Enabled access control for all the services at the record/procedure type level. Permissions are seeded (authorization-mgt/import) for ROLE_ADMINISTRATOR using the tenant bindings. Seeding still happens through a test driver in the import module...would be moved to a Java main class later.
Test do/should not delete the seeded permissions...fixed those tests that were doing the same. These tests now either do not delete permissions
or create permissions for non-functional services.
Wired delete for account role and permission role sub resources.
All alternate URIs with which a service could be accessed shoudl be in service bindings element named uriPath
test: all tests multiple times
!!NOTE!!
cd trunk/services
ant create_db
mvn clean install -DskipTests
ant undeploy deploy
mvn test
If you are not running all the tests, at least seed default permissions using the following
cd trunk/services/authorization-mgt/import
mvn test
M trunk/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/PermissionResource.java
M trunk/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/AuthorizationDelegate.java
M trunk/services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/PermissionRoleSubResource.java
M trunk/services/authorization-mgt/import/src/test/java/org/collectionspace/services/authorization/importer/AuthorizationSeedTest.java
M trunk/services/authorization-mgt/import/src/test/resources/applicationContext-authorization-test.xml
M trunk/services/authorization-mgt/import/src/test/resources/log4j.properties
M trunk/services/authorization-mgt/import/src/main/java/org/collectionspace/services/authorization/importer/AuthorizationSeed.java
M trunk/services/authorization-mgt/import/src/main/java/org/collectionspace/services/authorization/importer/AuthorizationGen.java
M trunk/services/authorization-mgt/import/src/main/resources/import-data/import-permissions.xml
M trunk/services/authorization-mgt/import/src/main/resources/import-data/import-permissions-roles.xml
M trunk/services/authorization-mgt/import/pom.xml
M trunk/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionServiceTest.java
M trunk/services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/PermissionRoleServiceTest.java
M trunk/services/pom.xml
M trunk/services/authorization/service/src/main/java/org/collectionspace/services/authorization/spring/SpringPermissionManager.java
M trunk/services/authorization/service/src/main/java/org/collectionspace/services/authorization/spring/SpringAuthorizationProvider.java
M trunk/services/authorization/service/src/main/java/org/collectionspace/services/authorization/spring/SpringPermissionEvaluator.java
M trunk/services/authorization/service/src/main/java/org/collectionspace/services/authorization/CSpaceResourceImpl.java
M trunk/services/authorization/service/src/main/java/org/collectionspace/services/authorization/URIResourceImpl.java
M trunk/services/authorization/service/src/main/java/org/collectionspace/services/authorization/AuthZ.java
M trunk/services/authorization/service/src/main/java/org/collectionspace/services/authorization/spi/CSpacePermissionManager.java
M trunk/services/authorization/service/src/main/resources/applicationContext-authorization.xml
_M trunk/services/location/jaxb
M trunk/services/common/src/main/java/org/collectionspace/services/common/storage/jpa/JpaStorageClientImpl.java
M trunk/services/common/src/main/java/org/collectionspace/services/common/storage/jpa/JpaRelationshipStorageClient.java
M trunk/services/common/src/main/java/org/collectionspace/services/common/security/SecurityInterceptor.java
M trunk/services/common/src/main/config/services/tenant-bindings.xml
M trunk/services/common/src/main/resources/service.xsd
M trunk/services/account/service/src/main/java/org/collectionspace/services/account/AccountRoleSubResource.java
M trunk/services/account/service/src/main/java/org/collectionspace/services/account/AccountResource.java
_M trunk/services/note/service
_M trunk/services/note/jaxb
_M trunk/services/note/client
M trunk/services/security/client/src/test/java/org/collectionspace/services/security/client/test/AuthenticationServiceTest.java
M trunk/services/security/client/src/test/java/org/collectionspace/services/security/client/test/AuthorizationServiceTest.java
return response;
} catch (BadRequestException bre) {
Response response = Response.status(
- Response.Status.BAD_REQUEST).entity(ServiceMessages.POST_FAILED +
- bre.getErrorReason()).type("text/plain").build();
+ Response.Status.BAD_REQUEST).entity(ServiceMessages.POST_FAILED
+ + bre.getErrorReason()).type("text/plain").build();
throw new WebApplicationException(response);
} catch (UnauthorizedException ue) {
Response response = Response.status(
- Response.Status.UNAUTHORIZED).entity(ServiceMessages.POST_FAILED +
- ue.getErrorReason()).type("text/plain").build();
+ Response.Status.UNAUTHORIZED).entity(ServiceMessages.POST_FAILED
+ + ue.getErrorReason()).type("text/plain").build();
throw new WebApplicationException(response);
} catch (Exception e) {
if (logger.isDebugEnabled()) {
result = (AccountsCommon) ctx.getOutput();
} catch (UnauthorizedException ue) {
Response response = Response.status(
- Response.Status.UNAUTHORIZED).entity(ServiceMessages.GET_FAILED +
- ue.getErrorReason()).type("text/plain").build();
+ Response.Status.UNAUTHORIZED).entity(ServiceMessages.GET_FAILED
+ + ue.getErrorReason()).type("text/plain").build();
throw new WebApplicationException(response);
} catch (DocumentNotFoundException dnfe) {
if (logger.isDebugEnabled()) {
}
logger.error(ServiceMessages.UNKNOWN_ERROR_MSG, e);
Response response = Response.status(
- Response.Status.INTERNAL_SERVER_ERROR).entity(ServiceMessages.GET_FAILED +
- ServiceMessages.UNKNOWN_ERROR_MSG).type("text/plain").build();
+ Response.Status.INTERNAL_SERVER_ERROR).entity(ServiceMessages.GET_FAILED
+ + ServiceMessages.UNKNOWN_ERROR_MSG).type("text/plain").build();
throw new WebApplicationException(response);
}
accountList = (AccountsCommonList) handler.getCommonPartList();
} catch (UnauthorizedException ue) {
Response response = Response.status(
- Response.Status.UNAUTHORIZED).entity(ServiceMessages.LIST_FAILED +
- ue.getErrorReason()).type("text/plain").build();
+ Response.Status.UNAUTHORIZED).entity(ServiceMessages.LIST_FAILED
+ + ue.getErrorReason()).type("text/plain").build();
throw new WebApplicationException(response);
} catch (Exception e) {
}
logger.error(ServiceMessages.UNKNOWN_ERROR_MSG, e);
Response response = Response.status(
- Response.Status.INTERNAL_SERVER_ERROR).entity(ServiceMessages.LIST_FAILED +
- ServiceMessages.UNKNOWN_ERROR_MSG).type("text/plain").build();
+ Response.Status.INTERNAL_SERVER_ERROR).entity(ServiceMessages.LIST_FAILED
+ + ServiceMessages.UNKNOWN_ERROR_MSG).type("text/plain").build();
throw new WebApplicationException(response);
}
return accountList;
result = (AccountsCommon) ctx.getOutput();
} catch (BadRequestException bre) {
Response response = Response.status(
- Response.Status.BAD_REQUEST).entity(ServiceMessages.PUT_FAILED +
- bre.getErrorReason()).type("text/plain").build();
+ Response.Status.BAD_REQUEST).entity(ServiceMessages.PUT_FAILED
+ + bre.getErrorReason()).type("text/plain").build();
throw new WebApplicationException(response);
} catch (UnauthorizedException ue) {
Response response = Response.status(
- Response.Status.UNAUTHORIZED).entity(ServiceMessages.PUT_FAILED +
- ue.getErrorReason()).type("text/plain").build();
+ Response.Status.UNAUTHORIZED).entity(ServiceMessages.PUT_FAILED
+ + ue.getErrorReason()).type("text/plain").build();
throw new WebApplicationException(response);
} catch (DocumentNotFoundException dnfe) {
if (logger.isDebugEnabled()) {
} catch (Exception e) {
logger.error(ServiceMessages.UNKNOWN_ERROR_MSG, e);
Response response = Response.status(
- Response.Status.INTERNAL_SERVER_ERROR).entity(ServiceMessages.PUT_FAILED +
- ServiceMessages.UNKNOWN_ERROR_MSG).type("text/plain").build();
+ Response.Status.INTERNAL_SERVER_ERROR).entity(ServiceMessages.PUT_FAILED
+ + ServiceMessages.UNKNOWN_ERROR_MSG).type("text/plain").build();
throw new WebApplicationException(response);
}
return result;
try {
//FIXME ideally the following two ops shoudl be in the same tx CSPACE-658
//delete all relationships
- AccountRoleSubResource subResource = new AccountRoleSubResource();
+ AccountRoleSubResource subResource = new AccountRoleSubResource("accounts/accountroles");
subResource.deleteAccountRole(csid, SubjectType.ROLE);
ServiceContext<AccountsCommon, AccountsCommon> ctx = createServiceContext((AccountsCommon) null,
AccountsCommon.class);
return Response.status(HttpResponseCodes.SC_OK).build();
} catch (UnauthorizedException ue) {
Response response = Response.status(
- Response.Status.UNAUTHORIZED).entity(ServiceMessages.DELETE_FAILED +
- ue.getErrorReason()).type("text/plain").build();
+ Response.Status.UNAUTHORIZED).entity(ServiceMessages.DELETE_FAILED
+ + ue.getErrorReason()).type("text/plain").build();
throw new WebApplicationException(response);
} catch (DocumentNotFoundException dnfe) {
} catch (Exception e) {
logger.error(ServiceMessages.UNKNOWN_ERROR_MSG, e);
Response response = Response.status(
- Response.Status.INTERNAL_SERVER_ERROR).entity(ServiceMessages.DELETE_FAILED +
- ServiceMessages.UNKNOWN_ERROR_MSG).type("text/plain").build();
+ Response.Status.INTERNAL_SERVER_ERROR).entity(ServiceMessages.DELETE_FAILED
+ + ServiceMessages.UNKNOWN_ERROR_MSG).type("text/plain").build();
throw new WebApplicationException(response);
}
if (accCsid == null || "".equals(accCsid)) {
logger.error("createAccountRole: missing accCsid!");
Response response = Response.status(Response.Status.BAD_REQUEST).entity(
- ServiceMessages.POST_FAILED + "accountroles account " +
- ServiceMessages.MISSING_INVALID_CSID + accCsid).type(
+ ServiceMessages.POST_FAILED + "accountroles account "
+ + ServiceMessages.MISSING_INVALID_CSID + accCsid).type(
"text/plain").build();
throw new WebApplicationException(response);
}
try {
- AccountRoleSubResource subResource = new AccountRoleSubResource();
+ AccountRoleSubResource subResource =
+ new AccountRoleSubResource(AccountRoleSubResource.ACCOUNT_ACCOUNTROLE_SERVICE);
String accrolecsid = subResource.createAccountRole(input, SubjectType.ROLE);
UriBuilder path = UriBuilder.fromResource(AccountResource.class);
path.path(accCsid + "/accountroles/" + accrolecsid);
logger.error(ServiceMessages.UNKNOWN_ERROR_MSG, e);
Response response = Response.status(
Response.Status.INTERNAL_SERVER_ERROR).entity(
- ServiceMessages.POST_FAILED +
- ServiceMessages.UNKNOWN_ERROR_MSG).type("text/plain").build();
+ ServiceMessages.POST_FAILED
+ + ServiceMessages.UNKNOWN_ERROR_MSG).type("text/plain").build();
throw new WebApplicationException(response);
}
}
if (accCsid == null || "".equals(accCsid)) {
logger.error("getAccountRole: missing accCsid!");
Response response = Response.status(Response.Status.BAD_REQUEST).entity(
- ServiceMessages.GET_FAILED + "accountroles account " +
- ServiceMessages.MISSING_INVALID_CSID + accCsid).type(
+ ServiceMessages.GET_FAILED + "accountroles account "
+ + ServiceMessages.MISSING_INVALID_CSID + accCsid).type(
"text/plain").build();
throw new WebApplicationException(response);
}
AccountRole result = null;
try {
- AccountRoleSubResource subResource = new AccountRoleSubResource();
+ AccountRoleSubResource subResource =
+ new AccountRoleSubResource(AccountRoleSubResource.ACCOUNT_ACCOUNTROLE_SERVICE);
//get relationships for an account
result = subResource.getAccountRole(accCsid, SubjectType.ROLE);
} catch (UnauthorizedException ue) {
if (accCsid == null || "".equals(accCsid)) {
logger.error("deleteAccountRole: missing accCsid!");
Response response = Response.status(Response.Status.BAD_REQUEST).entity(
- ServiceMessages.DELETE_FAILED + "accountroles account " +
- ServiceMessages.MISSING_INVALID_CSID + accCsid).type(
+ ServiceMessages.DELETE_FAILED + "accountroles account "
+ + ServiceMessages.MISSING_INVALID_CSID + accCsid).type(
"text/plain").build();
throw new WebApplicationException(response);
}
try {
- AccountRoleSubResource subResource = new AccountRoleSubResource();
+ AccountRoleSubResource subResource =
+ new AccountRoleSubResource(AccountRoleSubResource.ACCOUNT_ACCOUNTROLE_SERVICE);
//delete all relationships for an account
subResource.deleteAccountRole(accCsid, SubjectType.ROLE);
return Response.status(HttpResponseCodes.SC_OK).build();
public class AccountRoleSubResource
extends AbstractCollectionSpaceResourceImpl<AccountRole, AccountRole> {
+ final public static String ACCOUNT_ACCOUNTROLE_SERVICE = "accounts/accountroles";
+ final public static String ROLE_ACCOUNTROLE_SERVICE = "roles/accountroles";
+
//this service is never exposed as standalone RESTful service...just use unique
//service name to identify binding
/** The service name. */
- final private String serviceName = "accounts/accountroles";
+ private String serviceName = ACCOUNT_ACCOUNTROLE_SERVICE;
/** The logger. */
final Logger logger = LoggerFactory.getLogger(AccountRoleSubResource.class);
/** The storage client. */
final StorageClient storageClient = new JpaRelationshipStorageClient<AccountRole>();
+ /**
+ *
+ * @param serviceName qualified service path
+ */
+ AccountRoleSubResource(String serviceName) {
+ this.serviceName = serviceName;
+ }
+
/* (non-Javadoc)
* @see org.collectionspace.services.common.AbstractCollectionSpaceResourceImpl#getVersionString()
*/
+
@Override
protected String getVersionString() {
/** The last change revision. */
logger.debug("deleteAccountRole with csid=" + csid);
}
ServiceContext<AccountRole, AccountRole> ctx = createServiceContext((AccountRole) null, subject);
- DocumentHandler handler = createDocumentHandler(ctx);
- getStorageClient(ctx).delete(ctx, csid, handler);
+ getStorageClient(ctx).delete(ctx, csid);
}
}
/** The all resource ids created. */
private List<String> allResourceIdsCreated = new ArrayList<String>();
-
+
+ final private static String TEST_SERVICE_NAME = "fakeservice";
/** The perm values. */
private Hashtable<String, PermissionValue> permValues = new Hashtable<String, PermissionValue>();
*/
@BeforeClass(alwaysRun = true)
public void seedData() {
- String ra = "accounts";
+ String ra = TEST_SERVICE_NAME;
String accPermId = createPermission(ra, EffectType.PERMIT);
PermissionValue pva = new PermissionValue();
pva.setResourceName(ra);
setupCreate(testName);
// Submit the request to the service and store the response.
