Package org.exist.security

Examples of org.exist.security.SecurityManager


        final Subject currentUser = broker.getSubject();

        if(currentUser.hasGroup(groupName)) {
            return BooleanValue.TRUE;
        } else if(currentUser.hasDbaRole()) {
            final SecurityManager sm = broker.getBrokerPool().getSecurityManager();
            final Group group = sm.getGroup(groupName);
            return BooleanValue.valueOf(group != null);
        } else {
            throw new XPathException("You do not have permission to determine if the group exists");
        }
    }


  /**
   * Authenticates the supplied credentials against the pool's security manager.
   *
   * <p>A {@code null} user name is treated as a request for the guest account: both the
   * name and the password are replaced by {@link SecurityManager#GUEST_USER}, so any
   * password passed alongside a {@code null} user is ignored.
   *
   * @param user account name, or {@code null} to fall back to the guest account
   * @param password password for {@code user}; ignored when {@code user} is {@code null}
   * @param pool broker pool whose security manager performs the authentication
   * @return the subject returned by {@code SecurityManager.authenticate}
   * @throws XMLDBException with {@code ErrorCodes.PERMISSION_DENIED} when authentication fails
   */
  private Subject getUser(String user, String password, BrokerPool pool) throws XMLDBException {
    final boolean useGuest = (user == null);
    // NOTE(review): a missing user name silently becomes a guest login, and the guest
    // password used here is the same constant as the guest user name. Confirm callers
    // are meant to get guest access when no credentials are supplied.
    final String effectiveUser = useGuest ? SecurityManager.GUEST_USER : user;
    final String effectivePassword = useGuest ? SecurityManager.GUEST_USER : password;

    final SecurityManager authenticator = pool.getSecurityManager();
    try {
      return authenticator.authenticate(effectiveUser, effectivePassword);
    } catch (final AuthenticationException authFailure) {
      // NOTE(review): the exception message is passed through to the XML:DB caller;
      // verify it does not reveal whether the account exists.
      throw new XMLDBException(ErrorCodes.PERMISSION_DENIED, authFailure.getMessage(), authFailure);
    }
  }

    @Override
    public Sequence eval(Sequence[] args, Sequence contextSequence) throws XPathException {
        final String groupName = args[0].getStringValue();

        //TODO replace with SecurityManager.getUsers(groupName)
        final SecurityManager manager = context.getBroker().getBrokerPool().getSecurityManager();
        final List<Account> users = manager.getGroupMembers(groupName);
        Collections.sort(users, new Comparator<Account>(){
            @Override
            public int compare(Account t, Account t1) {
                return t.getUsername().compareTo(t1.getUsername());
            }

      // Read the caller-supplied credentials: args[0] is the user name, args[1] the password.
      final String userName = args[0].getStringValue();
      final String passwd = args[1].getStringValue();
     
      // Authenticate the pair with the broker pool's SecurityManager. A failure is
      // reported to the caller as BooleanValue.FALSE rather than as an exception.
      final SecurityManager security = context.getBroker().getBrokerPool().getSecurityManager();
      Subject user;
      try {
        user = security.authenticate(userName, passwd);
      } catch (final AuthenticationException e) {
        // The failed attempt is logged at WARN with the user name and the exception
        // message; the password is not written to the log.
        // NOTE(review): userName comes straight from the function argument and is
        // concatenated into the log line unescaped. Neutralise CR/LF (or log it as a
        // quoted/encoded field) so a crafted name cannot forge extra log entries.
        logger.warn("Could not validate user " + userName + " ["+ e.getMessage() + "]");
        return BooleanValue.FALSE;
      }
//      why it was empty if user wasn't found??? -shabanovd

       
        try {
            Subject user;
         
            try {
              final SecurityManager sm = BrokerPool.getInstance().getSecurityManager();
              user = sm.authenticate(userName, password);
            } catch (final AuthenticationException e) {
                logger.error("Unable to authenticate user: " + userName + " " + getLocation());
                return BooleanValue.FALSE;
            } catch (final EXistException e) {
                logger.error("Unable to authenticate user: " + userName + " " + getLocation(), e);

       
        if(!xmldbURL.hasUserInfo()){
            return null;
        }
       
        final SecurityManager secman = pool.getSecurityManager();
        try {
            return secman.authenticate(xmldbURL.getUsername(), xmldbURL.getPassword());
    } catch (final AuthenticationException e) {
          return null// authentication is failed
    }
    }

