Posted to commits@jena.apache.org by cl...@apache.org on 2013/08/01 23:47:47 UTC

svn commit: r1509440 [2/8] - in /jena/Experimental/jena-security: ./ src/ src/example/ src/example/org/ src/example/org/apache/ src/example/org/apache/jena/ src/example/org/apache/jena/security/ src/example/org/apache/jena/security/example/ src/main/ s...

Added: jena/Experimental/jena-security/src/main/java/org/apache/jena/security/impl/CachedSecurityEvaluator.java
URL: http://svn.apache.org/viewvc/jena/Experimental/jena-security/src/main/java/org/apache/jena/security/impl/CachedSecurityEvaluator.java?rev=1509440&view=auto
==============================================================================
--- jena/Experimental/jena-security/src/main/java/org/apache/jena/security/impl/CachedSecurityEvaluator.java (added)
+++ jena/Experimental/jena-security/src/main/java/org/apache/jena/security/impl/CachedSecurityEvaluator.java Thu Aug  1 21:47:45 2013
@@ -0,0 +1,108 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jena.security.impl;
+
+import java.lang.reflect.InvocationHandler;
+import java.lang.reflect.Method;
+import java.lang.reflect.Proxy;
+import java.security.Principal;
+import java.util.LinkedHashSet;
+import java.util.Set;
+
+import org.apache.commons.lang.ClassUtils;
+import org.apache.jena.security.SecurityEvaluator;
+
+/**
+ * A SecurityEvaluator that can be cached for later use.
+ */
+public class CachedSecurityEvaluator implements InvocationHandler
+{
+	private final SecurityEvaluator wrapped;
+	private final Principal origPrincipal;
+
+	// The getPrincipal() method.
+	private static Method GET_PRINCIPAL;
+
+	static
+	{
+		try
+		{
+			CachedSecurityEvaluator.GET_PRINCIPAL = SecurityEvaluator.class
+					.getMethod("getPrincipal");
+		}
+		catch (final SecurityException e)
+		{
+			throw new RuntimeException(e);
+		}
+		catch (final NoSuchMethodException e)
+		{
+			throw new RuntimeException(e);
+		}
+	}
+
+	/**
+	 * Create an instance.
+	 * @param evaluator The security evaluator we are caching.
+	 * @param runAs The principal that we want to use when checking the permissions.
+	 * @return The proxied SecurityEvaluator.
+	 */
+	public static SecurityEvaluator getInstance(
+			final SecurityEvaluator evaluator, final Principal runAs )
+	{
+		final Set<Class<?>> ifac = new LinkedHashSet<Class<?>>();
+		if (evaluator.getClass().isInterface())
+		{
+			ifac.add(evaluator.getClass());
+		}
+		ifac.addAll(ClassUtils.getAllInterfaces(evaluator.getClass()));
+
+		return (SecurityEvaluator) Proxy.newProxyInstance(
+				SecuredItemImpl.class.getClassLoader(),
+				ifac.toArray(new Class<?>[ifac.size()]),
+				new CachedSecurityEvaluator(evaluator, runAs));
+	}
+
+	/**
+	 * 
+	 * @param wrapped
+	 * @param runAs
+	 */
+	private CachedSecurityEvaluator( final SecurityEvaluator wrapped,
+			final Principal runAs )
+	{
+		origPrincipal = runAs;
+		this.wrapped = wrapped;
+	}
+
+	@Override
+	public Object invoke( final Object proxy, final Method method,
+			final Object[] args ) throws Throwable
+	{
+		// check for the special case methods
+		if (CachedSecurityEvaluator.GET_PRINCIPAL.equals(method))
+		{
+			return origPrincipal;
+		}
+
+		// if we get here then the method is not being proxied so call the
+		// original method
+		// on the base item.
+		return method.invoke(wrapped, args);
+
+	}
+}
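Review bot: In `invoke`, the forwarding call `method.invoke(wrapped, args)` lets `InvocationTargetException` escape, so an exception thrown by the wrapped evaluator reaches the caller wrapped (as `UndeclaredThrowableException` when the interface method does not declare it) instead of as its own type, and callers that catch the evaluator's exceptions will not match it. Unwrap it with `try { return method.invoke(wrapped, args); } catch (final InvocationTargetException e) { throw e.getCause(); }`, adding `java.lang.reflect.InvocationTargetException` to the imports. Separately, only `getPrincipal()` is answered from `origPrincipal` and every other call runs on `wrapped`, so if the wrapped evaluator resolves the current principal internally rather than through this proxy, decisions could be made for a different principal than the one reported; the class Javadoc should state which behaviour is intended. The `evaluator.getClass().isInterface()` branch in `getInstance` can never be taken, because the runtime class of an instance is never an interface.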

Propchange: jena/Experimental/jena-security/src/main/java/org/apache/jena/security/impl/CachedSecurityEvaluator.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Added: jena/Experimental/jena-security/src/main/java/org/apache/jena/security/impl/ItemHolder.java
URL: http://svn.apache.org/viewvc/jena/Experimental/jena-security/src/main/java/org/apache/jena/security/impl/ItemHolder.java?rev=1509440&view=auto
==============================================================================
--- jena/Experimental/jena-security/src/main/java/org/apache/jena/security/impl/ItemHolder.java (added)
+++ jena/Experimental/jena-security/src/main/java/org/apache/jena/security/impl/ItemHolder.java Thu Aug  1 21:47:45 2013
@@ -0,0 +1,117 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jena.security.impl;
+
+import java.lang.reflect.Proxy;
+import java.util.LinkedHashSet;
+import java.util.Set;
+
+import org.apache.commons.lang.ClassUtils;
+
+/**
+ * A class that holds the original item and the secured version of it.
+ * 
+ * This class is used by the Invoker to return secured versions of the object
+ * during
+ * calls that return the called class for cascading.
+ * 
+ * @param <Base>
+ *            The base class that is being secured
+ * @param <Secured>
+ *            The implementation (proxy) of the secured class.
+ */
+public class ItemHolder<Base, Secured extends SecuredItem>
+{
+	/**
+	 * The base item that is being secured
+	 */
+	private final Base baseItem;
+	/**
+	 * The proxy to the base class that implements the security.
+	 */
+	private Secured securedItem;
+
+	/**
+	 * Constructor.
+	 * 
+	 * @param baseItem
+	 *            The base item.
+	 */
+	public ItemHolder( final Base baseItem )
+	{
+		super();
+		this.baseItem = baseItem;
+	}
+
+	/**
+	 * Get the base item.
+	 * 
+	 * This method is used in the proxy to get call to the underlying instance.
+	 * 
+	 * @return The instance that is being protected.
+	 */
+	public Base getBaseItem()
+	{
+		return baseItem;
+	}
+
+	/**
+	 * Get the secured item.
+	 * 
+	 * This method is used in the invocation handler to get the instance of the
+	 * proxy that made the
+	 * on which a method call was made. Generally used in returing the original
+	 * object to support
+	 * cascading.
+	 * 
+	 * @return the proxy.
+	 */
+	public Secured getSecuredItem()
+	{
+		return securedItem;
+	}
+
+	/**
+	 * Creates the proxy, saves it as the securedItem and returns it.
+	 * 
+	 * @param handler
+	 *            The SecuredItemInvoker to create the proxy with.
+	 * @return The proxy.
+	 */
+	@SuppressWarnings( "unchecked" )
+	public final Secured setSecuredItem( final SecuredItemInvoker handler )
+	{
+		final Set<Class<?>> ifac = new LinkedHashSet<Class<?>>();
+		if (baseItem.getClass().isInterface())
+		{
+			ifac.add(baseItem.getClass());
+		}
+		ifac.addAll(ClassUtils.getAllInterfaces(baseItem.getClass()));
+		if (handler.securedItem.getClass().isInterface())
+		{
+			ifac.add(handler.securedItem.getClass());
+		}
+		ifac.addAll(ClassUtils.getAllInterfaces(handler.securedItem.getClass()));
+
+		securedItem = (Secured) Proxy.newProxyInstance(
+				SecuredItemImpl.class.getClassLoader(),
+				ifac.toArray(new Class<?>[ifac.size()]), handler);
+		return securedItem;
+	}
+
+}
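Review bot: `setSecuredItem` builds the proxy from every interface of `baseItem`'s runtime class (`ClassUtils.getAllInterfaces(baseItem.getClass())`), not only the ones the secured implementation covers, so the protection depends on `SecuredItemInvoker` checking or refusing every method it does not explicitly secure. The invoker is outside this hunk, so this is something to confirm rather than a confirmed gap; the method Javadoc should state the requirement, for example `The handler must apply a permission check to, or refuse, any method it does not recognise.` Both `getClass().isInterface()` guards are dead code, because an instance's runtime class is never an interface. `Proxy.newProxyInstance` also throws `IllegalArgumentException` when a collected interface is not visible from `SecuredItemImpl`'s class loader or when non-public interfaces from different packages are mixed, which this method neither filters nor documents.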

Propchange: jena/Experimental/jena-security/src/main/java/org/apache/jena/security/impl/ItemHolder.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Added: jena/Experimental/jena-security/src/main/java/org/apache/jena/security/impl/SecuredItem.java
URL: http://svn.apache.org/viewvc/jena/Experimental/jena-security/src/main/java/org/apache/jena/security/impl/SecuredItem.java?rev=1509440&view=auto
==============================================================================
--- jena/Experimental/jena-security/src/main/java/org/apache/jena/security/impl/SecuredItem.java (added)
+++ jena/Experimental/jena-security/src/main/java/org/apache/jena/security/impl/SecuredItem.java Thu Aug  1 21:47:45 2013
@@ -0,0 +1,185 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jena.security.impl;
+
+import org.apache.jena.security.SecurityEvaluator;
+import org.apache.jena.security.SecurityEvaluator.SecNode;
+import org.apache.jena.security.SecurityEvaluator.SecTriple;
+
+/**
+ * The secured item interface is mixed into instances of secured objects by the
+ * proxy. It provides the security context for the security checks as well as
+ * several useful shorthand methods for common checks.
+ */
+public interface SecuredItem
+{
+
+	/**
+	 * Utilities for SecuredItem implementations.
+	 */
+	public static class Util
+	{
+		/**
+		 * Secured items are equivalent if their security evaluators and
+		 * modelIRIs are equal.
+		 * 
+		 * @param si1
+		 *            A secured item to check
+		 * @param si2
+		 *            A second secured item to check
+		 * @return true if si1 is equivalent to si2.
+		 */
+		public static boolean isEquivalent( final SecuredItem si1,
+				final SecuredItem si2 )
+		{
+			return si1.getSecurityEvaluator()
+					.equals(si2.getSecurityEvaluator())
+					&& si1.getModelIRI().equals(si2.getModelIRI());
+		}
+	}
+
+	/**
+	 * @return true if the securedModel allows items to to be created.
+	 */
+	public boolean canCreate();
+
+	/**
+	 * Return true if the triple can be created.
+	 * If any s,p or o is SecNode.ANY then this method must return false if
+	 * there
+	 * are
+	 * any restrictions where the remaining nodes and held constant and the ANY
+	 * node
+	 * is allowed to vary.
+	 * 
+	 * See canRead(SecTriple t)
+	 * 
+	 * @param t
+	 *            The triple to check
+	 * @return true if the triple can be created.
+	 */
+	public boolean canCreate( SecTriple t );
+
+	/**
+	 * @return true if the securedModel allows items to to be deleted.
+	 */
+	public boolean canDelete();
+
+	/**
+	 * Return true if the triple can be deleted.
+	 * If any s,p or o is SecNode.ANY then this method must return false if
+	 * there
+	 * are
+	 * any restrictions where the remaining nodes and held constant and the ANY
+	 * node
+	 * is allowed to vary.
+	 * 
+	 * See canRead(SecTriple t)
+	 * 
+	 * @param t
+	 *            The triple to check
+	 * @return true if the triple can be deleted.
+	 */
+	public boolean canDelete( SecTriple t );
+
+	/**
+	 * @return true if the securedModel allows items to to be read.
+	 */
+	public boolean canRead();
+
+	/**
+	 * Return true if the triple can be read.
+	 * If any s,p or o is SecNode.ANY then this method must return false if
+	 * there
+	 * are
+	 * any restrictions where the remaining nodes and held constant and the ANY
+	 * node
+	 * is allowed to vary.
+	 * 
+	 * (S, P, O) check if S,P,O can be read.
+	 * (S, P, ANY) check if there are any S,P,x restrictions.
+	 * (S, ANY, P) check if there are any S,x,P restrictions.
+	 * (ANY, ANY, ANY) check if there are any restricitons on reading.
+	 * 
+	 * @param t
+	 *            The triple to check
+	 * @return true if the triple can be read.
+	 */
+	public boolean canRead( SecTriple t );
+
+	/**
+	 * @return true if the securedModel allows items to to be updated.
+	 */
+	public boolean canUpdate();
+
+	/**
+	 * Return true if the triple can be updated.
+	 * If any s,p or o is SecNode.ANY then this method must return false if
+	 * there
+	 * are
+	 * any restrictions where the remaining nodes and held constant and the ANY
+	 * node
+	 * is allowed to vary.
+	 * 
+	 * See canRead(SecTriple t)
+	 * 
+	 * @param from
+	 *            The triple that will be changed
+	 * @param to
+	 *            The resulting triple.
+	 * @return true if the from triple can be updated as the to triple.
+	 */
+	public boolean canUpdate( SecTriple from, SecTriple to );
+
+	@Override
+	public boolean equals( Object o );
+
+	/**
+	 * @return the base item that is being secured.
+	 */
+	public Object getBaseItem();
+
+	/**
+	 * @return The IRI of the securedModel that the item belongs to.
+	 */
+	public String getModelIRI();
+
+	/**
+	 * @return The node represnetation of the securedModel IRI.
+	 */
+	public SecNode getModelNode();
+
+	/**
+	 * The SecurityEvaluator implementation that is being used to determine
+	 * access.
+	 * 
+	 * @return The SecurityEvaluator implementation.
+	 */
+	public SecurityEvaluator getSecurityEvaluator();
+
+	/**
+	 * Return true if this secured item is equivalent to another secured item.
+	 * Generally implemented by calling SecuredItem.Util.isEquivalent
+	 * 
+	 * @param securedItem
+	 *            the other secured item.
+	 * @return True if they are equivalent, false otherwise.
+	 */
+	public boolean isEquivalent( SecuredItem securedItem );
+
+}
\ No newline at end of file
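Review bot: `getBaseItem()` is declared on the interface that the class Javadoc says is mixed into every secured proxy, so anyone holding a secured object can ask for the object underneath it, and the Javadoc does not say whether that object is unprotected or who is expected to call it. If it returns the raw instance, say so, e.g. `@return the unsecured base item; calls made on it are not permission-checked, so it must not be passed to untrusted code.` In the `canRead(SecTriple)` Javadoc the pattern `(S, ANY, P)` looks like a typo for `(S, ANY, O)`; since this text defines the wildcard contract that implementers follow, it is worth correcting along with `restricitons`. `Util.isEquivalent` dereferences `getSecurityEvaluator()` and `getModelIRI()` without null checks, and nothing in this file states that they are non-null.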

Propchange: jena/Experimental/jena-security/src/main/java/org/apache/jena/security/impl/SecuredItem.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Added: jena/Experimental/jena-security/src/main/java/org/apache/jena/security/impl/SecuredItemImpl.java
URL: http://svn.apache.org/viewvc/jena/Experimental/jena-security/src/main/java/org/apache/jena/security/impl/SecuredItemImpl.java?rev=1509440&view=auto
==============================================================================
--- jena/Experimental/jena-security/src/main/java/org/apache/jena/security/impl/SecuredItemImpl.java (added)
+++ jena/Experimental/jena-security/src/main/java/org/apache/jena/security/impl/SecuredItemImpl.java Thu Aug  1 21:47:45 2013
@@ -0,0 +1,843 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jena.security.impl;
+
+import com.hp.hpl.jena.rdf.model.Statement;
+import com.hp.hpl.jena.util.iterator.ExtendedIterator;
+import com.hp.hpl.jena.vocabulary.RDF;
+
+import java.lang.reflect.Proxy;
+
+import org.apache.commons.collections.map.LRUMap;
+import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang.builder.HashCodeBuilder;
+import org.apache.jena.security.AccessDeniedException;
+import org.apache.jena.security.SecurityEvaluator;
+import org.apache.jena.security.SecurityEvaluator.Action;
+import org.apache.jena.security.SecurityEvaluator.SecNode;
+import org.apache.jena.security.SecurityEvaluator.SecTriple;
+import org.apache.jena.security.SecurityEvaluator.SecNode.Type;
+
+/**
+ * An abstract implementation of SecuredItem that caches security checks.
+ * <p>
+ * Security checks are performed at multiple locations.  This implementation ensures that 
+ * during a single operation the specific check is only evaluated once by caching the result.
+ * </p>
+ * 
+ */
+public abstract class SecuredItemImpl implements SecuredItem
+{
+	// a key for the secured item.
+	private class CacheKey implements Comparable<CacheKey>
+	{
+		private final Action action;
+		private final SecNode modelNode;
+		private final SecTriple from;
+		private final SecTriple to;
+		private Integer hashCode;
+
+		public CacheKey( final Action action, final SecNode modelNode )
+		{
+			this(action, modelNode, null, null);
+		}
+
+		public CacheKey( final Action action, final SecNode modelNode,
+				final SecTriple to )
+		{
+			this(action, modelNode, to, null);
+		}
+
+		public CacheKey( final Action action, final SecNode modelNode,
+				final SecTriple to, final SecTriple from )
+		{
+			this.action = action;
+			this.modelNode = modelNode;
+			this.to = to;
+			this.from = from;
+		}
+
+		@Override
+		public int compareTo( final CacheKey other )
+		{
+			int retval = this.action.compareTo(other.action);
+			if (retval == 0)
+			{
+				retval = this.modelNode.compareTo(other.modelNode);
+			}
+			if (retval == 0)
+			{
+				if (this.to == null)
+				{
+					if (other.to == null)
+					{
+						return 0;
+					}
+					return -1;
+				}
+				retval = this.to.compareTo(other.to);
+			}
+			if (retval == 0)
+			{
+				if (this.from == null)
+				{
+					if (other.from == null)
+					{
+						return 0;
+					}
+					return -1;
+				}
+				retval = this.from.compareTo(other.from);
+			}
+			return retval;
+		}
+
+		@Override
+		public boolean equals( final Object o )
+		{
+			if (o instanceof CacheKey)
+			{
+				return this.compareTo((CacheKey) o) == 0;
+			}
+			return false;
+		}
+
+		@Override
+		public int hashCode()
+		{
+			if (hashCode == null)
+			{
+				hashCode = new HashCodeBuilder().append(action)
+						.append(modelNode).append(from).append(to).toHashCode();
+			}
+			return hashCode;
+		}
+	}
+
+	// the maximum size of the cache
+	public static int MAX_CACHE = 100;
+	// the cache for this thread.
+	public static final ThreadLocal<LRUMap> CACHE = new ThreadLocal<LRUMap>();
+	// the number of times this thread has recursively called the constructor.
+	public static final ThreadLocal<Integer> COUNT = new ThreadLocal<Integer>();
+	
+	/**
+	 * Convert a Jena Node object into a SecNode object.
+	 * @param jenaNode The Jena node to convert.
+	 * @return The SecNode that represents the jenaNode.
+	 */
+	public static SecNode convert( final com.hp.hpl.jena.graph.Node jenaNode )
+	{
+		if (com.hp.hpl.jena.graph.Node.ANY.equals(jenaNode))
+		{
+			return SecNode.ANY;
+		}
+		if (jenaNode.isLiteral())
+		{
+			return new SecNode(Type.Literal, jenaNode.getLiteral().toString());
+		}
+		if (jenaNode.isBlank())
+		{
+			return new SecNode(Type.Anonymous, jenaNode.getBlankNodeLabel());
+		}
+		if (jenaNode.isVariable())
+		{
+			return SecNode.VARIABLE;
+		}
+		return new SecNode(Type.URI, jenaNode.getURI());
+	}
+
+	/**
+	 * Convert a Jena Triple into a SecTriple.
+	 * @param jenaTriple The Jena Triple to convert.
+	 * @return The SecTriple that represents the jenaTriple.
+	 */
+	public static SecTriple convert(
+			final com.hp.hpl.jena.graph.Triple jenaTriple )
+	{
+		return new SecTriple(SecuredItemImpl.convert(jenaTriple.getSubject()),
+				SecuredItemImpl.convert(jenaTriple.getPredicate()),
+				SecuredItemImpl.convert(jenaTriple.getObject()));
+	}
+
+	/**
+	 * Decrement the number of instances of SecuredItem.
+	 */
+	public static void decrementUse()
+	{
+		final Integer i = SecuredItemImpl.COUNT.get();
+		if (i == null)
+		{
+			throw new IllegalStateException("No count on exit");
+		}
+		if (i < 1)
+		{
+			throw new IllegalStateException("No count less than 1");
+		}
+		if (i == 1)
+		{
+			SecuredItemImpl.CACHE.remove();
+			SecuredItemImpl.COUNT.remove();
+		}
+		else
+		{
+			SecuredItemImpl.COUNT.set(Integer.valueOf(i - 1));
+		}
+	}
+
+	/**
+	 * Increment the number of instances of SecuredItem.
+	 */
+	public static void incrementUse()
+	{
+		final Integer i = SecuredItemImpl.COUNT.get();
+		if (i == null)
+		{
+			SecuredItemImpl.CACHE.set(new LRUMap(Math.max(
+					SecuredItemImpl.MAX_CACHE, 100)));
+			SecuredItemImpl.COUNT.set(Integer.valueOf(1));
+		}
+		else
+		{
+			SecuredItemImpl.COUNT.set(Integer.valueOf(i + 1));
+		}
+	}
+
+	// the evaluator we are using 
+	private final SecurityEvaluator securityEvaluator;
+
+	// the secured node for that names the graph.
+	private final SecNode modelNode;
+
+	// the item holder that we are evaluating.
+	private final ItemHolder<?, ?> itemHolder;
+
+	/**
+	 * Create the SecuredItemImpl.
+	 * @param securedItem The securedItem.
+	 * @param holder The Item holder for the securedItem.
+	 * @throws IllegalArgumentException if securedItem is null or securedItem.getSecurityEvaluator() 
+	 * returns null, or the holder is null.
+	 */
+	protected SecuredItemImpl( final SecuredItem securedItem,
+			final ItemHolder<?, ?> holder )
+	{
+		if (securedItem == null)
+		{
+			throw new IllegalArgumentException("Secured item may not be null");
+		}
+		if (securedItem.getSecurityEvaluator() == null)
+		{
+			throw new IllegalArgumentException(
+					"Security evaluator in secured item may not be null");
+		}
+		if (holder == null)
+		{
+			throw new IllegalArgumentException("ItemHolder may not be null");
+		}
+		this.securityEvaluator = securedItem.getSecurityEvaluator();
+		this.modelNode = new SecurityEvaluator.SecNode(
+				SecurityEvaluator.SecNode.Type.URI, securedItem.getModelIRI());
+		this.itemHolder = holder;
+	}
+
+	/**
+	 * Create the SecuredItemImpl.
+	 * @param securityEvaluator the secured evaluator to use.
+	 * @param modelURI the URI for the model.
+	 * @param holder The holder to use.
+	 * @throws IllegalArgumentException if security evaluator is null, modelURI is null or empty,
+	 * or holder is null.
+	 */
+	protected SecuredItemImpl( final SecurityEvaluator securityEvaluator,
+			final String modelURI, final ItemHolder<?, ?> holder )
+	{
+		if (securityEvaluator == null)
+		{
+			throw new IllegalArgumentException(
+					"Security evaluator may not be null");
+		}
+		if (StringUtils.isEmpty(modelURI))
+		{
+			throw new IllegalArgumentException(
+					"ModelURI may not be empty or null");
+		}
+		if (holder == null)
+		{
+			throw new IllegalArgumentException("ItemHolder may not be null");
+		}
+		this.securityEvaluator = securityEvaluator;
+		this.modelNode = new SecurityEvaluator.SecNode(
+				SecurityEvaluator.SecNode.Type.URI, modelURI);
+		this.itemHolder = holder;
+	}
+
+	@Override
+	public String toString() {
+		if (canRead())
+		{
+			return itemHolder.getBaseItem().toString();
+		}
+		return super.toString();
+	}
+	
+	/**
+	 * get the cached value.
+	 * @param key The key to look for.
+	 * @return the value of the security check or <code>null</code> if the value has not been cached.
+	 */
+	private Boolean cacheGet( final CacheKey key )
+	{
+		final LRUMap cache = SecuredItemImpl.CACHE.get();
+		return (cache == null) ? null : (Boolean) cache.get(key);
+	}
+
+	/**
+	 * set teh cache value.
+	 * @param key The key to set the value for.
+	 * @param value The value to set.
+	 */
+	void cachePut( final CacheKey key, final boolean value )
+	{
+		final LRUMap cache = SecuredItemImpl.CACHE.get();
+		if (cache != null)
+		{
+			cache.put(key, value);
+			SecuredItemImpl.CACHE.set(cache);
+		}
+	}
+
+	/*
+	 * (non-Javadoc)
+	 * 
+	 * @see org.apache.jena.security.SecuredItem#canCreate()
+	 */
+	@Override
+	public boolean canCreate()
+	{
+		final CacheKey key = new CacheKey(Action.Create, modelNode);
+		Boolean retval = cacheGet(key);
+		if (retval == null)
+		{
+			retval = securityEvaluator.evaluate(Action.Create, modelNode);
+			cachePut(key, retval);
+		}
+		return retval;
+	}
+
+	public boolean canCreate( final com.hp.hpl.jena.graph.Triple t )
+	{
+		return canCreate(SecuredItemImpl.convert(t));
+	}
+
+	@Override
+	public boolean canCreate( final SecTriple t )
+	{
+		final CacheKey key = new CacheKey(Action.Create, modelNode, t);
+		Boolean retval = cacheGet(key);
+		if (retval == null)
+		{
+			retval = securityEvaluator.evaluate(Action.Create, modelNode, t);
+			cachePut(key, retval);
+		}
+		return retval;
+	}
+
+	public boolean canCreate( final Statement s )
+	{
+		return canCreate(s.asTriple());
+	}
+
+	/*
+	 * (non-Javadoc)
+	 * 
+	 * @see org.apache.jena.security.SecuredItem#canDelete()
+	 */
+	@Override
+	public boolean canDelete()
+	{
+		final CacheKey key = new CacheKey(Action.Delete, modelNode);
+		Boolean retval = cacheGet(key);
+		if (retval == null)
+		{
+			retval = securityEvaluator.evaluate(Action.Delete, modelNode);
+			cachePut(key, retval);
+		}
+		return retval;
+	}
+
+	public boolean canDelete( final com.hp.hpl.jena.graph.Triple t )
+	{
+		return canDelete(SecuredItemImpl.convert(t));
+	}
+
+	@Override
+	public boolean canDelete( final SecTriple t )
+	{
+		final CacheKey key = new CacheKey(Action.Delete, modelNode, t);
+		Boolean retval = cacheGet(key);
+		if (retval == null)
+		{
+			retval = securityEvaluator.evaluate(Action.Delete, modelNode, t);
+			cachePut(key, retval);
+		}
+		return retval;
+	}
+
+	public boolean canDelete( final Statement s )
+	{
+		return canDelete(s.asTriple());
+	}
+
+	/*
+	 * (non-Javadoc)
+	 * 
+	 * @see org.apache.jena.security.SecuredItem#canRead()
+	 */
+	@Override
+	public boolean canRead()
+	{
+		final CacheKey key = new CacheKey(Action.Read, modelNode);
+		Boolean retval = cacheGet(key);
+		if (retval == null)
+		{
+			retval = securityEvaluator.evaluate(Action.Read, modelNode);
+			cachePut(key, retval);
+		}
+		return retval;
+	}
+
+	public boolean canRead( final com.hp.hpl.jena.graph.Triple t )
+	{
+		return canRead(SecuredItemImpl.convert(t));
+	}
+
+	@Override
+	public boolean canRead( final SecTriple t )
+	{
+		final CacheKey key = new CacheKey(Action.Read, modelNode, t);
+		Boolean retval = cacheGet(key);
+		if (retval == null)
+		{
+			retval = securityEvaluator.evaluate(Action.Read, modelNode, t);
+			cachePut(key, retval);
+		}
+		return retval;
+	}
+
+	public boolean canRead( final Statement s )
+	{
+		return canRead(s.asTriple());
+	}
+
+	/*
+	 * (non-Javadoc)
+	 * 
+	 * @see org.apache.jena.security.SecuredItem#canUpdate()
+	 */
+	@Override
+	public boolean canUpdate()
+	{
+		final CacheKey key = new CacheKey(Action.Update, modelNode);
+		Boolean retval = cacheGet(key);
+		if (retval == null)
+		{
+			retval = securityEvaluator.evaluate(Action.Update, modelNode);
+			cachePut(key, retval);
+		}
+		return retval;
+	}
+
+	public boolean canUpdate( final com.hp.hpl.jena.graph.Triple from,
+			final com.hp.hpl.jena.graph.Triple to )
+	{
+		return canUpdate(SecuredItemImpl.convert(from),
+				SecuredItemImpl.convert(to));
+	}
+
+	@Override
+	public boolean canUpdate( final SecTriple from, final SecTriple to )
+	{
+		final CacheKey key = new CacheKey(Action.Update, modelNode, from, to);
+		Boolean retval = cacheGet(key);
+		if (retval == null)
+		{
+			retval = securityEvaluator.evaluateUpdate(modelNode, from, to);
+			cachePut(key, retval);
+		}
+		return retval;
+	}
+
+	public boolean canUpdate( final Statement from, final Statement to )
+	{
+		return canUpdate(from.asTriple(), to.asTriple());
+	}
+
+	/**
+	 * check that create on the securedModel is allowed,
+	 * 
+	 * @throws AccessDeniedException
+	 *             on failure
+	 */
+	protected void checkCreate()
+	{
+		if (!canCreate())
+		{
+			throw new AccessDeniedException(modelNode, Action.Create);
+		}
+	}
+
+	protected void checkCreate( final com.hp.hpl.jena.graph.Triple t )
+	{
+		checkCreate(SecuredItemImpl.convert(t));
+	}
+
+	/**
+	 * check that the triple can be created in the securedModel.,
+	 * 
+	 * @throws AccessDeniedException
+	 *             on failure
+	 */
+	protected void checkCreate( final SecTriple t )
+	{
+		if (!canCreate(t))
+		{
+			throw new AccessDeniedException(modelNode, t.toString(),
+					Action.Create);
+		}
+	}
+
+	protected void checkCreate( final Statement s )
+	{
+		checkCreate(s.asTriple());
+	}
+
+	protected void checkCreateReified( final String uri, final SecTriple t )
+	{
+		checkUpdate();
+		final SecNode n = uri == null ? SecNode.FUTURE : new SecNode(Type.URI,
+				uri);
+		checkCreate(new SecTriple(n, SecuredItemImpl.convert(RDF.subject
+				.asNode()), t.getSubject()));
+		checkCreate(new SecTriple(n, SecuredItemImpl.convert(RDF.predicate
+				.asNode()), t.getPredicate()));
+		checkCreate(new SecTriple(n, SecuredItemImpl.convert(RDF.object
+				.asNode()), t.getObject()));
+	}
+
+	protected void checkCreateStatement( final ExtendedIterator<Statement> stmts )
+	{
+		if (!canCreate(SecTriple.ANY))
+		{
+			try
+			{
+				while (stmts.hasNext())
+				{
+					checkCreate(stmts.next());
+				}
+			}
+			finally
+			{
+				stmts.close();
+			}
+		}
+	}
+
+	protected void checkCreateTriples(
+			final ExtendedIterator<com.hp.hpl.jena.graph.Triple> triples )
+	{
+		if (!canCreate(SecTriple.ANY))
+		{
+			try
+			{
+				while (triples.hasNext())
+				{
+					checkCreate(triples.next());
+				}
+			}
+			finally
+			{
+				triples.close();
+			}
+		}
+	}
+
+	/**
+	 * check that delete on the securedModel is allowed,
+	 * 
+	 * @throws AccessDeniedException
+	 *             on failure
+	 */
+	protected void checkDelete()
+	{
+		if (!canDelete())
+		{
+			throw new AccessDeniedException(modelNode, Action.Delete);
+		}
+	}
+
+	protected void checkDelete( final com.hp.hpl.jena.graph.Triple t )
+	{
+		checkDelete(SecuredItemImpl.convert(t));
+	}
+
+	/**
+	 * check that the triple can be deleted in the securedModel.,
+	 * 
+	 * @throws AccessDeniedException
+	 *             on failure
+	 */
+	protected void checkDelete( final SecTriple t )
+	{
+		if (!canDelete(t))
+		{
+			throw new AccessDeniedException(modelNode, t.toString(),
+					Action.Delete);
+		}
+	}
+
+	protected void checkDelete( final Statement s )
+	{
+		checkDelete(s.asTriple());
+	}
+
+	protected void checkDeleteStatements(
+			final ExtendedIterator<Statement> stmts )
+	{
+		if (!canDelete(SecTriple.ANY))
+		{
+			try
+			{
+				while (stmts.hasNext())
+				{
+					checkDelete(stmts.next());
+				}
+			}
+			finally
+			{
+				stmts.close();
+			}
+		}
+	}
+
+	protected void checkDeleteTriples(
+			final ExtendedIterator<com.hp.hpl.jena.graph.Triple> triples )
+	{
+		if (!canDelete(SecTriple.ANY))
+		{
+			try
+			{
+				while (triples.hasNext())
+				{
+					checkDelete(triples.next());
+				}
+			}
+			finally
+			{
+				triples.close();
+			}
+		}
+	}
+
+	/**
+	 * check that read on the securedModel is allowed,
+	 * 
+	 * @throws AccessDeniedException
+	 *             on failure
+	 */
+	protected void checkRead()
+	{
+		if (!canRead())
+		{
+			throw new AccessDeniedException(modelNode, Action.Read);
+		}
+	}
+
+	protected void checkRead( final com.hp.hpl.jena.graph.Triple t )
+	{
+		checkRead(SecuredItemImpl.convert(t));
+	}
+
+	/**
+	 * check that the triple can be read in the securedModel.,
+	 * 
+	 * @throws AccessDeniedException
+	 *             on failure
+	 */
+	protected void checkRead( final SecTriple t )
+	{
+		if (!canRead(t))
+		{
+			throw new AccessDeniedException(modelNode, t.toString(),
+					Action.Read);
+		}
+	}
+
+	protected void checkRead( final Statement s )
+	{
+		checkRead(s.asTriple());
+	}
+
+	protected void checkReadStatement( final ExtendedIterator<Statement> stmts )
+	{
+		try
+		{
+			while (stmts.hasNext())
+			{
+				checkRead(stmts.next());
+			}
+		}
+		finally
+		{
+			stmts.close();
+		}
+	}
+
+	protected void checkReadTriples(
+			final ExtendedIterator<com.hp.hpl.jena.graph.Triple> triples )
+	{
+		try
+		{
+			while (triples.hasNext())
+			{
+				checkRead(triples.next());
+			}
+		}
+		finally
+		{
+			triples.close();
+		}
+	}
+
+	/**
+	 * check that update on the securedModel is allowed,
+	 * 
+	 * @throws AccessDeniedException
+	 *             on failure
+	 */
+	protected void checkUpdate()
+	{
+		if (!canUpdate())
+		{
+			throw new AccessDeniedException(modelNode, Action.Update);
+		}
+	}
+
+	protected void checkUpdate( final com.hp.hpl.jena.graph.Triple from,
+			final com.hp.hpl.jena.graph.Triple to )
+	{
+		checkUpdate(SecuredItemImpl.convert(from), SecuredItemImpl.convert(to));
+	}
+
+	/**
+	 * check that the triple can be updated in the securedModel.,
+	 * 
+	 * @param from the starting triple
+	 * @param to the final triple.
+	 * @throws AccessDeniedException
+	 *             on failure
+	 */
+	protected void checkUpdate( final SecTriple from, final SecTriple to )
+	{
+		if (!canUpdate(from, to))
+		{
+			throw new AccessDeniedException(modelNode, String.format(
+					"%s to %s", from, to), Action.Update);
+		}
+	}
+
+	/*
+	 * (non-Javadoc)
+	 * 
+	 * @see org.apache.jena.security.SecuredItem#equals(java.lang.Object)
+	 */
+	@Override
+	public boolean equals( final Object o )
+	{
+		if (Proxy.isProxyClass(o.getClass()))
+		{
+			return o.equals(itemHolder.getSecuredItem());
+		}
+		else
+		{
+			if (o instanceof SecuredItemImpl)
+			{
+				return itemHolder.getBaseItem().equals( ((SecuredItemImpl)o).getBaseItem());
+			}
+			return false;
+		}
+	}
+
+	@Override
+	public int hashCode()
+	{
+		return itemHolder.getBaseItem().hashCode();
+	}
+	/*
+	 * (non-Javadoc)
+	 * 
+	 * @see org.apache.jena.security.SecuredItem#getBaseItem()
+	 */
+	@Override
+	public Object getBaseItem()
+	{
+		return itemHolder.getBaseItem();
+	}
+
+	/*
+	 * (non-Javadoc)
+	 * 
+	 * @see org.apache.jena.security.SecuredItem#getModelIRI()
+	 */
+	@Override
+	public String getModelIRI()
+	{
+		return modelNode.getValue();
+	}
+
+	/**
+	 * get the name of the model.
+	 */
+	@Override
+	public SecNode getModelNode()
+	{
+		return modelNode;
+	}
+
+	/*
+	 * (non-Javadoc)
+	 * 
+	 * @see org.apache.jena.security.SecuredItem#getSecurityEvaluator()
+	 */
+	@Override
+	public SecurityEvaluator getSecurityEvaluator()
+	{
+		return securityEvaluator;
+	}
+
+	/*
+	 * (non-Javadoc)
+	 * 
+	 * @see org.apache.jena.security.isEquivalent()
+	 */
+	@Override
+	public boolean isEquivalent( final SecuredItem securedItem )
+	{
+		return SecuredItem.Util.isEquivalent(this, securedItem);
+	}
+}
\ No newline at end of file

Propchange: jena/Experimental/jena-security/src/main/java/org/apache/jena/security/impl/SecuredItemImpl.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Added: jena/Experimental/jena-security/src/main/java/org/apache/jena/security/impl/SecuredItemInvoker.java
URL: http://svn.apache.org/viewvc/jena/Experimental/jena-security/src/main/java/org/apache/jena/security/impl/SecuredItemInvoker.java?rev=1509440&view=auto
==============================================================================
--- jena/Experimental/jena-security/src/main/java/org/apache/jena/security/impl/SecuredItemInvoker.java (added)
+++ jena/Experimental/jena-security/src/main/java/org/apache/jena/security/impl/SecuredItemInvoker.java Thu Aug  1 21:47:45 2013
@@ -0,0 +1,143 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jena.security.impl;
+
+import java.lang.reflect.InvocationHandler;
+import java.lang.reflect.Method;
+import java.lang.reflect.Modifier;
+import java.lang.reflect.Proxy;
+
+
+/**
+ * A generic InvocationHandler that handles the general invocation of the
+ * security methods.
+ */
+public class SecuredItemInvoker implements InvocationHandler
+{
+	// the equals() method
+	private static Method EQUALS;
+	// the toString() method
+	private static Method TO_STRING;
+	// the hashCode() method.
+	private static Method HASH_CODE;
+	// the instance of SecuredItem that this proxy is using. Must be
+	// package-private for ItemHolder use.
+	/* package-private */final SecuredItem securedItem;
+
+	// populate the static fields.
+	static
+	{
+		try
+		{
+			SecuredItemInvoker.EQUALS = Object.class.getMethod("equals",
+					Object.class);
+			SecuredItemInvoker.TO_STRING = Object.class.getMethod("toString");
+			SecuredItemInvoker.HASH_CODE = Object.class.getMethod("hashCode");
+		}
+		catch (final SecurityException e)
+		{
+			throw new RuntimeException(e);
+		}
+		catch (final NoSuchMethodException e)
+		{
+			throw new RuntimeException(e);
+		}
+	}
+
+	/**
+	 * Constructor.
+	 * 
+	 * @param securedClass
+	 *            The class of the object that is being protected.
+	 * @param securedItem
+	 *            The implementation of the SecuredItem version of the object.
+	 */
+	public SecuredItemInvoker( final Class<?> securedClass,
+			final SecuredItem securedItem )
+	{
+		this.securedItem = securedItem;
+	}
+
+	@Override
+	public Object invoke( final Object proxy, final Method method,
+			final Object[] args ) throws Throwable
+	{
+
+		// check for the special case methods
+		if (SecuredItemInvoker.EQUALS.equals(method))
+		{
+			if (Proxy.isProxyClass(args[0].getClass()))
+			{
+				return args[0].equals(securedItem);
+			}
+			else
+			{
+				return securedItem.equals(args[0]);
+			}
+		}
+
+		if (SecuredItemInvoker.HASH_CODE.equals(method))
+		{
+			return securedItem.hashCode();
+		}
+
+		if (SecuredItemInvoker.TO_STRING.equals(method))
+		{
+			return securedItem.toString();
+		}
+
+		try
+		{
+			final Method m = securedItem.getClass().getMethod(method.getName(),
+					method.getParameterTypes());
+			if (!Modifier.isAbstract(m.getModifiers()))
+			{
+				try
+				{
+					SecuredItemImpl.incrementUse();
+					try
+					{
+						return method.invoke(securedItem, args);
+					}
+					finally
+					{
+						SecuredItemImpl.decrementUse();
+					}
+
+				}
+				catch (final java.lang.reflect.InvocationTargetException e2)
+				{
+					if (e2.getTargetException() instanceof RuntimeException)
+					{
+						throw e2.getTargetException();
+					}
+					throw e2;
+				}
+			}
+		}
+		catch (final NoSuchMethodException e2)
+		{
+			// acceptable
+		}
+
+		// if we get here then the method is not being proxied so call the
+		// original method on the base item.
+		return method.invoke(securedItem.getBaseItem(), args);
+
+	}
+}
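Review bot: The last statement of `invoke`, `return method.invoke(securedItem.getBaseItem(), args);`, is a fail-open default: any interface method that the class of `securedItem` does not declare (the `NoSuchMethodException` branch marked `// acceptable`) or declares abstract runs on the unwrapped base item with no permission check. A method added later to a proxied interface would therefore be served unsecured with no compile-time or run-time signal. I would at least replace `// acceptable` with `// not implemented by the secured item: the call below reaches the base item with NO permission check`, and consider denying by default for methods that are not on an explicit pass-through list. Separately, the `equals` branch dereferences `args[0].getClass()` and so throws `NullPointerException` for `proxy.equals(null)`; `if (args[0] == null) { return false; }` ahead of the `Proxy.isProxyClass` test restores the `equals` contract.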

Propchange: jena/Experimental/jena-security/src/main/java/org/apache/jena/security/impl/SecuredItemInvoker.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Added: jena/Experimental/jena-security/src/main/java/org/apache/jena/security/model/SecuredAlt.java
URL: http://svn.apache.org/viewvc/jena/Experimental/jena-security/src/main/java/org/apache/jena/security/model/SecuredAlt.java?rev=1509440&view=auto
==============================================================================
--- jena/Experimental/jena-security/src/main/java/org/apache/jena/security/model/SecuredAlt.java (added)
+++ jena/Experimental/jena-security/src/main/java/org/apache/jena/security/model/SecuredAlt.java Thu Aug  1 21:47:45 2013
@@ -0,0 +1,264 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jena.security.model;
+
+import com.hp.hpl.jena.rdf.model.Alt;
+import com.hp.hpl.jena.rdf.model.RDFNode;
+import com.hp.hpl.jena.rdf.model.ResourceF;
+
+import org.apache.jena.security.AccessDeniedException;
+
+/**
+ * The interface for secured Alt instances.
+ * 
+ * Use the SecuredAlt.Factory to create instances
+ */
+public interface SecuredAlt extends Alt, SecuredContainer
+{
+	/**
+	 * @sec.graph Read
+	 * @sec.triple Read SecTriple(this, RDF.li(1), o )
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public SecuredRDFNode getDefault() throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @sec.triple Read SecTriple(this, RDF.li(1), o )
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public SecuredAlt getDefaultAlt() throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @sec.triple Read SecTriple(this, RDF.li(1), o )
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public SecuredBag getDefaultBag() throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @sec.triple Read SecTriple(this, RDF.li(1), o )
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public boolean getDefaultBoolean() throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @sec.triple Read SecTriple(this, RDF.li(1), o )
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public byte getDefaultByte() throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @sec.triple Read SecTriple(this, RDF.li(1), o )
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public char getDefaultChar() throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @sec.triple Read SecTriple(this, RDF.li(1), o )
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public double getDefaultDouble() throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @sec.triple Read SecTriple(this, RDF.li(1), o )
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public float getDefaultFloat() throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @sec.triple Read SecTriple(this, RDF.li(1), o )
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public int getDefaultInt() throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @sec.triple Read SecTriple(this, RDF.li(1), o )
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public String getDefaultLanguage() throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @sec.triple Read SecTriple(this, RDF.li(1), o )
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public SecuredLiteral getDefaultLiteral() throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @sec.triple Read SecTriple(this, RDF.li(1), o )
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public long getDefaultLong() throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @sec.triple Read SecTriple(this, RDF.li(1), o )
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public SecuredResource getDefaultResource() throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @sec.triple Read SecTriple(this, RDF.li(1), o )
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	@Deprecated
+	public SecuredResource getDefaultResource( final ResourceF f )
+			throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @sec.triple Read SecTriple(this, RDF.li(1), o )
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public SecuredSeq getDefaultSeq() throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @sec.triple Read SecTriple(this, RDF.li(1), o )
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public short getDefaultShort() throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @sec.triple Read SecTriple(this, RDF.li(1), o )
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public String getDefaultString() throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Update
+	 * @sec.triple Update SecTriple(this, RDF.li(1), existing ), SecTriple(this,
+	 *            RDF.li(1), o )
+	 * @sec.triple Create SecTriple(this, RDF.li(1), o ) if no current default
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public SecuredAlt setDefault( final boolean o )
+			throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Update
+	 * @sec.triple Update SecTriple(this, RDF.li(1), existing ), SecTriple(this,
+	 *            RDF.li(1), o )
+	 * @sec.triple Create SecTriple(this, RDF.li(1), o ) if no current default
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public SecuredAlt setDefault( final char o ) throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Update
+	 * @sec.triple Update SecTriple(this, RDF.li(1), existing ), SecTriple(this,
+	 *            RDF.li(1), o )
+	 * @sec.triple Create SecTriple(this, RDF.li(1), o ) if no current default
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public SecuredAlt setDefault( final double o ) throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Update
+	 * @sec.triple Update SecTriple(this, RDF.li(1), existing ), SecTriple(this,
+	 *            RDF.li(1), o )
+	 * @sec.triple Create SecTriple(this, RDF.li(1), o ) if no current default
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public SecuredAlt setDefault( final float o ) throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Update
+	 * @sec.triple Update SecTriple(this, RDF.li(1), existing ), SecTriple(this,
+	 *            RDF.li(1), o )
+	 * @sec.triple Create SecTriple(this, RDF.li(1), o ) if no current default
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public SecuredAlt setDefault( final long o ) throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Update
+	 * @sec.triple Update SecTriple(this, RDF.li(1), existing ), SecTriple(this,
+	 *            RDF.li(1), o )
+	 * @sec.triple Create SecTriple(this, RDF.li(1), o ) if no current default
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public SecuredAlt setDefault( final Object o ) throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Update
+	 * @sec.triple Update SecTriple(this, RDF.li(1), existing ), SecTriple(this,
+	 *            RDF.li(1), o )
+	 * @sec.triple Create SecTriple(this, RDF.li(1), o ) if no current default
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public SecuredAlt setDefault( final RDFNode o )
+			throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Update
+	 * @sec.triple Update SecTriple(this, RDF.li(1), existing ), SecTriple(this,
+	 *            RDF.li(1), o )
+	 * @sec.triple Create SecTriple(this, RDF.li(1), o ) if no current default
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public SecuredAlt setDefault( final String o ) throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Update
+	 * @sec.triple Update SecTriple(this, RDF.li(1), existing ), SecTriple(this,
+	 *            RDF.li(1), o )
+	 * @sec.triple Create SecTriple(this, RDF.li(1), o ) if no current default
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public SecuredAlt setDefault( final String o, final String l )
+			throws AccessDeniedException;
+
+}
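Review bot: The interface Javadoc says `Use the SecuredAlt.Factory to create instances`, but the interface added in this hunk declares no nested `Factory`, so the pointer leads nowhere; the same sentence appears in the `SecuredBag` and `SecuredLiteral` hunks with the same gap. Either name the class that actually builds the secured wrappers or drop the sentence. The method comments also consist only of `@sec.graph`, `@sec.triple` and a bare `@throws AccessDeniedException`; a one-line summary plus a reason on the `@throws` (for the getters, `@throws AccessDeniedException if the caller lacks Read on the graph or on the default triple`) would make the permission contract readable without knowing the custom tags.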

Propchange: jena/Experimental/jena-security/src/main/java/org/apache/jena/security/model/SecuredAlt.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Added: jena/Experimental/jena-security/src/main/java/org/apache/jena/security/model/SecuredBag.java
URL: http://svn.apache.org/viewvc/jena/Experimental/jena-security/src/main/java/org/apache/jena/security/model/SecuredBag.java?rev=1509440&view=auto
==============================================================================
--- jena/Experimental/jena-security/src/main/java/org/apache/jena/security/model/SecuredBag.java (added)
+++ jena/Experimental/jena-security/src/main/java/org/apache/jena/security/model/SecuredBag.java Thu Aug  1 21:47:45 2013
@@ -0,0 +1,29 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jena.security.model;
+
+import com.hp.hpl.jena.rdf.model.Bag;
+
+/**
+ * The interface for secured Bag instances.
+ * 
+ * Use the SecuredBag.Factory to create instances
+ */
+public interface SecuredBag extends Bag, SecuredContainer
+{
+}

Propchange: jena/Experimental/jena-security/src/main/java/org/apache/jena/security/model/SecuredBag.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Added: jena/Experimental/jena-security/src/main/java/org/apache/jena/security/model/SecuredContainer.java
URL: http://svn.apache.org/viewvc/jena/Experimental/jena-security/src/main/java/org/apache/jena/security/model/SecuredContainer.java?rev=1509440&view=auto
==============================================================================
--- jena/Experimental/jena-security/src/main/java/org/apache/jena/security/model/SecuredContainer.java (added)
+++ jena/Experimental/jena-security/src/main/java/org/apache/jena/security/model/SecuredContainer.java Thu Aug  1 21:47:45 2013
@@ -0,0 +1,219 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jena.security.model;
+
+import com.hp.hpl.jena.rdf.model.Container;
+import com.hp.hpl.jena.rdf.model.RDFNode;
+import com.hp.hpl.jena.rdf.model.Statement;
+
+import java.util.Set;
+
+import org.apache.jena.security.AccessDeniedException;
+import org.apache.jena.security.SecurityEvaluator.Action;
+import org.apache.jena.security.model.impl.SecuredNodeIterator;
+
+/**
+ * The interface for secured Container instances.
+ * 
+ * Use one of the SecuredContainer derived class Factory methods to create
+ * instances
+ */
+public interface SecuredContainer extends Container, SecuredResource
+{
+
+	/**
+	 * @sec.graph Update
+	 * @sec.triple Create SecTriple( this, RDF.li, o );
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public SecuredContainer add( final boolean o ) throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Update
+	 * @sec.triple Create SecTriple( this, RDF.li, o );
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public SecuredContainer add( final char o ) throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Update
+	 * @sec.triple Create SecTriple( this, RDF.li, o );
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public SecuredContainer add( final double o ) throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Update
+	 * @sec.triple Create SecTriple( this, RDF.li, o );
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public SecuredContainer add( final float o ) throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Update
+	 * @sec.triple Create SecTriple( this, RDF.li, o );
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public SecuredContainer add( final long o ) throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Update
+	 * @sec.triple Create SecTriple( this, RDF.li, o );
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public SecuredContainer add( final Object o ) throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Update
+	 * @sec.triple Create SecTriple( this, RDF.li, o );
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public SecuredContainer add( final RDFNode o ) throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Update
+	 * @sec.triple Create SecTriple( this, RDF.li, o );
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public SecuredContainer add( final String o ) throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Update
+	 * @sec.triple Create SecTriple( this, RDF.li, o );
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public SecuredContainer add( final String o, final String l )
+			throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @sec.triple Read SecTriple( this, RDF.li, o );
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public boolean contains( final boolean o ) throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @sec.triple Read SecTriple( this, RDF.li, o );
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public boolean contains( final char o ) throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @sec.triple Read SecTriple( this, RDF.li, o );
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public boolean contains( final double o ) throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @sec.triple Read SecTriple( this, RDF.li, o );
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public boolean contains( final float o ) throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @sec.triple Read SecTriple( this, RDF.li, o );
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public boolean contains( final long o ) throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @sec.triple Read SecTriple( this, RDF.li, o );
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public boolean contains( final Object o ) throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @sec.triple Read SecTriple( this, RDF.li, o );
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public boolean contains( final RDFNode o ) throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @sec.triple Read SecTriple( this, RDF.li, o );
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public boolean contains( final String o ) throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @sec.triple Read SecTriple( this, RDF.li, o );
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public boolean contains( final String o, final String l )
+			throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @sec.triple Read on each triple ( this, rdf:li_? node ) returned by
+	 *            iterator;
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public SecuredNodeIterator<RDFNode> iterator() throws AccessDeniedException;
+
+	/**
+	 * @param perms the Permissions required on each node returned
+	 * @sec.graph Read
+	 * @sec.triple Read + perms on each triple ( this, rdf:li_? node ) returned
+	 *            by iterator;
+	 * @throws AccessDeniedException
+	 */
+	public SecuredNodeIterator<RDFNode> iterator( Set<Action> perms )
+			throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Update
+	 * @sec.triple Delete s as triple;
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public SecuredContainer remove( final Statement s )
+			throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public int size() throws AccessDeniedException;
+}
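Review bot: `size()` is documented with `@sec.graph Read` only, while `iterator()` and every `contains` overload in this interface also require Read on the member triples. If the implementation follows that contract, a caller who may read the graph but not its members still learns how many members the container holds. The comment should state which behaviour is intended, e.g. `@sec.triple Read on each triple ( this, rdf:li_? node ) counted`, or say explicitly that the count includes triples the caller cannot read. The implementation is outside this hunk, so this is a question about the documented contract rather than a confirmed leak.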

Propchange: jena/Experimental/jena-security/src/main/java/org/apache/jena/security/model/SecuredContainer.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Added: jena/Experimental/jena-security/src/main/java/org/apache/jena/security/model/SecuredLiteral.java
URL: http://svn.apache.org/viewvc/jena/Experimental/jena-security/src/main/java/org/apache/jena/security/model/SecuredLiteral.java?rev=1509440&view=auto
==============================================================================
--- jena/Experimental/jena-security/src/main/java/org/apache/jena/security/model/SecuredLiteral.java (added)
+++ jena/Experimental/jena-security/src/main/java/org/apache/jena/security/model/SecuredLiteral.java Thu Aug  1 21:47:45 2013
@@ -0,0 +1,166 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jena.security.model;
+
+import com.hp.hpl.jena.datatypes.DatatypeFormatException;
+import com.hp.hpl.jena.datatypes.RDFDatatype;
+import com.hp.hpl.jena.rdf.model.Literal;
+import com.hp.hpl.jena.rdf.model.Model;
+
+import org.apache.jena.security.AccessDeniedException;
+
+/**
+ * The interface for secured Literal instances.
+ * 
+ * Use the SecuredLiteral.Factory to create instances
+ */
+public interface SecuredLiteral extends Literal, SecuredRDFNode
+{
+
+	@Override
+	public SecuredLiteral asLiteral();
+
+	// @Override
+	// public SecuredResource asResource();
+
+	/**
+	 * @sec.graph Read
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public boolean getBoolean() throws AccessDeniedException,
+			DatatypeFormatException;
+
+	/**
+	 * @sec.graph Read
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public byte getByte() throws AccessDeniedException, DatatypeFormatException;
+
+	/**
+	 * @sec.graph Read
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public char getChar() throws AccessDeniedException, DatatypeFormatException;
+
+	/**
+	 * @sec.graph Read
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public RDFDatatype getDatatype() throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public String getDatatypeURI() throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public double getDouble() throws AccessDeniedException,
+			DatatypeFormatException;
+
+	/**
+	 * @sec.graph Read
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public float getFloat() throws AccessDeniedException,
+			DatatypeFormatException;
+
+	/**
+	 * @sec.graph Read
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public int getInt() throws AccessDeniedException, DatatypeFormatException;
+
+	/**
+	 * @sec.graph Read
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public String getLanguage() throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public String getLexicalForm() throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public long getLong() throws AccessDeniedException, DatatypeFormatException;
+
+	/**
+	 * @sec.graph Read
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public short getShort() throws AccessDeniedException,
+			DatatypeFormatException;
+
+	/**
+	 * @sec.graph Read
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public String getString() throws AccessDeniedException,
+			DatatypeFormatException;
+
+	/**
+	 * @sec.graph Read
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public Object getValue() throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public Literal inModel( final Model m ) throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public boolean isWellFormedXML() throws AccessDeniedException;
+
+	/**
+	 * @sec.graph Read
+	 * @throws AccessDeniedException
+	 */
+	@Override
+	public boolean sameValueAs( final Literal other )
+			throws AccessDeniedException;
+
+}
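Review bot: `inModel( final Model m )` is declared to return plain `Literal`, whereas `asLiteral()` in the same interface narrows its return type to `SecuredLiteral`. From the interface alone a caller cannot tell whether the literal handed back is still permission-checked or is an unwrapped object in `m`. I would document that on the method, e.g. `@return the literal in m; whether it is still secured depends on m (TODO confirm against the implementation)`, or narrow the return type if the result is always wrapped. The commented-out `asResource()` override above it should be deleted or replaced by a sentence saying why it is not overridden.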

Propchange: jena/Experimental/jena-security/src/main/java/org/apache/jena/security/model/SecuredLiteral.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain