Author: sohil.shah(a)jboss.com Date: 2009-08-01 16:40:35 -0400 (Sat, 01 Aug 2009) New Revision: 13651 Modified: jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/META-INF/authz-config.xml jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/conf/portal/configuration.xml jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/org/exoplatform/portal/config/UserACL.java jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/org/exoplatform/portal/config/UserACLMetaData.java jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/org/exoplatform/portal/jboss/security/provisioning/ExoPolicyProvisioner.java jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossAbstractIntegrationTest.java jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossAbstractTestUserACL.java jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossCreatePortalACL.java Log: UserACL adapted to switch between jboss security impl and exo impl via configuration * both testsuites pass at 100%. this is a baseline before some more tweaking Modified: jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/META-INF/authz-config.xml =================================================================== --- jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/META-INF/authz-config.xml 2009-08-01 15:10:09 UTC (rev 13650) +++ jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/META-INF/authz-config.xml 2009-08-01 20:40:35 UTC (rev 13651) @@ -7,12 +7,22 @@ <property name="policyProvisioner"> <inject bean="/agent/LocalPolicyProvisioner"/> </property> + <!-- + Optional configuration: At this point in the integration cycle, this is optional since the configuration + is overriden by the UserACL configuration + + Later when UserACL relationship to the Provisioner changes, this can possibly change as well and + some properties may not be optional anymore + --> + <!-- <property name="superuser">root</property> + --> <!-- TODO: change the values from whatever:/platform/administrators and whatever:/organization/management/executive-board to *:/platform/administrators and *:/organization/management/executive-board once a custom Roles component is implemented --> + <!-- - <property name="portalCreatorGroups"> <list class="java.util.ArrayList" elementClass="java.lang.String"> <value>whatever:/platform/administrators</value> @@ -21,6 +31,7 @@ </property> <property name="guestGroup">/platform/guests</property> <property name="navigationCreatorMembershipType">manager</property> + --> </bean> <bean name="/exo/jboss/PolicyEnforcementPoint" class="org.exoplatform.portal.jboss.security.enforcement.ExoEnforcementPoint"> Modified: jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/conf/portal/configuration.xml =================================================================== --- jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/conf/portal/configuration.xml 2009-08-01 15:10:09 UTC (rev 13650) +++ jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/conf/portal/configuration.xml 2009-08-01 20:40:35 UTC (rev 13651) @@ -47,6 +47,11 @@ <name>guests.group</name> <description>guests group</description> <value>/platform/guests</value> + </value-param> + <value-param> + <name>activate.jboss.security</name> + <description>Activate/Deactivates Authorization based on JBoss Security Framework</description> + <value>true</value> </value-param> </init-params> </component> Modified: jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/org/exoplatform/portal/config/UserACL.java =================================================================== --- jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/org/exoplatform/portal/config/UserACL.java 2009-08-01 15:10:09 UTC (rev 13650) +++ jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/org/exoplatform/portal/config/UserACL.java 2009-08-01 20:40:35 UTC (rev 13651) @@ -33,6 +33,11 @@ import org.exoplatform.services.security.Identity; import org.exoplatform.services.security.MembershipEntry; +import org.jboss.security.authz.bootstrap.ServiceContainer; +import