* This interface should be implemented by JoObject's which implement their
* own security strategy, which is often not necessary.
* In all other cases this will pass over control to the JoSecurityManager.
*/
public interface IJoSecuredObject {
/**
* Let the object validate the given _name in the context. This
* is called before the object is looked-up.
*
* @param _name - the name to check (eg 'products')
* @param _ctx - the context with the logged in user
* @return null if access is permitted, an Exception otherwise
*/
public Exception validateName(String _name, IJoContext _ctx);
/**
* Gives the object a chance to validate itself *after* it got looked up.
*
* @param _ctx - the context with the logged in user
* @return null if access is permitted, an Exception otherwise
*/
public Exception validateObject(IJoContext _ctx);
/**
* Checks whether the login user has the given _permissions
* assigned for this object.
*
* @param _permission - permission to check, eg 'View'
* @param _ctx - the context with the logged in user
* @return null if the user has access to the permission, else the Exception
*/
public Exception validatePermission(String _permission, IJoContext _ctx);
/* utility class (use those methods in code to work on arbitrary objects) */
public static class Utility {
private Utility() {} // do not instantiate
/**
* This method wraps IJoObject.lookupName() and ensures that the object and
* key are properly secured. Hence it should be the primary method to
* perform a lookup!
* The method also does the aquisition of the name when requested by the
* path object.
*
* If the lookup fails, the method sets the lastException of the path. * * @param _object - base object to lookup name in * @param _name - the name to lookup in the object * @return the object or null if it was not found */ public static Object lookupName (Object _object, String _name, IJoContext _ctx, boolean _acquire) { if (_object == null) return null; /* ensure that the user is allowed to access the key */ Exception error = IJoSecuredObject.Utility .validateNameOfObject(_object, _name, _ctx); if (error != null) return error; /* lookup object for name */ // TBD: Don't we need to perform the acquisition in here? So that internal // steps are properly protected. Object result = IJoObject.Utility.lookupName (_object, _name, _ctx, _acquire); /* process result object */ if (result == null) return null; /* Catch exceptions. They cannot be returned as results and are not valid * inside lookup hierarchies. */ if (result instanceof Exception) { // TODO: do we need special handling for 404 exceptions? return result; } /* validate access to object if one was found */ error = IJoSecuredObject.Utility .validateValueForNameOfObject(_object, _name, result, _ctx); if (error != null) return error; /* lookup was successful, return value */ return result; } public static Object traversePath (Object _object, String[] _path, IJoContext _ctx, boolean _acquire) { if (_object == null) return null; if (_path == null || _path.length == 0) return _object; Object o = _object; for (int i = 0; i < _path.length && o != null; i++) { o = lookupName(o, _path[i], _ctx, _acquire); if (o instanceof Exception) return o; } return o; } /** * Validates whether the user associated with the context is allowed to * access the given name in the given object. *
* It first checks whether the object is an IJoSecuredObject, hence whether
* it manages the security on its own. If not, it will ask the
* joSecurityManager of the context.
*
* @param _self - the base object
* @param _name - the name of the base object which is requested
* @param _ctx - the context containing the authentication information
* @return null if access is granted, an Exception if not
*/
public static Exception validateNameOfObject
(Object _self, String _name, IJoContext _ctx)
{
if (_self == null)
return null;
if (_self instanceof IJoSecuredObject)
return ((IJoSecuredObject)_self).validateName(_name, _ctx);
if (_ctx == null)
return new JoAccessDeniedException("missing JoContext");
return DefaultImplementation.validateNameOfObject(_self, _name, _ctx);
}
/**
* Validates whether the user associated with the context is allowed to
* access the values looked up for the given name in the given object.
* That is, the lookup was performed and returned a value. Now we check
* whether the value is an object the user is allowed to access.
*
* @param _self - the base object
* @param _name - the name of the base object which was requested
* @param _value - the value the base object returned for the name
* @param _ctx - the context containing the authentication information
* @return null if access is granted, an Exception if not
*/
public static Exception validateValueForNameOfObject
(Object _self, String _name, Object _value, IJoContext _ctx)
{
if (_self == null || _value == null)
return null;
if (_ctx == null)
return new JoAccessDeniedException("missing JoContext");
return DefaultImplementation
.validateValueForNameOfObject(_self, _name, _value, _ctx);
}
/**
* Checks whether the given _user is the owner of the given _object in the
* given context.
*
* @param _user - an IJoUser object
* @param _obj - the object to be checked for ownership
* @param _ctx - the context for the operation
* @return true if the given user owns the given object, no otherwise
*/
public static boolean isUserOwnerOfObjectInContext
(IJoUser _user, Object _obj, IJoContext _ctx)
{
return DefaultImplementation
.isUserOwnerOfObjectInContext(_user, _obj, _ctx);
}
/**
* Checks whether the user authenticated in _ctx owns the given object.
