Revision 570
Added by bojilova over 24 years ago
| src/edu/ucsb/nceas/metacat/DBQuery.java | ||
|---|---|---|
| 168 | 168 |
boolean tableHasRows = rs.next(); |
| 169 | 169 |
while (tableHasRows) {
|
| 170 | 170 |
docid = rs.getString(1); |
| 171 |
if ( !hasReadPermission(conn, docid, user, group) ) {continue;}
|
|
| 171 |
if ( !hasPermission(conn, user, group, docid) ) {continue;}
|
|
| 172 | 172 |
docname = rs.getString(2); |
| 173 | 173 |
doctype = rs.getString(3); |
| 174 | 174 |
doctitle = rs.getString(4); |
| ... | ... | |
| 274 | 274 |
while(tableHasRows) |
| 275 | 275 |
{
|
| 276 | 276 |
docid = rs.getString(1); |
| 277 |
if ( !hasReadPermission(conn, docid, user, group) ) {continue;}
|
|
| 277 |
if ( !hasPermission(conn, user, group, docid) ) {continue;}
|
|
| 278 | 278 |
fieldname = rs.getString(2); |
| 279 | 279 |
fielddata = rs.getString(3); |
| 280 | 280 |
|
| ... | ... | |
| 635 | 635 |
return createQuery(value, "any"); |
| 636 | 636 |
} |
| 637 | 637 |
|
| 638 |
/** Check for "read" permissions from DB connection */ |
|
| 639 |
private boolean hasReadPermission(Connection conn, String docid, |
|
| 640 |
String user, String group) |
|
| 641 |
throws SQLException {
|
|
| 638 |
/** |
|
| 639 |
* Check for "READ" permission on @docid for @user and/or @group |
|
| 640 |
* from DB connection |
|
| 641 |
*/ |
|
| 642 |
private boolean hasPermission ( Connection conn, String user, |
|
| 643 |
String group, String docid ) |
|
| 644 |
throws SQLException |
|
| 645 |
{
|
|
| 642 | 646 |
// b' of the command line invocation |
| 643 | 647 |
if ( (user == null) && (group == null) ) {
|
| 644 | 648 |
return true; |
| 645 | 649 |
} |
| 646 | 650 |
|
| 647 |
PreparedStatement pstmt; |
|
| 648 |
// checking if user is owner of docid or if docid has public access |
|
| 649 |
try {
|
|
| 650 |
pstmt = conn.prepareStatement( |
|
| 651 |
"SELECT 'x' FROM xml_documents " + |
|
| 652 |
"WHERE docid LIKE ? AND user_owner LIKE ? " + |
|
| 653 |
"UNION " + |
|
| 654 |
"SELECT 'x' FROM xml_documents " + |
|
| 655 |
"WHERE docid LIKE ? AND public_access = 1"); |
|
| 656 |
// Bind the values to the query |
|
| 657 |
pstmt.setString(1, docid); |
|
| 658 |
pstmt.setString(2, user); |
|
| 659 |
pstmt.setString(3, docid); |
|
| 660 |
|
|
| 661 |
pstmt.execute(); |
|
| 662 |
ResultSet rs = pstmt.getResultSet(); |
|
| 663 |
boolean hasRow = rs.next(); |
|
| 664 |
pstmt.close(); |
|
| 665 |
if (hasRow) {
|
|
| 666 |
return true; |
|
| 667 |
} |
|
| 668 |
|
|
| 669 |
} catch (SQLException e) {
|
|
| 670 |
throw new |
|
| 671 |
SQLException("Error checking document's owner or public access: "
|
|
| 672 |
+ e.getMessage()); |
|
| 651 |
// Check for READ permission on @docid for @user and/or @group |
|
| 652 |
AccessControlList aclobj = new AccessControlList(conn); |
|
| 653 |
boolean hasPermission = aclobj.hasPermission("READ",user,docid);
|
|
| 654 |
if ( !hasPermission && group != null ) {
|
|
| 655 |
hasPermission = aclobj.hasPermission("READ",group,docid);
|
|
| 673 | 656 |
} |
| 674 |
|
|
| 675 |
// checking if docid has public access at this time |
|
| 676 |
try {
|
|
| 677 |
pstmt = conn.prepareStatement( |
|
| 678 |
"SELECT 'x' FROM xml_access " + |
|
| 679 |
"WHERE docid LIKE ? " + |
|
| 680 |
"AND principal_name = 'public' " + |
|
| 681 |
"AND principal_type = 'user' " + |
|
| 682 |
"AND sysdate BETWEEN nvl(begin_time,sysdate) " + |
|
| 683 |
"AND nvl(end_time,sysdate)"); |
|
| 684 |
// Bind the values to the query |
|
| 685 |
pstmt.setString(1, docid); |
|
| 686 |
|
|
| 687 |
pstmt.execute(); |
|
| 688 |
ResultSet rs = pstmt.getResultSet(); |
|
| 689 |
boolean hasRow = rs.next(); |
|
| 690 |
pstmt.close(); |
|
| 691 |
if (hasRow) {
|
|
| 692 |
return true; |
|
| 693 |
} |
|
| 694 |
|
|
| 695 |
} catch (SQLException e) {
|
|
| 696 |
