Framework/Another Lore2009. 4. 30. 11:26

Permissions encompass the restrictions imposed by any access control restrictions that may be in effect upon the content of a repository, either implementation specific or JCR-defined

In repositories that support Access Control this will include the restrictions governed by privileges but may also include any additional policy-internal refinements with effects too fine-grained to be exposed through privilege discovery


Permissions are reported through
     boolean Session.hasPermission(String absPath, String actions)

which returns true if this Session has permission to perform all of the specified actions at the specified absPath and returns false otherwise. Similarly, void Session.checkPermission(String absPath, String actions) throws an AccessDeniedException if the this Session does not have permission to perform the specified actions and returns quietly if it does.


The actions parameter is a comma separated list of action strings, of which there are four, defined as follows:

  create: The permission to add a node at absPath.
  update: The permission to set (add or change) a property at absPath.
  delete: The permission to remove an item at absPath.
  read: The permission to retrieve (and read the value of, in the case of a property) an item at absPath.


The permission actions add_node, set_property and remove will only be relevant in a writable repository. In a read-only repository they will always return false. The information returned through these methods only reflects access controlrelated restrictions, not other kinds of restrictions such as node type constraints.

For example, even though hasPermission may indicate that a particular Session may add a property at /A/B/C, the node type of the node at /A/B may prevent the addition of a property called C.

SampleCode

package com.bleujin.lore.core.security;

import com.bleujin.lore.addon.security.Group;
import com.bleujin.lore.addon.security.IResource;
import com.bleujin.lore.addon.security.IUser;
import com.bleujin.lore.addon.security.Member;
import com.bleujin.lore.addon.security.UserAuthority;
import com.bleujin.lore.addon.security.UserAuthority.Range;
import com.bleujin.lore.addon.security.UserAuthority.Type;
import com.bleujin.lore.core.TestCaseParent;
import com.bleujin.lore.core.exception.ALRepositoryException;
import com.bleujin.lore.core.node.Node;

public class TestSecurity extends TestCaseParent {

  private Group adminGroup = new Group("admin");
  private Group normalGroup = new Group("normal");
  private Member bleujin = new Member("bleujin");

  private Node lvl1 = null;
  private Node lvl2 = null;

  private NodeResource lvl1Resource = null;
  private NodeResource lvl2Resource = null;
  private TransientSecurityFilter sf = null;
  private AuthoritySetting setting = AuthoritySetting.createDefault() ;

  public void setUp() throws Exception {
    super.setUp();

    lvl1 = createNode(objectType, "level1");
    lvl2 = createNode(lvl1, objectType, "level2");

    lvl1Resource = new NodeResource(lvl1);
    lvl2Resource = new NodeResource(lvl2);

    sf = new TransientSecurityFilter(setting);
  }

  private boolean isAllowed(IResource resource, IUser user, NodeAction actionthrows ALRepositoryException{
    return sf.isAllowed(resource, user, action;
  }
  
  public void testResourceInherit() throws Exception {
    setting.add(new UserAuthority(lvl1Resource, bleujin, setting.readAuthority(), Range.ONLY_THIS_RESOURCE, Type.GRANT));

    assertEquals(true, isAllowed(lvl1Resource, bleujin, NodeAction.create("read")));
    assertEquals(false, isAllowed(lvl2Resource, bleujin, NodeAction.create("read")));

    // test include Sub
    setting.add(new UserAuthority(lvl1Resource, bleujin, setting.readAuthority(), Range.INCLUDE_SUB_RESOURCE, Type.GRANT))// inherit..
    assertEquals(true, isAllowed(lvl2Resource, bleujin, NodeAction.create("read")));

    UserAuthority lvl2Revoke = new UserAuthority(lvl2Resource, bleujin, setting.readAuthority(), Range.ONLY_THIS_RESOURCE, Type.REVOKE);
    setting.add(lvl2Revoke);
    assertEquals(false, isAllowed(lvl2Resource, bleujin, NodeAction.create("read")));

  }

  public void testEqual() throws Exception {
    setting.add(new UserAuthority(lvl2Resource, bleujin, setting.readAuthority(), Range.ONLY_THIS_RESOURCE, Type.GRANT));
    assertEquals(true, isAllowed(lvl2Resource, bleujin, NodeAction.create("read")));

    setting.remove(new UserAuthority(lvl2Resource, bleujin, setting.readAuthority(), Range.ONLY_THIS_RESOURCE, Type.REVOKE));
    assertEquals(true, isAllowed(lvl2Resource, bleujin, NodeAction.create("read")));
  }

  public void testAuthorityInherit() throws Exception {
    setting.add(new UserAuthority(lvl1Resource, bleujin, setting.managerAuthority(), Range.INCLUDE_SUB_RESOURCE, Type.GRANT));
    bleujin = new Member("bleujin");
    assertEquals(true, isAllowed(lvl2Resource, bleujin, NodeAction.create("read")));
    assertEquals(true, isAllowed(lvl2Resource, bleujin, NodeAction.create("write")));

