You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jetspeed-dev@portals.apache.org by rw...@apache.org on 2005/11/18 04:38:04 UTC
svn commit: r345432 - in /portals/jetspeed-2/trunk/components/page-manager:
./ src/java/org/apache/jetspeed/om/page/impl/
src/java/org/apache/jetspeed/page/impl/ src/test/
src/test/org/apache/jetspeed/page/
Author: rwatler
Date: Thu Nov 17 19:37:59 2005
New Revision: 345432
URL: http://svn.apache.org/viewcvs?rev=345432&view=rev
Log:
complete permissions implementation and implement secure permissions test case
Added:
portals/jetspeed-2/trunk/components/page-manager/src/test/org/apache/jetspeed/page/TestSecurePermissionsDatabasePageManager.java
portals/jetspeed-2/trunk/components/page-manager/src/test/secure-permissions-database-page-manager.xml
Modified:
portals/jetspeed-2/trunk/components/page-manager/maven.xml
portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/om/page/impl/BaseElementImpl.java
portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/om/page/impl/FragmentImpl.java
portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/page/impl/DatabasePageManager.java
portals/jetspeed-2/trunk/components/page-manager/src/test/org/apache/jetspeed/page/TestSecureDatabasePageManager.java
portals/jetspeed-2/trunk/components/page-manager/src/test/secure-database-page-manager.xml
Modified: portals/jetspeed-2/trunk/components/page-manager/maven.xml
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/page-manager/maven.xml?rev=345432&r1=345431&r2=345432&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/components/page-manager/maven.xml (original)
+++ portals/jetspeed-2/trunk/components/page-manager/maven.xml Thu Nov 17 19:37:59 2005
@@ -16,9 +16,10 @@
-->
<project default="java:jar" xmlns:j="jelly:core" xmlns:define="jelly:define">
- <property name='testcase' value='org.apache.jetspeed.page.TestSecureDatabasePageManager' />
+<!-- <property name='testcase' value='org.apache.jetspeed.page.TestSecurePermissionsDatabasePageManager' /> -->
+<!-- <property name='testcase' value='org.apache.jetspeed.page.TestSecureDatabasePageManager' /> -->
<!-- <property name='testcase' value='org.apache.jetspeed.page.TestDatabasePageManager' /> -->
-<!-- <property name='testcase' value='org.apache.jetspeed.page.TestCastorXmlPageManager' /> -->
+ <property name='testcase' value='org.apache.jetspeed.page.TestCastorXmlPageManager' />
<preGoal name="test:test">
Modified: portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/om/page/impl/BaseElementImpl.java
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/om/page/impl/BaseElementImpl.java?rev=345432&r1=345431&r2=345432&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/om/page/impl/BaseElementImpl.java (original)
+++ portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/om/page/impl/BaseElementImpl.java Thu Nov 17 19:37:59 2005
@@ -375,7 +375,7 @@
public void checkPermissions(String actions) throws SecurityException
{
// skip checks if not enabled
- if (getPermissionsEnabled())
+ if (!getPermissionsEnabled())
{
return;
}
Modified: portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/om/page/impl/FragmentImpl.java
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/om/page/impl/FragmentImpl.java?rev=345432&r1=345431&r2=345432&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/om/page/impl/FragmentImpl.java (original)
+++ portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/om/page/impl/FragmentImpl.java Thu Nov 17 19:37:59 2005
@@ -15,6 +15,7 @@
*/
package org.apache.jetspeed.om.page.impl;
+import java.security.AccessController;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
@@ -25,6 +26,7 @@
import org.apache.jetspeed.om.folder.Folder;
import org.apache.jetspeed.om.page.Fragment;
import org.apache.jetspeed.om.page.PageSecurity;
+import org.apache.jetspeed.security.FragmentPermission;
import org.apache.ojb.broker.PersistenceBroker;
import org.apache.ojb.broker.PersistenceBrokerException;
@@ -226,6 +228,16 @@
}
/* (non-Javadoc)
+ * @see org.apache.jetspeed.om.page.impl.BaseElementImpl#checkPermissions(java.lang.String, java.lang.String, boolean, boolean)
+ */
+ public void checkPermissions(String path, String actions, boolean checkNodeOnly, boolean checkParentsOnly) throws SecurityException
+ {
+ // always check for granted fragment permissions
+ FragmentPermission permission = new FragmentPermission(path, actions);
+ AccessController.checkPermission(permission);
+ }
+
+ /* (non-Javadoc)
* @see org.apache.jetspeed.om.common.SecuredResource#getConstraintsEnabled()
*/
public boolean getConstraintsEnabled()
@@ -249,20 +261,6 @@
return false;
}
- /* (non-Javadoc)
- * @see org.apache.jetspeed.om.common.SecuredResource#checkAccess(java.lang.String)
- */
- public void checkAccess(String actions) throws SecurityException
- {
- // check access permissions and constraints only
- // for view access: all other permissions granted
- // implicitly via access to page
- if ((actions != null) && (actions.indexOf(SecuredResource.VIEW_ACTION) != -1))
- {
- super.checkAccess(SecuredResource.VIEW_ACTION);
- }
- }
-
/* (non-Javadoc)
* @see org.apache.jetspeed.om.page.Fragment#getType()
*/
Modified: portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/page/impl/DatabasePageManager.java
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/page/impl/DatabasePageManager.java?rev=345432&r1=345431&r2=345432&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/page/impl/DatabasePageManager.java (original)
+++ portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/page/impl/DatabasePageManager.java Thu Nov 17 19:37:59 2005
@@ -648,16 +648,22 @@
}
else
{
+ // determine if folder is new by checking autoincrement id
+ boolean newFolder = folder.getId().equals("0");
+
// check for edit access on folder and parent folder
- folder.checkAccess(SecuredResource.EDIT_ACTION);
+ // if not being initially created; access is not
+ // checked on create
+ if (!newFolder || !folder.getPath().equals(Folder.PATH_SEPARATOR))
+ {
+ folder.checkAccess(SecuredResource.EDIT_ACTION);
+ }
// create root folder or update folder
- boolean newFolder = folder.getId().equals("0");
getPersistenceBrokerTemplate().store(folder);
- newFolder = (newFolder && !folder.getId().equals("0"));
// notify page manager listeners
- if (newFolder)
+ if (newFolder && !folder.getId().equals("0"))
{
delegator.notifyNewNode(folder);
}
Modified: portals/jetspeed-2/trunk/components/page-manager/src/test/org/apache/jetspeed/page/TestSecureDatabasePageManager.java
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/page-manager/src/test/org/apache/jetspeed/page/TestSecureDatabasePageManager.java?rev=345432&r1=345431&r2=345432&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/components/page-manager/src/test/org/apache/jetspeed/page/TestSecureDatabasePageManager.java (original)
+++ portals/jetspeed-2/trunk/components/page-manager/src/test/org/apache/jetspeed/page/TestSecureDatabasePageManager.java Thu Nov 17 19:37:59 2005
@@ -20,7 +20,6 @@
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
-import java.util.Locale;
import java.util.Set;
import javax.security.auth.Subject;
@@ -43,17 +42,17 @@
import junit.framework.TestSuite;
/**
- * TestPageXmlPersistence
+ * TestSecureDatabasePageManager
*
- * @author <a href="taylor@apache.org">David Sean Taylor</a>
+ * @author <a href="rwatler@apache.org">Randy Watler</a>
* @version $Id: $
*
*/
public class TestSecureDatabasePageManager extends DatasourceEnabledSpringTestCase
{
- private PageManager pageManager;
+ protected PageManager pageManager;
- private String somePortletId;
+ protected String somePortletId;
public static void main(String args[])
{
@@ -64,7 +63,7 @@
protected void setUp() throws Exception
{
super.setUp();
