Package org.exist.security

Examples of org.exist.security.SecurityManager


     * This is called via RemoteUserManagementService.removeGroup(Account, String)
     */
    public boolean updateAccount(String name, Vector<String> groups, String rgroup) throws EXistException,
    PermissionDeniedException {

      // Removes the group named by rgroup from the account `name` and persists the account.
      // NOTE(review): no hasAdminPrivileges(user) check is visible in this excerpt; authorization is
      // presumably enforced inside manager.updateAccount(...) - confirm before relying on it.
      final SecurityManager manager = factory.getBrokerPool().getSecurityManager();
     
      DBBroker broker = null;

      try {
        // Acquire a broker for the calling subject `user`.
        broker = factory.getBrokerPool().get(user);

        // NOTE(review): the lookup result is not null-checked; if getAccount can return null for an
        // unknown name, the resulting NullPointerException is absorbed by the catch below.
        final Account u = manager.getAccount(name);
       
        // Only rgroup is removed, and only when it also appears in `groups`.
        for (final String g : groups) {
          if (g.equals(rgroup)) {
            u.remGroup(g);
          }
        }
       
        return manager.updateAccount(u);

      } catch (final Exception ex) {
        // Every exception raised above is logged at debug level and turned into `false`, so the
        // caller cannot tell a denied request from any other failure and the declared
        // PermissionDeniedException is presumably never propagated from the try block.
        // NOTE(review): a failed change to group membership is worth logging above debug level.
        LOG.debug("removeGroup encountered error", ex);
        return false;
      } finally {


                throw new EXistException("Resource " + docURI + " not found");
            }
            //TODO : register the lock within the transaction ?
            // The caller needs WRITE permission on the document before it may take the lock.
            if (!doc.getPermissions().validate(user, Permission.WRITE))
                {throw new PermissionDeniedException("User is not allowed to lock resource " + docURI);}
            final SecurityManager manager = factory.getBrokerPool().getSecurityManager();
            // Locking under another user's name is allowed only for that user or an administrator.
            if (!(userName.equals(user.getName()) || manager.hasAdminPrivileges(user)))
                {throw new PermissionDeniedException("User " + user.getName() + " is not allowed " +
                        "to lock the resource for user " + userName);}
            final Account lockOwner = doc.getUserLock();
            // A lock already held by a different account can be taken over only by an administrator.
            if(lockOwner != null && (!lockOwner.equals(user)) && (!manager.hasAdminPrivileges(user)))
                {throw new PermissionDeniedException("Resource is already locked by user " +
                        lockOwner.getName());}
            // NOTE(review): the lock is recorded for the calling subject `user`, not for userName, so an
            // administrator locking "for user userName" becomes the recorded owner - confirm intended.
            doc.setUserLock(user);
            broker.storeXMLResource(transaction, doc);
            transact.commit(transaction);

            // Fetch the document, requesting Lock.WRITE_LOCK; a missing resource is an error.
            doc = broker.getXMLResource(docURI, Lock.WRITE_LOCK);
            if (doc == null)
                {throw new EXistException("Resource " + docURI + " not found");}
            // Releasing a user lock requires WRITE permission on the document.
            if (!doc.getPermissions().validate(user, Permission.WRITE))
                {throw new PermissionDeniedException("User is not allowed to lock resource " + docURI);}
            final SecurityManager manager = factory.getBrokerPool().getSecurityManager();
            final Account lockOwner = doc.getUserLock();
            // Only the account holding the lock, or an administrator, may clear it.
            if(lockOwner != null && (!lockOwner.equals(user)) && (!manager.hasAdminPrivileges(user)))
                {throw new PermissionDeniedException("Resource is already locked by user " +
                        lockOwner.getName());}
            // The transaction starts only after all authorization checks have passed.
            transaction = transact.beginTransaction();
            // Clearing the owner removes the user lock; the change is then stored.
            doc.setUserLock(null);
            broker.storeXMLResource(transaction, doc);

    // Looks up a group by name and, when it exists, copies its attributes into a map.
    // NOTE(review): no privilege check on `user` is visible in this excerpt, so group id and realm id
    // are presumably readable by any caller that can reach this method - confirm that is intended.
    public HashMap<String, Object> getGroup(final String name) throws EXistException, PermissionDeniedException {
        try {
            return executeWithBroker(new BrokerOperation<HashMap<String, Object>>() {
                @Override
                public HashMap<String, Object> withBroker(final DBBroker broker) throws EXistException, URISyntaxException, PermissionDeniedException {
                    final SecurityManager securityManager = factory.getBrokerPool().getSecurityManager();
                    final Group group = securityManager.getGroup(name);
                    // The handling of an unknown group (group == null) lies outside this excerpt.
                    if(group != null){
                        final HashMap<String, Object> map = new HashMap<String, Object>();
                        map.put("id", group.getId());
                        map.put("realmId", group.getRealmId());
                        // The name echoed back is the caller-supplied argument, not a value read from the group.
                        map.put("name", name);

