[jboss-cvs] JBossAS SVN: r64456 - in projects/security/security-jboss-sx/trunk/src: main/org/jboss/security/authorization/config and 11 other directories.

[jboss-cvs-commits at lists.jboss.org]

Author: anil.saldhana at jboss.com
Date: 2007-08-03 12:49:42 -0400 (Fri, 03 Aug 2007)
New Revision: 64456

Added:
   projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/config/ControlFlag.java
   projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/identitytrust/JBossIdentityTrustContext.java
   projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/identitytrust/modules/
   projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/identitytrust/modules/AbstractIdentityTrustModule.java
   projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/identitytrust/modules/AlwaysDenyTrustModule.java
   projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/identitytrust/modules/AlwaysNotApplicableTrustModule.java
   projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/identitytrust/modules/AlwaysPermitTrustModule.java
   projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/identitytrust/modules/JavaEETrustModule.java
   projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/identitytrust/
   projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/identitytrust/JBossIdentityTrustManager.java
   projects/security/security-jboss-sx/trunk/src/tests/org/jboss/test/security/identitytrust/
   projects/security/security-jboss-sx/trunk/src/tests/org/jboss/test/security/identitytrust/IdentityTrustUnitTestCase.java
   projects/security/security-jboss-sx/trunk/src/tests/resources/config/identitytrust-config.xml
Modified:
   projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/RunAsIdentity.java
   projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/SecurityConstants.java
   projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/authorization/config/AuthorizationConfigEntryHolder.java
   projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/authorization/config/AuthorizationModuleEntry.java
   projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/authorization/config/SecurityConfigObjectModelFactory.java
   projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/identitytrust/config/IdentityTrustModuleEntry.java
   projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/JBossSecurityContext.java
   projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/authorization/JBossAuthorizationContext.java
   projects/security/security-jboss-sx/trunk/src/tests/org/jboss/test/security/config/SecurityConfigurationUnitTestCase.java
Log:
SECURITY-59:IdentityTrustManager framework to make initial trust based decisions

Modified: projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/RunAsIdentity.java
===================================================================
--- projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/RunAsIdentity.java	2007-08-03 16:49:14 UTC (rev 64455)
+++ projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/RunAsIdentity.java	2007-08-03 16:49:42 UTC (rev 64456)
@@ -162,6 +162,6 @@
 
    public <T> T getProof()
    { 
-      return (T) getRunAsRoles();
+      return (T) SecurityConstants.JAVAEE;
    } 
 }

Modified: projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/SecurityConstants.java
===================================================================
--- projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/SecurityConstants.java	2007-08-03 16:49:14 UTC (rev 64455)
+++ projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/SecurityConstants.java	2007-08-03 16:49:42 UTC (rev 64456)
@@ -116,4 +116,9 @@
    
    String CREDENTIAL = "Credential";
    String SUBJECT = "Subject";
+   
+   /**
+    * Identity Trust Constants
+    */
+   String JAVAEE = "JavaEE";
 }

Modified: projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/authorization/config/AuthorizationConfigEntryHolder.java
===================================================================
--- projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/authorization/config/AuthorizationConfigEntryHolder.java	2007-08-03 16:49:14 UTC (rev 64455)
+++ projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/authorization/config/AuthorizationConfigEntryHolder.java	2007-08-03 16:49:42 UTC (rev 64456)
@@ -26,8 +26,8 @@
 
 import javax.xml.namespace.QName;
  
-import org.jboss.security.auth.login.ModuleOption;
-import org.jboss.security.authorization.config.AuthorizationModuleEntry.ControlFlag;
+import org.jboss.security.auth.login.ModuleOption; 
+import org.jboss.security.config.ControlFlag;
 import org.jboss.xb.binding.GenericValueContainer;
 
 //$Id$

Modified: projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/authorization/config/AuthorizationModuleEntry.java
===================================================================
--- projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/authorization/config/AuthorizationModuleEntry.java	2007-08-03 16:49:14 UTC (rev 64455)
+++ projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/authorization/config/AuthorizationModuleEntry.java	2007-08-03 16:49:42 UTC (rev 64456)
@@ -25,6 +25,7 @@
 import java.util.Map;
 
 import org.jboss.security.auth.login.ModuleOption;
+import org.jboss.security.config.ControlFlag;
 
 //$Id$
 
@@ -101,31 +102,5 @@
    public void setControlFlag(ControlFlag controlFlag)
    {
       this.controlFlag = controlFlag;
-   }
-   
-   /**
-    * Represents a Control Flag for the module 
-    */
-   public static class ControlFlag
-   {
-      private String flag = "";
-      public static final ControlFlag REQUIRED = new ControlFlag("REQUIRED");
-      public static final ControlFlag REQUISITE = new ControlFlag("REQUISITE");
-      public static final ControlFlag SUFFICIENT = new ControlFlag("SUFFICIENT");
-      public static final ControlFlag OPTIONAL = new ControlFlag("OPTIONAL");
-      
-      public ControlFlag(String flag)
-      {
-         this.flag = flag;
-      }  
-      
-      /**
-       * Returns the string represented
-       * "required", "requisite" etc
-       */
-      public String toString()
-      {
-         return flag;
-      }
    } 
 }