org.jboss.security.authz.agent.enforcement.EnforcementException; +import org.exoplatform.portal.jboss.security.enforcement.ExoEnforcementPoint; +import org.exoplatform.portal.jboss.security.provisioning.ExoPolicyProvisioner; + /** * Jun 27, 2006 */ @@ -64,6 +69,11 @@ private String adminGroups; private String adminMSType; + + private boolean activateJBossSecurity; + private ExoEnforcementPoint enforcementPoint; + private ExoPolicyProvisioner policyProvisioner; + @SuppressWarnings("unchecked") public UserACL(InitParams params) { @@ -95,8 +105,15 @@ ValueParam adminMSTypeParam = params.getValueParam("portal.administrator.mstype"); if (adminMSTypeParam != null) setAdminMSType(adminMSTypeParam.getValue()); + + //Activate/Deactivate security based on JBoss Security Framework + ValueParam jbossSecurityStatus = params.getValueParam("activate.jboss.security"); + if(jbossSecurityStatus.getValue().equalsIgnoreCase(String.valueOf(Boolean.TRUE))) + { + md.setActivateJBossSecurity(true); + } - init(md); + init(md); } public UserACL(UserACLMetaData md) { @@ -127,6 +144,30 @@ if (md.getPortalCreateGroups() != null) allGroups = md.getPortalCreateGroups(); portalCreatorGroups_ = defragmentPermission(allGroups); + + if(md.isActivateJBossSecurity()) + { + this.activateJBossSecurity = true; + + ServiceContainer.bootstrap(); + this.enforcementPoint = (ExoEnforcementPoint)ServiceContainer.lookup("/exo/jboss/PolicyEnforcementPoint"); + this.policyProvisioner = (ExoPolicyProvisioner)ServiceContainer.lookup("/exo/jboss/PolicyProvisioner"); + + //Override any PolicyProvisioner configuration + this.policyProvisioner.setSuperuser(this.superUser_); + this.policyProvisioner.setGuestGroup(this.guestGroup_); + if(this.navigationCreatorMembershipType_ != null && this.navigationCreatorMembershipType_.trim().length() >0) + { + this.policyProvisioner.setNavigationCreatorMembershipType(this.navigationCreatorMembershipType_); + } + if(this.portalCreatorGroups_ != null && !this.portalCreatorGroups_.isEmpty()) + { + this.policyProvisioner.setPortalCreatorGroups(this.portalCreatorGroups_); + } + + //Initialize the PolicyProvisioner + this.policyProvisioner.initialize(); + } } // TODO: unnecessary to keep potalACLPlugin @@ -275,91 +316,235 @@ // --------------------------------------------------------------------------// private boolean hasPermission(Identity identity, PortalConfig pconfig) { - if (hasPermission(identity, pconfig.getEditPermission())) { - pconfig.setModifiable(true); - return true; - } - pconfig.setModifiable(false); - String[] accessPerms = (pconfig.getAccessPermissions()); - for (String per : accessPerms) { - if (hasPermission(identity, per)) - return true; - } - return false; + if(!this.activateJBossSecurity) + { + if (hasPermission(identity, pconfig.getEditPermission())) { + pconfig.setModifiable(true); + return true; + } + pconfig.setModifiable(false); + String[] accessPerms = (pconfig.getAccessPermissions()); + for (String per : accessPerms) { + if (hasPermission(identity, per)) + return true; + } + return false; + } + else + { + try + { + //Use the JBoss Security Framework + if(this.enforcementPoint.checkWriteAccess(identity, pconfig)) + { + pconfig.setModifiable(true); + return true; + } + pconfig.setModifiable(false); + return this.enforcementPoint.checkReadAccess(identity, pconfig); + } + catch(EnforcementException enfe) + { + //TODO: log this.... + throw new RuntimeException(enfe); + } + } } private boolean hasEditPermission(Identity identity, PortalConfig pconfig) { - if (superUser_.equals(identity.getUserId())) - return true; - return hasPermission(identity, pconfig.getEditPermission()); + if(!this.activateJBossSecurity) + { + if (superUser_.equals(identity.getUserId())) + return true; + return hasPermission(identity, pconfig.getEditPermission()); + } + else + { + try + { + //Use the JBoss Security Framework + return this.enforcementPoint.checkWriteAccess(identity, pconfig); + } + catch(EnforcementException enfe) + { + //TODO: log this.... + throw new