[exo-jcr-commits] exo-jcr SVN: r2541 - in core/trunk/exo.core.component.security.core: src/main/java/org/exoplatform/services/security and 2 other directories.
do-not-reply at jboss.org
do-not-reply at jboss.org
Thu Jun 10 08:48:48 EDT 2010
Author: nzamosenchuk
Date: 2010-06-10 08:48:48 -0400 (Thu, 10 Jun 2010)
New Revision: 2541
Added:
core/trunk/exo.core.component.security.core/src/main/java/org/exoplatform/services/security/PermissionConstants.java
core/trunk/exo.core.component.security.core/src/test/java/org/exoplatform/services/security/BaseSecurityTest.java
core/trunk/exo.core.component.security.core/src/test/java/org/exoplatform/services/security/TestIdentityPermissions.java
core/trunk/exo.core.component.security.core/src/test/resources/test.policy
Modified:
core/trunk/exo.core.component.security.core/pom.xml
core/trunk/exo.core.component.security.core/src/main/java/org/exoplatform/services/security/Identity.java
Log:
EXOJCR-770 : Added test for Identity security and Identity changed using SecureSet from KERNEL project.
Modified: core/trunk/exo.core.component.security.core/pom.xml
===================================================================
--- core/trunk/exo.core.component.security.core/pom.xml 2010-06-10 10:05:24 UTC (rev 2540)
+++ core/trunk/exo.core.component.security.core/pom.xml 2010-06-10 12:48:48 UTC (rev 2541)
@@ -1,25 +1,17 @@
-<!--
- Copyright (C) 2009 eXo Platform SAS.
+ <!--
- This is free software; you can redistribute it and/or modify it
- under the terms of the GNU Lesser General Public License as
- published by the Free Software Foundation; either version 2.1 of
- the License, or (at your option) any later version.
+ Copyright (C) 2009 eXo Platform SAS. This is free software; you can redistribute it and/or modify it under the
+ terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of
+ the License, or (at your option) any later version. This software is distributed in the hope that it will be
+ useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU
+ Lesser General Public License along with this software; if not, write to the Free Software Foundation, Inc., 51
+ Franklin St, Fifth Floor, Boston, MA 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ -->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
- This software is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Lesser General Public License for more details.
-
- You should have received a copy of the GNU Lesser General Public
- License along with this software; if not, write to the Free
- Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
- 02110-1301 USA, or see the FSF site: http://www.fsf.org.
-
--->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-
<modelVersion>4.0.0</modelVersion>
<parent>
@@ -53,7 +45,7 @@
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
- </dependency>
+ </dependency>
<dependency>
<groupId>commons-lang</groupId>
<artifactId>commons-lang</artifactId>
@@ -61,6 +53,15 @@
</dependencies>
<build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-surefire-plugin</artifactId>
+ <configuration>
+ <argLine>-Djava.security.manager -Djava.security.policy=${project.build.directory}/test-classes/test.policy</argLine>
+ </configuration>
+ </plugin>
+ </plugins>
<testResources>
<testResource>
<directory>src/test/java</directory>
@@ -75,6 +76,7 @@
<include>**/*.properties</include>
<include>**/*.xml</include>
<include>**/login.conf</include>
+ <include>**/test.policy</include>
</includes>
</testResource>
</testResources>
Modified: core/trunk/exo.core.component.security.core/src/main/java/org/exoplatform/services/security/Identity.java
===================================================================
--- core/trunk/exo.core.component.security.core/src/main/java/org/exoplatform/services/security/Identity.java 2010-06-10 10:05:24 UTC (rev 2540)
+++ core/trunk/exo.core.component.security.core/src/main/java/org/exoplatform/services/security/Identity.java 2010-06-10 12:48:48 UTC (rev 2541)
@@ -18,6 +18,8 @@
*/
package org.exoplatform.services.security;
+import org.exoplatform.commons.utils.secure.SecureCollections;
+
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
@@ -38,10 +40,6 @@
public class Identity
{
- private static final RuntimePermission SET_SUBJECT_PERMISSION = new RuntimePermission("setSubject");
-
- private static final RuntimePermission MODIFY_IDENTITY_PERMISSION = new RuntimePermission("modifyIdentity");
-
/**
* User's identifier.
