Author: nfilotto
Date: 2010-06-24 15:19:47 -0400 (Thu, 24 Jun 2010)
New Revision: 2702
Modified:
jcr/trunk/exo.jcr.component.core/pom.xml
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/core/security/JCRRuntimePermissions.java
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/impl/core/RepositoryImpl.java
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/impl/core/SessionFactory.java
jcr/trunk/exo.jcr.component.core/src/test/java/org/exoplatform/services/jcr/impl/core/security/TestSecurityRepositoryManagment.java
jcr/trunk/exo.jcr.component.core/src/test/resources/test.policy
Log:
EXOJCR-764: To definitively fix the issue I had to check the permission in
SessionFactory.createSession
What has been done:
1. Re-add the security test for the profile run-all
2. Move the permission check from RepositoryImpl.getSystemSession(..) to
SessionFactory.createSession
3. The related unit test added
4. Fix the other tests
5. Renamed the permission "getJCRSystemSession" to
"createSystemSession"
Modified: jcr/trunk/exo.jcr.component.core/pom.xml
===================================================================
--- jcr/trunk/exo.jcr.component.core/pom.xml 2010-06-24 19:19:31 UTC (rev 2701)
+++ jcr/trunk/exo.jcr.component.core/pom.xml 2010-06-24 19:19:47 UTC (rev 2702)
@@ -728,8 +728,6 @@
<exclude>org/apache/jackrabbit/test/api/TestAll.java</exclude>
<exclude>org/apache/jackrabbit/test/api/**/Abstract*.java</exclude>
<exclude>org/apache/jackrabbit/test/api/**/FrozenNodeTest.java</exclude>
- <!-- security -->
-
<exclude>org/exoplatform/services/jcr/impl/core/security/Test*.java</exclude>
</excludes>
</configuration>
</plugin>
Modified:
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/core/security/JCRRuntimePermissions.java
===================================================================
---
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/core/security/JCRRuntimePermissions.java 2010-06-24
19:19:31 UTC (rev 2701)
+++
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/core/security/JCRRuntimePermissions.java 2010-06-24
19:19:47 UTC (rev 2702)
@@ -25,7 +25,7 @@
public class JCRRuntimePermissions
{
- public static final RuntimePermission GET_SYSTEM_SESSION_PERMISSION = new
RuntimePermission("getJCRSystemSession");
+ public static final RuntimePermission CREATE_SYSTEM_SESSION_PERMISSION = new
RuntimePermission("createSystemSession");
public static final RuntimePermission MANAGE_REPOSITORY_PERMISSION = new
RuntimePermission("manageRepository");
Modified:
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/impl/core/RepositoryImpl.java
===================================================================
---
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/impl/core/RepositoryImpl.java 2010-06-24
19:19:31 UTC (rev 2701)
+++
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/impl/core/RepositoryImpl.java 2010-06-24
19:19:47 UTC (rev 2702)
@@ -400,12 +400,6 @@
*/
public SessionImpl getSystemSession(String workspaceName) throws RepositoryException
{
- // Need privileges to get system session.
