[jboss-cvs] JBossBlog SVN: r237 - in trunk: resources/WEB-INF and 3 other directories.
jboss-cvs-commits at lists.jboss.org
Tue Mar 4 07:53:20 EST 2008
Author: adamw
Date: 2008-03-04 07:53:20 -0500 (Tue, 04 Mar 2008)
New Revision: 237
Modified:
trunk/resources/META-INF/security.drl
trunk/resources/WEB-INF/pages.xml
trunk/src/action/org/jboss/blog/session/security/Authenticator.java
trunk/src/action/org/jboss/blog/session/security/FeedsIdentity.java
trunk/src/action/org/jboss/blog/session/security/SecurityModBean.java
trunk/src/action/org/jboss/blog/session/security/SecurityObserver.java
trunk/view/manage/index.xhtml
trunk/view/security/security_manager.xhtml
Log:
Modified: trunk/resources/META-INF/security.drl
===================================================================
--- trunk/resources/META-INF/security.drl 2008-03-04 10:20:13 UTC (rev 236)
+++ trunk/resources/META-INF/security.drl 2008-03-04 12:53:20 UTC (rev 237)
@@ -88,6 +88,33 @@
c.grant();
end;
+// Security-management
+
+rule CanAddOrDeleteSecurityGroupOrUser
+when
+ (
+ c: PermissionCheck(name == "security_group", action == "add") or
+ c: PermissionCheck(name == "security_user", action == "add") or
+ c: PermissionCheck(name == "security_group", action == "delete") or
+ c: PermissionCheck(name == "security_user", action == "delete")
+ ) and
+ (
+ (
+ role : FeedsSecurityRole(this == FeedsSecurityRole.FEED_ADMIN) and
+ feed : Feed() and
+ group : Group() from feed.group and
+ FeedsCombinedRole(role == FeedsSecurityRole.GROUP_ADMIN, id == group.id)
+ ) or
+ (
+ role : FeedsSecurityRole(this == FeedsSecurityRole.GROUP_ADMIN) and
+ group : Group() and
+ FeedsCombinedRole(role == FeedsSecurityRole.GROUP_ADMIN, id == group.id)
+ )
+ )
+then
+ c.grant();
+end;
+
// View-related rules
rule CanViewGroupsManagement
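Review bot: CanAddOrDeleteSecurityGroupOrUser treats `delete` exactly like `add`, so a GROUP_ADMIN can retract GROUP_ADMIN mappings on their own group, including the mapping that grants them that right, and no last-administrator guard is visible anywhere in this commit; presumably a group can end up manageable only by a global ADMIN. The rule also cannot escalate: both branches require the caller to already hold GROUP_ADMIN on the target group (directly, or via `feed.group`), and an ADMIN role parameter matches neither branch, which is worth stating explicitly. The `Feed()` and `Group()` patterns match any fact of those types in the security working memory, so the check is only as precise as what `FeedsIdentity.hasPermission` inserts for it. I would put that above the rule: `// Grants only the role the caller already holds on the target group (or the feed's group); no path to ADMIN, but self-removal is allowed. Relies on the caller inserting exactly the target Feed/Group facts.`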
@@ -116,6 +143,16 @@
c.grant();
end;
+rule CanViewSecurity
+when
+ c: PermissionCheck(name == "security", action == "view") and
+ (
+ FeedsCombinedRole(role == FeedsSecurityRole.GROUP_ADMIN)
+ )
+then
+ c.grant();
+end;
+
rule CanViewManagement
when
c: PermissionCheck(name == "management", action == "view") and
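Review bot: CanViewSecurity grants `security/view` on `FeedsCombinedRole(role == FeedsSecurityRole.GROUP_ADMIN)` with no `id` constraint, so a GROUP_ADMIN of any single group can open the security pages for all groups; the per-group narrowing happens only in the view (`management_group/view` fragments) and in the `@Restrict` on the mutating actions. That layering is reasonable, but nothing in the rule file says so, and a later edit to either layer would silently widen access. Proposed comment above the rule: `// Coarse gate only: any GROUP_ADMIN may open the security pages. Per-group filtering is done in the view and every add/delete is re-checked by CanAddOrDeleteSecurityGroupOrUser.` How a global ADMIN reaches these pages is not visible in this hunk and presumably comes from a blanket rule elsewhere in the file.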
Modified: trunk/resources/WEB-INF/pages.xml
===================================================================
--- trunk/resources/WEB-INF/pages.xml 2008-03-04 10:20:13 UTC (rev 236)
+++ trunk/resources/WEB-INF/pages.xml 2008-03-04 12:53:20 UTC (rev 237)
@@ -289,6 +289,7 @@
<!-- Manage security -->
<page view-id="/security/security_manager.xhtml">
+ <restrict>#{identity.hasPermission('security', 'view')}</restrict>
<param name="securityGroup" converterId="securityGroupConverter" value="#{securityMod.restrictedSecurityGroup}" />
<param name="securityUser" converterId="securityUserConverter" value="#{securityMod.restrictedSecurityUser}" />
<param name="group" converterId="groupConverter" value="#{securityMod.group}" />
@@ -297,6 +298,7 @@
</page>
<page view-id="/security/security_group_add.xhtml">
+ <restrict>#{identity.hasPermission('security', 'view')}</restrict>
<param name="group" converterId="groupConverter" value="#{securityMod.group}" />
<param name="feed" converterId="feedConverter" value="#{securityMod.feed}" />
<param name="role" converterId="securityRoleConverter" value="#{securityMod.role}" />
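Review bot: The `<restrict>` added for security_group_add.xhtml checks only the coarse `security/view` permission and ignores the `group`, `feed` and `role` page parameters bound on the following lines, so any GROUP_ADMIN can render the add form for a group or feed they do not administer; the only thing stopping the submission is the `@Restrict` on `SecurityModBean.addSecurityGroup`. Since the action already spells out the precise check, the page could reuse it so the form is never shown for an unauthorized target: `<restrict>#{identity.hasPermission('security_group', 'add', securityMod.role, securityMod.group, securityMod.feed)}</restrict>` — provided Seam applies page parameters before evaluating the restriction in this version, which should be verified. The same applies to the security_user_add.xhtml page with the `security_user` permission.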
@@ -307,6 +309,7 @@
</page>
<page view-id="/security/security_user_add.xhtml">
+ <restrict>#{identity.hasPermission('security', 'view')}</restrict>
<param name="group" converterId="groupConverter" value="#{securityMod.group}" />
<param name="feed" converterId="feedConverter" value="#{securityMod.feed}" />
<param name="role" converterId="securityRoleConverter" value="#{securityMod.role}" />
Modified: trunk/src/action/org/jboss/blog/session/security/Authenticator.java
===================================================================
--- trunk/src/action/org/jboss/blog/session/security/Authenticator.java 2008-03-04 10:20:13 UTC (rev 236)
+++ trunk/src/action/org/jboss/blog/session/security/Authenticator.java 2008-03-04 12:53:20 UTC (rev 237)
@@ -2,6 +2,7 @@
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
+import org.jboss.seam.annotations.AutoCreate;
import org.jboss.blog.model.security.SecurityUser;
import org.jboss.blog.model.security.SecurityGroup;
import org.jboss.blog.model.security.SecurityMapping;
@@ -10,6 +11,7 @@
import java.util.List;
@Name("authenticator")
+ at AutoCreate
public class Authenticator {
@In
private FeedsIdentity identity;
@@ -24,6 +26,21 @@
}
}
}
+
+ private void flushRoles(SecurityUser user) {
+ identity.setSecurityUser(user);
+
+ identity.removeAllFeedsRoles();
+
+ addFeedRolesFromMappings(user.getMappings());
+ for (SecurityGroup securityGroup : externalSecurityService.getGroupsOfUser(user)) {
+ addFeedRolesFromMappings(securityGroup.getMappings());
+ }
+ }
+
+ public void flushRoles() {
+ flushRoles(externalSecurityService.getUnrestrictedSecurityUser(identity.getSecurityUser()));
+ }
public boolean authenticate() {
SecurityUser user;
@@ -34,15 +51,8 @@
return false;
}
- identity.setSecurityUser(user);
+ flushRoles(user);
- List<SecurityGroup> securityGroups = externalSecurityService.getGroupsOfUser(user);
-
- addFeedRolesFromMappings(user.getMappings());
- for (SecurityGroup securityGroup : securityGroups) {
- addFeedRolesFromMappings(securityGroup.getMappings());
- }
-
return true;
}
}
Modified: trunk/src/action/org/jboss/blog/session/security/FeedsIdentity.java
===================================================================
--- trunk/src/action/org/jboss/blog/session/security/FeedsIdentity.java 2008-03-04 10:20:13 UTC (rev 236)
+++ trunk/src/action/org/jboss/blog/session/security/FeedsIdentity.java 2008-03-04 12:53:20 UTC (rev 237)
@@ -43,14 +43,29 @@
StatefulSession securityContext = getSecurityContext();
if (securityContext != null) {
- getSecurityContext().insert(new FeedsCombinedRole(role, id));
- getSecurityContext().fireAllRules();
+ securityContext.insert(new FeedsCombinedRole(role, id));
+ securityContext.fireAllRules();
return true;
}
return false;
}
+ public void removeAllFeedsRoles() {
+ StatefulSession securityContext = getSecurityContext();
+
+ if (securityContext != null) {
+ //noinspection unchecked
+ Iterator<FeedsCombinedRole> iter = securityContext.iterateObjects(
+ new ClassObjectFilter(FeedsCombinedRole.class));
+ while (iter.hasNext()) {
+ FeedsCombinedRole r = iter.next();
+ FactHandle fh = getSecurityContext().getFactHandle(r);
+ getSecurityContext().retract(fh);
+ }
+ }
+ }
+
public void removeFeedsRole(FeedsSecurityRole role) {
removeFeedsRole(role, null);
}
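Review bot: removeAllFeedsRoles retracts facts while still walking the iterator returned by `securityContext.iterateObjects(...)`, and depending on the Drools version that iterator is backed by the same object store being mutated, which risks a ConcurrentModificationException or skipped roles — the latter would leave stale privileges in place after a "flush". The body also switches back to `getSecurityContext()` on lines 173–174 even though the hunk just above replaced that pattern with the local `securityContext` to avoid repeated lookups. Collect the handles first, then retract through the local; `List`/`ArrayList` would need to be in scope in the import block, which is outside this hunk.
```java
public void removeAllFeedsRoles() {
    StatefulSession securityContext = getSecurityContext();
    if (securityContext == null) {
        return;
    }
    // Snapshot the handles first: retracting through the live iterateObjects()
    // iterator mutates the object store it is walking.
    List<FactHandle> handles = new ArrayList<FactHandle>();
    Iterator<?> iter = securityContext.iterateObjects(new ClassObjectFilter(FeedsCombinedRole.class));
    while (iter.hasNext()) {
        handles.add(securityContext.getFactHandle(iter.next()));
    }
    for (FactHandle fh : handles) {
        securityContext.retract(fh);
    }
}
```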
@@ -74,4 +89,23 @@
}
}
}
+
+ public boolean hasPermission(String s, String s1, Object... objects) {
+ int arraySize = 0;
+ for (Object object : objects) {
+ if (object != null) {
+ arraySize++;
+ }
+ }
+
+ Object[] newObjects = new Object[arraySize];
+ int arrayIndex = 0;
+ for (Object object : objects) {
+ if (object != null) {
+ newObjects[arrayIndex++] = object;
+ }
+ }
+
+ return super.hasPermission(s, s1, newObjects);
+ }
}
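Review bot: The `hasPermission` override silently drops null arguments before delegating to `super.hasPermission`, with no comment saying why and parameter names (`s`, `s1`, `objects`) that hide that these are the permission name, action and rule facts; it also lacks `@Override` and would NPE on line 189 if `objects` itself is null. The reason is presumably that Seam inserts every argument into the Drools working memory and a null insert fails, but dropping a fact has a semantic cost: a rule pattern such as `Feed()` then matches any other Feed fact present rather than failing, so rules must not rely on a null argument meaning "no feed". Suggested header: `/** Drops null facts before delegating, since the rule-based identity inserts each argument into the working memory (nulls cannot be inserted). Rules must therefore not depend on a null argument being present as a fact. */`, plus `@Override`, meaningful parameter names, and `if (objects == null) { objects = new Object[0]; }` as the first statement.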
Modified: trunk/src/action/org/jboss/blog/session/security/SecurityModBean.java
===================================================================
--- trunk/src/action/org/jboss/blog/session/security/SecurityModBean.java 2008-03-04 10:20:13 UTC (rev 236)
+++ trunk/src/action/org/jboss/blog/session/security/SecurityModBean.java 2008-03-04 12:53:20 UTC (rev 237)
@@ -4,6 +4,7 @@
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.annotations.AutoCreate;
import org.jboss.seam.annotations.In;
+import org.jboss.seam.annotations.security.Restrict;
import org.jboss.seam.ScopeType;
import org.jboss.seam.faces.FacesMessages;
import org.jboss.blog.model.security.*;
@@ -139,6 +140,7 @@
return getMapping(getRole(), idForRole);
}
+ @Restrict("#{identity.hasPermission('security_group', 'add', securityMod.role, securityMod.group, securityMod.feed)}")
public void addSecurityGroup() {
SecurityGroup sg = externalSecurityService.getUnrestrictedSecurityGroup(getRestrictedSecurityGroup());
SecurityMapping mapping = getMapping();
@@ -160,6 +162,7 @@
externalSecurityService.getDisplayName(sg), param);
}
+ @Restrict("#{identity.hasPermission('security_group', 'delete', securityMod.role, securityMod.group, securityMod.feed)}")
public void deleteSecurityGroup() {
SecurityGroup sg = externalSecurityService.getUnrestrictedSecurityGroup(getRestrictedSecurityGroup());
SecurityMapping mapping = getMapping();
@@ -179,7 +182,7 @@
externalSecurityService.getDisplayName(sg), param);
}
- public void addSecurityUser() {
+ public void addSecurityUserAsSuperUser() {
SecurityUser su = externalSecurityService.getUnrestrictedSecurityUser(getRestrictedSecurityUser());
SecurityMapping mapping = getMapping();
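Review bot: Renaming the unrestricted method to `addSecurityUserAsSuperUser` leaves a public, `@Restrict`-free method on a Seam component that grants security roles, reachable through any EL binding that resolves `securityMod`; the rename documents the intent but does not enforce it. The only legitimate caller in this commit is `SecurityObserver.groupCreated`, which lives in the same package, so narrowing visibility is worth trying if the Seam proxy still dispatches it, and in any case the contract should be written down: `/** Creates the mapping WITHOUT a permission check; for trusted internal callers only (SecurityObserver). All user-facing paths must go through addSecurityUser(). */`. The rest of the method body runs past the end of this hunk.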
@@ -200,6 +203,12 @@
externalSecurityService.getDisplayName(su), param);
}
+ @Restrict("#{identity.hasPermission('security_user', 'add', securityMod.role, securityMod.group, securityMod.feed)}")
+ public void addSecurityUser() {
+ addSecurityUserAsSuperUser();
+ }
+
+ @Restrict("#{identity.hasPermission('security_user', 'delete', securityMod.role, securityMod.group, securityMod.feed)}")
public void deleteSecurityUser() {
SecurityUser su = externalSecurityService.getUnrestrictedSecurityUser(getRestrictedSecurityUser());
SecurityMapping mapping = getMapping();
Modified: trunk/src/action/org/jboss/blog/session/security/SecurityObserver.java
===================================================================
--- trunk/src/action/org/jboss/blog/session/security/SecurityObserver.java 2008-03-04 10:20:13 UTC (rev 236)
+++ trunk/src/action/org/jboss/blog/session/security/SecurityObserver.java 2008-03-04 12:53:20 UTC (rev 237)
@@ -25,6 +25,9 @@
@In
private SecurityModBean securityMod;
+ @In
+ private Authenticator authenticator;
+
@Observer({"org.jboss.blog.group.updated"})
public void groupUpdated(Group group) { }
@@ -34,9 +37,11 @@
securityMod.setGroup(group);
securityMod.setRestrictedSecurityUser(identity.getSecurityUser());
- securityMod.addSecurityUser();
+ securityMod.addSecurityUserAsSuperUser();
entityManager.flush();
+
+ authenticator.flushRoles();
}
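Review bot: The switch to `securityMod.addSecurityUserAsSuperUser()` at line 267 is a deliberate bypass of the `security_user/add` permission, but the call site does not say so, and a reader comparing it with `addSecurityUser()` could "fix" it back and silently break group creation (the creator presumably cannot yet hold GROUP_ADMIN on a group that did not exist a moment ago). The following `authenticator.flushRoles()` recomputes roles from `identity.getSecurityUser()`, so this observer assumes an authenticated identity, which matches `setRestrictedSecurityUser(identity.getSecurityUser())` two lines earlier. Proposed comment above line 267: `// Unchecked path on purpose: the creator has no GROUP_ADMIN on the new group yet, so the restricted addSecurityUser() would deny this bootstrap grant.` The observer method begins before this hunk.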
@Observer({"org.jboss.blog.group.deleted"})
Modified: trunk/view/manage/index.xhtml
===================================================================
--- trunk/view/manage/index.xhtml 2008-03-04 10:20:13 UTC (rev 236)
+++ trunk/view/manage/index.xhtml 2008-03-04 12:53:20 UTC (rev 237)
@@ -34,7 +34,8 @@
</s:fragment>
<s:fragment rendered="#{identity.hasPermission('management_groups', 'view') ||
identity.hasPermission('management_template', 'view') ||
- identity.hasPermission('management_update', 'view')}">
+ identity.hasPermission('management_update', 'view') ||
+ identity.hasPermission('security', 'view')}">
<dt>Other operations:</dt>
<hr />
<s:fragment rendered="#{identity.hasPermission('management_groups', 'view')}">
@@ -46,6 +47,9 @@
<s:fragment rendered="#{identity.hasPermission('management_update', 'view')}">
<dd><s:link value="Manage updates" view="/manage/update_manager.xhtml" /></dd>
</s:fragment>
+ <s:fragment rendered="#{identity.hasPermission('security', 'view')}">
+ <dd><s:link value="Manage security" view="/security/security_manager.xhtml" /></dd>
+ </s:fragment>
</s:fragment>
<s:fragment rendered="#{identity.hasPermission('admin', null)}">
<dt>Global posts operations:</dt>
Modified: trunk/view/security/security_manager.xhtml
===================================================================
--- trunk/view/security/security_manager.xhtml 2008-03-04 10:20:13 UTC (rev 236)
+++ trunk/view/security/security_manager.xhtml 2008-03-04 12:53:20 UTC (rev 237)
@@ -12,103 +12,109 @@
Security manager
</ui:define>
<ui:define name="body">
-<h3>Administrators:</h3>
-<table cellspacing="5" class="deftable" width="75%">
- <tr>
- <td class="term" width="15%" />
- <td class="def">
- <ul>
- <ui:repeat var="securityGroup" value="#{securityMod.administratorGroups}">
- <li>
- #{externalSecurityService.getDisplayName(securityGroup)}
- (
- <s:link value="delete" action="#{securityMod.deleteSecurityGroup}">
- <f:param name="role" value="ADMIN" />
- <f:param name="securityGroup" value="#{securityGroup.externalId}" />
- </s:link>
- )
- </li>
- </ui:repeat>
+<s:fragment rendered="#{identity.hasPermission('admin', null)}">
+ <h3>Administrators:</h3>
- <s:link value="Add group" view="/security/security_group_add.xhtml">
- <f:param name="role" value="ADMIN" />
- </s:link>
- </ul>
- </td>
- <td class="def">
- <ul>
- <ui:repeat var="securityUser" value="#{securityMod.administratorUsers}">
- <li>
- #{externalSecurityService.getDisplayName(securityUser)}
- (
- <s:link value="delete" action="#{securityMod.deleteSecurityUser}">
- <f:param name="role" value="ADMIN" />
- <f:param name="securityUser" value="#{securityUser.externalId}" />
- </s:link>
- )
- </li>
- </ui:repeat>
-
- <s:link value="Add user" view="/security/security_user_add.xhtml">
- <f:param name="role" value="ADMIN" />
- </s:link>
- </ul>
- </td>
- </tr>
-</table>
-<h3>Feed groups administrators:</h3>
-
-<table cellspacing="5" class="deftable" width="75%">
- <ui:repeat var="group" value="#{groupsService.allGroups}">
+ <table cellspacing="5" class="deftable" width="75%">
<tr>
- <td class="term" width="15%">#{group.displayName}</td>
+ <td class="term" width="15%" />
<td class="def">
- <ui:repeat var="securityGroup" value="#{securityMod.getGroupAdministratorGroups(group)}">
- <li>
- #{externalSecurityService.getDisplayName(securityGroup)}
- (
- <s:link value="delete" action="#{securityMod.deleteSecurityGroup}">
- <f:param name="role" value="GROUP_ADMIN" />
- <f:param name="group" value="#{group.id}" />
- <f:param name="securityGroup" value="#{securityGroup.externalId}" />
- </s:link>
- )
- </li>
- </ui:repeat>
+ <ul>
+ <ui:repeat var="securityGroup" value="#{securityMod.administratorGroups}">
+ <li>
+ #{externalSecurityService.getDisplayName(securityGroup)}
+ (
+ <s:link value="delete" action="#{securityMod.deleteSecurityGroup}">
+ <f:param name="role" value="ADMIN" />
+ <f:param name="securityGroup" value="#{securityGroup.externalId}" />
+ </s:link>
+ )
+ </li>
+ </ui:repeat>
- <s:link value="Add group" view="/security/security_group_add.xhtml">
- <f:param name="role" value="GROUP_ADMIN" />
- <f:param name="group" value="#{group.id}" />
- </s:link>
+ <s:link value="Add user group" view="/security/security_group_add.xhtml">
+ <f:param name="role" value="ADMIN" />
+ </s:link>
+ </ul>
</td>
<td class="def">
- <ui:repeat var="securityUser" value="#{securityMod.getGroupAdministratorUsers(group)}">
- <li>
- #{externalSecurityService.getDisplayName(securityUser)}
- (
- <s:link value="delete" action="#{securityMod.deleteSecurityUser}">
- <f:param name="role" value="GROUP_ADMIN" />
- <f:param name="group" value="#{group.id}" />
- <f:param name="securityUser" value="#{securityUser.externalId}" />
- </s:link>
- )
- </li>
- </ui:repeat>
+ <ul>
+ <ui:repeat var="securityUser" value="#{securityMod.administratorUsers}">
+ <li>
+ #{externalSecurityService.getDisplayName(securityUser)}
+ (
+ <s:link value="delete" action="#{securityMod.deleteSecurityUser}">
+ <f:param name="role" value="ADMIN" />
+ <f:param name="securityUser" value="#{securityUser.externalId}" />
+ </s:link>
+ )
+ </li>
+ </ui:repeat>
- <s:link value="Add user" view="/security/security_user_add.xhtml">
- <f:param name="role" value="GROUP_ADMIN" />
- <f:param name="group" value="#{group.id}" />
- </s:link>
+ <s:link value="Add user" view="/security/security_user_add.xhtml">
+ <f:param name="role" value="ADMIN" />
+ </s:link>
+ </ul>
</td>
</tr>
+ </table>
+</s:fragment>
+
+<h3>Feed groups administrators:</h3>
+
+<table cellspacing="5" class="deftable" width="75%">
+ <ui:repeat var="group" value="#{groupsService.allGroups}">
+ <s:fragment rendered="#{identity.hasPermission('management_group', 'view', group)}">
+ <tr>
+ <td class="term" width="15%">#{group.displayName}</td>
+ <td class="def">
+ <ui:repeat var="securityGroup" value="#{securityMod.getGroupAdministratorGroups(group)}">
+ <li>
+ #{externalSecurityService.getDisplayName(securityGroup)}
+ (
+ <s:link value="delete" action="#{securityMod.deleteSecurityGroup}">
+ <f:param name="role" value="GROUP_ADMIN" />
+ <f:param name="group" value="#{group.id}" />
+ <f:param name="securityGroup" value="#{securityGroup.externalId}" />
+ </s:link>
+ )
+ </li>
+ </ui:repeat>
+
+ <s:link value="Add user group" view="/security/security_group_add.xhtml">
+ <f:param name="role" value="GROUP_ADMIN" />
+ <f:param name="group" value="#{group.id}" />
+ </s:link>
+ </td>
+ <td class="def">
+ <ui:repeat var="securityUser" value="#{securityMod.getGroupAdministratorUsers(group)}">
+ <li>
+ #{externalSecurityService.getDisplayName(securityUser)}
+ (
+ <s:link value="delete" action="#{securityMod.deleteSecurityUser}">
+ <f:param name="role" value="GROUP_ADMIN" />
+ <f:param name="group" value="#{group.id}" />
+ <f:param name="securityUser" value="#{securityUser.externalId}" />
+ </s:link>
+ )
+ </li>
+ </ui:repeat>
+
+ <s:link value="Add user" view="/security/security_user_add.xhtml">
+ <f:param name="role" value="GROUP_ADMIN" />
+ <f:param name="group" value="#{group.id}" />
+ </s:link>
+ </td>
+ </tr>
+ </s:fragment>
</ui:repeat>
</table>
<h3>Feed administrators:</h3>
<ui:repeat var="group" value="#{groupsService.allGroups}">
- <s:fragment rendered="#{groupsService.acceptedFeeds(group).size() > 0}">
+ <s:fragment rendered="#{identity.hasPermission('management_group', 'view', group)}">
#{group.displayName}:
<table cellspacing="5" class="deftable" width="75%">
<ui:repeat var="feed" value="#{groupsService.acceptedFeeds(group)}">
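Review bot: The "Feed administrators" fragment at line 482 replaces the former `groupsService.acceptedFeeds(group).size() > 0` guard with the permission check instead of combining them, so a group the viewer administers but that has no accepted feeds now renders its heading and an empty table; `rendered="#{identity.hasPermission('management_group', 'view', group) and groupsService.acceptedFeeds(group).size() > 0}"` keeps both behaviors. Note that these `rendered` conditions are presentation only — the delete links and add pages they hide remain protected solely by the `@Restrict` annotations in SecurityModBean, which is fine as long as that stays true. Minor markup point: the group-administrator cells at lines 438–449 and 457–468 emit `<li>` items with no enclosing `<ul>`, unlike the ADMIN section just above.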
@@ -128,7 +134,7 @@
</li>
</ui:repeat>
- <s:link value="Add group" view="/security/security_group_add.xhtml">
+ <s:link value="Add user group" view="/security/security_group_add.xhtml">
<f:param name="role" value="FEED_ADMIN" />
<f:param name="feed" value="#{feed.name}" />
</s:link>