You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jetspeed-dev@portals.apache.org by rw...@apache.org on 2013/04/10 07:02:52 UTC
svn commit: r1466333 - in
/portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src:
main/java/org/apache/jetspeed/om/page/
main/java/org/apache/jetspeed/om/page/impl/
main/java/org/apache/jetspeed/om/page/psml/ test/java/org/apache/jetspee...
Author: rwatler
Date: Wed Apr 10 05:02:51 2013
New Revision: 1466333
URL: http://svn.apache.org/r1466333
Log:
JS2-1281: Implement security constraint reference expressions
Added:
portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/om/page/SecurityConstraintsRefExpression.java
portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/om/page/SecurityConstraintsRefParser.java
portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/om/page/SecurityConstraintsRefToken.java
Modified:
portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/om/page/impl/SecurityConstraintsImpl.java
portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/om/page/psml/SecurityConstraintsImpl.java
portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/test/java/org/apache/jetspeed/page/PageManagerTestShared.java
portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/test/java/org/apache/jetspeed/page/TestSecureCastorXmlPageManager.java
portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/test/java/org/apache/jetspeed/page/TestSecureDatabasePageManager.java
Added: portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/om/page/SecurityConstraintsRefExpression.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/om/page/SecurityConstraintsRefExpression.java?rev=1466333&view=auto
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/om/page/SecurityConstraintsRefExpression.java (added)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/om/page/SecurityConstraintsRefExpression.java Wed Apr 10 05:02:51 2013
@@ -0,0 +1,159 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jetspeed.om.page;
+
+import java.util.Iterator;
+import java.util.List;
+import java.util.Stack;
+
+/**
+ * SecurityConstraintsRefExpression
+ *
+ * @author <a href="mailto:rwatler@apache.org">Randy Watler</a>
+ * @version $Id$
+ */
+public class SecurityConstraintsRefExpression
+{
+ private String constraintsRef;
+ private List constraintsRefTokens;
+
+ SecurityConstraintsRefExpression(String constraintsRef, List constraintsRefTokens)
+ {
+ this.constraintsRef = constraintsRef;
+ this.constraintsRefTokens = constraintsRefTokens;
+ }
+
+ /**
+ * Check expression against action and principals. The security
+ * constraints and embedded logical operations are evaluated and
+ * the resulting permission is returned.
+ *
+ * @param action check action
+ * @param userPrincipals check user principals
+ * @param rolePrincipals check role principals
+ * @param groupPrincipals check group principals
+ * @return flag indicating permission grant
+ * @throws RuntimeException if expression evaluation error occurs
+ */
+ public boolean checkExpression(String action, List userPrincipals, List rolePrincipals, List groupPrincipals)
+ {
+ // evaluate postfix constraints ref tokens
+ Stack operandsStack = new Stack();
+ Iterator constraintsRefTokensIter = constraintsRefTokens.iterator();
+ while (constraintsRefTokensIter.hasNext())
+ {
+ SecurityConstraintsRefToken token = (SecurityConstraintsRefToken)constraintsRefTokensIter.next();
+ String tokenOperation = token.getOperation();
+ if (tokenOperation != null)
+ {
+ if (tokenOperation.equals(SecurityConstraintsRefToken.NOT_OPERATION))
+ {
+ if (operandsStack.size() >= 1)
+ {
+ boolean operand = ((Boolean)operandsStack.pop()).booleanValue();
+ operand = !operand;
+ operandsStack.push(new Boolean(operand));
+ }
+ else
+ {
+ throw new RuntimeException("Missing NOT expression operand in \""+constraintsRef+"\"");
+ }
+ }
+ else if (tokenOperation.equals(SecurityConstraintsRefToken.AND_OPERATION))
+ {
+ if (operandsStack.size() >= 2)
+ {
+ boolean operand0 = ((Boolean)operandsStack.pop()).booleanValue();
+ boolean operand1 = ((Boolean)operandsStack.pop()).booleanValue();
+ boolean operand = (operand0 && operand1);
+ operandsStack.push(new Boolean(operand));
+ }
+ else
+ {
+ throw new RuntimeException("Missing AND expression operand in \""+constraintsRef+"\"");
+ }
+ }
+ else if (tokenOperation.equals(SecurityConstraintsRefToken.OR_OPERATION))
+ {
+ if (operandsStack.size() >= 2)
+ {
+ boolean operand0 = ((Boolean)operandsStack.pop()).booleanValue();
+ boolean operand1 = ((Boolean)operandsStack.pop()).booleanValue();
+ boolean operand = (operand0 || operand1);
+ operandsStack.push(new Boolean(operand));
+ }
+ else
+ {
+ throw new RuntimeException("Missing OR expression operand in \""+constraintsRef+"\"");
+ }
+ }
+ else
+ {
+ throw new RuntimeException("Unexpected expression operator "+tokenOperation+" in \""+constraintsRef+"\"");
+ }
+ }
+ else if (token.getConstraint() != null)
+ {
+ // evaluate security constraint operand and place on stack
+ boolean operand = checkExpressionConstraint(action, userPrincipals, rolePrincipals, groupPrincipals, token.getConstraint());
+ operandsStack.push(new Boolean(operand));
+ }
+ else
+ {
+ throw new RuntimeException("Unexpected expression token in \""+constraintsRef+"\"");
+ }
+ }
+
+ // return single operand left on stack
+ if (operandsStack.size() == 1)
+ {
+ return ((Boolean)operandsStack.pop()).booleanValue();
+ }
+ else
+ {
+ throw new RuntimeException("Unexpected expression operand in \""+constraintsRef+"\"");
+ }
+ }
+
+ /**
+ * Check expression constraint against action and principals. Note that
+ * expression constraints without permissions, denials, are treated as
+ * simply negative grants: they do not necessarily imply the expression
+ * check will fail as they do when specified or referenced as security
+ * constraints proper.
+ *
+ * @param action check action
+ * @param userPrincipals check user principals
+ * @param rolePrincipals check role principals
+ * @param groupPrincipals check group principals
+ * @param constraint check constraint
+ * @return flag indicating permission grant
+ */
+ private boolean checkExpressionConstraint(String action, List userPrincipals, List rolePrincipals, List groupPrincipals, SecurityConstraintImpl constraint)
+ {
+ if (constraint.getPermissions() != null)
+ {
+ // permitted if action matches permissions and user/role/group match principals
+ return (constraint.actionMatch(action) && constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, true));
+ }
+ else
+ {
+ // permissions not specified: not permitted if any principal matched
+ return !constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, false);
+ }
+ }
+}
Added: portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/om/page/SecurityConstraintsRefParser.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/om/page/SecurityConstraintsRefParser.java?rev=1466333&view=auto
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/om/page/SecurityConstraintsRefParser.java (added)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/om/page/SecurityConstraintsRefParser.java Wed Apr 10 05:02:51 2013
@@ -0,0 +1,290 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jetspeed.om.page;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Stack;
+
+/**
+ * SecurityConstraintsRefParser
+ *
+ * @author <a href="mailto:rwatler@apache.org">Randy Watler</a>
+ * @version $Id$
+ */
+public class SecurityConstraintsRefParser
+{
+ public static final String OPEN_PAREN = "(";
+ public static final String CLOSE_PAREN = ")";
+ public static final String NOT_OPERATION = SecurityConstraintsRefToken.NOT_OPERATION;
+ public static final String AND_OPERATION = SecurityConstraintsRefToken.AND_OPERATION;
+ public static final String OR_OPERATION = SecurityConstraintsRefToken.OR_OPERATION;
+
+ /**
+ * Parse security constraints reference string. If the reference contains an infix logical
+ * expression, return a security constraints reference expression. Otherwise, return a
+ * list of security constraints from reference.
