Author: sohil.shah(a)jboss.com
Date: 2010-01-19 17:52:20 -0500 (Tue, 19 Jan 2010)
New Revision: 1105
Added:
authz/trunk/portal-profile/src/test/java/org/jboss/security/authz/portal/provisioning/
authz/trunk/portal-profile/src/test/java/org/jboss/security/authz/portal/provisioning/TestPortalObjectPolicyConfig.java
authz/trunk/portal-profile/src/test/resources/portal-policy.xml.backup
Modified:
authz/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/PolicyServer.java
authz/trunk/policy-server/src/main/resources/META-INF/authz-config.xml
authz/trunk/portal-profile/src/main/java/org/jboss/security/authz/portal/component/resource/PortletResource.java
authz/trunk/portal-profile/src/main/java/org/jboss/security/authz/portal/configuration/PortalObjectPolicyConfig.java
authz/trunk/portal-profile/src/test/resources/portal-policy.xml
Log:
portal-profile
* first working pass at application-level security
Modified:
authz/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/PolicyServer.java
===================================================================
---
authz/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/PolicyServer.java 2010-01-19
18:39:36 UTC (rev 1104)
+++
authz/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/PolicyServer.java 2010-01-19
22:52:20 UTC (rev 1105)
@@ -344,14 +344,15 @@
throw new IllegalArgumentException("Invalid Policy Structure. A Policy without
any Resource Matching Rules is not Supported!!");
}
+ Policy policy = null;
for(AttributeExpression resourceMatch: policyTarget.getResourceMatches())
{
try
{
- Policy policy = this.findByResource(resourceMatch.getAttribute());
- if(policy != null)
+ policy = this.findByResource(resourceMatch.getAttribute());
+ if(policy == null)
{
- return policy;
+ return null;
}
}
catch(Throwable t)
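Review bot: With several resource matches the loop now keeps only the policy resolved for the last one: each iteration overwrites `policy`, and nothing checks that the earlier matches resolved to the same policy before it is returned. If the intended rule is "every resource match must map to one policy", compare each result with the previous one (`equals` or identity, whichever the Policy model supports) and return null on disagreement, or document that only the last match's policy is returned. The semantics also flipped from first-match to all-must-match without a word; a comment above the loop such as `// every resource match must resolve, otherwise the target is unmatched` would make that visible. The enclosing method starts before this hunk, so I cannot see its contract.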
@@ -359,6 +360,6 @@
continue;
}
}
- return null;
+ return policy;
}
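Review bot: A `findByResource` call that throws leaves `policy` holding the value from the previous iteration (or null on the first), and the `continue` in the catch bypasses the new null check, so the final `return policy` can hand back a policy resolved for an earlier resource match although the failing match was never verified. An authorization lookup should fail closed: treat a failed lookup like a missing policy, e.g. replace `continue;` with `policy = null; break;` (or `return null;`). Consider also narrowing `catch(Throwable t)` so that `Error`s are not swallowed as "no match". The enclosing method starts outside this hunk, so whether the caller distinguishes null from an exception is not visible here.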
}
Modified: authz/trunk/policy-server/src/main/resources/META-INF/authz-config.xml
===================================================================
--- authz/trunk/policy-server/src/main/resources/META-INF/authz-config.xml 2010-01-19
18:39:36 UTC (rev 1104)
+++ authz/trunk/policy-server/src/main/resources/META-INF/authz-config.xml 2010-01-19
22:52:20 UTC (rev 1105)
@@ -22,7 +22,7 @@
</bean>
<bean name="/policy-server/PolicyDecisionPoint"
class="org.jboss.security.authz.policy.server.decision.PolicyDecisionPoint">
- <property name="debug">false</property>
+ <property name="debug">true</property>
</bean>
<bean name="/policy-server/PolicyStore"
class="org.jboss.security.authz.policy.server.provisioning.RelationalDBPolicyStore">
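Review bot: `debug` is flipped to `true` in `src/main/resources/META-INF/authz-config.xml`, which is the configuration packaged with the policy server rather than a test resource, so every deployment built from this revision runs the PolicyDecisionPoint in debug mode. What the PDP emits in that mode is not visible here, but for a decision point it is plausibly evaluation traces and subject attributes, which would then land in production logs. Keep the committed value `<property name="debug">false</property>` and enable it locally or through a test-scoped override.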
Modified:
authz/trunk/portal-profile/src/main/java/org/jboss/security/authz/portal/component/resource/PortletResource.java
===================================================================
---
authz/trunk/portal-profile/src/main/java/org/jboss/security/authz/portal/component/resource/PortletResource.java 2010-01-19
18:39:36 UTC (rev 1104)
+++
authz/trunk/portal-profile/src/main/java/org/jboss/security/authz/portal/component/resource/PortletResource.java 2010-01-19
22:52:20 UTC (rev 1105)
@@ -34,7 +34,7 @@
* @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
*/
@Component(
- name="portlet-uri",
+ name="portlet-resource",
type=ComponentType.TARGET,
category=ComponentCategory.RESOURCE
)
Modified:
authz/trunk/portal-profile/src/main/java/org/jboss/security/authz/portal/configuration/PortalObjectPolicyConfig.java
===================================================================
---
authz/trunk/portal-profile/src/main/java/org/jboss/security/authz/portal/configuration/PortalObjectPolicyConfig.java 2010-01-19
18:39:36 UTC (rev 1104)
+++
authz/trunk/portal-profile/src/main/java/org/jboss/security/authz/portal/configuration/PortalObjectPolicyConfig.java 2010-01-19
22:52:20 UTC (rev 1105)
@@ -21,11 +21,38 @@
*/
package org.jboss.security.authz.portal.configuration;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
import java.util.Set;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+
+import org.apache.log4j.Logger;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.NodeList;
+
+import org.jboss.security.authz.agent.services.CompositionContext;
+import org.jboss.security.authz.agent.services.PolicyComposer;
+import org.jboss.security.authz.components.action.Operation;
+import org.jboss.security.authz.components.subject.Roles;
+import org.jboss.security.authz.model.Effect;
import org.jboss.security.authz.model.PolicyMetaData;
import org.jboss.security.authz.policy.server.spi.PolicyConfig;
+import org.jboss.security.authz.portal.component.resource.PortletResource;
+import org.jboss.security.authz.portal.component.action.ViewMode;
+import org.jboss.security.authz.portal.component.action.AdminMode;
+import org.jboss.security.authz.portal.component.action.EditMode;
+import org.jboss.security.authz.portal.component.action.HelpMode;
+
/**
* Used to configure Security Policies for a Portal Object Tree using Easy Domain
specific XML
*
@@ -33,6 +60,20 @@
*/
public class PortalObjectPolicyConfig implements PolicyConfig
{
+ private static Logger log = Logger.getLogger(PortalObjectPolicyConfig.class);
+
+ private PolicyComposer policyComposer;
+
+ public PolicyComposer getPolicyComposer()
+ {
+ return policyComposer;
+ }
+
+ public void setPolicyComposer(PolicyComposer policyComposer)
+ {
+ this.policyComposer = policyComposer;
+ }
+
public PortalObjectPolicyConfig()
{
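Review bot: `policyComposer` is injected through a setter, but `configure()` further down calls `this.policyComposer.compose(context)` without checking that it was ever set, so a misconfigured bean fails with a bare NullPointerException wrapped in a RuntimeException. Guard the use site (or the setter) with a clear message, e.g. `if (this.policyComposer == null) throw new IllegalStateException("PortalObjectPolicyConfig requires a PolicyComposer");`. A short Javadoc on the setter stating that it must be called before `configure()` would also help.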
@@ -40,7 +81,193 @@
//-----PolicyConfig
Implementation--------------------------------------------------------------------------------------------------------------------------
public Set<PolicyMetaData> configure(String easyDomainXml)
{
- return null;
+ InputStream xmlStream = null;
+ try
+ {
+ Set<PolicyMetaData> policies = new HashSet<PolicyMetaData>();
+
+ xmlStream = new ByteArrayInputStream(easyDomainXml.getBytes());
+ DocumentBuilder builder = DocumentBuilderFactory.newInstance()
+ .newDocumentBuilder();
+ Document document = builder.parse(xmlStream);
+
+ NodeList securityConstraints = document
+ .getElementsByTagName("security-constraint");
+ for (int i = 0, length = securityConstraints.getLength(); i < length; i++)
+ {
+ Element securityConstraint = (Element) securityConstraints.item(i);
+
+ // Parse out information related to access control based on user roles
+ NodeList roleNodes = securityConstraint.getElementsByTagName("roles");
+ Roles allowRoles = new Roles();
+ Roles denyRoles = new Roles();
+ if (roleNodes != null)
+ {
+ for (int j = 0; j < roleNodes.getLength(); j++)
+ {
+ boolean allow = true;
+ Element roles = (Element) roleNodes.item(j);
+
+ allow = Boolean.parseBoolean(roles.getAttribute("allow").trim());
+
+ NodeList roleNames = roles.getElementsByTagName("role-name");
+ if (roleNames != null)
+ {
+ for (int k = 0; k < roleNames.getLength(); k++)
+ {
+ Element roleName = (Element) roleNames.item(k);
+ String role = roleName.getTextContent().trim();
+
+ if (allow)
+ {
+ allowRoles.addName(role);
+ }
+ else
+ {
+ denyRoles.addName(role);
+ }
+ }
+ }
+ }
+ }
+
+
+ // Parse out the resources and actions upon which the Policies must be
+ // created
+ Element portletResourceCollection = (Element) securityConstraint
+ .getElementsByTagName("portlet-resource-collection").item(0);
+ NodeList resources = portletResourceCollection
+ .getElementsByTagName("portlet-resource");
+ if (resources != null)
+ {
+ for (int j = 0; j < resources.getLength(); j++)
+ {
+ // SetUp the Portlet Resource
+ PortletResource policyResource = new PortletResource();
+ Element portletResource = (Element) resources.item(j);
+ Element portletName = (Element) portletResource.getElementsByTagName(
+ "portlet-name").item(0);
+
+ policyResource.setUri(new URI(portletName.getTextContent().trim()));
+ this.parseParameters(policyResource, portletResource);
+
+ // Setup the Action Targets to be secured on this resource
+ List<Operation> secureModes = this
+ .parseSecureModes(portletResource);
+
+ if (secureModes != null && !secureModes.isEmpty())
+ {
+ // SetUp Policy Composition Context
+ CompositionContext context = new CompositionContext();
+ context.setPolicyTarget(policyResource);
+ for (Operation secureMode : secureModes)
+ {
+ if (!allowRoles.isEmpty())
+ {
+ context.addPolicyRule(Effect.PERMIT, secureMode,
+ allowRoles, "allowExpression");
+ }
+
+ if (!denyRoles.isEmpty())
+ {
+ context.addPolicyRule(Effect.DENY, secureMode, denyRoles,
+ "denyExpression");
+ }
+ }
+
+ // Generate the Policy
+ PolicyMetaData policyMetaData = this.policyComposer
+ .compose(context);
+ policies.add(policyMetaData);
+ }
+ }
+ }
+ }
+
+ return policies;
+ }
+ catch (Exception e)
+ {
+ log.error(this, e);
+ throw new RuntimeException(e);
+ }
+ finally
+ {
+ try
+ {
+ if (xmlStream != null)
+ {
+ xmlStream.close();
+ }
+ }
+ catch (IOException ioe)
+ {
+ log.warn(this, ioe);
+ }
+ }
}
- //---------------------------------------------------------------------------------------------------------------------------------------------------------
+ //---------------------------------------------------------------------------------------------------------------------------------------------------------------
+ private void parseParameters(PortletResource policyResource, Element
portletResourceElem)
+ throws Exception
+ {
+ // Process Parameters
+ Element parameters = (Element) portletResourceElem.getElementsByTagName(
+ "request-parameters").item(0);
+ if (parameters != null)
+ {
+ NodeList params = parameters.getElementsByTagName("parameter");
+ if (params != null)
+ {
+ for (int i = 0, length = params.getLength(); i < length; i++)
+ {
+ Element parameter = (Element) params.item(i);
+
+ String name = parameter.getAttribute("name").trim();
+ String value = parameter.getTextContent().trim();
+
+ policyResource.addParameter(name, value);
+ }
+ }
+ }
+ }
+
+ private List<Operation> parseSecureModes(Element portletResource)
+ throws Exception
+ {
+ List<Operation> secureModes = new ArrayList<Operation>();
+
+ NodeList modes = portletResource.getElementsByTagName("mode");
+ if (modes != null && modes.getLength()>0)
+ {
+ for (int i = 0; i < modes.getLength(); i++)
+ {
+ Element modeElem = (Element) modes.item(i);
+
+ String mode = modeElem.getTextContent();
+
+ if (mode.equalsIgnoreCase("view"))
+ {
+ secureModes.add(new ViewMode());
+ }
+ else if (mode.equalsIgnoreCase("edit"))
+ {
+ secureModes.add(new EditMode());
+ }
+ else if (mode.equalsIgnoreCase("admin"))
+ {
+ secureModes.add(new AdminMode());
+ }
+ else if (mode.equalsIgnoreCase("help"))
+ {
+ secureModes.add(new HelpMode());
+ }
+ }
+ }
+ else
+ {
+ secureModes.add(new ViewMode());
+ }
+
+ return secureModes;
+ }
}
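Review bot: `parseSecureModes` silently drops any `<mode>` it does not recognise, and `configure()` then skips policy generation for that resource when the list comes back empty (`secureModes.isEmpty()`), so a typo or stray whitespace in a mode name — `modeElem.getTextContent()` is the one text read here that is not `trim()`med — leaves the portlet unprotected instead of failing the deployment. Add a final `else { throw new IllegalArgumentException("Unsupported portlet mode: " + mode); }` and trim the text like the other parsers do. The policy XML is also parsed with a default `DocumentBuilderFactory`; even for configuration, disable DTD processing with `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` so a crafted policy file cannot pull in external entities. Finally, `easyDomainXml.getBytes()` uses the platform charset and ignores the document's encoding declaration; parsing through `new InputSource(new StringReader(easyDomainXml))` avoids that and the manual stream close.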
Added:
authz/trunk/portal-profile/src/test/java/org/jboss/security/authz/portal/provisioning/TestPortalObjectPolicyConfig.java
===================================================================
---
authz/trunk/portal-profile/src/test/java/org/jboss/security/authz/portal/provisioning/TestPortalObjectPolicyConfig.java
(rev 0)
+++
authz/trunk/portal-profile/src/test/java/org/jboss/security/authz/portal/provisioning/TestPortalObjectPolicyConfig.java 2010-01-19
22:52:20 UTC (rev 1105)
@@ -0,0 +1,194 @@
+/******************************************************************************
+ * JBoss, a division of Red Hat *
+ * Copyright 2006, Red Hat Middleware, LLC, and individual *
+ * contributors as indicated by the @authors tag. See the *
+ * copyright.txt in the distribution for a full listing of *
+ * individual contributors. *
+ * *
+ * This is free software; you can redistribute it and/or modify it *
+ * under the terms of the GNU Lesser General Public License as *
+ * published by the Free Software Foundation; either version 2.1 of *
+ * the License, or (at your option) any later version. *
+ * *
+ * This software is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
+ * Lesser General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU Lesser General Public *
+ * License along with this software; if not, write to the Free *
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA *
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org. *
+ ******************************************************************************/
+package org.jboss.security.authz.portal.provisioning;
+
+import java.util.Set;
+import java.io.InputStream;
+import java.net.URI;
+
+import junit.framework.TestCase;
+
+import org.apache.log4j.Logger;
+
+import org.jboss.security.authz.bootstrap.ServiceContainer;
+import org.jboss.security.authz.agent.enforcement.EnforcementContext;
+import org.jboss.security.authz.agent.enforcement.EnforcementResponse;
+import org.jboss.security.authz.agent.enforcement.PolicyEnforcementPoint;
+import org.jboss.security.authz.agent.provisioning.PolicyProvisioner;
+import org.jboss.security.authz.agent.services.PolicyComposer;
+
+import org.jboss.security.authz.components.subject.Roles;
+import org.jboss.security.authz.model.Policy;
+import org.jboss.security.authz.model.PolicyMetaData;
+
+import org.jboss.security.authz.tools.GeneralTool;
+import org.jboss.security.authz.policy.server.spi.PolicyConfig;
+
+import org.jboss.security.authz.portal.component.resource.PortletResource;
+import org.jboss.security.authz.portal.component.action.ViewMode;
+import org.jboss.security.authz.portal.configuration.PortalObjectPolicyConfig;
+
+/**
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ *
+ */
+public class TestPortalObjectPolicyConfig extends TestCase
+{
+ private static Logger log = Logger
+ .getLogger(TestPortalObjectPolicyConfig.class);
+
+ private PolicyComposer policyComposer;
+ private PolicyEnforcementPoint enforcer;
+ private PolicyProvisioner provisioner;
+
+ public void setUp() throws Exception
+ {
+ ServiceContainer.bootstrap();
+
+ this.policyComposer = (PolicyComposer) ServiceContainer
+ .lookup("/agent/PolicyComposer");
+ this.enforcer = (PolicyEnforcementPoint) ServiceContainer
+ .lookup("/agent/LocalEnforcementPoint");
+ this.provisioner = (PolicyProvisioner) ServiceContainer
+ .lookup("/agent/LocalPolicyProvisioner");
+
+ PolicyConfig config = new PortalObjectPolicyConfig();
+ ((PortalObjectPolicyConfig) config).setPolicyComposer(this.policyComposer);
+
+ InputStream is = Thread.currentThread().getContextClassLoader()
+ .getResourceAsStream("portal-policy.xml");
+
+ Set<PolicyMetaData> metadata = config.configure(GeneralTool.readStream(is));
+
+ assertNotNull(metadata);
+
+ for (PolicyMetaData policyMetaData : metadata)
+ {
+ this.provisioner.deploy(policyMetaData);
+ }
+
+ is.close();
+
+ // Assert Policy State of the Server
+ Set<Policy> policies = this.provisioner.readAllPolicies();
+
+ assertTrue("Policy Store must not be empty!!", policies != null
+ && !policies.isEmpty());
+ for (Policy policy : policies)
+ {
+ log
+ .debug("------------------------------------------------------------------------------");
+ log.debug(policy.generateSystemPolicy());
+ }
+ }
+
+ //
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
+ public void testAppLevelSecurity() throws Exception
+ {
+ PortletResource r1 = new PortletResource();
+ r1.setUri(new URI("forums"));
+ r1.addParameter("topicId", "1234");
+ r1.addParameter("blah", "blahblah");
+
+ PortletResource r2 = new PortletResource();
+ r2.setUri(new URI("forums"));
+ r2.addParameter("topicId", "5678");
+ r2.addParameter("blah", "blahblah");
+
+ PortletResource r3 = new PortletResource();
+ r3.setUri(new URI("forums"));
+ r3.addParameter("topicId", "9999");
+ r3.addParameter("blah", "blahblah");
+
+ //Testing Employees access
+ this.enforce(this.createEnforcementContext(r1, new String[]{"employees",
"authenticated", "marketing"}, null), true);
+ this.enforce(this.createEnforcementContext(r2, new String[]{"employees",
"authenticated", "marketing"}, null), true);
+ this.enforce(this.createEnforcementContext(r3, new String[]{"employees",
"authenticated", "marketing"}, null), false);
+
+ //Testing Partners access
+ this.enforce(this.createEnforcementContext(r1, new String[]{"partners",
"authenticated", "insurance-company"}, null), true);
+ this.enforce(this.createEnforcementContext(r2, new String[]{"partners",
"authenticated", "insurance-company"}, null), true);
+ this.enforce(this.createEnforcementContext(r3, new String[]{"partners",
"authenticated", "insurance-company"}, null), false);
+
+ //Testing Anonymous access
+ this.enforce(this.createEnforcementContext(r1, new String[]{"anonymous"},
null), false);
+ this.enforce(this.createEnforcementContext(r2, new String[]{"anonymous"},
null), false);
+ this.enforce(this.createEnforcementContext(r3, new String[]{"anonymous"},
null), false);
+
+ //Testing Authenticated but not an Employee or a Partner
+ this.enforce(this.createEnforcementContext(r1, new String[]{"authenticated",
"community"}, null), false);
+ this.enforce(this.createEnforcementContext(r2, new String[]{"authenticated",
"community"}, null), false);
+ this.enforce(this.createEnforcementContext(r3, new String[]{"authenticated",
"community"}, null), false);
+ }
+ //
-------------------------------------------------------------------------------------------------------------------------------------------------
+ private void enforce(EnforcementContext enforcementContext,
+ boolean mustBePermitted) throws Exception
+ {
+ EnforcementResponse response = this.enforcer
+ .checkAccess(enforcementContext);
+
+ assertNotNull(response);
+ log.info("-----------------------------------");
+ log.info("Decision=" + response.getMessage());
+
+ if (mustBePermitted)
+ {
+ assertTrue("Access must be granted!!!", response.isAccessGranted());
+ }
+ else
+ {
+ assertFalse("Access must be denied!!!", response.isAccessGranted());
+ }
+ }
+
+ private EnforcementContext createEnforcementContext(
+ PortletResource protectedResource, String[] userRoles, Object actionComponent)
+ throws Exception
+ {
+ // Create an EnforcementContext
+ EnforcementContext context = new EnforcementContext();
+
+ // Resource being accessed
+ context.setAttribute("portlet-resource", protectedResource);
+
+ // Create Subjects
+ Roles roles = new Roles();
+ for (int i = 0; i < userRoles.length; i++)
+ {
+ roles.addName(userRoles[i]);
+ }
+ context.setAttribute("roles", roles);
+
+ // Action being performed
+ if(actionComponent != null)
+ {
+ context.setAttribute("portlet-mode", actionComponent);
+ }
+ else
+ {
+ context.setAttribute("portlet-mode", new ViewMode());
+ }
+
+ return context;
+ }
+}
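Review bot: `setUp()` deploys every generated policy through `provisioner.deploy(...)` but there is no `tearDown()` removing them, so policies accumulate in the store across test methods and runs — and if the container bootstraps the `RelationalDBPolicyStore` named in authz-config.xml, across JVMs as well — which can make later assertions pass or fail for reasons unrelated to this fixture. Add a `tearDown()` that undeploys what `setUp()` deployed (or clears the store), and close `is` in a `finally` so a failing `configure()` does not leak it. Note also that the time-of-day rule declared in portal-policy.xml is never exercised: every enforcement here uses the default `ViewMode` and no clock, so the suite cannot tell whether `<time>` constraints are honoured.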
Modified: authz/trunk/portal-profile/src/test/resources/portal-policy.xml
===================================================================
--- authz/trunk/portal-profile/src/test/resources/portal-policy.xml 2010-01-19 18:39:36
UTC (rev 1104)
+++ authz/trunk/portal-profile/src/test/resources/portal-policy.xml 2010-01-19 22:52:20
UTC (rev 1105)
@@ -6,131 +6,109 @@
Security Rule:
The specified topics "1234 and 5678" are available only when:
* User is an Employee or a Partner
- * Time of Access falls between the specified range
+ * Time of Access is after 5:00 pm
-->
- <portlet-security-constraint>
- <portlet-resource-collection>
- <portlet-resource>
- <portlet-name>forums</portlet-name>
- <request-parameters>
- <parameter name="topicId">1234</parameter>
- </request-parameters>
- </portlet-resource>
- <portlet-resource>
- <portlet-name>forums</portlet-name>
- <request-parameters>
- <parameter name="topicId">5678</parameter>
- </request-parameters>
- </portlet-resource>
- </portlet-resource-collection>
- <auth-constraints>
- <auth-constraint>
- <roles allow="true">
- <role-name>employees</role-name>
- <role-name>partners</role-name>
- </roles>
- </auth-constraint>
- <!--
- <auth-constraint>
- <ip-address allow="true">
- <ip-range>
- <address-from></address-from>
- <address-to></address-to>
- </ip-range>
- </ip-address>
- </auth-constraint>
- -->
- <!--
- <auth-constraint>
- <time allow="true">
- <from></from>
- <to></to>
- </time>
- </auth-constraint>
- -->
- </auth-constraints>
- </portlet-security-constraint>
-
- <!--
- Demonstrates Application Level Authorization
-
- Security Rule:
- The specified topics "1111 and 2222" are available only when:
- * User is 18 years or older
- -->
- <portlet-security-constraint>
- <portlet-resource-collection>
- <portlet-resource>
- <portlet-name>forums</portlet-name>
- <request-parameters>
- <parameter name="topicId">1111</parameter>
- </request-parameters>
- </portlet-resource>
- <portlet-resource>
- <portlet-name>forums</portlet-name>
- <request-parameters>
- <parameter name="topicId">2222</parameter>
- </request-parameters>
- </portlet-resource>
- </portlet-resource-collection>
- <auth-constraints>
- <auth-constraint>
- <preferences allow="true">
- <preference name="age">>=18</preference>
- </preferences>
- </auth-constraint>
- </auth-constraints>
- </portlet-security-constraint>
+ <security-constraint>
+ <portlet-resource-collection>
+ <portlet-resource>
+ <portlet-name>forums</portlet-name>
+ <request-parameters>
+ <parameter name="topicId">1234</parameter>
+ </request-parameters>
+ </portlet-resource>
+ <portlet-resource>
+ <portlet-name>forums</portlet-name>
+ <request-parameters>
+ <parameter name="topicId">5678</parameter>
+ </request-parameters>
+ </portlet-resource>
+ </portlet-resource-collection>
+ <auth-constraint>
+ <roles allow="true">
+ <role-name>employees</role-name>
+ <role-name>partners</role-name>
+ </roles>
+ </auth-constraint>
+ <auth-constraint>
+ <time allow="true">
+ <after>17:00</after>
+ </time>
+ </auth-constraint>
+ </security-constraint>
<!--
Demonstrates Portlet Level Authorization by protecting Portlet Modes
- Security Rule: The Forums Portlet is available in VIEW, HELP, and EDIT mode when:
- * User is a member of the Community
+ Security Rule: The Forums Portlet is available in VIEW, HELP mode:
+ * To all users
-->
- <portlet-security-constraint>
+ <!--
+ <security-constraint>
<portlet-resource-collection>
- <portlet-resource>
- <portlet-name>forums</portlet-name>
- <modes>
- <mode>VIEW</mode>
- <mode>HELP</mode>
- <mode>EDIT</mode>
- </modes>
- </portlet-resource>
- </portlet-resource-collection>
- <auth-constraints>
- <auth-constraint>
- <roles allow="true">
- <role-name>community</role-name>
- </roles>
- </auth-constraint>
- </auth-constraints>
- </portlet-security-constraint>
+ <portlet-resource>
+ <portlet-name>forums</portlet-name>
+ <modes>
+ <mode>VIEW</mode>
+ <mode>HELP</mode>
+ </modes>
+ </portlet-resource>
+ </portlet-resource-collection>
+ <auth-constraint>
+ <roles allow="true">
+ <role-name>anonymous</role-name>
+ <role-name>authenticated</role-name>
+ </roles>
+ </auth-constraint>
+ </security-constraint>
+ -->
<!--
Demonstrates Portlet Level Authorization by protecting Portlet Modes
+ Security Rule: The Forums Portlet is available in EDIT mode:
+ * To only users in "Authenticated/Non-Anonymous" state
+ -->
+ <!--
+ <security-constraint>
+ <portlet-resource-collection>
+ <portlet-resource>
+ <portlet-name>forums</portlet-name>
+ <modes>
+ <mode>EDIT</mode>
+ </modes>
+ </portlet-resource>
+ </portlet-resource-collection>
+ <auth-constraint>
+ <roles allow="true">
+ <role-name>authenticated</role-name>
+ </roles>
+ </auth-constraint>
+ </security-constraint>
+ -->
+
+ <!--
+ Demonstrates Portlet Level Authorization by protecting Portlet Modes
+
Security Rule: The Forums Portlet is available in ADMIN mode when:
* User is an Admin
-->
- <portlet-security-constraint>
+ <!--
+ <security-constraint>
<portlet-resource-collection>
- <portlet-resource>
- <portlet-name>forums</portlet-name>
- <modes>
- <mode>ADMIN</mode>
- </modes>
- </portlet-resource>
- </portlet-resource-collection>
- <auth-constraints>
- <auth-constraint>
- <roles allow="true">
- <role-name>admin</role-name>
- </roles>
- </auth-constraint>
- </auth-constraints>
- </portlet-security-constraint>
+ <portlet-resource>
+ <portlet-name>forums</portlet-name>
+ <modes>
+ <mode>ADMIN</mode>
+ </modes>
+ </portlet-resource>
+ </portlet-resource-collection>
+ <auth-constraint>
+ <roles allow="true">
+ <role-name>admin</role-name>
+ </roles>
+ </auth-constraint>
+ </security-constraint>
+ -->
<!--
Configuration for the Portal Enforcement Engine
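Review bot: The `<time allow="true"><after>17:00</after></time>` constraint and the comment "Time of Access is after 5:00 pm" describe a rule that `PortalObjectPolicyConfig.configure()` in this revision never reads — it only inspects `roles` elements — so topics 1234 and 5678 are granted to employees and partners at any hour. Either mark it in the file as not yet implemented (`<!-- TODO: time constraints are not parsed by PortalObjectPolicyConfig yet -->`) or drop it until the parser supports it, so nobody reads this fixture as evidence that the rule is enforced. The three commented-out mode constraints would also benefit from a one-line note on why they are disabled.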
Added: authz/trunk/portal-profile/src/test/resources/portal-policy.xml.backup
===================================================================
--- authz/trunk/portal-profile/src/test/resources/portal-policy.xml.backup
(rev 0)
+++ authz/trunk/portal-profile/src/test/resources/portal-policy.xml.backup 2010-01-19
22:52:20 UTC (rev 1105)
@@ -0,0 +1,152 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<portal-security>
+ <!--
+ Demonstrates Application Level Authorization
+
+ Security Rule:
+ The specified topics "1234 and 5678" are available only when:
+ * User is an Employee or a Partner
+ * Time of Access falls between the specified range
+ -->
+ <portlet-security-constraint>
+ <portlet-resource-collection>
+ <portlet-resource>
+ <portlet-name>forums</portlet-name>
+ <request-parameters>
+ <parameter name="topicId">1234</parameter>
+ </request-parameters>
+ </portlet-resource>
+ <portlet-resource>
+ <portlet-name>forums</portlet-name>
+ <request-parameters>
+ <parameter name="topicId">5678</parameter>
+ </request-parameters>
+ </portlet-resource>
+ </portlet-resource-collection>
+ <auth-constraints>
+ <auth-constraint>
+ <roles allow="true">
+ <role-name>employees</role-name>
+ <role-name>partners</role-name>
+ </roles>
+ </auth-constraint>
+ <!--
+ <auth-constraint>
+ <ip-address allow="true">
+ <ip-range>
+ <address-from></address-from>
+ <address-to></address-to>
+ </ip-range>
+ </ip-address>
+ </auth-constraint>
+ -->
+ <!--
+ <auth-constraint>
+ <time allow="true">
+ <from></from>
+ <to></to>
+ </time>
+ </auth-constraint>
+ -->
+ </auth-constraints>
+ </portlet-security-constraint>
+
+ <!--
+ Demonstrates Application Level Authorization
+
+ Security Rule:
+ The specified topics "1111 and 2222" are available only when:
+ * User is 18 years or older
+ -->
+ <portlet-security-constraint>
+ <portlet-resource-collection>
+ <portlet-resource>
+ <portlet-name>forums</portlet-name>
+ <request-parameters>
+ <parameter name="topicId">1111</parameter>
+ </request-parameters>
+ </portlet-resource>
+ <portlet-resource>
+ <portlet-name>forums</portlet-name>
+ <request-parameters>
+ <parameter name="topicId">2222</parameter>
+ </request-parameters>
+ </portlet-resource>
+ </portlet-resource-collection>
+ <auth-constraints>
+ <auth-constraint>
+ <preferences allow="true">
+ <preference name="age">>=18</preference>
+ </preferences>
+ </auth-constraint>
+ </auth-constraints>
+ </portlet-security-constraint>
+
+ <!--
+ Demonstrates Portlet Level Authorization by protecting Portlet Modes
+
+ Security Rule: The Forums Portlet is available in VIEW, HELP, and EDIT mode when:
+ * User is a member of the Community
+ -->
+ <portlet-security-constraint>
+ <portlet-resource-collection>
+ <portlet-resource>
+ <portlet-name>forums</portlet-name>
+ <modes>
+ <mode>VIEW</mode>
+ <mode>HELP</mode>
+ <mode>EDIT</mode>
+ </modes>
+ </portlet-resource>
+ </portlet-resource-collection>
+ <auth-constraints>
+ <auth-constraint>
+ <roles allow="true">
+ <role-name>community</role-name>
+ </roles>
+ </auth-constraint>
+ </auth-constraints>
+ </portlet-security-constraint>
+
+ <!--
+ Demonstrates Portlet Level Authorization by protecting Portlet Modes
+
+ Security Rule: The Forums Portlet is available in ADMIN mode when:
+ * User is an Admin
+ -->
+ <portlet-security-constraint>
+ <portlet-resource-collection>
+ <portlet-resource>
+ <portlet-name>forums</portlet-name>
+ <modes>
+ <mode>ADMIN</mode>
+ </modes>
+ </portlet-resource>
+ </portlet-resource-collection>
+ <auth-constraints>
+ <auth-constraint>
+ <roles allow="true">
+ <role-name>admin</role-name>
+ </roles>
+ </auth-constraint>
+ </auth-constraints>
+ </portlet-security-constraint>
+
+ <!--
+ Configuration for the Portal Enforcement Engine
+ -->
+ <enforcement-config>
+ <!--
+ default value, (false)
+ If resource match is set to "policy-match-mandatory=true", it means
that if there is an http request to the web application,
+ that does not have any specified/matching "security policy" for it,
then this access should be "Denied".
+
+ The default value is set to "false" since this makes Policy
Provisioning less intensive for most web applications. This means that if
+ a "Policy" is not specified for a http request, it means that resource
does not need to be "protected", and access should be "Granted".
+
+ The protection can be increased depending on the application by changing this to
"true". In which case only Http Requests that have a matching "Security
Policy" will
+ be considered for "Access Control". All others will be
"Denied" access.
+ -->
+ <policy-match-mandatory>false</policy-match-mandatory>
+ </enforcement-config>
+</portal-security>
\ No newline at end of file
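Review bot: `portal-policy.xml.backup` is a verbatim copy of the previous revision's fixture, which Subversion already preserves, and it uses the old `<portlet-security-constraint>`/`<auth-constraints>` element names that `configure()` no longer recognises, so it will only mislead the next reader. Remove it from the tree rather than carrying a stale schema next to the live one. If the old element names are meant to remain supported, that belongs in the parser and a test, not in a backup file.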