Package org.exist.security

Examples of org.exist.security.SecurityManager usage — truncated excerpts from eXist-db XQuery function implementations. Each snippet is cut off before the enclosing method (and, in most cases, its try/catch error handling) ends, so consult the full source before relying on the authorization checks shown here.


    private void setUMask(final DBBroker broker, final Subject currentUser, final String username, final int umask) throws XPathException {
        if(!currentUser.hasDbaRole() && !currentUser.getUsername().equals(username)) {
            throw new XPathException(this, new PermissionDeniedException("You must have suitable access rights to set the users umask."));
        }
       
        final SecurityManager securityManager = broker.getBrokerPool().getSecurityManager();
        final Account account = securityManager.getAccount(username);
       
        account.setUserMask(umask);
       
        try {
            securityManager.updateAccount(account);
        } catch(final PermissionDeniedException pde) {
            throw new XPathException(this, pde);
        } catch(final EXistException ee) {
            throw new XPathException(this, ee);
        }


        final Subject currentUser = broker.getSubject();
        if(currentUser.getName().equals(SecurityManager.GUEST_USER)) {
            throw new XPathException("You must be an authenticated user");
        }

        final SecurityManager securityManager = broker.getBrokerPool().getSecurityManager();
       
        final String strPrincipal = args[0].getStringValue();
        final String metadataAttributeNamespace = args[1].getStringValue();
        final String value = args[2].getStringValue();
           
        final Principal principal;
        if(isCalledAs(qnSetAccountMetadata.getLocalName())) {
            if(!currentUser.hasDbaRole() && !currentUser.getUsername().equals(strPrincipal)) {
                throw new XPathException(this, new PermissionDeniedException("You must have suitable access rights to modify the users metadata."));
            }
            principal = securityManager.getAccount(strPrincipal);
        } else if(isCalledAs(qnSetGroupMetadata.getLocalName())) {
           
            //check for a valid group metadata key
            boolean valid = false;
            for(final SchemaType groupMetadataKey : GetPrincipalMetadataFunction.GROUP_METADATA_KEYS) {
                if(groupMetadataKey.getNamespace().equals(metadataAttributeNamespace)) {
                    valid = true;
                    break;
                }
            }
           
            if(!valid) {
                throw new XPathException("The metadata attribute key '" + metadataAttributeNamespace + "' is not valid on a group.");
            }
           
            final Group group = securityManager.getGroup(strPrincipal);
            if(!currentUser.hasDbaRole() && !group.isManager(currentUser)) {
                throw new XPathException(this, new PermissionDeniedException("You must have suitable access rights to modify the groups metadata."));
            }
            principal = group;
        } else {

    @Override
    public Sequence eval(final Sequence[] args, final Sequence contextSequence) throws XPathException {

        final DBBroker broker = getContext().getBroker();
        final Subject currentUser = broker.getSubject();
        final SecurityManager securityManager = broker.getBrokerPool().getSecurityManager();

        final String username = args[0].getStringValue();

        try {
            if(isCalledAs(qnRemoveAccount.getLocalName())) {
                /* remove account */
                if(!currentUser.hasDbaRole()) {
                    throw new XPathException("Only a DBA user may remove accounts.");
                }
               
                if(!securityManager.hasAccount(username)) {
                    throw new XPathException("The user account with username " + username + " does not exist.");
                }

                if(currentUser.getName().equals(username)) {
                    throw new XPathException("You cannot remove yourself i.e. the currently logged in user.");
                }

                securityManager.deleteAccount(username);

            } else {

                final String password = args[1].getStringValue();

                if(isCalledAs(qnPasswd.getLocalName())) {
                    /* change password */

                    if(!(currentUser.getName().equals(username) || currentUser.hasDbaRole())) {
                        throw new XPathException("You may only change your own password, unless you are a DBA.");
                    }

                    final Account account = securityManager.getAccount(username);
                    account.setPassword(password);
                    securityManager.updateAccount(account);

