Author: nfilotto
Date: 2011-02-25 09:23:26 -0500 (Fri, 25 Feb 2011)
New Revision: 4019
Added:
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/security/
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/security/ContainerPermissions.java
Modified:
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/impl/RepositoryContainer.java
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/impl/RepositoryServiceImpl.java
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/impl/core/RepositoryImpl.java
jcr/trunk/exo.jcr.component.core/src/test/java/org/exoplatform/services/jcr/ExoRepositoryStub.java
kernel/trunk/exo.kernel.component.common/src/test/resources/test.policy
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/ConcurrentPicoContainer.java
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/ExoContainer.java
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/ExoContainerContext.java
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/PortalContainer.java
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/RootContainer.java
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/SessionContainer.java
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/SessionManagerImpl.java
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/StandaloneContainer.java
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/definition/PortalContainerConfig.java
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/management/ManageableContainer.java
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/web/PortalContainerCreator.java
kernel/trunk/exo.kernel.container/src/test/resources/test.policy
ws/trunk/exo.ws.rest.core/src/test/resources/test.policy
ws/trunk/exo.ws.rest.ext/src/test/resources/test.policy
Log:
EXOJCR-1199: The operations on containers have been protected by a RuntimePermission
called manageContainer and adding/removing a component from a container has been protected
by a RuntimePermission called manageComponent
Modified:
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/impl/RepositoryContainer.java
===================================================================
---
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/impl/RepositoryContainer.java 2011-02-25
12:07:35 UTC (rev 4018)
+++
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/impl/RepositoryContainer.java 2011-02-25
14:23:26 UTC (rev 4019)
@@ -18,6 +18,7 @@
*/
package org.exoplatform.services.jcr.impl;
+import org.exoplatform.commons.utils.SecurityHelper;
import org.exoplatform.container.ExoContainer;
import org.exoplatform.container.component.ComponentPlugin;
import org.exoplatform.container.jmx.MX4JComponentAdapterFactory;
@@ -32,6 +33,7 @@
import org.exoplatform.services.jcr.config.WorkspaceEntry;
import org.exoplatform.services.jcr.core.nodetype.ExtendedNodeTypeManager;
import org.exoplatform.services.jcr.core.nodetype.NodeTypeDataManager;
+import org.exoplatform.services.jcr.core.security.JCRRuntimePermissions;
import org.exoplatform.services.jcr.impl.core.AddNamespacePluginHolder;
import org.exoplatform.services.jcr.impl.core.LocationFactory;
import org.exoplatform.services.jcr.impl.core.NamespaceDataPersister;
@@ -65,6 +67,7 @@
import org.exoplatform.services.log.ExoLogger;
import org.exoplatform.services.log.Log;
+import java.security.PrivilegedAction;
import java.util.List;
import javax.jcr.NamespaceRegistry;
@@ -124,7 +127,7 @@
* @throws RepositoryConfigurationException
* configuration error
*/
- public RepositoryContainer(ExoContainer parent, RepositoryEntry config,
List<ComponentPlugin> addNamespacePlugins)
+ public RepositoryContainer(final ExoContainer parent, RepositoryEntry config,
List<ComponentPlugin> addNamespacePlugins)
throws RepositoryException, RepositoryConfigurationException
{
@@ -137,8 +140,15 @@
this.config = config;
this.addNamespacePlugins = addNamespacePlugins;
this.name = parent.getContext().getName() + "-" + config.getName();
-
- parent.registerComponentInstance(name, this);
+
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ parent.registerComponentInstance(name, this);
+ return null;
+ }
+ });
registerComponents();
}
@@ -154,7 +164,7 @@
* @throws RepositoryConfigurationException
* configuration error
*/
- public RepositoryContainer(ExoContainer parent, RepositoryEntry config) throws
RepositoryException,
+ public RepositoryContainer(final ExoContainer parent, RepositoryEntry config) throws
RepositoryException,
RepositoryConfigurationException
{
@@ -166,8 +176,15 @@
this.config = config;
this.name = parent.getContext().getName() + "-" + config.getName();
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ parent.registerComponentInstance(name, this);
+ return null;
+ }
+ });
- parent.registerComponentInstance(name, this);
registerComponents();
}
@@ -239,6 +256,12 @@
public void registerWorkspace(final WorkspaceEntry wsConfig) throws
RepositoryException,
RepositoryConfigurationException
{
+ // Need privileges to manage repository.
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ {
+ security.checkPermission(JCRRuntimePermissions.MANAGE_REPOSITORY_PERMISSION);
+ }
try
{
@@ -247,61 +270,86 @@
if (getWorkspaceContainer(wsConfig.getName()) != null)
throw new RepositoryException("Workspace " + wsConfig.getName() +
" already registered");
- WorkspaceContainer workspaceContainer = new WorkspaceContainer(this, wsConfig);
+ final WorkspaceContainer workspaceContainer = new WorkspaceContainer(this,
wsConfig);
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ registerComponentInstance(wsConfig.getName(), workspaceContainer);
- registerComponentInstance(wsConfig.getName(), workspaceContainer);
+ wsConfig.setUniqueName(getName() + "_" + wsConfig.getName());
- wsConfig.setUniqueName(getName() + "_" + wsConfig.getName());
+ workspaceContainer.registerComponentInstance(wsConfig);
- workspaceContainer.registerComponentInstance(wsConfig);
-
-
workspaceContainer.registerComponentImplementation(StandaloneStoragePluginProvider.class);
-
+
workspaceContainer.registerComponentImplementation(StandaloneStoragePluginProvider.class);
+ return null;
+ }
+ });
try
{
- Class<?> containerType =
Class.forName(wsConfig.getContainer().getType());
- workspaceContainer.registerComponentImplementation(containerType);
- if (isSystem)
+ final Class<?> containerType =
Class.forName(wsConfig.getContainer().getType());
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
{
- registerComponentInstance(new
SystemDataContainerHolder((WorkspaceDataContainer)workspaceContainer
- .getComponentInstanceOfType(WorkspaceDataContainer.class)));
- }
+ public Void run()
+ {
+ workspaceContainer.registerComponentImplementation(containerType);
+ if (isSystem)
+ {
+ registerComponentInstance(new