Modified: projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/authorization/config/SecurityConfigObjectModelFactory.java
===================================================================
--- projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/authorization/config/SecurityConfigObjectModelFactory.java	2007-08-03 16:49:14 UTC (rev 64455)
+++ projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/authorization/config/SecurityConfigObjectModelFactory.java	2007-08-03 16:49:42 UTC (rev 64456)
@@ -24,11 +24,11 @@
 import org.jboss.logging.Logger;
 import org.jboss.security.audit.config.AuditProviderEntry;
 import org.jboss.security.auth.login.LoginConfigObjectModelFactory;
-import org.jboss.security.auth.login.ModuleOption;
-import org.jboss.security.authorization.config.AuthorizationModuleEntry.ControlFlag;
+import org.jboss.security.auth.login.ModuleOption; 
 import org.jboss.security.config.ApplicationPolicy;
 import org.jboss.security.config.AuditInfo;
 import org.jboss.security.config.AuthorizationInfo;
+import org.jboss.security.config.ControlFlag;
 import org.jboss.security.config.IdentityTrustInfo;
 import org.jboss.security.config.MappingInfo; 
 import org.jboss.security.identitytrust.config.IdentityTrustModuleEntry;
@@ -94,7 +94,8 @@
          String code = attrs.getValue("code");
          code = StringPropertyReplacer.replaceProperties(code.trim());
          String flag = attrs.getValue("flag");
-         flag = StringPropertyReplacer.replaceProperties(flag.trim());
+         if(flag != null)
+            flag = StringPropertyReplacer.replaceProperties(flag.trim()); 
          if(flag == null)
             flag = "REQUIRED";
          else
@@ -300,15 +301,34 @@
    {
       Object child = null;
       if( trace )
-         log.trace("newChild.AuditInfo, localName: "+localName);
+         log.trace("newChild.IdentityTrustInfo, localName: "+localName);
       if("trust-module".equals(localName))
       {
          String code = attrs.getValue("code");
          code = StringPropertyReplacer.replaceProperties(code.trim()); 
+         
+         String flag = attrs.getValue("flag");
+         if(flag != null)
+           flag = StringPropertyReplacer.replaceProperties(flag.trim());
+         if(flag == null)
+            flag = "REQUIRED";
+         else
+            flag = flag.toUpperCase();
          IdentityTrustModuleEntry entry = new IdentityTrustModuleEntry(code);  
+         if("REQUIRED".equals(flag)) 
+            entry.setControlFlag(ControlFlag.REQUIRED);
+         else
+            if("REQUISITE".equals(flag)) 
+              entry.setControlFlag(ControlFlag.REQUISITE);
+            else
+               if("SUFFICIENT".equals(flag)) 
+                  entry.setControlFlag(ControlFlag.SUFFICIENT);
+               else
+                  entry.setControlFlag(ControlFlag.OPTIONAL); 
+         
          child = entry;
          if( trace )
-            log.trace("newChild.AuditInfo, provider-module code: "+code);
+            log.trace("newChild.IdentityTrustInfo, trust-module code: "+code);
       }
       
       return child;
@@ -320,13 +340,13 @@
    {
       Object child = null;
       if( trace )
-         log.trace("newChild.AuditProviderEntry, localName: "+localName);
+         log.trace("newChild.trustProviderEntry, localName: "+localName);
       if("module-option".equals(localName))
       {
          String name = attrs.getValue("name");         
          child = new ModuleOption(name);
          if( trace )
-            log.trace("newChild.AuditProviderEntry, module-option name: "+name);
+            log.trace("newChild.trustProviderEntry, module-option name: "+name);
       }
       
       return child;

Added: projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/config/ControlFlag.java
===================================================================
--- projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/config/ControlFlag.java	                        (rev 0)
+++ projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/config/ControlFlag.java	2007-08-03 16:49:42 UTC (rev 64456)
@@ -0,0 +1,53 @@
+/*
+  * JBoss, Home of Professional Open Source
+  * Copyright 2007, JBoss Inc., and individual contributors as indicated
+  * by the @authors tag. See the copyright.txt in the distribution for a
+  * full listing of individual contributors.
+  *
+  * This is free software; you can redistribute it and/or modify it
+  * under the terms of the GNU Lesser General Public License as
+  * published by the Free Software Foundation; either version 2.1 of
+  * the License, or (at your option) any later version.
+  *
+  * This software is distributed in the hope that it will be useful,
+  * but WITHOUT ANY WARRANTY; without even the implied warranty of
+  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  * Lesser General Public License for more details.
+  *
+  * You should have received a copy of the GNU Lesser General Public
+  * License along with this software; if not, write to the Free
+  * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+  * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+  */
+package org.jboss.security.config; 
+
+//$Id$
+
+/**
+ *  Control Flag for module entries
+ *  @author Anil.Saldhana at redhat.com
+ *  @since  Aug 2, 2007 
+ *  @version $Revision$
+ */
+public class ControlFlag
+{
+   private String flag;
+   public static final ControlFlag REQUIRED = new ControlFlag("REQUIRED");
+   public static final ControlFlag REQUISITE = new ControlFlag("REQUISITE");
+   public static final ControlFlag SUFFICIENT = new ControlFlag("SUFFICIENT");
+   public static final ControlFlag OPTIONAL = new ControlFlag("OPTIONAL");
+   
+   public ControlFlag(String flag)
+   {
+      this.flag = flag;
+   }  
+   
+   /**
+    * Returns the string represented
+    * "required", "requisite" etc
+    */
+   public String toString()
+   {
+      return flag;
+   }
+}