    }

    @Override
    public void addAccount(final Account u) throws XMLDBException {
   
        final SecurityManager manager = pool.getSecurityManager();
       
        if(!manager.hasAdminPrivileges(user)) {
            throw new XMLDBException(ErrorCodes.PERMISSION_DENIED, " you are not allowed to change this user");
        }
       
        if(manager.hasAccount(u.getName())) {
            throw new XMLDBException(ErrorCodes.VENDOR_ERROR, "user " + u.getName() + " exists");
        }
       
        try {
            executeWithBroker(new BrokerOperation<Void>(){
                @Override
                public Void withBroker(DBBroker broker) throws XMLDBException, LockException, PermissionDeniedException, IOException, EXistException, TriggerException {
                    manager.addAccount(u);
                    return null;
                }
            });
        } catch(final Exception e) {
            throw new XMLDBException(ErrorCodes.PERMISSION_DENIED, e.getMessage(), e);

        }
    }

    @Override
    public void addGroup(final Group group) throws XMLDBException {
        final SecurityManager manager = pool.getSecurityManager();
   
        if(!manager.hasAdminPrivileges(user)) {
            throw new XMLDBException(ErrorCodes.PERMISSION_DENIED, " you are not allowed to add role");
        }

        if(manager.hasGroup(group.getName())) {
            throw new XMLDBException(ErrorCodes.VENDOR_ERROR, "group '" + group.getName() + "' exists");
        }
   
        try {
            executeWithBroker(new BrokerOperation<Void>(){
                @Override
                public Void withBroker(DBBroker broker) throws XMLDBException, LockException, PermissionDeniedException, IOException, EXistException, TriggerException {
                    manager.addGroup(group);
                    return null;
                }
            });
        } catch(final Exception e) {
            throw new XMLDBException(ErrorCodes.PERMISSION_DENIED, e.getMessage(), e);

        }
    }

    @Override
    public void setUserPrimaryGroup(final String username, final String groupName) throws XMLDBException {
        final SecurityManager manager = pool.getSecurityManager();
   
        if(!manager.hasGroup(groupName)) {
            throw new XMLDBException(ErrorCodes.PERMISSION_DENIED, "Group '" + groupName + "' does not exist!");
        }
       
        if(!manager.hasAdminPrivileges(user)) {
            throw new XMLDBException(ErrorCodes.PERMISSION_DENIED, "Not allowed to modify user");
        }
   
        try {
            executeWithBroker(new BrokerOperation<Void>(){
                @Override
                public Void withBroker(final DBBroker broker) throws XMLDBException, LockException, PermissionDeniedException, IOException, EXistException, TriggerException {
                    final Account account = manager.getAccount(username);
                    final Group group = manager.getGroup(groupName);
                    account.setPrimaryGroup(group);
                    manager.updateAccount(account);
                    return null;
                }
            });
        } catch(final Exception e) {
            throw new XMLDBException(ErrorCodes.PERMISSION_DENIED, e.getMessage(), e);

                        public Void modify(DocumentImpl document) throws PermissionDeniedException, SyntaxException, LockException {
                            if(!document.getPermissions().validate(user, Permission.WRITE)) {
                                throw new PermissionDeniedException("User is not allowed to lock resource " + resourceId);
                            }

                            final SecurityManager manager = broker.getBrokerPool().getSecurityManager();
                            if(!(user.equals(u) || manager.hasAdminPrivileges(user))) {
                                throw new PermissionDeniedException("User " + user.getName() + " is not allowed to lock resource '" + resourceId + "' for user " + u.getName());
                            }

                            final Account lockOwner = document.getUserLock();

                            if(lockOwner != null) {
                                if(lockOwner.equals(u)) {
                                    return null;
                                } else if(!manager.hasAdminPrivileges(user)) {
                                    throw new PermissionDeniedException("Resource '" + resourceId + "' is already locked by user " + lockOwner.getName());
                                }
                            }

                            document.setUserLock(u);