SystemDataContainerHolder((WorkspaceDataContainer)workspaceContainer
+ .getComponentInstanceOfType(WorkspaceDataContainer.class)));
+ }
+ return null;
+ }
+ });
}
catch (ClassNotFoundException e)
{
throw new RepositoryConfigurationException("Class not found for
workspace data container "
+ wsConfig.getUniqueName() + " : " + e);
}
-
- // cache type
- try
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
{
- String className = wsConfig.getCache().getType();
- if (className != null && className.length() > 0)
+ public Void run()
{
-
workspaceContainer.registerComponentImplementation(Class.forName(className));
+ // cache type
+ try
+ {
+ String className = wsConfig.getCache().getType();
+ if (className != null && className.length() > 0)
+ {
+
workspaceContainer.registerComponentImplementation(Class.forName(className));
+ }
+ else
+
workspaceContainer.registerComponentImplementation(LinkedWorkspaceStorageCacheImpl.class);
+ }
+ catch (ClassNotFoundException e)
+ {
+ log.warn("Workspace cache class not found " +
wsConfig.getCache().getType()
+ + ", will use default. Error : " + e);
+
workspaceContainer.registerComponentImplementation(LinkedWorkspaceStorageCacheImpl.class);
+ }
+
+
workspaceContainer.registerComponentImplementation(CacheableWorkspaceDataManager.class);
+
workspaceContainer.registerComponentImplementation(LocalWorkspaceDataManagerStub.class);
+
workspaceContainer.registerComponentImplementation(ObservationManagerRegistry.class);
+ return null;
}
- else
-
workspaceContainer.registerComponentImplementation(LinkedWorkspaceStorageCacheImpl.class);
- }
- catch (ClassNotFoundException e)
- {
- log.warn("Workspace cache class not found " +
wsConfig.getCache().getType()
- + ", will use default. Error : " + e);
-
workspaceContainer.registerComponentImplementation(LinkedWorkspaceStorageCacheImpl.class);
- }
+ });
-
workspaceContainer.registerComponentImplementation(CacheableWorkspaceDataManager.class);
-
workspaceContainer.registerComponentImplementation(LocalWorkspaceDataManagerStub.class);
-
workspaceContainer.registerComponentImplementation(ObservationManagerRegistry.class);
-
// Lock manager and Lock persister is a optional parameters
if (wsConfig.getLockManager() != null &&
wsConfig.getLockManager().getPersister() != null)
{
try
{
- Class<?> lockPersister =
Class.forName(wsConfig.getLockManager().getPersister().getType());
- workspaceContainer.registerComponentImplementation(lockPersister);
+ final Class<?> lockPersister =
Class.forName(wsConfig.getLockManager().getPersister().getType());
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ workspaceContainer.registerComponentImplementation(lockPersister);
+ return null;
+ }
+ });
}
catch (ClassNotFoundException e)
{
@@ -315,8 +363,15 @@
{
try
{
- Class<?> lockManagerType =
Class.forName(wsConfig.getLockManager().getType());
- workspaceContainer.registerComponentImplementation(lockManagerType);
+ final Class<?> lockManagerType =
Class.forName(wsConfig.getLockManager().getType());
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+
workspaceContainer.registerComponentImplementation(lockManagerType);
+ return null;
+ }
+ });
}
catch (ClassNotFoundException e)
{
@@ -326,29 +381,49 @@
}
else
{
- workspaceContainer.registerComponentImplementation(LockManagerImpl.class);
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+
workspaceContainer.registerComponentImplementation(LockManagerImpl.class);
+ return null;
+ }
+ });
}
-
- // Query handler
- if (wsConfig.getQueryHandler() != null)
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
{
- workspaceContainer.registerComponentImplementation(SearchManager.class);
- workspaceContainer.registerComponentImplementation(QueryManager.class);
-
workspaceContainer.registerComponentImplementation(QueryManagerFactory.class);
- workspaceContainer.registerComponentInstance(wsConfig.getQueryHandler());
- if (isSystem)
+ public Void run()
{
-
workspaceContainer.registerComponentImplementation(SystemSearchManager.class);
+ // Query handler
+ if (wsConfig.getQueryHandler() != null)
+ {
+
workspaceContainer.registerComponentImplementation(SearchManager.class);
+
workspaceContainer.registerComponentImplementation(QueryManager.class);
+
workspaceContainer.registerComponentImplementation(QueryManagerFactory.class);
+
workspaceContainer.registerComponentInstance(wsConfig.getQueryHandler());
+ if (isSystem)
+ {
+
workspaceContainer.registerComponentImplementation(SystemSearchManager.class);
+ }
+ }
+ return null;
}
- }
+ });
// access manager
if (wsConfig.getAccessManager() != null &&
wsConfig.getAccessManager().getType() != null)
{
try
{
- Class<?> am = Class.forName(wsConfig.getAccessManager().getType());
- workspaceContainer.registerComponentImplementation(am);
+ final Class<?> am =
Class.forName(wsConfig.getAccessManager().getType());
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ workspaceContainer.registerComponentImplementation(am);
+ return null;
+ }
+ });
}
catch (ClassNotFoundException e)
{
@@ -358,7 +433,7 @@
}
// initializer
- Class<?> initilizerType;
+ final Class<?> initilizerType;
if (wsConfig.getInitializer() != null &&
wsConfig.getInitializer().getType() != null)
{
// use user defined
@@ -377,10 +452,16 @@
// use default
initilizerType = ScratchWorkspaceInitializer.class;
}
- workspaceContainer.registerComponentImplementation(initilizerType);
- workspaceContainer.registerComponentImplementation(SessionFactory.class);
-
- LocalWorkspaceDataManagerStub wsDataManager =
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ workspaceContainer.registerComponentImplementation(initilizerType);
+ workspaceContainer.registerComponentImplementation(SessionFactory.class);
+ return null;
+ }
+ });
+ final LocalWorkspaceDataManagerStub wsDataManager =
(LocalWorkspaceDataManagerStub)workspaceContainer
.getComponentInstanceOfType(LocalWorkspaceDataManagerStub.class);
@@ -388,7 +469,14 @@
{
// system workspace
systemDataManager = wsDataManager;
- registerComponentInstance(systemDataManager);
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ registerComponentInstance(systemDataManager);
+ return null;
+ }
+ });
}
wsDataManager.setSystemDataManager(systemDataManager);
@@ -526,52 +614,73 @@
private void registerComponents() throws RepositoryConfigurationException,
RepositoryException
{
-
- registerComponentInstance(config);
- // WorkspaceFileCleanerHolder - is a common holder for all workspaces.
- // It is used to initialize FileValueStorage
- registerComponentImplementation(FileCleanerHolder.class);
- registerComponentImplementation(LockRemoverHolder.class);
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ registerComponentInstance(config);
+ // WorkspaceFileCleanerHolder - is a common holder for all workspaces.
