GroupPermission (Apache JSPWiki 2.11.0.M6 API)

java.lang.Object
- java.security.Permission
- - org.apache.wiki.auth.permissions.GroupPermission

All Implemented Interfaces:

Serializable, Guard
```
public final class GroupPermission
extends Permission
implements Serializable
```
Permission to perform an operation on a group in a given wiki. Permission actions include: view, edit, delete.

The target of a permission is a single group or collection in a given wiki. The syntax for the target is the wiki name, followed by a colon (:) and the name of the group. “All wikis” can be specified using a wildcard (*). Group collections may also be specified using a wildcard. For groups, the wildcard may be a prefix, suffix, or all by itself. Examples of targets include:

*:* *:TestPlanners *:*Planners *:Test* mywiki:TestPlanners mywiki:*Planners mywiki:Test*

For a given target, certain permissions imply others:
- edit implies view
- delete implies edit and view
Targets that do not include a wiki prefix never imply others.

GroupPermission accepts a special target called <groupmember> that means “all groups that a user is a member of.” When included in a policy file grant block, it functions like a wildcard. Thus, this block:
```
  grant signedBy "jspwiki",
    principal org.apache.wiki.auth.authorize.Role "Authenticated" {
      permission org.apache.wiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
 
```
means, “allow Authenticated users to edit any groups they are members of.” The wildcard target (*) does not imply <groupmember>; it must be granted explicitly.
Since:

2.4.17

See Also:

Serialized Form

Field Summary

Fields
Modifier and Type	Field and Description
`static GroupPermission`	`DELETE` Convenience constant that denotes `GroupPermission( ":, "delete" )`.
`static String`	`DELETE_ACTION` Action for deleting a group or collection of groups.
`protected static int`	`DELETE_MASK`
`static GroupPermission`	`EDIT` Convenience constant that denotes `GroupPermission( ":, "edit" )`.
`static String`	`EDIT_ACTION` Action for editing a group or collection of groups.
`protected static int`	`EDIT_MASK`
`static String`	`MEMBER_TOKEN` Special target token that denotes all groups that a Subject's Principals are members of.
`static GroupPermission`	`VIEW` Convenience constant that denotes `GroupPermission( ":, "view" )`.
`static String`	`VIEW_ACTION` Action for viewing a group or collection of groups.
`protected static int`	`VIEW_MASK`

Constructor Summary

Constructors
Modifier	Constructor and Description
`protected`	`GroupPermission()` For serialization purposes
	`GroupPermission(String group, String actions)` Creates a new GroupPermission for a specified group and set of actions.

Method Summary

All Methods Static Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`protected static int`	`createMask(String actions)` Protected method that creates a binary mask based on the actions specified.
`boolean`	`equals(Object obj)` Two PagePermission objects are considered equal if their actions (after normalization), wiki and target are equal.
`String`	`getActions()` Returns the actions for this permission: “view”, “edit”, or “delete”.
`String`	`getGroup()` Returns the name of the wiki group represented by this permission.
`String`	`getWiki()` Returns the name of the wiki containing the group represented by this permission; may return the wildcard string.
`int`	`hashCode()` Returns the hash code for this GroupPermission.
`protected static int`	`impliedMask(int mask)` Creates an “implied mask” based on the actions originally assigned: for example, delete implies edit; edit implies view.
`boolean`	`implies(Permission permission)` GroupPermissions can only imply other GroupPermissions; no other permission types are implied.
`protected boolean`	`impliesMember(Permission permission)` Returns `true` if this GroupPermission was created with the token `<groupmember>` and the current thread’s Subject is a member of the Group indicated by the implied GroupPermission.
`String`	`toString()` Prints a human-readable representation of this permission.

Methods inherited from class java.security.Permission
checkGuard, getName, newPermissionCollection

Methods inherited from class java.lang.Object
clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Field Detail
- MEMBER_TOKEN
```
public static final String MEMBER_TOKEN
```
  Special target token that denotes all groups that a Subject's Principals are members of.
  
  See Also:
  
  Constant Field Values
- DELETE_ACTION
```
public static final String DELETE_ACTION
```
  Action for deleting a group or collection of groups.
  
  See Also:
  
  Constant Field Values
- EDIT_ACTION
```
public static final String EDIT_ACTION
```
  Action for editing a group or collection of groups.
  
  See Also:
  
  Constant Field Values
- VIEW_ACTION
```
public static final String VIEW_ACTION
```
  Action for viewing a group or collection of groups.
  
  See Also:
  
  Constant Field Values
- DELETE_MASK
```
protected static final int DELETE_MASK
```
  See Also:
  
  Constant Field Values
- EDIT_MASK
```
protected static final int EDIT_MASK
```
  See Also:
  
  Constant Field Values
- VIEW_MASK
```
protected static final int VIEW_MASK
```
  See Also:
  
  Constant Field Values
- DELETE
```
public static final GroupPermission DELETE
```
  Convenience constant that denotes GroupPermission( "*:*, "delete" ).
- EDIT
```
public static final GroupPermission EDIT
```
  Convenience constant that denotes GroupPermission( "*:*, "edit" ).
- VIEW
```
public static final GroupPermission VIEW
```
  Convenience constant that denotes GroupPermission( "*:*, "view" ).

Constructor Detail
- GroupPermission
```
protected GroupPermission()
```
  For serialization purposes
- GroupPermission
```
public GroupPermission(String group,
                       String actions)
```
  Creates a new GroupPermission for a specified group and set of actions. Group should include a prepended wiki name followed by a colon (:). If the wiki name is not supplied or starts with a colon, the group refers to all wikis.
  
