Framework/Another Lore2009. 4. 30. 11:26

AL : Permission


Permissions encompass the restrictions imposed by any access control restrictions that may be in effect upon the content of a repository, either implementation specific or JCR-defined

In repositories that support Access Control this will include the restrictions governed by privileges but may also include any additional policy-internal refinements with effects too fine-grained to be exposed through privilege discovery


Permissions are reported through
     boolean Session.hasPermission(String absPath, String actions)

which returns true if this Session has permission to perform all of the specified actions at the specified absPath and returns false otherwise. Similarly, void Session.checkPermission(String absPath, String actions) throws an AccessDeniedException if the this Session does not have permission to perform the specified actions and returns quietly if it does.


The actions parameter is a comma separated list of action strings, of which there are four, defined as follows:

  create: The permission to add a node at absPath.
  update: The permission to set (add or change) a property at absPath.
  delete: The permission to remove an item at absPath.
  read: The permission to retrieve (and read the value of, in the case of a property) an item at absPath.


The permission actions add_node, set_property and remove will only be relevant in a writable repository. In a read-only repository they will always return false. The information returned through these methods only reflects access controlrelated restrictions, not other kinds of restrictions such as node type constraints.

For example, even though hasPermission may indicate that a particular Session may add a property at /A/B/C, the node type of the node at /A/B may prevent the addition of a property called C.

SampleCode

package com.bleujin.lore.core.security;

import com.bleujin.lore.addon.security.Group;
import com.bleujin.lore.addon.security.IResource;
import com.bleujin.lore.addon.security.IUser;
import com.bleujin.lore.addon.security.Member;
import com.bleujin.lore.addon.security.UserAuthority;
import com.bleujin.lore.addon.security.UserAuthority.Range;
import com.bleujin.lore.addon.security.UserAuthority.Type;
import com.bleujin.lore.core.TestCaseParent;
import com.bleujin.lore.core.exception.ALRepositoryException;
import com.bleujin.lore.core.node.Node;

public class TestSecurity extends TestCaseParent {

  private Group adminGroup = new Group("admin");
  private Group normalGroup = new Group("normal");
  private Member bleujin = new Member("bleujin");

  private Node lvl1 = null;
  private Node lvl2 = null;

  private NodeResource lvl1Resource = null;
  private NodeResource lvl2Resource = null;
  private TransientSecurityFilter sf = null;
  private AuthoritySetting setting = AuthoritySetting.createDefault() ;

  public void setUp() throws Exception {
    super.setUp();

    lvl1 = createNode(objectType, "level1");
    lvl2 = createNode(lvl1, objectType, "level2");

    lvl1Resource = new NodeResource(lvl1);
    lvl2Resource = new NodeResource(lvl2);

    sf = new TransientSecurityFilter(setting);
  }

  private boolean isAllowed(IResource resource, IUser user, NodeAction actionthrows ALRepositoryException{
    return sf.isAllowed(resource, user, action;
  }
  
  public void testResourceInherit() throws Exception {
    setting.add(new UserAuthority(lvl1Resource, bleujin, setting.readAuthority(), Range.ONLY_THIS_RESOURCE, Type.GRANT));

    assertEquals(true, isAllowed(lvl1Resource, bleujin, NodeAction.create("read")));
    assertEquals(false, isAllowed(lvl2Resource, bleujin, NodeAction.create("read")));

    // test include Sub
    setting.add(new UserAuthority(lvl1Resource, bleujin, setting.readAuthority(), Range.INCLUDE_SUB_RESOURCE, Type.GRANT))// inherit..
    assertEquals(true, isAllowed(lvl2Resource, bleujin, NodeAction.create("read")));

    UserAuthority lvl2Revoke = new UserAuthority(lvl2Resource, bleujin, setting.readAuthority(), Range.ONLY_THIS_RESOURCE, Type.REVOKE);
    setting.add(lvl2Revoke);
    assertEquals(false, isAllowed(lvl2Resource, bleujin, NodeAction.create("read")));

  }

  public void testEqual() throws Exception {
    setting.add(new UserAuthority(lvl2Resource, bleujin, setting.readAuthority(), Range.ONLY_THIS_RESOURCE, Type.GRANT));
    assertEquals(true, isAllowed(lvl2Resource, bleujin, NodeAction.create("read")));

    setting.remove(new UserAuthority(lvl2Resource, bleujin, setting.readAuthority(), Range.ONLY_THIS_RESOURCE, Type.REVOKE));
    assertEquals(true, isAllowed(lvl2Resource, bleujin, NodeAction.create("read")));
  }

  public void testAuthorityInherit() throws Exception {
    setting.add(new UserAuthority(lvl1Resource, bleujin, setting.managerAuthority(), Range.INCLUDE_SUB_RESOURCE, Type.GRANT));
    bleujin = new Member("bleujin");
    assertEquals(true, isAllowed(lvl2Resource, bleujin, NodeAction.create("read")));
    assertEquals(true, isAllowed(lvl2Resource, bleujin, NodeAction.create("write")));

    setting.add(new UserAuthority(lvl2Resource, bleujin, setting.readAuthority(), Range.INCLUDE_SUB_RESOURCE, Type.REVOKE));
    assertEquals(true, isAllowed(lvl1Resource, bleujin, NodeAction.create("read")));
    assertEquals(false, isAllowed(lvl2Resource, bleujin, NodeAction.create("read")));