+ // It is used to initialize FileValueStorage
+ registerComponentImplementation(FileCleanerHolder.class);
+ registerComponentImplementation(LockRemoverHolder.class);
+ return null;
+ }
+ });
registerWorkspacesComponents();
registerRepositoryComponents();
}
private void registerRepositoryComponents() throws RepositoryConfigurationException,
RepositoryException
{
- registerComponentImplementation(IdGenerator.class);
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ registerComponentImplementation(IdGenerator.class);
- registerComponentImplementation(RepositoryIndexSearcherHolder.class);
+ registerComponentImplementation(RepositoryIndexSearcherHolder.class);
- registerComponentImplementation(LocationFactory.class);
- registerComponentImplementation(ValueFactoryImpl.class);
+ registerComponentImplementation(LocationFactory.class);
+ registerComponentImplementation(ValueFactoryImpl.class);
- registerComponentInstance(new AddNamespacePluginHolder(addNamespacePlugins));
+ registerComponentInstance(new
AddNamespacePluginHolder(addNamespacePlugins));
- registerComponentImplementation(JCRNodeTypeDataPersister.class);
- registerComponentImplementation(NamespaceDataPersister.class);
- registerComponentImplementation(NamespaceRegistryImpl.class);
+ registerComponentImplementation(JCRNodeTypeDataPersister.class);
+ registerComponentImplementation(NamespaceDataPersister.class);
+ registerComponentImplementation(NamespaceRegistryImpl.class);
- registerComponentImplementation(NodeTypeManagerImpl.class);
- registerComponentImplementation(NodeTypeDataManagerImpl.class);
+ registerComponentImplementation(NodeTypeManagerImpl.class);
+ registerComponentImplementation(NodeTypeDataManagerImpl.class);
- registerComponentImplementation(DefaultAccessManagerImpl.class);
+ registerComponentImplementation(DefaultAccessManagerImpl.class);
- registerComponentImplementation(SessionRegistry.class);
+ registerComponentImplementation(SessionRegistry.class);
- String systemWsname = config.getSystemWorkspaceName();
- WorkspaceEntry systemWsEntry = getWorkspaceEntry(systemWsname);
+ String systemWsname = config.getSystemWorkspaceName();
+ WorkspaceEntry systemWsEntry = getWorkspaceEntry(systemWsname);
- if (systemWsEntry != null && systemWsEntry.getQueryHandler() != null)
- {
- SystemSearchManager systemSearchManager =
-
(SystemSearchManager)getWorkspaceContainer(systemWsname).getComponentInstanceOfType(
- SystemSearchManager.class);
- registerComponentInstance(new SystemSearchManagerHolder(systemSearchManager));
- }
+ if (systemWsEntry != null && systemWsEntry.getQueryHandler() !=
null)
+ {
+ SystemSearchManager systemSearchManager =
+
(SystemSearchManager)getWorkspaceContainer(systemWsname).getComponentInstanceOfType(
+ SystemSearchManager.class);
+ registerComponentInstance(new
SystemSearchManagerHolder(systemSearchManager));
+ }
+ return null;
+ }
+ });
try
{
-
registerComponentImplementation(Class.forName(config.getAuthenticationPolicy()));
+ final Class<?> authenticationPolicyClass =
Class.forName(config.getAuthenticationPolicy());
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ registerComponentImplementation(authenticationPolicyClass);
+ return null;
+ }
+ });
}
catch (ClassNotFoundException e)
{
@@ -579,9 +688,15 @@
}
// Repository
- RepositoryImpl repository = new RepositoryImpl(this);
- registerComponentInstance(repository);
-
+ final RepositoryImpl repository = new RepositoryImpl(this);
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ registerComponentInstance(repository);
+ return null;
+ }
+ });
}
private void registerWorkspacesComponents() throws RepositoryException,
RepositoryConfigurationException
Modified:
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/impl/RepositoryServiceImpl.java
===================================================================
---
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/impl/RepositoryServiceImpl.java 2011-02-25
12:07:35 UTC (rev 4018)
+++
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/impl/RepositoryServiceImpl.java 2011-02-25
14:23:26 UTC (rev 4019)
@@ -18,6 +18,7 @@
*/
package org.exoplatform.services.jcr.impl;
+import org.exoplatform.commons.utils.SecurityHelper;
import org.exoplatform.container.ExoContainer;
import org.exoplatform.container.ExoContainerContext;
import org.exoplatform.container.PortalContainer;
@@ -39,6 +40,7 @@
import org.picocontainer.Startable;
import java.io.InputStream;
+import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
@@ -144,16 +146,22 @@
throw new RepositoryConfigurationException("Repository container " +
rEntry.getName() + " already started");
}
- RepositoryContainer repositoryContainer = new RepositoryContainer(parentContainer,
rEntry, addNamespacesPlugins);
+ final RepositoryContainer repositoryContainer = new
RepositoryContainer(parentContainer, rEntry, addNamespacesPlugins);
// Storing and starting the repository container under
// key=repository_name
try
{
repositoryContainers.put(rEntry.getName(), repositoryContainer);
- managerStartChanges.registerListeners(repositoryContainer);
-
- repositoryContainer.start();
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ managerStartChanges.registerListeners(repositoryContainer);
+ repositoryContainer.start();
+ return null;
+ }
+ });
}
catch (Throwable t)
{
@@ -418,11 +426,25 @@
repo.internalRemoveWorkspace(wsEntry.getName());
}
repconfig.getWorkspaceEntries().clear();
- RepositoryContainer repositoryContainer = repositoryContainers.get(name);
- repositoryContainer.stop();
+ final RepositoryContainer repositoryContainer = repositoryContainers.get(name);
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ repositoryContainer.stop();
+ return null;
+ }
+ });
repositoryContainers.remove(name);
config.getRepositoryConfigurations().remove(repconfig);
- parentContainer.unregisterComponent(repositoryContainer.getName());
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ parentContainer.unregisterComponent(repositoryContainer.getName());
+ return null;
+ }
+ });
}
catch (RepositoryConfigurationException e)
{
Modified:
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/impl/core/RepositoryImpl.java
===================================================================
---
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/impl/core/RepositoryImpl.java 2011-02-25
12:07:35 UTC (rev 4018)
+++
jcr/trunk/exo.jcr.component.core/src/main/java/org/exoplatform/services/jcr/impl/core/RepositoryImpl.java 2011-02-25
14:23:26 UTC (rev 4019)
@@ -18,6 +18,7 @@
*/
package org.exoplatform.services.jcr.impl.core;
+import org.exoplatform.commons.utils.SecurityHelper;
import org.exoplatform.services.jcr.access.AuthenticationPolicy;
import org.exoplatform.services.jcr.access.SystemIdentity;
