portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rwat...@apache.org
Subject svn commit: r345432 - in /portals/jetspeed-2/trunk/components/page-manager: ./ src/java/org/apache/jetspeed/om/page/impl/ src/java/org/apache/jetspeed/page/impl/ src/test/ src/test/org/apache/jetspeed/page/
Date Fri, 18 Nov 2005 03:38:04 GMT
Author: rwatler
Date: Thu Nov 17 19:37:59 2005
New Revision: 345432

URL: http://svn.apache.org/viewcvs?rev=345432&view=rev
Log:
complete permissions implementation and implement secure permissions test case

Added:
    portals/jetspeed-2/trunk/components/page-manager/src/test/org/apache/jetspeed/page/TestSecurePermissionsDatabasePageManager.java
    portals/jetspeed-2/trunk/components/page-manager/src/test/secure-permissions-database-page-manager.xml
Modified:
    portals/jetspeed-2/trunk/components/page-manager/maven.xml
    portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/om/page/impl/BaseElementImpl.java
    portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/om/page/impl/FragmentImpl.java
    portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/page/impl/DatabasePageManager.java
    portals/jetspeed-2/trunk/components/page-manager/src/test/org/apache/jetspeed/page/TestSecureDatabasePageManager.java
    portals/jetspeed-2/trunk/components/page-manager/src/test/secure-database-page-manager.xml

Modified: portals/jetspeed-2/trunk/components/page-manager/maven.xml
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/page-manager/maven.xml?rev=345432&r1=345431&r2=345432&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/components/page-manager/maven.xml (original)
+++ portals/jetspeed-2/trunk/components/page-manager/maven.xml Thu Nov 17 19:37:59 2005
@@ -16,9 +16,10 @@
 -->
 <project default="java:jar" xmlns:j="jelly:core" xmlns:define="jelly:define">
 
-    <property name='testcase' value='org.apache.jetspeed.page.TestSecureDatabasePageManager'
/>  
+<!--    <property name='testcase' value='org.apache.jetspeed.page.TestSecurePermissionsDatabasePageManager'
/>  -->
+<!--    <property name='testcase' value='org.apache.jetspeed.page.TestSecureDatabasePageManager'
/>  -->
 <!--    <property name='testcase' value='org.apache.jetspeed.page.TestDatabasePageManager'
/>  -->
-<!--    <property name='testcase' value='org.apache.jetspeed.page.TestCastorXmlPageManager'
/>  -->
+    <property name='testcase' value='org.apache.jetspeed.page.TestCastorXmlPageManager'
/>
     
 
     <preGoal name="test:test">

Modified: portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/om/page/impl/BaseElementImpl.java
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/om/page/impl/BaseElementImpl.java?rev=345432&r1=345431&r2=345432&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/om/page/impl/BaseElementImpl.java
(original)
+++ portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/om/page/impl/BaseElementImpl.java
Thu Nov 17 19:37:59 2005
@@ -375,7 +375,7 @@
     public void checkPermissions(String actions) throws SecurityException
     {
         // skip checks if not enabled
-        if (getPermissionsEnabled())
+        if (!getPermissionsEnabled())
         {
             return;
         }

Modified: portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/om/page/impl/FragmentImpl.java
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/om/page/impl/FragmentImpl.java?rev=345432&r1=345431&r2=345432&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/om/page/impl/FragmentImpl.java
(original)
+++ portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/om/page/impl/FragmentImpl.java
Thu Nov 17 19:37:59 2005
@@ -15,6 +15,7 @@
  */
 package org.apache.jetspeed.om.page.impl;
 
+import java.security.AccessController;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.Iterator;
@@ -25,6 +26,7 @@
 import org.apache.jetspeed.om.folder.Folder;
 import org.apache.jetspeed.om.page.Fragment;
 import org.apache.jetspeed.om.page.PageSecurity;
+import org.apache.jetspeed.security.FragmentPermission;
 import org.apache.ojb.broker.PersistenceBroker;
 import org.apache.ojb.broker.PersistenceBrokerException;
 
@@ -226,6 +228,16 @@
     }
 
     /* (non-Javadoc)
+     * @see org.apache.jetspeed.om.page.impl.BaseElementImpl#checkPermissions(java.lang.String,
java.lang.String, boolean, boolean)
+     */
+    public void checkPermissions(String path, String actions, boolean checkNodeOnly, boolean
checkParentsOnly) throws SecurityException
+    {
+        // always check for granted fragment permissions
+        FragmentPermission permission = new FragmentPermission(path, actions);
+        AccessController.checkPermission(permission);
+    }
+
+    /* (non-Javadoc)
      * @see org.apache.jetspeed.om.common.SecuredResource#getConstraintsEnabled()
      */
     public boolean getConstraintsEnabled()
@@ -249,20 +261,6 @@
         return false;
     }
 
-    /* (non-Javadoc)
-     * @see org.apache.jetspeed.om.common.SecuredResource#checkAccess(java.lang.String)
-     */
-    public void checkAccess(String actions) throws SecurityException
-    {
-        // check access permissions and constraints only
-        // for view access: all other permissions granted
-        // implicitly via access to page
-        if ((actions != null) && (actions.indexOf(SecuredResource.VIEW_ACTION) !=
-1))
-        {
-            super.checkAccess(SecuredResource.VIEW_ACTION);
-        }
-    }
-    
     /* (non-Javadoc)
      * @see org.apache.jetspeed.om.page.Fragment#getType()
      */

Modified: portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/page/impl/DatabasePageManager.java
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/page/impl/DatabasePageManager.java?rev=345432&r1=345431&r2=345432&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/page/impl/DatabasePageManager.java
(original)
+++ portals/jetspeed-2/trunk/components/page-manager/src/java/org/apache/jetspeed/page/impl/DatabasePageManager.java
Thu Nov 17 19:37:59 2005
@@ -648,16 +648,22 @@
             }
             else
             {
+                // determine if folder is new by checking autoincrement id
+                boolean newFolder = folder.getId().equals("0");
+
                 // check for edit access on folder and parent folder
-                folder.checkAccess(SecuredResource.EDIT_ACTION);
+                // if not being initially created; access is not
+                // checked on create
+                if (!newFolder || !folder.getPath().equals(Folder.PATH_SEPARATOR))
+                {
+                    folder.checkAccess(SecuredResource.EDIT_ACTION);
+                }
 
                 // create root folder or update folder
-                boolean newFolder = folder.getId().equals("0");
                 getPersistenceBrokerTemplate().store(folder);
-                newFolder = (newFolder && !folder.getId().equals("0"));
 
                 // notify page manager listeners
-                if (newFolder)
+                if (newFolder && !folder.getId().equals("0"))
                 {
                     delegator.notifyNewNode(folder);
                 }

Modified: portals/jetspeed-2/trunk/components/page-manager/src/test/org/apache/jetspeed/page/TestSecureDatabasePageManager.java
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/page-manager/src/test/org/apache/jetspeed/page/TestSecureDatabasePageManager.java?rev=345432&r1=345431&r2=345432&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/components/page-manager/src/test/org/apache/jetspeed/page/TestSecureDatabasePageManager.java
(original)
+++ portals/jetspeed-2/trunk/components/page-manager/src/test/org/apache/jetspeed/page/TestSecureDatabasePageManager.java
Thu Nov 17 19:37:59 2005
@@ -20,7 +20,6 @@
 import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.List;
-import java.util.Locale;
 import java.util.Set;
                                                                                         
            
 import javax.security.auth.Subject;
@@ -43,17 +42,17 @@
 import junit.framework.TestSuite;
 
 /**
- * TestPageXmlPersistence
+ * TestSecureDatabasePageManager
  * 
- * @author <a href="taylor@apache.org">David Sean Taylor</a>
+ * @author <a href="rwatler@apache.org">Randy Watler</a>
  * @version $Id: $
  *          
  */
 public class TestSecureDatabasePageManager extends DatasourceEnabledSpringTestCase
 {
-    private PageManager pageManager;
+    protected PageManager pageManager;
 
-    private String somePortletId;
+    protected String somePortletId;
     
     public static void main(String args[])
     {
@@ -64,7 +63,7 @@
     protected void setUp() throws Exception
     {
         super.setUp();
-        pageManager = (PageManager)ctx.getBean("securePageManager");
+        pageManager = (PageManager)ctx.getBean("pageManager");
     }
 
     public static Test suite()
@@ -110,7 +109,7 @@
         Subject guestSubject = new Subject(true, principals, new HashSet(), new HashSet());
 
         // setup test as admin user
-        Exception setup = (Exception)Subject.doAs(adminSubject, new PrivilegedAction()
+        Exception setup = (Exception)Subject.doAsPrivileged(adminSubject, new PrivilegedAction()
             {
                 public Object run()
                 {
@@ -202,14 +201,14 @@
                         return e;
                     }
                 }
-            });
+            }, null);
         if (setup != null)
         {
             throw setup;
         }
 
         // access test as admin user
-        Exception adminAccess = (Exception)Subject.doAs(adminSubject, new PrivilegedAction()
+        Exception adminAccess = (Exception)Subject.doAsPrivileged(adminSubject, new PrivilegedAction()
             {
                 public Object run()
                 {
@@ -241,14 +240,14 @@
                         return e;
                     }
                 }
-            });
+            }, null);
         if (adminAccess != null)
         {
             throw adminAccess;
         }
 
         // access test as user user
-        Exception userAccess = (Exception)Subject.doAs(userSubject, new PrivilegedAction()
+        Exception userAccess = (Exception)Subject.doAsPrivileged(userSubject, new PrivilegedAction()
             {
                 public Object run()
                 {
@@ -301,14 +300,14 @@
                         return e;
                     }
                 }
-            });
+            }, null);
         if (userAccess != null)
         {
             throw userAccess;
         }
 
         // access test as manager user
-        Exception managerAccess = (Exception)Subject.doAs(managerSubject, new PrivilegedAction()
+        Exception managerAccess = (Exception)Subject.doAsPrivileged(managerSubject, new PrivilegedAction()
             {
                 public Object run()
                 {
@@ -359,14 +358,14 @@
                         return e;
                     }
                 }
-            });
+            }, null);
         if (managerAccess != null)
         {
             throw managerAccess;
         }
 
         // access test as guest user
-        Exception guestAccess = (Exception)Subject.doAs(guestSubject, new PrivilegedAction()
+        Exception guestAccess = (Exception)Subject.doAsPrivileged(guestSubject, new PrivilegedAction()
             {
                 public Object run()
                 {
@@ -424,14 +423,14 @@
                         return e;
                     }
                 }
-            });
+            }, null);
         if (guestAccess != null)
         {
             throw guestAccess;
         }
 
         // cleanup test as admin user
-        Exception cleanup = (Exception)Subject.doAs(adminSubject, new PrivilegedAction()
+        Exception cleanup = (Exception)Subject.doAsPrivileged(adminSubject, new PrivilegedAction()
             {
                 public Object run()
                 {
@@ -456,7 +455,7 @@
                         return e;
                     }
                 }
-            });
+            }, null);
         if (cleanup != null)
         {
             throw cleanup;

Added: portals/jetspeed-2/trunk/components/page-manager/src/test/org/apache/jetspeed/page/TestSecurePermissionsDatabasePageManager.java
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/page-manager/src/test/org/apache/jetspeed/page/TestSecurePermissionsDatabasePageManager.java?rev=345432&view=auto
==============================================================================
--- portals/jetspeed-2/trunk/components/page-manager/src/test/org/apache/jetspeed/page/TestSecurePermissionsDatabasePageManager.java
(added)
+++ portals/jetspeed-2/trunk/components/page-manager/src/test/org/apache/jetspeed/page/TestSecurePermissionsDatabasePageManager.java
Thu Nov 17 19:37:59 2005
@@ -0,0 +1,188 @@
+/*
+ * Copyright 2000-2004 The Apache Software Foundation.
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jetspeed.page;
+
+import java.security.AllPermission;
+import java.security.CodeSource;
+import java.security.Permission;
+import java.security.PermissionCollection;
+import java.security.Permissions;
+import java.security.Policy;
+import java.security.Principal;
+import java.security.ProtectionDomain;
+
+import org.apache.jetspeed.security.FolderPermission;
+import org.apache.jetspeed.security.FragmentPermission;
+import org.apache.jetspeed.security.GroupPrincipal;
+import org.apache.jetspeed.security.PagePermission;
+import org.apache.jetspeed.security.RolePrincipal;
+import org.apache.jetspeed.security.UserPrincipal;
+
+import junit.framework.Test;
+import junit.framework.TestSuite;
+
+/**
+ * TestSecurePermissionsDatabasePersistence
+ * 
+ * @author <a href="rwatler@apache.org">Randy Watler</a>
+ * @version $Id: $
+ *          
+ */
+public class TestSecurePermissionsDatabasePageManager extends TestSecureDatabasePageManager
+{
+    public static class PageManagerPermissionsPolicy extends Policy
+    {
+        private Policy defaultPolicy;
+
+        public PageManagerPermissionsPolicy(Policy defaultPolicy)
+        {
+            this.defaultPolicy = defaultPolicy;
+        }
+
+        public boolean implies(ProtectionDomain domain, Permission permission)
+        {
+            // classify policy query for local test case; this implementation
+            // is not optimized: multiple protection domains exist on the
+            // call stack, so this method will be invoked 2-3 times for each
+            // access check with the identical principals and permission
+            Principal[] principals = domain.getPrincipals();
+            if ((principals != null) && (principals.length > 0) &&
+                ((permission instanceof FolderPermission) ||
+                 (permission instanceof PagePermission) ||
+                 (permission instanceof FragmentPermission)))
+            {
+                // check permission using principals if available
+                Permissions permissions = new Permissions();
+                for (int i = 0; (i < principals.length); i++)
+                {
+                    if (principals[i] instanceof UserPrincipal)
+                    {
+                        // get permissions for users
+                        String user = principals[i].getName();
+                        if (user.equals("admin"))
+                        {
+                            // owner permissions
+                            permissions.add(new FolderPermission("/", "view, edit"));
+                            permissions.add(new PagePermission("/default-page.psml", "view,
edit"));
+                        }
+                        else if (user.equals("user"))
+                        {
+                            // owner permissions
+                            permissions.add(new FragmentPermission("/default-page.psml/some-app::SomePortlet",
"view, edit"));
+                            
+                            // granted permissions
+                            permissions.add(new PagePermission("/user-page.psml", "view,
edit"));
+                            permissions.add(new FragmentPermission("/user-page.psml/*", "view"));
+                        }
+                        
+                        // public view permissions
+                        permissions.add(new FolderPermission("/", "view"));
+                        permissions.add(new PagePermission("/default-page.psml", "view"));
+                        permissions.add(new PagePermission("/page.security", "view"));
+                        permissions.add(new FragmentPermission("security::*", "view"));
+                    }
+                    else if (principals[i] instanceof RolePrincipal)
+                    {
+                        // get permissions for roles
+                        String role = principals[i].getName();
+                        if (role.equals("admin"))
+                        {
+                            // global permissions
+                            permissions.add(new FolderPermission("<<ALL FILES>>",
"view, edit"));
+                            permissions.add(new FragmentPermission("<<ALL FRAGMENTS>>",
"view, edit"));
+                        }
+                        else if (role.equals("manager"))
+                        {
+                            // granted permissions
+                            permissions.add(new PagePermission("/default-page.psml", "edit"));
+                        }
+                    }
+                }
+                
+                // check permission
+                if (permissions.implies(permission))
+                {
+                    return true;
+                }
+            }
+
+            // check default permissions
+            if (defaultPolicy != null)
+            {
+                return defaultPolicy.implies(domain, permission);
+            }
+            return false;
+        }
+
+        public PermissionCollection getPermissions(ProtectionDomain domain)
+        {
+            // return default permissions only since
+            // domain and permsission not available
+            if (defaultPolicy != null)
+            {
+                return defaultPolicy.getPermissions(domain);
+            }
+            return new Permissions();
+        }
+
+        public PermissionCollection getPermissions(CodeSource codesource)
+        {
+            // return default permissions only since
+            // domain and permsission not available
+            if (defaultPolicy != null)
+            {
+                return defaultPolicy.getPermissions(codesource);
+            }
+            return new Permissions();
+        }
+
+        public void refresh()
+        {
+            // propagate refresh
+            if (defaultPolicy != null)
+            {
+                defaultPolicy.refresh();
+            }
+        }
+    }
+
+    public static void main(String args[])
+    {
+        junit.awtui.TestRunner.main(new String[]
+        { TestSecurePermissionsDatabasePageManager.class.getName() });
+    }
+    
+    protected void setUp() throws Exception
+    {
+        super.setUp();
+
+        // configure custom policy for test
+        Policy.setPolicy(new PageManagerPermissionsPolicy(Policy.getPolicy()));
+        Policy.getPolicy().refresh();
+    }
+
+    public static Test suite()
+    {
+        // All methods starting with "test" will be executed in the test suite.
+        return new TestSuite(TestSecurePermissionsDatabasePageManager.class);
+    }
+    
+    protected String[] getConfigurations()
+    {
+        return new String[]
+        { "secure-permissions-database-page-manager.xml", "transaction.xml" };
+    }
+}

Modified: portals/jetspeed-2/trunk/components/page-manager/src/test/secure-database-page-manager.xml
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/page-manager/src/test/secure-database-page-manager.xml?rev=345432&r1=345431&r2=345432&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/components/page-manager/src/test/secure-database-page-manager.xml
(original)
+++ portals/jetspeed-2/trunk/components/page-manager/src/test/secure-database-page-manager.xml
Thu Nov 17 19:37:59 2005
@@ -35,7 +35,7 @@
     </bean>
 
     <!-- Transaction Proxying -->
-    <bean id="org.apache.jetspeed.page.PageManager" name="securePageManager" parent="baseTransactionProxy">
+    <bean id="org.apache.jetspeed.page.PageManager" name="pageManager" parent="baseTransactionProxy">
         <property name="proxyInterfaces">
             <value>org.apache.jetspeed.page.PageManager</value>
         </property>

Added: portals/jetspeed-2/trunk/components/page-manager/src/test/secure-permissions-database-page-manager.xml
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/page-manager/src/test/secure-permissions-database-page-manager.xml?rev=345432&view=auto
==============================================================================
--- portals/jetspeed-2/trunk/components/page-manager/src/test/secure-permissions-database-page-manager.xml
(added)
+++ portals/jetspeed-2/trunk/components/page-manager/src/test/secure-permissions-database-page-manager.xml
Thu Nov 17 19:37:59 2005
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
+<!--
+Copyright 2004 The Apache Software Foundation
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<beans>
+
+    <!-- Page Manager -->
+    <bean id="org.apache.jetspeed.page.PageManagerImpl" 
+          name="securePermissionsPageManagerImpl"
+          init-method="init"
+          class="org.apache.jetspeed.page.impl.DatabasePageManager">
+        <!-- OJB configuration file resource path -->
+        <constructor-arg index="0"><value>JETSPEED-INF/ojb/page-manager-repository.xml</value></constructor-arg>
      
+        <!-- folder/page/link cache size, default=128, min=128 -->
+        <constructor-arg index="1"><value>128</value></constructor-arg>
+        <!-- folder/page/link cache expires seconds, default=150, infinite=0, min=30 -->
+        <constructor-arg index="2"><value>0</value></constructor-arg>
+        <!-- permissions security enabled flag, default=false -->
+        <constructor-arg index="3"><value>true</value></constructor-arg>
+        <!-- constraints security enabled flag, default=true -->
+        <constructor-arg index="4"><value>false</value></constructor-arg>
+    </bean>
+
+    <!-- Transaction Proxying -->
+    <bean id="org.apache.jetspeed.page.PageManager" name="pageManager" parent="baseTransactionProxy">
+        <property name="proxyInterfaces">
+            <value>org.apache.jetspeed.page.PageManager</value>
+        </property>
+        <property name="target">
+            <ref bean="securePermissionsPageManagerImpl" />
+        </property>
+        <property name="transactionAttributes">
+            <props>
+                <prop key="*">PROPAGATION_SUPPORTS</prop>
+                <prop key="get*">PROPAGATION_REQUIRED,-org.apache.jetspeed.page.document.NodeException</prop>
+                <prop key="update*">PROPAGATION_REQUIRED,-org.apache.jetspeed.page.document.NodeException</prop>
+                <prop key="remove*">PROPAGATION_REQUIRED,-org.apache.jetspeed.page.document.NodeException</prop>
+            </props>
+        </property>
+    </bean>
+
+
+</beans>



---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org


Mime
View raw message