Examples of com.ecyrd.jspwiki.auth.authorize.Group

Package com.ecyrd.jspwiki.auth.authorize

Examples of com.ecyrd.jspwiki.auth.authorize.Group

com.ecyrd.jspwiki.auth.authorize.Group
Groups are a specialized type of ad-hoc role used by the wiki system. Unlike externally-provided roles (such as those provided by an LDAP server or web container), JSPWiki groups can be created dynamically by wiki users, without requiring special container privileges or administrator intervention. They are designed to provide a lightweight role-based access control system that complements existing role systems.

Group names are case-insensitive, and have a few naming restrictions, which are enforced by the {@link GroupManager}:
- Groups cannot have the same name as a built-in Role (e.g., "Admin", "Authenticated" etc.)
- Groups cannot have the same name as an existing user
Note: prior to JSPWiki 2.4.19, Group was an interface; it is now a concrete, final class.

Groups are related to {@link GroupPrincipal}s. A GroupPrincipal, when injected into the Principal set of a WikiSession's Subject, means that the user is a member of a Group of the same name -- it is, in essence, an "authorization token." GroupPrincipals, unlike Groups, are thread-safe, lightweight and immutable. That's why we use them in Subjects rather than the Groups themselves.
@author Andrew Jaquith @since 2.3

        GroupManager manager = m_engine.getGroupManager();
        SecurityEventTrap trap = new SecurityEventTrap();
        manager.addWikiEventListener( trap );


        // Create two groups; one with Janne in it, and one without
        Group groupTest1 = m_groupMgr.parseGroup( "Test1", "JanneJalkanen \n Bob \n Charlie", true );
        m_groupMgr.setGroup( m_session, groupTest1 );
        groupTest1 = m_groupMgr.getGroup( "Test1" );
        Principal principalTest1 = groupTest1.getPrincipal();


        Group groupTest2 = m_groupMgr.parseGroup( "Test2", "Alice \n Bob \n Charlie", true );
        m_groupMgr.setGroup( m_session, groupTest2 );
        groupTest2 = m_groupMgr.getGroup( "Test2" );
        Principal principalTest2 = groupTest2.getPrincipal();


        // We should see two security events (one for each group create)
        // We should also see a GroupPrincipal for group Test1, but not Test2
        assertEquals( 2, trap.events().length );
        assertTrue( session.hasPrincipal( principalTest1 ) );
        assertFalse( session.hasPrincipal( principalTest2 ) );


        // If we remove Test1, the GroupPrincipal should disappear
        m_groupMgr.removeGroup( "Test1" );
        assertFalse( session.hasPrincipal( principalTest1 ) );
        assertFalse( session.hasPrincipal( principalTest2 ) );


        // Now, add 'JanneJalkanen' to Test2 group manually; we should see the
        // GroupPrincipal
        groupTest2.add( new WikiPrincipal( "JanneJalkanen" ) );
        m_groupMgr.setGroup( session, groupTest2 );
        assertFalse( session.hasPrincipal( principalTest1 ) );
        assertTrue( session.hasPrincipal( principalTest2 ) );


        // Remove 'JanneJalkenen' manually; the GroupPrincipal should disappear
        groupTest2.remove( new WikiPrincipal( "JanneJalkanen" ) );
        m_groupMgr.setGroup( session, groupTest2 );
        assertFalse( session.hasPrincipal( principalTest1 ) );
        assertFalse( session.hasPrincipal( principalTest2 ) );


        // Clean up

View Full Code Here

      assertEquals( oldName, profile.getFullname() );
      assertEquals( oldUserCount+1, m_db.getWikiNames().length );
      assertTrue( session.isAuthenticated() );
      
      // Setup Step 2: create a new group with our test user in it
      Group group = groupManager.parseGroup( m_groupName, "Alice \n Bob \n Charlie \n " + oldLogin + "\n" + oldName, true );
      groupManager.setGroup( session, group );
      
      // 2a. Make sure the group is created with the user in it, and the role is added to the Subject
      assertEquals( oldGroupCount+1, groupManager.getRoles().length );
      assertTrue  ( group.isMember( new WikiPrincipal( oldLogin ) ) );
      assertTrue  ( group.isMember( new WikiPrincipal( oldName  ) ) );
      assertFalse ( group.isMember( new WikiPrincipal( newLogin ) ) );
      assertFalse ( group.isMember( new WikiPrincipal( newName  ) ) );
      assertTrue  ( groupManager.isUserInRole( session, group.getPrincipal() ) );
      
      // Setup Step 3: create a new page with our test user in the ACL
      String pageName = "TestPage" + now;
      m_engine.saveText( pageName, "Test text. [{ALLOW view " + oldName + ", " + oldLogin + ", Alice}] More text." );
      
      // 3a. Make sure the page got saved, and that ONLY our test user has permission to read it.
      WikiPage p = m_engine.getPage( pageName );
      assertEquals ( oldPageCount+1, pageManager.getTotalPageCount() );
      assertNotNull( p.getAcl().getEntry( new WikiPrincipal( oldLogin ) ) );
      assertNotNull( p.getAcl().getEntry( new WikiPrincipal( oldName  ) ) );
      assertNull   ( p.getAcl().getEntry( new WikiPrincipal( newLogin ) ) );
      assertNull   ( p.getAcl().getEntry( new WikiPrincipal( newName  ) ) );
      assertTrue   ( "Test User view page", authManager.checkPermission( session, PermissionFactory.getPagePermission( p, "view" ) ) );
      WikiSession bobSession = WikiSessionTest.authenticatedSession( m_engine, Users.BOB, Users.BOB_PASS );
      assertFalse  ( "Bob !view page", authManager.checkPermission( bobSession, PermissionFactory.getPagePermission( p, "view" ) ) );
      
      // Setup Step 4: change the user name in the profile and see what happens
      profile = m_db.newProfile();
      profile.setEmail    ( "testuser@testville.com" );
      profile.setLoginName( oldLogin );
      profile.setFullname ( newName );
      profile.setPassword ( "password" );
      m_mgr.setUserProfile( session, profile );
      
      // Test 1: the wiki session should have the new wiki name in Subject
      Principal[] principals = session.getPrincipals();
      assertTrue ( ArrayUtils.contains( principals, new WikiPrincipal( oldLogin ) ) );
      assertFalse( ArrayUtils.contains( principals, new WikiPrincipal( oldName  ) ) );
      assertFalse( ArrayUtils.contains( principals, new WikiPrincipal( newLogin ) ) );
      assertTrue ( ArrayUtils.contains( principals, new WikiPrincipal( newName  ) ) );
      
      // Test 2: our group should not contain the old name OR login name any more
      // (the full name is always used)
      group = groupManager.getGroup( m_groupName );
      assertFalse( group.isMember( new WikiPrincipal( oldLogin ) ) );
      assertFalse( group.isMember( new WikiPrincipal( oldName  ) ) );
      assertFalse( group.isMember( new WikiPrincipal( newLogin ) ) );
      assertTrue ( group.isMember( new WikiPrincipal( newName  ) ) );
      
      // Test 3: our page should not contain the old wiki name OR login name
      // in the ACL any more (the full name is always used)
      p = m_engine.getPage( pageName );
      assertNull   ( p.getAcl().getEntry( new WikiPrincipal( oldLogin ) ) );
      assertNull   ( p.getAcl().getEntry( new WikiPrincipal( oldName  ) ) );
      assertNull   ( p.getAcl().getEntry( new WikiPrincipal( newLogin ) ) );
      assertNotNull( p.getAcl().getEntry( new WikiPrincipal( newName  ) ) );
      assertTrue( "Test User view page", authManager.checkPermission( session, PermissionFactory.getPagePermission( p, "view" ) ) );
      assertFalse( "Bob !view page", authManager.checkPermission( bobSession, PermissionFactory.getPagePermission( p, "view" ) ) );
      
      // Test 4: our page text should have been re-written
      // (The new full name should be in the ACL, but the login name should have been removed)
      String expectedText = "[{ALLOW view Alice," + newName + "}]\nTest text.  More text.\r\n";
      String actualText = m_engine.getText( pageName );
      assertEquals( expectedText, actualText );
      
      // Remove our test page
      m_engine.deletePage( pageName );
      
      // Setup Step 6: re-create the group with our old test user names in it
      group = groupManager.parseGroup( m_groupName, "Alice \n Bob \n Charlie \n " + oldLogin + "\n" + oldName, true );
      groupManager.setGroup( session, group );
      
      // Setup Step 7: Save a new page with the old login/wiki names in the ACL again
      // The test user should still be able to see the page (because the login name matches...)
      pageName = "TestPage2" + now;
      m_engine.saveText( pageName, "More test text. [{ALLOW view " + oldName + ", " + oldLogin + ", Alice}] More text." );
      p = m_engine.getPage( pageName );
      assertEquals ( oldPageCount+1, pageManager.getTotalPageCount() );
      assertNotNull( p.getAcl().getEntry( new WikiPrincipal( oldLogin ) ) );
      assertNotNull( p.getAcl().getEntry( new WikiPrincipal( oldName  ) ) );
      assertNull   ( p.getAcl().getEntry( new WikiPrincipal( newLogin ) ) );
      assertNull   ( p.getAcl().getEntry( new WikiPrincipal( newName  ) ) );
      assertTrue   ( "Test User view page", authManager.checkPermission( session, PermissionFactory.getPagePermission( p, "view" ) ) );
      assertFalse  ( "Bob !view page", authManager.checkPermission( bobSession, PermissionFactory.getPagePermission( p, "view" ) ) );
      
      // Setup Step 8: re-save the profile with the new login name
      profile = m_db.newProfile();
      profile.setEmail    ( "testuser@testville.com" );
      profile.setLoginName( newLogin );
      profile.setFullname ( oldName );
      profile.setPassword ( "password" );
      m_mgr.setUserProfile( session, profile );


      // Test 5: the wiki session should have the new login name in Subject
      principals = session.getPrincipals();
      assertFalse( ArrayUtils.contains( principals, new WikiPrincipal( oldLogin ) ) );
      assertTrue ( ArrayUtils.contains( principals, new WikiPrincipal( oldName  ) ) );
      assertTrue ( ArrayUtils.contains( principals, new WikiPrincipal( newLogin ) ) );
      assertFalse( ArrayUtils.contains( principals, new WikiPrincipal( newName  ) ) );
      
      // Test 6: our group should not contain the old name OR login name any more
      // (the full name is always used)
      group = groupManager.getGroup( m_groupName );
      assertFalse( group.isMember( new WikiPrincipal( oldLogin ) ) );
      assertTrue ( group.isMember( new WikiPrincipal( oldName  ) ) );
      assertFalse( group.isMember( new WikiPrincipal( newLogin ) ) );
      assertFalse( group.isMember( new WikiPrincipal( newName  ) ) );
      
      // Test 7: our page should not contain the old wiki name OR login name
      // in the ACL any more (the full name is always used)
      p = m_engine.getPage( pageName );
      assertNull   ( p.getAcl().getEntry( new WikiPrincipal( oldLogin ) ) );
      assertNotNull( p.getAcl().getEntry( new WikiPrincipal( oldName  ) ) );
      assertNull   ( p.getAcl().getEntry( new WikiPrincipal( newLogin ) ) );
      assertNull   ( p.getAcl().getEntry( new WikiPrincipal( newName  ) ) );
      assertTrue( "Test User view page", authManager.checkPermission( session, PermissionFactory.getPagePermission( p, "view" ) ) );
      assertFalse( "Bob !view page", authManager.checkPermission( bobSession, PermissionFactory.getPagePermission( p, "view" ) ) );
      
      // Test 8: our page text should have been re-written
      // (The new full name should be in the ACL, but the login name should have been removed)
      expectedText = "[{ALLOW view Alice," + oldName + "}]\nMore test text.  More text.\r\n";
      actualText = m_engine.getText( pageName );
      assertEquals( expectedText, actualText );
      
      // CLEANUP: delete the profile; user and page; should be back to old counts
      m_db.deleteByLoginName( newLogin );
      assertEquals( oldUserCount, m_db.getWikiNames().length );
      
      groupManager.removeGroup( group.getName() );
      assertEquals( oldGroupCount, groupManager.getRoles().length );
      
      m_engine.deletePage( pageName );
      assertEquals( oldPageCount, pageManager.getTotalPageCount() );
  }

View Full Code Here


        // Create a new "asserted" session for Bob
        session = WikiSessionTest.assertedSession( m_engine, Users.BOB );


        // Set up a group without Bob in it
        Group test = m_groupMgr.parseGroup( "Test", "Alice \n Charlie", true );
        m_groupMgr.setGroup( m_session, test );


        // Bob should have two roles: ASSERTED and ALL
        principals = session.getRoles();
        assertTrue( "Bob in ALL", ArrayUtils.contains( principals, Role.ALL ) );
        assertTrue( "Bob in ASSERTED", ArrayUtils.contains( principals, Role.ASSERTED ) );
        assertFalse( "Bob not in ANONYMOUS", ArrayUtils.contains( principals, Role.ANONYMOUS ) );
        assertFalse( "Bob not in Test", ArrayUtils.contains( principals, test.getPrincipal() ) );


        // Re-save group "Test" with Bob as a member
        test = m_groupMgr.parseGroup( "Test", "Alice \n Bob \nCharlie", true );
        m_groupMgr.setGroup( m_session, test );


        // Bob not authenticated: should still have only two romes
        principals = session.getRoles();
        assertTrue( "Bob in ALL", ArrayUtils.contains( principals, Role.ALL ) );
        assertTrue( "Bob in ASSERTED", ArrayUtils.contains( principals, Role.ASSERTED ) );
        assertFalse( "Bob not in ANONYMOUS", ArrayUtils.contains( principals, Role.ANONYMOUS ) );
        assertFalse( "Bob in Test", ArrayUtils.contains( principals, test.getPrincipal() ) );


        // Elevate Bob to "authenticated" status
        session = WikiSessionTest.authenticatedSession( m_engine, Users.BOB, Users.BOB_PASS );


        // Re-save the group; Bob should possess the role now
        test = m_groupMgr.parseGroup( "Test", "Alice \n Bob \n Charlie", true );
        m_groupMgr.setGroup( m_session, test );
        principals = session.getRoles();
        assertTrue( "Bob in ALL", ArrayUtils.contains( principals, Role.ALL ) );
        assertFalse( "Bob in ASSERTED", ArrayUtils.contains( principals, Role.ASSERTED ) );
        assertFalse( "Bob not in ANONYMOUS", ArrayUtils.contains( principals, Role.ANONYMOUS ) );
        assertTrue( "Bob in Test", ArrayUtils.contains( principals, test.getPrincipal() ) );


        // Cleanup
        m_groupMgr.removeGroup( "Test" );
    }

View Full Code Here

                m_engine,
                Users.ALICE,
                new Principal[] { it, engineering, admin } );


        // Create two groups: Alice should be part of group Bar, but not Foo
        Group fooGroup = m_groupMgr.parseGroup( "Foo", "", true );
        Group barGroup = m_groupMgr.parseGroup( "Bar", "", true );
        barGroup.add( alice );
        m_groupMgr.setGroup( m_session, fooGroup );
        m_groupMgr.setGroup( m_session, barGroup );


        // Test user principal posession: Alice isn't considered to
        // have the "Alice" principal because she's not authenticated
        assertFalse ( "Alice has Alice", m_auth.hasRoleOrPrincipal( session, new WikiPrincipal( Users.ALICE ) ) );
        assertFalse ( "Alice has Alice", m_auth.hasRoleOrPrincipal( session, new TestPrincipal( Users.ALICE ) ) );
        assertFalse( "Alice not has Bob", m_auth.hasRoleOrPrincipal( session, new WikiPrincipal( Users.BOB ) ) );
        assertFalse( "Alice not has Bob", m_auth.hasRoleOrPrincipal( session, new TestPrincipal( Users.BOB ) ) );


        // Built-in role memberships
        assertTrue( "Alice in ALL", m_auth.hasRoleOrPrincipal( session, Role.ALL ) );
        assertFalse( "Alice not in ANONYMOUS", m_auth.hasRoleOrPrincipal( session, Role.ANONYMOUS ) );
        assertTrue( "Alice in ASSERTED", m_auth.hasRoleOrPrincipal( session, Role.ASSERTED ) );
        assertFalse( "Alice not in AUTHENTICATED", m_auth.hasRoleOrPrincipal( session, Role.AUTHENTICATED ) );


        // Custom roles should be FALSE because Alice is asserted
        assertFalse( "Alice not in IT", m_auth.hasRoleOrPrincipal( session, it ) );
        assertFalse( "Alice not in Engineering", m_auth.hasRoleOrPrincipal( session, engineering ) );
        assertFalse( "Alice not in Finance", m_auth.hasRoleOrPrincipal( session, finance ) );


        // Group memberships should be FALSE because Alice is asserted
        assertFalse( "Alice not in Foo", m_auth.hasRoleOrPrincipal( session, fooGroup.getPrincipal() ) );
        assertFalse( "Alice not in Bar", m_auth.hasRoleOrPrincipal( session, barGroup.getPrincipal() ) );


        // Clean up
        m_groupMgr.removeGroup( "Foo" );
        m_groupMgr.removeGroup( "Bar" );
    }

View Full Code Here

                m_engine,
                Users.ALICE,
                new Principal[] { it, engineering, admin } );


        // Create two groups: Alice should be part of group Bar, but not Foo
        Group fooGroup = m_groupMgr.parseGroup( "Foo", "", true );
        Group barGroup = m_groupMgr.parseGroup( "Bar", "", true );
        barGroup.add( alice );
        m_groupMgr.setGroup( m_session, fooGroup );
        m_groupMgr.setGroup( m_session, barGroup );


        // Test user principal posession: user principals of different
        // types should still be "the same" if their names are equal
        assertTrue( "Alice has Alice", m_auth.hasRoleOrPrincipal( session, new WikiPrincipal( Users.ALICE ) ) );
        assertTrue( "Alice has Alice", m_auth.hasRoleOrPrincipal( session, new TestPrincipal( Users.ALICE ) ) );
        assertFalse( "Alice not has Bob", m_auth.hasRoleOrPrincipal( session, new WikiPrincipal( Users.BOB ) ) );
        assertFalse( "Alice not has Bob", m_auth.hasRoleOrPrincipal( session, new TestPrincipal( Users.BOB ) ) );


        // Built-in role membership
        assertTrue( "Alice in ALL", m_auth.hasRoleOrPrincipal( session, Role.ALL ) );
        assertFalse( "Alice not in ANONYMOUS", m_auth.hasRoleOrPrincipal( session, Role.ANONYMOUS ) );
        assertFalse( "Alice not in ASSERTED", m_auth.hasRoleOrPrincipal( session, Role.ASSERTED ) );
        assertTrue( "Alice in AUTHENTICATED", m_auth.hasRoleOrPrincipal( session, Role.AUTHENTICATED ) );


        // Custom roles
        assertTrue( "Alice in IT", m_auth.hasRoleOrPrincipal( session, it ) );
        assertTrue( "Alice in Engineering", m_auth.hasRoleOrPrincipal( session, engineering ) );
        assertFalse( "Alice not in Finance", m_auth.hasRoleOrPrincipal( session, finance ) );


        // Group memberships
        assertFalse( "Alice not in Foo", m_auth.hasRoleOrPrincipal( session, fooGroup.getPrincipal() ) );
        assertTrue( "Alice in Bar", m_auth.hasRoleOrPrincipal( session, barGroup.getPrincipal() ) );


        // Cleanup
        m_groupMgr.removeGroup( "Foo" );
        m_groupMgr.removeGroup( "Bar" );
    }

View Full Code Here

        Role it = new Role( "IT" );
        Role finance = new Role( "Finance" );


        // Create Group1 with Alice in it, Group2 without
        WikiSession session = WikiSessionTest.adminSession( m_engine );
        Group g1 = m_groupMgr.parseGroup( "Group1", "Alice", true );
        m_groupMgr.setGroup( session, g1 );
        Principal group1 = g1.getPrincipal();
        Group g2 = m_groupMgr.parseGroup( "Group2", "Bob", true );
        m_groupMgr.setGroup( session, g2 );
        Principal group2 = g2.getPrincipal();


        // Create anonymous session; not in ANY custom roles or groups
        session = WikiSessionTest.anonymousSession( m_engine );
        assertTrue ( "Anon anonymous", m_auth.hasRoleOrPrincipal( session, Role.ANONYMOUS ) );
        assertFalse( "Anon not asserted", m_auth.hasRoleOrPrincipal( session, Role.ASSERTED ) );

View Full Code Here

        Role it = new Role( "IT" );
        Role finance = new Role( "Finance" );


        // Create Group1 with Alice in it, Group2 without
        WikiSession session = WikiSessionTest.adminSession( m_engine );
        Group g1 = m_groupMgr.parseGroup( "Group1", "Alice", true );
        m_groupMgr.setGroup( session, g1 );
        Principal group1 = g1.getPrincipal();
        Group g2 = m_groupMgr.parseGroup( "Group2", "Bob", true );
        m_groupMgr.setGroup( session, g2 );
        Principal group2 = g2.getPrincipal();


        // Create anonymous session; not in ANY custom roles or groups
        session = WikiSessionTest.anonymousSession( m_engine );
        assertTrue ( "Anon anonymous", m_auth.isUserInRole( session, Role.ANONYMOUS ) );
        assertFalse( "Anon not asserted", m_auth.isUserInRole( session, Role.ASSERTED ) );

View Full Code Here

        assertFalse( principal.equals( m_auth.resolvePrincipal( "Admin" ) ) );
    }


    public void testResolveGroups() throws WikiException
    {
        Group group1 = m_groupMgr.parseGroup( "SampleGroup", "", true );
        m_groupMgr.setGroup( m_session, group1 );


        assertEquals( group1.getPrincipal(), m_auth.resolvePrincipal( "SampleGroup" ) );
        m_groupMgr.removeGroup( "SampleGroup" );


        // We shouldn't be able to spoof a built-in role
        try
        {
            Group group2 = m_groupMgr.parseGroup( "Authenticated", "", true );
            assertNotSame( group2.getPrincipal(), m_auth.resolvePrincipal( "Authenticated" ) );
        }
        catch ( WikiSecurityException e )
        {
            assertTrue ( "Authenticated not allowed as group name.", true );
        }

View Full Code Here

            fail( "Failed delete: " + e.getLocalizedMessage() );
        }




        // A wiki group should resolve to itself
        Group group1 = m_groupMgr.parseGroup( "SampleGroup", "", true );
        m_groupMgr.setGroup( m_session, group1 );
        assertEquals( group1.getPrincipal(), m_auth.resolvePrincipal( "SampleGroup" ) );
        m_groupMgr.removeGroup( "SampleGroup" );


        // A built-in role should resolve to itself
        assertEquals( Role.AUTHENTICATED, m_auth.resolvePrincipal( "Authenticated" ) );

View Full Code Here


        m_groupMgr.addWikiEventListener( m_trap );
        m_trap.clearEvents();


        // Add 3 test groups
        Group group;
        group = m_groupMgr.parseGroup( "Test", "Alice \n Bob \n Charlie", true );
        m_groupMgr.setGroup( m_session, group );
        group = m_groupMgr.parseGroup( "Test2", "Bob", true );
        m_groupMgr.setGroup( m_session, group );
        group = m_groupMgr.parseGroup( "Test3", "Fred Flintstone", true );

View Full Code Here

0 1

TOP

Related Classes of com.ecyrd.jspwiki.auth.authorize.Group

com.ecyrd.jspwiki.auth.acl.AclImplTest

com.ecyrd.jspwiki.auth.AuthenticationManagerTest

com.ecyrd.jspwiki.auth.AuthorizationManagerTest

com.ecyrd.jspwiki.auth.GroupManagerTest

com.ecyrd.jspwiki.auth.GroupPrincipal

com.ecyrd.jspwiki.auth.UserManagerTest

com.ecyrd.jspwiki.ui.Installer

com.ecyrd.jspwiki.WikiSession

All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.