Author: sohil.shah(a)jboss.com
Date: 2009-08-01 16:40:35 -0400 (Sat, 01 Aug 2009)
New Revision: 13651
Modified:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/META-INF/authz-config.xml
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/conf/portal/configuration.xml
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/org/exoplatform/portal/config/UserACL.java
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/org/exoplatform/portal/config/UserACLMetaData.java
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/org/exoplatform/portal/jboss/security/provisioning/ExoPolicyProvisioner.java
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossAbstractIntegrationTest.java
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossAbstractTestUserACL.java
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossCreatePortalACL.java
Log:
UserACL adapted to switch between the JBoss Security implementation and the eXo implementation via configuration
* both test suites pass at 100%. This is a baseline before some more tweaking.
Modified:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/META-INF/authz-config.xml
===================================================================
---
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/META-INF/authz-config.xml 2009-08-01
15:10:09 UTC (rev 13650)
+++
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/META-INF/authz-config.xml 2009-08-01
20:40:35 UTC (rev 13651)
@@ -7,12 +7,22 @@
<property name="policyProvisioner">
<inject bean="/agent/LocalPolicyProvisioner"/>
</property>
+ <!--
+ Optional configuration: At this point in the integration cycle, this is optional
since the configuration
+ is overriden by the UserACL configuration
+
+ Later when UserACL relationship to the Provisioner changes, this can possibly
change as well and
+ some properties may not be optional anymore
+ -->
+ <!--
<property name="superuser">root</property>
+ -->
<!--
TODO: change the values from whatever:/platform/administrators and
whatever:/organization/management/executive-board
to *:/platform/administrators and *:/organization/management/executive-board
once a custom Roles component is implemented
-->
+ <!-- -
<property name="portalCreatorGroups">
<list class="java.util.ArrayList"
elementClass="java.lang.String">
<value>whatever:/platform/administrators</value>
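Review bot: The comment added at L29-37 says the provisioner's `superuser` and group properties are "overridden by the UserACL configuration", but with `superuser`, `portalCreatorGroups`, `guestGroup` and `navigationCreatorMembershipType` all commented out the bean now has no superuser, no creator groups and no guest group until `UserACL.init()` pushes them, and nothing here fails if that never happens (JBoss security deactivated, or a consumer that bootstraps the `ServiceContainer` directly as the old integration test did). State that dependency plainly in the comment, e.g. `These properties are intentionally unset: UserACL.init() is the only source of the superuser, guest group and creator groups; a ServiceContainer bootstrapped without a UserACL has an unconfigured provisioner.` Whether the enforcement point denies by default against an unconfigured provisioner is not visible in this diff and is worth confirming before this leaves the sandbox.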
@@ -21,6 +31,7 @@
</property>
<property name="guestGroup">/platform/guests</property>
<property
name="navigationCreatorMembershipType">manager</property>
+ -->
</bean>
<bean name="/exo/jboss/PolicyEnforcementPoint"
class="org.exoplatform.portal.jboss.security.enforcement.ExoEnforcementPoint">
Modified:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/conf/portal/configuration.xml
===================================================================
---
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/conf/portal/configuration.xml 2009-08-01
15:10:09 UTC (rev 13650)
+++
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/conf/portal/configuration.xml 2009-08-01
20:40:35 UTC (rev 13651)
@@ -47,6 +47,11 @@
<name>guests.group</name>
<description>guests group</description>
<value>/platform/guests</value>
+ </value-param>
+ <value-param>
+ <name>activate.jboss.security</name>
+ <description>Activate/Deactivates Authorization based on JBoss Security
Framework</description>
+ <value>true</value>
</value-param>
</init-params>
</component>
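Review bot: The new `activate.jboss.security` parameter at L75-80 defaults to `true`, which makes the sandbox JBoss authorization path the active authority for every deployment using this configuration, and the description does not say what a non-`true` value does. Based on the UserACL change in this commit, only a value matching `true` case-insensitively enables it and anything else falls back to the legacy eXo ACL checks; spell that out: `<description>When "true" (case-insensitive), UserACL delegates all authorization decisions to the JBoss Security Framework enforcement point and configures the policy provisioner from this component's superuser, guest-group and creator-group params; any other value keeps the built-in eXo ACL checks</description>`.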
Modified:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/org/exoplatform/portal/config/UserACL.java
===================================================================
---
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/org/exoplatform/portal/config/UserACL.java 2009-08-01
15:10:09 UTC (rev 13650)
+++
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/org/exoplatform/portal/config/UserACL.java 2009-08-01
20:40:35 UTC (rev 13651)
@@ -33,6 +33,11 @@
import org.exoplatform.services.security.Identity;
import org.exoplatform.services.security.MembershipEntry;
+import org.jboss.security.authz.bootstrap.ServiceContainer;
+import org.jboss.security.authz.agent.enforcement.EnforcementException;
+import org.exoplatform.portal.jboss.security.enforcement.ExoEnforcementPoint;
+import org.exoplatform.portal.jboss.security.provisioning.ExoPolicyProvisioner;
+
/**
* Jun 27, 2006
*/
@@ -64,6 +69,11 @@
private String adminGroups;
private String adminMSType;
+
+ private boolean activateJBossSecurity;
+ private ExoEnforcementPoint enforcementPoint;
+ private ExoPolicyProvisioner policyProvisioner;
+
@SuppressWarnings("unchecked")
public UserACL(InitParams params) {
@@ -95,8 +105,15 @@
ValueParam adminMSTypeParam =
params.getValueParam("portal.administrator.mstype");
if (adminMSTypeParam != null)
setAdminMSType(adminMSTypeParam.getValue());
+
+ //Activate/Deactivate security based on JBoss Security Framework
+ ValueParam jbossSecurityStatus =
params.getValueParam("activate.jboss.security");
+ if(jbossSecurityStatus.getValue().equalsIgnoreCase(String.valueOf(Boolean.TRUE)))
+ {
+ md.setActivateJBossSecurity(true);
+ }
- init(md);
+ init(md);
}
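Review bot: `jbossSecurityStatus.getValue()` at L122 dereferences the `ValueParam` without the `!= null` guard every other param in this constructor gets (e.g. `adminMSTypeParam` at L116), so any deployment whose configuration.xml lacks `activate.jboss.security` fails with a NullPointerException while constructing `UserACL`. Replace the check with `if (jbossSecurityStatus != null && Boolean.parseBoolean(jbossSecurityStatus.getValue()))`, which keeps the case-insensitive match and treats an absent parameter as "off" (the legacy eXo checks). `UserACL(InitParams)` begins before this hunk.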
public UserACL(UserACLMetaData md) {
@@ -127,6 +144,30 @@
if (md.getPortalCreateGroups() != null)
allGroups = md.getPortalCreateGroups();
portalCreatorGroups_ = defragmentPermission(allGroups);
+
+ if(md.isActivateJBossSecurity())
+ {
+ this.activateJBossSecurity = true;
+
+ ServiceContainer.bootstrap();
+ this.enforcementPoint =
(ExoEnforcementPoint)ServiceContainer.lookup("/exo/jboss/PolicyEnforcementPoint");
+ this.policyProvisioner =
(ExoPolicyProvisioner)ServiceContainer.lookup("/exo/jboss/PolicyProvisioner");
+
+ //Override any PolicyProvisioner configuration
+ this.policyProvisioner.setSuperuser(this.superUser_);
+ this.policyProvisioner.setGuestGroup(this.guestGroup_);
+ if(this.navigationCreatorMembershipType_ != null &&
this.navigationCreatorMembershipType_.trim().length() >0)
+ {
+
this.policyProvisioner.setNavigationCreatorMembershipType(this.navigationCreatorMembershipType_);
+ }
+ if(this.portalCreatorGroups_ != null &&
!this.portalCreatorGroups_.isEmpty())
+ {
+ this.policyProvisioner.setPortalCreatorGroups(this.portalCreatorGroups_);
+ }
+
+ //Initialize the PolicyProvisioner
+ this.policyProvisioner.initialize();
+ }
}
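Review bot: The two `ServiceContainer.lookup(...)` casts at L140-143 are used immediately without a null check, so a missing or misnamed bean surfaces as a NullPointerException at `setSuperuser` rather than as a clear configuration error in the authorization layer. Add after the lookups `if (this.enforcementPoint == null || this.policyProvisioner == null) throw new IllegalStateException("activate.jboss.security is on but the JBoss enforcement point / policy provisioner beans are not registered");`. Note also that `setSuperuser(this.superUser_)` and `setGuestGroup(this.guestGroup_)` are pushed unconditionally while the other two values are guarded for null/empty; with the XML defaults now commented out, a null `superUser_` leaves the provisioner without any superuser rather than falling back to a configured one, so either guard them the same way or fail explicitly. `init(UserACLMetaData)` starts before this hunk.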
// TODO: unnecessary to keep potalACLPlugin
@@ -275,91 +316,235 @@
// --------------------------------------------------------------------------//
private boolean hasPermission(Identity identity, PortalConfig pconfig) {
- if (hasPermission(identity, pconfig.getEditPermission())) {
- pconfig.setModifiable(true);
- return true;
- }
- pconfig.setModifiable(false);
- String[] accessPerms = (pconfig.getAccessPermissions());
- for (String per : accessPerms) {
- if (hasPermission(identity, per))
- return true;
- }
- return false;
+ if(!this.activateJBossSecurity)
+ {
+ if (hasPermission(identity, pconfig.getEditPermission())) {
+ pconfig.setModifiable(true);
+ return true;
+ }
+ pconfig.setModifiable(false);
+ String[] accessPerms = (pconfig.getAccessPermissions());
+ for (String per : accessPerms) {
+ if (hasPermission(identity, per))
+ return true;
+ }
+ return false;
+ }
+ else
+ {
+ try
+ {
+ //Use the JBoss Security Framework
+ if(this.enforcementPoint.checkWriteAccess(identity, pconfig))
+ {
+ pconfig.setModifiable(true);
+ return true;
+ }
+ pconfig.setModifiable(false);
+ return this.enforcementPoint.checkReadAccess(identity, pconfig);
+ }
+ catch(EnforcementException enfe)
+ {
+ //TODO: log this....
+ throw new RuntimeException(enfe);
+ }
+ }
}
private boolean hasEditPermission(Identity identity, PortalConfig pconfig) {
- if (superUser_.equals(identity.getUserId()))
- return true;
- return hasPermission(identity, pconfig.getEditPermission());
+ if(!this.activateJBossSecurity)
+ {
+ if (superUser_.equals(identity.getUserId()))
+ return true;
+ return hasPermission(identity, pconfig.getEditPermission());
+ }
+ else
+ {
+ try
+ {
+ //Use the JBoss Security Framework
+ return this.enforcementPoint.checkWriteAccess(identity, pconfig);
+ }
+ catch(EnforcementException enfe)
+ {
+ //TODO: log this....
+ throw new RuntimeException(enfe);
+ }
+ }
}
private boolean hasCreatePortalPermission(Identity identity) {
- if (superUser_.equals(identity.getUserId()))
- return true;
- if (portalCreatorGroups_ == null || portalCreatorGroups_.size() < 1)
- return false;
- for (String ele : portalCreatorGroups_) {
- if (hasPermission(identity, ele))
- return true;
- }
- return false;
+
+ if(!this.activateJBossSecurity)
+ {
+ if (superUser_.equals(identity.getUserId()))
+ return true;
+ if (portalCreatorGroups_ == null || portalCreatorGroups_.size() < 1)
+ return false;
+ for (String ele : portalCreatorGroups_) {
+ if (hasPermission(identity, ele))
+ return true;
+ }
+ return false;
+ }
+ else
+ {
+ try
+ {
+ //Use the JBoss Security Framework
+ return this.enforcementPoint.checkCreatePortalAccess(identity);
+ }
+ catch(EnforcementException enfe)
+ {
+ //TODO: log this....
+ throw new RuntimeException(enfe);
+ }
+ }
}
private boolean hasEditPermission(Identity identity, PageNavigation pageNav) {
- if (superUser_.equals(identity.getUserId())) {
- pageNav.setModifiable(true);
- return true;
- }
- String ownerType = pageNav.getOwnerType();
- if (PortalConfig.GROUP_TYPE.equals(ownerType)) {
- String expPerm = navigationCreatorMembershipType_ + ":/" +
pageNav.getOwnerId();
- return hasPermission(identity, expPerm);
- } else if (PortalConfig.USER_TYPE.equals(ownerType)) {
- return pageNav.getOwnerId().equals(identity.getUserId());
- }
- return false;
+ if(!this.activateJBossSecurity)
+ {
+ if (superUser_.equals(identity.getUserId())) {
+ pageNav.setModifiable(true);
+ return true;
+ }
+ String ownerType = pageNav.getOwnerType();
+ if (PortalConfig.GROUP_TYPE.equals(ownerType)) {
+ String expPerm = navigationCreatorMembershipType_ + ":/" +
pageNav.getOwnerId();
+ return hasPermission(identity, expPerm);
+ } else if (PortalConfig.USER_TYPE.equals(ownerType)) {
+ return pageNav.getOwnerId().equals(identity.getUserId());
+ }
+ return false;
+ }
+ else
+ {
+ try
+ {
+ //Use the JBoss Security Framework
+ boolean hasWriteAccess = this.enforcementPoint.checkWriteAccess(identity, pageNav);
+ if(hasWriteAccess && superUser_.equals(identity.getUserId()))
+ {
+ pageNav.setModifiable(true);
+ }
+ return hasWriteAccess;
+ }
+ catch(EnforcementException enfe)
+ {
+ //TODO: log this....
+ throw new RuntimeException(enfe);
+ }
+ }
}
private boolean hasPermission(Identity identity, Page page) {
- if (PortalConfig.USER_TYPE.equals(page.getOwnerType())) {
- if (page.getOwnerId().equals(identity.getUserId())) {
- page.setModifiable(true);
- return true;
- }
- return false;
- }
- if (superUser_.equals(identity.getUserId())) {
- page.setModifiable(true);
- return true;
- }
- if (hasEditPermission(identity, page)) {
- page.setModifiable(true);
- return true;
- }
- page.setModifiable(false);
- String[] accessPerms = page.getAccessPermissions();
- for (String per : accessPerms) {
- if (hasPermission(identity, per))
- return true;
- }
- return false;
+ if(!this.activateJBossSecurity)
+ {
+ if (PortalConfig.USER_TYPE.equals(page.getOwnerType())) {
+ if (page.getOwnerId().equals(identity.getUserId())) {
+ page.setModifiable(true);
+ return true;
+ }
+ return false;
+ }
+ if (superUser_.equals(identity.getUserId())) {
+ page.setModifiable(true);
+ return true;
+ }
+ if (hasEditPermission(identity, page)) {
+ page.setModifiable(true);
+ return true;
+ }
+ page.setModifiable(false);
+ String[] accessPerms = page.getAccessPermissions();
+ for (String per : accessPerms) {
+ if (hasPermission(identity, per))
+ return true;
+ }
+ return false;
+ }
+ else
+ {
+ try
+ {
+ //TODO: this logic needs to be incorporated into the security framework via custom
policy combining algrorithm
+ /*if (PortalConfig.USER_TYPE.equals(page.getOwnerType()))
+ {
+ if (page.getOwnerId().equals(identity.getUserId()))
+ {
+ page.setModifiable(true);
+ return true;
+ }
+ return false;
+ }*/
+
+ boolean hasWriteAccess = this.enforcementPoint.checkWriteAccess(identity, page);
+ if(hasWriteAccess)
+ {
+ page.setModifiable(true);
+ return true;
+ }
+
+ page.setModifiable(false);
+ return this.enforcementPoint.checkReadAccess(identity, page);
+ }
+ catch(EnforcementException enfe)
+ {
+ //TODO: log this....
+ throw new RuntimeException(enfe);
+ }
+ }
}
private boolean hasEditPermission(Identity identity, Page page) {
- if (PortalConfig.USER_TYPE.equals(page.getOwnerType())) {
- if (page.getOwnerId().equals(identity.getUserId())) {
- page.setModifiable(true);
- return true;
- }
- return false;
- }
- if (hasPermission(identity, page.getEditPermission())) {
- page.setModifiable(true);
- return true;
- }
- page.setModifiable(false);
- return false;
+ if(!this.activateJBossSecurity)
+ {
+ if (PortalConfig.USER_TYPE.equals(page.getOwnerType())) {
+ if (page.getOwnerId().equals(identity.getUserId())) {
+ page.setModifiable(true);
+ return true;
+ }
+ return false;
+ }
+ if (hasPermission(identity, page.getEditPermission())) {
+ page.setModifiable(true);
+ return true;
+ }
+ page.setModifiable(false);
+ return false;
+ }
+ else
+ {
+ try
+ {
+ //TODO: this logic needs to be incorporated into the security framework via custom
policy combining algrorithm
+ /*if (PortalConfig.USER_TYPE.equals(page.getOwnerType()))
+ {
+ if (page.getOwnerId().equals(identity.getUserId()))
+ {
+ page.setModifiable(true);
+ return true;
+ }
+ return false;
+ }*/
+
+ boolean hasWriteAccess = this.enforcementPoint.checkWriteAccess(identity, page);
+ if(hasWriteAccess)
+ {
+ page.setModifiable(true);
+ return true;
+ }
+
+ page.setModifiable(false);
+ return false;
+ }
+ catch(EnforcementException enfe)
+ {
+ //TODO: log this....
+ throw new RuntimeException(enfe);
+ }
+ }
}
private Identity getIdentity() {
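Review bot: In the JBoss branches of `hasPermission(Identity, Page)` and `hasEditPermission(Identity, Page)` the owner-only rule for `PortalConfig.USER_TYPE` pages is commented out (the `/*if (PortalConfig.USER_TYPE...` blocks at L377-385 and L440-448), so a user-owned page is now decided entirely by the enforcement point, whereas the legacy branch returns false for anyone but the owner. Unless `ExoEnforcementPoint`'s policies already encode that rule, which is not visible in this diff, a user's private page becomes accessible to whoever matches the policies the provisioner composed, and the superuser, whom the legacy branch also denies on user pages, may now be granted access. Until the custom combining algorithm the TODO mentions exists, uncomment that owner check in both methods so it runs as a pre-filter in front of the `checkWriteAccess`/`checkReadAccess` calls. The `catch (EnforcementException enfe) { //TODO: log this.... throw new RuntimeException(enfe); }` pattern is repeated five times; a private helper that logs and wraps once would remove the duplication and the five open TODOs.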
Modified:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/org/exoplatform/portal/config/UserACLMetaData.java
===================================================================
---
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/org/exoplatform/portal/config/UserACLMetaData.java 2009-08-01
15:10:09 UTC (rev 13650)
+++
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/org/exoplatform/portal/config/UserACLMetaData.java 2009-08-01
20:40:35 UTC (rev 13651)
@@ -35,6 +35,8 @@
/** . */
private String portalCreateGroups;
+
+ private boolean activateJBossSecurity;
public String getSuperUser() {
return superUser;
@@ -67,4 +69,14 @@
public void setPortalCreateGroups(String portalCreateGroups) {
this.portalCreateGroups = portalCreateGroups;
}
+
+ public boolean isActivateJBossSecurity()
+ {
+ return activateJBossSecurity;
+ }
+
+ public void setActivateJBossSecurity(boolean activateJBossSecurity)
+ {
+ this.activateJBossSecurity = activateJBossSecurity;
+ }
}
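Review bot: The new accessor pair at L489-497 has no Javadoc, while the other fields in this class at least carry `/** . */` placeholders; a flag that swaps the entire authorization backend deserves a real one. Suggest on the getter `/** When true, UserACL bypasses its built-in eXo checks and delegates every decision to the JBoss enforcement point looked up from the ServiceContainer; defaults to false. */` and on the setter `/** Enables or disables JBoss-Security-based authorization for the UserACL built from this metadata. */`.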
Modified:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/org/exoplatform/portal/jboss/security/provisioning/ExoPolicyProvisioner.java
===================================================================
---
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/org/exoplatform/portal/jboss/security/provisioning/ExoPolicyProvisioner.java 2009-08-01
15:10:09 UTC (rev 13650)
+++
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/org/exoplatform/portal/jboss/security/provisioning/ExoPolicyProvisioner.java 2009-08-01
20:40:35 UTC (rev 13651)
@@ -49,9 +49,7 @@
}
public void start()
- {
- this.initializePolicyRepository();
-
+ {
log.debug("----------------------------------------------------------------");
log.debug("Exo-JBoss Policy Provisioner successfully
started..............."+this.policyProvisioner);
log.debug("----------------------------------------------------------------");
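Review bot: `start()` no longer calls `initializePolicyRepository()` (removed at L512) yet still logs "successfully started" at L516-517, so the log claims a working provisioner whose policy repository is in fact empty until `initialize()` is invoked by `UserACL.init()`. Adjust the message to reflect the new lifecycle, e.g. `log.debug("Exo-JBoss Policy Provisioner started; policy repository is empty until initialize() is called: " + this.policyProvisioner);`. `start()` continues past the end of this hunk.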
@@ -66,6 +64,11 @@
{
this.printPolicyRepository();
}
+
+ public void initialize()
+ {
+ this.initializePolicyRepository();
+ }
//----------------------------------------------------------------------------------------------------------------------------------------------------------------------
public PolicyProvisioner getPolicyProvisioner()
{
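Review bot: `initialize()` at L524-527 is public and is now called from `UserACL.init()` for every `UserACL` constructed with JBoss security on, and nothing visible prevents it from running `initializePolicyRepository()` more than once against the same container-scoped provisioner; whether that re-deploys or duplicates policies is not visible here. Either make it idempotent with a guard such as `if (initialized) return;` plus setting the flag after the call, or document the contract in Javadoc: `/** Builds the policy repository from the configured superuser/guest/creator values; must be called exactly once, after those values have been set. */`.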
Modified:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossAbstractIntegrationTest.java
===================================================================
---
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossAbstractIntegrationTest.java 2009-08-01
15:10:09 UTC (rev 13650)
+++
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossAbstractIntegrationTest.java 2009-08-01
20:40:35 UTC (rev 13651)
@@ -8,7 +8,9 @@
import org.exoplatform.test.BasicTestCase;
import org.exoplatform.portal.jboss.security.provisioning.ExoPolicyProvisioner;
-import org.exoplatform.portal.jboss.security.enforcement.ExoEnforcementPoint;
+import org.exoplatform.services.security.ConversationState;
+import org.exoplatform.portal.config.UserACL;
+import org.exoplatform.portal.config.UserACLMetaData;
import org.exoplatform.portal.config.model.PortalConfig;
import org.exoplatform.portal.config.model.PageNavigation;
import org.exoplatform.portal.config.model.Page;
@@ -26,17 +28,33 @@
User root, administrator, manager, user, guest;
ExoPolicyProvisioner exoPolicyProvisioner;
- ExoEnforcementPoint exoEnforcementPoint;
+ UserACL ua;
protected void setUp() throws Exception
- {
- ServiceContainer.bootstrap();
-
- this.exoPolicyProvisioner =
(ExoPolicyProvisioner)ServiceContainer.lookup("/exo/jboss/PolicyProvisioner");
- this.exoEnforcementPoint =
(ExoEnforcementPoint)ServiceContainer.lookup("/exo/jboss/PolicyEnforcementPoint");
+ {
+ //Setup the UserACL instance
+ UserACLMetaData md = new UserACLMetaData();
- this.root = new User(this.exoPolicyProvisioner.getSuperuser());
+ //Super User and Guest configuration
+ md.setSuperUser("root");
+ md.setGuestsGroups("/platform/guests");
+
+ //TODO: replace with
*:/platform/administrators,*:/organization/management/executive-board, once custom
+ //Roles component is used
+
//md.setPortalCreateGroups("*:/platform/administrators,*:/organization/management/executive-board");
+
md.setPortalCreateGroups("whatever:/platform/administrators,whatever:/organization/management/executive-board");
+
+ md.setNavigationCreatorMembershipType("manager");
+ md.setActivateJBossSecurity(true);
+
+ //Initializes the UserACL instance
+ this.ua = new UserACL(md);
+
+ this.exoPolicyProvisioner =
(ExoPolicyProvisioner)ServiceContainer.lookup("/exo/jboss/PolicyProvisioner");
+
+ //SetUp the mock identities
+ this.root = new User(this.ua.getSuperUser());
this.administrator = new User("administrator");
this.administrator.addMembership("whatever",
"/platform/administrators");
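Review bot: `setUp()` looks up `exoPolicyProvisioner` at L585-586 but no longer asserts anything about it, so the commit's claim that UserACL overrides the provisioner's configuration is not checked here even though the XML defaults were commented out in this same commit. Add after the lookup `assertEquals("root", this.exoPolicyProvisioner.getSuperuser());` (and the guest group if a matching getter exists) so a regression that leaves the provisioner unconfigured fails at setup rather than as an unexplained access decision. The identities here use the `whatever` membership type for both policy and user, matching the TODO at L571-573, so the wildcard case is intentionally not exercised yet.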
@@ -50,121 +68,152 @@
}
protected void checkCreatePortalAccess(User user, boolean mustBePermitted) throws
Exception
- {
- boolean access =
this.exoEnforcementPoint.checkCreatePortalAccess(user.getIdentity());
-
- log.info("-----------------------------------");
- log.info("Decision="+access);
-
- if(mustBePermitted)
- {
- assertTrue("Access must be granted!!!", access);
- }
- else
- {
- assertFalse("Access must be denied!!!", access);
- }
+ {
+ ConversationState.setCurrent(new ConversationState(user.getIdentity()));
+ try
+ {
+ boolean access = this.ua.hasCreatePortalPermission();
+
+ log.info("-----------------------------------");
+ log.info("Decision="+access);
+
+ if(mustBePermitted)
+ {
+ assertTrue("Access must be granted!!!", access);
+ }
+ else
+ {
+ assertFalse("Access must be denied!!!", access);
+ }
+ }
+ finally
+ {
+ ConversationState.setCurrent(null);
+ }
}
protected void checkReadAccess(User user, PortalConfig portal, boolean mustBePermitted)
throws Exception
{
- boolean access = this.exoEnforcementPoint.checkReadAccess(user.getIdentity(),
portal);
-
- log.info("-----------------------------------");
- log.info("Decision="+access);
-
- if(mustBePermitted)
- {
- assertTrue("Access must be granted!!!", access);
- }
- else
- {
- assertFalse("Access must be denied!!!", access);
- }
+ ConversationState.setCurrent(new ConversationState(user.getIdentity()));
+ try
+ {
+ boolean access = this.ua.hasPermission(portal);
+
+ log.info("-----------------------------------");
+ log.info("Decision="+access);
+
+ if(mustBePermitted)
+ {
+ assertTrue("Access must be granted!!!", access);
+ }
+ else
+ {
+ assertFalse("Access must be denied!!!", access);
+ }
+ }
+ finally
+ {
+ ConversationState.setCurrent(null);
+ }
}
protected void checkWriteAccess(User user, PortalConfig portal, boolean mustBePermitted)
throws Exception
- {
- boolean access = this.exoEnforcementPoint.checkWriteAccess(user.getIdentity(),
portal);
-
- log.info("-----------------------------------");
- log.info("Decision="+access);
-
- if(mustBePermitted)
- {
- assertTrue("Access must be granted!!!", access);
- }
- else
- {
- assertFalse("Access must be denied!!!", access);
- }
+ {
+ ConversationState.setCurrent(new ConversationState(user.getIdentity()));
+ try
+ {
+ boolean access = this.ua.hasEditPermission(portal);
+
+ log.info("-----------------------------------");
+ log.info("Decision="+access);
+
+ if(mustBePermitted)
+ {
+ assertTrue("Access must be granted!!!", access);
+ }
+ else
+ {
+ assertFalse("Access must be denied!!!", access);
+ }
+ }
+ finally
+ {
+ ConversationState.setCurrent(null);
+ }
}
-
- protected void checkReadAccess(User user, PageNavigation nav, boolean mustBePermitted)
throws Exception
- {
- boolean access = this.exoEnforcementPoint.checkReadAccess(user.getIdentity(), nav);
-
- log.info("-----------------------------------");
- log.info("Decision="+access);
-
- if(mustBePermitted)
- {
- assertTrue("Access must be granted!!!", access);
- }
- else
- {
- assertFalse("Access must be denied!!!", access);
- }
- }
-
+
protected void checkWriteAccess(User user, PageNavigation nav, boolean mustBePermitted)
throws Exception
- {
- boolean access = this.exoEnforcementPoint.checkWriteAccess(user.getIdentity(),
nav);
-
- log.info("-----------------------------------");
- log.info("Decision="+access);
-
- if(mustBePermitted)
- {
- assertTrue("Access must be granted!!!", access);
- }
- else
- {
- assertFalse("Access must be denied!!!", access);
- }
+ {
+ ConversationState.setCurrent(new ConversationState(user.getIdentity()));
+ try
+ {
+ boolean access = this.ua.hasEditPermission(nav);
+
+ log.info("-----------------------------------");
+ log.info("Decision="+access);
+
+ if(mustBePermitted)
+ {
+ assertTrue("Access must be granted!!!", access);
+ }
+ else
+ {
+ assertFalse("Access must be denied!!!", access);
+ }
+ }
+ finally
+ {
+ ConversationState.setCurrent(null);
+ }
}
protected void checkReadAccess(User user, Page page, boolean mustBePermitted) throws
Exception
{
- boolean access = this.exoEnforcementPoint.checkReadAccess(user.getIdentity(),
page);
-
- log.info("-----------------------------------");
- log.info("Decision="+access);
-
- if(mustBePermitted)
- {
- assertTrue("Access must be granted!!!", access);
- }
- else
- {
- assertFalse("Access must be denied!!!", access);
- }
+ ConversationState.setCurrent(new ConversationState(user.getIdentity()));
+ try
+ {
+ boolean access = this.ua.hasPermission(page);
+
+ log.info("-----------------------------------");
+ log.info("Decision="+access);
+
+ if(mustBePermitted)
+ {
+ assertTrue("Access must be granted!!!", access);
+ }
+ else
+ {
+ assertFalse("Access must be denied!!!", access);
+ }
+ }
+ finally
+ {
+ ConversationState.setCurrent(null);
+ }
}
protected void checkWriteAccess(User user, Page page, boolean mustBePermitted) throws
Exception
{
- boolean access = this.exoEnforcementPoint.checkWriteAccess(user.getIdentity(),
page);
-
- log.info("-----------------------------------");
- log.info("Decision="+access);
-
- if(mustBePermitted)
- {
- assertTrue("Access must be granted!!!", access);
- }
- else
- {
- assertFalse("Access must be denied!!!", access);
- }
+ ConversationState.setCurrent(new ConversationState(user.getIdentity()));
+ try
+ {
+ boolean access = this.ua.hasEditPermission(page);
+
+ log.info("-----------------------------------");
+ log.info("Decision="+access);
+
+ if(mustBePermitted)
+ {
+ assertTrue("Access must be granted!!!", access);
+ }
+ else
+ {
+ assertFalse("Access must be denied!!!", access);
+ }
+ }
+ finally
+ {
+ ConversationState.setCurrent(null);
+ }
}
}
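Review bot: `checkReadAccess(User, PageNavigation, boolean)` is deleted at L715-731 and no UserACL-based replacement is added, so read access to page navigations is no longer asserted anywhere in this integration suite while write access still is. If `UserACL` exposes no public read check for `PageNavigation`, say so in a comment where the helper was; otherwise re-add the helper around the corresponding `ua` call with the same `ConversationState` set/reset pattern as the other five. The `ConversationState.setCurrent(null)` in each `finally` is the right shape for resetting thread-bound identity between test cases.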
Modified:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossAbstractTestUserACL.java
===================================================================
---
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossAbstractTestUserACL.java 2009-08-01
15:10:09 UTC (rev 13650)
+++
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossAbstractTestUserACL.java 2009-08-01
20:40:35 UTC (rev 13651)
@@ -3,6 +3,9 @@
*/
package org.exoplatform.portal.config.security.jboss;
+import java.util.List;
+import java.util.ArrayList;
+
import org.apache.log4j.Logger;
import org.exoplatform.portal.config.UserACL;
@@ -32,6 +35,7 @@
String navigationCreatorMembershipType_;
String superuser_;
String guestGroup_;
+ List<String> portalCreatorGroups;
PolicyComposer policyComposer;
@@ -50,10 +54,18 @@
//via system configuration
this.navigationCreatorMembershipType_ = "manager";
- this.superuser_ = "root";
-
+ this.superuser_ = "root";
this.guestGroup_ = "/platform/guests";
+ //TODO: replace with
*:/platform/administrators,*:/organization/management/executive-board, once custom
+ //Roles component is used
+ this.portalCreatorGroups = new ArrayList<String>();
+ //this.portalCreatorGroups.add("*:/platform/administrators");
+ //this.portalCreatorGroups.add("*:/organization/management/executive-board");
+ this.portalCreatorGroups.add("whatever:/platform/administrators");
+ this.portalCreatorGroups.add("whatever:/organization/management/executive-board");
+
+ //Setup mock identities
this.root = new User(this.superuser_);
this.administrator = new User("administrator");
Modified:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossCreatePortalACL.java
===================================================================
---
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossCreatePortalACL.java 2009-08-01
15:10:09 UTC (rev 13650)
+++
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossCreatePortalACL.java 2009-08-01
20:40:35 UTC (rev 13651)
@@ -23,9 +23,11 @@
import org.exoplatform.services.security.MembershipEntry;
import org.jboss.security.authz.agent.enforcement.EnforcementContext;
+import org.jboss.security.authz.agent.services.CompositionContext;
import org.jboss.security.authz.components.resource.URIResource;
import org.jboss.security.authz.components.subject.Roles;
import org.jboss.security.authz.components.subject.Identity;
+import org.jboss.security.authz.model.Effect;
/**
* @author soshah
@@ -35,6 +37,7 @@
{
public void testCreatePortal() throws Exception
{
+ this.provisionCreatePortalPolicy();
this.dumpPolicyRepository();
// Generate an EnforcementContext to see if the superuser and administrator
@@ -49,6 +52,38 @@
this.enforce(this.createPortalEnforcementContext(this.user), false);
}
//
----------------------------------------------------------------------------------------------------------------------------------------------------------------
+ private void provisionCreatePortalPolicy() throws Exception
+ {
+ CompositionContext context = new CompositionContext();
+
+ //Using the custom "CreatePortal" "Security Component"
+ CreatePortal action = new CreatePortal();
+ URIResource resource = new URIResource();
+ resource.setUri(new URI(action.getName()));
+ context.setPolicyTarget(resource);
+
+ // Super User... Supers Users have access to everything
+ org.jboss.security.authz.components.subject.Identity superuser = new
org.jboss.security.authz.components.subject.Identity();
+ superuser.setName(this.root.getId());
+ context.addPolicyRule(Effect.PERMIT, action, superuser);
+
+ // PortalCreators Group....
+ if(this.portalCreatorGroups != null && !this.portalCreatorGroups.isEmpty())
+ {
+ Roles portalCreators = new Roles();
+
+ for(String portalCreatorGroup: this.portalCreatorGroups)
+ {
+ portalCreators.addName(portalCreatorGroup);
+ }
+
+ context.addPolicyRule(Effect.PERMIT, action, portalCreators,
+ "allowExpression");
+ }
+
+ this.provisioner.composeAndDeploy(context);
+ }
+
/**
* Enforcement Phase: Creates an EnforcementContext for an incoming request
* that is trying to "Create a New Portal". The EnforcementContext is
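Review bot: The string `"allowExpression"` passed to `addPolicyRule` at L952-953 is an unexplained magic value that decides how the PortalCreators rule is evaluated, whereas the superuser rule at L940 takes no such argument. Give it a named constant with a comment saying what expression it selects, or at least a one-line comment such as `// expression under which membership in any listed group permits CreatePortal`, checked against what the framework actually does. The comment `Super User... Supers Users have access to everything` at L936 also overstates the rule: it only permits `CreatePortal` on this one target.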