- PermissionValue pv = permValues.get("accounts");
+ PermissionValue pv = permValues.get(TEST_SERVICE_NAME);
PermissionRole permRole = createPermissionRoleInstance(pv,
roleValues.values(), true, true);
PermissionRoleClient client = new PermissionRoleClient();
// Submit the request to the service and store the response.
PermissionRoleClient client = new PermissionRoleClient();
ClientResponse<PermissionRole> res = client.read(
- permValues.get("accounts").getPermissionId(), "123");
+ permValues.get(TEST_SERVICE_NAME).getPermissionId(), "123");
int statusCode = res.getStatus();
// Check the status code of the response: does it match
// Submit the request to the service and store the response.
PermissionRoleClient client = new PermissionRoleClient();
ClientResponse<Response> res = client.delete(
- permValues.get("accounts").getPermissionId(), "123");
+ permValues.get(TEST_SERVICE_NAME).getPermissionId(), "123");
int statusCode = res.getStatus();
// Check the status code of the response: does it match
// Submit the request to the service and store the response.
String method = ServiceRequestType.READ.httpMethodName();
- String url = getResourceURL(permValues.get("accounts").getPermissionId());
+ String url = getResourceURL(permValues.get(TEST_SERVICE_NAME).getPermissionId());
int statusCode = submitRequest(method, url);
// Check the status code of the response: does it match
setupCreate(testName);
// Submit the request to the service and store the response.
List<PermissionAction> actions = PermissionFactory.createDefaultActions();
- Permission permission1 = createPermissionInstance("collectionobjects",
- "default permissions for collectionobjects",
+ Permission permission1 = createPermissionInstance("test-objects",
+ "default permissions for test-objects",
actions,
EffectType.PERMIT,
true,
Assert.assertEquals(statusCode, EXPECTED_STATUS_CODE);
allResourceIdsCreated.add(extractId(res));
- Permission permission2 = createPermissionInstance("acquisitions",
- "default permissions for acquisitions",
+ Permission permission2 = createPermissionInstance("test-acquisitions",
+ "default permissions for test-acquisitions",
actions,
EffectType.PERMIT,
true,
Assert.assertEquals(statusCode, EXPECTED_STATUS_CODE);
allResourceIdsCreated.add(extractId(res));
- Permission permission3 = createPermissionInstance("ids",
+ Permission permission3 = createPermissionInstance("test-ids",
"default permissions for id service",
actions,
EffectType.PERMIT,
// The only relevant ID may be the one used in updatePermission(), below.
PermissionClient client = new PermissionClient();
List<PermissionAction> actions = PermissionFactory.createDefaultActions();
- Permission permission = createPermissionInstance("acquisitions",
- "default permissions for acquisitions",
+ Permission permission = createPermissionInstance("test-acquisitions",
+ "default permissions for test-acquisitions",
actions,
EffectType.PERMIT,
true,
<scope>test</scope>\r
</dependency>\r
</dependencies>\r
-\r
- <build>\r
- <finalName>cspace-services-authorization-mgt-import</finalName>\r
- <plugins>\r
- <plugin>\r
- <groupId>org.apache.maven.plugins</groupId>\r
- <artifactId>maven-surefire-plugin</artifactId>\r
- <configuration>\r
- <systemProperties>\r
- <property>\r
- <name>log4j.configuration</name>\r
- <value>file:${project.build.directory}/test-classes/log4j.properties</value>\r
- </property>\r
- <property>\r
- <name>importdir</name>\r
- <value>${basedir}/src/main/resources/import-data/</value>\r
- </property>\r
- <property>\r
- <name>exportdir</name>\r
- <value>${basedir}/src/main/resources/import-data/</value>\r
- </property>\r
- <property>\r
- <name>tenantbindings</name>\r
- <value>${basedir}/../../common/src/main/config/services/tenant-bindings.xml</value>\r
- </property>\r
- <property>\r
- <name>spring-beans-config</name>\r
- <value>applicationContext-authorization-test.xml</value>\r
- </property>\r
- </systemProperties>\r
- </configuration>\r
- </plugin>\r
- </plugins>\r
- </build>\r
+ <!-- use profile as this task is not needed for every build and test -->\r
+ <!--profiles>\r
+ <profile>\r
+ <id>import</id-->\r
+ <build>\r
+ <finalName>cspace-services-authorization-mgt-import</finalName>\r
+ <plugins>\r
+ <plugin>\r
+ <groupId>org.apache.maven.plugins</groupId>\r
+ <artifactId>maven-surefire-plugin</artifactId>\r
+ <configuration>\r
+ <systemProperties>\r
+ <property>\r
+ <name>log4j.configuration</name>\r
+ <value>file:${project.build.directory}/test-classes/log4j.properties</value>\r
+ </property>\r
+ <property>\r
+ <name>importdir</name>\r
+ <value>${basedir}/src/main/resources/import-data/</value>\r
+ </property>\r
+ <property>\r
+ <name>exportdir</name>\r
+ <value>${basedir}/src/main/resources/import-data/</value>\r
+ </property>\r
+ <property>\r
+ <name>tenantbindings</name>\r
+ <value>${basedir}/../../common/src/main/config/services/tenant-bindings.xml</value>\r
+ </property>\r
+ <property>\r
+ <name>spring-beans-config</name>\r
+ <value>applicationContext-authorization-test.xml</value>\r
+ </property>\r
+ </systemProperties>\r
+ </configuration>\r
+ </plugin>\r
+ </plugins>\r
+ </build>\r
+ <!--/profile>\r
+ </profiles-->\r
\r
</project>\r
\r
private List<PermissionRole> permRoleList = new ArrayList<PermissionRole>();
private Hashtable<String, TenantBindingType> tenantBindings =
new Hashtable<String, TenantBindingType>();
+ final public static String ROLE_ADMINISTRATOR = "ROLE_ADMINISTRATOR";
public void initialize(String tenantBindingFileName) throws Exception {
TenantBindingConfigReaderImpl tenantBindingConfigReader =
}
}
-
public void createDefaultServicePermissions() {
for (String tenantId : tenantBindings.keySet()) {
List<Permission> perms = createDefaultServicePermissions(tenantId);
ArrayList<Permission> apcList = new ArrayList<Permission>();
TenantBindingType tbinding = tenantBindings.get(tenantId);
for (ServiceBindingType sbinding : tbinding.getServiceBindings()) {
- Permission accPerm = buildCommonPermission(tbinding.getId(),
- sbinding.getName());
- apcList.add(accPerm);
+
+ //add permissions for the main path
+ Permission perm = buildCommonPermission(tbinding.getId(),
+ sbinding.getName().toLowerCase());
+ apcList.add(perm);
+
+ //add permissions for alternate paths
+ List<String> uriPaths = sbinding.getUriPath();
+ for (String uriPath : uriPaths) {
+ perm = buildCommonPermission(tbinding.getId(),
+ uriPath.toLowerCase());
+ apcList.add(perm);
+ }
+
}
return apcList;
}
-
private Permission buildCommonPermission(String tenantId, String resourceName) {
String id = UUID.randomUUID().toString();
Permission perm = new Permission();
return permList;
}
- public void createDefaultPermissionsRoles(String roleName) {
+ public void createDefaultPermissionsRoles() {
for (Permission p : permList) {
- PermissionRole permRole = buildCommonPermissionRoles(p.getTenantId(), p.getCsid(),
- p.getResourceName(), roleName);
- permRoleList.add(permRole);
+ TenantBindingType tbinding = tenantBindings.get(p.getTenantId());
+// String tenantAdminRole = getTenantAdminRole(tbinding.getName());
+// PermissionRole permRole = buildCommonPermissionRoles(p.getTenantId(), p.getCsid(),
+// p.getResourceName(), tenantAdminRole, "999");
+// permRoleList.add(permRole);
+
+ //CSpace Administrator has all access
+ PermissionRole permAdmRole = buildCommonPermissionRoles(p.getTenantId(), p.getCsid(),
+ p.getResourceName(), ROLE_ADMINISTRATOR, "1");
+ permRoleList.add(permAdmRole);
}
}
- public List<PermissionRole> createPermissionsRoles(List<Permission> perms, String roleName) {
+ public List<PermissionRole> createPermissionsRoles(List<Permission> perms, String roleName, String roleId) {
List<PermissionRole> permRoles = new ArrayList<PermissionRole>();
for (Permission p : perms) {
PermissionRole permRole = buildCommonPermissionRoles(p.getTenantId(), p.getCsid(),
- p.getResourceName(), roleName);
+ p.getResourceName(), roleName, roleId);
permRoles.add(permRole);
}
return permRoles;
}
private PermissionRole buildCommonPermissionRoles(String tenantId, String permId,
- String resName, String roleName) {
+ String resName, String roleName, String roleId) {
PermissionRole pr = new PermissionRole();
pr.setSubject(SubjectType.ROLE);
List<RoleValue> roleValues = new ArrayList<RoleValue>();
RoleValue radmin = new RoleValue();
radmin.setRoleName(roleName.toUpperCase());
- radmin.setRoleId(tenantId);
+ radmin.setRoleId(roleId);
roleValues.add(radmin);
pr.setRoles(roleValues);
return pr;
}
+ /**
+ * getTenantAdminRole generates role for tenant administrator
+ * @param tenantName
+ * @return
+ */
+ private String getTenantAdminRole(String tenantName) {
+ tenantName = tenantName.toUpperCase();
+ tenantName = tenantName.replace(' ', '_');
+ return ROLE_ADMINISTRATOR + "_" + tenantName;
+ }
+
public List<PermissionRole> getDefaultServicePermissionRoles() {
return permRoleList;
}
import org.slf4j.LoggerFactory;
import org.collectionspace.services.authorization.AuthZ;
import org.collectionspace.services.authorization.CSpaceAction;
+import org.collectionspace.services.authorization.EffectType;
import org.collectionspace.services.authorization.Permission;
import org.collectionspace.services.authorization.PermissionAction;
import org.collectionspace.services.authorization.PermissionException;
CSpaceAction action = getAction(permAction.getName());
URIResourceImpl uriRes = new URIResourceImpl(perm.getTenantId(),
perm.getResourceName(), action);
- AuthZ.get().addPermissions(uriRes, principals.toArray(new String[0]));
+ boolean grant = perm.getEffect().equals(EffectType.PERMIT) ? true : false;
+ AuthZ.get().addPermissions(uriRes, principals.toArray(new String[0]), grant);
}
}
<permissionRole>
<subject>ROLE</subject>
<permission>
- <permissionId>c254348f-e5d0-4db9-8634-ed0b47887826</permissionId>
+ <permissionId>6d0904e3-1c2a-4944-ad0a-af81137ad241</permissionId>
+ <resourceName>idgenerators</resourceName>
+ </permission>
+ <role>
+ <roleId>1</roleId>
+ <roleName>ROLE_ADMINISTRATOR</roleName>
+ </role>
+ </permissionRole>
+ <permissionRole>
+ <subject>ROLE</subject>
+ <permission>
+ <permissionId>7ca72d08-8540-406f-a209-635260a3e2e3</permissionId>
+ <resourceName>id</resourceName>
+ </permission>
+ <role>
+ <roleId>1</roleId>
+ <roleName>ROLE_ADMINISTRATOR</roleName>
+ </role>
+ </permissionRole>
+ <permissionRole>
+ <subject>ROLE</subject>
+ <permission>
+ <permissionId>98df1810-145f-4366-9f38-8081daf99aba</permissionId>
+ <resourceName>
+ /idgenerators/*/ids
+ </resourceName>
+ </permission>
+ <role>
+ <roleId>1</roleId>
+ <roleName>ROLE_ADMINISTRATOR</roleName>
+ </role>
+ </permissionRole>
+ <permissionRole>
+ <subject>ROLE</subject>
+ <permission>
+ <permissionId>1ceb338a-be76-4913-86dc-bb51f29228c9</permissionId>
<resourceName>collectionobjects</resourceName>
</permission>
<role>
<permissionRole>
<subject>ROLE</subject>
<permission>
- <permissionId>964b5187-fda0-4e2d-8873-0c235acf1796</permissionId>
+ <permissionId>43ebe549-645a-4c0a-9b77-630d26120a6a</permissionId>
+ <resourceName>
+ /collectionobjects/*/authorityrefs/
+ </resourceName>
+ </permission>
+ <role>
+ <roleId>1</roleId>
+ <roleName>ROLE_ADMINISTRATOR</roleName>
+ </role>
+ </permissionRole>
+ <permissionRole>
+ <subject>ROLE</subject>
+ <permission>
+ <permissionId>447f0bbf-9025-4fbf-bc1e-e94b33e4fab4</permissionId>
<resourceName>intakes</resourceName>
</permission>
<role>
<permissionRole>
<subject>ROLE</subject>
<permission>
- <permissionId>e1eff972-65f0-4213-9d91-e5eaad58fd5d</permissionId>
+ <permissionId>6ae8ba20-9d5c-4022-82fb-2147aaad5db5</permissionId>
+ <resourceName>
+ /intakes/*/authorityrefs/
+ </resourceName>
+ </permission>
+ <role>
+ <roleId>1</roleId>
+ <roleName>ROLE_ADMINISTRATOR</roleName>
+ </role>
+ </permissionRole>
+ <permissionRole>
+ <subject>ROLE</subject>
+ <permission>
+ <permissionId>457959c6-26b4-4c27-9ef2-702b46388322</permissionId>
<resourceName>loansin</resourceName>
</permission>
<role>
<permissionRole>
<subject>ROLE</subject>
<permission>
- <permissionId>ded1f92e-6b57-43ee-bc94-19e32bae9822</permissionId>
+ <permissionId>b6cf71bc-f0f9-429e-b1f8-2179174c26b4</permissionId>
+ <resourceName>
+ /loansin/*/authorityrefs/
+ </resourceName>
+ </permission>
+ <role>
+ <roleId>1</roleId>
+ <roleName>ROLE_ADMINISTRATOR</roleName>
+ </role>
+ </permissionRole>
+ <permissionRole>
+ <subject>ROLE</subject>
+ <permission>
+ <permissionId>5ed1e42d-ac29-457e-b120-4e90ae64e5c0</permissionId>
<resourceName>loansout</resourceName>
</permission>
<role>
<permissionRole>
<subject>ROLE</subject>
<permission>
- <permissionId>428a7c8c-a3cf-4616-a439-65ce41566fba</permissionId>
+ <permissionId>51398d80-c7cb-42bc-ae19-f8785e760d8a</permissionId>
+ <resourceName>
+ /loansout/*/authorityrefs/
+ </resourceName>
+ </permission>
+ <role>
+ <roleId>1</roleId>
+ <roleName>ROLE_ADMINISTRATOR</roleName>
+ </role>
+ </permissionRole>
+ <permissionRole>
+ <subject>ROLE</subject>