RuntimeException(enfe); + } + } } private boolean hasCreatePortalPermission(Identity identity) { - if (superUser_.equals(identity.getUserId())) - return true; - if (portalCreatorGroups_ == null || portalCreatorGroups_.size() < 1) - return false; - for (String ele : portalCreatorGroups_) { - if (hasPermission(identity, ele)) - return true; - } - return false; + + if(!this.activateJBossSecurity) + { + if (superUser_.equals(identity.getUserId())) + return true; + if (portalCreatorGroups_ == null || portalCreatorGroups_.size() < 1) + return false; + for (String ele : portalCreatorGroups_) { + if (hasPermission(identity, ele)) + return true; + } + return false; + } + else + { + try + { + //Use the JBoss Security Framework + return this.enforcementPoint.checkCreatePortalAccess(identity); + } + catch(EnforcementException enfe) + { + //TODO: log this.... + throw new RuntimeException(enfe); + } + } } private boolean hasEditPermission(Identity identity, PageNavigation pageNav) { - if (superUser_.equals(identity.getUserId())) { - pageNav.setModifiable(true); - return true; - } - String ownerType = pageNav.getOwnerType(); - if (PortalConfig.GROUP_TYPE.equals(ownerType)) { - String expPerm = navigationCreatorMembershipType_ + ":/" + pageNav.getOwnerId(); - return hasPermission(identity, expPerm); - } else if (PortalConfig.USER_TYPE.equals(ownerType)) { - return pageNav.getOwnerId().equals(identity.getUserId()); - } - return false; + if(!this.activateJBossSecurity) + { + if (superUser_.equals(identity.getUserId())) { + pageNav.setModifiable(true); + return true; + } + String ownerType = pageNav.getOwnerType(); + if (PortalConfig.GROUP_TYPE.equals(ownerType)) { + String expPerm = navigationCreatorMembershipType_ + ":/" + pageNav.getOwnerId(); + return hasPermission(identity, expPerm); + } else if (PortalConfig.USER_TYPE.equals(ownerType)) { + return pageNav.getOwnerId().equals(identity.getUserId()); + } + return false; + } + else + { + try + { + //Use the JBoss Security Framework + boolean hasWriteAccess = this.enforcementPoint.checkWriteAccess(identity, pageNav); + if(hasWriteAccess && superUser_.equals(identity.getUserId())) + { + pageNav.setModifiable(true); + } + return hasWriteAccess; + } + catch(EnforcementException enfe) + { + //TODO: log this.... + throw new RuntimeException(enfe); + } + } } private boolean hasPermission(Identity identity, Page page) { - if (PortalConfig.USER_TYPE.equals(page.getOwnerType())) { - if (page.getOwnerId().equals(identity.getUserId())) { - page.setModifiable(true); - return true; - } - return false; - } - if (superUser_.equals(identity.getUserId())) { - page.setModifiable(true); - return true; - } - if (hasEditPermission(identity, page)) { - page.setModifiable(true); - return true; - } - page.setModifiable(false); - String[] accessPerms = page.getAccessPermissions(); - for (String per : accessPerms) { - if (hasPermission(identity, per)) - return true; - } - return false; + if(!this.activateJBossSecurity) + { + if (PortalConfig.USER_TYPE.equals(page.getOwnerType())) { + if (page.getOwnerId().equals(identity.getUserId())) { + page.setModifiable(true); + return true; + } + return false; + } + if (superUser_.equals(identity.getUserId())) { + page.setModifiable(true); + return true; + } + if (hasEditPermission(identity, page)) { + page.setModifiable(true); + return true; + } + page.setModifiable(false); + String[] accessPerms = page.getAccessPermissions(); + for (String per : accessPerms) { + if (hasPermission(identity, per)) + return true; + } + return false; + } + else + { + try + { + //TODO: this logic needs to be incorporated into the security framework via custom policy combining algrorithm + /*if (PortalConfig.USER_TYPE.equals(page.getOwnerType())) + { + if (page.getOwnerId().equals(identity.getUserId())) + { + page.setModifiable(true); + return true; + } + return false; + }*/ + + boolean hasWriteAccess = this.enforcementPoint.checkWriteAccess(identity, page); + if(hasWriteAccess) + { + page.setModifiable(true); + return