import org.exoplatform.services.jcr.config.RepositoryConfigurationException;
@@ -45,6 +46,7 @@
import java.io.IOException;
import java.io.InputStream;
import java.security.AccessController;
+import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
@@ -217,16 +219,30 @@
}
catch (RepositoryConfigurationException e)
{
- WorkspaceContainer workspaceContainer =
repositoryContainer.getWorkspaceContainer(wsConfig.getName());
- repositoryContainer.unregisterComponentByInstance(workspaceContainer);
- repositoryContainer.unregisterComponent(wsConfig.getName());
+ final WorkspaceContainer workspaceContainer =
repositoryContainer.getWorkspaceContainer(wsConfig.getName());
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ repositoryContainer.unregisterComponentByInstance(workspaceContainer);
+ repositoryContainer.unregisterComponent(wsConfig.getName());
+ return null;
+ }
+ });
throw new RepositoryConfigurationException(e);
}
catch (RepositoryException e)
{
- WorkspaceContainer workspaceContainer =
repositoryContainer.getWorkspaceContainer(wsConfig.getName());
- repositoryContainer.unregisterComponentByInstance(workspaceContainer);
- repositoryContainer.unregisterComponent(wsConfig.getName());
+ final WorkspaceContainer workspaceContainer =
repositoryContainer.getWorkspaceContainer(wsConfig.getName());
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ repositoryContainer.unregisterComponentByInstance(workspaceContainer);
+ repositoryContainer.unregisterComponent(wsConfig.getName());
+ return null;
+ }
+ });
throw new RepositoryException(e);
}
}
@@ -269,9 +285,14 @@
+ " is not configured. Use RepositoryImpl.configWorkspace()
method");
repositoryContainer.getWorkspaceContainer(workspaceName).getWorkspaceInitializer().initWorkspace();
-
- wsContainer.start();
-
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ wsContainer.start();
+ return null;
+ }
+ });
LOG.info("Workspace " + workspaceName + "@" + this.name +
" is initialized");
}
@@ -447,7 +468,7 @@
* @param workspaceName workspace name
* @throws RepositoryException error of remove
*/
- public void internalRemoveWorkspace(String workspaceName) throws RepositoryException
+ public void internalRemoveWorkspace(final String workspaceName) throws
RepositoryException
{
// Need privileges to manage repository.
SecurityManager security = System.getSecurityManager();
@@ -456,17 +477,31 @@
security.checkPermission(JCRRuntimePermissions.MANAGE_REPOSITORY_PERMISSION);
}
- WorkspaceContainer workspaceContainer =
repositoryContainer.getWorkspaceContainer(workspaceName);
+ final WorkspaceContainer workspaceContainer =
repositoryContainer.getWorkspaceContainer(workspaceName);
try
{
- workspaceContainer.stop();
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ workspaceContainer.stop();
+ return null;
+ }
+ });
}
catch (Exception e)
{
throw new RepositoryException(e);
}
- repositoryContainer.unregisterComponentByInstance(workspaceContainer);
- repositoryContainer.unregisterComponent(workspaceName);
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ repositoryContainer.unregisterComponentByInstance(workspaceContainer);
+ repositoryContainer.unregisterComponent(workspaceName);
+ return null;
+ }
+ });
}
/**
Modified:
jcr/trunk/exo.jcr.component.core/src/test/java/org/exoplatform/services/jcr/ExoRepositoryStub.java
===================================================================
---
jcr/trunk/exo.jcr.component.core/src/test/java/org/exoplatform/services/jcr/ExoRepositoryStub.java 2011-02-25
12:07:35 UTC (rev 4018)
+++
jcr/trunk/exo.jcr.component.core/src/test/java/org/exoplatform/services/jcr/ExoRepositoryStub.java 2011-02-25
14:23:26 UTC (rev 4019)
@@ -145,16 +145,6 @@
if (!shoutDown)
{
- Runtime.getRuntime().addShutdownHook(new Thread()
- {
- public void run()
- {
- // database.close();
- servicesManager.stop();
-
- System.out.println("The container is stopped");
- }
- });
shoutDown = true;
}
Modified: kernel/trunk/exo.kernel.component.common/src/test/resources/test.policy
===================================================================
--- kernel/trunk/exo.kernel.component.common/src/test/resources/test.policy 2011-02-25
12:07:35 UTC (rev 4018)
+++ kernel/trunk/exo.kernel.component.common/src/test/resources/test.policy 2011-02-25
14:23:26 UTC (rev 4019)
@@ -10,6 +10,10 @@
permission java.lang.RuntimePermission "accessRPCService";
};
+grant codeBase "@TEST_CLASSES@-"{
+ permission java.lang.RuntimePermission "manageContainer";
+};
+
grant codeBase "@MAIN_CLASSES@../../../exo.kernel.commons.test/-"{
permission java.security.AllPermission;
};
Modified:
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/ConcurrentPicoContainer.java
===================================================================
---
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/ConcurrentPicoContainer.java 2011-02-25
12:07:35 UTC (rev 4018)
+++
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/ConcurrentPicoContainer.java 2011-02-25
14:23:26 UTC (rev 4019)
@@ -16,6 +16,7 @@
*/
package org.exoplatform.container;
+import org.exoplatform.container.security.ContainerPermissions;
import org.picocontainer.ComponentAdapter;
import org.picocontainer.MutablePicoContainer;
import org.picocontainer.Parameter;
@@ -218,6 +219,10 @@
public ComponentAdapter registerComponent(ComponentAdapter componentAdapter)
throws DuplicateComponentKeyRegistrationException
{
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ security.checkPermission(ContainerPermissions.MANAGE_COMPONENT_PERMISSION);
+
Object componentKey = componentAdapter.getComponentKey();
if (componentKeyToAdapterCache.putIfAbsent(componentKey, componentAdapter) !=
null)
@@ -230,6 +235,10 @@
public ComponentAdapter unregisterComponent(Object componentKey)
{
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ security.checkPermission(ContainerPermissions.MANAGE_COMPONENT_PERMISSION);
+
ComponentAdapter adapter = componentKeyToAdapterCache.remove(componentKey);
componentAdapters.remove(adapter);
orderedComponentAdapters.remove(adapter);
@@ -504,11 +513,19 @@
public boolean addChildContainer(PicoContainer child)
{
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ security.checkPermission(ContainerPermissions.MANAGE_CONTAINER_PERMISSION);
+
return children.add(child);
}
public boolean removeChildContainer(PicoContainer child)
{
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ security.checkPermission(ContainerPermissions.MANAGE_CONTAINER_PERMISSION);
+
return children.remove(child);
}
Modified:
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/ExoContainer.java
===================================================================
---
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/ExoContainer.java 2011-02-25
12:07:35 UTC (rev 4018)
+++
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/ExoContainer.java 2011-02-25
