Package org.apache.wiki.auth.permissions

Class GroupPermission

java.lang.Object
java.security.Permission
org.apache.wiki.auth.permissions.GroupPermission
All Implemented Interfaces:
java.io.Serializable, java.security.Guard
public final class GroupPermission
extends java.security.Permission
implements java.io.Serializable

Permission to perform an operation on a group in a given wiki. Permission actions include: view, edit, delete.

The target of a permission is a single group or collection in a given wiki. The syntax for the target is the wiki name, followed by a colon (:) and the name of the group. “All wikis” can be specified using a wildcard (*). Group collections may also be specified using a wildcard. For groups, the wildcard may be a prefix, suffix, or all by itself. Examples of targets include:

*:*
*:TestPlanners
*:*Planners
*:Test*
mywiki:TestPlanners
mywiki:*Planners
mywiki:Test*

For a given target, certain permissions imply others:

  • edit implies view
  • delete implies edit and view

Targets that do not include a wiki prefix never imply others.

GroupPermission accepts a special target called <groupmember> that means “all groups that a user is a member of.” When included in a policy file grant block, it functions like a wildcard. Thus, this block: 

  grant signedBy "jspwiki",
    principal org.apache.wiki.auth.authorize.Role "Authenticated" {
      permission org.apache.wiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
means, “allow Authenticated users to edit any groups they are members of.” The wildcard target (*) does not imply <groupmember>; it must be granted explicitly.
Since:
2.4.17
See Also:
Serialized Form

  • Field Summary

    Fields
    Modifier and Type Field Description
    static GroupPermission DELETE
    Convenience constant that denotes GroupPermission( "*:*, "delete" ).
    static java.lang.String DELETE_ACTION
    Action for deleting a group or collection of groups.
    protected static int DELETE_MASK  
    static GroupPermission EDIT
    Convenience constant that denotes GroupPermission( "*:*, "edit" ).
    static java.lang.String EDIT_ACTION
    Action for editing a group or collection of groups.
    protected static int EDIT_MASK  
    static java.lang.String MEMBER_TOKEN
    Special target token that denotes all groups that a Subject's Principals are members of.
    static GroupPermission VIEW
    Convenience constant that denotes GroupPermission( "*:*, "view" ).
    static java.lang.String VIEW_ACTION
    Action for viewing a group or collection of groups.
    protected static int VIEW_MASK  

  • Constructor Summary

    Constructors
    Modifier Constructor Description
    protected GroupPermission()
    For serialization purposes
      GroupPermission​(java.lang.String group, java.lang.String actions)
    Creates a new GroupPermission for a specified group and set of actions.

  • Method Summary

    Modifier and Type Method Description
    protected static int createMask​(java.lang.String actions)
    Protected method that creates a binary mask based on the actions specified.
    boolean equals​(java.lang.Object obj)
    Two PagePermission objects are considered equal if their actions (after normalization), wiki and target are equal.
    java.lang.String getActions()
    Returns the actions for this permission: “view”, “edit”, or “delete”.
    java.lang.String getGroup()
    Returns the name of the wiki group represented by this permission.
    java.lang.String getWiki()
    Returns the name of the wiki containing the group represented by this permission; may return the wildcard string.
    int hashCode()
    Returns the hash code for this GroupPermission.
    protected static int impliedMask​(int mask)
    Creates an “implied mask” based on the actions originally assigned: for example, delete implies edit; edit implies view.
    boolean implies​(java.security.Permission permission)
    GroupPermissions can only imply other GroupPermissions; no other permission types are implied.
    protected boolean impliesMember​(java.security.Permission permission)
    Returns true if this GroupPermission was created with the token <groupmember> and the current thread’s Subject is a member of the Group indicated by the implied GroupPermission.
    java.lang.String toString()
    Prints a human-readable representation of this permission.

    Methods inherited from class java.security.Permission

    checkGuard, getName, newPermissionCollection

    Methods inherited from class java.lang.Object

    clone, finalize, getClass, notify, notifyAll, wait, wait, wait

  • Field Details

  • Constructor Details

    • GroupPermission

      protected GroupPermission()
      For serialization purposes

    • GroupPermission

      public GroupPermission​(java.lang.String group, java.lang.String actions)
      Creates a new GroupPermission for a specified group and set of actions. Group should include a prepended wiki name followed by a colon (:). If the wiki name is not supplied or starts with a colon, the group refers to all wikis.
      Parameters:
      group - the wiki group
      actions - the allowed actions for this group

  • Method Details

    • equals

      public boolean equals​(java.lang.Object obj)
      Two PagePermission objects are considered equal if their actions (after normalization), wiki and target are equal.
      Specified by:
      equals in class java.security.Permission
      Parameters:
      obj - the object to compare
      Returns:
      the result of the comparison
      See Also:
      Object.equals(java.lang.Object)