Added: projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/identitytrust/JBossIdentityTrustContext.java
===================================================================
--- projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/identitytrust/JBossIdentityTrustContext.java	                        (rev 0)
+++ projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/identitytrust/JBossIdentityTrustContext.java	2007-08-03 16:49:42 UTC (rev 64456)
@@ -0,0 +1,241 @@
+/*
+  * JBoss, Home of Professional Open Source
+  * Copyright 2007, JBoss Inc., and individual contributors as indicated
+  * by the @authors tag. See the copyright.txt in the distribution for a
+  * full listing of individual contributors.
+  *
+  * This is free software; you can redistribute it and/or modify it
+  * under the terms of the GNU Lesser General Public License as
+  * published by the Free Software Foundation; either version 2.1 of
+  * the License, or (at your option) any later version.
+  *
+  * This software is distributed in the hope that it will be useful,
+  * but WITHOUT ANY WARRANTY; without even the implied warranty of
+  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  * Lesser General Public License for more details.
+  *
+  * You should have received a copy of the GNU Lesser General Public
+  * License along with this software; if not, write to the Free
+  * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+  * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+  */
+package org.jboss.security.identitytrust;
+
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.Map;
+
+import org.jboss.logging.Logger;
+import org.jboss.security.SecurityContext; 
+import org.jboss.security.config.ApplicationPolicy;
+import org.jboss.security.config.ControlFlag;
+import org.jboss.security.config.IdentityTrustInfo;
+import org.jboss.security.config.SecurityConfiguration;
+import org.jboss.security.identitytrust.IdentityTrustManager.TrustDecision;
+import org.jboss.security.identitytrust.config.IdentityTrustModuleEntry;
+import org.jboss.security.plugins.authorization.SecurityActions;
+
+//$Id$
+
+/**
+ *  
+ *  @author Anil.Saldhana at redhat.com
+ *  @since  Aug 2, 2007 
+ *  @version $Revision$
+ */
+public class JBossIdentityTrustContext extends IdentityTrustContext
+{ 
+   protected Logger log = Logger.getLogger(JBossIdentityTrustContext.class); 
+
+   //Control Flag behavior
+   private boolean encounteredRequiredDeny = false; 
+   private boolean encounteredRequiredNotApplicable = false;
+   private boolean encounteredOptionalError = false; 
+   private IdentityTrustException moduleException = null;
+   private TrustDecision overallDecision = TrustDecision.NotApplicable;
+
+   private boolean encounteredRequiredPermit;
+   
+   public JBossIdentityTrustContext(SecurityContext sc)
+   {
+      this.securityContext = sc;
+   }
+   
+   @Override
+   public TrustDecision isTrusted() throws IdentityTrustException
+   { 
+      TrustDecision decision = NOTAPPLICABLE;
+         
+      try
+      {
+         initializeModules();
+      }
+      catch (Exception e)
+      {
+         throw new IdentityTrustException(e);
+      }
+      //Do a PrivilegedAction
+      try
+      {
+         decision = (TrustDecision) AccessController.doPrivileged(new PrivilegedExceptionAction() 
+         {
+            public Object run() throws IdentityTrustException 
+            {
+               TrustDecision result = invokeTrusted();
+               if(result == PERMIT)
+                  invokeCommit();
+               if(result == DENY || result == NOTAPPLICABLE)
+               {
+                  invokeAbort();  
+               } 
+               return result;
+            }
+         });
+      }
+      catch (PrivilegedActionException e)
+      {
+         Exception exc = e.getException();
+         log.trace("Error in isAuthorize:", exc); 
+         invokeAbort();
+         throw ((IdentityTrustException)exc);
+      }
+      return decision; 
+   } 
+   
+   private void initializeModules() throws Exception
+   {
+      String securityDomain = this.securityContext.getSecurityDomain();
+      //Get the Configuration
+      ApplicationPolicy aPolicy = SecurityConfiguration.getApplicationPolicy( securityDomain);
+      if(aPolicy == null)
+         throw new IllegalStateException("ApplicationPolicy not found for "+ securityDomain);
+      
+      IdentityTrustInfo iti = aPolicy.getIdentityTrustInfo();
+      IdentityTrustModuleEntry[] itmearr = iti.getIdentityTrustModuleEntry();
+      for(IdentityTrustModuleEntry itme: itmearr)
+      { 
+         ControlFlag cf = itme.getControlFlag();
+         if(cf == null)
+            cf = ControlFlag.REQUIRED;
+         
+         this.controlFlags.add(cf);
+         modules.add(instantiateModule(itme.getName(), itme.getOptions())); 
+      }
+   }
+   
+   private IdentityTrustModule instantiateModule(String name, Map map) throws Exception
+   {
+      IdentityTrustModule im = null;
+      ClassLoader tcl = SecurityActions.getContextClassLoader();
+      try
+      {
+         Class clazz = tcl.loadClass(name);
+         im = (IdentityTrustModule)clazz.newInstance();
+      }
+      catch ( Exception e)
+      {
+         log.debug("Error instantiating IdentityTrustModule:",e);
+      } 
+      if(im == null)
+         throw new IllegalStateException("IdentityTrustModule has not " +
+               "been instantiated"); 
+      im.initialize(this.securityContext, this.callbackHandler, this.sharedState,map); 
+      return im;
+   }
+   
+   private TrustDecision invokeTrusted() 
+   throws IdentityTrustException
+   {
+      int length = modules.size();
+      for(int i = 0; i < length; i++)
+      {
+         IdentityTrustModule module = (IdentityTrustModule)modules.get(i);
+         ControlFlag flag = (ControlFlag)this.controlFlags.get(i); 
+         TrustDecision decision = NOTAPPLICABLE;
+         try
+         {
+            decision = module.isTrusted();
+         }
+         catch(Exception ae)
+         {
+            decision = NOTAPPLICABLE;
+            if(this.moduleException == null)
+               this.moduleException = new IdentityTrustException(ae);
+         }
+         
+         if(decision == PERMIT)
+         { 
+            this.overallDecision =  PERMIT;
+            if(flag == ControlFlag.REQUIRED)
+               this.encounteredRequiredPermit = true;
+            //SUFFICIENT case
+            if(flag == ControlFlag.SUFFICIENT && this.encounteredRequiredDeny == false)
+               return PERMIT;
+            continue; //Continue with the other modules
+         }
+         
+         if(decision == NOTAPPLICABLE && flag == ControlFlag.REQUIRED)
+         {  
+            this.encounteredRequiredNotApplicable = true;
+            continue; //Continue with the other modules
+         }
+         //Go through the failure cases 
+         //REQUISITE case
+         if(flag == ControlFlag.REQUISITE)
+         {
+            log.trace("REQUISITE failed for " + module); 
+            if(this.moduleException == null)
+               this.moduleException = new IdentityTrustException("Authorization failed");
+            else
+               throw this.moduleException;
+         }
+         //REQUIRED Case
+         if(flag == ControlFlag.REQUIRED)
+         {
+            log.trace("REQUIRED failed for " + module);
+            this.encounteredRequiredDeny = true;
+         }
+         if(flag == ControlFlag.OPTIONAL)
+            this.encounteredOptionalError = true; 
+      }
+      
+      //All the authorization modules have been visited.
+      if(this.encounteredRequiredDeny)
+         return DENY;
+      if(this.overallDecision == DENY && this.encounteredOptionalError)
+         return DENY;
+      if(this.overallDecision == DENY)
+         return DENY;
+      
+      if(this.encounteredRequiredNotApplicable && !encounteredRequiredPermit)
+         return NOTAPPLICABLE;
+      return PERMIT;
+   }
+   
+   private void invokeCommit()
+   throws IdentityTrustException
+   {
+      int length = modules.size();
+      for(int i = 0; i < length; i++)
+      {
+         IdentityTrustModule module = (IdentityTrustModule)modules.get(i); 
+         boolean bool = module.commit();
+         if(!bool)
+            throw new IdentityTrustException("commit on modules failed");
+      } 
+   }
+   
+   private void invokeAbort()
+   throws IdentityTrustException
+   {
+      int length = modules.size();
+      for(int i = 0; i < length; i++)
+      {
+         IdentityTrustModule module = (IdentityTrustModule)modules.get(i); 
+         boolean bool = module.abort(); 
+         if(!bool)
+            throw new IdentityTrustException("abort on modules failed");
+      } 
+   }
+}

Modified: projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/identitytrust/config/IdentityTrustModuleEntry.java
===================================================================
--- projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/identitytrust/config/IdentityTrustModuleEntry.java	2007-08-03 16:49:14 UTC (rev 64455)
+++ projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/identitytrust/config/IdentityTrustModuleEntry.java	2007-08-03 16:49:42 UTC (rev 64456)
@@ -24,7 +24,8 @@
 import java.util.HashMap;
 import java.util.Map;
 
-import org.jboss.security.auth.login.ModuleOption;
+import org.jboss.security.auth.login.ModuleOption; 
+import org.jboss.security.config.ControlFlag;
 