     * @exception EXistException if an error occurs
     * @exception PermissionDeniedException if an error occurs
     */
    @Override
    public boolean removeAccount(final String name) throws EXistException, PermissionDeniedException {
        final SecurityManager manager = factory.getBrokerPool().getSecurityManager();
       
        // Authorization comes first: only a subject with admin privileges may delete an account,
        // and the check runs before any broker is acquired or any lookup on `name` is made.
        if(!manager.hasAdminPrivileges(user)) {
            throw new PermissionDeniedException("you are not allowed to remove users");
        }
       
        try {
            // The deletion itself is performed inside a broker operation.
            executeWithBroker(new BrokerOperation<Void>() {
                @Override
                public Void withBroker(final DBBroker broker) throws EXistException, URISyntaxException, PermissionDeniedException {
                    manager.deleteAccount(name);
                    return null;
                }
            });
        } catch (final URISyntaxException use) {
            // Re-thrown as EXistException with the original exception kept as the cause.
            throw new EXistException(use.getMessage(), use);

       
      // An empty password string is normalised to null before it is stored on the new account.
      // NOTE(review): what a null encoded password means at login is not visible here - confirm it
      // cannot result in an account that authenticates without a password.
      if(passwd.length() == 0) {
            passwd = null;
        }
       
      final SecurityManager manager = factory.getBrokerPool().getSecurityManager();

      // NOTE(review): this existence check runs before the privilege check below, so a caller without
      // admin privileges can tell from the exception message whether an account name is taken.
      // Performing the hasAdminPrivileges(user) check first would close that information leak.
      if(manager.hasAccount(name)) {
            throw new PermissionDeniedException("Account '"+name+"' exist");
        }

        // Only a subject with admin privileges may create accounts.
        if(!manager.hasAdminPrivileges(user)) {
            throw new PermissionDeniedException("Account '"+user.getName()+"' not allowed to create new account");
        }

        final UserAider u = new UserAider(name);
        u.setEncodedPassword(passwd);
        u.setPasswordDigest(passwdDigest);

        // Group names are added once each; no check that a named group exists is visible here.
        for(final String g : groups) {
            if(!u.hasGroup(g)) {
                u.addGroup(g);
            }
        }
       
        // Optional settings are applied only when the caller supplied them.
        if(enabled != null) {
            u.setEnabled(enabled);
        }
       
        if(umask != null) {
            u.setUserMask(umask);
        }
       
        // Metadata keys are matched against the AX schema first, then the eXist schema;
        // a key recognised by neither is skipped without any error.
        if(metadata != null) {
            for(final String key : metadata.keySet()) {
                if(AXSchemaType.valueOfNamespace(key) != null) {
                    u.setMetadataValue(AXSchemaType.valueOfNamespace(key), metadata.get(key));
                } else if(EXistSchemaType.valueOfNamespace(key) != null) {
                    u.setMetadataValue(EXistSchemaType.valueOfNamespace(key), metadata.get(key));
                }
            }
        }
       
        try {
            // The account is persisted inside a broker operation.
            executeWithBroker(new BrokerOperation<Void>() {
                @Override
                public Void withBroker(final DBBroker broker) throws EXistException, URISyntaxException, PermissionDeniedException {
                    manager.addAccount(u);
                    return null;
                }
            });
        } catch(final URISyntaxException use) {
            // Re-thrown as EXistException with the original exception kept as the cause.
            throw new EXistException(use.getMessage(), use);

                    account.setMetadataValue(EXistSchemaType.valueOfNamespace(key), metadata.get(key));
                }
            }
        }
       
        // Persist the modified account through the SecurityManager inside a broker operation.
        // NOTE(review): no privilege check on `user` is visible in this excerpt; it is either earlier
        // in the method or left to manager.updateAccount(...) - confirm which.
        final SecurityManager manager = factory.getBrokerPool().getSecurityManager();
        try {
            return executeWithBroker(new BrokerOperation<Boolean>() {
                @Override
                public Boolean withBroker(final DBBroker broker) throws EXistException, URISyntaxException, PermissionDeniedException {
                    return manager.updateAccount(account);
                }
            });
        } catch (final URISyntaxException use) {
            // Re-thrown as EXistException with the original exception kept as the cause.
            throw new EXistException(use.getMessage(), use);
        }

    }

    @Override
    public boolean addGroup(String name, Map<String, String> metadata) throws EXistException, PermissionDeniedException {
       
      final SecurityManager manager = factory.getBrokerPool().getSecurityManager();

