jena-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cla...@apache.org
Subject [2/2] jena git commit: Fixes for JENA-855. Added principal as an argument to SecurityEvaluator functions.
Date Tue, 20 Jan 2015 21:04:56 GMT
Fixes for JENA-855.  Added principal as an argument to SecurityEvaluator functions.


Project: http://git-wip-us.apache.org/repos/asf/jena/repo
Commit: http://git-wip-us.apache.org/repos/asf/jena/commit/23d1bde2
Tree: http://git-wip-us.apache.org/repos/asf/jena/tree/23d1bde2
Diff: http://git-wip-us.apache.org/repos/asf/jena/diff/23d1bde2

Branch: refs/heads/master
Commit: 23d1bde29ec4985584a63dfc209155115a7959c2
Parents: cd62e6d
Author: Claude Warren <claude@apache.org>
Authored: Tue Jan 20 21:00:44 2015 +0000
Committer: Claude Warren <claude@apache.org>
Committed: Tue Jan 20 21:00:44 2015 +0000

----------------------------------------------------------------------
 .../apache/jena/security/SecurityEvaluator.java | 512 +++++++++---------
 .../security/graph/SecuredCapabilities.java     |  18 +-
 .../graph/SecuredGraphEventManager.java         | 531 +++++++------------
 .../security/impl/CachedSecurityEvaluator.java  | 117 ++--
 .../jena/security/impl/SecuredItemImpl.java     |  16 +-
 .../security/model/impl/SecuredRDFListImpl.java |   2 +-
 .../security/model/impl/SecuredRSIterator.java  |   2 +-
 .../jena/security/query/SecuredQueryEngine.java |  14 +-
 .../security/query/rewriter/OpRewriter.java     |   5 +-
 .../query/rewriter/SecuredFunction.java         |   3 +-
 .../security/utils/PermStatementFilter.java     |   9 +-
 .../jena/security/utils/PermTripleFilter.java   |   9 +-
 .../jena/security/utils/RDFListSecFilter.java   |   9 +-
 .../jena/security/MockSecurityEvaluator.java    |  16 +-
 .../security/ModelBasedSecurityEvaluator.java   |  35 +-
 .../jena/security/StaticSecurityEvaluator.java  |  41 +-
 .../graph/CachedSecurityEvaluatorTest.java      |  27 +
 .../security/graph/BulkUpdateHandlerTest.java   |  57 +-
 .../graph/CrossIDGraphEventManagerTest.java     |  78 +++
 .../security/graph/GraphEventManagerTest.java   | 127 +----
 .../security/graph/RecordingGraphListener.java  | 106 ++++
 .../graph/SecuredPrefixMappingTest.java         |  68 +--
 .../security/model/SecuredModelDetailTest.java  |  20 +-
 .../jena/security/query/QueryEngineTest.java    |  97 ++--
 24 files changed, 971 insertions(+), 948 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/jena/blob/23d1bde2/jena-security/src/main/java/org/apache/jena/security/SecurityEvaluator.java
----------------------------------------------------------------------
diff --git a/jena-security/src/main/java/org/apache/jena/security/SecurityEvaluator.java b/jena-security/src/main/java/org/apache/jena/security/SecurityEvaluator.java
index e2ccd96..ab8ea1d 100644
--- a/jena-security/src/main/java/org/apache/jena/security/SecurityEvaluator.java
+++ b/jena-security/src/main/java/org/apache/jena/security/SecurityEvaluator.java
@@ -6,9 +6,9 @@
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License. You may obtain a copy of the License at
- * 
+ *
  * http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -28,68 +28,71 @@ import org.apache.commons.lang.builder.HashCodeBuilder;
  * SecurityEvaluator.
  * <p>
  * The security evaluator is the link between the graph security system and an
- * external
- * security system. This interface specifies the methods that are required by
- * the graph
- * security system. It is assumed that the implementation will handle tracking
- * the current
- * user and will query some underlying data source to determine what actions the
- * user can
- * and can not take.
- * </p><p>
- * All questions of white listing or black listing will be handled in the concrete
- * implementation.
- * </p><p>
+ * external security system. This interface specifies the methods that are
+ * required by the graph security system. It is assumed that the implementation
+ * will handle tracking the current user and will query some underlying data
+ * source to determine what actions the user can and can not take.
+ * </p>
+ * <p>
+ * All questions of white listing or black listing will be handled in the
+ * concrete implementation.
+ * </p>
+ * <p>
  * Implementations of this class should probably cache any evaluate calculations
- * as the evaluate methods are called frequently.  However, the underlying classes
- * do cache results within a single method check.
+ * as the evaluate methods are called frequently. However, the underlying
+ * classes do cache results within a single method check.
  * </p>
  * <p>
  * <dl>
  * <dt>Secured operations</dt>
- * <dd>The security system recognizes and secures each of the CRUD (Create, Read, Update and Delete)
- * operations as represented by the Action enumeration.</dd>
+ * <dd>The security system recognizes and secures each of the CRUD (Create,
+ * Read, Update and Delete) operations as represented by the Action enumeration.
+ * </dd>
  * </dl>
  * <dl>
  * <dt>Levels of security</dt>
- * <dd>The security interfaces operates at two (2) levels: graph (or Model) and triple.
- * <p>At the the graph level the security evaluator may restrict CRUD access to the graph or model as a whole.
- * When evaluating the restriction, if the user it not permitted to perform the operation on the 
- * graph or model access is denied.  If the user is permitted any triple restrictions are evaluated.
- * </p><p>
- * At the triple level the security evaluator may restrict CRUD access to specific triples.  In order
- * to skip potentially expensive triple security checks the system will generally ask if the user is 
- * permitted the CRUD action on any triple.  This is represented by the SecTriple 
- * <code>(ANY, ANY, ANY)</code>.  
+ * <dd>The security interfaces operates at two (2) levels: graph (or Model) and
+ * triple.
+ * <p>
+ * At the the graph level the security evaluator may restrict CRUD access to the
+ * graph or model as a whole. When evaluating the restriction, if the user it
+ * not permitted to perform the operation on the graph or model access is
+ * denied. If the user is permitted any triple restrictions are evaluated.
+ * </p>
+ * <p>
+ * At the triple level the security evaluator may restrict CRUD access to
+ * specific triples. In order to skip potentially expensive triple security
+ * checks the system will generally ask if the user is permitted the CRUD action
+ * on any triple. This is represented by the SecTriple
+ * <code>(ANY, ANY, ANY)</code>.
  * <ul>
  * <li>
- * If the system does not support triple level security the system should always return <code>true</code>.
- * </li>
- * If the system does support triple level security and is unable to verify that the user can execute
- * the CRUD action against any arbitrary triple the system should return <code>false</code>.
- * </li>
- * <li>See <code>SecNode.ANY</code>, <code>SecNode.FUTURE</code>, and <code>SecNode.VARIABLE</code>
- * for discussion of specifics of their respective usages.</li> 
+ * If the system does not support triple level security the system should always
+ * return <code>true</code>.</li>
+ * If the system does support triple level security and is unable to verify that
+ * the user can execute the CRUD action against any arbitrary triple the system
+ * should return <code>false</code>. </li>
+ * <li>See <code>SecNode.ANY</code>, <code>SecNode.FUTURE</code>, and
+ * <code>SecNode.VARIABLE</code> for discussion of specifics of their respective
+ * usages.</li>
  * </ul>
  * </p>
  * </dd>
  * </dl>
  * <dl>
  * <dt>
- * 
+ *
  * </p>
  */
-public interface SecurityEvaluator
-{
+public interface SecurityEvaluator {
 	/**
 	 * Identifies a sepcific CRUD actions.
 	 */
-	static enum Action
-	{
+	static enum Action {
 		/**
 		 * Allow creation of the object in question.
 		 */
-		Create, 
+		Create,
 		/**
 		 * Allow the user to read the object in question.
 		 */
@@ -97,50 +100,48 @@ public interface SecurityEvaluator
 		/**
 		 * Allow the user to update the object in question
 		 */
-		Update, 
+		Update,
 		/**
 		 * Allow the user to delete the object in question.
 		 */
 		Delete
-		
+
 	}
 
 	/**
 	 * A node in the evaluation.
 	 * <p>
 	 * A node with no value represents a node of that type but unknown
-	 * exactitude. (e.g.
-	 * <code>SecNode(URI,"")</code> is a URI but of unknown value. Useful for systems that
-	 * restrict
-	 * type creation.
-	 * </p><p>
-	 * <code>SecNode(Anonymous,"")</code> represents an anonymous node that will be created.
-	 * Otherwise anonymous
-	 * node values are the values within the secured graph.
-	 * </p><p>
+	 * exactitude. (e.g. <code>SecNode(URI,"")</code> is a URI but of unknown
+	 * value. Useful for systems that restrict type creation.
+	 * </p>
+	 * <p>
+	 * <code>SecNode(Anonymous,"")</code> represents an anonymous node that will
+	 * be created. Otherwise anonymous node values are the values within the
+	 * secured graph.
+	 * </p>
+	 * <p>
 	 * An "Any" node type matches any node.
 	 * </p>
 	 */
-	public static class SecNode implements Comparable<SecNode>
-	{
+	public static class SecNode implements Comparable<SecNode> {
 
 		/**
 		 * The types of nodes.
 		 */
-		public static enum Type
-		{
+		public static enum Type {
 			/**
 			 * A URI type node
 			 */
-			URI, 
+			URI,
 			/**
 			 * A Literal node.
 			 */
-			Literal, 
+			Literal,
 			/**
-			 * An anonymous node.  Also called a "blank" node.
+			 * An anonymous node. Also called a "blank" node.
 			 */
-			Anonymous, 
+			Anonymous,
 			/**
 			 * Any node.
 			 */
@@ -152,81 +153,80 @@ public interface SecurityEvaluator
 		 * <p>
 		 * Used in triple checks as follows:
 		 * <dl>
-		 * <dt><code>(ANY, ANY, ANY)</code>
-		 * </dt><dd>Asks if the user may perform the action on any triple. 
-		 * </dd>
-		 * <dt><code>(X, ANY, ANY)</code>
-		 * </dt><dd>Asks if the user may perform the action against
-		 * any triple where X is the subject.
-		 * </dd>
-		 * <dt><code>(ANY, X, ANY)</code>
-		 * </dt><dd>Asks if the user may perform the action against
-		 * any triple where X is the predicate.
-		 * </dd>
-		 * <dt><code>(SecNode.ANY, SecNode.ANY, SecNode.X)</code>
-		 * </dt><dd>Asks if if the user may perform the action against
-		 * any triple where X is the object.
-		 * </dd>
+		 * <dt><code>(ANY, ANY, ANY)</code></dt>
+		 * <dd>Asks if the user may perform the action on any triple.</dd>
+		 * <dt><code>(X, ANY, ANY)</code></dt>
+		 * <dd>Asks if the user may perform the action against any triple where
+		 * X is the subject.</dd>
+		 * <dt><code>(ANY, X, ANY)</code></dt>
+		 * <dd>Asks if the user may perform the action against any triple where
+		 * X is the predicate.</dd>
+		 * <dt><code>(SecNode.ANY, SecNode.ANY, SecNode.X)</code></dt>
+		 * <dd>Asks if if the user may perform the action against any triple
+		 * where X is the object.</dd>
 		 * </dl>
-		 * The <code>ANY</code> may occur multiple times and may occur with the 
+		 * The <code>ANY</code> may occur multiple times and may occur with the
 		 * <code>VARIABLE</code> and/or <code>FUTURE</code> nodes.
 		 * </p>
 		 */
 		public static final SecNode ANY = new SecNode(Type.Any, "any");
-		
+
 		/**
 		 * Indicates a variable in the triple.
 		 * <p>
-		 * </p>This differs from <code>ANY</code>
-		 * in that the system is asking if there are any prohibitions not if the user 
-		 * may perform. Thus queries with the VARIABLE type node should return <code>true</code>
-		 * where <code>ANY</code> returns <code>false</code>.  In general this type is used in the 
-		 * query to determine if triple level filtering of results must be performed.<p>
-		 * </p><p> 
+		 * </p>
+		 * This differs from <code>ANY</code> in that the system is asking if
+		 * there are any prohibitions not if the user may perform. Thus queries
+		 * with the VARIABLE type node should return <code>true</code> where
+		 * <code>ANY</code> returns <code>false</code>. In general this type is
+		 * used in the query to determine if triple level filtering of results
+		 * must be performed.
+		 * <p>
+		 * </p>
+		 * <p>
 		 * <dl>
-		 * <dt><code>(VARIABLE, X, Y )</code>
-		 * </dt><dd>
-		 * Asks if there are any prohibitions against the user seeing all subjects
-		 * that have property X and object Y.
-		 * </dd><dt>
-		 * <code>(X, VARIABLE, Y )</code>
-		 * </dt><dd>
-		 * Asks if there are any prohibitions against the user seeing all predicates
-		 * that have subject X and object Y.
-		 * </dd><dt>
-		 * <code>(X, Y, VARIABLE)</code>
-		 * </dt><dd>
-		 * Asks if there are any prohibitions against the user seeing all objects
-		 * that have subject X and predicate Y.
-		 * </dd>
+		 * <dt><code>(VARIABLE, X, Y )</code></dt>
+		 * <dd>
+		 * Asks if there are any prohibitions against the user seeing all
+		 * subjects that have property X and object Y.</dd>
+		 * <dt>
+		 * <code>(X, VARIABLE, Y )</code></dt>
+		 * <dd>
+		 * Asks if there are any prohibitions against the user seeing all
+		 * predicates that have subject X and object Y.</dd>
+		 * <dt>
+		 * <code>(X, Y, VARIABLE)</code></dt>
+		 * <dd>
+		 * Asks if there are any prohibitions against the user seeing all
+		 * objects that have subject X and predicate Y.</dd>
 		 * </dl>
-		 * The <code>VARIABLE</code> may occur multiple times and may occur with the 
-		 * <code>ANY</code> node.
+		 * The <code>VARIABLE</code> may occur multiple times and may occur with
+		 * the <code>ANY</code> node.
 		 * </p>
-		 *  
+		 * 
 		 */
 		public static final SecNode VARIABLE = new SecNode(Type.Any, "variable");
 