 //$Id$
 
@@ -37,6 +38,7 @@
 public class IdentityTrustModuleEntry
 {
    private String name; 
+   private ControlFlag controlFlag; 
    
    private Map options = new HashMap();
 
@@ -60,4 +62,14 @@
    {
       return this.options;
    }
+
+   public ControlFlag getControlFlag()
+   {
+      return controlFlag;
+   }
+
+   public void setControlFlag(ControlFlag controlFlag)
+   {
+      this.controlFlag = controlFlag;
+   } 
 }

Added: projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/identitytrust/modules/AbstractIdentityTrustModule.java
===================================================================
--- projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/identitytrust/modules/AbstractIdentityTrustModule.java	                        (rev 0)
+++ projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/identitytrust/modules/AbstractIdentityTrustModule.java	2007-08-03 16:49:42 UTC (rev 64456)
@@ -0,0 +1,81 @@
+/*
+  * JBoss, Home of Professional Open Source
+  * Copyright 2007, JBoss Inc., and individual contributors as indicated
+  * by the @authors tag. See the copyright.txt in the distribution for a
+  * full listing of individual contributors.
+  *
+  * This is free software; you can redistribute it and/or modify it
+  * under the terms of the GNU Lesser General Public License as
+  * published by the Free Software Foundation; either version 2.1 of
+  * the License, or (at your option) any later version.
+  *
+  * This software is distributed in the hope that it will be useful,
+  * but WITHOUT ANY WARRANTY; without even the implied warranty of
+  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  * Lesser General Public License for more details.
+  *
+  * You should have received a copy of the GNU Lesser General Public
+  * License along with this software; if not, write to the Free
+  * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+  * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+  */
+package org.jboss.security.identitytrust.modules;
+
+import java.util.Map;
+
+import javax.security.auth.callback.CallbackHandler;
+
+import org.jboss.security.SecurityContext;
+import org.jboss.security.identitytrust.IdentityTrustException;
+import org.jboss.security.identitytrust.IdentityTrustModule;
+import org.jboss.security.identitytrust.IdentityTrustManager.TrustDecision;
+
+//$Id$
+
+/**
+ *  Abstract IdentityTrustModule that pulls in common stuff
+ *  @author Anil.Saldhana at redhat.com
+ *  @since  Aug 2, 2007 
+ *  @version $Revision$
+ */
+public abstract class AbstractIdentityTrustModule implements IdentityTrustModule
+{
+   protected SecurityContext securityContext;
+   protected CallbackHandler callbackHandler;
+   protected Map sharedState;
+   protected Map options;
+   
+   /**
+    * @see IdentityTrustModule#abort()
+    */
+   public boolean abort() throws IdentityTrustException
+   {
+      return true;
+   }
+
+   /**
+    * @see IdentityTrustModule#commit()
+    */
+   public boolean commit() throws IdentityTrustException
+   {
+      return true;
+   }
+   
+   /**
+    * @see IdentityTrustModule#initialize(SecurityContext, CallbackHandler, Map, Map)
+    */
+   public void initialize(SecurityContext sc, 
+         CallbackHandler handler, Map sharedState, Map options) 
+   throws IdentityTrustException
+   { 
+      this.securityContext = sc;
+      this.callbackHandler = handler;
+      this.sharedState = sharedState;
+      this.options = options;
+   } 
+   
+   /**
+    * @see IdentityTrustModule#isTrusted()
+    */
+   public abstract TrustDecision isTrusted() throws IdentityTrustException; 
+}

Added: projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/identitytrust/modules/AlwaysDenyTrustModule.java
===================================================================
--- projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/identitytrust/modules/AlwaysDenyTrustModule.java	                        (rev 0)
+++ projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/identitytrust/modules/AlwaysDenyTrustModule.java	2007-08-03 16:49:42 UTC (rev 64456)
@@ -0,0 +1,43 @@
+/*
+  * JBoss, Home of Professional Open Source
+  * Copyright 2007, JBoss Inc., and individual contributors as indicated
+  * by the @authors tag. See the copyright.txt in the distribution for a
+  * full listing of individual contributors.
+  *
+  * This is free software; you can redistribute it and/or modify it
+  * under the terms of the GNU Lesser General Public License as
+  * published by the Free Software Foundation; either version 2.1 of
+  * the License, or (at your option) any later version.
+  *
+  * This software is distributed in the hope that it will be useful,
+  * but WITHOUT ANY WARRANTY; without even the implied warranty of
+  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  * Lesser General Public License for more details.
+  *
+  * You should have received a copy of the GNU Lesser General Public
+  * License along with this software; if not, write to the Free
+  * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+  * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+  */
+package org.jboss.security.identitytrust.modules;
+
+import org.jboss.security.identitytrust.IdentityTrustException;
+import org.jboss.security.identitytrust.IdentityTrustManager.TrustDecision;
+
+//$Id$
+
+/**
+ *  Trust Module that always returns DENY
+ *  @author Anil.Saldhana at redhat.com
+ *  @since  Aug 2, 2007 
+ *  @version $Revision$
+ */
+public class AlwaysDenyTrustModule extends AbstractIdentityTrustModule
+{  
+   @Override
+   public TrustDecision isTrusted() throws IdentityTrustException
+   { 
+      return TrustDecision.Deny;
+   }
+
+}

Added: projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/identitytrust/modules/AlwaysNotApplicableTrustModule.java
===================================================================
--- projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/identitytrust/modules/AlwaysNotApplicableTrustModule.java	                        (rev 0)
+++ projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/identitytrust/modules/AlwaysNotApplicableTrustModule.java	2007-08-03 16:49:42 UTC (rev 64456)
@@ -0,0 +1,42 @@
+/*
+  * JBoss, Home of Professional Open Source
+  * Copyright 2007, JBoss Inc., and individual contributors as indicated
+  * by the @authors tag. See the copyright.txt in the distribution for a
+  * full listing of individual contributors.
+  *
+  * This is free software; you can redistribute it and/or modify it
+  * under the terms of the GNU Lesser General Public License as
+  * published by the Free Software Foundation; either version 2.1 of
+  * the License, or (at your option) any later version.
+  *
+  * This software is distributed in the hope that it will be useful,
+  * but WITHOUT ANY WARRANTY; without even the implied warranty of
+  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  * Lesser General Public License for more details.
+  *
+  * You should have received a copy of the GNU Lesser General Public
+  * License along with this software; if not, write to the Free
+  * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+  * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+  */
+package org.jboss.security.identitytrust.modules;
+
+import org.jboss.security.identitytrust.IdentityTrustException;
+import org.jboss.security.identitytrust.IdentityTrustManager.TrustDecision;
+
+//$Id$
+
+/**
+ *  Trust Module that always returns NotApplicable
+ *  @author Anil.Saldhana at redhat.com
+ *  @since  Aug 2, 2007 
+ *  @version $Revision$
+ */
+public class AlwaysNotApplicableTrustModule extends AbstractIdentityTrustModule
+{  
+   @Override
+   public TrustDecision isTrusted() throws IdentityTrustException
+   {  
+      return TrustDecision.NotApplicable;
+   } 
+}