- SecurityManager security = System.getSecurityManager();
- if (security != null)
- {
- security.checkPermission(JCRRuntimePermissions.GET_SYSTEM_SESSION_PERMISSION);
- }
if (getState() == OFFLINE)
LOG.warn("Repository " + getName() + " is OFFLINE.");
@@ -574,9 +568,9 @@
ConversationState state;
- PrivilegedExceptionAction<Object> action = new
PrivilegedExceptionAction<Object>()
+ PrivilegedExceptionAction<ConversationState> action = new
PrivilegedExceptionAction<ConversationState>()
{
- public Object run() throws Exception
+ public ConversationState run() throws Exception
{
if (credentials != null)
return authenticationPolicy.authenticate(credentials);
@@ -586,7 +580,7 @@
};
try
{
- state = (ConversationState)AccessController.doPrivileged(action);
+ state = AccessController.doPrivileged(action);
}
catch (PrivilegedActionException pae)
{
Modified:
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/impl/core/SessionFactory.java
===================================================================
---
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/impl/core/SessionFactory.java 2010-06-24
19:19:31 UTC (rev 2701)
+++
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/impl/core/SessionFactory.java 2010-06-24
19:19:47 UTC (rev 2702)
@@ -21,11 +21,13 @@
import org.exoplatform.container.ExoContainer;
import org.exoplatform.container.ExoContainerContext;
import org.exoplatform.services.jcr.config.WorkspaceEntry;
+import org.exoplatform.services.jcr.core.security.JCRRuntimePermissions;
import
org.exoplatform.services.jcr.impl.dataflow.session.TransactionableResourceManager;
import org.exoplatform.services.jcr.impl.util.io.PrivilegedSystemHelper;
import org.exoplatform.services.log.ExoLogger;
import org.exoplatform.services.log.Log;
import org.exoplatform.services.security.ConversationState;
+import org.exoplatform.services.security.IdentityConstants;
import org.exoplatform.services.transaction.TransactionService;
import javax.jcr.LoginException;
@@ -116,11 +118,20 @@
* Creates Session object by given Credentials
*
* @param credentials
- * @return XASessionImpl if TransactionService present or SessionImpl otherwice
+ * @return XASessionImpl if TransactionService present or SessionImpl otherwise
* @throws RepositoryException
*/
SessionImpl createSession(ConversationState user) throws RepositoryException,
LoginException
{
+ if (IdentityConstants.SYSTEM.equals(user.getIdentity().getUserId()))
+ {
+ // Need privileges to get system session.
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ {
+
security.checkPermission(JCRRuntimePermissions.CREATE_SYSTEM_SESSION_PERMISSION);
+ }
+ }
if (tService == null)
{
if (SessionReference.isStarted())
Modified:
jcr/trunk/exo.jcr.component.core/src/test/java/org/exoplatform/services/jcr/impl/core/security/TestSecurityRepositoryManagment.java
===================================================================
---
jcr/trunk/exo.jcr.component.core/src/test/java/org/exoplatform/services/jcr/impl/core/security/TestSecurityRepositoryManagment.java 2010-06-24
19:19:31 UTC (rev 2701)
+++
jcr/trunk/exo.jcr.component.core/src/test/java/org/exoplatform/services/jcr/impl/core/security/TestSecurityRepositoryManagment.java 2010-06-24
19:19:47 UTC (rev 2702)
@@ -20,8 +20,10 @@
package org.exoplatform.services.jcr.impl.core.security;
import org.exoplatform.services.jcr.config.WorkspaceEntry;
+import org.exoplatform.services.jcr.core.CredentialsImpl;
import org.exoplatform.services.jcr.core.ManageableRepository;
import
org.exoplatform.services.jcr.impl.dataflow.serialization.TesterItemsPersistenceListener;
+import org.exoplatform.services.security.IdentityConstants;
import java.security.AccessControlException;
import java.security.PrivilegedExceptionAction;
@@ -85,6 +87,32 @@
}
}
+ public void testGetSystemSessionFail2()
+ {
+ PrivilegedExceptionAction<Object> action = new
PrivilegedExceptionAction<Object>()
+ {
+ public Object run() throws Exception
+ {
+ repository.login(new CredentialsImpl(IdentityConstants.SYSTEM,
"".toCharArray()), repository.getSystemWorkspaceName());
+ return null;
+ }
+
+ };
+ try
+ {
+ doPrivilegedAction(action);
+ fail("Must not be able get system session.");
+ }
+ catch (AccessControlException ace)
+ {
+ // OK
+ }
+ catch (Throwable t)
+ {
+ t.printStackTrace();
+ fail();
+ }
+ }
public void testAddItemPersistenceListenerSuccess()
{
PrivilegedExceptionAction<Object> action = new
PrivilegedExceptionAction<Object>()
@@ -174,9 +202,30 @@
fail();
}
- // remove configured workspace
- repository.createWorkspace("testConfigWorkspaceSuccess");
- repository.internalRemoveWorkspace("testConfigWorkspaceSuccess");
+ action = new PrivilegedExceptionAction<Object>()
+ {
+ public Object run() throws Exception
+ {
+ // remove configured workspace
+ repository.createWorkspace("testConfigWorkspaceSuccess");
+ repository.internalRemoveWorkspace("testConfigWorkspaceSuccess");
+ return null;
+ }
+
+ };
+ try
+ {
+ doPrivilegedActionStaticPermissions(action);
+ }
+ catch (AccessControlException ace)
+ {
+ fail("Must be able config workspace. We are under static
permissions");
+ }
+ catch (Throwable t)
+ {
+ t.printStackTrace();
+ fail();
+ }
}
public void testConfigWorkspaceFail() throws Exception
@@ -223,7 +272,7 @@
WorkspaceEntry defConfig =
(WorkspaceEntry)session.getContainer().getComponentInstanceOfType(WorkspaceEntry.class);
- WorkspaceEntry wsConfig = new WorkspaceEntry();
+ final WorkspaceEntry wsConfig = new WorkspaceEntry();
wsConfig.setName("testCreateWorkspaceSuccess");
wsConfig.setAccessManager(defConfig.getAccessManager());
@@ -231,12 +280,11 @@
wsConfig.setContainer(defConfig.getContainer());
wsConfig.setLockManager(defConfig.getLockManager());
- repository.configWorkspace(wsConfig);
-
PrivilegedExceptionAction<Object> action = new
PrivilegedExceptionAction<Object>()
{
public Object run() throws Exception
{
+ repository.configWorkspace(wsConfig);
repository.createWorkspace("testCreateWorkspaceSuccess");
return null;
}
@@ -255,9 +303,30 @@
t.printStackTrace();
fail();
}
+ action = new PrivilegedExceptionAction<Object>()
+ {
+ public Object run() throws Exception
+ {
+ // remove configured workspace
+ repository.internalRemoveWorkspace("testCreateWorkspaceSuccess");
+ return null;
+ }
- // remove configured workspace
- repository.internalRemoveWorkspace("testCreateWorkspaceSuccess");
+ };
+ try
+ {
+ doPrivilegedActionStaticPermissions(action);
+ }
+ catch (AccessControlException ace)
+ {
+ fail("Must be able config workspace. We are under static
permissions");
+ }
+ catch (Throwable t)
+ {
+ t.printStackTrace();
+ fail();
+ }
+
}
public void testCreateWorkspaceFail()
@@ -293,7 +362,7 @@
WorkspaceEntry defConfig =
(WorkspaceEntry)session.getContainer().getComponentInstanceOfType(WorkspaceEntry.class);
- WorkspaceEntry wsConfig = new WorkspaceEntry();
+ final WorkspaceEntry wsConfig = new WorkspaceEntry();
wsConfig.setName("testInternalRemoveWorkspaceSuccess");
wsConfig.setAccessManager(defConfig.getAccessManager());
@@ -301,13 +370,13 @@
wsConfig.setContainer(defConfig.getContainer());
wsConfig.setLockManager(defConfig.getLockManager());
- repository.configWorkspace(wsConfig);
- repository.createWorkspace("testInternalRemoveWorkspaceSuccess");
PrivilegedExceptionAction<Object> action = new
PrivilegedExceptionAction<Object>()
{
public Object run() throws Exception
{
+ repository.configWorkspace(wsConfig);
+ repository.createWorkspace("testInternalRemoveWorkspaceSuccess");
repository.internalRemoveWorkspace("testInternalRemoveWorkspaceSuccess");
return null;
}
Modified: jcr/trunk/exo.jcr.component.core/src/test/resources/test.policy
===================================================================
--- jcr/trunk/exo.jcr.component.core/src/test/resources/test.policy 2010-06-24 19:19:31
UTC (rev 2701)
+++ jcr/trunk/exo.jcr.component.core/src/test/resources/test.policy 2010-06-24 19:19:47
UTC (rev 2702)
@@ -7,6 +7,6 @@
};
grant codeBase "@TEST_CLASSES@-"{
- permission java.lang.RuntimePermission "getJCRSystemSession";
+ permission java.lang.RuntimePermission "createSystemSession";
permission java.lang.RuntimePermission "manageRepository";
};
Show replies by date