- pageManager = (PageManager)ctx.getBean("securePageManager");
+ pageManager = (PageManager)ctx.getBean("pageManager");
}
public static Test suite()
@@ -110,7 +109,7 @@
Subject guestSubject = new Subject(true, principals, new HashSet(), new HashSet());
// setup test as admin user
- Exception setup = (Exception)Subject.doAs(adminSubject, new PrivilegedAction()
+ Exception setup = (Exception)Subject.doAsPrivileged(adminSubject, new PrivilegedAction()
{
public Object run()
{
@@ -202,14 +201,14 @@
return e;
}
}
- });
+ }, null);
if (setup != null)
{
throw setup;
}
// access test as admin user
- Exception adminAccess = (Exception)Subject.doAs(adminSubject, new PrivilegedAction()
+ Exception adminAccess = (Exception)Subject.doAsPrivileged(adminSubject, new PrivilegedAction()
{
public Object run()
{
@@ -241,14 +240,14 @@
return e;
}
}
- });
+ }, null);
if (adminAccess != null)
{
throw adminAccess;
}
// access test as user user
- Exception userAccess = (Exception)Subject.doAs(userSubject, new PrivilegedAction()
+ Exception userAccess = (Exception)Subject.doAsPrivileged(userSubject, new PrivilegedAction()
{
public Object run()
{
@@ -301,14 +300,14 @@
return e;
}
}
- });
+ }, null);
if (userAccess != null)
{
throw userAccess;
}
// access test as manager user
- Exception managerAccess = (Exception)Subject.doAs(managerSubject, new PrivilegedAction()
+ Exception managerAccess = (Exception)Subject.doAsPrivileged(managerSubject, new PrivilegedAction()
{
public Object run()
{
@@ -359,14 +358,14 @@
return e;
}
}
- });
+ }, null);
if (managerAccess != null)
{
throw managerAccess;
}
// access test as guest user
- Exception guestAccess = (Exception)Subject.doAs(guestSubject, new PrivilegedAction()
+ Exception guestAccess = (Exception)Subject.doAsPrivileged(guestSubject, new PrivilegedAction()
{
public Object run()
{
@@ -424,14 +423,14 @@
return e;
}
}
- });
+ }, null);
if (guestAccess != null)
{
throw guestAccess;
}
// cleanup test as admin user
- Exception cleanup = (Exception)Subject.doAs(adminSubject, new PrivilegedAction()
+ Exception cleanup = (Exception)Subject.doAsPrivileged(adminSubject, new PrivilegedAction()
{
public Object run()
{
@@ -456,7 +455,7 @@
return e;
}
}
- });
+ }, null);
if (cleanup != null)
{
throw cleanup;
Added: portals/jetspeed-2/trunk/components/page-manager/src/test/org/apache/jetspeed/page/TestSecurePermissionsDatabasePageManager.java
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/page-manager/src/test/org/apache/jetspeed/page/TestSecurePermissionsDatabasePageManager.java?rev=345432&view=auto
==============================================================================
--- portals/jetspeed-2/trunk/components/page-manager/src/test/org/apache/jetspeed/page/TestSecurePermissionsDatabasePageManager.java (added)
+++ portals/jetspeed-2/trunk/components/page-manager/src/test/org/apache/jetspeed/page/TestSecurePermissionsDatabasePageManager.java Thu Nov 17 19:37:59 2005
@@ -0,0 +1,188 @@
+/*
+ * Copyright 2000-2004 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jetspeed.page;
+
+import java.security.AllPermission;
+import java.security.CodeSource;
+import java.security.Permission;
+import java.security.PermissionCollection;
+import java.security.Permissions;
+import java.security.Policy;
+import java.security.Principal;
+import java.security.ProtectionDomain;
+
+import org.apache.jetspeed.security.FolderPermission;
+import org.apache.jetspeed.security.FragmentPermission;
+import org.apache.jetspeed.security.GroupPrincipal;
+import org.apache.jetspeed.security.PagePermission;
+import org.apache.jetspeed.security.RolePrincipal;
+import org.apache.jetspeed.security.UserPrincipal;
+
+import junit.framework.Test;
+import junit.framework.TestSuite;
+
+/**
+ * TestSecurePermissionsDatabasePersistence
+ *
+ * @author <a href="rwatler@apache.org">Randy Watler</a>
+ * @version $Id: $
+ *