14:23:26 UTC (rev 4019)
@@ -19,9 +19,11 @@
package org.exoplatform.container;
import org.exoplatform.commons.utils.PropertyManager;
+import org.exoplatform.commons.utils.SecurityHelper;
import org.exoplatform.container.component.ComponentLifecyclePlugin;
import org.exoplatform.container.configuration.ConfigurationManager;
import org.exoplatform.container.management.ManageableContainer;
+import org.exoplatform.container.security.ContainerPermissions;
import org.exoplatform.container.util.ContainerUtil;
import org.exoplatform.container.xml.Configuration;
import org.exoplatform.container.xml.InitParams;
@@ -31,6 +33,7 @@
import org.picocontainer.defaults.ComponentAdapterFactory;
import java.lang.reflect.Constructor;
+import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
@@ -96,27 +99,46 @@
public ExoContainer()
{
- context = new ExoContainerContext(this);
- context.setName(this.getClass().getName());
- registerComponentInstance(context);
+ context = new ExoContainerContext(this, this.getClass().getName());
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ registerComponentInstance(context);
+ return null;
+ }
+ });
+
this.parent = null;
}
public ExoContainer(PicoContainer parent)
{
super(parent);
- context = new ExoContainerContext(this);
- context.setName(this.getClass().getName());
- registerComponentInstance(context);
+ context = new ExoContainerContext(this, this.getClass().getName());
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ registerComponentInstance(context);
+ return null;
+ }
+ });
this.parent = parent;
}
public ExoContainer(ComponentAdapterFactory factory, PicoContainer parent)
{
super(factory, parent);
- context = new ExoContainerContext(this);
- context.setName(this.getClass().getName());
- registerComponentInstance(context);
+ context = new ExoContainerContext(this, this.getClass().getName());
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ registerComponentInstance(context);
+ return null;
+ }
+ });
this.parent = parent;
}
@@ -168,6 +190,10 @@
@Override
public void dispose()
{
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ security.checkPermission(ContainerPermissions.MANAGE_CONTAINER_PERMISSION);
+
destroyContainerInternal();
super.dispose();
}
@@ -178,6 +204,10 @@
*/
public void start(boolean init)
{
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ security.checkPermission(ContainerPermissions.MANAGE_CONTAINER_PERMISSION);
+
if (init)
{
// Initialize the container first
@@ -189,6 +219,9 @@
@Override
public void start()
{
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ security.checkPermission(ContainerPermissions.MANAGE_CONTAINER_PERMISSION);
super.start();
startContainerInternal();
}
@@ -196,6 +229,10 @@
@Override
public void stop()
{
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ security.checkPermission(ContainerPermissions.MANAGE_CONTAINER_PERMISSION);
+
stopContainerInternal();
super.stop();
}
@@ -271,6 +308,10 @@
public void addComponentLifecylePlugin(ComponentLifecyclePlugin plugin)
{
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ security.checkPermission(ContainerPermissions.MANAGE_CONTAINER_PERMISSION);
+
List<String> list = plugin.getManageableComponents();
for (String component : list)
componentLifecylePlugin_.put(component, plugin);
@@ -278,6 +319,10 @@
public void addContainerLifecylePlugin(ContainerLifecyclePlugin plugin)
{
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ security.checkPermission(ContainerPermissions.MANAGE_CONTAINER_PERMISSION);
+
containerLifecyclePlugin_.add(plugin);
}
Modified:
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/ExoContainerContext.java
===================================================================
---
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/ExoContainerContext.java 2011-02-25
12:07:35 UTC (rev 4018)
+++
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/ExoContainerContext.java 2011-02-25
14:23:26 UTC (rev 4019)
@@ -18,10 +18,12 @@
*/
package org.exoplatform.container;
+import org.exoplatform.container.security.ContainerPermissions;
import org.exoplatform.services.log.ExoLogger;
import org.exoplatform.services.log.Log;
import java.util.HashMap;
+import java.util.HashSet;
import java.util.Set;
/**
@@ -39,7 +41,7 @@
private HashMap<String, Object> attributes = new HashMap<String,
Object>();
- private ExoContainer container;
+ private final ExoContainer container;
private String name;
@@ -50,6 +52,12 @@
this.container = container;
}
+ public ExoContainerContext(ExoContainer container, String name)
+ {
+ this.container = container;
+ this.name = name;
+ }
+
public ExoContainer getContainer()
{
return container;
@@ -114,6 +122,9 @@
public void setName(String name)
{
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ security.checkPermission(ContainerPermissions.MANAGE_CONTAINER_PERMISSION);
this.name = name;
}
@@ -126,6 +137,10 @@
static void setTopContainer(ExoContainer cont)
{
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ security.checkPermission(ContainerPermissions.MANAGE_CONTAINER_PERMISSION);
+
if (topContainer != null && cont != null)
throw new IllegalStateException("Two top level containers created, but must
be only one.");
log.info("Set the top container in its context");
@@ -150,6 +165,9 @@
public static void setCurrentContainer(ExoContainer instance)
{
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ security.checkPermission(ContainerPermissions.MANAGE_CONTAINER_PERMISSION);
currentContainer.set(instance);
}
@@ -164,7 +182,8 @@
public Set<String> getAttributeNames()
{
- return attributes.keySet();
+ // Gives a safe copy
+ return new HashSet<String>(attributes.keySet());
}
public Object getAttribute(String name)
@@ -174,6 +193,10 @@
public void setAttribute(String name, Object value)
{
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ security.checkPermission(ContainerPermissions.MANAGE_CONTAINER_PERMISSION);
+
attributes.put(name, value);
}
}
Modified:
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/PortalContainer.java
===================================================================
---
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/PortalContainer.java 2011-02-25
12:07:35 UTC (rev 4018)
+++
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/PortalContainer.java 2011-02-25
14:23:26 UTC (rev 4019)
@@ -23,6 +23,7 @@
import org.exoplatform.container.RootContainer.PortalContainerInitTask;
import org.exoplatform.container.definition.PortalContainerConfig;
import org.exoplatform.container.jmx.MX4JComponentAdapterFactory;
+import org.exoplatform.container.security.ContainerPermissions;
import org.exoplatform.container.xml.Configuration;
import org.exoplatform.container.xml.PortalContainerInfo;
import org.exoplatform.management.annotations.Managed;
