Author: jaz
Date: Tue Jan 9 21:29:30 2007 New Revision: 494718 URL: http://svn.apache.org/viewvc?view=rev&rev=494718 Log: implemented new service based permission; removed the ServiceSecurity interface which this now replacess Removed: ofbiz/trunk/framework/service/src/org/ofbiz/service/security/ Modified: ofbiz/trunk/framework/service/dtd/services.xsd ofbiz/trunk/framework/service/servicedef/services.xml ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelPermission.java ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelServiceReader.java ofbiz/trunk/framework/service/src/org/ofbiz/service/ServiceDispatcher.java
Modified: ofbiz/trunk/framework/service/dtd/services.xsd
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/dtd/services.xsd?view=diff&rev=494718&r1=494717&r2=494718
==============================================================================
--- ofbiz/trunk/framework/service/dtd/services.xsd (original)
+++ ofbiz/trunk/framework/service/dtd/services.xsd Tue Jan 9 21:29:30 2007
@@ -37,6 +37,7 @@
 <xs:sequence>
 <xs:element minOccurs="0" ref="description"/>
 <xs:element minOccurs="0" ref="namespace"/>
+ <xs:element minOccurs="0" maxOccurs="1" ref="permission-service"/>
 <xs:element minOccurs="0" maxOccurs="unbounded" ref="required-permissions"/>
 <xs:element minOccurs="0" maxOccurs="unbounded" ref="implements"/>
 <xs:choice maxOccurs="1" minOccurs="0">
@@ -108,12 +109,29 @@
 </xs:simpleType>
 </xs:attribute>
 </xs:attributeGroup>
+ <xs:element name="permission-service">
+ <xs:complexType>
+ <xs:attributeGroup ref="attlist.permission-service"/>
+ </xs:complexType>
+ </xs:element>
+ <xs:attributeGroup name="attlist.permission-service">
+ <xs:attribute type="xs:string" name="service-name" use="required"/>
+ <xs:attribute name="main-action" use="optional">
+ <xs:simpleType>
+ <xs:restriction base="xs:token">
+ <xs:enumeration value="CREATE"/>
+ <xs:enumeration value="UPDATE"/>
+ <xs:enumeration value="DELETE"/>
+ <xs:enumeration value="VIEW"/>
+ </xs:restriction>
+ </xs:simpleType>
+ </xs:attribute>
+ </xs:attributeGroup>
 <xs:element name="required-permissions">
 <xs:complexType>
 <xs:sequence>
 <xs:element minOccurs="0" maxOccurs="unbounded" ref="check-permission"/>
- <xs:element minOccurs="0" maxOccurs="unbounded" ref="check-role-member"/>
- <xs:element minOccurs="0" maxOccurs="unbounded" ref="service-security"/>
+ <xs:element minOccurs="0" maxOccurs="unbounded" ref="check-role-member"/>
 </xs:sequence>
 <xs:attributeGroup ref="attlist.required-permissions"/>
 </xs:complexType>
Modified: ofbiz/trunk/framework/service/servicedef/services.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/servicedef/services.xml?view=diff&rev=494718&r1=494717&r2=494718
==============================================================================
--- ofbiz/trunk/framework/service/servicedef/services.xml (original)
+++ ofbiz/trunk/framework/service/servicedef/services.xml Tue Jan 9 21:29:30 2007
@@ -51,19 +51,36 @@
 </service>
 <!-- Service Engine Interfaces -->
- <service name="serviceEcaConditionInterface" engine="interface" location="" invoke="">
+ <service name="permissionInterface" engine="interface">
+ <description>Interface to describe base parameters for Permission Services</description>
+ <attribute name="mainAction" type="String" mode="IN" optional="true"/>
+ <attribute name="hasPermission" type="Boolean" mode="OUT" optional="false"/>
+ <attribute name="failMessage" type="String" mode="OUT" optional="true"/>
+ </service>
+
+ <service name="authenticationInterface" engine="interface">
+ <description>Interface to describe authentication services</description>
+ <attribute name="login.username" type="String" mode="IN"/>
+ <attribute name="login.password" type="String" mode="IN"/>
+ <attribute name="visitId" type="String" mode="IN" optional="true"/>
+ <attribute name="isServiceAuth" type="Boolean" mode="IN" optional="true"/>
+ <attribute name="userLogin" type="org.ofbiz.entity.GenericValue" mode="OUT"/>
+ <attribute name="userLoginSession" type="java.util.Map" mode="OUT" optional="true"/>
+ </service>
+
+ <service name="serviceEcaConditionInterface" engine="interface">
 <description>Interface to describe services which are used as SECA conditions</description>
 <attribute name="serviceContext" type="Map" mode="IN"/>
 <attribute name="serviceName" type="String" mode="IN"/>
 <attribute name="conditionReply" type="Boolean" mode="OUT"/>
 </service>
- <service name="serviceMcaConditionInterface" engine="interface" location="" invoke="">
+ <service name="serviceMcaConditionInterface" engine="interface">
 <description>Interface to describe services which are used as SMCA conditions</description>
 <attribute name="messageWrapper" type="org.ofbiz.service.mail.MimeMessageWrapper" mode="IN"/>
 <attribute name="conditionReply" type="Boolean" mode="OUT"/>
 </service>
- <service name="mailProcessInterface" engine="interface" location="" invoke="">
+ <service
name="mailProcessInterface" engine="interface">
 <description>Interface to describe services used to process incoming email</description>
 <attribute name="messageWrapper" type="org.ofbiz.service.mail.MimeMessageWrapper" mode="IN"/>
 </service>
Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelPermission.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelPermission.java?view=diff&rev=494718&r1=494717&r2=494718
==============================================================================
--- ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelPermission.java (original)
+++ ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelPermission.java Tue Jan 9 21:29:30 2007
@@ -15,19 +15,17 @@
 */
 package org.ofbiz.service;
-import org.ofbiz.entity.GenericValue;
+import org.ofbiz.base.util.Debug;
+import org.ofbiz.base.util.UtilMisc;
 import org.ofbiz.entity.GenericDelegator;
 import org.ofbiz.entity.GenericEntityException;
+import org.ofbiz.entity.GenericValue;
 import org.ofbiz.entity.util.EntityUtil;
 import org.ofbiz.security.Security;
-import org.ofbiz.base.util.UtilMisc;
-import org.ofbiz.base.util.Debug;
-import org.ofbiz.base.util.ObjectType;
-import org.ofbiz.service.security.ServiceSecurity;
+import java.io.Serializable;
 import java.util.List;
 import java.util.Map;
-import java.io.Serializable;
 /**
 * Service Permission Model Class
@@ -39,7 +37,6 @@
 public static final int PERMISSION = 1;
 public static final int ENTITY_PERMISSION = 2;
 public static final int ROLE_MEMBER = 3;
- public static final int CUSTOM = 4;
 public ModelService serviceModel = null;
 public int permissionType = 0;
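Review bot: `authenticationInterface` declares `login.password` as an ordinary String IN attribute, so the credential travels through the generic service context map like any other parameter and nothing in the definition marks it as sensitive. If the dispatcher, ECA layer or error handling ever dumps a service context to the log, this value would appear there — worth confirming, and worth a short note on the attribute that implementers must never echo it into results or messages. A reader of services.xml otherwise has no hint that the two interfaces differ in sensitivity.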
@@ -61,8 +58,6 @@
 return evalEntityPermission(security, userLogin);
 case ROLE_MEMBER:
 return evalRoleMember(userLogin);
- case CUSTOM:
- return evalCustomPermission(dctx, context);
 default:
 Debug.logWarning("Invalid permission type [" + permissionType + "] for permission named : " + nameOrRole + " on service : " + serviceModel.name, module);
 return false;
@@ -108,22 +103,5 @@
 }
 }
 return false;
- }
-
- private boolean evalCustomPermission(DispatchContext dctx, Map context) {
- Object obj;
- try {
- obj = ObjectType.getInstance(clazz);
- } catch (Exception e) {
- Debug.logError(e, module);
- return false;
- }
-
- if (obj != null && (obj instanceof ServiceSecurity)) {
- ServiceSecurity sec = (ServiceSecurity) obj;
- return sec.hasPermission(dctx, context);
- } else {
- return false;
- }
 }
 }
Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java?view=diff&rev=494718&r1=494717&r2=494718
==============================================================================
--- ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java (original)
+++ ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java Tue Jan 9 21:29:30 2007
@@ -120,6 +120,12 @@
 /** Sets the max number of times this service will retry when failed (persisted async only) */
 public int maxRetry = -1;
+ /** Permission service name */
+ public String permissionServiceName;
+
+ /** Permission service main-action */
+ public String permissionMainAction;
+
 /** Set of services this service implements */
 public Set implServices = new ListOrderedSet();
@@ -744,12 +750,66 @@
 }
 /**
+ * Evaluates permission-service for this service.
+ * @param dctx DispatchContext from the invoked service
+ * @param context Map containing userLogin and context infromation
+ * @return result of permission service invocation
+ */
+ public Map evalPermission(DispatchContext dctx, Map context) {
+ if (UtilValidate.isNotEmpty(this.permissionServiceName)) {
+ ModelService permission;
+ try {
+ permission = dctx.getModelService(this.permissionServiceName);
+ } catch (GenericServiceException e) {
+ Map result = ServiceUtil.returnSuccess();
+ result.put("hasPermission", Boolean.FALSE);
+ result.put("failMessage", e.getMessage());
+ return result;
+ }
+ if (permission != null) {
+ Map ctx = permission.makeValid(context, ModelService.IN_PARAM);
+ if (UtilValidate.isNotEmpty(this.permissionMainAction)) {
+ ctx.put("mainAction", this.permissionMainAction);
+ }
+ LocalDispatcher dispatcher = dctx.getDispatcher();
+ Map resp;
+ try {
+ resp = dispatcher.runSync(permission.name, ctx, 300, true);
+ } catch (GenericServiceException e) {
+ Debug.logError(e, module);
+ Map result = ServiceUtil.returnSuccess();
+ result.put("hasPermission", Boolean.FALSE);
+ result.put("failMessage", e.getMessage());
+ return result;
+ }
+ if (ServiceUtil.isError(resp) || ServiceUtil.isFailure(resp)) {
+ Map result = ServiceUtil.returnSuccess();
+ result.put("hasPermission", Boolean.FALSE);
+ result.put("failMessage", ServiceUtil.getErrorMessage(resp));
+ return result;
+ }
+ return resp;
+ } else {
+ Map result = ServiceUtil.returnSuccess();
+ result.put("hasPermission", Boolean.FALSE);
+ result.put("failMessage", "No ModelService found with the name [" + this.permissionServiceName + "]");
+ return result;
+ }
+ } else {
+ Map result = ServiceUtil.returnSuccess();
+ result.put("hasPermission", Boolean.TRUE);
+ return result;
+ }
+ }
+
+ /**
 * Evaluates permissions for a service.
 * @param dctx DispatchContext from the invoked service
 * @param context Map containing userLogin infromation
 * @return true if all permissions evaluate true.
 */
 public boolean evalPermissions(DispatchContext dctx, Map context) {
+ // old permission checking
 if (this.containsPermissions()) {
 Iterator i = this.permissionGroups.iterator();
 while (i.hasNext()) {
Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelServiceReader.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelServiceReader.java?view=diff&rev=494718&r1=494717&r2=494718
==============================================================================
--- ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelServiceReader.java (original)
+++ ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelServiceReader.java Tue Jan 9 21:29:30 2007
@@ -330,6 +330,7 @@
 // contruct the context
 service.contextInfo = FastMap.newInstance();
+ this.createPermission(serviceElement, service);
 this.createPermGroups(serviceElement, service);
 this.createImplDefs(serviceElement, service);
 this.createAutoAttrDefs(serviceElement, service);
@@ -357,6 +358,15 @@
 return value;
 }
+ protected void createPermission(Element baseElement, ModelService model) {
+ Element e = UtilXml.firstChildElement(baseElement, "permission-service");
+ if (e != null) {
+ model.permissionServiceName = e.getAttribute("service-name");
+ model.permissionMainAction = e.getAttribute("main-action");
+ model.auth = true; // auth is always required when permissions are set
+ }
+ }
+
 protected void createPermGroups(Element baseElement, ModelService model) {
 List permGroups = UtilXml.childElementList(baseElement, "required-permissions");
 Iterator permIter = permGroups.iterator();
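Review bot: The first catch in evalPermission (the `dctx.getModelService` lookup) returns a denial built from `e.getMessage()` without logging anything, while the later `runSync` catch does `Debug.logError(e, module)` — a mistyped `service-name` in the service definition therefore surfaces only as the caller's ServiceAuthException text, which is hard to diagnose and hands raw exception wording to the caller. Add `Debug.logError(e, module);` to the first catch, and consider logging the failMessage in every denial branch while giving the caller a generic message. The identical three-line denial map is built four times; a private helper keeps the fail-closed shape uniform and makes the "permission != null" branch the only place a response is passed through unchanged. The `300` and `true` passed to runSync are hard-coded and undocumented — presumably the transaction timeout and a require-new-transaction flag, confirm and name them. Minor: "infromation" in the two Javadoc `@param context` lines.
```java
/** Builds the fail-closed reply used for every permission-service failure. */
private Map permissionDenied(String failMessage) {
    Map result = ServiceUtil.returnSuccess();
    result.put("hasPermission", Boolean.FALSE);
    result.put("failMessage", failMessage);
    return result;
}

public Map evalPermission(DispatchContext dctx, Map context) {
    // … unchanged: empty permissionServiceName → hasPermission TRUE …
    ModelService permission;
    try {
        permission = dctx.getModelService(this.permissionServiceName);
    } catch (GenericServiceException e) {
        Debug.logError(e, module); // was silent; the caller only saw the message
        return permissionDenied(e.getMessage());
    }
    // … unchanged: makeValid / mainAction / runSync; each failure path returns permissionDenied(...) …
}
```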
@@ -365,15 +375,14 @@
 Element element = (Element) permIter.next();
 ModelPermGroup group = new ModelPermGroup();
 group.joinType = element.getAttribute("join-type");
- createPermissions(element, group, model);
+ createGroupPermissions(element, group, model);
 model.permissionGroups.add(group);
 }
 }
- protected void createPermissions(Element baseElement, ModelPermGroup group, ModelService service) {
+ protected void createGroupPermissions(Element baseElement, ModelPermGroup group, ModelService service) {
 List permElements = UtilXml.childElementList(baseElement, "check-permission");
- List rolePermElements = UtilXml.childElementList(baseElement, "check-role-member");
- List serviceSecurity = UtilXml.childElementList(baseElement, "service-security");
+ List rolePermElements = UtilXml.childElementList(baseElement, "check-role-member");
 // create the simple permissions
 Iterator si = permElements.iterator();
@@ -398,18 +407,6 @@
 ModelPermission perm = new ModelPermission();
 perm.permissionType = ModelPermission.ROLE_MEMBER;
 perm.nameOrRole = element.getAttribute("role-type");
- perm.serviceModel = service;
- group.permissions.add(perm);
- }
-
- // create the custom permissions
- Iterator ci = serviceSecurity.iterator();
- while (ci.hasNext()) {
- Element element = (Element) ci.next();
- ModelPermission perm = new ModelPermission();
- perm.permissionType = ModelPermission.CUSTOM;
- perm.nameOrRole = element.getAttribute("name");
- perm.clazz = element.getAttribute("class");
 perm.serviceModel = service;
 group.permissions.add(perm);
 }
Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ServiceDispatcher.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/ServiceDispatcher.java?view=diff&rev=494718&r1=494717&r2=494718
==============================================================================
--- ofbiz/trunk/framework/service/src/org/ofbiz/service/ServiceDispatcher.java (original)
+++ ofbiz/trunk/framework/service/src/org/ofbiz/service/ServiceDispatcher.java Tue Jan 9 21:29:30 2007
@@ -757,8 +757,23 @@
 // evaluate permissions for the service or throw exception if fail.
 DispatchContext dctx = this.getLocalContext(localName);
- if (!origService.evalPermissions(dctx, context)) {
- throw new ServiceAuthException("You do not have permission to invoke this service");
+ if (UtilValidate.isNotEmpty(origService.permissionServiceName)) {
+ Map permResp = origService.evalPermission(dctx, context);
+ Boolean hasPermission = (Boolean) permResp.get("hasPermission");
+ if (hasPermission.booleanValue()) {
+ context.putAll(permResp);
+ context = origService.makeValid(context, ModelService.IN_PARAM);
+ } else {
+ String message = (String) permResp.get("failMessage");
+ if (UtilValidate.isEmpty(message)) {
+ message = "You do not have permission to invoke this service";
+ }
+ throw new ServiceAuthException(message);
+ }
+ } else {
+ if (!origService.evalPermissions(dctx, context)) {
+ throw new ServiceAuthException("You do not have permission to invoke this service");
+ }
 }
 return context; |
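Review bot: `hasPermission.booleanValue()` dereferences the value unchecked, and evalPermission returns the permission service's response map as-is on success, so a permission service that completes without setting `hasPermission` (or sets a non-Boolean) fails with a NullPointerException or ClassCastException in the dispatcher rather than a denial — unless OUT-parameter validation elsewhere guarantees the key, which this hunk does not show. Fail closed with `if (Boolean.TRUE.equals(permResp.get("hasPermission"))) {`, so an absent or malformed value takes the denial branch. Separately, `context.putAll(permResp)` copies every key of the permission response (including `responseMessage`) over the caller's context before `makeValid` filters it, so a permission-service output named like an IN parameter silently overrides the caller-supplied value; if that is the intent, say so in a comment, otherwise copy only the keys the service expects. The enclosing method starts and ends outside the hunk.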