1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17 package org.apache.jetspeed.om.registry.base;
18
19
20 import java.util.HashMap;
21 import java.util.Iterator;
22 import java.util.List;
23 import java.util.Map;
24 import java.util.Vector;
25
26 import org.apache.jetspeed.om.registry.SecurityAccess;
27 import org.apache.jetspeed.om.registry.SecurityAllow;
28 import org.apache.jetspeed.om.registry.SecurityEntry;
29 import org.apache.jetspeed.services.security.GroupManagement;
30 import org.apache.jetspeed.services.security.RoleManagement;
31
32 /***
33 * Interface for manipulatin the Security Entry on the registry entries
34 *
35 * @author <a href="mailto:paulsp@apache.org">Paul Spencer</a>
36 * @author <a href="mailto:weaver@apache.org">Scott T. Weaver</a>
37 * @author <a href="mailto:morciuch@apache.org">Mark Orciuch</a>
38 * @version $Id: BaseSecurityEntry.java,v 1.15 2004/03/23 21:15:24 jford Exp $
39 */
40 public class BaseSecurityEntry extends BaseRegistryEntry implements SecurityEntry, java.io.Serializable
41 {
42
43 /*** Holds value of property accesses. */
44 private Vector accesses = new Vector();
45
46 private transient Map accessMap = null;
47
48 public static final String ALL_ACTIONS = "*";
49
50 public static final String ALL_ROLES = "*";
51
52 public static final String ALL_GROUPS = "*";
53
54 public static final String ALL_GROUP_ROLES = "*";
55
56 public static final String ALL_USERS = "*";
57
58 private static final String OWNER_MAP = "owner";
59
60 private static final String ROLE_MAP = "role";
61
62 private static final String GROUP_MAP = "group";
63
64 private static final String GROUP_ROLE_MAP = "grouprole";
65
66 private static final String USER_MAP = "user";
67
68 private static transient Object accessMapSync = new Object();
69
70 public BaseSecurityEntry()
71 { }
72
73 /***
74 * Implements the equals operation so that 2 elements are equal if
75 * all their member values are equal.
76 */
77 public boolean equals(Object object)
78 {
79 if (object == null)
80 {
81 return false;
82 }
83
84 BaseSecurityEntry obj = (BaseSecurityEntry) object;
85
86 Iterator i = accesses.iterator();
87 Iterator i2 = obj.accesses.iterator();
88 while (i.hasNext())
89 {
90 BaseSecurityAccess c1 = (BaseSecurityAccess) i.next();
91 BaseSecurityAccess c2 = null;
92
93 if (i2.hasNext())
94 {
95 c2 = (BaseSecurityAccess) i2.next();
96 }
97 else
98 {
99 return false;
100 }
101
102 if (!c1.equals(c2))
103 {
104 return false;
105 }
106 }
107
108 if (i2.hasNext())
109 {
110 return false;
111 }
112
113 return super.equals(object);
114 }
115
116 /*** Getter for property accesses.
117 * @return Value of property accesses.
118 */
119 public Vector getAccesses()
120 {
121 return accesses;
122 }
123
124 /*** Setter for property accesses.
125 * @param accesses New value of property accesses.
126 */
127 public void setAccesses(Vector accesses)
128 {
129 this.accesses = accesses;
130 buildAccessMap();
131 }
132
133 /***
134 * Aututhorizes action for a role.
135 *
136 * o If the requested action and the action ALL_ACTIONS
137 * do not exist, then return false.
138 *
139 * o If the requesting role and ALL_ROLES does not exist for the
140 * the action, then return false.
141 *
142 * @param role requesting action
143 * @param action being requested
144 * @return <CODE>true</CODE> if action is allowed for role
145 */
146 public boolean allowsRole(String role, String action)
147 {
148 Map allowMap = null;
149 boolean allow = false;
150
151 if (accessMap == null)
152 {
153 buildAccessMap();
154 }
155
156
157 allowMap = (Map) accessMap.get(action);
158 allow = isInAllowMap(allowMap, ROLE_MAP, role, ALL_ROLES);
159 if (allow == true)
160 {
161 return allow;
162 }
163
164
165 allowMap = (Map) accessMap.get(ALL_ACTIONS);
166 allow = isInAllowMap(allowMap, ROLE_MAP, role, ALL_ROLES);
167
168
169 return allow;
170 }
171
172 /***
173 * Aututhorizes action for a group.