throw new |
|
| 697 |
SQLException("Error checking doc's public access: " + e.getMessage());
|
|
| 698 |
} |
|
| 699 |
|
|
| 700 |
// checking access type from xml_access table |
|
| 701 |
int accesstype = 0; |
|
| 702 |
try {
|
|
| 703 |
pstmt = conn.prepareStatement( |
|
| 704 |
"SELECT access_type FROM xml_access " + |
|
| 705 |
"WHERE docid LIKE ? " + |
|
| 706 |
"AND principal_name LIKE ? " + |
|
| 707 |
"AND principal_type = 'user' " + |
|
| 708 |
"AND sysdate BETWEEN nvl(begin_time,sysdate) " + |
|
| 709 |
"AND nvl(end_time,sysdate) " + |
|
| 710 |
"UNION " + |
|
| 711 |
"SELECT access_type FROM xml_access " + |
|
| 712 |
"WHERE docid LIKE ? " + |
|
| 713 |
"AND principal_name LIKE ? " + |
|
| 714 |
"AND principal_type = 'group' " + |
|
| 715 |
"AND sysdate BETWEEN nvl(begin_time,sysdate) " + |
|
| 716 |
"AND nvl(end_time,sysdate)"); |
|
| 717 |
// Bind the values to the query |
|
| 718 |
pstmt.setString(1, docid); |
|
| 719 |
pstmt.setString(2, user); |
|
| 720 |
pstmt.setString(3, docid); |
|
| 721 |
pstmt.setString(4, group); |
|
| 722 |
|
|
| 723 |
pstmt.execute(); |
|
| 724 |
ResultSet rs = pstmt.getResultSet(); |
|
| 725 |
boolean hasRows = rs.next(); |
|
| 726 |
while ( hasRows ) {
|
|
| 727 |
accesstype = rs.getInt(1); |
|
| 728 |
if ( (accesstype & READ) == READ ) {
|
|
| 729 |
pstmt.close(); |
|
| 730 |
return true; |
|
| 731 |
} |
|
| 732 |
hasRows = rs.next(); |
|
| 733 |
} |
|
| 734 |
|
|
| 735 |
pstmt.close(); |
|
| 736 |
return false; |
|
| 737 |
|
|
| 738 |
} catch (SQLException e) {
|
|
| 739 |
throw new |
|
| 740 |
SQLException("Error getting document's permissions: " + e.getMessage());
|
|
| 741 |
} |
|
| 657 |
|
|
| 658 |
return hasPermission; |
|
| 742 | 659 |
} |
| 743 | 660 |
|
| 744 | 661 |
} |
| src/edu/ucsb/nceas/metacat/DocumentImpl.java | ||
|---|---|---|
| 771 | 771 |
|
| 772 | 772 |
if ( action.equals("UPDATE") ) {
|
| 773 | 773 |
// check for 'write' permission for 'user' to update this document |
| 774 |
if ( !hasWritePermission(conn, docid, user, group) ) {
|
|
| 774 |
if ( !hasPermission(conn, user, group, docid) ) {
|
|
| 775 | 775 |
throw new Exception("User " + user +
|
| 776 | 776 |
" does not have permission to update XML Document #" + docid); |
| 777 | 777 |
} |
| ... | ... | |
| 828 | 828 |
String newdocid = ac.generate(docid, "DELETE"); |
| 829 | 829 |
|
| 830 | 830 |
// check for 'write' permission for 'user' to delete this document |
| 831 |
if ( !hasWritePermission(conn, docid, user, group) ) {
|
|
| 831 |
if ( !hasPermission(conn, user, group, docid) ) {
|
|
| 832 | 832 |
throw new Exception("User " + user +
|
| 833 | 833 |
" does not have permission to delete XML Document #" + docid); |
| 834 | 834 |
} |
| ... | ... | |
| 846 | 846 |
conn.setAutoCommit(true); |
| 847 | 847 |
} |
| 848 | 848 |
|
| 849 |
/** Check for "write" permissions from DB connection */ |
|
| 850 |
private static boolean hasWritePermission(Connection conn, String docid, |
|
| 851 |
String user, String group) |
|
| 852 |
throws SQLException {
|
|
| 849 |
/** |
|
| 850 |
* Check for "WRITE" permission on @docid for @user and/or @group |
|
| 851 |
* from DB connection |
|
| 852 |
*/ |
|
| 853 |
private static boolean hasPermission( Connection conn, String user, |
|
| 854 |
String group, String docid) |
|
| 855 |
throws SQLException |
|
| 856 |
{
|
|
| 853 | 857 |
// b' of the command line invocation |
| 854 | 858 |
if ( (user == null) && (group == null) ) {
|
| 855 | 859 |
return true; |
| 856 | 860 |
} |
| 857 | 861 |
|
| 858 |
PreparedStatement pstmt; |
|
| 859 |
// checking if user is owner of docid |
|
| 860 |
try {
|
|
| 861 |
pstmt = conn.prepareStatement( |
|
| 862 |
"SELECT 'x' FROM xml_documents " + |
|
| 863 |
"WHERE docid LIKE ? AND user_owner LIKE ?"); |
|
| 864 |
// Bind the values to the query |
|
| 865 |
pstmt.setString(1, docid); |
|
| 866 |
pstmt.setString(2, user); |
|
| 867 |
|
|
| 868 |
pstmt.execute(); |
|
| 869 |
ResultSet rs = pstmt.getResultSet(); |
|
| 870 |
boolean hasRow = rs.next(); |
|
| 871 |
pstmt.close(); |
|
| 872 |
if (hasRow) {
|
|
| 873 |
return true; |
|
| 874 |
} |
|
| 875 |
|
|
| 876 |
} catch (SQLException e) {
|
|
| 877 |
throw new |
|
| 878 |
SQLException("Error checking document's owner: " + e.getMessage());
|
|
| 862 |
// Check for WRITE permission on @docid for @user and/or @group |
|
| 863 |
AccessControlList aclobj = new AccessControlList(conn); |
|
| 864 |
boolean hasPermission = aclobj.hasPermission("WRITE",user,docid);
|
|
| 865 |
if ( !hasPermission && group != null ) {
|
|
| 866 |
hasPermission = aclobj.hasPermission("WRITE",group,docid);
|
|
| 879 | 867 |
} |
| 880 |
|
|
| 881 |
// checking access type from xml_access table |
|
| 882 |
int accesstype = 0; |
|
| 883 |
try {
|
|
| 884 |
pstmt = conn.prepareStatement( |
|
| 885 |
"SELECT access_type FROM xml_access " + |
|
| 886 |
"WHERE docid LIKE ? " + |
|
| 887 |
"AND principal_name LIKE ? " + |
|
| 888 |
"AND principal_type = 'user' " + |
|
| 889 |
"AND sysdate BETWEEN nvl(begin_time,sysdate) " + |
|
| 890 |
"AND nvl(end_time,sysdate) " + |
|
| 891 |
"UNION " + |
|
| 892 |
"SELECT access_type FROM xml_access " + |
|
| 893 |
"WHERE docid LIKE ? " + |
|
| 894 |
"AND principal_name LIKE ? " + |
|
| 895 |
"AND principal_type = 'group' " + |
|
| 896 |
"AND sysdate BETWEEN nvl(begin_time,sysdate) " + |
|
| 897 |
"AND nvl(end_time,sysdate)"); |
|
| 898 |
// Bind the values to the query |
|
| 899 |
pstmt.setString(1, docid); |
|
| 900 |
pstmt.setString(2, user); |
|
| 901 |
pstmt.setString(3, docid); |
|
| 902 |
pstmt.setString(4, group); |
|
| 903 |
|
|
| 904 |
pstmt.execute(); |
|
| 905 |
ResultSet rs = pstmt.getResultSet(); |
|
| 906 |
boolean hasRows = rs.next(); |
|
| 907 |
while ( hasRows ) {
|
|
| 908 |
accesstype = rs.getInt(1); |
|
| 909 |
if ( (accesstype & WRITE) == WRITE ) {
|
|
| 910 |
pstmt.close(); |
|
| 911 |
return true; |
|
| 912 |
} |
|
| 913 |
hasRows = rs.next(); |
|
| 914 |
} |
|
| 915 |
|
|
| 916 |
pstmt.close(); |
|
| 917 |
return false; |
|
| 918 |
|
|
| 919 |
} catch (SQLException e) {
|
|
| 920 |
throw new |
|
| 921 |
SQLException("Error getting document's permissions: " + e.getMessage());
|
|
| 922 |
} |
|
| 868 |
|
|
| 869 |
return hasPermission; |
|
| 923 | 870 |
} |
| 924 | 871 |
|
| 925 | 872 |
/** |
| src/edu/ucsb/nceas/metacat/AccessControlList.java | ||
|---|---|---|
| 38 | 38 |
static final int WRITE = 2; |
| 39 | 39 |
static final int READ = 4; |
| 40 | 40 |
|
| 41 |
private Connection conn; |
|
| 42 |
private String docid; |
|
| 41 |
private Connection conn; |
|
| 43 | 42 |
private String parserName; |
| 44 | 43 |
private Stack elementStack; |
| 45 | 44 |
|
| 46 |
private Vector allow = new Vector(); |
|
| 47 |
private Vector begin1 = new Vector(); |
|
| 48 |
private Vector end1 = new Vector(); |
|
| 49 |
private Vector count1 = new Vector(); |
|
| 50 |
|
|
| 51 |
private Vector denyv = new Vector(); |
|
| 52 |
private Vector begin2 = new Vector(); |
|
| 53 |
private Vector end2 = new Vector(); |
|
| 54 |
private Vector count2 = new Vector(); |
|
| 45 |
private String resourceId; |
|
| 46 |
private Vector principalName; |
|
| 47 |
private int permission; |
|
| 48 |
private String permType; |
|
| 49 |
private String permOrder; |
|
| 50 |
private String beginTime; |
|
| 51 |
private String endTime; |
|
| 52 |
private int ticketCount; |
|
| 55 | 53 |
|
| 56 |
private String principal_name = ""; |
|
| 57 |
private String principal_type; |
|
| 58 |
private int permission = 0; |
|
| 59 |
private String begin_time; |
|
| 60 |
private String end_time; |
|
| 61 |
private int count; |
|
| 62 |