*/
@@ -50,7 +48,7 @@
/**
* Memberships.
*/
- private Set<MembershipEntry> memberships;
+ private final Set<MembershipEntry> memberships;
/**
* javax.security.auth.Subject can be used for logout process. <code>
@@ -63,7 +61,7 @@
/**
* User's roles.
*/
- private Collection<String> roles;
+ private final Set<String> roles;
/**
* @param userId the iser's identifier.
@@ -90,8 +88,11 @@
public Identity(String userId, Collection<MembershipEntry> memberships, Collection<String> roles)
{
this.userId = userId;
- this.memberships = new SecureSet<MembershipEntry>(memberships);
- this.roles = new SecureSet<String>(roles);
+ this.memberships =
+ SecureCollections.secureSet(new HashSet<MembershipEntry>(memberships),
+ PermissionConstants.MODIFY_IDENTITY_PERMISSION);
+ this.roles =
+ SecureCollections.secureSet(new HashSet<String>(roles), PermissionConstants.MODIFY_IDENTITY_PERMISSION);;
}
/**
@@ -154,7 +155,8 @@
@Deprecated
public void setMemberships(Collection<MembershipEntry> memberships)
{
- this.memberships = new SecureSet<MembershipEntry>(memberships);
+ this.memberships.clear();
+ this.memberships.addAll(memberships);
}
/**
@@ -172,7 +174,8 @@
*/
public void setRoles(Collection<String> roles)
{
- this.roles = new SecureSet<String>(roles);
+ this.roles.clear();
+ this.roles.addAll(roles);
}
/**
@@ -199,7 +202,7 @@
SecurityManager security = System.getSecurityManager();
if (security != null)
{
- security.checkPermission(SET_SUBJECT_PERMISSION);
+ security.checkPermission(PermissionConstants.SET_SUBJECT_PERMISSION);
}
this.subject = subject;
}
@@ -214,151 +217,4 @@
{
return memberships.contains(checkMe);
}
-
- private static class SecureSet<T> implements Set<T>
- {
-
- final Set<T> set;
-
- SecureSet()
- {
- this.set = new HashSet<T>();
- }
-
- SecureSet(Collection<T> set)
- {
- this.set = new HashSet<T>(set);
- }
-
- public boolean add(T e)
- {
- checkPermission();
- return set.add(e);
- }
-
- public boolean addAll(Collection<? extends T> elements)
- {
- if (elements == null)
- {
- throw new NullPointerException();
- }
- checkPermission();
- set.addAll(elements);
- return elements.size() > 0;
- }
-
- public void clear()
- {
- checkPermission();
- set.clear();
- }
-
- public boolean contains(Object o)
- {
- return set.contains(o);
- }
-
- public boolean containsAll(Collection<?> coll)
- {
- return set.containsAll(coll);
- }
-
- @Override
- public boolean equals(Object o)
- {
- return o == this || set.equals(o);
- }
-
- @Override
- public int hashCode()
- {
- return set.hashCode();
- }
-
- public boolean isEmpty()
- {
- return set.isEmpty();
- }
-
- public Iterator<T> iterator()
- {
- return new Iterator<T>()
- {
- Iterator<? extends T> i = set.iterator();
-
- public boolean hasNext()
- {
- return i.hasNext();
- }
-
- public T next()
- {
- return i.next();
- }
-
- public void remove()
- {
- checkPermission();
- i.remove();
- }
- };
- }
-
- public boolean remove(Object o)
- {
- checkPermission();
- return set.remove(o);
- }
-
- public boolean removeAll(Collection<?> pds)
- {
- if (pds == null)
- {
- throw new NullPointerException();
- }
- checkPermission();
- return set.removeAll(pds);
- }
-
- public boolean retainAll(Collection<?> pds)
- {
- if (pds == null)
- {
- throw new NullPointerException();
- }
- checkPermission();
- return set.retainAll(pds);
- }
-
- public int size()
- {
- return set.size();
- }
-
- public Object[] toArray()