+ *
+ * @param constraintsRef constraints reference name or infix expression
+ * @param pageSecurity page security context
+ * @return security constraints reference expression or list of security constraints
+ * @throws RuntimeException if expression parsing error occurs
+ */
+ public static Object parse(String constraintsRef, PageSecurity pageSecurity)
+ {
+ // parse infix constraints ref expression into postfix tokens
+ List postfixTokens = parseConstraintsRef(constraintsRef);
+ if (postfixTokens.isEmpty())
+ {
+ return null;
+ }
+
+ // single reference expression check
+ if (postfixTokens.size() == 1) {
+ String postfixToken = (String)postfixTokens.get(0);
+ if (!postfixToken.equals(AND_OPERATION) && !postfixToken.equals(OR_OPERATION) && !postfixToken.equals(NOT_OPERATION))
+ {
+ // return definition security constraints
+ SecurityConstraintsDef securityConstraintsDef = pageSecurity.getSecurityConstraintsDef(postfixToken);
+ if ((securityConstraintsDef != null) && (securityConstraintsDef.getSecurityConstraints() != null))
+ {
+ return new ArrayList(securityConstraintsDef.getSecurityConstraints());
+ }
+ return null;
+ }
+ }
+
+ // convert postfix expression tokens into constraints reference tokens
+ List constraintsRefTokens = new ArrayList();
+ Iterator postfixTokensIter = postfixTokens.iterator();
+ while (postfixTokensIter.hasNext()) {
+ String postfixToken = (String)postfixTokensIter.next();
+ if (postfixToken.equals(AND_OPERATION) || postfixToken.equals(OR_OPERATION) || postfixToken.equals(NOT_OPERATION))
+ {
+ // postfix operation
+ constraintsRefTokens.add(new SecurityConstraintsRefToken(postfixToken));
+ }
+ else
+ {
+ // postfix security constraints reference
+ SecurityConstraintsDef securityConstraintsDef = pageSecurity.getSecurityConstraintsDef(postfixToken);
+ if ((securityConstraintsDef != null) && (securityConstraintsDef.getSecurityConstraints() != null))
+ {
+ // multiple security constraints within an expression are treated as an
+ // implicit "or": insert these as a postfix "or" sub expression
+ boolean multipleConstraintsOrExpression = false;
+ Iterator securityConstraintIter = securityConstraintsDef.getSecurityConstraints().iterator();
+ while (securityConstraintIter.hasNext())
+ {
+ // postfix security constraint
+ SecurityConstraintImpl securityConstraint = (SecurityConstraintImpl)securityConstraintIter.next();
+ constraintsRefTokens.add(new SecurityConstraintsRefToken(postfixToken, securityConstraint));
+ if (multipleConstraintsOrExpression)
+ {
+ // multiple security constraints postfix "or" operation
+ constraintsRefTokens.add(new SecurityConstraintsRefToken(OR_OPERATION));
+ }
+ else
+ {
+ multipleConstraintsOrExpression = true;
+ }
+ }
+ }
+ else
+ {
+ throw new RuntimeException("Unable to find security constraints reference "+postfixToken+" in \""+constraintsRef+"\"");
+ }
+ }
+ }
+
+ // return security constraints reference expression
+ return new SecurityConstraintsRefExpression(constraintsRef, constraintsRefTokens);
+ }
+
+ /**
+ * Parse infix expression security constraints reference string into postfix
+ * expression token strings.
+ *
+ * @param constraintsRef constraints reference name or infix expression
+ * @return list of postfix expression token strings.
+ * @throws RuntimeException if expression parsing error occurs
+ */
+ static List parseConstraintsRef(String constraintsRef)
+ {
+ List postfixTokens = new ArrayList();
+ Stack infixToPostfixStack = new Stack();
+ int tokenIndex = -1;
+ boolean token = false;
+ int parseIndex = 0;
+ int parseLimit = constraintsRef.length();
+ while (parseIndex < parseLimit)
+ {
+ char parseChar = constraintsRef.charAt(parseIndex);
+ if (token && !(Character.isJavaIdentifierPart(parseChar) || (parseChar == '-') || (parseChar == '.')))
+ {
+ infixToPostfix(constraintsRef, constraintsRef.substring(tokenIndex, parseIndex), parseIndex, infixToPostfixStack, postfixTokens);
+ token = false;
+ }
+ if (!token)
+ {
+ if (Character.isJavaIdentifierStart(parseChar))
+ {
+ tokenIndex = parseIndex;
+ token = true;
+ }
+ else if ((parseChar == '(') || (parseChar == ')') || (parseChar == '!'))
+ {
+ infixToPostfix(constraintsRef, constraintsRef.substring(parseIndex, parseIndex+1), parseIndex, infixToPostfixStack, postfixTokens);
+ }
+ else if (((parseChar == '&') || (parseChar == '|')) && (parseIndex+1 < parseLimit) && (constraintsRef.charAt(parseIndex+1) == parseChar))
+ {
+ infixToPostfix(constraintsRef, constraintsRef.substring(parseIndex, parseIndex+2), parseIndex, infixToPostfixStack, postfixTokens);
+ parseIndex++;
+ }
+ else if (!Character.isWhitespace(parseChar))
+ {
+ throw new RuntimeException("Illegal character '"+parseChar+"' at position "+parseIndex+" in \""+constraintsRef+"\"");
+ }
+ }
+ parseIndex++;
+ }
+ if (token)
+ {
+ infixToPostfix(constraintsRef, constraintsRef.substring(tokenIndex), parseIndex, infixToPostfixStack, postfixTokens);
+ }
+ infixToPostfix(constraintsRef, null, parseIndex, infixToPostfixStack, postfixTokens);
+ return postfixTokens;
+ }
+
+ /**
+ * Logical operator precedence map.
+ */
+ private static final Map OPERATOR_PRECEDENCE = new HashMap();
+ static
+ {
+ OPERATOR_PRECEDENCE.put(NOT_OPERATION, new Integer(2));
+ OPERATOR_PRECEDENCE.put(AND_OPERATION, new Integer(1));
+ OPERATOR_PRECEDENCE.put(OR_OPERATION, new Integer(0));
+ }
+
+ /**
+ * Process infix expression tokens into a postfix expression token list.
