com.jalios.jcms.accesscontrol

Class AccessControlManager

java.lang.Object

com.jalios.jcms.ChannelListener

com.jalios.jcms.accesscontrol.AccessControlManager

All Implemented Interfaces:

AccessControlConstants, PluginComponent, StoreListener, JPropertiesListener, java.lang.Comparable

public class AccessControlManager
extends ChannelListener
implements JPropertiesListener, AccessControlConstants, StoreListener

Manager of Access Control in JCMS.

Since:

jcms-7.0

Version:

$Revision: 125539 $

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	REVISION

Fields inherited from class com.jalios.jcms.ChannelListener

order

Fields inherited from interface com.jalios.jcms.accesscontrol.AccessControlConstants

ADMIN_RESOURCE, CTXT_DATA, CTXT_WORKSPACE, DBMBR_EDIT_RESOURCE, GRP_EDIT_RESOURCE, MBR_EDIT_RESOURCE, WORKSPACE_ADMIN_RESOURCE, WS_EDIT_RESOURCE, WSGRP_EDIT_RESOURCE, WSMBR_EDIT_RESOURCE

Method Summary

Modifier and Type	Method and Description
boolean	checkAccess(Member member, java.lang.String resource, java.util.Map<java.lang.String,java.lang.Object> context) Check if the specified member is authorized to access the specified resource.
boolean	checkAccessIfAclExists(Member member, java.lang.String resource, java.util.Map<java.lang.String,java.lang.Object> context) Check if the specified member is authorized to access the specified resource IF AND ONLY IF resource has been configured.
java.util.Set<java.lang.String>	getDeclaredResources() Retrieve the resources declared in properties.
static AccessControlManager	getInstance()
java.util.Set<java.lang.String>	getValidResources() Retrieve the resources allowed to be accessed (those declared in properties and the associated zone).
void	handleCommitUpdate(Storable acl, Storable oldAcl, boolean firstTime) This method gets called when after a storable has been updated.
void	handleCreate(Storable acl, boolean firstTime) This method gets called when a storable is created.
void	handleDelete(Storable acl, boolean firstTime) This method gets called when a storable is deleted.
void	handleFinalize() Called when the channel is finalized
void	handlePrepareUpdate(Storable acl, java.util.Map<java.lang.String,java.lang.String> attributes, boolean firstTime) This method gets called when before a storable will be updated.
void	init()
void	initAfterStoreLoad() Called just after the store has been loaded and the channel has been initialized.
void	initBeforeStoreLoad() Called just before the store has been loaded.
protected static boolean	internalCheckWorkspaceDataAccess(java.lang.String resource, Group aclGroup, Workspace ws, Data data, Member mbr) This method is invoked when a Data ACL has been granted for a member, in such case, we check the minimum requirement to validate the authorization or not.
void	propertiesChange(JProperties properties) Invoked after properties have been modified in JCMS and save on disk.
void	reloadProperties()

Methods inherited from class com.jalios.jcms.ChannelListener

compareTo, equals, init, initAfterStartup

Methods inherited from class java.lang.Object

clone, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

REVISION

public static final java.lang.String REVISION

See Also:

Constant Field Values

Method Detail

getInstance

public static AccessControlManager getInstance()

init

public void init()

reloadProperties

public void reloadProperties()

propertiesChange

public void propertiesChange(JProperties properties)

Description copied from interface: JPropertiesListener

Invoked after properties have been modified in JCMS and save on disk.

You cannot alter the value received in parameters.

Specified by:

propertiesChange in interface JPropertiesListener

Parameters:

properties - the properties which have been modified (may not contain all JCMS properties)

initBeforeStoreLoad

public void initBeforeStoreLoad()
                         throws java.lang.Exception

Description copied from class: ChannelListener

Called just before the store has been loaded. If for any reason you want to interrupt JCMS startup, you can throw an exception. The exception's message will be displayed in JCMS status page (to any user!).

Specified by:

initBeforeStoreLoad in class ChannelListener

Throws:

java.lang.Exception - any exception you may want to throw if a problem occurs needing to interrupt JCMS startup.

initAfterStoreLoad

public void initAfterStoreLoad()
                        throws java.lang.Exception

Description copied from class: ChannelListener

Called just after the store has been loaded and the channel has been initialized. If for any reason you want to interrupt JCMS startup, you can throw an exception. The exception's message will be displayed in JCMS status page (to any user!).

Specified by:

initAfterStoreLoad in class ChannelListener

Throws:

java.lang.Exception - any exception you may want to throw if a problem occurs needing to interrupt JCMS startup.

handleFinalize

public void handleFinalize()

Description copied from class: ChannelListener

Called when the channel is finalized

Specified by:

handleFinalize in class ChannelListener

handleCreate

public void handleCreate(Storable acl,
                         boolean firstTime)

Description copied from interface: StoreListener

This method gets called when a storable is created.

