
From smckin...@apache.org
Subject directory-fortress-core git commit: FC-29 - AuditMgr.getUserAuthZ cannot pull back failedOnly
Date Sat, 20 Dec 2014 16:20:41 GMT
Repository: directory-fortress-core
Updated Branches:
  refs/heads/rfc4370 [created] 3966a1518


FC-29 - AuditMgr.getUserAuthZ cannot pull back failedOnly


Project: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/commit/3966a151
Tree: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/tree/3966a151
Diff: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/diff/3966a151

Branch: refs/heads/rfc4370
Commit: 3966a15188bc8b2ccd6ed99e7be0af0664cdc33e
Parents: 94935f5
Author: Shawn McKinney <smckinney@apache.org>
Authored: Sat Dec 20 10:19:56 2014 -0600
Committer: Shawn McKinney <smckinney@apache.org>
Committed: Sat Dec 20 10:19:56 2014 -0600

----------------------------------------------------------------------
 build.properties                                |  26 ++--
 build.xml                                       |   3 +-
 ivy.xml                                         |   2 +-
 pom.xml                                         |   2 +-
 .../directory/fortress/core/GlobalIds.java      |  15 ++-
 .../core/ldap/ApacheDsDataProvider.java         |  15 ++-
 .../directory/fortress/core/rbac/AuditDAO.java  |   4 +-
 .../directory/fortress/core/rbac/PermDAO.java   |  14 +-
 .../fortress/core/rbac/Permission.java          |   1 +
 .../directory/fortress/core/rbac/User.java      |  63 ++++++++-
 .../fortress/core/util/attr/AttrHelper.java     | 133 ++++++-------------
 .../fortress/core/AccessMgrConsole.java         |  17 ++-
 .../fortress/core/AdminMgrConsole.java          |  27 ++++
 .../fortress/core/AuditMgrConsole.java          | 121 +++++++++++++++--
 .../fortress/core/ReviewMgrConsole.java         |  18 +++
 .../fortress/core/rbac/AccessMgrImplTest.java   |  91 +++++++------
 .../fortress/core/rbac/AuditMgrImplTest.java    |  14 +-
 17 files changed, 390 insertions(+), 176 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/build.properties
----------------------------------------------------------------------
diff --git a/build.properties b/build.properties
index 70c4b89..ba4cb7a 100644
--- a/build.properties
+++ b/build.properties
@@ -32,7 +32,7 @@
 ########################################################################
 
 # Use this Fortress Core version:
-version=1.0-RC39
+version=1.0-RC40-SNAPSHOT
 
 # Enable local.mode property if your machine does not have connection to Internet and runtime dependencies have already downloaded to FORTRESS_HOME/lib folder on this machine:
 #local.mode=true
@@ -63,14 +63,16 @@ http.protocol=http
 ########################################################################
 
 # This param tells fortress what type of ldap server in use:
-#ldap.server.type=openldap
-ldap.server.type=apacheds
+ldap.server.type=openldap
+#ldap.server.type=apacheds
 # This is the default:
 ldap.client.type=apache
 
 # These parameters point fortress to LDAP host:
 ldap.host=localhost
-ldap.port=10389
+ldap.port=389
+#ldap.host=fortressdemo2.com
+#ldap.port=10636
 
 #ldap.uris=ldap://${ldap.host}:${ldap.port}
 # These are needed for client SSL connections with LDAP Server:
@@ -79,7 +81,7 @@ ldap.port=10389
 #enable.ldap.ssl.debug=true
 #key.store=/home/smckinn/fortress/builder/src/test/resources/certs/mykeystore
 #key.store.password=changeit
-#trust.store=/home/smckinn/fortress/builder/src/test/resources/certs/mytruststore
+#trust.store=/home/smckinn/GIT/fortressDev/directory-fortress-core/src/test/resources/certs/mytruststore
 #trust.store.password=changeit
 #trust.store.set.prop=true
 
@@ -112,8 +114,8 @@ audits.dn=cn=log
 groups.dn=ou=Groups,${suffix}
 
 # These are the connection parameters used for LDAP service account:
-#root.dn=cn=Manager,${suffix}
-root.dn=uid=admin,ou=system
+root.dn=cn=Manager,${suffix}
+#root.dn=uid=admin,ou=system
 # Used to load OpenLDAP admin root password in slapd.conf and was encrypted using 'slappasswd' command:
 root.pw={SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU
 # This OpenLDAP admin root pass is bound for fortress.properties used by 'admin' pooled connections:
@@ -127,9 +129,13 @@ admin.max.conn=10
 user.min.conn=1
 user.max.conn=10
 
-# Used for searching slapd logger.  Leave zeros when using apacheds:
-min.log.conn=0
-max.log.conn=0
+# Used for searching slapd logger.  Comment out for ApacheDS or other directory servers:
+log.admin.user=cn=Manager,cn=log
+log.admin.pw=secret
+
+# Used for slapd logger connection pool.  Leave zeros when using apacheds:
+min.log.conn=1
+max.log.conn=3
 
 ########################################################################
 # 9. GROUP OBJECT CLASS DEFINITIONS
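Review bot: `log.admin.pw=secret` at line 116 checks a plaintext bind credential into a tracked build file; the root credential at line 105 is at least stored as an SSHA hash, and the comment at line 106 indicates values from this file are copied into fortress.properties, so this one reaches runtime configuration as-is. Leave the key with an empty value and have it supplied from an untracked local file or the environment at build time: `# Supplied at build time (local override); do not commit a real value` followed by `log.admin.pw=`. The neighbouring hunks (lines 67-86 and 96-106) also flip the checked-in defaults to the author's local OpenLDAP setup, which looks like environment drift rather than part of FC-29.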

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/build.xml
----------------------------------------------------------------------
diff --git a/build.xml b/build.xml
index 1cd1b6a..1ac04d7 100644
--- a/build.xml
+++ b/build.xml
@@ -174,7 +174,8 @@
        <property name="apacheJMeter_core.jar" value="${lib.dir}/ApacheJMeter_core-2.11.jar"/>
        <property name="apacheJMeter_java.jar" value="${lib.dir}/ApacheJMeter_java-2.11.jar"/>
        <property name="apacheds-all.jar" value="${lib.dir}/apacheds-all-2.0.0-M18.jar"/>
-       <property name="apacheds-api-all.jar" value="${lib.dir}/api-all-1.0.0-M25.jar"/>
+       <property name="apacheds-api-all.jar" value="${lib.dir}/api-all-1.0.0-M27-SNAPSHOT.jar"/>
+<!--       <property name="apacheds-api-all.jar" value="${lib.dir}/api-all-1.0.0-M25.jar"/>-->
        <property name="mina-core.jar" value="${lib.dir}/mina-core-2.0.7.jar"/>
        <property name="opencsv.jar" value="${lib.dir}/opencsv-2.3.jar"/>
 

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/ivy.xml
----------------------------------------------------------------------
diff --git a/ivy.xml b/ivy.xml
index 3f14d97..1f4f876 100755
--- a/ivy.xml
+++ b/ivy.xml
@@ -48,7 +48,7 @@
         <dependency org="org.slf4j" name="slf4j-api" rev="1.7.5" conf="default->master"/>
         <dependency org="org.slf4j" name="slf4j-log4j12" rev="1.7.5" conf="default->master"/>
         <dependency org="org.slf4j" name="slf4j-jcl" rev="1.7.5" conf="default->master"/>
-        <dependency org="org.apache.directory.api" name="api-all" rev="1.0.0-M25" conf="default->master"/>
+<!--        <dependency org="org.apache.directory.api" name="api-all" rev="1.0.0-M25" conf="default->master"/>-->
         <dependency org="org.apache.directory.server" name="apacheds-all" rev="2.0.0-M18" conf="default->master"/>
         <dependency org="net.sf.opencsv" name="opencsv" rev="2.3" conf="default->master" />
         <dependency org="org.apache.jmeter" name="ApacheJMeter_core" rev="2.11" conf="default->master" />
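Review bot: Commenting out the api-all dependency here, while build.xml (line 136) and pom.xml (line 169) move to `api-all-1.0.0-M27-SNAPSHOT`, means the Ant/Ivy build now relies on a jar placed in lib.dir by hand and the Maven build on a moving snapshot, so neither resolves a pinned, verifiable artifact. If the snapshot is needed, declare it with `rev="1.0.0-M27-SNAPSHOT"` against a snapshot resolver rather than leaving the line commented, and pin to a released milestone before 1.0-RC40 ships. Leaving the old declaration as an XML comment (also done in build.xml line 137) is dead configuration; delete it instead.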

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index cd17188..666b18d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -123,7 +123,7 @@
     <version.ant.launcher>1.9.1</version.ant.launcher>
     <version.antlr>2.7.7</version.antlr>
     <version.apacheds>2.0.0-M18</version.apacheds>
-    <version.api.all>1.0.0-M25</version.api.all>
+    <version.api.all>1.0.0-M27-SNAPSHOT</version.api.all>
     <version.commons.beanutils>1.7.0</version.commons.beanutils>
     <version.commons.beanutils-core>1.8.0</version.commons.beanutils-core>
     <version.commons.codec>1.2</version.commons.codec>

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/src/main/java/org/apache/directory/fortress/core/GlobalIds.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/GlobalIds.java b/src/main/java/org/apache/directory/fortress/core/GlobalIds.java
index 7e12f20..d4a02c8 100755
--- a/src/main/java/org/apache/directory/fortress/core/GlobalIds.java
+++ b/src/main/java/org/apache/directory/fortress/core/GlobalIds.java
@@ -272,6 +272,12 @@ public class GlobalIds
       *  **  OpenAccessMgr AUDIT
       *  ************************************************************************
       */
+
+    public final static int AUTHZ_COMPARE_FAILURE_FLAG = 5;
+    /**
+     * This string will be appended to the operation name to force failure on compare.
+     */
+    public final static String FAILED_AUTHZ_INDICATOR = "%failed%";
     /**
      * This object class contains Fortress audit contextual information.
      */
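Review bot: `AUTHZ_COMPARE_FAILURE_FLAG = 5` at line 185 is an undocumented magic value while the constant right below it gets a Javadoc. The value is the LDAP compareFalse result code (RFC 4511), PermDAO forces denied checkAccess compares to produce it (lines 350-351) and AuditDAO's failedOnly filter selects on it (line 292), so that contract belongs on the declaration: `/** LDAP result code compareFalse (RFC 4511). PermDAO forces denied checkAccess compares to return it and AuditDAO's failedOnly filter matches reqResult against it. */`. The new declarations also mix `public final static` with the `public static final` used for POBJ_ID at line 199; the latter is the conventional order.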
@@ -383,6 +389,11 @@ public class GlobalIds
     public final static String POBJ_NAME = "ftObjNm";
 
     /**
+     * Attribute name for storing Fortress permission object id.
+     */
+    public static final String POBJ_ID = "ftObjId";
+
+    /**
      * Attribute name for storing parent node names for hierarchical processing.
      */
     public final static String PARENT_NODES = "ftParents";
@@ -473,7 +484,8 @@ public class GlobalIds
         .getProperty( LDAP_FILTER_SIZE_PROP ) != null );
     public static final String APACHE_LDAP_API = "apache";
     public static final String AUTH_Z_FAILED = "authzfailed";
-    public static final String AUTH_Z_FAILED_VALUE = "ftOpNm=" + AUTH_Z_FAILED;
+    public static final String POP_NAME = "ftOpNm";
+    public static final String AUTH_Z_FAILED_VALUE = POP_NAME + "=" + AUTH_Z_FAILED;
 
     /**
      * maximum number of entries allowed for ldap filter replacements.
@@ -539,5 +551,4 @@ public class GlobalIds
      */
     public static final String ALL = "all";
     public static final String NULL = "null";
-    public static final String POP_NAME = "ftOpNm";
 }
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/src/main/java/org/apache/directory/fortress/core/ldap/ApacheDsDataProvider.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/ldap/ApacheDsDataProvider.java b/src/main/java/org/apache/directory/fortress/core/ldap/ApacheDsDataProvider.java
index a0280d2..753c346 100644
--- a/src/main/java/org/apache/directory/fortress/core/ldap/ApacheDsDataProvider.java
+++ b/src/main/java/org/apache/directory/fortress/core/ldap/ApacheDsDataProvider.java
@@ -64,6 +64,9 @@ import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
 import org.apache.directory.api.ldap.model.message.SearchRequest;
 import org.apache.directory.api.ldap.model.message.SearchRequestImpl;
 import org.apache.directory.api.ldap.model.message.SearchScope;
+import org.apache.directory.api.ldap.model.message.controls.ProxiedAuthz;
+import org.apache.directory.api.ldap.model.message.controls.ProxiedAuthzImpl;
+
 import org.apache.directory.api.ldap.model.name.Dn;
 import org.apache.directory.ldap.client.api.DefaultPoolableLdapConnectionFactory;
 import org.apache.directory.ldap.client.api.LdapConnection;
@@ -83,6 +86,8 @@ import org.apache.directory.fortress.core.util.time.Constraint;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import javax.naming.ldap.ExtendedResponse;
+
 
 /**
  * Abstract class contains methods to perform low-level entity to ldap persistence.  These methods are called by the
@@ -153,6 +158,7 @@ public abstract class ApacheDsDataProvider
 
     private static final PasswordPolicy PP_REQ_CTRL = new PasswordPolicyImpl();
 
+
     static
     {
         String host = Config.getProperty( LDAP_HOST, "localhost" );
@@ -909,6 +915,10 @@ public abstract class ApacheDsDataProvider
      * This method uses the compare ldap func to assert audit record into the directory server's configured audit
      * logger.
      *
+     * This is for one reason - to force the ldap server to maintain an audit trail on checkAccess api.
+     *
+     * Use proxy authz control (RFC4370) to assert the caller's id onto the record.
+     *
      * @param connection is LdapConnection object used for all communication with host.
      * @param dn         contains address of distinguished name to begin ldap search
      * @param userDn     dn for user node
@@ -927,8 +937,11 @@ public abstract class ApacheDsDataProvider
         compareRequest.setAttributeId( attribute.getId() );
         compareRequest.setAssertionValue( attribute.getString() );
 
+        // Assert the end user's dn onto the reqest using proxy authZ control so openldap can log who the user was (for authZ audit trail)
+        ProxiedAuthz proxiedAuthzControl = new ProxiedAuthzImpl();
+        proxiedAuthzControl.setAuthzId( "dn: " + userDn );
+        compareRequest.addControl( proxiedAuthzControl );
         CompareResponse response = connection.compare( compareRequest );
-
         return response.getLdapResult().getResultCode() == ResultCodeEnum.SUCCESS;
     }
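Review bot: The proxied-authorization control added at lines 272-274 changes who the server attributes the compare to, but nothing checks that it actually took effect. RFC 4370 requires the control to be sent as critical so that a server which does not support it rejects the request instead of silently logging the pooled service identity as the requester; confirm that `ProxiedAuthzImpl` marks itself critical by default, otherwise set it explicitly. RFC 4513 gives the authzId form as `dn:` immediately followed by the DN, so the space in `"dn: " + userDn` is outside that grammar and should be dropped unless the server is known to tolerate it. The pooled identity must also hold proxy-authorization rights for the user; when it does not, the compare fails with a result code other than compareFalse and the `reqResult=5` filter in AuditDAO will not surface it as an authZ failure, which is worth a comment here. The enclosing method's signature lies outside the hunk, and the comment at line 271 misspells "request".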
 

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/src/main/java/org/apache/directory/fortress/core/rbac/AuditDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/AuditDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/AuditDAO.java
index e273559..c8667ce 100755
--- a/src/main/java/org/apache/directory/fortress/core/rbac/AuditDAO.java
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/AuditDAO.java
@@ -320,7 +320,7 @@ final class AuditDAO extends ApacheDsDataProvider
 
             if ( audit.isFailedOnly() )
             {
-                filter += "(!(" + REQRESULT + "=" + 6 + "))";
+                filter += "(" + REQRESULT + "=" + GlobalIds.AUTHZ_COMPARE_FAILURE_FLAG + ")";
             }
 
             if ( audit.getBeginDate() != null )
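Review bot: Narrowing the failedOnly filter from `!(reqResult=6)` to `reqResult=5` (here and in the identical change at lines 296-304) changes what "failed" means: only compares that returned compareFalse are selected now, so a checkAccess whose compare failed for another reason, e.g. the permission entry missing or the proxied identity lacking rights, disappears from the failed-only view instead of being listed as before. If that is intended, say so next to the filter: `// compareFalse only: PermDAO forces this code for denied checkAccess calls; other compare errors are not treated as authZ failures here`. The TODO at line 297 about restricting the search to Fortress authZ entries still applies after this change. The enclosing method starts and ends outside the hunk.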
@@ -409,7 +409,7 @@ final class AuditDAO extends ApacheDsDataProvider
                 // TODO: fix this so filter by only the Fortress AuthZ entries and not the others:
                 if ( audit.isFailedOnly() )
                 {
-                    filter += "(!(" + REQRESULT + "=" + 6 + "))";
+                    filter += "(" + REQRESULT + "=" + GlobalIds.AUTHZ_COMPARE_FAILURE_FLAG + ")";
                 }
             }
 

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/src/main/java/org/apache/directory/fortress/core/rbac/PermDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/PermDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/PermDAO.java
index 1a7f1e9..b5a41ab 100755
--- a/src/main/java/org/apache/directory/fortress/core/rbac/PermDAO.java
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/PermDAO.java
@@ -173,13 +173,12 @@ final class PermDAO extends ApacheDsDataProvider
     };
 
     private static final String PERM_NAME = "ftPermName";
-    private static final String POBJ_ID = "ftObjId";
     private static final String ROLES = "ftRoles";
     private static final String USERS = "ftUsers";
     private static final String[] PERMISSION_OP_ATRS =
         {
             GlobalIds.FT_IID, PERM_NAME, GlobalIds.POBJ_NAME, GlobalIds.POP_NAME, GlobalIds.DESC, SchemaConstants.OU_AT,
-            POBJ_ID, TYPE, ROLES, USERS, GlobalIds.PROPS
+            GlobalIds.POBJ_ID, TYPE, ROLES, USERS, GlobalIds.PROPS
     };
 
     private static final String[] PERMISION_OBJ_ATRS =
@@ -390,7 +389,7 @@ final class PermDAO extends ApacheDsDataProvider
             // objectid is optional:
             if ( VUtil.isNotNullOrEmpty( entity.getObjId() ) )
             {
-                entry.add( POBJ_ID, entity.getObjId() );
+                entry.add( GlobalIds.POBJ_ID, entity.getObjId() );
             }
 
             // type is optional:
@@ -854,6 +853,7 @@ final class PermDAO extends ApacheDsDataProvider
             isAuthZd = isAuthorized( session, outPerm );
 
             // This is done to leave an audit trail in ldap server log:
+            attributeValue = outPerm.getOpName();
             if ( isAuthZd )
             {
                 // Yes, set the operation name onto this attribute for storage into audit trail:
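Review bot: `attributeValue = outPerm.getOpName();` at line 340 now runs unconditionally, yet the comment at line 343 says the success branch sets the operation name onto the same attribute; that branch's body lies outside the hunk, so either it still assigns the value and line 340 is redundant, or it was emptied and the comment is stale. Either way the intent reads better as one assignment with the denied case appending the marker from line 351: `attributeValue = isAuthZd ? outPerm.getOpName() : outPerm.getOpName() + GlobalIds.FAILED_AUTHZ_INDICATOR;`. The comment at line 350 should also state that the suffix is assumed never to equal a stored ftOpNm value, since that is what makes the compare return compareFalse and is the contract AuditDAO's failedOnly filter relies on. The enclosing method starts and ends outside these hunks.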
@@ -861,8 +861,8 @@ final class PermDAO extends ApacheDsDataProvider
             }
             else
             {
-                // No, set a simple error message onto this attribute for storage into audit trail:
-                attributeValue = "AuthZ Failed";
+                // Changing this attribute value forces the compare to fail.  This facilitates tracking of authorization failures events in the slapd access log (by searching for compare failures).
+                attributeValue = outPerm.getOpName() + GlobalIds.FAILED_AUTHZ_INDICATOR;
             }
 
             // There is a switch in fortress config to disable audit ops like this one.
@@ -1002,7 +1002,7 @@ final class PermDAO extends ApacheDsDataProvider
         entity.setSequenceId( sequence );
         entity.setAbstractName( getAttribute( le, PERM_NAME ) );
         entity.setObjName( getAttribute( le, GlobalIds.POBJ_NAME ) );
-        entity.setObjId( getAttribute( le, POBJ_ID ) );
+        entity.setObjId( getAttribute( le, GlobalIds.POBJ_ID ) );
         entity.setOpName( getAttribute( le, GlobalIds.POP_NAME ) );
         entity.setInternalId( getAttribute( le, GlobalIds.FT_IID ) );
         entity.setRoles( getAttributeSet( le, ROLES ) );
@@ -1460,7 +1460,7 @@ final class PermDAO extends ApacheDsDataProvider
 
         if ( objId != null && objId.length() > 0 )
         {
-            rDn = GlobalIds.POP_NAME + "=" + opName + "+" + POBJ_ID + "=" + objId;
+            rDn = GlobalIds.POP_NAME + "=" + opName + "+" + GlobalIds.POBJ_ID + "=" + objId;
         }
         else
         {

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/src/main/java/org/apache/directory/fortress/core/rbac/Permission.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/Permission.java b/src/main/java/org/apache/directory/fortress/core/rbac/Permission.java
index a933947..e266778 100755
--- a/src/main/java/org/apache/directory/fortress/core/rbac/Permission.java
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/Permission.java
@@ -751,6 +751,7 @@ public class Permission extends FortEntity implements Serializable
         return "Permission{" +
             "objName='" + objName + '\'' +
             ", opName='" + opName + '\'' +
+            ", objId='" + objId + '\'' +
             '}';
     }
 }

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/src/main/java/org/apache/directory/fortress/core/rbac/User.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/User.java b/src/main/java/org/apache/directory/fortress/core/rbac/User.java
index 4f00ac1..235eecb 100755
--- a/src/main/java/org/apache/directory/fortress/core/rbac/User.java
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/User.java
@@ -47,7 +47,7 @@ import org.apache.directory.fortress.core.util.time.Constraint;
  * <ol>
  * <li>Manager layer:  {@link AdminMgrImpl}, {@link AccessMgrImpl}, {@link ReviewMgrImpl},...</li>
  * <li>Process layer:  {@link UserP}, {@link RoleP}, {@link PermP},...</li>
- * <li>DAO layer: {@link UserDAO}, {@link org.apache.directory.fortress.core.rbac.dao.RoleDAO}, {@link org.apache.directory.fortress.core.rbac.dao.PermDAO},...</li>
+ * <li>DAO layer: {@link UserDAO}, {@link org.apache.directory.fortress.core.rbac.RoleDAO}, {@link org.apache.directory.fortress.core.rbac.PermDAO},...</li>
  * </ol>
  * Fortress clients must first instantiate the data entity before invoking one of the Manager APIs.  The caller must first
  * provide enough information to uniquely identity target record for the particular ldap operation performed.<br />
@@ -280,6 +280,67 @@ public class User extends FortEntity implements Constraint, Serializable
     @XmlTransient
     private byte[] jpegPhoto;
 
+    // RFC2307bis:
+    /*
+    MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
+    MAY ( userPassword $ loginShell $ gecos $ description ) )
+     */
+    private String uidNumber;
+    private String gidNumber;
+    private String homeDirectory;
+    private String loginShell;
+    private String gecos;
+
+    public String getUidNumber()
+    {
+        return uidNumber;
+    }
+
+    public void setUidNumber( String uidNumber )
+    {
+        this.uidNumber = uidNumber;
+    }
+
+    public String getGidNumber()
+    {
+        return gidNumber;
+    }
+
+    public void setGidNumber( String gidNumber )
+    {
+        this.gidNumber = gidNumber;
+    }
+
+    public String getHomeDirectory()
+    {
+        return homeDirectory;
+    }
+
+    public void setHomeDirectory( String homeDirectory )
+    {
+        this.homeDirectory = homeDirectory;
+    }
+
+    public String getLoginShell()
+    {
+        return loginShell;
+    }
+
+    public void setLoginShell( String loginShell )
+    {
+        this.loginShell = loginShell;
+    }
+
+    public String getGecos()
+    {
+        return gecos;
+    }
+
+    public void setGecos( String gecos )
+    {
+        this.gecos = gecos;
+    }
+
 
     /**
      * Default constructor not intended for external use and is typically used by internal Fortress classes.
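Review bot: The five posixAccount accessors added at lines 419-467 are public API on an entity whose existing members carry Javadoc (see the class comment at lines 396-403), but none of them is documented and the RFC 2307bis comment at lines 408-412 is a bare schema excerpt. Each getter should state what it holds and its nullability, e.g. `/** @return the posixAccount uidNumber attribute (RFC 2307bis), or null when the user has no posix account. */`, with the field comment turned into a Javadoc on the group explaining that these map to the posixAccount object class. uidNumber and gidNumber are held as String although the schema defines them as integers, so callers get no validation; that may be intentional for LDAP round-tripping and is worth stating. No DAO appears in the diffstat, so as far as this commit shows the attributes are not yet persisted; the class continues past the hunk.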

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/src/main/java/org/apache/directory/fortress/core/util/attr/AttrHelper.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/util/attr/AttrHelper.java b/src/main/java/org/apache/directory/fortress/core/util/attr/AttrHelper.java
index f1ab501..3b9ef0c 100755
--- a/src/main/java/org/apache/directory/fortress/core/util/attr/AttrHelper.java
+++ b/src/main/java/org/apache/directory/fortress/core/util/attr/AttrHelper.java
@@ -19,6 +19,9 @@
  */
 package org.apache.directory.fortress.core.util.attr;
 
+import org.apache.directory.api.ldap.model.exception.LdapInvalidDnException;
+import org.apache.directory.api.ldap.model.name.Dn;
+import org.apache.directory.api.ldap.model.name.Rdn;
 import org.apache.directory.api.util.DateUtils;
 import org.apache.directory.fortress.core.GlobalIds;
 import org.apache.directory.fortress.core.rbac.Administrator;
@@ -185,6 +188,44 @@ public class AttrHelper
 
 
     /**
+     * Break the authZ eqDn attribute into 1. permission object name, 2. op name and 3. object id (optional).
+     *
+     * @param authZ contains the raw dn format from openldap slapo access log data
+     * @return Permisison containing objName, opName and optionally the objId populated from the raw data.
+     */
+    public static Permission getAuthZPerm(AuthZ authZ) throws LdapInvalidDnException
+    {
+        // This will be returned to the caller:
+        Permission pOp = new Permission();
+        // Break dn into rdns for leaf and parent.  Use the 'type' field in rdn.
+        // The objId value is optional.  If present it will be part of the parent's relative distinguished name..
+        // Here the sample reqDN=ftOpNm=TOP2_2+ftObjId=002,ftObjNm=TOB2_1,ou=Permissions,ou=RBAC,dc=example,dc=com
+        // Will be mapped to objName=TOB2_1, opName=TOP2_2, objId=002, in the returned permission object.
+        Dn dn = new Dn( authZ.getReqDN() );
+        if(dn != null && dn.getRdns() != null && VUtil.isNotNullOrEmpty( dn.getRdns() ) )
+        {
+            for( Rdn rdn : dn.getRdns() )
+            {
+                // The rdn type attribute will be mapped to objName, opName and objId fields.
+                switch ( rdn.getType() )
+                {
+                    case GlobalIds.POP_NAME:
+                        pOp.setOpName( rdn.getType() );
+                        break;
+                    case GlobalIds.POBJ_NAME:
+                        pOp.setObjName( rdn.getType() );
+                        break;
+                    case GlobalIds.POBJ_ID:
+                        pOp.setObjId( rdn.getType() );
+                        break;
+                }
+            }
+        }
+        return pOp;
+    }
+
+
+    /**
      * Convert from raw ldap generalized time format to {@link java.util.Date}.
      * to decode the string.
      *
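Review bot: The three `case` arms at lines 514-522 store the RDN's attribute type, not its value: for the sample reqDN in the comment at line 504 the returned permission gets opName `ftOpNm` and objName `ftObjNm` rather than TOP2_2 and TOB2_1. Each arm should read the value, i.e. `pOp.setOpName( rdn.getValue() );`, `pOp.setObjName( rdn.getValue() );`, `pOp.setObjId( rdn.getValue() );` (confirm the value accessor's return type in the api-all version in use; it may need a String conversion). The `switch` on `rdn.getType()` is a case-sensitive String compare while DN attribute types are case-insensitive, so matching on `rdn.getNormType()` would be safer unless the log is known to echo the DN exactly as PermDAO builds it; the `dn != null` check at line 507 is also dead since a constructor never returns null. The method now declares a checked `LdapInvalidDnException` and no longer populates user and role from the request filter as the removed implementation did (lines 605-624), both of which callers of this public helper must be told about in the Javadoc; the StringTokenizer import the old code used may now be unused. The replaced implementation is in the following hunk.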
@@ -212,96 +253,4 @@ public class AttrHelper
         szTime = DateUtils.getGeneralizedTime( date );
         return szTime;
     }
-
-    /**
-     * Parse slapd access raw data to pull the permission name out.
-     *
-     * @param authZ raw data contained in Fortress audit entity.
-     * @return Permission contains {@link org.apache.directory.fortress.core.rbac.Permission#objName} and {@link org.apache.directory.fortress.core.rbac.Permission#opName}
-     */
-    public static Permission getAuthZPerm(AuthZ authZ)
-    {
-        int indx = 0;
-        //final int objectClass = 1;
-        final int oPNm = 2;
-        final int oBjNm = 3;
-        final int user = 4;
-        final int roles = 6;
-
-        // reqFilter
-        // <(&(objectClass=ftOperation)
-        // (ftOpNm=top1_10)(ftObjNm=tob2_4)
-        // (|(ftUsers=fttu3user4)
-        // (ftRoles=ftt3role1)
-        // (ftRoles=ftt3role2)
-        // (ftRoles=ftt3role3)
-        // (ftRoles=ftt3role4)
-        // (ftRoles=ftt3role5)
-        // (ftRoles=ftt3role6)
-        // (ftRoles=ftt3role7)
-        // (ftRoles=ftt3role8)
-        // (ftRoles=ftt3role9)
-        // (ftRoles=ftt3role10)))>
-
-        Permission pOp = new Permission();
-        if (authZ.getReqFilter() != null && authZ.getReqFilter().length() > 0)
-        {
-            StringTokenizer maxTkn = new StringTokenizer(authZ.getReqFilter(), "(");
-            //System.out.println("maxTken size=" + maxTkn.countTokens());
-            int numTokens = maxTkn.countTokens();
-            for (int i = 0; i < numTokens; i++)
-            {
-                String val = maxTkn.nextToken();
-                //System.out.println("token[" + i + "]=" + val);
-                switch (i)
-                {
-                    //case objectClass:
-                    //    indx = val.indexOf('=');
-                    //    if (indx >= 1)
-                    //    {
-                    //        String value = val.substring(indx + 1, val.length() - 1);
-                    //    }
-                    //    break;
-
-                    case oPNm:
-                        indx = val.indexOf('=');
-                        if (indx >= 1)
-                        {
-                            pOp.setOpName(val.substring(indx + 1, val.length() - 1));
-                        }
-                        break;
-
-                    case oBjNm:
-                        indx = val.indexOf('=');
-                        if (indx >= 1)
-                        {
-                            pOp.setObjName( val.substring( indx + 1, val.length() - 1 ) );
-                        }
-                        break;
-
-                    case user:
-                        indx = val.indexOf('=');
-                        if (indx >= 1)
-                        {
-                            pOp.setUser(val.substring(indx + 1, val.length() - 1));
-                        }
-                        break;
-
-                    default:
-                        int indx2 = 0;
-                        if (i >= roles)
-                        {
-                            indx = val.indexOf('=');
-                            indx2 = val.indexOf(')');
-                        }
-                        if (indx >= 1)
-                        {
-                            pOp.setRole(val.substring(indx + 1, indx2));
-                        }
-                        break;
-                }
-            }
-        }
-        return pOp;
-    }
 }

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/src/test/java/org/apache/directory/fortress/core/AccessMgrConsole.java
----------------------------------------------------------------------
diff --git a/src/test/java/org/apache/directory/fortress/core/AccessMgrConsole.java b/src/test/java/org/apache/directory/fortress/core/AccessMgrConsole.java
index 6880857..dce7be3 100755
--- a/src/test/java/org/apache/directory/fortress/core/AccessMgrConsole.java
+++ b/src/test/java/org/apache/directory/fortress/core/AccessMgrConsole.java
@@ -276,12 +276,21 @@ class AccessMgrConsole
         {
             VUtil.assertNotNull(session, GlobalErrIds.USER_SESS_NULL, "AccessMgrConsole.checkAccess");
             ReaderUtil.clearScreen();
+            Permission perm = new Permission();
             System.out.println("Enter object name:");
-            String objName = ReaderUtil.readLn();
+            perm.setObjName( ReaderUtil.readLn() );
             System.out.println("Enter operation name:");
-            String opName = ReaderUtil.readLn();
-            boolean result = am.checkAccess(session, new Permission(objName, opName));
-            System.out.println("CheckAccess return [" + result + "] for user [" + session.getUserId() + "] objName [" + objName + "] operationName [" + opName + "]");
+            perm.setOpName( ReaderUtil.readLn() );
+            System.out.println("Enter object id (or NULL to skip):");
+            String val = ReaderUtil.readLn();
+            if ( val != null && val.length() > 0 )
+            {
+                perm.setObjId( val );
+            }
+
+            boolean result = am.checkAccess( session, perm );
+            System.out.println("CheckAccess return [" + result + "] for user [" + session.getUserId() + "], objName [" + perm.getObjName() + "], operationName [" + perm.getOpName() + "]" +
+                ", objId [" + perm.getObjId() + "]");
             System.out.println("ENTER to continue");
         }
         catch (SecurityException e)

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/src/test/java/org/apache/directory/fortress/core/AdminMgrConsole.java
----------------------------------------------------------------------
diff --git a/src/test/java/org/apache/directory/fortress/core/AdminMgrConsole.java b/src/test/java/org/apache/directory/fortress/core/AdminMgrConsole.java
index 207e77b..11f8597 100755
--- a/src/test/java/org/apache/directory/fortress/core/AdminMgrConsole.java
+++ b/src/test/java/org/apache/directory/fortress/core/AdminMgrConsole.java
@@ -302,6 +302,21 @@ class AdminMgrConsole
     }
 
 
+    private void enterPosixAccount(User user)
+    {
+        System.out.println("Enter UID_NUMBER:");
+        user.setUidNumber(ReaderUtil.readLn());
+        System.out.println("Enter GID_NUMBER:");
+        user.setGidNumber(ReaderUtil.readLn());
+        System.out.println("Enter HOME_DIRECTORY:");
+        user.setHomeDirectory(ReaderUtil.readLn());
+        System.out.println("Enter LOGIN_SHELL:");
+        user.setLoginShell(ReaderUtil.readLn());
+        System.out.println("Enter GECOS:");
+        user.setGecos(ReaderUtil.readLn());
+    }
+
+
     /**
      * Adds a feature to the User attribute of the AdminMgrConsole object
      */
@@ -334,6 +349,13 @@ class AdminMgrConsole
                 enterTemporal(ue);
             }
 
+            System.out.println("Do you want to set posix account attributes on User - Y or N");
+            choice = ReaderUtil.readLn();
+            if (choice != null && choice.equalsIgnoreCase("Y"))
+            {
+                enterPosixAccount( ue );
+            }
+
             System.out.println("Enter Role name (or NULL to skip):");
             String val = ReaderUtil.readLn();
             for (int i = 0; val != null && val.length() > 0; i++)
@@ -405,6 +427,11 @@ class AdminMgrConsole
         {
             LOG.error("addUser caught SecurityException rc=" + e.getErrorId() + ", msg=" + e.getMessage(), e);
         }
+        catch(Exception e)
+        {
+            LOG.error( "addUser caught Exception=" + e );
+            e.printStackTrace();
+        }
         ReaderUtil.readChar();
     }
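Review bot: The new `catch(Exception e)` logs the exception only through string concatenation and then calls `e.printStackTrace()`, so the stack trace bypasses the logger while the log entry itself carries no throwable; the `SecurityException` branch just above passes `e` as the last argument. Change it to `LOG.error( "addUser caught Exception=" + e, e );` and drop the `printStackTrace()` call. Catching `Exception` this broadly also hides runtime errors from the prompts above; if it exists to keep the console alive, that deserves a one-line comment.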
 

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/src/test/java/org/apache/directory/fortress/core/AuditMgrConsole.java
----------------------------------------------------------------------
diff --git a/src/test/java/org/apache/directory/fortress/core/AuditMgrConsole.java b/src/test/java/org/apache/directory/fortress/core/AuditMgrConsole.java
index fa7d3f8..6e98de6 100755
--- a/src/test/java/org/apache/directory/fortress/core/AuditMgrConsole.java
+++ b/src/test/java/org/apache/directory/fortress/core/AuditMgrConsole.java
@@ -19,6 +19,9 @@
  */
 package org.apache.directory.fortress.core;
 
+import org.apache.directory.api.ldap.model.exception.LdapInvalidDnException;
+import org.apache.directory.api.ldap.model.name.Dn;
+import org.apache.directory.api.ldap.model.name.Rdn;
 import org.apache.directory.fortress.core.rbac.Bind;
 import org.apache.directory.fortress.core.rbac.AuthZ;
 import org.apache.directory.fortress.core.rbac.Mod;
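Review bot: `Dn` and `Rdn` are imported but neither appears in any hunk of this file; only `LdapInvalidDnException` is used, in the catch further down. If they are not referenced elsewhere in AuditMgrConsole, drop the two imports.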
@@ -33,6 +36,7 @@ import java.text.ParseException;
 import java.text.SimpleDateFormat;
 import java.util.Date;
 import java.util.List;
+import java.util.StringTokenizer;
 
 class AuditMgrConsole
 {
@@ -448,19 +452,26 @@ class AuditMgrConsole
                 }
 
                 System.out.println("    userId          " + AttrHelper.getAuthZId(authZ.getReqAuthzID()));
-                Permission pOp = AttrHelper.getAuthZPerm(authZ);
-                System.out.println("    Resource Name   " + pOp.getObjName());
-                System.out.println("    Operation       " + pOp.getOpName());
-                // TODO: fix the NPE that happens here:
-                //System.out.println("    Success?        " + authZ.getReqEntries().equals("1"));
-                int rCtr = 0;
-                if (pOp.getRoles() != null)
+                try
                 {
-                    for (String role : pOp.getRoles())
+                    Permission pOp = AttrHelper.getAuthZPerm(authZ);
+                    System.out.println("    Resource Name   " + pOp.getObjName());
+                    System.out.println("    Operation       " + pOp.getOpName());
+                    int rCtr = 0;
+                    if (pOp != null && pOp.getRoles() != null)
                     {
-                        System.out.println("    Role[" + rCtr++ + "]         " + role);
+                        // TODO: fix the NPE that happens here:
+                        System.out.println("    Success?        " + authZ.getReqEntries().equals(GlobalIds.AUTHZ_COMPARE_FAILURE_FLAG));
+                        for (String role : pOp.getRoles())
+                        {
+                            System.out.println("    Role[" + rCtr++ + "]         " + role);
+                        }
                     }
                 }
+                catch(LdapInvalidDnException e)
+                {
+                    System.out.println("LdapInvalidDnException=" + e);
+                }
                 //System.out.println("    reqStart        [" + authZ.getReqStart() + "]");
                 //System.out.println("    reqEnd          [" + authZ.getReqEnd() + "]");
                 System.out.println();
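Review bot: The `pOp != null` guard on the `if` is evaluated only after `pOp.getObjName()` and `pOp.getOpName()` have already been dereferenced two lines earlier, so it cannot prevent the NPE it implies; move the check ahead of the prints, e.g. `if ( pOp != null ) { … }` around all three prints and the roles loop, after which the `// TODO: fix the NPE` comment that moved into the roles branch can go. The `Success?` line is now printed only when the permission has roles, which does not look intentional, and it compares `reqEntries` with `GlobalIds.AUTHZ_COMPARE_FAILURE_FLAG`; if that constant is the failure value, the line reports `true` for a failed authorization, so either negate the comparison or relabel the line `Failed?`. The enclosing block starts outside the hunk.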
@@ -843,4 +854,96 @@ class AuditMgrConsole
         ReaderUtil.readChar();
     }
 
+
+    /**
+     * Parse slapd access raw data to pull the permission name out.
+     *
+     * @param authZ raw data contained in Fortress audit entity.
+     * @return Permission contains {@link org.apache.directory.fortress.core.rbac.Permission#objName} and {@link org.apache.directory.fortress.core.rbac.Permission#opName}
+     */
+    private Permission getAuthZPerm2(AuthZ authZ)
+    {
+        int indx = 0;
+        //final int objectClass = 1;
+        final int oPNm = 2;
+        final int oBjNm = 3;
+        final int user = 4;
+        final int roles = 6;
+
+        // reqFilter
+        // <(&(objectClass=ftOperation)
+        // (ftOpNm=top1_10)(ftObjNm=tob2_4)
+        // (|(ftUsers=fttu3user4)
+        // (ftRoles=ftt3role1)
+        // (ftRoles=ftt3role2)
+        // (ftRoles=ftt3role3)
+        // (ftRoles=ftt3role4)
+        // (ftRoles=ftt3role5)
+        // (ftRoles=ftt3role6)
+        // (ftRoles=ftt3role7)
+        // (ftRoles=ftt3role8)
+        // (ftRoles=ftt3role9)
+        // (ftRoles=ftt3role10)))>
+
+        Permission pOp = new Permission();
+        if (authZ.getReqFilter() != null && authZ.getReqFilter().length() > 0)
+        {
+            StringTokenizer maxTkn = new StringTokenizer(authZ.getReqFilter(), "=");
+            //System.out.println("maxTken size=" + maxTkn.countTokens());
+            int numTokens = maxTkn.countTokens();
+            for (int i = 0; i < numTokens; i++)
+            {
+                String val = maxTkn.nextToken();
+                //System.out.println("token[" + i + "]=" + val);
+                switch (i)
+                {
+                    //case objectClass:
+                    //    indx = val.indexOf('=');
+                    //    if (indx >= 1)
+                    //    {
+                    //        String value = val.substring(indx + 1, val.length() - 1);
+                    //    }
+                    //    break;
+
+                    case oPNm:
+                        indx = val.indexOf('=');
+                        if (indx >= 1)
+                        {
+                            pOp.setOpName(val.substring(indx + 1, val.length() - 1));
+                        }
+                        break;
+
+                    case oBjNm:
+                        indx = val.indexOf('=');
+                        if (indx >= 1)
+                        {
+                            pOp.setObjName( val.substring( indx + 1, val.length() - 1 ) );
+                        }
+                        break;
+
+                    case user:
+                        indx = val.indexOf('=');
+                        if (indx >= 1)
+                        {
+                            pOp.setUser(val.substring(indx + 1, val.length() - 1));
+                        }
+                        break;
+
+                    default:
+                        int indx2 = 0;
+                        if (i >= roles)
+                        {
+                            indx = val.indexOf('=');
+                            indx2 = val.indexOf(')');
+                        }
+                        if (indx >= 1)
+                        {
+                            pOp.setRole(val.substring(indx + 1, indx2));
+                        }
+                        break;
+                }
+            }
+        }
+        return pOp;
+    }
 }
\ No newline at end of file
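Review bot: `getAuthZPerm2` cannot extract anything as written: `new StringTokenizer( authZ.getReqFilter(), "=" )` consumes the `=` delimiters, so `val.indexOf( '=' )` returns -1 for every token, no `indx >= 1` branch is ever entered, and the method returns an empty `Permission`. It also does not appear to be called from any hunk in this commit (the audit printing above still uses `AttrHelper.getAuthZPerm`), so if it is a parked experiment it should be removed rather than committed, and if it is meant to replace the AttrHelper version the tokenizer should split on `(`/`)` and each token on `=` instead. Separately, the `default` branch reuses `indx` from the previous case when `i < roles` while `indx2` stays 0, so once the `=` lookup is fixed, token 5 would reach `substring( indx + 1, 0 )` and throw; reset `indx = -1` at the top of the loop. The position constants also deserve a one-line comment saying they index the `=`-split filter shown in the block comment.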

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/src/test/java/org/apache/directory/fortress/core/ReviewMgrConsole.java
----------------------------------------------------------------------
diff --git a/src/test/java/org/apache/directory/fortress/core/ReviewMgrConsole.java b/src/test/java/org/apache/directory/fortress/core/ReviewMgrConsole.java
index 777df92..e9533ba 100755
--- a/src/test/java/org/apache/directory/fortress/core/ReviewMgrConsole.java
+++ b/src/test/java/org/apache/directory/fortress/core/ReviewMgrConsole.java
@@ -163,6 +163,7 @@ class ReviewMgrConsole
                 System.out.println("    orgUnitId   [" + ue.getOu() + "]");
                 System.out.println("    pwpolicy    [" + ue.getPwPolicy() + "]");
                 printTemporal(ue, "USER");
+                printPosixAccount(ue, "POSIX" );
                 printAddress(ue.getAddress(), "ADDRESS");
                 printPhone(ue.getPhones(), "PHONES");
                 printPhone(ue.getMobiles(), "MOBILES");
@@ -223,6 +224,7 @@ class ReviewMgrConsole
                 System.out.println("    pwpolicy    [" + ue.getPwPolicy() + "]");
                 System.out.println("    seqId       [" + ue.getSequenceId() + "]");
                 printTemporal(ue, "USER");
+                printPosixAccount(ue, "POSIX" );
                 printAddress(ue.getAddress(), "ADDRESS");
                 printPhone(ue.getPhones(), "PHONES");
                 printPhone(ue.getMobiles(), "MOBILES");
@@ -289,6 +291,7 @@ class ReviewMgrConsole
                 System.out.println("    orgUnitId   [" + ue.getOu() + "]");
                 System.out.println("    pwpolicy    [" + ue.getPwPolicy() + "]");
                 printTemporal(ue, "USER");
+                printPosixAccount(ue, "POSIX" );
                 printAddress(ue.getAddress(), "ADDRESS");
                 printPhone(ue.getPhones(), "PHONES");
                 printPhone(ue.getMobiles(), "MOBILES");
@@ -452,6 +455,19 @@ class ReviewMgrConsole
         }
     }
 
+    static void printPosixAccount(User user, String label)
+    {
+        if (user != null)
+        {
+            System.out.println("    " + label + ":");
+            System.out.println("        uid number  [" + user.getUidNumber() + "]");
+            System.out.println("        gid number  [" + user.getGidNumber() + "]");
+            System.out.println("        home dir    [" + user.getHomeDirectory() + "]");
+            System.out.println("        login shell [" + user.getLoginShell() + "]");
+            System.out.println("        gecos       [" + user.getGecos() + "]");
+        }
+    }
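Review bot: `printPosixAccount` is package-private while its sibling `printAddress` directly below is `private static`; unless another class needs it, declare it `private static void printPosixAccount( User user, String label )` to match. A one-line Javadoc in the style of the neighbours would help too, e.g. `/** Prints the posixAccount attributes of the given user under the supplied label; does nothing for a null user. */`.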
+
     private static void printAddress(Address address, String label)
     {
         if (address != null)
@@ -519,6 +535,7 @@ class ReviewMgrConsole
                 System.out.println("    surname     [" + ue.getSn() + "]");
                 System.out.println("    orgUnitId   [" + ue.getOu() + "]");
                 System.out.println("    pwpolicy    [" + ue.getPwPolicy() + "]");
+                printPosixAccount(ue, "POSIX" );
                 printTemporal(ue, "USER");
                 if (ue.getRoles() != null)
                 {
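Review bot: In this hunk `printPosixAccount` is inserted before `printTemporal`, whereas every other call site in this commit places it after `printTemporal`; swap the two lines so the console keeps the same section order across commands. The difference is cosmetic, but console output of this kind is presumably compared by eye.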
@@ -921,6 +938,7 @@ class ReviewMgrConsole
                 System.out.println("    surname     [" + ue.getSn() + "]");
                 System.out.println("    orgUnitId   [" + ue.getOu() + "]");
                 printTemporal(ue, "USER");
+                printPosixAccount(ue, "POSIX" );
                 System.out.println();
             }
             System.out.println("ENTER to continue");

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/src/test/java/org/apache/directory/fortress/core/rbac/AccessMgrImplTest.java
----------------------------------------------------------------------
diff --git a/src/test/java/org/apache/directory/fortress/core/rbac/AccessMgrImplTest.java b/src/test/java/org/apache/directory/fortress/core/rbac/AccessMgrImplTest.java
index eaaca95..dad0a89 100755
--- a/src/test/java/org/apache/directory/fortress/core/rbac/AccessMgrImplTest.java
+++ b/src/test/java/org/apache/directory/fortress/core/rbac/AccessMgrImplTest.java
@@ -29,6 +29,7 @@ import junit.framework.Test;
 import junit.framework.TestCase;
 import junit.framework.TestSuite;
 
+import org.apache.directory.fortress.core.util.attr.VUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -55,7 +56,16 @@ public class AccessMgrImplTest extends TestCase
     {
         TestSuite suite = new TestSuite();
         //suite.addTest(new AccessMgrImplTest("testDropActiveRole"));
-        suite.addTest( new AccessMgrImplTest( "testCreateSessionWithRolesTrusted" ) );
+/*
+        suite.addTest( new AdminMgrImplTest( "testResetPassword" ) );
+        suite.addTest( new AccessMgrImplTest( "testAuthenticateReset" ) );
+        suite.addTest( new AdminMgrImplTest( "testChangePassword" ) );
+        suite.addTest( new AccessMgrImplTest( "testAuthenticate" ) );
+        suite.addTest( new AdminMgrImplTest( "testLockUserAccount" ) );
+        suite.addTest( new AccessMgrImplTest( "testAuthenticateLocked" ) );
+        suite.addTest( new AdminMgrImplTest( "testUnlockUserAccount" ) );
+*/
+        suite.addTest( new AccessMgrImplTest( "testCheckAccess" ) );
         return suite;
     }
 
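Review bot: `suite()` now runs only `testCheckAccess`, with seven other tests parked in a block comment; if this is a local debugging state it should be reverted before merging, and if those tests are intentionally disabled the reason belongs in a comment beside the block, e.g. `// disabled while FC-29 is being worked on`, rather than in commented-out code. The parked block mixes `AdminMgrImplTest` and `AccessMgrImplTest` cases whose reset/lock steps depend on order, so that ordering should be kept when they are re-enabled.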
@@ -300,7 +310,7 @@ public class AccessMgrImplTest extends TestCase
                 try
                 {
                     accessMgr.authenticate( user.getUserId(), user.getPassword() );
-                    accessMgr.authenticate( user.getUserId(), user.getPassword() );
+                    //accessMgr.authenticate( user.getUserId(), user.getPassword() );
                     fail( CLS_NM + ".authenticateResetUsers failed test" );
                 }
                 catch ( SecurityException se )
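Review bot: Commenting out the second `authenticate` call apparently changes what this test asserts: with two calls the first bind with the reset password was expected to succeed and only the repeated one to throw, whereas now the first call itself must throw for `fail(...)` not to trigger. If that reflects a deliberate policy change, state it in a comment above the call, e.g. `// a reset password must be rejected on first use`, instead of leaving the old call commented out; if not, restore the line. The enclosing method starts and ends outside the hunk.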
@@ -709,20 +719,12 @@ public class AccessMgrImplTest extends TestCase
         checkAccess( "CHCK-ACS TU1_UPD TO1 TOP1 ", UserTestData.USERS_TU1_UPD, PermTestData.OBJS_TOB1,
             PermTestData.OPS_TOP1, PermTestData.OBJS_TOB3, PermTestData.OPS_TOP3 );
         checkAccess( "CHCK-ACS TU3 TO3 TOP1 ", UserTestData.USERS_TU3, PermTestData.OBJS_TOB3, PermTestData.OPS_TOP3,
-            PermTestData.OBJS_TOB2, PermTestData.OPS_TOP1 );
+            PermTestData.OBJS_TOB2, PermTestData.OPS_TOP2 );
         checkAccess( "CHCK-ACS TU4 TO4 TOP1 ", UserTestData.USERS_TU4, PermTestData.OBJS_TOB2, PermTestData.OPS_TOP2,
-            PermTestData.OBJS_TOB2, PermTestData.OPS_TOP1 );
+            PermTestData.OBJS_TOB3, PermTestData.OPS_TOP3 );
     }
 
 
-    /**
-     * @param msg
-     * @param uArray
-     * @param oArray
-     * @param opArray
-     * @param oArrayBad
-     * @param opArrayBad
-     */
     public static void checkAccess( String msg, String[][] uArray, String[][] oArray, String[][] opArray,
         String[][] oArrayBad, String[][] opArrayBad )
     {
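Review bot: The removed Javadoc was only empty `@param` tags, but dropping it leaves the public `checkAccess` helper undocumented; replace it with one that says what the arrays mean, e.g. a summary such as `Asserts that every user in uArray is granted each (oArray, opArray) permission and denied each (oArrayBad, opArrayBad) one.` followed by `@param` lines describing the test-data rows. The method body continues outside the hunk.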
@@ -741,32 +743,48 @@ public class AccessMgrImplTest extends TestCase
                     int j = 0;
                     for ( String[] op : opArray )
                     {
-                        // Call checkAccess method
-                        assertTrue( CLS_NM + ".checkAccess failed userId [" + user.getUserId() + "] Perm objName ["
-                            + PermTestData.getName( obj ) + "] operationName [" + PermTestData.getName( op ) + "]",
-                            accessMgr.checkAccess(
-                                session,
-                                new Permission( PermTestData.getName( obj ), PermTestData.getName( op ), PermTestData
-                                    .getObjId( opArray[j] ) ) ) );
-
-                        // Call checkAccess method (this should fail):
-                        try
+                        Permission goodPerm;
+                        if( VUtil.isNotNullOrEmpty( PermTestData.getObjId( opArray[j] ) ) )
                         {
-                            boolean result = accessMgr.checkAccess( session, new Permission( PermTestData.getName( oArrayBad[i] ),
-                                PermTestData.getName( opArrayBad[j] ), PermTestData.getObjId( opArrayBad[j] ) ) );
-                            assertTrue(
-                                CLS_NM + ".checkAccess failed userId [" + user.getUserId() + "] Perm objName ["
-                                    + PermTestData.getName( oArrayBad[i] ) + "] operationName ["
-                                    + PermTestData.getName( opArrayBad[j] ) + "]",
-                                !result );
+                            // with an objectId:
+                            goodPerm = new Permission(
+                                PermTestData.getName( obj ),
+                                PermTestData.getName( op ),
+                                PermTestData.getObjId( opArray[j] ) );
+                        }
+                        else
+                        {
+                            // without an objectId:
+                            goodPerm = new Permission(
+                                PermTestData.getName( obj ),
+                                PermTestData.getName( op ) );
+                        }
+
+                        // Positive test case, call checkAccess method, should return 'true':
+                        assertTrue( CLS_NM + ".checkAccess failed userId [" + user.getUserId() + "] Perm objName [" +
+                                PermTestData.getName( obj ) + "] operationName [" + PermTestData.getName( op ) + "]",
+                            accessMgr.checkAccess( session, goodPerm ) );
+                        Permission badPerm;
+                        if( VUtil.isNotNullOrEmpty( PermTestData.getObjId( opArrayBad[j] ) ) )
+                        {
+                            // with an objectId:
+                            badPerm = new Permission(
+                                PermTestData.getName( oArrayBad[i] ),
+                                PermTestData.getName( opArrayBad[j] ),
+                                PermTestData.getObjId( opArrayBad[j] ) );
                         }
-                        catch (SecurityException se)
+                        else
                         {
-                            // The expected condition is security exception perm not exist:
-                            assertTrue( CLS_NM + ".checkAccess failed userId [" + user.getUserId() + "] Perm objName ["
-                                + PermTestData.getName( oArrayBad[i] ) + "] operationName ["
-                                + PermTestData.getName( opArrayBad[j] ) + "], negative use case, incorrect exception id=" + se.getErrorId(), se.getErrorId() == GlobalErrIds.PERM_NOT_EXIST );
+                            // without an objectId:
+                            badPerm = new Permission(
+                                PermTestData.getName( oArrayBad[i] ),
+                                PermTestData.getName( opArrayBad[j] ) );
                         }
+                        //LOG.warn("Assert False userId [" + user.getUserId() + "], perm: " + badPerm);
+                        // Negative test case, call checkAccess method again, should return 'false':
+                        assertFalse( CLS_NM + ".checkAccess failed userId [" + user.getUserId() + "] Perm objName [" +
+                            PermTestData.getName( oArrayBad[i] ) + "] operationName [" + PermTestData.getName(
+                            opArrayBad[j] ) + "]", accessMgr.checkAccess( session, badPerm ) );
                         j++;
                     }
                     i++;
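Review bot: The `goodPerm` and `badPerm` blocks are the same six lines twice — build the `Permission` with or without an objId depending on `VUtil.isNotNullOrEmpty( PermTestData.getObjId( … ) )` — and belong in a small helper; since `j` advances once per iteration, `op` and `opArray[j]` denote the same row, so the helper needs only the object and operation rows. The negative case has also changed meaning: it used to accept a `SecurityException` with `PERM_NOT_EXIST`, whereas now a thrown exception propagates to the outer catch and fails the test, so `oArrayBad`/`opArrayBad` must name permissions that exist; a comment stating that precondition would keep the next test-data change from breaking it. The leftover `//LOG.warn(...)` line should be deleted. The enclosing loops start outside the hunk.
```java
// … unchanged: loop over users, objects and operations …
Permission goodPerm = newPermission( obj, op );
// … unchanged: positive assertTrue …
Permission badPerm = newPermission( oArrayBad[i], opArrayBad[j] );
// … unchanged: negative assertFalse, j++ …

// new helper, placed after checkAccess:
/**
 * Builds a Permission from test-data rows; the objId is included only when the operation row defines one.
 */
private static Permission newPermission( String[] obj, String[] op )
{
    String objId = PermTestData.getObjId( op );
    if ( VUtil.isNotNullOrEmpty( objId ) )
    {
        return new Permission( PermTestData.getName( obj ), PermTestData.getName( op ), objId );
    }
    return new Permission( PermTestData.getName( obj ), PermTestData.getName( op ) );
}
```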
@@ -776,9 +794,8 @@ public class AccessMgrImplTest extends TestCase
         }
         catch ( SecurityException ex )
         {
-            LOG.error(
-                "checkAccess: failed with SecurityException rc=" + ex.getErrorId() + ", msg="
-                    + ex.getMessage(), ex );
+            LOG.error( "checkAccess: failed with SecurityException rc=" + ex.getErrorId() + ", " +
+                "msg=" + ex.getMessage(), ex );
             fail( ex.getMessage() );
         }
     }

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/src/test/java/org/apache/directory/fortress/core/rbac/AuditMgrImplTest.java
----------------------------------------------------------------------
diff --git a/src/test/java/org/apache/directory/fortress/core/rbac/AuditMgrImplTest.java b/src/test/java/org/apache/directory/fortress/core/rbac/AuditMgrImplTest.java
index 7a884d7..55ab13e 100755
--- a/src/test/java/org/apache/directory/fortress/core/rbac/AuditMgrImplTest.java
+++ b/src/test/java/org/apache/directory/fortress/core/rbac/AuditMgrImplTest.java
@@ -239,16 +239,14 @@ public class AuditMgrImplTest extends TestCase
 
     public void testSearchAuthZs()
     {
-        searchAuthZs( "GET-AUTHZ TU1_UPD", UserTestData.USERS_TU1_UPD, PermTestData.OBJS_TOB1, PermTestData.OPS_TOP1,
-            false );
+        searchAuthZs( "GET-AUTHZ TU1_UPD", UserTestData.USERS_TU1_UPD, PermTestData.OBJS_TOB1, PermTestData.OPS_TOP1, false );
         searchAuthZs( "GET-AUTHZ TU3", UserTestData.USERS_TU3, PermTestData.OBJS_TOB3, PermTestData.OPS_TOP3, false );
         searchAuthZs( "GET-AUTHZ TU4", UserTestData.USERS_TU4, PermTestData.OBJS_TOB2, PermTestData.OPS_TOP2, false );
 
         // search for failed only:
-        searchAuthZs( "GET-AUTHZ TU1_UPD", UserTestData.USERS_TU1_UPD, PermTestData.OBJS_TOB3, PermTestData.OPS_TOP3,
-            true );
-        searchAuthZs( "GET-AUTHZ TU3", UserTestData.USERS_TU3, PermTestData.OBJS_TOB2, PermTestData.OPS_TOP1, true );
-        searchAuthZs( "GET-AUTHZ TU4", UserTestData.USERS_TU4, PermTestData.OBJS_TOB2, PermTestData.OPS_TOP1, true );
+        searchAuthZs( "GET-AUTHZ TU1_UPD", UserTestData.USERS_TU1_UPD, PermTestData.OBJS_TOB3, PermTestData.OPS_TOP3, true );
+        searchAuthZs( "GET-AUTHZ TU3", UserTestData.USERS_TU3, PermTestData.OBJS_TOB2, PermTestData.OPS_TOP2, true );
+        searchAuthZs( "GET-AUTHZ TU4", UserTestData.USERS_TU4, PermTestData.OBJS_TOB3, PermTestData.OPS_TOP3, true );
     }
 
 
@@ -282,8 +280,8 @@ public class AuditMgrImplTest extends TestCase
                         List<AuthZ> authZs = auditMgr.searchAuthZs( uAudit );
                         assertNotNull( authZs );
                         assertTrue(
-                            CLS_NM + "searchAuthZs failed search for successful authorization user ["
-                                + user.getUserId() + "]", authZs.size() > 0 );
+                            CLS_NM + "searchAuthZs failedOnly=" + failedOnly + ", search authorizations user ["
+                                + user.getUserId() + "], objName [" + uAudit.getObjName() + "], opName [" + uAudit.getOpName() + "], objId [" + uAudit.getObjId() + "]", authZs.size() > 0 );
                     }
                 }
             }
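Review bot: For `failedOnly == true` the assertion still checks only `authZs.size() > 0`, so the FC-29 fix (failed-only searches returning results) is exercised but nothing verifies that the returned entries are actually failures; a successful authorization leaking into a failed-only result would pass. Add a loop over `authZs` that, when `failedOnly` is set, asserts each entry's failure indicator — the console hunk in this commit compares `getReqEntries()` with `GlobalIds.AUTHZ_COMPARE_FAILURE_FLAG`, so the same comparison would fit here. The enclosing method starts outside the hunk.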

