portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rwat...@apache.org
Subject svn commit: r1466334 - in /portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src: java/org/apache/jetspeed/om/page/ java/org/apache/jetspeed/om/page/impl/ java/org/apache/jetspeed/om/page/psml/ test/org/apache/jetspeed/page/
Date Wed, 10 Apr 2013 05:03:11 GMT
Author: rwatler
Date: Wed Apr 10 05:03:10 2013
New Revision: 1466334

URL: http://svn.apache.org/r1466334
Log:
JS2-1281: Implement security constraint reference expressions

Added:
    portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/java/org/apache/jetspeed/om/page/SecurityConstraintsRefExpression.java
    portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/java/org/apache/jetspeed/om/page/SecurityConstraintsRefParser.java
    portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/java/org/apache/jetspeed/om/page/SecurityConstraintsRefToken.java
Modified:
    portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/java/org/apache/jetspeed/om/page/impl/SecurityConstraintsImpl.java
    portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/java/org/apache/jetspeed/om/page/psml/SecurityConstraintsImpl.java
    portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/test/org/apache/jetspeed/page/PageManagerTestShared.java
    portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/test/org/apache/jetspeed/page/TestSecureCastorXmlPageManager.java
    portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/test/org/apache/jetspeed/page/TestSecureDatabasePageManager.java

Added: portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/java/org/apache/jetspeed/om/page/SecurityConstraintsRefExpression.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/java/org/apache/jetspeed/om/page/SecurityConstraintsRefExpression.java?rev=1466334&view=auto
==============================================================================
--- portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/java/org/apache/jetspeed/om/page/SecurityConstraintsRefExpression.java (added)
+++ portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/java/org/apache/jetspeed/om/page/SecurityConstraintsRefExpression.java Wed Apr 10 05:03:10 2013
@@ -0,0 +1,159 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jetspeed.om.page;
+
+import java.util.Iterator;
+import java.util.List;
+import java.util.Stack;
+
+/**
+ * SecurityConstraintsRefExpression
+ *
+ * @author <a href="mailto:rwatler@apache.org">Randy Watler</a>
+ * @version $Id$
+ */
+public class SecurityConstraintsRefExpression
+{
+    private String constraintsRef;
+    private List constraintsRefTokens;
+
+    SecurityConstraintsRefExpression(String constraintsRef, List constraintsRefTokens)
+    {
+        this.constraintsRef = constraintsRef;
+        this.constraintsRefTokens = constraintsRefTokens;
+    }
+
+    /**
+     * Check expression against action and principals. The security
+     * constraints and embedded logical operations are evaluated and
+     * the resulting permission is returned.
+     *
+     * @param action check action
+     * @param userPrincipals check user principals
+     * @param rolePrincipals check role principals
+     * @param groupPrincipals check group principals
+     * @return flag indicating permission grant
+     * @throws RuntimeException if expression evaluation error occurs
+     */
+    public boolean checkExpression(String action, List userPrincipals, List rolePrincipals, List groupPrincipals)
+    {
+        // evaluate postfix constraints ref tokens
+        Stack operandsStack = new Stack();
+        Iterator constraintsRefTokensIter = constraintsRefTokens.iterator();
+        while (constraintsRefTokensIter.hasNext())
+        {
+            SecurityConstraintsRefToken token = (SecurityConstraintsRefToken)constraintsRefTokensIter.next();
+            String tokenOperation = token.getOperation();
+            if (tokenOperation != null)
+            {
+                if (tokenOperation.equals(SecurityConstraintsRefToken.NOT_OPERATION))
+                {
+                    if (operandsStack.size() >= 1)
+                    {
+                        boolean operand = ((Boolean)operandsStack.pop()).booleanValue();
+                        operand = !operand;
+                        operandsStack.push(new Boolean(operand));
+                    }
+                    else
+                    {
+                        throw new RuntimeException("Missing NOT expression operand in \""+constraintsRef+"\"");
+                    }
+                }
+                else if (tokenOperation.equals(SecurityConstraintsRefToken.AND_OPERATION))
+                {
+                    if (operandsStack.size() >= 2)
+                    {
+                        boolean operand0 = ((Boolean)operandsStack.pop()).booleanValue();
+                        boolean operand1 = ((Boolean)operandsStack.pop()).booleanValue();
+                        boolean operand = (operand0 && operand1);
+                        operandsStack.push(new Boolean(operand));
+                    }
+                    else
+                    {
+                        throw new RuntimeException("Missing AND expression operand in \""+constraintsRef+"\"");
+                    }
+                }
+                else if (tokenOperation.equals(SecurityConstraintsRefToken.OR_OPERATION))
+                {
+                    if (operandsStack.size() >= 2)
+                    {
+                        boolean operand0 = ((Boolean)operandsStack.pop()).booleanValue();
+                        boolean operand1 = ((Boolean)operandsStack.pop()).booleanValue();
+                        boolean operand = (operand0 || operand1);
+                        operandsStack.push(new Boolean(operand));
+                    }
+                    else
+                    {
+                        throw new RuntimeException("Missing OR expression operand in \""+constraintsRef+"\"");
+                    }
+                }
+                else
+                {
+                    throw new RuntimeException("Unexpected expression operator "+tokenOperation+" in \""+constraintsRef+"\"");
+                }
+            }
+            else if (token.getConstraint() != null)
+            {
+                // evaluate security constraint operand and place on stack
+                boolean operand = checkExpressionConstraint(action, userPrincipals, rolePrincipals, groupPrincipals, token.getConstraint());
+                operandsStack.push(new Boolean(operand));
+            }
+            else
+            {
+                throw new RuntimeException("Unexpected expression token in \""+constraintsRef+"\"");
+            }
+        }
+
+        // return single operand left on stack
+        if (operandsStack.size() == 1)
+        {
+            return ((Boolean)operandsStack.pop()).booleanValue();
+        }
+        else
+        {
+            throw new RuntimeException("Unexpected expression operand in \""+constraintsRef+"\"");
+        }
+    }
+
+    /**
+     * Check expression constraint against action and principals. Note that
+     * expression constraints without permissions, denials, are treated as
+     * simply negative grants: they do not necessarily imply the expression
+     * check will fail as they do when specified or referenced as security
+     * constraints proper.
+     *
+     * @param action check action
+     * @param userPrincipals check user principals
+     * @param rolePrincipals check role principals
+     * @param groupPrincipals check group principals
+     * @param constraint check constraint
+     * @return flag indicating permission grant
+     */
+    private boolean checkExpressionConstraint(String action, List userPrincipals, List rolePrincipals, List groupPrincipals, SecurityConstraintImpl constraint)
+    {
+        if (constraint.getPermissions() != null)
+        {
+            // permitted if action matches permissions and user/role/group match principals
+            return (constraint.actionMatch(action) && constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, true));
+        }
+        else
+        {
+            // permissions not specified: not permitted if any principal matched
+            return !constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, false);
+        }
+    }
+}