174 *
175 * o If the requested action and the action ALL_ACTIONS
176 * do not exist, then return false.
177 *
178 * o If the requesting role and ALL_GROUP does not exist for the
179 * the action, then return false.
180 *
181 * @param group requesting action
182 * @param action being requested
183 * @return <CODE>true</CODE> if action is allowed for group
184 */
185 public boolean allowsGroup(String group, String action)
186 {
187 Map allowMap = null;
188 boolean allow = false;
189
190 if (accessMap == null)
191 {
192 buildAccessMap();
193 }
194
195
196 allowMap = (Map) accessMap.get(action);
197 allow = isInAllowMap(allowMap, GROUP_MAP, group, ALL_GROUPS);
198 if (allow == true)
199 {
200 return allow;
201 }
202
203
204 allowMap = (Map) accessMap.get(ALL_ACTIONS);
205 allow = isInAllowMap(allowMap, GROUP_MAP, group, ALL_GROUPS);
206
207
208 return allow;
209 }
210
211 /***
212 * Authorizes action for a group role.
213 *
214 * o If the requested action and the action ALL_ACTIONS
215 * do not exist, then return false.
216 *
217 * o If the requesting group role and ALL_GROUPS_ROLES does not exist for the
218 * the action, then return false.
219 *
220 * @param group requesting action
221 * @param role requesting action
222 * @param action being requested
223 * @return <CODE>true</CODE> if action is allowed for group role
224 */
225 public boolean allowsGroupRole(String group, String role, String action)
226 {
227 Map allowMap = null;
228 boolean allow = false;
229
230 if (accessMap == null)
231 {
232 buildAccessMap();
233 }
234
235
236 allowMap = (Map) accessMap.get(action);
237 allow = isInAllowMap(allowMap, GROUP_ROLE_MAP, group+role, ALL_GROUP_ROLES);
238 if (allow == true)
239 {
240 return allow;
241 }
242
243
244 allowMap = (Map) accessMap.get(ALL_ACTIONS);
245 allow = isInAllowMap(allowMap, GROUP_ROLE_MAP, group+role, ALL_GROUP_ROLES);
246
247
248 return allow;
249 }
250
251 /***
252 * Aututhorizes action for a named user
253 *
254 * @param userName requesting action
255 * @param action being requested
256 * @return <CODE>true</CODE> if action is allowed for named user
257 */
258 public boolean allowsUser(String userName, String action)
259 {
260 return allowsUser(userName, action, null);
261 }
262 /***
263 * Aututhorizes action for a named user
264 *
265 * @param userName requesting action
266 * @param action being requested
267 * @param owner User
268 * @return <CODE>true</CODE> if action is allowed for named user
269 */
270 public boolean allowsUser(String userName, String action, String owner)
271 {
272 Map allowMap = null;
273 boolean allow = false;
274
275 if (accessMap == null)
276 {
277 buildAccessMap();
278 }
279 if ((owner != null) && (owner.equals(userName)))
280 {
281
282 allowMap = (Map) accessMap.get(action);
283 allow = isInAllowMap(allowMap, OWNER_MAP, null, null);
284 if (allow == true)
285 {
286 return allow;
287 }
288
289
290 allowMap = (Map) accessMap.get(ALL_ACTIONS);
291 allow = isInAllowMap(allowMap, OWNER_MAP, null, null);
292 if (allow == true)
293 {
294 return allow;
295 }
296 }
297
298
299 allowMap = (Map) accessMap.get(action);
300 allow = isInAllowMap(allowMap, USER_MAP, userName, ALL_USERS);
301 if (allow == true)
302 {
303 return allow;
304 }
305
306
307 allowMap = (Map) accessMap.get(ALL_ACTIONS);
308 allow = isInAllowMap(allowMap, USER_MAP, userName, ALL_USERS);
309
310
311 return allow;
312
313 }
314
315 /***
316 * Checks whether a role is specifically allowed to access the request action
317 * This method ignores the "*" action and is here to play a maintenance role.