private int deny; |
|
| 63 |
|
|
| 64 | 54 |
/** |
| 65 | 55 |
* Construct an instance of the AccessControlList class. |
| 56 |
* It is used by the permission check up from DBQuery and DocumentImpl |
|
| 57 |
* |
|
| 58 |
* @param conn the JDBC connection where acl data are loaded |
|
| 59 |
*/ |
|
| 60 |
public AccessControlList ( Connection conn ) |
|
| 61 |
{
|
|
| 62 |
this.conn = conn; |
|
| 63 |
} |
|
| 64 |
|
|
| 65 |
/** |
|
| 66 |
* Construct an instance of the AccessControlList class. |
|
| 66 | 67 |
* It parse acl file and loads acl data into db connection. |
| 67 | 68 |
* |
| 68 | 69 |
* @param conn the JDBC connection where acl data are loaded |
| 69 | 70 |
* @param docid the Accession# of the document with the acl data |
| 70 |
* @param acl the acl file containing acl data for the document
|
|
| 71 |
* @param acl the acl file containing acl data |
|
| 71 | 72 |
*/ |
| 72 | 73 |
public AccessControlList ( Connection conn, String docid, Reader acl ) |
| 73 | 74 |
throws SAXException, IOException, ClassNotFoundException |
| ... | ... | |
| 77 | 78 |
String parserName = util.getOption("saxparser");
|
| 78 | 79 |
|
| 79 | 80 |
this.conn = conn; |
| 80 |
this.docid = docid; |
|
| 81 | 81 |
this.parserName = parserName; |
| 82 |
elementStack = new Stack(); |
|
| 82 |
this.elementStack = new Stack(); |
|
| 83 |
|
|
| 84 |
this.principalName = new Vector(); |
|
| 85 |
this.permission = 0; |
|
| 86 |
this.ticketCount = 0; |
|
| 83 | 87 |
|
| 84 | 88 |
// Initialize the parser and read the queryspec |
| 85 | 89 |
XMLReader parser = initializeParser(); |
| ... | ... | |
| 87 | 91 |
|
| 88 | 92 |
} |
| 89 | 93 |
|
| 94 |
/** |
|
| 95 |
* Construct an instance of the AccessControlList class. |
|
| 96 |
* It parse acl file and loads acl data into db connection. |
|
| 97 |
* |
|
| 98 |
* @param conn the JDBC connection where acl data are loaded |
|
| 99 |
* @param docid the Accession# of the document with the acl data |
|
| 100 |
* @param aclfilename the name of acl file containing acl data |
|
| 101 |
*/ |
|
| 90 | 102 |
public AccessControlList( Connection conn, String docid, String aclfilename ) |
| 91 | 103 |
throws SAXException, IOException, ClassNotFoundException |
| 92 | 104 |
{
|
| ... | ... | |
| 128 | 140 |
currentNode.setAttribute(atts.getLocalName(i), atts.getValue(i)); |
| 129 | 141 |
} |
| 130 | 142 |
} |
| 143 |
if ( currentNode.getTagName().equals("resource") ) {
|
|
| 144 |
permOrder = currentNode.getAttribute("order");
|
|
| 145 |
} |
|
| 131 | 146 |
elementStack.push(currentNode); |
| 132 | 147 |
} |
| 133 | 148 |
|
| ... | ... | |
| 143 | 158 |
BasicNode currentNode = (BasicNode)elementStack.peek(); |
| 144 | 159 |
String currentTag = currentNode.getTagName(); |
| 145 | 160 |
|
| 146 |
if (currentTag.equals("groupName")) {
|
|
| 147 |
principal_name = inputString; |
|
| 148 |
principal_type = "group"; |
|
| 149 |
} else if (currentTag.equals("userName")) {
|
|
| 150 |
principal_name = inputString; |
|
| 151 |
principal_type = "user"; |
|
| 161 |
if (currentTag.equals("resourceIdentifier")) {
|
|
| 162 |
resourceId = inputString; |
|
| 163 |
} else if (currentTag.equals("principalName")) {
|
|
| 164 |
principalName.addElement(new String(inputString)); |
|
| 152 | 165 |
} else if (currentTag.equals("permission")) {
|
| 153 | 166 |
if ( inputString.trim().toUpperCase().equals("READ") ) {
|
| 154 | 167 |
permission = permission | READ; |
| ... | ... | |
| 158 | 171 |
permission = permission | ALL; |
| 159 | 172 |
} |
| 160 | 173 |
} else if (currentTag.equals("duration") &&
|
| 161 |
begin_time == null && end_time == null ) {
|
|
| 174 |
beginTime == null && endTime == null ) {
|
|
| 162 | 175 |
try {
|
| 163 |
begin_time = inputString.substring(0, inputString.indexOf(" "));
|
|
| 164 |
