[seam-commits] Seam SVN: r13389 - in modules/security/trunk: api/src/main/java/org/jboss/seam/security/management and 3 other directories.

Wed Jul 14 06:47:59 EDT 2010


Author: shane.bryzak at jboss.com
Date: 2010-07-14 06:47:59 -0400 (Wed, 14 Jul 2010)
New Revision: 13389

Modified:
   modules/security/trunk/api/src/main/java/org/jboss/seam/security/Identity.java
   modules/security/trunk/api/src/main/java/org/jboss/seam/security/management/IdentityManager.java
   modules/security/trunk/api/src/main/java/org/jboss/seam/security/permission/PermissionStore.java
   modules/security/trunk/impl/src/main/java/org/jboss/seam/security/management/IdentityManagerImpl.java
   modules/security/trunk/impl/src/main/java/org/jboss/seam/security/management/JpaIdentityStore.java
   modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/JpaPermissionStore.java
   modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/PermissionCheck.java
   modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/PermissionMapper.java
   modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/PersistentPermissionResolver.java
   modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/RuleBasedPermissionResolver.java
Log:
got rule-based permission resolving working


Modified: modules/security/trunk/api/src/main/java/org/jboss/seam/security/Identity.java
===================================================================
--- modules/security/trunk/api/src/main/java/org/jboss/seam/security/Identity.java	2010-07-14 10:46:56 UTC (rev 13388)
+++ modules/security/trunk/api/src/main/java/org/jboss/seam/security/Identity.java	2010-07-14 10:47:59 UTC (rev 13389)
@@ -141,16 +141,16 @@
    void checkRole(String role, String group, String groupType);
    
    /**
-    * Checks if the currently authenticated user can perform the specified action
-    * on the specified target object.
+    * Checks if the currently authenticated user has the specified permission 
+    * for the specified resource.
     * 
-    * @param target The target object for which the user wishes to perform a restricted action
-    * @param action The action that the user wishes to perform
+    * @param resource The resource for which the user wishes to perform a restricted action
+    * @param permission The name of the permission that the user requires to invoke the operation
     * @throws NotLoggedInException if the current user is not authenticated
     * @throws AuthorizationException if the current user does not have the necessary
-    * privileges to perform the specified action on the specified target object.   
+    * permission for the specified resource object.   
     */
-   void checkPermission(Object target, String action);
+   void checkPermission(Object resource, String permission);
    
    /**
     * Filters a collection of objects by a specified action, by removing the 
@@ -160,15 +160,13 @@
     * @param collection The Collection to filter
     * @param action The name of the action to filter by
     */
-   void filterByPermission(Collection<?> collection, String action);
+   void filterByPermission(Collection<?> collection, String permission);
    
    /**
-    * Checks if the currently authenticated user has the necessary privileges to perform the
-    * specified action on the specified target object.
+    * Checks if the currently authenticated user has the necessary permission for
+    * a specific resource.
     * 
-    * @param target  
-    * @param action
-    * @return true if the user has the required privileges, otherwise false
+    * @return true if the user has the required permission, otherwise false
     */
-   boolean hasPermission(Object target, String action);      
+   boolean hasPermission(Object resource, String permission);      
 }
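Review bot: The `@param action` tag above `filterByPermission` no longer matches the renamed parameter `permission`, and `hasPermission` has lost its `@param` tags entirely, so javadoc will warn on both and readers no longer get a description of the arguments. Change the tag to `@param permission The name of the permission to filter by`, and give `hasPermission` `@param resource The resource the permission is checked against` and `@param permission The name of the required permission`. The summary sentence of `filterByPermission`, at the end of the previous hunk, still says "by a specified action" and should be reworded to match the new terminology.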

Modified: modules/security/trunk/api/src/main/java/org/jboss/seam/security/management/IdentityManager.java
===================================================================
--- modules/security/trunk/api/src/main/java/org/jboss/seam/security/management/IdentityManager.java	2010-07-14 10:46:56 UTC (rev 13388)
+++ modules/security/trunk/api/src/main/java/org/jboss/seam/security/management/IdentityManager.java	2010-07-14 10:47:59 UTC (rev 13389)
@@ -80,7 +80,7 @@
     * @param value The value of the attribute
     * @return true if the attribute was successfully set
     */
-   boolean setUserAttribute(String username, String attribute, Object value);
+   void setUserAttribute(String username, String attribute, Object value);
    
    /**
     * Deletes the specified attribute value from the specified user
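Review bot: `setUserAttribute` now returns `void` but its javadoc still says `@return true if the attribute was successfully set`; the same stale `@return` remains on `deleteUserAttribute` in the next hunk. Callers have also lost the only failure signal this API had, and the IdentityManagerImpl change in this commit catches the store's `IdentityException` without propagating it, so at the interface a failed write is now indistinguishable from a successful one. Either keep the boolean, or drop the `@return` lines and document how failures surface, e.g. `@throws IllegalStateException if the attribute could not be stored`, once the implementation actually throws.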
@@ -89,7 +89,7 @@
     * @param attribute The name of the attribute to delete
     * @return true if the attribute was successfully deleted
     */
-   boolean deleteUserAttribute(String username, String attribute);
+   void deleteUserAttribute(String username, String attribute);
 
    /**
     * Creates a new role type

Modified: modules/security/trunk/api/src/main/java/org/jboss/seam/security/permission/PermissionStore.java
===================================================================
--- modules/security/trunk/api/src/main/java/org/jboss/seam/security/permission/PermissionStore.java	2010-07-14 10:46:56 UTC (rev 13388)
+++ modules/security/trunk/api/src/main/java/org/jboss/seam/security/permission/PermissionStore.java	2010-07-14 10:47:59 UTC (rev 13389)
@@ -19,4 +19,5 @@
    boolean revokePermissions(List<Permission> permissions);
    List<String> listAvailableActions(Object target);
    void clearPermissions(Object target);
+   boolean isEnabled();
 }
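Review bot: The new `isEnabled()` is added to the `PermissionStore` interface without javadoc, so implementors do not know what "enabled" must mean or what callers do with a false result. The one caller in this commit, `PersistentPermissionResolver`, treats false as "grant nothing from this store", so the contract should say so: `/** Returns true if this store is configured and able to answer permission queries; when false, resolvers grant nothing from it. */`. Adding an abstract method to a public interface also breaks every existing third-party implementation, which is worth stating in the log message.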

Modified: modules/security/trunk/impl/src/main/java/org/jboss/seam/security/management/IdentityManagerImpl.java
===================================================================
--- modules/security/trunk/impl/src/main/java/org/jboss/seam/security/management/IdentityManagerImpl.java	2010-07-14 10:46:56 UTC (rev 13388)
+++ modules/security/trunk/impl/src/main/java/org/jboss/seam/security/management/IdentityManagerImpl.java	2010-07-14 10:47:59 UTC (rev 13389)
@@ -26,7 +26,7 @@
 import org.slf4j.LoggerFactory;
 
 /**
- * Default IdentityManager implementation 
+ * Default IdentityManager implementation, backed by PicketLink IDM 
  * 
  * @author Shane Bryzak
  */
@@ -35,9 +35,7 @@
 {
    private static final long serialVersionUID = 6864253169970552893L;
    
-   public static final String USER_PERMISSION_NAME = "seam.user";
-   public static final String ROLE_PERMISSION_NAME = "seam.role";
-   public static final String GROUP_PERMISSION_NAME = "seam.group";
+   public static final String RESOURCE_IDENTITY = "seam.identity";
    
    public static final String PERMISSION_CREATE = "create";
    public static final String PERMISSION_READ = "read";
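Review bot: Removing the public constants `USER_PERMISSION_NAME`, `ROLE_PERMISSION_NAME` and `GROUP_PERMISSION_NAME` is a source- and binary-incompatible API change, and any persisted permission or rule that names `seam.user`, `seam.role` or `seam.group` as its resource silently stops matching. The replacement also collapses three resources into one, so a principal granted `create` on `seam.identity` can now create users, role types and groups alike (see the later hunks for `createRoleType` and `createGroup`), which is coarser than before. If that is intended, say so on the constant, e.g. `/** Resource name used by every identity-management permission check (users, role types and groups). */`, and mention the migration in the log; otherwise keep one resource per identity type.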
@@ -53,7 +51,7 @@
    
    public boolean createUser(String name, Credential credential)
    {
-      identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_CREATE);
+      identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_CREATE);
       try
       {
          User user = identitySession.getPersistenceManager().createUser(name);
@@ -68,7 +66,7 @@
    
    public boolean deleteUser(String name)
    {
-      identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_DELETE);
+      identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_DELETE);
       
       try
       {
@@ -83,21 +81,21 @@
    
    public boolean enableUser(String name)
    {
-      identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
+      identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_UPDATE);
       //return identityStore.enableUser(name);
       return false;
    }
    
    public boolean disableUser(String name)
    {
-      identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
+      identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_UPDATE);
       //return identityStore.disableUser(name);
       return false;
    }
    
    public boolean updateCredential(String name, Credential credential)
    {
-      identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
+      identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_UPDATE);
       
       try
       {
@@ -112,49 +110,63 @@
    
    public boolean isUserEnabled(String name)
    {
-      identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_READ);
+      identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_READ);
       //return identityStore.isUserEnabled(name);
       return false;
    }
    
-   public boolean setUserAttribute(String username, String attribute, Object value)
+   public void setUserAttribute(String username, String attribute, Object value)
    {
-      identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
-      //return identityStore.setUserAttribute(username, attribute, value);
-      return false;
+      identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_UPDATE);
+      try
+      {
+         identitySession.getAttributesManager().addAttribute(username, attribute, value);
+      }
+      catch (IdentityException e)
+      {
+         // TODO Auto-generated catch block
+         e.printStackTrace();
+      }
    }
    
-   public boolean deleteUserAttribute(String username, String attribute)
+   public void deleteUserAttribute(String username, String attribute)
    {
-      identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
-      //return identityStore.deleteUserAttribute(username, attribute);
-      return false;
+      identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_UPDATE);      
+      try
+      {
+         identitySession.getAttributesManager().removeAttributes(username, new String[] {attribute});
+      }
+      catch (IdentityException e)
+      {
+         // TODO Auto-generated catch block
+         e.printStackTrace();
+      }
    }
    
    public boolean grantRole(String name, String role, String groupName, String groupType)
    {
-      identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
+      identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_UPDATE);
       //return roleIdentityStore.grantRole(name, role, groupName, groupType);
       return false;
    }
    
    public boolean revokeRole(String name, String role, String groupName, String groupType)
    {
-      identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
+      identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_UPDATE);
       //return roleIdentityStore.revokeRole(name, role, groupName, groupType);
       return false;
    }   
 
    public boolean associateUser(String groupName, String groupType, String username)
    {
-      identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
+      identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_UPDATE);
       //return identityStore.associateUser(groupName, groupType, username);
       return false;
    }
    
    public boolean disassociateUser(String groupName, String groupType, String username)
    {
-      identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
+      identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_UPDATE);
       //return identityStore.disassociateUser(groupName, groupType, username);
       return false;
    }
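Review bot: The new `catch (IdentityException e)` blocks in `setUserAttribute` and `deleteUserAttribute` only call `e.printStackTrace()`, so a failed attribute write is swallowed: the methods are now `void`, the trace goes to stderr instead of the slf4j logger this file imports, and the caller proceeds as if the change had been stored. The authorization check has already passed at that point, so a silently failed update is the worse of the two outcomes; rethrow with the cause, e.g. `throw new IllegalStateException("Could not set attribute " + attribute + " for user " + username, e);` (and the equivalent for the remove case), keeping `value` out of the message in case it is sensitive. It is also worth confirming against the PicketLink AttributesManager contract whether `addAttribute` replaces or appends to an existing value, since this method is documented as "set".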
@@ -171,35 +183,35 @@
    
    public boolean createRoleType(String roleType)
    {
-      identity.checkPermission(ROLE_PERMISSION_NAME, PERMISSION_CREATE);
+      identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_CREATE);
       //return roleIdentityStore.createRoleType(roleType);
       return false;
    }
    
    public boolean deleteRoleType(String roleType)
    {
-      identity.checkPermission(ROLE_PERMISSION_NAME, PERMISSION_DELETE);
+      identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_DELETE);
       //return roleIdentityStore.deleteRoleType(roleType);
       return false;
    }
    
    public boolean createGroup(String groupName, String groupType)
    {
-      identity.checkPermission(GROUP_PERMISSION_NAME, PERMISSION_CREATE);
+      identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_CREATE);
       //return groupIdentityStore.createGroup(groupName, groupType);
       return false;
    }
    
    public boolean deleteGroup(String groupName, String groupType)
    {
-      identity.checkPermission(GROUP_PERMISSION_NAME, PERMISSION_DELETE);
+      identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_DELETE);
       //return groupIdentityStore.deleteGroup(groupName, groupType);
       return false;
    }
       
    public boolean userExists(String name)
    {
-      identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_READ);
+      identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_READ);
       //return identityStore.userExists(name);
       return false;
    }
@@ -212,7 +224,7 @@
       
    public List<String> findUsers(String filter)
    {
-      identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_READ);
+      identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_READ);
       UserQueryBuilder builder = identitySession.createUserQueryBuilder();
       UserQuery userQuery = builder.createQuery();
       
@@ -237,7 +249,7 @@
    
    public List<String> listRoleTypes()
    {
-      identity.checkPermission(ROLE_PERMISSION_NAME, PERMISSION_READ);
+     // identity.checkPermission(ROLE_PERMISSION_NAME, PERMISSION_READ);
       //List<String> roles = roleIdentityStore.listRoleTypes();
       
       return null;
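Review bot: The `identity.checkPermission(...)` line in `listRoleTypes` has been commented out instead of being migrated to the new constant, so the method no longer performs any authorization check; `listRoleMembers` in the following hunk has the same change. Every other method in this commit was rewritten to `identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_READ);`, and these two should be as well, even though their bodies currently return null — an unguarded entry point is exactly what remains once the TODO is implemented.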
@@ -276,7 +288,7 @@
    
    public List<IdentityType> listRoleMembers(String roleType, String groupName, String groupType)
    {
-      identity.checkPermission(ROLE_PERMISSION_NAME, PERMISSION_READ);
+      //identity.checkPermission(ROLE_PERMISSION_NAME, PERMISSION_READ);
       //return roleIdentityStore.listRoleMembers(roleType, groupName, groupType);
       return null;
    }

Modified: modules/security/trunk/impl/src/main/java/org/jboss/seam/security/management/JpaIdentityStore.java
===================================================================
--- modules/security/trunk/impl/src/main/java/org/jboss/seam/security/management/JpaIdentityStore.java	2010-07-14 10:46:56 UTC (rev 13388)
+++ modules/security/trunk/impl/src/main/java/org/jboss/seam/security/management/JpaIdentityStore.java	2010-07-14 10:47:59 UTC (rev 13389)
@@ -1132,7 +1132,7 @@
       CriteriaBuilder builder = em.getCriteriaBuilder();
       CriteriaQuery<?> criteria = builder.createQuery(identityClass);
       
-      //Root<?> root = criteria.from(identityClass);
+      Root<?> root = criteria.from(identityClass);
 
       Property<?> identityNameProp = modelProperties.get(PROPERTY_IDENTITY_NAME);
       
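Review bot: `root` is re-enabled here but nothing in the hunk uses it, and the criteria query is still built without any restriction on `identityNameProp`; the rest of the method is outside the hunk, so this may well be completed further down. If it is not, `criteria.from(identityClass)` with no `where` clause selects every row of `identityClass`, which would make an identity lookup return the whole table. Worth verifying that a predicate on the identity name is added before the query is executed.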

Modified: modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/JpaPermissionStore.java
===================================================================
--- modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/JpaPermissionStore.java	2010-07-14 10:46:56 UTC (rev 13388)
+++ modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/JpaPermissionStore.java	2010-07-14 10:47:59 UTC (rev 13389)
@@ -62,6 +62,7 @@
       }      
    }
 
+   private boolean enabled;
    
    private Class<?> identityPermissionClass;
       
@@ -90,6 +91,7 @@
       if (identityPermissionClass == null)
       {
          log.debug("No identityPermissionClass set, JpaPermissionStore will be unavailable.");
+         enabled = false;
          return;
       }
       
@@ -152,6 +154,8 @@
             identityPermissionClass.getName() + 
             " - required annotation @PermissionProperty(PERMISSION) not found on any field or method.");
       }
+      
+      enabled = true;
    }
    
    /**
@@ -540,4 +544,9 @@
             .setParameter("resource", identifier)
             .executeUpdate();      
    }
+
+   public boolean isEnabled()
+   {
+      return enabled;
+   }
 }
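Review bot: `isEnabled()` is added without javadoc, and since the `enabled` field only becomes true at the very end of initialization (after the `@PermissionProperty` validation in the previous hunk) it is worth stating that contract so nobody later moves the assignment earlier. Suggested: `/** True only once initialization completed successfully; false if identityPermissionClass is unset or validation failed. */`. Because the field defaults to false and any exception thrown during initialization leaves it false, the store fails closed, which is the right default.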

Modified: modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/PermissionCheck.java
===================================================================
--- modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/PermissionCheck.java	2010-07-14 10:46:56 UTC (rev 13388)
+++ modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/PermissionCheck.java	2010-07-14 10:47:59 UTC (rev 13389)
@@ -4,7 +4,7 @@
 import java.util.Set;
 
 /**
- * Used to assert permission requirements into a WorkingMemory when evaluating
+ * Used to assert permission check requirements into a StatefulSession when evaluating
  * a @Restrict expression.  The consequence of the rule is responsible for
  * granting the permission.
  *

Modified: modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/PermissionMapper.java
===================================================================
--- modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/PermissionMapper.java	2010-07-14 10:46:56 UTC (rev 13388)
+++ modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/PermissionMapper.java	2010-07-14 10:47:59 UTC (rev 13389)
@@ -11,6 +11,7 @@
 
 import javax.enterprise.context.ApplicationScoped;
 import javax.enterprise.context.SessionScoped;
+import javax.enterprise.context.spi.CreationalContext;
 import javax.inject.Inject;
 import javax.enterprise.inject.Produces;
 import javax.enterprise.inject.spi.Bean;
@@ -37,11 +38,11 @@
    {
       defaultResolverChain = new ArrayList<PermissionResolver>();
       
-      Set<Bean<?>> beans = manager.getBeans(PermissionResolver.class);
-      for (Bean<?> resolverBean :  beans)
-      {
-         defaultResolverChain.add((PermissionResolver) manager.getReference(
-               resolverBean, PermissionResolver.class, manager.createCreationalContext(resolverBean)));
+      Set<Bean<?>> beans = (Set<Bean<?>>) manager.getBeans(PermissionResolver.class);
+      for (Bean<?> resolverBean : beans)
+      {         
+         CreationalContext<PermissionResolver> ctx = manager.createCreationalContext((Bean<PermissionResolver>) resolverBean);
+         defaultResolverChain.add(((Bean<PermissionResolver>) resolverBean).create(ctx));
       }     
    }
    
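Review bot: Replacing `manager.getReference(...)` with `((Bean<PermissionResolver>) resolverBean).create(ctx)` bypasses the CDI context: `Bean.create` instantiates a new, unmanaged object rather than handing back the contextual reference, so for normal-scoped resolvers (this file imports `SessionScoped` and `ApplicationScoped`) the instance in the chain is not the one the container manages, interceptors and decorators are not applied, and `destroy` is never called for it. If `getReference` was dropped because its proxy was not usable here, that reason belongs in the log; otherwise `getReference` is the API for this. The `(Set<Bean<?>>)` cast is also a no-op since `getBeans` already returns `Set<Bean<?>>`, and the `Bean<PermissionResolver>` casts are unchecked with no `@SuppressWarnings` in sight. The enclosing method starts outside the hunk.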

Modified: modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/PersistentPermissionResolver.java
===================================================================
--- modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/PersistentPermissionResolver.java	2010-07-14 10:46:56 UTC (rev 13388)
+++ modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/PersistentPermissionResolver.java	2010-07-14 10:47:59 UTC (rev 13389)
@@ -42,6 +42,8 @@
             
       if (!identity.isLoggedIn()) return false;
       
+      if (!permissionStore.isEnabled()) return false;
+      
       List<Permission> permissions = permissionStore.listPermissions(target, action);
       
       String username = identity.getPrincipal().getName();
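Review bot: The new `if (!permissionStore.isEnabled()) return false;` fails closed, which is right, but it does so silently: a misconfigured store (no `identityPermissionClass`, per the JpaPermissionStore change) now shows up as every persistent permission check being denied with nothing in this resolver to explain why. A debug-level log line at that return, stating that the persistent permission store is disabled, would save operators time when diagnosing unexpected denials. The enclosing method starts outside the hunk.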

Modified: modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/RuleBasedPermissionResolver.java
===================================================================
--- modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/RuleBasedPermissionResolver.java	2010-07-14 10:46:56 UTC (rev 13388)
+++ modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/RuleBasedPermissionResolver.java	2010-07-14 10:47:59 UTC (rev 13389)
@@ -48,7 +48,7 @@
    @Inject Identity identity;
    
    @Inject
-   protected void initSecurityContext()
+   public void init()
    {
       if (getSecurityRules() != null)
       {
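Review bot: Widening `initSecurityContext` from `protected` to `public` (and renaming it `init`) makes the `@Inject` initializer part of the bean's public API, so any caller can re-run initialization and replace the security context at will; the only in-class caller, `unAuthenticate` in a later hunk, would work with `protected` exactly as before. Unless a CDI proxy or an external caller genuinely needs public access, keep it `protected void init()`. The method body continues outside the hunk.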
@@ -84,7 +84,7 @@
          {
             // TODO fix
             String componentName = null; // manager. Seam.getComponentName((Class) target);
-            resource = componentName != null ? componentName : ((Class) resource).getName();
+            resource = componentName != null ? componentName : ((Class<?>) resource).getName();
          }
          
          check = new PermissionCheck(resource, permission);
@@ -111,7 +111,7 @@
    
    public void filterSetByAction(Set<Object> targets, String action)
    {
-      Iterator iter = targets.iterator();
+      Iterator<?> iter = targets.iterator();
       while (iter.hasNext())
       {
          Object target = iter.next();
@@ -131,15 +131,15 @@
       
       synchronized( securityContext )
       {
-         if (!(target instanceof String) && !(target instanceof Class))
+         if (!(target instanceof String) && !(target instanceof Class<?>))
          {
             handles.add( securityContext.insert(target) );
          }
-         else if (target instanceof Class)
+         else if (target instanceof Class<?>)
          {
             // TODO fix
             String componentName = null; //Seam.getComponentName((Class) target);
-            target = componentName != null ? componentName : ((Class) target).getName();
+            target = componentName != null ? componentName : ((Class<?>) target).getName();
          }
          
          try
@@ -180,7 +180,6 @@
       return roleCheck.isGranted();
    }
    
-   @SuppressWarnings("unchecked")
    public void unAuthenticate(@Observes PostLoggedOutEvent event)
    {
       if (getSecurityContext() != null)
@@ -188,7 +187,7 @@
          getSecurityContext().dispose();
          setSecurityContext(null);
       }
-      initSecurityContext();
+      init();
    }
    
    /**
@@ -204,7 +203,7 @@
          {
             if ( IdentityImpl.ROLES_GROUP.equals( sg.getName() ) )
             {
-               Enumeration e = sg.members();
+               Enumeration<?> e = sg.members();
                while (e.hasMoreElements())
                {
                   Principal role = (Principal) e.nextElement();


