1/*2 * Copyright 2000-2001,2004 The Apache Software Foundation.3 * 4 * Licensed under the Apache License, Version 2.0 (the "License");5 * you may not use this file except in compliance with the License.6 * You may obtain a copy of the License at7 * 8 * http://www.apache.org/licenses/LICENSE-2.09 * 10 * Unless required by applicable law or agreed to in writing, software11 * distributed under the License is distributed on an "AS IS" BASIS,12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.13 * See the License for the specific language governing permissions and14 * limitations under the License.15 */1617packageorg.apache.jetspeed.services.security.ldap;
1819import java.util.Enumeration;
20import java.util.Iterator;
21import java.util.Vector;
22import javax.naming.directory.BasicAttributes;
23import javax.servlet.ServletConfig;
24import org.apache.jetspeed.om.security.Permission;
25import org.apache.jetspeed.om.security.ldap.LDAPPermission;
26import org.apache.jetspeed.om.security.ldap.LDAPRole;
27import org.apache.jetspeed.services.JetspeedLDAP;
28import org.apache.jetspeed.services.JetspeedSecurity;
29import org.apache.jetspeed.services.ldap.LDAPURL;
30import org.apache.jetspeed.services.rundata.JetspeedRunData;
31import org.apache.jetspeed.services.rundata.JetspeedRunDataService;
32import org.apache.jetspeed.services.security.JetspeedSecurityCache;
33import org.apache.jetspeed.services.security.JetspeedSecurityException;
34import org.apache.jetspeed.services.security.JetspeedSecurityService;
35import org.apache.jetspeed.services.security.PermissionException;
36import org.apache.jetspeed.services.security.PermissionManagement;
37import org.apache.turbine.services.InitializationException;
38import org.apache.turbine.services.TurbineBaseService;
39import org.apache.turbine.services.TurbineServices;
40import org.apache.turbine.services.resources.ResourceService;
41import org.apache.turbine.services.rundata.RunDataService;
4243/***44 *45 * @author <a href="mailto:ender@kilicoglu.nom.tr">Ender KILICOGLU</a>46 * @author <a href="mailto:sami.leino@netorek.fi">Sami Leino</a>47 *48 * @version $Id: LDAPPermissionManagement.java,v 1.6 2004/02/23 03:52:33 jford Exp $ 49 * 50 */51publicclassLDAPPermissionManagementextends TurbineBaseService
52 implements PermissionManagement53 {
54// Constants55privatefinalstatic String CASCADE_DELETE = "programmatic.cascade.delete";
56privatefinalstatic String CACHING_ENABLE = "caching.enable";
57privatefinalstaticboolean DEFAULT_CASCADE_DELETE = true;
58privatefinalstaticboolean DEFAULT_CACHING_ENABLE = true;
59privatefinalstatic String[] ATTRS = { "ou", "uid", "permissionname" };
6061// Instance variables62privateJetspeedRunDataService runDataService = null;
63privateboolean cascadeDelete = false;
64privateboolean cachingEnable = false;
6566///////////////////////////////////////////////////////////////////////////67// Permission Management Interfaces68///////////////////////////////////////////////////////////////////////////6970/***71 * Retrieves all <code>Permission</code>s for a given roleName principal.72 *73 * The security service may optionally check the current user context74 * to determine if the requestor has permission to perform this action.75 *76 * @param roleName a role name identity to be retrieved.77 * @return Iterator over all permissions associated to the role principal.78 * @exception PermissionException when the security provider has a general failure.79 * @exception InsufficientPrivilegeException when the requestor is denied due to insufficient privilege80 */81public Iterator getPermissions(String roleName)
82 throws JetspeedSecurityException83 {
84 Vector perms = new Vector();
85 BasicAttributes attr= new BasicAttributes();
86LDAPRole role;
87LDAPPermission permission;
88 Vector userurls;
8990try91 {
92if (cachingEnable)
93 {
94 Iterator iterator = JetspeedSecurityCache.getPermissions(roleName);
95if (iterator != null)
