Author: sohil.shah(a)jboss.com
Date: 2009-07-29 18:26:23 -0400 (Wed, 29 Jul 2009)
New Revision: 13630
Added:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/CreatePortal.java
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossAbstractTestUserACL.java
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossCreatePortalACL.java
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossPortalConfigACL.java
Modified:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/.classpath
Log:
porting the "PortalConfig" security-related test cases to the new framework
approach
* same exact functionality, just the security implementation swapped
Property changes on:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal
___________________________________________________________________
Name: svn:ignore
+ nul
Modified:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/.classpath
===================================================================
---
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/.classpath 2009-07-29
20:01:36 UTC (rev 13629)
+++
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/.classpath 2009-07-29
22:26:23 UTC (rev 13630)
@@ -1,8 +1,8 @@
<?xml version="1.0" encoding="UTF-8"?>
<classpath>
+ <classpathentry kind="src" path="src/main/java"/>
<classpathentry kind="src" output="target/test-classes"
path="src/test/java"/>
- <classpathentry excluding="**/*.java" kind="src"
output="target/test-classes" path="src/test/resources"/>
- <classpathentry kind="src" path="src/main/java"/>
+ <classpathentry excluding="**/*.java" kind="src"
output="target/test-classes" path="src/test/resources"/>
<classpathentry kind="var"
path="M2_REPO_EXO/javax/activation/activation/1.1/activation-1.1.jar"/>
<classpathentry kind="var"
path="M2_REPO_EXO/javax/ccpp/ccpp/1.0/ccpp-1.0.jar"/>
<classpathentry kind="var"
path="M2_REPO_EXO/javax/resource/connector-api/1.5/connector-api-1.5.jar"/>
Added:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/CreatePortal.java
===================================================================
---
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/CreatePortal.java
(rev 0)
+++
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/CreatePortal.java 2009-07-29
22:26:23 UTC (rev 13630)
@@ -0,0 +1,46 @@
+/*
+* JBoss, a division of Red Hat
+* Copyright 2006, Red Hat Middleware, LLC, and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+package org.exoplatform.portal.config.security.jboss;
+
+import org.jboss.security.authz.component.Component;
+import org.jboss.security.authz.component.ComponentType;
+import org.jboss.security.authz.component.ComponentCategory;
+
+import org.jboss.security.authz.components.action.Operation;
+
+/**
+ * Read represents a "read" action that can be performed on a Resource
+ *
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ */
+@Component(
+ name="createPortal",
+ type=ComponentType.TARGET,
+ category=ComponentCategory.ACTION
+)
+public class CreatePortal extends Operation
+{
+ public CreatePortal()
+ {
+ this.name = "createPortal";
+ }
+}
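Review bot: The class Javadoc in this hunk still reads `Read represents a "read" action that can be performed on a Resource`, which describes a different component; it should describe this one, e.g. `CreatePortal represents the "create portal" action that a policy can permit or deny on a portal resource`. The literal `"createPortal"` also appears twice, in the `@Component(name=...)` annotation and again in the constructor's `this.name = "createPortal";`; a `private static final String NAME = "createPortal";` referenced from both keeps the registered component name and the runtime `name` field from drifting apart.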
Added:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossAbstractTestUserACL.java
===================================================================
---
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossAbstractTestUserACL.java
(rev 0)
+++
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossAbstractTestUserACL.java 2009-07-29
22:26:23 UTC (rev 13630)
@@ -0,0 +1,212 @@
+/**
+ *
+ */
+package org.exoplatform.portal.config.security.jboss;
+
+import java.net.URI;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Set;
+
+import org.apache.log4j.Logger;
+
+import org.exoplatform.portal.config.UserACL;
+import org.exoplatform.services.security.ConversationState;
+import org.exoplatform.services.security.Identity;
+import org.exoplatform.services.security.MembershipEntry;
+import org.exoplatform.test.BasicTestCase;
+
+import org.jboss.security.authz.bootstrap.ServiceContainer;
+
+import org.jboss.security.authz.components.resource.URIResource;
+import org.jboss.security.authz.components.subject.Roles;
+
+import org.jboss.security.authz.model.Effect;
+import org.jboss.security.authz.model.Policy;
+import org.jboss.security.authz.model.PolicyMetaData;
+
+import org.jboss.security.authz.agent.enforcement.PolicyEnforcementPoint;
+import org.jboss.security.authz.agent.enforcement.EnforcementContext;
+import org.jboss.security.authz.agent.enforcement.EnforcementResponse;
+import org.jboss.security.authz.agent.provisioning.PolicyProvisioner;
+
+import org.jboss.security.authz.agent.services.CompositionContext;
+import org.jboss.security.authz.agent.services.PolicyComposer;
+
+/**
+ * @author soshah
+ *
+ */
+public class JBossAbstractTestUserACL extends BasicTestCase
+{
+ private static Logger log = Logger.getLogger(JBossAbstractTestUserACL.class);
+
+ User root, administrator, manager, user, guest;
+
+ PolicyComposer policyComposer;
+ PolicyEnforcementPoint enforcer;
+ PolicyProvisioner provisioner;
+
+ protected void setUp() throws Exception
+ {
+ ServiceContainer.bootstrap();
+ this.policyComposer = (PolicyComposer) ServiceContainer
+ .lookup("/agent/PolicyComposer");
+ this.enforcer = (PolicyEnforcementPoint) ServiceContainer
+ .lookup("/agent/LocalEnforcementPoint");
+ this.provisioner = (PolicyProvisioner) ServiceContainer
+ .lookup("/agent/LocalPolicyProvisioner");
+
+ this.root = new User("root");
+ this.administrator = new User("administrator");
+ this.administrator.addMembership("whatever",
"/platform/administrators");
+ this.manager = new User("manager");
+ this.manager.addMembership("manager", "/manageable");
+ this.user = new User("user");
+ this.guest = new User(null);
+
+ //Bootstrap the Policy Repository
+ //Provision the Policy that protects "Portal Creation"
+ this.provisionCreatePortalPolicy();
+ }
+
+ protected void enforce(EnforcementContext enforcementContext, boolean mustBePermitted)
throws Exception
+ {
+ EnforcementResponse response = this.enforcer.checkAccess(enforcementContext);
+
+ assertNotNull(response);
+ log.info("-----------------------------------");
+ log.info("Decision="+response.getMessage());
+
+ if(mustBePermitted)
+ {
+ assertTrue("Access must be granted!!!", response.isAccessGranted());
+ }
+ else
+ {
+ assertFalse("Access must be denied!!!", response.isAccessGranted());
+ }
+ }
+
+ protected void dumpPolicyRepository() throws Exception
+ {
+ //Assert Policy State of the Server
+ Policy[] policies = this.provisioner.readAllPolicies();
+
+ if(policies != null)
+ {
+ log.info("------------------------------------------------------------------------------");
+ for(Policy storedPolicy: policies)
+ {
+ log.info(storedPolicy.generateSystemPolicy());
+ }
+ }
+ }
+ //-------------------------------------------------------------------------------------------------------------------------------------------------------------------
+ /**
+ * Provisioning Phase: Provisions the Policy for Portal Creation. The Policy Structure
is created using "Security Components" whose state is populated from
+ * appropriate System configuration values
+ */
+ private void provisionCreatePortalPolicy() throws Exception
+ {
+ //Using the custom "CreatePortal" "Security Component"
+ CreatePortal action = new CreatePortal();
+ URIResource resource = new URIResource();
+ resource.setUri(new URI(action.getName()));
+
+
+ //Super User/Everyone (gives access without further evaluation)
+ org.jboss.security.authz.components.subject.Identity superuser = new
org.jboss.security.authz.components.subject.Identity();
+ superuser.setName(this.root.getId()); //Provided via system configuration
+ Roles everyone = new Roles();
+ everyone.addName(UserACL.EVERYONE);
+
+ //Guest Group
+ Roles guest = new Roles();
+ guest.addName("/platform/guests"); //Provided via system configuration
+ guest.addName(Roles.ANONYMOUS);
+ guest.setMustMatchAll(true);
+
+ //TODO: use a custom Roles component
+ //PortalCreators Group....
+ Roles portalCreators = new Roles();
+ //portalCreators.addName("*:/platform/administrators"); //Provided via system
configuration
+ //portalCreators.addName("*:/organization/management/executive-board");
+ portalCreators.addName("whatever:/platform/administrators"); //Provided via
system configuration
+ portalCreators.addName("whatever:/organization/management/executive-board");
+
+ //Setup the Context for the Composition with these components
+ CompositionContext context = new CompositionContext();
+ context.setPolicyTarget(resource);
+ context.addPolicyRule(Effect.PERMIT, action, superuser);
+ context.addPolicyRule(Effect.PERMIT, action, everyone, "allowExpression");
+ context.addPolicyRule(Effect.PERMIT, action, guest, "allowExpression");
+ context.addPolicyRule(Effect.PERMIT, action, portalCreators,
"allowExpression");
+
+ //Store the policy into the Policy Server
+ PolicyMetaData policyMetaData = this.policyComposer.compose(context);
+ this.provisioner.newPolicy(policyMetaData);
+ }
+ //----------------------------------------------------------------------------------------------------------------------------------------------------------------------
+ public class User
+ {
+ private final Identity identity;
+
+ private User(String id) {
+ if (id != null) {
+ Collection<String> roles = Collections.emptySet();
+ Set<MembershipEntry> memberships = new HashSet<MembershipEntry>();
+ identity = new Identity(id, memberships, roles);
+ } else {
+ identity = null;
+ }
+ }
+
+ public String getId() {
+ return identity != null ? identity.getUserId() : null;
+ }
+
+ public void addMembership(String type, String group) {
+ identity.getMemberships().add(new MembershipEntry(group, type));
+ }
+
+ public void removeMembership(String type, String group) {
+ for (Iterator<MembershipEntry> i =
identity.getMemberships().iterator();i.hasNext();) {
+ MembershipEntry membership = i.next();
+ if (type == null || type.equals(membership.getMembershipType())) {
+ if (group == null || group.equals(membership.getGroup())) {
+ i.remove();
+ }
+ }
+ }
+ }
+
+ public Collection<MembershipEntry> getMemberships()
+ {
+ if(this.identity != null)
+ {
+ return this.identity.getMemberships();
+ }
+ return null;
+ }
+
+ public void removeMembershipByType(String type) {
+ removeMembership(type, null);
+ }
+
+ public void removeMembershipByGroup(String group) {
+ removeMembership(null, group);
+ }
+
+ public void run(Runnable runnable) {
+ ConversationState.setCurrent(new ConversationState(identity));
+ try {
+ runnable.run();
+ } finally {
+ ConversationState.setCurrent(null);
+ }
+ }
+ }
+}
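Review bot: `User.addMembership` and `User.removeMembership` dereference `identity` without a null check, while `getId` and `getMemberships` in the same class guard it; since `setUp` builds the guest as `new User(null)`, calling either on the guest fails with a NullPointerException instead of a meaningful error. A guard such as `if (identity == null) throw new IllegalStateException("guest user has no identity");` at the top of both methods makes the contract explicit. `User` is also a non-static inner class that never touches the enclosing test's state, so `public static class User` avoids carrying the hidden outer reference. In `provisionCreatePortalPolicy` the PERMIT rules for `everyone` and `guest` on the create-portal action are constrained only by `"allowExpression"`, whose content is not visible here; a comment naming what that expression checks would tell a reader why those rules do not open portal creation to anonymous users.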
Added:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossCreatePortalACL.java
===================================================================
---
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossCreatePortalACL.java
(rev 0)
+++
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossCreatePortalACL.java 2009-07-29
22:26:23 UTC (rev 13630)
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) 2003-2007 eXo Platform SAS.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Affero General Public License
+ * as published by the Free Software Foundation; either version 3
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not,
see<http://www.gnu.org/licenses/>.
+ */
+package org.exoplatform.portal.config.security.jboss;
+
+import java.util.Collection;
+import java.net.URI;
+
+import org.exoplatform.services.security.MembershipEntry;
+
+import org.jboss.security.authz.agent.enforcement.EnforcementContext;
+import org.jboss.security.authz.components.resource.URIResource;
+import org.jboss.security.authz.components.subject.Roles;
+import org.jboss.security.authz.components.subject.Identity;
+
+
+/**
+ * @author soshah
+ *
+ */
+public class TestJBossCreatePortalACL extends JBossAbstractTestUserACL
+{
+ public void testPermission() throws Exception
+ {
+ //Generate an EnforcementContext to see if the superuser and administrator are allowed
to create a Portal...Result: They should be
+ this.enforce(this.createPortalEnforcementContext(this.root), true);
+ this.enforce(this.createPortalEnforcementContext(this.administrator), true);
+
+ //Generate an EnforcementContext to see if a standard manager and a regular user are
allowed to create a Portal..Result: They shouldn't be
+ this.enforce(this.createPortalEnforcementContext(this.manager), false);
+ this.enforce(this.createPortalEnforcementContext(this.user), false);
+ }
+
//----------------------------------------------------------------------------------------------------------------------------------------------------------------
+ /**
+ * Enforcement Phase: Creates an EnforcementContext for an incoming request that is
trying to "Create a New Portal". The EnforcementContext is populated with
+ * "Security Components" whose state comes from the state of the application
for the incoming thread
+ */
+ private EnforcementContext createPortalEnforcementContext(User creator) throws
Exception
+ {
+ // Create an EnforcementContext
+ EnforcementContext context = new EnforcementContext();
+
+ CreatePortal action = new CreatePortal();
+
+ // Create Resource
+ URIResource resource = new URIResource();
+ resource.setUri(new URI(action.getName()));
+ context.setAttribute("resource", resource);
+
+ // Create Identity
+ Identity identity = new Identity();
+ identity.setName(creator.getId());
+ context.setAttribute("identity", identity);
+
+ //Create Roles
+ Collection<MembershipEntry> memberships = creator.getMemberships();
+ if(memberships != null && !memberships.isEmpty())
+ {
+ Roles roles = new Roles();
+ for(MembershipEntry membership: memberships)
+ {
+ roles.addName(membership.toString());
+ }
+ context.setAttribute("roles", roles);
+ }
+
+ // Create Action
+ context.setAttribute("action", action);
+
+ return context;
+ }
+}
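Review bot: `testPermission` never exercises `this.guest`, even though the policy provisioned in the base class's `setUp` carries a dedicated guest rule, and `createPortalEnforcementContext` would not represent a guest correctly anyway: it calls `identity.setName(creator.getId())` unconditionally, so a null id is stored as the identity name, and it attaches no guest/anonymous roles. The sibling `accessPortalEnforcementContext` in TestJBossPortalConfigACL (same commit) sets the identity attribute only for a non-null id and maps a null id to the `/platform/guests` and `Roles.ANONYMOUS` roles; this builder should follow the same shape, and a guest assertion should be added once the intended decision for anonymous callers is settled. The roles are built from `membership.toString()`, which presumably yields the `type:group` form used in the provisioned policy — if so, a comment saying that string equality on that form is the match criterion would explain why the fixture's `"whatever:/platform/administrators"` membership lines up with the policy.
```java
    // … unchanged: context, action and resource setup …

    // Create Identity (a guest has no id and gets no identity attribute)
    if (creator.getId() != null)
    {
        Identity identity = new Identity();
        identity.setName(creator.getId());
        context.setAttribute("identity", identity);
    }

    //Create Roles
    Collection<MembershipEntry> memberships = creator.getMemberships();
    if(memberships != null && !memberships.isEmpty())
    {
        // … unchanged: roles built from memberships …
    }
    else if (creator.getId() == null)
    {
        // Anonymous request: same guest roles the provisioned policy refers to
        Roles guest = new Roles();
        guest.addName("/platform/guests"); //Provided via system configuration
        guest.addName(Roles.ANONYMOUS);
        context.setAttribute("roles", guest);
    }

    // … unchanged: action attribute and return …
```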
Added:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossPortalConfigACL.java
===================================================================
---
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossPortalConfigACL.java
(rev 0)
+++
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossPortalConfigACL.java 2009-07-29
22:26:23 UTC (rev 13630)
@@ -0,0 +1,264 @@
+/*
+ * Copyright (C) 2003-2007 eXo Platform SAS.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Affero General Public License
+ * as published by the Free Software Foundation; either version 3
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not,
see<http://www.gnu.org/licenses/>.
+ */
+package org.exoplatform.portal.config.security.jboss;
+
+import java.util.Collection;
+import java.net.URI;
+
+import org.exoplatform.portal.config.model.PortalConfig;
+import org.exoplatform.portal.config.UserACL;
+import org.exoplatform.services.security.MembershipEntry;
+
+import org.jboss.security.authz.agent.services.CompositionContext;
+import org.jboss.security.authz.components.resource.URIResource;
+import org.jboss.security.authz.components.subject.Identity;
+import org.jboss.security.authz.components.subject.Roles;
+import org.jboss.security.authz.components.action.Read;
+import org.jboss.security.authz.components.action.Write;
+import org.jboss.security.authz.model.Effect;
+import org.jboss.security.authz.model.PolicyMetaData;
+import org.jboss.security.authz.agent.enforcement.EnforcementContext;
+
+/**
+ *
+ * @author soshah
+ *
+ */
+public class TestJBossPortalConfigACL extends JBossAbstractTestUserACL
+{
+
+
+ public void testPortalRootAccessOnly() throws Exception
+ {
+ PortalConfig portal = new PortalConfig();
+ portal.setName("foo");
+ this.provisionPortalConfigPolicy(portal);
+
+ this.dumpPolicyRepository();
+
+ this.enforce(this.writePortalEnforcementContext(this.root, portal), true);
+ this.enforce(this.writePortalEnforcementContext(this.administrator, portal), false);
+ this.enforce(this.writePortalEnforcementContext(this.manager, portal), false);
+ this.enforce(this.writePortalEnforcementContext(this.user, portal), false);
+ this.enforce(this.writePortalEnforcementContext(this.guest, portal), false);
+
+ this.enforce(this.readPortalEnforcementContext(this.root, portal), true);
+ this.enforce(this.readPortalEnforcementContext(this.administrator, portal), false);
+ this.enforce(this.readPortalEnforcementContext(this.manager, portal), false);
+ this.enforce(this.readPortalEnforcementContext(this.user, portal), false);
+ this.enforce(this.readPortalEnforcementContext(this.guest, portal), false);
+ }
+
+ public void testPortalOnlyReadAccess() throws Exception
+ {
+ PortalConfig portal = new PortalConfig();
+ portal.setName("foo");
+ portal.setAccessPermissions(new String[]{"manager:/manageable"});
+ this.provisionPortalConfigPolicy(portal);
+
+ this.dumpPolicyRepository();
+
+ this.enforce(this.writePortalEnforcementContext(this.root, portal), true);
+ this.enforce(this.writePortalEnforcementContext(this.administrator, portal), false);
+ this.enforce(this.writePortalEnforcementContext(this.manager, portal), false);
+ this.enforce(this.writePortalEnforcementContext(this.user, portal), false);
+ this.enforce(this.writePortalEnforcementContext(this.guest, portal), false);
+
+ this.enforce(this.readPortalEnforcementContext(this.root, portal), true);
+ this.enforce(this.readPortalEnforcementContext(this.administrator, portal), false);
+ this.enforce(this.readPortalEnforcementContext(this.manager, portal), true);
+ this.enforce(this.readPortalEnforcementContext(this.user, portal), false);
+ this.enforce(this.readPortalEnforcementContext(this.guest, portal), false);
+ }
+
+ public void testPortalEditableAndReadImplied() throws Exception
+ {
+ PortalConfig portal = new PortalConfig();
+ portal.setName("foo");
+ portal.setEditPermission("manager:/manageable");
+ this.provisionPortalConfigPolicy(portal);
+
+ this.dumpPolicyRepository();
+
+ this.enforce(this.writePortalEnforcementContext(this.root, portal), true);
+ this.enforce(this.writePortalEnforcementContext(this.administrator, portal), false);
+ this.enforce(this.writePortalEnforcementContext(this.manager, portal), true);
+ this.enforce(this.writePortalEnforcementContext(this.user, portal), false);
+ this.enforce(this.writePortalEnforcementContext(this.guest, portal), false);
+
+ this.enforce(this.readPortalEnforcementContext(this.root, portal), true);
+ this.enforce(this.readPortalEnforcementContext(this.administrator, portal), false);
+ this.enforce(this.readPortalEnforcementContext(this.manager, portal), true);
+ this.enforce(this.readPortalEnforcementContext(this.user, portal), false);
+ this.enforce(this.readPortalEnforcementContext(this.guest, portal), false);
+ }
+
+ public void testPortalReadAndEditableExplicit() throws Exception
+ {
+ PortalConfig portal = new PortalConfig();
+ portal.setName("foo");
+ portal.setAccessPermissions(new String[]{"manager:/manageable"});
+ portal.setEditPermission("manager:/manageable");
+
+ this.provisionPortalConfigPolicy(portal);
+
+ this.dumpPolicyRepository();
+
+ this.enforce(this.writePortalEnforcementContext(this.root, portal), true);
+ this.enforce(this.writePortalEnforcementContext(this.administrator, portal), false);
+ this.enforce(this.writePortalEnforcementContext(this.manager, portal), true);
+ this.enforce(this.writePortalEnforcementContext(this.user, portal), false);
+ this.enforce(this.writePortalEnforcementContext(this.guest, portal), false);
+
+ this.enforce(this.readPortalEnforcementContext(this.root, portal), true);
+ this.enforce(this.readPortalEnforcementContext(this.administrator, portal), false);
+ this.enforce(this.readPortalEnforcementContext(this.manager, portal), true);
+ this.enforce(this.readPortalEnforcementContext(this.user, portal), false);
+ this.enforce(this.readPortalEnforcementContext(this.guest, portal), false);
+ }
+
//--------------------------------------------------------------------------------------------------------------------------------------------------------------------
+ /**
+ * Provisioning Phase: Provisions the Policy associated with the "Portal".
The Policy Structure is created using "Security Components" whose state is
populated from
+ * state of the PortalConfig object
+ */
+ private void provisionPortalConfigPolicy(PortalConfig portal) throws Exception
+ {
+ // SetUp Resource
+ URIResource target = new URIResource();
+ target.setUri(new URI(portal.getName()));
+
+ // Setup the Context for the Composition with these components
+ CompositionContext context = new CompositionContext();
+ context.setPolicyTarget(target);
+
+ // Read Access
+ if (portal.getAccessPermissions() != null
+ && portal.getAccessPermissions().length > 0)
+ {
+ Roles readRoles = new Roles();
+ String[] accessPermissions = portal.getAccessPermissions();
+ for (String accessPermission : accessPermissions)
+ {
+ readRoles.addName(accessPermission);
+ }
+ context.addPolicyRule(Effect.PERMIT, new Read(), readRoles,
+ "allowExpression");
+ }
+
+ // Write Access
+ String editPermission = portal.getEditPermission();
+ if (editPermission != null && editPermission.trim().length() > 0)
+ {
+ Roles writeRoles = new Roles();
+ writeRoles.addName(editPermission);
+ context.addPolicyRule(Effect.PERMIT, new Write(), writeRoles,
+ "allowExpression");
+ }
+
+ //Super User/Everyone (gives access without further evaluation)
+ org.jboss.security.authz.components.subject.Identity superuser = new
org.jboss.security.authz.components.subject.Identity();
+ superuser.setName(this.root.getId()); //Provided via system configuration
+ Roles everyone = new Roles();
+ everyone.addName(UserACL.EVERYONE);
+
+
+ //Setup the Context for the Composition with these components........
+ context.addPolicyRule(Effect.PERMIT, new Write(), superuser);
+ context.addPolicyRule(Effect.PERMIT, new Write(), everyone,
"allowExpression");
+
+ // Store the policy into the Policy Server
+ PolicyMetaData policyMetaData = this.policyComposer.compose(context);
+ this.provisioner.newPolicy(policyMetaData);
+ }
+
//---------------------------------------------------------------------------------------------------------------------------------------------------------------------
+ /**
+ * Enforcement Phase: Creates an EnforcementContext for an incoming request that is
trying to "Read the Portal Object". The EnforcementContext is populated with
+ * "Security Components" whose state comes from the state of the application
for the incoming thread
+ */
+ private EnforcementContext readPortalEnforcementContext(User user, PortalConfig portal)
throws Exception
+ {
+ //Create an EnforcementContext
+ EnforcementContext context = this.accessPortalEnforcementContext(user, portal);
+
+ // Create Action
+ context.setAttribute("action", new Read());
+
+ return context;
+ }
+
+ /**
+ * Enforcement Phase: Creates an EnforcementContext for an incoming request that is
trying to "Edit the Portal Object". The EnforcementContext is populated with
+ * "Security Components" whose state comes from the state of the application
for the incoming thread
+ */
+ private EnforcementContext writePortalEnforcementContext(User user, PortalConfig
portal) throws Exception
+ {
+ //Create an EnforcementContext
+ EnforcementContext context = this.accessPortalEnforcementContext(user, portal);
+
+ // Create Action
+ context.setAttribute("action", new Write());
+
+ return context;
+ }
+
+
+ private EnforcementContext accessPortalEnforcementContext(User user, PortalConfig
portal) throws Exception
+ {
+ //Create an EnforcementContext
+ EnforcementContext context = new EnforcementContext();
+
+ // Create Resource
+ URIResource portalRes = new URIResource();
+ portalRes.setUri(new URI(portal.getName()));
+ context.setAttribute("resource", portalRes);
+
+ // Create Identity
+ Identity identity = new Identity();
+ if(user.getId() != null)
+ {
+ identity.setName(user.getId());
+ context.setAttribute("identity", identity);
+ }
+
+ //Create Roles
+ Collection<MembershipEntry> memberships = user.getMemberships();
+ if(memberships != null && !memberships.isEmpty())
+ {
+ Roles roles = new Roles();
+ for(MembershipEntry membership: memberships)
+ {
+ roles.addName(membership.toString());
+ }
+ context.setAttribute("roles", roles);
+ }
+ else
+ {
+ //Check to see if this is guest access
+ if(user.getId() == null)
+ {
+ //This is a guest user
+ Roles guest = new Roles();
+ guest.addName("/platform/guests"); //Provided via system configuration
+ guest.addName(Roles.ANONYMOUS);
+
+ context.setAttribute("roles", guest);
+ }
+ }
+
+ return context;
+ }
+}
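Review bot: `provisionPortalConfigPolicy` adds a `Read` rule only when `getAccessPermissions()` is non-empty and gives `superuser` and `writeRoles` a `Write` rule only, yet `testPortalEditableAndReadImplied` expects `manager` to read `foo` with nothing but `setEditPermission`, and every test expects `root` to read it; those outcomes can only hold if the engine treats Write as implying Read (or `"allowExpression"` does), which the policy itself does not state. Either add an explicit `context.addPolicyRule(Effect.PERMIT, new Read(), writeRoles, "allowExpression");` beside the Write rule (and likewise for `superuser`), or document the implication on the test so that a change in engine semantics surfaces as a test failure rather than a silent widening or narrowing of access. The `everyone` Write rule is gated solely by `"allowExpression"`, whose content is not visible here; a comment naming what it checks would tell a reader why it does not grant every authenticated user edit rights on the portal. The superuser/everyone block duplicates the one in `JBossAbstractTestUserACL.provisionCreatePortalPolicy` from this same commit and could move into a protected helper on the base class. `accessPortalEnforcementContext` is the one builder without a Javadoc; one line stating that a null user id sets no identity attribute and maps to the guest/anonymous roles would make the guest path explicit.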