Author: julien(a)jboss.com Date: 2006-11-23 17:49:44 -0500 (Thu, 23 Nov 2006) New Revision: 5719 Added: trunk/core/src/main/org/jboss/portal/core/impl/model/CustomizationManagerService.java trunk/core/src/main/org/jboss/portal/core/model/CustomizationManager.java Modified: trunk/core/src/main/org/jboss/portal/core/controller/Controller.java trunk/core/src/main/org/jboss/portal/core/controller/command/SignOutCommand.java trunk/core/src/main/org/jboss/portal/core/model/portal/command/PortalObjectCommand.java trunk/core/src/main/org/jboss/portal/core/model/portal/command/WindowCommand.java trunk/core/src/main/org/jboss/portal/core/portlet/management/PortalObjectManagerBean.java trunk/core/src/resources/portal-core-sar/META-INF/jboss-service.xml trunk/security/src/main/org/jboss/portal/security/PortalPermissionCollection.java trunk/security/src/main/org/jboss/portal/security/impl/jacc/JACCPortalAuthorizationManager.java trunk/security/src/main/org/jboss/portal/security/impl/jacc/JACCPortalPermissionCollection.java trunk/security/src/main/org/jboss/portal/security/spi/auth/PortalAuthorizationManager.java Log: - encapsulate customization of instance based on the user + window in an interface - fix signout bug - add explicit Subject checking in portal security - add dashboard permission in portal object manager bean Modified: trunk/core/src/main/org/jboss/portal/core/controller/Controller.java =================================================================== --- trunk/core/src/main/org/jboss/portal/core/controller/Controller.java 2006-11-23 21:53:43 UTC (rev 5718) +++ trunk/core/src/main/org/jboss/portal/core/controller/Controller.java 2006-11-23 22:49:44 UTC (rev 5719) @@ -27,6 +27,7 @@ import org.jboss.portal.core.controller.command.mapper.URLFactory; import org.jboss.portal.core.model.portal.PortalObjectContainer; import org.jboss.portal.core.model.instance.InstanceContainer; +import org.jboss.portal.core.model.CustomizationManager; import org.jboss.portal.common.invocation.InterceptorStackFactory; import org.jboss.portal.security.spi.auth.PortalAuthorizationManagerFactory; import org.jboss.portal.jems.as.system.AbstractJBossService; @@ -60,6 +61,19 @@ /** . */ protected PortalAuthorizationManagerFactory portalAuthorizationManagerFactory; + /** . */ + protected CustomizationManager customizationManager; + + public CustomizationManager getCustomizationManager() + { + return customizationManager; + } + + public void setCustomizationManager(CustomizationManager customizationManager) + { + this.customizationManager = customizationManager; + } + public PortalAuthorizationManagerFactory getPortalAuthorizationManagerFactory() { return portalAuthorizationManagerFactory; Modified: trunk/core/src/main/org/jboss/portal/core/controller/command/SignOutCommand.java =================================================================== --- trunk/core/src/main/org/jboss/portal/core/controller/command/SignOutCommand.java 2006-11-23 21:53:43 UTC (rev 5718) +++ trunk/core/src/main/org/jboss/portal/core/controller/command/SignOutCommand.java 2006-11-23 22:49:44 UTC (rev 5719) @@ -24,9 +24,9 @@ import org.jboss.portal.core.controller.ControllerCommand; import org.jboss.portal.core.controller.ControllerException; -import org.jboss.portal.core.controller.portlet.SignOutResponse; import org.jboss.portal.core.controller.command.info.ActionCommandInfo; import org.jboss.portal.core.controller.command.info.CommandInfo; +import org.jboss.portal.core.controller.command.response.SignOutResponse; /** * A global signout. Added: trunk/core/src/main/org/jboss/portal/core/impl/model/CustomizationManagerService.java =================================================================== --- trunk/core/src/main/org/jboss/portal/core/impl/model/CustomizationManagerService.java 2006-11-23 21:53:43 UTC (rev 5718) +++ trunk/core/src/main/org/jboss/portal/core/impl/model/CustomizationManagerService.java 2006-11-23 22:49:44 UTC (rev 5719) @@ -0,0 +1,186 @@ +/****************************************************************************** + * JBoss, a division of Red Hat * + * Copyright 2006, Red Hat Middleware, LLC, and individual * + * contributors as indicated by the @authors tag. See the * + * copyright.txt in the distribution for a full listing of * + * individual contributors. * + * * + * This is free software; you can redistribute it and/or modify it * + * under the terms of the GNU Lesser General Public License as * + * published by the Free Software Foundation; either version 2.1 of * + * the License, or (at your option) any later version. * + * * + * This software is distributed in the hope that it will be useful, * + * but WITHOUT ANY WARRANTY; without even the implied warranty of * + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * + * Lesser General Public License for more details. * + * * + * You should have received a copy of the GNU Lesser General Public * + * License along with this software; if not, write to the Free * + * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA * + * 02110-1301 USA, or see the FSF site: http://www.fsf.org. * + ******************************************************************************/ +package org.jboss.portal.core.impl.model; + +import org.jboss.portal.jems.as.system.AbstractJBossService; +import org.jboss.portal.core.model.CustomizationManager; +import org.jboss.portal.core.model.instance.Instance; +import org.jboss.portal.core.model.instance.InstanceContainer; +import org.jboss.portal.core.model.portal.PortalObject; +import org.jboss.portal.core.model.portal.Window; +import org.jboss.portal.core.model.portal.PortalObjectPermission; +import org.jboss.portal.security.spi.auth.PortalAuthorizationManagerFactory; +import org.jboss.portal.security.spi.auth.PortalAuthorizationManager; +import org.jboss.portal.identity.UserModule; +import org.jboss.portal.identity.RoleModule; +import org.jboss.portal.identity.User; +import org.jboss.logging.Logger; + +/** + * @author <a href="mailto:julien@jboss.org">Julien Viet</a> + * @version $Revision: 1.1 $ + */ +public class CustomizationManagerService extends AbstractJBossService implements CustomizationManager +{ + + /** . */ + private static final Logger log = Logger.getLogger(CustomizationManager.class); + + /** . */ + private InstanceContainer instanceContainer; + + /** . */ + private PortalAuthorizationManagerFactory pamf; + + /** . */ + private UserModule userModule; + + /** . */ + private RoleModule roleModule; + + public InstanceContainer getInstanceContainer() + { + return instanceContainer; + } + + public void setInstanceContainer(InstanceContainer instanceContainer) + { + this.instanceContainer = instanceContainer; + } + + public PortalAuthorizationManagerFactory getPortalAuthorizationManagerFactory() + { + return pamf; + } + + public void setPortalAuthorizationManagerFactory(PortalAuthorizationManagerFactory portalAuthorizationManagerFactory) + { + this.pamf = portalAuthorizationManagerFactory; + } + + public UserModule getUserModule() + { + return userModule; + } + + public void setUserModule(UserModule userModule) + { + this.userModule = userModule; + } + + public RoleModule getRoleModule() + { + return roleModule; + } + + public void setRoleModule(RoleModule roleModule) + { + this.roleModule = roleModule; + } + + public Instance getInstance(Window window) throws IllegalArgumentException + { + return getInstance(window, null); + } + + public Instance getInstance(Window window, User user) throws IllegalArgumentException + { + if (window == null) + { + throw new IllegalArgumentException("No window provided"); + } + + // + String instanceId = window.getInstanceRef(); + if (instanceId == null) + { + return null; + } + + // Get the instance + Instance instance = instanceContainer.getInstance(instanceId); + if (instance != null) + { + // If we are in the context of an existing user we get a customization for that user + if (user != null) + { + String userId = user.getId().toString(); + + // And if it is in a dashboard context we get the per window customization + if (isDashboard(window, user)) + { + // That's how we manufacture dash board keys + String dashboardId = userId + "." + window.getId(); + + // + instance = instance.getCustomization(dashboardId); + } + else + { + instance = instance.getCustomization(userId); + } + } + } + + // + return instance; + } + + /** + * Return true if the portal object is in a dashboard context for the current authenticated user. + * + * @param object + * @return + */ + public boolean isDashboard(PortalObject object, User user) + { + if (object == null) + { + throw new IllegalArgumentException("No null object"); + } + + // Anonymous + if (user == null) + { + return false; + } + + // todo + // We should test that it is the same than the request user + // as for now we can only test permission for the currently + // authenticated user + + // + try + { + PortalAuthorizationManager pam = pamf.getManager(); + PortalObjectPermission perm = new PortalObjectPermission(object.getId(), PortalObjectPermission.DASHBOARD_MASK); + return pam.checkPermission(perm); + } + catch (Exception e) + { + log.error("Cannot check dashboard for", e); + return false; + } + } +} Added: trunk/core/src/main/org/jboss/portal/core/model/CustomizationManager.java =================================================================== --- trunk/core/src/main/org/jboss/portal/core/model/CustomizationManager.java 2006-11-23 21:53:43 UTC (rev 5718) +++ trunk/core/src/main/org/jboss/portal/core/model/CustomizationManager.java 2006-11-23 22:49:44 UTC (rev 5719) @@ -0,0 +1,65 @@ +/****************************************************************************** + * JBoss, a division of Red Hat * + * Copyright 2006, Red Hat Middleware, LLC, and individual * + * contributors as indicated by the @authors tag. See the * + * copyright.txt in the distribution for a full listing of * + * individual contributors. * + * * + * This is free software; you can redistribute it and/or modify it * + * under the terms of the GNU Lesser General Public License as * + * published by the Free Software Foundation; either version 2.1 of * + * the License, or (at your option) any later version. * + * * + * This software is distributed in the hope that it will be useful, * + * but WITHOUT ANY WARRANTY; without even the implied warranty of * + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * + * Lesser General Public License for more details. * + * * + * You should have received a copy of the GNU Lesser General Public * + * License along with this software; if not, write to the Free * + * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA * + * 02110-1301 USA, or see the FSF site: http://www.fsf.org. * + ******************************************************************************/ +package org.jboss.portal.core.model; + +import org.jboss.portal.core.model.instance.Instance; +import org.jboss.portal.core.model.portal.Window; +import org.jboss.portal.core.model.portal.PortalObject; +import org.jboss.portal.identity.User; + +/** + * Encapsulate portlet customization semantics. + * + * @author <a href="mailto:julien@jboss.org">Julien Viet</a> + * @version $Revision: 1.1 $ + */ +public interface CustomizationManager +{ + /** + * Return a top level named portlet instance. + * + * @param window the window of the portlet instance + * @return the target instance or null if it cannot be found + * @throws IllegalArgumentException if the window is null + */ + Instance getInstance(Window window) throws IllegalArgumentException; + + /** + * Return a contextualized portlet instance for the specified user id. If the window is in the context + * of a dashboard then the portlet instance is further customized for that specific window. + * + * @param window the window of the portlet instance + * @param user the user that can be null + * @return the target instance or null if it cannot be found + * @throws IllegalArgumentException if the window is null + */ + Instance getInstance(Window window, User user) throws IllegalArgumentException; + + /** + * Return true if the portal object is in a dashboard context for the specified user. + * + * @param object + * @return + */ + boolean isDashboard(PortalObject object, User user); +} Modified: trunk/core/src/main/org/jboss/portal/core/model/portal/command/PortalObjectCommand.java =================================================================== --- trunk/core/src/main/org/jboss/portal/core/model/portal/command/PortalObjectCommand.java 2006-11-23 21:53:43 UTC (rev 5718) +++ trunk/core/src/main/org/jboss/portal/core/model/portal/command/PortalObjectCommand.java 2006-11-23 22:49:44 UTC (rev 5719) @@ -31,7 +31,7 @@ import org.jboss.portal.core.model.portal.PortalObjectPermission; import org.jboss.portal.security.PortalSecurityException; import org.jboss.portal.security.spi.auth.PortalAuthorizationManager; -import org.jboss.portal.security.spi.auth.PortalAuthorizationManagerFactory; +import org.jboss.portal.identity.User; /** * @author <a href="mailto:julien@jboss.org">Julien Viet</a> @@ -104,17 +104,9 @@ { if (dashboard == null) { - try - { - PortalAuthorizationManagerFactory pamf = getControllerContext().getController().getPortalAuthorizationManagerFactory(); - PortalAuthorizationManager pam = pamf.getManager(); - PortalObjectPermission perm = new PortalObjectPermission(targetId, PortalObjectPermission.DASHBOARD_MASK); - dashboard = Boolean.valueOf(pam.checkPermission(perm)); - } - catch (PortalSecurityException e) - { - dashboard = Boolean.FALSE; - } + User user = (User)getControllerContext().getServerInvocation().getRequest().getUser(); + boolean tmp = context.getController().getCustomizationManager().isDashboard(target, user); + dashboard = Boolean.valueOf(tmp); } return dashboard.booleanValue(); } Modified: trunk/core/src/main/org/jboss/portal/core/model/portal/command/WindowCommand.java =================================================================== --- trunk/core/src/main/org/jboss/portal/core/model/portal/command/WindowCommand.java 2006-11-23 21:53:43 UTC (rev 5718) +++ trunk/core/src/main/org/jboss/portal/core/model/portal/command/WindowCommand.java 2006-11-23 22:49:44 UTC (rev 5719) @@ -31,6 +31,7 @@ import org.jboss.portal.core.model.portal.Window; import org.jboss.portal.security.PortalSecurityException; import org.jboss.portal.security.spi.auth.PortalAuthorizationManager; +import org.jboss.portal.identity.User; /** * A superclass for command that target a specific window. @@ -99,26 +100,17 @@ throw new ResourceNotFoundException(targetId); } + // We need the user id + User user = (User)getControllerContext().getServerInvocation().getRequest().getUser(); + // Get instance - instance = context.getController().getInstanceContainer().getInstance(window.getInstanceRef()); + instance = context.getController().getCustomizationManager().getInstance(window, user); + + // No instance means we can't continue if (instance == null) { throw new ResourceNotFoundException(window.getInstanceRef()); } - - // Get the user customization id - String userId = getControllerContext().getServerInvocation().getServerContext().getClientRequest().getRemoteUser(); - if (userId != null) - { - instance = instance.getCustomization(userId); - - // - if (isDashboard()) - { - String dashboardId = userId + targetId; - instance = instance.getCustomization(dashboardId); - } - } } /** Modified: trunk/core/src/main/org/jboss/portal/core/portlet/management/PortalObjectManagerBean.java =================================================================== --- trunk/core/src/main/org/jboss/portal/core/portlet/management/PortalObjectManagerBean.java 2006-11-23 21:53:43 UTC (rev 5718) +++ trunk/core/src/main/org/jboss/portal/core/portlet/management/PortalObjectManagerBean.java 2006-11-23 22:49:44 UTC (rev 5719) @@ -890,6 +890,7 @@ new SelectItem("viewrecursive"), new SelectItem("personalize"), new SelectItem("personalizerecursive"), + new SelectItem("dashboard"), }; } } Modified: trunk/core/src/resources/portal-core-sar/META-INF/jboss-service.xml =================================================================== --- trunk/core/src/resources/portal-core-sar/META-INF/jboss-service.xml 2006-11-23 21:53:43 UTC (rev 5718) +++ trunk/core/src/resources/portal-core-sar/META-INF/jboss-service.xml 2006-11-23 22:49:44 UTC (rev 5719) @@ -599,6 +599,27 @@ <attribute name="CacheNaturalId">true</attribute> </mbean> + <!-- Customization maanger --> + <mbean + code="org.jboss.portal.core.impl.model.CustomizationManagerService" + name="portal:service=CustomizationManager" + xmbean-dd="" + xmbean-code="org.jboss.portal.jems.as.system.JBossServiceModelMBean"> + <xmbean/> + <depends + optional-attribute-name="PortalAuthorizationManagerFactory" + proxy-type="attribute">portal:service=PortalAuthorizationManagerFactory</depends> + <depends + optional-attribute-name="InstanceContainer" + proxy-type="attribute">portal:container=Instance</depends> + <depends + optional-attribute-name="UserModule" + proxy-type="attribute">portal:service=Module,type=User</depends> + <depends + optional-attribute-name="RoleModule" + proxy-type="attribute">portal:service=Module,type=Role</depends> + </mbean> + <!-- Command factories --> <mbean code="org.jboss.portal.core.controller.command.mapper.DelegatingCommandFactoryService" @@ -914,6 +935,9 @@ <depends optional-attribute-name="PortalAuthorizationManagerFactory" proxy-type="attribute">portal:service=PortalAuthorizationManagerFactory</depends> + <depends + optional-attribute-name="CustomizationManager" + proxy-type="attribute">portal:service=CustomizationManager</depends> </mbean> <!-- The ajax controller --> @@ -944,6 +968,9 @@ <depends optional-attribute-name="PortalAuthorizationManagerFactory" proxy-type="attribute">portal:service=PortalAuthorizationManagerFactory</depends> + <depends + optional-attribute-name="CustomizationManager" + proxy-type="attribute">portal:service=CustomizationManager</depends> </mbean> <!-- --> Modified: trunk/security/src/main/org/jboss/portal/security/PortalPermissionCollection.java =================================================================== --- trunk/security/src/main/org/jboss/portal/security/PortalPermissionCollection.java 2006-11-23 21:53:43 UTC (rev 5718) +++ trunk/security/src/main/org/jboss/portal/security/PortalPermissionCollection.java 2006-11-23 22:49:44 UTC (rev 5719) @@ -90,7 +90,7 @@ try { PortalPermission portalPermission = (PortalPermission)permission; - Subject caller = getCaller(); + Subject caller = getCheckedSubject(); String roleName = getRoleName(); PermissionRepository repository = domain.getPermissionRepository(); boolean implied = owner.implies(repository, caller, roleName, portalPermission); @@ -114,9 +114,9 @@ public abstract String getRoleName(); /** - * Return the subject being used or null. + * Return the subject being checked or null if there is none. * * @return the current subject */ - public abstract Subject getCaller(); + public abstract Subject getCheckedSubject(); } Modified: trunk/security/src/main/org/jboss/portal/security/impl/jacc/JACCPortalAuthorizationManager.java =================================================================== --- trunk/security/src/main/org/jboss/portal/security/impl/jacc/JACCPortalAuthorizationManager.java 2006-11-23 21:53:43 UTC (rev 5718) +++ trunk/security/src/main/org/jboss/portal/security/impl/jacc/JACCPortalAuthorizationManager.java 2006-11-23 22:49:44 UTC (rev 5719) @@ -34,6 +34,7 @@ import javax.security.jacc.PolicyConfiguration; import javax.security.jacc.PolicyConfigurationFactory; import javax.security.jacc.PolicyContext; +import javax.security.jacc.PolicyContextException; import java.security.Policy; import java.security.Principal; import java.security.ProtectionDomain; @@ -65,6 +66,9 @@ /** . */ private PolicyConfigurationFactory pcf; + /** Used to retrieve the subject in hte jacc portal permission collection. */ + private static final ThreadLocal checkedSubjectLocal = new ThreadLocal(); + public JACCPortalAuthorizationManager(JACCPortalAuthorizationManagerFactory factory) { this.factory = factory; @@ -133,16 +137,16 @@ /** * */ - public boolean internalCheckPermission(PortalPermission permission) throws Exception + private boolean internalCheckPermission(PortalPermission permission) throws Exception { // Get the current context id. String contextID = PolicyContext.getContextID(); // Get the current authenticated subject through the JACC contract - Subject currentSubject = (Subject)PolicyContext.getContext("javax.security.auth.Subject.container"); + Subject currentSubject = (Subject)checkedSubjectLocal.get(); // - Principal[] principals = null; + Principal[] principals; // if (currentSubject != null) @@ -184,25 +188,60 @@ return policy.implies(pd, permission); } - public boolean checkPermission(PortalPermission permission) throws PortalSecurityException + + public boolean checkPermission(Subject checkedSubject, PortalPermission permission) throws PortalSecurityException { try { + + // Set the subject for later use in that layer + checkedSubjectLocal.set(checkedSubject); if (trace) { log.trace("hasPermission:uri=" + permission.getURI() + "::action=" + permission.getType() + "::type=" + permission.getType()); } + + // boolean result = internalCheckPermission(permission); if (trace) { log.trace("hasPermission:result=" + result); } + + // return result; } catch (Exception e) { log.trace("hasPermission:error", e); - throw new RuntimeException(e); + + // + throw new PortalSecurityException(e); } + finally + { + checkedSubjectLocal.set(null); + } } + + public boolean checkPermission(PortalPermission permission) throws PortalSecurityException + { + try + { + // Get the current authenticated subject through the JACC contract + Subject subject = (Subject)PolicyContext.getContext("javax.security.auth.Subject.container"); + + // + return checkPermission(subject, permission); + } + catch (PolicyContextException e) + { + throw new PortalSecurityException(e); + } + } + + static Subject getCheckedSubject() + { + return (Subject)checkedSubjectLocal.get(); + } } Modified: trunk/security/src/main/org/jboss/portal/security/impl/jacc/JACCPortalPermissionCollection.java =================================================================== --- trunk/security/src/main/org/jboss/portal/security/impl/jacc/JACCPortalPermissionCollection.java 2006-11-23 21:53:43 UTC (rev 5718) +++ trunk/security/src/main/org/jboss/portal/security/impl/jacc/JACCPortalPermissionCollection.java 2006-11-23 22:49:44 UTC (rev 5719) @@ -26,8 +26,6 @@ import org.jboss.portal.security.spi.provider.AuthorizationDomain; import javax.security.auth.Subject; -import javax.security.jacc.PolicyContext; -import javax.security.jacc.PolicyContextException; import java.util.Enumeration; import java.util.Vector; @@ -42,12 +40,11 @@ /** The serialVersionUID */ private static final long serialVersionUID = -4307467280985644450L; + /** The role name of the permission container. */ private String roleName; - public JACCPortalPermissionCollection( - String roleName, - AuthorizationDomain repository) throws IllegalArgumentException + public JACCPortalPermissionCollection(String roleName, AuthorizationDomain repository) throws IllegalArgumentException { super(repository); if (roleName == null) @@ -68,16 +65,8 @@ return new Vector().elements(); } - - public Subject getCaller() + public Subject getCheckedSubject() { - try - { - return (Subject)PolicyContext.getContext("javax.security.auth.Subject.container"); - } - catch (PolicyContextException e) - { - return null; - } + return JACCPortalAuthorizationManager.getCheckedSubject(); } } Modified: trunk/security/src/main/org/jboss/portal/security/spi/auth/PortalAuthorizationManager.java =================================================================== --- trunk/security/src/main/org/jboss/portal/security/spi/auth/PortalAuthorizationManager.java 2006-11-23 21:53:43 UTC (rev 5718) +++ trunk/security/src/main/org/jboss/portal/security/spi/auth/PortalAuthorizationManager.java 2006-11-23 22:49:44 UTC (rev 5719) @@ -25,6 +25,8 @@ import org.jboss.portal.security.PortalPermission; import org.jboss.portal.security.PortalSecurityException; +import javax.security.auth.Subject; + /** * Portal Authorization Management Interface * @@ -39,4 +41,12 @@ * @throws PortalSecurityException */ public boolean checkPermission(PortalPermission permission) throws PortalSecurityException; + + /** + * @param checkedSubject + * @param permission + * @return + * @throws PortalSecurityException + */ + public boolean checkPermission(Subject checkedSubject, PortalPermission permission) throws PortalSecurityException; }