Added: portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/java/org/apache/jetspeed/om/page/SecurityConstraintsRefParser.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/java/org/apache/jetspeed/om/page/SecurityConstraintsRefParser.java?rev=1466334&view=auto
==============================================================================
--- portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/java/org/apache/jetspeed/om/page/SecurityConstraintsRefParser.java (added)
+++ portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/java/org/apache/jetspeed/om/page/SecurityConstraintsRefParser.java Wed Apr 10 05:03:10 2013
@@ -0,0 +1,290 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jetspeed.om.page;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Stack;
+
+/**
+ * SecurityConstraintsRefParser
+ *
+ * @author <a href="mailto:rwatler@apache.org">Randy Watler</a>
+ * @version $Id$
+ */
+public class SecurityConstraintsRefParser
+{
+    public static final String OPEN_PAREN = "(";
+    public static final String CLOSE_PAREN = ")";
+    public static final String NOT_OPERATION = SecurityConstraintsRefToken.NOT_OPERATION;
+    public static final String AND_OPERATION = SecurityConstraintsRefToken.AND_OPERATION;
+    public static final String OR_OPERATION = SecurityConstraintsRefToken.OR_OPERATION;
+
+    /**
+     * Parse security constraints reference string. If the reference contains an infix logical
+     * expression, return a security constraints reference expression. Otherwise, return a
+     * list of security constraints from reference.
+     *
+     * @param constraintsRef constraints reference name or infix expression
+     * @param pageSecurity page security context
+     * @return security constraints reference expression or list of security constraints
+     * @throws RuntimeException if expression parsing error occurs
+     */
+    public static Object parse(String constraintsRef, PageSecurity pageSecurity)
+    {
+        // parse infix constraints ref expression into postfix tokens
+        List postfixTokens = parseConstraintsRef(constraintsRef);
+        if (postfixTokens.isEmpty())
+        {
+            return null;
+        }
+
+        // single reference expression check
+        if (postfixTokens.size() == 1) {
+            String postfixToken = (String)postfixTokens.get(0);
+            if (!postfixToken.equals(AND_OPERATION) && !postfixToken.equals(OR_OPERATION) && !postfixToken.equals(NOT_OPERATION))
+            {
+                // return definition security constraints
+                SecurityConstraintsDef securityConstraintsDef = pageSecurity.getSecurityConstraintsDef(postfixToken);
+                if ((securityConstraintsDef != null) && (securityConstraintsDef.getSecurityConstraints() != null))
+                {
+                    return new ArrayList(securityConstraintsDef.getSecurityConstraints());
+                }
+                return null;
+            }
+        }
+
+        // convert postfix expression tokens into constraints reference tokens
+        List constraintsRefTokens = new ArrayList();
+        Iterator postfixTokensIter = postfixTokens.iterator();
+        while (postfixTokensIter.hasNext()) {
+            String postfixToken = (String)postfixTokensIter.next();
+            if (postfixToken.equals(AND_OPERATION) || postfixToken.equals(OR_OPERATION) || postfixToken.equals(NOT_OPERATION))
+            {
+                // postfix operation
+                constraintsRefTokens.add(new SecurityConstraintsRefToken(postfixToken));
+            }
+            else
+            {
+                // postfix security constraints reference
+                SecurityConstraintsDef securityConstraintsDef = pageSecurity.getSecurityConstraintsDef(postfixToken);
+                if ((securityConstraintsDef != null) && (securityConstraintsDef.getSecurityConstraints() != null))
+                {
+                    // multiple security constraints within an expression are treated as an
+                    // implicit "or": insert these as a postfix "or" sub expression
+                    boolean multipleConstraintsOrExpression = false;
+                    Iterator securityConstraintIter = securityConstraintsDef.getSecurityConstraints().iterator();
+                    while (securityConstraintIter.hasNext())
+                    {
+                        // postfix security constraint
+                        SecurityConstraintImpl securityConstraint = (SecurityConstraintImpl)securityConstraintIter.next();
+                        constraintsRefTokens.add(new SecurityConstraintsRefToken(postfixToken, securityConstraint));
+                        if (multipleConstraintsOrExpression)
+                        {
+                            // multiple security constraints postfix "or" operation
+                            constraintsRefTokens.add(new SecurityConstraintsRefToken(OR_OPERATION));
+                        }
+                        else
+                        {
+                            multipleConstraintsOrExpression = true;
+                        }
+                    }
+                }
+                else
+                {
+                    throw new RuntimeException("Unable to find security constraints reference "+postfixToken+" in \""+constraintsRef+"\"");
+                }
+            }
+        }
+
+        // return security constraints reference expression
+        return new SecurityConstraintsRefExpression(constraintsRef, constraintsRefTokens);
+    }
+
+    /**
+     * Parse infix expression security constraints reference string into postfix
+     * expression token strings.
+     *
+     * @param constraintsRef constraints reference name or infix expression
+     * @return list of postfix expression token strings.
+     * @throws RuntimeException if expression parsing error occurs
+     */
+    static List parseConstraintsRef(String constraintsRef)
+    {
+        List postfixTokens = new ArrayList();
+        Stack infixToPostfixStack = new Stack();
+        int tokenIndex = -1;
+        boolean token = false;
+        int parseIndex = 0;
+        int parseLimit = constraintsRef.length();
+        while (parseIndex < parseLimit)
+        {
+            char parseChar = constraintsRef.charAt(parseIndex);
+            if (token && !(Character.isJavaIdentifierPart(parseChar) || (parseChar == '-') || (parseChar == '.')))
+            {
+                infixToPostfix(constraintsRef, constraintsRef.substring(tokenIndex, parseIndex), parseIndex, infixToPostfixStack, postfixTokens);
+                token = false;
+            }
+            if (!token)
+            {
+                if (Character.isJavaIdentifierStart(parseChar))
+                {
+                    tokenIndex = parseIndex;
+                    token = true;
+                }
+                else if ((parseChar == '(') || (parseChar == ')') || (parseChar == '!'))
+                {
+                    infixToPostfix(constraintsRef, constraintsRef.substring(parseIndex, parseIndex+1), parseIndex, infixToPostfixStack, postfixTokens);
+                }
+                else if (((parseChar == '&') || (parseChar == '|')) && (parseIndex+1 < parseLimit) && (constraintsRef.charAt(parseIndex+1) == parseChar))
+                {
+                    infixToPostfix(constraintsRef, constraintsRef.substring(parseIndex, parseIndex+2), parseIndex, infixToPostfixStack, postfixTokens);
+                    parseIndex++;
+                }
+                else if (!Character.isWhitespace(parseChar))
+                {
+                    throw new RuntimeException("Illegal character '"+parseChar+"' at position "+parseIndex+" in \""+constraintsRef+"\"");
+                }
+            }
+            parseIndex++;
+        }
+        if (token)
+        {
+            infixToPostfix(constraintsRef, constraintsRef.substring(tokenIndex), parseIndex, infixToPostfixStack, postfixTokens);
+        }
+        infixToPostfix(constraintsRef, null, parseIndex, infixToPostfixStack, postfixTokens);
+        return postfixTokens;
+    }
+
+    /**
+     * Logical operator precedence map.
+     */
+    private static final Map OPERATOR_PRECEDENCE = new HashMap();
+    static
+    {
+        OPERATOR_PRECEDENCE.put(NOT_OPERATION, new Integer(2));
+        OPERATOR_PRECEDENCE.put(AND_OPERATION, new Integer(1));
+        OPERATOR_PRECEDENCE.put(OR_OPERATION, new Integer(0));
+    }
+
+    /**
+     * Process infix expression tokens into a postfix expression token list.
+     *
+     * @param expression infix expression
+     * @param token infix expression token or null to indicate end of expression
+     * @param parseIndex index of token in expression for error messages
+     * @param stack infix to postfix operations stack
+     * @param postfixTokens postfix expression tokens
+     */
+    private static void infixToPostfix(String expression, String token, int parseIndex, Stack stack, List postfixTokens)
+    {
+        // null token: end expression infix to postfix operation conversion
+        if (token == null)
+        {
+            if (!stack.empty())
+            {
+                String peek = (String)stack.peek();
+                while (!peek.equals(OPEN_PAREN))
+                {
+                    postfixTokens.add(stack.pop());
+                    if (stack.empty())
+                    {
+                        break;
+                    }
+                    peek = (String)stack.peek();
+                }
+                if (peek.equals(OPEN_PAREN))
+                {
+                    throw new RuntimeException("Missing paren at position "+parseIndex+" in \""+expression+"\"");
+                }
+            }
+            return;
+        }
+        // open paren: begin sub expression
+        if (token.equals(OPEN_PAREN))
+        {
+            stack.push(token);
+            return;
+        }
+        // close paren: end sub expression infix to postfix operation conversion
+        if (token.equals(CLOSE_PAREN))
+        {
+            boolean matchedParen = false;
+            if (!stack.empty())
+            {
+                String peek = (String)stack.peek();
+                while (!peek.equals(OPEN_PAREN))
+                {
+                    postfixTokens.add(stack.pop());
+                    if (stack.empty())
+                    {
+                        break;
+                    }
+                    peek = (String)stack.peek();
+                }
+                if (peek.equals(OPEN_PAREN))
+                {
+                    stack.pop();
+                    matchedParen = true;
+                }
+            }
+            if (!matchedParen)
+            {
+                throw new RuntimeException("Mismatched paren at position "+parseIndex+" in \""+expression+"\"");
+            }
+            return;
+        }
+        // map operation tokens
+        if (token.equals("&&") || (token.equalsIgnoreCase(AND_OPERATION) && !token.equals(AND_OPERATION)))
+        {
+            token = AND_OPERATION;
+        }
+        else if (token.equals("||") || (token.equalsIgnoreCase(OR_OPERATION) && !token.equals(OR_OPERATION)))
+        {
+            token = OR_OPERATION;
+        }
+        else if (token.equals("!") || (token.equalsIgnoreCase(NOT_OPERATION) && !token.equals(NOT_OPERATION)))
+        {
+            token = NOT_OPERATION;
+        }
+        // push non-operation tokens
+        Integer operatorPrecedence = (Integer)OPERATOR_PRECEDENCE.get(token);
+        if (operatorPrecedence == null)
+        {
+            postfixTokens.add(token);
+            return;
+        }
+        // infix to postfix operation conversion
+        if (!stack.empty())
+        {
+            String peek = (String)stack.peek();
+            while (!peek.equals(OPEN_PAREN) && (((Integer)OPERATOR_PRECEDENCE.get(peek)).intValue() >= operatorPrecedence.intValue()))
+            {
+                postfixTokens.add(stack.pop());
+                if (stack.empty())
+                {
+                    break;
+                }
+                peek = (String)stack.peek();
+            }
+        }
+        stack.push(token);
+    }
+}