 		/**
 		 * This is an anonymous node that will be created in the future.
 		 * <p>
-		 * FUTURE is used to check that an anonymous node may be created in
-		 * as specific position in a triple.
-		 * </p><p> 
+		 * FUTURE is used to check that an anonymous node may be created in as
+		 * specific position in a triple.
+		 * </p>
+		 * <p>
 		 * <dl>
-		 * <dt><code>(FUTURE, X, Y )</code>
-		 * </dt><dd>
-		 * Asks if there the user may create an anonymous node 
-		 * that has property X and object Y.
-		 * </dd><dt>
-		 * <code>(X, Y, FUTURE)</code>
-		 * </dt><dd>
-		 * Asks if there the user may create an anonymous node 
-		 * that has subject X and property Y.
-		 * </dd>
+		 * <dt><code>(FUTURE, X, Y )</code></dt>
+		 * <dd>
+		 * Asks if there the user may create an anonymous node that has property
+		 * X and object Y.</dd>
+		 * <dt>
+		 * <code>(X, Y, FUTURE)</code></dt>
+		 * <dd>
+		 * Asks if there the user may create an anonymous node that has subject
+		 * X and property Y.</dd>
 		 * </dl>
-		 * The <code>FUTURE</code> may occur multiple times and may occur with the 
-		 * <code>ANY</code> node.
+		 * The <code>FUTURE</code> may occur multiple times and may occur with
+		 * the <code>ANY</code> node.
 		 * </p>
 		 */
 		public static final SecNode FUTURE = new SecNode(Type.Anonymous, "");
@@ -237,27 +237,27 @@ public interface SecurityEvaluator
 
 		/**
 		 * Create a SecNode of the type and value.
-		 * @param type The type of the node
-		 * @param value The value of the node.  A null is interpreted as an empty string.
+		 * 
+		 * @param type
+		 *            The type of the node
+		 * @param value
+		 *            The value of the node. A null is interpreted as an empty
+		 *            string.
 		 */
-		public SecNode( final Type type, final String value )
-		{
+		public SecNode(final Type type, final String value) {
 			this.type = type;
 			this.value = value == null ? "" : value;
 		}
 
 		@Override
-		public int compareTo( final SecNode node )
-		{
+		public int compareTo(final SecNode node) {
 			final int retval = type.compareTo(node.type);
 			return retval == 0 ? value.compareTo(node.value) : retval;
 		}
 
 		@Override
-		public boolean equals( final Object o )
-		{
-			if (o instanceof SecNode)
-			{
+		public boolean equals(final Object o) {
+			if (o instanceof SecNode) {
 				return this.compareTo((SecNode) o) == 0;
 			}
 			return false;
@@ -265,27 +265,25 @@ public interface SecurityEvaluator
 
 		/**
 		 * Get the type of the node.
+		 * 
 		 * @return The type of the node.
 		 */
-		public Type getType()
-		{
+		public Type getType() {
 			return type;
 		}
 
 		/**
 		 * Get the value of the node.
+		 * 
 		 * @return the value of the node
 		 */
-		public String getValue()
-		{
+		public String getValue() {
 			return value;
 		}
 
 		@Override
-		public int hashCode()
-		{
-			if (hashCode == null)
-			{
+		public int hashCode() {
+			if (hashCode == null) {
 				hashCode = new HashCodeBuilder().append(type).append(value)
 						.toHashCode();
 			}
@@ -293,8 +291,7 @@ public interface SecurityEvaluator
 		}
 
 		@Override
-		public String toString()
-		{
+		public String toString() {
 			return String.format("[%s:%s]", getType(), getValue());
 		}
 	}
@@ -302,8 +299,7 @@ public interface SecurityEvaluator
 	/**
 	 * An immutable triple of SecNodes.
 	 */
-	public static class SecTriple implements Comparable<SecTriple>
-	{
+	public static class SecTriple implements Comparable<SecTriple> {
 		private final SecNode subject;
 		private final SecNode predicate;
 		private final SecNode object;
@@ -317,24 +313,25 @@ public interface SecurityEvaluator
 
 		/**
 		 * Create the sec triple
-		 * @param subject The subject node.
-		 * @param predicate The predicate node.
-		 * @param object The object node.
-		 * @throws IllegalArgumentException is any value is null.
+		 * 
+		 * @param subject
+		 *            The subject node.
+		 * @param predicate
+		 *            The predicate node.
+		 * @param object
+		 *            The object node.
+		 * @throws IllegalArgumentException
+		 *             is any value is null.
 		 */
-		public SecTriple( final SecNode subject, final SecNode predicate,
-				final SecNode object )
-		{
-			if (subject == null)
-			{
+		public SecTriple(final SecNode subject, final SecNode predicate,
+				final SecNode object) {
+			if (subject == null) {
 				throw new IllegalArgumentException("Subject may not be null");
 			}
-			if (predicate == null)
-			{
+			if (predicate == null) {
 				throw new IllegalArgumentException("Predicate may not be null");
 			}
-			if (object == null)
-			{
+			if (object == null) {
 				throw new IllegalArgumentException("Object may not be null");
 			}
 			this.subject = subject;
@@ -343,25 +340,20 @@ public interface SecurityEvaluator
 		}
 
 		@Override
-		public int compareTo( final SecTriple o )
-		{
-			if (o == null)
-			{
+		public int compareTo(final SecTriple o) {
+			if (o == null) {
 				return 1;
 			}
 			int retval = subject.compareTo(o.subject);
-			if (retval == 0)
-			{
+			if (retval == 0) {
 				retval = predicate.compareTo(o.predicate);
 			}
 			return retval == 0 ? object.compareTo(o.object) : retval;
 		}
 
 		@Override
-		public boolean equals( final Object o )
-		{
-			if (o instanceof SecTriple)
-			{
+		public boolean equals(final Object o) {
+			if (o instanceof SecTriple) {
 				return this.compareTo((SecTriple) o) == 0;
 			}
 			return false;
@@ -370,32 +362,27 @@ public interface SecurityEvaluator
 		/**
 		 * @return the object node.
 		 */
-		public SecNode getObject()
-		{
+		public SecNode getObject() {
 			return object;
 		}
 
 		/**
 		 * @return the predicate node.
 		 */
-		public SecNode getPredicate()
-		{
+		public SecNode getPredicate() {
 			return predicate;
 		}
 
 		/**
 		 * @return the subject node.
 		 */
-		public SecNode getSubject()
-		{
+		public SecNode getSubject() {
 			return subject;
 		}
 
 		@Override
-		public int hashCode()
-		{
-			if (hashCode == null)
-			{
+		public int hashCode() {
+			if (hashCode == null) {
 				hashCode = new HashCodeBuilder().append(object)
 						.append(predicate).append(subject).toHashCode();
 			}
@@ -403,43 +390,46 @@ public interface SecurityEvaluator
 		}
 
 		@Override
-		public String toString()
-		{
+		public String toString() {
 			return String.format("( %s, %s, %s )", getSubject(),
 					getPredicate(), getObject());
 		}
 	}
 
 	/**
-	 * A collection of utility functions for the SecurityEvaluator implementations.
+	 * A collection of utility functions for the SecurityEvaluator
+	 * implementations.
 	 */
-	public static class Util
-	{
+	public static class Util {
 		/**
 		 * Return an array of actions as a set.
-		 * <p>The order of the collection is preserved</p>
-		 * @param actions The actions.
+		 * <p>
+		 * The order of the collection is preserved
+		 * </p>
+		 * 
+		 * @param actions
+		 *            The actions.
 		 * @return The set of actions.
 		 */
-		public static Set<Action> asSet( final Action[] actions )
-		{
+		public static Set<Action> asSet(final Action[] actions) {
 			return Util.asSet(Arrays.asList(actions));
 		}
 
 		/**
 		 * Return a collection of actions as a set.
-		 * <p>The order of the collection is preserved</p>
-		 * @param actions The collection of actions.
+		 * <p>
+		 * The order of the collection is preserved
+		 * </p>
+		 * 
+		 * @param actions
+		 *            The collection of actions.
 		 * @return The set of actions.
 		 */
-		public static Set<Action> asSet( final Collection<Action> actions )
-		{
-			if (actions instanceof Set)
-			{
+		public static Set<Action> asSet(final Collection<Action> actions) {
+			if (actions instanceof Set) {
 				return (Set<Action>) actions;
 			}
-			else
-			{
+			else {
 				return new LinkedHashSet<Action>(actions);
 			}
 		}
@@ -447,14 +437,17 @@ public interface SecurityEvaluator
 
 	/**
 	 * Determine if the action is allowed on the graph.
-	 * 
+	 *
+	 * @param principal
+	 *            The principal that is attempting the action.
+	 *
 	 * @param action
 	 *            The action to perform
 	 * @param graphIRI
 	 *            The IRI of the graph to check
 	 * @return true if the action is allowed, false otherwise.
 	 */
-	public boolean evaluate( Action action, SecNode graphIRI );
+	public boolean evaluate(Object principal, Action action, SecNode graphIRI);
 
 	/**
 	 * Determine if the action is allowed on the triple within the graph.
@@ -462,124 +455,161 @@ public interface SecurityEvaluator
 	 * The evaluation should be performed in the following order:
 	 * <ol>
 	 * <li>
-	 * If the triple contains a <code>VARIABLE</code> then this method must return <code>true</code> if
-	 * there are any restrictions where the remaining nodes are either constants or <code>ANY</code>
-	 * nodes.  This will force the system to use subsequent checks to verify access by substituting
-	 * the value of the <code>VARIABLE</code>s. <em>If the system can not quickly verify the solution
+	 * If the triple contains a <code>VARIABLE</code> then this method must
+	 * return <code>true</code> if there are any restrictions where the
+	 * remaining nodes are either constants or <code>ANY</code> nodes. This will
+	 * force the system to use subsequent checks to verify access by
+	 * substituting the value of the <code>VARIABLE</code>s.
+	 * <em>If the system can not quickly verify the solution
 	 * it is always acceptable to return <code>true</code>.</em>
 	 * <li>
-	 * Except as specified in the above check, if the triple contains an <code>ANY</code> then this 
-	 * method must return <code>false</code> if
-	 * there are any restrictions where the remaining nodes are held constant and the ANY
-	 * node is allowed to vary.  This checks is used to avoid subsequent explicit triple checks.
+	 * Except as specified in the above check, if the triple contains an
+	 * <code>ANY</code> then this method must return <code>false</code> if there
+	 * are any restrictions where the remaining nodes are held constant and the
+	 * ANY node is allowed to vary. This checks is used to avoid subsequent
+	 * explicit triple checks.
 	 * <em>If the system can not quickly verify the solution it is always
-	 * acceptable to return <code>false</code>.</em>
-	 * </li>
-	 * <li>All other triples are explict triples and the system must determine if the user is
-	 * permitted to perform the action on the triple. 
-	 * If the triple contains a <code>FUTURE</code> node that node should be considered as 
-	 * an anonymous or blank node that is not yet created.  It should only be used with 
-	 * <code>Create</code> actions and is asking if the user may create a blank node in that
-	 * position in the triple.</li>
+	 * acceptable to return <code>false</code>.</em></li>
+	 * <li>All other triples are explict triples and the system must determine
+	 * if the user is permitted to perform the action on the triple. If the
+	 * triple contains a <code>FUTURE</code> node that node should be considered
+	 * as an anonymous or blank node that is not yet created. It should only be
+	 * used with <code>Create</code> actions and is asking if the user may
+	 * create a blank node in that position in the triple.</li>
 	 * </ol>
 	 * </p>
+	 *
+	 * @param principal
+	 *            The principal that is attempting the action.
+	 *
 	 * @param action
 	 *            The action to perform
 	 * @param graphIRI
-	 *            The IRI of the graph to the action is being taken upon.  May be <code>ANY</code>.
+	 *            The IRI of the graph to the action is being taken upon. May be
+	 *            <code>ANY</code>.
 	 * @param triple
 	 *            The triple to check
 	 * @return true if the action is allowed, false otherwise.
-	 * @throws IllegalArgumentException if any argument is null.
+	 * @throws IllegalArgumentException
+	 *             if any argument is null.
 	 */
-	public boolean evaluate( Action action, SecNode graphIRI, SecTriple triple );
+	public boolean evaluate(Object principal, Action action, SecNode graphIRI,
+			SecTriple triple);
 
 	/**
 	 * Determine if all actions are allowed on the graph.
-	 * 
+	 *
+	 * @param principal
+	 *            The principal that is attempting the action.
+	 *
 	 * @param actions
 	 *            The set of actions to perform
 	 * @param graphIRI
-	 *            The IRI of the graph to the action is being taken upon.  May be <code>ANY</code>.
+	 *            The IRI of the graph to the action is being taken upon. May be
+	 *            <code>ANY</code>.
 	 * @return true if all the actions are allowed, false otherwise.
-	 * @throws IllegalArgumentException if any argument is null.
+	 * @throws IllegalArgumentException
+	 *             if any argument is null.
 	 */
-	public boolean evaluate( Set<Action> actions, SecNode graphIRI );
+	public boolean evaluate(Object principal, Set<Action> actions,
+			SecNode graphIRI);
 
 	/**
 	 * Determine if all the actions are allowed on the triple within the graph.
 	 * <p>
-	 * See evaluate( Action, SecNode, SecTriple ) for discussion of evaluation strategy.
+	 * See evaluate( Action, SecNode, SecTriple ) for discussion of evaluation
+	 * strategy.
 	 * </p>
+	 * 
 	 * @param actions
 	 *            The actions to perform.
 	 * @param graphIRI
-	 *            The IRI of the graph to the action is being taken upon.  May be <code>ANY</code>.
+	 *            The IRI of the graph to the action is being taken upon. May be
+	 *            <code>ANY</code>.
 	 * @param triple
 	 *            The triple to check
 	 * @return true if all the actions are allowed, false otherwise.
-	 * @throws IllegalArgumentException if any argument is null.
+	 * @throws IllegalArgumentException
+	 *             if any argument is null.
 	 */
-	public boolean evaluate( Set<Action> actions, SecNode graphIRI,
-			SecTriple triple );
+	public boolean evaluate(Object principal, Set<Action> actions,
+			SecNode graphIRI, SecTriple triple);
 
 	/**
 	 * Determine if any of the actions are allowed on the graph.
-	 * 
+	 *
+	 * @param principal
+	 *            The principal that is attempting the action.
+	 *
 	 * @param actions
 	 *            The actions to perform
 	 * @param graphIRI
-	 *            The IRI of the graph to the action is being taken upon.  May be <code>ANY</code>.
+	 *            The IRI of the graph to the action is being taken upon. May be
+	 *            <code>ANY</code>.
 	 * @return true true if any the actions are allowed, false otherwise.
-	 * @throws IllegalArgumentException if any argument is null.
+	 * @throws IllegalArgumentException
+	 *             if any argument is null.
 	 */
-	public boolean evaluateAny( Set<Action> actions, SecNode graphIRI );
+	public boolean evaluateAny(Object principal, Set<Action> actions,
+			SecNode graphIRI);
 
 	/**
-	 * Determine if any of the actions are allowed on the triple within the graph.
+	 * Determine if any of the actions are allowed on the triple within the
+	 * graph.
 	 * <p>
-	 * See evaluate( Action, SecNode, SecTriple ) for discussion of evaluation strategy.
+	 * See evaluate( Action, SecNode, SecTriple ) for discussion of evaluation
+	 * strategy.
 	 * </p>
-	 * 
+	 *
+	 * @param principal
+	 *            The principal that is attempting the action.
+	 *
 	 * @param actions
 	 *            The actions to check.
 	 * @param graphIRI
-	 *           The IRI of the graph to the action is being taken upon.  May be <code>ANY</code>.
+	 *            The IRI of the graph to the action is being taken upon. May be
+	 *            <code>ANY</code>.
 	 * @param triple
 	 *            The triple to check
 	 * @return true if any the actions are allowed, false otherwise.
-	 * @throws IllegalArgumentException if any argument is null.
+	 * @throws IllegalArgumentException
+	 *             if any argument is null.
 	 */
-	public boolean evaluateAny( Set<Action> actions, SecNode graphIRI,
-			SecTriple triple );
+	public boolean evaluateAny(Object principal, Set<Action> actions,
+			SecNode graphIRI, SecTriple triple);
 
 	/**
 	 * Determine if the user is allowed to update the "from" triple to the "to"
 	 * triple.
 	 * <p>
-	 * Update is a special case since it modifies one triple to be another.  So the user must 
-	 * have permissions to change the "from" triple into the "to" triple.
-	 * 
+	 * Update is a special case since it modifies one triple to be another. So
+	 * the user must have permissions to change the "from" triple into the "to"
+	 * triple.
+	 *
+	 * @param principal
+	 *            The principal that is attempting the action.
 	 * @param graphIRI
-	 *            The IRI of the graph to the action is being taken upon.  May be <code>ANY</code>.
+	 *            The IRI of the graph to the action is being taken upon. May be
+	 *            <code>ANY</code>.
 	 * @param from
 	 *            The triple to be changed
 	 * @param to
 	 *            The value to change it to.
 	 * @return true if the user may make the change, false otherwise.
-	 * @throws IllegalArgumentException if any argument is null.
+	 * @throws IllegalArgumentException
+	 *             if any argument is null.
 	 */
-	public boolean evaluateUpdate( SecNode graphIRI, SecTriple from,
-			SecTriple to );
+	public boolean evaluateUpdate(Object principal, SecNode graphIRI,
+			SecTriple from, SecTriple to);
 
 	/**
 	 * returns the current principal or null if there is no current principal.
-	 * 
-	 * All security evaluation methods use this method to determine who
-	 * the call is being executed as. This allows subsystems (like the listener system) 
-	 * to capture the current user
-	 * and evaluate later calls in terms of that user.
-	 * 
+	 *
+	 * All security evaluation methods use this method to determine who the call
+	 * is being executed as. This allows subsystems (like the listener system)
+	 * to capture the current user and evaluate later calls in terms of that
+	 * user.
+	 *
 	 * @return The current principal
 	 */
 	public Object getPrincipal();

http://git-wip-us.apache.org/repos/asf/jena/blob/23d1bde2/jena-security/src/main/java/org/apache/jena/security/graph/SecuredCapabilities.java
----------------------------------------------------------------------
diff --git a/jena-security/src/main/java/org/apache/jena/security/graph/SecuredCapabilities.java b/jena-security/src/main/java/org/apache/jena/security/graph/SecuredCapabilities.java
index d39e116..55dac8f 100644
--- a/jena-security/src/main/java/org/apache/jena/security/graph/SecuredCapabilities.java
+++ b/jena-security/src/main/java/org/apache/jena/security/graph/SecuredCapabilities.java
@@ -62,7 +62,7 @@ public class SecuredCapabilities implements Capabilities
 	@Override
 	public boolean addAllowed()
 	{
-		return securityEvaluator.evaluate(Action.Update, graphIRI)
+		return securityEvaluator.evaluate(securityEvaluator.getPrincipal(), Action.Update, graphIRI)
 				&& capabilities.addAllowed();
 	}
 
@@ -73,12 +73,14 @@ public class SecuredCapabilities implements Capabilities
 	@Override
 	public boolean addAllowed( final boolean everyTriple )
 	{
-		boolean retval = securityEvaluator.evaluate(Action.Update, graphIRI)
+		Object principal = securityEvaluator.getPrincipal();
+		
+		boolean retval = securityEvaluator.evaluate(principal, Action.Update, graphIRI)
 				&& capabilities.addAllowed(everyTriple);
 		if (retval && everyTriple)
 		{
 			// special security check
-			retval = securityEvaluator.evaluate(Action.Create, graphIRI,
+			retval = securityEvaluator.evaluate(principal, Action.Create, graphIRI,
 					SecTriple.ANY);
 		}
 		return retval;
@@ -96,7 +98,7 @@ public class SecuredCapabilities implements Capabilities
 	@Override
 	public boolean deleteAllowed()
 	{
-		return securityEvaluator.evaluate(Action.Update, graphIRI)
+		return securityEvaluator.evaluate(securityEvaluator.getPrincipal(), Action.Update, graphIRI)
 				&& capabilities.deleteAllowed();
 	}
 