                } else if(isCalledAs(qnCreateAccount.getLocalName())) {
                    /* create account */
                    if(!currentUser.hasDbaRole()) {
                        throw new XPathException("You must be a DBA to create a User Account.");
                    }
                   
                    if(securityManager.hasAccount(username)) {
                        throw new XPathException("The user account with username " + username + " already exists.");
                    }

                    final Account user = new UserAider(username);
                    user.setPassword(password);

                    if(getSignature().getArgumentCount() >= 5) {
                        //set metadata values if present
                        user.setMetadataValue(AXSchemaType.FULLNAME, args[getSignature().getArgumentCount() - 2].toString());
                        user.setMetadataValue(EXistSchemaType.DESCRIPTION, args[getSignature().getArgumentCount() - 1].toString());
                    }

                    final String[] subGroups;
                    if(getSignature().getArgumentCount() == 3 || getSignature().getArgumentCount() == 5) {
                        //create the personal group
                        final Group group = new GroupAider(username);
                        group.setMetadataValue(EXistSchemaType.DESCRIPTION, "Personal group for " + username);
                        group.addManager(currentUser);
                        securityManager.addGroup(group);

                        //add the personal group as the primary group
                        user.addGroup(username);

                        subGroups = getGroups(args[2]);
                    } else {
                        //use the explicitly supplied group (args[2]) as the primary group
                        user.addGroup(args[2].getStringValue());

                        subGroups = getGroups(args[3]);
                    }

                    for(int i = 0; i <  subGroups.length; i++) {
                        user.addGroup(subGroups[i]);
                    }

                    //create the account
                    securityManager.addAccount(user);

                    //if we created a personal group, then add the new account as a manager of their personal group
                    if(getSignature().getArgumentCount() == 3 || getSignature().getArgumentCount() == 5) {
                        final Group group = securityManager.getGroup(username);
                        group.addManager(securityManager.getAccount(username));
                        securityManager.updateGroup(group);
                    }
                } else {
                    throw new XPathException("Unknown function call: " + getSignature());
                }
            }

    }

    @Override
    public Sequence eval(final Sequence[] args, final Sequence contextSequence) throws XPathException {

        final SecurityManager securityManager = context.getBroker().getBrokerPool().getSecurityManager();
        final Subject currentSubject = context.getBroker().getSubject();

        try {
            final String groupName = args[0].itemAt(0).getStringValue();

            if(isCalledAs(qnCreateGroup.getLocalName())) {
                if(securityManager.hasGroup(groupName)) {
                    throw new XPathException("The group with name " + groupName + " already exists.");
                }

                if(!currentSubject.hasDbaRole()) {
                    throw new XPathException("Only DBA users may create a user group.");
                }

                final Group group = new GroupAider(groupName);
                group.addManager(currentSubject);

                if(getSignature().getArgumentCount() == 3) {
                    //set group managers
                    final List<Account> groupManagers = getGroupManagers(securityManager, args[1]);
                    group.addManagers(groupManagers);
                }

                //set metadata
                if(getSignature().getArgumentCount() >= 2) {
                    group.setMetadataValue(EXistSchemaType.DESCRIPTION, args[getSignature().getArgumentCount() - 1].toString());
                }

                securityManager.addGroup(group);

            } else if(isCalledAs(qnRemoveGroup.getLocalName()) || isCalledAs(qnDeleteGroup.getLocalName())) {

                if(!securityManager.hasGroup(groupName)) {
                    throw new XPathException("The group with name " + groupName + " does not exist.");
                }

                final Group successorGroup;
                if(getArgumentCount() == 2) {
                    final String successorGroupName = args[1].itemAt(0).getStringValue();
                    if(!currentSubject.hasGroup(successorGroupName)) {
                        throw new PermissionDeniedException("You must be a member of the group for which permissions should be inherited by");
                    }
                    successorGroup = securityManager.getGroup(successorGroupName);