*
* @param _obj - the object to be checked
* @param _ctx - the context which contains the authentication information
* @return true if the object is owned by the user or false if not
*/
public static boolean isObjectOwnedInContext(Object _obj, IJoContext _ctx) {
if (_obj == null)
return false; // null is not owned by anyone
return DefaultImplementation.isObjectOwnedInContext(_obj, _ctx);
}
/**
* This first checks whether the permission is null or
* <public>. In those cases the method returns immediatly.
*
* The method uses the rolesForObjectInContext() method of the
* IJoUser object in the context to locate the roles the user has.
*
* @param _permission - permission to check, eg 'View'
* @param _self - the object
* @param _ctx - the context
* @return null if the user has access to the permission, else the Exception
*/
public static Exception validatePermissionOnObject
(String _permission, Object _self, IJoContext _ctx)
{
if (_self instanceof IJoSecuredObject)
return ((IJoSecuredObject)_self).validatePermission(_permission, _ctx);
return DefaultImplementation
.validatePermissionOnObject(_permission, _self, _ctx);
}
/**
* Checks whether the current user is allowed to access the given object in
* the given context.
*
* This works by retrieving the security info of the objects JoClass. If the * object has no security info, access is rejected. That is access defaults to * "<private>". *
* If an explicit permission is required to use objects of the JoClass * validatePermissionOnObject() will get called. * *
* Eg called by validateNameOfObject() on the given object.
*
* @param _self - the object to be checked
* @param _ctx - the context the object lives in
* @return a security exception if the access was denied
*/
public static Exception validateObject(Object _self, IJoContext _ctx) {
if (_self instanceof IJoSecuredObject)
return ((IJoSecuredObject)_self).validateObject(_ctx);
return DefaultImplementation.validateObject(_self, _ctx);
}
}
/* secured objects */
public static class DefaultImplementation {
protected static final Log log = LogFactory.getLog("JoSecurityManager");
private DefaultImplementation() {} // do not instantiate
/**
* Checks whether the given _user is the owner of the given _object in the
* given context.
*
* @param _user - an IJoUser object
* @param _obj - the object to be checked for ownership
* @param _ctx - the context for the operation
* @return true if the given user owns the given object, no otherwise
*/
public static boolean isUserOwnerOfObjectInContext
(IJoUser _user, Object _obj, IJoContext _ctx)
{
return false; // TBD
}
/**
* Checks whether the user authenticated in _ctx owns the given object.
*
* @param _obj - the object to be checked
* @param _ctx - the context which contains the authentication information
* @return true if the object is owned by the user or false if not
*/
public static boolean isObjectOwnedInContext(Object _obj, IJoContext _ctx) {
if (_obj == null || _ctx == null)
return false; // null is not owned by anyone
return Utility.isUserOwnerOfObjectInContext
(_ctx != null ? _ctx.activeUser() : null, _obj, _ctx);
}
/**
* This first checks whether the permission is null or
* <public>. In those cases the method returns immediatly.
*
* The method uses the
* This works by retrieving the security info of the objects JoClass. If the
* object has no security info, access is rejected. That is access defaults to
* "<private>".
*
* If an explicit permission is required to use objects of the JoClass
* validatePermissionOnObject() will get called.
*
*
* Eg called by validateNameOfObject() on the given object.
*
* @param _self - the object to be checked
* @param _ctx - the context the object lives in
* @return a security exception if the access was denied
*/
public static Exception validateObject(Object _self, IJoContext _ctx) {
// TODO: in SOPE we also ask _self isPublicInContext:
JoClass cls = _ctx.joClassRegistry().joClassForJavaObject(_self, _ctx);
JoSecurityInfo sinfo = null;
/* first find security info */
for (JoClass pcls = cls; pcls != null; pcls = pcls.joSuperClass()) {
sinfo = pcls.securityInfo();
if (log.isDebugEnabled()) {
log.debug("CLASS: " + pcls);
log.debug(" CHECK: " + sinfo);
}
if (sinfo != null && sinfo.hasObjectProtections())
break;
sinfo = null;
}
if (sinfo == null) {
log.error("attempt to access private object:\n" +
" object: " + _self + "\n" +
" class: " + cls);
return new JoAccessDeniedException
("attempt to access private object: " + cls.className());
}
/* check private/public */
if (sinfo.isObjectPrivate())
return new JoAccessDeniedException("attempt to access private object");
if (sinfo.isObjectPublic())
return null; /* we are public */
/* check explicit permission */
String permission = sinfo.permissionRequiredForObject();
Exception error =
Utility.validatePermissionOnObject(permission, _self, _ctx);
if (error != null) return error;
/* validation was ok, we are done. */
if (log.isDebugEnabled())
log.debug(" object did validate: " + _self + ": " + permission);
return null;
}
/**
* The method first validates the '_self' object using validateObject(). It
* then retrieves the JoClass of the object and extracts the security info for
* the given '_name'.
*
* If the class has no security info, the default access (allow) will get
* checked (Note: only the value 'allow' is relevant, hence everything else
* means deny).