96 {
97return iterator;
98 }
99 }
100101 userurls = JetspeedLDAP.search(JetspeedLDAP.buildURL("ou=roles"),
102"(&(uid=" + roleName + ")(objectclass=jetspeedrole))", ATTRS, true);
103104if (userurls.size() > 0)
105 {
106 role = newLDAPRole((LDAPURL) ((Vector)userurls.elementAt(0)).firstElement());
107for (Enumeration enum= role.getRolePermissions().elements();enum.hasMoreElements();)
108 {
109 permission = newLDAPPermission((String)enum.nextElement(), false);
110 perms.add(permission);
111 }
112 }
113 }
114catch(Exception e)
115 {
116thrownewPermissionException("Failed to retrieve permissions ", e);
117 }
118119return perms.iterator();
120 }
121122/***123 * Retrieves all <code>Permission</code>s.124 *125 * The security service may optionally check the current user context126 * to determine if the requestor has permission to perform this action.127 *128 * @return Iterator over all permissions.129 * @exception PermissionException when the security provider has a general failure.130 * @exception InsufficientPrivilegeException when the requestor is denied due to insufficient privilege131 */132public Iterator getPermissions()
133 throws JetspeedSecurityException134135 {
136 BasicAttributes attr= new BasicAttributes();
137 Vector permissions = new Vector();
138 Vector permissionurls;
139140try141 {
142 permissionurls = JetspeedLDAP.search(JetspeedLDAP.buildURL("ou=permissions"),
143"(objectclass=jetspeedpermission)", ATTRS, true);
144145if (permissionurls.size() > 0)
146 {
147for (Enumeration enum = permissionurls.elements();enum.hasMoreElements() ;)
148 {
149 permissions.add(newLDAPPermission((LDAPURL) (((Vector)enum.nextElement()).firstElement())));
150 }
151 }
152else153 {
154thrownewPermissionException("No permission ");
155 }
156 }
157catch(Exception e)
158 {
159thrownewPermissionException("Failed to retrieve permissions ", e);
160 }
161return permissions.iterator();
162 }
163164/***165 * Adds a <code>Permission</code> into permanent storage.166 *167 * The security service may optionally check the current user context168 * to determine if the requestor has permission to perform this action.169 *170 * @exception PermissionException when the security provider has a general failure.171 * @exception InsufficientPrivilegeException when the requestor is denied due to insufficient privilege172 */173publicvoid addPermission(Permission permission)
174 throws JetspeedSecurityException175 {
176if(permissionExists(permission.getName()))
177 {
178thrownewPermissionException("The permission '" +
179 permission.getName() + "' already exists");
180 }
181try182 {
183newLDAPPermission(permission.getName(), true).update(true);
184 }
185catch(Exception e)
186 {
187thrownewPermissionException("Failed to create permission '" +
188 permission.getName() + "'", e);
189 }
190 }
191192193/***194 * Saves a <code>Permission</code> into permanent storage.195 *196 * The security service may optionally check the current user context197 * to determine if the requestor has permission to perform this action.198 *199 * @exception PermissionException when the security provider has a general failure.200 * @exception InsufficientPrivilegeException when the requestor is denied due to insufficient privilege201 */202publicvoid savePermission(Permission permission)
203 throws JetspeedSecurityException204 {
205 }
206207/***208 * Removes a <code>Permission</code> from the permanent store.209 *210 * The security service may optionally check the current user context211 * to determine if the requestor has permission to perform this action.212 *213 * @param permissionName the principal identity of the permission to be retrieved.214 * @exception PermissionException when the security provider has a general failure.215 * @exception InsufficientPrivilegeException when the requestor is denied due to insufficient privilege216 */217publicvoid removePermission(String permissionName)
218 throws JetspeedSecurityException219 {
