org.apache.wiki.auth.permissions
Class GroupPermission

java.lang.Object
  extended by java.security.Permission
      extended by org.apache.wiki.auth.permissions.GroupPermission
All Implemented Interfaces:
Serializable, Guard

public final class GroupPermission
extends Permission
implements Serializable

Permission to perform an operation on a group in a given wiki. Permission actions include: view, edit, delete.

The target of a permission is a single group or collection in a given wiki. The syntax for the target is the wiki name, followed by a colon (:) and the name of the group. “All wikis” can be specified using a wildcard (*). Group collections may also be specified using a wildcard. For groups, the wildcard may be a prefix, suffix, or all by itself. Examples of targets include:

*:*
*:TestPlanners
*:*Planners
*:Test*
mywiki:TestPlanners
mywiki:*Planners
mywiki:Test*

For a given target, certain permissions imply others:

  delete implies edit
  edit implies view

Targets that do not include a wiki prefix never imply others.
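The target and action rules above, exercised in an added example that is not part of JSPWiki's own documentation or code. It assumes JSPWiki's org.apache.wiki.auth.permissions.GroupPermission is on the classpath; the wiki and group names are constructed, and each check is annotated with the documented rule it relies on.

```java
import org.apache.wiki.auth.permissions.GroupPermission;

/**
 * Added example: evaluates a granted GroupPermission against a requested one
 * and prints which documented rule governs the outcome.
 */
public final class GroupPermissionRulesDemo {

    /** Returns granted.implies(requested) for the constructed permissions and prints the check. */
    static boolean check(String granted, String grantedActions,
                         String requested, String requestedActions, String rule) {
        GroupPermission g = new GroupPermission(granted, grantedActions);
        GroupPermission r = new GroupPermission(requested, requestedActions);
        boolean implied = g.implies(r);
        // getActions() is documented to return the actions sorted and in lower case.
        System.out.printf("%-22s %-8s implies %-22s %-8s -> %-5s (%s)%n",
                granted, g.getActions(), requested, r.getActions(), implied, rule);
        return implied;
    }

    public static void main(String[] args) {
        // Wiki wildcard plus group suffix wildcard; edit also implies view.
        check("*:*Planners", "edit", "mywiki:TestPlanners", "view",
              "wiki wildcard, suffix wildcard, edit implies view");
        // delete implies edit, so a delete grant covers an edit request on a prefix-wildcard target.
        check("mywiki:Test*", "delete", "mywiki:TestPlanners", "edit",
              "prefix wildcard, delete implies edit");
        // Implication runs one way only: edit never implies delete.
        check("*:*", "edit", "mywiki:TestPlanners", "delete",
              "edit does not imply delete");
        // A grant scoped to one wiki does not reach a group of the same name in another wiki.
        check("mywiki:TestPlanners", "delete", "otherwiki:TestPlanners", "view",
              "wiki name must match");
        // Per the class description, a target without a wiki prefix never implies others.
        check("TestPlanners", "delete", "TestPlanners", "view",
              "no wiki prefix: never implies");
    }
}
```

When reviewing a jspwiki.policy file, the cheap sanity check is to run the grants you intend against the requests you want denied; the asymmetric implication (delete > edit > view) and the wildcard matching are where policies usually end up broader than intended.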

GroupPermission accepts a special target called <groupmember> that means “all groups that a user is a member of.” When included in a policy file grant block, it functions like a wildcard. Thus, this block:

  grant signedBy "jspwiki",
    principal org.apache.wiki.auth.authorize.Role "Authenticated" {
      permission org.apache.wiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
  };
means, “allow Authenticated users to edit any groups they are members of.” The wildcard target (*) does not imply <groupmember>; it must be granted explicitly.

Since:
2.4.17
See Also:
Serialized Form

Field Summary
static GroupPermission DELETE
          Convenience constant that denotes GroupPermission( "*:*", "delete" ).
static String DELETE_ACTION
          Action for deleting a group or collection of groups.
protected static int DELETE_MASK
           
static GroupPermission EDIT
          Convenience constant that denotes GroupPermission( "*:*", "edit" ).
static String EDIT_ACTION
          Action for editing a group or collection of groups.
protected static int EDIT_MASK
           
static String MEMBER_TOKEN
          Special target token that denotes all groups that a Subject's Principals are members of.
static GroupPermission VIEW
          Convenience constant that denotes GroupPermission( "*:*", "view" ).
static String VIEW_ACTION
          Action for viewing a group or collection of groups.
protected static int VIEW_MASK
           
 
Constructor Summary
protected GroupPermission()
          For serialization purposes
  GroupPermission(String group, String actions)
          Creates a new GroupPermission for a specified group and set of actions.
 
Method Summary
protected static int createMask(String actions)
          Protected method that creates a binary mask based on the actions specified.
 boolean equals(Object obj)
          Two GroupPermission objects are considered equal if their actions (after normalization), wiki and target are equal.
 String getActions()
          Returns the actions for this permission: “view”, “edit”, or “delete”.
 String getGroup()
          Returns the name of the wiki group represented by this permission.
 String getWiki()
          Returns the name of the wiki containing the group represented by this permission; may return the wildcard string.
 int hashCode()
          Returns the hash code for this GroupPermission.
protected static int impliedMask(int mask)
          Creates an “implied mask” based on the actions originally assigned: for example, delete implies edit; edit implies view.
 boolean implies(Permission permission)
           GroupPermissions can only imply other GroupPermissions; no other permission types are implied.
protected  boolean impliesMember(Permission permission)
           Returns true if this GroupPermission was created with the token <groupmember> and the current thread’s Subject is a member of the Group indicated by the implied GroupPermission.
 String toString()
          Prints a human-readable representation of this permission.
 
Methods inherited from class java.security.Permission
checkGuard, getName, newPermissionCollection
 
Methods inherited from class java.lang.Object
clone, finalize, getClass, notify, notifyAll, wait, wait, wait
 

Field Detail

MEMBER_TOKEN

public static final String MEMBER_TOKEN
Special target token that denotes all groups that a Subject's Principals are members of.

See Also:
Constant Field Values

DELETE_ACTION

public static final String DELETE_ACTION
Action for deleting a group or collection of groups.

See Also:
Constant Field Values

EDIT_ACTION

public static final String EDIT_ACTION
Action for editing a group or collection of groups.

See Also:
Constant Field Values

VIEW_ACTION

public static final String VIEW_ACTION
Action for viewing a group or collection of groups.

See Also:
Constant Field Values

DELETE_MASK

protected static final int DELETE_MASK
See Also:
Constant Field Values

EDIT_MASK

protected static final int EDIT_MASK
See Also:
Constant Field Values

VIEW_MASK

protected static final int VIEW_MASK
See Also:
Constant Field Values

DELETE

public static final GroupPermission DELETE
Convenience constant that denotes GroupPermission( "*:*", "delete" ).


EDIT

public static final GroupPermission EDIT
Convenience constant that denotes GroupPermission( "*:*", "edit" ).


VIEW

public static final GroupPermission VIEW
Convenience constant that denotes GroupPermission( "*:*", "view" ).

Constructor Detail

GroupPermission

protected GroupPermission()
For serialization purposes


GroupPermission

public GroupPermission(String group,
                       String actions)
Creates a new GroupPermission for a specified group and set of actions. Group should include a prepended wiki name followed by a colon (:). If the wiki name is not supplied or starts with a colon, the group refers to all wikis.

Parameters:
group - the wiki group
actions - the allowed actions for this group
Method Detail

equals

public boolean equals(Object obj)
Two GroupPermission objects are considered equal if their actions (after normalization), wiki and target are equal.

Specified by:
equals in class Permission
Parameters:
obj - the object to compare
Returns:
the result of the comparison
See Also:
Object.equals(java.lang.Object)

getActions

public String getActions()
Returns the actions for this permission: “view”, “edit”, or “delete”. The actions will always be sorted in alphabetic order, and will always appear in lower case.

Specified by:
getActions in class Permission
Returns:
the actions
See Also:
Permission.getActions()

getGroup

public String getGroup()
Returns the name of the wiki group represented by this permission.

Returns:
the group name

getWiki

public String getWiki()
Returns the name of the wiki containing the group represented by this permission; may return the wildcard string.

Returns:
the wiki

hashCode

public int hashCode()
Returns the hash code for this GroupPermission.

Specified by:
hashCode in class Permission
Returns:
the hash code
See Also:
Object.hashCode()

implies

public boolean implies(Permission permission)

GroupPermissions can only imply other GroupPermissions; no other permission types are implied. One GroupPermission implies another if three conditions are met:

  1. The other GroupPermission’s wiki is equal to, or a subset of, that of this permission. This permission’s wiki is considered a superset of the other if it contains a matching prefix plus a wildcard, or a wildcard followed by a matching suffix.
  2. The other GroupPermission’s target is equal to, or a subset of, the target specified by this permission. This permission’s target is considered a superset of the other if it contains a matching prefix plus a wildcard, or a wildcard followed by a matching suffix.
  3. All of the other GroupPermission’s actions are equal to, or a subset of, those of this permission.

Specified by:
implies in class Permission
Parameters:
permission - the Permission to examine
Returns:
true if the GroupPermission implies the supplied Permission; false otherwise
See Also:
Permission.implies(java.security.Permission)

toString

public String toString()
Prints a human-readable representation of this permission.

Overrides:
toString in class Permission
Returns:
the string
See Also:
Object.toString()

impliedMask

protected static int impliedMask(int mask)
Creates an “implied mask” based on the actions originally assigned: for example, delete implies edit; edit implies view.

Parameters:
mask - binary mask for actions
Returns:
binary mask for implied actions

createMask

protected static int createMask(String actions)
Protected method that creates a binary mask based on the actions specified. This is used by implies(Permission).

Parameters:
actions - the actions for this permission, separated by commas
Returns:
the binary actions mask

impliesMember

protected boolean impliesMember(Permission permission)

Returns true if this GroupPermission was created with the token <groupmember> and the current thread’s Subject is a member of the Group indicated by the implied GroupPermission. Thus, a GroupPermission with the group <groupmember> implies GroupPermission for group "TestGroup" only if the Subject is a member of TestGroup.

We make this determination by obtaining the current Thread’s AccessControlContext and requesting the SubjectDomainCombiner. If the combiner is not null, then we know that the access check was requested using a Subject; that is, that an upstream caller caused a Subject to be associated with the Thread’s ProtectionDomain by executing a Subject.doAs(Subject, java.security.PrivilegedAction) operation.

If a SubjectDomainCombiner exists, determining group membership is simple: just iterate through the Subject’s Principal set and look for all Principals of type GroupPrincipal. If the name of any Principal matches the value of the implied Permission’s getGroup() value, then the Subject is a member of this group -- and therefore this impliesMember call returns true.

This may sound complicated, but it really isn’t. Consider the following examples:

This object                       | impliesMember parameter           | Calling Subject’s Principals                         | Result
----------------------------------|-----------------------------------|------------------------------------------------------|-------
GroupPermission ("<groupmember>") | GroupPermission ("*:TestGroup")   | WikiPrincipal ("Biff"), GroupPrincipal ("TestGroup") | true
GroupPermission ("*:TestGroup")   | GroupPermission ("*:TestGroup")   | WikiPrincipal ("Biff"), GroupPrincipal ("TestGroup") | false - this object does not contain <groupmember>
GroupPermission ("<groupmember>") | GroupPermission ("*:TestGroup")   | WikiPrincipal ("Biff"), GroupPrincipal ("FooGroup")  | false - Subject does not contain GroupPrincipal matching implied Permission’s group (TestGroup)
GroupPermission ("<groupmember>") | WikiPermission ("*:createGroups") | WikiPrincipal ("Biff"), GroupPrincipal ("TestGroup") | false - implied permission not of type GroupPermission
GroupPermission ("<groupmember>") | GroupPermission ("*:TestGroup")   | -                                                    | false - Subject.doAs() not called upstream

Note that JSPWiki’s access control checks are made inside of AuthorizationManager.checkPermission(org.apache.wiki.WikiSession, Permission), which performs a Subject.doAs() call. Thus, this Permission functions exactly the way it should during normal operations.

Parameters:
permission - the implied permission
Returns:
true if the calling Thread’s Subject contains a GroupPrincipal matching the implied GroupPermission’s group; false otherwise
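The <groupmember> behaviour described above (and the "*:<groupmember>" policy grant shown in the class description), reproduced in an added example that is not part of JSPWiki's own code or documentation. It assumes JSPWiki on the classpath and assumes the constructors org.apache.wiki.auth.WikiPrincipal(String) and org.apache.wiki.auth.GroupPrincipal(String); the user and group names are constructed. The check is run inside Subject.doAs, as AuthorizationManager.checkPermission does, and once without it to show the fifth row of the table.

```java
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import org.apache.wiki.auth.GroupPrincipal;   // assumed: GroupPrincipal(String name)
import org.apache.wiki.auth.WikiPrincipal;    // assumed: WikiPrincipal(String name)
import org.apache.wiki.auth.permissions.GroupPermission;

/**
 * Added example: shows how a "*:<groupmember>" grant resolves against the
 * GroupPrincipals of the Subject that is current on the calling thread.
 */
public final class GroupMemberCheckDemo {

    /** Same grant as the policy block: "*:<groupmember>", "edit". MEMBER_TOKEN is "<groupmember>". */
    static final GroupPermission GRANTED =
            new GroupPermission("*:" + GroupPermission.MEMBER_TOKEN, "edit");

    /** Builds a constructed Subject carrying a user principal and the given group memberships. */
    static Subject subjectWithGroups(String user, String... groups) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new WikiPrincipal(user));
        for (String group : groups) {
            subject.getPrincipals().add(new GroupPrincipal(group));
        }
        return subject;
    }

    /**
     * Runs the implies() check under Subject.doAs so that impliesMember can find a
     * SubjectDomainCombiner on the thread's AccessControlContext, which is what
     * AuthorizationManager.checkPermission arranges in normal operation.
     */
    static boolean checkAs(Subject subject, GroupPermission requested) {
        return Subject.doAs(subject, (PrivilegedAction<Boolean>) () -> GRANTED.implies(requested));
    }

    public static void main(String[] args) {
        GroupPermission editTestGroup = new GroupPermission("*:TestGroup", "edit");

        Subject member    = subjectWithGroups("Biff", "TestGroup");  // table row 1
        Subject nonMember = subjectWithGroups("Biff", "FooGroup");   // table row 3

        System.out.println("member of TestGroup, under doAs:  " + checkAs(member, editTestGroup));
        System.out.println("member of FooGroup,  under doAs:  " + checkAs(nonMember, editTestGroup));
        // Table row 5: no Subject.doAs() upstream, so no SubjectDomainCombiner is found.
        System.out.println("no Subject.doAs() upstream:       " + GRANTED.implies(editTestGroup));
    }
}
```

The operational consequence is the last line: any code path that evaluates a <groupmember> grant outside Subject.doAs (a background job, a custom servlet filter, a unit test) will see the permission denied, not granted, so a missing doAs fails closed rather than open.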


Copyright © {inceptionYear}-2014 The Apache Software Foundation. All rights reserved.