Added: portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/java/org/apache/jetspeed/om/page/SecurityConstraintsRefToken.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/java/org/apache/jetspeed/om/page/SecurityConstraintsRefToken.java?rev=1466334&view=auto
==============================================================================
--- portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/java/org/apache/jetspeed/om/page/SecurityConstraintsRefToken.java (added)
+++ portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/java/org/apache/jetspeed/om/page/SecurityConstraintsRefToken.java Wed Apr 10 05:03:10 2013
@@ -0,0 +1,60 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jetspeed.om.page;
+
+/**
+ * SecurityConstraintsRefToken
+ *
+ * @author <a href="mailto:rwatler@apache.org">Randy Watler</a>
+ * @version $Id$
+ */
+class SecurityConstraintsRefToken
+{
+    public static final String NOT_OPERATION = "not";
+    public static final String AND_OPERATION = "and";
+    public static final String OR_OPERATION = "or";
+
+    private String operation;
+    private String constraintsRef;
+    private SecurityConstraintImpl constraint;
+
+    SecurityConstraintsRefToken(String operation)
+    {
+        this.operation = operation;
+    }
+
+    SecurityConstraintsRefToken(String constraintsRef, SecurityConstraintImpl constraint)
+    {
+        this.constraintsRef = constraintsRef;
+        this.constraint = constraint;
+    }
+
+    public String getOperation()
+    {
+        return operation;
+    }
+
+    public String getConstraintsRef()
+    {
+        return constraintsRef;
+    }
+
+    public SecurityConstraintImpl getConstraint()
+    {
+        return constraint;
+    }
+}

Modified: portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/java/org/apache/jetspeed/om/page/impl/SecurityConstraintsImpl.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/java/org/apache/jetspeed/om/page/impl/SecurityConstraintsImpl.java?rev=1466334&r1=1466333&r2=1466334&view=diff
==============================================================================
--- portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/java/org/apache/jetspeed/om/page/impl/SecurityConstraintsImpl.java (original)
+++ portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/java/org/apache/jetspeed/om/page/impl/SecurityConstraintsImpl.java Wed Apr 10 05:03:10 2013
@@ -16,15 +16,19 @@
  */
 package org.apache.jetspeed.om.page.impl;
 
-import java.util.Iterator;
-import java.util.List;
-
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.apache.jetspeed.om.common.SecurityConstraints;
 import org.apache.jetspeed.om.page.PageSecurity;
 import org.apache.jetspeed.om.page.SecurityConstraintImpl;
-import org.apache.jetspeed.om.page.SecurityConstraintsDef;
+import org.apache.jetspeed.om.page.SecurityConstraintsRefExpression;
+import org.apache.jetspeed.om.page.SecurityConstraintsRefParser;
 import org.apache.jetspeed.page.impl.DatabasePageManagerUtils;
 
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.List;
+
 /**
  * SecurityConstraintsImpl
  *
@@ -33,6 +37,8 @@ import org.apache.jetspeed.page.impl.Dat
  */
 public class SecurityConstraintsImpl implements SecurityConstraints
 {
+    private final static Log log = LogFactory.getLog(SecurityConstraintsImpl.class);
+
     private String owner;
     private List constraints;
     private List constraintsRefs;
@@ -120,72 +126,100 @@ public class SecurityConstraintsImpl imp
             return;
         }
 
-        // skip missing or empty constraints: permit all access
-        List checkConstraints = getAllSecurityConstraints(pageSecurity);
-        if ((checkConstraints != null) && !checkConstraints.isEmpty())
-        {
-            // test each action, constraints check passes only
-            // if all actions are permitted for principals
-            Iterator actionsIter = actions.iterator();
-            while (actionsIter.hasNext())
+        try
+        {
+            // skip missing or empty constraints: permit all access
+            List checkConstraints = getAllSecurityConstraints(pageSecurity);
+            if ((checkConstraints != null) && !checkConstraints.isEmpty())
             {
-                // check each action:
-                // - if any actions explicity permitted, (including owner),
-                //   assume no permissions are permitted by default
-                // - if all constraints do not specify a permission, assume
-                //   access is permitted by default
-                String action = (String)actionsIter.next();
-                boolean actionPermitted = false;
-                boolean actionNotPermitted = false;
-                boolean anyActionsPermitted = (getOwner() != null);
-                
-                // check against constraints
-                Iterator checkConstraintsIter = checkConstraints.iterator();
-                while (checkConstraintsIter.hasNext())
+                // test each action, constraints check passes only
+                // if all actions are permitted for principals
+                Iterator actionsIter = actions.iterator();
+                while (actionsIter.hasNext())
                 {
-                    SecurityConstraintImpl constraint = (SecurityConstraintImpl)checkConstraintsIter.next();
-                    
-                    // if permissions specified, attempt to match constraint
-                    if (constraint.getPermissions() != null)
+                    // check each action:
+                    // - if any actions explicitly permitted, (including owner),
+                    //   assume no permissions are permitted by default
+                    // - if all constraints do not specify a permission or an
+                    //   expression, assume access is permitted by default
+                    String action = (String)actionsIter.next();
+                    boolean actionPermitted = false;
+                    boolean actionNotPermitted = false;
+                    boolean anyActionsPermitted = (getOwner() != null);
+
+                    // check against constraints and constraint ref expressions
+                    Iterator checkConstraintsIter = checkConstraints.iterator();
+                    while (checkConstraintsIter.hasNext())
                     {
-                        // explicit actions permitted
-                        anyActionsPermitted = true;
+                        Object constraintOrExpression = checkConstraintsIter.next();
+                        if (constraintOrExpression instanceof SecurityConstraintImpl)
+                        {
+                            // check constraint
+                            SecurityConstraintImpl constraint = (SecurityConstraintImpl)constraintOrExpression;
 