+ *
+ * @param expression infix expression
+ * @param token infix expression token or null to indicate end of expression
+ * @param parseIndex index of token in expression for error messages
+ * @param stack infix to postfix operations stack
+ * @param postfixTokens postfix expression tokens
+ */
+ private static void infixToPostfix(String expression, String token, int parseIndex, Stack stack, List postfixTokens)
+ {
+ // null token: end expression infix to postfix operation conversion
+ if (token == null)
+ {
+ if (!stack.empty())
+ {
+ String peek = (String)stack.peek();
+ while (!peek.equals(OPEN_PAREN))
+ {
+ postfixTokens.add(stack.pop());
+ if (stack.empty())
+ {
+ break;
+ }
+ peek = (String)stack.peek();
+ }
+ if (peek.equals(OPEN_PAREN))
+ {
+ throw new RuntimeException("Missing paren at position "+parseIndex+" in \""+expression+"\"");
+ }
+ }
+ return;
+ }
+ // open paren: begin sub expression
+ if (token.equals(OPEN_PAREN))
+ {
+ stack.push(token);
+ return;
+ }
+ // close paren: end sub expression infix to postfix operation conversion
+ if (token.equals(CLOSE_PAREN))
+ {
+ boolean matchedParen = false;
+ if (!stack.empty())
+ {
+ String peek = (String)stack.peek();
+ while (!peek.equals(OPEN_PAREN))
+ {
+ postfixTokens.add(stack.pop());
+ if (stack.empty())
+ {
+ break;
+ }
+ peek = (String)stack.peek();
+ }
+ if (peek.equals(OPEN_PAREN))
+ {
+ stack.pop();
+ matchedParen = true;
+ }
+ }
+ if (!matchedParen)
+ {
+ throw new RuntimeException("Mismatched paren at position "+parseIndex+" in \""+expression+"\"");
+ }
+ return;
+ }
+ // map operation tokens
+ if (token.equals("&&") || (token.equalsIgnoreCase(AND_OPERATION) && !token.equals(AND_OPERATION)))
+ {
+ token = AND_OPERATION;
+ }
+ else if (token.equals("||") || (token.equalsIgnoreCase(OR_OPERATION) && !token.equals(OR_OPERATION)))
+ {
+ token = OR_OPERATION;
+ }
+ else if (token.equals("!") || (token.equalsIgnoreCase(NOT_OPERATION) && !token.equals(NOT_OPERATION)))
+ {
+ token = NOT_OPERATION;
+ }
+ // push non-operation tokens
+ Integer operatorPrecedence = (Integer)OPERATOR_PRECEDENCE.get(token);
+ if (operatorPrecedence == null)
+ {
+ postfixTokens.add(token);
+ return;
+ }
+ // infix to postfix operation conversion
+ if (!stack.empty())
+ {
+ String peek = (String)stack.peek();
+ while (!peek.equals(OPEN_PAREN) && (((Integer)OPERATOR_PRECEDENCE.get(peek)).intValue() >= operatorPrecedence.intValue()))
+ {
+ postfixTokens.add(stack.pop());
+ if (stack.empty())
+ {
+ break;
+ }
+ peek = (String)stack.peek();
+ }
+ }
+ stack.push(token);
+ }
+}
Added: portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/om/page/SecurityConstraintsRefToken.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/om/page/SecurityConstraintsRefToken.java?rev=1466333&view=auto
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/om/page/SecurityConstraintsRefToken.java (added)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/om/page/SecurityConstraintsRefToken.java Wed Apr 10 05:02:51 2013
@@ -0,0 +1,60 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jetspeed.om.page;
+
+/**
+ * SecurityConstraintsRefToken
+ *
+ * @author <a href="mailto:rwatler@apache.org">Randy Watler</a>
+ * @version $Id$
+ */
+class SecurityConstraintsRefToken
+{
+ public static final String NOT_OPERATION = "not";
+ public static final String AND_OPERATION = "and";
+ public static final String OR_OPERATION = "or";
+
+ private String operation;
+ private String constraintsRef;
+ private SecurityConstraintImpl constraint;
+
+ SecurityConstraintsRefToken(String operation)
+ {
+ this.operation = operation;
+ }
+
+ SecurityConstraintsRefToken(String constraintsRef, SecurityConstraintImpl constraint)
+ {
+ this.constraintsRef = constraintsRef;
+ this.constraint = constraint;
+ }
+
+ public String getOperation()
+ {
+ return operation;
+ }
+
+ public String getConstraintsRef()
+ {
+ return constraintsRef;
+ }
+
+ public SecurityConstraintImpl getConstraint()
+ {
+ return constraint;
+ }
+}
Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/om/page/impl/SecurityConstraintsImpl.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/om/page/impl/SecurityConstraintsImpl.java?rev=1466333&r1=1466332&r2=1466333&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/om/page/impl/SecurityConstraintsImpl.java (original)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/om/page/impl/SecurityConstraintsImpl.java Wed Apr 10 05:02:51 2013
@@ -16,14 +16,18 @@
*/
package org.apache.jetspeed.om.page.impl;
-import java.util.Iterator;
-import java.util.List;
-
import org.apache.jetspeed.om.common.SecurityConstraints;
import org.apache.jetspeed.om.page.PageSecurity;
import org.apache.jetspeed.om.page.SecurityConstraintImpl;
-import org.apache.jetspeed.om.page.SecurityConstraintsDef;
+import org.apache.jetspeed.om.page.SecurityConstraintsRefExpression;
+import org.apache.jetspeed.om.page.SecurityConstraintsRefParser;
import org.apache.jetspeed.page.impl.DatabasePageManagerUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.List;
/**
* SecurityConstraintsImpl
@@ -33,6 +37,8 @@ import org.apache.jetspeed.page.impl.Dat
*/
public class SecurityConstraintsImpl implements SecurityConstraints
{
+ private final static Logger log = LoggerFactory.getLogger(SecurityConstraintsImpl.class);
+
private String owner;
private List constraints;
private List constraintsRefs;
@@ -120,72 +126,100 @@ public class SecurityConstraintsImpl imp
return;
}
- // skip missing or empty constraints: permit all access
- List checkConstraints = getAllSecurityConstraints(pageSecurity);
- if ((checkConstraints != null) && !checkConstraints.isEmpty())
- {
- // test each action, constraints check passes only
- // if all actions are permitted for principals
- Iterator actionsIter = actions.iterator();
- while (actionsIter.hasNext())
+ try
+ {
+ // skip missing or empty constraints: permit all access
+ List checkConstraints = getAllSecurityConstraints(pageSecurity);
+ if ((checkConstraints != null) && !checkConstraints.isEmpty())
{
- // check each action:
- // - if any actions explicity permitted, (including owner),
- // assume no permissions are permitted by default
- // - if all constraints do not specify a permission, assume
- // access is permitted by default
- String action = (String)actionsIter.next();
- boolean actionPermitted = false;
- boolean actionNotPermitted = false;
- boolean anyActionsPermitted = (getOwner() != null);
-
- // check against constraints
- Iterator checkConstraintsIter = checkConstraints.iterator();
- while (checkConstraintsIter.hasNext())
+ // test each action, constraints check passes only
+ // if all actions are permitted for principals
+ Iterator actionsIter = actions.iterator();
+ while (actionsIter.hasNext())
{
- SecurityConstraintImpl constraint = (SecurityConstraintImpl)checkConstraintsIter.next();
-
- // if permissions specified, attempt to match constraint
- if (constraint.getPermissions() != null)
+ // check each action:
+ // - if any actions explicitly permitted, (including owner),
+ // assume no permissions are permitted by default
+ // - if all constraints do not specify a permission or an
+ // expression, assume access is permitted by default