Specified by:

handleCreate in interface StoreListener

Parameters:

acl - the storable

firstTime - true if it is the first time this operation is processed

handlePrepareUpdate

public void handlePrepareUpdate(Storable acl,
                                java.util.Map<java.lang.String,java.lang.String> attributes,
                                boolean firstTime)

Description copied from interface: StoreListener

This method gets called when before a storable will be updated.
deprecated It should not be used anymore and will be removed from future version.

Specified by:

handlePrepareUpdate in interface StoreListener

Parameters:

acl - the storable

attributes - the attributes to update

firstTime - true if it is the first time this operation is processed

handleCommitUpdate

public void handleCommitUpdate(Storable acl,
                               Storable oldAcl,
                               boolean firstTime)

Description copied from interface: StoreListener

This method gets called when after a storable has been updated.

Specified by:

handleCommitUpdate in interface StoreListener

Parameters:

acl - the storable, this instance is the object that was created at first and that will be stored in jcms until deletion of the storable with this ID. You should always manipulate this object if you maintain any index.

oldAcl - the previous version of the storable, it is a clone, do not use in any index, it should only be used to access old values.

firstTime - true if it is the first time this operation is processed

handleDelete

public void handleDelete(Storable acl,
                         boolean firstTime)

Description copied from interface: StoreListener

This method gets called when a storable is deleted.

Specified by:

handleDelete in interface StoreListener

Parameters:

acl - the storable

firstTime - true if it is the first time this operation is processed

getDeclaredResources

public java.util.Set<java.lang.String> getDeclaredResources()

Retrieve the resources declared in properties.

Returns:

a Set of resource path.

getValidResources

public java.util.Set<java.lang.String> getValidResources()

Retrieve the resources allowed to be accessed (those declared in properties and the associated zone).

Returns:

a Set of resource path.

checkAccess

public boolean checkAccess(Member member,
                           java.lang.String resource,
                           java.util.Map<java.lang.String,java.lang.Object> context)

Check if the specified member is authorized to access the specified resource.

A valid context map containing the current Workspace is required for all access check on workspace resources (eg resource starting with "admin-ws/" as defined by "admin-ws".
Use utility method for easier invocation :

  boolean isAuthorized = AccessControlManager.checkAccess(loggedMember, "admin-ws/types/content", AccessControlUtil.getContext(workspace));
 

A valid context map containing the current Data being edited is required for all access to data resource (as declared in properties). Use utility method for easier invocation :

   Map<String,Object> aclContext = AccessControlUtil.getContext(null, AccessControlConstants.CTXT_DATA, someMemberBeingEdited);
  boolean isAuthorized = AccessControlManager.checkAccess(loggedMember, "admin/users/member", aclContext);
 

Parameters:

member - a Member

resource - a resource URI using a path representation, eg "admin/dev/store-cleaner"

context - an optional context map containing relevant information such as workspace or data

Returns:

true if the access is authorized, false otherwise

Since:

jcms-7.0.0

internalCheckWorkspaceDataAccess

protected static boolean internalCheckWorkspaceDataAccess(java.lang.String resource,
                                                          Group aclGroup,
                                                          Workspace ws,
                                                          Data data,
                                                          Member mbr)

This method is invoked when a Data ACL has been granted for a member, in such case, we check the minimum requirement to validate the authorization or not.

Parameters:

resource - the resource which granted the edit authorization check

aclGroup - Group to which the ACL edit authorization was attached

ws - the current Workspace in which it is being edited

data - the Data being edited

mbr - the Member editing

Returns:

is the authorization is validated or not

Since:

jcms-7.0.0

checkAccessIfAclExists

public boolean checkAccessIfAclExists(Member member,
                                      java.lang.String resource,
                                      java.util.Map<java.lang.String,java.lang.Object> context)

Check if the specified member is authorized to access the specified resource IF AND ONLY IF resource has been configured.

This method ONLY performs the ACL check when the specified resource has been configured on at least one AccessControlList, if resource has not been specified explicitely in any AccessControlList, access is AUTHORIZED..

DO NOT use this method for any security related resource that MUST be enforced by an implicit or explicit assignement of the ACL resource to a user. In such case, use checkAccess(Member, String, Map).

Access is always denied to anonymous user.

Parameters:

member - a Member

resource - a resource URI using a path representation, eg "admin/dev/store-cleaner"

context - an optional context map containing relevant information such as workspace or data

Returns:

true if the access is authorized, false otherwise

Since:

jcms-10.0.4 / JCMS-7996