@@ -141,14 +142,28 @@
*/
final ServletContext portalContext;
- public PortalContainer(RootContainer parent, ServletContext portalContext)
+ public PortalContainer(RootContainer parent, final ServletContext portalContext)
{
super(new MX4JComponentAdapterFactory(), parent);
- registerComponentInstance(ServletContext.class, portalContext);
- context.setName(portalContext.getServletContextName());
+ this.name = portalContext.getServletContextName();
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ context.setName(name);
+ return null;
+ }
+ });
pinfo_ = new PortalContainerInfo(portalContext);
- registerComponentInstance(PortalContainerInfo.class, pinfo_);
- this.name = portalContext.getServletContextName();
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ registerComponentInstance(ServletContext.class, portalContext);
+ registerComponentInstance(PortalContainerInfo.class, pinfo_);
+ return null;
+ }
+ });
final PortalContainerConfig config = parent.getPortalContainerConfig();
final List<String> dependencies = config == null ? null :
config.getDependencies(name);
if (dependencies == null || dependencies.isEmpty())
@@ -239,6 +254,9 @@
*/
public synchronized void registerContext(ServletContext context)
{
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ security.checkPermission(ContainerPermissions.MANAGE_CONTAINER_PERMISSION);
final WebAppInitContext webappCtx = new WebAppInitContext(context);
if (!webAppContexts.contains(webappCtx))
{
@@ -263,6 +281,10 @@
*/
public synchronized void unregisterContext(ServletContext context)
{
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ security.checkPermission(ContainerPermissions.MANAGE_CONTAINER_PERMISSION);
+
final WebAppInitContext webappCtx = new WebAppInitContext(context);
if (webAppContexts.contains(webappCtx))
{
@@ -309,6 +331,10 @@
public SessionContainer createSessionContainer(String id, String owner)
{
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ security.checkPermission(ContainerPermissions.MANAGE_CONTAINER_PERMISSION);
+
SessionContainer scontainer = getSessionManager().getSessionContainer(id);
if (scontainer != null)
getSessionManager().removeSessionContainer(id);
@@ -321,6 +347,10 @@
public void removeSessionContainer(String sessionID)
{
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ security.checkPermission(ContainerPermissions.MANAGE_CONTAINER_PERMISSION);
+
getSessionManager().removeSessionContainer(sessionID);
}
@@ -351,7 +381,15 @@
if (container == null)
{
container =
RootContainer.getInstance().getPortalContainer(DEFAULT_PORTAL_CONTAINER_NAME);
- PortalContainer.setInstance(container);
+ final PortalContainer currentPortalContainer = container;
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ PortalContainer.setInstance(currentPortalContainer);
+ return null;
+ }
+ });
}
return container;
}
Modified:
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/RootContainer.java
===================================================================
---
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/RootContainer.java 2011-02-25
12:07:35 UTC (rev 4018)
+++
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/RootContainer.java 2011-02-25
14:23:26 UTC (rev 4019)
@@ -29,6 +29,7 @@
import org.exoplatform.container.definition.PortalContainerDefinition;
import org.exoplatform.container.monitor.jvm.J2EEServerInfo;
import org.exoplatform.container.monitor.jvm.OperatingSystemInfo;
+import org.exoplatform.container.security.ContainerPermissions;
import org.exoplatform.container.util.ContainerUtil;
import org.exoplatform.container.xml.Configuration;
import org.exoplatform.management.annotations.Managed;
@@ -123,7 +124,14 @@
}
});
this.profiles = profiles;
- this.registerComponentInstance(J2EEServerInfo.class, serverenv_);
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ registerComponentInstance(J2EEServerInfo.class, serverenv_);
+ return null;
+ }
+ });
}
public OperatingSystemInfo getOSEnvironment()
@@ -162,7 +170,7 @@
return serverenv_;
}
- public PortalContainer getPortalContainer(String name)
+ public PortalContainer getPortalContainer(final String name)
{
PortalContainer pcontainer = (PortalContainer)this.getComponentInstance(name);
if (pcontainer == null)
@@ -174,14 +182,29 @@
{
MockServletContext scontext = new MockServletContext(name);
pcontainer = new PortalContainer(this, scontext);
- PortalContainer.setInstance(pcontainer);
- ConfigurationManagerImpl cService = new
MockConfigurationManagerImpl(scontext);
+ final PortalContainer currentPortalContainer = pcontainer;
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ PortalContainer.setInstance(currentPortalContainer);
+ return null;
+ }
+ });
+ final ConfigurationManagerImpl cService = new
MockConfigurationManagerImpl(scontext);
cService.addConfiguration(ContainerUtil.getConfigurationURL("conf/portal/configuration.xml"));
cService.addConfiguration(ContainerUtil.getConfigurationURL("conf/portal/test-configuration.xml"));
cService.processRemoveConfiguration();
- pcontainer.registerComponentInstance(ConfigurationManager.class,
cService);
- registerComponentInstance(name, pcontainer);
- pcontainer.start(true);
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+
currentPortalContainer.registerComponentInstance(ConfigurationManager.class, cService);
+ registerComponentInstance(name, currentPortalContainer);
+ currentPortalContainer.start(true);
+ return null;
+ }
+ });
}
catch (Exception ex)
{
@@ -200,6 +223,10 @@
*/
public void registerPortalContainer(ServletContext context)
{
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ security.checkPermission(ContainerPermissions.MANAGE_CONTAINER_PERMISSION);
+
PortalContainerConfig config = getPortalContainerConfig();
if (config.hasDefinition())
{
@@ -286,6 +313,10 @@
public synchronized void createPortalContainer(ServletContext context)
{
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ security.checkPermission(ContainerPermissions.MANAGE_CONTAINER_PERMISSION);
+
// Keep the old ClassLoader
final ClassLoader currentClassLoader =
Thread.currentThread().getContextClassLoader();
boolean hasChanged = false;
@@ -399,6 +430,10 @@
synchronized public void removePortalContainer(ServletContext servletContext)
{
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ security.checkPermission(ContainerPermissions.MANAGE_CONTAINER_PERMISSION);
+
this.unregisterComponent(servletContext.getServletContextName());
}
@@ -417,8 +452,8 @@
{
try
{
- RootContainer rootContainer = new RootContainer();
- ConfigurationManagerImpl service = new
ConfigurationManagerImpl(rootContainer.profiles);
+ final RootContainer rootContainer = new RootContainer();
+ final ConfigurationManagerImpl service = new
ConfigurationManagerImpl(rootContainer.profiles);