    • getActions

      public java.lang.String getActions()
      Returns the actions for this permission: “view”, “edit”, or “delete”. The actions will always be sorted in alphabetic order, and will always appear in lower case.
      Specified by:
      getActions in class java.security.Permission
      Returns:
      the actions
      See Also:
      Permission.getActions()

    • getGroup

      public java.lang.String getGroup()
      Returns the name of the wiki group represented by this permission.
      Returns:
      the page name

    • getWiki

      public java.lang.String getWiki()
      Returns the name of the wiki containing the group represented by this permission; may return the wildcard string.
      Returns:
      the wiki

    • hashCode

      public int hashCode()
      Returns the hash code for this GroupPermission.
      Specified by:
      hashCode in class java.security.Permission
      Returns:
      the hash code
      See Also:
      Object.hashCode()

    • implies

      public boolean implies​(java.security.Permission permission)

      GroupPermissions can only imply other GroupPermissions; no other permission types are implied. One GroupPermission implies another if its actions if three conditions are met:

      1. The other GroupPermission’s wiki is equal to, or a subset of, that of this permission. This permission’s wiki is considered a superset of the other if it contains a matching prefix plus a wildcard, or a wildcard followed by a matching suffix.
      2. The other GroupPermission’s target is equal to, or a subset of, the target specified by this permission. This permission’s target is considered a superset of the other if it contains a matching prefix plus a wildcard, or a wildcard followed by a matching suffix.
      3. All of other GroupPermission’s actions are equal to, or a subset of, those of this permission
      Specified by:
      implies in class java.security.Permission
      Parameters:
      permission - the Permission to examine
      Returns:
      true if the GroupPermission implies the supplied Permission; false otherwise
      See Also:
      Permission.implies(java.security.Permission)

    • toString

      public java.lang.String toString()
      Prints a human-readable representation of this permission.
      Overrides:
      toString in class java.security.Permission
      Returns:
      the string
      See Also:
      Object.toString()

    • impliedMask

      protected static int impliedMask​(int mask)
      Creates an “implied mask” based on the actions originally assigned: for example, delete implies edit; edit implies view.
      Parameters:
      mask - binary mask for actions
      Returns:
      binary mask for implied actions

    • createMask

      protected static int createMask​(java.lang.String actions)
      Protected method that creates a binary mask based on the actions specified. This is used by implies(Permission).
      Parameters:
      actions - the actions for this permission, separated by commas
      Returns:
      the binary actions mask

    • impliesMember

      protected boolean impliesMember​(java.security.Permission permission)

      Returns true if this GroupPermission was created with the token <groupmember> and the current thread’s Subject is a member of the Group indicated by the implied GroupPermission. Thus, a GroupPermission with the group <groupmember> implies GroupPermission for group "TestGroup" only if the Subject is a member of TestGroup.

      We make this determination by obtaining the current Thread’s AccessControlContext and requesting the SubjectDomainCombiner. If the combiner is not null, then we know that the access check was requested using a Subject; that is, that an upstream caller caused a Subject to be associated with the Thread’s ProtectionDomain by executing a Subject.doAs(Subject, java.security.PrivilegedAction) operation.

      If a SubjectDomainCombiner exists, determining group membership is simple: just iterate through the Subject’s Principal set and look for all Principals of type GroupPrincipal. If the name of any Principal matches the value of the implied Permission’s getGroup() value, then the Subject is a member of this group -- and therefore this impliesMember call returns true.

      This may sound complicated, but it really isn’t. Consider the following examples:

      This object impliesMember parameter Calling Subject’s Principals Result
      GroupPermission ("<groupmember>") GroupPermission ("*:TestGroup") WikiPrincipal ("Biff"),
      GroupPrincipal ("TestGroup")      		 true
      GroupPermission ("*:TestGroup") GroupPermission ("*:TestGroup") WikiPrincipal ("Biff"),
      GroupPrincipal ("TestGroup")      		 false - this object does not contain <groupmember>
      GroupPermission ("<groupmember>") GroupPermission ("*:TestGroup") WikiPrincipal ("Biff"),
      GroupPrincipal ("FooGroup")      		 false - Subject does not contain GroupPrincipal matching implied Permission’s group (TestGroup)
      GroupPermission ("<groupmember>") WikiPermission ("*:createGroups") WikiPrincipal ("Biff"),
      GroupPrincipal ("TestGroup")      		 false - implied permission not of type GroupPermission
      GroupPermission ("<groupmember>") GroupPermission ("*:TestGroup") - false - Subject.doAs() not called upstream

      Note that JSPWiki’s access control checks are made inside of AuthorizationManager.checkPermission(org.apache.wiki.WikiSession, Permission), which performs a Subject.doAs() call. Thus, this Permission functions exactly the way it should during normal operations.

      Parameters:
      permission - the implied permission
      Returns:
      true if the calling Thread’s Subject contains a GroupPrincipal matching the implied GroupPermission’s group; false otherwise