incubator-rave-commits mailing list archives

From carlu...@apache.org
Subject svn commit: r1182987 - in /incubator/rave/trunk: rave-components/rave-core/ rave-components/rave-core/src/main/java/org/apache/rave/portal/security/ rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/ rave-components/rave-core...
Date Thu, 13 Oct 2011 17:06:53 GMT
Author: carlucci
Date: Thu Oct 13 17:06:52 2011
New Revision: 1182987

URL: http://svn.apache.org/viewvc?rev=1182987&view=rev
Log:
Initial model permission security framework code to support RAVE-100

Added:
    incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/
    incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/ModelPermissionEvaluator.java
    incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/
    incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/AbstractModelPermissionEvaluator.java
    incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/DefaultPagePermissionEvaluator.java
    incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/RavePermissionEvaluator.java
    incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/util/
    incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/util/AuthenticationUtils.java
    incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/
    incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/ModelPermissionEvaluatorTest.java
    incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/
    incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/AbstractModelPermissionEvaluatorTest.java
    incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/RavePermissionEvaluatorTest.java
    incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/util/
    incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/util/AuthenticationUtilsTest.java
Modified:
    incubator/rave/trunk/rave-components/rave-core/   (props changed)
    incubator/rave/trunk/rave-components/rave-core/src/main/resources/org/apache/rave/core-applicationContext.xml
    incubator/rave/trunk/rave-portal-resources/   (props changed)
    incubator/rave/trunk/rave-portal-resources/src/main/webapp/WEB-INF/applicationContext-security.xml

Propchange: incubator/rave/trunk/rave-components/rave-core/
------------------------------------------------------------------------------
--- svn:ignore (original)
+++ svn:ignore Thu Oct 13 17:06:52 2011
@@ -1,7 +1,5 @@
-target
-
 .classpath
-
 .project
-
+target
+catalog.xml
 .settings

Added: incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/ModelPermissionEvaluator.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/ModelPermissionEvaluator.java?rev=1182987&view=auto
==============================================================================
--- incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/ModelPermissionEvaluator.java
(added)
+++ incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/ModelPermissionEvaluator.java
Thu Oct 13 17:06:52 2011
@@ -0,0 +1,57 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.rave.portal.security;
+
+import java.io.Serializable;
+import org.springframework.security.core.Authentication;
+
+/**
+ *
+ * @author carlucci
+ */
+public interface ModelPermissionEvaluator<T> {
+    
+    /**
+     * An enum representing all of the possible permissions a user can
+     * have on a Model object
+     */
+    public static enum Permission {
+        ADMINISTER,        
+        CREATE,        
+        DELETE,
+        READ,
+        UPDATE;
+
+        /**
+         * Returns the equivalent Permission enum from the supplied string
+         * 
+         * @param value string representing the enum to return
+         * @return the enum value
+         */
+        public static Permission fromString(String value) {
+            return Permission.valueOf(value.toUpperCase());
+        }
+    }
+    
+    Class<T> getType();
+    boolean hasPermission(Authentication authentication, T targetDomainObject, Permission
permission);
+    boolean hasPermission(Authentication authentication, Serializable targetId, String targetType,
Permission permission);
+    int getLoadOrder();
+}
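Review bot: `Permission.fromString` upper-cases with the JVM default locale, so under a Turkish default locale "administer" becomes "ADMİNİSTER" and `valueOf` throws instead of resolving ADMINISTER. Pinning the locale avoids that: `return Permission.valueOf(value.toUpperCase(Locale.ENGLISH));` with `import java.util.Locale;`. A null `value` ends in a NullPointerException rather than the IllegalArgumentException thrown for unknown names. The Javadoc should state which exception callers get in each case, since RavePermissionEvaluator passes the permission string straight into this method.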

Added: incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/AbstractModelPermissionEvaluator.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/AbstractModelPermissionEvaluator.java?rev=1182987&view=auto
==============================================================================
--- incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/AbstractModelPermissionEvaluator.java
(added)
+++ incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/AbstractModelPermissionEvaluator.java
Thu Oct 13 17:06:52 2011
@@ -0,0 +1,72 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.rave.portal.security.impl;
+
+import org.apache.rave.portal.security.ModelPermissionEvaluator;
+import org.apache.rave.portal.security.util.AuthenticationUtils;
+import org.springframework.security.core.Authentication;
+
+/**
+ * Abstract ModelPermissionEvaluator class that all model permission evaluators 
+ * should extend from.  It defines a couple common functions who's logic is 
+ * common across all ModelPermissionEvaluator implementations
+ * 
+ * @author carlucci
+ */
+public abstract class AbstractModelPermissionEvaluator<T> implements ModelPermissionEvaluator<T>
{
+        
+    /**
+     * The default hasPermission function implementation for 
+     * ModelPermissionEvaluator classes.  It checks to see if the Authentication
+     * supplied is an admin user to the system, which would trump all other
+     * fine-grained permission checks.
+     *      
+     * @param authentication the Authentication object to check
+     * @param targetDomainObject the targetDomainObject being checked (unused at this level)
+     * @param permission the Permission (unused at this level)
+     * @return true if the Authentication object is considered an admin, false otherwise
+     */
+    @Override
+    public boolean hasPermission(Authentication authentication, T targetDomainObject, Permission
permission) {
+        // check for admin role first as it will trump all other permission checks
+        return AuthenticationUtils.isAdmin(authentication);
+    }
+    
+    /**
+     * Returns the load order of the implemented ModelPermissionEvaluator.  This
+     * value is used by the RavePermissionEvaluator class when initializing 
+     * the map of Model->ModelPermissionEvaluator objects to be used by Rave.
+     * All of the default supplied ModelPermissionEvaluator classes will have a
+     * value of 1.  This function can be overridden by anyone who wishes to create
+     * their own ModelPermissionEvaluator implementations for specific domain
+     * objects.  The overridden function should return a value greater than 1
+     * so it is added to the map AFTER the default implementation, and thus
+     * replacing it since they use the same key.
+     * 
+     * @return the default loadOrder which is 1
+     */
+    @Override
+    public int getLoadOrder() {
+        // all default RavePermissionEvaluators will have a load order of 1
+        // implementers can override implementations by returning a load order
+        // greater than 1
+        return 1;
+    }
+}
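Review bot: The admin override exists only for the domain-object overload of `hasPermission`; the `(Authentication, Serializable, String, Permission)` overload is left to each subclass, which must remember to repeat the admin check there. A subclass that overrides the object overload without calling `super.hasPermission(...)` loses the check as well. Either give the ID-based overload the same default, `return AuthenticationUtils.isAdmin(authentication);`, or state in the class Javadoc that overriding methods are expected to start with the super call. The class Javadoc also has a typo: `who's logic` should read `whose logic`.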

Added: incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/DefaultPagePermissionEvaluator.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/DefaultPagePermissionEvaluator.java?rev=1182987&view=auto
==============================================================================
--- incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/DefaultPagePermissionEvaluator.java
(added)
+++ incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/DefaultPagePermissionEvaluator.java
Thu Oct 13 17:06:52 2011
@@ -0,0 +1,56 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.rave.portal.security.impl;
+
+import java.io.Serializable;
+import org.apache.rave.portal.model.Page;
+import org.apache.rave.portal.security.ModelPermissionEvaluator.Permission;
+import org.springframework.security.core.Authentication;
+import org.springframework.stereotype.Component;
+
+/**
+ * The default implementation of the ModelPermissionEvaluator for Page objects
+ * 
+ * NOTE: this is temporarily a stub placeholder to allow the security framework 
+ * code to be checked in and not break the autowiring code
+ * 
+ * TODO: implement this class
+ * 
+ * @author carlucci
+ */
+@Component
+public class DefaultPagePermissionEvaluator extends AbstractModelPermissionEvaluator<Page>
{
+
+    @Override
+    public Class<Page> getType() {
+        return Page.class;
+    }
+    
+    @Override
+    public boolean hasPermission(Authentication authentication, Page page, Permission permission)
{       
+        return true;
+    }    
+
+    @Override
+    public boolean hasPermission(Authentication authentication, Serializable targetId, String
targetType, Permission permission) {
+        return true;
+    }
+    
+}
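Review bot: Both `hasPermission` overrides in this stub `return true`, so once the `@Component` is scanned, every Page permission check routed through RavePermissionEvaluator is granted to any caller, whatever the permission. Whether any security expression depends on it yet cannot be seen from this hunk, but a placeholder in an authorization path is safer failing closed: `return super.hasPermission(authentication, page, permission);` for the object overload (admin only) and `return false;` for the ID overload until the real rules exist. If the permissive behaviour is intended for now, say so in the class Javadoc next to the TODO so it is not mistaken for a finished policy.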

Added: incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/RavePermissionEvaluator.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/RavePermissionEvaluator.java?rev=1182987&view=auto
==============================================================================
--- incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/RavePermissionEvaluator.java
(added)
+++ incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/RavePermissionEvaluator.java
Thu Oct 13 17:06:52 2011
@@ -0,0 +1,119 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.rave.portal.security.impl;
+
+import java.io.Serializable;
+import java.util.Collections;
+import java.util.Comparator;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import org.apache.rave.portal.security.ModelPermissionEvaluator;
+import org.apache.rave.portal.security.ModelPermissionEvaluator.Permission;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.PermissionEvaluator;
+import org.springframework.security.core.Authentication;
+import org.springframework.stereotype.Component;
+
+/**
+ * Custom PermissionEvaluator for Rave that stores a map of ModelPermissionEvaluators
+ * each of which is responsible for handling Domain Object Security for the Rave Model
+ * objects
+ * 
+ * @author carlucci
+ */
+@Component
+public class RavePermissionEvaluator implements PermissionEvaluator {
+    private Map<String, ModelPermissionEvaluator> modelPermissionEvaluatorMap;
+    
+    /**
+     * Constructor which will take in a component-scanned list of all ModelPermissionEvaluator

+     * classes found by Spring component scanner.  The constructor builds the 
+     * internal Map by using the Model type (Model Class) as the key, thus ensuring
+     * only one ModelPermissionEvaluator class exists for each Model object.  The
+     * constructor first sorts the injected list of ModelPermissionEvaluator objects
+     * by the loadOrder field to allow overrides of the default ModelPermissionEvaluators.
+     * 
+     * @param modelPermissionEvaluatorList autowired injected list of all ModelPermissionEvaluator
classes found
+     *                                     by the component scanner
+     */
+    @Autowired
+    public RavePermissionEvaluator(List<ModelPermissionEvaluator> modelPermissionEvaluatorList)
{
+        // order all of the component scanned ModelPermissionEvaluators by their loadOrder
value
+        // to allow overrides of the default ModelPermissionEvaluator implementations, since
+        // we are storing them all in a map the higher order implementations will replace
the
+        // default lower ordered ones
+        Collections.sort(modelPermissionEvaluatorList, new Comparator<ModelPermissionEvaluator>(){
+            @Override
+            public int compare(ModelPermissionEvaluator o1, ModelPermissionEvaluator o2)
{
+                return new Integer(o1.getLoadOrder()).compareTo(new Integer(o2.getLoadOrder()));
+            }
+        }); 
+        
+        // build the map using the model type/class as the key
+        modelPermissionEvaluatorMap = new HashMap<String, ModelPermissionEvaluator>();
+        for (ModelPermissionEvaluator mpe : modelPermissionEvaluatorList) {
+            modelPermissionEvaluatorMap.put(mpe.getType().getName(), mpe);
+        }
+    }
+    
+    /**
+     * Checks to see if the Authentication object has the supplied permission  
+     * on the supplied domain object
+     * 
+     * @param authentication the Authentication object
+     * @param targetDomainObject the domain object needing permission check
+     * @param permission the permission to check
+     * @return true if passes the permission check, false otherwise
+     */
+    @Override
+    public boolean hasPermission(Authentication authentication, Object targetDomainObject,
Object permission) {      
+        // find the appropriate ModelPermissionEvaluator from the map based on 
+        // the targetDomainObject's class and invoke the hasPermission function
+        return getEvaluator(targetDomainObject.getClass().getName()).hasPermission(authentication,
targetDomainObject, Permission.fromString((String)permission));
+    }
+   
+    /**
+     * Checks to see if the Authentication object has the supplied permission 
+     * on the supplied targetType (model class name) and targetId (entityId).
+     * This method can be used when a permission check is needed and the method
+     * does not currently have the domain object, only its entityId     
+     * 
+     * @param authentication the Authentication object
+     * @param targetId the entityId of the targetType class
+     * @param targetType the class name of the domain object
+     * @param permission  permission the permission to check
+     * @return true if passes the permission check, false otherwise
+     */
+    @Override
+    public boolean hasPermission(Authentication authentication, Serializable targetId, String
targetType, Object permission) {  
+        // find the appropriate ModelPermissionEvaluator from the map based on 
+        // the targetType and invoke the hasPermission function
+        return getEvaluator(targetType).hasPermission(authentication, targetId, targetType,
Permission.fromString((String)permission));
+    }    
+     
+    private ModelPermissionEvaluator getEvaluator(String targetType) throws IllegalArgumentException
{        
+        ModelPermissionEvaluator mpe = modelPermissionEvaluatorMap.get(targetType);
+        if (mpe == null) {
+            throw new IllegalArgumentException("ModelPermissionEvaluator not found for type
" + targetType);
+        }
+        return mpe;
+    }
+}
\ No newline at end of file
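Review bot: `hasPermission(Authentication, Object, Object)` dereferences `targetDomainObject.getClass()` and casts `(String)permission` unchecked, so a null target or a non-String permission surfaces as NullPointerException or ClassCastException instead of a denial. Spring's PermissionEvaluator contract asks implementations to return false for a null target. A guard such as `if (targetDomainObject == null || !(permission instanceof String)) { return false; }` at the top covers it, and the same cast appears in the ID-based overload. The lookup key is the runtime class name, so a proxied or enhanced subclass of a model class would miss the map and hit the IllegalArgumentException in `getEvaluator`; it is worth confirming how the persistence layer hands out entities. Two evaluators for the same type with equal `getLoadOrder()` are resolved by injection order alone, and the constructor could reject or log that case rather than let the last one win silently.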

Added: incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/util/AuthenticationUtils.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/util/AuthenticationUtils.java?rev=1182987&view=auto
==============================================================================
--- incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/util/AuthenticationUtils.java
(added)
+++ incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/util/AuthenticationUtils.java
Thu Oct 13 17:06:52 2011
@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.rave.portal.security.util;
+
+import java.util.Collection;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+
+/**
+ * Utility function to hold common Authentication related helper functions
+ * 
+ * @author carlucci
+ */
+public class AuthenticationUtils {
+    public static final String ROLE_ADMIN = "ROLE_ADMIN";
+    
+    /**
+     * Checks to see if an Authentication object has a given role
+     * 
+     * @param authentication the Authentication object containing a list of 
+     *                       GrantedAuthority objects of which to check against
+     * @param role the role to check
+     * @return true if the role is found, false otherwise
+     */
+    public static boolean hasRole(Authentication authentication, String role) {
+        Collection<GrantedAuthority> grantedAuthorities = authentication.getAuthorities();
+        if (grantedAuthorities == null || role == null || role.isEmpty()) {
+            return false;
+        }
+
+        for (GrantedAuthority auth : grantedAuthorities) {
+            if (role.equalsIgnoreCase(auth.getAuthority())) {           
+                return true;
+            }
+        }
+
+        return false;
+    }
+    
+    /**
+     * Checks to see if the user has the super user admin role
+     * 
+     * @param authentication the Authentication object containing a list of 
+     *                       GrantedAuthority objects of which to check against
+     * @return true if the admin role is found, false otherwise
+     */
+    public static boolean isAdmin(Authentication authentication) {
+        return hasRole(authentication, ROLE_ADMIN);
+    }
+}
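Review bot: `hasRole` matches with `role.equalsIgnoreCase(auth.getAuthority())`, whereas Spring Security's own role checks match authority strings exactly, so an authority such as `role_admin` would pass `isAdmin` here. `role.equals(auth.getAuthority())` keeps the admin check exact. The method also calls `authentication.getAuthorities()` before any null check, so a null Authentication throws instead of returning false; `if (authentication == null) { return false; }` as the first statement closes that. As a static-only utility, the class could be `final` with a private constructor.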

Modified: incubator/rave/trunk/rave-components/rave-core/src/main/resources/org/apache/rave/core-applicationContext.xml
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-core/src/main/resources/org/apache/rave/core-applicationContext.xml?rev=1182987&r1=1182986&r2=1182987&view=diff
==============================================================================
--- incubator/rave/trunk/rave-components/rave-core/src/main/resources/org/apache/rave/core-applicationContext.xml
(original)
+++ incubator/rave/trunk/rave-components/rave-core/src/main/resources/org/apache/rave/core-applicationContext.xml
Thu Oct 13 17:06:52 2011
@@ -54,6 +54,7 @@
     <context:component-scan base-package="org.apache.rave.portal.model"/>
     <context:component-scan base-package="org.apache.rave.portal.repository"/>
     <context:component-scan base-package="org.apache.rave.portal.service"/>
+    <context:component-scan base-package="org.apache.rave.portal.security"/>
     
     <bean id="transactionManager" class="org.springframework.orm.jpa.JpaTransactionManager">
         <property name="entityManagerFactory" ref="entityManagerFactory"/>

Added: incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/ModelPermissionEvaluatorTest.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/ModelPermissionEvaluatorTest.java?rev=1182987&view=auto
==============================================================================
--- incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/ModelPermissionEvaluatorTest.java
(added)
+++ incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/ModelPermissionEvaluatorTest.java
Thu Oct 13 17:06:52 2011
@@ -0,0 +1,42 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.rave.portal.security;
+
+import org.apache.rave.portal.security.impl.AbstractModelPermissionEvaluator;
+import org.junit.Test;
+import org.apache.rave.portal.security.ModelPermissionEvaluator.Permission;
+import static org.junit.Assert.*;
+import static org.hamcrest.CoreMatchers.*;
+
+/**
+ *
+ * @author carlucci
+ */
+public class ModelPermissionEvaluatorTest {
+    
+    @Test
+    public void testPermissionFromString() {
+        assertThat(AbstractModelPermissionEvaluator.Permission.fromString("read"), is(Permission.READ));
+    }
+    
+    @Test(expected=IllegalArgumentException.class)
+    public void testPermissionFromString_invalidValue() {
+        AbstractModelPermissionEvaluator.Permission.fromString("unknown_permission");
+    }  
+}
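Review bot: Both tests reach the enum through `AbstractModelPermissionEvaluator.Permission`, which resolves only because the nested type is inherited from the interface. `Permission.fromString("read")` via the already imported `ModelPermissionEvaluator.Permission` says the same thing and lets the `AbstractModelPermissionEvaluator` import go. Coverage stops at one lowercase name and one unknown name; a null argument and a mixed-case name such as `"Administer"` are not pinned.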

Added: incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/AbstractModelPermissionEvaluatorTest.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/AbstractModelPermissionEvaluatorTest.java?rev=1182987&view=auto
==============================================================================
--- incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/AbstractModelPermissionEvaluatorTest.java
(added)
+++ incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/AbstractModelPermissionEvaluatorTest.java
Thu Oct 13 17:06:52 2011
@@ -0,0 +1,105 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.rave.portal.security.impl;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.List;
+import org.apache.rave.portal.security.ModelPermissionEvaluator.Permission;
+import org.apache.rave.portal.security.util.AuthenticationUtils;
+import static org.junit.Assert.*;
+import static org.easymock.EasyMock.*;
+import static org.hamcrest.CoreMatchers.*;
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.GrantedAuthorityImpl;
+
+/**
+ *
+ * @author carlucci
+ */
+public class AbstractModelPermissionEvaluatorTest {
+    private FooModelPermissionEvaluator fooModelPermissionEvaluator;
+    private Authentication authentication;
+    private FooModel fooModel;    
+    
+    @Before
+    public void setUp() {
+        authentication = createMock(Authentication.class);
+        fooModel = new FooModel();
+        fooModelPermissionEvaluator = new FooModelPermissionEvaluator();
+    }
+         
+    @Test
+    public void testGetLoadOrder() {
+        // test that the default loadOrder value is 1
+        assertThat(fooModelPermissionEvaluator.getLoadOrder(), is(1));
+    }
+
+    @Test
+    public void testHasPermission_authenticationUserIsAdmin() {        
+        List<GrantedAuthority> grantedAuthoritiesList = new ArrayList<GrantedAuthority>();
+        grantedAuthoritiesList.add(new GrantedAuthorityImpl(AuthenticationUtils.ROLE_ADMIN));
+                
+        expect(authentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        replay(authentication);
+        assertThat(fooModelPermissionEvaluator.hasPermission(authentication, fooModel, Permission.READ),
is(true));
+        verify(authentication);
+    }
+
+    @Test
+    public void testHasPermission_authenticationUserIsNotAdmin() {        
+        List<GrantedAuthority> grantedAuthoritiesList = new ArrayList<GrantedAuthority>();
+        grantedAuthoritiesList.add(new GrantedAuthorityImpl("ROLE_THAT_IS_NOT_ADMIN"));
+                
+        expect(authentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        replay(authentication);
+        assertThat(fooModelPermissionEvaluator.hasPermission(authentication, fooModel, Permission.READ),
is(false));
+        verify(authentication);
+    }    
+        
+    @Test
+    public void testHasPermission_nullAuthorities() {                        
+        expect(authentication.getAuthorities()).andReturn(null);
+        replay(authentication);
+        assertThat(fooModelPermissionEvaluator.hasPermission(authentication, fooModel, Permission.READ),
is(false));
+        verify(authentication);
+    }
+    
+    class FooModel {
+        public FooModel() {
+            
+        }
+    }
+            
+    class FooModelPermissionEvaluator extends AbstractModelPermissionEvaluator<FooModel>
{
+        @Override
+        public Class<FooModel> getType() {
+            return FooModel.class;
+        }
+
+        @Override
+        public boolean hasPermission(Authentication authentication, Serializable targetId,
String targetType, Permission permission) {
+            return true;
+        }
+                
+    }       
+}
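Review bot: The three `hasPermission` tests all pass a mocked, non-null Authentication, so the behaviour for a null Authentication, which reaches `authentication.getAuthorities()` in AuthenticationUtils, is not covered. The ID-based overload is stubbed to `return true` in `FooModelPermissionEvaluator` and is never exercised. `FooModel` and `FooModelPermissionEvaluator` are non-static inner classes and so carry a reference to the test instance; declaring them `static` is the usual form for fixtures like these.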

Added: incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/RavePermissionEvaluatorTest.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/RavePermissionEvaluatorTest.java?rev=1182987&view=auto
==============================================================================
--- incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/RavePermissionEvaluatorTest.java
(added)
+++ incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/RavePermissionEvaluatorTest.java
Thu Oct 13 17:06:52 2011
@@ -0,0 +1,112 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.rave.portal.security.impl;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.List;
+import org.apache.rave.portal.security.ModelPermissionEvaluator;
+import org.apache.rave.portal.security.ModelPermissionEvaluator.Permission;
+import org.springframework.security.core.Authentication;
+import org.junit.Before;
+import org.junit.Test;
+import static org.junit.Assert.*;
+import static org.easymock.EasyMock.*;
+import static org.hamcrest.CoreMatchers.*;
+
+/**
+ *
+ * @author carlucci
+ */
+public class RavePermissionEvaluatorTest {
+    private RavePermissionEvaluator ravePermissionEvaluator;
+    private Authentication authentication;
+    private FooModel fooModel;
+    
+    private String VALID_PERMISSION = "read";
+    private Long VALID_FOO_ID = 4L;
+    
+    
+    @Before
+    public void setUp() {
+        List<ModelPermissionEvaluator> modelPermissionEvaluatorList = new ArrayList<ModelPermissionEvaluator>();
+        modelPermissionEvaluatorList.add(new FooModelPermissionEvaluator());            
          
+        ravePermissionEvaluator = new RavePermissionEvaluator(modelPermissionEvaluatorList);
+        
+        authentication = createMock(Authentication.class);
+        fooModel = new FooModel();
+    }
+    
+    @Test
+    public void testLoadOrderOverride() {
+        ModelPermissionEvaluator<FooModel> mockedOverriddenPermissionEvaluator = createMock(ModelPermissionEvaluator.class);
                             
+        expect(mockedOverriddenPermissionEvaluator.getType()).andReturn(FooModel.class);
+        expect(mockedOverriddenPermissionEvaluator.getLoadOrder()).andReturn(2);
+        expect(mockedOverriddenPermissionEvaluator.hasPermission(authentication, fooModel,
Permission.fromString(VALID_PERMISSION))).andReturn(true);        
+        replay(mockedOverriddenPermissionEvaluator);
+        
+         List<ModelPermissionEvaluator> modelPermissionEvaluatorList = new ArrayList<ModelPermissionEvaluator>();
+        // note we are adding the overide instance first to verify the Collections.sort works
as expected
+        modelPermissionEvaluatorList.add(mockedOverriddenPermissionEvaluator);
+        modelPermissionEvaluatorList.add(new FooModelPermissionEvaluator());            
          
+        ravePermissionEvaluator = new RavePermissionEvaluator(modelPermissionEvaluatorList);
+        
+        assertThat(ravePermissionEvaluator.hasPermission(authentication, fooModel, VALID_PERMISSION),
is(true));        
+        verify(mockedOverriddenPermissionEvaluator);    
+    }
+    
+    @Test
+    public void testHasPermission_3args() {        
+        assertThat(ravePermissionEvaluator.hasPermission(authentication, fooModel, VALID_PERMISSION),
is(true));        
+    }
+    
+    @Test(expected=IllegalArgumentException.class)
+    public void testHasPermission_3args_invalidEvaluator() {        
+        List<String> list = new ArrayList<String>();
+        assertThat(ravePermissionEvaluator.hasPermission(authentication, list, VALID_PERMISSION),
is(true));        
+    }    
+    
+    @Test
+    public void testHasPermission_4args() {    
+        assertThat(ravePermissionEvaluator.hasPermission(authentication, VALID_FOO_ID, FooModel.class.getName(),
VALID_PERMISSION), is(true));        
+    }
+    
+    class FooModel {
+        public FooModel() {
+            
+        }
+    }
+    
+    class FooModelPermissionEvaluator extends AbstractModelPermissionEvaluator<FooModel>
{
+        @Override
+        public Class<FooModel> getType() {
+            return FooModel.class;
+        }
+
+        @Override
+        public boolean hasPermission(Authentication authentication, FooModel foo, Permission
permission) {
+            return true;
+        }
+        
+        @Override
+        public boolean hasPermission(Authentication authentication, Serializable targetId,
String targetType, Permission permission) {
+            return true;
+        }
+    }       
+}
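Review bot: Every evaluator exercised in this test class grants access: the FooModelPermissionEvaluator stub returns `true` from both hasPermission overloads, and the mocked override in testLoadOrderOverride is also set to `andReturn(true)`, so none of these tests would fail if RavePermissionEvaluator allowed a request without honouring its delegate's answer. Have the override deny instead, by ending its expectation with `.andReturn(false);` and changing the assertion to `is(false)`, which also shows that the evaluator with the higher load order wins over the always-true stub. In testHasPermission_3args_invalidEvaluator the `assertThat(..., is(true))` wrapper is misleading because the test expects IllegalArgumentException; call `ravePermissionEvaluator.hasPermission(authentication, list, VALID_PERMISSION);` directly. A case for a permission string that Permission.fromString does not recognise would be worth adding as well; what should happen there is not visible in this hunk.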

Added: incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/util/AuthenticationUtilsTest.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/util/AuthenticationUtilsTest.java?rev=1182987&view=auto
==============================================================================
--- incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/util/AuthenticationUtilsTest.java
(added)
+++ incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/util/AuthenticationUtilsTest.java
Thu Oct 13 17:06:52 2011
@@ -0,0 +1,81 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.rave.portal.security.util;
+
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.GrantedAuthorityImpl;
+import java.util.List;
+import java.util.ArrayList;
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.security.core.Authentication;
+import static org.junit.Assert.*;
+import static org.easymock.EasyMock.*;
+import static org.hamcrest.CoreMatchers.*;
+/**
+ *
+ * @author carlucci
+ */
+public class AuthenticationUtilsTest {
+    private Authentication authentication;    
+    private final String VALID_ROLE = "MY_ROLE";
+    private final String INVALID_ROLE = "UNKNOWN_ROLE";
+    
+    @Before
+    public void setup() {
+        authentication = createMock(Authentication.class);
+    }
+    
+    @Test
+    public void testHasRole() {    
+        List<GrantedAuthority> grantedAuthoritiesList = new ArrayList<GrantedAuthority>();
+        grantedAuthoritiesList.add(new GrantedAuthorityImpl(VALID_ROLE));
+                
+        expect(authentication.getAuthorities()).andReturn(grantedAuthoritiesList).anyTimes();
+        replay(authentication);
+        
+        assertThat(AuthenticationUtils.hasRole(authentication, VALID_ROLE), is(true));
+        assertThat(AuthenticationUtils.hasRole(authentication, INVALID_ROLE), is(false));
+        assertThat(AuthenticationUtils.hasRole(authentication, null), is(false));
+        assertThat(AuthenticationUtils.hasRole(authentication, ""), is(false));
+    }
+
+
+    @Test
+    public void testIsAdmin_validAdmin() {
+        List<GrantedAuthority> grantedAuthoritiesList = new ArrayList<GrantedAuthority>();
+        grantedAuthoritiesList.add(new GrantedAuthorityImpl(AuthenticationUtils.ROLE_ADMIN));
+                
+        expect(authentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        replay(authentication);
+        
+        assertThat(AuthenticationUtils.isAdmin(authentication), is(true));
+    }
+    
+    @Test
+    public void testIsAdmin_notValidAdmin() {
+        List<GrantedAuthority> grantedAuthoritiesList = new ArrayList<GrantedAuthority>();
+        grantedAuthoritiesList.add(new GrantedAuthorityImpl(VALID_ROLE));
+                
+        expect(authentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        replay(authentication);
+        
+        assertThat(AuthenticationUtils.isAdmin(authentication), is(false));
+    }    
+}
\ No newline at end of file
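Review bot: None of the three tests covers `authentication.getAuthorities()` returning null, although AbstractModelPermissionEvaluatorTest in this same commit has a testHasPermission_nullAuthorities case, so it cannot be told from here whether hasRole and isAdmin themselves fail closed on that input. Add a case built on `expect(authentication.getAuthorities()).andReturn(null);` that ends with `assertThat(AuthenticationUtils.isAdmin(authentication), is(false));`. The tests replay the mock but never call `verify(authentication)`, unlike the evaluator tests in this commit, so they do not confirm that the authorities were actually consulted. VALID_ROLE and INVALID_ROLE would read better as `private static final` constants.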

Propchange: incubator/rave/trunk/rave-portal-resources/
------------------------------------------------------------------------------
--- svn:ignore (original)
+++ svn:ignore Thu Oct 13 17:06:52 2011
@@ -1,7 +1,5 @@
-target
-
 .classpath
-
 .project
-
+target
+catalog.xml
 .settings

Modified: incubator/rave/trunk/rave-portal-resources/src/main/webapp/WEB-INF/applicationContext-security.xml
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-portal-resources/src/main/webapp/WEB-INF/applicationContext-security.xml?rev=1182987&r1=1182986&r2=1182987&view=diff
==============================================================================
--- incubator/rave/trunk/rave-portal-resources/src/main/webapp/WEB-INF/applicationContext-security.xml
(original)
+++ incubator/rave/trunk/rave-portal-resources/src/main/webapp/WEB-INF/applicationContext-security.xml
Thu Oct 13 17:06:52 2011
@@ -58,4 +58,16 @@
             </security:password-encoder>
         </security:authentication-provider>
     </security:authentication-manager>
+    
+    <!-- enable the spring security annotations -->
+    <security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled">
+        <security:expression-handler ref="expressionHandler"/>
+    </security:global-method-security>
+    
+    <!-- override the default permissionEvaluator bean used by Spring Security with our
custom RavePermissionEvaluator -->
+    <bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
+        <property name="permissionEvaluator">
+            <bean id="permissionEvaluator" class="org.apache.rave.portal.security.impl.RavePermissionEvaluator"/>
+        </property>
+    </bean>
 </beans>
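Review bot: The inner `<bean id="permissionEvaluator" ...>` carries no `<constructor-arg>`, while RavePermissionEvaluatorTest in this commit constructs the class with a `List<ModelPermissionEvaluator>`, so the set of model evaluators behind every `hasPermission(...)` expression depends on constructor autowiring that this file does not show. A comment saying so would help whoever audits the security context, for example `<!-- RavePermissionEvaluator collects the ModelPermissionEvaluator beans via constructor autowiring; a model type with no registered evaluator is rejected with IllegalArgumentException -->`; the second half is what testHasPermission_3args_invalidEvaluator expects, the first should be confirmed against the class. The `id` on an inner bean is ignored by Spring, so it can be dropped to avoid suggesting the evaluator is addressable by name. `global-method-security` only protects methods that carry an annotation, and this hunk adds none, so the change by itself does not restrict any call.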