service.addConfiguration(ContainerUtil.getConfigurationURL("conf/configuration.xml"));
if (PrivilegedSystemHelper.getProperty("maven.exoplatform.dir") !=
null)
{
@@ -432,13 +467,23 @@
service.addConfiguration("file:" + overrideConf);
}
service.processRemoveConfiguration();
- rootContainer.registerComponentInstance(ConfigurationManager.class, service);
- rootContainer.start(true);
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ rootContainer.registerComponentInstance(ConfigurationManager.class,
service);
+ rootContainer.start(true);
+ return null;
+ }
+ });
return rootContainer;
}
catch (Exception e)
{
log.error("Could not build root container", e);
+ // The logger is not necessary configured so we have to use the standard
+ // output stream
+ e.printStackTrace();
return null;
}
}
@@ -475,8 +520,15 @@
{
time += System.currentTimeMillis();
log.info("Root container is built (build time " + time
+ "ms)");
- ExoContainerContext.setTopContainer(result);
singleton_ = result;
+ SecurityHelper.doPrivilegedAction(new
PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ ExoContainerContext.setTopContainer(singleton_);
+ return null;
+ }
+ });
log.info("Root container booted");
}
else
@@ -497,6 +549,10 @@
static public void setInstance(RootContainer rcontainer)
{
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ security.checkPermission(ContainerPermissions.MANAGE_CONTAINER_PERMISSION);
+
singleton_ = rcontainer;
}
@@ -536,6 +592,10 @@
*/
public void addInitTask(ServletContext context, PortalContainerInitTask task, String
portalContainer)
{
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ security.checkPermission(ContainerPermissions.MANAGE_CONTAINER_PERMISSION);
+
final PortalContainer container = getPortalContainer(portalContainer);
if (!task.alreadyExists(container))
{
Modified:
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/SessionContainer.java
===================================================================
---
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/SessionContainer.java 2011-02-25
12:07:35 UTC (rev 4018)
+++
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/SessionContainer.java 2011-02-25
14:23:26 UTC (rev 4019)
@@ -19,6 +19,7 @@
package org.exoplatform.container;
import org.exoplatform.container.client.ClientInfo;
+import org.exoplatform.container.security.ContainerPermissions;
import java.util.HashMap;
@@ -28,7 +29,7 @@
*/
public class SessionContainer extends HashMap<Object, Object>
{
- private static ThreadLocal threadLocal_ = new ThreadLocal();
+ private static ThreadLocal<SessionContainer> threadLocal_ = new
ThreadLocal<SessionContainer>();
final public static int INIT_STATUS = 0;
@@ -149,7 +150,7 @@
public static Object getComponent(Class key)
{
- SessionContainer scontainer = (SessionContainer)threadLocal_.get();
+ SessionContainer scontainer = getInstance();
return scontainer.get(key);
}
@@ -170,11 +171,15 @@
static public SessionContainer getInstance()
{
- return (SessionContainer)threadLocal_.get();
+ return threadLocal_.get();
}
static public void setInstance(SessionContainer scontainer)
{
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ security.checkPermission(ContainerPermissions.MANAGE_CONTAINER_PERMISSION);
+
threadLocal_.set(scontainer);
}
Modified:
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/SessionManagerImpl.java
===================================================================
---
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/SessionManagerImpl.java 2011-02-25
12:07:35 UTC (rev 4018)
+++
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/SessionManagerImpl.java 2011-02-25
14:23:26 UTC (rev 4019)
@@ -18,6 +18,8 @@
*/
package org.exoplatform.container;
+import org.exoplatform.container.security.ContainerPermissions;
+
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
@@ -43,11 +45,19 @@
final public void removeSessionContainer(String id)
{
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ security.checkPermission(ContainerPermissions.MANAGE_CONTAINER_PERMISSION);
+
remove(id);
}
final public void addSessionContainer(SessionContainer scontainer)
{
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ security.checkPermission(ContainerPermissions.MANAGE_CONTAINER_PERMISSION);
+
put(scontainer.getSessionId(), scontainer);
}
}
Modified:
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/StandaloneContainer.java
===================================================================
---
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/StandaloneContainer.java 2011-02-25
12:07:35 UTC (rev 4018)
+++
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/StandaloneContainer.java 2011-02-25
14:23:26 UTC (rev 4019)
@@ -36,6 +36,7 @@
import java.io.File;
import java.net.MalformedURLException;
import java.net.URL;
+import java.security.PrivilegedAction;
import java.security.PrivilegedExceptionAction;
import java.util.List;
@@ -83,8 +84,15 @@
//
configurationManager = new ConfigurationManagerImpl(configClassLoader,
ExoContainer.getProfiles());
- this.registerComponentInstance(ConfigurationManager.class, configurationManager);
- registerComponentImplementation(SessionManagerImpl.class);
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ registerComponentInstance(ConfigurationManager.class, configurationManager);
+ registerComponentImplementation(SessionManagerImpl.class);
+ return null;
+ }
+ });
}
/**
@@ -137,7 +145,14 @@
if (container == null)
{
container = new StandaloneContainer(configClassLoader);
- ExoContainerContext.setTopContainer(container);
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ ExoContainerContext.setTopContainer(container);
+ return null;
+ }
+ });
if (useDefault)
container.initDefaultConf();
// initialize configurationURL
@@ -145,7 +160,14 @@
container.populate(configurationURL);
if (components != null)
container.registerArray(components);
- container.start();
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ container.start();
+ return null;
+ }
+ });
PrivilegedSystemHelper.setProperty("exo.standalone-container",
StandaloneContainer.class.getName());
System.out.println("StandaloneContainer initialized using: " +
configurationURL);
}
@@ -401,7 +423,14 @@
{
configurationManager.addConfiguration(conf);
configurationManager.processRemoveConfiguration();
- ContainerUtil.addComponents(this, configurationManager);
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ ContainerUtil.addComponents(StandaloneContainer.this, configurationManager);
+ return null;
+ }
+ });
}
}
Modified:
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/definition/PortalContainerConfig.java
===================================================================
---
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/definition/PortalContainerConfig.java 2011-02-25
