Return-Path: Delivered-To: apmail-geronimo-scm-archive@www.apache.org Received: (qmail 24389 invoked from network); 27 Sep 2010 05:38:48 -0000 Received: from unknown (HELO mail.apache.org) (140.211.11.3) by 140.211.11.9 with SMTP; 27 Sep 2010 05:38:48 -0000 Received: (qmail 40143 invoked by uid 500); 27 Sep 2010 05:38:47 -0000 Delivered-To: apmail-geronimo-scm-archive@geronimo.apache.org Received: (qmail 40013 invoked by uid 500); 27 Sep 2010 05:38:44 -0000 Mailing-List: contact scm-help@geronimo.apache.org; run by ezmlm Precedence: bulk list-help: list-unsubscribe: List-Post: Reply-To: dev@geronimo.apache.org List-Id: Delivered-To: mailing list scm@geronimo.apache.org Received: (qmail 40006 invoked by uid 99); 27 Sep 2010 05:38:44 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 27 Sep 2010 05:38:44 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 27 Sep 2010 05:38:42 +0000 Received: by eris.apache.org (Postfix, from userid 65534) id A9DDA2388999; Mon, 27 Sep 2010 05:38:22 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1001592 - in /geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src: main/java/org/apache/geronimo/web25/deployment/security/ test/java/org/apache/geronimo/web25/deployment/security/ test/resources/security/ Date: Mon, 27 Sep 2010 05:38:22 -0000 To: scm@geronimo.apache.org 
From: xuhaihong@apache.org
X-Mailer: svnmailer-1.0.8
Message-Id: <20100927053822.A9DDA2388999@eris.apache.org>
Author: xuhaihong
Date: Mon Sep 27 05:38:22 2010
New Revision: 1001592
URL: http://svn.apache.org/viewvc?rev=1001592&view=rev
Log:
GERONIMO-5578 WebResourcePermission must be added to the corresponding role for each distinct combination in the cross-product of url-pattern and role-name (Patch from Han Hong Fang)
Added:
 geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web6.xml (with props)
Modified:
 geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/SpecSecurityBuilder.java
 geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/URLPattern.java
 geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/SpecSecurityParsingTest.java
Modified: geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/SpecSecurityBuilder.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/SpecSecurityBuilder.java?rev=1001592&r1=1001591&r2=1001592&view=diff
==============================================================================
--- geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/SpecSecurityBuilder.java (original)
+++ geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/SpecSecurityBuilder.java Mon Sep 27 05:38:22 2010
@@ -53,7 +53,7 @@ public class SpecSecurityBuilder {
 private final Map uncheckedResourcePatterns = new HashMap();
 private final Map uncheckedUserPatterns = new HashMap();
 private final Map excludedPatterns = new HashMap();
- private final Map rolesPatterns = new HashMap();
+ private final Map> rolesPatterns = new HashMap>();
 private final Set allSet = new HashSet(); // == allMap.values()
 private final Map allMap = new HashMap(); //uncheckedPatterns union excludedPatterns union rolesPatterns.
 // private boolean useExcluded = false;
@@ -83,12 +83,19 @@ public class SpecSecurityBuilder {
 public void analyzeSecurityConstraints(SecurityConstraintType[] securityConstraintArray) {
 for (SecurityConstraintType securityConstraintType : securityConstraintArray) {
- Map currentPatterns;
+ Map currentPatterns = null;
+ Set roleNames = null;
 if (securityConstraintType.isSetAuthConstraint()) {
 if (securityConstraintType.getAuthConstraint().getRoleNameArray().length == 0) {
 currentPatterns = excludedPatterns;
 } else {
- currentPatterns = rolesPatterns;
+ roleNames = new HashSet();
+ for (RoleNameType roleName : securityConstraintType.getAuthConstraint().getRoleNameArray()) {
+ roleNames.add(roleName.getStringValue().trim());
+ }
+ if (roleNames.remove("*")) {
+ roleNames.addAll(securityRoles);
+ }
 }
 } else {
 currentPatterns = uncheckedPatterns;
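Review bot: After `roleNames.remove("*")` followed by `roleNames.addAll(securityRoles)`, an auth-constraint that names only `*` in a module that declares no `<security-role>` leaves `roleNames` empty, and this hunk neither reports nor documents that case. Because `currentPatterns` also stays null for such a constraint, the per-role loop this commit adds further down (`for (String roleName : roleNames)`) runs zero times, so the url-patterns are recorded only in `allMap` and presumably end up granted to no role — a silent fail-closed outcome that is hard to diagnose from the deployed policy. Either reject it at analysis time, e.g. `if (roleNames.isEmpty()) throw new IllegalArgumentException("auth-constraint names '*' but the web module declares no security-role");`, or state the intent in a comment such as `// empty after '*' expansion: no declared roles, so nobody can reach these patterns`. The enclosing `analyzeSecurityConstraints` continues past the end of this hunk.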
@@ -104,48 +111,46 @@ public class SpecSecurityBuilder {
 UrlPatternType[] urlPatternTypeArray = webResourceCollectionType.getUrlPatternArray();
 for (UrlPatternType urlPatternType : urlPatternTypeArray) {
 String url = urlPatternType.getStringValue().trim();
- URLPattern pattern = currentPatterns.get(url);
- if (pattern == null) {
- pattern = new URLPattern(url);
- currentPatterns.put(url, pattern);
+ if(currentPatterns == null) {
+ for (String roleName : roleNames) {
+ currentPatterns = rolesPatterns.get(roleName);
+ if (currentPatterns == null) {
+ currentPatterns = new HashMap();
+ rolesPatterns.put(roleName, currentPatterns);
+ }
+ analyzeURLPattern(url, webResourceCollectionType.getHttpMethodArray(), transport, currentPatterns);
+ }
+ } else {
+ analyzeURLPattern(url, webResourceCollectionType.getHttpMethodArray(), transport, currentPatterns);
 }
-
 URLPattern allPattern = allMap.get(url);
 if (allPattern == null) {
 allPattern = new URLPattern(url);
 allSet.add(allPattern);
 allMap.put(url, allPattern);
 }
+ analyzeURLPattern(url, webResourceCollectionType.getHttpMethodArray(), transport, allMap);
+ }
+ }
+ }
+ }
- String[] httpMethodTypeArray = webResourceCollectionType.getHttpMethodArray();
- if (httpMethodTypeArray.length == 0) {
- pattern.addMethod("");
- allPattern.addMethod("");
- } else {
- for (String aHttpMethodTypeArray : httpMethodTypeArray) {
- String method = (aHttpMethodTypeArray == null ?
null : aHttpMethodTypeArray.trim());
- if (method != null) {
- pattern.addMethod(method);
- allPattern.addMethod(method);
- }
- }
- }
- if (currentPatterns == rolesPatterns) {
- RoleNameType[] roleNameTypeArray = securityConstraintType.getAuthConstraint().getRoleNameArray();
- for (RoleNameType roleNameType : roleNameTypeArray) {
- String role = roleNameType.getStringValue().trim();
- if (role.equals("*")) {
- pattern.addAllRoles(securityRoles);
- } else {
- pattern.addRole(role);
- }
- }
- }
-
- pattern.setTransport(transport);
+ private void analyzeURLPattern(String urlPattern, String[] httpMethods, String transport, Map currentPatterns) {
+ URLPattern pattern = currentPatterns.get(urlPattern);
+ if (pattern == null) {
+ pattern = new URLPattern(urlPattern);
+ currentPatterns.put(urlPattern, pattern);
+ }
+ if (httpMethods.length == 0) {
+ pattern.addMethod("");
+ } else {
+ for (String httpMethod : httpMethods) {
+ if (httpMethod != null) {
+ pattern.addMethod(httpMethod.trim());
 }
 }
 }
+ pattern.setTransport(transport);
 }
 public void removeExcludedDups() {
@@ -153,7 +158,9 @@ public class SpecSecurityBuilder {
 String url = excluded.getKey();
 URLPattern pattern = excluded.getValue();
 removeExcluded(url, pattern, uncheckedPatterns);
- removeExcluded(url, pattern, rolesPatterns);
+ for (Map rolePatterns : rolesPatterns.values()) {
+ removeExcluded(url, pattern, rolePatterns);
+ }
 }
 }
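Review bot: In the new `for (String roleName : roleNames)` loop, `currentPatterns` — the per-constraint variable whose null-ness selects the role branch — is overwritten with each role's map, so once the first url-pattern of a role-constrained constraint has been processed it is non-null, and every later url-pattern (or web-resource-collection) of the same constraint takes the `else` branch and is added only to whichever role's map was assigned last. For a constraint naming two roles and two url-patterns the second pattern is thus granted to one role chosen by HashSet iteration order and silently denied to the others; the new web6.xml fixture does not catch this because each of its constraints names a single role. Use a separate local for the per-role map and select the branch on `roleNames` rather than on `currentPatterns`, as below. The enclosing loops over security constraints and web-resource-collections start before this hunk.
```java
                String url = urlPatternType.getStringValue().trim();
                if (roleNames != null) {
                    for (String roleName : roleNames) {
                        Map<String, URLPattern> rolePatterns = rolesPatterns.get(roleName);
                        if (rolePatterns == null) {
                            rolePatterns = new HashMap<String, URLPattern>();
                            rolesPatterns.put(roleName, rolePatterns);
                        }
                        analyzeURLPattern(url, webResourceCollectionType.getHttpMethodArray(), transport, rolePatterns);
                    }
                } else {
                    analyzeURLPattern(url, webResourceCollectionType.getHttpMethodArray(), transport, currentPatterns);
                }
                // … unchanged: allMap / allSet bookkeeping …
```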
@@ -177,21 +184,17 @@ public class SpecSecurityBuilder {
 policyConfiguration.addToExcludedPolicy(new WebUserDataPermission(name, actions));
 }
 }
-
- for (URLPattern pattern : rolesPatterns.values()) {
- String name = pattern.getQualifiedPattern(allSet);
- String actions = pattern.getMethods();
- WebResourcePermission permission = new WebResourcePermission(name, actions);
-
- for (String roleName : pattern.getRoles()) {
- policyConfiguration.addToRole(roleName, permission);
+ for (Map.Entry> entry : rolesPatterns.entrySet()) {
+ for (URLPattern pattern : entry.getValue().values()) {
+ String name = pattern.getQualifiedPattern(allSet);
+ String actions = pattern.getMethods();
+ WebResourcePermission permission = new WebResourcePermission(name, actions);
+ policyConfiguration.addToRole(entry.getKey(), permission);
+ HTTPMethods methods = pattern.getHTTPMethods();
+ int transportType = pattern.getTransport();
+ addOrUpdatePattern(uncheckedUserPatterns, name, methods, transportType);
 }
- HTTPMethods methods = pattern.getHTTPMethods();
- int transportType = pattern.getTransport();
-
- addOrUpdatePattern(uncheckedUserPatterns, name, methods, transportType);
 }
-
 for (URLPattern pattern : uncheckedPatterns.values()) {
 String name = pattern.getQualifiedPattern(allSet);
 HTTPMethods methods = pattern.getHTTPMethods();
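Review bot: `addOrUpdatePattern(uncheckedUserPatterns, name, methods, transportType)` now runs once per (role, pattern) instead of once per pattern, so the same qualified pattern and method set can be fed in several times with different `transportType` values when the constraints for different roles carry different `<transport-guarantee>`s. Whether the stored value is the first one seen, the last, or a merge is decided by `addOrUpdatePattern`, which is outside this hunk; since `rolesPatterns` is a HashMap, "first" or "last" would make the effective CONFIDENTIAL/INTEGRAL requirement depend on role iteration order. Please confirm the helper combines transport types deterministically (the servlet spec's rule for overlapping user-data-constraints is the union of accepted connection types, i.e. the weakest guarantee wins) and record that on the call: `// user-data constraints are role-independent: addOrUpdatePattern must merge transportType, not overwrite it`. `getQualifiedPattern(allSet)` is also recomputed per role for the same pattern, which is harmless but could be hoisted.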
@@ -246,8 +249,7 @@ public class SpecSecurityBuilder {
 policyConfiguration.addToUncheckedPolicy(new WebUserDataPermission(item.getName(), actions));
 }
-
-// System.out.println(policyConfiguration.getAudit());
+ //System.out.println(policyConfiguration.getAudit());
 return policyConfiguration.getComponentPermissions();
 }
Modified: geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/URLPattern.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/URLPattern.java?rev=1001592&r1=1001591&r2=1001592&view=diff
==============================================================================
--- geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/URLPattern.java (original)
+++ geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/URLPattern.java Mon Sep 27 05:38:22 2010
@@ -38,7 +38,6 @@ public class URLPattern {
 private final String pattern;
 private final HTTPMethods httpMethods = new HTTPMethods();
 private int transport;
- private final HashSet roles = new HashSet();
 /**
 * Construct an instance of the utility class for WebModuleConfiguration.
@@ -176,19 +175,6 @@ public class URLPattern {
 return transport;
 }
- public void addRole(String role) {
- roles.add(role);
- }
-
- public void addAllRoles(Collection collection) {
- roles.addAll(collection);
- }
-
- public HashSet getRoles() {
- return roles;
- }
-
-
 /**
 * TODO this is kinda weird without an explanation
 * @param obj object to compare with
Modified: geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/SpecSecurityParsingTest.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/SpecSecurityParsingTest.java?rev=1001592&r1=1001591&r2=1001592&view=diff
==============================================================================
--- geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/SpecSecurityParsingTest.java (original)
+++ geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/SpecSecurityParsingTest.java Mon Sep 27 05:38:22 2010
@@ -21,30 +21,17 @@ package org.apache.geronimo.web25.deployment.security;
 import java.net.URL;
-import java.util.Collection;
-import java.util.Set;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.HashMap;
-import java.util.Collections;
-import java.util.jar.JarFile;
-import java.security.PermissionCollection;
 import java.security.Permission;
+import java.security.PermissionCollection;
 import javax.security.jacc.WebResourcePermission;
 import javax.security.jacc.WebUserDataPermission;
 import junit.framework.TestCase;
-import org.apache.geronimo.common.DeploymentException;
-import org.apache.geronimo.deployment.ModuleIDBuilder;
-import org.apache.geronimo.gbean.AbstractName;
-import org.apache.geronimo.j2ee.deployment.EARContext;
-import org.apache.geronimo.j2ee.deployment.Module;
-import org.apache.geronimo.kernel.Naming;
-import org.apache.geronimo.xbeans.javaee.WebAppType;
-import org.apache.geronimo.xbeans.javaee.WebAppDocument;
+
 import org.apache.geronimo.security.jacc.ComponentPermissions;
-import org.apache.geronimo.web25.deployment.AbstractWebModuleBuilder;
+import org.apache.geronimo.xbeans.javaee.WebAppDocument;
+import org.apache.geronimo.xbeans.javaee.WebAppType;
 import org.apache.xmlbeans.XmlOptions;
 /**
@@ -86,7 +73,7 @@ public class SpecSecurityParsingTest ext
 assertFalse(implies(new WebResourcePermission("/Test", ""), permissions, null));
 assertFalse(implies(new WebResourcePermission("/Test", "!"), permissions, null));
 }
-
+
 public void testExcludedConstraint() throws Exception {
 URL srcXml = classLoader.getResource("security/web3.xml");
 WebAppDocument webAppDoc = WebAppDocument.Factory.parse(srcXml, options);
@@ -164,6 +151,20 @@ public class SpecSecurityParsingTest ext
 assertTrue(implies(p, permissions, null));
 }
+ public void testDifferentRoleDifferentHttpMethod() throws Exception {
+ URL srcXml = classLoader.getResource("security/web6.xml");
+ WebAppDocument webAppDoc = WebAppDocument.Factory.parse(srcXml, options);
+ WebAppType webAppType = webAppDoc.getWebApp();
+ SpecSecurityBuilder builder = new SpecSecurityBuilder();
+ ComponentPermissions permissions = builder.buildSpecSecurityConfig(webAppType);
+ Permission p = new WebResourcePermission("/app/*", "GET");
+ assertTrue(implies(p, permissions, "userGet"));
+ assertFalse(implies(p, permissions, "userPost"));
+ p = new WebResourcePermission("/app/home", "POST");
+ assertTrue(implies(p, permissions, "userPost"));
+ assertFalse(implies(p, permissions, "userGet"));
+ }
+
 private boolean implies(Permission p, ComponentPermissions permissions, String role) {
 PermissionCollection excluded = permissions.getExcludedPermissions();
 if (excluded.implies(p)) return false;
@@ -173,5 +174,4 @@ public class SpecSecurityParsingTest ext
 PermissionCollection rolePermissions = permissions.getRolePermissions().get(role);
 return rolePermissions != null && rolePermissions.implies(p);
 }
-
 }
Added: geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web6.xml
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web6.xml?rev=1001592&view=auto
==============================================================================
--- geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web6.xml (added)
+++ geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web6.xml Mon Sep 27 05:38:22 2010
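Review bot: `testDifferentRoleDifferentHttpMethod` uses one role per constraint, so it cannot tell "permission added for every role in the constraint" apart from "permission added for only one of them", even though the commit message is about the full url-pattern × role-name cross-product. Add a fixture in which a single `<security-constraint>` names two roles and two url-patterns and assert that both roles imply both patterns, e.g. `assertTrue(implies(new WebResourcePermission("/b/*", "GET"), permissions, "admin")); assertTrue(implies(new WebResourcePermission("/b/*", "GET"), permissions, "user"));`. It is also worth covering the second pattern of the existing fixture, `assertTrue(implies(new WebResourcePermission("/app/home", "GET"), permissions, "userGet"));`, and the negative case for an undeclared role, `assertFalse(implies(p, permissions, "nobody"));`, which `implies` already handles through its null check on `getRolePermissions().get(role)`.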
@@ -0,0 +1,42 @@ + + + + + + resource1 + /app/* + /app/home + GET + + + userGet + + + + + resource2 + /app/* + /app/home + POST + + + userPost + + + \ No newline at end of file Propchange: geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web6.xml ------------------------------------------------------------------------------ svn:eol-style = native Propchange: geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web6.xml ------------------------------------------------------------------------------ svn:keywords = Date Revision Propchange: geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web6.xml ------------------------------------------------------------------------------ svn:mime-type = text/xml