+ */
+public class TestSecurePermissionsDatabasePageManager extends TestSecureDatabasePageManager
+{
+ public static class PageManagerPermissionsPolicy extends Policy
+ {
+ private Policy defaultPolicy;
+
+ public PageManagerPermissionsPolicy(Policy defaultPolicy)
+ {
+ this.defaultPolicy = defaultPolicy;
+ }
+
+ public boolean implies(ProtectionDomain domain, Permission permission)
+ {
+ // classify policy query for local test case; this implementation
+ // is not optimized: multiple protection domains exist on the
+ // call stack, so this method will be invoked 2-3 times for each
+ // access check with the identical principals and permission
+ Principal[] principals = domain.getPrincipals();
+ if ((principals != null) && (principals.length > 0) &&
+ ((permission instanceof FolderPermission) ||
+ (permission instanceof PagePermission) ||
+ (permission instanceof FragmentPermission)))
+ {
+ // check permission using principals if available
+ Permissions permissions = new Permissions();
+ for (int i = 0; (i < principals.length); i++)
+ {
+ if (principals[i] instanceof UserPrincipal)
+ {
+ // get permissions for users
+ String user = principals[i].getName();
+ if (user.equals("admin"))
+ {
+ // owner permissions
+ permissions.add(new FolderPermission("/", "view, edit"));
+ permissions.add(new PagePermission("/default-page.psml", "view, edit"));
+ }
+ else if (user.equals("user"))
+ {
+ // owner permissions
+ permissions.add(new FragmentPermission("/default-page.psml/some-app::SomePortlet", "view, edit"));
+
+ // granted permissions
+ permissions.add(new PagePermission("/user-page.psml", "view, edit"));
+ permissions.add(new FragmentPermission("/user-page.psml/*", "view"));
+ }
+
+ // public view permissions
+ permissions.add(new FolderPermission("/", "view"));
+ permissions.add(new PagePermission("/default-page.psml", "view"));
+ permissions.add(new PagePermission("/page.security", "view"));
+ permissions.add(new FragmentPermission("security::*", "view"));
+ }
+ else if (principals[i] instanceof RolePrincipal)
+ {
+ // get permissions for roles
+ String role = principals[i].getName();
+ if (role.equals("admin"))
+ {
+ // global permissions
+ permissions.add(new FolderPermission("<<ALL FILES>>", "view, edit"));
+ permissions.add(new FragmentPermission("<<ALL FRAGMENTS>>", "view, edit"));
+ }
+ else if (role.equals("manager"))
+ {
+ // granted permissions
+ permissions.add(new PagePermission("/default-page.psml", "edit"));
+ }
+ }
+ }
+
+ // check permission
+ if (permissions.implies(permission))
+ {
+ return true;
+ }
+ }
+
+ // check default permissions
+ if (defaultPolicy != null)
+ {
+ return defaultPolicy.implies(domain, permission);
+ }
+ return false;
+ }
+
+ public PermissionCollection getPermissions(ProtectionDomain domain)
+ {
+ // return default permissions only since
+ // domain and permsission not available
+ if (defaultPolicy != null)
+ {
+ return defaultPolicy.getPermissions(domain);
+ }
+ return new Permissions();
+ }
+
+ public PermissionCollection getPermissions(CodeSource codesource)
+ {
+ // return default permissions only since
+ // domain and permsission not available
+ if (defaultPolicy != null)
+ {
+ return defaultPolicy.getPermissions(codesource);
+ }
+ return new Permissions();
+ }
+
+ public void refresh()
+ {
+ // propagate refresh
+ if (defaultPolicy != null)
+ {
+ defaultPolicy.refresh();
+ }
+ }
+ }
+
+ public static void main(String args[])
+ {
+ junit.awtui.TestRunner.main(new String[]
+ { TestSecurePermissionsDatabasePageManager.class.getName() });
+ }
+
+ protected void setUp() throws Exception
+ {
+ super.setUp();
+
+ // configure custom policy for test
+ Policy.setPolicy(new PageManagerPermissionsPolicy(Policy.getPolicy()));
+ Policy.getPolicy().refresh();
+ }
+
+ public static Test suite()
+ {
+ // All methods starting with "test" will be executed in the test suite.