end_time = inputString.substring(inputString.indexOf(" ")+1);
|
|
| 176 |
beginTime = inputString.substring(0, inputString.indexOf(" "));
|
|
| 177 |
endTime = inputString.substring(inputString.indexOf(" ")+1);
|
|
| 165 | 178 |
} catch (StringIndexOutOfBoundsException se) {
|
| 166 |
begin_time = inputString;
|
|
| 179 |
beginTime = inputString;
|
|
| 167 | 180 |
} |
| 168 |
} else if (currentTag.equals("count") && count == 0 ) {
|
|
| 169 |
count = (new Integer(inputString.trim())).intValue();
|
|
| 181 |
} else if (currentTag.equals("ticketCount") && ticketCount == 0 ) {
|
|
| 182 |
ticketCount = (new Integer(inputString.trim())).intValue();
|
|
| 170 | 183 |
} |
| 171 | 184 |
} |
| 172 | 185 |
|
| ... | ... | |
| 179 | 192 |
throws SAXException |
| 180 | 193 |
{
|
| 181 | 194 |
BasicNode leaving = (BasicNode)elementStack.pop(); |
| 182 |
if ( leaving.getTagName().equals("allow") && permission > 0 ) {
|
|
| 183 |
// collect allowed permissions in a Vector variable allow |
|
| 184 |
allow.add(new Integer(permission)); |
|
| 185 |
begin1.add(begin_time); |
|
| 186 |
end1.add(end_time); |
|
| 187 |
count1.add(new Integer(count)); |
|
| 195 |
if ( leaving.getTagName().equals("allow") ) {
|
|
| 196 |
|
|
| 197 |
if ( permission > 0 ) {
|
|
| 188 | 198 |
|
| 199 |
// insert into db calculated permission for the list of principals |
|
| 200 |
try {
|
|
| 201 |
insertPermissions("allowed");
|
|
| 202 |
} catch (SQLException sqle) {
|
|
| 203 |
throw new SAXException(sqle); |
|
| 204 |
} |
|
| 205 |
} |
|
| 206 |
|
|
| 189 | 207 |
// reset the allowed permission |
| 208 |
principalName = new Vector(); |
|
| 190 | 209 |
permission = 0; |
| 191 |
begin_time = null;
|
|
| 192 |
end_time = null;
|
|
| 193 |
count = 0;
|
|
| 210 |
beginTime = null;
|
|
| 211 |
endTime = null;
|
|
| 212 |
ticketCount = 0;
|
|
| 194 | 213 |
|
| 195 |
} else if ( leaving.getTagName().equals("deny") && permission > 0 ) {
|
|
| 196 |
// collect denied permissions in a Vector variable denyv |
|
| 197 |
denyv.add(new Integer(permission)); |
|
| 198 |
begin2.add(begin_time); |
|
| 199 |
end2.add(end_time); |
|
| 200 |
count2.add(new Integer(count)); |
|
| 214 |
} else if ( leaving.getTagName().equals("deny") ) {
|
|
| 215 |
|
|
| 216 |
if ( permission > 0 ) {
|
|
| 201 | 217 |
|
| 202 |
// reset the denied permission |
|
| 203 |
permission = 0; |
|
| 204 |
begin_time = null; |
|
| 205 |
end_time = null; |
|
| 206 |
count = 0; |
|
| 207 |
|
|
| 208 |
} else if ( leaving.getTagName().equals("accessControl") ) {
|
|
| 209 |
// when order attribute for <accessControl> is specified to "denyFirst" |
|
| 210 |
// exclude the allowed permissions from the list of denied ones |
|
| 211 |
if ( leaving.getAttribute("order").equals("denyFirst") ) {
|
|
| 212 |
for ( int i = 0; i < allow.size(); i++ ) {
|
|
| 213 |
for ( int j = 0; j < denyv.size(); j++ ) {
|
|
| 214 |
denyv.setElementAt( |
|
| 215 |
new Integer(((Integer)denyv.elementAt(j)).intValue() & |
|
| 216 |
~((Integer)allow.elementAt(i)).intValue()), j); |
|
| 217 |
} |
|
| 218 |
// insert into db calculated permission for the list of principals |
|
| 219 |
try {
|
|
| 220 |
insertPermissions("denied");
|
|
| 221 |
} catch (SQLException sqle) {
|
|
| 222 |
throw new SAXException(sqle); |
|
| 218 | 223 |
} |
| 219 | 224 |
} |
| 220 | 225 |
|
| 221 |
// insert into db connection collected permissions for the principal
|
|
| 222 |
try {
|
|
| 223 |
insertPermissions();
|
|
| 224 |
} catch (SQLException sqle) {
|
|
| 225 |
throw new SAXException(sqle);
|
|
| 226 |
}
|
|
| 226 |
// reset the denied permission
|
|
| 227 |
principalName = new Vector();
|
|
| 228 |
permission = 0;
|
|
| 229 |
beginTime = null;
|
|
| 230 |
endTime = null;
|
|
| 231 |
ticketCount = 0;
|
|
| 227 | 232 |
|
| 228 |
// reset the list of allowed and denied permissions |
