From 28f1e4a66292ad75f09d63af9a017dca46a3c870 Mon Sep 17 00:00:00 2001
From: eitch <eitch@b4757028-c133-0410-b46f-93a16e12d406>
Date: Mon, 2 Aug 2010 23:20:54 +0000
Subject: [PATCH]

---
 config/PrivilegeContainer.xml                 |   2 +-
 config/PrivilegePolicies.xml                  |   6 ++
 config/PrivilegeRoles.xml                     |   5 +-
 config/PrivilegeUsers.xml                     |   3 +-
 config/Privileges.xml                         |   8 +-
 config/RestrictionPolicies.xml                |   6 --
 docs/PrivilegeHandlers.dia                    | Bin 0 -> 2034 bytes
 docs/PrivilegeModelPrivilege.dia              | Bin 0 -> 2063 bytes
 docs/PrivilegeModelUser.dia                   | Bin 0 -> 1752 bytes
 .../privilege/base/PrivilegeContainer.java    |  12 +--
 .../eitchnet/privilege/base/XmlConstants.java |   2 +-
 .../handler/DefaultPolicyHandler.java         |  47 ++++++----
 .../privilege/handler/SessionHandler.java     |   4 +-
 .../helper/BootstrapConfigurationHelper.java  |   2 +-
 .../privilege/model/Restrictable.java         |   4 +-
 .../privilege/policy/DefaultPrivilege.java    |  71 ++++++++++++++++
 .../privilege/policy/DefaultRestriction.java  |  80 ------------------
 ...ictionPolicy.java => PrivilegePolicy.java} |   5 +-
 .../privilege/test/PrivilegeTest.java         |  15 ++++
 .../privilege/test/TestRestrictable.java      |  35 ++++++++
 20 files changed, 186 insertions(+), 121 deletions(-)
 create mode 100644 config/PrivilegePolicies.xml
 delete mode 100644 config/RestrictionPolicies.xml
 create mode 100644 docs/PrivilegeHandlers.dia
 create mode 100644 docs/PrivilegeModelPrivilege.dia
 create mode 100644 docs/PrivilegeModelUser.dia
 create mode 100644 src/ch/eitchnet/privilege/policy/DefaultPrivilege.java
 delete mode 100644 src/ch/eitchnet/privilege/policy/DefaultRestriction.java
 rename src/ch/eitchnet/privilege/policy/{RestrictionPolicy.java => PrivilegePolicy.java} (60%)
 create mode 100644 test/ch/eitchnet/privilege/test/TestRestrictable.java

diff --git a/config/PrivilegeContainer.xml b/config/PrivilegeContainer.xml
index 0c64f7a94..e87acad3c 100644
--- a/config/PrivilegeContainer.xml
+++ b/config/PrivilegeContainer.xml
@@ -17,7 +17,7 @@
 	</EncryptionHandler>
 	<PolicyHandler class="ch.eitchnet.privilege.handler.DefaultPolicyHandler">
 		<Parameters>
-			<Parameter name="policyXmlFile" value="RestrictionPolicies.xml" />
+			<Parameter name="policyXmlFile" value="PrivilegePolicies.xml" />
 		</Parameters>
 	</PolicyHandler>
 
diff --git a/config/PrivilegePolicies.xml b/config/PrivilegePolicies.xml
new file mode 100644
index 000000000..2b2c6f486
--- /dev/null
+++ b/config/PrivilegePolicies.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<PrivilegePolicies>
+
+	<Policy name="DefaultPrivilege" class="ch.eitchnet.privilege.policy.DefaultPrivilege" />
+
+</PrivilegePolicies>
\ No newline at end of file
diff --git a/config/PrivilegeRoles.xml b/config/PrivilegeRoles.xml
index a09f1a393..89724934b 100644
--- a/config/PrivilegeRoles.xml
+++ b/config/PrivilegeRoles.xml
@@ -3,8 +3,11 @@
 
 	<Role name="PrivilegeAdmin" />
 	<Role name="admin">
-		<Privilege name="Service" />
+		<Privilege name="NoRestriction" />
 	</Role>
 	<Role name="user" />
+	<Role name="serviceExecutor">
+		<Privilege name="Service" />
+	</Role>
 
 </PrivilegeRoles>
\ No newline at end of file
diff --git a/config/PrivilegeUsers.xml b/config/PrivilegeUsers.xml
index cc8867f25..f03340020 100644
--- a/config/PrivilegeUsers.xml
+++ b/config/PrivilegeUsers.xml
@@ -7,8 +7,9 @@
 		<State>ENABLED</State>
 		<Locale>en_GB</Locale>
 		<Roles>
-			<Role>admin</Role>
 			<Role>PrivilegeAdmin</Role>
+			<Role>admin</Role>
+			<Role>serviceExecutor</Role>
 		</Roles>
 	</User>
 
diff --git a/config/Privileges.xml b/config/Privileges.xml
index e1fb1de4e..baec28f6c 100644
--- a/config/Privileges.xml
+++ b/config/Privileges.xml
@@ -1,10 +1,16 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Privileges>
 
-	<Privilege name="Service" policy="DefaultRestriction">
+	<Privilege name="NoRestriction" policy="DefaultPrivilege">
 		<AllAllowed>true</AllAllowed>
 		<Deny></Deny>
 		<Allow></Allow>
 	</Privilege>
+	
+	<Privilege name="Service" policy="DefaultPrivilege">
+		<AllAllowed>false</AllAllowed>
+		<Deny></Deny>
+		<Allow>ch.eitchnet.privilege.test.TestRestrictable</Allow>
+	</Privilege>
 