                } else {
                    successorGroup = securityManager.getGroup("guest");
                }

                try {
                    securityManager.deleteGroup(groupName);
                } catch(final EXistException ee) {
                    throw new XPathException(this, ee);
                }
            } else {
                throw new XPathException("Unknown function call: " + getSignature());

        if(!isCalledAs(qnGetUserGroups.getLocalName()) && currentUser.getName().equals(SecurityManager.GUEST_USER)) {
            throw new XPathException("You must be an authenticated user");
        }

       
        final SecurityManager securityManager = broker.getBrokerPool().getSecurityManager();

        final Sequence result;
       
        if(isCalledAs(qnGetUserPrimaryGroup.getLocalName())) {
            final String username = args[0].getStringValue();
            result = new StringValue(securityManager.getAccount(username).getPrimaryGroup());
        } else if(isCalledAs(qnGroupExists.getLocalName())) {
            final String groupName = args[0].getStringValue();
            result = BooleanValue.valueOf(securityManager.hasGroup(groupName));
        } else {
            final List<String> groupNames;
            if(isCalledAs(qnListGroups.getLocalName()) || isCalledAs(qnGetGroups.getLocalName())) {
                groupNames = securityManager.findAllGroupNames();
            } else if(isCalledAs(qnFindGroupsByGroupname.getLocalName())) {
                final String startsWith = args[0].getStringValue();
                groupNames = securityManager.findGroupnamesWhereGroupnameStarts(startsWith);
            } else if(isCalledAs(qnFindGroupsWhereGroupnameContains.getLocalName())) {
                final String fragment = args[0].getStringValue();
                groupNames = securityManager.findGroupnamesWhereGroupnameContains(fragment);
            } else if(isCalledAs(qnGetUserGroups.getLocalName())) {
                final String username = args[0].getStringValue();

                if(!currentUser.hasDbaRole() && !currentUser.getName().equals(username)) {
                    throw new XPathException("You must be a DBA or enquiring about your own user account!");
                }

                final Account user = securityManager.getAccount(username);
                groupNames = Arrays.asList(user.getGroups());
            } else {
                throw new XPathException("Unknown function");
            }

        Sequence result = Sequence.EMPTY_SEQUENCE;

        final DBBroker broker = getContext().getBroker();
        final Subject currentUser = broker.getSubject();
        final SecurityManager securityManager = broker.getBrokerPool().getSecurityManager();

        try {
            if(isCalledAs(qnIsDba.getLocalName())) {
                final String username = args[0].getStringValue();

                if(!securityManager.hasAccount(username)) {
                    throw new XPathException("The user account with username " + username + " does not exist.");
                } else {
                    final Account account = securityManager.getAccount(username);
                    result = BooleanValue.valueOf(securityManager.hasAdminPrivileges(account));
                }
            } else if(isCalledAs(qnSetPrimaryGroup.getLocalName())) {

                final String username = args[0].getStringValue();
                final String groupName = args[1].getStringValue();

                if(!securityManager.hasAccount(username)) {
                    throw new XPathException("The user account with username " + username + " does not exist.");
                }

                if(!securityManager.hasGroup(groupName)) {
                    throw new XPathException("The user group with name " + groupName + " does not exist.");
                }

                final Group group = securityManager.getGroup(groupName);

                if(!isCalledAs(qnGetGroupMembers.getLocalName()) && (!(group.isManager(currentUser) || currentUser.hasDbaRole()))) {
                    throw new XPathException("Only a Group Manager or DBA may modify the group or retrieve sensitive group information.");
                }

                final Account account = securityManager.getAccount(username);

                //set the primary group
                account.setPrimaryGroup(group);
                securityManager.updateAccount(account);

            } else {

                final String groupName = args[0].getStringValue();

                if(!securityManager.hasGroup(groupName)) {
                    throw new XPathException("The user group with name " + groupName + " does not exist.");
                }

                final Group group = securityManager.getGroup(groupName);

                if(!isCalledAs(qnGetGroupMembers.getLocalName()) && (!(group.isManager(currentUser) || currentUser.hasDbaRole()))) {
                    throw new XPathException("Only a Group Manager or DBA may modify the group or retrieve sensitive group information.");
                }

                if(isCalledAs(qnAddGroupMember.getLocalName())) {
                    final List<Account> users = getUsers(securityManager, args[1]);
                    addGroupMembers(securityManager, group, users);
                } else if(isCalledAs(qnRemoveGroupMember.getLocalName())) {
                    final List<Account> users = getUsers(securityManager, args[1]);
                    removeGroupMembers(securityManager, group, users);
                } else if(isCalledAs(qnGetGroupMembers.getLocalName())) {
                    final List<String> groupMembers = securityManager.findAllGroupMembers(groupName);

                    final ValueSequence seq = new ValueSequence();
                    for(final String groupMember : groupMembers) {
                        seq.add(new StringValue(groupMember));
                    }

        logger.info("Attempting to add user '" + userName + "' to group '" + groupName + "'");

        try {

            final SecurityManager sm = context.getBroker().getBrokerPool().getSecurityManager();

            final Group group = sm.getGroup(groupName);

            final Account account = sm.getAccount(userName);
            if(account != null) {
                account.addGroup(group);
               