12:07:35 UTC (rev 4018)
+++
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/definition/PortalContainerConfig.java 2011-02-25
14:23:26 UTC (rev 4019)
@@ -25,6 +25,7 @@
import org.exoplatform.container.RootContainer;
import org.exoplatform.container.configuration.ConfigurationManager;
import org.exoplatform.container.monitor.jvm.J2EEServerInfo;
+import org.exoplatform.container.security.ContainerPermissions;
import org.exoplatform.container.util.ContainerUtil;
import org.exoplatform.container.xml.Deserializer;
import org.exoplatform.container.xml.InitParams;
@@ -375,6 +376,10 @@
*/
public synchronized void disablePortalContainer(String name)
{
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ security.checkPermission(ContainerPermissions.MANAGE_CONTAINER_PERMISSION);
+
if (!portalContainerNamesDisabled.contains(name))
{
if (PropertyManager.isDevelopping())
@@ -437,6 +442,10 @@
*/
public synchronized void registerPortalContainerName(String name)
{
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ security.checkPermission(ContainerPermissions.MANAGE_CONTAINER_PERMISSION);
+
if (!portalContainerNames.contains(name) &&
!portalContainerNamesDisabled.contains(name))
{
final List<String> lPortalContainerNames = new
ArrayList<String>(portalContainerNames.size() + 1);
@@ -452,6 +461,10 @@
*/
public synchronized void unregisterPortalContainerName(String name)
{
+ SecurityManager security = System.getSecurityManager();
+ if (security != null)
+ security.checkPermission(ContainerPermissions.MANAGE_CONTAINER_PERMISSION);
+
if (portalContainerNames.contains(name))
{
final List<String> lPortalContainerNames = new
ArrayList<String>(portalContainerNames);
Modified:
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/management/ManageableContainer.java
===================================================================
---
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/management/ManageableContainer.java 2011-02-25
12:07:35 UTC (rev 4018)
+++
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/management/ManageableContainer.java 2011-02-25
14:23:26 UTC (rev 4019)
@@ -32,7 +32,6 @@
import org.picocontainer.PicoException;
import org.picocontainer.PicoRegistrationException;
import org.picocontainer.defaults.ComponentAdapterFactory;
-import org.picocontainer.defaults.DuplicateComponentKeyRegistrationException;
import java.util.Collection;
import java.util.Collections;
@@ -156,13 +155,6 @@
return server;
}
- @Override
- public ComponentAdapter registerComponent(ComponentAdapter componentAdapter)
- throws DuplicateComponentKeyRegistrationException
- {
- return super.registerComponent(componentAdapter);
- }
-
public ComponentAdapter registerComponentInstance(Object componentKey, Object
componentInstance)
throws PicoRegistrationException
{
Added:
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/security/ContainerPermissions.java
===================================================================
---
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/security/ContainerPermissions.java
(rev 0)
+++
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/security/ContainerPermissions.java 2011-02-25
14:23:26 UTC (rev 4019)
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2011 eXo Platform SAS.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+package org.exoplatform.container.security;
+
+import java.security.Permission;
+
+/**
+ * This interface defines all the permissions used by the project kernel.container
+ *
+ * @author <a href="mailto:nicolas.filotto@exoplatform.com">Nicolas
Filotto</a>
+ * @version $Id$
+ *
+ */
+public interface ContainerPermissions
+{
+ /**
+ * Any operations applied on a container have to be protected with this permission
+ */
+ public static final Permission MANAGE_CONTAINER_PERMISSION = new
RuntimePermission("manageContainer");
+
+ /**
+ * Any component modifications have to be protected with this permission
+ */
+ public static final Permission MANAGE_COMPONENT_PERMISSION = new
RuntimePermission("manageComponent");
+}
Modified:
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/web/PortalContainerCreator.java
===================================================================
---
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/web/PortalContainerCreator.java 2011-02-25
12:07:35 UTC (rev 4018)
+++
kernel/trunk/exo.kernel.container/src/main/java/org/exoplatform/container/web/PortalContainerCreator.java 2011-02-25
14:23:26 UTC (rev 4019)
@@ -18,9 +18,12 @@
*/
package org.exoplatform.container.web;
+import org.exoplatform.commons.utils.SecurityHelper;
import org.exoplatform.container.RootContainer;
import org.exoplatform.container.util.EnvSpecific;
+import java.security.PrivilegedAction;
+
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
@@ -53,8 +56,15 @@
try
{
EnvSpecific.initThreadEnv(ctx);
- RootContainer rootContainer = RootContainer.getInstance();
- rootContainer.createPortalContainers();
+ final RootContainer rootContainer = RootContainer.getInstance();
+ SecurityHelper.doPrivilegedAction(new PrivilegedAction<Void>()
+ {
+ public Void run()
+ {
+ rootContainer.createPortalContainers();
+ return null;
+ }
+ });
}
finally
{
Modified: kernel/trunk/exo.kernel.container/src/test/resources/test.policy
===================================================================
--- kernel/trunk/exo.kernel.container/src/test/resources/test.policy 2011-02-25 12:07:35
UTC (rev 4018)
+++ kernel/trunk/exo.kernel.container/src/test/resources/test.policy 2011-02-25 14:23:26
UTC (rev 4019)
@@ -7,6 +7,8 @@
};
grant codeBase "@TEST_CLASSES@-"{
+ permission java.lang.RuntimePermission "manageContainer";
+ permission java.lang.RuntimePermission "manageComponent";
};
grant codeBase "@MAIN_CLASSES@../../../exo.kernel.commons.test/-"{
Modified: ws/trunk/exo.ws.rest.core/src/test/resources/test.policy
===================================================================
--- ws/trunk/exo.ws.rest.core/src/test/resources/test.policy 2011-02-25 12:07:35 UTC (rev
4018)
+++ ws/trunk/exo.ws.rest.core/src/test/resources/test.policy 2011-02-25 14:23:26 UTC (rev
4019)
@@ -7,6 +7,7 @@
};
grant codeBase "@TEST_CLASSES@-"{
+ permission java.lang.RuntimePermission "manageComponent";
};
grant codeBase "@MAIN_CLASSES@../../../exo.ws.frameworks.json/-"{
Modified: ws/trunk/exo.ws.rest.ext/src/test/resources/test.policy
===================================================================
--- ws/trunk/exo.ws.rest.ext/src/test/resources/test.policy 2011-02-25 12:07:35 UTC (rev
4018)
+++ ws/trunk/exo.ws.rest.ext/src/test/resources/test.policy 2011-02-25 14:23:26 UTC (rev
4019)
@@ -7,6 +7,7 @@
};
grant codeBase "@TEST_CLASSES@-" {
+ permission java.lang.RuntimePermission "manageComponent";
};
grant codeBase "@MAIN_CLASSES@../../../exo.ws.commons/-"{