pnever      2004/01/15 03:54:42

  Modified:    src/share/org/apache/slide/common SlideTokenWrapper.java
                        SlideTokenImpl.java SlideToken.java
                        NamespaceConfig.java
               src/share/org/apache/slide/security SecurityImpl.java
               src/conf/webapp Domain.xml
  Log:
  ACL-draft-12: added support for nested roles (e.g. the ability to specify
  a role in DAV:group-member-set of a role).
  New namespaceConfig parameter: nested_roles_maxdepth
  specifying the expected max depth in nested roles structures (default = 0,
  meaning no-nesting).
  
  Revision  Changes    Path
  1.9       +19 -3     
jakarta-slide/src/share/org/apache/slide/common/SlideTokenWrapper.java
  
  Index: SlideTokenWrapper.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-slide/src/share/org/apache/slide/common/SlideTokenWrapper.java,v
  retrieving revision 1.8
  retrieving revision 1.9
  diff -u -r1.8 -r1.9
  --- SlideTokenWrapper.java    27 Dec 2003 14:50:59 -0000      1.8
  +++ SlideTokenWrapper.java    15 Jan 2004 11:54:42 -0000      1.9
  @@ -69,6 +69,7 @@
   import org.apache.slide.store.ResourceId;
   import org.apache.slide.structure.ActionNode;
   import org.apache.slide.structure.ObjectNode;
  +import org.apache.slide.structure.SubjectNode;
   
   /**
    * Slide token class.
  @@ -352,6 +353,21 @@
        */
       public ResourceId checkResolveCache(Uri uri) {
           return wrappedToken.checkResolveCache(uri);
  +    }
  +    
  +    /**
  +     * Allows to cache the result of a matchPrincipal operation
  +     */
  +    public void cacheMatchPrincipal(SubjectNode checkSubject, SubjectNode 
matchSubject, boolean match) {
  +        wrappedToken.cacheMatchPrincipal(checkSubject, matchSubject, match);
  +    }
  +    
  +    /**
  +     * Checks if the matchPrincipal cache
  +     * @return the cached Boolean or null
  +     */
  +    public Boolean checkMatchPrincipalCache(SubjectNode checkSubject, SubjectNode 
matchSubject) {
  +        return wrappedToken.checkMatchPrincipalCache(checkSubject, matchSubject);
       }
       
   }
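Review bot: The Javadoc on `checkMatchPrincipalCache` is an unfinished sentence ("Checks if the matchPrincipal cache"), and neither new method documents its parameters; the same text is repeated in SlideTokenImpl.java and SlideToken.java. Because the cached value feeds an authorization decision, the contract is worth stating, e.g. `Returns the cached result of matchPrincipal for this (checkSubject, matchSubject) pair, or null if no result has been cached.` For `cacheMatchPrincipal`, a `@param match` line should say it is the outcome of the membership check for that pair.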
  
  
  
  1.9       +22 -3     
jakarta-slide/src/share/org/apache/slide/common/SlideTokenImpl.java
  
  Index: SlideTokenImpl.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-slide/src/share/org/apache/slide/common/SlideTokenImpl.java,v
  retrieving revision 1.8
  retrieving revision 1.9
  diff -u -r1.8 -r1.9
  --- SlideTokenImpl.java       27 Dec 2003 14:50:59 -0000      1.8
  +++ SlideTokenImpl.java       15 Jan 2004 11:54:42 -0000      1.9
  @@ -71,6 +71,7 @@
   import org.apache.slide.store.ResourceId;
   import org.apache.slide.structure.ActionNode;
   import org.apache.slide.structure.ObjectNode;
  +import org.apache.slide.structure.SubjectNode;
   
   /**
    * Slide token class.
  @@ -161,6 +162,7 @@
       private Hashtable permissionCache = new Hashtable();
       private Hashtable lockCache = new Hashtable();
       private Hashtable resolveCache = new Hashtable();
  +    private Hashtable matchPrincipalCache = new Hashtable();
       
       // ------------------------------------------------------------- Properties
       
  @@ -401,6 +403,23 @@
        */
       public ResourceId checkResolveCache(Uri uri) {
           return (ResourceId)resolveCache.get(uri);
  +    }
  +    
  +    /**
  +     * Allows to cache the result of a matchPrincipal operation
  +     */
  +    public void cacheMatchPrincipal(SubjectNode checkSubject, SubjectNode 
matchSubject, boolean match) {
  +        String key = String.valueOf(checkSubject)+String.valueOf(matchSubject);
  +        matchPrincipalCache.put(key, new Boolean(match));
  +    }
  +    
  +    /**
  +     * Checks if the matchPrincipal cache
  +     * @return the cached Boolean or null
  +     */
  +    public Boolean checkMatchPrincipalCache(SubjectNode checkSubject, SubjectNode 
matchSubject) {
  +        String key = String.valueOf(checkSubject)+String.valueOf(matchSubject);
  +        return (Boolean)matchPrincipalCache.get(key);
       }
       
       public void setForceLock(boolean forceLock) {
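Review bot: The cache key in `cacheMatchPrincipal` and `checkMatchPrincipalCache` joins the two subjects' string forms with no separator, so two different pairs can produce the same key and one pair's authorization result would be returned for the other. This assumes `SubjectNode.toString()` yields something URI-like, which the hunk does not show; if it is not overridden at all, equal nodes would instead never hit the cache. A separator that cannot occur in either part removes the ambiguity, e.g. `String key = String.valueOf(checkSubject) + '\n' + String.valueOf(matchSubject);`, as would a small pair key with `equals`/`hashCode`. Nothing visible here clears `matchPrincipalCache`, so a membership change made while the token is alive may keep returning the old decision; worth confirming that a token lives no longer than one request.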
  
  
  
  1.15      +16 -4     jakarta-slide/src/share/org/apache/slide/common/SlideToken.java
  
  Index: SlideToken.java
  ===================================================================
  RCS file: /home/cvs/jakarta-slide/src/share/org/apache/slide/common/SlideToken.java,v
  retrieving revision 1.14
  retrieving revision 1.15
  diff -u -r1.14 -r1.15
  --- SlideToken.java   27 Dec 2003 14:50:59 -0000      1.14
  +++ SlideToken.java   15 Jan 2004 11:54:42 -0000      1.15
  @@ -69,6 +69,7 @@
   import org.apache.slide.store.ResourceId;
   import org.apache.slide.structure.ActionNode;
   import org.apache.slide.structure.ObjectNode;
  +import org.apache.slide.structure.SubjectNode;
   
   /**
    * The SlideToken interface identifies the current acting principal and its
  @@ -273,6 +274,17 @@
        * Allows to cache the result of a resolve operation
        */
       public void cacheResolve(Uri uri, ResourceId resourceId);
  +    
  +    /**
  +     * Allows to cache the result of a matchPrincipal operation
  +     */
  +    public void cacheMatchPrincipal(SubjectNode checkSubject, SubjectNode 
matchSubject, boolean match);
  +    
  +    /**
  +     * Checks if the matchPrincipal cache
  +     * @return the cached Boolean or null
  +     */
  +    public Boolean checkMatchPrincipalCache(SubjectNode checkSubject, SubjectNode 
matchSubject);
       
       /**
        * Checks if the resolve cache contains an entry for the specified uri.
  
  
  
  1.33      +22 -9     
jakarta-slide/src/share/org/apache/slide/common/NamespaceConfig.java
  
  Index: NamespaceConfig.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-slide/src/share/org/apache/slide/common/NamespaceConfig.java,v
  retrieving revision 1.32
  retrieving revision 1.33
  diff -u -r1.32 -r1.33
  --- NamespaceConfig.java      5 Nov 2003 14:24:36 -0000       1.32
  +++ NamespaceConfig.java      15 Jan 2004 11:54:42 -0000      1.33
  @@ -100,13 +100,17 @@
       
       
       private final static String
  -        ACL_INHERIT_TYPE      = "acl_inheritance_type";
  +        ACL_INHERIT_TYPE       = "acl_inheritance_type",
  +        NESTED_ROLES_MAXDEPTH  = "nested_roles_maxdepth";
  +    
  +    private final static int
  +        NESTED_ROLES_MAXDEPTH_DEFAULT = 0;
       
       public final static int
  -        ACL_INHERIT_TYPE_NONE = 0,
  -        ACL_INHERIT_TYPE_ROOT = 1,
  -        ACL_INHERIT_TYPE_PATH = 2,
  -        ACL_INHERIT_TYPE_FULL = 3;
  +        ACL_INHERIT_TYPE_NONE  = 0,
  +        ACL_INHERIT_TYPE_ROOT  = 1,
  +        ACL_INHERIT_TYPE_PATH  = 2,
  +        ACL_INHERIT_TYPE_FULL  = 3;
       
       
       // ----------------------------------------------------- Instance Variables
  @@ -658,6 +662,15 @@
           }
       }
       
  +    public int getNestedRolesMaxDepth() {
  +        int result = NESTED_ROLES_MAXDEPTH_DEFAULT;
  +        String nestedRolesMaxDepthStr = getParameter(NESTED_ROLES_MAXDEPTH);
  +        try {
  +            result = Integer.parseInt(nestedRolesMaxDepthStr);
  +        }
  +        catch (NumberFormatException e) {}
  +        return result;
  +    }
       
       // -------------------------------------------------------- Package Methods
       
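Review bot: The empty `catch (NumberFormatException e) {}` in `getNestedRolesMaxDepth` hides a mistyped `nested_roles_maxdepth`: role nesting silently stays off and nothing tells the administrator why group-based permissions stop matching. Falling back to the default is the safe direction, but the catch should log the rejected value and say so in a comment, e.g. `catch (NumberFormatException e) { /* unset or malformed: keep NESTED_ROLES_MAXDEPTH_DEFAULT */ }`. The parsed value is also returned unchecked, so a negative number behaves like 0 and a very large one goes straight into the recursive membership walk in SecurityImpl; clamping to a documented range would make the limit explicit. The method has no Javadoc; one sentence giving the parameter name, the default and the meaning of 0 would do.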
  
  
  
  1.43      +50 -9     
jakarta-slide/src/share/org/apache/slide/security/SecurityImpl.java
  
  Index: SecurityImpl.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-slide/src/share/org/apache/slide/security/SecurityImpl.java,v
  retrieving revision 1.42
  retrieving revision 1.43
  diff -u -r1.42 -r1.43
  --- SecurityImpl.java 1 Dec 2003 12:10:49 -0000       1.42
  +++ SecurityImpl.java 15 Jan 2004 11:54:42 -0000      1.43
  @@ -1200,7 +1200,7 @@
        *
        * @param    token               a  SlideToken
        * @param    checkSubject        the "current" principal
  -     * @param    permSubject         the principal to check against (e.g. user
  +     * @param    matchSubject        the principal to check against (e.g. user
        *                               or group from NodePermission or NodeLock)
        *
        * @return   a boolean
  @@ -1208,19 +1208,60 @@
        * @throws   ServiceAccessException
        *
        */
  -    public boolean matchPrincipal(SlideToken token, SubjectNode checkSubject, 
SubjectNode permSubject) throws ServiceAccessException {
  -        if (permSubject.equals(checkSubject)) {
  +    public boolean matchPrincipal(SlideToken token, SubjectNode checkSubject, 
SubjectNode matchSubject) throws ServiceAccessException {
  +        Boolean b = token.checkMatchPrincipalCache(checkSubject, matchSubject);
  +        if (b != null) {
  +            return b.booleanValue();
  +        }
  +        else {
  +            boolean match = matchPrincipal(token, checkSubject, matchSubject, 
namespaceConfig.getNestedRolesMaxDepth());
  +            token.cacheMatchPrincipal(checkSubject, matchSubject, match);
  +            return match;
  +        }
  +    }
  +    
  +    /**
  +     * Return true, if-and-only-if checkSubject matches permSubject.
  +     *
  +     * @param    token               a  SlideToken
  +     * @param    checkSubject        the "current" principal
  +     * @param    matchSubject        the principal to check against (e.g. user
  +     *                               or group from NodePermission or NodeLock)
  +     *
  +     * @return   a boolean
  +     *
  +     * @throws   ServiceAccessException
  +     *
  +     */
  +    public boolean matchPrincipal(SlideToken token, SubjectNode checkSubject, 
SubjectNode matchSubject, int level) throws ServiceAccessException {
  +        if (matchSubject.equals(checkSubject)) {
               return true;
           }
           else {
  -            Uri groupUri = namespace.getUri(token, permSubject.getUri());
  +            Uri groupUri = namespace.getUri(token, matchSubject.getUri());
               try {
                   NodeRevisionDescriptor nrd =
                       groupUri.getStore().retrieveRevisionDescriptor(groupUri, new 
NodeRevisionNumber());
                   NodeProperty membersetProp = nrd.getProperty("group-member-set");
                   if (membersetProp != null && membersetProp.getValue() != null) {
                       XMLValue xmlVal = new 
XMLValue((String)membersetProp.getValue());
  -                    return xmlVal.getHrefNodes().contains(checkSubject);
  +                    List memberNodes = xmlVal.getHrefNodes();
  +                    if (memberNodes.contains(checkSubject)) {
  +                        return true;
  +                    }
  +                    else if (level > 0) {
  +                        int nextLevel = level - 1;
  +                        boolean match = false;
  +                        Iterator i = memberNodes.iterator();
  +                        while (!match && i.hasNext()) {
  +                            SubjectNode nextMatchNode = (SubjectNode)i.next();
  +                            match = matchPrincipal(token, checkSubject, 
nextMatchNode, nextLevel);
  +                        }
  +                        return match;
  +                    }
  +                    else {
  +                        return false;
  +                    }
                   }
                   else {
                       return false;
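Review bot: The new four-argument `matchPrincipal` overload is declared `public`, although within this diff it is only a recursion helper: a caller using it directly bypasses the per-token cache and picks its own `level`, ignoring `nested_roles_maxdepth`. Unless another class needs it, `private boolean matchPrincipal(SlideToken token, SubjectNode checkSubject, SubjectNode matchSubject, int level)` keeps the configured depth behind the single cached entry point. Its Javadoc still says "matches permSubject" and lacks `@param level` (remaining nesting depth; 0 checks direct members only). The walk keeps no record of roles already expanded, so a role reachable through several parents is re-read from the store each time, bounded only by `level`. The `try` block and the rest of the method continue past the end of the hunk, so how a member node that cannot be loaded is handled is not visible here.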
  
  
  
  1.49      +6 -4      jakarta-slide/src/conf/webapp/Domain.xml
  
  Index: Domain.xml
  ===================================================================
  RCS file: /home/cvs/jakarta-slide/src/conf/webapp/Domain.xml,v
  retrieving revision 1.48
  retrieving revision 1.49
  diff -u -r1.48 -r1.49
  --- Domain.xml        14 Jan 2004 15:44:20 -0000      1.48
  +++ Domain.xml        15 Jan 2004 11:54:42 -0000      1.49
  @@ -56,6 +56,8 @@
               <parameter name="dav">true</parameter>
               <parameter name="standalone">true</parameter>
               <parameter name="acl_inheritance_type">path</parameter>
  +            <!-- Nested roles: 0 means no nesting (default), 1 means one sublevel, 
etc. -->
  +            <parameter name="nested_roles_maxdepth">0</parameter>
           </configuration>
           <data>
               <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/">
  @@ -80,24 +82,24 @@
                       <!-- /users/root represents the administrator -->
                       <objectnode classname="org.apache.slide.structure.SubjectNode" 
uri="/users/root">
                           <revision>
  -                            <property namespace="http://jakarta.apache.org/slide/"; 
name="password"></property>
  +                            <property namespace="http://jakarta.apache.org/slide/"; 
name="password"/>
                           </revision>
                       </objectnode>
                       <!-- /users/john and /users/john2 represent authenticated users 
-->
                       <objectnode classname="org.apache.slide.structure.SubjectNode" 
uri="/users/john">
                           <revision>
  -                            <property namespace="http://jakarta.apache.org/slide/"; 
name="password"></property>
  +                            <property namespace="http://jakarta.apache.org/slide/"; 
name="password"/>
                           </revision>
                       </objectnode>
                       <objectnode classname="org.apache.slide.structure.SubjectNode" 
uri="/users/john2">
                           <revision>
  -                            <property namespace="http://jakarta.apache.org/slide/"; 
name="password"></property>
  +                            <property namespace="http://jakarta.apache.org/slide/"; 
name="password"/>
                           </revision>
                       </objectnode>
                       <!-- /users/guest represents an authenticated or 
unauthenticated guest user -->
                       <objectnode classname="org.apache.slide.structure.SubjectNode" 
uri="/users/guest">
                           <revision>
  -                            <property namespace="http://jakarta.apache.org/slide/"; 
name="password"></property>
  +                            <property namespace="http://jakarta.apache.org/slide/"; 
name="password"/>
                           </revision>
                       </objectnode>
                   </objectnode>
  
  
  