Added: projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/identitytrust/modules/AlwaysPermitTrustModule.java
===================================================================
--- projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/identitytrust/modules/AlwaysPermitTrustModule.java	                        (rev 0)
+++ projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/identitytrust/modules/AlwaysPermitTrustModule.java	2007-08-03 16:49:42 UTC (rev 64456)
@@ -0,0 +1,41 @@
+/*
+  * JBoss, Home of Professional Open Source
+  * Copyright 2007, JBoss Inc., and individual contributors as indicated
+  * by the @authors tag. See the copyright.txt in the distribution for a
+  * full listing of individual contributors.
+  *
+  * This is free software; you can redistribute it and/or modify it
+  * under the terms of the GNU Lesser General Public License as
+  * published by the Free Software Foundation; either version 2.1 of
+  * the License, or (at your option) any later version.
+  *
+  * This software is distributed in the hope that it will be useful,
+  * but WITHOUT ANY WARRANTY; without even the implied warranty of
+  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  * Lesser General Public License for more details.
+  *
+  * You should have received a copy of the GNU Lesser General Public
+  * License along with this software; if not, write to the Free
+  * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+  * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+  */
+package org.jboss.security.identitytrust.modules;
+
+import org.jboss.security.identitytrust.IdentityTrustException;
+import org.jboss.security.identitytrust.IdentityTrustManager.TrustDecision;
+
+//$Id$
+
+/**
+ *  Trust Module that always does a PERMIT
+ *  @author Anil.Saldhana at redhat.com
+ *  @since  Aug 2, 2007 
+ *  @version $Revision$
+ */
+public class AlwaysPermitTrustModule extends AbstractIdentityTrustModule
+{   
+   public TrustDecision isTrusted() throws IdentityTrustException
+   { 
+      return TrustDecision.Permit;
+   } 
+}

Added: projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/identitytrust/modules/JavaEETrustModule.java
===================================================================
--- projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/identitytrust/modules/JavaEETrustModule.java	                        (rev 0)
+++ projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/identitytrust/modules/JavaEETrustModule.java	2007-08-03 16:49:42 UTC (rev 64456)
@@ -0,0 +1,52 @@
+/*
+  * JBoss, Home of Professional Open Source
+  * Copyright 2007, JBoss Inc., and individual contributors as indicated
+  * by the @authors tag. See the copyright.txt in the distribution for a
+  * full listing of individual contributors.
+  *
+  * This is free software; you can redistribute it and/or modify it
+  * under the terms of the GNU Lesser General Public License as
+  * published by the Free Software Foundation; either version 2.1 of
+  * the License, or (at your option) any later version.
+  *
+  * This software is distributed in the hope that it will be useful,
+  * but WITHOUT ANY WARRANTY; without even the implied warranty of
+  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  * Lesser General Public License for more details.
+  *
+  * You should have received a copy of the GNU Lesser General Public
+  * License along with this software; if not, write to the Free
+  * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+  * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+  */
+package org.jboss.security.identitytrust.modules;
+
+import org.jboss.security.RunAs;
+import org.jboss.security.RunAsIdentity;
+import org.jboss.security.SecurityConstants;
+import org.jboss.security.identitytrust.IdentityTrustException;
+import org.jboss.security.identitytrust.IdentityTrustManager.TrustDecision;
+
+//$Id$
+
+/**
+ *  Trust Module that deals with JavaEE RunAsIdentity
+ *  @author Anil.Saldhana at redhat.com
+ *  @since  Aug 2, 2007 
+ *  @version $Revision$
+ */
+public class JavaEETrustModule extends AbstractIdentityTrustModule
+{  
+   @Override
+   public TrustDecision isTrusted() throws IdentityTrustException
+   { 
+      RunAs runAs = this.securityContext.getIncomingRunAs();
+      if(runAs instanceof RunAsIdentity )
+      {
+         RunAsIdentity runAsIdentity = (RunAsIdentity)runAs;
+         if(SecurityConstants.JAVAEE.equals(runAsIdentity.getProof()))
+               return TrustDecision.Permit;
+      }
+      return TrustDecision.NotApplicable;
+   }  
+}

Modified: projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/JBossSecurityContext.java
===================================================================
--- projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/JBossSecurityContext.java	2007-08-03 16:49:14 UTC (rev 64455)
+++ projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/JBossSecurityContext.java	2007-08-03 16:49:42 UTC (rev 64456)
@@ -22,8 +22,10 @@
 import org.jboss.security.SecurityUtil;
 import org.jboss.security.SubjectInfo; 
 import org.jboss.security.audit.AuditManager;
+import org.jboss.security.identitytrust.IdentityTrustManager;
 import org.jboss.security.mapping.MappingManager; 
 import org.jboss.security.plugins.audit.JBossAuditManager;
+import org.jboss.security.plugins.identitytrust.JBossIdentityTrustManager;
 import org.jboss.security.plugins.mapping.JBossMappingManager;
 
 import static org.jboss.security.SecurityConstants.ROLES_IDENTIFIER;
@@ -106,7 +108,15 @@
    public MappingManager getMappingManager()
    {
       return new JBossMappingManager(this.securityDomain);
-   }
+   } 
+
+   /**
+    * @see SecurityContext#getIdentityTrustManager()
+    */
+   public IdentityTrustManager getIdentityTrustManager()
+   { 
+      return new JBossIdentityTrustManager(this);
+   } 
    
    /**
     * @see SecurityContext#getOutgoingRunAs()
@@ -187,5 +197,6 @@
       if(jsc != null)
          jsc.contextData = (Map<String, Object>) ((HashMap)contextData).clone();
       return super.clone();
-   } 
+   }
+
 } 

