systems.dmx.accesscontrol

Class AccessControlPlugin

java.lang.Object

systems.dmx.core.osgi.PluginActivator

systems.dmx.accesscontrol.AccessControlPlugin

All Implemented Interfaces:

org.osgi.framework.BundleActivator, AccessControlService, ConfigCustomizer, PluginContext, CheckAssocReadAccess, CheckAssocWriteAccess, CheckTopicReadAccess, CheckTopicWriteAccess, PostCreateAssoc, PostCreateTopic, PostUpdateAssoc, PostUpdateTopic, PreCreateAssoc, PreUpdateTopic, ServiceRequestFilter, StaticResourceFilter, EventListener, CheckDiskQuota

public class AccessControlPlugin
extends PluginActivator
implements AccessControlService, ConfigCustomizer, CheckTopicReadAccess, CheckTopicWriteAccess, CheckAssocReadAccess, CheckAssocWriteAccess, PreCreateAssoc, PreUpdateTopic, PostCreateTopic, PostCreateAssoc, PostUpdateTopic, PostUpdateAssoc, ServiceRequestFilter, StaticResourceFilter, CheckDiskQuota

Field Summary

Fields inherited from class systems.dmx.core.osgi.PluginActivator

bundle, dmx, mf

Fields inherited from interface systems.dmx.accesscontrol.AccessControlService

ADMIN_INITIAL_PASSWORD, ADMIN_USERNAME, ADMIN_WORKSPACE_NAME, ADMIN_WORKSPACE_SHARING_MODE, ADMIN_WORKSPACE_URI, DEFAULT_PRIVATE_WORKSPACE_NAME, SYSTEM_WORKSPACE_NAME, SYSTEM_WORKSPACE_SHARING_MODE, SYSTEM_WORKSPACE_URI

Constructor Summary

Constructors

Constructor and Description
AccessControlPlugin()

Method Summary

Modifier and Type	Method and Description
Topic	_createUserAccount(Credentials cred) Creates an user account.
List<RelatedTopic>	bulkUpdateMemberships(long workspaceId, IdList addUserIds, IdList removeUserIds)
List<RelatedTopic>	bulkUpdateMemberships(String username, IdList addWorkspaceIds, IdList removeWorkspaceIds)
void	checkAdmin() Checks if the current user is a DMX admin and throws AccessControlException if not.
void	checkAssocReadAccess(long assocId)
void	checkAssocWriteAccess(long assocId)
void	checkDiskQuota(String username, long fileSize, long diskQuota)
void	checkTopicReadAccess(long topicId)
void	checkTopicWriteAccess(long topicId)
void	createMembership(String username, long workspaceId) Makes the given user a member of the given workspace.
Topic	createUserAccount(Credentials cred) Creates an user account.
Topic	createUsername(String username) Creates a Username topic and a private workspace.
void	enrichWithOwnerInfo(Topic workspace) Retrieves the OWNER and stores it in the given topic's model (under synthetic child type URI dmx.accesscontrol.owner).
void	enrichWithUserInfo(DMXObject object) Retrieves the CREATOR/MODIFIER usernames and stores them in the given object's model (under synthetic child type URIs dmx.accesscontrol.creator and dmx.accesscontrol.modifier).
long	getAdminWorkspaceId()
Collection<Assoc>	getAssocsByCreator(String username)
Collection<Assoc>	getAssocsByOwner(String username)
Set<String>	getAuthorizationMethods() Returns the names of all authorization methods, as registered by AccessControlService.registerAuthorizationMethod(java.lang.String, systems.dmx.accesscontrol.AuthorizationMethod).
TopicModel	getConfigValue(Topic topic)
String	getCreator(long objectId) Returns the creator of a topic or an association.
Assoc	getMembership(String username, long workspaceId)
List<RelatedTopic>	getMemberships(long workspaceId) Returns the members of the given workspace.
List<RelatedTopic>	getMemberships(String username) Returns the workspaces of the given user.
String	getModifier(long objectId) Returns the modifier of a topic or an association.
Permissions	getPermissions(long objectId)
Topic	getPrivateWorkspace() Returns the private workspace of the logged in user.
Collection<Topic>	getTopicsByCreator(String username)
Collection<Topic>	getTopicsByOwner(String username)
String	getUsername() Returns the username of the logged in user.
Topic	getUsernameTopic() Returns the "Username" topic of the logged in user.
Topic	getUsernameTopic(String username) Returns the "Username" topic for the specified username.
String	getWorkspaceOwner(long workspaceId) Returns the owner of a workspace.
boolean	isMember(String username, long workspaceId) Checks if a user is a member of the given workspace.
void	login() Checks whether the credentials in the authorization string match an existing User Account, and if so, creates an HTTP session.
void	logout() Logs the user out.
void	postCreateAssoc(Assoc assoc)
void	postCreateTopic(Topic topic)
void	postUpdateAssoc(Assoc assoc, ChangeReport report, AssocModel updateModel)
void	postUpdateTopic(Topic topic, ChangeReport report, TopicModel updateModel)
void	preCreateAssoc(AssocModel assoc)
void	preInstall()
void	preUpdateTopic(Topic topic, TopicModel updateModel)
void	registerAuthorizationMethod(String name, AuthorizationMethod am) Registers an authorization method under the given name, e.g.
void	serviceRequestFilter(com.sun.jersey.spi.container.ContainerRequest containerRequest)
void	setWorkspaceOwner(Topic workspace, String username) Sets the owner of a workspace.
void	shutdown()
void	staticResourceFilter(javax.servlet.http.HttpServletRequest servletRequest, javax.servlet.http.HttpServletResponse servletResponse)
void	unregisterAuthorizationMethod(String name) Unregisters the authorization method that has been registered under the given name.

Methods inherited from class systems.dmx.core.osgi.PluginActivator

getBundleContext, getPluginName, getStaticResource, getUri, init, publishFileSystem, serviceArrived, serviceGone, setCoreService, start, stop, toString

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Detail

AccessControlPlugin

public AccessControlPlugin()

Method Detail

login

public void login()

Description copied from interface: AccessControlService

Checks whether the credentials in the authorization string match an existing User Account, and if so, creates an HTTP session. ### FIXDOC

Specified by:

login in interface AccessControlService

logout

public void logout()

Description copied from interface: AccessControlService

Logs the user out. That is invalidating the session associated with the JSESSION ID cookie. For a "non-private" DM installation the response is 204 No Content. For a "private" DM installation the response is 401 Authorization Required. In this case the webclient is supposed to shutdown the DM GUI then. The webclient of a "private" DM installation must only be visible/usable when logged in.

Specified by:

logout in interface AccessControlService

getUsername

public String getUsername()

Description copied from interface: AccessControlService

Returns the username of the logged in user.

Specified by:

getUsername in interface AccessControlService

Returns:

The username, or null if no user is logged in.

getUsernameTopic

public Topic getUsernameTopic()

Description copied from interface: AccessControlService

Returns the "Username" topic of the logged in user.

Specified by:

getUsernameTopic in interface AccessControlService

Returns:

The "Username" topic (type dmx.accesscontrol.username), or null if no user is logged in.

getPrivateWorkspace

public Topic getPrivateWorkspace()

Description copied from interface: AccessControlService

Returns the private workspace of the logged in user.

Note: a user can have more than one private workspace. This method returns only the first one.

Specified by:

getPrivateWorkspace in interface AccessControlService

Returns:

The logged in user's private workspace (a topic of type "Workspace").

checkAdmin

public void checkAdmin()

Description copied from interface: AccessControlService

Checks if the current user is a DMX admin and throws AccessControlException if not. Note: if invoked as "System" no AccessControlException is thrown.

Specified by:

checkAdmin in interface AccessControlService

createUserAccount

public Topic createUserAccount(Credentials cred)

Description copied from interface: AccessControlService

Creates an user account. Only DMX admins are allowed to create user accounts.

Specified by:

createUserAccount in interface AccessControlService

Returns:

The "Username" topic of the created user account.

_createUserAccount

public Topic _createUserAccount(Credentials cred)
                         throws Exception

Description copied from interface: AccessControlService

Creates an user account. This is a privileged method: no permissions are checked.

Security: this method is not callable from outside as it has no REST interface. So the DMX platform is still secure. On the other hand, a 3rd-party plugin which provides a RESTful interface to this method is required to apply an additional authorization measure, e.g. a short-living access token sent via email.

Specified by:

_createUserAccount in interface AccessControlService

Returns:

The "Username" topic of the created user account.

Throws:

Exception

createUsername

public Topic createUsername(String username)

Description copied from interface: AccessControlService

Creates a Username topic and a private workspace. TODO: rename to createUsernameAndPrivateWorkspace?

Specified by:

createUsername in interface AccessControlService

Returns:

The created "Username" topic.

getUsernameTopic

public Topic getUsernameTopic(String username)

Description copied from interface: AccessControlService

Returns the "Username" topic for the specified username.

Specified by:

getUsernameTopic in interface AccessControlService

Parameters:

username - a username. Must not be null.

Returns:

The "Username" topic (type dmx.accesscontrol.username), or null if no such username exists.

getWorkspaceOwner

public String getWorkspaceOwner(long workspaceId)

Description copied from interface: AccessControlService

Returns the owner of a workspace.

Specified by:

getWorkspaceOwner in interface AccessControlService

Returns:

The username of the owner, or null if no owner is set.

setWorkspaceOwner

public void setWorkspaceOwner(Topic workspace,
                              String username)

Description copied from interface: AccessControlService

Sets the owner of a workspace. ### TODO: should take an ID instead a topic. ### Core service must be extended with a property setter.

Specified by:

setWorkspaceOwner in interface AccessControlService

enrichWithOwnerInfo

public void enrichWithOwnerInfo(Topic workspace)

Description copied from interface: AccessControlService

Retrieves the OWNER and stores it in the given topic's model (under synthetic child type URI dmx.accesscontrol.owner).

Specified by:

enrichWithOwnerInfo in interface AccessControlService

getMemberships

public List<RelatedTopic> getMemberships(String username)

Description copied from interface: AccessControlService

Returns the workspaces of the given user.

Specified by:

getMemberships in interface AccessControlService

Returns:

a list of Workspace topics. The "relating" part is the Membership association.

getMemberships

public List<RelatedTopic> getMemberships(long workspaceId)

Description copied from interface: AccessControlService

Returns the members of the given workspace.

Specified by:

getMemberships in interface AccessControlService

Returns:

a list of Username topics. The "relating" part is the Membership association.

isMember

public boolean isMember(String username,
                        long workspaceId)

Description copied from interface: AccessControlService

Checks if a user is a member of the given workspace.

Specified by:

isMember in interface AccessControlService

Parameters:

username - the user. If null is passed, false is returned. If an unknown username is passed an exception is thrown.

workspaceId - the workspace.

Returns:

true if the user is a member, false otherwise.

getMembership

public Assoc getMembership(String username,
                           long workspaceId)

Specified by:

getMembership in interface AccessControlService

Returns:

the Membership assoc between the given username and workspace, or null if the user is not a member.

createMembership

public void createMembership(String username,
                             long workspaceId)

Description copied from interface: AccessControlService

Makes the given user a member of the given workspace.

Specified by:

createMembership in interface AccessControlService

bulkUpdateMemberships

public List<RelatedTopic> bulkUpdateMemberships(String username,
                                                IdList addWorkspaceIds,
                                                IdList removeWorkspaceIds)

Specified by:

bulkUpdateMemberships in interface AccessControlService

Returns:

a list of Workspace topics. The "relating" part is the Membership association.

bulkUpdateMemberships

public List<RelatedTopic> bulkUpdateMemberships(long workspaceId,
                                                IdList addUserIds,
                                                IdList removeUserIds)

Specified by:

bulkUpdateMemberships in interface AccessControlService

Returns:

a list of Username topics. The "relating" part is the Membership association.

getAdminWorkspaceId

public long getAdminWorkspaceId()

Specified by:

getAdminWorkspaceId in interface AccessControlService

getPermissions

public Permissions getPermissions(long objectId)

Specified by:

getPermissions in interface AccessControlService

Parameters:

objectId - a topic ID, or an association ID.

Returns:

A Permissions object with one entry: dmx.accesscontrol.operation.write.

getCreator

public String getCreator(long objectId)

Description copied from interface: AccessControlService

Returns the creator of a topic or an association.

Specified by:

getCreator in interface AccessControlService

Returns:

The username of the creator, or null if no creator is set.

getModifier

public String getModifier(long objectId)

Description copied from interface: AccessControlService

Returns the modifier of a topic or an association.

Specified by:

getModifier in interface AccessControlService

Returns:

The username of the modifier, or null if no modifier is set.

enrichWithUserInfo

public void enrichWithUserInfo(DMXObject object)

Description copied from interface: AccessControlService

Retrieves the CREATOR/MODIFIER usernames and stores them in the given object's model (under synthetic child type URIs dmx.accesscontrol.creator and dmx.accesscontrol.modifier).