- {
- return set.toArray();
- }
-
- public <T> T[] toArray(T[] a)
- {
- return set.toArray(a);
- }
-
- @Override
- public String toString()
- {
- return set.toString();
- }
-
- protected void checkPermission()
- {
- SecurityManager security = System.getSecurityManager();
- if (security != null)
- {
- security.checkPermission(MODIFY_IDENTITY_PERMISSION);
- }
- }
- }
-
-}
+}
\ No newline at end of file
Added: core/trunk/exo.core.component.security.core/src/main/java/org/exoplatform/services/security/PermissionConstants.java
===================================================================
--- core/trunk/exo.core.component.security.core/src/main/java/org/exoplatform/services/security/PermissionConstants.java (rev 0)
+++ core/trunk/exo.core.component.security.core/src/main/java/org/exoplatform/services/security/PermissionConstants.java 2010-06-10 12:48:48 UTC (rev 2541)
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2010 eXo Platform SAS.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.exoplatform.services.security;
+
+/**
+ * @author <a href="mailto:nikolazius at gmail.com">Nikolay Zamosenchuk</a>
+ * @version $Id: PermissionConstants.java 34360 2009-07-22 23:58:59Z nzamosenchuk $
+ *
+ */
+public class PermissionConstants
+{
+
+ public static final RuntimePermission SET_SUBJECT_PERMISSION = new RuntimePermission("setSubject");
+
+ public static final RuntimePermission MODIFY_IDENTITY_PERMISSION = new RuntimePermission("modifyIdentity");
+
+}
Property changes on: core/trunk/exo.core.component.security.core/src/main/java/org/exoplatform/services/security/PermissionConstants.java
___________________________________________________________________
Name: svn:mime-type
+ text/plain
Added: core/trunk/exo.core.component.security.core/src/test/java/org/exoplatform/services/security/BaseSecurityTest.java
===================================================================
--- core/trunk/exo.core.component.security.core/src/test/java/org/exoplatform/services/security/BaseSecurityTest.java (rev 0)
+++ core/trunk/exo.core.component.security.core/src/test/java/org/exoplatform/services/security/BaseSecurityTest.java 2010-06-10 12:48:48 UTC (rev 2541)
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) 2010 eXo Platform SAS.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.exoplatform.services.security;
+
+import java.net.URL;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.AllPermission;
+import java.security.CodeSource;
+import java.security.Permission;
+import java.security.Permissions;
+import java.security.PrivilegedExceptionAction;
+import java.security.ProtectionDomain;
+
+import junit.framework.TestCase;
+
+/**
+ * @author <a href="mailto:nikolazius at gmail.com">Nikolay Zamosenchuk</a>
+ * @version $Id: BaseSecurityTest.java 34360 2009-07-22 23:58:59Z nzamosenchuk $
+ *
+ */
+public abstract class BaseSecurityTest extends TestCase
+{
+
+ public static final Permission SET_SUBJECT_PERMISSION = new RuntimePermission("setSubject");
+ public static final Permission MODIFY_IDENTITY_PERMISSION = new RuntimePermission("modifyIdentity");
+ public static final Permission ALL_PERMISSION = new AllPermission();
+
+ /**
+ *
+ */
+ public BaseSecurityTest()
+ {
+ super();
+ }
+
+ /**
+ * @param name
+ */
+ public BaseSecurityTest(String name)
+ {
+ super(name);
+ }
+
+ /**
+ * Run privileged action with given privileges.