@@ -107,12 +109,14 @@ public class SecuredCapabilities implements Capabilities
 	@Override
 	public boolean deleteAllowed( final boolean everyTriple )
 	{
-		boolean retval = securityEvaluator.evaluate(Action.Update, graphIRI)
+		Object principal = securityEvaluator.getPrincipal();
+		
+		boolean retval = securityEvaluator.evaluate(principal, Action.Update, graphIRI)
 				&& capabilities.addAllowed(everyTriple);
 		if (retval && everyTriple)
 		{
 			// special security check
-			retval = securityEvaluator.evaluate(Action.Delete, graphIRI,
+			retval = securityEvaluator.evaluate(principal, Action.Delete, graphIRI,
 					SecTriple.ANY);
 		}
 		return retval;
@@ -136,7 +140,7 @@ public class SecuredCapabilities implements Capabilities
 	@Override
 	public boolean iteratorRemoveAllowed()
 	{
-		return securityEvaluator.evaluate(Action.Update, graphIRI)
+		return securityEvaluator.evaluate(securityEvaluator.getPrincipal(), Action.Update, graphIRI)
 				&& capabilities.iteratorRemoveAllowed();
 	}
 

http://git-wip-us.apache.org/repos/asf/jena/blob/23d1bde2/jena-security/src/main/java/org/apache/jena/security/graph/SecuredGraphEventManager.java
----------------------------------------------------------------------
diff --git a/jena-security/src/main/java/org/apache/jena/security/graph/SecuredGraphEventManager.java b/jena-security/src/main/java/org/apache/jena/security/graph/SecuredGraphEventManager.java
index 70549f4..229c953 100644
--- a/jena-security/src/main/java/org/apache/jena/security/graph/SecuredGraphEventManager.java
+++ b/jena-security/src/main/java/org/apache/jena/security/graph/SecuredGraphEventManager.java
@@ -6,9 +6,9 @@
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License. You may obtain a copy of the License at
- * 
+ *
  * http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -17,16 +17,6 @@
  */
 package org.apache.jena.security.graph;
 
-import com.hp.hpl.jena.graph.Graph;
-import com.hp.hpl.jena.graph.GraphEventManager;
-import com.hp.hpl.jena.graph.GraphListener;
-import com.hp.hpl.jena.graph.Triple;
-import com.hp.hpl.jena.graph.impl.CollectionGraph;
-import com.hp.hpl.jena.util.iterator.ExtendedIterator;
-import com.hp.hpl.jena.util.iterator.NiceIterator;
-import com.hp.hpl.jena.util.iterator.WrappedIterator;
-
-import java.security.Principal;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
@@ -45,21 +35,26 @@ import org.apache.jena.security.impl.CachedSecurityEvaluator;
 import org.apache.jena.security.impl.SecuredItemImpl;
 import org.apache.jena.security.utils.PermTripleFilter;
 
+import com.hp.hpl.jena.graph.Graph;
+import com.hp.hpl.jena.graph.GraphEventManager;
+import com.hp.hpl.jena.graph.GraphListener;
+import com.hp.hpl.jena.graph.Triple;
+import com.hp.hpl.jena.graph.impl.CollectionGraph;
+import com.hp.hpl.jena.util.iterator.ExtendedIterator;
+import com.hp.hpl.jena.util.iterator.NiceIterator;
+import com.hp.hpl.jena.util.iterator.WrappedIterator;
+
 /**
- * Since we sit between the graph and other items we have  to determine when the message is 
- * first seen and send it to the underlying graph if necessary.
+ * Since we sit between the graph and other items we have to determine when the
+ * message is first seen and send it to the underlying graph if necessary.
  */
-public class SecuredGraphEventManager implements GraphEventManager
-{
-	private class SecuredGraphListener implements GraphListener
-	{
+public class SecuredGraphEventManager implements GraphEventManager {
+	private class SecuredGraphListener implements GraphListener {
 		private final GraphListener wrapped;
 		private final Object runAs;
 
-		SecuredGraphListener( final GraphListener wrapped )
-		{
-			if (wrapped == null)
-			{
+		SecuredGraphListener(final GraphListener wrapped) {
+			if (wrapped == null) {
 				throw new IllegalArgumentException(
 						"Wrapped listener may not be null");
 			}
@@ -67,32 +62,25 @@ public class SecuredGraphEventManager implements GraphEventManager
 			this.runAs = securedGraph.getSecurityEvaluator().getPrincipal();
 		}
 
-		private Triple[] getArray( final Graph g, final Triple[] triples,
-				final Set<Action> perms )
-		{
+		private Triple[] getArray(final Graph g, final Triple[] triples,
+				final Set<Action> perms) {
 			Triple[] retval = triples;
-			if (g instanceof SecuredGraphImpl)
-			{
+			if (g instanceof SecuredGraphImpl) {
 				final SecuredGraphImpl sg = (SecuredGraphImpl) g;
-				final SecurityEvaluator evaluator = CachedSecurityEvaluator
-						.getInstance(sg.getSecurityEvaluator(), runAs);
-				if (evaluator.evaluateAny(perms, sg.getModelNode()))
-				{
-					if (!evaluator.evaluateAny(perms, sg.getModelNode(),
-							SecuredItemImpl.convert(Triple.ANY)))
-					{
+				final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs);
+				if (evaluator.evaluateAny(runAs, perms, sg.getModelNode())) {
+					if (!evaluator.evaluateAny(runAs, perms, sg.getModelNode(),
+							SecuredItemImpl.convert(Triple.ANY))) {
 						final List<Triple> list = wrapPermIterator(sg,
 								Arrays.asList(triples).iterator(), perms)
 								.toList();
 						retval = list.toArray(new Triple[list.size()]);
 					}
-					else
-					{
+					else {
 						retval = triples;
 					}
 				}
-				else
-				{
+				else {
 					retval = new Triple[0];
 				}
 			}
@@ -100,248 +88,196 @@ public class SecuredGraphEventManager implements GraphEventManager
 		}
 
 		@Override
-		public void notifyAddArray( final Graph g, final Triple[] triples )
-		{
+		public void notifyAddArray(final Graph g, final Triple[] triples) {
 			final Triple[] added = getArray(g, triples,
 					SecuredGraphEventManager.ADD);
 
-			if (added.length > 0)
-			{
+			if (added.length > 0) {
 				wrapped.notifyAddArray(g, added);
 			}
 		}
 
 		@Override
-		public void notifyAddGraph( final Graph g, final Graph added )
-		{
+		public void notifyAddGraph(final Graph g, final Graph added) {
 			Graph addGraph = added;
-			if (g instanceof SecuredGraph)
-			{
+			if (g instanceof SecuredGraph) {
 				final SecuredGraph sg = (SecuredGraph) g;
-				final SecurityEvaluator evaluator = CachedSecurityEvaluator
-						.getInstance(sg.getSecurityEvaluator(), runAs);
-				if (evaluator.evaluateAny(SecuredGraphEventManager.ADD,
-						sg.getModelNode()))
-				{
-					if (!evaluator.evaluateAny(SecuredGraphEventManager.ADD,
-							sg.getModelNode(),
-							SecuredItemImpl.convert(Triple.ANY)))
-					{
+				final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs);
+				if (evaluator.evaluateAny(runAs, SecuredGraphEventManager.ADD,
+						sg.getModelNode())) {
+					if (!evaluator.evaluateAny(runAs,
+							SecuredGraphEventManager.ADD, sg.getModelNode(),
+							SecuredItemImpl.convert(Triple.ANY))) {
 						final List<Triple> lst = added.find(Triple.ANY)
 								.toList();
 						addGraph = new CollectionGraph(Arrays.asList(getArray(
 								g, lst.toArray(new Triple[lst.size()]),
 								SecuredGraphEventManager.ADD)));
 					}
-					else
-					{
+					else {
 						addGraph = added;
 					}
 				}
-				else
-				{
+				else {
 					addGraph = new CollectionGraph(
 							Collections.<Triple> emptyList());
 				}
 			}
-			if (addGraph.size() > 0)
-			{
+			if (addGraph.size() > 0) {
 				wrapped.notifyAddGraph(g, addGraph);
 
 			}
 		}
 
 		@Override
-		public void notifyAddIterator( final Graph g, final Iterator<Triple> it )
-		{
+		public void notifyAddIterator(final Graph g, final Iterator<Triple> it) {
 
-			if (g instanceof SecuredGraphImpl)
-			{
+			if (g instanceof SecuredGraphImpl) {
 				final SecuredGraphImpl sg = (SecuredGraphImpl) g;
-				final SecurityEvaluator evaluator = CachedSecurityEvaluator
-						.getInstance(sg.getSecurityEvaluator(), runAs);
+				final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs);
 				// only report if we can write to the graph
-				if (evaluator.evaluateAny(SecuredGraphEventManager.ADD,
-						sg.getModelNode()))
-				{
+				if (evaluator.evaluateAny(runAs, SecuredGraphEventManager.ADD,
+						sg.getModelNode())) {
 					final ExtendedIterator<Triple> iter = wrapPermIterator(sg,
 							it, SecuredGraphEventManager.ADD);
-					try
-					{
+					try {
 						wrapped.notifyAddIterator(g, iter);
-					}
-					finally
-					{
+					} finally {
 						iter.close();
 					}
 				}
 			}
-			else
-			{
+			else {
 				wrapped.notifyAddIterator(g, it);
 			}
 
 		}
 
 		@Override
-		public void notifyAddList( final Graph g, final List<Triple> triples )
-		{
+		public void notifyAddList(final Graph g, final List<Triple> triples) {
 			List<Triple> list = triples;
-			if (g instanceof SecuredGraphImpl)
-			{
+			if (g instanceof SecuredGraphImpl) {
 				final SecuredGraphImpl sg = (SecuredGraphImpl) g;
-				final SecurityEvaluator evaluator = CachedSecurityEvaluator
-						.getInstance(sg.getSecurityEvaluator(), runAs);
-				if (evaluator.evaluateAny(SecuredGraphEventManager.ADD,
-						sg.getModelNode()))
-				{
-					if (!evaluator.evaluateAny(SecuredGraphEventManager.ADD,
-							sg.getModelNode(),
-							SecuredItemImpl.convert(Triple.ANY)))
-					{
+				final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs);
+				if (evaluator.evaluateAny(runAs, SecuredGraphEventManager.ADD,
+						sg.getModelNode())) {
+					if (!evaluator.evaluateAny(runAs,
+							SecuredGraphEventManager.ADD, sg.getModelNode(),
+							SecuredItemImpl.convert(Triple.ANY))) {
 						list = wrapPermIterator(sg, triples.iterator(),
 								SecuredGraphEventManager.ADD).toList();
 					}
-					else
-					{
+					else {
 						list = triples;
 					}
 				}
-				else
-				{
+				else {
 					list = Collections.emptyList();
 				}
 			}
 
-			if (list.size() > 0)
-			{
+			if (list.size() > 0) {
 
 				wrapped.notifyAddList(g, list);
 			}
 		}
 
 		@Override
-		public void notifyAddTriple( final Graph g, final Triple t )
-		{
+		public void notifyAddTriple(final Graph g, final Triple t) {
 			boolean notify = false;
-			if (g instanceof SecuredGraph)
-			{
+			if (g instanceof SecuredGraph) {
 				final SecuredGraph sg = (SecuredGraph) g;
-				final SecurityEvaluator evaluator = CachedSecurityEvaluator
-						.getInstance(sg.getSecurityEvaluator(), runAs);
-				notify = evaluator.evaluateAny(SecuredGraphEventManager.ADD,
-						sg.getModelNode());
-				if (notify)
-				{
-					notify = evaluator.evaluateAny(
+				final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs);
+				notify = evaluator.evaluateAny(runAs,
+						SecuredGraphEventManager.ADD, sg.getModelNode());
+				if (notify) {
+					notify = evaluator.evaluateAny(runAs,
 							SecuredGraphEventManager.ADD, sg.getModelNode(),
 							SecuredItemImpl.convert(t));
 				}
 			}
-			else
-			{
+			else {
 				notify = true;
 			}
-			if (notify)
-			{
+			if (notify) {
 				wrapped.notifyAddTriple(g, t);
 			}
 		}
 
