com.endeca.portal.data.security
Class DefaultMDEXSecurityManager

java.lang.Object
  com.endeca.portal.data.security.DefaultMDEXSecurityManager

All Implemented Interfaces:

MDEXSecurityManager, java.io.Serializable

public class DefaultMDEXSecurityManager
extends java.lang.Object
implements MDEXSecurityManager, java.io.Serializable

This is a simple implementation of MDEXSecurityManager, providing role-based security filters via data source configuration. For a given data source, the following properties can be configured:

• securityEnabled: enabling/disabling security filters on all queries issued to this data source. Default: false
• securityFilters: JSON definition of all security filters to be used by this data source (any extension of QueryFunction)
• rolePermissions: role mappings to the security filters that have been defined for the data source
• rolePermissionsMultiOr: if set to true, users with multiple roles will have role filter-sets logically OR-ed together. Default: false, and multiple role filter-sets are logically AND-ed
• inheritSecurity: enabling/disabling of security filter inheritance, based on data source relationships defined via the parentDataSource property. Default: true if parentDataSource is specified; false otherwise
• parentDataSource: when inheritSecurity is true, this property is used to find all ancestors of each data source being secured; for each data source, the list of security filters to be applied is a combination of all security filters configured for every ancestor data source, plus any found with the data source configuration itself.

In short, this object is stored in session and maintains a map of filter sets that should be applied to each data source for the user. The map is initialized on the first call to the applySecurity(PortletRequest, MDEXState, Query) method.

Author:

Endeca Technologies, Inc.

See Also:

Serialized Form

Field Summary

static java.lang.String	CONFIG_PROPERTY_INHERIT_SECURITY JSON key for toggling security filter inheritance from parents on/off
static java.lang.String	CONFIG_PROPERTY_ROLE_PERMISSIONS JSON key for defining available security roles for filters
static java.lang.String	CONFIG_PROPERTY_ROLE_PERMISSIONS_MULTI_OR JSON key for specifying multiple filters from multiple roles should be logically OR-ed, default false=multi-roles ANDed
static java.lang.String	CONFIG_PROPERTY_SECURITY_ENABLED JSON key for toggling security on/off
static java.lang.String	CONFIG_PROPERTY_SECURITY_FILTERS JSON key for security filters
protected boolean	dirty
protected java.util.Map<java.lang.String,java.util.Set<QueryFunction>>	mdexSecurityFilterMap
protected java.util.Set<com.liferay.portal.model.Role>	userRoles

Constructor Summary

DefaultMDEXSecurityManager()
Default constructor

Method Summary

protected void	addFiltersFromRoles(java.lang.String mdexStateId, org.json.JSONObject securityFilters, org.json.JSONObject rolePermissions, java.util.Set<QueryFunction> mdexQueryFilterSet, boolean logicallyOrMultipleRoles, MDEXState mdexState, javax.portlet.PortletRequest request) Calculates security filters for the user's Roles, and adds them to the Set of current filters.
void	applySecurity(javax.portlet.PortletRequest request, MDEXState mdexState, Query query) See MDEXSecurityManager.applySecurity(PortletRequest, MDEXState, Query)
protected java.util.Set<QueryFunction>	createFilterSetFromJSON(org.json.JSONArray filterRefArray, org.json.JSONObject securityFilters, MDEXState mdexState, javax.portlet.PortletRequest request) Searches a set of JSON object representations of filters identified by name in the provided JSONArray.
protected java.util.Set<com.liferay.portal.model.Role>	getRolesForUser(java.lang.String remoteUser, long companyId, long currentGroupId) Determines the set of roles and Liferay user groups to which the current user belongs.
protected void	init(javax.portlet.PortletRequest request) Initializes an internal map of security filters associated with the user making the request, under any of the following conditions: This is the first time a request is made for the session.
protected void	initMDEXPermissions(MDEXState mdexState, UserSession userSession, javax.portlet.PortletRequest request) Initializes a set of security filters for the provided MDEXState, which is then stored in this security manager's internal map of data source-to-filter mappings for the user.
protected void	initRoleBasedSecurityFilters(MDEXState mdexState, UserSession userSession, javax.portlet.PortletRequest request) Gets a list of role-based security filters for a specified MDEXState.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

dirty

protected transient boolean dirty

CONFIG_PROPERTY_SECURITY_ENABLED

public static final java.lang.String CONFIG_PROPERTY_SECURITY_ENABLED

JSON key for toggling security on/off

See Also:

Constant Field Values

CONFIG_PROPERTY_ROLE_PERMISSIONS

public static final java.lang.String CONFIG_PROPERTY_ROLE_PERMISSIONS

JSON key for defining available security roles for filters

See Also:

Constant Field Values

CONFIG_PROPERTY_ROLE_PERMISSIONS_MULTI_OR

public static final java.lang.String CONFIG_PROPERTY_ROLE_PERMISSIONS_MULTI_OR

JSON key for specifying multiple filters from multiple roles should be logically OR-ed, default false=multi-roles ANDed

See Also:

Constant Field Values

CONFIG_PROPERTY_SECURITY_FILTERS

public static final java.lang.String CONFIG_PROPERTY_SECURITY_FILTERS

JSON key for security filters

See Also:

Constant Field Values

CONFIG_PROPERTY_INHERIT_SECURITY

public static final java.lang.String CONFIG_PROPERTY_INHERIT_SECURITY

JSON key for toggling security filter inheritance from parents on/off

See Also:

Constant Field Values

mdexSecurityFilterMap

protected java.util.Map<java.lang.String,java.util.Set<QueryFunction>> mdexSecurityFilterMap

userRoles

protected transient java.util.Set<com.liferay.portal.model.Role> userRoles

Constructor Detail

DefaultMDEXSecurityManager

public DefaultMDEXSecurityManager()

Default constructor

Method Detail

applySecurity

public void applySecurity(javax.portlet.PortletRequest request,
                          MDEXState mdexState,
                          Query query)
                   throws MDEXSecurityException

See MDEXSecurityManager.applySecurity(PortletRequest, MDEXState, Query)

Specified by:

applySecurity in interface MDEXSecurityManager

Parameters:

request - the PortletRequest

mdexState - the MDEXState object representing the target MDEX and its current state

query - the Query to which security filters should be applied

Throws:

MDEXSecurityException - on error parsing, processing, or applying security

See Also:

Query

init

protected void init(javax.portlet.PortletRequest request)
             throws MDEXSecurityException

Initializes an internal map of security filters associated with the user making the request, under any of the following conditions:

• This is the first time a request is made for the session.
• The user's roles have changed in the portal configuration.
• This session-based object has been de-serialized.

For each MDEXState (data source) defined in the user's session, the #initMDEXPermissions(MDEXState, UserSession) method is called.

Parameters:

request - the PortletRequest

Throws:

MDEXSecurityException

getRolesForUser

protected java.util.Set<com.liferay.portal.model.Role> getRolesForUser(java.lang.String remoteUser,
                                                                       long companyId,
                                                                       long currentGroupId)
                                                                throws java.lang.NumberFormatException,
                                                                       com.liferay.portal.PortalException,
                                                                       com.liferay.portal.SystemException

Determines the set of roles and Liferay user groups to which the current user belongs. Of note is that if the current user is unauthenticated/anonymous, this method will return a single role of "Guest" for that user. This behavior mimics how Liferay works at runtime.

Parameters:

remoteUser - String representing the id of the current user, or null if the user is unauthenticated. This param should be generated by PortletRequest.getRemoteUser().

companyId - the Liferay company id for the current request

Returns:

the set of all roles and user groups to which this user belongs

Throws:

java.lang.NumberFormatException

com.liferay.portal.PortalException

com.liferay.portal.SystemException

initMDEXPermissions

protected void initMDEXPermissions(MDEXState mdexState,
                                   UserSession userSession,
                                   javax.portlet.PortletRequest request)
                            throws MDEXSecurityException

Initializes a set of security filters for the provided MDEXState, which is then stored in this security manager's internal map of data source-to-filter mappings for the user.

Parameters:

mdexState - the MDEXState

userSession - the UserSession instance for this session

Throws:

MDEXSecurityException

initRoleBasedSecurityFilters

protected void initRoleBasedSecurityFilters(MDEXState mdexState,
                                            UserSession userSession,
                                            javax.portlet.PortletRequest request)
                                     throws MDEXSecurityException

Gets a list of role-based security filters for a specified MDEXState. If security is disabled or no security filters are found for the MDEXState, an empty list will be returned. If the "inheritSecurity" property has been specified, this method will be applied recursively to return a combined set of all security filters for the MDEXState and all of its ancestors that have security enabled and security filters defined.

Parameters:

mdexState - the MDEXState

userSession - the UserSession instance for this session

Throws:

MDEXSecurityException

addFiltersFromRoles

protected void addFiltersFromRoles(java.lang.String mdexStateId,
                                   org.json.JSONObject securityFilters,
                                   org.json.JSONObject rolePermissions,
                                   java.util.Set<QueryFunction> mdexQueryFilterSet,
                                   boolean logicallyOrMultipleRoles,
                                   MDEXState mdexState,
                                   javax.portlet.PortletRequest request)
                            throws MDEXSecurityException

Calculates security filters for the user's Roles, and adds them to the Set of current filters. The set passed in may already contain filters from a parent data source, if inheritSecurity is enabled. Inherited parent security filters are always ANDed with filters from the child data source. By default, the following logic applies in the case of multiple security filters:

Filters for this data source are logically ANDed with any filters inherited from a parent data source

Multiple filters for a single Role held by the user are logically ANDed with each other

Filters ensuing from multiple Roles held by the user are ANDed together

The last of these, multi-role filters, may be configured to instead logically OR multiple filter-sets generated through the user obtaining filters from multiple roles. This is done by setting the boolean rolePermissionsMultiOr JSON property to true.

Parameters:

mdexStateId -

securityFilters -

rolePermissions -

mdexQueryFilterSet -

logicallyOrMultipleRoles -

Throws:

MDEXSecurityException

createFilterSetFromJSON

protected java.util.Set<QueryFunction> createFilterSetFromJSON(org.json.JSONArray filterRefArray,
                                                               org.json.JSONObject securityFilters,
                                                               MDEXState mdexState,
                                                               javax.portlet.PortletRequest request)
                                                        throws org.json.JSONException,
                                                               MDEXSecurityException

Searches a set of JSON object representations of filters identified by name in the provided JSONArray. For each of those that match, filter is constructed (anything that implements QueryFunction) and added to the set that will be returned.

JSONArray of names:

 
 ["filter1","filter2"]
 
 

List of security filters:

 
 {
        "filter1": {
                "class":"com.endeca.portal.data.functions.DataSourceFilter",
                "filterString":"Region='Bordeaux' or Region='Burgundy'"
        },
        "filter2": {
                "class":"com.endeca.portal.data.functions.DataSourceFilter",
                "filterString":"Region='Sonoma'"
        }
 }
 
 

Parameters:

filterRefArray - a JSON Array of filter names to look for

securityFilters - a JSON Object storing a list of filters

Returns:

a set of filters

Throws:

org.json.JSONException

MDEXSecurityException