+ <permission>
+ <permissionId>f243161f-b4f7-49d3-a677-011aff503e4b</permissionId>
<resourceName>movements</resourceName>
</permission>
<role>
<permissionRole>
<subject>ROLE</subject>
<permission>
- <permissionId>e2189ea7-1710-443a-a2a9-0c3d8ee256b1</permissionId>
+ <permissionId>a4c44ee5-a2e4-4ae1-96f2-d518b52c671d</permissionId>
+ <resourceName>
+ /movements/*/authorityrefs/
+ </resourceName>
+ </permission>
+ <role>
+ <roleId>1</roleId>
+ <roleName>ROLE_ADMINISTRATOR</roleName>
+ </role>
+ </permissionRole>
+ <permissionRole>
+ <subject>ROLE</subject>
+ <permission>
+ <permissionId>05683f59-425c-4905-a409-afc431575f00</permissionId>
<resourceName>vocabularies</resourceName>
</permission>
<role>
<permissionRole>
<subject>ROLE</subject>
<permission>
- <permissionId>9d132fbd-0f5a-42cb-bae3-117b2f71dff8</permissionId>
+ <permissionId>871a2940-e0f5-4b1e-883f-5c82f8b54bc1</permissionId>
<resourceName>vocabularyitems</resourceName>
</permission>
<role>
<permissionRole>
<subject>ROLE</subject>
<permission>
- <permissionId>293a5a44-4e91-4bee-b85e-ceacd6e213bb</permissionId>
+ <permissionId>59308529-1b27-4b64-a416-0e7c4111298d</permissionId>
+ <resourceName>
+ /vocabularies/*/items/
+ </resourceName>
+ </permission>
+ <role>
+ <roleId>1</roleId>
+ <roleName>ROLE_ADMINISTRATOR</roleName>
+ </role>
+ </permissionRole>
+ <permissionRole>
+ <subject>ROLE</subject>
+ <permission>
+ <permissionId>ba1e62dc-a307-43ac-9bf4-c5ebd5b2c5a9</permissionId>
<resourceName>orgauthorities</resourceName>
</permission>
<role>
<permissionRole>
<subject>ROLE</subject>
<permission>
- <permissionId>c1a81f3f-e95d-4e04-bbdd-54b9f5c8ff86</permissionId>
+ <permissionId>ea432445-4b14-4f95-8c7c-9df78aca1014</permissionId>
+ <resourceName>
+ /orgauthorities/*/items/*/authorityrefs/
+ </resourceName>
+ </permission>
+ <role>
+ <roleId>1</roleId>
+ <roleName>ROLE_ADMINISTRATOR</roleName>
+ </role>
+ </permissionRole>
+ <permissionRole>
+ <subject>ROLE</subject>
+ <permission>
+ <permissionId>eb0fcb27-0fa4-4bef-926a-4d2c61fab1ae</permissionId>
<resourceName>organizations</resourceName>
</permission>
<role>
<permissionRole>
<subject>ROLE</subject>
<permission>
- <permissionId>986a2192-13cf-4985-a1ce-bf38337a1d2c</permissionId>
+ <permissionId>c1dd9142-3b30-4eda-a0ad-1500363d46f8</permissionId>
+ <resourceName>
+ /orgauthorities/*/items/
+ </resourceName>
+ </permission>
+ <role>
+ <roleId>1</roleId>
+ <roleName>ROLE_ADMINISTRATOR</roleName>
+ </role>
+ </permissionRole>
+ <permissionRole>
+ <subject>ROLE</subject>
+ <permission>
+ <permissionId>96f95210-28ab-4afc-bac9-60f36fac7f62</permissionId>
+ <resourceName>
+ /orgauthorities/*/items/*/refobjs
+ </resourceName>
+ </permission>
+ <role>
+ <roleId>1</roleId>
+ <roleName>ROLE_ADMINISTRATOR</roleName>
+ </role>
+ </permissionRole>
+ <permissionRole>
+ <subject>ROLE</subject>
+ <permission>
+ <permissionId>7edd3f7a-5c1a-49fa-8637-a3a6060f774c</permissionId>
<resourceName>personauthorities</resourceName>
</permission>
<role>
<permissionRole>
<subject>ROLE</subject>
<permission>
- <permissionId>a82b6feb-6dce-4029-9046-f2830f8b64fc</permissionId>
+ <permissionId>b349723a-b280-4529-9aec-65cc2c27ff7e</permissionId>
+ <resourceName>
+ /personauthorities/*/items/
+ </resourceName>
+ </permission>
+ <role>
+ <roleId>1</roleId>
+ <roleName>ROLE_ADMINISTRATOR</roleName>
+ </role>
+ </permissionRole>
+ <permissionRole>
+ <subject>ROLE</subject>
+ <permission>
+ <permissionId>d984acd2-ece2-4237-9e09-a9338c8911dd</permissionId>
+ <resourceName>
+ /personauthorities/*/items/*/refobjs
+ </resourceName>
+ </permission>
+ <role>
+ <roleId>1</roleId>
+ <roleName>ROLE_ADMINISTRATOR</roleName>
+ </role>
+ </permissionRole>
+ <permissionRole>
+ <subject>ROLE</subject>
+ <permission>
+ <permissionId>3f497baa-d97f-433b-8a01-b01e8b5a583e</permissionId>
<resourceName>persons</resourceName>
</permission>
<role>
<permissionRole>
<subject>ROLE</subject>
<permission>
- <permissionId>314b45b4-b3d0-4b0c-bd9b-c9d4f41bf963</permissionId>
+ <permissionId>cc6ed459-a4c9-4126-8753-ebdef3f6ab56</permissionId>
+ <resourceName>
+ /personauthorities/*/items/
+ </resourceName>
+ </permission>
+ <role>
+ <roleId>1</roleId>
+ <roleName>ROLE_ADMINISTRATOR</roleName>
+ </role>
+ </permissionRole>
+ <permissionRole>
+ <subject>ROLE</subject>
+ <permission>
+ <permissionId>a045f459-84e0-4f1d-ba4d-33b976b58dac</permissionId>
<resourceName>locationauthorities</resourceName>
</permission>
<role>
<permissionRole>
<subject>ROLE</subject>
<permission>
- <permissionId>fd66abf5-6022-4e21-8f83-750ba5dc79be</permissionId>
+ <permissionId>da805588-5f6d-4ae5-8626-8c3d4fcbd6c2</permissionId>
+ <resourceName>
+ /locationauthorities/*/items/
+ </resourceName>
+ </permission>
+ <role>
+ <roleId>1</roleId>
+ <roleName>ROLE_ADMINISTRATOR</roleName>
+ </role>
+ </permissionRole>
+ <permissionRole>
+ <subject>ROLE</subject>
+ <permission>
+ <permissionId>3521bf00-a2b9-4a61-98c6-f46157bd70e5</permissionId>
<resourceName>locations</resourceName>
</permission>
<role>
<permissionRole>
<subject>ROLE</subject>
<permission>
- <permissionId>10b20df4-d9bc-4b51-88bb-9051342c05c9</permissionId>
+ <permissionId>29bbddcd-64e3-4c72-8d4e-c7d2686ee30f</permissionId>
<resourceName>acquisitions</resourceName>
</permission>
<role>
<permissionRole>
<subject>ROLE</subject>
<permission>
- <permissionId>0f606175-cf1f-4c8b-9216-8fac556db213</permissionId>
+ <permissionId>a497fed0-b2f9-49f1-aeac-e3a148ce8cde</permissionId>
+ <resourceName>
+ /acquisitions/*/authorityrefs/
+ </resourceName>
+ </permission>
+ <role>
+ <roleId>1</roleId>
+ <roleName>ROLE_ADMINISTRATOR</roleName>
+ </role>
+ </permissionRole>
+ <permissionRole>
+ <subject>ROLE</subject>
+ <permission>
+ <permissionId>3203c248-2ad3-4b5c-8c9f-04d3608e2370</permissionId>
<resourceName>relations</resourceName>
</permission>
<role>
<permissionRole>
<subject>ROLE</subject>
<permission>
- <permissionId>2537caa4-4859-43f4-a92b-630b38336f62</permissionId>
+ <permissionId>78ee728f-35e0-41d1-ae87-af1a84846bc8</permissionId>
+ <resourceName>
+ relations/subject/*/type/*/object/*
+ </resourceName>
+ </permission>
+ <role>
+ <roleId>1</roleId>
+ <roleName>ROLE_ADMINISTRATOR</roleName>
+ </role>
+ </permissionRole>
+ <permissionRole>
+ <subject>ROLE</subject>
+ <permission>
+ <permissionId>749e6ff2-db57-40a2-8888-922c516a66db</permissionId>
<resourceName>accounts</resourceName>
</permission>
<role>
<permissionRole>
<subject>ROLE</subject>
<permission>
- <permissionId>a1c13748-f404-4a72-a7b2-e0599316828c</permissionId>
+ <permissionId>75c36eaa-ccf5-4122-b3cd-5a4b9a071a15</permissionId>
<resourceName>dimensions</resourceName>
</permission>
<role>
<permissionRole>
<subject>ROLE</subject>
<permission>
- <permissionId>ab6d047b-a685-4f7d-b708-846a155f1fea</permissionId>
+ <permissionId>3d1b9ce5-2ad7-4e6a-a7d8-a125bdf2c8b6</permissionId>
<resourceName>contacts</resourceName>
</permission>
<role>
<permissionRole>
<subject>ROLE</subject>
<permission>
- <permissionId>d5f1cb1e-1aa7-48a2-a32b-4b9cca3b3169</permissionId>
+ <permissionId>c0937cac-e60d-4d61-b1cc-6ba119e40faa</permissionId>
+ <resourceName>
+ /personauthorities/*/items/*/contacts
+ </resourceName>
+ </permission>
+ <role>
+ <roleId>1</roleId>
+ <roleName>ROLE_ADMINISTRATOR</roleName>
+ </role>
+ </permissionRole>
+ <permissionRole>
+ <subject>ROLE</subject>
+ <permission>
+ <permissionId>3c04ae32-03ff-4ef5-a6ed-13af7394417b</permissionId>
+ <resourceName>
+ /orgauthorities/*/items/*/contacts
+ </resourceName>
+ </permission>
+ <role>
+ <roleId>1</roleId>
+ <roleName>ROLE_ADMINISTRATOR</roleName>
+ </role>
+ </permissionRole>
+ <permissionRole>
+ <subject>ROLE</subject>
+ <permission>
+ <permissionId>6fc381f7-3220-4fab-a382-76bd1e56d8bf</permissionId>
<resourceName>notes</resourceName>
</permission>
<role>
<permissionRole>
<subject>ROLE</subject>
<permission>
- <permissionId>eea3a150-0eb7-4061-937d-d35fbe11f55a</permissionId>
+ <permissionId>b9a7f2b4-443e-4b9c-8a0c-f21885001e10</permissionId>
<resourceName>authorization/roles</resourceName>
</permission>
<role>
<permissionRole>
<subject>ROLE</subject>
<permission>
- <permissionId>d694674b-fe0c-4769-8615-9e7f482bbbdc</permissionId>
+ <permissionId>3978c246-704e-4a13-83f7-90c8f8c0e677</permissionId>
<resourceName>authorization/permissions</resourceName>
</permission>
<role>
<permissionRole>
<subject>ROLE</subject>
<permission>
- <permissionId>d712beb5-bd4c-435f-a631-ab5eccae0462</permissionId>
- <resourceName>authorization/permroles</resourceName>
+ <permissionId>09a1e617-e852-4f42-a4c5-0c30388cd1f2</permissionId>
+ <resourceName>authorization/permissions/permroles</resourceName>
+ </permission>
+ <role>
+ <roleId>1</roleId>
+ <roleName>ROLE_ADMINISTRATOR</roleName>
+ </role>
+ </permissionRole>
+ <permissionRole>
+ <subject>ROLE</subject>
+ <permission>
+ <permissionId>e8260135-bd04-472b-b19b-0a2859ce4710</permissionId>
+ <resourceName>
+ /authorization/permissions/*/permroles/
+ </resourceName>
</permission>
<role>
<roleId>1</roleId>
<permissionRole>
<subject>ROLE</subject>
<permission>
- <permissionId>85a25c1b-0cb7-4df1-a447-eee665e693f9</permissionId>
+ <permissionId>fa6547b0-9539-4cee-b4e0-0110da144f47</permissionId>
<resourceName>accounts/accountroles</resourceName>
</permission>
<role>
<roleName>ROLE_ADMINISTRATOR</roleName>
</role>
</permissionRole>
+ <permissionRole>
+ <subject>ROLE</subject>
+ <permission>
+ <permissionId>9c3fdc8d-907b-4de9-99fd-3b3fe6e20296</permissionId>
+ <resourceName>
+ /accounts/*/accountroles/
+ </resourceName>
+ </permission>
+ <role>
+ <roleId>1</roleId>
+ <roleName>ROLE_ADMINISTRATOR</roleName>
+ </role>
+ </permissionRole>
</ns2:permissions_roles_list>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns2:permissions_list xmlns:ns2="http://collectionspace.org/services/authorization">
- <permission csid="c254348f-e5d0-4db9-8634-ed0b47887826">
+ <permission csid="6d0904e3-1c2a-4944-ad0a-af81137ad241">
+ <resourceName>idgenerators</resourceName>
+ <action>
+ <name>CREATE</name>
+ </action>
+ <action>
+ <name>READ</name>
+ </action>
+ <action>
+ <name>UPDATE</name>
+ </action>
+ <action>
+ <name>DELETE</name>
+ </action>
+ <action>
+ <name>SEARCH</name>
+ </action>
+ <effect>PERMIT</effect>
+ <tenant_id>1</tenant_id>
+ </permission>
+ <permission csid="7ca72d08-8540-406f-a209-635260a3e2e3">
+ <resourceName>id</resourceName>
+ <action>
+ <name>CREATE</name>
+ </action>
+ <action>
+ <name>READ</name>
+ </action>
+ <action>
+ <name>UPDATE</name>
+ </action>
+ <action>
+ <name>DELETE</name>
+ </action>
+ <action>
+ <name>SEARCH</name>
+ </action>
+ <effect>PERMIT</effect>
+ <tenant_id>1</tenant_id>
+ </permission>
+ <permission csid="98df1810-145f-4366-9f38-8081daf99aba">
+ <resourceName>
+ /idgenerators/*/ids
+ </resourceName>
+ <action>
+ <name>CREATE</name>
+ </action>
+ <action>
+ <name>READ</name>
+ </action>
+ <action>
+ <name>UPDATE</name>
+ </action>
+ <action>
+ <name>DELETE</name>
+ </action>
+ <action>
+ <name>SEARCH</name>
+ </action>
+ <effect>PERMIT</effect>
+ <tenant_id>1</tenant_id>
+ </permission>
+ <permission csid="1ceb338a-be76-4913-86dc-bb51f29228c9">
<resourceName>collectionobjects</resourceName>
<action>
<name>CREATE</name>
<effect>PERMIT</effect>
<tenant_id>1</tenant_id>
</permission>
- <permission csid="964b5187-fda0-4e2d-8873-0c235acf1796">
+ <permission csid="43ebe549-645a-4c0a-9b77-630d26120a6a">
+ <resourceName>
+ /collectionobjects/*/authorityrefs/
+ </resourceName>
+ <action>
+ <name>CREATE</name>
+ </action>
+ <action>
+ <name>READ</name>
+ </action>
+ <action>
+ <name>UPDATE</name>
+ </action>
+ <action>
+ <name>DELETE</name>
+ </action>
+ <action>
+ <name>SEARCH</name>
+ </action>
+ <effect>PERMIT</effect>
+ <tenant_id>1</tenant_id>
+ </permission>
+ <permission csid="447f0bbf-9025-4fbf-bc1e-e94b33e4fab4">
<resourceName>intakes</resourceName>
<action>
<name>CREATE</name>
<effect>PERMIT</effect>
<tenant_id>1</tenant_id>
</permission>
- <permission csid="e1eff972-65f0-4213-9d91-e5eaad58fd5d">
+ <permission csid="6ae8ba20-9d5c-4022-82fb-2147aaad5db5">
+ <resourceName>
+ /intakes/*/authorityrefs/
+ </resourceName>
+ <action>
+ <name>CREATE</name>
+ </action>
+ <action>
+ <name>READ</name>
+ </action>
+ <action>
+ <name>UPDATE</name>
+ </action>
+ <action>
+ <name>DELETE</name>
+ </action>
+ <action>
+ <name>SEARCH</name>
+ </action>
+ <effect>PERMIT</effect>
+ <tenant_id>1</tenant_id>
+ </permission>
+ <permission csid="457959c6-26b4-4c27-9ef2-702b46388322">
<resourceName>loansin</resourceName>
<action>
<name>CREATE</name>
<effect>PERMIT</effect>
<tenant_id>1</tenant_id>
</permission>
- <permission csid="ded1f92e-6b57-43ee-bc94-19e32bae9822">
+ <permission csid="b6cf71bc-f0f9-429e-b1f8-2179174c26b4">
+ <resourceName>
+ /loansin/*/authorityrefs/
+ </resourceName>
+ <action>
+ <name>CREATE</name>
+ </action>
+ <action>
+ <name>READ</name>
+ </action>
+ <action>
+ <name>UPDATE</name>
+ </action>
+ <action>