-                        // test action permission match and user/role/group principal match
-                        if (constraint.actionMatch(action) &&
-                            constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, true))
+                            // if permissions specified, attempt to match constraint
+                            if (constraint.getPermissions() != null)
+                            {
+                                // explicit actions permitted
+                                anyActionsPermitted = true;
+
+                                // test action permission match and user/role/group principal match
+                                if (constraint.actionMatch(action) &&
+                                    constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, true))
+                                {
+                                    actionPermitted = true;
+                                    break;
+                                }
+                            }
+                            else
+                            {
+                                // permissions not specified: not permitted if any principal matched
+                                if (constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, false))
+                                {
+                                    actionNotPermitted = true;
+                                    break;
+                                }
+                            }
+                        }
+                        else if (constraintOrExpression instanceof SecurityConstraintsRefExpression)
                         {
-                            actionPermitted = true;
-                            break;
+                            // check expression
+                            SecurityConstraintsRefExpression expression = (SecurityConstraintsRefExpression)constraintOrExpression;
+
+                            // assume actions are permitted in expression
+                            anyActionsPermitted = true;
+
+                            // check expression with action permission and user/role/group principals
+                            if (expression.checkExpression(action, userPrincipals, rolePrincipals, groupPrincipals))
+                            {
+                                actionPermitted = true;
+                                break;
+                            }
                         }
                     }
-                    else
+                
+                    // fail if any action not permitted
+                    if ((!actionPermitted && anyActionsPermitted) || actionNotPermitted)
                     {
-                        // permissions not specified: not permitted if any principal matched
-                        if (constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, false))
-                        {
-                            actionNotPermitted = true;
-                            break;
-                        }
+                        throw new SecurityException("SecurityConstraintsImpl.checkConstraints(): Access for " + action + " not permitted.");
                     }
                 }
-                
-                // fail if any action not permitted
-                if ((!actionPermitted && anyActionsPermitted) || actionNotPermitted)
+            }
+            else
+            {
+                // fail for any action if owner specified
+                // since no other constraints were found
+                if ((getOwner() != null) && !actions.isEmpty())
                 {
-                    throw new SecurityException("SecurityConstraintsImpl.checkConstraints(): Access for " + action + " not permitted.");
+                    String action = (String)actions.get(0);
+                    throw new SecurityException("SecurityConstraintsImpl.checkConstraints(): Access for " + action + " not permitted, (not owner).");
                 }
             }
         }
-        else
+        catch (Exception e)
         {
-            // fail for any action if owner specified
-            // since no other constraints were found
-            if ((getOwner() != null) && !actions.isEmpty())
-            {
-                String action = (String)actions.get(0);
-                throw new SecurityException("SecurityConstraintsImpl.checkConstraints(): Access for " + action + " not permitted, (not owner).");
-            }
+            log.error("Security constraints check exception: "+e);
+            throw new SecurityException("SecurityConstraintsImpl.checkConstraints(): Exception detected: "+e);
         }
     }
 
@@ -202,7 +236,8 @@ public class SecurityConstraintsImpl imp
      * getAllSecurityConstraints
      *
      * @param pageSecurity page security definitions
-     * @return all security constraints
+     * @return all security constraints and constraints ref expressions
+     * @throws RuntimeException if expression parsing error occurs
      */
     private synchronized List getAllSecurityConstraints(PageSecurity pageSecurity)
     {
@@ -213,12 +248,12 @@ public class SecurityConstraintsImpl imp
         }
 
         // construct new ordered security constraints list
-        allConstraints = DatabasePageManagerUtils.createList();
+        List newAllConstraints = new ArrayList();
 
         // add any defined security constraints
         if ((getSecurityConstraints() != null) && !getSecurityConstraints().isEmpty())
         {
-            allConstraints.addAll(securityConstraints);
+            newAllConstraints.addAll(securityConstraints);
         }
 
         // add any security constraints references
@@ -227,11 +262,11 @@ public class SecurityConstraintsImpl imp
             List referencedConstraints = dereferenceSecurityConstraintsRefs(getSecurityConstraintsRefs(), pageSecurity);
             if (referencedConstraints != null)
             {
-                allConstraints.addAll(referencedConstraints);
+                newAllConstraints.addAll(referencedConstraints);
             }
         }
         
-        // add any global decurity constraints references
+        // add any global security constraints references
         if (pageSecurity != null)
         {
             List globalConstraintsRefs = pageSecurity.getGlobalSecurityConstraintsRefs();
@@ -240,12 +275,12 @@ public class SecurityConstraintsImpl imp
                 List referencedConstraints = dereferenceSecurityConstraintsRefs(globalConstraintsRefs, pageSecurity);
                 if (referencedConstraints != null)
                 {
-                    allConstraints.addAll(referencedConstraints);
+                    newAllConstraints.addAll(referencedConstraints);
                 }
             }
         }
-        
-        return allConstraints;
+
+        return allConstraints = newAllConstraints;
     }
 
     /**
@@ -260,9 +295,10 @@ public class SecurityConstraintsImpl imp
     /**
      * dereferenceSecurityConstraintsRefs
      *
-     * @param constraintsRefs contstraints references to be dereferenced
+     * @param constraintsRefs constraints references to be dereferenced
      * @param pageSecurity page security definitions
-     * @return security constraints
+     * @return security constraints and constraints ref expressions
+     * @throws RuntimeException if expression parsing error occurs
      */
     private List dereferenceSecurityConstraintsRefs(List constraintsRefs, PageSecurity pageSecurity)
     {
@@ -274,17 +310,34 @@ public class SecurityConstraintsImpl imp
             while (constraintsRefsIter.hasNext())
             {
                 String constraintsRef = (String)constraintsRefsIter.next();
-                SecurityConstraintsDef securityConstraintsDef = pageSecurity.getSecurityConstraintsDef(constraintsRef);
-                if ((securityConstraintsDef != null) && (securityConstraintsDef.getSecurityConstraints() != null))
+                // parse constraints ref and return constraints/constraints ref expressions
+                Object constraintsOrExpression = SecurityConstraintsRefParser.parse(constraintsRef, pageSecurity);
+                if (constraintsOrExpression instanceof List)
                 {
                     if (constraints == null)
                     {
-                        constraints = DatabasePageManagerUtils.createList();
+                        constraints = new ArrayList();
                     }
-                    constraints.addAll(securityConstraintsDef.getSecurityConstraints());
+                    constraints.addAll((List)constraintsOrExpression);
+                }
+                else if (constraintsOrExpression instanceof SecurityConstraintsRefExpression)
+                {
+                    if (constraints == null)
+                    {
+                        constraints = new ArrayList();
+                    }
+                    constraints.add(constraintsOrExpression);
+                }
+                else if (constraintsOrExpression != null)
+                {
+                    throw new RuntimeException("Unexpected security constraints ref parser result");
                 }
             }
         }
+        else
+        {
+            throw new RuntimeException("Page security definitions not available");
+        }
         return constraints;
     }
 

Modified: portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/java/org/apache/jetspeed/om/page/psml/SecurityConstraintsImpl.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/java/org/apache/jetspeed/om/page/psml/SecurityConstraintsImpl.java?rev=1466334&r1=1466333&r2=1466334&view=diff
==============================================================================
--- portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/java/org/apache/jetspeed/om/page/psml/SecurityConstraintsImpl.java (original)
+++ portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/java/org/apache/jetspeed/om/page/psml/SecurityConstraintsImpl.java Wed Apr 10 05:03:10 2013
@@ -16,17 +16,18 @@
  */
 package org.apache.jetspeed.om.page.psml;
 
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.Iterator;
-import java.util.List;
-
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.jetspeed.om.common.SecurityConstraints;
 import org.apache.jetspeed.om.page.PageSecurity;
 import org.apache.jetspeed.om.page.SecurityConstraintImpl;
-import org.apache.jetspeed.om.page.SecurityConstraintsDef;
+import org.apache.jetspeed.om.page.SecurityConstraintsRefExpression;
+import org.apache.jetspeed.om.page.SecurityConstraintsRefParser;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Iterator;
+import java.util.List;
 
 /**
  * <p>
@@ -171,63 +172,101 @@ public class SecurityConstraintsImpl imp
             return;
         }
 