 		@Override
-		public void notifyDeleteArray( final Graph g, final Triple[] triples )
-		{
+		public void notifyDeleteArray(final Graph g, final Triple[] triples) {
 			Triple[] deleted = triples;
-			if (g instanceof SecuredGraphImpl)
-			{
+			if (g instanceof SecuredGraphImpl) {
 				final SecuredGraphImpl sg = (SecuredGraphImpl) g;
-				final SecurityEvaluator evaluator = CachedSecurityEvaluator
-						.getInstance(sg.getSecurityEvaluator(), runAs);
-				if (evaluator.evaluateAny(SecuredGraphEventManager.DELETE,
-						sg.getModelNode()))
-				{
-					if (!evaluator.evaluateAny(SecuredGraphEventManager.DELETE,
-							sg.getModelNode(),
-							SecuredItemImpl.convert(Triple.ANY)))
-					{
+				final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs);
+				if (evaluator.evaluateAny(runAs,
+						SecuredGraphEventManager.DELETE, sg.getModelNode())) {
+					if (!evaluator.evaluateAny(runAs,
+							SecuredGraphEventManager.DELETE, sg.getModelNode(),
+							SecuredItemImpl.convert(Triple.ANY))) {
 						final List<Triple> list = wrapPermIterator(sg,
 								Arrays.asList(triples).iterator(),
 								SecuredGraphEventManager.DELETE).toList();
 						deleted = list.toArray(new Triple[list.size()]);
 					}
-					else
-					{
+					else {
 						deleted = triples;
 					}
 				}
-				else
-				{
+				else {
 					deleted = new Triple[0];
 				}
 			}
 
-			if (deleted.length > 0)
-			{
+			if (deleted.length > 0) {
 				wrapped.notifyDeleteArray(g, deleted);
 			}
 		}
 
 		@Override
-		public void notifyDeleteGraph( final Graph g, final Graph removed )
-		{
-			if (g instanceof SecuredGraphImpl)
-			{
+		public void notifyDeleteGraph(final Graph g, final Graph removed) {
+			if (g instanceof SecuredGraphImpl) {
 				final SecuredGraphImpl sg = (SecuredGraphImpl) g;
-				final SecurityEvaluator evaluator = CachedSecurityEvaluator
-						.getInstance(sg.getSecurityEvaluator(), runAs);
-				if (evaluator.evaluateAny(SecuredGraphEventManager.DELETE,
-						sg.getModelNode()))
-				{
+				final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs);
+				if (evaluator.evaluateAny(runAs,
+						SecuredGraphEventManager.DELETE, sg.getModelNode())) {
 					Graph g2 = removed;
-					if (!evaluator.evaluateAny(SecuredGraphEventManager.DELETE,
-							sg.getModelNode(),
-							SecuredItemImpl.convert(Triple.ANY)))
-					{
+					if (!evaluator.evaluateAny(runAs,
+							SecuredGraphEventManager.DELETE, sg.getModelNode(),
+							SecuredItemImpl.convert(Triple.ANY))) {
 						g2 = new CollectionGraph(
 								removed.find(Triple.ANY)
-										.filterKeep(
-												new PermTripleFilter(
-														SecuredGraphEventManager.DELETE,
-														sg, evaluator))
-										.toList());
+								.filterKeep(
+										new PermTripleFilter(
+												SecuredGraphEventManager.DELETE,
+												sg, evaluator))
+												.toList());
 
 					}
 					wrapped.notifyDeleteGraph(g, g2);
 				}
-				else
-				{
+				else {
 					// do nothing.
 				}
 			}
-			else
-			{
+			else {
 				wrapped.notifyDeleteGraph(g, removed);
 			}
 		}
 
 		@Override
-		public void notifyDeleteIterator( final Graph g,
-				final Iterator<Triple> it )
-		{
+		public void notifyDeleteIterator(final Graph g,
+				final Iterator<Triple> it) {
 			Iterator<Triple> iter = it;
-			if (g instanceof SecuredGraphImpl)
-			{
+			if (g instanceof SecuredGraphImpl) {
 				final SecuredGraphImpl sg = (SecuredGraphImpl) g;
-				final SecurityEvaluator evaluator = CachedSecurityEvaluator
-						.getInstance(sg.getSecurityEvaluator(), runAs);
-				if (evaluator.evaluateAny(SecuredGraphEventManager.DELETE,
-						sg.getModelNode()))
-				{
-
-					if (!evaluator.evaluateAny(SecuredGraphEventManager.DELETE,
-							sg.getModelNode(),
-							SecuredItemImpl.convert(Triple.ANY)))
-					{
+				final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs);
+				if (evaluator.evaluateAny(runAs,
+						SecuredGraphEventManager.DELETE, sg.getModelNode())) {
+
+					if (!evaluator.evaluateAny(runAs,
+							SecuredGraphEventManager.DELETE, sg.getModelNode(),
+							SecuredItemImpl.convert(Triple.ANY))) {
 						iter = WrappedIterator.create(it).filterKeep(
 								new PermTripleFilter(
 										SecuredGraphEventManager.DELETE, sg,
@@ -350,34 +286,27 @@ public class SecuredGraphEventManager implements GraphEventManager
 					// else use the default list as all can bee seen
 					wrapped.notifyDeleteIterator(g, iter);
 				}
-				else
-				{
+				else {
 					// do nothing.
 				}
 			}
-			else
-			{
+			else {
 				wrapped.notifyDeleteIterator(g, iter);
 			}
 
 		}
 
 		@Override
-		public void notifyDeleteList( final Graph g, final List<Triple> triples )
-		{
+		public void notifyDeleteList(final Graph g, final List<Triple> triples) {
 			List<Triple> list = triples;
-			if (g instanceof SecuredGraphImpl)
-			{
+			if (g instanceof SecuredGraphImpl) {
 				final SecuredGraphImpl sg = (SecuredGraphImpl) g;
-				final SecurityEvaluator evaluator = CachedSecurityEvaluator
-						.getInstance(sg.getSecurityEvaluator(), runAs);
-				if (evaluator.evaluateAny(SecuredGraphEventManager.DELETE,
-						sg.getModelNode()))
-				{
-					if (!evaluator.evaluateAny(SecuredGraphEventManager.DELETE,
-							sg.getModelNode(),
-							SecuredItemImpl.convert(Triple.ANY)))
-					{
+				final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs);
+				if (evaluator.evaluateAny(runAs,
+						SecuredGraphEventManager.DELETE, sg.getModelNode())) {
+					if (!evaluator.evaluateAny(runAs,
+							SecuredGraphEventManager.DELETE, sg.getModelNode(),
+							SecuredItemImpl.convert(Triple.ANY))) {
 						list = WrappedIterator
 								.create(triples.iterator())
 								.filterKeep(
@@ -387,67 +316,55 @@ public class SecuredGraphEventManager implements GraphEventManager
 					}
 					// else use the default list as all can bee seen
 				}
-				else
-				{
+				else {
 					list = Collections.emptyList();
 				}
 			}
 
-			if (list.size() > 0)
-			{
+			if (list.size() > 0) {
 				wrapped.notifyDeleteList(g, list);
 			}
 		}
 
 		@Override
-		public void notifyDeleteTriple( final Graph g, final Triple t )
-		{
+		public void notifyDeleteTriple(final Graph g, final Triple t) {
 			boolean notify = false;
-			if (g instanceof SecuredGraph)
-			{
+			if (g instanceof SecuredGraph) {
 				final SecuredGraph sg = (SecuredGraph) g;
-				final SecurityEvaluator evaluator = CachedSecurityEvaluator
-						.getInstance(sg.getSecurityEvaluator(), runAs);
-				notify = evaluator.evaluateAny(SecuredGraphEventManager.DELETE,
-						sg.getModelNode());
-				if (notify)
-				{
-					notify = evaluator.evaluateAny(
+				final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs);
+				notify = evaluator.evaluateAny(runAs,
+						SecuredGraphEventManager.DELETE, sg.getModelNode());
+				if (notify) {
+					notify = evaluator.evaluateAny(runAs,
 							SecuredGraphEventManager.DELETE, sg.getModelNode(),
 							SecuredItemImpl.convert(t));
 				}
 			}
-			else
-			{
+			else {
 				notify = true;
 			}
-			if (notify)
-			{
+			if (notify) {
 				wrapped.notifyDeleteTriple(g, t);
 			}
 		}
 
 		@Override
-		public void notifyEvent( final Graph source, final Object value )
-		{
+		public void notifyEvent(final Graph source, final Object value) {
 			wrapped.notifyEvent(source, value);
 		}
 
 		private ExtendedIterator<Triple> wrapPermIterator(
 				final SecuredGraphImpl sg, final Iterator<Triple> it,
-				final Set<Action> perms )
-		{
-			final SecurityEvaluator evaluator = CachedSecurityEvaluator
-					.getInstance(sg.getSecurityEvaluator(), runAs);
-			if (!evaluator.evaluateAny(perms, sg.getModelNode(),
-					SecuredItemImpl.convert(Triple.ANY)))
-			{
+				final Set<Action> perms) {
+			final SecurityEvaluator evaluator = new CachedSecurityEvaluator(sg.getSecurityEvaluator(), runAs);
+			if (!evaluator.evaluateAny(runAs, perms, sg.getModelNode(),
+					SecuredItemImpl.convert(Triple.ANY))) {
 				// nope so wrap the iterator with security iterator
 				return WrappedIterator.create(it).filterKeep(
 						new PermTripleFilter(perms, sg, evaluator));
 			}
 			return WrappedIterator.create(it);
-		}
+				}
 
 	}
 
@@ -459,251 +376,203 @@ public class SecuredGraphEventManager implements GraphEventManager
 
 	private static Set<Action> ADD;
 
-	static
-	{
+	static {
 		SecuredGraphEventManager.ADD = new HashSet<Action>(
-				Arrays.asList(new Action[] { Action.Create, Action.Read }));
+				Arrays.asList(new Action[] {
+						Action.Create, Action.Read
+				}));
 		SecuredGraphEventManager.DELETE = new HashSet<Action>(
-				Arrays.asList(new Action[] { Action.Delete, Action.Read }));
+				Arrays.asList(new Action[] {
+						Action.Delete, Action.Read
+				}));
 	}
 
-	public SecuredGraphEventManager( final SecuredGraph securedGraph,
-			final Graph baseGraph, final GraphEventManager manager )
-	{
+	public SecuredGraphEventManager(final SecuredGraph securedGraph,
+			final Graph baseGraph, final GraphEventManager manager) {
 		this.securedGraph = securedGraph;
 		this.baseGraph = baseGraph;
 		manager.register(this);
 	}
 
-	private synchronized Collection<SecuredGraphListener> getListenerCollection()
-	{
+	private synchronized Collection<SecuredGraphListener> getListenerCollection() {
 		ExtendedIterator<SecuredGraphListener> retval = NiceIterator
 				.emptyIterator();
-		for (final Collection<SecuredGraphListener> coll : listenerMap.values())
-		{
+		for (final Collection<SecuredGraphListener> coll : listenerMap.values()) {
 			retval = retval.andThen(coll.iterator());
 		}
 		return retval.toList();
 	}
 
 	@Override
-	public boolean listening()
-	{
+	public boolean listening() {
 		return !listenerMap.isEmpty();
 	}
 
 	@Override
-	public void notifyAddArray( final Graph g, final Triple[] triples )
-	{
+	public void notifyAddArray(final Graph g, final Triple[] triples) {
 		final boolean wrap = baseGraph.equals(g);
 
-		for (final SecuredGraphListener sgl : getListenerCollection())
-		{
-			if (wrap)
-			{
+		for (final SecuredGraphListener sgl : getListenerCollection()) {
+			if (wrap) {
 				sgl.notifyAddArray(securedGraph, triples);
 			}
-			else
-			{
+			else {
 				sgl.notifyAddArray(g, triples);
 			}
 		}
 	}
 
 	@Override
-	public void notifyAddGraph( final Graph g, final Graph added )
-	{
+	public void notifyAddGraph(final Graph g, final Graph added) {
 		final boolean wrap = baseGraph.equals(g);
 
-		for (final SecuredGraphListener sgl : getListenerCollection())
-		{
-			if (wrap)
-			{
+		for (final SecuredGraphListener sgl : getListenerCollection()) {
+			if (wrap) {
 				sgl.notifyAddGraph(securedGraph, added);
 			}
-			else
-			{
+			else {
 				sgl.notifyAddGraph(g, added);
 			}
 		}
 	}
 