+ <name>DELETE</name>
+ </action>
+ <action>
+ <name>SEARCH</name>
+ </action>
+ <effect>PERMIT</effect>
+ <tenant_id>1</tenant_id>
+ </permission>
+ <permission csid="5ed1e42d-ac29-457e-b120-4e90ae64e5c0">
<resourceName>loansout</resourceName>
<action>
<name>CREATE</name>
<effect>PERMIT</effect>
<tenant_id>1</tenant_id>
</permission>
- <permission csid="428a7c8c-a3cf-4616-a439-65ce41566fba">
+ <permission csid="51398d80-c7cb-42bc-ae19-f8785e760d8a">
+ <resourceName>
+ /loansout/*/authorityrefs/
+ </resourceName>
+ <action>
+ <name>CREATE</name>
+ </action>
+ <action>
+ <name>READ</name>
+ </action>
+ <action>
+ <name>UPDATE</name>
+ </action>
+ <action>
+ <name>DELETE</name>
+ </action>
+ <action>
+ <name>SEARCH</name>
+ </action>
+ <effect>PERMIT</effect>
+ <tenant_id>1</tenant_id>
+ </permission>
+ <permission csid="f243161f-b4f7-49d3-a677-011aff503e4b">
<resourceName>movements</resourceName>
<action>
<name>CREATE</name>
<effect>PERMIT</effect>
<tenant_id>1</tenant_id>
</permission>
- <permission csid="e2189ea7-1710-443a-a2a9-0c3d8ee256b1">
+ <permission csid="a4c44ee5-a2e4-4ae1-96f2-d518b52c671d">
+ <resourceName>
+ /movements/*/authorityrefs/
+ </resourceName>
+ <action>
+ <name>CREATE</name>
+ </action>
+ <action>
+ <name>READ</name>
+ </action>
+ <action>
+ <name>UPDATE</name>
+ </action>
+ <action>
+ <name>DELETE</name>
+ </action>
+ <action>
+ <name>SEARCH</name>
+ </action>
+ <effect>PERMIT</effect>
+ <tenant_id>1</tenant_id>
+ </permission>
+ <permission csid="05683f59-425c-4905-a409-afc431575f00">
<resourceName>vocabularies</resourceName>
<action>
<name>CREATE</name>
<effect>PERMIT</effect>
<tenant_id>1</tenant_id>
</permission>
- <permission csid="9d132fbd-0f5a-42cb-bae3-117b2f71dff8">
+ <permission csid="871a2940-e0f5-4b1e-883f-5c82f8b54bc1">
<resourceName>vocabularyitems</resourceName>
<action>
<name>CREATE</name>
<effect>PERMIT</effect>
<tenant_id>1</tenant_id>
</permission>
- <permission csid="293a5a44-4e91-4bee-b85e-ceacd6e213bb">
+ <permission csid="59308529-1b27-4b64-a416-0e7c4111298d">
+ <resourceName>
+ /vocabularies/*/items/
+ </resourceName>
+ <action>
+ <name>CREATE</name>
+ </action>
+ <action>
+ <name>READ</name>
+ </action>
+ <action>
+ <name>UPDATE</name>
+ </action>
+ <action>
+ <name>DELETE</name>
+ </action>
+ <action>
+ <name>SEARCH</name>
+ </action>
+ <effect>PERMIT</effect>
+ <tenant_id>1</tenant_id>
+ </permission>
+ <permission csid="ba1e62dc-a307-43ac-9bf4-c5ebd5b2c5a9">
<resourceName>orgauthorities</resourceName>
<action>
<name>CREATE</name>
<effect>PERMIT</effect>
<tenant_id>1</tenant_id>
</permission>
- <permission csid="c1a81f3f-e95d-4e04-bbdd-54b9f5c8ff86">
+ <permission csid="ea432445-4b14-4f95-8c7c-9df78aca1014">
+ <resourceName>
+ /orgauthorities/*/items/*/authorityrefs/
+ </resourceName>
+ <action>
+ <name>CREATE</name>
+ </action>
+ <action>
+ <name>READ</name>
+ </action>
+ <action>
+ <name>UPDATE</name>
+ </action>
+ <action>
+ <name>DELETE</name>
+ </action>
+ <action>
+ <name>SEARCH</name>
+ </action>
+ <effect>PERMIT</effect>
+ <tenant_id>1</tenant_id>
+ </permission>
+ <permission csid="eb0fcb27-0fa4-4bef-926a-4d2c61fab1ae">
<resourceName>organizations</resourceName>
<action>
<name>CREATE</name>
<effect>PERMIT</effect>
<tenant_id>1</tenant_id>
</permission>
- <permission csid="986a2192-13cf-4985-a1ce-bf38337a1d2c">
+ <permission csid="c1dd9142-3b30-4eda-a0ad-1500363d46f8">
+ <resourceName>
+ /orgauthorities/*/items/
+ </resourceName>
+ <action>
+ <name>CREATE</name>
+ </action>
+ <action>
+ <name>READ</name>
+ </action>
+ <action>
+ <name>UPDATE</name>
+ </action>
+ <action>
+ <name>DELETE</name>
+ </action>
+ <action>
+ <name>SEARCH</name>
+ </action>
+ <effect>PERMIT</effect>
+ <tenant_id>1</tenant_id>
+ </permission>
+ <permission csid="96f95210-28ab-4afc-bac9-60f36fac7f62">
+ <resourceName>
+ /orgauthorities/*/items/*/refobjs
+ </resourceName>
+ <action>
+ <name>CREATE</name>
+ </action>
+ <action>
+ <name>READ</name>
+ </action>
+ <action>
+ <name>UPDATE</name>
+ </action>
+ <action>
+ <name>DELETE</name>
+ </action>
+ <action>
+ <name>SEARCH</name>
+ </action>
+ <effect>PERMIT</effect>
+ <tenant_id>1</tenant_id>
+ </permission>
+ <permission csid="7edd3f7a-5c1a-49fa-8637-a3a6060f774c">
<resourceName>personauthorities</resourceName>
<action>
<name>CREATE</name>
<effect>PERMIT</effect>
<tenant_id>1</tenant_id>
</permission>
- <permission csid="a82b6feb-6dce-4029-9046-f2830f8b64fc">
+ <permission csid="b349723a-b280-4529-9aec-65cc2c27ff7e">
+ <resourceName>
+ /personauthorities/*/items/
+ </resourceName>
+ <action>
+ <name>CREATE</name>
+ </action>
+ <action>
+ <name>READ</name>
+ </action>
+ <action>
+ <name>UPDATE</name>
+ </action>
+ <action>
+ <name>DELETE</name>
+ </action>
+ <action>
+ <name>SEARCH</name>
+ </action>
+ <effect>PERMIT</effect>
+ <tenant_id>1</tenant_id>
+ </permission>
+ <permission csid="d984acd2-ece2-4237-9e09-a9338c8911dd">
+ <resourceName>
+ /personauthorities/*/items/*/refobjs
+ </resourceName>
+ <action>
+ <name>CREATE</name>
+ </action>
+ <action>
+ <name>READ</name>
+ </action>
+ <action>
+ <name>UPDATE</name>
+ </action>
+ <action>
+ <name>DELETE</name>
+ </action>
+ <action>
+ <name>SEARCH</name>
+ </action>
+ <effect>PERMIT</effect>
+ <tenant_id>1</tenant_id>
+ </permission>
+ <permission csid="3f497baa-d97f-433b-8a01-b01e8b5a583e">
<resourceName>persons</resourceName>
<action>
<name>CREATE</name>
<effect>PERMIT</effect>
<tenant_id>1</tenant_id>
</permission>
- <permission csid="314b45b4-b3d0-4b0c-bd9b-c9d4f41bf963">
+ <permission csid="cc6ed459-a4c9-4126-8753-ebdef3f6ab56">
+ <resourceName>
+ /personauthorities/*/items/
+ </resourceName>
+ <action>
+ <name>CREATE</name>
+ </action>
+ <action>
+ <name>READ</name>
+ </action>
+ <action>
+ <name>UPDATE</name>
+ </action>
+ <action>
+ <name>DELETE</name>
+ </action>
+ <action>
+ <name>SEARCH</name>
+ </action>
+ <effect>PERMIT</effect>
+ <tenant_id>1</tenant_id>
+ </permission>
+ <permission csid="a045f459-84e0-4f1d-ba4d-33b976b58dac">
<resourceName>locationauthorities</resourceName>
<action>
<name>CREATE</name>
<effect>PERMIT</effect>
<tenant_id>1</tenant_id>
</permission>
- <permission csid="fd66abf5-6022-4e21-8f83-750ba5dc79be">
+ <permission csid="da805588-5f6d-4ae5-8626-8c3d4fcbd6c2">
+ <resourceName>
+ /locationauthorities/*/items/
+ </resourceName>
+ <action>
+ <name>CREATE</name>
+ </action>
+ <action>
+ <name>READ</name>
+ </action>
+ <action>
+ <name>UPDATE</name>
+ </action>
+ <action>
+ <name>DELETE</name>
+ </action>
+ <action>
+ <name>SEARCH</name>
+ </action>
+ <effect>PERMIT</effect>
+ <tenant_id>1</tenant_id>
+ </permission>
+ <permission csid="3521bf00-a2b9-4a61-98c6-f46157bd70e5">
<resourceName>locations</resourceName>
<action>
<name>CREATE</name>
<effect>PERMIT</effect>
<tenant_id>1</tenant_id>
</permission>
- <permission csid="10b20df4-d9bc-4b51-88bb-9051342c05c9">
+ <permission csid="29bbddcd-64e3-4c72-8d4e-c7d2686ee30f">
<resourceName>acquisitions</resourceName>
<action>
<name>CREATE</name>
<effect>PERMIT</effect>
<tenant_id>1</tenant_id>
</permission>
- <permission csid="0f606175-cf1f-4c8b-9216-8fac556db213">
+ <permission csid="a497fed0-b2f9-49f1-aeac-e3a148ce8cde">
+ <resourceName>
+ /acquisitions/*/authorityrefs/
+ </resourceName>
+ <action>
+ <name>CREATE</name>
+ </action>
+ <action>
+ <name>READ</name>
+ </action>
+ <action>
+ <name>UPDATE</name>
+ </action>
+ <action>
+ <name>DELETE</name>
+ </action>
+ <action>
+ <name>SEARCH</name>
+ </action>
+ <effect>PERMIT</effect>
+ <tenant_id>1</tenant_id>
+ </permission>
+ <permission csid="3203c248-2ad3-4b5c-8c9f-04d3608e2370">
<resourceName>relations</resourceName>
<action>
<name>CREATE</name>
<effect>PERMIT</effect>
<tenant_id>1</tenant_id>
</permission>
- <permission csid="2537caa4-4859-43f4-a92b-630b38336f62">
+ <permission csid="78ee728f-35e0-41d1-ae87-af1a84846bc8">
+ <resourceName>
+ relations/subject/*/type/*/object/*
+ </resourceName>
+ <action>
+ <name>CREATE</name>
+ </action>
+ <action>
+ <name>READ</name>
+ </action>
+ <action>
+ <name>UPDATE</name>
+ </action>
+ <action>
+ <name>DELETE</name>
+ </action>
+ <action>
+ <name>SEARCH</name>
+ </action>
+ <effect>PERMIT</effect>
+ <tenant_id>1</tenant_id>
+ </permission>
+ <permission csid="749e6ff2-db57-40a2-8888-922c516a66db">
<resourceName>accounts</resourceName>
<action>
<name>CREATE</name>
<effect>PERMIT</effect>
<tenant_id>1</tenant_id>
</permission>
- <permission csid="a1c13748-f404-4a72-a7b2-e0599316828c">
+ <permission csid="75c36eaa-ccf5-4122-b3cd-5a4b9a071a15">
<resourceName>dimensions</resourceName>
<action>
<name>CREATE</name>
<effect>PERMIT</effect>
<tenant_id>1</tenant_id>
</permission>
- <permission csid="ab6d047b-a685-4f7d-b708-846a155f1fea">
+ <permission csid="3d1b9ce5-2ad7-4e6a-a7d8-a125bdf2c8b6">
<resourceName>contacts</resourceName>
<action>
<name>CREATE</name>
<effect>PERMIT</effect>
<tenant_id>1</tenant_id>
</permission>
- <permission csid="d5f1cb1e-1aa7-48a2-a32b-4b9cca3b3169">
+ <permission csid="c0937cac-e60d-4d61-b1cc-6ba119e40faa">
+ <resourceName>
+ /personauthorities/*/items/*/contacts
+ </resourceName>
+ <action>
+ <name>CREATE</name>
+ </action>
+ <action>
+ <name>READ</name>
+ </action>
+ <action>
+ <name>UPDATE</name>
+ </action>
+ <action>
+ <name>DELETE</name>
+ </action>
+ <action>
+ <name>SEARCH</name>
+ </action>
+ <effect>PERMIT</effect>
+ <tenant_id>1</tenant_id>
+ </permission>
+ <permission csid="3c04ae32-03ff-4ef5-a6ed-13af7394417b">
+ <resourceName>
+ /orgauthorities/*/items/*/contacts
+ </resourceName>
+ <action>
+ <name>CREATE</name>
+ </action>
+ <action>
+ <name>READ</name>
+ </action>
+ <action>
+ <name>UPDATE</name>
+ </action>
+ <action>
+ <name>DELETE</name>
+ </action>
+ <action>
+ <name>SEARCH</name>
+ </action>
+ <effect>PERMIT</effect>
+ <tenant_id>1</tenant_id>
+ </permission>
+ <permission csid="6fc381f7-3220-4fab-a382-76bd1e56d8bf">
<resourceName>notes</resourceName>
<action>
<name>CREATE</name>
<effect>PERMIT</effect>
<tenant_id>1</tenant_id>
</permission>
- <permission csid="eea3a150-0eb7-4061-937d-d35fbe11f55a">
+ <permission csid="b9a7f2b4-443e-4b9c-8a0c-f21885001e10">
<resourceName>authorization/roles</resourceName>
<action>
<name>CREATE</name>
<effect>PERMIT</effect>
<tenant_id>1</tenant_id>
</permission>
- <permission csid="d694674b-fe0c-4769-8615-9e7f482bbbdc">
+ <permission csid="3978c246-704e-4a13-83f7-90c8f8c0e677">
<resourceName>authorization/permissions</resourceName>
<action>
<name>CREATE</name>
<effect>PERMIT</effect>
<tenant_id>1</tenant_id>
</permission>
- <permission csid="d712beb5-bd4c-435f-a631-ab5eccae0462">
- <resourceName>authorization/permroles</resourceName>
+ <permission csid="09a1e617-e852-4f42-a4c5-0c30388cd1f2">
+ <resourceName>authorization/permissions/permroles</resourceName>
<action>
<name>CREATE</name>
</action>
<effect>PERMIT</effect>
<tenant_id>1</tenant_id>
</permission>
- <permission csid="85a25c1b-0cb7-4df1-a447-eee665e693f9">
+ <permission csid="e8260135-bd04-472b-b19b-0a2859ce4710">
+ <resourceName>
+ /authorization/permissions/*/permroles/
+ </resourceName>
+ <action>
+ <name>CREATE</name>
+ </action>
+ <action>
+ <name>READ</name>
+ </action>
+ <action>
+ <name>UPDATE</name>
+ </action>
+ <action>
+ <name>DELETE</name>
+ </action>
+ <action>
+ <name>SEARCH</name>
+ </action>
+ <effect>PERMIT</effect>
+ <tenant_id>1</tenant_id>
+ </permission>
+ <permission csid="fa6547b0-9539-4cee-b4e0-0110da144f47">
<resourceName>accounts/accountroles</resourceName>
<action>
<name>CREATE</name>
<effect>PERMIT</effect>
<tenant_id>1</tenant_id>
</permission>
+ <permission csid="9c3fdc8d-907b-4de9-99fd-3b3fe6e20296">
+ <resourceName>
+ /accounts/*/accountroles/
+ </resourceName>
+ <action>
+ <name>CREATE</name>
+ </action>
+ <action>
+ <name>READ</name>
+ </action>
+ <action>
+ <name>UPDATE</name>
+ </action>
+ <action>
+ <name>DELETE</name>
+ </action>
+ <action>
+ <name>SEARCH</name>
+ </action>
+ <effect>PERMIT</effect>
+ <tenant_id>1</tenant_id>
+ </permission>
</ns2:permissions_list>
String tenantBindingFile = getTenantBindingFile();
authzGen.initialize(tenantBindingFile);
authzGen.createDefaultServicePermissions();
- authzGen.createDefaultPermissionsRoles("ROLE_ADMINISTRATOR");
+ //create default role(s) for the tenant and assign permissions
+ authzGen.createDefaultPermissionsRoles();
String exportDir = getExportDir();
authzGen.exportPermissions(exportDir + PERMISSION_FILE);
authzGen.exportPermissionRoles(exportDir + PERMISSION_ROLE_FILE);
<bean id="lookupStrategy" class="org.springframework.security.acls.jdbc.BasicLookupStrategy">
<constructor-arg ref="dataSource"/>
<constructor-arg ref="aclCache"/>
+ <constructor-arg ref="aclAuthorizationStrategy"/>
<constructor-arg>
- <bean class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
- <constructor-arg>
- <list>
- <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
- <constructor-arg value="ROLE_ADMINISTRATOR"/>