+ */
+ public <T> T doActionWithPermissions(PrivilegedExceptionAction<T> action, Permission... permissions) throws Exception
+ {
+ Permissions allPermissions = new Permissions();
+ for (Permission permission : permissions)
+ {
+ if (permission != null)
+ {
+ allPermissions.add(permission);
+ }
+ }
+ ProtectionDomain[] protectionDomains =
+ new ProtectionDomain[]{new ProtectionDomain(new CodeSource(getCodeSource(),
+ (java.security.cert.Certificate[])null), allPermissions)};
+ return AccessController.doPrivileged(action, new AccessControlContext(protectionDomains));
+ }
+
+ protected URL getCodeSource()
+ {
+ return getClass().getProtectionDomain().getCodeSource().getLocation();
+ }
+
+}
\ No newline at end of file
Property changes on: core/trunk/exo.core.component.security.core/src/test/java/org/exoplatform/services/security/BaseSecurityTest.java
___________________________________________________________________
Name: svn:mime-type
+ text/plain
Added: core/trunk/exo.core.component.security.core/src/test/java/org/exoplatform/services/security/TestIdentityPermissions.java
===================================================================
--- core/trunk/exo.core.component.security.core/src/test/java/org/exoplatform/services/security/TestIdentityPermissions.java (rev 0)
+++ core/trunk/exo.core.component.security.core/src/test/java/org/exoplatform/services/security/TestIdentityPermissions.java 2010-06-10 12:48:48 UTC (rev 2541)
@@ -0,0 +1,286 @@
+/*
+ * Copyright (C) 2010 eXo Platform SAS.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.exoplatform.services.security;
+
+import java.security.PrivilegedExceptionAction;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashSet;
+
+import javax.security.auth.Subject;
+
+/**
+ * Test used to check whether SecurityManager related features are working properly.
+ *
+ * @author <a href="mailto:nikolazius at gmail.com">Nikolay Zamosenchuk</a>
+ * @version $Id: TestPermissions.java 34360 2009-07-22 23:58:59Z nzamosenchuk $
+ *
+ */
+public class TestIdentityPermissions extends BaseSecurityTest
+{
+
+ public void testSecurityManagerExists()
+ {
+ assertNotNull(System.getSecurityManager());
+ }
+
+ /**
+ * Check that modification is permitted if MODIFY_IDENTITY_PERMISSION given
+ */
+ public void testModifyRolesWithPermissions()
+ {
+ try
+ {
+ doActionWithPermissions(new PrivilegedExceptionAction<Object>()
+ {
+ public Object run() throws Exception
+ {
+ getIdentity().getRoles().clear();
+ return null;
+ }
+ }, MODIFY_IDENTITY_PERMISSION);
+ }
+ catch (Exception e)
+ {
+ fail("Modification should be successfull, since it is launched with required permissions.");
+ }
+ }
+
+ /**
+ * Check that setRoles is permitted if MODIFY_IDENTITY_PERMISSION given
+ */
+ public void testSetRolesWithPermissions()
+ {
+ try
+ {
+ doActionWithPermissions(new PrivilegedExceptionAction<Object>()
+ {
+ public Object run() throws Exception
+ {
+ getIdentity().setRoles(new HashSet<String>());
+ return null;
+ }
+ }, MODIFY_IDENTITY_PERMISSION);
+ }
+ catch (Exception e)
+ {
+ fail("Modification should be successfull, since it is launched with required permissions.");
+ }
+ }
+
+ /**
+ * Check that modification is denied if no permission given
+ */
+ public void testModifyRolesWithNoPermissions()
+ {
+ try
+ {
+ doActionWithPermissions(new PrivilegedExceptionAction<Object>()
+ {
+ public Object run() throws Exception
+ {
+ getIdentity().getRoles().clear();
+ return null;
+ }
+ });
+ fail("Modification should be denied");
+ }
+ catch (Exception e)
+ {
+ // it's ok
+ }
+ }
+
+ /**
+ * Check that setRoles is denied if no permission given
+ */
+ public void testSetWithRolesNoPermissions()
+ {
+ try
+ {
+ doActionWithPermissions(new PrivilegedExceptionAction<Object>()
+ {
+ public Object run() throws Exception
+ {
+ getIdentity().setRoles(new HashSet<String>());
+ return null;
+ }
+ });
+ fail("Modification should be denied");
+ }
+ catch (Exception e)
+ {
+ // it's ok
+ }
+ }
+
+ /**
