* This class manages security declarations. *
* Note: you probably do not want to access this class from your own code but * rather use the static methods in IJoSecuredObject.Utility. */ public class JoSecurityManager extends NSObject { //TODO: document more //TBD: the unclear thing about this class is whether it should ask/wrap the // object or whether its just the fallback. In the latter case it should // be renamed "DefaultImplementation" I guess (similiar to KVC fallback) protected static final Log log = LogFactory.getLog("JoSecurityManager"); protected WOApplication application; public JoSecurityManager(WOApplication _app) { this.application = _app; } /* accessors */ public WOApplication application() { // TBD: what is this used for? return this.application; } /* validation checks (called by object traversal) */ /** * The method first validates the '_self' object using validateObject(). It * then retrieves the JoClass of the object and extracts the security info for * the given '_name'. *
* If the class has no security info, the default access (allow) will get * checked (Note: only the value 'allow' is relevant, hence everything else * means deny). *
* If it has a security info, it can be 'private', 'public' or some * permission. For the latter validatePermissionOnObject() will be called to * determine whether the user has that permission (in the context of the * object). *
* Note: the name can be protected separately from the value the name points * to. That is, even if access to the name is allowed, the object stored * under this name can be protected (this is checked by validateObject()). * * @param _self - the object to be checked * @param _name - the name which is requested * @param _ctx - the context the object lives in * @return a security exception if the access was denied */ public Exception validateNameOfObject (Object _self, String _name, IJoContext _ctx) { boolean isInfoOn = log.isInfoEnabled(); Exception error; /* find out permission required for object itself */ if ((error = this.validateObject(_self, _ctx)) != null) { if (isInfoOn) log.info("object did not validate: " + _self + ": " + error); return error; } /* find security info for _name */ /* Note: Why do we scan the hierarchy and have no consolidated * "securityInfoForClass()" method which traverses the hierarchy for "the" * info. This is because each info must be checked for the _name. Ie the * security info of a superclass could contain the protections on the * given key. */ JoClass cls = _ctx.joClassRegistry().joClassForJavaObject(_self, _ctx); JoClassSecurityInfo sinfo = null; JoClassSecurityInfo sDefaultInfo = null; for (JoClass pcls = cls; pcls != null; pcls = pcls.joSuperClass()) { sinfo = this.securityInfoForClass(pcls); if (sinfo != null) { if (sinfo.hasProtectionsForKey(_name)) break; else if (isInfoOn) { log.info("security info of class '" + pcls.className() + "'\n has no protections for name '" + _name + "'\n info: " + sinfo); } } if (sDefaultInfo == null && sinfo.hasDefaultAccessDeclaration()) sDefaultInfo = sinfo; sinfo = null; } /* Process default security declaration in case we found no security info * for the key. */ if (sinfo == null) { /* found none for _name */ /* We found no key specific security info. Hence we use the default * access declaration which can be "allow". */ if (sDefaultInfo != null) { /* but we found a default access */ if (isInfoOn) log.info("using default info for name " + _name + ": " +sDefaultInfo); if ("allow".equals(sDefaultInfo.defaultAccess())) { if (isInfoOn) log.info("default access is set to 'allow', name: " + _name); return null /* everything allowed, no specific protection */; } if (isInfoOn) { log.info("rejected because default info is not allow: " + sDefaultInfo); } } else if (isInfoOn) log.info("no name and no default info for name: " + _name); return new JoAccessDeniedException ("attempt to access private name '" + _name + "' in class: " + _self.getClass().getSimpleName()); } else if (isInfoOn) log.info("found security info for name " + _name + ": " + sinfo); /* We found a security declaration for the given name. Check the * protections. */ if (sinfo.isKeyPrivate(_name)) { /* What does it mean to be 'private'. Using private you can always * explicitly forbid access to a JOPE name. Eg if you want that 'abc' * is *never ever* accessed using JoLookup (exposed to the web!), you * can declare it private. * * In JOPE this is the default (if no security info was found and * no default access was defined). I think Zope2 allows access to all * Python slots per default (restricted by ZODB ownership of course). * (just like KVC) * Important: be careful with setting the default access to "allow"! This * reverses the process. */ if (isInfoOn) log.info("name "+ _name + " is marked private in info: " + sinfo); return new JoAccessDeniedException("attempt to access private key"); } if (sinfo.isKeyPublic(_name)) { /* Simple case, public is just that, public :-) */ if (isInfoOn) log.info("name "+ _name + " is marked public in info: " + sinfo); return null; /* key is explicitly declared as public */ } /* OK, name was protected with an explicit permission, eg 'View' or * 'Edit'. In this case we call validatePermissionOnObject() to check * whether the current user has a role which has the necessary permission. */ String permission = sinfo.permissionRequiredForKey(_name); error = this.validatePermissionOnObject(permission, _self, _ctx); if (error != null) { if (isInfoOn) { log.info("could not valid permission for name " + _name + ": " + permission); } return error; } /* validation was ok, we are done. */ if (log.isDebugEnabled()) log.debug(" object/key did validate: " + _self + ": " + _name); return null; } /** * Checks whether the current user is allowed to access the given object in * the given context. *
* This works by retrieving the security info of the objects JoClass. If the * object has no security info, access is rejected. That is access defaults to * "<private>". *
* If an explicit permission is required to use objects of the JoClass * validatePermissionOnObject() will get called. * *
* Eg called by validateNameOfObject() on the given object.
*
* @param _self - the object to be checked
* @param _ctx - the context the object lives in
* @return a security exception if the access was denied
*/
public Exception validateObject(Object _self, IJoContext _ctx) {
// TODO: in SOPE we also ask _self isPublicInContext:
JoClass cls = _ctx.joClassRegistry().joClassForJavaObject(_self, _ctx);
JoClassSecurityInfo sinfo = null;
/* first find security info */
for (JoClass pcls = cls; pcls != null; pcls = pcls.joSuperClass()) {
sinfo = this.securityInfoForClass(pcls);
if (log.isDebugEnabled()) {
log.debug("CLASS: " + pcls);
log.debug(" CHECK: " + sinfo);
}
if (sinfo != null && sinfo.hasObjectProtections())
break;
sinfo = null;
}
if (sinfo == null) {
log.error("attempt to access private object:\n" +
" object: " + _self + "\n" +
" class: " + cls);
return new JoAccessDeniedException
("attempt to access private object: " + cls.className());
}
/* check private/public */
if (sinfo.isObjectPrivate())
return new JoAccessDeniedException("attempt to access private object");
if (sinfo.isObjectPublic())
return null; /* we are public */
/* check explicit permission */
String permission = sinfo.permissionRequiredForObject();
Exception error = this.validatePermissionOnObject(permission, _self, _ctx);
if (error != null) return error;
/* validation was ok, we are done. */
if (log.isDebugEnabled())
log.debug(" object did validate: " + _self + ": " + permission);
return null;
}
/**
* First checks whether the user is allowed to access _value by calling
* validateObject() with the _value. It then validates the name
* (during traversal the reverse process is performed, first name then value).
*
* @param _self - the object the value was looked up in
* @param _name - the name the value was looked up with
* @param _value - the value which was returned by the lookup
* @param _ctx - the context all this happens in
* @return a security exception if the access was denied
*/
public Exception validateValueForNameOfObject
(Object _self, String _name, Object _value, IJoContext _ctx)
{
/* this additionally checks object restrictions of the value */
if (_value != null) {
Exception error = this.validateObject(_value, _ctx);
if (error != null) return error;
}
return this.validateNameOfObject(_self, _name, _ctx);
}
public Exception validatePermissionOnObject
(String _permission, Object _self, IJoContext _ctx)
{
boolean isInfoOn = log.isInfoEnabled();
if (_permission == null) {
if (isInfoOn) log.info("got no permission to validate on " + _self);
return null;
}
if ("
* The method currently calls _ctx.activeUser().
*/
public IJoUser userInContextForObject(IJoContext _ctx, Object _obj) {
// TODO: in SOPE this also processes the authenticator, which seems
// superflous given that activeUser already does it?
return _ctx != null ? _ctx.activeUser() : null;
}
/**
* Checks whether the given _user is the owner of the given _object in the
* given context.
*
* @param _user - an IJoUser object
* @param _obj - the object to be checked for ownership
* @param _ctx - the context for the operation
* @return true if the given user owns the given object, no otherwise
*/
public boolean isUserOwnerOfObjectInContext
(IJoUser _user, Object _obj, IJoContext _ctx)
{
// TODO: implement me
return false;
}
/**
* Checks whether the user authenticated in _ctx owns the given object.
*
* @param _obj - the object to be checked
* @param _ctx - the context which contains the authentication information
* @return true if the object is owned by the user or false if not
*/
public boolean isObjectOwnedInContext(Object _obj, IJoContext _ctx) {
if (_obj == null)
return false; // null is not owned by anyone
return this.isUserOwnerOfObjectInContext
(_ctx != null ? _ctx.activeUser() : null, _obj, _ctx);
}
/* description */
@Override
public void appendAttributesToDescription(StringBuilder _d) {
super.appendAttributesToDescription(_d);
if (this.application == null)
_d.append(" no-app");
}
}