- </bean>
- <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
- <constructor-arg value="ROLE_ADMINISTRATOR"/>
- </bean>
- <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
- <constructor-arg value="ROLE_ADMINISTRATOR"/>
- </bean>
- </list>
- </constructor-arg>
- </bean>
+ <bean class="org.springframework.security.acls.domain.ConsoleAuditLogger"/>
</constructor-arg>
+ </bean>
+
+ <bean id="aclAuthorizationStrategy" class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
<constructor-arg>
- <bean class="org.springframework.security.acls.domain.ConsoleAuditLogger"/>
+ <list>
+ <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
+ <constructor-arg value="ROLE_ADMINISTRATOR"/>
+ </bean>
+ <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
+ <constructor-arg value="ROLE_ADMINISTRATOR"/>
+ </bean>
+ <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
+ <constructor-arg value="ROLE_ADMINISTRATOR"/>
+ </bean>
+ </list>
</constructor-arg>
</bean>
log4j.logger.org.jboss.resteasy=INFO\r
log4j.logger.org.hibernate=INFO\r
log4j.logger.org.hibernate.cfg=WARN\r
+log4j.logger.org.springframework=INFO\r
}
Permission result = null;
try {
- ServiceContext<Permission, Permission> ctx = createServiceContext((Permission)null, Permission.class);
+ ServiceContext<Permission, Permission> ctx = createServiceContext((Permission) null, Permission.class);
DocumentHandler handler = createDocumentHandler(ctx);
getStorageClient(ctx).get(ctx, csid, handler);
result = (Permission) ctx.getOutput();
@Context UriInfo ui) {
PermissionsList permissionList = new PermissionsList();
try {
- ServiceContext<Permission, Permission> ctx = createServiceContext((Permission)null, Permission.class);
+ ServiceContext<Permission, Permission> ctx = createServiceContext((Permission) null, Permission.class);
DocumentHandler handler = createDocumentHandler(ctx);
MultivaluedMap<String, String> queryParams = ui.getQueryParameters();
DocumentFilter myFilter = handler.createDocumentFilter();
try {
//FIXME ideally the following two ops shoudl be in the same tx CSPACE-658
//delete all relationships for this permission
- PermissionRoleSubResource subResource = new PermissionRoleSubResource();
+ PermissionRoleSubResource subResource =
+ new PermissionRoleSubResource(PermissionRoleSubResource.PERMISSION_PERMROLE_SERVICE);
subResource.deletePermissionRole(csid, SubjectType.ROLE);
//delete permissions at the provider too
//at the PermissionRoleSubResource/DocHandler levels, there is no visibility
//if permission is deleted
AuthorizationDelegate.deletePermissions(csid);
-
- ServiceContext<Permission, Permission> ctx = createServiceContext((Permission)null, Permission.class);
+
+ ServiceContext<Permission, Permission> ctx = createServiceContext((Permission) null, Permission.class);
getStorageClient(ctx).delete(ctx, csid);
return Response.status(HttpResponseCodes.SC_OK).build();
} catch (UnauthorizedException ue) {
throw new WebApplicationException(response);
}
try {
- PermissionRoleSubResource subResource = new PermissionRoleSubResource();
+ PermissionRoleSubResource subResource =
+ new PermissionRoleSubResource(PermissionRoleSubResource.PERMISSION_PERMROLE_SERVICE);
String permrolecsid = subResource.createPermissionRole(input, SubjectType.ROLE);
UriBuilder path = UriBuilder.fromResource(PermissionResource.class);
path.path(permCsid + "/permroles/" + permrolecsid);
}
PermissionRole result = null;
try {
- PermissionRoleSubResource subResource = new PermissionRoleSubResource();
+ PermissionRoleSubResource subResource =
+ new PermissionRoleSubResource(PermissionRoleSubResource.PERMISSION_PERMROLE_SERVICE);
//get relationships for a permission
result = subResource.getPermissionRole(permCsid, SubjectType.ROLE);
} catch (UnauthorizedException ue) {
throw new WebApplicationException(response);
}
try {
- PermissionRoleSubResource subResource = new PermissionRoleSubResource();
+ PermissionRoleSubResource subResource =
+ new PermissionRoleSubResource(PermissionRoleSubResource.PERMISSION_PERMROLE_SERVICE);
//delete all relationships for a permission
subResource.deletePermissionRole(permCsid, SubjectType.ROLE);
return Response.status(HttpResponseCodes.SC_OK).build();
public class PermissionRoleSubResource
extends AbstractCollectionSpaceResourceImpl<PermissionRole, PermissionRole> {
+ public final static String ROLE_PERMROLE_SERVICE = "authorization/roles/permroles";
+ public final static String PERMISSION_PERMROLE_SERVICE = "authorization/permissions/permroles";
//this service is never exposed as standalone RESTful service...just use unique
//service name to identify binding
/** The service name. */
- final private String serviceName = "authorization/permroles";
+ private String serviceName = "authorization/permroles";
/** The logger. */
final Logger logger = LoggerFactory.getLogger(PermissionRoleSubResource.class);
/** The storage client. */
final StorageClient storageClient = new JpaRelationshipStorageClient<PermissionRole>();
+ public PermissionRoleSubResource(String serviceName) {
+ this.serviceName = serviceName;
+ }
/* (non-Javadoc)
* @see org.collectionspace.services.common.AbstractCollectionSpaceResourceImpl#getVersionString()
*/
logger.debug("deletePermissionRole with csid=" + csid);
}
ServiceContext<PermissionRole, PermissionRole> ctx = createServiceContext((PermissionRole) null, subject);
- DocumentHandler handler = createDocumentHandler(ctx);
- getStorageClient(ctx).delete(ctx, csid, handler);
+ getStorageClient(ctx).delete(ctx, csid);
}
}
import org.collectionspace.services.authorization.AuthZ;
import org.collectionspace.services.authorization.CSpaceAction;
import org.collectionspace.services.authorization.CSpaceResource;
+import org.collectionspace.services.authorization.EffectType;
import org.collectionspace.services.authorization.Permission;
import org.collectionspace.services.authorization.PermissionAction;
import org.collectionspace.services.authorization.PermissionException;
-import org.collectionspace.services.authorization.PermissionNotFoundException;
import org.collectionspace.services.authorization.PermissionRole;
import org.collectionspace.services.authorization.PermissionValue;
import org.collectionspace.services.authorization.RoleValue;
import org.collectionspace.services.authorization.SubjectType;
import org.collectionspace.services.authorization.URIResourceImpl;
import org.collectionspace.services.common.context.ServiceContext;
+import org.collectionspace.services.common.document.DocumentNotFoundException;
import org.collectionspace.services.common.storage.jpa.JpaStorageUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
AuthZ authz = AuthZ.get();
if (subject.equals(SubjectType.ROLE)) {
PermissionValue pv = pr.getPermissions().get(0);
- CSpaceResource[] resources = getResources(pv.getPermissionId());
+ Permission p = getPermission(pv.getPermissionId());
+ if (p == null) {
+ String msg = "addPermissions: No permission found for id=" + pv.getPermissionId();
+ logger.error(msg);
+ throw new DocumentNotFoundException(msg);
+ }
+ CSpaceResource[] resources = getResources(p);
String[] roles = getRoles(pr.getRoles());
for (CSpaceResource res : resources) {
- authz.addPermissions(res, roles);
+ boolean grant = p.getEffect().equals(EffectType.PERMIT) ? true : false;
+ authz.addPermissions(res, roles, grant);
}
} else if (SubjectType.PERMISSION.equals(subject)) {
RoleValue rv = pr.getRoles().get(0);
String[] roles = {rv.getRoleName()};
for (PermissionValue pv : pr.getPermissions()) {
- CSpaceResource[] resources = getResources(pv.getPermissionId());
+ Permission p = getPermission(pv.getPermissionId());
+ if (p == null) {
+ String msg = "addPermissions: No permission found for id=" + pv.getPermissionId();
+ logger.error(msg);
+ continue;
+ }
+ CSpaceResource[] resources = getResources(p);
for (CSpaceResource res : resources) {
- authz.addPermissions(res, roles);
+ boolean grant = p.getEffect().equals(EffectType.PERMIT) ? true : false;
+ authz.addPermissions(res, roles, grant);
}
}
}
* @throws Exception
*/
static public void deletePermissions(String permCsid) throws Exception {
- CSpaceResource[] resources = getResources(permCsid);
+ Permission p = getPermission(permCsid);
+ if (p == null) {
+ String msg = "deletePermissions: No permission found for id=" + permCsid;
+ logger.error(msg);
+ throw new DocumentNotFoundException(msg);
+ }
+ CSpaceResource[] resources = getResources(p);
AuthZ authz = AuthZ.get();
for (CSpaceResource res : resources) {
authz.deletePermissions(res);
} catch (PermissionException pe) {
//perms are created downthere only if roles are related to the permissions
- logger.info("no permissions found in authz service provider for " +
- "permCsid=" + permCsid + " res=" + res.getId());
+ logger.info("no permissions found in authz service provider for "
+ + "permCsid=" + permCsid + " res=" + res.getId());
}
}
}
-
-
/**
* getRoles get roles (string) array from given RoleValue list
* @param rvl rolevalue list
* @see PermissionValue
* @see CSpaceResource
*/
- private static CSpaceResource[] getResources(String permCsid) {
+ private static CSpaceResource[] getResources(Permission p) {
List<CSpaceResource> rl = new ArrayList<CSpaceResource>();
- Permission p = (Permission) JpaStorageUtils.getEntity(permCsid,
- Permission.class);
- if (p != null) {
- for (PermissionAction pa : p.getActions()) {
- CSpaceResource res = new URIResourceImpl(p.getResourceName(),
- getAction(pa.getName()));
- rl.add(res);
- }
+ for (PermissionAction pa : p.getActions()) {
+
+ CSpaceResource res = new URIResourceImpl(p.getResourceName(),
+ getAction(pa.getName()));
+ rl.add(res);
}
return rl.toArray(new CSpaceResource[0]);
}
+ private static Permission getPermission(String permCsid) {
+ Permission p = (Permission) JpaStorageUtils.getEntity(permCsid,
+ Permission.class);
+ return p;
+ }
+
/**
* getAction is a convenience method to get corresponding action for
* given ActionType
* -action info is retrieved from the resource
* @param res
* @param principals
+ * * @param grant true to grant false to deny
*/
- public void addPermissions(CSpaceResource res, String[] principals) throws PermissionException {
+ public void addPermissions(CSpaceResource res, String[] principals, boolean grant) throws PermissionException {
CSpaceAction action = res.getAction();
- addPermissions(res, action, principals);
+ addPermissions(res, action, principals, grant);
}
/**
* @param res
* @parm action
* @param principals
+ * @param grant true to grant false to deny
*/
- public void addPermissions(CSpaceResource res, CSpaceAction action, String[] principals)
+ public void addPermissions(CSpaceResource res, CSpaceAction action, String[] principals, boolean grant)
throws PermissionException {
- provider.getPermissionManager().addPermissions(res, action, principals);
+ provider.getPermissionManager().addPermissions(res, action, principals, grant);
}
/**
return isAccessAllowed(res, action);
}
-
/**
* isAccessAllowed check if authenticated principal is allowed to invoke
* given action on given resource
if (id == null || id.isEmpty()) {
throw new IllegalArgumentException("id cannot be null or empty");
}
- this.id = id;
+ this.id = id.toLowerCase();
if (type == null) {
throw new IllegalArgumentException("type cannot be null");
}
* @param method an http method
*/
public URIResourceImpl(String uri, String method) {
- super(buildId(getParent(uri), getAction(method)),
+ super(buildId(uri, getAction(method)),
getAction(method), TYPE.URI);
this.uri = uri;
this.method = method;
* @param method an http method
*/
public URIResourceImpl(String tenantId, String uri, String method) {
- super(tenantId, buildId(getParent(uri), getAction(method)),
+ super(tenantId, buildId(uri, getAction(method)),
getAction(method), TYPE.URI);
this.uri = uri;
this.method = method;
/**
* constructor that is usually called from administrative interface
* uses current tenant id from the context
- * @param resourceName
+ * @param resourceName no leading / and no trailing / needed
* @param actionType
*/
public URIResourceImpl(String resourceName, CSpaceAction action) {
/**
* constructor that is usually called from administrative interface
* @param tenantId id of the tenant to which this resource is associated
- * @param resourceName
+ * @param resourceName no leading / and no trailing / needed
* @param actionType
*/
public URIResourceImpl(String tenantId, String resourceName, CSpaceAction action) {
}
private static String buildId(String resourceName, CSpaceAction action) {
- return resourceName + SEPARATOR_HASH + action.toString();
+ return sanitize(resourceName) + SEPARATOR_HASH + action.toString();
}
private static String getParent(String uri) {
return stz.nextToken();
}
+ private static String sanitize(String uri) {
+ uri = uri.trim();
+ if (uri.startsWith("/")) {
+ uri = uri.substring(1);
+ }
+ if (uri.endsWith("/")) {
+ uri = uri.substring(0, uri.length() - 1);