|
| 229 |
// for use for the next principal |
|
| 230 |
allow = new Vector(); |
|
| 231 |
begin1 = new Vector(); |
|
| 232 |
end1 = new Vector(); |
|
| 233 |
count1 = new Vector(); |
|
| 233 |
} else if ( leaving.getTagName().equals("resource") ) {
|
|
| 234 |
// reset the resource identifier |
|
| 235 |
resourceId = null; |
|
| 236 |
permOrder = null; |
|
| 237 |
} |
|
| 234 | 238 |
|
| 235 |
denyv = new Vector(); |
|
| 236 |
begin2 = new Vector(); |
|
| 237 |
end2 = new Vector(); |
|
| 238 |
count2 = new Vector(); |
|
| 239 |
|
|
| 240 |
} else if ( leaving.getTagName().equals("user") ||
|
|
| 241 |
leaving.getTagName().equals("group") ) {
|
|
| 242 |
// try {
|
|
| 243 |
// principal_name = |
|
| 244 |
// principal_name.substring(0, principal_name.lastIndexOf("."));
|
|
| 245 |
// } catch (StringIndexOutOfBoundsException se) {
|
|
| 246 |
// reset the name of the current principal for next use |
|
| 247 |
principal_name = ""; |
|
| 248 |
// } |
|
| 249 |
} |
|
| 250 | 239 |
} |
| 251 | 240 |
|
| 252 |
/** Insert into db connection collected permissions for a principal */
|
|
| 253 |
private void insertPermissions() |
|
| 241 |
/** Insert into db calculated permission for the list of principals */
|
|
| 242 |
private void insertPermissions( String permType )
|
|
| 254 | 243 |
throws SQLException |
| 255 | 244 |
{
|
| 256 | 245 |
PreparedStatement pstmt; |
| ... | ... | |
| 258 | 247 |
try {
|
| 259 | 248 |
pstmt = conn.prepareStatement( |
| 260 | 249 |
"INSERT INTO xml_access " + |
| 261 |
"(docid, principal_name, principal_type, " + |
|
| 262 |
"permission, begin_time, end_time, ticket_counter, deny)" + |
|
| 263 |
"VALUES (?, ?, ?, ?, to_date(?,'mm/dd/yy'), " + |
|
| 264 |
" to_date(?,'mm/dd/yy'), ?, ?)"); |
|
| 250 |
"(docid,principal_name,permission,perm_type,perm_order," + |
|
| 251 |
"begin_time,end_time,ticket_count) VALUES " + |
|
| 252 |
"(?,?,?,?,?,to_date(?,'mm/dd/yy'),to_date(?,'mm/dd/yy'),?)"); |
|
| 265 | 253 |
// Bind the values to the query |
| 266 |
pstmt.setString(1, docid); |
|
| 267 |
pstmt.setString(2, principal_name); |
|
| 268 |
pstmt.setString(3, principal_type); |
|
| 269 |
// insert the allowed permissions first |
|
| 270 |
for ( int i = 0; i < allow.size(); i++ ) {
|
|
| 271 |
pstmt.setInt(4, ((Integer)allow.elementAt(i)).intValue()); |
|
| 272 |
pstmt.setString(5, (String)begin1.elementAt(i)); |
|
| 273 |
pstmt.setString(6, (String)end1.elementAt(i)); |
|
| 274 |
if ( ((Integer)count1.elementAt(i)).intValue() > 0 ) {
|
|
| 275 |
pstmt.setString(7, "" + ((Integer)count1.elementAt(i)).intValue()); |
|
| 276 |
} else {
|
|
| 277 |
pstmt.setString(7, ""); |
|
| 278 |
} |
|
| 254 |
pstmt.setString(1, resourceId); |
|
| 255 |
pstmt.setInt(3, permission); |
|
| 256 |
pstmt.setString(4, permType); |
|
| 257 |
pstmt.setString(5, permOrder); |
|
| 258 |
pstmt.setString(6, beginTime); |
|
| 259 |
pstmt.setString(7, endTime); |
|
| 260 |
if ( ticketCount > 0 ) {
|
|
| 261 |
pstmt.setString(8, "" + ticketCount); |
|
| 262 |
} else {
|
|
| 279 | 263 |
pstmt.setString(8, ""); |
| 264 |
} |
|
| 265 |
for ( int i = 0; i < principalName.size(); i++ ) {
|
|
| 266 |
pstmt.setString(2, (String)principalName.elementAt(i)); |
|
| 267 |
pstmt.execute(); |
|
| 268 |
} |
|
| 280 | 269 |
|
| 270 |
} catch (SQLException e) {
|
|
| 271 |
throw new |
|
| 272 |
SQLException("AccessControlList.insertPermissions(): " + e.getMessage());
|
|
| 273 |
} |
|
| 274 |
} |
|
| 275 |
|
|
| 276 |
/** Check for @permission for @principal on @resourceId from db connection */ |
|
| 277 |
public boolean hasPermission ( String permission, String principal, |
|
| 278 |
String resourceId ) |
|
| 279 |
throws SQLException |
|
| 280 |
{
|
|
| 281 |
PreparedStatement pstmt; |
|
| 282 |
// check public access to @resourceId from xml_documents table |