318 */
319 public boolean allowsSpecificRole( String action, String role)
320 {
321 SecurityAccess access = (SecurityAccess) getAccess(action);
322 if (access.getAllAllows() != null)
323 {
324 Iterator allAllows = access.getAllows().iterator();
325 while (allAllows.hasNext())
326 {
327 SecurityAllow allow = (SecurityAllow) allAllows.next();
328 if (allow.getRole() != null && allow.getRole().equals(role))
329 {
330 return true;
331 }
332 }
333 }
334 return false;
335 }
336
337 /***
338 * Checks whether a group is specifically allowed to access the request action
339 * This method ignores the "*" action and is here to play a maintenance role.
340 */
341 public boolean allowsSpecificGroup(String action, String group)
342 {
343 SecurityAccess access = (SecurityAccess) getAccess(action);
344 if (access.getAllAllows() != null)
345 {
346 Iterator allAllows = access.getAllows().iterator();
347 while (allAllows.hasNext())
348 {
349 SecurityAllow allow = (SecurityAllow) allAllows.next();
350 if (allow.getGroup() != null && allow.getGroup().equals(group))
351 {
352 return true;
353 }
354 }
355 }
356 return false;
357 }
358
359 /***
360 * Checks whether a group role is specifically allowed to access the request action
361 * This method ignores the "*" action and is here to play a maintenance role.
362 */
363 public boolean allowsSpecificGroupRole(String action, String group, String role)
364 {
365 SecurityAccess access = (SecurityAccess) getAccess(action);
366 if (access.getAllAllows() != null)
367 {
368 Iterator allAllows = access.getAllows().iterator();
369 while (allAllows.hasNext())
370 {
371 SecurityAllow allow = (SecurityAllow) allAllows.next();
372 if (allow.getGroup() != null &&
373 allow.getGroup().equals(group) &&
374 allow.getRole() != null &&
375 allow.getRole().equals(role))
376 {
377 return true;
378 }
379 }
380 }
381 return false;
382 }
383
384 /***
385 * Checks whether a role is specifically allowed to access the request action
386 * This method ignores the "*" action and is here to play a maintenance role.
387 * @param String action name of action to check
388 * @param String role name of role to verify access for
389 * @return boolean whether or not the <code>role</code> has access
390 * to this specific action.
391 */
392 public boolean allowsSpecificUser(String action, String user)
393 {
394 BaseSecurityAccess access = (BaseSecurityAccess) getAccess(action);
395 if (access.getAllAllows() != null)
396 {
397 Iterator allAllows = access.getAllows().iterator();
398 while (allAllows.hasNext())
399 {
400 BaseSecurityAllow allow = (BaseSecurityAllow) allAllows.next();
401 if (allow.getUser() != null && allow.getUser().equals(user))
402 {
403 return true;
404 }
405 }
406 }
407 return false;
408 }
409
410
411
412
413 /***
414 * Returns the SecurityAccess object for the <code>action</code>
415 * requested or null if no specific access is defined for this action.
416 * The "*" does change this, if an action is not specifically defined
417 * in the registry, null is returned
418 * @param SecurityEntry entry SecurityEntry to check against
419 * @param String action The action we want the access for.
420 * @return SecurityAccess that is defined for this action or
421 * <code>null</code> if one is not <strong>specifically defined</strong>
422 */
423 public SecurityAccess getAccess(String action)
424 {
425 Iterator itr = getAccesses().iterator();
426 while (itr.hasNext())
427 {
428 BaseSecurityAccess access = (BaseSecurityAccess) itr.next();
429 if (access.getAction().equals(action))
430 {
431 return access;
432 }
433 }
434
435 return null;
436 }
437
438 /***
439 * Grants access for a specific action to a specific role
440 * for this SecurityEntry. This grants specific access ignores
441 * "*" action, if it exists.
442 * @param String action The action we are granting access to.
443 * @param String role The role that will receive access to this action.
444 * @return boolean Whether or not the access was granted. Basically,
445 * a <code>false</code> means that this role already has specific access.
446 */
447 public boolean grantRoleAccess(String action, String role)
448 {
449 if (!allowsSpecificRole(action, role))
450 {
451 SecurityAccess access = getAccess(action);
452 List allows = access.getAllows();
453 if (allows == null)
454 {
455 allows = new Vector();
456 }
457
458 BaseSecurityAllow allow = new BaseSecurityAllow();
459 allow.setRole(role);
460 allows.add(allow);
461
462 buildAccessMap();
463
464 return true;
465 }
466
467 return false;
468 }
469
470 /***
471 * Grants access for a specific action to a specific group
472 * for this SecurityEntry. This grants specific access ignores
473 * "*" action, if it exists.
474 * @param String action The action we are granting access to.
475 * @param String group The group that will receive access to this action.
476 * @return boolean Whether or not the access was granted. Basically,
477 * a <code>false</code> means that this group already has specific access.
478 */
479 public boolean grantGroupAccess(String action, String group)
480 {
481 if (!allowsSpecificGroup(action, role))
482 {
483 SecurityAccess access = getAccess(action);
484 List allows = access.getAllows();
485 if (allows == null)
486 {
487 allows = new Vector();
488 }
489
490 BaseSecurityAllow allow = new BaseSecurityAllow();
491 allow.setGroup(group);
492 allows.add(allow);
493
494 buildAccessMap();
495
496 return true;
497 }
498
499 return false;
500 }
501
502 /***
503 * Grants access for a specific action to a specific group fole
504 * for this SecurityEntry. This grants specific access ignores
505 * "*" action, if it exists.
506 * @param String action The action we are granting access to.
507 * @param String group The group that will receive access to this action.
508 * @param String role The role that will receive access to this action.
509 * @return boolean Whether or not the access was granted. Basically,
510 * a <code>false</code> means that this group role already has specific access.
511 */
512 public boolean grantGroupRoleAccess(String action, String group, String role)
513 {
514 if (!allowsSpecificGroupRole(action, group, role))
515 {
516 SecurityAccess access = getAccess(action);
517 List allows = access.getAllows();
518 if (allows == null)
519 {
520 allows = new Vector();
521 }
522
523 BaseSecurityAllow allow = new BaseSecurityAllow();
524 allow.setGroup(group);
525 allow.setRole(role);
526 allows.add(allow);
527
528 buildAccessMap();
529
530 return true;
531 }
532
533 return false;
534 }
535
536 /***
537 * Grants access for a specific action to a specific user
538 * for this SecurityEntry. This grants specific access ignores
539 * "*" action, if it exists.
540 * @param String action The action we are granting access to.
541 * @param String user The user that will receive access to this action.
542 * @return boolean Whether or not the access was granted. Basically,
543 * a <code>false</code> means that this role already has specific access.
544 */
545 public boolean grantUserAccess(String action, String user)
546 {
547 if (!allowsSpecificUser(action, user))
548 {
549 SecurityAccess access = getAccess(action);
550 List allows = access.getAllows();
551 if (allows == null)
552 {
553 allows = new Vector();
554 }
555
556 BaseSecurityAllow allow = new BaseSecurityAllow();
557 allow.setUser(user);
558 allows.add(allow);
559
560 buildAccessMap();
561
562 return true;
563 }
564
565 return false;
566 }
567
568
569 /***
570 * Removes a role's access to a specific action.
571 * @param action Action to remove access from.
572 * @param role The role whose access we are revoking.
573 * @return boolean Whehter or not the access existed and
574 * was removed.
575 */
576 public boolean revokeRoleAccess(String action, String role)
577 {
578 if (allowsSpecificRole(action, role))
579 {
580 SecurityAccess access = getAccess(action);
581 List allows = access.getAllows();
582 if (allows == null || allows.isEmpty())
583 {
584 revokeAccess(action);
585 return false;
586 }
587
588 for (int i = 0; i < allows.size(); i++)
589 {
590 BaseSecurityAllow allow = (BaseSecurityAllow) allows.get(i);
591 if (allow.getRole() != null && allow.getRole().equals(role))
592 {
593 allows.remove(i);
594 if (allows.isEmpty() && access.getOwnerAllows().isEmpty())
595 {
596 revokeAccess(action);
597 }
598
599 return true;
600 }
601 }
602 }
603 return false;
604 }
605
606 /***
607 * Removes a group's access to a specific action.
608 * @param action Action to remove access from.
609 * @param group The group whose access we are revoking.
610 * @return boolean Whehter or not the access existed and
611 * was removed.
