I can do a review and apply the patch later tonight.

Regards,

Ate

David Le Strat wrote:

Artem,

This is awesome. Thank you for the patch. I am
leaving tonight and won't have time to apply the
patch. Does someone else have the time to take care of
this?

Regards,

David.

--- "Grinshtein, Artem"
<[EMAIL PROTECTED]> wrote:

Hello,

This is a patch for the security component that
enables hierarchical roles and groups. The patch
contains an implementation of the generalization and
aggregation strategies. The default strategy is
generalization. It's possible to set different
strategies for groups and roles.

The group/role hierarchy is resolved by adding
group/role principals, depending on the strategy, to the
user's subject.

Regards,
Artem


-----Original Message-----
From: David Le Strat [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 8 June 2004 03:27
To: Jetspeed Developers List
Subject: Re: [J2] group and role hierarchy


Artem,

You are absolutely correct. We need to tackle this.
The current implementation does not do a good job at
this yet. Patches are welcome ;)

I believe that the most common implementation is the
generalization strategy. This should be the default
in my mind. Supporting multiple strategies is, I
believe, a nice-to-have for now. Thoughts?

Regards,

David.

--- "Grinshtein, Artem"
<[EMAIL PROTECTED]> wrote:

Hello All,

IMHO, the term "hierarchical" is not clearly defined
in Jetspeed. There is more than one meaning for
hierarchical roles/groups according to
http://www.doc.ic.ac.uk/~ecl1/papers/rbac99.pdf.

For example, there are 3 hierarchical roles:
-R1
--R1.1
--R1.2
with permissions:
grant R1 { permission P1 }
grant R1.1 { permission P2 }
grant R1.2 { permission P3 }

By a generalisation hierarchy ("is a"-hierarchy):
R1 has [P1]
R1 has [P1,P2]
R1 has [P1,P3]

and by an aggregation hierarchy ("part of"):
R1 has [P1,P2,P3]
R1 has [P2]
R1 has [P3].

What type of hierarchy will be supported? Does it
make any sense to support different types?

Regards,
Artem
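
The two strategies discussed in this thread, worked through on the R1 / R1.1 / R1.2 sample as an added example (not part of the original messages and not Jetspeed's code). It assumes that a dot in a role name marks a child of the name before it and that the three result lines in each list above are for R1, R1.1 and R1.2 in that order; the class and method names are hypothetical.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

public class HierarchyStrategies {
    // Constructed sample data: the three roles and grants from the message above.
    static final Map<String, Set<String>> GRANTS = new LinkedHashMap<>();
    static {
        GRANTS.put("R1", Collections.singleton("P1"));
        GRANTS.put("R1.1", Collections.singleton("P2"));
        GRANTS.put("R1.2", Collections.singleton("P3"));
    }

    // Assumption: "R1.1" is a child of "R1" (dot-separated path naming).
    static String parentOf(String role) {
        int dot = role.lastIndexOf('.');
        return dot < 0 ? null : role.substring(0, dot);
    }

    // Generalization ("is a"): the assigned role plus every ancestor role.
    static Set<String> generalization(String role) {
        Set<String> resolved = new TreeSet<>();
        for (String r = role; r != null; r = parentOf(r)) {
            if (GRANTS.containsKey(r)) resolved.add(r);
        }
        return resolved;
    }

    // Aggregation ("part of"): the assigned role plus every descendant role.
    static Set<String> aggregation(String role) {
        Set<String> resolved = new TreeSet<>();
        for (String r : GRANTS.keySet()) {
            // The "." guard keeps a sibling such as "R10" from matching "R1".
            if (r.equals(role) || r.startsWith(role + ".")) resolved.add(r);
        }
        return resolved;
    }

    // Effective permissions: union of the grants of every resolved role.
    static Set<String> permissions(Set<String> roles) {
        Set<String> perms = new TreeSet<>();
        for (String r : roles) perms.addAll(GRANTS.get(r));
        return perms;
    }

    public static void main(String[] args) {
        for (String role : GRANTS.keySet()) {
            System.out.println(role + " generalization=" + permissions(generalization(role))
                    + " aggregation=" + permissions(aggregation(role)));
        }
    }
}
```

The resolved role set is what would be added to the user's subject as principals; the strategy choice decides whether privileges flow down to children or up to parents, so it changes who ends up holding P1.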









---------------------------------------------------------------------

To unsubscribe, e-mail:
[EMAIL PROTECTED]
For additional commands, e-mail:
[EMAIL PROTECTED]








Index:

jakarta-jetspeed-2\components\security\src\test\org\apache\jetspeed\security\AbstractSecurityTestcase.java

===================================================================

RCS File:


/home/cvspublic/jakarta-jetspeed-2/components/security/src/test/org/apache/jetspeed/security/AbstractSecurityTestcase.java

retrieving revision 1.1
diff -u -r1.1


jakarta-jetspeed-2\components\security\src\test\org\apache\jetspeed\security\AbstractSecurityTestcase.java

---


jakarta-jetspeed-2\components\security\src\test\org\apache\jetspeed\security\AbstractSecurityTestcase.java

+++


jakarta-jetspeed-2\components\security\src\test\org\apache\jetspeed\security\AbstractSecurityTestcase.java

16 Jun 2004 14:19:37 -0000
@@ -6,6 +6,13 @@
 */
package org.apache.jetspeed.security;

+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Iterator;
+import java.util.List;
+
+import javax.security.auth.Subject;
+
import


org.apache.jetspeed.components.persistence.store.util.PersistenceSupportedTestCase;

import
org.apache.jetspeed.security.impl.GroupManagerImpl;
import


org.apache.jetspeed.security.impl.PermissionManagerImpl;

@@ -54,5 +61,24 @@
{
super(arg0);
}
+ + /**
+ * Returns subject's principals of type claz + * + * @param subject
+ * @param claz
+ * @return Returns subject's principals of type
claz
+ */
+ protected Collection getPrincipals( Subject
subject, Class claz){
+ List principals=new ArrayList();
+ for (Iterator iter =
subject.getPrincipals().iterator(); iter.hasNext();)
+ {
+ Object element = iter.next();
+ if ( claz.isInstance(element) ) + principals.add(element);
+ + }
+ return principals;
+ }


}
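
Review bot: the new getPrincipals(Subject, Class) helper re-implements filtering that javax.security.auth.Subject already provides as getPrincipals(Class), so the loop could be replaced by subject.getPrincipals(claz) and the java.util imports it needs dropped. If the helper stays, put braces around the body of the if on claz.isInstance(element) and give the @param subject and @param claz tags real descriptions; as written the Javadoc only repeats the summary line.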
Index:


jakarta-jetspeed-2\components\security\src\test\org\apache\jetspeed\security\TestGroupManager.java

===================================================================

RCS File:


/home/cvspublic/jakarta-jetspeed-2/components/security/src/test/org/apache/jetspeed/security/TestGroupManager.java

retrieving revision 1.4
diff -u -r1.4


jakarta-jetspeed-2\components\security\src\test\org\apache\jetspeed\security\TestGroupManager.java

---


jakarta-jetspeed-2\components\security\src\test\org\apache\jetspeed\security\TestGroupManager.java

+++


jakarta-jetspeed-2\components\security\src\test\org\apache\jetspeed\security\TestGroupManager.java

16 Jun 2004 14:38:02 -0000
@@ -14,13 +14,9 @@
 */
package org.apache.jetspeed.security;

-import java.security.Principal;
import java.util.Collection;
-import java.util.HashSet;
import java.util.prefs.Preferences;

-import javax.security.auth.Subject;
-
import junit.framework.Test;
import junit.framework.TestSuite;

@@ -123,15 +119,10 @@
        try
        {
            gms.addUserToGroup("anonuser1",
"testusertogroup1.group1");
-            Collection principals =


ums.getUser("anonuser1").getSubject().getPrincipals();

-            Principal found =
-                SecurityHelper.getPrincipal(
-                    new Subject(false, new
HashSet(principals), new HashSet(), new HashSet()),
-                    GroupPrincipal.class);
-            assertNotNull("found principal is
null", found);
+            Collection principals =


ums.getUser("anonuser1").getSubject().getPrincipals();

assertTrue(
- "found principal should be
testusertogroup1.group1, " + found.getName(),
- found.getName().equals("testusertogroup1.group1"));
+ "anonuser1 should contain
testusertogroup1.group1",
+ principals.contains(new
GroupPrincipalImpl("testusertogroup1.group1")));
}
catch (SecurityException sex)
{
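
Review bot: the replacement assertion principals.contains(new GroupPrincipalImpl("testusertogroup1.group1")) passes only if GroupPrincipalImpl defines equals() and hashCode() on the principal name, and that class is not part of the visible patch. Please confirm it does, or keep a name-based comparison. The failure message also no longer shows what the subject actually held; appending principals.toString(), as the removeGroup test does, would keep failures diagnosable.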
@@ -208,10 +199,12 @@
{
gms.removeGroup("testgroup1.group1");
Collection principals =



ums.getUser("anonuser2").getSubject().getPrincipals();

-            assertEquals(
-                "principal size should be == 3
after removing testgroup1.group1, for principals: "
+ principals.toString(),
-                3,
-                principals.size());
+            // because of hierarchical groups
+            //
+            //assertEquals(
+            //    "principal size should be == 3
after removing testgroup1.group1, for principals: "
+ principals.toString(),
+            //    3,
+            //    principals.size());
            assertFalse(
                "anonuser2 should not contain
testgroup1.group1",
                principals.contains(new
GroupPrincipalImpl("testgroup1.group1")));
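
Review bot: the assertEquals on principals.size() is commented out rather than updated, and the comment "because of hierarchical groups" does not say what the size should now be. With only the assertFalse left, this test still passes if hierarchy resolution adds group principals the user should not hold. Assert the exact expected principal set for the default strategy, or delete the dead lines and state the new expected count.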
Index:


jakarta-jetspeed-2\components\security\src\test\org\apache\jetspeed\security\TestRoleManager.java

===================================================================

RCS File:


/home/cvspublic/jakarta-jetspeed-2/components/security/src/test/org/apache/jetspeed/security/TestRoleManager.java

retrieving revision 1.4
diff -u -r1.4


jakarta-jetspeed-2\components\security\src\test\org\apache\jetspeed\security\TestRoleManager.java

---


jakarta-jetspeed-2\components\security\src\test\org\apache\jetspeed\security\TestRoleManager.java

+++


jakarta-jetspeed-2\components\security\src\test\org\apache\jetspeed\security\TestRoleManager.java

16 Jun 2004 14:33:39 -0000
@@ -14,13 +14,9 @@
 */
package org.apache.jetspeed.security;

-import java.security.Principal;
import java.util.Collection;
-import java.util.HashSet;
import java.util.prefs.Preferences;

-import javax.security.auth.Subject;
-
import junit.framework.Test;
import junit.framework.TestSuite;

@@ -121,15 +117,11 @@
try
{
rms.addRoleToUser("anonuser1",
"testusertorole1.role1");
+ Collection principals =



ums.getUser("anonuser1").getSubject().getPrincipals();

- Principal found =
- SecurityHelper.getPrincipal(
- new Subject(false, new
HashSet(principals), new HashSet(), new HashSet()),
- RolePrincipal.class);
- assertNotNull("found principal is
null", found);
assertTrue(
- "found principal should be
testusertorole1.role1, " + found.getName(),
- found.getName().equals("testusertorole1.role1"));
+ "anonuser1 should contain
testusertorole1.role1",
+ principals.contains(new
RolePrincipalImpl("testusertorole1.role1")));
}
catch (SecurityException sex)
{
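
Review bot: the new assertTrue on principals.contains(new RolePrincipalImpl("testusertorole1.role1")) checks only the directly assigned role, so nothing in this hunk exercises what the hierarchy strategy contributes to the subject. For a change that introduces role hierarchies, add one assertion for a role principal that the default generalization strategy should add and one for a role principal that must not appear.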
@@ -207,10 +199,12 @@
{
rms.removeRole("testrole1.role1");
Collection principals =



ums.getUser("anonuser2").getSubject().getPrincipals();

-            assertEquals(
-                "principal size should be == 3
after removing testrole1.role1, for principals: " +
principals.toString(),


=== message truncated ===