+ return new TestSuite(TestSecurePermissionsDatabasePageManager.class);
+ }
+
+ protected String[] getConfigurations()
+ {
+ return new String[]
+ { "secure-permissions-database-page-manager.xml", "transaction.xml" };
+ }
+}
Modified: portals/jetspeed-2/trunk/components/page-manager/src/test/secure-database-page-manager.xml
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/page-manager/src/test/secure-database-page-manager.xml?rev=345432&r1=345431&r2=345432&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/components/page-manager/src/test/secure-database-page-manager.xml (original)
+++ portals/jetspeed-2/trunk/components/page-manager/src/test/secure-database-page-manager.xml Thu Nov 17 19:37:59 2005
@@ -35,7 +35,7 @@
</bean>
<!-- Transaction Proxying -->
- <bean id="org.apache.jetspeed.page.PageManager" name="securePageManager" parent="baseTransactionProxy">
+ <bean id="org.apache.jetspeed.page.PageManager" name="pageManager" parent="baseTransactionProxy">
<property name="proxyInterfaces">
<value>org.apache.jetspeed.page.PageManager</value>
</property>
Added: portals/jetspeed-2/trunk/components/page-manager/src/test/secure-permissions-database-page-manager.xml
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/page-manager/src/test/secure-permissions-database-page-manager.xml?rev=345432&view=auto
==============================================================================
--- portals/jetspeed-2/trunk/components/page-manager/src/test/secure-permissions-database-page-manager.xml (added)
+++ portals/jetspeed-2/trunk/components/page-manager/src/test/secure-permissions-database-page-manager.xml Thu Nov 17 19:37:59 2005
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
+<!--
+Copyright 2004 The Apache Software Foundation
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<beans>
+
+ <!-- Page Manager -->
+ <bean id="org.apache.jetspeed.page.PageManagerImpl"
+ name="securePermissionsPageManagerImpl"
+ init-method="init"
+ class="org.apache.jetspeed.page.impl.DatabasePageManager">
+ <!-- OJB configuration file resource path -->
+ <constructor-arg index="0"><value>JETSPEED-INF/ojb/page-manager-repository.xml</value></constructor-arg>
+ <!-- folder/page/link cache size, default=128, min=128 -->
+ <constructor-arg index="1"><value>128</value></constructor-arg>
+ <!-- folder/page/link cache expires seconds, default=150, infinite=0, min=30 -->
+ <constructor-arg index="2"><value>0</value></constructor-arg>
+ <!-- permissions security enabled flag, default=false -->
+ <constructor-arg index="3"><value>true</value></constructor-arg>
+ <!-- constraints security enabled flag, default=true -->
+ <constructor-arg index="4"><value>false</value></constructor-arg>
+ </bean>
+
+ <!-- Transaction Proxying -->
+ <bean id="org.apache.jetspeed.page.PageManager" name="pageManager" parent="baseTransactionProxy">
+ <property name="proxyInterfaces">
+ <value>org.apache.jetspeed.page.PageManager</value>
+ </property>
+ <property name="target">
+ <ref bean="securePermissionsPageManagerImpl" />
+ </property>
+ <property name="transactionAttributes">
+ <props>
+ <prop key="*">PROPAGATION_SUPPORTS</prop>
+ <prop key="get*">PROPAGATION_REQUIRED,-org.apache.jetspeed.page.document.NodeException</prop>
+ <prop key="update*">PROPAGATION_REQUIRED,-org.apache.jetspeed.page.document.NodeException</prop>
+ <prop key="remove*">PROPAGATION_REQUIRED,-org.apache.jetspeed.page.document.NodeException</prop>
+ </props>
+ </property>
+ </bean>
+
+
+</beans>
---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org