[jboss-cvs] JBossAS SVN: r80624 - in projects/security/security-jboss-sx/trunk: acl/src/tests/java/org/jboss/test/security/acl and 5 other directories.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Thu Nov 6 18:31:09 EST 2008
Author: sguilhen at redhat.com
Date: 2008-11-06 18:31:09 -0500 (Thu, 06 Nov 2008)
New Revision: 80624
Modified:
projects/security/security-jboss-sx/trunk/acl/src/main/java/org/jboss/security/acl/ACLEntryImpl.java
projects/security/security-jboss-sx/trunk/acl/src/tests/java/org/jboss/test/security/acl/ACLUnitTestCase.java
projects/security/security-jboss-sx/trunk/jbosssx-mc-int/.classpath
projects/security/security-jboss-sx/trunk/jbosssx-mc-int/src/test/java/org/jboss/test/security/microcontainer/metadata/support/MockAuthorizationManager.java
projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/plugins/JBossAuthorizationManager.java
projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/plugins/acl/JBossACLContext.java
projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/authorization/acl/JBossAuthorizationManagerACLUnitTestCase.java
Log:
SECURITY-318: changed JBossACLContext and JBossAuthorizationManager to implement the method authorize(resource, identity, permission) defined in their respective interfaces.
- Changed ACLEntryImpl.checkPermission method to return true only if the identity has all the permissions (as oposed to only one of them).
- Changed JBossAuthorizationManagerACLUnitTestCase to test the new authorize method in JBossAuthorizationManager.
Modified: projects/security/security-jboss-sx/trunk/acl/src/main/java/org/jboss/security/acl/ACLEntryImpl.java
===================================================================
--- projects/security/security-jboss-sx/trunk/acl/src/main/java/org/jboss/security/acl/ACLEntryImpl.java 2008-11-06 23:27:11 UTC (rev 80623)
+++ projects/security/security-jboss-sx/trunk/acl/src/main/java/org/jboss/security/acl/ACLEntryImpl.java 2008-11-06 23:31:09 UTC (rev 80624)
@@ -178,8 +178,8 @@
// an empty permission is always part of another permission.
if (bitmaskPermission.getMaskValue() == 0)
return true;
- // simple implementation: if any bit matches, return true.
- return (this.permission.getMaskValue() & bitmaskPermission.getMaskValue()) != 0;
+ // simple implementation: if all bits match, return true.
+ return (this.permission.getMaskValue() & bitmaskPermission.getMaskValue()) == bitmaskPermission.getMaskValue();
}
/*
Modified: projects/security/security-jboss-sx/trunk/acl/src/tests/java/org/jboss/test/security/acl/ACLUnitTestCase.java
===================================================================
--- projects/security/security-jboss-sx/trunk/acl/src/tests/java/org/jboss/test/security/acl/ACLUnitTestCase.java 2008-11-06 23:27:11 UTC (rev 80623)
+++ projects/security/security-jboss-sx/trunk/acl/src/tests/java/org/jboss/test/security/acl/ACLUnitTestCase.java 2008-11-06 23:31:09 UTC (rev 80624)
@@ -69,8 +69,7 @@
/**
* <p>
- * Tests the execution of the {@code isGranted} method with different permissions and
- * identities.
+ * Tests the execution of the {@code isGranted} method with different permissions and identities.
* </p>
*
* @throws Exception if an error occurs when running the test.
@@ -83,8 +82,6 @@
// test the identity associated with a basic permission.
assertTrue(acl.isGranted(BasicACLPermission.READ, this.identities[0]));
- assertTrue(acl.isGranted(new CompositeACLPermission(BasicACLPermission.READ, BasicACLPermission.UPDATE),
- this.identities[0]));
assertFalse(acl.isGranted(BasicACLPermission.DELETE, this.identities[0]));
assertFalse(acl.isGranted(new CompositeACLPermission(BasicACLPermission.CREATE, BasicACLPermission.UPDATE),
this.identities[0]));
@@ -101,7 +98,7 @@
// test the identities associated to composite permissions.
assertTrue(acl.isGranted(BasicACLPermission.READ, this.identities[2]));
- assertTrue(acl.isGranted(new CompositeACLPermission(BasicACLPermission.READ, BasicACLPermission.UPDATE),
+ assertFalse(acl.isGranted(new CompositeACLPermission(BasicACLPermission.READ, BasicACLPermission.UPDATE),
this.identities[2]));
assertFalse(acl.isGranted(BasicACLPermission.CREATE, this.identities[2]));
assertFalse(acl.isGranted(new CompositeACLPermission(BasicACLPermission.UPDATE, BasicACLPermission.DELETE),
@@ -109,10 +106,11 @@
assertTrue(acl.isGranted(BasicACLPermission.CREATE, this.identities[3]));
assertTrue(acl.isGranted(BasicACLPermission.UPDATE, this.identities[3]));
- assertTrue(acl.isGranted(new CompositeACLPermission(BasicACLPermission.READ, BasicACLPermission.DELETE),
+ assertTrue(acl.isGranted(new CompositeACLPermission(BasicACLPermission.CREATE, BasicACLPermission.DELETE),
this.identities[3]));
assertFalse(acl.isGranted(BasicACLPermission.READ, this.identities[3]));
- assertFalse(acl.isGranted(new CompositeACLPermission(BasicACLPermission.READ), this.identities[3]));
+ assertFalse(acl.isGranted(new CompositeACLPermission(BasicACLPermission.READ, BasicACLPermission.UPDATE),
+ this.identities[3]));
for (BasicACLPermission permission : BasicACLPermission.values())
assertTrue(acl.isGranted(permission, this.identities[4]));
Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/plugins/JBossAuthorizationManager.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/plugins/JBossAuthorizationManager.java 2008-11-06 23:27:11 UTC (rev 80623)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/plugins/JBossAuthorizationManager.java 2008-11-06 23:31:09 UTC (rev 80624)
@@ -52,6 +52,7 @@
import org.jboss.security.authorization.AuthorizationContext;
import org.jboss.security.authorization.AuthorizationException;
import org.jboss.security.authorization.EntitlementHolder;
+import org.jboss.security.authorization.Permission;
import org.jboss.security.authorization.Resource;
import org.jboss.security.callbacks.SecurityContextCallback;
import org.jboss.security.identity.Identity;
@@ -76,7 +77,7 @@
public class JBossAuthorizationManager
implements AuthorizationManager
{
- private String securityDomain;
+ private final String securityDomain;
private static Logger log = Logger.getLogger(JBossAuthorizationManager.class);
@@ -84,8 +85,10 @@
private AuthorizationContext authorizationContext = null;
+ private ACLContext aclContext = null;
+
//Lock deals with synchronization of authorizationContext usage
- private Lock lock = new ReentrantLock();
+ private final Lock lock = new ReentrantLock();
public JBossAuthorizationManager(String securityDomainName)
{
@@ -130,16 +133,30 @@
this.validateResource(resource);
return internalAuthorization(resource, subject, getRoleGroup(roleGroup));
}
-
+ /*
+ * (non-Javadoc)
+ *
+ * @see org.jboss.security.AuthorizationManager#authorize(org.jboss.security.authorization.Resource,
+ * org.jboss.security.identity.Identity, org.jboss.security.authorization.Permission)
+ */
+ public int authorize(Resource resource, Identity identity, Permission permission)
+ throws AuthorizationException
+ {
+ if(this.aclContext == null)
+ this.aclContext = new JBossACLContext(this.securityDomain);
+ return aclContext.authorize(resource, identity, permission);
+ }
+
/**
* @see AuthorizationManager#entitlements(Class, Resource, Identity)
*/
public <T> EntitlementHolder<T> getEntitlements(Class<T> clazz,
Resource resource, Identity identity)
throws AuthorizationException
- {
- ACLContext aclContext = new JBossACLContext(this.securityDomain);
+ {
+ if(this.aclContext == null)
+ this.aclContext = new JBossACLContext(this.securityDomain);
return aclContext.getEntitlements(clazz, resource, identity);
}
@@ -172,7 +189,7 @@
Iterator<Principal> iter = rolePrincipals.iterator();
while( hasRole == false && iter.hasNext() )
{
- Principal role = (Principal) iter.next();
+ Principal role = iter.next();
hasRole = doesRoleGroupHaveRole(role, roles);
if( trace )
log.trace("hasRole("+role+")="+hasRole);
@@ -404,7 +421,7 @@
if(trace)
log.trace("Roles before mapping:"+ userRoles);
mc.performMapping(contextMap, userRoles);
- mappedUserRoles = (RoleGroup) mc.getMappingResult().getMappedObject();
+ mappedUserRoles = mc.getMappingResult().getMappedObject();
if(trace)
log.trace("Roles after mapping:"+ userRoles);
}
@@ -472,7 +489,7 @@
Group roles = null;
while( iter.hasNext() )
{
- Group grp = (Group) iter.next();
+ Group grp = iter.next();
String name = grp.getName();
if( name.equals(ROLES_IDENTIFIER) )
roles = grp;
Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/plugins/acl/JBossACLContext.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/plugins/acl/JBossACLContext.java 2008-11-06 23:27:11 UTC (rev 80623)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/plugins/acl/JBossACLContext.java 2008-11-06 23:31:09 UTC (rev 80624)
@@ -1,26 +1,29 @@
/*
- * JBoss, Home of Professional Open Source
- * Copyright 2007, JBoss Inc., and individual contributors as indicated
- * by the @authors tag. See the copyright.txt in the distribution for a
- * full listing of individual contributors.
- *
- * This is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Lesser General Public License as
- * published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this software; if not, write to the Free
- * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
- * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
- */
+ * JBoss, Home of Professional Open Source
+ * Copyright 2007, JBoss Inc., and individual contributors as indicated
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
package org.jboss.security.plugins.acl;
+import static org.jboss.security.authorization.AuthorizationContext.DENY;
+import static org.jboss.security.authorization.AuthorizationContext.PERMIT;
+
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
@@ -30,41 +33,45 @@
import org.jboss.logging.Logger;
import org.jboss.security.acl.ACLContext;
+import org.jboss.security.acl.ACLPermission;
import org.jboss.security.acl.ACLProvider;
import org.jboss.security.acl.config.ACLProviderEntry;
import org.jboss.security.authorization.AuthorizationException;
import org.jboss.security.authorization.EntitlementHolder;
+import org.jboss.security.authorization.Permission;
import org.jboss.security.authorization.Resource;
import org.jboss.security.config.ACLInfo;
import org.jboss.security.config.ApplicationPolicy;
+import org.jboss.security.config.ControlFlag;
import org.jboss.security.config.SecurityConfiguration;
import org.jboss.security.identity.Identity;
-//$Id$
+// $Id$
/**
- * Default Implementation of ACLContext
- * @author Anil.Saldhana at redhat.com
- * @since Jan 30, 2008
- * @version $Revision$
+ * Default Implementation of ACLContext
+ *
+ * @author Anil.Saldhana at redhat.com
+ * @since Jan 30, 2008
+ * @version $Revision$
*/
public class JBossACLContext extends ACLContext
{
private static Logger log = Logger.getLogger(JBossACLContext.class);
- private boolean trace = log.isTraceEnabled();
-
+
+ private final boolean trace = log.isTraceEnabled();
+
public JBossACLContext(String name)
{
this.securityDomainName = name;
}
@Override
- public <T> EntitlementHolder<T> getEntitlements(final Class<T> clazz,
- final Resource resource, final Identity identity)
- throws AuthorizationException
+ public <T> EntitlementHolder<T> getEntitlements(final Class<T> clazz, final Resource resource,
+ final Identity identity) throws AuthorizationException
{
Set<T> aggregateEntitlements = null;
-
+
try
{
initializeModules(resource, identity);
@@ -72,17 +79,17 @@
catch (PrivilegedActionException e1)
{
throw new RuntimeException(e1);
- }
- //Do a PrivilegedAction
+ }
+ // Do a PrivilegedAction
try
{
- aggregateEntitlements = AccessController.doPrivileged(new PrivilegedExceptionAction<Set<T>>()
+ aggregateEntitlements = AccessController.doPrivileged(new PrivilegedExceptionAction<Set<T>>()
{
- public Set<T> run() throws AuthorizationException
+ public Set<T> run() throws AuthorizationException
{
- Set<T> entitlements = invokeACL(clazz,resource,identity);
+ Set<T> entitlements = invokeACL(clazz, resource, identity);
invokeTeardown();
-
+
return entitlements;
}
});
@@ -90,112 +97,226 @@
catch (PrivilegedActionException e)
{
Exception exc = e.getException();
- if(trace)
- log.trace("Error in authorize:", exc);
+ if (trace)
+ log.trace("Error in authorize:", exc);
invokeTeardown();
- throw ((AuthorizationException)exc);
+ throw ((AuthorizationException) exc);
}
-
+
final Set<T> result = aggregateEntitlements;
return new EntitlementHolder<T>()
- {
+ {
public Set<T> getEntitled()
{
return result;
}
};
}
-
- private void initializeModules(Resource resource, Identity identity)
- throws PrivilegedActionException
- {
- ACLInfo aclInfo = getACLInfo(securityDomainName, resource);
- if(aclInfo == null)
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see org.jboss.security.acl.ACLContext#authorize(org.jboss.security.authorization.Resource,
+ * org.jboss.security.identity.Identity, org.jboss.security.authorization.Permission)
+ */
+ @Override
+ public int authorize(final Resource resource, final Identity identity, final Permission permission)
+ throws AuthorizationException
+ {
+
+ if (permission instanceof ACLPermission == false)
+ throw new AuthorizationException("Unable to process permission of type " + permission.getClass());
+
+ // instantiate and initialize the ACL modules.
+ try
+ {
+ initializeModules(resource, identity);
+ }
+ catch (PrivilegedActionException pae)
+ {
+ throw new RuntimeException(pae);
+ }
+
+ // invoke the module's isAccessGranted method to figure out whether identity has or not access to the resource.
+ Integer result;
+ try
+ {
+ result = (Integer) AccessController.doPrivileged(new PrivilegedExceptionAction<Object>()
+ {
+ public Object run() throws AuthorizationException
+ {
+ return invokeAuthorize(resource, identity, (ACLPermission) permission);
+ }
+ });
+ }
+ catch (PrivilegedActionException e)
+ {
+ Exception exc = e.getException();
+ if (trace)
+ log.trace("Error authorizing identity " + identity + ":", exc);
+ this.invokeTeardown();
+ throw ((AuthorizationException) exc);
+ }
+ return result;
+ }
+
+ private void initializeModules(Resource resource, Identity identity) throws PrivilegedActionException
+ {
+ super.modules.clear();
+ ACLInfo aclInfo = getACLInfo(securityDomainName, resource);
+ if (aclInfo == null)
throw new IllegalStateException("ACL Info is null");
ACLProviderEntry[] entries = aclInfo.getACLProviderEntry();
int len = entries != null ? entries.length : 0;
- for(int i = 0 ; i < len; i++)
+ for (int i = 0; i < len; i++)
{
- ACLProviderEntry entry = entries[i];
- modules.add(instantiateModule(entry.getAclProviderName(),
- entry.getOptions()));
+ ACLProviderEntry entry = entries[i];
+ super.modules.add(instantiateModule(entry.getAclProviderName(), entry.getOptions()));
+ super.controlFlags.add(entry.getControlFlag());
}
}
-
- private ACLProvider instantiateModule(String name,
- Map<String,Object> map)
- throws PrivilegedActionException
+
+ private ACLProvider instantiateModule(String name, Map<String, Object> map) throws PrivilegedActionException
{
ACLProvider am = null;
ClassLoader tcl = SecurityActions.getContextClassLoader();
try
{
Class<?> clazz = tcl.loadClass(name);
- am = (ACLProvider)clazz.newInstance();
+ am = (ACLProvider) clazz.newInstance();
}
- catch ( Exception e)
+ catch (Exception e)
{
- log.debug("Error instantiating AuthorizationModule:",e);
- }
- if(am == null)
- throw new IllegalStateException("ACLProvider has not " +
- "been instantiated");
- am.initialize(this.sharedState,map);
+ log.debug("Error instantiating AuthorizationModule:", e);
+ }
+ if (am == null)
+ throw new IllegalStateException("ACLProvider has not " + "been instantiated");
+ am.initialize(this.sharedState, map);
return am;
}
-
- private <T> Set<T> invokeACL(Class<T> clazz, Resource resource, Identity identity)
- throws AuthorizationException
- {
+
+ private <T> Set<T> invokeACL(Class<T> clazz, Resource resource, Identity identity) throws AuthorizationException
+ {
Set<T> entitlements = new HashSet<T>();
int length = modules.size();
- for(int i = 0; i < length; i++)
+ for (int i = 0; i < length; i++)
{
- ACLProvider module = (ACLProvider)modules.get(i);
+ ACLProvider module = modules.get(i);
try
{
Set<T> er = module.getEntitlements(clazz, resource, identity);
- if(er == null)
- throw new AuthorizationException("module "+module.getClass().getName()
- +" generated null entitlements.");
+ if (er == null)
+ throw new AuthorizationException("module " + module.getClass().getName()
+ + " generated null entitlements.");
entitlements.addAll(er);
}
- catch(Exception ae)
- {
+ catch (Exception ae)
+ {
throw new AuthorizationException(ae.getMessage());
}
}
return entitlements;
}
-
+
+ /**
+ * <p>
+ * This method calls the configured ACL modules in order to determine of the specified identity has the expected
+ * permissions to access a resource.
+ * </p>
+ *
+ * @param resource the {@code Resource} that is to be accessed by the specified identity.
+ * @param identity the {@code Identity} trying to access the resource.
+ * @param permission the expected permissions of the identity.
+ * @return {@code AuthorizationContext#PERMIT} if the identity is has the expected permissions;
+ * {@code AuthorizationContext#DENY} otherwise.
+ * @throws AuthorizationException if an error occurs while calling the ACL modules.
+ */
+ private int invokeAuthorize(Resource resource, Identity identity, ACLPermission permission)
+ throws AuthorizationException
+ {
+ // if there are no ACL modules, allow access to the resource.
+ if (super.modules == null || super.modules.size() == 0)
+ return PERMIT;
+
+ boolean encounteredRequiredError = false;
+ int overallDecision = DENY;
+
+ for (int i = 0; i < super.modules.size(); i++)
+ {
+ ACLProvider module = super.modules.get(i);
+ ControlFlag flag = super.controlFlags.get(i);
+ int decision = DENY;
+ try
+ {
+ decision = module.isAccessGranted(resource, identity, permission) ? PERMIT : DENY;
+ if (trace)
+ log.trace("ACL module " + module.getClass().getName() + (decision == PERMIT ? " granted " : " denied ")
+ + "access to resource " + resource);
+ // if decision is PERMIT and module is SUFFICIENT, the overall result is PERMIT.
+ if (decision == PERMIT)
+ {
+ overallDecision = PERMIT;
+ if (flag == ControlFlag.SUFFICIENT && encounteredRequiredError == false)
+ {
+ if (trace)
+ log.trace("SUFFICIENT module succeeded: overall status=PERMIT");
+ break;
+ }
+ }
+ // if decision is DENY and module is REQUISITE, the overall result is DENY.
+ else if (flag == ControlFlag.REQUISITE)
+ {
+ if (trace)
+ log.trace("REQUISITE module failed: overall status=DENY");
+ overallDecision = DENY;
+ break;
+ }
+ // if decision is DENY and module is REQUIRED, set flag indicating the required module failed.
+ else if (flag == ControlFlag.REQUIRED)
+ {
+ if (trace)
+ log.trace("REQUIRED module failed: overall status=DENY");
+ encounteredRequiredError = true;
+ }
+ }
+ catch (Exception ae)
+ {
+ throw new AuthorizationException(ae.getMessage());
+ }
+ }
+ if (encounteredRequiredError == true)
+ overallDecision = DENY;
+
+ return overallDecision;
+ }
+
private ACLInfo getACLInfo(String domainName, Resource resource)
- {
- ApplicationPolicy aPolicy = SecurityConfiguration.getApplicationPolicy(domainName);
-
- if(aPolicy == null)
+ {
+ ApplicationPolicy aPolicy = SecurityConfiguration.getApplicationPolicy(domainName);
+
+ if (aPolicy == null)
{
- if(trace)
- log.trace("Application Policy not obtained for domain="+ domainName +
- ". Trying to obtain the App policy for the default domain of the layer:");
- aPolicy = SecurityConfiguration.getApplicationPolicy(resource.getLayer().name());
+ if (trace)
+ log.trace("Application Policy not obtained for domain=" + domainName
+ + ". Trying to obtain the App policy for the default domain of the layer:");
+ aPolicy = SecurityConfiguration.getApplicationPolicy(resource.getLayer().name());
}
- if(aPolicy == null)
- throw new IllegalStateException("Application Policy is null for domain:"+ domainName);
-
- return aPolicy.getAclInfo();
- }
-
- private void invokeTeardown()
- throws AuthorizationException
+ if (aPolicy == null)
+ throw new IllegalStateException("Application Policy is null for domain:" + domainName);
+
+ return aPolicy.getAclInfo();
+ }
+
+ private void invokeTeardown() throws AuthorizationException
{
int length = modules.size();
- for(int i = 0; i < length; i++)
+ for (int i = 0; i < length; i++)
{
- ACLProvider module = (ACLProvider)modules.get(i);
+ ACLProvider module = modules.get(i);
boolean bool = module.tearDown();
- if(!bool)
- throw new AuthorizationException("TearDown on module failed:"+module.getClass());
- }
+ if (!bool)
+ throw new AuthorizationException("TearDown on module failed:" + module.getClass());
+ }
modules.clear();
}
@@ -204,7 +325,7 @@
{
StringBuilder builder = new StringBuilder();
builder.append("[").append(getClass().getCanonicalName()).append("()");
- builder.append(this.securityDomainName).append(")]");
+ builder.append(this.securityDomainName).append(")]");
return builder.toString();
- }
+ }
}
\ No newline at end of file
Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/authorization/acl/JBossAuthorizationManagerACLUnitTestCase.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/authorization/acl/JBossAuthorizationManagerACLUnitTestCase.java 2008-11-06 23:27:11 UTC (rev 80623)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/authorization/acl/JBossAuthorizationManagerACLUnitTestCase.java 2008-11-06 23:31:09 UTC (rev 80624)
@@ -33,6 +33,7 @@
import org.jboss.security.acl.CompositeACLPermission;
import org.jboss.security.acl.EntitlementEntry;
import org.jboss.security.acl.config.ACLProviderEntry;
+import org.jboss.security.authorization.AuthorizationContext;
import org.jboss.security.authorization.EntitlementHolder;
import org.jboss.security.authorization.PolicyRegistration;
import org.jboss.security.authorization.Resource;
@@ -40,6 +41,7 @@
import org.jboss.security.config.ACLInfo;
import org.jboss.security.config.ApplicationPolicy;
import org.jboss.security.config.SecurityConfiguration;
+import org.jboss.security.identity.Identity;
import org.jboss.security.identity.plugins.IdentityFactory;
import org.jboss.security.plugins.JBossAuthorizationManager;
import org.jboss.security.plugins.JBossPolicyRegistration;
@@ -81,6 +83,13 @@
SecurityConfiguration.addApplicationPolicy(ap);
}
+ @Override
+ protected void tearDown() throws Exception
+ {
+ // unregister the application policy.
+ SecurityConfiguration.removeApplicationPolicy("test-acl");
+ }
+
/**
* <p>
* Tests the results of the {@code AuthorizationManager#getEntitlements} method when the ACLs have been specified in
@@ -139,6 +148,62 @@
/**
* <p>
+ * Tests the results of the {@code AuthorizationManager#authorize} method when the ACLs have been specified in an ACL
+ * configuration file and registered with the {@code PolicyRegistration}.
+ * </p>
+ *
+ * @throws Exception if an error occurs while running the test.
+ */
+ public void testAuthorize() throws Exception
+ {
+ Resource resource1 = new ACLTestResource(10);
+ Resource resource2 = new ACLTestResource(20);
+
+ // using the authorization manager, check if the identities have the expected permissions.
+ JBossAuthorizationManager jam = new JBossAuthorizationManager("test-acl");
+
+ // check that Administrator has all permissions on both resources.
+ Identity identity = IdentityFactory.createIdentity("Administrator");
+ assertEquals(AuthorizationContext.PERMIT, jam.authorize(resource1, identity, new CompositeACLPermission(
+ BasicACLPermission.values())));
+ assertEquals(AuthorizationContext.PERMIT, jam.authorize(resource2, identity, new CompositeACLPermission(
+ BasicACLPermission.values())));
+
+ // check that Guest has only READ permission on resource1.
+ identity = IdentityFactory.createIdentity("Guest");
+ assertEquals(AuthorizationContext.PERMIT, jam.authorize(resource1, identity, BasicACLPermission.READ));
+ assertEquals(AuthorizationContext.DENY, jam.authorize(resource1, identity, BasicACLPermission.CREATE));
+ assertEquals(AuthorizationContext.DENY, jam.authorize(resource1, identity, BasicACLPermission.UPDATE));
+ assertEquals(AuthorizationContext.DENY, jam.authorize(resource1, identity, BasicACLPermission.DELETE));
+
+ // check that Guest has READ and UPDATE permissions on resource2.
+ assertEquals(AuthorizationContext.PERMIT, jam.authorize(resource2, identity, BasicACLPermission.READ));
+ assertEquals(AuthorizationContext.PERMIT, jam.authorize(resource2, identity, BasicACLPermission.UPDATE));
+ assertEquals(AuthorizationContext.PERMIT, jam.authorize(resource2, identity, new CompositeACLPermission(
+ BasicACLPermission.READ, BasicACLPermission.UPDATE)));
+ assertEquals(AuthorizationContext.DENY, jam.authorize(resource2, identity, BasicACLPermission.CREATE));
+ assertEquals(AuthorizationContext.DENY, jam.authorize(resource2, identity, BasicACLPermission.DELETE));
+ assertEquals(AuthorizationContext.DENY, jam.authorize(resource2, identity, new CompositeACLPermission(
+ BasicACLPermission.values())));
+
+ // check that Regular_User doesn't have any permissions on resource1.
+ identity = IdentityFactory.createIdentity("Regular_User");
+ for(BasicACLPermission permission : BasicACLPermission.values())
+ assertEquals(AuthorizationContext.DENY, jam.authorize(resource1, identity, permission));
+
+ // check that Regular_User has READ and UPDATE permissions on resource2.
+ assertEquals(AuthorizationContext.PERMIT, jam.authorize(resource2, identity, BasicACLPermission.READ));
+ assertEquals(AuthorizationContext.PERMIT, jam.authorize(resource2, identity, BasicACLPermission.UPDATE));
+ assertEquals(AuthorizationContext.PERMIT, jam.authorize(resource2, identity, new CompositeACLPermission(
+ BasicACLPermission.READ, BasicACLPermission.UPDATE)));
+ assertEquals(AuthorizationContext.DENY, jam.authorize(resource2, identity, BasicACLPermission.CREATE));
+ assertEquals(AuthorizationContext.DENY, jam.authorize(resource2, identity, BasicACLPermission.DELETE));
+ assertEquals(AuthorizationContext.DENY, jam.authorize(resource2, identity, new CompositeACLPermission(
+ BasicACLPermission.values())));
+ }
+
+ /**
+ * <p>
* Creates and returns a map that contains the specified set of {@code EntitlementEntry} objects keyed by their
* resources ids.
* </p>
Modified: projects/security/security-jboss-sx/trunk/jbosssx-mc-int/.classpath
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx-mc-int/.classpath 2008-11-06 23:27:11 UTC (rev 80623)
+++ projects/security/security-jboss-sx/trunk/jbosssx-mc-int/.classpath 2008-11-06 23:31:09 UTC (rev 80624)
@@ -46,7 +46,7 @@
<classpathentry kind="var" path="M2_REPO/org/jboss/jboss-mdr/2.0.0.Beta15/jboss-mdr-2.0.0.Beta15.jar"/>
<classpathentry kind="var" path="M2_REPO/org/jboss/jboss-reflect/2.0.0.Beta12/jboss-reflect-2.0.0.Beta12.jar"/>
<classpathentry kind="var" path="M2_REPO/org/jboss/security/jboss-security-acl-impl/2.0.2-SNAPSHOT/jboss-security-acl-impl-2.0.2-SNAPSHOT.jar" sourcepath="M2_REPO/org/jboss/security/jboss-security-acl-impl/2.0.2-SNAPSHOT/jboss-security-acl-impl-2.0.2-SNAPSHOT-sources.jar"/>
- <classpathentry kind="var" path="M2_REPO/org/jboss/security/jboss-security-spi/2.0.2.CR6/jboss-security-spi-2.0.2.CR6.jar"/>
+ <classpathentry kind="var" path="M2_REPO/org/jboss/security/jboss-security-spi/2.0.2-SNAPSHOT/jboss-security-spi-2.0.2-SNAPSHOT.jar"/>
<classpathentry kind="var" path="M2_REPO/org/jboss/javaee/jboss-servlet-api/2.5.0.CR1/jboss-servlet-api-2.5.0.CR1.jar"/>
<classpathentry kind="var" path="M2_REPO/org/jboss/security/jboss-sunxacml/2.0.2.GA/jboss-sunxacml-2.0.2.GA.jar"/>
<classpathentry kind="var" path="M2_REPO/org/jboss/jboss-test/1.0.4.GA/jboss-test-1.0.4.GA.jar"/>
Modified: projects/security/security-jboss-sx/trunk/jbosssx-mc-int/src/test/java/org/jboss/test/security/microcontainer/metadata/support/MockAuthorizationManager.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx-mc-int/src/test/java/org/jboss/test/security/microcontainer/metadata/support/MockAuthorizationManager.java 2008-11-06 23:27:11 UTC (rev 80623)
+++ projects/security/security-jboss-sx/trunk/jbosssx-mc-int/src/test/java/org/jboss/test/security/microcontainer/metadata/support/MockAuthorizationManager.java 2008-11-06 23:31:09 UTC (rev 80624)
@@ -32,6 +32,7 @@
import org.jboss.security.AuthorizationManager;
import org.jboss.security.authorization.AuthorizationException;
import org.jboss.security.authorization.EntitlementHolder;
+import org.jboss.security.authorization.Permission;
import org.jboss.security.authorization.Resource;
import org.jboss.security.identity.Identity;
import org.jboss.security.identity.RoleGroup;
@@ -106,6 +107,18 @@
/*
* (non-Javadoc)
*
+ * @see org.jboss.security.AuthorizationManager#authorize(org.jboss.security.authorization.Resource,
+ * org.jboss.security.identity.Identity, org.jboss.security.authorization.Permission)
+ */
+ public int authorize(final Resource resource, Identity identity, Permission permission)
+ throws AuthorizationException
+ {
+ return 0;
+ }
+
+ /*
+ * (non-Javadoc)
+ *
* @see org.jboss.security.AuthorizationManager#doesUserHaveRole(java.security.Principal, java.util.Set)
*/
public boolean doesUserHaveRole(Principal principal, Set<Principal> roles)
More information about the jboss-cvs-commits
mailing list