Modified: projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/authorization/JBossAuthorizationContext.java
===================================================================
--- projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/authorization/JBossAuthorizationContext.java	2007-08-03 16:49:14 UTC (rev 64455)
+++ projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/authorization/JBossAuthorizationContext.java	2007-08-03 16:49:42 UTC (rev 64456)
@@ -35,11 +35,11 @@
 import org.jboss.security.authorization.AuthorizationModule;
 import org.jboss.security.authorization.Resource;
 import org.jboss.security.authorization.ResourceType;
-import org.jboss.security.authorization.config.AuthorizationModuleEntry;
-import org.jboss.security.authorization.config.AuthorizationModuleEntry.ControlFlag;
+import org.jboss.security.authorization.config.AuthorizationModuleEntry; 
 import org.jboss.security.authorization.modules.DelegatingAuthorizationModule;
 import org.jboss.security.config.ApplicationPolicy;
 import org.jboss.security.config.AuthorizationInfo;
+import org.jboss.security.config.ControlFlag;
 import org.jboss.security.config.SecurityConfiguration;
 
 //$Id: JBossAuthorizationContext.java 62954 2007-05-10 04:12:18Z anil.saldhana at jboss.com $
@@ -160,12 +160,12 @@
       for(int i = 0 ; i < len; i++)
       {
          AuthorizationModuleEntry entry = entries[i];
-         AuthorizationModuleEntry.ControlFlag flag = entry.getControlFlag();
+         ControlFlag flag = entry.getControlFlag();
          if(flag == null)
          {
             if(trace)
                log.trace("Null Control flag for entry:"+entry+". Defaults to REQUIRED!");
-            flag = AuthorizationModuleEntry.ControlFlag.REQUIRED;
+            flag = ControlFlag.REQUIRED;
          }
          else
             if(trace)

Added: projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/identitytrust/JBossIdentityTrustManager.java
===================================================================
--- projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/identitytrust/JBossIdentityTrustManager.java	                        (rev 0)
+++ projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/identitytrust/JBossIdentityTrustManager.java	2007-08-03 16:49:42 UTC (rev 64456)
@@ -0,0 +1,65 @@
+/*
+  * JBoss, Home of Professional Open Source
+  * Copyright 2007, JBoss Inc., and individual contributors as indicated
+  * by the @authors tag. See the copyright.txt in the distribution for a
+  * full listing of individual contributors.
+  *
+  * This is free software; you can redistribute it and/or modify it
+  * under the terms of the GNU Lesser General Public License as
+  * published by the Free Software Foundation; either version 2.1 of
+  * the License, or (at your option) any later version.
+  *
+  * This software is distributed in the hope that it will be useful,
+  * but WITHOUT ANY WARRANTY; without even the implied warranty of
+  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  * Lesser General Public License for more details.
+  *
+  * You should have received a copy of the GNU Lesser General Public
+  * License along with this software; if not, write to the Free
+  * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+  * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+  */
+package org.jboss.security.plugins.identitytrust;
+
+import org.jboss.logging.Logger;
+import org.jboss.security.SecurityContext;
+import org.jboss.security.identitytrust.IdentityTrustContext;
+import org.jboss.security.identitytrust.IdentityTrustException;
+import org.jboss.security.identitytrust.IdentityTrustManager;
+import org.jboss.security.identitytrust.JBossIdentityTrustContext;
+
+//$Id$
+
+/**
+ *  Identity Trust Manager default implementation
+ *  @author Anil.Saldhana at redhat.com
+ *  @since  Aug 2, 2007 
+ *  @version $Revision$
+ */
+public class JBossIdentityTrustManager implements IdentityTrustManager
+{
+   protected static Logger log = Logger.getLogger(JBossIdentityTrustManager.class);
+   private SecurityContext securityContext;
+   
+   public JBossIdentityTrustManager(SecurityContext sc)
+   {
+      this.securityContext = sc;
+   }
+   /**
+    * @see IdentityTrustManager#isTrusted()
+    */
+   public TrustDecision isTrusted()
+   { 
+      TrustDecision td = TrustDecision.Deny;
+      IdentityTrustContext itc = new JBossIdentityTrustContext(securityContext);
+      try
+      {
+         td = itc.isTrusted();
+      }
+      catch (IdentityTrustException e)
+      { 
+         log.trace("Trust Exception:",e);
+      } 
+      return td;
+   } 
+}

Modified: projects/security/security-jboss-sx/trunk/src/tests/org/jboss/test/security/config/SecurityConfigurationUnitTestCase.java
===================================================================
--- projects/security/security-jboss-sx/trunk/src/tests/org/jboss/test/security/config/SecurityConfigurationUnitTestCase.java	2007-08-03 16:49:14 UTC (rev 64455)
+++ projects/security/security-jboss-sx/trunk/src/tests/org/jboss/test/security/config/SecurityConfigurationUnitTestCase.java	2007-08-03 16:49:42 UTC (rev 64456)
@@ -41,6 +41,7 @@
 import org.jboss.security.config.ApplicationPolicy;
 import org.jboss.security.config.AuditInfo;
 import org.jboss.security.config.AuthorizationInfo;
+import org.jboss.security.config.ControlFlag;
 import org.jboss.security.config.IdentityTrustInfo;
 import org.jboss.security.config.MappingInfo;
 import org.jboss.security.config.PolicyConfig;
@@ -206,7 +207,7 @@
       AuthorizationModuleEntry authzEntry = authzEntries[0];
       assertEquals("TestPolicyModule","org.jboss.test.TestPolicyModule",
             authzEntry.getPolicyModuleName());
-      assertEquals("Required", AuthorizationModuleEntry.ControlFlag.REQUIRED,
+      assertEquals("Required", ControlFlag.REQUIRED,
             authzEntry.getControlFlag());
       Map authzoptions = authzEntry.getOptions();
       assertEquals("Number of options = 2", 2, authzoptions.size());

Added: projects/security/security-jboss-sx/trunk/src/tests/org/jboss/test/security/identitytrust/IdentityTrustUnitTestCase.java
===================================================================
--- projects/security/security-jboss-sx/trunk/src/tests/org/jboss/test/security/identitytrust/IdentityTrustUnitTestCase.java	                        (rev 0)
+++ projects/security/security-jboss-sx/trunk/src/tests/org/jboss/test/security/identitytrust/IdentityTrustUnitTestCase.java	2007-08-03 16:49:42 UTC (rev 64456)
@@ -0,0 +1,189 @@
+/*
+  * JBoss, Home of Professional Open Source
+  * Copyright 2007, JBoss Inc., and individual contributors as indicated
+  * by the @authors tag. See the copyright.txt in the distribution for a
+  * full listing of individual contributors.
+  *
+  * This is free software; you can redistribute it and/or modify it
+  * under the terms of the GNU Lesser General Public License as
+  * published by the Free Software Foundation; either version 2.1 of
+  * the License, or (at your option) any later version.
+  *
+  * This software is distributed in the hope that it will be useful,
+  * but WITHOUT ANY WARRANTY; without even the implied warranty of
+  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  * Lesser General Public License for more details.
+  *
+  * You should have received a copy of the GNU Lesser General Public
+  * License along with this software; if not, write to the Free
+  * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+  * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+  */
+package org.jboss.test.security.identitytrust;
+
+import java.net.URL;
+
+import javax.security.auth.login.Configuration;
+
+import junit.framework.TestCase;
+
+import org.jboss.security.RunAs;
+import org.jboss.security.RunAsIdentity;
+import org.jboss.security.auth.login.XMLLoginConfigImpl;
+import org.jboss.security.identitytrust.IdentityTrustManager;
+import org.jboss.security.identitytrust.IdentityTrustManager.TrustDecision;
+import org.jboss.security.plugins.JBossSecurityContext;
+
+//$Id$
+
+/**
+ *  Test the IdentityTrust framework  
+ *  @author Anil.Saldhana at redhat.com
+ *  @since  Aug 2, 2007 
+ *  @version $Revision$
+ */
+public class IdentityTrustUnitTestCase extends TestCase
+{ 
+   String configFile="config/identitytrust-config.xml";
+   
+   protected void setUp() throws Exception
+   {  
+      XMLLoginConfigImpl xli = new XMLLoginConfigImpl();
+      Configuration.setConfiguration(xli);
+      URL configURL = Thread.currentThread().getContextClassLoader().getResource(configFile);
+      assertNotNull("Config URL",configURL);
+      
+      xli.setConfigURL(configURL);
+      xli.loadConfig();
+   } 
+   
+   public void testPermit_Permit_Permit() throws Exception
+   {
+      JBossSecurityContext sc = new JBossSecurityContext("Permit-Permit-Permit");
+      sc.setIncomingRunAs(new RunAsIdentity("theduke", "jduke")); 
+      assertNotNull("SecurityContext is not null", sc);
+      IdentityTrustManager itm = sc.getIdentityTrustManager();
+      assertNotNull("IdentityTrustManager is not null", itm);
+      assertEquals("Is Trusted",TrustDecision.Permit,itm.isTrusted()); 
+   }
+   
+   public void testPermit_Permit_Deny() throws Exception
+   {
+      JBossSecurityContext sc = new JBossSecurityContext("Permit-Permit-Deny");
+      sc.setIncomingRunAs(new RunAsIdentity("theduke", "jduke")); 
+      assertNotNull("SecurityContext is not null", sc);
+      IdentityTrustManager itm = sc.getIdentityTrustManager();
+      assertNotNull("IdentityTrustManager is not null", itm);
+      assertEquals("Is Trusted Deny",TrustDecision.Deny,itm.isTrusted()); 
+   }
+   
+   public void testPermit_Deny_Permit() throws Exception
+   {
+      JBossSecurityContext sc = new JBossSecurityContext("Permit-Deny-Permit");
+      sc.setIncomingRunAs(new RunAsIdentity("theduke", "jduke")); 
+      assertNotNull("SecurityContext is not null", sc);
+      IdentityTrustManager itm = sc.getIdentityTrustManager();
+      assertNotNull("IdentityTrustManager is not null", itm);
+      assertEquals("Is Trusted Deny",TrustDecision.Deny,itm.isTrusted()); 
+   }
+   
+   public void testDeny_Permit_Permit() throws Exception
+   {
+      JBossSecurityContext sc = new JBossSecurityContext("Deny-Permit-Permit");
+      sc.setIncomingRunAs(new RunAsIdentity("theduke", "jduke")); 
+      assertNotNull("SecurityContext is not null", sc);
+      IdentityTrustManager itm = sc.getIdentityTrustManager();
+      assertNotNull("IdentityTrustManager is not null", itm);
+      assertEquals("Is Trusted Deny",TrustDecision.Deny,itm.isTrusted()); 
+   }
+   
+   public void testPermit_Permit_NotApplicable() throws Exception
+   {
+      JBossSecurityContext sc = new JBossSecurityContext("Permit-Permit-NotApplicable");
+      sc.setIncomingRunAs(new RunAsIdentity("theduke", "jduke")); 
+      assertNotNull("SecurityContext is not null", sc);
+      IdentityTrustManager itm = sc.getIdentityTrustManager();
+      assertNotNull("IdentityTrustManager is not null", itm);
+      assertEquals("Is Trusted",TrustDecision.Permit,itm.isTrusted()); 
+   } 
+   
+   public void testNotApplicable_Permit_Permit() throws Exception
+   {
+      JBossSecurityContext sc = new JBossSecurityContext("NotApplicable-Permit-Permit");
+      sc.setIncomingRunAs(new RunAsIdentity("theduke", "jduke")); 
+      assertNotNull("SecurityContext is not null", sc);
+      IdentityTrustManager itm = sc.getIdentityTrustManager();
+      assertNotNull("IdentityTrustManager is not null", itm);
+      assertEquals("Is Trusted",TrustDecision.Permit,itm.isTrusted()); 
+   } 
+   
+   public void testNotApplicable_Required__Permit_Optional() throws Exception
+   {
+      JBossSecurityContext sc = new JBossSecurityContext("NotApplicable_Required-Permit_Optional");
+      sc.setIncomingRunAs(new RunAsIdentity("theduke", "jduke")); 
+      assertNotNull("SecurityContext is not null", sc);
+      IdentityTrustManager itm = sc.getIdentityTrustManager();
+      assertNotNull("IdentityTrustManager is not null", itm);
+      assertEquals("Is Trusted not applicable",TrustDecision.NotApplicable,itm.isTrusted()); 
+   }
+   
+   public void testPermit_Required__Deny_Optional() throws Exception
+   {
+      JBossSecurityContext sc = new JBossSecurityContext("Permit_Required-Deny_Optional");
+      sc.setIncomingRunAs(new RunAsIdentity("theduke", "jduke")); 
+      assertNotNull("SecurityContext is not null", sc);
+      IdentityTrustManager itm = sc.getIdentityTrustManager();
+      assertNotNull("IdentityTrustManager is not null", itm);
+      assertEquals("Is Trusted",TrustDecision.Permit,itm.isTrusted()); 
+   }
+   
+   public void testNotApplicable_Required__Deny_Optional() throws Exception
+   {
+      JBossSecurityContext sc = new JBossSecurityContext("NotApplicable_Required-Deny_Optional");
+      sc.setIncomingRunAs(new RunAsIdentity("theduke", "jduke")); 
+      assertNotNull("SecurityContext is not null", sc);
+      IdentityTrustManager itm = sc.getIdentityTrustManager();
+      assertNotNull("IdentityTrustManager is not null", itm);
+      assertEquals("Is Trusted false",TrustDecision.NotApplicable,itm.isTrusted()); 
+   }
+   
+   public void testPermit_Sufficient__Deny_Optional() throws Exception
+   {
+      JBossSecurityContext sc = new JBossSecurityContext("Permit_Sufficient-Deny_Optional");
+      sc.setIncomingRunAs(new RunAsIdentity("theduke", "jduke")); 
+      assertNotNull("SecurityContext is not null", sc);
+      IdentityTrustManager itm = sc.getIdentityTrustManager();
+      assertNotNull("IdentityTrustManager is not null", itm);
+      assertEquals("Is Trusted",TrustDecision.Permit,itm.isTrusted()); 
+   }
+
+   public void testJavaEERunAsIdentity() throws Exception
+   {
+      JBossSecurityContext sc = new JBossSecurityContext("conf-javaee");
+      sc.setIncomingRunAs(new RunAsIdentity("theduke", "jduke")); 
+      assertNotNull("SecurityContext is not null", sc);
+      IdentityTrustManager itm = sc.getIdentityTrustManager();
+      assertNotNull("IdentityTrustManager is not null", itm);
+      assertEquals("Is Trusted",TrustDecision.Permit,itm.isTrusted()); 
+      
+      sc.setIncomingRunAs(new RunAs()
+      { 
+         public <T> T getIdentity()
+         { 
+            return (T) "BAD";
+         }
+
+         public <T> T getProof()
+         { 
+            return (T) "BAD";
+         }
+
+         public String getName()
+         { 
+            return "BAD";
+         }
+     });
+      
+     assertEquals("Is Trusted is false",TrustDecision.NotApplicable,itm.isTrusted()); 
+   } 
+}

Added: projects/security/security-jboss-sx/trunk/src/tests/resources/config/identitytrust-config.xml
===================================================================
--- projects/security/security-jboss-sx/trunk/src/tests/resources/config/identitytrust-config.xml	                        (rev 0)
+++ projects/security/security-jboss-sx/trunk/src/tests/resources/config/identitytrust-config.xml	2007-08-03 16:49:42 UTC (rev 64456)
@@ -0,0 +1,82 @@
+<?xml version='1.0'?> 
+ 
+<policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+         xsi:schemaLocation="urn:jboss:security-config:5.0"
+         xmlns="urn:jboss:security-config:5.0">
+   
+   <application-policy name="conf-javaee">  
+       <identity-trust>
+         <trust-module code="org.jboss.security.identitytrust.modules.JavaEETrustModule"/> 
+       </identity-trust> 
+   </application-policy>  
+   
+   <application-policy name="Permit-Permit-Permit">  
+       <identity-trust>
+         <trust-module code="org.jboss.security.identitytrust.modules.AlwaysPermitTrustModule"/> 
+         <trust-module code="org.jboss.security.identitytrust.modules.AlwaysPermitTrustModule"/>
+         <trust-module code="org.jboss.security.identitytrust.modules.AlwaysPermitTrustModule"/>
+       </identity-trust> 
+   </application-policy> 
+   
+   <application-policy name="Permit-Permit-Deny">  
+       <identity-trust>
+         <trust-module code="org.jboss.security.identitytrust.modules.AlwaysPermitTrustModule"/> 
+         <trust-module code="org.jboss.security.identitytrust.modules.AlwaysPermitTrustModule"/>
+         <trust-module code="org.jboss.security.identitytrust.modules.AlwaysDenyTrustModule"/>
+       </identity-trust> 
+   </application-policy> 
+   
+   <application-policy name="Permit-Deny-Permit">  
+       <identity-trust>
+         <trust-module code="org.jboss.security.identitytrust.modules.AlwaysPermitTrustModule"/>
+         <trust-module code="org.jboss.security.identitytrust.modules.AlwaysDenyTrustModule"/> 
+         <trust-module code="org.jboss.security.identitytrust.modules.AlwaysPermitTrustModule"/>
+       </identity-trust> 
+   </application-policy> 
+   
+   <application-policy name="Permit-Permit-NotApplicable">  
+       <identity-trust>
+         <trust-module code="org.jboss.security.identitytrust.modules.AlwaysPermitTrustModule"/> 
+         <trust-module code="org.jboss.security.identitytrust.modules.AlwaysPermitTrustModule"/>
+         <trust-module code="org.jboss.security.identitytrust.modules.AlwaysNotApplicableTrustModule"/>
+       </identity-trust> 
+   </application-policy> 
+   
+   <application-policy name="NotApplicable-Permit-Permit">  
+       <identity-trust>
+         <trust-module code="org.jboss.security.identitytrust.modules.AlwaysNotApplicableTrustModule"/>
+         <trust-module code="org.jboss.security.identitytrust.modules.AlwaysPermitTrustModule"/> 
+         <trust-module code="org.jboss.security.identitytrust.modules.AlwaysPermitTrustModule"/>
+       </identity-trust> 
+   </application-policy>
+   
+   <application-policy name="NotApplicable_Required-Permit_Optional">  
+       <identity-trust>
+         <trust-module code="org.jboss.security.identitytrust.modules.AlwaysNotApplicableTrustModule"/>
+         <trust-module code="org.jboss.security.identitytrust.modules.AlwaysPermitTrustModule" flag="optional"/> 
+       </identity-trust> 
+   </application-policy>
+   
+   <application-policy name="Permit_Required-Deny_Optional">  
+       <identity-trust>
+         <trust-module code="org.jboss.security.identitytrust.modules.AlwaysPermitTrustModule"/>
+         <trust-module code="org.jboss.security.identitytrust.modules.AlwaysDenyTrustModule" flag="optional"/> 
+       </identity-trust> 
+   </application-policy>
+   
+   <application-policy name="NotApplicable_Required-Deny_Optional">  
+       <identity-trust>
+         <trust-module code="org.jboss.security.identitytrust.modules.AlwaysNotApplicableTrustModule"/>
+         <trust-module code="org.jboss.security.identitytrust.modules.AlwaysDenyTrustModule" flag="optional"/> 
+       </identity-trust> 
+   </application-policy>
+   
+   <application-policy name="Permit_Sufficient-Deny_Optional">  
+       <identity-trust>
+         <trust-module code="org.jboss.security.identitytrust.modules.AlwaysNotApplicableTrustModule"
+             flag="sufficient"/>
+         <trust-module code="org.jboss.security.identitytrust.modules.AlwaysDenyTrustModule" flag="optional"/> 
+       </identity-trust> 
+   </application-policy>
+   
+</policy>