+ }
+ if (uri.endsWith("/*")) {
+ uri = uri.substring(0, uri.length() - 2);
+ }
+ return uri;
+ }
+
/**
* getAction is a conveneniece method to get action
* for given HTTP method invoked on the resource
return CSpaceAction.UPDATE;
} else if ("DELETE".equalsIgnoreCase(method)) {
return CSpaceAction.DELETE;
+ } else {
+ //for HEAD, OPTIONS, etc. return READ
+ return CSpaceAction.READ;
}
- throw new IllegalStateException("no method found!");
}
@Override
* @param res resource
* @param principals an array of principal names
* @action action on the resource
+ * @grant true to grant, false to deny
* @throws PermissionException
* @see CSpaceResource
* @see CSpaceAction
*/
- public void addPermissions(CSpaceResource res, CSpaceAction action, String[] principals)
+ public void addPermissions(CSpaceResource res, CSpaceAction action, String[] principals, boolean grant)
throws PermissionException;
/**
return permissionManager;
}
- static ObjectIdentity mapResource(CSpaceResource res) {
- return new ObjectIdentityImpl(res.getType().toString(),
- Long.valueOf(res.getId().hashCode()));
+ static Long getObjectIdentityIdentifier(CSpaceResource res) {
+ return Long.valueOf(res.getId().hashCode());
}
- static Sid[] mapPrincipal(String[] principals) {
+ static String getObjectIdentityType(CSpaceResource res) {
+ return res.getType().toString();
+ }
+
+ static ObjectIdentity getObjectIdentity(CSpaceResource res) {
+ return new ObjectIdentityImpl(getObjectIdentityType(res),
+ getObjectIdentityIdentifier(res));
+ }
+
+ static Sid[] getSids(String[] principals) {
ArrayList<Sid> sids = new ArrayList<Sid>();
for (String principal : principals) {
sids.add(new GrantedAuthoritySid(principal));
return sids.toArray(new Sid[0]);
}
- static Permission mapAction(CSpaceAction perm) {
+ static Permission getPermission(CSpaceAction perm) {
switch (perm) {
case ADMIN:
return BasePermission.ADMINISTRATION;
*/
package org.collectionspace.services.authorization.spring;
+import java.io.Serializable;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.collectionspace.services.authorization.CSpaceAction;
}
@Override
- public boolean hasPermission(CSpaceResource res, CSpaceAction perm) {
- PermissionEvaluator eval = provider.getProviderPermissionEvaluator();
- Permission p = SpringAuthorizationProvider.mapAction(perm);
+ public boolean hasPermission(CSpaceResource res, CSpaceAction action) {
+ Permission perm = SpringAuthorizationProvider.getPermission(action);
Authentication authToken = SecurityContextHolder.getContext().getAuthentication();
+ Serializable objectIdId = SpringAuthorizationProvider.getObjectIdentityIdentifier(res);
+ String objectIdType = SpringAuthorizationProvider.getObjectIdentityType(res);
+ PermissionEvaluator eval = provider.getProviderPermissionEvaluator();
return eval.hasPermission(authToken,
- Long.valueOf(res.getId().hashCode()),
- res.getType().toString(),
- p);
+ objectIdId, objectIdType, perm);
}
}
*/
public class SpringPermissionManager implements CSpacePermissionManager {
- final Log log = LogFactory.getLog(SpringPermissionEvaluator.class);
+ final Log log = LogFactory.getLog(SpringPermissionManager.class);
private SpringAuthorizationProvider provider;
SpringPermissionManager(SpringAuthorizationProvider provider) {
}
@Override
- public void addPermissions(CSpaceResource res, CSpaceAction action, String[] principals)
+ public void addPermissions(CSpaceResource res, CSpaceAction action, String[] principals, boolean grant)
throws PermissionException {
- ObjectIdentity oid = SpringAuthorizationProvider.mapResource(res);
- Sid[] sids = SpringAuthorizationProvider.mapPrincipal(principals);
- Permission p = SpringAuthorizationProvider.mapAction(action);
+ ObjectIdentity oid = SpringAuthorizationProvider.getObjectIdentity(res);
+ Sid[] sids = SpringAuthorizationProvider.getSids(principals);
+ Permission p = SpringAuthorizationProvider.getPermission(action);
TransactionStatus status = provider.beginTransaction("addPermssions");
//add permission for each sid
for (Sid sid : sids) {
try {
- addPermission(oid, p, sid);
+ addPermission(oid, p, sid, grant);
if (log.isDebugEnabled()) {
- log.debug("addpermissions(res,action,prin[]), success for "
+ log.debug("addpermissions(res,action,prin[], grant), success for "
+ " res=" + res.toString()
+ " action=" + action.toString()
+ + " grant=" + grant
+ " oid=" + oid.toString()
+ " perm=" + p.toString()
+ " sid=" + sid.toString());
} catch (AlreadyExistsException aex) {
if (log.isWarnEnabled()) {
- log.warn("addpermissions(res,action,prin[]) failed,"
+ log.warn("addpermissions(res,action,prin[], grant) failed,"
+ " oid=" + oid.toString()
+ " res=" + res.toString()
+ + " grant=" + grant
+ " action=" + action.toString()
+ " oid=" + oid.toString()
+ " perm=" + p.toString(), aex);
}
//keep going
} catch (Exception ex) {
- String msg = "addpermissions(res,action,prin[]) failed,"
+ String msg = "addpermissions(res,action,prin[], grant) failed,"
+ " oid=" + oid.toString()
+ " res=" + res.toString()
+ " action=" + action.toString()
+ " oid=" + oid.toString()
- + " perm=" + p.toString();
+ + " perm=" + p.toString()
+ + " grant=" + grant;
if (log.isDebugEnabled()) {
log.debug(msg, ex);
}
}//rof
provider.commitTransaction(status);
if (log.isDebugEnabled()) {
- log.debug("addpermissions(res,action,prin[]), success for "
+ log.debug("addpermissions(res,action,prin[], grant), success for "
+ " res=" + res.toString()
+ " action=" + action.toString()
+ + " grant=" + grant
+ " oid=" + oid.toString()
+ " perm=" + p.toString()
+ " sids=" + sids.toString());
@Override
public void deletePermissions(CSpaceResource res, CSpaceAction action, String[] principals)
throws PermissionNotFoundException, PermissionException {
- ObjectIdentity oid = SpringAuthorizationProvider.mapResource(res);
- Sid[] sids = SpringAuthorizationProvider.mapPrincipal(principals);
- Permission p = SpringAuthorizationProvider.mapAction(action);
+ ObjectIdentity oid = SpringAuthorizationProvider.getObjectIdentity(res);
+ Sid[] sids = SpringAuthorizationProvider.getSids(principals);
+ Permission p = SpringAuthorizationProvider.getPermission(action);
TransactionStatus status = provider.beginTransaction("deletePermssions");
//delete permission for each sid
for (Sid sid : sids) {
@Override
public void deletePermissions(CSpaceResource res, CSpaceAction action)
throws PermissionNotFoundException, PermissionException {
- ObjectIdentity oid = SpringAuthorizationProvider.mapResource(res);
- Permission p = SpringAuthorizationProvider.mapAction(action);
+ ObjectIdentity oid = SpringAuthorizationProvider.getObjectIdentity(res);
+ Permission p = SpringAuthorizationProvider.getPermission(action);
TransactionStatus status = provider.beginTransaction("deletePermssions");
try {
deletePermissions(oid, p, null);
@Override
public void deletePermissions(CSpaceResource res)
throws PermissionNotFoundException, PermissionException {
- ObjectIdentity oid = SpringAuthorizationProvider.mapResource(res);
+ ObjectIdentity oid = SpringAuthorizationProvider.getObjectIdentity(res);
TransactionStatus status = provider.beginTransaction("deletePermssion");
try {
provider.getProviderAclService().deleteAcl(oid, true);
}
private void addPermission(ObjectIdentity oid, Permission permission,
- Sid sid) throws PermissionException {
+ Sid sid, boolean grant) throws PermissionException {
MutableAcl acl;
try {
log.debug("addPermission: acl not found for oid=" + oid.toString()
+ " perm=" + permission.toString()
+ " sid=" + sid.toString()
+ + " grant=" + grant
+ " adding...");
}
acl = provider.getProviderAclService().createAcl(oid);
}
- acl.insertAce(acl.getEntries().size(), permission, sid, true);
+ acl.insertAce(acl.getEntries().size(), permission, sid, grant);
provider.getProviderAclService().updateAcl(acl);
if (log.isDebugEnabled()) {
log.debug("addPermission: added acl for oid=" + oid.toString()
+ " perm=" + permission.toString()
- + " sid=" + sid.toString());
+ + " sid=" + sid.toString()
+ + " grant=" + grant);
}
}
<bean id="lookupStrategy" class="org.springframework.security.acls.jdbc.BasicLookupStrategy">
<constructor-arg ref="dataSource"/>
<constructor-arg ref="aclCache"/>
- <constructor-arg>
- <bean class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
- <constructor-arg>
- <list>
- <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
- <constructor-arg value="ROLE_ADMINISTRATOR"/>
- </bean>
- <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
- <constructor-arg value="ROLE_ADMINISTRATOR"/>
- </bean>
- <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
- <constructor-arg value="ROLE_ADMINISTRATOR"/>
- </bean>
- </list>
- </constructor-arg>
- </bean>
- </constructor-arg>
+ <constructor-arg ref="aclAuthorizationStrategy"/>
<constructor-arg>
<bean class="org.springframework.security.acls.domain.ConsoleAuditLogger"/>
</constructor-arg>
</bean>
+ <bean id="aclAuthorizationStrategy" class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
+ <constructor-arg>
+ <list>
+ <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
+ <constructor-arg value="ROLE_ADMINISTRATOR"/>
+ </bean>
+ <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
+ <constructor-arg value="ROLE_ADMINISTRATOR"/>
+ </bean>
+ <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
+ <constructor-arg value="ROLE_ADMINISTRATOR"/>
+ </bean>
+ </list>
+ </constructor-arg>
+ </bean>
+
<bean id="aclCache" class="org.springframework.security.acls.domain.EhCacheBasedAclCache">
<constructor-arg>
<bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
>
<!-- begin movingimages.us tenant meta-data -->
<tenant:tenantBinding
- id="1" name="movingimages.us" displayName="Museum of Moving Images" version="0.1" repositoryDomain="default-domain">
+ id="1" name="movingimage.us" displayName="Museum of Moving Images" version="0.1" repositoryDomain="default-domain">
+ <!-- begin idgenerators service meta-data -->
+ <tenant:serviceBindings name="idgenerators" version="0.1">
+ <!-- other URI paths using which this service could be accessed -->
+
+ </tenant:serviceBindings>
+ <!-- end idgenerator service meta-data -->
+ <!-- begin id service meta-data -->
+ <tenant:serviceBindings name="id" version="0.1">
+ <!-- other URI paths using which this service could be accessed -->
+ <service:uriPath xmlns:service='http://collectionspace.org/services/common/service'>
+ /idgenerators/*/ids
+ </service:uriPath>
+ </tenant:serviceBindings>
<tenant:serviceBindings name="CollectionObjects" type="object" version="0.1">
<!-- begin collectionobject service meta-data -->
+ <!-- other URI paths using which this service could be accessed -->
+ <service:uriPath xmlns:service='http://collectionspace.org/services/common/service'>
+ /collectionobjects/*/authorityrefs/
+ </service:uriPath>
<service:repositoryClient xmlns:service='http://collectionspace.org/services/common/service'>
nuxeo-java
</service:repositoryClient>
<service:validatorHandler xmlns:service='http://collectionspace.org/services/common/service'>
org.collectionspace.services.collectionobject.nuxeo.CollectionObjectValidatorHandler
</service:validatorHandler>
- <service:properties xmlns:service='http://collectionspace.org/services/common/service'>
- <types:item><types:key>objectNameProperty</types:key><types:value>objectName</types:value></types:item>
- <types:item><types:key>objectNumberProperty</types:key><types:value>objectNumber</types:value></types:item>
- </service:properties>
- <service:object name="CollectionObject" version="0.1"
+ <service:properties xmlns:service='http://collectionspace.org/services/common/service'>
+ <types:item><types:key>objectNameProperty</types:key><types:value>objectName</types:value></types:item>
+ <types:item><types:key>objectNumberProperty</types:key><types:value>objectNumber</types:value></types:item>
+ </service:properties>
+ <!-- end id service meta-data -->
+ <service:object name="CollectionObject" version="0.1"
xmlns:service='http://collectionspace.org/services/common/service'>
<service:part id="0" control_group="Managed"
versionable="true" auditable="false"
<!--end collectionobject service meta-data -->
<!-- begin intake service meta-data -->
<tenant:serviceBindings name="Intakes" type="procedure" version="0.1">
+ <!-- other URI paths using which this service could be accessed -->
+ <service:uriPath xmlns:service='http://collectionspace.org/services/common/service'>
+ /intakes/*/authorityrefs/
+ </service:uriPath>
<service:repositoryClient xmlns:service='http://collectionspace.org/services/common/service'>
nuxeo-java
</service:repositoryClient>
<service:validatorHandler xmlns:service='http://collectionspace.org/services/common/service'>
org.collectionspace.services.intake.nuxeo.IntakeValidatorHandler
</service:validatorHandler>
- <service:properties xmlns:service='http://collectionspace.org/services/common/service'>
- <!-- What to use for name???