    assertEquals(true, isAllowed(lvl1Resource, bleujin, NodeAction.create("write")));
  }

  public void testUserInherit() throws Exception {
    setting.add(new UserAuthority(lvl1Resource, adminGroup, setting.managerAuthority(), Range.INCLUDE_SUB_RESOURCE, Type.GRANT));
    assertEquals(true, isAllowed(lvl1Resource, adminGroup, NodeAction.create("read")));
    assertEquals(true, isAllowed(lvl1Resource, adminGroup, NodeAction.create("read")));
    assertEquals(false, isAllowed(lvl1Resource, bleujin, NodeAction.create("manager")));
    assertEquals(false, isAllowed(lvl1Resource, bleujin, NodeAction.create("read")));
    assertEquals(false, isAllowed(lvl2Resource, bleujin, NodeAction.create("read")));
    assertEquals(false, isAllowed(lvl2Resource, bleujin, NodeAction.create("write")));

    bleujin = new Member("bleujin");
    bleujin.partIn(adminGroup);

    assertEquals(true, isAllowed(lvl1Resource, bleujin, NodeAction.create("read")));
    assertEquals(true, isAllowed(lvl2Resource, bleujin, NodeAction.create("read")));
    assertEquals(true, isAllowed(lvl1Resource, adminGroup, NodeAction.create("read")));
    assertEquals(true, isAllowed(lvl1Resource, adminGroup, NodeAction.create("read")));
    assertEquals(true, isAllowed(lvl2Resource, bleujin, NodeAction.create("write")));
  }

  public void testMultiGroup() throws Exception {
    // adminGroup <- bleujin
    // normalGroup <- bleujin
    setting.add(new UserAuthority(lvl1Resource, adminGroup, setting.managerAuthority(), Range.INCLUDE_SUB_RESOURCE, Type.GRANT));
    assertEquals(true, isAllowed(lvl1Resource, adminGroup, NodeAction.create("read")));
    assertEquals(false, isAllowed(lvl2Resource, bleujin, NodeAction.create("read")));

    bleujin.partIn(adminGroup);
    assertEquals(true, isAllowed(lvl2Resource, bleujin, NodeAction.create("read")));

    setting.add(new UserAuthority(lvl2Resource, normalGroup, setting.managerAuthority(), Range.INCLUDE_SUB_RESOURCE, Type.REVOKE));
    assertEquals(true, isAllowed(lvl2Resource, bleujin, NodeAction.create("write")));

    bleujin.partIn(normalGroup);
    assertEquals(true, isAllowed(lvl1Resource, bleujin, NodeAction.create("write")));
    assertEquals(false, isAllowed(lvl2Resource, bleujin, NodeAction.create("write")));

    normalGroup = new Group("normal");
    bleujin.dropOut(normalGroup);
    assertEquals(true, isAllowed(lvl2Resource, bleujin, NodeAction.create("write")));
  }

  public void testGroup() throws Exception {
    // adminGroup <- normarGroup <- bleujin
    setting.add(new UserAuthority(lvl1Resource, adminGroup, setting.managerAuthority(), Range.INCLUDE_SUB_RESOURCE, Type.GRANT));
    setting.add(new UserAuthority(lvl2Resource, normalGroup, setting.managerAuthority(), Range.INCLUDE_SUB_RESOURCE, Type.REVOKE));
    assertEquals(true, isAllowed(lvl1Resource, adminGroup, NodeAction.create("read")));
    assertEquals(false, isAllowed(lvl2Resource, bleujin, NodeAction.create("read")));

    bleujin.partIn(adminGroup);
    assertEquals(true, isAllowed(lvl2Resource, bleujin, NodeAction.create("read")));

    normalGroup.partIn(adminGroup);
    assertEquals(true, isAllowed(lvl2Resource, bleujin, NodeAction.create("read")));

    bleujin.partIn(normalGroup);
    assertEquals(true, isAllowed(lvl1Resource, bleujin, NodeAction.create("read")));
    assertEquals(false, isAllowed(lvl2Resource, bleujin, NodeAction.create("read")));
  }
}


저작자표시비영리변경금지

'Framework > Another Lore' 카테고리의 다른 글

read & write  (0) 2009.06.25
최근에 책을 읽다가..  (0) 2009.06.11
AL : Permission  (1) 2009.04.30
AL : 현재의 난제들  (0) 2009.04.30
AL : Workspace  (0) 2009.04.28
AL : Property Type Conversion  (0) 2009.04.26
Posted by bleujin
Trackback 0 Comment 1

댓글을 달아 주세요

  1. Mujer Timberland

    Le maire de Bordeaux et ministre de la Défense Alain Juppé a estimé sur son blog qu'il fallait "abandonner purement et simplement" les 35H comme "une vieille idée du siècle dernier, http://www.timberlandbaratas.com Hombre Timberland, en complet décalage avec la réalité économique d'aujourd'hui", http://www.timberlandbaratas.com zapatos timberland. Politique Amara nommée inspectrice générale des Affaires sociales Politique Hippodrome de Compiègne: décision d'un commun accord Agriculture/Bercy (Matignon)Related articles:


    http://blog.yagom.net/415 En attendant l'annonce d'un second épisode

    http://dkfj3423.tistory.com/?page=3 Au lendemain du décès d'un disc-jockey de 33 ans battu à mort au Blanc-Mesnil (Seine-Saint-Denis)

    2012.12.25 13:47 [ ADDR : EDIT/ DEL : REPLY ]