+ String action = (String)actionsIter.next();
+ boolean actionPermitted = false;
+ boolean actionNotPermitted = false;
+ boolean anyActionsPermitted = (getOwner() != null);
+
+ // check against constraints and constraint ref expressions
+ Iterator checkConstraintsIter = checkConstraints.iterator();
+ while (checkConstraintsIter.hasNext())
{
- // explicit actions permitted
- anyActionsPermitted = true;
+ Object constraintOrExpression = checkConstraintsIter.next();
+ if (constraintOrExpression instanceof SecurityConstraintImpl)
+ {
+ // check constraint
+ SecurityConstraintImpl constraint = (SecurityConstraintImpl)constraintOrExpression;
- // test action permission match and user/role/group principal match
- if (constraint.actionMatch(action) &&
- constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, true))
+ // if permissions specified, attempt to match constraint
+ if (constraint.getPermissions() != null)
+ {
+ // explicit actions permitted
+ anyActionsPermitted = true;
+
+ // test action permission match and user/role/group principal match
+ if (constraint.actionMatch(action) &&
+ constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, true))
+ {
+ actionPermitted = true;
+ break;
+ }
+ }
+ else
+ {
+ // permissions not specified: not permitted if any principal matched
+ if (constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, false))
+ {
+ actionNotPermitted = true;
+ break;
+ }
+ }
+ }
+ else if (constraintOrExpression instanceof SecurityConstraintsRefExpression)
{
- actionPermitted = true;
- break;
+ // check expression
+ SecurityConstraintsRefExpression expression = (SecurityConstraintsRefExpression)constraintOrExpression;
+
+ // assume actions are permitted in expression
+ anyActionsPermitted = true;
+
+ // check expression with action permission and user/role/group principals
+ if (expression.checkExpression(action, userPrincipals, rolePrincipals, groupPrincipals))
+ {
+ actionPermitted = true;
+ break;
+ }
}
}
- else
+
+ // fail if any action not permitted
+ if ((!actionPermitted && anyActionsPermitted) || actionNotPermitted)
{
- // permissions not specified: not permitted if any principal matched
- if (constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, false))
- {
- actionNotPermitted = true;
- break;
- }
+ throw new SecurityException("SecurityConstraintsImpl.checkConstraints(): Access for " + action + " not permitted.");
}
}
-
- // fail if any action not permitted
- if ((!actionPermitted && anyActionsPermitted) || actionNotPermitted)
+ }
+ else
+ {
+ // fail for any action if owner specified
+ // since no other constraints were found
+ if ((getOwner() != null) && !actions.isEmpty())
{
- throw new SecurityException("SecurityConstraintsImpl.checkConstraints(): Access for " + action + " not permitted.");
+ String action = (String)actions.get(0);
+ throw new SecurityException("SecurityConstraintsImpl.checkConstraints(): Access for " + action + " not permitted, (not owner).");
}
}
}
- else
+ catch (Exception e)
{
- // fail for any action if owner specified
- // since no other constraints were found
- if ((getOwner() != null) && !actions.isEmpty())
- {
- String action = (String)actions.get(0);
- throw new SecurityException("SecurityConstraintsImpl.checkConstraints(): Access for " + action + " not permitted, (not owner).");
- }
+ log.error("Security constraints check exception: "+e);
+ throw new SecurityException("SecurityConstraintsImpl.checkConstraints(): Exception detected: "+e);
}
}
@@ -202,7 +236,8 @@ public class SecurityConstraintsImpl imp
* getAllSecurityConstraints
*
* @param pageSecurity page security definitions
- * @return all security constraints
+ * @return all security constraints and constraints ref expressions
+ * @throws RuntimeException if expression parsing error occurs
*/
private synchronized List getAllSecurityConstraints(PageSecurity pageSecurity)
{
@@ -213,12 +248,12 @@ public class SecurityConstraintsImpl imp
}
// construct new ordered security constraints list
- allConstraints = DatabasePageManagerUtils.createList();
+ List newAllConstraints = new ArrayList();
// add any defined security constraints
if ((getSecurityConstraints() != null) && !getSecurityConstraints().isEmpty())
{
- allConstraints.addAll(securityConstraints);
+ newAllConstraints.addAll(securityConstraints);
}
// add any security constraints references
@@ -227,11 +262,11 @@ public class SecurityConstraintsImpl imp
List referencedConstraints = dereferenceSecurityConstraintsRefs(getSecurityConstraintsRefs(), pageSecurity);
if (referencedConstraints != null)
{
- allConstraints.addAll(referencedConstraints);
+ newAllConstraints.addAll(referencedConstraints);
}
}
- // add any global decurity constraints references
+ // add any global security constraints references
if (pageSecurity != null)
{
List globalConstraintsRefs = pageSecurity.getGlobalSecurityConstraintsRefs();
@@ -240,12 +275,12 @@ public class SecurityConstraintsImpl imp
List referencedConstraints = dereferenceSecurityConstraintsRefs(globalConstraintsRefs, pageSecurity);
if (referencedConstraints != null)
{
- allConstraints.addAll(referencedConstraints);
+ newAllConstraints.addAll(referencedConstraints);
}
}
}
-
- return allConstraints;
+
+ return allConstraints = newAllConstraints;
}
/**
@@ -260,9 +295,10 @@ public class SecurityConstraintsImpl imp
/**
* dereferenceSecurityConstraintsRefs
*
- * @param constraintsRefs contstraints references to be dereferenced
+ * @param constraintsRefs constraints references to be dereferenced
* @param pageSecurity page security definitions
- * @return security constraints
+ * @return security constraints and constraints ref expressions
+ * @throws RuntimeException if expression parsing error occurs
*/
private List dereferenceSecurityConstraintsRefs(List constraintsRefs, PageSecurity pageSecurity)
{
@@ -274,17 +310,34 @@ public class SecurityConstraintsImpl imp
while (constraintsRefsIter.hasNext())
{
String constraintsRef = (String)constraintsRefsIter.next();
- SecurityConstraintsDef securityConstraintsDef = pageSecurity.getSecurityConstraintsDef(constraintsRef);
- if ((securityConstraintsDef != null) && (securityConstraintsDef.getSecurityConstraints() != null))
+ // parse constraints ref and return constraints/constraints ref expressions
+ Object constraintsOrExpression = SecurityConstraintsRefParser.parse(constraintsRef, pageSecurity);
+ if (constraintsOrExpression instanceof List)
{
if (constraints == null)
{
- constraints = DatabasePageManagerUtils.createList();
+ constraints = new ArrayList();
}
- constraints.addAll(securityConstraintsDef.getSecurityConstraints());
+ constraints.addAll((List)constraintsOrExpression);
+ }
+ else if (constraintsOrExpression instanceof SecurityConstraintsRefExpression)
+ {
+ if (constraints == null)
+ {
+ constraints = new ArrayList();
+ }
+ constraints.add(constraintsOrExpression);
+ }
+ else if (constraintsOrExpression != null)
+ {
+ throw new RuntimeException("Unexpected security constraints ref parser result");
}
}
}
+ else
+ {
+ throw new RuntimeException("Page security definitions not available");
+ }
return constraints;
}
Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/om/page/psml/SecurityConstraintsImpl.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/om/page/psml/SecurityConstraintsImpl.java?rev=1466333&r1=1466332&r2=1466333&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/om/page/psml/SecurityConstraintsImpl.java (original)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/main/java/org/apache/jetspeed/om/page/psml/SecurityConstraintsImpl.java Wed Apr 10 05:02:51 2013
@@ -16,18 +16,19 @@
*/
package org.apache.jetspeed.om.page.psml;
+import org.apache.jetspeed.om.common.SecurityConstraints;
+import org.apache.jetspeed.om.page.PageSecurity;
+import org.apache.jetspeed.om.page.SecurityConstraintImpl;
+import org.apache.jetspeed.om.page.SecurityConstraintsRefExpression;
+import org.apache.jetspeed.om.page.SecurityConstraintsRefParser;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.apache.jetspeed.om.common.SecurityConstraints;
-import org.apache.jetspeed.om.page.PageSecurity;
-import org.apache.jetspeed.om.page.SecurityConstraintImpl;
-import org.apache.jetspeed.om.page.SecurityConstraintsDef;
-
/**
* <p>
* SecurityConstraintsImpl
@@ -171,63 +172,101 @@ public class SecurityConstraintsImpl imp
return;
}
- // skip missing or empty constraints: permit all access
- List checkConstraints = getAllSecurityConstraints(pageSecurity);
- if ((checkConstraints != null) && !checkConstraints.isEmpty())
+ try
{
- // test each action, constraints check passes only
- // if all actions are permitted for principals
- Iterator actionsIter = actions.iterator();
- while (actionsIter.hasNext())
+ // skip missing or empty constraints: permit all access
+ List checkConstraints = getAllSecurityConstraints(pageSecurity);
+ if ((checkConstraints != null) && !checkConstraints.isEmpty())
{
- // check each action:
- // - if any actions explicity permitted, assume no permissions
- // are permitted by default
- // - if all constraints do not specify a permission, assume
- // access is permitted by default
- String action = (String)actionsIter.next();
- boolean actionPermitted = false;
- boolean actionNotPermitted = false;
- boolean anyActionsPermitted = false;
-
- // check against constraints
- Iterator checkConstraintsIter = checkConstraints.iterator();
- while (checkConstraintsIter.hasNext())
+ // test each action, constraints check passes only
+ // if all actions are permitted for principals
+ Iterator actionsIter = actions.iterator();
+ while (actionsIter.hasNext())
{
- SecurityConstraintImpl constraint = (SecurityConstraintImpl)checkConstraintsIter.next();
-
- // if permissions specified, attempt to match constraint
- if (constraint.getPermissions() != null)
+ // check each action:
+ // - if any actions explicitly permitted, (including owner),
+ // assume no permissions are permitted by default
+ // - if all constraints do not specify a permission or an
+ // expression, assume access is permitted by default
+ String action = (String)actionsIter.next();
+ boolean actionPermitted = false;
+ boolean actionNotPermitted = false;
+ boolean anyActionsPermitted = (getOwner() != null);
+
+ // check against constraints and constraint ref expressions
+ Iterator checkConstraintsIter = checkConstraints.iterator();
+ while (checkConstraintsIter.hasNext())
{
- // explicit actions permitted
- anyActionsPermitted = true;
+ Object constraintOrExpression = checkConstraintsIter.next();
+ if (constraintOrExpression instanceof SecurityConstraintImpl)
+ {
+ // check constraint
+ SecurityConstraintImpl constraint = (SecurityConstraintImpl)constraintOrExpression;
- // test action permission match and user/role/group principal match
- if (constraint.actionMatch(action) &&
- constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, true))
+ // if permissions specified, attempt to match constraint
+ if (constraint.getPermissions() != null)
+ {
+ // explicit actions permitted
+ anyActionsPermitted = true;
+
+ // test action permission match and user/role/group principal match
+ if (constraint.actionMatch(action) &&
+ constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, true))
+ {
+ actionPermitted = true;
+ break;
+ }
+ }
+ else
+ {
+ // permissions not specified: not permitted if any principal matched
+ if (constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, false))
+ {
+ actionNotPermitted = true;
+ break;
+ }
+ }
+ }
+ else if (constraintOrExpression instanceof SecurityConstraintsRefExpression)
{
- actionPermitted = true;
- break;
+ // check expression
+ SecurityConstraintsRefExpression expression = (SecurityConstraintsRefExpression)constraintOrExpression;
+
+ // assume actions are permitted in expression
+ anyActionsPermitted = true;
+
+ // check expression with action permission and user/role/group principals
+ if (expression.checkExpression(action, userPrincipals, rolePrincipals, groupPrincipals))
+ {
+ actionPermitted = true;
+ break;
+ }
}
}
- else
+
+ // fail if any action not permitted
+ if ((!actionPermitted && anyActionsPermitted) || actionNotPermitted)
{
- // permissions not specified: not permitted if any principal matched
- if (constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, false))
- {
- actionNotPermitted = true;
- break;
- }
+ throw new SecurityException("SecurityConstraintsImpl.checkConstraints(): Access for " + action + " not permitted.");
}
}
-
- // fail if any action not permitted
- if ((!actionPermitted && anyActionsPermitted) || actionNotPermitted)
+ }
+ else
+ {
+ // fail for any action if owner specified
+ // since no other constraints were found
+ if ((getOwner() != null) && !actions.isEmpty())
{
- throw new SecurityException("SecurityConstraintsImpl.checkConstraints(): Access for " + action + " not permitted.");
+ String action = (String)actions.get(0);
+ throw new SecurityException("SecurityConstraintsImpl.checkConstraints(): Access for " + action + " not permitted, (not owner).");
}
}
}
+ catch (Exception e)
+ {
+ log.error("Security constraints check exception: "+e);
+ throw new SecurityException("SecurityConstraintsImpl.checkConstraints(): Exception detected: "+e);
+ }
}
/**
@@ -236,7 +275,8 @@ public class SecurityConstraintsImpl imp
* </p>
*
* @param pageSecurity
- * @return all security constraints
+ * @return all security constraints and constraints ref expressions
+ * @throws RuntimeException if expression parsing error occurs
*/
private synchronized List getAllSecurityConstraints(PageSecurity pageSecurity)
{
@@ -248,12 +288,12 @@ public class SecurityConstraintsImpl imp
}
// construct new ordered security constraints list
- allConstraints = Collections.synchronizedList(new ArrayList(8));
+ List newAllConstraints = new ArrayList();
// add any defined security constraints
if (constraints != null)
{
- allConstraints.addAll(constraints);
+ newAllConstraints.addAll(constraints);
}
// add any security constraints references
@@ -262,7 +302,7 @@ public class SecurityConstraintsImpl imp
List referencedConstraints = dereferenceSecurityConstraintsRefs(constraintsRefs, pageSecurity);
if (referencedConstraints != null)
{
- allConstraints.addAll(referencedConstraints);
+ newAllConstraints.addAll(referencedConstraints);
}
}
@@ -275,12 +315,12 @@ public class SecurityConstraintsImpl imp
List referencedConstraints = dereferenceSecurityConstraintsRefs(globalConstraintsRefs, pageSecurity);
if (referencedConstraints != null)
{
- allConstraints.addAll(referencedConstraints);
+ newAllConstraints.addAll(referencedConstraints);
}
}
}
- return allConstraints;
+ return allConstraints = newAllConstraints;
}
/**
@@ -288,14 +328,15 @@ public class SecurityConstraintsImpl imp
* dereferenceSecurityConstraintsRefs
* </p>
*
- * @param constraintsRefs
- * @param pageSecurity
- * @return security constraints
+ * @param constraintsRefs constraints references to be dereferenced
+ * @param pageSecurity page security definitions
+ * @return security constraints and constraints ref expressions
+ * @throws RuntimeException if expression parsing error occurs
*/
private List dereferenceSecurityConstraintsRefs(List constraintsRefs, PageSecurity pageSecurity)
{
// access security document to dereference security
- // constriants definitions
+ // constraints definitions
List constraints = null;
if (pageSecurity != null)
{
@@ -304,26 +345,34 @@ public class SecurityConstraintsImpl imp
while (constraintsRefsIter.hasNext())
{
String constraintsRef = (String)constraintsRefsIter.next();
- SecurityConstraintsDef securityConstraintsDef = pageSecurity.getSecurityConstraintsDef(constraintsRef);
- if ((securityConstraintsDef != null) && (securityConstraintsDef.getSecurityConstraints() != null))
+ // parse constraints ref and return constraints/constraints ref expressions
+ Object constraintsOrExpression = SecurityConstraintsRefParser.parse(constraintsRef, pageSecurity);
+ if (constraintsOrExpression instanceof List)
+ {
+ if (constraints == null)
+ {
+ constraints = new ArrayList();
+ }
+ constraints.addAll((List)constraintsOrExpression);
+ }
+ else if (constraintsOrExpression instanceof SecurityConstraintsRefExpression)
{
if (constraints == null)
{
- constraints = Collections.synchronizedList(new ArrayList(constraintsRefs.size()));
+ constraints = new ArrayList();
}
- constraints.addAll(securityConstraintsDef.getSecurityConstraints());
+ constraints.add(constraintsOrExpression);
}
- else
+ else if (constraintsOrExpression != null)
{
- log.error("dereferenceSecurityConstraintsRefs(): Unable to dereference \"" + constraintsRef + "\" security constraints definition.");
+ throw new RuntimeException("Unexpected security constraints ref parser result");
}
}
}
else
{
- log.error("dereferenceSecurityConstraintsRefs(): Missing page security, unable to dereference security constraints definitions.");
+ throw new RuntimeException("Page security definitions not available");
}
-
return constraints;
}
}
Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/test/java/org/apache/jetspeed/page/PageManagerTestShared.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/test/java/org/apache/jetspeed/page/PageManagerTestShared.java?rev=1466333&r1=1466332&r2=1466333&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/test/java/org/apache/jetspeed/page/PageManagerTestShared.java (original)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/test/java/org/apache/jetspeed/page/PageManagerTestShared.java Wed Apr 10 05:02:51 2013
@@ -16,34 +16,11 @@
*/
package org.apache.jetspeed.page;
-import java.io.File;
-import java.io.FileFilter;
-import java.security.CodeSource;
-import java.security.Permission;
-import java.security.PermissionCollection;
-import java.security.Permissions;
-import java.security.Policy;
-import java.security.Principal;
-import java.security.PrivilegedAction;
-import java.security.ProtectionDomain;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.StringTokenizer;
-
-import javax.security.auth.Subject;
-
import junit.framework.TestCase;
-
import net.sf.ehcache.CacheManager;
-
import org.apache.jetspeed.JetspeedActions;
import org.apache.jetspeed.cache.file.FileCache;
+import org.apache.jetspeed.cache.impl.EhCacheImpl;
import org.apache.jetspeed.idgenerator.IdGenerator;
import org.apache.jetspeed.idgenerator.JetspeedIdGenerator;
import org.apache.jetspeed.om.common.SecurityConstraint;
@@ -73,11 +50,11 @@ import org.apache.jetspeed.page.document
import org.apache.jetspeed.page.document.psml.DocumentHandlerFactoryImpl;
import org.apache.jetspeed.page.document.psml.FileSystemFolderHandler;
import org.apache.jetspeed.page.psml.CastorXmlPageManager;
+import org.apache.jetspeed.security.Group;
import org.apache.jetspeed.security.JSSubject;
import org.apache.jetspeed.security.JetspeedPermission;
import org.apache.jetspeed.security.JetspeedPrincipal;
import org.apache.jetspeed.security.JetspeedPrincipalType;
-import org.apache.jetspeed.security.Group;
import org.apache.jetspeed.security.PermissionFactory;
import org.apache.jetspeed.security.PrincipalsSet;
import org.apache.jetspeed.security.Role;
@@ -89,7 +66,27 @@ import org.apache.jetspeed.security.spi.
import org.apache.jetspeed.security.spi.impl.FragmentPermission;
import org.apache.jetspeed.security.spi.impl.JetspeedPermissionFactory;
import org.apache.jetspeed.security.spi.impl.PagePermission;
-import org.apache.jetspeed.cache.impl.EhCacheImpl;
+
+import javax.security.auth.Subject;
+import java.io.File;
+import java.io.FileFilter;
+import java.security.CodeSource;
+import java.security.Permission;
+import java.security.PermissionCollection;
+import java.security.Permissions;
+import java.security.Policy;
+import java.security.Principal;
+import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.StringTokenizer;
/**
* PageManagerTestShared
@@ -243,8 +240,8 @@ public interface PageManagerTestShared
/**
* testSecurePageManager
*
- * @param test case
- * @param page manager
+ * @param test test case
+ * @param pageManager page manager
*/
static void testSecurePageManager(final TestCase test, final PageManager pageManager) throws Exception
{
@@ -719,6 +716,449 @@ public interface PageManagerTestShared
throw cleanup;
}
}
+
+ /**
+ * testSecurityConstraintsRefExpressions
+ *
+ * @param test test case
+ * @param pageManager page manager
+ */
+ static void testSecurityConstraintsRefExpressions(final TestCase test, final PageManager pageManager) throws Exception
+ {
+ // reset page manager cache
+ pageManager.reset();
+
+ // setup test subjects
+ Set principals = new PrincipalsSet();
+ principals.add(new TestUser("admin"));
+ Subject adminSubject = new Subject(true, principals, new HashSet(), new HashSet());
+
+ principals = new PrincipalsSet();
+ principals.add(new TestUser("user-with-admin"));
+ principals.add(new TestRole("admin"));
+ Subject userWithAdminSubject = new Subject(true, principals, new HashSet(), new HashSet());
+
+ principals = new PrincipalsSet();
+ principals.add(new TestUser("user"));
+ Subject userSubject = new Subject(true, principals, new HashSet(), new HashSet());
+
+ principals = new PrincipalsSet();
+ principals.add(new TestUser("test-group-user"));
+ principals.add(new TestGroup("test-group"));
+ Subject testGroupUserSubject = new Subject(true, principals, new HashSet(), new HashSet());
+
+ principals = new PrincipalsSet();
+ principals.add(new TestUser("test-role-user"));
+ principals.add(new TestRole("test-role"));
+ Subject testRoleUserSubject = new Subject(true, principals, new HashSet(), new HashSet());
