|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Object org.apache.wiki.auth.AuthorizationManager
public class AuthorizationManager
Manages all access control and authorization; determines what authenticated users are allowed to do.
Privileges in JSPWiki are expressed as Java-standard Permission
classes. There are two types of permissions:
WikiPermission
- privileges that apply
to an entire wiki instance: e.g., editing user profiles, creating pages, creating groupsPagePermission
- privileges that apply
to a single wiki page or range of pages: e.g., reading, editing, renaming
Calling classes determine whether they are entitled to perform a particular action
by constructing the appropriate permission first, then passing it and the current
WikiSession
to the
checkPermission(WikiSession, Permission)
method. If the session's
Subject possesses the permission, the action is allowed.
For WikiPermissions, the decision criteria is relatively simple: the caller either possesses the permission, as granted by the wiki security policy -- or not.
For PagePermissions, the logic is exactly the same if the page being checked does not have an access control list. However, if the page does have an ACL, the authorization decision is made based the union of the permissions granted in the ACL and in the security policy. In other words, the user must be named in the ACL (or belong to a group or role that is named in the ACL) and be granted (at least) the same permission in the security policy. We do this to prevent a user from gaining more permissions than they already have, based on the security policy.
See the checkPermission(WikiSession, Permission)
and
hasRoleOrPrincipal(WikiSession, Principal)
methods for more information
on the authorization logic.
AuthenticationManager
Field Summary | |
---|---|
static String |
DEFAULT_AUTHORIZER
The default external Authorizer is the WebContainerAuthorizer |
protected static String |
DEFAULT_POLICY
Name of the default security policy file, in WEB-INF. |
protected static String |
POLICY
Property that supplies the security policy file name, in WEB-INF. |
static String |
PROP_AUTHORIZER
The property name in jspwiki.properties for specifying the external Authorizer . |
Constructor Summary | |
---|---|
AuthorizationManager()
Constructs a new AuthorizationManager instance. |
Method Summary | |
---|---|
void |
addWikiEventListener(WikiEventListener listener)
Registers a WikiEventListener with this instance. |
protected boolean |
allowedByLocalPolicy(Principal[] principals,
Permission permission)
Checks to see if the local security policy allows a particular static Permission. |
boolean |
checkPermission(WikiSession session,
Permission permission)
Returns true or false , depending on
whether a Permission is allowed for the Subject associated with
a supplied WikiSession. |
protected boolean |
checkStaticPermission(WikiSession session,
Permission permission)
Determines whether a Subject possesses a given "static" Permission as defined in the security policy file. |
protected void |
fireEvent(int type,
Principal user,
Object permission)
Fires a WikiSecurityEvent of the provided type, user, and permission to all registered listeners. |
Authorizer |
getAuthorizer()
Returns the current external Authorizer in use. |
boolean |
hasAccess(WikiContext context,
javax.servlet.http.HttpServletResponse response)
Checks whether the current user has access to the wiki context, by obtaining the required Permission ( WikiContext.requiredPermission() )
and delegating the access check to checkPermission(WikiSession, Permission) . |
boolean |
hasAccess(WikiContext context,
javax.servlet.http.HttpServletResponse response,
boolean redirect)
Checks whether the current user has access to the wiki context (and optionally redirects if not), by obtaining the required Permission ( WikiContext.requiredPermission() )
and delegating the access check to checkPermission(WikiSession, Permission) . |
protected boolean |
hasRoleOrPrincipal(WikiSession session,
Principal principal)
Determines if the Subject associated with a supplied WikiSession contains a desired user Principal or built-in Role principal, OR is a member a Group or external Role. |
void |
initialize(WikiEngine engine,
Properties properties)
Initializes AuthorizationManager with an engine and set of properties. |
protected boolean |
isJAASAuthorized()
Returns true if JSPWiki's JAAS authorization system
is used for authorization in addition to container controls. |
boolean |
isUserInRole(WikiSession session,
Principal principal)
Determines if the Subject associated with a supplied WikiSession contains a desired Role or GroupPrincipal. |
void |
removeWikiEventListener(WikiEventListener listener)
Un-registers a WikiEventListener with this instance. |
Principal |
resolvePrincipal(String name)
Given a supplied string representing a Principal's name from an Acl, this method resolves the correct type of Principal (role, group, or user). |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Field Detail |
---|
public static final String DEFAULT_AUTHORIZER
WebContainerAuthorizer
protected static final String POLICY
protected static final String DEFAULT_POLICY
public static final String PROP_AUTHORIZER
Authorizer
.
Constructor Detail |
---|
public AuthorizationManager()
Method Detail |
---|
public boolean checkPermission(WikiSession session, Permission permission)
true
or false
, depending on
whether a Permission is allowed for the Subject associated with
a supplied WikiSession. The access control algorithm works this way:
Acl
for the page is obtainedWikiSession
is obtainedUnresolvedPrincipal
s (see below).
Then iterate through the Subject's Principal set and determine whether
the user (Subject) possesses any one of these specified Roles or
Principals. The matching process delegates to
hasRoleOrPrincipal(WikiSession, Principal)
.
Note that when iterating through the Acl's list of authorized Principals,
it is possible that one or more of the Acl's Principal entries are of
type UnresolvedPrincipal
. This means that the last time
the ACL was read, the Principal (user, built-in Role, authorizer Role, or
wiki Group) could not be resolved: the Role was not valid, the user
wasn't found in the UserDatabase, or the Group wasn't known to (e.g.,
cached) in the GroupManager. If an UnresolvedPrincipal
is
encountered, this method will attempt to resolve it first before
checking to see if the Subject possesses this principal, by calling
resolvePrincipal(String)
. If the (re-)resolution does not
succeed, the access check for the principal will fail by definition (the
Subject should never contain UnresolvedPrincipals).