612 */
613 public boolean revokeGroupAccess(String action, String group)
614 {
615 if (allowsSpecificGroup(action, group))
616 {
617 SecurityAccess access = getAccess(action);
618 List allows = access.getAllows();
619 if (allows == null || allows.isEmpty())
620 {
621 revokeAccess(action);
622 return false;
623 }
624
625 for (int i = 0; i < allows.size(); i++)
626 {
627 BaseSecurityAllow allow = (BaseSecurityAllow) allows.get(i);
628 if (allow.getGroup() != null && allow.getGroup().equals(group))
629 {
630 allows.remove(i);
631 if (allows.isEmpty() && access.getOwnerAllows().isEmpty())
632 {
633 revokeAccess(action);
634 }
635
636 return true;
637 }
638 }
639 }
640 return false;
641 }
642
643 /***
644 * Removes a group role's access to a specific action.
645 * @param action Action to remove access from.
646 * @param group The group whose access we are revoking.
647 * @param role The role whose access we are revoking.
648 * @return boolean Whether or not the access existed and
649 * was removed.
650 */
651 public boolean revokeGroupRoleAccess(String action, String group, String role)
652 {
653 if (allowsSpecificGroupRole(action, group, role))
654 {
655 SecurityAccess access = getAccess(action);
656 List allows = access.getAllows();
657 if (allows == null || allows.isEmpty())
658 {
659 revokeAccess(action);
660 return false;
661 }
662
663 for (int i = 0; i < allows.size(); i++)
664 {
665 BaseSecurityAllow allow = (BaseSecurityAllow) allows.get(i);
666 if (allow.getGroup() != null &&
667 allow.getGroup().equals(group) &&
668 allow.getRole() != null &&
669 allow.getRole().equals(role))
670 {
671 allows.remove(i);
672 if (allows.isEmpty() && access.getOwnerAllows().isEmpty())
673 {
674 revokeAccess(action);
675 }
676
677 return true;
678 }
679 }
680 }
681 return false;
682 }
683
684 /***
685 * Removes a user's access to a specific action.
686 * @param action Action to remove access from.
687 * @param role The role whose access we are revoking.
688 * @return boolean Whehter or not the access existed and
689 * was removed.
690 */
691 public boolean revokeUserAccess(String action, String user)
692 {
693 if (allowsSpecificUser(action, user))
694 {
695 SecurityAccess access = getAccess(action);
696 List allows = access.getAllows();
697 if (allows == null || allows.isEmpty())
698 {
699 revokeAccess(action);
700 return false;
701 }
702
703 for (int i = 0; i < allows.size(); i++)
704 {
705 BaseSecurityAllow allow = (BaseSecurityAllow) allows.get(i);
706 if (allow.getUser() != null && allow.getUser().equals(user))
707 {
708 allows.remove(i);
709 if (allows.isEmpty() && access.getOwnerAllows().isEmpty())
710 {
711 revokeAccess(action);
712 }
713
714 return true;
715 }
716 }
717 }
718 return false;
719 }
720
721 /***
722 * Removes a security access for the named action.
723 * This does not take into account the "*" action when
724 * the "*" is not the named action.
725 * @param String access name of access to remove in its entirety
726 */
727 public void revokeAccess(String action)
728 {
729 List list = getAccesses();
730 for (int i = 0; i < list.size(); i++)
731 {
732 BaseSecurityAccess access = (BaseSecurityAccess) list.get(i);
733 if (access.getAction().equals(action))
734 {
735 list.remove(i);
736 return;
737 }
738 }
739 }
740
741
742
743
744
745
746 private void buildAccessMap()
747 {
748 Map actionMap = null;
749 SecurityAccess accessElement = null;
750
751 synchronized (accessMapSync)
752 {
753 if (accessMap == null)
754 {
755 accessMap = new HashMap();
756 }
757
758 accessMap.clear();
759 }
760
761 for (Iterator accessIterator = getAccesses().iterator(); accessIterator.hasNext();)
762 {
763 accessElement = (SecurityAccess) accessIterator.next();
764
765
766 String action = accessElement.getAction();
767
768 if (action == null)
769 {
770 action = ALL_ACTIONS;
771 }
772
773 actionMap = (Map) accessMap.get(action);
774 if (actionMap == null)
775 {
776 actionMap = new HashMap();
777 accessMap.put(action, actionMap);
778 }
779 addAllows(actionMap, accessElement);
780 }
781 }
782
783 /***
784 * Add access elements to the access map. The elements will be
785 * appened to the appropiate map.