-        // skip missing or empty constraints: permit all access
-        List checkConstraints = getAllSecurityConstraints(pageSecurity);
-        if ((checkConstraints != null) && !checkConstraints.isEmpty())
+        try
         {
-            // test each action, constraints check passes only
-            // if all actions are permitted for principals
-            Iterator actionsIter = actions.iterator();
-            while (actionsIter.hasNext())
+            // skip missing or empty constraints: permit all access
+            List checkConstraints = getAllSecurityConstraints(pageSecurity);
+            if ((checkConstraints != null) && !checkConstraints.isEmpty())
             {
-                // check each action:
-                // - if any actions explicity permitted, assume no permissions
-                //   are permitted by default
-                // - if all constraints do not specify a permission, assume
-                //   access is permitted by default
-                String action = (String)actionsIter.next();
-                boolean actionPermitted = false;
-                boolean actionNotPermitted = false;
-                boolean anyActionsPermitted = false;
-                
-                // check against constraints
-                Iterator checkConstraintsIter = checkConstraints.iterator();
-                while (checkConstraintsIter.hasNext())
+                // test each action, constraints check passes only
+                // if all actions are permitted for principals
+                Iterator actionsIter = actions.iterator();
+                while (actionsIter.hasNext())
                 {
-                    SecurityConstraintImpl constraint = (SecurityConstraintImpl)checkConstraintsIter.next();
-                    
-                    // if permissions specified, attempt to match constraint
-                    if (constraint.getPermissions() != null)
+                    // check each action:
+                    // - if any actions explicitly permitted, (including owner),
+                    //   assume no permissions are permitted by default
+                    // - if all constraints do not specify a permission or an
+                    //   expression, assume access is permitted by default
+                    String action = (String)actionsIter.next();
+                    boolean actionPermitted = false;
+                    boolean actionNotPermitted = false;
+                    boolean anyActionsPermitted = (getOwner() != null);
+
+                    // check against constraints and constraint ref expressions
+                    Iterator checkConstraintsIter = checkConstraints.iterator();
+                    while (checkConstraintsIter.hasNext())
                     {
-                        // explicit actions permitted
-                        anyActionsPermitted = true;
+                        Object constraintOrExpression = checkConstraintsIter.next();
+                        if (constraintOrExpression instanceof SecurityConstraintImpl)
+                        {
+                            // check constraint
+                            SecurityConstraintImpl constraint = (SecurityConstraintImpl)constraintOrExpression;
 
-                        // test action permission match and user/role/group principal match
-                        if (constraint.actionMatch(action) &&
-                            constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, true))
+                            // if permissions specified, attempt to match constraint
+                            if (constraint.getPermissions() != null)
+                            {
+                                // explicit actions permitted
+                                anyActionsPermitted = true;
+
+                                // test action permission match and user/role/group principal match
+                                if (constraint.actionMatch(action) &&
+                                    constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, true))
+                                {
+                                    actionPermitted = true;
+                                    break;
+                                }
+                            }
+                            else
+                            {
+                                // permissions not specified: not permitted if any principal matched
+                                if (constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, false))
+                                {
+                                    actionNotPermitted = true;
+                                    break;
+                                }
+                            }
+                        }
+                        else if (constraintOrExpression instanceof SecurityConstraintsRefExpression)
                         {
-                            actionPermitted = true;
-                            break;
+                            // check expression
+                            SecurityConstraintsRefExpression expression = (SecurityConstraintsRefExpression)constraintOrExpression;
+
+                            // assume actions are permitted in expression
+                            anyActionsPermitted = true;
+
+                            // check expression with action permission and user/role/group principals
+                            if (expression.checkExpression(action, userPrincipals, rolePrincipals, groupPrincipals))
+                            {
+                                actionPermitted = true;
+                                break;
+                            }
                         }
                     }
-                    else
+
+                    // fail if any action not permitted
+                    if ((!actionPermitted && anyActionsPermitted) || actionNotPermitted)
                     {
-                        // permissions not specified: not permitted if any principal matched
-                        if (constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, false))
-                        {
-                            actionNotPermitted = true;
-                            break;
-                        }
+                        throw new SecurityException("SecurityConstraintsImpl.checkConstraints(): Access for " + action + " not permitted.");
                     }
                 }
-                
-                // fail if any action not permitted
-                if ((!actionPermitted && anyActionsPermitted) || actionNotPermitted)
+            }
+            else
+            {
+                // fail for any action if owner specified
+                // since no other constraints were found
+                if ((getOwner() != null) && !actions.isEmpty())
                 {
-                    throw new SecurityException("SecurityConstraintsImpl.checkConstraints(): Access for " + action + " not permitted.");
+                    String action = (String)actions.get(0);
+                    throw new SecurityException("SecurityConstraintsImpl.checkConstraints(): Access for " + action + " not permitted, (not owner).");
                 }
             }
         }
+        catch (Exception e)
+        {
+            log.error("Security constraints check exception: "+e);
+            throw new SecurityException("SecurityConstraintsImpl.checkConstraints(): Exception detected: "+e);
+        }
     }
 
     /**
@@ -236,7 +275,8 @@ public class SecurityConstraintsImpl imp
      * </p>
      *
      * @param pageSecurity
-     * @return all security constraints
+     * @return all security constraints and constraints ref expressions
+     * @throws RuntimeException if expression parsing error occurs
      */
     private synchronized List getAllSecurityConstraints(PageSecurity pageSecurity)
     {
@@ -248,12 +288,12 @@ public class SecurityConstraintsImpl imp
         }
 
         // construct new ordered security constraints list
-        allConstraints = Collections.synchronizedList(new ArrayList(8));
+        List newAllConstraints = new ArrayList();
 
         // add any defined security constraints
         if (constraints != null)
         {
-            allConstraints.addAll(constraints);
+            newAllConstraints.addAll(constraints);
         }
 
         // add any security constraints references
@@ -262,7 +302,7 @@ public class SecurityConstraintsImpl imp
             List referencedConstraints = dereferenceSecurityConstraintsRefs(constraintsRefs, pageSecurity);
             if (referencedConstraints != null)
             {
-                allConstraints.addAll(referencedConstraints);
+                newAllConstraints.addAll(referencedConstraints);
             }
         }
 
@@ -275,12 +315,12 @@ public class SecurityConstraintsImpl imp
                 List referencedConstraints = dereferenceSecurityConstraintsRefs(globalConstraintsRefs, pageSecurity);
                 if (referencedConstraints != null)
                 {
-                    allConstraints.addAll(referencedConstraints);
+                    newAllConstraints.addAll(referencedConstraints);
                 }
             }
         }   
 
-        return allConstraints;
+        return allConstraints = newAllConstraints;
     }
 
     /**
@@ -288,14 +328,15 @@ public class SecurityConstraintsImpl imp
      * dereferenceSecurityConstraintsRefs
      * </p>
      *
-     * @param constraintsRefs
-     * @param pageSecurity
-     * @return security constraints
+     * @param constraintsRefs constraints references to be dereferenced
+     * @param pageSecurity page security definitions
+     * @return security constraints and constraints ref expressions
+     * @throws RuntimeException if expression parsing error occurs
      */
     private List dereferenceSecurityConstraintsRefs(List constraintsRefs, PageSecurity pageSecurity)
     {
         // access security document to dereference security
-        // constriants definitions
+        // constraints definitions
         List constraints = null;
         if (pageSecurity != null)
         {   
@@ -304,26 +345,34 @@ public class SecurityConstraintsImpl imp
             while (constraintsRefsIter.hasNext())
             {
                 String constraintsRef = (String)constraintsRefsIter.next();
-                SecurityConstraintsDef securityConstraintsDef = pageSecurity.getSecurityConstraintsDef(constraintsRef);
-                if ((securityConstraintsDef != null) && (securityConstraintsDef.getSecurityConstraints() != null))
+                // parse constraints ref and return constraints/constraints ref expressions
+                Object constraintsOrExpression = SecurityConstraintsRefParser.parse(constraintsRef, pageSecurity);
+                if (constraintsOrExpression instanceof List)
+                {
+                    if (constraints == null)
+                    {
+                        constraints = new ArrayList();
+                    }
+                    constraints.addAll((List)constraintsOrExpression);
+                }
+                else if (constraintsOrExpression instanceof SecurityConstraintsRefExpression)
                 {
                     if (constraints == null)
                     {
-                        constraints = Collections.synchronizedList(new ArrayList(constraintsRefs.size()));
+                        constraints = new ArrayList();
                     }
-                    constraints.addAll(securityConstraintsDef.getSecurityConstraints());
+                    constraints.add(constraintsOrExpression);
                 }
-                else
+                else if (constraintsOrExpression != null)
                 {
-                    log.error("dereferenceSecurityConstraintsRefs(): Unable to dereference \"" + constraintsRef + "\" security constraints definition.");
+                    throw new RuntimeException("Unexpected security constraints ref parser result");
                 }
             }
         }
         else
         {
-            log.error("dereferenceSecurityConstraintsRefs(): Missing page security, unable to dereference security constraints definitions.");
+            throw new RuntimeException("Page security definitions not available");
         }
-        
         return constraints;
     }
 }

