From woon...@apache.org
Subject svn commit: r603896 - in /portals/jetspeed-2/trunk/components/jetspeed-security/src: main/java/org/apache/jetspeed/security/impl/UserManagerImpl.java test/java/org/apache/jetspeed/security/TestUserManager.java
Date Thu, 13 Dec 2007 11:46:44 GMT
Author: woonsan
Date: Thu Dec 13 03:46:41 2007
New Revision: 603896

URL: http://svn.apache.org/viewvc?rev=603896&view=rev
Log:
[JS2-21] Missing Security Feature: Check roles assigned to any group to user belongs
Fixed the issue.

Now it conforms to the following requirements:

1. The Role definition in Servlet 2.3 SRV.12.4 (which according to portlet PLT.20.2 also applies
for portlets) specifies that a user is in a specific role either when assigned directly to
the user or when assigned to a group the user belongs to.
Thus according to this definition the isUserInRole() should also check the roles assigned
to any group to user belongs to.

2. Concerning the following use-case:
assume the 'groovy.psml' has constraints allowing role 'admin' and group 'engineering' to
view.
assume the user 'user' is only in group 'accounting' and doesn't have role 'admin'.
assume the group 'accounting' has no roles (initially)
-> the user doesn't get access to the groovy.psml.

Now add role 'admin' to group 'accounting'.
-> the user now gets the role 'admin'
-> the user gets access to the 'groovy.psml'

Modified:
    portals/jetspeed-2/trunk/components/jetspeed-security/src/main/java/org/apache/jetspeed/security/impl/UserManagerImpl.java
    portals/jetspeed-2/trunk/components/jetspeed-security/src/test/java/org/apache/jetspeed/security/TestUserManager.java

Modified: portals/jetspeed-2/trunk/components/jetspeed-security/src/main/java/org/apache/jetspeed/security/impl/UserManagerImpl.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/components/jetspeed-security/src/main/java/org/apache/jetspeed/security/impl/UserManagerImpl.java?rev=603896&r1=603895&r2=603896&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/components/jetspeed-security/src/main/java/org/apache/jetspeed/security/impl/UserManagerImpl.java
(original)
+++ portals/jetspeed-2/trunk/components/jetspeed-security/src/main/java/org/apache/jetspeed/security/impl/UserManagerImpl.java
Thu Dec 13 03:46:41 2007
@@ -64,6 +64,12 @@
     private String anonymousUser = "guest";
     private User guest = null;
     
+    /** 
+     * Flag whether the principals's user group matches the user group to which the role
has been mapped. (See SRV.12.4) 
+     * If this flag is set to true, roles can be inherited to users via groups.
+     */
+    private boolean rolesInheritableViaGroups = true;
+    
     /**
      * @param securityProvider
      *            The security provider.
@@ -154,7 +160,12 @@
     {
         return this.anonymousUser;
     }
-
+    
+    public void setRolesInheritableViaGroups(boolean rolesInheritableViaGroups)
+    {
+        this.rolesInheritableViaGroups = rolesInheritableViaGroups;
+    }
+    
     /**
      * @see org.apache.jetspeed.security.UserManager#authenticate(java.lang.String,
      *      java.lang.String)
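Review bot: The new public setter has no Javadoc while the adjacent members do, and nothing tells the caller that the flag is only consulted when a Subject is built, so Subjects already handed out are unaffected. Suggest `/** Controls whether role principals mapped to a user's groups are added to the user's Subject; affects Subjects built after this call. */` above the declaration.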
@@ -392,7 +403,18 @@
 
         principals.add(userPrincipal);
         principals.addAll(securityMappingHandler.getRolePrincipals(username));
-        principals.addAll(securityMappingHandler.getGroupPrincipals(username));
+        Set groupPrincipals = securityMappingHandler.getGroupPrincipals(username);
+        principals.addAll(groupPrincipals);
+        
+        if (this.rolesInheritableViaGroups)
+        {
+            for (Iterator it = groupPrincipals.iterator(); it.hasNext(); )
+            {
+                Principal groupPrincipal = (Principal) it.next();
+                Set rolePrincipalsInGroup = securityMappingHandler.getRolePrincipalsInGroup(groupPrincipal.getName());
+                principals.addAll(rolePrincipalsInGroup);
+            }
+        }
 
         Subject subject = null;
         if (getAnonymousUser().equals(username))
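Review bot: `principals.addAll(rolePrincipalsInGroup)` assumes `getRolePrincipalsInGroup` never returns null; if the handler signals "no mapping" with null rather than an empty set, the loop throws NullPointerException and subject creation fails for every member of that group, so either confirm the handler's contract or guard it with `if (rolePrincipalsInGroup != null) { principals.addAll(rolePrincipalsInGroup); }`. Only the groups returned directly for the user are expanded, so if the group model allows nesting, roles mapped to a parent group are not inherited — worth stating in a comment either way. The expansion also runs before the anonymous-user branch below, so the guest Subject receives roles mapped to any group the anonymous user is placed in; that follows from the design, but a one-line comment here would make that administrator-visible consequence explicit. The enclosing method starts and ends outside the hunk.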

Modified: portals/jetspeed-2/trunk/components/jetspeed-security/src/test/java/org/apache/jetspeed/security/TestUserManager.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/components/jetspeed-security/src/test/java/org/apache/jetspeed/security/TestUserManager.java?rev=603896&r1=603895&r2=603896&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/components/jetspeed-security/src/test/java/org/apache/jetspeed/security/TestUserManager.java
(original)
+++ portals/jetspeed-2/trunk/components/jetspeed-security/src/test/java/org/apache/jetspeed/security/TestUserManager.java
Thu Dec 13 03:46:41 2007
@@ -19,7 +19,10 @@
 import java.security.Principal;
 import java.util.Collection;
 import java.util.Iterator;
+import java.util.List;
+import java.util.ArrayList;
 import java.util.prefs.Preferences;
+import java.security.Principal;
 
 import javax.security.auth.Subject;
 import javax.security.auth.login.LoginContext;
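Review bot: The added `import java.security.Principal;` at the end of the block duplicates the existing import of the same type at the top of the hunk; javac tolerates an identical duplicate single-type import, but it is noise that Checkstyle-style tooling flags, so drop the added line. The new `List`/`ArrayList` imports are also out of alphabetical order within the `java.util` group, which is minor.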
@@ -144,6 +147,76 @@
         // Test the User Preferences.
         Preferences preferences = user.getPreferences();
         assertEquals("expected user node == /user/test", "/user/test", preferences.absolutePath());
+        
+        // Test if roles are inheritable to a user via groups
+        try
+        {
+            // If user 'inheritedUser' belongs to group 'inheritingGroup' and group 'group'
has role 'assignedRole', then
+            // the role 'assignedRole' can be inherited to the user 'inheritedUser' via group
'inheritingGroup'.
+            
+            ums.addUser("inheritedUser", "password");
+            gms.addGroup("inheritingGroup");
+            gms.addUserToGroup("inheritedUser", "inheritingGroup");
+            rms.addRole("assignedRole");
+            rms.addRoleToGroup("assignedRole", "inheritingGroup");
+            User testUser = ums.getUser("inheritedUser");
+
+            List principalNames = new ArrayList();
+            for (Iterator it = testUser.getSubject().getPrincipals().iterator(); it.hasNext();
)
+            {
+                Principal p = (Principal) it.next();
+                principalNames.add(p.getName());
+            }
+            
+            assertTrue("user is expected to have a user principal named inheritedUser.",
principalNames.contains("inheritedUser"));
+            assertTrue("user is expected to have a group principal named inheritingGroup.",
principalNames.contains("inheritingGroup"));
+            assertTrue("user is expected to have a role principal named assignedRole which
is inherited via the group.", principalNames.contains("assignedRole"));
+            
+            // However, roles from role manager should not contain the role 'assignedRole'
+            // because the role 'assignedRole' is not directly assigned to user 'inheritedUser'.
+            // For example, the Users Admin portlet uses RoleManager to retrieve roles directly
assigned to a user.
+            
+            List userRoleNames = new ArrayList();
+            for (Iterator it = rms.getRolesForUser("inheritedUser").iterator(); it.hasNext();
)
+            {
+                Role role = (Role) it.next();
+                userRoleNames.add(role.getPrincipal().getName());
+            }
+            
+            assertFalse("role 'assignedRole' is not expected to be retrieved because the
role 'assignedRole' is not directly assigned to user 'inheritedUser'.", userRoleNames.contains("assignedRole"));
+        }
+        catch (SecurityException sex)
+        {
+            assertTrue("failed to test 'rolesInheritableViaGroups' mode in testGetUser(),
" + sex, false);
+        }
+        finally
+        {
+            // Cleanup test.
+            try
+            {
+                rms.removeRole("assignedRole");
+            }
+            catch (SecurityException sex)
+            {
+            }
+            
+            try
+            {
+                gms.removeGroup("inheritingGroup");
+            }
+            catch (SecurityException sex)
+            {
+            }
+            
+            try
+            {
+                ums.removeUser("inheritedUser");
+            }
+            catch (SecurityException sex)
+            {
+            }
+        }
+
     }
 
     /**
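Review bot: The new block only verifies the default (enabled) mode; there is no assertion that with `rolesInheritableViaGroups` set to false the `assignedRole` principal is absent from the Subject, so a regression that ignores the flag would still pass. A second pass after `setRolesInheritableViaGroups(false)` — if `ums` is, or can be cast to, `UserManagerImpl` — asserting `assertFalse(principalNames.contains("assignedRole"))` would pin both paths. `assertTrue("failed to test ...", false)` in the catch should be `fail("failed to test 'rolesInheritableViaGroups' mode in testGetUser(), " + sex);`. The empty `catch (SecurityException sex)` blocks in the cleanup are best-effort by design but would read better with the variable named `ignored` and a one-line comment saying cleanup failures are intentionally ignored.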



---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org