- <types:item><types:key>objectNameProperty</types:key><types:value>objectName</types:value></types:item> -->
- <types:item><types:key>objectNumberProperty</types:key><types:value>entryNumber</types:value></types:item>
- </service:properties>
+ <service:properties xmlns:service='http://collectionspace.org/services/common/service'>
+ <!-- What to use for name???
+ <types:item><types:key>objectNameProperty</types:key><types:value>objectName</types:value></types:item> -->
+ <types:item><types:key>objectNumberProperty</types:key><types:value>entryNumber</types:value></types:item>
+ </service:properties>
<service:object name="Intake" version="0.1"
xmlns:service='http://collectionspace.org/services/common/service'>
<service:part id="0" control_group="Managed"
<!-- end intake service meta-data -->
<!-- begin loanin service meta-data -->
<tenant:serviceBindings name="Loansin" type="procedure" version="0.1">
+ <!-- other URI paths using which this service could be accessed -->
+ <service:uriPath xmlns:service='http://collectionspace.org/services/common/service'>
+ /loansin/*/authorityrefs/
+ </service:uriPath>
<service:repositoryClient xmlns:service='http://collectionspace.org/services/common/service'>
nuxeo-java
</service:repositoryClient>
<service:validatorHandler xmlns:service='http://collectionspace.org/services/common/service'>
org.collectionspace.services.loanin.nuxeo.LoaninValidatorHandler
</service:validatorHandler>
- <service:properties xmlns:service='http://collectionspace.org/services/common/service'>
- <!-- What to use for name???
- <types:item><types:key>objectNameProperty</types:key><types:value>objectName</types:value></types:item> -->
- <types:item><types:key>objectNumberProperty</types:key><types:value>loanInNumber</types:value></types:item>
- </service:properties>
+ <service:properties xmlns:service='http://collectionspace.org/services/common/service'>
+ <!-- What to use for name???
+ <types:item><types:key>objectNameProperty</types:key><types:value>objectName</types:value></types:item> -->
+ <types:item><types:key>objectNumberProperty</types:key><types:value>loanInNumber</types:value></types:item>
+ </service:properties>
<service:object name="Loanin" version="0.1"
xmlns:service='http://collectionspace.org/services/common/service'>
<service:part id="0" control_group="Managed"
<!-- end loanin service meta-data -->
<!-- begin loanout service meta-data -->
<tenant:serviceBindings name="Loansout" type="procedure" version="0.1">
+ <!-- other URI paths using which this service could be accessed -->
+ <service:uriPath xmlns:service='http://collectionspace.org/services/common/service'>
+ /loansout/*/authorityrefs/
+ </service:uriPath>
<service:repositoryClient xmlns:service='http://collectionspace.org/services/common/service'>
nuxeo-java
</service:repositoryClient>
<types:item><types:key>authRef</types:key><types:value>borrowersContact</types:value></types:item>
<types:item><types:key>authRef</types:key><types:value>lendersAuthorizer</types:value></types:item>
<types:item><types:key>authRef</types:key><types:value>lendersContact</types:value></types:item>
- </service:properties>
+ </service:properties>
<service:content contentType="application/xml">
<service:xmlContent
namespaceURI="http://collectionspace.org/services/loanout"
<!-- end loanout service meta-data -->
<!-- begin movement service meta-data -->
<tenant:serviceBindings name="Movements" type="procedure" version="0.1">
+ <!-- other URI paths using which this service could be accessed -->
+ <service:uriPath xmlns:service='http://collectionspace.org/services/common/service'>
+ /movements/*/authorityrefs/
+ </service:uriPath>
<service:repositoryClient xmlns:service='http://collectionspace.org/services/common/service'>
nuxeo-java
</service:repositoryClient>
<!-- <types:item><types:key>authRef</types:key><types:value>currentLocation</types:value></types:item> -->
<!-- <types:item><types:key>authRef</types:key><types:value>normalLocation</types:value></types:item> -->
<types:item><types:key>authRef</types:key><types:value>movementContact</types:value></types:item>
- </service:properties>
+ </service:properties>
<service:content contentType="application/xml">
<service:xmlContent
namespaceURI="http://collectionspace.org/services/movement"
<!-- end movement service meta-data -->
<!-- begin vocabulary service meta-data -->
<tenant:serviceBindings name="Vocabularies" version="0.1">
+ <!-- other URI paths using which this service could be accessed -->
+
<service:repositoryClient xmlns:service='http://collectionspace.org/services/common/service'>
nuxeo-java
</service:repositoryClient>
Repository workspace so we have to configure that.
-->
<tenant:serviceBindings name="Vocabularyitems" version="0.1">
+ <!-- other URI paths using which this service could be accessed -->
+ <service:uriPath xmlns:service='http://collectionspace.org/services/common/service'>
+ /vocabularies/*/items/
+ </service:uriPath>
<service:repositoryClient xmlns:service='http://collectionspace.org/services/common/service'>
nuxeo-java
</service:repositoryClient>
<!-- end vocabulary service meta-data -->
<!-- begin orgauthority service meta-data -->
<tenant:serviceBindings name="Orgauthorities" version="0.1">
+ <!-- other URI paths using which this service could be accessed -->
+ <service:uriPath xmlns:service='http://collectionspace.org/services/common/service'>
+ /orgauthorities/*/items/*/authorityrefs/
+ </service:uriPath>
<service:repositoryClient xmlns:service='http://collectionspace.org/services/common/service'>
nuxeo-java
</service:repositoryClient>
Repository workspace so we have to configure that.
-->
<tenant:serviceBindings name="Organizations" version="0.1">
+ <!-- other URI paths using which this service could be accessed -->
+ <service:uriPath xmlns:service='http://collectionspace.org/services/common/service'>
+ /orgauthorities/*/items/
+ </service:uriPath>
+ <service:uriPath xmlns:service='http://collectionspace.org/services/common/service'>
+ /orgauthorities/*/items/*/refObjs
+ </service:uriPath>
<service:repositoryClient xmlns:service='http://collectionspace.org/services/common/service'>
nuxeo-java
</service:repositoryClient>
<service:part id="1" control_group="Managed"
versionable="true" auditable="false"
label="organizations_common" updated="" order="1">
- <service:properties>
- <types:item><types:key>authRef</types:key><types:value>contactName</types:value></types:item>
- </service:properties>
+ <service:properties>
+ <types:item><types:key>authRef</types:key><types:value>contactName</types:value></types:item>
+ </service:properties>
<service:content contentType="application/xml">
<service:xmlContent
<!-- end organization service meta-data -->
<!-- begin personauthority service meta-data -->
<tenant:serviceBindings name="Personauthorities" version="0.1">
+ <!-- other URI paths using which this service could be accessed -->
+ <service:uriPath xmlns:service='http://collectionspace.org/services/common/service'>
+ /personauthorities/*/items/
+ </service:uriPath>
+ <service:uriPath xmlns:service='http://collectionspace.org/services/common/service'>
+ /personauthorities/*/items/*/refObjs
+ </service:uriPath>
<service:repositoryClient xmlns:service='http://collectionspace.org/services/common/service'>
nuxeo-java
</service:repositoryClient>
Repository workspace so we have to configure that.
-->
<tenant:serviceBindings name="Persons" version="0.1">
+ <!-- other URI paths using which this service could be accessed -->
+ <service:uriPath xmlns:service='http://collectionspace.org/services/common/service'>
+ /personauthorities/*/items/
+ </service:uriPath>
<service:repositoryClient xmlns:service='http://collectionspace.org/services/common/service'>
nuxeo-java
</service:repositoryClient>
<!-- end person service meta-data -->
<!-- begin locationauthority service meta-data -->
<tenant:serviceBindings name="Locationauthorities" version="0.1">
+ <!-- other URI paths using which this service could be accessed -->
+ <service:uriPath xmlns:service='http://collectionspace.org/services/common/service'>
+ /locationauthorities/*/items/
+ </service:uriPath>
<service:repositoryClient xmlns:service='http://collectionspace.org/services/common/service'>
nuxeo-java
</service:repositoryClient>
<!-- end location service meta-data -->
<!-- begin acquisition service meta-data -->
<tenant:serviceBindings name="Acquisitions" type="procedure" version="0.1">
+ <!-- other URI paths using which this service could be accessed -->
+ <service:uriPath xmlns:service='http://collectionspace.org/services/common/service'>
+ /acquisitions/*/authorityrefs/
+ </service:uriPath>
<service:repositoryClient xmlns:service='http://collectionspace.org/services/common/service'>
nuxeo-java
</service:repositoryClient>
<service:validatorHandler xmlns:service='http://collectionspace.org/services/common/service'>
org.collectionspace.services.acquisition.nuxeo.AcquisitionValidatorHandler
</service:validatorHandler>
- <service:properties xmlns:service='http://collectionspace.org/services/common/service'>
- <!-- What to use for name???
- <types:item><types:key>objectNameProperty</types:key><types:value>objectName</types:value></types:item> -->
- <types:item><types:key>objectNumberProperty</types:key><types:value>acquisitionReferenceNumber</types:value></types:item>
- </service:properties>
+ <service:properties xmlns:service='http://collectionspace.org/services/common/service'>
+ <!-- What to use for name???
+ <types:item><types:key>objectNameProperty</types:key><types:value>objectName</types:value></types:item> -->
+ <types:item><types:key>objectNumberProperty</types:key><types:value>acquisitionReferenceNumber</types:value></types:item>
+ </service:properties>
<service:object name="Acquisition" version="0.1"
xmlns:service='http://collectionspace.org/services/common/service'>
<service:part id="0" control_group="Managed"
<!-- end acquisition service meta-data -->
<!-- begin relation service meta-data -->
<tenant:serviceBindings name="Relations" version="0.1">
+ <!-- other URI paths using which this service could be accessed -->'
+ <service:uriPath xmlns:service='http://collectionspace.org/services/common/service'>
+ relations/subject/*/type/*/object/*
+ </service:uriPath>
<service:repositoryClient xmlns:service='http://collectionspace.org/services/common/service'>
nuxeo-java
</service:repositoryClient>
<!-- end relation service meta-data -->
<!-- begin account service meta-data -->
<tenant:serviceBindings name="Accounts" version="0.1">
+ <!-- other URI paths using which this service could be accessed -->
+
<service:documentHandler xmlns:service='http://collectionspace.org/services/common/service'>
org.collectionspace.services.account.storage.AccountDocumentHandler
</service:documentHandler>
<!-- end account service meta-data -->
<!-- begin dimension service meta-data -->
<tenant:serviceBindings name="Dimensions" version="0.1">
+ <!-- other URI paths using which this service could be accessed -->
+
<service:repositoryClient xmlns:service='http://collectionspace.org/services/common/service'>
nuxeo-java
</service:repositoryClient>
<!-- end dimension service meta-data -->
<!-- begin contact service meta-data -->
<tenant:serviceBindings name="Contacts" version="0.1">
+ <!-- other URI paths using which this service could be accessed -->
+ <service:uriPath xmlns:service='http://collectionspace.org/services/common/service'>
+ /personauthorities/*/items/*/contacts
+ </service:uriPath>
+ <service:uriPath xmlns:service='http://collectionspace.org/services/common/service'>
+ /orgauthorities/*/items/*/contacts
+ </service:uriPath>
<service:repositoryClient xmlns:service='http://collectionspace.org/services/common/service'>
nuxeo-java
</service:repositoryClient>
<!-- end note service meta-data -->
<!-- begin role service meta-data -->
<tenant:serviceBindings name="authorization/roles" version="0.1">
+ <!-- other URI paths using which this service could be accessed -->
+
<service:documentHandler xmlns:service='http://collectionspace.org/services/common/service'>
org.collectionspace.services.authorization.storage.RoleDocumentHandler
</service:documentHandler>
<!-- end role service meta-data -->
<!-- begin permission service meta-data -->
<tenant:serviceBindings name="authorization/permissions" version="0.1">
+ <!-- other URI paths using which this service could be accessed -->
+
<service:documentHandler xmlns:service='http://collectionspace.org/services/common/service'>
org.collectionspace.services.authorization.storage.PermissionDocumentHandler
</service:documentHandler>
</tenant:serviceBindings>
<!-- end permission service meta-data -->
<!-- begin permission-role service meta-data -->
- <tenant:serviceBindings name="authorization/permroles" version="0.1">
+ <tenant:serviceBindings name="authorization/permissions/permroles" version="0.1">
+ <!-- other URI paths using which this service could be accessed -->
+ <service:uriPath xmlns:service='http://collectionspace.org/services/common/service'>
+ /authorization/permissions/*/permroles/
+ </service:uriPath>
<service:documentHandler xmlns:service='http://collectionspace.org/services/common/service'>
org.collectionspace.services.authorization.storage.PermissionRoleDocumentHandler
</service:documentHandler>
<!-- end permission-role service meta-data -->
<!-- begin account-role service meta-data -->
<tenant:serviceBindings name="accounts/accountroles" version="0.1">
+ <!-- other URI paths using which this service could be accessed -->
+ <service:uriPath xmlns:service='http://collectionspace.org/services/common/service'>
+ /accounts/*/accountroles/
+ </service:uriPath>
<service:documentHandler xmlns:service='http://collectionspace.org/services/common/service'>
org.collectionspace.services.account.storage.AccountRoleDocumentHandler
</service:documentHandler>
<!--service:validatorHandler xmlns:service='http://collectionspace.org/services/common/service'>
org.collectionspace.services.account.storage.AccountRoleDocumentHandler
</service:validatorHandler-->
- <service:object name="PermissionRole" version="0.1"
+ <service:object name="AccountRole" version="0.1"
xmlns:service='http://collectionspace.org/services/common/service'>
<service:part id="0" control_group="Managed"
versionable="true" auditable="false"
import org.jboss.resteasy.spi.HttpRequest;
import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
+import javax.ws.rs.core.UriInfo;
import javax.ws.rs.ext.Provider;
import org.collectionspace.authentication.AuthN;
import org.collectionspace.services.authorization.AuthZ;
if (logger.isDebugEnabled()) {
logger.debug("received " + httpMethod + " on " + uriPath);
}
+ String resName = getResourceName(request.getUri());
checkActive();
- if (uriPath.startsWith("dimensions")) {
- AuthZ authZ = AuthZ.get();
- CSpaceResource res = new URIResourceImpl(uriPath, httpMethod);
- if (!authZ.isAccessAllowed(res)) {