 	@Override
-	public void notifyAddIterator( final Graph g, final Iterator<Triple> it )
-	{
+	public void notifyAddIterator(final Graph g, final Iterator<Triple> it) {
 		notifyAddIterator(g, WrappedIterator.create(it).toList());
 		baseGraph.equals(g);
 	}
 
 	@Override
-	public void notifyAddIterator( final Graph g, final List<Triple> triples )
-	{
+	public void notifyAddIterator(final Graph g, final List<Triple> triples) {
 		final boolean wrap = baseGraph.equals(g);
 
-		for (final SecuredGraphListener sgl : getListenerCollection())
-		{
-			if (wrap)
-			{
+		for (final SecuredGraphListener sgl : getListenerCollection()) {
+			if (wrap) {
 				sgl.notifyAddIterator(securedGraph, triples.iterator());
 			}
-			else
-			{
+			else {
 				sgl.notifyAddIterator(g, triples.iterator());
 			}
 		}
 	}
 
 	@Override
-	public void notifyAddList( final Graph g, final List<Triple> triples )
-	{
+	public void notifyAddList(final Graph g, final List<Triple> triples) {
 		final boolean wrap = baseGraph.equals(g);
 
-		for (final SecuredGraphListener sgl : getListenerCollection())
-		{
-			if (wrap)
-			{
+		for (final SecuredGraphListener sgl : getListenerCollection()) {
+			if (wrap) {
 				sgl.notifyAddList(securedGraph, triples);
 			}
-			else
-			{
+			else {
 				sgl.notifyAddList(g, triples);
 			}
 		}
 	}
 
 	@Override
-	public void notifyAddTriple( final Graph g, final Triple t )
-	{
+	public void notifyAddTriple(final Graph g, final Triple t) {
 		final boolean wrap = baseGraph.equals(g);
 
-		for (final SecuredGraphListener sgl : getListenerCollection())
-		{
-			if (wrap)
-			{
+		for (final SecuredGraphListener sgl : getListenerCollection()) {
+			if (wrap) {
 				sgl.notifyAddTriple(securedGraph, t);
 			}
-			else
-			{
+			else {
 				sgl.notifyAddTriple(g, t);
 			}
 		}
 	}
 
 	@Override
-	public void notifyDeleteArray( final Graph g, final Triple[] triples )
-	{
+	public void notifyDeleteArray(final Graph g, final Triple[] triples) {
 		final boolean wrap = baseGraph.equals(g);
 
-		for (final SecuredGraphListener sgl : getListenerCollection())
-		{
-			if (wrap)
-			{
+		for (final SecuredGraphListener sgl : getListenerCollection()) {
+			if (wrap) {
 				sgl.notifyDeleteArray(securedGraph, triples);
 			}
-			else
-			{
+			else {
 				sgl.notifyDeleteArray(g, triples);
 			}
 		}
 	}
 
 	@Override
-	public void notifyDeleteGraph( final Graph g, final Graph removed )
-	{
+	public void notifyDeleteGraph(final Graph g, final Graph removed) {
 		final boolean wrap = baseGraph.equals(g);
 
-		for (final SecuredGraphListener sgl : getListenerCollection())
-		{
-			if (wrap)
-			{
+		for (final SecuredGraphListener sgl : getListenerCollection()) {
+			if (wrap) {
 				sgl.notifyDeleteGraph(securedGraph, removed);
 			}
-			else
-			{
+			else {
 				sgl.notifyDeleteGraph(g, removed);
 			}
 		}
 	}
 
 	@Override
-	public void notifyDeleteIterator( final Graph g, final Iterator<Triple> it )
-	{
+	public void notifyDeleteIterator(final Graph g, final Iterator<Triple> it) {
 		notifyDeleteIterator(g, WrappedIterator.create(it).toList());
 	}
 
 	@Override
-	public void notifyDeleteIterator( final Graph g, final List<Triple> triples )
-	{
+	public void notifyDeleteIterator(final Graph g, final List<Triple> triples) {
 		final boolean wrap = baseGraph.equals(g);
 
-		for (final SecuredGraphListener sgl : getListenerCollection())
-		{
-			if (wrap)
-			{
+		for (final SecuredGraphListener sgl : getListenerCollection()) {
+			if (wrap) {
 				sgl.notifyDeleteIterator(securedGraph, triples.iterator());
 			}
-			else
-			{
+			else {
 				sgl.notifyDeleteIterator(g, triples.iterator());
 			}
 		}
 	}
 
 	@Override
-	public void notifyDeleteList( final Graph g, final List<Triple> L )
-	{
+	public void notifyDeleteList(final Graph g, final List<Triple> L) {
 		final boolean wrap = baseGraph.equals(g);
 
-		for (final SecuredGraphListener sgl : getListenerCollection())
-		{
-			if (wrap)
-			{
+		for (final SecuredGraphListener sgl : getListenerCollection()) {
+			if (wrap) {
 				sgl.notifyDeleteList(securedGraph, L);
 			}
-			else
-			{
+			else {
 				sgl.notifyDeleteList(g, L);
 			}
 		}
 	}
 
 	@Override
-	public void notifyDeleteTriple( final Graph g, final Triple t )
-	{
+	public void notifyDeleteTriple(final Graph g, final Triple t) {
 		final boolean wrap = baseGraph.equals(g);
 
-		for (final SecuredGraphListener sgl : getListenerCollection())
-		{
-			if (wrap)
-			{
+		for (final SecuredGraphListener sgl : getListenerCollection()) {
+			if (wrap) {
 				sgl.notifyDeleteTriple(securedGraph, t);
 			}
-			else
-			{
+			else {
 				sgl.notifyDeleteTriple(g, t);
 			}
 		}
 	}
 
 	@Override
-	public void notifyEvent( final Graph source, final Object value )
-	{
-		if (source instanceof SecuredGraph && securedGraph.equals(source))
-		{
-			baseGraph.getEventManager().notifyEvent( baseGraph, value);
+	public void notifyEvent(final Graph source, final Object value) {
+		if ((source instanceof SecuredGraph) && securedGraph.equals(source)) {
+			baseGraph.getEventManager().notifyEvent(baseGraph, value);
 		}
 		else {
-		
+
 			final boolean wrap = baseGraph.equals(source);
 
-			for (final SecuredGraphListener sgl : getListenerCollection())
-			{
-				if (wrap)
-				{
+			for (final SecuredGraphListener sgl : getListenerCollection()) {
+				if (wrap) {
 					sgl.notifyEvent(securedGraph, value);
 				}
-				else
-				{
+				else {
 					sgl.notifyEvent(source, value);
 				}
 			}
@@ -711,11 +580,9 @@ public class SecuredGraphEventManager implements GraphEventManager
 	}
 
 	@Override
-	public synchronized GraphEventManager register( final GraphListener listener )
-	{
+	public synchronized GraphEventManager register(final GraphListener listener) {
 		Stack<SecuredGraphListener> sgl = listenerMap.get(listener);
-		if (sgl == null)
-		{
+		if (sgl == null) {
 			sgl = new Stack<SecuredGraphListener>();
 		}
 		sgl.push(new SecuredGraphListener(listener));
@@ -725,17 +592,13 @@ public class SecuredGraphEventManager implements GraphEventManager
 
 	@Override
 	public synchronized GraphEventManager unregister(
-			final GraphListener listener )
-	{
+			final GraphListener listener) {
 		final Stack<SecuredGraphListener> sgl = listenerMap.get(listener);
-		if (sgl != null)
-		{
-			if (sgl.size() == 1)
-			{
+		if (sgl != null) {
+			if (sgl.size() == 1) {
 				listenerMap.remove(listener);
 			}
-			else
-			{
+			else {
 				sgl.pop();
 				listenerMap.put(listener, sgl);
 			}

http://git-wip-us.apache.org/repos/asf/jena/blob/23d1bde2/jena-security/src/main/java/org/apache/jena/security/impl/CachedSecurityEvaluator.java
----------------------------------------------------------------------
diff --git a/jena-security/src/main/java/org/apache/jena/security/impl/CachedSecurityEvaluator.java b/jena-security/src/main/java/org/apache/jena/security/impl/CachedSecurityEvaluator.java
index 342f35b..ffc2868 100644
--- a/jena-security/src/main/java/org/apache/jena/security/impl/CachedSecurityEvaluator.java
+++ b/jena-security/src/main/java/org/apache/jena/security/impl/CachedSecurityEvaluator.java
@@ -6,9 +6,9 @@
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License. You may obtain a copy of the License at
- * 
+ *
  * http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -17,91 +17,74 @@
  */
 package org.apache.jena.security.impl;
 
-import java.lang.reflect.InvocationHandler;
-import java.lang.reflect.Method;
-import java.lang.reflect.Proxy;
-import java.util.LinkedHashSet;
 import java.util.Set;
 
-import org.apache.commons.lang.ClassUtils;
 import org.apache.jena.security.SecurityEvaluator;
 
 /**
  * A SecurityEvaluator that can be cached for later use.
  */
-public class CachedSecurityEvaluator implements InvocationHandler
-{
+public class CachedSecurityEvaluator implements SecurityEvaluator {
 	private final SecurityEvaluator wrapped;
 	private final Object origPrincipal;
 
-	// The getPrincipal() method.
-	private static Method GET_PRINCIPAL;
+	/**
+	 *
+	 * @param wrapped
+	 * @param runAs
+	 */
+	public CachedSecurityEvaluator(final SecurityEvaluator wrapped,
+			final Object runAs) {
+		this.origPrincipal = runAs;
+		this.wrapped = wrapped;
+	}
 
-	static
-	{
-		try
-		{
-			CachedSecurityEvaluator.GET_PRINCIPAL = SecurityEvaluator.class
-					.getMethod("getPrincipal");
-		}
-		catch (final SecurityException e)
-		{
-			throw new RuntimeException(e);
-		}
-		catch (final NoSuchMethodException e)
-		{
-			throw new RuntimeException(e);
-		}
+	@Override
+	public boolean evaluate(final Object principal, final Action action,
+			final SecNode graphIRI) {
+		return wrapped.evaluate(principal, action, graphIRI);
 	}
 
-	/**
-	 * Create an instance.
-	 * @param evaluator The security evaluator we are caching.
-	 * @param runAs The principal that we want to use when checking the permissions.
-	 * @return The proxied SecurityEvaluator.
-	 */
-	public static SecurityEvaluator getInstance(
-			final SecurityEvaluator evaluator, final Object runAs )
-	{
-		final Set<Class<?>> ifac = new LinkedHashSet<Class<?>>();
-		if (evaluator.getClass().isInterface())
-		{
-			ifac.add(evaluator.getClass());
-		}
-		ifac.addAll(ClassUtils.getAllInterfaces(evaluator.getClass()));
+	@Override
+	public boolean evaluate(final Object principal, final Action action,
+			final SecNode graphIRI, final SecTriple triple) {
+		return wrapped.evaluate(principal, action, graphIRI, triple);
+	}
 
-		return (SecurityEvaluator) Proxy.newProxyInstance(
-				SecuredItemImpl.class.getClassLoader(),
-				ifac.toArray(new Class<?>[ifac.size()]),
-				new CachedSecurityEvaluator(evaluator, runAs));
+	@Override
+	public boolean evaluate(final Object principal, final Set<Action> actions,
+			final SecNode graphIRI) {
+		return wrapped.evaluate(principal, actions, graphIRI);
 	}
 
-	/**
-	 * 
-	 * @param wrapped
-	 * @param runAs
-	 */
-	private CachedSecurityEvaluator( final SecurityEvaluator wrapped,
-			final Object runAs )
-	{
-		origPrincipal = runAs;
-		this.wrapped = wrapped;
+	@Override
+	public boolean evaluate(final Object principal, final Set<Action> actions,
+			final SecNode graphIRI, final SecTriple triple) {
+		return wrapped.evaluate(principal, actions, graphIRI, triple);
 	}
 