true; + } + + page.setModifiable(false); + return this.enforcementPoint.checkReadAccess(identity, page); + } + catch(EnforcementException enfe) + { + //TODO: log this.... + throw new RuntimeException(enfe); + } + } } private boolean hasEditPermission(Identity identity, Page page) { - if (PortalConfig.USER_TYPE.equals(page.getOwnerType())) { - if (page.getOwnerId().equals(identity.getUserId())) { - page.setModifiable(true); - return true; - } - return false; - } - if (hasPermission(identity, page.getEditPermission())) { - page.setModifiable(true); - return true; - } - page.setModifiable(false); - return false; + if(!this.activateJBossSecurity) + { + if (PortalConfig.USER_TYPE.equals(page.getOwnerType())) { + if (page.getOwnerId().equals(identity.getUserId())) { + page.setModifiable(true); + return true; + } + return false; + } + if (hasPermission(identity, page.getEditPermission())) { + page.setModifiable(true); + return true; + } + page.setModifiable(false); + return false; + } + else + { + try + { + //TODO: this logic needs to be incorporated into the security framework via custom policy combining algrorithm + /*if (PortalConfig.USER_TYPE.equals(page.getOwnerType())) + { + if (page.getOwnerId().equals(identity.getUserId())) + { + page.setModifiable(true); + return true; + } + return false; + }*/ + + boolean hasWriteAccess = this.enforcementPoint.checkWriteAccess(identity, page); + if(hasWriteAccess) + { + page.setModifiable(true); + return true; + } + + page.setModifiable(false); + return false; + } + catch(EnforcementException enfe) + { + //TODO: log this.... + throw new RuntimeException(enfe); + } + } } private Identity getIdentity() { Modified: jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/org/exoplatform/portal/config/UserACLMetaData.java =================================================================== --- jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/org/exoplatform/portal/config/UserACLMetaData.java 2009-08-01 15:10:09 UTC (rev 13650) +++ jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/org/exoplatform/portal/config/UserACLMetaData.java 2009-08-01 20:40:35 UTC (rev 13651) @@ -35,6 +35,8 @@ /** . */ private String portalCreateGroups; + + private boolean activateJBossSecurity; public String getSuperUser() { return superUser; @@ -67,4 +69,14 @@ public void setPortalCreateGroups(String portalCreateGroups) { this.portalCreateGroups = portalCreateGroups; } + + public boolean isActivateJBossSecurity() + { + return activateJBossSecurity; + } + + public void setActivateJBossSecurity(boolean activateJBossSecurity) + { + this.activateJBossSecurity = activateJBossSecurity; + } } Modified: jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/org/exoplatform/portal/jboss/security/provisioning/ExoPolicyProvisioner.java =================================================================== --- jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/org/exoplatform/portal/jboss/security/provisioning/ExoPolicyProvisioner.java 2009-08-01 15:10:09 UTC (rev 13650) +++ jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/org/exoplatform/portal/jboss/security/provisioning/ExoPolicyProvisioner.java 2009-08-01 20:40:35 UTC (rev 13651) @@ -49,9 +49,7 @@ } public void start() - { - this.initializePolicyRepository(); - + { log.debug("----------------------------------------------------------------"); log.debug("Exo-JBoss Policy Provisioner successfully started..............."