220try221 {
222LDAPPermission permission = newLDAPPermission(permissionName,false);
223 JetspeedLDAP.deleteEntry(permission.getldapurl());
224225if(cascadeDelete)
226 {
227 }
228229if (cachingEnable)
230 {
231 JetspeedSecurityCache.removeAllPermissions(permissionName);
232 }
233 }
234catch(Exception e)
235 {
236thrownewPermissionException("Failed to remove permission '" +
237 permissionName + "'", e);
238 }
239 }
240241/***242 * Grants a permission to a role.243 *244 * The security service may optionally check the current user context245 * to determine if the requestor has permission to perform this action.246 *247 * @param roleName grant a permission to this role.248249 * @param permissionName the permission to grant to the role.250 * @exception PermissionException when the security provider has a general failure retrieving permissions.251 * @exception InsufficientPrivilegeException when the requestor is denied due to insufficient privilege252 */253publicvoid grantPermission(String roleName, String permissionName)
254 throws JetspeedSecurityException255 {
256 BasicAttributes attr = new BasicAttributes();
257LDAPRole role;
258LDAPPermission permission;
259260try261 {
262 role = (LDAPRole)JetspeedSecurity.getRole(roleName);
263 permission = (LDAPPermission)JetspeedSecurity.getPermission(permissionName);
264265 role.addRolePermissions(permissionName);
266 role.update(false);
267268if (cachingEnable)
269 {
270 JetspeedSecurityCache.addPermission(roleName, permission);
271 }
272 }
273catch(Exception e)
274 {
275thrownewPermissionException("Grant permission '" + permissionName + "' to role '" + roleName + "' failed: ", e);
276 }
277 }
278279/***280 * Revokes a permission from a role.281 *282 * The security service may optionally check the current user context283 * to determine if the requestor has permission to perform this action.284 *285 * @param roleName grant a permission to this role.286 * @param permissionName the permission to grant to the role.287 * @exception PermissionException when the security provider has a general failure retrieving permissions.288 * @exception InsufficientPrivilegeException when the requestor is denied due to insufficient privilege289 */290publicvoid revokePermission(String roleName, String permissionName)
291 throws JetspeedSecurityException292 {
293 BasicAttributes attr= new BasicAttributes();
294LDAPRole role;
295 Vector userurls;
296297try298 {
299 userurls = JetspeedLDAP.search(JetspeedLDAP.buildURL("ou=roles"),
300"(&(uid="+ roleName+")(objectclass=jetspeedrole))", ATTRS, true);
301302if (userurls.size() == 0)
303 {
304thrownewPermissionException("Role '" + roleName + "' does not exist!");
305 }
306else307 {
308 role = newLDAPRole((LDAPURL) ((Vector)userurls.elementAt(0)).firstElement());
309 role.getRolePermissions().remove(permissionName);
310 role.update(false);
311312if (cachingEnable)
313 {
314 JetspeedSecurityCache.removePermission(roleName, permissionName);
315 }
316 }
317 }
318catch(Exception e)
319 {
320thrownewPermissionException("Revoke permission '" + permissionName + "' to role '" + roleName + "' failed: ", e);
321 }
322 }
323324/***325 * Checks for the relationship of role has a permission. Returns true when the role has the given permission.326 *327 * The security service may optionally check the current user context328 * to determine if the requestor has permission to perform this action.329 *330 * @param roleName grant a permission to this role.331 * @param permissionName the permission to grant to the role.332 * @exception PermissionException when the security provider has a general failure retrieving permissions.333 * @exception InsufficientPrivilegeException when the requestor is denied due to insufficient privilege334 */335publicboolean hasPermission(String roleName, String permissionName)
336 throws JetspeedSecurityException337 {
338 BasicAttributes attr= new BasicAttributes();
339LDAPRole role;
340 Vector userurls;