|
| 283 |
if ( permission.equals("READ") ) {
|
|
| 284 |
try {
|
|
| 285 |
pstmt = conn.prepareStatement( |
|
| 286 |
"SELECT 'x' FROM xml_documents " + |
|
| 287 |
"WHERE docid LIKE ? AND public_access = 1"); |
|
| 288 |
// Bind the values to the query |
|
| 289 |
pstmt.setString(1, principal); |
|
| 290 |
|
|
| 281 | 291 |
pstmt.execute(); |
| 292 |
ResultSet rs = pstmt.getResultSet(); |
|
| 293 |
boolean hasRow = rs.next(); |
|
| 294 |
pstmt.close(); |
|
| 295 |
if (hasRow) {
|
|
| 296 |
return true; |
|
| 297 |
} |
|
| 298 |
//System.out.println("Passed the check for public access");
|
|
| 299 |
|
|
| 300 |
} catch (SQLException e) {
|
|
| 301 |
throw new |
|
| 302 |
SQLException("Error checking document's public access: "
|
|
| 303 |
+ e.getMessage()); |
|
| 282 | 304 |
} |
| 305 |
} |
|
| 306 |
|
|
| 307 |
// since owner of resource has all permission on it, |
|
| 308 |
// check if @principal is owner of @resourceId in xml_documents table |
|
| 309 |
if ( principal != null ) {
|
|
| 310 |
try {
|
|
| 311 |
pstmt = conn.prepareStatement( |
|
| 312 |
"SELECT 'x' FROM xml_documents " + |
|
| 313 |
"WHERE docid LIKE ? AND user_owner LIKE ?"); |
|
| 314 |
// Bind the values to the query |
|
| 315 |
pstmt.setString(1, resourceId); |
|
| 316 |
pstmt.setString(2, principal); |
|
| 283 | 317 |
|
| 284 |
// insert the denied permissions |
|
| 285 |
for ( int i = 0; i < denyv.size(); i++ ) {
|
|
| 286 |
if ( ((Integer)denyv.elementAt(i)).intValue() <= 0 ) {
|
|
| 287 |
continue; |
|
| 318 |
pstmt.execute(); |
|
| 319 |
ResultSet rs = pstmt.getResultSet(); |
|
| 320 |
boolean hasRow = rs.next(); |
|
| 321 |
pstmt.close(); |
|
| 322 |
if (hasRow) {
|
|
| 323 |
return true; |
|
| 288 | 324 |
} |
| 289 |
pstmt.setInt(4, ((Integer)denyv.elementAt(i)).intValue()); |
|
| 290 |
pstmt.setString(5, (String)begin2.elementAt(i)); |
|
| 291 |
pstmt.setString(6, (String)end2.elementAt(i)); |
|
| 292 |
if ( ((Integer)count2.elementAt(i)).intValue() > 0 ) {
|
|
| 293 |
pstmt.setString(7, "" + ((Integer)count2.elementAt(i)).intValue()); |
|
| 294 |
} else {
|
|
| 295 |
pstmt.setString(7, ""); |
|
| 325 |
//System.out.println("Passed the check for ownership");
|
|
| 326 |
|
|
| 327 |
} catch (SQLException e) {
|
|
| 328 |
throw new |
|
| 329 |
SQLException("AccessControlList.hasPermission(): " +
|
|
| 330 |
"Error checking document's ownership. " + e.getMessage()); |
|
| 331 |
} |
|
| 332 |
|
|
| 333 |
// check @principal's @permission on @resourceId from xml_access table |
|
| 334 |
int accessValue = 0; |
|
| 335 |
int ticketCount = 0; |
|
| 336 |
String permOrder = ""; |
|
| 337 |
try {
|
|
| 338 |
pstmt = conn.prepareStatement( |
|
| 339 |
"SELECT permission, perm_order, ticket_count " + |
|
| 340 |
"FROM xml_access " + |
|
| 341 |
"WHERE docid LIKE ? " + |
|
| 342 |
"AND principal_name LIKE ? " + |
|
| 343 |
"AND sysdate BETWEEN nvl(begin_time,sysdate) " + |
|
| 344 |
"AND nvl(end_time,sysdate) " + |
|
| 345 |
"AND perm_type LIKE ?"); |
|
| 346 |
// check if it is "denied" first |
|
| 347 |
// Bind the values to the query |
|
| 348 |
pstmt.setString(1, resourceId); |
|
| 349 |
pstmt.setString(2, principal); |
|
| 350 |
pstmt.setString(3, "denied"); |
|
| 351 |
|
|
| 352 |
pstmt.execute(); |
|
| 353 |
ResultSet rs = pstmt.getResultSet(); |
|
| 354 |
boolean hasRows = rs.next(); |
|
| 355 |
while ( hasRows ) {
|
|
| 356 |
accessValue = rs.getInt(1); |
|
| 357 |
permOrder = rs.getString(2); |
|
| 358 |
ticketCount = rs.getInt(3); |
|
| 359 |
if ( ( accessValue & intValue(permission) ) == intValue(permission) && |
|
| 360 |
( permOrder.equals("allow first") ) &&
|
|
| 361 |
( rs.wasNull() || ticketCount > 0 ) ) {
|
|
| 362 |
if ( !rs.wasNull() && ticketCount > 0 ) {
|
|
| 363 |
decreaseNumberOfAccess(accessValue,principal,resourceId,"denied"); |