Modified: portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/test/org/apache/jetspeed/page/PageManagerTestShared.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/test/org/apache/jetspeed/page/PageManagerTestShared.java?rev=1466334&r1=1466333&r2=1466334&view=diff
==============================================================================
--- portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/test/org/apache/jetspeed/page/PageManagerTestShared.java (original)
+++ portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/test/org/apache/jetspeed/page/PageManagerTestShared.java Wed Apr 10 05:03:10 2013
@@ -16,29 +16,7 @@
  */
 package org.apache.jetspeed.page;
 
-import java.io.File;
-import java.io.FileFilter;
-import java.security.CodeSource;
-import java.security.Permission;
-import java.security.PermissionCollection;
-import java.security.Permissions;
-import java.security.Policy;
-import java.security.Principal;
-import java.security.PrivilegedAction;
-import java.security.ProtectionDomain;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.StringTokenizer;
-
-import javax.security.auth.Subject;
-
 import junit.framework.TestCase;
-
 import org.apache.jetspeed.cache.file.FileCache;
 import org.apache.jetspeed.idgenerator.IdGenerator;
 import org.apache.jetspeed.idgenerator.JetspeedIdGenerator;
@@ -68,10 +46,32 @@ import org.apache.jetspeed.security.JSSu
 import org.apache.jetspeed.security.PagePermission;
 import org.apache.jetspeed.security.RolePrincipal;
 import org.apache.jetspeed.security.UserPrincipal;
+import org.apache.jetspeed.security.impl.GroupPrincipalImpl;
 import org.apache.jetspeed.security.impl.PrincipalsSet;
 import org.apache.jetspeed.security.impl.RolePrincipalImpl;
 import org.apache.jetspeed.security.impl.UserPrincipalImpl;
 
+import javax.security.auth.Subject;
+import java.io.File;
+import java.io.FileFilter;
+import java.security.CodeSource;
+import java.security.Permission;
+import java.security.PermissionCollection;
+import java.security.Permissions;
+import java.security.Policy;
+import java.security.Principal;
+import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.StringTokenizer;
+
 /**
  * PageManagerTestShared
  * 
@@ -79,9 +79,9 @@ import org.apache.jetspeed.security.impl
  * @version $Id: $
  *          
  */
-interface PageManagerTestShared
+public interface PageManagerTestShared
 {
-    class Shared
+    public class Shared
     {
         /**
          * makeCastorXMLPageManager
@@ -140,7 +140,7 @@ interface PageManagerTestShared
 
