Posted to jetspeed-dev@portals.apache.org by wo...@apache.org on 2007/12/13 12:42:27 UTC

svn commit: r603894 - in /portals/jetspeed-2/branches/JETSPEED-2.1.3/components/security/src: java/org/apache/jetspeed/security/impl/UserManagerImpl.java test/org/apache/jetspeed/security/TestUserManager.java

Author: woonsan
Date: Thu Dec 13 03:42:22 2007
New Revision: 603894

URL: http://svn.apache.org/viewvc?rev=603894&view=rev
Log:
[JS2-21] Missing Security Feature: Check roles assigned to any group to user belongs
Fixed the issue.

Now it conforms to the following requirements:

1. The Role definition in Servlet 2.3 SRV.12.4 (which according to portlet PLT.20.2 also applies for portlets) specifies that a user is in a specific role either when assigned directly to the user or when assigned to a group the user belongs to.
Thus, according to this definition, isUserInRole() should also check the roles assigned to any group the user belongs to.

2. Concerning the following use-case:
assume the 'groovy.psml' has constraints allowing role 'admin' and group 'engineering' to view.
assume the user 'user' is only in group 'accounting' and doesn't have role 'admin'.
assume the group 'accounting' has no roles (initially)
-> the user doesn't get access to the groovy.psml.

Now add role 'admin' to group 'accounting'.
-> the user now has "gets" the role 'admin'
-> the user gets access to the 'groovy.psml'

Modified:
    portals/jetspeed-2/branches/JETSPEED-2.1.3/components/security/src/java/org/apache/jetspeed/security/impl/UserManagerImpl.java
    portals/jetspeed-2/branches/JETSPEED-2.1.3/components/security/src/test/org/apache/jetspeed/security/TestUserManager.java

Modified: portals/jetspeed-2/branches/JETSPEED-2.1.3/components/security/src/java/org/apache/jetspeed/security/impl/UserManagerImpl.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/branches/JETSPEED-2.1.3/components/security/src/java/org/apache/jetspeed/security/impl/UserManagerImpl.java?rev=603894&r1=603893&r2=603894&view=diff
==============================================================================
--- portals/jetspeed-2/branches/JETSPEED-2.1.3/components/security/src/java/org/apache/jetspeed/security/impl/UserManagerImpl.java (original)
+++ portals/jetspeed-2/branches/JETSPEED-2.1.3/components/security/src/java/org/apache/jetspeed/security/impl/UserManagerImpl.java Thu Dec 13 03:42:22 2007
@@ -64,6 +64,12 @@
     private String anonymousUser = "guest";
     private User guest = null;
     
+    /** 
+     * Flag whether the principals's user group matches the user group to which the role has been mapped. (See SRV.12.4) 
+     * If this flag is set to true, roles can be inherited to users via groups.
+     */
+    private boolean rolesInheritableViaGroups = true;
+    
     /**
      * @param securityProvider
      *            The security provider.
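Review bot: The Javadoc on the new `rolesInheritableViaGroups` field does not describe what the flag controls; "whether the principals's user group matches the user group to which the role has been mapped" reads as a condition rather than a switch, and "principals's" is a typo. Since this flag widens the set of roles a Subject carries, its doc should state the effect plainly, e.g. `/** When true, a user's Subject also receives the role principals mapped to the groups the user belongs to (SRV.12.4); when false, only directly assigned roles are included. Defaults to true. */`. The enclosing class continues outside this hunk.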
@@ -154,7 +160,12 @@
     {
         return this.anonymousUser;
     }
-
+    
+    public void setRolesInheritableViaGroups(boolean rolesInheritableViaGroups)
+    {
+        this.rolesInheritableViaGroups = rolesInheritableViaGroups;
+    }
+    
     /**
      * @see org.apache.jetspeed.security.UserManager#authenticate(java.lang.String,
      *      java.lang.String)
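Review bot: `setRolesInheritableViaGroups(boolean)` is added without Javadoc and without a matching getter, so neither configuration nor tests can observe the mode the manager is actually running in. A one-line Javadoc such as `/** Enables or disables inheriting role principals through group membership; see rolesInheritableViaGroups. */` plus `public boolean isRolesInheritableViaGroups() { return this.rolesInheritableViaGroups; }` would make the setting documented and verifiable. Whether this implementation class is wired by a bean container that calls the setter is not visible from the hunk.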
@@ -392,7 +403,18 @@
 
         principals.add(userPrincipal);
         principals.addAll(securityMappingHandler.getRolePrincipals(username));
-        principals.addAll(securityMappingHandler.getGroupPrincipals(username));
+        Set groupPrincipals = securityMappingHandler.getGroupPrincipals(username);
+        principals.addAll(groupPrincipals);
+        
+        if (this.rolesInheritableViaGroups)
+        {
+            for (Iterator it = groupPrincipals.iterator(); it.hasNext(); )
+            {
+                Principal groupPrincipal = (Principal) it.next();
+                Set rolePrincipalsInGroup = securityMappingHandler.getRolePrincipalsInGroup(groupPrincipal.getName());
+                principals.addAll(rolePrincipalsInGroup);
+            }
+        }
 
         Subject subject = null;
         if (getAnonymousUser().equals(username))
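Review bot: `principals.addAll(rolePrincipalsInGroup)` will throw a NullPointerException while building the Subject if `securityMappingHandler.getRolePrincipalsInGroup(...)` can return null for a group with no role mappings; unless the handler contract guarantees a non-null (possibly empty) Set, guard it with `if (rolePrincipalsInGroup != null) { principals.addAll(rolePrincipalsInGroup); }`. Inherited role principals are merged into the same set as directly assigned ones, which is what SRV.12.4 requires, but because `rolesInheritableViaGroups` defaults to true every existing deployment — including the anonymous user whose Subject is built from this same set just below — receives the wider role set as soon as this ships, so the default deserves a mention in the configuration or release notes. The handler is also queried once per group inside the loop; a batched lookup would be cheaper if the handler offers one, which I cannot tell from here. The enclosing method starts and ends outside this hunk.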

Modified: portals/jetspeed-2/branches/JETSPEED-2.1.3/components/security/src/test/org/apache/jetspeed/security/TestUserManager.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/branches/JETSPEED-2.1.3/components/security/src/test/org/apache/jetspeed/security/TestUserManager.java?rev=603894&r1=603893&r2=603894&view=diff
==============================================================================
--- portals/jetspeed-2/branches/JETSPEED-2.1.3/components/security/src/test/org/apache/jetspeed/security/TestUserManager.java (original)
+++ portals/jetspeed-2/branches/JETSPEED-2.1.3/components/security/src/test/org/apache/jetspeed/security/TestUserManager.java Thu Dec 13 03:42:22 2007
@@ -19,7 +19,10 @@
 import java.security.Principal;
 import java.util.Collection;
 import java.util.Iterator;
+import java.util.List;
+import java.util.ArrayList;
 import java.util.prefs.Preferences;
+import java.security.Principal;
 
 import javax.security.auth.Subject;
 import javax.security.auth.login.LoginContext;
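Review bot: The added `import java.security.Principal;` duplicates the one three lines above; the compiler ignores an identical single-type import, but it reads as a paste slip and should be dropped. While touching the block, `java.util.ArrayList` belongs before `java.util.List` to keep the imports sorted.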
@@ -144,6 +147,76 @@
         // Test the User Preferences.
         Preferences preferences = user.getPreferences();
         assertEquals("expected user node == /user/test", "/user/test", preferences.absolutePath());
+        
+        // Test if roles are inheritable to a user via groups
+        try
+        {
+            // If user 'inheritedUser' belongs to group 'inheritingGroup' and group 'group' has role 'assignedRole', then
+            // the role 'assignedRole' can be inherited to the user 'inheritedUser' via group 'inheritingGroup'.
+            
+            ums.addUser("inheritedUser", "password");
+            gms.addGroup("inheritingGroup");
+            gms.addUserToGroup("inheritedUser", "inheritingGroup");
+            rms.addRole("assignedRole");
+            rms.addRoleToGroup("assignedRole", "inheritingGroup");
+            User testUser = ums.getUser("inheritedUser");
+
+            List principalNames = new ArrayList();
+            for (Iterator it = testUser.getSubject().getPrincipals().iterator(); it.hasNext(); )
+            {
+                Principal p = (Principal) it.next();
+                principalNames.add(p.getName());
+            }
+            
+            assertTrue("user is expected to have a user principal named inheritedUser.", principalNames.contains("inheritedUser"));
+            assertTrue("user is expected to have a group principal named inheritingGroup.", principalNames.contains("inheritingGroup"));
+            assertTrue("user is expected to have a role principal named assignedRole which is inherited via the group.", principalNames.contains("assignedRole"));
+            
+            // However, roles from role manager should not contain the role 'assignedRole'
+            // because the role 'assignedRole' is not directly assigned to user 'inheritedUser'.
+            // For example, the Users Admin portlet uses RoleManager to retrieve roles directly assigned to a user.
+            
+            List userRoleNames = new ArrayList();
+            for (Iterator it = rms.getRolesForUser("inheritedUser").iterator(); it.hasNext(); )
+            {
+                Role role = (Role) it.next();
+                userRoleNames.add(role.getPrincipal().getName());
+            }
+            
+            assertFalse("role 'assignedRole' is not expected to be retrieved because the role 'assignedRole' is not directly assigned to user 'inheritedUser'.", userRoleNames.contains("assignedRole"));
+        }
+        catch (SecurityException sex)
+        {
+            assertTrue("failed to test 'rolesInheritableViaGroups' mode in testGetUser(), " + sex, false);
+        }
+        finally
+        {
+            // Cleanup test.
+            try
+            {
+                rms.removeRole("assignedRole");
+            }
+            catch (SecurityException sex)
+            {
+            }
+            
+            try
+            {
+                gms.removeGroup("inheritingGroup");
+            }
+            catch (SecurityException sex)
+            {
+            }
+            
+            try
+            {
+                ums.removeUser("inheritedUser");
+            }
+            catch (SecurityException sex)
+            {
+            }
+        }
+
     }
 
     /**
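Review bot: The new test covers only the default mode; nothing calls `setRolesInheritableViaGroups(false)` and asserts that `assignedRole` is then absent from the Subject, so the opt-out path — the one an operator would rely on to keep the pre-change authorization behaviour — is unverified (this may need a cast to the implementation if `ums` is typed as the interface, which the hunk does not show). `assertTrue("failed to test 'rolesInheritableViaGroups' mode in testGetUser(), " + sex, false)` in the catch is the idiom for `fail("failed to test 'rolesInheritableViaGroups' mode in testGetUser(), " + sex)`. The three empty `catch (SecurityException sex)` blocks in the cleanup swallow errors silently; a comment such as `// best-effort cleanup: the principal may not have been created if an earlier step failed` makes the intent explicit. The comment at the top of the try refers to group 'group' where the code uses 'inheritingGroup'. testGetUser starts outside the hunk.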