|
| 364 |
} |
|
| 365 |
pstmt.close(); |
|
| 366 |
return false; |
|
| 367 |
} |
|
| 368 |
hasRows = rs.next(); |
|
| 296 | 369 |
} |
| 297 |
pstmt.setString(8, "" + 1);
|
|
| 370 |
//System.out.println("Passed the check for denied access");
|
|
| 298 | 371 |
|
| 372 |
// it is not denied then check if it is "allowed" |
|
| 373 |
// Bind the values to the query |
|
| 374 |
pstmt.setString(1, resourceId); |
|
| 375 |
pstmt.setString(2, principal); |
|
| 376 |
pstmt.setString(3, "allowed"); |
|
| 377 |
|
|
| 299 | 378 |
pstmt.execute(); |
| 379 |
rs = pstmt.getResultSet(); |
|
| 380 |
hasRows = rs.next(); |
|
| 381 |
while ( hasRows ) {
|
|
| 382 |
accessValue = rs.getInt(1); |
|
| 383 |
ticketCount = rs.getInt(3); |
|
| 384 |
if ( ( accessValue & intValue(permission) )==intValue(permission) && |
|
| 385 |
( rs.wasNull() || ticketCount > 0 ) ) {
|
|
| 386 |
if ( !rs.wasNull() && ticketCount > 0 ) {
|
|
| 387 |
decreaseNumberOfAccess(accessValue,principal,resourceId,"allowed"); |
|
| 388 |
} |
|
| 389 |
pstmt.close(); |
|
| 390 |
return true; |
|
| 391 |
} |
|
| 392 |
hasRows = rs.next(); |
|
| 393 |
} |
|
| 394 |
//System.out.println("Passed the check for allowed access");
|
|
| 395 |
|
|
| 396 |
// ??? |
|
| 397 |
// here there could be a check for the group's permission like |
|
| 398 |
// selfrecursive call to hasPermission(conn,permission,group,recourceId) |
|
| 399 |
// |
|
| 400 |
|
|
| 401 |
pstmt.close(); |
|
| 402 |
return false; |
|
| 403 |
|
|
| 404 |
} catch (SQLException e) {
|
|
| 405 |
throw new |
|
| 406 |
SQLException("AccessControlList.hasPermission(): " +
|
|
| 407 |
"Error checking document's permission. " + e.getMessage()); |
|
| 300 | 408 |
} |
| 409 |
} |
|
| 410 |
|
|
| 411 |
return false; |
|
| 412 |
} |
|
| 301 | 413 |
|
| 302 |
} catch (SQLException e) {
|
|
| 303 |
throw new |
|
| 304 |
SQLException("AccessControlList.insertPermissions(): " + e.getMessage());
|
|
| 414 |
/** decrease the number of access to @resourceId for @principal */ |
|
| 415 |
private void decreaseNumberOfAccess(int permission, String principal, |
|
| 416 |
String resourceId, String permType) |
|
| 417 |
throws SQLException |
|
| 418 |
{
|
|
| 419 |
PreparedStatement pstmt; |
|
| 420 |
pstmt = conn.prepareStatement( |
|
| 421 |
"UPDATE xml_access SET ticket_count = ticket_count - 1 " + |
|
| 422 |
"WHERE docid LIKE ? " + |
|
| 423 |
"AND principal_name LIKE ? " + |
|
| 424 |
"AND permission LIKE ? " + |
|
| 425 |
"AND sysdate BETWEEN nvl(begin_time,sysdate) " + |
|
| 426 |
"AND nvl(end_time,sysdate) " + |
|
| 427 |
"AND perm_type LIKE ?"); |
|
| 428 |
// Bind the values to the query |
|
| 429 |
pstmt.setString(1, resourceId); |
|
| 430 |
pstmt.setString(2, principal); |
|
| 431 |
pstmt.setInt(3, permission); |
|
| 432 |
pstmt.setString(4, permType); |
|
| 433 |
|
|
| 434 |
pstmt.execute(); |
|
| 435 |
pstmt.close(); |
|
| 436 |
} |
|
| 437 |
|
|
| 438 |
// get the int value of READ, WRITE or ALL |
|
| 439 |
private int intValue ( String permission ) |
|
| 440 |
{
|
|
| 441 |
if ( permission.equals("READ") ) {
|
|
| 442 |
return READ; |
|
| 443 |
} else if ( permission.equals("WRITE") ) {
|
|
| 444 |
return WRITE; |
|
| 445 |
} else if ( permission.equals("ALL") ) {
|
|
| 446 |
return ALL; |
|
| 305 | 447 |
} |
| 448 |
|
|
| 449 |
return -1; |
|
| 306 | 450 |
} |
| 307 |
|
|
| 308 | 451 |
} |
Also available in: Unified diff
AccessControlList
- methods for parsing and loading acl file
- checkup method for permission for given principal on given resource
DBQuery
- checkup for READ permission using AccessControlList.hasPermission()
DocumentImpl
- using AccessControlList object to parse and load an acl file into xml_access table
- checkup for WRITE permission on UPDATE action using the same AccessControl.hasPermission()