+this.policyProvisioner); log.debug("----------------------------------------------------------------"); @@ -66,6 +64,11 @@ { this.printPolicyRepository(); } + + public void initialize() + { + this.initializePolicyRepository(); + } //---------------------------------------------------------------------------------------------------------------------------------------------------------------------- public PolicyProvisioner getPolicyProvisioner() { Modified: jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossAbstractIntegrationTest.java =================================================================== --- jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossAbstractIntegrationTest.java 2009-08-01 15:10:09 UTC (rev 13650) +++ jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossAbstractIntegrationTest.java 2009-08-01 20:40:35 UTC (rev 13651) @@ -8,7 +8,9 @@ import org.exoplatform.test.BasicTestCase; import org.exoplatform.portal.jboss.security.provisioning.ExoPolicyProvisioner; -import org.exoplatform.portal.jboss.security.enforcement.ExoEnforcementPoint; +import org.exoplatform.services.security.ConversationState; +import org.exoplatform.portal.config.UserACL; +import org.exoplatform.portal.config.UserACLMetaData; import org.exoplatform.portal.config.model.PortalConfig; import org.exoplatform.portal.config.model.PageNavigation; import org.exoplatform.portal.config.model.Page; @@ -26,17 +28,33 @@ User root, administrator, manager, user, guest; ExoPolicyProvisioner exoPolicyProvisioner; - ExoEnforcementPoint exoEnforcementPoint; + UserACL ua; protected void setUp() throws Exception - { - ServiceContainer.bootstrap(); - - this.exoPolicyProvisioner = (ExoPolicyProvisioner)ServiceContainer.lookup("/exo/jboss/PolicyProvisioner"); - this.exoEnforcementPoint = (ExoEnforcementPoint)ServiceContainer.lookup("/exo/jboss/PolicyEnforcementPoint"); + { + //Setup the UserACL instance + UserACLMetaData md = new UserACLMetaData(); - this.root = new User(this.exoPolicyProvisioner.getSuperuser()); + //Super User and Guest configuration + md.setSuperUser("root"); + md.setGuestsGroups("/platform/guests"); + + //TODO: replace with *:/platform/administrators,*:/organization/management/executive-board, once custom + //Roles component is used + //md.setPortalCreateGroups("*:/platform/administrators,*:/organization/management/executive-board"); + md.setPortalCreateGroups("whatever:/platform/administrators,whatever:/organization/management/executive-board"); + + md.setNavigationCreatorMembershipType("manager"); + md.setActivateJBossSecurity(true); + + //Initializes the UserACL instance + this.ua = new UserACL(md); + + this.exoPolicyProvisioner = (ExoPolicyProvisioner)ServiceContainer.lookup("/exo/jboss/PolicyProvisioner"); + + //SetUp the mock identities + this.root = new User(this.ua.getSuperUser()); this.administrator = new User("administrator"); this.administrator.addMembership("whatever", "/platform/administrators"); @@ -50,121 +68,152 @@ } protected void checkCreatePortalAccess(User user, boolean mustBePermitted) throws Exception - { - boolean access = this.exoEnforcementPoint.checkCreatePortalAccess(user.getIdentity()); - - log.info("-----------------------------------"); - log.info("Decision="+access); - - if(mustBePermitted) - { - assertTrue("Access must be granted!!!", access); - } - else - { - assertFalse("Access must be denied!!!", access); - } + { + ConversationState.setCurrent(new ConversationState(user.getIdentity())); + try + { + boolean access = this.ua.hasCreatePortalPermission(); + + log.info("-----------------------------------"); + log.info("Decision="+access); + + if(mustBePermitted) + { + assertTrue("Access must be granted!!!", access); + } + else + { + assertFalse("Access must be denied!!!", access); + } + } + finally + { + ConversationState.setCurrent(null); + } } protected void checkReadAccess(User user, PortalConfig portal, boolean mustBePermitted) throws Exception { - boolean access = this.exoEnforcementPoint.checkReadAccess(user.getIdentity(), portal); - - log.info("-----------------------------------"); - log.info("Decision="+access); - - if(mustBePermitted) - { - assertTrue("Access must be granted!!!", access); - } - else - { - assertFalse("Access must be denied!!!", access); - } + ConversationState.setCurrent(new ConversationState(user.getIdentity())); + try + { + boolean access = this.ua.hasPermission(portal); + + log.info("-----------------------------------"); + log.info("Decision="+access); + + if(mustBePermitted) + { + assertTrue("Access must be granted!!!", access); + } + else + { + assertFalse("Access must be