341342try343 {
344if (cachingEnable)
345 {
346return JetspeedSecurityCache.hasPermission(roleName, permissionName);
347 }
348349 userurls = JetspeedLDAP.search(JetspeedLDAP.buildURL("ou=roles"),
350"(&(uid="+ roleName+")(objectclass=jetspeedrole))", ATTRS, true);
351352if (userurls.size() > 0)
353 {
354 role = newLDAPRole((LDAPURL) ((Vector)userurls.elementAt(0)).firstElement());
355return role.permissionExists(permissionName);
356 }
357 }
358catch(Exception e)
359 {
360thrownewPermissionException("Grant permission '" + permissionName + "' to role '" + roleName + "' failed: ", e);
361 }
362return false;
363 }
364365/***366 * Retrieves a single <code>Permission</code> for a given permissionName principal.367 *368 * The security service may optionally check the current user context369 * to determine if the requestor has permission to perform this action.370 *371 * @param permissionName a permission principal identity to be retrieved.372 * @return Permission the permission record retrieved.373 * @exception PermissionException when the security provider has a general failure.374 * @exception InsufficientPrivilegeException when the requestor is denied due to insufficient privilege375 */376publicPermission getPermission(String permissionName)
377 throws JetspeedSecurityException378 {
379if (permissionExists(permissionName))
380 {
381returnnewLDAPPermission(permissionName, false);
382 }
383else384 {
385thrownewPermissionException("Unknown permission '" + permissionName + "'");
386 }
387 }
388389///////////////////////////////////////////////////////////////////////////390// Internal391///////////////////////////////////////////////////////////////////////////392393protectedJetspeedRunData getRunData()
394 {
395JetspeedRunData rundata = null;
396397if (this.runDataService != null)
398 {
399 rundata = this.runDataService.getCurrentRunData();
400 }
401402return rundata;
403 }
404405/***406 * Check whether a specified permission exists.407 *408 * The login name is used for looking up the account.409 *410 * @param permissionName the name of the permission to check for existence.411 * @return true if the specified account exists412 * @throws PermissionException if there was a general db access error413 *414 */415protectedboolean permissionExists(String permissionName)
416 throws PermissionException417 {
418 BasicAttributes attr= new BasicAttributes();
419 Vector permissionurls;
420421try422 {
423 permissionurls = JetspeedLDAP.search(JetspeedLDAP.buildURL("ou=permissions"),
424"(&(uid=" + permissionName + ")(objectclass=jetspeedpermission))", ATTRS, true);
425426if (permissionurls.size() > 0)
427 {
428returntrue;
429 }
430else431 {
432return false;
433 }
434 }
435catch(Exception e)
436 {
437 e.printStackTrace();
438thrownewPermissionException("Failed to retrieve permission ", e);
439 }
440 }
441442///////////////////////////////////////////////////////////////////////////443// Service Init444///////////////////////////////////////////////////////////////////////////445446/***447 * This is the early initialization method called by the448 * Turbine <code>Service</code> framework449 * @param conf The <code>ServletConfig</code>450 * @exception throws a <code>InitializationException</code> if the service451 * fails to initialize452 */453publicsynchronizedvoid init(ServletConfig conf)
454 throws InitializationException
455 {
456if (getInit()) return;
457458super.init(conf);
459460// get configuration parameters from Jetspeed Resources461 ResourceService serviceConf = ((TurbineServices)TurbineServices.getInstance())
462 .getResources(JetspeedSecurityService.SERVICE_NAME);
463464this.runDataService =
465 (JetspeedRunDataService)TurbineServices.getInstance()
466 .getService(RunDataService.SERVICE_NAME);
467468 cascadeDelete = serviceConf.getBoolean( CASCADE_DELETE, DEFAULT_CASCADE_DELETE );
469 cachingEnable = serviceConf.getBoolean( CACHING_ENABLE, cachingEnable );
470 setInit(true);
471 }
472 }