             return new CastorXmlPageManager(idGen, handlerFactory, folderHandler, cache, permissionsEnabled, constraintsEnabled);
         }
-
+        
         /**
          * makeListFromCSV
          *
@@ -201,8 +201,8 @@ interface PageManagerTestShared
         /**
          * testSecurePageManager
          *
-         * @param test case
-         * @param page manager
+         * @param test test case
+         * @param pageManager page manager
          */
         static void testSecurePageManager(final TestCase test, final PageManager pageManager) throws Exception
         {
@@ -552,6 +552,9 @@ interface PageManagerTestShared
                             TestCase.assertNotNull(page0.getRootFragment());
                             TestCase.assertNotNull(page0.getRootFragment().getFragments());
                             TestCase.assertEquals(1, page0.getRootFragment().getFragments().size());
+                            TestCase.assertNotNull(page0.getRootFragment());
+                            TestCase.assertNotNull(page0.getRootFragment().getFragments());
+                            TestCase.assertEquals(1, page0.getRootFragment().getFragments().size());
                             TestCase.assertNull(page0.getFragmentById(somePortletId[0]));
                             TestCase.assertTrue(page0.getFragmentsByName("some-app::SomePortlet").isEmpty());
                             Link link = pageManager.getLink("/default.link");
@@ -644,6 +647,428 @@ interface PageManagerTestShared
                 throw cleanup;
             }
         }
+
+        /**
+         * testSecurityConstraintsRefExpressions
+         *
+         * @param test test case
+         * @param pageManager page manager
+         */
+        static void testSecurityConstraintsRefExpressions(final TestCase test, final PageManager pageManager) throws Exception
+        {
+            // reset page manager cache
+            pageManager.reset();
+
+            // setup test subjects
+            Principal userPrincipal = new UserPrincipalImpl("admin");
+            Set principals = new PrincipalsSet();
+            principals.add(userPrincipal);
+            Subject adminSubject = new Subject(true, principals, new HashSet(), new HashSet());
+
+            userPrincipal = new UserPrincipalImpl("user-with-admin");
+            Principal rolePrincipal = new RolePrincipalImpl("admin");
+            principals = new PrincipalsSet();
+            principals.add(userPrincipal);
+            principals.add(rolePrincipal);
+            Subject userWithAdminSubject = new Subject(true, principals, new HashSet(), new HashSet());
+
+            userPrincipal = new UserPrincipalImpl("user");
+            principals = new PrincipalsSet();
+            principals.add(userPrincipal);
+            Subject userSubject = new Subject(true, principals, new HashSet(), new HashSet());
+
+            userPrincipal = new UserPrincipalImpl("test-group-user");
+            Principal groupPrincipal = new GroupPrincipalImpl("test-group");
+            principals = new PrincipalsSet();
+            principals.add(userPrincipal);
+            principals.add(groupPrincipal);
+            Subject testGroupUserSubject = new Subject(true, principals, new HashSet(), new HashSet());
+
+            userPrincipal = new UserPrincipalImpl("test-role-user");
+            rolePrincipal = new RolePrincipalImpl("test-role");
+            principals = new PrincipalsSet();
+            principals.add(userPrincipal);
+            principals.add(rolePrincipal);
+            Subject testRoleUserSubject = new Subject(true, principals, new HashSet(), new HashSet());
+
+            userPrincipal = new UserPrincipalImpl("test-group-role-user");
+            groupPrincipal = new GroupPrincipalImpl("test-group");
+            rolePrincipal = new RolePrincipalImpl("test-role");
+            principals = new PrincipalsSet();
+            principals.add(userPrincipal);
+            principals.add(groupPrincipal);
+            principals.add(rolePrincipal);
+            Subject testGroupRoleUserSubject = new Subject(true, principals, new HashSet(), new HashSet());
+
+            // setup test as admin
+            Exception setup = (Exception) JSSubject.doAsPrivileged(adminSubject, new PrivilegedAction()
+            {
+                public Object run()
+                {
+                    try
+                    {
+                        // reset page manager to initial state
+                        try
+                        {
+                            Folder removeRootFolder = pageManager.getFolder("/");
+                            pageManager.removeFolder(removeRootFolder);
+                            pageManager.reset();
+                        }
+                        catch (FolderNotFoundException e)
+                        {
+                        }
+
+                        // create test documents and folders
+                        Folder folder = pageManager.newFolder("/");
+                        SecurityConstraints constraints = pageManager.newSecurityConstraints();
+                        constraints.setOwner("admin");
+                        List constraintsRefs = new ArrayList(1);
+                        constraintsRefs.add("public-view");
+                        constraints.setSecurityConstraintsRefs(constraintsRefs);
+                        folder.setSecurityConstraints(constraints);
+                        pageManager.updateFolder(folder);
+
+                        PageSecurity pageSecurity = pageManager.newPageSecurity();
+                        List constraintsDefs = new ArrayList(5);
+                        SecurityConstraintsDef constraintsDef = pageManager.newSecurityConstraintsDef();
+                        constraintsDef.setName("public-view");
+                        List defConstraints = new ArrayList(1);
+                        SecurityConstraint defConstraint = pageManager.newPageSecuritySecurityConstraint();
+                        defConstraint.setUsers(Shared.makeListFromCSV("*"));
+                        defConstraint.setPermissions(Shared.makeListFromCSV("view"));
+                        defConstraints.add(defConstraint);
+                        constraintsDef.setSecurityConstraints(defConstraints);
+                        constraintsDefs.add(constraintsDef);
+                        constraintsDef = pageManager.newSecurityConstraintsDef();
+                        constraintsDef.setName("test-group");
+                        defConstraints = new ArrayList(1);
+                        defConstraint = pageManager.newPageSecuritySecurityConstraint();
+                        defConstraint.setGroups(Shared.makeListFromCSV("test-group"));
+                        defConstraint.setPermissions(Shared.makeListFromCSV("view"));
+                        defConstraints.add(defConstraint);
+                        constraintsDef.setSecurityConstraints(defConstraints);
+                        constraintsDefs.add(constraintsDef);
+                        constraintsDef = pageManager.newSecurityConstraintsDef();
+                        constraintsDef.setName("test-role");
+                        defConstraints = new ArrayList(1);
+                        defConstraint = pageManager.newPageSecuritySecurityConstraint();
+                        defConstraint.setRoles(Shared.makeListFromCSV("test-role"));
+                        defConstraint.setPermissions(Shared.makeListFromCSV("view"));
+                        defConstraints.add(defConstraint);
+                        constraintsDef.setSecurityConstraints(defConstraints);
+                        constraintsDefs.add(constraintsDef);
+                        constraintsDef = pageManager.newSecurityConstraintsDef();
+                        constraintsDef.setName("admin-role");
+                        defConstraints = new ArrayList(1);
+                        defConstraint = pageManager.newPageSecuritySecurityConstraint();
+                        defConstraint.setRoles(Shared.makeListFromCSV("admin"));
+                        defConstraint.setPermissions(Shared.makeListFromCSV("view,edit"));
+                        defConstraints.add(defConstraint);
+                        constraintsDef.setSecurityConstraints(defConstraints);
+                        constraintsDefs.add(constraintsDef);
+                        constraintsDef = pageManager.newSecurityConstraintsDef();
+                        constraintsDef.setName("admin-user");
+                        defConstraints = new ArrayList(1);
+                        defConstraint = pageManager.newPageSecuritySecurityConstraint();
+                        defConstraint.setUsers(Shared.makeListFromCSV("admin"));
+                        defConstraint.setPermissions(Shared.makeListFromCSV("view,edit"));
+                        defConstraints.add(defConstraint);
+                        constraintsDef.setSecurityConstraints(defConstraints);
+                        constraintsDefs.add(constraintsDef);
+                        pageSecurity.setSecurityConstraintsDefs(constraintsDefs);
+                        List globalConstraintsRefs = new ArrayList(1);
+                        globalConstraintsRefs.add("admin-role or admin-user");
+                        pageSecurity.setGlobalSecurityConstraintsRefs(globalConstraintsRefs);
+                        pageManager.updatePageSecurity(pageSecurity);
+
+                        Page page = pageManager.newPage("/default-page.psml");
+                        constraints = pageManager.newSecurityConstraints();
+                        constraints.setOwner("admin");
+                        constraintsRefs = new ArrayList(1);
+                        constraintsRefs.add("public-view");
+                        constraints.setSecurityConstraintsRefs(constraintsRefs);
+                        page.setSecurityConstraints(constraints);
+                        pageManager.updatePage(page);
+
+                        page = pageManager.newPage("/or-page.psml");
+                        constraints = pageManager.newSecurityConstraints();
+                        constraints.setOwner("admin");
+                        List inlineConstraints = new ArrayList(1);
+                        SecurityConstraint constraint = pageManager.newPageSecurityConstraint();
+                        constraint.setUsers(Shared.makeListFromCSV("user"));
+                        constraint.setPermissions(Shared.makeListFromCSV("view"));
+                        inlineConstraints.add(constraint);
+                        constraints.setSecurityConstraints(inlineConstraints);
+                        constraintsRefs = new ArrayList(1);
+                        constraintsRefs.add("test-group || test-role");
+                        constraints.setSecurityConstraintsRefs(constraintsRefs);
+                        page.setSecurityConstraints(constraints);
+                        pageManager.updatePage(page);
+
+                        page = pageManager.newPage("/and-page.psml");
+                        constraints = pageManager.newSecurityConstraints();
+                        constraints.setOwner("admin");
+                        constraintsRefs = new ArrayList(1);
+                        constraintsRefs.add("test-group and test-role");
+                        constraints.setSecurityConstraintsRefs(constraintsRefs);
+                        page.setSecurityConstraints(constraints);
+                        pageManager.updatePage(page);
+
+                        page = pageManager.newPage("/not-page.psml");
+                        constraints = pageManager.newSecurityConstraints();
+                        constraints.setOwner("admin");
+                        constraintsRefs = new ArrayList(1);
+                        constraintsRefs.add("not test-role");
+                        constraints.setSecurityConstraintsRefs(constraintsRefs);
+                        page.setSecurityConstraints(constraints);
+                        pageManager.updatePage(page);
+
+                        page = pageManager.newPage("/and-not-page.psml");
+                        constraints = pageManager.newSecurityConstraints();
+                        constraints.setOwner("admin");
+                        constraintsRefs = new ArrayList(1);
+                        constraintsRefs.add("public-view and not test-group");
+                        constraints.setSecurityConstraintsRefs(constraintsRefs);
+                        page.setSecurityConstraints(constraints);
+                        pageManager.updatePage(page);
+
+                        page = pageManager.newPage("/paren-page.psml");
+                        constraints = pageManager.newSecurityConstraints();
+                        constraints.setOwner("admin");
+                        constraintsRefs = new ArrayList(1);
+                        constraintsRefs.add("((test-group||test-role)&&!admin-role)");
+                        constraints.setSecurityConstraintsRefs(constraintsRefs);
+                        page.setSecurityConstraints(constraints);
+                        pageManager.updatePage(page);
+
+                        return null;
+                    }
+                    catch (Exception e)
+                    {
+                        return e;
+                    }
+                }
+            }, null);
+            if (setup != null)
+            {
+                throw setup;
+            }
+
+            // reset page manager
+            pageManager.reset();
+
+            // test as admin
+            Exception adminAccess = (Exception) JSSubject.doAsPrivileged(adminSubject, new PrivilegedAction()
+            {
+                public Object run()
+                {
+                    try
+                    {
+                        assertPageAccessGranted(pageManager, "/default-page.psml");
+                        assertPageAccessGranted(pageManager, "/or-page.psml");
+                        assertPageAccessGranted(pageManager, "/and-page.psml");
+                        assertPageAccessGranted(pageManager, "/not-page.psml");
+                        assertPageAccessGranted(pageManager, "/and-not-page.psml");
+                        assertPageAccessGranted(pageManager, "/paren-page.psml");
+                        return null;
+                    }
+                    catch (Exception e)
+                    {
+                        return e;
+                    }
+                }
+            }, null);
+            if (adminAccess != null)
+            {
+                throw adminAccess;
+            }
+
+            // test as user with admin
+            Exception userWithAdminAccess = (Exception) JSSubject.doAsPrivileged(userWithAdminSubject, new PrivilegedAction()
+            {
+                public Object run()
+                {
+                    try
+                    {
+                        assertPageAccessGranted(pageManager, "/default-page.psml");
+                        assertPageAccessGranted(pageManager, "/or-page.psml");
+                        assertPageAccessGranted(pageManager, "/and-page.psml");
+                        assertPageAccessGranted(pageManager, "/not-page.psml");
+                        assertPageAccessGranted(pageManager, "/and-not-page.psml");
+                        assertPageAccessGranted(pageManager, "/paren-page.psml");
+                        return null;
+                    }
+                    catch (Exception e)
+                    {
+                        return e;
+                    }
+                }
+            }, null);
+            if (userWithAdminAccess != null)
+            {
+                throw userWithAdminAccess;
+            }
+
+            // test as user
+            Exception userAccess = (Exception) JSSubject.doAsPrivileged(userSubject, new PrivilegedAction()
+            {
+                public Object run()
+                {
+                    try
+                    {
+                        assertPageAccessGranted(pageManager, "/default-page.psml");
+                        assertPageAccessGranted(pageManager, "/or-page.psml");
+                        assertPageAccessDenied(pageManager, "/and-page.psml");
+                        assertPageAccessGranted(pageManager, "/not-page.psml");
+                        assertPageAccessGranted(pageManager, "/and-not-page.psml");
+                        assertPageAccessDenied(pageManager, "/paren-page.psml");
+                        return null;
+                    }
+                    catch (Exception e)
+                    {
+                        return e;
+                    }
+                }
+            }, null);
+            if (userAccess != null)
+            {
+                throw userAccess;
+            }
+
+            // test as test group user
+            Exception testGroupUserAccess = (Exception) JSSubject.doAsPrivileged(testGroupUserSubject, new PrivilegedAction()
+            {
+                public Object run()
+                {
+                    try
+                    {
+                        assertPageAccessGranted(pageManager, "/default-page.psml");
+                        assertPageAccessGranted(pageManager, "/or-page.psml");
+                        assertPageAccessDenied(pageManager, "/and-page.psml");
+                        assertPageAccessGranted(pageManager, "/not-page.psml");
+                        assertPageAccessDenied(pageManager, "/and-not-page.psml");
+                        assertPageAccessGranted(pageManager, "/paren-page.psml");
+                        return null;
+                    }
+                    catch (Exception e)
+                    {
+                        return e;
+                    }
+                }
+            }, null);
+            if (testGroupUserAccess != null)
+            {
+                throw testGroupUserAccess;
+            }
+
+            // test as test role user
+            Exception testRoleUserAccess = (Exception) JSSubject.doAsPrivileged(testRoleUserSubject, new PrivilegedAction()
+            {
+                public Object run()
+                {
+                    try
+                    {
+                        assertPageAccessGranted(pageManager, "/default-page.psml");
+                        assertPageAccessGranted(pageManager, "/or-page.psml");
+                        assertPageAccessDenied(pageManager, "/and-page.psml");
+                        assertPageAccessDenied(pageManager, "/not-page.psml");
+                        assertPageAccessGranted(pageManager, "/and-not-page.psml");
+                        assertPageAccessGranted(pageManager, "/paren-page.psml");
+                        return null;
+                    }
+                    catch (Exception e)
+                    {
+                        return e;
+                    }
+                }
+            }, null);
+            if (testRoleUserAccess != null)
+            {
+                throw testRoleUserAccess;
+            }
+
+            // test as test group role user
+            Exception testGroupRoleUserAccess = (Exception) JSSubject.doAsPrivileged(testGroupRoleUserSubject, new PrivilegedAction()
+            {
+                public Object run()
+                {
+                    try
+                    {
+                        assertPageAccessGranted(pageManager, "/default-page.psml");
+                        assertPageAccessGranted(pageManager, "/or-page.psml");
+                        assertPageAccessGranted(pageManager, "/and-page.psml");
+                        assertPageAccessDenied(pageManager, "/not-page.psml");
+                        assertPageAccessDenied(pageManager, "/and-not-page.psml");
+                        assertPageAccessGranted(pageManager, "/paren-page.psml");
+                        return null;
+                    }
+                    catch (Exception e)
+                    {
+                        return e;
+                    }
+                }
+            }, null);
+            if (testGroupRoleUserAccess != null)
+            {
+                throw testGroupRoleUserAccess;
+            }
+
+            // cleanup test as admin user
+            Exception cleanup = (Exception)JSSubject.doAsPrivileged(adminSubject, new PrivilegedAction()
+            {
+                public Object run()
+                {
+                    try
+                    {
+                        // cleanup by removing root folder
+                        try
+                        {
+                            Folder remove = pageManager.getFolder("/");
+                            TestCase.assertEquals("/", remove.getPath());
+                            pageManager.removeFolder(remove);
+                        }
+                        catch (FolderNotFoundException e)
+                        {
+                            TestCase.assertTrue("Folder / NOT FOUND", false);
+                        }
+
+                        return null;
+                    }
+                    catch (Exception e)
+                    {
+                        return e;
+                    }
+                }
+            }, null);
+            if (cleanup != null)
+            {
+                throw cleanup;
+            }
+        }
+
+        static void assertPageAccessGranted(PageManager pageManager, String path) throws Exception
+        {
+            try
+            {
+                pageManager.getPage(path);
+            }
+            catch (SecurityException se)
+            {
+                TestCase.fail("Page "+path+" access denied");
+            }
+        }
+
+        static void assertPageAccessDenied(PageManager pageManager, String path) throws Exception
+        {
+            try
+            {
+                pageManager.getPage(path);
+                TestCase.fail("Page "+path+" access granted");
+            }
+            catch (SecurityException se)
+            {
+            }
+        }
     }
 