denied!!!", access); + } + } + finally + { + ConversationState.setCurrent(null); + } } protected void checkWriteAccess(User user, PortalConfig portal, boolean mustBePermitted) throws Exception - { - boolean access = this.exoEnforcementPoint.checkWriteAccess(user.getIdentity(), portal); - - log.info("-----------------------------------"); - log.info("Decision="+access); - - if(mustBePermitted) - { - assertTrue("Access must be granted!!!", access); - } - else - { - assertFalse("Access must be denied!!!", access); - } + { + ConversationState.setCurrent(new ConversationState(user.getIdentity())); + try + { + boolean access = this.ua.hasEditPermission(portal); + + log.info("-----------------------------------"); + log.info("Decision="+access); + + if(mustBePermitted) + { + assertTrue("Access must be granted!!!", access); + } + else + { + assertFalse("Access must be denied!!!", access); + } + } + finally + { + ConversationState.setCurrent(null); + } } - - protected void checkReadAccess(User user, PageNavigation nav, boolean mustBePermitted) throws Exception - { - boolean access = this.exoEnforcementPoint.checkReadAccess(user.getIdentity(), nav); - - log.info("-----------------------------------"); - log.info("Decision="+access); - - if(mustBePermitted) - { - assertTrue("Access must be granted!!!", access); - } - else - { - assertFalse("Access must be denied!!!", access); - } - } - + protected void checkWriteAccess(User user, PageNavigation nav, boolean mustBePermitted) throws Exception - { - boolean access = this.exoEnforcementPoint.checkWriteAccess(user.getIdentity(), nav); - - log.info("-----------------------------------"); - log.info("Decision="+access); - - if(mustBePermitted) - { - assertTrue("Access must be granted!!!", access); - } - else - { - assertFalse("Access must be denied!!!", access); - } + { + ConversationState.setCurrent(new ConversationState(user.getIdentity())); + try + { + boolean access = this.ua.hasEditPermission(nav); + + log.info("-----------------------------------"); + log.info("Decision="+access); + + if(mustBePermitted) + { + assertTrue("Access must be granted!!!", access); + } + else + { + assertFalse("Access must be denied!!!", access); + } + } + finally + { + ConversationState.setCurrent(null); + } } protected void checkReadAccess(User user, Page page, boolean mustBePermitted) throws Exception { - boolean access = this.exoEnforcementPoint.checkReadAccess(user.getIdentity(), page); - - log.info("-----------------------------------"); - log.info("Decision="+access); - - if(mustBePermitted) - { - assertTrue("Access must be granted!!!", access); - } - else - { - assertFalse("Access must be denied!!!", access); - } + ConversationState.setCurrent(new ConversationState(user.getIdentity())); + try + { + boolean access = this.ua.hasPermission(page); + + log.info("-----------------------------------"); + log.info("Decision="+access); + + if(mustBePermitted) + { + assertTrue("Access must be granted!!!", access); + } + else + { + assertFalse("Access must be denied!!!", access); + } + } + finally + { + ConversationState.setCurrent(null); + } } protected void checkWriteAccess(User user, Page page, boolean mustBePermitted) throws Exception { - boolean access = this.exoEnforcementPoint.checkWriteAccess(user.getIdentity(), page); - - log.info("-----------------------------------"); - log.info("Decision="+access); - - if(mustBePermitted) - { - assertTrue("Access must be granted!!!", access); - } - else - { - assertFalse("Access must be denied!!!", access); - } + ConversationState.setCurrent(new ConversationState(user.getIdentity())); + try + { + boolean access = this.ua.hasEditPermission(page); + + log.info("-----------------------------------"); + log.info("Decision="+access); + + if(mustBePermitted) + { + assertTrue("Access must be granted!!!", access); + } + else + { + assertFalse("Access must be denied!!!", access); + } + } + finally + { + ConversationState.setCurrent(null); + } } } Modified: jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossAbstractTestUserACL.java =================================================================== --- jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossAbstractTestUserACL.java 2009-08-01 15:10:09 UTC (rev 13650) +++ jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossAbstractTestUserACL.java 2009-08-01 20:40:35 UTC (rev 13651) @@ -3,6 +3,9 @@ */ package org.exoplatform.portal.config.security.jboss; +import java.util.List; +import java.util.ArrayList; + import org.apache.log4j.Logger; import org.exoplatform.portal.config.UserACL; @@ -32,6 +35,7 @@ String navigationCreatorMembershipType_; String superuser_; String guestGroup_; + List<String> portalCreatorGroups; PolicyComposer policyComposer; @@ -50,10 +54,18 @@ //via system configuration this.navigationCreatorMembershipType_ = "manager"; - this.superuser_ = "root"; - + this.superuser_ = "root"; this.guestGroup_ = "/platform/guests"; + //TODO: replace with *:/platform/administrators,*:/organization/management/executive-board, once custom + //Roles component is used + this.portalCreatorGroups = new ArrayList<String>(); + //this.portalCreatorGroups.add("*:/platform/administrators"); + //this.portalCreatorGroups.add("*:/organization/management/executive-board"); + this.portalCreatorGroups.add("whatever:/platform/administrators"); + this.portalCreatorGroups.add("whatever:/organization/management/executive-board"); + + //Setup mock identities this.root = new User(this.superuser_); this.administrator = new User("administrator"); Modified: jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossCreatePortalACL.java =================================================================== --- jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossCreatePortalACL.java 2009-08-01 15:10:09 UTC (rev 13650) +++ jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossCreatePortalACL.java 2009-08-01 20:40:35 UTC (rev 13651) @@ -23,9 +23,11 @@ import org.exoplatform.services.security.MembershipEntry; import org.jboss.security.authz.agent.enforcement.EnforcementContext; +import org.jboss.security.authz.agent.services.CompositionContext; import org.jboss.security.authz.components.resource.URIResource; import org.jboss.security.authz.components.subject.Roles; import org.jboss.security.authz.components.subject.Identity; +import org.jboss.security.authz.model.Effect; /** * @author soshah @@ -35,6 +37,7 @@ { public void testCreatePortal() throws Exception { + this.provisionCreatePortalPolicy(); this.dumpPolicyRepository(); // Generate an EnforcementContext to see if the superuser and administrator @@ -49,6 +52,38 @@ this.enforce(this.createPortalEnforcementContext(this.user), false); } // ---------------------------------------------------------------------------------------------------------------------------------------------------------------- + private void provisionCreatePortalPolicy() throws Exception + { + CompositionContext context = new CompositionContext(); + + //Using the custom "CreatePortal" "Security Component" + CreatePortal action = new CreatePortal(); + URIResource resource = new URIResource(); + resource.setUri(new URI(action.getName())); + context.setPolicyTarget(resource); + + // Super User... Supers Users have access to everything + org.jboss.security.authz.components.subject.Identity superuser = new org.jboss.security.authz.components.subject.Identity(); + superuser.setName(this.root.getId()); + context.addPolicyRule(Effect.PERMIT, action, superuser); + + // PortalCreators Group.... + if(this.portalCreatorGroups != null && !this.portalCreatorGroups.isEmpty()) + { + Roles portalCreators = new Roles(); + + for(String portalCreatorGroup: this.portalCreatorGroups) + { + portalCreators.addName(portalCreatorGroup); + } + + context.addPolicyRule(Effect.PERMIT, action, portalCreators, + "allowExpression"); + } + + this.provisioner.composeAndDeploy(context); + } + /** * Enforcement Phase: Creates an EnforcementContext for an incoming request * that is trying to "Create a New Portal". The EnforcementContext is