+
+ principals = new PrincipalsSet();
+ principals.add(new TestUser("test-group-role-user"));
+ principals.add(new TestGroup("test-group"));
+ principals.add(new TestRole("test-role"));
+ Subject testGroupRoleUserSubject = new Subject(true, principals, new HashSet(), new HashSet());
+
+ // setup test as admin
+ Exception setup = (Exception) JSSubject.doAsPrivileged(adminSubject, new PrivilegedAction()
+ {
+ public Object run()
+ {
+ try
+ {
+ // reset page manager to initial state
+ try
+ {
+ Folder removeRootFolder = pageManager.getFolder("/");
+ pageManager.removeFolder(removeRootFolder);
+ pageManager.reset();
+ }
+ catch (FolderNotFoundException e)
+ {
+ }
+
+ // create test documents and folders
+ Folder folder = pageManager.newFolder("/");
+ SecurityConstraints constraints = pageManager.newSecurityConstraints();
+ constraints.setOwner("admin");
+ List constraintsRefs = new ArrayList(1);
+ constraintsRefs.add("public-view");
+ constraints.setSecurityConstraintsRefs(constraintsRefs);
+ folder.setSecurityConstraints(constraints);
+ pageManager.updateFolder(folder);
+
+ PageSecurity pageSecurity = pageManager.newPageSecurity();
+ List constraintsDefs = new ArrayList(5);
+ SecurityConstraintsDef constraintsDef = pageManager.newSecurityConstraintsDef();
+ constraintsDef.setName("public-view");
+ List defConstraints = new ArrayList(1);
+ SecurityConstraint defConstraint = pageManager.newPageSecuritySecurityConstraint();
+ defConstraint.setUsers(Shared.makeListFromCSV("*"));
+ defConstraint.setPermissions(Shared.makeListFromCSV("view"));
+ defConstraints.add(defConstraint);
+ constraintsDef.setSecurityConstraints(defConstraints);
+ constraintsDefs.add(constraintsDef);
+ constraintsDef = pageManager.newSecurityConstraintsDef();
+ constraintsDef.setName("test-group");
+ defConstraints = new ArrayList(1);
+ defConstraint = pageManager.newPageSecuritySecurityConstraint();
+ defConstraint.setGroups(Shared.makeListFromCSV("test-group"));
+ defConstraint.setPermissions(Shared.makeListFromCSV("view"));
+ defConstraints.add(defConstraint);
+ constraintsDef.setSecurityConstraints(defConstraints);
+ constraintsDefs.add(constraintsDef);
+ constraintsDef = pageManager.newSecurityConstraintsDef();
+ constraintsDef.setName("test-role");
+ defConstraints = new ArrayList(1);
+ defConstraint = pageManager.newPageSecuritySecurityConstraint();
+ defConstraint.setRoles(Shared.makeListFromCSV("test-role"));
+ defConstraint.setPermissions(Shared.makeListFromCSV("view"));
+ defConstraints.add(defConstraint);
+ constraintsDef.setSecurityConstraints(defConstraints);
+ constraintsDefs.add(constraintsDef);
+ constraintsDef = pageManager.newSecurityConstraintsDef();
+ constraintsDef.setName("admin-role");
+ defConstraints = new ArrayList(1);
+ defConstraint = pageManager.newPageSecuritySecurityConstraint();
+ defConstraint.setRoles(Shared.makeListFromCSV("admin"));
+ defConstraint.setPermissions(Shared.makeListFromCSV("view,edit"));
+ defConstraints.add(defConstraint);
+ constraintsDef.setSecurityConstraints(defConstraints);
+ constraintsDefs.add(constraintsDef);
+ constraintsDef = pageManager.newSecurityConstraintsDef();
+ constraintsDef.setName("admin-user");
+ defConstraints = new ArrayList(1);
+ defConstraint = pageManager.newPageSecuritySecurityConstraint();
+ defConstraint.setUsers(Shared.makeListFromCSV("admin"));
+ defConstraint.setPermissions(Shared.makeListFromCSV("view,edit"));
+ defConstraints.add(defConstraint);
+ constraintsDef.setSecurityConstraints(defConstraints);
+ constraintsDefs.add(constraintsDef);
+ pageSecurity.setSecurityConstraintsDefs(constraintsDefs);
+ List globalConstraintsRefs = new ArrayList(1);
+ globalConstraintsRefs.add("admin-role or admin-user");
+ pageSecurity.setGlobalSecurityConstraintsRefs(globalConstraintsRefs);
+ pageManager.updatePageSecurity(pageSecurity);
+
+ Page page = pageManager.newPage("/default-page.psml");
+ constraints = pageManager.newSecurityConstraints();
+ constraints.setOwner("admin");
+ constraintsRefs = new ArrayList(1);
+ constraintsRefs.add("public-view");
+ constraints.setSecurityConstraintsRefs(constraintsRefs);
+ page.setSecurityConstraints(constraints);
+ pageManager.updatePage(page);
+
+ page = pageManager.newPage("/or-page.psml");
+ constraints = pageManager.newSecurityConstraints();
+ constraints.setOwner("admin");
+ List inlineConstraints = new ArrayList(1);
+ SecurityConstraint constraint = pageManager.newPageSecurityConstraint();
+ constraint.setUsers(Shared.makeListFromCSV("user"));
+ constraint.setPermissions(Shared.makeListFromCSV("view"));
+ inlineConstraints.add(constraint);
+ constraints.setSecurityConstraints(inlineConstraints);
+ constraintsRefs = new ArrayList(1);
+ constraintsRefs.add("test-group || test-role");
+ constraints.setSecurityConstraintsRefs(constraintsRefs);
+ page.setSecurityConstraints(constraints);
+ pageManager.updatePage(page);
+
+ page = pageManager.newPage("/and-page.psml");
+ constraints = pageManager.newSecurityConstraints();
+ constraints.setOwner("admin");
+ constraintsRefs = new ArrayList(1);
+ constraintsRefs.add("test-group and test-role");
+ constraints.setSecurityConstraintsRefs(constraintsRefs);
+ page.setSecurityConstraints(constraints);
+ pageManager.updatePage(page);
+
+ page = pageManager.newPage("/not-page.psml");
+ constraints = pageManager.newSecurityConstraints();
+ constraints.setOwner("admin");
+ constraintsRefs = new ArrayList(1);
+ constraintsRefs.add("not test-role");
+ constraints.setSecurityConstraintsRefs(constraintsRefs);
+ page.setSecurityConstraints(constraints);
+ pageManager.updatePage(page);
+
+ page = pageManager.newPage("/and-not-page.psml");
+ constraints = pageManager.newSecurityConstraints();
+ constraints.setOwner("admin");
+ constraintsRefs = new ArrayList(1);
+ constraintsRefs.add("public-view and not test-group");
+ constraints.setSecurityConstraintsRefs(constraintsRefs);
+ page.setSecurityConstraints(constraints);
+ pageManager.updatePage(page);
+
+ page = pageManager.newPage("/paren-page.psml");
+ constraints = pageManager.newSecurityConstraints();
+ constraints.setOwner("admin");
+ constraintsRefs = new ArrayList(1);
+ constraintsRefs.add("((test-group||test-role)&&!admin-role)");
+ constraints.setSecurityConstraintsRefs(constraintsRefs);
+ page.setSecurityConstraints(constraints);
+ pageManager.updatePage(page);
+
+ return null;
+ }
+ catch (Exception e)
+ {
+ return e;
+ }
+ finally
+ {
+ JSSubject.clearSubject();
+ }
+ }
+ }, null);
+ if (setup != null)
+ {
+ throw setup;
+ }
+
+ // reset page manager
+ pageManager.reset();
+
+ // test as admin
+ Exception adminAccess = (Exception) JSSubject.doAsPrivileged(adminSubject, new PrivilegedAction()
+ {
+ public Object run()
+ {
+ try
+ {
+ assertPageAccessGranted(pageManager, "/default-page.psml");
+ assertPageAccessGranted(pageManager, "/or-page.psml");
+ assertPageAccessGranted(pageManager, "/and-page.psml");
+ assertPageAccessGranted(pageManager, "/not-page.psml");
+ assertPageAccessGranted(pageManager, "/and-not-page.psml");
+ assertPageAccessGranted(pageManager, "/paren-page.psml");
+ return null;
+ }
+ catch (Exception e)
+ {
+ return e;