     /**

Modified: portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/test/org/apache/jetspeed/page/TestSecureCastorXmlPageManager.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/test/org/apache/jetspeed/page/TestSecureCastorXmlPageManager.java?rev=1466334&r1=1466333&r2=1466334&view=diff
==============================================================================
--- portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/test/org/apache/jetspeed/page/TestSecureCastorXmlPageManager.java (original)
+++ portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/test/org/apache/jetspeed/page/TestSecureCastorXmlPageManager.java Wed Apr 10 05:03:10 2013
@@ -95,4 +95,13 @@ public class TestSecureCastorXmlPageMana
         // utilize standard secure page manager test
         Shared.testSecurePageManager(this, pageManager);
     }
+
+    public void testSecurityConstraintsRefExpressions() throws Exception
+    {
+        if (pageManager.getConstraintsEnabled())
+        {
+            // utilize standard secure page manager test
+            Shared.testSecurityConstraintsRefExpressions(this, pageManager);
+        }
+    }
 }

Modified: portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/test/org/apache/jetspeed/page/TestSecureDatabasePageManager.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/test/org/apache/jetspeed/page/TestSecureDatabasePageManager.java?rev=1466334&r1=1466333&r2=1466334&view=diff
==============================================================================
--- portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/test/org/apache/jetspeed/page/TestSecureDatabasePageManager.java (original)
+++ portals/jetspeed-2/portal/branches/JETSPEED-2.1.4/components/page-manager/src/test/org/apache/jetspeed/page/TestSecureDatabasePageManager.java Wed Apr 10 05:03:10 2013
@@ -61,4 +61,13 @@ public class TestSecureDatabasePageManag
         // utilize standard secure page manager test
         Shared.testSecurePageManager(this, pageManager);
     }
+
+    public void testSecurityConstraintsRefExpressions() throws Exception
+    {
+        if (pageManager.getConstraintsEnabled())
+        {
+            // utilize standard secure page manager test
+            Shared.testSecurityConstraintsRefExpressions(this, pageManager);
+        }
+    }
 }



---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org


Mime
View raw message