 	@Override
-	public Object invoke( final Object proxy, final Method method,
-			final Object[] args ) throws Throwable
-	{
-		// check for the special case methods
-		if (CachedSecurityEvaluator.GET_PRINCIPAL.equals(method))
-		{
-			return origPrincipal;
-		}
+	public boolean evaluateAny(final Object principal,
+			final Set<Action> actions, final SecNode graphIRI) {
+		return wrapped.evaluateAny(principal, actions, graphIRI);
+	}
 
-		// if we get here then the method is not being proxied so call the
-		// original method
-		// on the base item.
-		return method.invoke(wrapped, args);
+	@Override
+	public boolean evaluateAny(final Object principal,
+			final Set<Action> actions, final SecNode graphIRI,
+			final SecTriple triple) {
+		return wrapped.evaluateAny(principal, actions, graphIRI, triple);
+	}
+
+	@Override
+	public boolean evaluateUpdate(final Object principal,
+			final SecNode graphIRI, final SecTriple from, final SecTriple to) {
+		return wrapped.evaluateUpdate(principal, graphIRI, from, to);
+	}
 
+	@Override
+	public Object getPrincipal() {
+		return origPrincipal;
 	}
+
 }

http://git-wip-us.apache.org/repos/asf/jena/blob/23d1bde2/jena-security/src/main/java/org/apache/jena/security/impl/SecuredItemImpl.java
----------------------------------------------------------------------
diff --git a/jena-security/src/main/java/org/apache/jena/security/impl/SecuredItemImpl.java b/jena-security/src/main/java/org/apache/jena/security/impl/SecuredItemImpl.java
index b095356..dac1036 100644
--- a/jena-security/src/main/java/org/apache/jena/security/impl/SecuredItemImpl.java
+++ b/jena-security/src/main/java/org/apache/jena/security/impl/SecuredItemImpl.java
@@ -334,7 +334,7 @@ public abstract class SecuredItemImpl implements SecuredItem
 		Boolean retval = cacheGet(key);
 		if (retval == null)
 		{
-			retval = securityEvaluator.evaluate(Action.Create, modelNode);
+			retval = securityEvaluator.evaluate(securityEvaluator.getPrincipal(),Action.Create, modelNode);
 			cachePut(key, retval);
 		}
 		return retval;
@@ -352,7 +352,7 @@ public abstract class SecuredItemImpl implements SecuredItem
 		Boolean retval = cacheGet(key);
 		if (retval == null)
 		{
-			retval = securityEvaluator.evaluate(Action.Create, modelNode, t);
+			retval = securityEvaluator.evaluate(securityEvaluator.getPrincipal(),Action.Create, modelNode, t);
 			cachePut(key, retval);
 		}
 		return retval;
@@ -375,7 +375,7 @@ public abstract class SecuredItemImpl implements SecuredItem
 		Boolean retval = cacheGet(key);
 		if (retval == null)
 		{
-			retval = securityEvaluator.evaluate(Action.Delete, modelNode);
+			retval = securityEvaluator.evaluate(securityEvaluator.getPrincipal(),Action.Delete, modelNode);
 			cachePut(key, retval);
 		}
 		return retval;
@@ -393,7 +393,7 @@ public abstract class SecuredItemImpl implements SecuredItem
 		Boolean retval = cacheGet(key);
 		if (retval == null)
 		{
-			retval = securityEvaluator.evaluate(Action.Delete, modelNode, t);
+			retval = securityEvaluator.evaluate(securityEvaluator.getPrincipal(),Action.Delete, modelNode, t);
 			cachePut(key, retval);
 		}
 		return retval;
@@ -416,7 +416,7 @@ public abstract class SecuredItemImpl implements SecuredItem
 		Boolean retval = cacheGet(key);
 		if (retval == null)
 		{
-			retval = securityEvaluator.evaluate(Action.Read, modelNode);
+			retval = securityEvaluator.evaluate(securityEvaluator.getPrincipal(),Action.Read, modelNode);
 			cachePut(key, retval);
 		}
 		return retval;
@@ -434,7 +434,7 @@ public abstract class SecuredItemImpl implements SecuredItem
 		Boolean retval = cacheGet(key);
 		if (retval == null)
 		{
-			retval = securityEvaluator.evaluate(Action.Read, modelNode, t);
+			retval = securityEvaluator.evaluate(securityEvaluator.getPrincipal(),Action.Read, modelNode, t);
 			cachePut(key, retval);
 		}
 		return retval;
@@ -457,7 +457,7 @@ public abstract class SecuredItemImpl implements SecuredItem
 		Boolean retval = cacheGet(key);
 		if (retval == null)
 		{
-			retval = securityEvaluator.evaluate(Action.Update, modelNode);
+			retval = securityEvaluator.evaluate(securityEvaluator.getPrincipal(),Action.Update, modelNode);
 			cachePut(key, retval);
 		}
 		return retval;
@@ -477,7 +477,7 @@ public abstract class SecuredItemImpl implements SecuredItem
 		Boolean retval = cacheGet(key);
 		if (retval == null)
 		{
-			retval = securityEvaluator.evaluateUpdate(modelNode, from, to);
+			retval = securityEvaluator.evaluateUpdate(securityEvaluator.getPrincipal(),modelNode, from, to);
 			cachePut(key, retval);
 		}
 		return retval;

http://git-wip-us.apache.org/repos/asf/jena/blob/23d1bde2/jena-security/src/main/java/org/apache/jena/security/model/impl/SecuredRDFListImpl.java
----------------------------------------------------------------------
diff --git a/jena-security/src/main/java/org/apache/jena/security/model/impl/SecuredRDFListImpl.java b/jena-security/src/main/java/org/apache/jena/security/model/impl/SecuredRDFListImpl.java
index d0b07c0..4397244 100644
--- a/jena-security/src/main/java/org/apache/jena/security/model/impl/SecuredRDFListImpl.java
+++ b/jena-security/src/main/java/org/apache/jena/security/model/impl/SecuredRDFListImpl.java
@@ -895,7 +895,7 @@ public class SecuredRDFListImpl extends SecuredResourceImpl implements
 		// have to be able to read and delete to delete all.
 		final Set<Action> perms = SecurityEvaluator.Util.asSet(new Action[] {
 				Action.Delete, Action.Read });
-		if (getSecurityEvaluator().evaluate(perms, this.getModelNode(),
+		if (getSecurityEvaluator().evaluate(getSecurityEvaluator().getPrincipal(), perms, this.getModelNode(),
 				SecuredItemImpl.convert(t)))
 		{
 			holder.getBaseItem().removeList();

http://git-wip-us.apache.org/repos/asf/jena/blob/23d1bde2/jena-security/src/main/java/org/apache/jena/security/model/impl/SecuredRSIterator.java
----------------------------------------------------------------------
diff --git a/jena-security/src/main/java/org/apache/jena/security/model/impl/SecuredRSIterator.java b/jena-security/src/main/java/org/apache/jena/security/model/impl/SecuredRSIterator.java
index 15d5626..3eae571 100644
--- a/jena-security/src/main/java/org/apache/jena/security/model/impl/SecuredRSIterator.java
+++ b/jena-security/src/main/java/org/apache/jena/security/model/impl/SecuredRSIterator.java
@@ -55,7 +55,7 @@ public class SecuredRSIterator implements RSIterator
 		@Override
 		public boolean accept( final ReifiedStatement t )
 		{
-			return evaluator.evaluateAny(actions, modelNode,
+			return evaluator.evaluateAny(evaluator.getPrincipal(), actions, modelNode,
 					SecuredItemImpl.convert(t.getStatement().asTriple()));
 		}
 

http://git-wip-us.apache.org/repos/asf/jena/blob/23d1bde2/jena-security/src/main/java/org/apache/jena/security/query/SecuredQueryEngine.java
----------------------------------------------------------------------
diff --git a/jena-security/src/main/java/org/apache/jena/security/query/SecuredQueryEngine.java b/jena-security/src/main/java/org/apache/jena/security/query/SecuredQueryEngine.java
index 2068f65..b6e5e07 100644
--- a/jena-security/src/main/java/org/apache/jena/security/query/SecuredQueryEngine.java
+++ b/jena-security/src/main/java/org/apache/jena/security/query/SecuredQueryEngine.java
@@ -93,49 +93,49 @@ public class SecuredQueryEngine extends QueryEngineMain
 			this.securityEvaluator = new SecurityEvaluator() {
 
 				@Override
-				public boolean evaluate( final Action action,
+				public boolean evaluate( final Object principal, final Action action,
 						final SecNode graphIRI )
 				{
 					return true;
 				}
 
 				@Override
-				public boolean evaluate( final Action action,
+				public boolean evaluate( final Object principal, final Action action,
 						final SecNode graphIRI, final SecTriple triple )
 				{
 					return true;
 				}
 
 				@Override
-				public boolean evaluate( final Set<Action> action,
+				public boolean evaluate( final Object principal, final Set<Action> action,
 						final SecNode graphIRI )
 				{
 					return true;
 				}
 
 				@Override
-				public boolean evaluate( final Set<Action> action,
+				public boolean evaluate( final Object principal, final Set<Action> action,
 						final SecNode graphIRI, final SecTriple triple )
 				{
 					return true;
 				}
 
 				@Override
-				public boolean evaluateAny( final Set<Action> action,
+				public boolean evaluateAny( final Object principal, final Set<Action> action,
 						final SecNode graphIRI )
 				{
 					return true;
 				}
 
 				@Override
-				public boolean evaluateAny( final Set<Action> action,
+				public boolean evaluateAny( final Object principal, final Set<Action> action,
 						final SecNode graphIRI, final SecTriple triple )
 				{
 					return true;
 				}
 
 				@Override
-				public boolean evaluateUpdate( final SecNode graphIRI,
+				public boolean evaluateUpdate( final Object principal, final SecNode graphIRI,
 						final SecTriple from, final SecTriple to )
 				{
 					return true;

http://git-wip-us.apache.org/repos/asf/jena/blob/23d1bde2/jena-security/src/main/java/org/apache/jena/security/query/rewriter/OpRewriter.java
----------------------------------------------------------------------
diff --git a/jena-security/src/main/java/org/apache/jena/security/query/rewriter/OpRewriter.java b/jena-security/src/main/java/org/apache/jena/security/query/rewriter/OpRewriter.java
index 4659d06..263c742 100644
--- a/jena-security/src/main/java/org/apache/jena/security/query/rewriter/OpRewriter.java
+++ b/jena-security/src/main/java/org/apache/jena/security/query/rewriter/OpRewriter.java
@@ -242,7 +242,8 @@ public class OpRewriter implements OpVisitor
 	@Override
 	public void visit( final OpBGP opBGP )
 	{
-		if (!securityEvaluator.evaluate(Action.Read, graphIRI))
+		Object principal = securityEvaluator.getPrincipal();
+		if (!securityEvaluator.evaluate(principal, Action.Read, graphIRI))
 		{
 			if (silentFail)
 			{
@@ -255,7 +256,7 @@ public class OpRewriter implements OpVisitor
 		}
 