      // NOTE(review): the existence check runs before the privilege check, so the admin check is
      // reached only for a name that is not yet a group. What an unprivileged caller gets back for
      // an existing group lies outside this excerpt; if the outcome differs, it reveals group names.
      if(!manager.hasGroup(name)) {
           
            // Only a subject with admin privileges may create a group.
            if(!manager.hasAdminPrivileges(user)) {
                throw new PermissionDeniedException("Not allowed to create group");
            }
           
            final Group role = new GroupAider(name);
           
            // NOTE(review): metadata is dereferenced without a null check, so a null map throws
            // NullPointerException here. Keys recognised by neither schema are skipped silently.
            for(final String key : metadata.keySet()) {
                if(AXSchemaType.valueOfNamespace(key) != null) {
                    role.setMetadataValue(AXSchemaType.valueOfNamespace(key), metadata.get(key));
                } else if(EXistSchemaType.valueOfNamespace(key) != null) {
                    role.setMetadataValue(EXistSchemaType.valueOfNamespace(key), metadata.get(key));
                }
            }
           
           
            try {
                // The group is persisted inside a broker operation; success is reported as true.
                executeWithBroker(new BrokerOperation<Void>() {
                    @Override
                    public Void withBroker(final DBBroker broker) throws EXistException, URISyntaxException, PermissionDeniedException {
                        manager.addGroup(role);
                        return null;
                    }
                });
                return true;
            } catch (final URISyntaxException use) {

       
      return false;
    }
   
    // Sets the primary group of the account `username` to the group `groupName`.
    public boolean setUserPrimaryGroup(final String username, final String groupName) throws EXistException, PermissionDeniedException {
        final SecurityManager manager = factory.getBrokerPool().getSecurityManager();

      // NOTE(review): the group lookup precedes the privilege check, so a caller without admin
      // privileges sees EXistException for an unknown group and PermissionDeniedException for an
      // existing one, which reveals which group names exist. Checking privileges first avoids this.
      if(!manager.hasGroup(groupName)) {
            throw new EXistException("Group '" + groupName + "' does not exist!");
        }
       
        // Only a subject with admin privileges may change an account's primary group.
        if(!manager.hasAdminPrivileges(user)) {
            throw new PermissionDeniedException("Not allowed to modify user");
        }
       
        try {
            executeWithBroker(new BrokerOperation<Void>() {
                @Override
                public Void withBroker(final DBBroker broker) throws EXistException, URISyntaxException, PermissionDeniedException {
                    // NOTE(review): the account lookup is not null-checked; if getAccount can return
                    // null for an unknown username, setPrimaryGroup throws NullPointerException.
                    final Account account = manager.getAccount(username);
                    // The group is fetched again here rather than reused from the hasGroup check above.
                    final Group group = manager.getGroup(groupName);
                    account.setPrimaryGroup(group);
                    manager.updateAccount(account);
                    return null;
                }
            });
            return true;
        } catch (final URISyntaxException use) {

        // Test fixture: EasyMock stand-ins for the broker pool, database, current subject, its
        // default group and the SecurityManager.
        BrokerPool mockBrokerPool = EasyMock.createMock(BrokerPool.class);
        Database mockDatabase = EasyMock.createMock(Database.class);
        Subject mockCurrentSubject = EasyMock.createMock(Subject.class);
        Group mockCurrentSubjectGroup= EasyMock.createMock(Group.class);
        SecurityManager mockSecurityManager = EasyMock.createMock(SecurityManager.class);
        // The mock is installed through a static field of PermissionFactory, so it outlives this test.
        // NOTE(review): confirm the field is reset afterwards so the mock does not leak into other tests.
        PermissionFactory.sm = mockSecurityManager;

        //test values
        final DocumentMetadata otherMetadata = new DocumentMetadata();

        //expectations
        // Each call below is expected exactly twice. Judging by the constant names, the mocked
        // subject is the system account with the DBA group as its default group.
        expect(mockSecurityManager.getDatabase()).andReturn(mockDatabase).times(2);
        expect(mockDatabase.getSubject()).andReturn(mockCurrentSubject).times(2);
        expect(mockCurrentSubject.getUserMask()).andReturn(Permission.DEFAULT_UMASK).times(2);
        expect(mockCurrentSubject.getId()).andReturn(RealmImpl.SYSTEM_ACCOUNT_ID).times(2);
        expect(mockCurrentSubject.getDefaultGroup()).andReturn(mockCurrentSubjectGroup).times(2);
        expect(mockCurrentSubjectGroup.getId()).andReturn(RealmImpl.DBA_GROUP_ID).times(2);