+ * Check that modification is permitted if MODIFY_IDENTITY_PERMISSION given
+ */
+ public void testModifyMembershipsWithPermissions()
+ {
+ try
+ {
+ doActionWithPermissions(new PrivilegedExceptionAction<Object>()
+ {
+ public Object run() throws Exception
+ {
+ getIdentity().getMemberships().clear();
+ return null;
+ }
+ }, MODIFY_IDENTITY_PERMISSION);
+ }
+ catch (Exception e)
+ {
+ fail("Modification should be successfull, since it is launched with required permissions.");
+ }
+ }
+
+ /**
+ * Check that setMemberships is permitted if MODIFY_IDENTITY_PERMISSION given
+ */
+ public void testSetMembershipsWithPermissions()
+ {
+ try
+ {
+ doActionWithPermissions(new PrivilegedExceptionAction<Object>()
+ {
+ @SuppressWarnings("deprecation")
+ public Object run() throws Exception
+ {
+ getIdentity().setMemberships(new HashSet<MembershipEntry>());
+ return null;
+ }
+ }, MODIFY_IDENTITY_PERMISSION);
+ }
+ catch (Exception e)
+ {
+ fail("Modification should be successfull, since it is launched with required permissions.");
+ }
+ }
+
+ /**
+ * Check that modification is denied if no permission given
+ */
+ public void testModifyMembershipsWithNoPermissions()
+ {
+ try
+ {
+ doActionWithPermissions(new PrivilegedExceptionAction<Object>()
+ {
+ public Object run() throws Exception
+ {
+ getIdentity().getMemberships().clear();
+ return null;
+ }
+ });
+ fail("Modification should be denied");
+ }
+ catch (Exception e)
+ {
+ // it's ok
+ }
+ }
+
+ /**
+ * Check that setMemberships is denied if no permission given
+ */
+ public void testSetWithMembershipsNoPermissions()
+ {
+ try
+ {
+ doActionWithPermissions(new PrivilegedExceptionAction<Object>()
+ {
+ @SuppressWarnings("deprecation")
+ public Object run() throws Exception
+ {
+ getIdentity().setMemberships(new HashSet<MembershipEntry>());
+ return null;
+ }
+ });
+ fail("Modification should be denied");
+ }
+ catch (Exception e)
+ {
+ // it's ok
+ }
+ }
+
+ /**
+ * Check setSubject is permitted with "setSubject" permission
+ */
+ public void testSubjectWithSetSubjectPermissions()
+ {
+ try
+ {
+ doActionWithPermissions(new PrivilegedExceptionAction<Object>()
+ {
+ public Object run() throws Exception
+ {
+ getIdentity().setSubject(new Subject());
+ return null;
+ }
+ }, SET_SUBJECT_PERMISSION);
+ }
+ catch (Exception e)
+ {
+ fail("Modification should be successfull, since it is launched with required permissions.");
+ }
+ }
+
+ /**
+ * Check setSubject is denied without "setSubject" permission
+ */
+ public void testSubjectWithNoPermissions()
+ {
+ try
+ {
+ doActionWithPermissions(new PrivilegedExceptionAction<Object>()
+ {
+ public Object run() throws Exception
+ {
+ getIdentity().setSubject(new Subject());
+ return null;
+ }
+ });
+ fail("Modification should be denied");
+ }
+ catch (Exception e)
+ {
+ // ok
+ }
+ }
+
+ /**
+ * Creates dummy Identity for testing purposes
+ * @return
+ */
+ private Identity getIdentity()
+ {
+ Collection<MembershipEntry> memberships = null;
+
+ memberships = new ArrayList<MembershipEntry>();
+ memberships.add(new MembershipEntry("/group1", "*"));
+ memberships.add(new MembershipEntry("/group2", "member"));
+
+ final Identity identity = new Identity("user", memberships);
+ return identity;
+ }
+
+}
Property changes on: core/trunk/exo.core.component.security.core/src/test/java/org/exoplatform/services/security/TestIdentityPermissions.java
___________________________________________________________________
Name: svn:mime-type
+ text/plain
Added: core/trunk/exo.core.component.security.core/src/test/resources/test.policy
===================================================================
--- core/trunk/exo.core.component.security.core/src/test/resources/test.policy (rev 0)
+++ core/trunk/exo.core.component.security.core/src/test/resources/test.policy 2010-06-10 12:48:48 UTC (rev 2541)
@@ -0,0 +1,5 @@
+// configure static permissions here
+grant {
+ permission java.security.AllPermission;
+};
+
\ No newline at end of file
More information about the exo-jcr-commits
mailing list