    setting.add(new UserAuthority(lvl2Resource, bleujin, setting.readAuthority(), Range.INCLUDE_SUB_RESOURCE, Type.REVOKE));
    assertEquals(true, isAllowed(lvl1Resource, bleujin, NodeAction.create("read")));
    assertEquals(false, isAllowed(lvl2Resource, bleujin, NodeAction.create("read")));

    assertEquals(true, isAllowed(lvl1Resource, bleujin, NodeAction.create("write")));
  }

  public void testUserInherit() throws Exception {
    setting.add(new UserAuthority(lvl1Resource, adminGroup, setting.managerAuthority(), Range.INCLUDE_SUB_RESOURCE, Type.GRANT));
    assertEquals(true, isAllowed(lvl1Resource, adminGroup, NodeAction.create("read")));
    assertEquals(true, isAllowed(lvl1Resource, adminGroup, NodeAction.create("read")));
    assertEquals(false, isAllowed(lvl1Resource, bleujin, NodeAction.create("manager")));
    assertEquals(false, isAllowed(lvl1Resource, bleujin, NodeAction.create("read")));
    assertEquals(false, isAllowed(lvl2Resource, bleujin, NodeAction.create("read")));
    assertEquals(false, isAllowed(lvl2Resource, bleujin, NodeAction.create("write")));

    bleujin = new Member("bleujin");
    bleujin.partIn(adminGroup);

    assertEquals(true, isAllowed(lvl1Resource, bleujin, NodeAction.create("read")));
    assertEquals(true, isAllowed(lvl2Resource, bleujin, NodeAction.create("read")));
    assertEquals(true, isAllowed(lvl1Resource, adminGroup, NodeAction.create("read")));
    assertEquals(true, isAllowed(lvl1Resource, adminGroup, NodeAction.create("read")));
    assertEquals(true, isAllowed(lvl2Resource, bleujin, NodeAction.create("write")));
  }

  public void testMultiGroup() throws Exception {
    // adminGroup <- bleujin
    // normalGroup <- bleujin
    setting.add(new UserAuthority(lvl1Resource, adminGroup, setting.managerAuthority(), Range.INCLUDE_SUB_RESOURCE, Type.GRANT));
    assertEquals(true, isAllowed(lvl1Resource, adminGroup, NodeAction.create("read")));
    assertEquals(false, isAllowed(lvl2Resource, bleujin, NodeAction.create("read")));

    bleujin.partIn(adminGroup);
    assertEquals(true, isAllowed(lvl2Resource, bleujin, NodeAction.create("read")));

    setting.add(new UserAuthority(lvl2Resource, normalGroup, setting.managerAuthority(), Range.INCLUDE_SUB_RESOURCE, Type.REVOKE));
    assertEquals(true, isAllowed(lvl2Resource, bleujin, NodeAction.create("write")));

    bleujin.partIn(normalGroup);
    assertEquals(true, isAllowed(lvl1Resource, bleujin, NodeAction.create("write")));
    assertEquals(false, isAllowed(lvl2Resource, bleujin, NodeAction.create("write")));

    normalGroup = new Group("normal");
    bleujin.dropOut(normalGroup);
    assertEquals(true, isAllowed(lvl2Resource, bleujin, NodeAction.create("write")));
  }

  public void testGroup() throws Exception {
    // adminGroup <- normarGroup <- bleujin
    setting.add(new UserAuthority(lvl1Resource, adminGroup, setting.managerAuthority(), Range.INCLUDE_SUB_RESOURCE, Type.GRANT));
    setting.add(new UserAuthority(lvl2Resource, normalGroup, setting.managerAuthority(), Range.INCLUDE_SUB_RESOURCE, Type.REVOKE));
    assertEquals(true, isAllowed(lvl1Resource, adminGroup, NodeAction.create("read")));
    assertEquals(false, isAllowed(lvl2Resource, bleujin, NodeAction.create("read")));

    bleujin.partIn(adminGroup);
    assertEquals(true, isAllowed(lvl2Resource, bleujin, NodeAction.create("read")));

    normalGroup.partIn(adminGroup);
    assertEquals(true, isAllowed(lvl2Resource, bleujin, NodeAction.create("read")));

    bleujin.partIn(normalGroup);
    assertEquals(true, isAllowed(lvl1Resource, bleujin, NodeAction.create("read")));
    assertEquals(false, isAllowed(lvl2Resource, bleujin, NodeAction.create("read")));
  }
}


'Framework > Another Lore' 카테고리의 다른 글

read & write  (0) 2009.06.25
최근에 책을 읽다가..  (0) 2009.06.11
AL : 현재의 난제들  (0) 2009.04.30
AL : Workspace  (0) 2009.04.28
AL : Property Type Conversion  (0) 2009.04.26
Posted by bleujin