 		// if the user can read any triple just add the opBGP
-		if (securityEvaluator.evaluate(Action.Read, graphIRI, SecTriple.ANY))
+		if (securityEvaluator.evaluate(principal, Action.Read, graphIRI, SecTriple.ANY))
 		{
 			addOp(opBGP);
 		}

http://git-wip-us.apache.org/repos/asf/jena/blob/23d1bde2/jena-security/src/main/java/org/apache/jena/security/query/rewriter/SecuredFunction.java
----------------------------------------------------------------------
diff --git a/jena-security/src/main/java/org/apache/jena/security/query/rewriter/SecuredFunction.java b/jena-security/src/main/java/org/apache/jena/security/query/rewriter/SecuredFunction.java
index 5cd84d0..3675ec8 100644
--- a/jena-security/src/main/java/org/apache/jena/security/query/rewriter/SecuredFunction.java
+++ b/jena-security/src/main/java/org/apache/jena/security/query/rewriter/SecuredFunction.java
@@ -71,10 +71,11 @@ public class SecuredFunction extends ExprFunctionN
 	
 	private boolean checkAccess( Binding values )
 	{
+		Object principal = securityEvaluator.getPrincipal();
 		for (final Triple t : bgp)
 		{
 			final SecTriple secT = createSecTriple(t, values);
-			if (!securityEvaluator.evaluate(Action.Read, graphIRI, secT))
+			if (!securityEvaluator.evaluate(principal, Action.Read, graphIRI, secT))
 			{
 				return false;
 			}

http://git-wip-us.apache.org/repos/asf/jena/blob/23d1bde2/jena-security/src/main/java/org/apache/jena/security/utils/PermStatementFilter.java
----------------------------------------------------------------------
diff --git a/jena-security/src/main/java/org/apache/jena/security/utils/PermStatementFilter.java b/jena-security/src/main/java/org/apache/jena/security/utils/PermStatementFilter.java
index 8e8bb43..41c163a 100644
--- a/jena-security/src/main/java/org/apache/jena/security/utils/PermStatementFilter.java
+++ b/jena-security/src/main/java/org/apache/jena/security/utils/PermStatementFilter.java
@@ -39,6 +39,7 @@ public class PermStatementFilter extends Filter<Statement>
 	private final SecurityEvaluator evaluator;
 	private final SecNode modelNode;
 	private final Set<Action> actions;
+	private final Object principal;
 
 	/**
 	 * Creates a filter that requires that the user have all the permissions
@@ -55,6 +56,7 @@ public class PermStatementFilter extends Filter<Statement>
 		this.modelNode = securedItem.getModelNode();
 		this.actions = SecurityEvaluator.Util.asSet(new Action[] { action });
 		this.evaluator = securedItem.getSecurityEvaluator();
+		this.principal = evaluator.getPrincipal();
 	}
 
 	/**
@@ -74,6 +76,7 @@ public class PermStatementFilter extends Filter<Statement>
 		this.modelNode = securedItem.getModelNode();
 		this.actions = SecurityEvaluator.Util.asSet(new Action[] { action });
 		this.evaluator = evaluator;
+		this.principal = evaluator.getPrincipal();
 	}
 
 	/**
@@ -91,6 +94,7 @@ public class PermStatementFilter extends Filter<Statement>
 		this.modelNode = securedItem.getModelNode();
 		this.actions = SecurityEvaluator.Util.asSet(actions);
 		this.evaluator = securedItem.getSecurityEvaluator();
+		this.principal = evaluator.getPrincipal();
 	}
 
 	/**
@@ -110,6 +114,7 @@ public class PermStatementFilter extends Filter<Statement>
 		this.modelNode = securedItem.getModelNode();
 		this.actions = SecurityEvaluator.Util.asSet(actions);
 		this.evaluator = evaluator;
+		this.principal = evaluator.getPrincipal();
 	}
 
 	/**
@@ -127,6 +132,7 @@ public class PermStatementFilter extends Filter<Statement>
 		this.modelNode = securedItem.getModelNode();
 		this.actions = SecurityEvaluator.Util.asSet(actions);
 		this.evaluator = securedItem.getSecurityEvaluator();
+		this.principal = evaluator.getPrincipal();
 	}
 
 	/**
@@ -146,12 +152,13 @@ public class PermStatementFilter extends Filter<Statement>
 		this.modelNode = securedItem.getModelNode();
 		this.actions = SecurityEvaluator.Util.asSet(actions);
 		this.evaluator = evaluator;
+		this.principal = evaluator.getPrincipal();
 	}
 
 	@Override
 	public boolean accept( final Statement s )
 	{
-		return evaluator.evaluateAny(actions, modelNode,
+		return evaluator.evaluateAny(principal, actions, modelNode,
 				SecuredItemImpl.convert(s.asTriple()));
 	}
 

http://git-wip-us.apache.org/repos/asf/jena/blob/23d1bde2/jena-security/src/main/java/org/apache/jena/security/utils/PermTripleFilter.java
----------------------------------------------------------------------
diff --git a/jena-security/src/main/java/org/apache/jena/security/utils/PermTripleFilter.java b/jena-security/src/main/java/org/apache/jena/security/utils/PermTripleFilter.java
index f8d2fa6..505d7f8 100644
--- a/jena-security/src/main/java/org/apache/jena/security/utils/PermTripleFilter.java
+++ b/jena-security/src/main/java/org/apache/jena/security/utils/PermTripleFilter.java
@@ -39,6 +39,7 @@ public class PermTripleFilter extends Filter<Triple>
 	private final SecurityEvaluator evaluator;
 	private final SecNode modelNode;
 	private final Set<Action> actions;
+	private final Object principal;
 
 	/**
 	 * Creates a filter that requires that the user have all the permissions
@@ -54,6 +55,7 @@ public class PermTripleFilter extends Filter<Triple>
 		this.modelNode = securedItem.getModelNode();
 		this.actions = SecurityEvaluator.Util.asSet(new Action[] { action });
 		this.evaluator = securedItem.getSecurityEvaluator();
+		this.principal = evaluator.getPrincipal();
 	}
 
 	/**
@@ -73,6 +75,7 @@ public class PermTripleFilter extends Filter<Triple>
 		this.modelNode = securedItem.getModelNode();
 		this.actions = SecurityEvaluator.Util.asSet(new Action[] { action });
 		this.evaluator = evaluator;
+		this.principal = evaluator.getPrincipal();
 	}
 
 	/**
@@ -90,6 +93,7 @@ public class PermTripleFilter extends Filter<Triple>
 		this.modelNode = securedItem.getModelNode();
 		this.actions = SecurityEvaluator.Util.asSet(actions);
 		this.evaluator = securedItem.getSecurityEvaluator();
+		this.principal = evaluator.getPrincipal();
 	}
 
 	/**
@@ -109,6 +113,7 @@ public class PermTripleFilter extends Filter<Triple>
 		this.modelNode = securedItem.getModelNode();
 		this.actions = SecurityEvaluator.Util.asSet(actions);
 		this.evaluator = evaluator;
+		this.principal = evaluator.getPrincipal();
 	}
 
 	/**
@@ -126,6 +131,7 @@ public class PermTripleFilter extends Filter<Triple>
 		this.modelNode = securedItem.getModelNode();
 		this.actions = SecurityEvaluator.Util.asSet(actions);
 		this.evaluator = securedItem.getSecurityEvaluator();
+		this.principal = evaluator.getPrincipal();
 	}
 
 	/**
@@ -145,12 +151,13 @@ public class PermTripleFilter extends Filter<Triple>
 		this.modelNode = securedItem.getModelNode();
 		this.actions = SecurityEvaluator.Util.asSet(actions);
 		this.evaluator = evaluator;
+		this.principal = evaluator.getPrincipal();
 	}
 
 	@Override
 	public boolean accept( final Triple t )
 	{
-		return evaluator.evaluateAny(actions, modelNode,
+		return evaluator.evaluateAny(principal, actions, modelNode,
 				SecuredItemImpl.convert(t));
 	}
 

http://git-wip-us.apache.org/repos/asf/jena/blob/23d1bde2/jena-security/src/main/java/org/apache/jena/security/utils/RDFListSecFilter.java
----------------------------------------------------------------------
diff --git a/jena-security/src/main/java/org/apache/jena/security/utils/RDFListSecFilter.java b/jena-security/src/main/java/org/apache/jena/security/utils/RDFListSecFilter.java
index bfe6a98..286be4a 100644
--- a/jena-security/src/main/java/org/apache/jena/security/utils/RDFListSecFilter.java
+++ b/jena-security/src/main/java/org/apache/jena/security/utils/RDFListSecFilter.java
@@ -31,9 +31,9 @@ import org.apache.jena.security.impl.SecuredItemImpl;
 
 public class RDFListSecFilter<T extends RDFList> extends Filter<T>
 {
-
-	private SecuredItem securedItem;
-	private Set<Action> perms;
+	private final SecuredItem securedItem;
+	private final Set<Action> perms;
+	private final Object principal;
 
 	public RDFListSecFilter( final SecuredItem securedItem, final Action perm )
 	{
@@ -45,13 +45,14 @@ public class RDFListSecFilter<T extends RDFList> extends Filter<T>
 	{
 		this.securedItem = securedItem;
 		this.perms = perms;
+		this.principal = securedItem.getSecurityEvaluator().getPrincipal();
 	}
 
 	@Override
 	public boolean accept( final RDFList o )
 	{
 		final Statement s = o.getRequiredProperty(RDF.first);
-		return securedItem.getSecurityEvaluator().evaluate(perms,
+		return securedItem.getSecurityEvaluator().evaluate(principal, perms,
 				securedItem.getModelNode(),
 				SecuredItemImpl.convert(s.asTriple()));
 	}

http://git-wip-us.apache.org/repos/asf/jena/blob/23d1bde2/jena-security/src/test/java/org/apache/jena/security/MockSecurityEvaluator.java
----------------------------------------------------------------------
diff --git a/jena-security/src/test/java/org/apache/jena/security/MockSecurityEvaluator.java b/jena-security/src/test/java/org/apache/jena/security/MockSecurityEvaluator.java
index c00602e..0981664 100644
--- a/jena-security/src/test/java/org/apache/jena/security/MockSecurityEvaluator.java
+++ b/jena-security/src/test/java/org/apache/jena/security/MockSecurityEvaluator.java
@@ -87,13 +87,13 @@ public class MockSecurityEvaluator implements SecurityEvaluator
 	}
 
 	@Override
-	public boolean evaluate( final Action action, final SecNode uri )
+	public boolean evaluate( final Object principal, final Action action, final SecNode uri )
 	{
 		return evaluate(action);
 	}
 
 	@Override
-	public boolean evaluate( final Action action, final SecNode graphIRI,
+	public boolean evaluate( final Object principal, final Action action, final SecNode graphIRI,
 			final SecTriple triple )
 	{
 		if (forceTripleChecks)
@@ -141,13 +141,13 @@ public class MockSecurityEvaluator implements SecurityEvaluator
 	}
 
 	@Override
-	public boolean evaluate( final Set<Action> action, final SecNode uri )
+	public boolean evaluate( final Object principal, final Set<Action> action, final SecNode uri )
 	{
 		return evaluate(action);
 	}
 
 	@Override
-	public boolean evaluate( final Set<Action> action, final SecNode graphIRI,
+	public boolean evaluate( final Object principal, final Set<Action> action, final SecNode graphIRI,
 			final SecTriple triple )
 	{
 		for (final Action a : action)
@@ -161,7 +161,7 @@ public class MockSecurityEvaluator implements SecurityEvaluator
 	}
 
 	@Override
-	public boolean evaluateAny( final Set<Action> action, final SecNode graphIRI )
+	public boolean evaluateAny( final Object principal, final Set<Action> action, final SecNode graphIRI )
 	{
 		for (final Action a : action)
 		{
@@ -174,14 +174,14 @@ public class MockSecurityEvaluator implements SecurityEvaluator
 	}
 
 	@Override
-	public boolean evaluateAny( final Set<Action> action,
+	public boolean evaluateAny( final Object principal, final Set<Action> action,
 			final SecNode graphIRI, final SecTriple triple )
 	{
-		return evaluateAny(action, graphIRI);
+		return evaluateAny( principal, action, graphIRI);
 	}
 
 	@Override
-	public boolean evaluateUpdate( final SecNode graphIRI,
+	public boolean evaluateUpdate( final Object principal, final SecNode graphIRI,
 			final SecTriple from, final SecTriple to )
 	{
 		return evaluate(Action.Update);


Mime
View raw message