- logger.error("Access to " + res.getId() + " is NOT allowed to "
- + " user=" + AuthN.get().getUserId());
- Response response = Response.status(
- Response.Status.FORBIDDEN).entity(uriPath + " " + httpMethod).type("text/plain").build();
- throw new WebApplicationException(response);
- }
- if (logger.isDebugEnabled()) {
- logger.debug("Access to " + res.getId() + " is allowed to "
- + " user=" + AuthN.get().getUserId());
- }
+// if (uriPath.startsWith("dimensions")) {
+ AuthZ authZ = AuthZ.get();
+ CSpaceResource res = new URIResourceImpl(resName, httpMethod);
+ if (!authZ.isAccessAllowed(res)) {
+ logger.error("Access to " + res.getId() + " is NOT allowed to "
+ + " user=" + AuthN.get().getUserId());
+ Response response = Response.status(
+ Response.Status.FORBIDDEN).entity(uriPath + " " + httpMethod).type("text/plain").build();
+ throw new WebApplicationException(response);
+ }
+ if (logger.isDebugEnabled()) {
+ logger.debug("Access to " + res.getId() + " is allowed to "
+ + " user=" + AuthN.get().getUserId());
}
+// }
return null;
}
throw new WebApplicationException(response);
}
}
+
+ private String getResourceName(UriInfo uriInfo) {
+ String uriPath = uriInfo.getPath();
+ MultivaluedMap<String, String> pathParams = uriInfo.getPathParameters();
+ for (String pathParamName : pathParams.keySet()) {
+ //assumption : path params for csid for any entity has substring csid in name
+ String pathParamValue = pathParams.get(pathParamName).get(0);
+ if ((pathParamName.toLowerCase().indexOf("csid") > -1)) {
+ //replace csids with wildcard
+ uriPath = uriPath.replace(pathParamValue, "*");
+ }
+ if ((pathParamName.toLowerCase().indexOf("predicate") > -1)) {
+ //replace csids with wildcard
+ uriPath = uriPath.replace(pathParamValue, "*");
+ }
+ if (pathParamName.toLowerCase().indexOf("specifier") > -1) {
+ //replace name and specifiers with wildcard
+ uriPath = uriPath.replace("urn:cspace:name(" + pathParamValue
+ + ")", "*");
+ }
+ }
+ uriPath = uriPath.replace("//", "/");
+ return uriPath;
+ }
}
if (ctx == null) {
throw new IllegalArgumentException(
- "JpaRelationshipStorageClient.create : ctx is missing");
+ "create : ctx is missing");
}
if (handler == null) {
throw new IllegalArgumentException(
- "JpaRelationshipStorageClient.create: handler is missing");
+ "create: handler is missing");
}
EntityManagerFactory emf = null;
EntityManager em = null;
throws DocumentNotFoundException, DocumentException {
if (ctx == null) {
throw new IllegalArgumentException(
- "JpaRelationshipStorageClient.get: ctx is missing");
+ "get: ctx is missing");
}
if (handler == null) {
throw new IllegalArgumentException(
- "JpaRelationshipStorageClient.get: handler is missing");
+ "get: handler is missing");
}
if (getObject(ctx, id) == null) {
- String msg = "JpaRelationshipStorageClient.get: "
+ String msg = "get: "
+ "could not find the object entity with id=" + id;
logger.error(msg);
throw new DocumentNotFoundException(msg);
if (em != null && em.getTransaction().isActive()) {
em.getTransaction().rollback();
}
- String msg = "JpaRelationshipStorageClient.get: "
+ String msg = "get: "
+ " could not find entity with id=" + id;
logger.error(msg, nre);
throw new DocumentNotFoundException(msg, nre);
}
if (rl.size() == 0) {
- String msg = "JpaRelationshipStorageClient.get: "
+ String msg = "get: "
+ " could not find entity with id=" + id;
logger.error(msg);
throw new DocumentNotFoundException(msg);
if (ctx == null) {
throw new IllegalArgumentException(
- "JpaRelationshipStorageClient.delete : ctx is missing");
+ "delete : ctx is missing");
}
if (getObject(ctx, id) == null) {
- String msg = "JpaRelationshipStorageClient.delete : "
+ String msg = "delete : "
+ "could not find the object entity with id=" + id;
logger.error(msg);
throw new DocumentNotFoundException(msg);
if (ctx == null) {
throw new IllegalArgumentException(
- "JpaStorageClient.create: ctx is missing");
+ "create: ctx is missing");
}
if (handler == null) {
throw new IllegalArgumentException(
- "JpaStorageClient.create: handler is missing");
+ "create: handler is missing");
}
EntityManagerFactory emf = null;
EntityManager em = null;
throws DocumentNotFoundException, DocumentException {
if (ctx == null) {
throw new IllegalArgumentException(
- "JpaStorageClient.get: ctx is missing");
+ "get: ctx is missing");
}
if (handler == null) {
throw new IllegalArgumentException(
- "JpaStorageClient.get: handler is missing");
+ "get: handler is missing");
}
DocumentFilter docFilter = handler.getDocumentFilter();
if (docFilter == null) {
throws DocumentNotFoundException, DocumentException {
if (ctx == null) {
throw new IllegalArgumentException(
- "JpaStorageClient.getFiltered: ctx is missing");
+ "getFiltered: ctx is missing");
}
if (handler == null) {
throw new IllegalArgumentException(
- "JpaStorageClient.getFiltered: handler is missing");
+ "getFiltered: handler is missing");
}
DocumentFilter docFilter = handler.getDocumentFilter();
DocumentException {
if (ctx == null) {
throw new IllegalArgumentException(
- "JpaStorageClient.update: ctx is missing");
+ "update: ctx is missing");
}
if (handler == null) {
throw new IllegalArgumentException(
- "JpaStorageClient.update: handler is missing");
+ "update: handler is missing");
}
EntityManagerFactory emf = null;
EntityManager em = null;
DocumentException {
if (logger.isDebugEnabled()) {
- logger.debug("deleting entity with id=" + id);
+ logger.debug("delete(ctx, id): deleting entity with id=" + id);
}
if (ctx == null) {
throw new IllegalArgumentException(
- "JpaStorageClient.delete: ctx is missing");
+ "delete(ctx, id): ctx is missing");
}
EntityManagerFactory emf = null;
EntityManager em = null;
if (em != null && em.getTransaction().isActive()) {
em.getTransaction().rollback();
}
- String msg = "could not find entity with id=" + id;
+ String msg = "delete(ctx, id): could not find entity with id=" + id;
logger.error(msg);
throw new DocumentNotFoundException(msg);
}
throw de;
} catch (Exception e) {
if (logger.isDebugEnabled()) {
- logger.debug("Caught exception ", e);
+ logger.debug("delete(ctx, id): Caught exception ", e);
}
if (em != null && em.getTransaction().isActive()) {
em.getTransaction().rollback();
if (ctx == null) {
throw new IllegalArgumentException(
- "JpaStorageClient.deleteWhere: ctx is missing");
+ "deleteWhere(ctx, id) : ctx is missing");
}
if (logger.isDebugEnabled()) {
- logger.debug("deleting entity with id=" + id);
+ logger.debug("deleteWhere(ctx, id): deleting entity with id=" + id);
}
EntityManagerFactory emf = null;
EntityManager em = null;
if (em != null && em.getTransaction().isActive()) {
em.getTransaction().rollback();
}
- String msg = "could not find entity with id=" + id;
+ String msg = "deleteWhere(ctx, id) could not find entity with id=" + id;
logger.error(msg);
throw new DocumentNotFoundException(msg);
}
throw de;
} catch (Exception e) {
if (logger.isDebugEnabled()) {
- logger.debug("Caught exception ", e);
+ logger.debug("deleteWhere(ctx, id) Caught exception ", e);
}
if (em != null && em.getTransaction().isActive()) {
em.getTransaction().rollback();
}
}
+ /*
+ * delete removes entity and its child entities but calls back to given handler
+ * cost: a get before delete
+ * @see org.collectionspace.services.common.storage.StorageClient#delete(org.collectionspace.services.common.context.ServiceContext, java.lang.String)
+ */
@Override
public void delete(ServiceContext ctx, String id, DocumentHandler handler)
throws DocumentNotFoundException, DocumentException {
if (ctx == null) {
throw new IllegalArgumentException(
- "JpaStorageClient.delete: ctx is missing");
+ "delete(ctx, ix, handler): ctx is missing");
}
if (handler == null) {
throw new IllegalArgumentException(
- "JpaStorageClient.delete: handler is missing");
+ "delete(ctx, ix, handler): handler is missing");
}
EntityManagerFactory emf = null;
EntityManager em = null;
try {
handler.prepare(Action.DELETE);
- Object entity = handler.getCommonPart();
- DocumentWrapper<Object> wrapDoc = new DocumentWrapperImpl<Object>(entity);
+ emf = JpaStorageUtils.getEntityManagerFactory();
+ em = emf.createEntityManager();
+
+ em.getTransaction().begin();
+ Object entityFound = getEntity(ctx, em, id);
+ if (entityFound == null) {
+ if (em != null && em.getTransaction().isActive()) {
+ em.getTransaction().rollback();
+ }
+ String msg = "delete(ctx, ix, handler) could not find entity with id=" + id;
+ logger.error(msg);
+ throw new DocumentNotFoundException(msg);
+ }
+ DocumentWrapper<Object> wrapDoc = new DocumentWrapperImpl<Object>(entityFound);
handler.handle(Action.DELETE, wrapDoc);
+ em.remove(entityFound);
+ em.getTransaction().commit();
+
handler.complete(Action.DELETE, wrapDoc);
} catch (DocumentException de) {
if (em != null && em.getTransaction().isActive()) {
throw de;
} catch (Exception e) {
if (logger.isDebugEnabled()) {
- logger.debug("Caught exception ", e);
+ logger.debug("delete(ctx, ix, handler): Caught exception ", e);
}
if (em != null && em.getTransaction().isActive()) {
em.getTransaction().rollback();
<xs:complexType name="ServiceBindingType">
<xs:sequence>
+ <!-- other URI paths using which this service binding could be accessed -->
+ <xs:element name="uriPath" type="xs:string" minOccurs="1" maxOccurs="unbounded"/>
<!-- object representation served by the service -->
<xs:element name="object" type="ServiceObjectType" minOccurs="1" maxOccurs="1"/>
<!-- document handler to be used to process the content (need to be in classpath) -->
<!-- repositoryWorkspaceId could be workspace id -->
<!-- used only for Nuxeo rest client -->
<xs:element name="repositoryWorkspaceId" type="xs:string" minOccurs="0" maxOccurs="1"/>
- <xs:element name="properties" type="types:PropertyType" minOccurs="0" maxOccurs="unbounded"/>
+ <xs:element name="properties" type="types:PropertyType" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
+ <!-- name of the service, this is also the default URI path to access this service binding -->
<xs:attribute name="name" type="xs:string" use="required"/>
<xs:attribute name="type" type="xs:string" use="optional"/>
<xs:attribute name="version" type="types:VersionType" use="required"/>
<name>services.main</name>
<packaging>pom</packaging>
+ <!--
+ !!!!!PLEASE READ!!!!!
+ Make sure you add modules below in the order of dependency. Security and
+ infrastructure modules should be built first. For example the authorization-mgt
+ module would also import default permissions. Domain specific services should only
+ be built after the security module and common modules are built
+ -->
<modules>
<module>authentication</module>
<module>authorization</module>
<module>common</module>
<module>authorization-mgt</module> <!-- relies on authorization -->
<module>common-test</module>
- <module>account</module> <!-- relies on authorization-mgt.client -->
+ <module>account</module> <!-- relies on authorization-mgt.import -->
<module>note</module>
<module>relation</module>
<!-- <module>query</module> -->
if (logger.isDebugEnabled()) {
logger.debug("create: status = " + res.getStatus());
}
+ //so it does not have any permissions out-of-the-box to create a
+ //collection object
Assert.assertEquals(res.getStatus(),
- Response.Status.CREATED.getStatusCode(), "expected "
- + Response.Status.CREATED.getStatusCode());
+ Response.Status.FORBIDDEN.getStatusCode(), "expected "
+ + Response.Status.FORBIDDEN.getStatusCode());
// Store the ID returned from this create operation for additional tests
// below.
- knownResourceId = extractId(res);
res.releaseConnection();
}
dependsOnMethods = {"create"})
public void delete(String testName) {
setupDelete(testName);
- CollectionObjectClient collectionObjectClient = new CollectionObjectClient();
- collectionObjectClient = new CollectionObjectClient();
- collectionObjectClient.setAuth(true, "test", true, "test", true);
- if (logger.isDebugEnabled()) {
- logger.debug("Calling deleteCollectionObject:" + knownResourceId);
- }
- ClientResponse<Response> res = collectionObjectClient.delete(knownResourceId);
- if (logger.isDebugEnabled()) {
- logger.debug("deleteCollectionObject: status = " + res.getStatus());
- }
- Assert.assertEquals(res.getStatus(),
- Response.Status.OK.getStatusCode(), "expected " + Response.Status.OK.getStatusCode());
- res.releaseConnection();
+
}
@Test(dataProvider = "testName", dataProviderClass = AbstractServiceTestImpl.class,
private Hashtable<String, RoleValue> roleValues = new Hashtable<String, RoleValue>();
private String bigbirdPermId;
private String elmoPermId;
+ private final static String TEST_SERVICE_NAME = "dimensions";
/*
* This method is called only by the parent class, AbstractServiceTestImpl
*/
}
private void seedPermissions() {
- String res = "dimensions";
+ String res = TEST_SERVICE_NAME;
PermissionAction pac = new PermissionAction();
pac.setName(ActionType.CREATE);
}
private void seedRoles() {
- String rn1 = "ROLE_MMI_CM";
+ String rn1 = "ROLE_TEST_CM";
String r1RoleId = createRole(rn1);
RoleValue rv1 = new RoleValue();
rv1.setRoleId(r1RoleId);
rv1.setRoleName(rn1);
roleValues.put(rv1.getRoleName(), rv1);
- String rn2 = "ROLE_MMI_INTERN";
+ String rn2 = "ROLE_TEST_INTERN";
String r2RoleId = createRole(rn2);
RoleValue rv2 = new RoleValue();
rv2.setRoleId(r2RoleId);
private void seedAccountRoles() {
List<RoleValue> bigbirdRoleValues = new ArrayList<RoleValue>();
- bigbirdRoleValues.add(roleValues.get("ROLE_MMI_CM"));
+ bigbirdRoleValues.add(roleValues.get("ROLE_TEST_CM"));
createAccountRole(accValues.get("bigbird2010"), bigbirdRoleValues);
List<RoleValue> elmoRoleValues = new ArrayList<RoleValue>();
- elmoRoleValues.add(roleValues.get("ROLE_MMI_INTERN"));
+ elmoRoleValues.add(roleValues.get("ROLE_TEST_INTERN"));
createAccountRole(accValues.get("elmo2010"), elmoRoleValues);
}
private void seedPermissionRoles() {
List<RoleValue> bigbirdRoleValues = new ArrayList<RoleValue>();
- bigbirdRoleValues.add(roleValues.get("ROLE_MMI_CM"));
+ bigbirdRoleValues.add(roleValues.get("ROLE_TEST_CM"));
createPermissionRole(permValues.get(bigbirdPermId), bigbirdRoleValues);
List<RoleValue> elmoRoleValues = new ArrayList<RoleValue>();
- elmoRoleValues.add(roleValues.get("ROLE_MMI_INTERN"));
+ elmoRoleValues.add(roleValues.get("ROLE_TEST_INTERN"));
createPermissionRole(permValues.get(elmoPermId), elmoRoleValues);
}
logger.debug("Cleaning up temporary resources created for testing ...");
}
- deletePermissionRoles();
+ //FIXME delete on permission role deletes all roles associated with the permission
+ //this would delete association with ROLE_ADMINISTRATION too
+ //deletePermissionRoles();
deleteAccountRoles();
- deletePermissions();
+ //FIXME delete on permission role deletes all roles associated with the permission
+ //this would delete association with ROLE_ADMINISTRATION too
+ //deletePermissions();
deleteRoles();
deleteAccounts();
}
projects / tmp / jakarta-migration.git / commitdiff