If security not set to JAAS, will return true.
session
- the current wiki sessionpermission
- the Permission being checked
hasRoleOrPrincipal(WikiSession, Principal)
public boolean isUserInRole(WikiSession session, Principal principal)
Determines if the Subject associated with a supplied WikiSession contains a desired Role or GroupPrincipal. The algorithm simply checks to see if the Subject possesses the Role or GroupPrincipal it in its Principal set. Note that any user (anonymous, asserted, authenticated) can possess a built-in role. But a user must be authenticated to possess a role other than one of the built-in ones. We do this to prevent privilege escalation.
For all other cases, this method returns false
.
Note that this method does not consult the external Authorizer or GroupManager; it relies on the Principals that have been injected into the user's Subject at login time, or after group creation/modification/deletion.
session
- the current wiki session, which must be non-null. If null,
the result of this method always returns false
principal
- the Principal (role or group principal) to look
for, which must be non-null
. If null
,
the result of this method always returns false
true
if the Subject supplied with the WikiContext
posesses the Role or GroupPrincipal, false
otherwisepublic Authorizer getAuthorizer() throws WikiSecurityException
Authorizer
in use. This method
is guaranteed to return a properly-initialized Authorizer, unless
it could not be initialized. In that case, this method throws
a WikiSecurityException
.
WikiSecurityException
- if the Authorizer could
not be initializedprotected boolean hasRoleOrPrincipal(WikiSession session, Principal principal)
Determines if the Subject associated with a supplied WikiSession contains a desired user Principal or built-in Role principal, OR is a member a Group or external Role. The rules are as follows:
isUserInRole(WikiSession, Principal)
and
return the result.Note: if the Principal parameter is a user principal, the session must be authenticated in order for the user to "possess it". Anonymous or asserted sessions will never posseess a named user principal.
session
- the current wiki session, which must be non-null. If null,
the result of this method always returns false
principal
- the Principal (role, group, or user principal) to look
for, which must be non-null. If null, the result of this
method always returns false
true
if the Subject supplied with the WikiContext
posesses the Role, GroupPrincipal or desired
user Principal, false
otherwisepublic boolean hasAccess(WikiContext context, javax.servlet.http.HttpServletResponse response) throws IOException
WikiContext.requiredPermission()
)
and delegating the access check to checkPermission(WikiSession, Permission)
.
If the user is allowed, this method returns true
;
false
otherwise. If access is allowed,
the wiki context will be added to the request as an attribute
with the key name WikiTagBase.ATTR_CONTEXT
.
Note that this method will automatically redirect the user to
a login or error page, as appropriate, if access fails. This is
NOT guaranteed to be default behavior in the future.
context
- wiki context to check if it is accesibleresponse
- the http response
IOException
- In case something goes wrongpublic boolean hasAccess(WikiContext context, javax.servlet.http.HttpServletResponse response, boolean redirect) throws IOException
WikiContext.requiredPermission()
)
and delegating the access check to checkPermission(WikiSession, Permission)
.
If the user is allowed, this method returns true
;
false
otherwise. If access is allowed,
the wiki context will be added to the request as attribute
with the key name WikiTagBase.ATTR_CONTEXT
.
context
- wiki context to check if it is accesibleresponse
- The servlet response objectredirect
- If true, makes an automatic redirect to the response
IOException
- If something goes wrongpublic void initialize(WikiEngine engine, Properties properties) throws WikiException
engine
- the wiki engineproperties
- the set of properties used to initialize the wiki engine
WikiException
- if the AuthorizationManager cannot be initializedprotected boolean isJAASAuthorized()
true
if JSPWiki's JAAS authorization system
is used for authorization in addition to container controls.
protected boolean allowedByLocalPolicy(Principal[] principals, Permission permission)
checkPermission(WikiSession, Permission)
instead.
principals
- the Principals to checkpermission
- the Permission
protected boolean checkStaticPermission(WikiSession session, Permission permission)
codeBase
is effectively this class,
not that of the caller. Therefore, this method will work best when what
matters in the policy is who makes the permission check, not
what the caller's code source is. Internally, this method works by
executing Subject.doAsPrivileged
with a privileged action
that simply calls AccessController.checkPermission(Permission)
.
session
- the WikiSession whose permission status is being queriedpermission
- the Permission the Subject must possess
true
if the Subject possesses the permission,
false
otherwise. A
caught exception (or lack thereof) determines whether the privilege
is absent (or present).
public Principal resolvePrincipal(String name)
Given a supplied string representing a Principal's name from an Acl, this method resolves the correct type of Principal (role, group, or user). This method is guaranteed to always return a Principal. The algorithm is straightforward:
Role
names,
return that built-in RoleAuthorizer
, return that RoleGroupManager
, return that GroupUserDatabase
, find the
first user who matches the supplied name by calling
UserDatabase.find(String)
.UnresolvedPrincipal
name
- the name of the Principal to resolve
public void addWikiEventListener(WikiEventListener listener)
listener
- the event listenerpublic void removeWikiEventListener(WikiEventListener listener)
listener
- the event listenerprotected void fireEvent(int type, Principal user, Object permission)
type
- the event type to be fireduser
- the user associated with the eventpermission
- the permission the subject must possessWikiSecurityEvent
|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |