Changeset 4570
- Timestamp:
- 07/09/09 12:51:04 (8 months ago)
- Author:
- jmoore
- Message:
-
SecuritySystem : Support for configurable permissions (ticket:1405)
It is now possible to set omero.security.default_permissions
at compile time (in source:trunk/etc/omero.properties) or via
OmeroConfig? (ticket:800) at runtime.
- Location:
- trunk
- Files:
-
-
|
r3921
|
r4570
|
|
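--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -28,4 +28,13 @@
 on how this works.
 </description>
+
+<bean id="permissionsContext" class="ome.system.PermissionsContext">
+<description>
+Sets the value of the default permissions key based on the
+PreferenceContext in the system properties to be loaded by
+the ome.model.internal.Permissions class.
+</description>
+<constructor-arg ref="preferenceContext"/>
+</bean>
 
 <bean id="preferenceContext" class="ome.system.PreferenceContext">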
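Review bot: The new `permissionsContext` bean changes a static on `ome.model.internal.Permissions` as a side effect of its own construction, so any bean that reads `Permissions.DEFAULT` before this bean is instantiated still sees the compile-time default, and nothing in this hunk orders it before such readers. If definition order is what is relied on today, that is fragile, because the bean also depends on `preferenceContext` through its constructor-arg and is declared before it, so its effective instantiation point is not obvious from this file. Consider adding `depends-on="permissionsContext"` on beans that read the default, and a sentence in the `<description>` such as `Must be instantiated before any bean that reads Permissions.DEFAULT; see ome.model.internal.Permissions#setDefaultPermissions.` so the ordering requirement is explicit.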
-
|
r3486
|
r4570
|
|
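--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,4 +1,4 @@
 /*
-* ome.model.internal.Permissions
+* $Id$
 *
 * Copyright 2006 University of Dundee. All rights reserved.
@@ -7,5 +7,4 @@
 package ome.model.internal;
 
-// Java imports
 import java.io.IOException;
 import java.io.ObjectInputStream;
@@ -15,7 +14,4 @@
 import javax.persistence.Column;
 
-// Third-party libraries
-
-// Application-internal dependencies
 import ome.conditions.ApiUsageException;
 import ome.model.IObject;
@@ -35,5 +31,6 @@
 * </p>
 *
-* @see <a href="https://trac.openmicroscopy.org.uk/omero/ticket/180">ticket:180</a>
+* @see <a
+* href="https://trac.openmicroscopy.org.uk/omero/ticket/180">ticket:180</a>
 */
 public class Permissions implements Serializable {
@@ -102,6 +99,6 @@
 /**
 * enumeration of flags which can be set on a {@link Permissions} instance.
-* A {@link Flag#LOCKED} flag implies that the
-* {@link Details#getOwner() owner}, {@link Details#getGroup() group}, and
+* A {@link Flag#LOCKED} flag implies that the {@link Details#getOwner()
+* owner}, {@link Details#getGroup() group}, and
 * {@link Details#getPermissions() permissions} for an {@link IObject}
 * instance may not be changed. {@link Flag#SOFT} implies that the given
@@ -186,5 +183,5 @@
 
 Permissions p = new Permissions(EMPTY);
-String regex = "([Rr_][Ww_]){3}";
+String regex = "([Rr_-][Ww_-]){3}";
 
 if (rwrwrw == null || !rwrwrw.matches(regex)) {
@@ -229,6 +226,6 @@
 * or empty rights are simply ignored. For example, <code>
 * somePermissions().grant(USER,READ,WRITE,USE);
-* </code>
-* will guarantee that the current user has all rights on this entity.
+* </code> will guarantee
+* that the current user has all rights on this entity.
 */
 public Permissions grant(Role role, Right... rights) {
@@ -245,7 +242,7 @@
 * or empty rights are simply ignored. For example, <code>
 * new Permissions().revoke(WORLD,WRITE,USE);
-* </code>
-* will return a Permissions instance which cannot be altered or linked to
-* by members of WORLD.
+* </code> will return a
+* Permissions instance which cannot be altered or linked to by members of
+* WORLD.
 */
 public Permissions revoke(Role role, Right... rights) {
@@ -264,7 +261,6 @@
 * Permissions mask = new Permissions().grant(WORLD,READ);
 * someEntity.getDetails().getPermissions().grantAllk(mask);
-* </code>
-* will allow READ access (and possibly more) to <code>someEntity</code>
-* for members of WORLD.
+* </code> will allow READ access (and possibly more) to
+* <code>someEntity</code> for members of WORLD.
 */
 public Permissions grantAll(Permissions mask) {
@@ -283,13 +279,12 @@
 * Permissions mask = new Permissions().revoke(WORLD,READ,WRITE,USE);
 * someEntity.getDetails().getPermissions().applyMask(mask);
-* </code>
-* will disallow all access to <code>someEntity</code> for members of
-* WORLD.
+* </code> will disallow all access to <code>someEntity</code> for members
+* of WORLD.
 *
 * This also implies that applyMask can be used to make copies of
 * Permissions. For example, <code>
 * new Permissions().applyMask( somePermissions );
-* </code>
-* will produce a copy of <code>somePermissions</code>.
+* </code> will produce a copy of
+* <code>somePermissions</code>.
 *
 * Note: the logic here is different from Unix UMASKS.
@@ -366,6 +361,6 @@
 
 /**
-* two {@link Permissions} instances are <code>identical</code> if they
-* have the same bit representation.
+* two {@link Permissions} instances are <code>identical</code> if they have
+* the same bit representation.
 *
 * @see <a
@@ -679,11 +674,4 @@
 
 /**
-* an immutable {@link Permissions} instance which is used as the default
-* value in all persistent classes. It revokes {@link Right#WRITE} to both
-* {@link Role#GROUP} and {@link Role#WORLD}
-*/
-public final static Permissions DEFAULT = USER_PRIVATE;
-
-/**
 * an immutable {@link Permissions} instance with all {@link Right#WRITE}
 * rights turned off. Identical to {@link #WORLD_IMMUTABLE}
@@ -697,3 +685,16 @@
 public final static Permissions PUBLIC = WORLD_WRITEABLE;
 
+/**
+* an immutable {@link Permissions} instance which is used as the default
+* value in all persistent classes. It is initiall set to
+* {@link #USER_PRIVATE}, but is reset from the
+* {@link ome.system.PermissionsContext#KEY} configuration value which is set by
+* default in etc/omero.properties.
+*/
+public/* final */static Permissions DEFAULT = USER_PRIVATE;
+
+public static void setDefaultPermissions(String permissions) {
+DEFAULT = new ImmutablePermissions(parseString(permissions));
+}
+
 }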
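Review bot: `DEFAULT` becomes a non-final public static that `setDefaultPermissions` reassigns, but the field is neither `volatile` nor written under a lock, so threads that read `Permissions.DEFAULT` after the configuration step are not guaranteed to observe the new value, and the `/* final */` comment records the lost guarantee without replacing it. Since this is the security default applied to every persistent object and the setter is public, declare the field `public static volatile Permissions DEFAULT = USER_PRIVATE;`, and have the setter log the old and new string at INFO so an unexpected effective default is visible in the server log (`parseString` already rejects a null or malformed string via the regex check at file line 187, though the thrown type is not in this hunk). The javadoc has a typo, `initiall` → `initially`, and refers to `ome.system.PermissionsContext#KEY`, which does not appear in this changeset. Any code that copied `Permissions.DEFAULT` into its own static field at class-initialization time keeps the old value after the setter runs; if such callers exist that deserves a sentence in the javadoc.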
-
|
r1997
|
r4570
|
|
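--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -268,7 +268,9 @@
 public void testCompareWithString() throws Exception {
 assertTrue(Permissions.EMPTY.sameRights(Permissions
+.parseString("------")));
+assertTrue(Permissions.EMPTY.sameRights(Permissions
 .parseString("______")));
 assertTrue(Permissions.DEFAULT.sameRights(Permissions
-.parseString("rwr_r_")));
+.parseString("rw____")));
 assertTrue(Permissions.GROUP_IMMUTABLE.sameRights(Permissions
 .parseString("r_r___")));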
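Review bot: The `Permissions.DEFAULT` assertion is now order-dependent: `DEFAULT` is a mutable static reset by `Permissions.setDefaultPermissions`, so if an earlier test or a Spring context loaded in the same JVM has applied `omero.security.default_permissions`, this line checks the configured value rather than the compile-time default and can fail, or pass for the wrong reason. Either assert the fixed constant, `assertTrue(Permissions.USER_PRIVATE.sameRights(Permissions.parseString("rw____")));`, or reset the default at the start of the test and say so in a comment. `testCompareWithString` continues past the end of the hunk.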
-
|
r4508
|
r4570
|
|
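--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -204,5 +204,5 @@
 s.setDefaultEventType(eventType);
 s.setDefaultPermissions(umask.toString());
-s.getDetails().setPermissions(Permissions.USER_PRIVATE);
+s.getDetails().setPermissions(Permissions.DEFAULT);
 }
 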
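Review bot: The session's `Details` now take the process-wide `Permissions.DEFAULT` while the line above stores `umask.toString()` as the session's own default permissions, so two different notions of "default" are written to the same object on consecutive lines with nothing saying why they differ. If that is intended (presumably the session row's own visibility versus the umask applied to objects created inside the session), a comment such as `// the session row is protected by the server-wide default; umask governs objects created in this session` would stop a later reader from aligning one with the other. Note that the value read here is whatever `setDefaultPermissions` last stored, so a session created before the configuration bean has run still gets `USER_PRIVATE`. The enclosing method begins before this hunk.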
-
|
r4566
|
r4570
|
|
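--- a/etc/omero.properties
+++ b/etc/omero.properties
@@ -31,4 +31,5 @@
 omero.security.filter.bitand=(int8and(permissions,%s) = %s)
 omero.security.password_provider=chainedPasswordProvider
+omero.security.default_permissions=rw----
 
 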
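Review bot: The new key has no comment giving its format or the effect of the value, although it now decides the visibility of every object created with default permissions. The parser in `Permissions.parseString` accepts three `(r|_|-)(w|_|-)` pairs, case-insensitive, and the test in this changeset pairs `DEFAULT` with `rw____`, so `rw----` grants read and write to the owner and nothing to anyone else. A comment above the key such as `# Default permissions for new objects: three rw pairs, '-' or '_' denies; rw---- = owner only` would document this; the pair order is presumably user, group, world, as the `Role` names in the javadoc suggest, but confirm that before writing it down.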