Author: shane.bryzak(a)jboss.com
Date: 2010-07-14 06:47:59 -0400 (Wed, 14 Jul 2010)
New Revision: 13389
Modified:
modules/security/trunk/api/src/main/java/org/jboss/seam/security/Identity.java
modules/security/trunk/api/src/main/java/org/jboss/seam/security/management/IdentityManager.java
modules/security/trunk/api/src/main/java/org/jboss/seam/security/permission/PermissionStore.java
modules/security/trunk/impl/src/main/java/org/jboss/seam/security/management/IdentityManagerImpl.java
modules/security/trunk/impl/src/main/java/org/jboss/seam/security/management/JpaIdentityStore.java
modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/JpaPermissionStore.java
modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/PermissionCheck.java
modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/PermissionMapper.java
modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/PersistentPermissionResolver.java
modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/RuleBasedPermissionResolver.java
Log:
Got rule-based permission resolving working.
Modified: modules/security/trunk/api/src/main/java/org/jboss/seam/security/Identity.java
===================================================================
---
modules/security/trunk/api/src/main/java/org/jboss/seam/security/Identity.java 2010-07-14
10:46:56 UTC (rev 13388)
+++
modules/security/trunk/api/src/main/java/org/jboss/seam/security/Identity.java 2010-07-14
10:47:59 UTC (rev 13389)
@@ -141,16 +141,16 @@
void checkRole(String role, String group, String groupType);
/**
- * Checks if the currently authenticated user can perform the specified action
- * on the specified target object.
+ * Checks if the currently authenticated user has the specified permission
+ * for the specified resource.
*
- * @param target The target object for which the user wishes to perform a restricted
action
- * @param action The action that the user wishes to perform
+ * @param resource The resource for which the user wishes to perform a restricted
action
+ * @param permission The name of the permission that the user requires to invoke the
operation
* @throws NotLoggedInException if the current user is not authenticated
* @throws AuthorizationException if the current user does not have the necessary
- * privileges to perform the specified action on the specified target object.
+ * permission for the specified resource object.
*/
- void checkPermission(Object target, String action);
+ void checkPermission(Object resource, String permission);
/**
* Filters a collection of objects by a specified action, by removing the
@@ -160,15 +160,13 @@
* @param collection The Collection to filter
* @param action The name of the action to filter by
*/
- void filterByPermission(Collection<?> collection, String action);
+ void filterByPermission(Collection<?> collection, String permission);
/**
- * Checks if the currently authenticated user has the necessary privileges to perform
the
- * specified action on the specified target object.
+ * Checks if the currently authenticated user has the necessary permission for
+ * a specific resource.
*
- * @param target
- * @param action
- * @return true if the user has the required privileges, otherwise false
+ * @return true if the user has the required permission, otherwise false
*/
- boolean hasPermission(Object target, String action);
+ boolean hasPermission(Object resource, String permission);
}
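Review bot: The parameter of filterByPermission is renamed to `permission` on the new side, but the Javadoc left as context still documents `@param action The name of the action to filter by`, so the tag no longer matches any parameter. hasPermission has the opposite problem: its `@param target` and `@param action` tags were removed and no tags were added for `resource` and `permission`. Suggested tags for hasPermission: `* @param resource The resource for which the permission is checked` and `* @param permission The name of the permission the user must hold`; for filterByPermission: `* @param permission The name of the permission to filter by`.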
Modified:
modules/security/trunk/api/src/main/java/org/jboss/seam/security/management/IdentityManager.java
===================================================================
---
modules/security/trunk/api/src/main/java/org/jboss/seam/security/management/IdentityManager.java 2010-07-14
10:46:56 UTC (rev 13388)
+++
modules/security/trunk/api/src/main/java/org/jboss/seam/security/management/IdentityManager.java 2010-07-14
10:47:59 UTC (rev 13389)
@@ -80,7 +80,7 @@
* @param value The value of the attribute
* @return true if the attribute was successfully set
*/
- boolean setUserAttribute(String username, String attribute, Object value);
+ void setUserAttribute(String username, String attribute, Object value);
/**
* Deletes the specified attribute value from the specified user
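Review bot: setUserAttribute now returns `void`, but the surrounding Javadoc still carries `@return true if the attribute was successfully set`, which javadoc will reject on a void method; deleteUserAttribute in the next hunk has the same stale `@return true if the attribute was successfully deleted`. With the boolean gone, the interface should say how a failed update is reported to the caller (an exception, or an explicit statement that failures are only logged), since callers can no longer detect it from the return value. The implementation in this commit currently catches `IdentityException` and continues, so whichever contract is chosen needs to be written here and matched there.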
@@ -89,7 +89,7 @@
* @param attribute The name of the attribute to delete
* @return true if the attribute was successfully deleted
*/
- boolean deleteUserAttribute(String username, String attribute);
+ void deleteUserAttribute(String username, String attribute);
/**
* Creates a new role type
Modified:
modules/security/trunk/api/src/main/java/org/jboss/seam/security/permission/PermissionStore.java
===================================================================
---
modules/security/trunk/api/src/main/java/org/jboss/seam/security/permission/PermissionStore.java 2010-07-14
10:46:56 UTC (rev 13388)
+++
modules/security/trunk/api/src/main/java/org/jboss/seam/security/permission/PermissionStore.java 2010-07-14
10:47:59 UTC (rev 13389)
@@ -19,4 +19,5 @@
boolean revokePermissions(List<Permission> permissions);
List<String> listAvailableActions(Object target);
void clearPermissions(Object target);
+ boolean isEnabled();
}
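Review bot: The new `isEnabled()` method is added to the interface without Javadoc, so implementers have to read PersistentPermissionResolver to learn what a `false` result means. Suggested Javadoc: `/** Returns true if this store is configured and able to answer permission queries; a disabled store must be treated by resolvers as granting nothing. */` — the second sentence describes how PersistentPermissionResolver uses it in this commit.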
Modified:
modules/security/trunk/impl/src/main/java/org/jboss/seam/security/management/IdentityManagerImpl.java
===================================================================
---
modules/security/trunk/impl/src/main/java/org/jboss/seam/security/management/IdentityManagerImpl.java 2010-07-14
10:46:56 UTC (rev 13388)
+++
modules/security/trunk/impl/src/main/java/org/jboss/seam/security/management/IdentityManagerImpl.java 2010-07-14
10:47:59 UTC (rev 13389)
@@ -26,7 +26,7 @@
import org.slf4j.LoggerFactory;
/**
- * Default IdentityManager implementation
+ * Default IdentityManager implementation, backed by PicketLink IDM
*
* @author Shane Bryzak
*/
@@ -35,9 +35,7 @@
{
private static final long serialVersionUID = 6864253169970552893L;
- public static final String USER_PERMISSION_NAME = "seam.user";
- public static final String ROLE_PERMISSION_NAME = "seam.role";
- public static final String GROUP_PERMISSION_NAME = "seam.group";
+ public static final String RESOURCE_IDENTITY = "seam.identity";
public static final String PERMISSION_CREATE = "create";
public static final String PERMISSION_READ = "read";
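Review bot: Replacing the three resource names with a single `RESOURCE_IDENTITY` makes user, role-type and group administration one permission: anyone granted `create` on `seam.identity` so they can add users can now also create role types and groups (the later hunks route createRoleType and createGroup through the same check). If that coarsening is intended it should be stated on the constant, e.g. `/** Resource name shared by all identity-management permission checks; users, role types and groups are not distinguished. */`; otherwise keep a resource name per type. Removing the public `USER_PERMISSION_NAME`, `ROLE_PERMISSION_NAME` and `GROUP_PERMISSION_NAME` constants also means any existing rule file or persisted grant keyed on `seam.user`, `seam.role` or `seam.group` will silently stop matching — that fails closed, but the resulting denials will be hard to diagnose without a note in the change.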
@@ -53,7 +51,7 @@
public boolean createUser(String name, Credential credential)
{
- identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_CREATE);
+ identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_CREATE);
try
{
User user = identitySession.getPersistenceManager().createUser(name);
@@ -68,7 +66,7 @@
public boolean deleteUser(String name)
{
- identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_DELETE);
+ identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_DELETE);
try
{
@@ -83,21 +81,21 @@
public boolean enableUser(String name)
{
- identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
+ identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_UPDATE);
//return identityStore.enableUser(name);
return false;
}
public boolean disableUser(String name)
{
- identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
+ identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_UPDATE);
//return identityStore.disableUser(name);
return false;
}
public boolean updateCredential(String name, Credential credential)
{
- identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
+ identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_UPDATE);
try
{
@@ -112,49 +110,63 @@
public boolean isUserEnabled(String name)
{
- identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_READ);
+ identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_READ);
//return identityStore.isUserEnabled(name);
return false;
}
- public boolean setUserAttribute(String username, String attribute, Object value)
+ public void setUserAttribute(String username, String attribute, Object value)
{
- identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
- //return identityStore.setUserAttribute(username, attribute, value);
- return false;
+ identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_UPDATE);
+ try
+ {
+ identitySession.getAttributesManager().addAttribute(username, attribute,
value);
+ }
+ catch (IdentityException e)
+ {
+ // TODO Auto-generated catch block
+ e.printStackTrace();
+ }
}
- public boolean deleteUserAttribute(String username, String attribute)
+ public void deleteUserAttribute(String username, String attribute)
{
- identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
- //return identityStore.deleteUserAttribute(username, attribute);
- return false;
+ identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_UPDATE);
+ try
+ {
+ identitySession.getAttributesManager().removeAttributes(username, new String[]
{attribute});
+ }
+ catch (IdentityException e)
+ {
+ // TODO Auto-generated catch block
+ e.printStackTrace();
+ }
}
public boolean grantRole(String name, String role, String groupName, String
groupType)
{
- identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
+ identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_UPDATE);
//return roleIdentityStore.grantRole(name, role, groupName, groupType);
return false;
}
public boolean revokeRole(String name, String role, String groupName, String
groupType)
{
- identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
+ identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_UPDATE);
//return roleIdentityStore.revokeRole(name, role, groupName, groupType);
return false;
}
public boolean associateUser(String groupName, String groupType, String username)
{
- identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
+ identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_UPDATE);
//return identityStore.associateUser(groupName, groupType, username);
return false;
}
public boolean disassociateUser(String groupName, String groupType, String username)
{
- identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_UPDATE);
+ identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_UPDATE);
//return identityStore.disassociateUser(groupName, groupType, username);
return false;
}
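Review bot: The new catch blocks in setUserAttribute and deleteUserAttribute print the stack trace and return normally, so a caller has no way to know the attribute was never written — and since both methods now return `void`, the failure cannot be reported through the return value either; the `// TODO Auto-generated catch block` markers are also left in. Prefer rethrowing with the cause preserved, e.g. `throw new IllegalStateException("Could not set attribute " + attribute + " for user " + username, e);` (and the equivalent for the remove), or at minimum log through the class's logger instead of `printStackTrace()`; the class appears to use SLF4J given the LoggerFactory import in the first hunk. Keep the attribute `value` out of the message, since attribute values may be sensitive.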
@@ -171,35 +183,35 @@
public boolean createRoleType(String roleType)
{
- identity.checkPermission(ROLE_PERMISSION_NAME, PERMISSION_CREATE);
+ identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_CREATE);
//return roleIdentityStore.createRoleType(roleType);
return false;
}
public boolean deleteRoleType(String roleType)
{
- identity.checkPermission(ROLE_PERMISSION_NAME, PERMISSION_DELETE);
+ identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_DELETE);
//return roleIdentityStore.deleteRoleType(roleType);
return false;
}
public boolean createGroup(String groupName, String groupType)
{
- identity.checkPermission(GROUP_PERMISSION_NAME, PERMISSION_CREATE);
+ identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_CREATE);
//return groupIdentityStore.createGroup(groupName, groupType);
return false;
}
public boolean deleteGroup(String groupName, String groupType)
{
- identity.checkPermission(GROUP_PERMISSION_NAME, PERMISSION_DELETE);
+ identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_DELETE);
//return groupIdentityStore.deleteGroup(groupName, groupType);
return false;
}
public boolean userExists(String name)
{
- identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_READ);
+ identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_READ);
//return identityStore.userExists(name);
return false;
}
@@ -212,7 +224,7 @@
public List<String> findUsers(String filter)
{
- identity.checkPermission(USER_PERMISSION_NAME, PERMISSION_READ);
+ identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_READ);
UserQueryBuilder builder = identitySession.createUserQueryBuilder();
UserQuery userQuery = builder.createQuery();
@@ -237,7 +249,7 @@
public List<String> listRoleTypes()
{
- identity.checkPermission(ROLE_PERMISSION_NAME, PERMISSION_READ);
+ // identity.checkPermission(ROLE_PERMISSION_NAME, PERMISSION_READ);
//List<String> roles = roleIdentityStore.listRoleTypes();
return null;
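Review bot: The read-permission check on listRoleTypes is commented out rather than migrated to `RESOURCE_IDENTITY`, and the next hunk does the same for listRoleMembers, leaving these two as the only operations in the class without an authorization check. Both still return `null` today, but once the commented-out store calls are restored they would expose role types and role membership to any caller. Suggested line for both: `identity.checkPermission(RESOURCE_IDENTITY, PERMISSION_READ);` — or, if listing is meant to be unrestricted, a comment saying so in place of the disabled check.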
@@ -276,7 +288,7 @@
public List<IdentityType> listRoleMembers(String roleType, String groupName,
String groupType)
{
- identity.checkPermission(ROLE_PERMISSION_NAME, PERMISSION_READ);
+ //identity.checkPermission(ROLE_PERMISSION_NAME, PERMISSION_READ);
//return roleIdentityStore.listRoleMembers(roleType, groupName, groupType);
return null;
}
Modified:
modules/security/trunk/impl/src/main/java/org/jboss/seam/security/management/JpaIdentityStore.java
===================================================================
---
modules/security/trunk/impl/src/main/java/org/jboss/seam/security/management/JpaIdentityStore.java 2010-07-14
10:46:56 UTC (rev 13388)
+++
modules/security/trunk/impl/src/main/java/org/jboss/seam/security/management/JpaIdentityStore.java 2010-07-14
10:47:59 UTC (rev 13389)
@@ -1132,7 +1132,7 @@
CriteriaBuilder builder = em.getCriteriaBuilder();
CriteriaQuery<?> criteria = builder.createQuery(identityClass);
- //Root<?> root = criteria.from(identityClass);
+ Root<?> root = criteria.from(identityClass);
Property<?> identityNameProp = modelProperties.get(PROPERTY_IDENTITY_NAME);
Modified:
modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/JpaPermissionStore.java
===================================================================
---
modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/JpaPermissionStore.java 2010-07-14
10:46:56 UTC (rev 13388)
+++
modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/JpaPermissionStore.java 2010-07-14
10:47:59 UTC (rev 13389)
@@ -62,6 +62,7 @@
}
}
+ private boolean enabled;
private Class<?> identityPermissionClass;
@@ -90,6 +91,7 @@
if (identityPermissionClass == null)
{
log.debug("No identityPermissionClass set, JpaPermissionStore will be
unavailable.");
+ enabled = false;
return;
}
@@ -152,6 +154,8 @@
identityPermissionClass.getName() +
" - required annotation @PermissionProperty(PERMISSION) not found on any
field or method.");
}
+
+ enabled = true;
}
/**
@@ -540,4 +544,9 @@
.setParameter("resource", identifier)
.executeUpdate();
}
+
+ public boolean isEnabled()
+ {
+ return enabled;
+ }
}
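Review bot: `isEnabled()` implements the method just added to PermissionStore but has no `@Override` and no Javadoc. The behaviour worth documenting is that `enabled` defaults to false and is only set at the very end of initialisation (after the annotation check that throws on a missing `@PermissionProperty(PERMISSION)`), so a configuration that aborts part-way leaves the store disabled and every persistent permission check fails closed. Suggested: `@Override` plus `/** True only once initialisation has fully completed; false when no identityPermissionClass is configured or initialisation did not finish, in which case no permissions are granted from this store. */`.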
Modified:
modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/PermissionCheck.java
===================================================================
---
modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/PermissionCheck.java 2010-07-14
10:46:56 UTC (rev 13388)
+++
modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/PermissionCheck.java 2010-07-14
10:47:59 UTC (rev 13389)
@@ -4,7 +4,7 @@
import java.util.Set;
/**
- * Used to assert permission requirements into a WorkingMemory when evaluating
+ * Used to assert permission check requirements into a StatefulSession when evaluating
* a @Restrict expression. The consequence of the rule is responsible for
* granting the permission.
*
Modified:
modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/PermissionMapper.java
===================================================================
---
modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/PermissionMapper.java 2010-07-14
10:46:56 UTC (rev 13388)
+++
modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/PermissionMapper.java 2010-07-14
10:47:59 UTC (rev 13389)
@@ -11,6 +11,7 @@
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.context.SessionScoped;
+import javax.enterprise.context.spi.CreationalContext;
import javax.inject.Inject;
import javax.enterprise.inject.Produces;
import javax.enterprise.inject.spi.Bean;
@@ -37,11 +38,11 @@
{
defaultResolverChain = new ArrayList<PermissionResolver>();
- Set<Bean<?>> beans = manager.getBeans(PermissionResolver.class);
- for (Bean<?> resolverBean : beans)
- {
- defaultResolverChain.add((PermissionResolver) manager.getReference(
- resolverBean, PermissionResolver.class,
manager.createCreationalContext(resolverBean)));
+ Set<Bean<?>> beans = (Set<Bean<?>>)
manager.getBeans(PermissionResolver.class);
+ for (Bean<?> resolverBean : beans)
+ {
+ CreationalContext<PermissionResolver> ctx =
manager.createCreationalContext((Bean<PermissionResolver>) resolverBean);
+ defaultResolverChain.add(((Bean<PermissionResolver>)
resolverBean).create(ctx));
}
}
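Review bot: `((Bean<PermissionResolver>) resolverBean).create(ctx)` builds a fresh instance outside the bean's context instead of obtaining the contextual reference the removed `manager.getReference(...)` call returned, so the resolver stored in the chain is not the instance the container manages. If a resolver is scoped — RuleBasedPermissionResolver in this commit observes `PostLoggedOutEvent` and disposes its security context — that observer would fire on the container's instance while the chain keeps using a different one that still holds its pre-logout state; and `ctx` is never released, so `destroy`/`@PreDestroy` never runs for the created instances. This is inferred from the scopes not visible here, so if `getReference` was abandoned for a concrete reason a comment should record it; otherwise `defaultResolverChain.add(manager.getReference(resolverBean, PermissionResolver.class, manager.createCreationalContext(resolverBean)));` keeps container-managed references. Separately, the `(Set<Bean<?>>)` cast is a no-op and the `(Bean<PermissionResolver>)` casts are unchecked without a scoped `@SuppressWarnings("unchecked")`.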
Modified:
modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/PersistentPermissionResolver.java
===================================================================
---
modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/PersistentPermissionResolver.java 2010-07-14
10:46:56 UTC (rev 13388)
+++
modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/PersistentPermissionResolver.java 2010-07-14
10:47:59 UTC (rev 13389)
@@ -42,6 +42,8 @@
if (!identity.isLoggedIn()) return false;
+ if (!permissionStore.isEnabled()) return false;
+
List<Permission> permissions = permissionStore.listPermissions(target,
action);
String username = identity.getPrincipal().getName();
Modified:
modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/RuleBasedPermissionResolver.java
===================================================================
---
modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/RuleBasedPermissionResolver.java 2010-07-14
10:46:56 UTC (rev 13388)
+++
modules/security/trunk/impl/src/main/java/org/jboss/seam/security/permission/RuleBasedPermissionResolver.java 2010-07-14
10:47:59 UTC (rev 13389)
@@ -48,7 +48,7 @@
@Inject Identity identity;
@Inject
- protected void initSecurityContext()
+ public void init()
{
if (getSecurityRules() != null)
{
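Review bot: Widening the initializer from `protected initSecurityContext()` to `public init()` makes context creation callable by any client of the bean; a CDI initializer method does not need to be public. `unAuthenticate` later in the file disposes the existing security context before calling `init()`, but an outside caller of `init()` skips that step and, as far as the visible body suggests, would create a new session while the previous one is still live (the rest of the method lies outside the hunk). Either keep it `protected`, or make `init()` dispose any existing context before creating a new one, and document the method: `/** Creates the rule-based security context for this resolver; called by the container on injection and again after logout. */`.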
@@ -84,7 +84,7 @@
{
// TODO fix
String componentName = null; // manager. Seam.getComponentName((Class)
target);
- resource = componentName != null ? componentName : ((Class)
resource).getName();
+ resource = componentName != null ? componentName : ((Class<?>)
resource).getName();
}
check = new PermissionCheck(resource, permission);
@@ -111,7 +111,7 @@
public void filterSetByAction(Set<Object> targets, String action)
{
- Iterator iter = targets.iterator();
+ Iterator<?> iter = targets.iterator();
while (iter.hasNext())
{
Object target = iter.next();
@@ -131,15 +131,15 @@
synchronized( securityContext )
{
- if (!(target instanceof String) && !(target instanceof Class))
+ if (!(target instanceof String) && !(target instanceof Class<?>))
{
handles.add( securityContext.insert(target) );
}
- else if (target instanceof Class)
+ else if (target instanceof Class<?>)
{
// TODO fix
String componentName = null; //Seam.getComponentName((Class) target);
- target = componentName != null ? componentName : ((Class) target).getName();
+ target = componentName != null ? componentName : ((Class<?>)
target).getName();
}
try
@@ -180,7 +180,6 @@
return roleCheck.isGranted();
}
- @SuppressWarnings("unchecked")
public void unAuthenticate(@Observes PostLoggedOutEvent event)
{
if (getSecurityContext() != null)
@@ -188,7 +187,7 @@
getSecurityContext().dispose();
setSecurityContext(null);
}
- initSecurityContext();
+ init();
}
/**
@@ -204,7 +203,7 @@
{
if ( IdentityImpl.ROLES_GROUP.equals( sg.getName() ) )
{
- Enumeration e = sg.members();
+ Enumeration<?> e = sg.members();
while (e.hasMoreElements())
{
Principal role = (Principal) e.nextElement();