786 *
787 * @param accessMap to receive accessElements
788 * @param accessElement to copy to access map
789 */
790 private void addAllows(Map accessMap, SecurityAccess accessElement)
791 {
792 SecurityAllow allowElement = null;
793 String role = null;
794 String group = null;
795 Map ownerMap = null;
796 Map roleMap = null;
797 Map groupMap = null;
798 Map groupRoleMap = null;
799 Map userMap = null;
800 String userName = null;
801
802 if (accessElement.getAllAllows() == null)
803 {
804 return;
805 }
806
807
808 for (Iterator allowIterator = accessElement.getAllAllows().iterator(); allowIterator.hasNext();)
809 {
810 allowElement = (SecurityAllow) allowIterator.next();
811 role = null;
812 userName = null;
813 group = null;
814
815
816 if (allowElement.isOwner() == true)
817 {
818 ownerMap = (Map) accessMap.get(OWNER_MAP);
819 if (ownerMap == null)
820 {
821 ownerMap = new HashMap();
822 accessMap.put(OWNER_MAP, ownerMap);
823 }
824 ownerMap.put(null, null);
825 }
826
827
828 role = allowElement.getRole();
829 if (role != null)
830 {
831
832 roleMap = (Map) accessMap.get(ROLE_MAP);
833 if (roleMap == null)
834 {
835 roleMap = new HashMap();
836 accessMap.put(ROLE_MAP, roleMap);
837 }
838 roleMap.put(role, null);
839
840
841 groupRoleMap = (Map) accessMap.get(GROUP_ROLE_MAP);
842 if (groupRoleMap == null)
843 {
844 groupRoleMap = new HashMap();
845 accessMap.put(GROUP_ROLE_MAP, groupRoleMap);
846 }
847 if (group == null)
848 {
849 group = GroupManagement.DEFAULT_GROUP_NAME;
850 }
851 groupRoleMap.put(group+role, null);
852
853 }
854
855
856 group = allowElement.getGroup();
857 if (group != null)
858 {
859
860 groupMap = (Map) accessMap.get(GROUP_MAP);
861 if (groupMap == null)
862 {
863 groupMap = new HashMap();
864 accessMap.put(GROUP_MAP, groupMap);
865 }
866 groupMap.put(group, null);
867
868
869 groupRoleMap = (Map) accessMap.get(GROUP_ROLE_MAP);
870 if (groupRoleMap == null)
871 {
872 groupRoleMap = new HashMap();
873 accessMap.put(GROUP_ROLE_MAP, groupRoleMap);
874 }
875 if (role == null)
876 {
877 role = RoleManagement.DEFAULT_ROLE_NAME;
878 }
879 groupRoleMap.put(group+role, null);
880
881 }
882
883
884 userName = allowElement.getUser();
885 if (userName != null)
886 {
887 userMap = (Map) accessMap.get(USER_MAP);
888 if (userMap == null)
889 {
890 userMap = new HashMap();
891 accessMap.put(USER_MAP, userMap);
892 }
893 userMap.put(userName, null);
894 }
895 }
896 }
897
898 /***
899 * Search allow map of user/role or "all user/role"
900 *
901 * @param allowMap Map of allow-if
902 * @param mapType ROLE_MAP or USER_MAP or GROUP_MAP or GROUP_ROLE_MAP
903 * @param mapKey role or user to test
904 * @param allKey ALL_ROLE or ALL_USER or ALL_GROUP or ALL_GROUP_ROLE
905 * @return <CODE>true</CODE> or <CODE>false</CODE>
906 */
907 private boolean isInAllowMap(Map allowMap, String mapType, String mapKey, String allKey)
908 {
909 boolean allow = false;
910 if (allowMap != null)
911 {
912 Map allowTypeMap = (Map) allowMap.get(mapType);
913 if (allowTypeMap == null)
914 {
915 return allowMap.isEmpty();
916 }
917 allow = allowTypeMap.containsKey(mapKey);
918 if (allow == false)
919 {
920 allow = allowTypeMap.containsKey(allKey);
921 }
922 return allow;
923 }
924
925
926 return allow;
927 }
928 }
929