+ }
+ finally
+ {
+ JSSubject.clearSubject();
+ }
+ }
+ }, null);
+ if (adminAccess != null)
+ {
+ throw adminAccess;
+ }
+
+ // test as user with admin
+ Exception userWithAdminAccess = (Exception) JSSubject.doAsPrivileged(userWithAdminSubject, new PrivilegedAction()
+ {
+ public Object run()
+ {
+ try
+ {
+ assertPageAccessGranted(pageManager, "/default-page.psml");
+ assertPageAccessGranted(pageManager, "/or-page.psml");
+ assertPageAccessGranted(pageManager, "/and-page.psml");
+ assertPageAccessGranted(pageManager, "/not-page.psml");
+ assertPageAccessGranted(pageManager, "/and-not-page.psml");
+ assertPageAccessGranted(pageManager, "/paren-page.psml");
+ return null;
+ }
+ catch (Exception e)
+ {
+ return e;
+ }
+ finally
+ {
+ JSSubject.clearSubject();
+ }
+ }
+ }, null);
+ if (userWithAdminAccess != null)
+ {
+ throw userWithAdminAccess;
+ }
+
+ // test as user
+ Exception userAccess = (Exception) JSSubject.doAsPrivileged(userSubject, new PrivilegedAction()
+ {
+ public Object run()
+ {
+ try
+ {
+ assertPageAccessGranted(pageManager, "/default-page.psml");
+ assertPageAccessGranted(pageManager, "/or-page.psml");
+ assertPageAccessDenied(pageManager, "/and-page.psml");
+ assertPageAccessGranted(pageManager, "/not-page.psml");
+ assertPageAccessGranted(pageManager, "/and-not-page.psml");
+ assertPageAccessDenied(pageManager, "/paren-page.psml");
+ return null;
+ }
+ catch (Exception e)
+ {
+ return e;
+ }
+ finally
+ {
+ JSSubject.clearSubject();
+ }
+ }
+ }, null);
+ if (userAccess != null)
+ {
+ throw userAccess;
+ }
+
+ // test as test group user
+ Exception testGroupUserAccess = (Exception) JSSubject.doAsPrivileged(testGroupUserSubject, new PrivilegedAction()
+ {
+ public Object run()
+ {
+ try
+ {
+ assertPageAccessGranted(pageManager, "/default-page.psml");
+ assertPageAccessGranted(pageManager, "/or-page.psml");
+ assertPageAccessDenied(pageManager, "/and-page.psml");
+ assertPageAccessGranted(pageManager, "/not-page.psml");
+ assertPageAccessDenied(pageManager, "/and-not-page.psml");
+ assertPageAccessGranted(pageManager, "/paren-page.psml");
+ return null;
+ }
+ catch (Exception e)
+ {
+ return e;
+ }
+ finally
+ {
+ JSSubject.clearSubject();
+ }
+ }
+ }, null);
+ if (testGroupUserAccess != null)
+ {
+ throw testGroupUserAccess;
+ }
+
+ // test as test role user
+ Exception testRoleUserAccess = (Exception) JSSubject.doAsPrivileged(testRoleUserSubject, new PrivilegedAction()
+ {
+ public Object run()
+ {
+ try
+ {
+ assertPageAccessGranted(pageManager, "/default-page.psml");
+ assertPageAccessGranted(pageManager, "/or-page.psml");
+ assertPageAccessDenied(pageManager, "/and-page.psml");
+ assertPageAccessDenied(pageManager, "/not-page.psml");
+ assertPageAccessGranted(pageManager, "/and-not-page.psml");
+ assertPageAccessGranted(pageManager, "/paren-page.psml");
+ return null;
+ }
+ catch (Exception e)
+ {
+ return e;
+ }
+ finally
+ {
+ JSSubject.clearSubject();
+ }
+ }
+ }, null);
+ if (testRoleUserAccess != null)
+ {
+ throw testRoleUserAccess;
+ }
+
+ // test as test group role user
+ Exception testGroupRoleUserAccess = (Exception) JSSubject.doAsPrivileged(testGroupRoleUserSubject, new PrivilegedAction()
+ {
+ public Object run()
+ {
+ try
+ {
+ assertPageAccessGranted(pageManager, "/default-page.psml");
+ assertPageAccessGranted(pageManager, "/or-page.psml");
+ assertPageAccessGranted(pageManager, "/and-page.psml");
+ assertPageAccessDenied(pageManager, "/not-page.psml");
+ assertPageAccessDenied(pageManager, "/and-not-page.psml");
+ assertPageAccessGranted(pageManager, "/paren-page.psml");
+ return null;
+ }
+ catch (Exception e)
+ {
+ return e;
+ }
+ finally
+ {
+ JSSubject.clearSubject();
+ }
+ }
+ }, null);
+ if (testGroupRoleUserAccess != null)
+ {
+ throw testGroupRoleUserAccess;
+ }
+
+ // cleanup test as admin user
+ Exception cleanup = (Exception)JSSubject.doAsPrivileged(adminSubject, new PrivilegedAction()
+ {
+ public Object run()
+ {
+ try
+ {
+ // cleanup by removing root folder
+ try
+ {
+ Folder remove = pageManager.getFolder("/");
+ TestCase.assertEquals("/", remove.getPath());
+ pageManager.removeFolder(remove);
+ }
+ catch (FolderNotFoundException e)
+ {
+ TestCase.assertTrue("Folder / NOT FOUND", false);
+ }
+
+ return null;
+ }
+ catch (Exception e)
+ {
+ return e;
+ }
+ finally
+ {
+ JSSubject.clearSubject();
+ }
+ }
+ }, null);
+ if (cleanup != null)
+ {
+ throw cleanup;
+ }
+ }
+
+ static void assertPageAccessGranted(PageManager pageManager, String path) throws Exception
+ {
+ try
+ {
+ pageManager.getPage(path);
+ }
+ catch (SecurityException se)
+ {
+ TestCase.fail("Page "+path+" access denied");
+ }
+ }
+
+ static void assertPageAccessDenied(PageManager pageManager, String path) throws Exception
+ {
+ try
+ {
+ pageManager.getPage(path);
+ TestCase.fail("Page "+path+" access granted");
+ }
+ catch (SecurityException se)
+ {
+ }
+ }
}
/**
Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/test/java/org/apache/jetspeed/page/TestSecureCastorXmlPageManager.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/test/java/org/apache/jetspeed/page/TestSecureCastorXmlPageManager.java?rev=1466333&r1=1466332&r2=1466333&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/test/java/org/apache/jetspeed/page/TestSecureCastorXmlPageManager.java (original)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/test/java/org/apache/jetspeed/page/TestSecureCastorXmlPageManager.java Wed Apr 10 05:02:51 2013
@@ -93,4 +93,13 @@ public class TestSecureCastorXmlPageMana
// utilize standard secure page manager test
Shared.testSecurePageManager(this, pageManager);
}
+
+ public void testSecurityConstraintsRefExpressions() throws Exception
+ {
+ if (pageManager.getConstraintsEnabled())
+ {
+ // utilize standard secure page manager test
+ Shared.testSecurityConstraintsRefExpressions(this, pageManager);
+ }
+ }
}
Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/test/java/org/apache/jetspeed/page/TestSecureDatabasePageManager.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/test/java/org/apache/jetspeed/page/TestSecureDatabasePageManager.java?rev=1466333&r1=1466332&r2=1466333&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/test/java/org/apache/jetspeed/page/TestSecureDatabasePageManager.java (original)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-page-manager/src/test/java/org/apache/jetspeed/page/TestSecureDatabasePageManager.java Wed Apr 10 05:02:51 2013
@@ -49,6 +49,17 @@ public class TestSecureDatabasePageManag
public void testSecurePageManager() throws Exception
{
// utilize standard secure page manager test
- Shared.testSecurePageManager(this, (PageManager)scm.getComponent("pageManager"));
+ PageManager pageManager = (PageManager)scm.getComponent("pageManager");
+ Shared.testSecurePageManager(this, pageManager);
+ }
+
+ public void testSecurityConstraintsRefExpressions() throws Exception
+ {
+ PageManager pageManager = (PageManager)scm.getComponent("pageManager");
+ if (pageManager.getConstraintsEnabled())
+ {
+ // utilize standard secure page manager test
+ Shared.testSecurityConstraintsRefExpressions(this, pageManager);
+ }
}
}
---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org