connection.password" value="test"/>
+ <property name="hibernate.connection.url" value="jdbc:mysql://localhost:3306/cspace"/-->
+ </properties>
+ </persistence-unit>
+</persistence>
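Review bot: The commented-out `<property>` block at the end of `<properties>` still carries a database username, password and JDBC URL (`test`/`test` at `localhost:3306`); commented-out credentials in a resource that is packaged into the jar are a common way for secrets to go stale and be uncommented later. Since the live settings are delegated to `hibernate.cfg.xml` through `hibernate.ejb.cfgfile`, the dead block should be deleted, or reduced to `<!-- connection settings live in hibernate.cfg.xml -->`. `standalone="yes"` in the declaration is harmless but unnecessary here.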
--- /dev/null
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+ Document : hibernate.cfg.xml
+ Created on :
+ Author :
+ Description:
+ Hibernate configuration file for testing and tools
+-->
+<!DOCTYPE hibernate-configuration PUBLIC
+ "-//Hibernate/Hibernate Configuration DTD 3.0//EN"
+ "http://hibernate.sourceforge.net/hibernate-configuration-3.0.dtd">
+<hibernate-configuration>
+ <session-factory>
+ <property name="connection.url">@DB_URL@</property>
+ <property name="connection.driver_class">@DB_DRIVER_CLASS@</property>
+ <property name="connection.username">@DB_USER@</property>
+ <property name="connection.password">@DB_PASSWORD@</property>
+ <property name="dialect">@DB_DIALECT@</property>
+ <property name="transaction.factory_class">org.hibernate.transaction.JDBCTransactionFactory</property>
+ <property name="current_session_context_class">thread</property>
+ <property name="hibernate.show_sql">true</property>
+ </session-factory>
+</hibernate-configuration>
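Review bot: `hibernate.show_sql` is set to `true` unconditionally, so every statement Hibernate issues is printed to stdout; the header says this file serves both "testing and tools", so if the same file feeds the hbm2ddl tooling or is copied anywhere beyond the test classpath, the default should be `<property name="hibernate.show_sql">false</property>` with SQL logging enabled through the log4j category when needed. The `@DB_PASSWORD@` token is presumably substituted at build time (the pstore pom runs a `setup_hibernate.cfg` Ant target before tests), so the plaintext password lands in the generated copy; a comment such as `<!-- @…@ tokens are replaced from build.properties; the generated file contains the real password and must not be committed -->` would warn maintainers. The `<!DOCTYPE>` points at the DTD over plain http; Hibernate resolves its own DTDs from the classpath, but any other XML tool validating this file will fetch it from the network.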
--- /dev/null
+\r
+<project name="authorization.service" default="package" basedir=".">\r
+ <description>\r
+ collectionspace authorization service\r
+ </description>\r
+ <!-- set global properties for this build -->\r
+ <property name="services.trunk" value="../../.."/>\r
+ <!-- enviornment should be declared before reading build.properties -->\r
+ <property environment="env" />\r
+ <property file="${services.trunk}/build.properties" />\r
+ <property name="mvn.opts" value="" />\r
+ <property name="src" location="src"/>\r
+ <property name="authorization.jar" value="cspace-services-authz.jar"/>\r
+ <condition property="osfamily-unix">\r
+ <os family="unix" />\r
+ </condition>\r
+ <condition property="osfamily-windows">\r
+ <os family="windows" />\r
+ </condition>\r
+\r
+ <target name="init">\r
+ <!-- Create the time stamp -->\r
+ <tstamp/>\r
+ </target>\r
+\r
+\r
+ <target name="package" depends="package-unix,package-windows"\r
+ description="Package CollectionSpace Services" />\r
+ <target name="package-unix" if="osfamily-unix">\r
+ <exec executable="mvn" failonerror="true">\r
+ <arg value="package" />\r
+ <arg value="-Dmaven.test.skip=true" />\r
+ <arg value="-f" />\r
+ <arg value="${basedir}/pom.xml" />\r
+ <arg value="-N" />\r
+ <arg value="${mvn.opts}" />\r
+ </exec>\r
+ </target>\r
+ <target name="package-windows" if="osfamily-windows">\r
+ <exec executable="cmd" failonerror="true">\r
+ <arg value="/c" />\r
+ <arg value="mvn.bat" />\r
+ <arg value="package" />\r
+ <arg value="-Dmaven.test.skip=true" />\r
+ <arg value="-f" />\r
+ <arg value="${basedir}/pom.xml" />\r
+ <arg value="-N" />\r
+ <arg value="${mvn.opts}" />\r
+ </exec>\r
+ </target>\r
+\r
+ <target name="install" depends="install-unix,install-windows"\r
+ description="Install" />\r
+ <target name="install-unix" if="osfamily-unix">\r
+ <exec executable="mvn" failonerror="true">\r
+ <arg value="install" />\r
+ <arg value="-Dmaven.test.skip=true" />\r
+ <arg value="-f" />\r
+ <arg value="${basedir}/pom.xml" />\r
+ <arg value="-N" />\r
+ <arg value="${mvn.opts}" />\r
+ </exec>\r
+ </target>\r
+ <target name="install-windows" if="osfamily-windows">\r
+ <exec executable="cmd" failonerror="true">\r
+ <arg value="/c" />\r
+ <arg value="mvn.bat" />\r
+ <arg value="install" />\r
+ <arg value="-Dmaven.test.skip=true" />\r
+ <arg value="-f" />\r
+ <arg value="${basedir}/pom.xml" />\r
+ <arg value="-N" />\r
+ <arg value="${mvn.opts}" />\r
+ </exec>\r
+ </target>\r
+\r
+ <target name="clean" depends="clean-unix,clean-windows"\r
+ description="Delete target directories" >\r
+ <delete dir="${build}"/>\r
+ </target>\r
+ <target name="clean-unix" if="osfamily-unix">\r
+ <exec executable="mvn" failonerror="true">\r
+ <arg value="clean" />\r
+ <arg value="${mvn.opts}" />\r
+ </exec>\r
+ </target>\r
+ <target name="clean-windows" if="osfamily-windows">\r
+ <exec executable="cmd" failonerror="true">\r
+ <arg value="/c" />\r
+ <arg value="mvn.bat" />\r
+ <arg value="clean" />\r
+ <arg value="${mvn.opts}" />\r
+ </exec>\r
+ </target>\r
+\r
+ <target name="test" depends="test-unix,test-windows" description="Run tests" />\r
+ <target name="test-unix" if="osfamily-unix">\r
+ <exec executable="mvn" failonerror="true">\r
+ <arg value="test" />\r
+ <arg value="${mvn.opts}" />\r
+ </exec>\r
+ </target>\r
+ <target name="test-windows" if="osfamily-windows">\r
+ <exec executable="cmd" failonerror="true">\r
+ <arg value="/c" />\r
+ <arg value="mvn.bat" />\r
+ <arg value="test" />\r
+ <arg value="${mvn.opts}" />\r
+ </exec>\r
+ </target>\r
+\r
+ <target name="deploy" depends="install"\r
+ description="deploy authorization service in ${jboss.server.cspace}">\r
+ <copy file="${basedir}/target/${authorization.jar}" todir="${jboss.server.cspace}/lib"/>\r
+ <echo message="Check out authorization Service Configuration Guide on wiki.collectionspace.org for more details" />\r
+ </target>\r
+\r
+ <target name="undeploy"\r
+ description="undeploy authorization service from ${jboss.server.cspace}">\r
+ <delete file="${jboss.server.cspace}/lib/${authorization.jar}"/>\r
+ <echo message="Check out authorization Service Configuration Guide on wiki.collectionspace.org for more details"/>\r
+ </target>\r
+\r
+ <target name="dist"\r
+ description="generate distribution for authorization service" depends="package">\r
+ <!-- copy db scripts, etc. -->\r
+ <copy todir="${services.trunk}/${dist.server.cspace}/cspace/services">\r
+ <fileset dir="${src}/main/resources/"/>\r
+ </copy>\r
+ </target>\r
+\r
+</project>\r
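Review bot: The `clean` target deletes `${build}`, but no `build` property is defined anywhere in this file (only `services.trunk`, `mvn.opts`, `src` and `authorization.jar` are set), so Ant leaves the reference unexpanded and the task looks for a directory literally named `${build}` — a silent no-op today, and a surprise if a `build` property is ever inherited from `build.properties`. Either drop the `<delete>` (the `clean-unix`/`clean-windows` dependencies already run `mvn clean`) or define `<property name="build" location="target"/>` next to `src`. The comment above `<property environment="env" />` also misspells "environment".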
--- /dev/null
+<?xml version="1.0" encoding="UTF-8"?>
+<project>
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <artifactId>org.collectionspace.services.authorization</artifactId>
+ <groupId>org.collectionspace.services</groupId>
+ <version>0.6-SNAPSHOT</version>
+ </parent>
+ <groupId>org.collectionspace.services</groupId>
+ <artifactId>org.collectionspace.services.authorization.service</artifactId>
+ <packaging>jar</packaging>
+ <name>services.authorization.service</name>
+ <url>http://www.collectionspace.org</url>
+
+ <properties>
+ <jboss.version>4.2.3.GA</jboss.version>
+ <jboss.ejb.version>3.0</jboss.ejb.version>
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ <spring.version>3.0.0.RELEASE</spring.version>
+ <spring.security.version>3.0.2.RELEASE</spring.security.version>
+ </properties>
+
+ <dependencies>
+
+ <!-- utilities -->
+
+ <!-- slf4j not available due to classloading issues running in system classpath -->
+ <dependency>
+ <groupId>commons-logging</groupId>
+ <artifactId>commons-logging</artifactId>
+ <version>1.1.1</version>
+ </dependency>
+ <dependency>
+ <groupId>log4j</groupId>
+ <artifactId>log4j</artifactId>
+ <version>1.2.14</version>
+ <scope>provided</scope>
+ </dependency>
+
+ <!-- slf4j used for testing only -->
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-api</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-log4j12</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <version>4.1</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.testng</groupId>
+ <artifactId>testng</artifactId>
+ <version>5.6</version>
+ <scope>test</scope>
+ </dependency>
+ <!-- javax -->
+ <dependency>
+ <groupId>javax.security</groupId>
+ <artifactId>jaas</artifactId>
+ <version>1.0.01</version>
+ <scope>provided</scope>
+ </dependency>
+
+ <!-- jboss -->
+ <dependency>
+ <groupId>org.jboss.logging</groupId>
+ <artifactId>jboss-logging-log4j</artifactId>
+ <version>2.1.0.GA</version>
+ </dependency>
+ <dependency>
+ <groupId>jboss</groupId>
+ <artifactId>jbosssx</artifactId>
+ <version>4.2.3.GA</version>
+ </dependency>
+
+ <dependency>
+ <groupId>org.springframework.security</groupId>
+ <artifactId>spring-security-core</artifactId>
+ <version>${spring.security.version}</version>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework.security</groupId>
+ <artifactId>spring-security-config</artifactId>
+ <version>${spring.security.version}</version>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework.security</groupId>
+ <artifactId>spring-security-acl</artifactId>
+ <version>${spring.security.version}</version>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework.security</groupId>
+ <artifactId>spring-security-web</artifactId>
+ <version>${spring.security.version}</version>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-context</artifactId>
+ <version>${spring.version}</version>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-context-support</artifactId>
+ <version>${spring.version}</version>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-aop</artifactId>
+ <version>${spring.version}</version>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>aopalliance</groupId>
+ <artifactId>aopalliance</artifactId>
+ <version>1.0</version>
+ <scope>provided</scope>
+ </dependency>
+ <!--dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-tx</artifactId>
+ <version>${spring.version}</version>
+ <scope>provided</scope>
+ </dependency-->
+ <dependency>
+ <groupId>net.sf.ehcache</groupId>
+ <artifactId>ehcache</artifactId>
+ <version>1.6.2</version>
+ <optional>true</optional>
+ </dependency>
+ <dependency>
+ <groupId>mysql</groupId>
+ <artifactId>mysql-connector-java</artifactId>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.collectionspace.services</groupId>
+ <artifactId>org.collectionspace.services.authorization.jaxb</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+
+ </dependencies>
+
+ <build>
+ <finalName>cspace-services-authz</finalName>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-surefire-plugin</artifactId>
+ <configuration>
+ <systemProperties>
+ <property>
+ <name>log4j.configuration</name>
+ <value>file:target/test-classes/log4j.properties</value>
+ </property>
+ <property>
+ <name>spring-beans-config</name>
+ <value>applicationContext-authorization-test.xml</value>
+ </property>
+ </systemProperties>
+ </configuration>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-compiler-plugin</artifactId>
+ <configuration>
+ <source>1.6</source>
+ <target>1.6</target>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+</project>
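Review bot: The `jbosssx` dependency hard-codes `<version>4.2.3.GA</version>` even though the `<properties>` block defines `jboss.version` with that same value; use `<version>${jboss.version}</version>` there so the JBoss artifacts move together. The root `<project>` element also lacks the POM namespace and `xsi:schemaLocation` that the pstore pom in this commit declares, which disables schema validation of the file in IDEs. Since the Spring Security ACL module pinned by `spring.security.version` is what enforces authorization here, a one-line comment on why `3.0.2.RELEASE` was chosen would make later upgrades deliberate.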
--- /dev/null
+/**
+ * This document is a part of the source code and related artifacts
+ * for CollectionSpace, an open source collections management system
+ * for museums and related institutions:
+
+ * http://www.collectionspace.org
+ * http://wiki.collectionspace.org
+
+ * Copyright 2009 University of California at Berkeley
+
+ * Licensed under the Educational Community License (ECL), Version 2.0.
+ * You may not use this file except in compliance with this License.
+
+ * You may obtain a copy of the ECL 2.0 License at
+
+ * https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *//**
+ * This document is a part of the source code and related artifacts
+ * for CollectionSpace, an open source collections management system
+ * for museums and related institutions:
+
+ * http://www.collectionspace.org
+ * http://wiki.collectionspace.org
+
+ * Copyright 2009 University of California at Berkeley
+
+ * Licensed under the Educational Community License (ECL), Version 2.0.
+ * You may not use this file except in compliance with this License.
+
+ * You may obtain a copy of the ECL 2.0 License at
+
+ * https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/*
+ * To change this template, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package org.collectionspace.services.authorization;
+
+import java.util.List;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.collectionspace.services.authorization.spi.CSpaceAuthorizationProvider;
+import org.springframework.context.support.ClassPathXmlApplicationContext;
+
+/**
+ * AuthZ is the authorization service singleton used by the services runtime
+ * @author
+ */
+public class AuthZ {
+
+ /**
+ * volatile is used here to assume about ordering (post JDK 1.5)
+ */
+ private static volatile AuthZ self = new AuthZ();
+ private CSpaceAuthorizationProvider provider;
+ final Log log = LogFactory.getLog(AuthZ.class);
+
+ private AuthZ() {
+ setupProvider();
+ }
+
+ /**
+ *
+ * @return
+ */
+ public final static AuthZ get() {
+ return self;
+ }
+
+ private void setupProvider() {
+ String beanConfig = "applicationContext-authorization.xml";
+ //system property is only set in test environment
+ String beanConfigProp = System.getProperty("spring-beans-config");
+ if (beanConfigProp != null && !beanConfigProp.isEmpty()) {
+ beanConfig = beanConfigProp;
+ }
+ if (log.isDebugEnabled()) {
+ log.debug("reading beanConfig=" + beanConfig);
+ }
+ ClassPathXmlApplicationContext appContext = new ClassPathXmlApplicationContext(
+ new String[]{beanConfig});
+ provider = (CSpaceAuthorizationProvider) appContext.getBean("cspaceAuthorizationProvider");
+ if (log.isDebugEnabled()) {
+ log.debug("initialized the authz provider");
+ }
+ }
+
+ /**
+ * addPermissions add permissions from given permission configuration
+ * @param permission configuration
+ */
+ public void addPermissions(PermissionConfig pConfig) {
+ List<String> principals = pConfig.getRole();
+ List<String> users = pConfig.getUser();
+ principals.addAll(users);
+ List<ActionType> actions = pConfig.getAction();
+ for (ActionType action : actions) {
+ URIResourceImpl uriRes = new URIResourceImpl(pConfig.getResourceName(),
+ action);
+ addPermission(uriRes, principals.toArray(new String[0]));
+ }
+ }
+
+ /**
+ * addPermission for given principals to access given resource
+ * -permission is retrieved from the resource
+ * @param res
+ * @param principals
+ */
+ public void addPermission(CSpaceResource res, String[] principals) {
+ CSpaceAction action = res.getAction();
+ addPermission(res, principals, action);
+ }
+
+ /**
+ * addPermission add given permission for given principals to access given resource
+ * @param res
+ * @param principals
+ * @param perm
+ */
+ public void addPermission(CSpaceResource res, String[] principals, CSpaceAction action) {
+ provider.getPermissionManager().addPermission(res, principals, action);
+ if (log.isDebugEnabled()) {
+ log.debug("added permission resource=" + res.getId() + " action=" + action.name());
+ }
+ }
+
+ /**
+ * deletePermission for given principals for given resource
+ * permission is retrieve from the resource
+ * @param res
+ * @param principals
+ */
+ public void deletePermission(CSpaceResource res, String[] principals) {
+ CSpaceAction action = res.getAction();
+ deletePermission(res, principals, action);
+ }
+
+ /**
+ * deletePermission given permission for given principals for given resource
+ * @param res
+ * @param principals
+ * @param perm
+ */
+ public void deletePermission(CSpaceResource res, String[] principals, CSpaceAction action) {
+ provider.getPermissionManager().deletePermission(res, principals, action);
+ if (log.isDebugEnabled()) {
+ log.debug("removed permission resource=" + res.getId() + " action=" + action.name());
+ }
+ }
+
+ /**
+ * isAccessAllowed check if authenticated principal is allowed to access
+ * given resource, permission is retrieved from the resource
+ * @param res
+ * @return
+ */
+ public boolean isAccessAllowed(CSpaceResource res) {
+ CSpaceAction action = res.getAction();
+ return isAccessAllowed(res, action);
+ }
+
+ /**
+ * isAccessAllowed check if authenticated principal is allowed to access
+ * given resource per given permission
+ * @param res
+ * @param perm
+ * @return
+ */
+ public boolean isAccessAllowed(CSpaceResource res, CSpaceAction action) {
+ return provider.getPermissionEvaluator().hasPermission(res, action);
+ }
+}
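Review bot: `addPermissions` calls `principals.addAll(users)` on the list returned by `pConfig.getRole()`, so it mutates the caller's `PermissionConfig` — if that is a live JAXB-backed list, the user names are permanently appended to the role list and a second call re-adds them; copy first, `List<String> principals = new ArrayList<String>(pConfig.getRole()); principals.addAll(pConfig.getUser());` (importing `java.util.ArrayList`). The Javadoc also disagrees with the code: `@param permission configuration` does not name `pConfig`, and `@param perm` on the three-argument `addPermission`/`deletePermission` and on `isAccessAllowed` refers to a parameter that is actually called `action`. The license header is pasted twice back-to-back (`*//**`) in this file and likewise in `CSpaceAction.java` and `CSpaceResource.java` below; one copy is enough. The `ClassPathXmlApplicationContext` built in `setupProvider` is never closed, which is acceptable for a process-lifetime singleton but should be stated in the comment on `self`.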
--- /dev/null
+/**
+ * This document is a part of the source code and related artifacts
+ * for CollectionSpace, an open source collections management system
+ * for museums and related institutions:
+
+ * http://www.collectionspace.org
+ * http://wiki.collectionspace.org
+
+ * Copyright 2009 University of California at Berkeley
+
+ * Licensed under the Educational Community License (ECL), Version 2.0.
+ * You may not use this file except in compliance with this License.
+
+ * You may obtain a copy of the ECL 2.0 License at
+
+ * https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *//**
+ * This document is a part of the source code and related artifacts
+ * for CollectionSpace, an open source collections management system
+ * for museums and related institutions:
+
+ * http://www.collectionspace.org
+ * http://wiki.collectionspace.org
+
+ * Copyright 2009 University of California at Berkeley
+
+ * Licensed under the Educational Community License (ECL), Version 2.0.
+ * You may not use this file except in compliance with this License.
+
+ * You may obtain a copy of the ECL 2.0 License at
+
+ * https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/*
+ * To change this template, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package org.collectionspace.services.authorization;
+
+/**
+ * CollectionSpace permission for a resource. A resource could be an entity, a
+ * procedure/activity, an attribute or an action
+ * @author
+ */
+public enum CSpaceAction {
+
+ /**
+ * permission to create a collectionspace resource
+ */
+ CREATE,
+ /**
+ * permission to retrieve a collectionspace resource
+ */
+ READ,
+ /**
+ * permission to update a collectionspace resource
+ */
+ UPDATE,
+ /**
+ * to delete a collectionspace resource
+ */
+ DELETE,
+ /**
+ * permission to search a collectionspace service resource
+ */
+ SEARCH,
+ /**
+ * permission to execute/run a collectionspace service resource
+ */
+ RUN,
+ /**
+ * permission to start a collectionspace service activity/procedure
+ */
+ START,
+ /**
+ * permission to stop a collectionspace service activity/procedure
+ */
+ STOP,
+ /**
+ * permission to administer any collectionspace service resource, involves
+ * all the permissions described above
+ */
+ ADMIN
+}
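Review bot: The `ADMIN` Javadoc says it "involves all the permissions described above", but nothing in the enum encodes that relationship — whether `ADMIN` implies `READ` or `DELETE` is decided by whichever permission evaluator is wired in, so a reader of this type cannot rely on it. Either reword to `permission to administer any collectionspace service resource; whether this implies the other actions is decided by the permission evaluator`, or name where the implication is enforced. The `DELETE` comment also drops the leading "permission to" that every sibling uses.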
--- /dev/null
+/**
+ * This document is a part of the source code and related artifacts
+ * for CollectionSpace, an open source collections management system
+ * for museums and related institutions:
+
+ * http://www.collectionspace.org
+ * http://wiki.collectionspace.org
+
+ * Copyright 2009 University of California at Berkeley
+
+ * Licensed under the Educational Community License (ECL), Version 2.0.
+ * You may not use this file except in compliance with this License.
+
+ * You may obtain a copy of the ECL 2.0 License at
+
+ * https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *//**
+ * This document is a part of the source code and related artifacts
+ * for CollectionSpace, an open source collections management system
+ * for museums and related institutions:
+
+ * http://www.collectionspace.org
+ * http://wiki.collectionspace.org
+
+ * Copyright 2009 University of California at Berkeley
+
+ * Licensed under the Educational Community License (ECL), Version 2.0.
+ * You may not use this file except in compliance with this License.
+
+ * You may obtain a copy of the ECL 2.0 License at
+
+ * https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+package org.collectionspace.services.authorization;
+
+/**
+ * CSpaceResource represents the resource to secure
+ * @author
+ */
+public interface CSpaceResource {
+
+ public enum TYPE {
+ URI,
+ CLASS,
+ OBJECT,
+ ATTRIBUTE
+ }
+ public String getId();
+
+ public TYPE getType();
+
+ /**
+ * getAction is a conveneniece method to get corresponding action to be invoked
+ * on the resource for which permission is sought
+ * @return
+ */
+ public CSpaceAction getAction();
+}
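Review bot: The license header appears twice in this file, the second copy starting on the line where the first closes (`*//**`); the same duplication is present in CSpaceResourceImpl, URIResourceImpl, CSpacePermissionEvaluator, CSpaceSecurityMetadataSource, SpringAuthorizationProvider and SpringPermissionManager, and each of these files carries an empty `@author` tag that should be filled in or dropped. getId() and getType() have no javadoc although the id is the value the Spring provider keys ACL identities on, so a one-line contract such as `/** @return the identifier under which permissions on this resource are stored; must be non-null and stable */` would help implementers. The javadoc of getAction has a typo ("conveneniece") and an empty `@return`.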
--- /dev/null
+/**
+ * This document is a part of the source code and related artifacts
+ * for CollectionSpace, an open source collections management system
+ * for museums and related institutions:
+
+ * http://www.collectionspace.org
+ * http://wiki.collectionspace.org
+
+ * Copyright 2009 University of California at Berkeley
+
+ * Licensed under the Educational Community License (ECL), Version 2.0.
+ * You may not use this file except in compliance with this License.
+
+ * You may obtain a copy of the ECL 2.0 License at
+
+ * https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *//**
+ * This document is a part of the source code and related artifacts
+ * for CollectionSpace, an open source collections management system
+ * for museums and related institutions:
+
+ * http://www.collectionspace.org
+ * http://wiki.collectionspace.org
+
+ * Copyright 2009 University of California at Berkeley
+
+ * Licensed under the Educational Community License (ECL), Version 2.0.
+ * You may not use this file except in compliance with this License.
+
+ * You may obtain a copy of the ECL 2.0 License at
+
+ * https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/*
+ * To change this template, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package org.collectionspace.services.authorization;
+
+/**
+ * CSpaceResourceImpl abstract resource implementation
+ * @author
+ */
+public abstract class CSpaceResourceImpl implements CSpaceResource {
+
+ private String id;
+ private TYPE type;
+
+ public CSpaceResourceImpl() {
+ }
+
+ public CSpaceResourceImpl(String id, TYPE type) {
+ if (id == null || id.isEmpty() || type == null) {
+ throw new IllegalArgumentException("id and/or type cannot be null or empty");
+ }
+ this.id = id;
+ this.type = type;
+ }
+
+ @Override
+ public String getId() {
+ return id;
+ }
+
+ @Override
+ public TYPE getType() {
+ return type;
+ }
+
+ @Override
+ public abstract CSpaceAction getAction();
+}
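Review bot: The no-argument constructor bypasses the validation done by the two-argument one and leaves `id` and `type` null, so a resource built that way will later fail with a NullPointerException in consumers that call `getId().hashCode()` or `getType().toString()` (SpringAuthorizationProvider.mapResource, SpringPermissionEvaluator.hasPermission). If it exists only for a framework or serialization need, say so in a javadoc and consider making it `protected`; otherwise remove it so every instance is validated. The validation message could also name which argument was rejected, e.g. `throw new IllegalArgumentException("id cannot be null or empty and type cannot be null: id=" + id + ", type=" + type);`.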
--- /dev/null
+/**
+ * This document is a part of the source code and related artifacts
+ * for CollectionSpace, an open source collections management system
+ * for museums and related institutions:
+
+ * http://www.collectionspace.org
+ * http://wiki.collectionspace.org
+
+ * Copyright 2009 University of California at Berkeley
+
+ * Licensed under the Educational Community License (ECL), Version 2.0.
+ * You may not use this file except in compliance with this License.
+
+ * You may obtain a copy of the ECL 2.0 License at
+
+ * https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *//**
+ * This document is a part of the source code and related artifacts
+ * for CollectionSpace, an open source collections management system
+ * for museums and related institutions:
+
+ * http://www.collectionspace.org
+ * http://wiki.collectionspace.org
+
+ * Copyright 2009 University of California at Berkeley
+
+ * Licensed under the Educational Community License (ECL), Version 2.0.
+ * You may not use this file except in compliance with this License.
+
+ * You may obtain a copy of the ECL 2.0 License at
+
+ * https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.collectionspace.services.authorization;
+
+import java.util.StringTokenizer;
+
+/**
+ * A security resource that represents URI and method invoked on it
+ * @author
+ */
+public class URIResourceImpl extends CSpaceResourceImpl {
+
+ private String uri;
+ private String method;
+ private CSpaceAction action;
+
+ /**
+ * constructor that is usually called from service runtime
+ * @param uri
+ * @param method an http method
+ */
+ public URIResourceImpl(String uri, String method) {
+ super(getParent(uri) + "#" + getAction(method).toString(), TYPE.URI);
+ action = getAction(method);
+ this.uri = uri;
+ this.method = method;
+ }
+
+ /**
+ * constructor that is usually called from administrative interface
+ * @param resourceName
+ * @param actionType
+ */
+ public URIResourceImpl(String resourceName, ActionType actionType) {
+ //FIXME more validation might be needed
+ super(resourceName + "#" + getAction(actionType).toString(), TYPE.URI);
+ action = getAction(actionType);
+ }
+
+ /**
+ * @return the uri
+ */
+ public String getUri() {
+ return uri;
+ }
+
+ /**
+ * @param uri the uri to set
+ */
+ public void setUri(String uri) {
+ this.uri = uri;
+ }
+
+ /**
+ * @return the method
+ */
+ public String getMethod() {
+ return method;
+ }
+
+ /**
+ * @param method the method to set
+ */
+ public void setMethod(String method) {
+ this.method = method;
+ }
+
+ /**
+ * getAction a convenience method to get action invoked on the resource
+ */
+ @Override
+ public CSpaceAction getAction() {
+ return action;
+ }
+
+ private static String getParent(String uri) {
+ StringTokenizer stz = new StringTokenizer(uri, "/");
+ //FIXME the following ignores sub resources as well as object instances
+ return stz.nextToken();
+ }
+
+ /**
+ * getAction is a conveneniece method to get action
+ * for given HTTP method invoked on the resource
+ * @param method http method
+ * @return
+ */
+ public static CSpaceAction getAction(String method) {
+
+ if ("POST".equalsIgnoreCase(method)) {
+ return CSpaceAction.CREATE;
+ } else if ("GET".equalsIgnoreCase(method)) {
+ return CSpaceAction.READ;
+ } else if ("PUT".equalsIgnoreCase(method)) {
+ return CSpaceAction.UPDATE;
+ } else if ("DELETE".equalsIgnoreCase(method)) {
+ return CSpaceAction.DELETE;
+ }
+ throw new IllegalStateException("no method found!");
+ }
+
+ /**
+ * getAction is a convenience method to get corresponding action for
+ * given ActionType
+ * @param action
+ * @return
+ */
+ public static CSpaceAction getAction(ActionType action) {
+ if (ActionType.CREATE.equals(action)) {
+ return CSpaceAction.CREATE;
+ } else if (ActionType.READ.equals(action)) {
+ return CSpaceAction.READ;
+ } else if (ActionType.UPDATE.equals(action)) {
+ return CSpaceAction.UPDATE;
+ } else if (ActionType.DELETE.equals(action)) {
+ return CSpaceAction.DELETE;
+ } else if (ActionType.SEARCH.equals(action)) {
+ return CSpaceAction.SEARCH;
+ } else if (ActionType.ADMIN.equals(action)) {
+ return CSpaceAction.ADMIN;
+ } else if (ActionType.START.equals(action)) {
+ return CSpaceAction.START;
+ } else if (ActionType.STOP.equals(action)) {
+ return CSpaceAction.STOP;
+ }
+ throw new IllegalArgumentException("action = " + action.toString());
+ }
+}
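Review bot: getParent calls `stz.nextToken()` without checking `hasMoreTokens()`, so an empty or bare `/` uri escapes the constructor as a NoSuchElementException rather than a descriptive rejection; `if (!stz.hasMoreTokens()) throw new IllegalArgumentException("uri has no path segment: " + uri);` before the return makes the failure explicit. Its FIXME already records that only the first path segment is used, which means every sub-resource and object instance under a service shares one permission id; that coarse-grained model is worth stating in the class javadoc so callers do not assume per-instance checks. getAction(ActionType) concatenates `action.toString()` in its throw, turning a null argument into a NullPointerException instead of the intended IllegalArgumentException; `throw new IllegalArgumentException("action = " + action);` handles null. The (resourceName, ActionType) constructor also leaves `uri` and `method` null, so getUri()/getMethod() on an administratively created resource return null, and its FIXME about validation applies to `resourceName` being null or empty.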
--- /dev/null
+/**
+ * This document is a part of the source code and related artifacts
+ * for CollectionSpace, an open source collections management system
+ * for museums and related institutions:
+
+ * http://www.collectionspace.org
+ * http://wiki.collectionspace.org
+
+ * Copyright 2009 University of California at Berkeley
+
+ * Licensed under the Educational Community License (ECL), Version 2.0.
+ * You may not use this file except in compliance with this License.
+
+ * You may obtain a copy of the ECL 2.0 License at
+
+ * https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/*
+ * To change this template, choose Tools | Templates
+ * and open the template in the editor.
+ */
+
+package org.collectionspace.services.authorization.spi;
+
+/**
+ * CSpaceAuthorizationProvider acts as a main interface to access the provider
+ * specific information
+ * @author
+ */
+public interface CSpaceAuthorizationProvider {
+
+ public String getName();
+
+ public String getVersion();
+
+ public CSpacePermissionEvaluator getPermissionEvaluator();
+
+ public CSpacePermissionManager getPermissionManager();
+}
--- /dev/null
+/**
+ * This document is a part of the source code and related artifacts
+ * for CollectionSpace, an open source collections management system
+ * for museums and related institutions:
+
+ * http://www.collectionspace.org
+ * http://wiki.collectionspace.org
+
+ * Copyright 2009 University of California at Berkeley
+
+ * Licensed under the Educational Community License (ECL), Version 2.0.
+ * You may not use this file except in compliance with this License.
+
+ * You may obtain a copy of the ECL 2.0 License at
+
+ * https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *//**
+ * This document is a part of the source code and related artifacts
+ * for CollectionSpace, an open source collections management system
+ * for museums and related institutions:
+
+ * http://www.collectionspace.org
+ * http://wiki.collectionspace.org
+
+ * Copyright 2009 University of California at Berkeley
+
+ * Licensed under the Educational Community License (ECL), Version 2.0.
+ * You may not use this file except in compliance with this License.
+
+ * You may obtain a copy of the ECL 2.0 License at
+
+ * https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+package org.collectionspace.services.authorization.spi;
+
+import org.collectionspace.services.authorization.CSpaceResource;
+import org.collectionspace.services.authorization.CSpaceAction;
+
+/**
+ * Permission evaluation interface for CSpace services
+ * @author
+ */
+public interface CSpacePermissionEvaluator {
+
+ public boolean hasPermission(CSpaceResource res, CSpaceAction perm);
+}
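Review bot: hasPermission has no javadoc stating which principal is evaluated or what the boolean means; the only visible implementation (SpringPermissionEvaluator) takes the subject from SecurityContextHolder, which callers need to know to use this interface correctly. If that is the intended contract, document it on the interface, e.g. `/** @return true if the currently authenticated principal holds {@code perm} on {@code res}; false otherwise, including when no principal is authenticated */`. The parameter name `perm` is a CSpaceAction, so `action` would read more consistently with CSpaceResource.getAction().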
--- /dev/null
+/**
+ * This document is a part of the source code and related artifacts
+ * for CollectionSpace, an open source collections management system
+ * for museums and related institutions:
+
+ * http://www.collectionspace.org
+ * http://wiki.collectionspace.org
+
+ * Copyright 2009 University of California at Berkeley
+
+ * Licensed under the Educational Community License (ECL), Version 2.0.
+ * You may not use this file except in compliance with this License.
+
+ * You may obtain a copy of the ECL 2.0 License at
+
+ * https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+package org.collectionspace.services.authorization.spi;
+
+import org.collectionspace.services.authorization.CSpaceResource;
+import org.collectionspace.services.authorization.CSpaceAction;
+
+/**
+ * Permission management interface for CSpace services
+ * @author
+ */
+public interface CSpacePermissionManager {
+
+ public void addPermission(CSpaceResource res, String[] principals, CSpaceAction perm);
+
+ public void deletePermission(CSpaceResource res, String[] principals, CSpaceAction perm);
+}
--- /dev/null
+/**
+ * This document is a part of the source code and related artifacts
+ * for CollectionSpace, an open source collections management system
+ * for museums and related institutions:
+
+ * http://www.collectionspace.org
+ * http://wiki.collectionspace.org
+
+ * Copyright 2009 University of California at Berkeley
+
+ * Licensed under the Educational Community License (ECL), Version 2.0.
+ * You may not use this file except in compliance with this License.
+
+ * You may obtain a copy of the ECL 2.0 License at
+
+ * https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *//**
+ * This document is a part of the source code and related artifacts
+ * for CollectionSpace, an open source collections management system
+ * for museums and related institutions:
+
+ * http://www.collectionspace.org
+ * http://wiki.collectionspace.org
+
+ * Copyright 2009 University of California at Berkeley
+
+ * Licensed under the Educational Community License (ECL), Version 2.0.
+ * You may not use this file except in compliance with this License.
+
+ * You may obtain a copy of the ECL 2.0 License at
+
+ * https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/*
+ * To change this template, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package org.collectionspace.services.authorization.spring;
+
+import java.util.Collection;
+import java.util.Properties;
+import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.access.SecurityConfig;
+import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
+
+/**
+ *
+ * @author
+ */
+public class CSpaceSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {
+
+ private Properties urlProperties;
+
+ public Collection<ConfigAttribute> getAllConfigAttributes() {
+ return null;
+ }
+
+ public Collection<ConfigAttribute> getAttributes(Object filter)
+ throws IllegalArgumentException {
+ FilterInvocation filterInvocation = (FilterInvocation) filter;
+ String url = filterInvocation.getRequestUrl();
+
+ //get the roles for requested page from the property file
+ String urlPropsValue = urlProperties.getProperty(url);
+ StringBuilder rolesStringBuilder = new StringBuilder();
+ if (urlPropsValue != null) {
+ rolesStringBuilder.append(urlPropsValue).append(",");
+ }
+
+ if (!url.endsWith("/")) {
+ int lastSlashIndex = url.lastIndexOf("/");
+ url = url.substring(0, lastSlashIndex + 1);
+ }
+
+
+ String[] urlParts = url.split("/");
+
+ StringBuilder urlBuilder = new StringBuilder();
+ for (String urlPart : urlParts) {
+ if (urlPart.trim().length() == 0) {
+ continue;
+ }
+ urlBuilder.append("/").append(urlPart);
+ urlPropsValue = urlProperties.getProperty(urlBuilder.toString() + "/**");
+
+ if (urlPropsValue != null) {
+ rolesStringBuilder.append(urlPropsValue).append(",");
+ }
+ }
+
+ if (rolesStringBuilder.toString().endsWith(",")) {
+ rolesStringBuilder.deleteCharAt(rolesStringBuilder.length() - 1);
+ }
+
+
+ if (rolesStringBuilder.length() == 0) {
+ return null;
+ }
+
+ return SecurityConfig.createListFromCommaDelimitedString(rolesStringBuilder.toString());
+ }
+
+ public boolean supports(Class<?> arg0) {
+ return true;
+ }
+
+ public void setUrlProperties(Properties urlProperties) {
+ this.urlProperties = urlProperties;
+ }
+
+ public Properties getUrlProperties() {
+ return urlProperties;
+ }
+}
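Review bot: getAttributes returns null when no property matches, and with FilterSecurityInterceptor's default `rejectPublicInvocations=false` a null attribute set means the request is not secured at all, so any URL absent from `urlProperties` is reachable without authorization; either return a deny-all attribute or set `rejectPublicInvocations` to true on the interceptor so unmapped URLs fail closed. The loop over `urlParts` also unions the roles of every ancestor `/**` pattern into one attribute list, and an affirmative RoleVoter grants access when any one attribute matches, so a broad parent entry (for example `/**` allowing a general role) would let that role through a narrower child entry meant for administrators; using only the most specific matching pattern avoids widening access. `getRequestUrl()` includes the query string, so the exact-match lookup misses a URL with parameters, and `urlProperties` is dereferenced without a null check, so a missing bean property surfaces as a NullPointerException instead of a configuration error. getAllConfigAttributes returning null also disables the interceptor's start-up validation of attributes.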
--- /dev/null
+/**
+ * This document is a part of the source code and related artifacts
+ * for CollectionSpace, an open source collections management system
+ * for museums and related institutions:
+
+ * http://www.collectionspace.org
+ * http://wiki.collectionspace.org
+
+ * Copyright 2009 University of California at Berkeley
+
+ * Licensed under the Educational Community License (ECL), Version 2.0.
+ * You may not use this file except in compliance with this License.
+
+ * You may obtain a copy of the ECL 2.0 License at
+
+ * https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *//**
+ * This document is a part of the source code and related artifacts
+ * for CollectionSpace, an open source collections management system
+ * for museums and related institutions:
+
+ * http://www.collectionspace.org
+ * http://wiki.collectionspace.org
+
+ * Copyright 2009 University of California at Berkeley
+
+ * Licensed under the Educational Community License (ECL), Version 2.0.
+ * You may not use this file except in compliance with this License.
+
+ * You may obtain a copy of the ECL 2.0 License at
+
+ * https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/*
+ * To change this template, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package org.collectionspace.services.authorization.spring;
+
+import java.util.ArrayList;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.collectionspace.services.authorization.CSpaceAction;
+import org.collectionspace.services.authorization.CSpaceResource;
+import org.collectionspace.services.authorization.spi.CSpaceAuthorizationProvider;
+import org.collectionspace.services.authorization.spi.CSpacePermissionEvaluator;
+import org.collectionspace.services.authorization.spi.CSpacePermissionManager;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.PermissionEvaluator;
+import org.springframework.security.acls.domain.BasePermission;
+import org.springframework.security.acls.domain.GrantedAuthoritySid;
+import org.springframework.security.acls.domain.ObjectIdentityImpl;
+import org.springframework.security.acls.model.MutableAclService;
+import org.springframework.security.acls.model.ObjectIdentity;
+import org.springframework.security.acls.model.Permission;
+import org.springframework.security.acls.model.Sid;
+
+/**
+ * SpringAuthorizationProvider Spring Security provider
+ * @author
+ */
+public class SpringAuthorizationProvider implements CSpaceAuthorizationProvider {
+
+ final Log log = LogFactory.getLog(SpringPermissionEvaluator.class);
+ @Autowired
+ private MutableAclService providerAclService;
+ @Autowired
+ private PermissionEvaluator providerPermissionEvaluator;
+ private SpringPermissionEvaluator permissionEvaluator;
+ private SpringPermissionManager permissionManager;
+ private String version = "1.0";
+
+ public SpringAuthorizationProvider() {
+ permissionManager = new SpringPermissionManager(this);
+ permissionEvaluator = new SpringPermissionEvaluator(this);
+ }
+
+ MutableAclService getProviderAclService() {
+ return providerAclService;
+ }
+
+ public void setProviderAclService(MutableAclService mutableAclService) {
+ this.providerAclService = mutableAclService;
+ if (log.isDebugEnabled()) {
+ log.debug("mutableAclService set");
+ }
+ }
+
+ @Override
+ public String getName() {
+ return this.getClass().getSimpleName();
+ }
+
+ @Override
+ public String getVersion() {
+ return version;
+ }
+
+ PermissionEvaluator getProviderPermissionEvaluator() {
+ return providerPermissionEvaluator;
+ }
+
+ public void setProviderPermissionEvaluator(PermissionEvaluator permEval) {
+ this.providerPermissionEvaluator = permEval;
+ if (log.isDebugEnabled()) {
+ log.debug("permission evaluator set");
+ }
+ }
+
+ @Override
+ public CSpacePermissionEvaluator getPermissionEvaluator() {
+ return permissionEvaluator;
+ }
+
+ @Override
+ public CSpacePermissionManager getPermissionManager() {
+ return permissionManager;
+ }
+
+ static ObjectIdentity mapResource(CSpaceResource res) {
+ return new ObjectIdentityImpl(res.getType().toString(), Long.valueOf(res.getId().hashCode()));
+ }
+
+ static Sid[] mapPrincipal(String[] principals) {
+ ArrayList<Sid> sids = new ArrayList<Sid>();
+ for (String principal : principals) {
+ sids.add(new GrantedAuthoritySid(principal));
+ }
+ return sids.toArray(new Sid[0]);
+ }
+
+ static Permission mapPermssion(CSpaceAction perm) {
+ switch (perm) {
+ case ADMIN:
+ return BasePermission.ADMINISTRATION;
+ case CREATE:
+ return BasePermission.CREATE;
+ case READ:
+ return BasePermission.READ;
+ case UPDATE:
+ return BasePermission.WRITE;
+ case DELETE:
+ return BasePermission.DELETE;
+ }
+ return null;
+ }
+}
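Review bot: mapResource derives the ACL object identity from `res.getId().hashCode()`, so two distinct resource ids whose String hashes collide share one ACL and a grant on one becomes a grant on the other; because the Spring 3 JDBC ACL schema and BasicLookupStrategy key the identity as a Long, a collision-free mapping needs a stable numeric surrogate per resource id rather than a hash. The same derivation is repeated inline in SpringPermissionEvaluator.hasPermission, so the two can drift apart. mapPermssion returns null for SEARCH, START and STOP, and that null flows into insertAce and the permission evaluator; it should either map them to a Permission or throw, and `default:` in the switch would make the omission visible. The logger on the field line is created for `SpringPermissionEvaluator.class` rather than this class (SpringPermissionManager has the same copy-paste), and the method name is misspelled (`mapPermission`).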
--- /dev/null
+/**
+ * This document is a part of the source code and related artifacts
+ * for CollectionSpace, an open source collections management system
+ * for museums and related institutions:
+
+ * http://www.collectionspace.org
+ * http://wiki.collectionspace.org
+
+ * Copyright 2009 University of California at Berkeley
+
+ * Licensed under the Educational Community License (ECL), Version 2.0.
+ * You may not use this file except in compliance with this License.
+
+ * You may obtain a copy of the ECL 2.0 License at
+
+ * https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.collectionspace.services.authorization.spring;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.collectionspace.services.authorization.CSpaceAction;
+import org.collectionspace.services.authorization.spi.CSpacePermissionEvaluator;
+
+import org.collectionspace.services.authorization.CSpaceResource;
+import org.springframework.security.access.PermissionEvaluator;
+import org.springframework.security.acls.model.Permission;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+
+/**
+ * SpringPermissionEvaluator evaluates permissions in Spring Security
+ * @author
+ */
+public class SpringPermissionEvaluator implements CSpacePermissionEvaluator {
+
+ final Log log = LogFactory.getLog(SpringPermissionEvaluator.class);
+ private SpringAuthorizationProvider provider;
+
+ SpringPermissionEvaluator(SpringAuthorizationProvider provider) {
+ this.provider = provider;
+ }
+
+ @Override
+ public boolean hasPermission(CSpaceResource res, CSpaceAction perm) {
+ PermissionEvaluator eval = provider.getProviderPermissionEvaluator();
+ Permission p = SpringAuthorizationProvider.mapPermssion(perm);
+ Authentication authToken = SecurityContextHolder.getContext().getAuthentication();
+ return eval.hasPermission(authToken, Long.valueOf(res.getId().hashCode()), res.getType().toString(), p);
+ }
+}
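Review bot: hasPermission rebuilds the ACL target identity inline (`Long.valueOf(res.getId().hashCode())`, `res.getType().toString()`) instead of going through SpringAuthorizationProvider.mapResource, so a change to the identity mapping would have to be made in two places; `ObjectIdentity oid = SpringAuthorizationProvider.mapResource(res);` followed by `return eval.hasPermission(authToken, oid.getIdentifier(), oid.getType(), p);` keeps them consistent. `SecurityContextHolder.getContext().getAuthentication()` is null when no authentication has been established, and `p` is null for actions mapPermssion does not cover; both cases should return false up front rather than be handed to the delegate evaluator. The `log` field is created but never used here.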
--- /dev/null
+/**
+ * This document is a part of the source code and related artifacts
+ * for CollectionSpace, an open source collections management system
+ * for museums and related institutions:
+
+ * http://www.collectionspace.org
+ * http://wiki.collectionspace.org
+
+ * Copyright 2009 University of California at Berkeley
+
+ * Licensed under the Educational Community License (ECL), Version 2.0.
+ * You may not use this file except in compliance with this License.
+
+ * You may obtain a copy of the ECL 2.0 License at
+
+ * https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.collectionspace.services.authorization.spring;
+
+import java.util.List;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.collectionspace.services.authorization.CSpaceAction;
+import org.collectionspace.services.authorization.spi.CSpacePermissionManager;
+import org.collectionspace.services.authorization.CSpaceResource;
+import org.springframework.security.acls.model.AccessControlEntry;
+import org.springframework.security.acls.model.MutableAcl;
+import org.springframework.security.acls.model.MutableAclService;
+import org.springframework.security.acls.model.NotFoundException;
+import org.springframework.security.acls.model.ObjectIdentity;
+import org.springframework.security.acls.model.Permission;
+import org.springframework.security.acls.model.Sid;
+
+/**
+ * Manages permissions in Spring Security
+ * @author
+ */
+public class SpringPermissionManager implements CSpacePermissionManager {
+
+ final Log log = LogFactory.getLog(SpringPermissionEvaluator.class);
+ private SpringAuthorizationProvider provider;
+
+ SpringPermissionManager(SpringAuthorizationProvider provider) {
+ this.provider = provider;
+ }
+
+ @Override
+ public void addPermission(CSpaceResource res, String[] principals, CSpaceAction perm) {
+ ObjectIdentity oid = SpringAuthorizationProvider.mapResource(res);
+ Sid[] sids = SpringAuthorizationProvider.mapPrincipal(principals);
+ Permission p = SpringAuthorizationProvider.mapPermssion(perm);
+ for (Sid sid : sids) {
+ addPermission(oid, sid, p);
+ }
+ }
+
+ private void addPermission(ObjectIdentity oid, Sid recipient, Permission permission) {
+ MutableAcl acl;
+ MutableAclService mutableAclService = provider.getProviderAclService();
+ try {
+ acl = (MutableAcl) mutableAclService.readAclById(oid);
+ } catch (NotFoundException nfe) {
+ acl = mutableAclService.createAcl(oid);
+ }
+
+ acl.insertAce(acl.getEntries().size(), permission, recipient, true);
+ mutableAclService.updateAcl(acl);
+
+ }
+
+ @Override
+ public void deletePermission(CSpaceResource res, String[] principals, CSpaceAction perm) {
+ ObjectIdentity oid = SpringAuthorizationProvider.mapResource(res);
+ Sid[] sids = SpringAuthorizationProvider.mapPrincipal(principals);
+ Permission p = SpringAuthorizationProvider.mapPermssion(perm);
+ for (Sid sid : sids) {
+ deletePermission(oid, sid, p);
+ }
+ }
+
+ private void deletePermission(ObjectIdentity oid, Sid recipient, Permission permission) {
+
+ MutableAclService mutableAclService = provider.getProviderAclService();
+ MutableAcl acl = (MutableAcl) mutableAclService.readAclById(oid);
+
+ // Remove all permissions associated with this particular recipient (string equality to KISS)
+ List<AccessControlEntry> entries = acl.getEntries();
+
+ for (int i = 0; i < entries.size(); i++) {
+ if (entries.get(i).getSid().equals(recipient)
+ && entries.get(i).getPermission().equals(permission)) {
+ acl.deleteAce(i);
+ }
+ }
+ mutableAclService.updateAcl(acl);
+ }
+}
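Review bot: The loop in the private deletePermission removes entries by index while walking forwards, so after the first `acl.deleteAce(i)` the ACL's indices shift by one and the next matching entry is skipped or the wrong entry is removed; iterating in reverse, `for (int i = entries.size() - 1; i >= 0; i--)`, keeps the indices valid. If `getEntries()` returns a copy (as Spring's AclImpl does) the loop does not fail fast on the shift, which makes the bug silent. The comment above the loop says "all permissions associated with this particular recipient" but the condition also requires an equal permission, so the comment and code disagree. The logger field is created for `SpringPermissionEvaluator.class` rather than `SpringPermissionManager.class`.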
--- /dev/null
+<!--
+ Document : applicationContext-security.xml
+ Created on :
+ Author :
+ Copyright 2010 University of California at Berkeley
+ Description:
+ spring security namespace for CS service layer
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:sec="http://www.springframework.org/schema/security"
+ xmlns:tx="http://www.springframework.org/schema/tx"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+ http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
+ http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
+
+ <!-- application context containing the ACL beans. -->
+
+ <bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
+ <property name="permissionEvaluator" ref="permissionEvaluator"/>
+ </bean>
+
+ <bean id="permissionEvaluator" class="org.springframework.security.acls.AclPermissionEvaluator">
+ <constructor-arg ref="aclService"/>
+ </bean>
+
+ <bean id="aclService" class="org.springframework.security.acls.jdbc.JdbcMutableAclService">
+ <constructor-arg ref="dataSource"/>
+ <constructor-arg ref="lookupStrategy"/>
+ <constructor-arg ref="aclCache"/>
+ <property name="classIdentityQuery" value="SELECT @@IDENTITY"/>
+ <property name="sidIdentityQuery" value="SELECT @@IDENTITY"/>
+ </bean>
+
+ <bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean">
+ <property name="jndiName" value="CspaceDS"/>
+ </bean>
+
+ <bean id="lookupStrategy" class="org.springframework.security.acls.jdbc.BasicLookupStrategy">
+ <constructor-arg ref="dataSource"/>
+ <constructor-arg ref="aclCache"/>
+ <constructor-arg>
+ <bean class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
+ <constructor-arg>
+ <list>
+ <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
+ <constructor-arg value="ROLE_ADMINISTRATOR"/>
+ </bean>
+ <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
+ <constructor-arg value="ROLE_ADMINISTRATOR"/>
+ </bean>
+ <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
+ <constructor-arg value="ROLE_ADMINISTRATOR"/>
+ </bean>
+ </list>
+ </constructor-arg>
+ </bean>
+ </constructor-arg>
+ <constructor-arg>
+ <bean class="org.springframework.security.acls.domain.ConsoleAuditLogger"/>
+ </constructor-arg>
+ </bean>
+
+ <bean id="aclCache" class="org.springframework.security.acls.domain.EhCacheBasedAclCache">
+ <constructor-arg>
+ <bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
+ <property name="cacheManager">
+ <bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
+ </property>
+ <property name="cacheName" value="aclCache"/>
+ </bean>
+ </constructor-arg>
+ </bean>
+
+
+ <bean id="transactionManager" class="org.springframework.jdbc.datasource.DataSourceTransactionManager">
+ <property name="dataSource" ref="dataSource"/>
+ </bean>
+
+ <tx:annotation-driven transaction-manager="transactionManager" />
+
+ <bean id="cspaceAuthorizationProvider" class="org.collectionspace.services.authorization.spring.SpringAuthorizationProvider">
+ <property name="providerAclService" ref="aclService"/>
+ <property name="providerPermissionEvaluator" ref="permissionEvaluator"/>
+ </bean>
+</beans>
--- /dev/null
+/**
+ * This document is a part of the source code and related artifacts
+ * for CollectionSpace, an open source collections management system
+ * for museums and related institutions:
+
+ * http://www.collectionspace.org
+ * http://wiki.collectionspace.org
+
+ * Copyright 2009 University of California at Berkeley
+
+ * Licensed under the Educational Community License (ECL), Version 2.0.
+ * You may not use this file except in compliance with this License.
+
+ * You may obtain a copy of the ECL 2.0 License at
+
+ * https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *//**
+ * This document is a part of the source code and related artifacts
+ * for CollectionSpace, an open source collections management system
+ * for museums and related institutions:
+
+ * http://www.collectionspace.org
+ * http://wiki.collectionspace.org
+
+ * Copyright 2009 University of California at Berkeley
+
+ * Licensed under the Educational Community License (ECL), Version 2.0.
+ * You may not use this file except in compliance with this License.
+
+ * You may obtain a copy of the ECL 2.0 License at
+
+ * https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/*
+ * To change this template, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package org.collectionspace.services.authorization.test;
+
+import java.io.File;
+import java.io.InputStream;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import java.lang.reflect.Method;
+import java.util.ArrayList;
+import java.util.HashSet;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.Marshaller;
+import javax.xml.bind.Unmarshaller;
+import org.collectionspace.services.authorization.ActionType;
+import org.collectionspace.services.authorization.AuthZ;
+import org.collectionspace.services.authorization.PermissionConfig;
+import org.collectionspace.services.authorization.EffectType;
+import org.collectionspace.services.authorization.PermissionConfigList;
+import org.springframework.context.support.ClassPathXmlApplicationContext;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.GrantedAuthorityImpl;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.transaction.TransactionDefinition;
+import org.springframework.transaction.TransactionStatus;
+import org.springframework.transaction.support.DefaultTransactionDefinition;
+import org.testng.annotations.BeforeClass;
+import org.testng.annotations.DataProvider;
+import org.testng.annotations.Test;
+
+/**
+ *
+ * @author
+ */
+public class AuthorizationSeedTest {
+
+ final Logger logger = LoggerFactory.getLogger(AuthorizationSeedTest.class);
+
+ /**
+ * Returns the name of the currently running test.
+ *
+ * Note: although the return type is listed as Object[][],
+ * this method instead returns a String.
+ *
+ * @param m The currently running test method.
+ *
+ * @return The name of the currently running test method.
+ */
+ @DataProvider(name = "testName")
+ public static Object[][] testName(Method m) {
+ return new Object[][]{
+ new Object[]{m.getName()}
+ };
+ }
+
+ @BeforeClass(alwaysRun = true)
+ public void seedData() {
+ ClassPathXmlApplicationContext appContext = new ClassPathXmlApplicationContext(
+ new String[]{"applicationContext-authorization-test.xml"});
+ GrantedAuthority gauth = new GrantedAuthorityImpl("ROLE_ADMINISTRATOR");
+ HashSet<GrantedAuthority> gauths = new HashSet<GrantedAuthority>();
+ gauths.add(gauth);
+ Authentication authRequest = new UsernamePasswordAuthenticationToken("test", "test", gauths);
+
+ SecurityContextHolder.getContext().setAuthentication(authRequest);
+ AuthZ authZ = AuthZ.get();
+
+ org.springframework.jdbc.datasource.DataSourceTransactionManager txManager =
+ (org.springframework.jdbc.datasource.DataSourceTransactionManager) appContext.getBean("transactionManager");
+ DefaultTransactionDefinition def = new DefaultTransactionDefinition();
+ // explicitly setting the transaction name is something that can only be done programmatically
+ def.setName("seedData");
+ def.setPropagationBehavior(TransactionDefinition.PROPAGATION_REQUIRED);
+
+ TransactionStatus status = txManager.getTransaction(def);
+ try {
+ seedRoles();
+ seedPermissions();
+ } catch (Exception ex) {
+ txManager.rollback(status);
+ ex.printStackTrace();
+ throw new RuntimeException(ex);
+ }
+ txManager.commit(status);
+
+ }
+
+ public void seedRoles() throws Exception {
+ }
+
+ public void seedPermissions() throws Exception {
+
+ PermissionConfigList pcList =
+ (PermissionConfigList) fromFile(PermissionConfigList.class,
+ "./test-data/test-permissions.xml");
+ AuthZ authZ = AuthZ.get();
+ for (PermissionConfig pc : pcList.getPermission()) {
+ if(logger.isDebugEnabled()) {
+ logger.debug("adding permission for res=" + pc.getResourceName());
+ }
+ authZ.addPermissions(pc);
+ }
+ }
+
+ private void genPermissions() {
+ PermissionConfigList pcList = new PermissionConfigList();
+ ArrayList<PermissionConfig> apcList = new ArrayList<PermissionConfig>();
+ pcList.setPermission(apcList);
+ PermissionConfig pc = new PermissionConfig();
+ pc.setResourceName("accounts");
+ pc.setEffect(EffectType.PERMIT);
+ ArrayList<String> roles = new ArrayList<String>();
+ roles.add("ROLE_USERS");
+ roles.add("ROLE_ADMINISTRATOR");
+ pc.setRole(roles);
+ ArrayList<ActionType> actions = new ArrayList<ActionType>();
+ actions.add(ActionType.CREATE);
+ actions.add(ActionType.READ);
+ actions.add(ActionType.UPDATE);
+ actions.add(ActionType.DELETE);
+ pc.setAction(actions);
+ apcList.add(pc);
+ toFile(pcList, PermissionConfigList.class, "./target/test-permissions.xml");
+
+ }
+
+ private void toFile(Object o, Class jaxbClass, String fileName) {
+ File f = new File(fileName);
+ try {
+ JAXBContext jc = JAXBContext.newInstance(jaxbClass);
+ Marshaller m = jc.createMarshaller();
+ m.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT,
+ Boolean.TRUE);
+ m.marshal(o, f);
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+
+ private Object fromFile(Class jaxbClass, String fileName) throws Exception {
+ ClassLoader tccl = Thread.currentThread().getContextClassLoader();
+ InputStream is = tccl.getResourceAsStream(fileName);
+ JAXBContext context = JAXBContext.newInstance(jaxbClass);
+ Unmarshaller unmarshaller = context.createUnmarshaller();
+ //note: setting schema to null will turn validator off
+ unmarshaller.setSchema(null);
+ return jaxbClass.cast(unmarshaller.unmarshal(is));
+ }
+
+ @Test(dataProvider = "testName", dataProviderClass = AuthorizationSeedTest.class)
+ public void test(String testName) {
+ if (logger.isDebugEnabled()) {
+ logger.debug(testName);
+ }
+ }
+}
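Review bot: `fromFile` (near the end of the hunk) never closes the `InputStream` it opens and hands it straight to `unmarshal`, so a missing `./test-data/test-permissions.xml` surfaces as a NullPointerException inside JAXB instead of a message naming the resource; guard the null and close the stream in a `finally`. Separately, `seedData` installs a `ROLE_ADMINISTRATOR` `Authentication` in `SecurityContextHolder` and never clears it, so that thread stays authenticated as admin for whatever test runs next in the same JVM, which can mask authorization failures elsewhere — add an `@AfterClass` that calls `SecurityContextHolder.clearContext()`. The `appContext` is likewise never closed, `seedRoles` is an empty stub and `genPermissions` is unused, so each deserves a TODO or removal. The license header is also pasted twice (`*//**` at the top of the file).
```java
private Object fromFile(Class jaxbClass, String fileName) throws Exception {
    ClassLoader tccl = Thread.currentThread().getContextClassLoader();
    InputStream is = tccl.getResourceAsStream(fileName);
    if (is == null) {
        throw new java.io.FileNotFoundException("classpath resource not found: " + fileName);
    }
    try {
        JAXBContext context = JAXBContext.newInstance(jaxbClass);
        Unmarshaller unmarshaller = context.createUnmarshaller();
        // note: setting schema to null will turn validator off
        unmarshaller.setSchema(null);
        return jaxbClass.cast(unmarshaller.unmarshal(is));
    } finally {
        is.close();
    }
}
```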
--- /dev/null
+<!--
+ Document : applicationContext-security.xml
+ Created on :
+ Author :
+ Copyright 2010 University of California at Berkeley
+ Description:
+ spring security namespace for CS service layer
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:sec="http://www.springframework.org/schema/security"
+ xmlns:tx="http://www.springframework.org/schema/tx"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+ http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
+ http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
+
+
+ <!-- application context containing the ACL beans. -->
+
+ <bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
+ <property name="permissionEvaluator" ref="permissionEvaluator"/>
+ </bean>
+
+ <bean id="permissionEvaluator" class="org.springframework.security.acls.AclPermissionEvaluator">
+ <constructor-arg ref="aclService"/>
+ </bean>
+
+ <bean id="aclService" class="org.springframework.security.acls.jdbc.JdbcMutableAclService">
+ <constructor-arg ref="dataSource"/>
+ <constructor-arg ref="lookupStrategy"/>
+ <constructor-arg ref="aclCache"/>
+ <property name="classIdentityQuery" value="SELECT @@IDENTITY"/>
+ <property name="sidIdentityQuery" value="SELECT @@IDENTITY"/>
+ </bean>
+
+ <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
+ <property name="driverClassName" value="com.mysql.jdbc.Driver"/>
+ <property name="url" value="jdbc:mysql://localhost:3306/cspace"/>
+ <property name="username" value="test"/>
+ <property name="password" value="test"/>
+ </bean>
+
+ <bean id="lookupStrategy" class="org.springframework.security.acls.jdbc.BasicLookupStrategy">
+ <constructor-arg ref="dataSource"/>
+ <constructor-arg ref="aclCache"/>
+ <constructor-arg>
+ <bean class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
+ <constructor-arg>
+ <list>
+ <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
+ <constructor-arg value="ROLE_ADMINISTRATOR"/>
+ </bean>
+ <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
+ <constructor-arg value="ROLE_ADMINISTRATOR"/>
+ </bean>
+ <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
+ <constructor-arg value="ROLE_ADMINISTRATOR"/>
+ </bean>
+ </list>
+ </constructor-arg>
+ </bean>
+ </constructor-arg>
+ <constructor-arg>
+ <bean class="org.springframework.security.acls.domain.ConsoleAuditLogger"/>
+ </constructor-arg>
+ </bean>
+
+ <bean id="aclCache" class="org.springframework.security.acls.domain.EhCacheBasedAclCache">
+ <constructor-arg>
+ <bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
+ <property name="cacheManager">
+ <bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
+ </property>
+ <property name="cacheName" value="aclCache"/>
+ </bean>
+ </constructor-arg>
+ </bean>
+
+
+ <bean id="transactionManager" class="org.springframework.jdbc.datasource.DataSourceTransactionManager">
+ <property name="dataSource" ref="dataSource"/>
+ </bean>
+
+ <tx:annotation-driven transaction-manager="transactionManager" />
+
+ <bean id="cspaceAuthorizationProvider" class="org.collectionspace.services.authorization.spring.SpringAuthorizationProvider">
+ <property name="providerAclService" ref="aclService"/>
+ <property name="providerPermissionEvaluator" ref="permissionEvaluator"/>
+ </bean>
+</beans>
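Review bot: The `dataSource` bean hard-codes a plaintext database username and password (`test`/`test`) and a `localhost` MySQL URL into a checked-in context whose header describes it as the security namespace for the service layer, so anyone with read access to the repository or the deployed archive gets the credentials, and rotating them requires a code change. The companion context earlier in this commit already obtains the connection from the container with `<bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean"><property name="jndiName" value="CspaceDS"/></bean>`; doing the same here keeps credentials in the JBoss datasource definition, or at minimum move them behind a `PropertyPlaceholderConfigurer` reading a file kept outside version control. `DriverManagerDataSource` also opens a new physical connection on every `getConnection()` with no pooling, which Spring documents as unsuitable outside tests. If this file is in fact only loaded by tests, a comment saying so at the top would stop it being mistaken for the runtime configuration.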
log4j.logger.org.collectionspace=DEBUG\r
log4j.logger.org.apache=INFO\r
log4j.logger.httpclient=INFO\r
-log4j.logger.org.jboss.resteasy=WARN\r
+log4j.logger.org.jboss.resteasy=INFO\r
--- /dev/null
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<ns2:permission_config_list xmlns:ns2="http://collectionspace.org/services/authorization">
+ <permission>
+ <resourceName>accounts</resourceName>
+ <action>CREATE</action>
+ <action>READ</action>
+ <action>UPDATE</action>
+ <action>DELETE</action>
+ <role>ROLE_ADMINISTRATOR</role>
+ <effect>PERMIT</effect>
+ </permission>
+ <permission>
+ <resourceName>collectionobjects</resourceName>
+ <action>CREATE</action>
+ <action>READ</action>
+ <action>UPDATE</action>
+ <action>DELETE</action>
+ <role>ROLE_USERS</role>
+ <role>ROLE_ADMINISTRATOR</role>
+ <effect>PERMIT</effect>
+ </permission>
+</ns2:permission_config_list>
<target name="gen_ddl"\r
description="generate service-specific tables(s), indices, etc.">\r
<ant antfile="authentication/build.xml" target="gen_ddl" inheritAll="false"/>\r
+ <ant antfile="authorization/build.xml" target="gen_ddl" inheritAll="false"/>\r
<ant antfile="account/build.xml" target="gen_ddl" inheritAll="false"/>\r
</target>\r
\r
<target name="create_db"\r
description="create service-specific tables(s), indices, etc.">\r
<ant antfile="authentication/build.xml" target="create_db" inheritAll="false"/>\r
+ <ant antfile="authorization/build.xml" target="create_db" inheritAll="false"/>\r
<ant antfile="account/build.xml" target="create_db" inheritAll="false"/>\r
<ant antfile="id/build.xml" target="create_db" inheritAll="false"/>\r
</target>\r
<target name="deploy" depends="install"\r
description="deploy services in ${jboss.server.cspace}">\r
<ant antfile="authentication/build.xml" target="deploy" inheritAll="false"/>\r
+ <ant antfile="authorization/build.xml" target="deploy" inheritAll="false"/>\r
<ant antfile="common/build.xml" target="deploy" inheritAll="false"/>\r
<ant antfile="account/build.xml" target="deploy" inheritAll="false"/>\r
<ant antfile="relation/build.xml" target="deploy" inheritAll="false"/>\r
<ant antfile="relation/build.xml" target="undeploy" inheritAll="false"/>\r
<ant antfile="account/build.xml" target="undeploy" inheritAll="false"/>\r
<ant antfile="common/build.xml" target="undeploy" inheritAll="false"/>\r
+ <ant antfile="authorization/build.xml" target="undeploy" inheritAll="false"/>\r
<ant antfile="authentication/build.xml" target="undeploy" inheritAll="false"/>\r
</target>\r
\r
<target name="dist" depends="doc"\r
description="create distribution for services">\r
<ant antfile="authentication/build.xml" target="dist" inheritAll="false"/>\r
+ <ant antfile="authorization/build.xml" target="dist" inheritAll="false"/>\r
+ <ant antfile="account/build.xml" target="dist" inheritAll="false"/>\r
<ant antfile="common/build.xml" target="dist" inheritAll="false"/>\r
<ant antfile="relation/build.xml" target="dist" inheritAll="false"/>\r
<ant antfile="id/build.xml" target="dist" inheritAll="false"/>\r
<ant antfile="organization/build.xml" target="dist_installer" inheritAll="false"/>\r
<ant antfile="person/build.xml" target="dist_installer" inheritAll="false"/>\r
<!--\r
+ <ant antfile="account/build.xml" target="dist_installer" inheritAll="false"/>\r
<ant antfile="common/build.xml" target="dist_installer" inheritAll="false"/>\r
+ <ant antfile="authorization/build.xml" target="dist_installer" inheritAll="false"/>\r
<ant antfile="authentication/build.xml" target="dist_installer" inheritAll="false"/>\r
<ant antfile="relation/build.xml" target="dist_installer" inheritAll="false"/>\r
<ant antfile="intake/build.xml" target="dist_installer" inheritAll="false"/>\r
}
}
- @Test
+// @Test
public void serviceSecure() {
String url = serviceClient.getBaseURL() + "collectionobjects";
GetMethod method = new GetMethod(url);
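Review bot: Commenting out `@Test` silently disables `serviceSecure`, which from its name is presumably the check that the `collectionobjects` endpoint is protected; after this commit nothing exercises that, and the test runner will not even report it as skipped. If the new authorization layer currently breaks it, prefer `@Test(enabled = false) // TODO: re-enable once authorization seeding is in place` so the disabled case still appears in reports, or better, fix the test in the same commit that changes the authorization behaviour. The method body continues outside the hunk, so I cannot see what it asserts.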
<target name="undeploy"
description="undeploy common elements from ${jboss.server.cspace}">
+ <antcall target="undeploy_spring" />
<copy tofile="${jboss.server.cspace}/conf/jboss-log4j.xml"
file="${jboss.server.cspace}/conf/jboss-log4j.xml.org"
overwrite="true" failonerror="false" />
<delete failonerror="false" dir="${jboss.server.cspace}/cspace/config/services"/>
</target>
+
+ <target name="undeploy_spring"
+ description="undeploy spring binaries from ${jboss.server.cspace}">
+ <delete>
+ <fileset dir="${jboss.server.cspace}/lib" includes="org.springframework.*.jar"/>
+ <fileset dir="${jboss.server.cspace}/lib" includes="spring-security*.jar"/>
+ </delete>
+ </target>
+
<target name="dist_jpa"
description="dist jpa binaries in ${dist.server.cspace}">
<copy todir="${services.trunk}/${dist.server.cspace}/lib">
<packaging>jar</packaging>\r
\r
<dependencies>\r
+\r
<!-- CollectionSpace dependencies -->\r
<dependency>\r
<groupId>org.collectionspace.services</groupId>\r
<version>${project.version}</version>\r
<scope>provided</scope>\r
</dependency> \r
+ <dependency>\r
+ <groupId>org.collectionspace.services</groupId>\r
+ <artifactId>org.collectionspace.services.authorization.service</artifactId>\r
+ <version>${project.version}</version>\r
+ <scope>provided</scope>\r
+ </dependency>\r
+\r
<!-- Utilities -->\r
+\r
<dependency>\r
<groupId>junit</groupId>\r
<artifactId>junit</artifactId>\r
<groupId>org.slf4j</groupId>\r
<artifactId>slf4j-log4j12</artifactId>\r
</dependency>\r
+ <dependency>\r
+ <groupId>log4j</groupId>\r
+ <artifactId>log4j</artifactId>\r
+ <version>1.2.14</version>\r
+ <scope>provided</scope>\r
+ </dependency>\r
+ <dependency>\r
+ <groupId>junit</groupId>\r
+ <artifactId>junit</artifactId>\r
+ <version>4.1</version>\r
+ <scope>test</scope>\r
+ </dependency>\r
+\r
<!-- javax -->\r
<dependency>\r
<groupId>javax.servlet</groupId>\r
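Review bot: The added `junit:junit:4.1` block duplicates the `junit:junit` dependency already declared a few lines above under `<!-- Utilities -->`, leaving the same artifact declared twice with one managed and one explicit version; Maven warns that dependency coordinates must be unique and which version wins is not obvious to a reader. Drop the new block, or if 4.1 is specifically wanted, put the version on the existing declaration instead. The `log4j:log4j:1.2.14` addition pins a specific release at `provided` scope; if the parent POM manages log4j elsewhere the explicit version here overrides it, so confirm that is intended.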
<?xml version="1.0" encoding="UTF-8"?><!-- ===================================================================== --><!-- --><!-- Log4j Configuration --><!-- --><!-- ===================================================================== --><!-- $Id: jboss-log4j.xml 75507 2008-07-08 20:15:07Z stan.silvert@jboss.com $ --><!--
| For more configuration infromation and examples see the Jakarta Log4j
| owebsite: http://jakarta.apache.org/log4j
- --><!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
+--><!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/" debug="false" threshold="null">
- <!-- ================================= -->
+ <!-- ================================= -->
<!-- Preserve messages in a local file -->
<!-- ================================= -->
<!-- A time/date based rolling appender -->
- <appender name="FILE"
- class="org.jboss.logging.appender.DailyRollingFileAppender">
- <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
- <param name="File" value="${jboss.server.log.dir}/server.log"/>
- <param name="Append" value="false"/>
- <param name="DatePattern" value="'.'yyyy-MM-dd"/>
- <param name="Threshold" value="INFO"/>
- <layout class="org.apache.log4j.PatternLayout">
- <param name="ConversionPattern" value="%d %-5p [%c] %m%n"/>
- </layout>
- </appender>
-
-
- <!-- A size based file rolling appender
+ <appender name="FILE"
+ class="org.jboss.logging.appender.DailyRollingFileAppender">
+ <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
+ <param name="File" value="${jboss.server.log.dir}/server.log"/>
+ <param name="Append" value="false"/>
+ <param name="DatePattern" value="'.'yyyy-MM-dd"/>
+ <param name="Threshold" value="INFO"/>
+ <layout class="org.apache.log4j.PatternLayout">
+ <param name="ConversionPattern" value="%d %-5p [%c] %m%n"/>
+ </layout>
+ </appender>
+
+
+ <!-- A size based file rolling appender
<appender name="FILE" class="org.jboss.logging.appender.RollingFileAppender">
<errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
<param name="File" value="${jboss.server.log.dir}/server.log"/>
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p [%c] %m%n"/>
- </layout>
+ </layout>
</appender>
-->
<!-- Append messages to the console -->
<!-- ============================== -->
- <appender name="CONSOLE" class="org.apache.log4j.ConsoleAppender">
- <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
- <param name="Target" value="System.out"/>
- <param name="Threshold" value="INFO"/>
+ <appender name="CONSOLE" class="org.apache.log4j.ConsoleAppender">
+ <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
+ <param name="Target" value="System.out"/>
+ <param name="Threshold" value="INFO"/>
- <layout class="org.apache.log4j.PatternLayout">
- <!-- The default pattern: Date Priority [Category] Message\n -->
- <param name="ConversionPattern" value="%d{ABSOLUTE} %-5p [%c{1}] %m%n"/>
- </layout>
- </appender>
-
- <!-- ====================== -->
+ <layout class="org.apache.log4j.PatternLayout">
+ <!-- The default pattern: Date Priority [Category] Message\n -->
+ <param name="ConversionPattern" value="%d{ABSOLUTE} %-5p [%c{1}] %m%n"/>
+ </layout>
+ </appender>
+
+ <!-- ====================== -->
<!-- More Appender examples -->
<!-- ====================== -->
<!-- Emit events as JMX notifications
<appender name="JMX" class="org.jboss.monitor.services.JMXNotificationAppender">
<errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
-
+
<param name="Threshold" value="WARN"/>
<param name="ObjectName" value="jboss.system:service=Logging,type=JMXNotificationAppender"/>
-
+
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p [%c] %m"/>
</layout>
-->
<!-- collectionspace appender -->
- <appender name="CSLOG" class="org.jboss.logging.appender.FileAppender">
- <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
- <param name="Append" value="false"/>
- <param name="DatePattern" value="'.'yyyy-MM-dd"/>
- <param name="File" value="${jboss.server.log.dir}/collectionspace.log"/>
- <layout class="org.apache.log4j.PatternLayout">
- <param name="ConversionPattern" value="%d %-5p [%t] [%c:%L] %m%n"/>
- </layout>
- <!--filter class="org.jboss.logging.filter.TCLFilter">
+ <appender name="CSLOG" class="org.jboss.logging.appender.DailyRollingFileAppender">
+ <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
+ <param name="Append" value="false"/>
+ <param name="DatePattern" value="'.'yyyy-MM-dd"/>
+ <param name="File" value="${jboss.server.log.dir}/collectionspace.log"/>
+ <layout class="org.apache.log4j.PatternLayout">
+ <param name="ConversionPattern" value="%d %-5p [%t] [%c:%L] %m%n"/>
+ </layout>
+ <!--filter class="org.jboss.logging.filter.TCLFilter">
<param name="AcceptOnMatch" value="true"/>
<param name="DeployURL" value="cspace-services.war"/>
- </filter>
+ </filter>
<filter class="org.apache.log4j.varia.DenyAllFilter"></filter-->
-
- </appender>
+ </appender>
-
- <!-- ================ -->
+
+
+ <!-- ================ -->
<!-- Limit categories -->
<!-- ================ -->
-
+
<!-- Limit the org.apache category to INFO as its DEBUG is verbose -->
<category name="org.apache" additivity="true">
- <priority value="INFO"/>
- </category>
-
- <!-- Limit JBoss categories
+ <priority value="INFO"/>
+ </category>
+
+ <!-- enable catalina.core to debug spring bean configuration -->
+ <category name="org.apache.catalina.core" additivity="true">
+ <priority value="INFO"/>
+ </category>
+
+ <!-- Limit JBoss categories
<category name="org.jboss">
<priority value="INFO"/>
</category>
-->
<category name="org.jboss.security.auth">
- <priority value="INFO"/>
+ <priority value="INFO"/>
</category>
<category name="com.arjuna"><priority value="INFO"/></category>
<category name="org.jboss.ejb3"><priority value="INFO"/></category>
<category name="org.jboss.ejb3.cache.simple.StatefulSessionFilePersistenceManager"><priority value="INFO"/></category>
<category name="org.jboss.seam">
- <priority value="INFO"/>
+ <priority value="INFO"/>
</category>
<category name="org.jboss.seam.contexts.Contexts"><priority value="WARN"/></category>
<category name="org.jboss.seam.contexts.Lifecycle"><priority value="WARN"/></category>
<category name="javax.enterprise.resource.webcontainer.jsf.renderkit"><priority value="INFO"/></category>
<category name="javax.enterprise.resource.webcontainer.jsf.application"><priority value="INFO"/></category>
<category name="javax.enterprise.resource.webcontainer.jsf.lifecycle"><priority value="INFO"/></category>
-
- <!-- Limit the jacorb category to WARN as its INFO is verbose -->
- <category name="jacorb" additivity="true">
- <priority value="WARN"/>
- </category>
-
- <!-- Limit the org.jgroups category to WARN as its INFO is verbose -->
- <category name="org.jgroups" additivity="true">
- <priority value="WARN"/>
- </category>
-
- <!-- Limit the org.quartz category to INFO as its DEBUG is verbose -->
- <category name="org.quartz" additivity="true">
- <priority value="INFO"/>
- </category>
- <!-- Limit JSF logging to DEBUG. FINER and FINEST will not be logged -->
- <category name="javax.enterprise.resource.webcontainer.jsf" additivity="true">
- <priority value="INFO"/>
- </category>
-
+ <!-- Limit the jacorb category to WARN as its INFO is verbose -->
+ <category name="jacorb" additivity="true">
+ <priority value="WARN"/>
+ </category>
+
+ <!-- Limit the org.jgroups category to WARN as its INFO is verbose -->
+ <category name="org.jgroups" additivity="true">
+ <priority value="WARN"/>
+ </category>
+
+ <!-- Limit the org.quartz category to INFO as its DEBUG is verbose -->
+ <category name="org.quartz" additivity="true">
+ <priority value="INFO"/>
+ </category>
+
+ <!-- Limit JSF logging to DEBUG. FINER and FINEST will not be logged -->
+ <category name="javax.enterprise.resource.webcontainer.jsf" additivity="true">
+ <priority value="INFO"/>
+ </category>
- <!-- Limit the JSR77 categories -->
- <category name="org.jboss.management" additivity="true">
- <priority value="INFO"/>
- </category>
- <!-- Show the evolution of the DataSource pool in the logs [inUse/Available/Max]
+ <!-- Limit the JSR77 categories -->
+ <category name="org.jboss.management" additivity="true">
+ <priority value="INFO"/>
+ </category>
+
+ <!-- Show the evolution of the DataSource pool in the logs [inUse/Available/Max]
<category name="org.jboss.resource.connectionmanager.JBossManagedConnectionPool">
<priority value="TRACE"/>
</category>
-->
-
+
<!-- Limit the org.jboss.serial (jboss-serialization) to INFO as its DEBUG is verbose -->
- <category name="org.jboss.serial" additivity="true">
- <priority value="INFO"/>
- </category>
-
- <!-- Decrease the priority threshold for the org.jboss.varia category
+ <category name="org.jboss.serial" additivity="true">
+ <priority value="INFO"/>
+ </category>
+
+ <!-- Decrease the priority threshold for the org.jboss.varia category
<category name="org.jboss.varia">
<priority value="DEBUG"/>
</category>
<priority value="TRACE"/>
</category>
-->
-
+
<!--
| Logs these events to SNMP:
- server starts/stops
- cluster evolution (node death/startup)
- When an EJB archive is deployed (and associated verified messages)
- When an EAR archive is deployed
-
+
<category name="org.jboss.system.server.Server">
<priority value="INFO" />
<appender-ref ref="TRAP_LOG"/>
</category>
-
+
<category name="org.jboss.ha.framework.interfaces.HAPartition.lifecycle">
<priority value="INFO" />
<appender-ref ref="TRAP_LOG"/>
<priority value="ERROR" />
<appender-ref ref="TRAP_LOG"/>
</category>
-
+
<category name="org.jboss.ejb.EJBDeployer">
<priority value="INFO" />
<appender-ref ref="TRAP_LOG"/>
</category>
-
+
<category name="org.jboss.deployment.EARDeployer">
<priority value="INFO" />
<appender-ref ref="TRAP_LOG"/>
- <category name="org.springframework">
- <priority value="INFO" />
- <appender-ref ref="CSLOG"/>
- </category>
+ <category name="org.springframework">
+ <priority value="INFO" />
+ <appender-ref ref="CSLOG"/>
+ </category>
- <category name="org.springframework.security">
- <priority value="INFO" />
- <appender-ref ref="CSLOG"/>
- </category>
+ <category name="org.springframework.security">
+ <priority value="INFO" />
+ <appender-ref ref="CSLOG"/>
+ </category>
- <category name="org.nuxeo">
- <priority value="INFO" />
- <appender-ref ref="CSLOG"/>
- </category>
+ <category name="org.nuxeo">
+ <priority value="INFO" />
+ <appender-ref ref="CSLOG"/>
+ </category>
- <category name="nuxeo">
- <priority value="INFO" />
- <appender-ref ref="CSLOG"/>
- </category>
+ <category name="nuxeo">
+ <priority value="INFO" />
+ <appender-ref ref="CSLOG"/>
+ </category>
- <category name="org.collectionspace">
- <priority value="INFO" />
- <appender-ref ref="CSLOG"/>
- </category>
+ <category name="org.collectionspace">
+ <priority value="INFO" />
+ <appender-ref ref="CSLOG"/>
+ </category>
-
- <!-- ======================= -->
+
+ <!-- ======================= -->
<!-- Setup the Root category -->
<!-- ======================= -->
- <root>
- <appender-ref ref="CONSOLE"/>
- <appender-ref ref="FILE"/>
- <appender-ref ref="CSLOG"/>
- </root>
+ <root>
+ <appender-ref ref="CONSOLE"/>
+ <appender-ref ref="FILE"/>
+ <appender-ref ref="CSLOG"/>
+ </root>
</log4j:configuration>
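Review bot: The new `org.apache.catalina.core` category is introduced by a comment saying it exists to debug Spring bean configuration, but its `<priority>` is `INFO`, no more verbose than the enclosing `org.apache` category, so the entry changes nothing; either set it to `DEBUG` while diagnosing (and lower it again before shipping) or reword the comment, e.g. `<!-- catalina.core: raise to DEBUG when diagnosing Spring bean wiring -->`. The `CSLOG` appender also changes from `FileAppender` to `DailyRollingFileAppender`, which makes the previously inert `DatePattern` parameter active — a behavioural change buried in a mostly whitespace diff that deserves a line in the commit message. Note that `Append=false` on that appender truncates `collectionspace.log` on every server restart, so the file that the `org.springframework.security` category is routed to keeps no history across restarts; that is pre-existing, but worth revisiting now that it is treated as a rolling log.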
<?xml version="1.0" encoding="UTF-8"?><!-- ===================================================================== --><!-- --><!-- Log4j Configuration --><!-- --><!-- ===================================================================== --><!-- $Id: jboss-log4j.xml 75507 2008-07-08 20:15:07Z stan.silvert@jboss.com $ --><!--
| For more configuration infromation and examples see the Jakarta Log4j
| owebsite: http://jakarta.apache.org/log4j
- --><!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">\r
-<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/" debug="false" threshold="null">\r
-\r
- <!-- ================================= -->\r
- <!-- Preserve messages in a local file -->\r
- <!-- ================================= -->\r
-\r
- <!-- A time/date based rolling appender -->\r
+ --><!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
+<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/" debug="false" threshold="null">
+
+ <!-- ================================= -->
+ <!-- Preserve messages in a local file -->
+ <!-- ================================= -->
+
+ <!-- A time/date based rolling appender -->
<appender name="FILE"
class="org.jboss.logging.appender.DailyRollingFileAppender">
<errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p [%c] %m%n"/>
</layout>
- </appender>\r
+ </appender>
+
-\r
<!-- A size based file rolling appender
<appender name="FILE" class="org.jboss.logging.appender.RollingFileAppender">
<errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
<param name="ConversionPattern" value="%d %-5p [%c] %m%n"/>
</layout>
</appender>
- -->\r
-\r
- <!-- ============================== -->\r
- <!-- Append messages to the console -->\r
- <!-- ============================== -->\r
-\r
- <appender name="CONSOLE" class="org.apache.log4j.ConsoleAppender">\r
- <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>\r
- <param name="Target" value="System.out"/>\r
- <param name="Threshold" value="INFO"/>\r
-\r
- <layout class="org.apache.log4j.PatternLayout">\r
- <!-- The default pattern: Date Priority [Category] Message\n -->\r
- <param name="ConversionPattern" value="%d{ABSOLUTE} %-5p [%c{1}] %m%n"/>\r
- </layout>\r
- </appender>\r
- \r
- <!-- ====================== -->\r
- <!-- More Appender examples -->\r
- <!-- ====================== -->\r
-\r
+ -->
+
+ <!-- ============================== -->
+ <!-- Append messages to the console -->
+ <!-- ============================== -->
+
+ <appender name="CONSOLE" class="org.apache.log4j.ConsoleAppender">
+ <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
+ <param name="Target" value="System.out"/>
+ <param name="Threshold" value="INFO"/>
+
+ <layout class="org.apache.log4j.PatternLayout">
+ <!-- The default pattern: Date Priority [Category] Message\n -->
+ <param name="ConversionPattern" value="%d{ABSOLUTE} %-5p [%c{1}] %m%n"/>
+ </layout>
+ </appender>
+
+ <!-- ====================== -->
+ <!-- More Appender examples -->
+ <!-- ====================== -->
+
<!-- Buffer events and log them asynchronously
<appender name="ASYNC" class="org.apache.log4j.AsyncAppender">
<errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
<appender-ref ref="CONSOLE"/>
<appender-ref ref="SMTP"/>
</appender>
- -->\r
-\r
+ -->
+
<!-- EMail events to an administrator
<appender name="SMTP" class="org.apache.log4j.net.SMTPAppender">
<errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
<param name="ConversionPattern" value="[%d{ABSOLUTE},%c{1}] %m%n"/>
</layout>
</appender>
- -->\r
-\r
+ -->
+
<!-- Syslog events
<appender name="SYSLOG" class="org.apache.log4j.net.SyslogAppender">
<errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
<param name="ConversionPattern" value="[%d{ABSOLUTE},%c{1}] %m%n"/>
</layout>
</appender>
- -->\r
-\r
+ -->
+
<!-- Log events to JMS (requires a topic to be created)
<appender name="JMS" class="org.apache.log4j.net.JMSAppender">
<errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
<param name="TopicConnectionFactoryBindingName" value="java:/ConnectionFactory"/>
<param name="TopicBindingName" value="topic/MyErrorsTopic"/>
</appender>
- -->\r
-\r
+ -->
+
<!-- Log events through SNMP
<appender name="TRAP_LOG" class="org.apache.log4j.ext.SNMPTrapAppender">
<errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
<param name="ConversionPattern" value="%d,%p,[%t],[%c],%m%n"/>
</layout>
</appender>
- -->\r
-\r
+ -->
+
<!-- Emit events as JMX notifications
<appender name="JMX" class="org.jboss.monitor.services.JMXNotificationAppender">
<errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
<param name="ConversionPattern" value="%d %-5p [%c] %m"/>
</layout>
</appender>
- -->\r
+ -->
<!-- collectionspace appender -->
- <appender name="CSLOG" class="org.jboss.logging.appender.FileAppender">
+ <appender name="CSLOG" class="org.jboss.logging.appender.DailyRollingFileAppender">
<errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
<param name="Append" value="false"/>
<param name="DatePattern" value="'.'yyyy-MM-dd"/>
</appender>
- \r
- <!-- ================ -->\r
- <!-- Limit categories -->\r
- <!-- ================ -->\r
- <!-- Limit the org.apache category to INFO as its DEBUG is verbose -->\r
- <category name="org.apache" additivity="true">\r
- <priority value="INFO"/>\r
- </category>
+ <!-- ================ -->
+ <!-- Limit categories -->
+ <!-- ================ -->
+ <!-- Limit the org.apache category to INFO as its DEBUG is verbose -->
+ <category name="org.apache" additivity="true">
+ <priority value="INFO"/>
+ </category>
+
+ <!-- enable catalina.core to debug spring bean configuration -->
+ <category name="org.apache.catalina.core" additivity="true">
+ <priority value="INFO"/>
+ </category>
+
<!-- Limit JBoss categories
<category name="org.jboss">
<priority value="INFO"/>
</category>
- -->\r
+ -->
<category name="org.jboss.security.auth">
<priority value="INFO"/>
- </category>\r
- <category name="com.arjuna"><priority value="INFO"/></category>\r
- <category name="org.jboss.ejb3"><priority value="INFO"/></category>\r
- <category name="org.jboss.ejb3.cache.simple.StatefulSessionFilePersistenceManager"><priority value="INFO"/></category>\r
+ </category>
+ <category name="com.arjuna"><priority value="INFO"/></category>
+ <category name="org.jboss.ejb3"><priority value="INFO"/></category>
+ <category name="org.jboss.ejb3.cache.simple.StatefulSessionFilePersistenceManager"><priority value="INFO"/></category>
<category name="org.jboss.seam">
<priority value="INFO"/>
- </category>\r
- <category name="org.jboss.seam.contexts.Contexts"><priority value="WARN"/></category>\r
- <category name="org.jboss.seam.contexts.Lifecycle"><priority value="WARN"/></category>\r
- <category name="org.jboss.mx.loading"><priority value="INFO"/></category>\r
- <category name="org.jboss.remoting"><priority value="INFO"/></category>\r
- <category name="org.jboss.resteasy"><priority value="INFO"/></category>\r
- <category name="org.ajax4jsf"><priority value="INFO"/></category>\r
- <category name="org.hibernate"><priority value="WARN"/></category>\r
- <category name="org.hibernate.engine.StatefulPersistenceContext.ProxyWarnLog"><priority value="ERROR"/></category>\r
- <category name="org.hibernate.impl.SessionFactoryObjectFactory"><priority value="ERROR"/></category>\r
- <category name="org.hibernate.cache.EhCacheProvider"><priority value="ERROR"/></category>\r
- <category name="org.hibernate.hql.ast.tree.FromElementType"><priority value="ERROR"/></category>\r
- <category name="org.jbpm"><priority value="INFO"/></category>\r
- <category name="org.jbpm.jpdl.xml.JpdlXmlReader"><priority value="ERROR"/></category>\r
- <category name="org.compass.core.transaction"><priority value="INFO"/></category>\r
- <category name="org.compass.core.lucene.engine.optimizer.ScheduledLuceneSearchEngineOptimizer"><priority value="INFO"/></category>\r
- <category name="org.apache.jackrabbit.core.query.lucene.IndexMerger"><priority value="WARN"/></category>\r
-
- <category name="org.nuxeo.ecm.platform.ui.web.auth"><priority value="INFO"/></category>\r
- <category name="org.nuxeo.runtime.osgi.OSGiRuntimeService"><priority value="INFO"/></category>\r
-
- <category name="org.apache.myfaces.renderkit.html.util.DefaultAddResource"><priority value="ERROR"/></category>\r
- <category name="javax.enterprise.resource.webcontainer.jsf.renderkit"><priority value="INFO"/></category>\r
- <category name="javax.enterprise.resource.webcontainer.jsf.application"><priority value="INFO"/></category>\r
+ </category>
+ <category name="org.jboss.seam.contexts.Contexts"><priority value="WARN"/></category>
+ <category name="org.jboss.seam.contexts.Lifecycle"><priority value="WARN"/></category>
+ <category name="org.jboss.mx.loading"><priority value="INFO"/></category>
+ <category name="org.jboss.remoting"><priority value="INFO"/></category>
+ <category name="org.jboss.resteasy"><priority value="INFO"/></category>
+ <category name="org.ajax4jsf"><priority value="INFO"/></category>
+ <category name="org.hibernate"><priority value="WARN"/></category>
+ <category name="org.hibernate.engine.StatefulPersistenceContext.ProxyWarnLog"><priority value="ERROR"/></category>
+ <category name="org.hibernate.impl.SessionFactoryObjectFactory"><priority value="ERROR"/></category>
+ <category name="org.hibernate.cache.EhCacheProvider"><priority value="ERROR"/></category>
+ <category name="org.hibernate.hql.ast.tree.FromElementType"><priority value="ERROR"/></category>
+ <category name="org.jbpm"><priority value="INFO"/></category>
+ <category name="org.jbpm.jpdl.xml.JpdlXmlReader"><priority value="ERROR"/></category>
+ <category name="org.compass.core.transaction"><priority value="INFO"/></category>
+ <category name="org.compass.core.lucene.engine.optimizer.ScheduledLuceneSearchEngineOptimizer"><priority value="INFO"/></category>
+ <category name="org.apache.jackrabbit.core.query.lucene.IndexMerger"><priority value="WARN"/></category>
+
+ <category name="org.nuxeo.ecm.platform.ui.web.auth"><priority value="INFO"/></category>
+ <category name="org.nuxeo.runtime.osgi.OSGiRuntimeService"><priority value="INFO"/></category>
+
+ <category name="org.apache.myfaces.renderkit.html.util.DefaultAddResource"><priority value="ERROR"/></category>
+ <category name="javax.enterprise.resource.webcontainer.jsf.renderkit"><priority value="INFO"/></category>
+ <category name="javax.enterprise.resource.webcontainer.jsf.application"><priority value="INFO"/></category>
<category name="javax.enterprise.resource.webcontainer.jsf.lifecycle"><priority value="INFO"/></category>
- \r
- <!-- Limit the jacorb category to WARN as its INFO is verbose -->\r
- <category name="jacorb" additivity="true">\r
- <priority value="WARN"/>\r
- </category>\r
- \r
- <!-- Limit the org.jgroups category to WARN as its INFO is verbose -->\r
- <category name="org.jgroups" additivity="true">\r
- <priority value="WARN"/>\r
- </category>\r
- \r
- <!-- Limit the org.quartz category to INFO as its DEBUG is verbose -->\r
- <category name="org.quartz" additivity="true">\r
- <priority value="INFO"/>\r
- </category>\r
-\r
- <!-- Limit JSF logging to DEBUG. FINER and FINEST will not be logged -->\r
- <category name="javax.enterprise.resource.webcontainer.jsf" additivity="true">\r
- <priority value="INFO"/>\r
- </category>\r
- \r
-\r
-\r
- <!-- Limit the JSR77 categories -->\r
- <category name="org.jboss.management" additivity="true">\r
- <priority value="INFO"/>\r
- </category>\r
-\r
+
+ <!-- Limit the jacorb category to WARN as its INFO is verbose -->
+ <category name="jacorb" additivity="true">
+ <priority value="WARN"/>
+ </category>
+
+ <!-- Limit the org.jgroups category to WARN as its INFO is verbose -->
+ <category name="org.jgroups" additivity="true">
+ <priority value="WARN"/>
+ </category>
+
+ <!-- Limit the org.quartz category to INFO as its DEBUG is verbose -->
+ <category name="org.quartz" additivity="true">
+ <priority value="INFO"/>
+ </category>
+
+ <!-- Limit JSF logging to DEBUG. FINER and FINEST will not be logged -->
+ <category name="javax.enterprise.resource.webcontainer.jsf" additivity="true">
+ <priority value="INFO"/>
+ </category>
+
+
+
+ <!-- Limit the JSR77 categories -->
+ <category name="org.jboss.management" additivity="true">
+ <priority value="INFO"/>
+ </category>
+
<!-- Show the evolution of the DataSource pool in the logs [inUse/Available/Max]
<category name="org.jboss.resource.connectionmanager.JBossManagedConnectionPool">
<priority value="TRACE"/>
</category>
- -->\r
- \r
- <!-- Limit the org.jboss.serial (jboss-serialization) to INFO as its DEBUG is verbose -->\r
- <category name="org.jboss.serial" additivity="true">\r
- <priority value="INFO"/>\r
- </category>\r
- \r
+ -->
+
+ <!-- Limit the org.jboss.serial (jboss-serialization) to INFO as its DEBUG is verbose -->
+ <category name="org.jboss.serial" additivity="true">
+ <priority value="INFO"/>
+ </category>
+
<!-- Decrease the priority threshold for the org.jboss.varia category
<category name="org.jboss.varia">
<priority value="DEBUG"/>
</category>
- -->\r
-\r
+ -->
+
<!-- Enable JBossWS message tracing
<category name="org.jboss.ws.core.MessageTrace">
<priority value="TRACE"/>
</category>
- -->\r
-\r
+ -->
+
<!--
| An example of enabling the custom TRACE level priority that is used
| by the JBoss internals to diagnose low level details. This example
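Review bot: The CSLOG appender switched to DailyRollingFileAppender at L4576 still carries `<param name="Append" value="false"/>` (L4578), so each time the appender is (re)initialised the current day's file is opened in truncate mode and every entry written earlier that day is lost, even though the root category now also writes to it. For a log that is meant to support incident reconstruction the file should be opened in append mode and retention left to the daily rollover: `<param name="Append" value="true"/>`. The enclosing `<log4j:configuration>` element and the appender's File/layout parameters lie outside this hunk, and the hunk boundaries are inferred because the page has no `@@` headers.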
<category name="org.jboss.ejb.plugins">
<priority value="TRACE"/>
</category>
- -->\r
- \r
+ -->
+
<!--
| Logs these events to SNMP:
- server starts/stops
<priority value="INFO" />
<appender-ref ref="TRAP_LOG"/>
</category>
- -->\r
-\r
- <!-- Clustering logging -->\r
+ -->
+
+ <!-- Clustering logging -->
<!-- Uncomment the following to redirect the org.jgroups and
org.jboss.ha categories to a cluster.log file.
<priority value="DEBUG" />
<appender-ref ref="CLUSTER"/>
</category>
- -->\r
+ -->
<appender-ref ref="CSLOG"/>
</category>
- \r
- <!-- ======================= -->\r
- <!-- Setup the Root category -->\r
- <!-- ======================= -->\r
-\r
- <root>\r
- <appender-ref ref="CONSOLE"/>\r
- <appender-ref ref="FILE"/>\r
- <appender-ref ref="CSLOG"/>\r
- </root>\r
-\r
+
+ <!-- ======================= -->
+ <!-- Setup the Root category -->
+ <!-- ======================= -->
+
+ <root>
+ <appender-ref ref="CONSOLE"/>
+ <appender-ref ref="FILE"/>
+ <appender-ref ref="CSLOG"/>
+ </root>
+
</log4j:configuration>
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
+import org.collectionspace.authentication.AuthN;
import org.collectionspace.authentication.CSpaceTenant;
import org.collectionspace.services.common.ClientType;
ServiceBindingUtils.getPartsMetadata(getServiceBinding(), objectPartMap);
return objectPartMap;
}
-
+
public List<PropertyType> getPropertiesForPart(String partLabel) {
- Map<String, ObjectPartType> partMap = getPartsMetadata();
- ObjectPartType part = partMap.get(partLabel);
- if(part==null) {
- throw new RuntimeException("No such part found: "+partLabel);
- }
- return part.getProperties();
+ Map<String, ObjectPartType> partMap = getPartsMetadata();
+ ObjectPartType part = partMap.get(partLabel);
+ if (part == null) {
+ throw new RuntimeException("No such part found: " + partLabel);
+ }
+ return part.getProperties();
}
public List<String> getPropertyValuesForPart(String partLabel, String propName) {
}
public List<PropertyType> getCommonPartProperties() {
- return getPropertiesForPart(getCommonPartLabel());
+ return getPropertiesForPart(getCommonPartLabel());
}
public List<String> getCommonPartPropertyValues(String propName) {
- return getPropertyValuesForPart(getCommonPartLabel(), propName);
+ return getPropertyValuesForPart(getCommonPartLabel(), propName);
}
@Override
public void setProperty(String name, Object o) {
properties.put(name, o);
}
- private static final String SUBJECT_CONTEXT_KEY = "javax.security.auth.Subject.container";
+
private String retrieveTenantId() throws UnauthorizedException {
- String tenantId = null;
- Subject caller = null;
- Set<Group> groups = null;
- try {
- caller = (Subject) PolicyContext.getContext(SUBJECT_CONTEXT_KEY);
- if (caller == null) {
- //logger.warn("security not enabled...");
- return tenantId;
- }
- groups = caller.getPrincipals(Group.class);
- if (groups != null && groups.size() == 0) {
- //TODO: find out why subject is not null
- if (logger.isDebugEnabled()) {
- logger.debug("no tenant(s) found!");
- }
- return tenantId;
- }
- } catch (PolicyContextException pce) {
- String msg = "Could not retrieve principal information";
- logger.error(msg, pce);
- throw new UnauthorizedException(msg);
- }
- for (Group g : groups) {
- if ("Tenants".equals(g.getName())) {
- Enumeration members = g.members();
- while (members.hasMoreElements()) {
- CSpaceTenant tenant = (CSpaceTenant) members.nextElement();
- tenantId = tenant.getId();
- if (logger.isDebugEnabled()) {
- logger.debug("found tenant id=" + tenant.getId()
- + " name=" + tenant.getName());
- }
- }
- }
- }
- //TODO: if a user is associated with more than one tenants, the tenant
- //id should be matched with sent over the wire
- if (tenantId == null) {
+ String[] tenantIds = AuthN.get().getTenantIds();
+ if (tenantIds.length == 0) {
String msg = "Could not find tenant context";
logger.error(msg);
throw new UnauthorizedException(msg);
}
- return tenantId;
+ //TODO: if a user is associated with more than one tenants, the tenant
+ //id should be matched with the one sent over the wire
+ return tenantIds[0];
}
@Override
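Review bot: `AuthN.get().getTenantIds()` at L4893 is dereferenced without a null check; if the helper can return null rather than an empty array (not visible from here), `tenantIds.length` throws NullPointerException instead of the intended UnauthorizedException, so the guard should read `if (tenantIds == null || tenantIds.length == 0) {`. The retained TODO at L4900 also means a user belonging to several tenants is silently bound to whichever id the array lists first, with no tie to the request; until that is resolved the multi-tenant case deserves an explicit `logger.warn(...)` naming the chosen id so that tenant-isolation problems are visible in the logs. The old code's "security not enabled" path that returned null is gone, so callers now get an exception where they previously got null — worth stating in the method's javadoc. retrieveTenantId starts inside the hunk at L4854, but the enclosing class continues outside it.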
if (DocumentHandler.class.isAssignableFrom(c)) {
docHandler = (DocumentHandler) c.newInstance();
} else {
- throw new IllegalArgumentException("Not of type " +
- DocumentHandler.class.getCanonicalName());
+ throw new IllegalArgumentException("Not of type "
+ + DocumentHandler.class.getCanonicalName());
}
docHandler.setServiceContext(this);
return docHandler;
--- /dev/null
+/**
+ * This document is a part of the source code and related artifacts
+ * for CollectionSpace, an open source collections management system
+ * for museums and related institutions:
+
+ * http://www.collectionspace.org
+ * http://wiki.collectionspace.org
+
+ * Copyright 2009 University of California at Berkeley
+
+ * Licensed under the Educational Community License (ECL), Version 2.0.
+ * You may not use this file except in compliance with this License.
+
+ * You may obtain a copy of the ECL 2.0 License at
+
+ * https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *//**
+ * This document is a part of the source code and related artifacts
+ * for CollectionSpace, an open source collections management system
+ * for museums and related institutions:
+
+ * http://www.collectionspace.org
+ * http://wiki.collectionspace.org
+
+ * Copyright 2009 University of California at Berkeley
+
+ * Licensed under the Educational Community License (ECL), Version 2.0.
+ * You may not use this file except in compliance with this License.
+
+ * You may obtain a copy of the ECL 2.0 License at
+
+ * https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/*
+ * To change this template, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package org.collectionspace.services.common.security;
+
+import org.jboss.resteasy.core.ResourceMethod;
+import org.jboss.resteasy.core.ServerResponse;
+import org.jboss.resteasy.spi.interception.PreProcessInterceptor;
+import org.jboss.resteasy.annotations.interception.SecurityPrecedence;
+import org.jboss.resteasy.annotations.interception.ServerInterceptor;
+import org.jboss.resteasy.spi.Failure;
+import org.jboss.resteasy.spi.HttpRequest;
+
+import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.Response;
+import org.collectionspace.authentication.AuthN;
+import org.collectionspace.services.authorization.AuthZ;
+import org.collectionspace.services.authorization.CSpaceResource;
+import org.collectionspace.services.authorization.URIResourceImpl;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * RESTeasy interceptor for access control
+ * @version $Revision: 1 $
+ */
+@SecurityPrecedence
+@ServerInterceptor
+public class SecurityInterceptor implements PreProcessInterceptor {
+
+ private static final Logger logger = LoggerFactory.getLogger(SecurityInterceptor.class);
+
+ @Override
+ public ServerResponse preProcess(HttpRequest request, ResourceMethod method)
+ throws Failure, WebApplicationException {
+ String httpMethod = request.getHttpMethod();
+ String uriPath = request.getUri().getPath();
+ if (logger.isDebugEnabled()) {
+ logger.debug("received " + httpMethod + " on " + uriPath);
+ }
+ AuthZ authZ = AuthZ.get();
+ CSpaceResource res = new URIResourceImpl(uriPath, httpMethod);
+// if (!authZ.isAccessAllowed(res)) {
+// logger.error("Access to " + res.getId() + " is NOT allowed to " +
+// " user=" + AuthN.get().getUserId());
+// Response response = Response.status(
+// Response.Status.FORBIDDEN).entity(uriPath + " " + httpMethod).type("text/plain").build();
+// throw new WebApplicationException(response);
+// }
+ if(logger.isDebugEnabled()) {
+ logger.debug("Access to " + res.getId() + " is allowed to " +
+ " user=" + AuthN.get().getUserId());
+ }
+ return null;
+ }
+}
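Review bot: The access decision in preProcess is commented out (L5004–L5010), so the interceptor admits every request, the `authZ` instance built at L5002 is never used, and the debug line at L5012 reports `is allowed` for a resource on which no decision was made, which makes the log misleading as an audit trail. If enforcement is deliberately deferred, say so where an operator will see it rather than in dead code, e.g. replace the debug message with `logger.warn("authorization check disabled; " + httpMethod + " " + uriPath + " admitted without an AuthZ decision for user=" + AuthN.get().getUserId());`, and restore the `isAccessAllowed` branch before this interceptor is relied on for access control. The license header is also duplicated (the `*//**` at L4938 runs two copies together), and the class javadoc should state that the interceptor currently performs no enforcement.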
<modules>
<module>jaxb</module>
<module>authentication</module>
+ <module>authorization</module>
<module>common</module>
<module>client</module>
<module>account</module>
<module>dimension</module>
<module>contact</module>
<module>JaxRsServiceProvider</module>
- <module>sdk</module>
+ <!--module>sdk</module-->
<module>IntegrationTests</module>
<module>PerformanceTests</module>
<module>security</module>
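Review bot: The sdk module is disabled at L5029 by mangling its tag into a comment, with no indication of whether it is dropped for good or temporarily excluded, so a reader of the pom cannot tell if the build is incomplete. A plain comment next to it, `<!-- sdk module disabled: <reason placeholder>; see <issue placeholder> -->`, would record the intent, and the new authorization module added at L5021 would benefit from the same one-line note on what it provides.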
<jbossHome>${jboss.dir}</jbossHome>
</configuration>
</plugin>
-
+
<plugin>
<groupId>org.jvnet.hyperjaxb3</groupId>
<artifactId>maven-hyperjaxb3-plugin</artifactId>
<version>0.5.4</version>
</plugin>
-
+
<plugin>
<groupId>org.jvnet.jaxb2.maven2</groupId>
<artifactId>maven-jaxb2-plugin</artifactId>
<version>0.7.2</version>
</plugin>
-
+
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
</dependency>
</dependencies>
</dependencyManagement>
-</project>
+</project>
\ No newline at end of file