  Parameters:
  
  group - the wiki group
  
  actions - the allowed actions for this group

Method Detail

equals
```
public boolean equals(Object obj)
```
Two PagePermission objects are considered equal if their actions (after normalization), wiki and target are equal.

Specified by:

equals in class Permission

Parameters:

obj - the object to compare

Returns:

the result of the comparison

See Also:

Object.equals(java.lang.Object)

getActions
```
public String getActions()
```
Returns the actions for this permission: “view”, “edit”, or “delete”. The actions will always be sorted in alphabetic order, and will always appear in lower case.

Specified by:

getActions in class Permission

Returns:

the actions

See Also:

Permission.getActions()

getGroup
```
public String getGroup()
```
Returns the name of the wiki group represented by this permission.

Returns:

the page name

getWiki
```
public String getWiki()
```
Returns the name of the wiki containing the group represented by this permission; may return the wildcard string.

Returns:

the wiki

hashCode
```
public int hashCode()
```
Returns the hash code for this GroupPermission.

Specified by:

hashCode in class Permission

Returns:

the hash code

See Also:

Object.hashCode()

implies
```
public boolean implies(Permission permission)
```
GroupPermissions can only imply other GroupPermissions; no other permission types are implied. One GroupPermission implies another if its actions if three conditions are met:
1. The other GroupPermission’s wiki is equal to, or a subset of, that of this permission. This permission’s wiki is considered a superset of the other if it contains a matching prefix plus a wildcard, or a wildcard followed by a matching suffix.
2. The other GroupPermission’s target is equal to, or a subset of, the target specified by this permission. This permission’s target is considered a superset of the other if it contains a matching prefix plus a wildcard, or a wildcard followed by a matching suffix.
3. All of other GroupPermission’s actions are equal to, or a subset of, those of this permission
Specified by:

implies in class Permission

Parameters:

permission - the Permission to examine

Returns:

true if the GroupPermission implies the supplied Permission; false otherwise

See Also:

Permission.implies(java.security.Permission)

toString
```
public String toString()
```
Prints a human-readable representation of this permission.

Overrides:

toString in class Permission

Returns:

the string

See Also:

Object.toString()

impliedMask
```
protected static int impliedMask(int mask)
```
Creates an “implied mask” based on the actions originally assigned: for example, delete implies edit; edit implies view.

Parameters:

mask - binary mask for actions

Returns:

binary mask for implied actions

createMask
```
protected static int createMask(String actions)
```
Protected method that creates a binary mask based on the actions specified. This is used by implies(Permission).

Parameters:

actions - the actions for this permission, separated by commas

Returns:

the binary actions mask

impliesMember

protected boolean impliesMember(Permission permission)

Returns true if this GroupPermission was created with the token <groupmember> and the current thread’s Subject is a member of the Group indicated by the implied GroupPermission. Thus, a GroupPermission with the group <groupmember> implies GroupPermission for group "TestGroup" only if the Subject is a member of TestGroup.

We make this determination by obtaining the current Thread’s AccessControlContext and requesting the SubjectDomainCombiner. If the combiner is not null, then we know that the access check was requested using a Subject; that is, that an upstream caller caused a Subject to be associated with the Thread’s ProtectionDomain by executing a Subject.doAs(Subject, java.security.PrivilegedAction) operation.

If a SubjectDomainCombiner exists, determining group membership is simple: just iterate through the Subject’s Principal set and look for all Principals of type GroupPrincipal. If the name of any Principal matches the value of the implied Permission’s getGroup() value, then the Subject is a member of this group -- and therefore this impliesMember call returns true.

This may sound complicated, but it really isn’t. Consider the following examples:

This object	`impliesMember` parameter	Calling Subject’s Principals	Result
`GroupPermission ("<groupmember>")`	`GroupPermission ("*:TestGroup")`	`WikiPrincipal ("Biff"), GroupPrincipal ("TestGroup")`	`true`
`GroupPermission ("*:TestGroup")`	`GroupPermission ("*:TestGroup")`	`WikiPrincipal ("Biff"), GroupPrincipal ("TestGroup")`	`false` - this object does not contain `<groupmember>`
`GroupPermission ("<groupmember>")`	`GroupPermission ("*:TestGroup")`	`WikiPrincipal ("Biff"), GroupPrincipal ("FooGroup")`	`false` - Subject does not contain GroupPrincipal matching implied Permission’s group (TestGroup)
`GroupPermission ("<groupmember>")`	`WikiPermission ("*:createGroups")`	`WikiPrincipal ("Biff"), GroupPrincipal ("TestGroup")`	`false` - implied permission not of type GroupPermission
`GroupPermission ("<groupmember>")`	`GroupPermission ("*:TestGroup")`	-	`false` - `Subject.doAs()` not called upstream

Note that JSPWiki’s access control checks are made inside of AuthorizationManager.checkPermission(org.apache.wiki.WikiSession, Permission), which performs a Subject.doAs() call. Thus, this Permission functions exactly the way it should during normal operations.

Parameters:: permission - the implied permission
Returns:: true if the calling Thread’s Subject contains a GroupPrincipal matching the implied GroupPermission’s group; false otherwise

Class GroupPermission

Field Summary

Constructor Summary

Method Summary

Methods inherited from class java.security.Permission

Methods inherited from class java.lang.Object

Field Detail

MEMBER_TOKEN

DELETE_ACTION

EDIT_ACTION

VIEW_ACTION

DELETE_MASK

EDIT_MASK

VIEW_MASK

DELETE

EDIT

VIEW

Constructor Detail

GroupPermission

GroupPermission

Method Detail

equals

getActions

getGroup

getWiki

hashCode

implies

toString

impliedMask

createMask

impliesMember