                //TEMP - ESCALATE TO DBA :-(
                /**
                 * Security Manager has a fundamental flaw:
                 * group membership is stored in the Account XML, so you cannot
                 * add a user to a group without modifying that user's XML.
                 * This is a security issue: a caller who is not that user has to be
                 * escalated to DBA (the system subject) for the updateAccount call
                 * below, so while escalated the caller's own permissions are not
                 * what is checked - any check that the caller may change this
                 * group's membership must happen before the escalation.
                 * Must redesign - consider the Unix /etc/group design!
                 * See XMLDBCreateGroup and XMLDBRemoveUserFromGroup
                 */
                final Subject currentSubject = context.getBroker().getSubject();
                try {
                    //escalate
                    context.getBroker().setSubject(sm.getSystemSubject());

                    //perform action
                    sm.updateAccount(account);
                } finally {
                    context.getBroker().setSubject(currentSubject);
                }
                //END TEMP


   
    @Override
    public Sequence eval(final Sequence[] args, final Sequence contextSequence) throws XPathException {
        final DBBroker broker = getContext().getBroker();
        final Subject currentUser = broker.getSubject();
        final SecurityManager securityManager = broker.getBrokerPool().getSecurityManager();
       
        final String username = args[0].getStringValue();
       
        if(isCalledAs(qnIsAccountEnabled.getLocalName())) {
            if(!currentUser.hasDbaRole() && !currentUser.getName().equals(username)) {
                throw new XPathException("You must be a DBA or be enquiring about your own account!");
            }
            final Account account = securityManager.getAccount(username);
            return new BooleanValue(account.isEnabled());
        } else if(isCalledAs(qnSetAccountEnabled.getLocalName())) {
            if(!currentUser.hasDbaRole()) {
                throw new XPathException("You must be a DBA to change the status of an account!");
            }
           
            final boolean enable = args[1].effectiveBooleanValue();
           
            final Account account = securityManager.getAccount(username);
            account.setEnabled(enable);
           
            try {
                account.save(broker);
                return Sequence.EMPTY_SEQUENCE;

        logger.info("Attempting to remove user '" + userName + "' from group '" + groupName + "'");

        try {

            final SecurityManager sm = context.getBroker().getBrokerPool().getSecurityManager();

            final Account account = sm.getAccount(userName);

            account.remGroup(groupName);

            //TEMP - ESCALATE TO DBA :-(
            //START TEMP - Whilst we can remove the group from the user,
            //we cannot update the user because we do not have sufficient permissions;
            //in the real world we should not be able to do either. The modelling of group
            //membership as a concern of user data is wrong! Should follow the Unix approach.
            //Note: the escalation below runs updateAccount as the system subject, so the
            //caller's own permissions are not checked there; authorization must be done first.
            //see XMLDBAddUserToGroup also
            final Subject currentSubject = context.getBroker().getSubject();
            try {
                //escalate
                context.getBroker().setSubject(sm.getSystemSubject());

                //perform action
                sm.updateAccount(account);
            } finally {
                context.getBroker().setSubject(currentSubject);
            }
            //END TEMP

        }
       
        final Sequence password = getArgument(1).eval(contextSequence, contextItem);
        final String username = usernameResult.getStringValue();
       
        final SecurityManager sm = broker.getBrokerPool().getSecurityManager();
        Subject user;
        try {
            user = sm.authenticate(username, password.getStringValue());
        } catch(final AuthenticationException e) {
            final XPathException exception = new XPathException(this, "Authentication failed", e);
            logger.error("Authentication failed for [" + username + "] because of [" + e.getMessage() + "].", exception);
            throw exception;
        }