*
* If it has a security info, it can be 'private', 'public' or some
* permission. For the latter validatePermissionOnObject() will be called to
* determine whether the user has that permission (in the context of the
* object).
*
* Note: the name can be protected separately from the value the name points
* to. That is, even if access to the name is allowed, the object stored
* under this name can be protected (this is checked by validateObject()).
*
* @param _self - the object to be checked
* @param _name - the name which is requested
* @param _ctx - the context the object lives in
* @return a security exception if the access was denied
*/
public static Exception validateNameOfObject
(Object _self, String _name, IJoContext _ctx)
{
boolean isInfoOn = log.isInfoEnabled();
Exception error;
/* find out permission required for object itself */
if ((error = Utility.validateObject(_self, _ctx)) != null){
if (isInfoOn)
log.info("object did not validate: " + _self + ": " + error);
return error;
}
/* find security info for _name */
/* Note: Why do we scan the hierarchy and have no consolidated
* "securityInfoForClass()" method which traverses the hierarchy for "the"
* info. This is because each info must be checked for the _name. Ie the
* security info of a superclass could contain the protections on the
* given key.
*/
JoClassRegistry reg = _ctx != null ? _ctx.joClassRegistry() : null;
if (reg == null) {
log.warn("did not find joClassRegistry in ctx: " + _ctx);
return null;
}
JoClass cls = reg.joClassForJavaObject(_self, _ctx);
JoSecurityInfo sinfo = null;
JoSecurityInfo sDefaultInfo = null;
for (JoClass pcls = cls; pcls != null; pcls = pcls.joSuperClass()) {
sinfo = pcls.securityInfo();
if (sinfo != null) {
if (sinfo.hasProtectionsForKey(_name))
break;
else if (isInfoOn) {
log.info("security info of class '" + pcls.className() +
"'\n has no protections for name '" + _name +
"'\n info: " + sinfo);
}
}
if (sDefaultInfo == null && sinfo.hasDefaultAccessDeclaration())
sDefaultInfo = sinfo;
sinfo = null;
}
/* Process default security declaration in case we found no security info
* for the key.
*/
if (sinfo == null) { /* found none for _name */
/* We found no key specific security info. Hence we use the default
* access declaration which can be "allow".
*/
if (sDefaultInfo != null) { /* but we found a default access */
if (isInfoOn)
log.info("using default info for name " + _name + ": " +sDefaultInfo);
if ("allow".equals(sDefaultInfo.defaultAccess())) {
if (isInfoOn)
log.info("default access is set to 'allow', name: " + _name);
return null /* everything allowed, no specific protection */;
}
if (isInfoOn) {
log.info("rejected because default info is not allow: " +
sDefaultInfo);
}
}
else if (isInfoOn)
log.info("no name and no default info for name: " + _name);
return new JoAccessDeniedException
("attempt to access private name '" + _name + "' in class: " +
_self.getClass().getSimpleName());
}
else if (isInfoOn)
log.info("found security info for name " + _name + ": " + sinfo);
/* We found a security declaration for the given name. Check the
* protections.
*/
if (sinfo.isKeyPrivate(_name)) {
/* What does it mean to be 'private'. Using private you can always
* explicitly forbid access to a JOPE name. Eg if you want that 'abc'
* is *never ever* accessed using JoLookup (exposed to the web!), you
* can declare it private.
*
* In JOPE this is the default (if no security info was found and
* no default access was defined). I think Zope2 allows access to all
* Python slots per default (restricted by ZODB ownership of course).
* (just like KVC)
* Important: be careful with setting the default access to "allow"! This
* reverses the process.
*/
if (isInfoOn)
log.info("name "+ _name + " is marked private in info: " + sinfo);
return new JoAccessDeniedException("attempt to access private key");
}
if (sinfo.isKeyPublic(_name)) {
/* Simple case, public is just that, public :-) */
if (isInfoOn)
log.info("name "+ _name + " is marked public in info: " + sinfo);
return null; /* key is explicitly declared as public */
}
/* OK, name was protected with an explicit permission, eg 'View' or
* 'Edit'. In this case we call validatePermissionOnObject() to check
* whether the current user has a role which has the necessary permission.
*/
// TBD: here think this might be wrong. It validates the permission against
// the container, while the role is probably on the 'name'd object.
// I guess this assumes that the 'security policy' is always on
// exactly one object, while *we* may have the container defined
// specific policies for names (rolesForObjectInContext() method of the
* IJoUser object in the context to locate the roles the user has.
*
* @param _permission - permission to check, eg 'View'
* @param _self - the object
* @param _ctx - the context
* @return null if the user has access to the permission, else the Exception
*/
public static Exception validatePermissionOnObject
(String _permission, Object _self, IJoContext _ctx)
{
// TBD: NO LOCAL ROLES PROCESSING YET
boolean isInfoOn = log.isInfoEnabled();
if (_permission == null) {
if (isInfoOn) log.info("got no permission to validate on " + _self);
return null;
}
if ("