Specified by:

enrichWithUserInfo in interface AccessControlService

getTopicsByCreator

public Collection<Topic> getTopicsByCreator(String username)

Specified by:

getTopicsByCreator in interface AccessControlService

getTopicsByOwner

public Collection<Topic> getTopicsByOwner(String username)

Specified by:

getTopicsByOwner in interface AccessControlService

getAssocsByCreator

public Collection<Assoc> getAssocsByCreator(String username)

Specified by:

getAssocsByCreator in interface AccessControlService

getAssocsByOwner

public Collection<Assoc> getAssocsByOwner(String username)

Specified by:

getAssocsByOwner in interface AccessControlService

getAuthorizationMethods

public Set<String> getAuthorizationMethods()

Description copied from interface: AccessControlService

Returns the names of all authorization methods, as registered by AccessControlService.registerAuthorizationMethod(java.lang.String, systems.dmx.accesscontrol.AuthorizationMethod).

Specified by:

getAuthorizationMethods in interface AccessControlService

Returns:

the names of all registered authorization methods. Might be empty. Note: authorization method "BASIC" is not included. This one is not registered by AccessControlService.registerAuthorizationMethod(java.lang.String, systems.dmx.accesscontrol.AuthorizationMethod), but is an integral part of the DMX platform.

registerAuthorizationMethod

public void registerAuthorizationMethod(String name,
                                        AuthorizationMethod am)

Description copied from interface: AccessControlService

Registers an authorization method under the given name, e.g. "LDAP".

Specified by:

registerAuthorizationMethod in interface AccessControlService

unregisterAuthorizationMethod

public void unregisterAuthorizationMethod(String name)

Description copied from interface: AccessControlService

Unregisters the authorization method that has been registered under the given name. If no authorization method is registered under that name nothing happens.

Specified by:

unregisterAuthorizationMethod in interface AccessControlService

preInstall

public void preInstall()

Specified by:

preInstall in interface PluginContext

Overrides:

preInstall in class PluginActivator

shutdown

public void shutdown()

Specified by:

shutdown in interface PluginContext

Overrides:

shutdown in class PluginActivator

getConfigValue

public TopicModel getConfigValue(Topic topic)

Specified by:

getConfigValue in interface ConfigCustomizer

checkTopicReadAccess

public void checkTopicReadAccess(long topicId)

Specified by:

checkTopicReadAccess in interface CheckTopicReadAccess

checkTopicWriteAccess

public void checkTopicWriteAccess(long topicId)

Specified by:

checkTopicWriteAccess in interface CheckTopicWriteAccess

checkAssocReadAccess

public void checkAssocReadAccess(long assocId)

Specified by:

checkAssocReadAccess in interface CheckAssocReadAccess

checkAssocWriteAccess

public void checkAssocWriteAccess(long assocId)

Specified by:

checkAssocWriteAccess in interface CheckAssocWriteAccess

postCreateTopic

public void postCreateTopic(Topic topic)

Specified by:

postCreateTopic in interface PostCreateTopic

preCreateAssoc

public void preCreateAssoc(AssocModel assoc)

Specified by:

preCreateAssoc in interface PreCreateAssoc

postCreateAssoc

public void postCreateAssoc(Assoc assoc)

Specified by:

postCreateAssoc in interface PostCreateAssoc

preUpdateTopic

public void preUpdateTopic(Topic topic,
                           TopicModel updateModel)

Specified by:

preUpdateTopic in interface PreUpdateTopic

postUpdateTopic

public void postUpdateTopic(Topic topic,
                            ChangeReport report,
                            TopicModel updateModel)

Specified by:

postUpdateTopic in interface PostUpdateTopic

postUpdateAssoc

public void postUpdateAssoc(Assoc assoc,
                            ChangeReport report,
                            AssocModel updateModel)

Specified by:

postUpdateAssoc in interface PostUpdateAssoc

serviceRequestFilter

public void serviceRequestFilter(com.sun.jersey.spi.container.ContainerRequest containerRequest)

Specified by:

serviceRequestFilter in interface ServiceRequestFilter

staticResourceFilter

public void staticResourceFilter(javax.servlet.http.HttpServletRequest servletRequest,
                                 javax.servlet.http.HttpServletResponse servletResponse)

Specified by:

staticResourceFilter in interface StaticResourceFilter

checkDiskQuota

public void checkDiskQuota(String username,
                           long fileSize,
                           long diskQuota)

Specified by:

checkDiskQuota in interface CheckDiskQuota