 </Privileges>
\ No newline at end of file
diff --git a/config/RestrictionPolicies.xml b/config/RestrictionPolicies.xml
deleted file mode 100644
index acda375fe..000000000
--- a/config/RestrictionPolicies.xml
+++ /dev/null
@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<RestrictionPolicies>
-
-	<Policy name="DefaultRestriction" class="ch.eitchnet.privilege.policy.DefaultRestriction" />
-
-</RestrictionPolicies>
\ No newline at end of file
diff --git a/docs/PrivilegeHandlers.dia b/docs/PrivilegeHandlers.dia
new file mode 100644
index 0000000000000000000000000000000000000000..4f8da83b765831d300996f1c1f64ca25a1fdaabb
GIT binary patch
literal 2034
zcmaKqc{~#iAIA&1N^_>)k`0mHOha=H&3zPdOHq_%axcP6IdT_~99whW{2bG$jSRUm
z=ah_=4o9vW)11FwJ%2o}=XpJ^*Yo|nUf)07f4u*CgHrep{XQ=4Wj8m>q?R~tweCi*
zlB!028MB16ykrfU^egw<$`T=~O!B`~N-3c(1zi6_Dn@9wbD~5&AvYb_rI!Jn#)PD$
zv#9&3-(K)Rj1>0pue@^DK=$bwH5R3kh5LJB@~_veICi(!*B1wCXL8?dp50T42(iys
zl%V=+fIuK2eL#}v=qF!PT+=pah5!#KMD1@m){_0(<&%w9->iz3o;gJquid_78Sq{1
z^Ay%@AhNj)Dv^!hk!;*Ta;)}!s9_9zLoTXg@Hq4E+Pt}4aK7IpBaH@5TX@jl^Z^Yv
zEK8{fueUwZX}w8xQaC5^-LUN*mi+``@@>4)bqznXMRwE>Gq+0G%z2$ux|;w)6noue
z#?FtBmi(E%Y^KeAu<q16HE@p_xK0g(O7R*(EOI8}qy%Vxu4PwP4thrshGnh+8r<lO
z>sLYNOS_0WX#xNMx_y0lJQWeT6_N3hayFpII6lj4wyN)knZ@*rCVg1n4)@UyiDP~*
zZnr@O_NXT}7OF`<J`I5`1i_)TUUqSJ#?CEE+lYKjeF>jBKak<22DSR^NyoJk&)xIx
zfwC+`wzy(4wX+(w?+rP)rN9E0f_%Dcmu42mUGo!1E--9^Zm#O%YTVv`#E8bT=fK7Z
z;DOf4`x=>gS^ju($@5R9&PP1eiLTG%v;23;zVtTg0ZXkex?w(J3Ei{I?gFL?dn{m?
zJOYBhGA+jg(t>qP>lp6f*9>HquS{I$q|r6>wjW22tmZ7Hy%TT|>!&95^DdsWfRZu+
zPzhyu&(aH#W`o?NJq*6j6kR!A9bRQdgQUdB1igdtKDl2tXui)S;<0sQUE>35vW@8u
zDdJh#;n0RvTb%k)E{o2<mK`$}ou|WV>PhFq(3frCp*M;%Mx3P!xbb&&F6(}@TzqL}
z5wm`kgp|3dCy+20=c_fArL>&0z0}hRXV|Kq4*rhCOS82J3;FSdiF5L?tA?=NA_1%x
z4PH}%*Qgb1&+u^Uo@5S$dv&L7?DO|^(SrDs4=#Tr(<CEK_a)qHSom4|)90p|S7elZ
zzTow^XjE>5vcrbr{HW^KXctyBGqpdGV?#(U=OsU{>R=;i(?fED2XsU(H*L;dCRP9w
zJg(?gm<jn}Z0oZ*cTg2)yxZ)k?36vr{SDxtngETM?NWM5(b?MiPI#x;(4*4`!K-Um
zp14E09k7Q6lCPK_%9AdhGqS$)ZiA-4_tE`Y^>C2;iK(4K`UOhZ*ssOeq$fiLw=h40
z;pcrV%K<3+HV8Er{Q-Z+T3IcU9>#j3$38DQh-ifO)D#@QI`uW0$+zjZMp0=ofzq|?
zH~b11`Bq;<nusmh(kKkt#U0>(ML{~JLQgtnTMUvb+h&w-#d+nW*wylAbl#H<Oq0(H
zExu5WtXbjR^1yumstqadJU*{~_jzB6R>%DUJ46QH452;q_Z)^YrJB=;yaYv8C)Ag|
zsGO(X&qj^(l{+BFl=-Z`Ozz4l7maD?I5m5)k5PQpi=2r-524i1I;?_vhuWhkwIZ1N
zBaW!hpH{Au@&=C|NFCPZ3g-FB-z$<X2R1|g8zfFA8K+fIR4_kxVflv8CO>nqY&1tq
zUbwlyZ%v{aP|^=tfoYhsF4<I7T$@##8mqsF+Gr?3x_jerC~U(~vuXYDw>_=5+we#7
z7J9Z~yaYWdZQ(y+WPw4`L+eUHE$(&>xjY6Bz)0a6G#-xZ*L%*qDiy2i6*i-lVFfPR
z(HvwXSifcud0*1xzO>_Y_EHVxr^KX2AgBc}Rc?fuE_vOK`_v}rrB{6^=9dJ_Uw?xu
zQe=JC^|!{3MEp-h_A~aL><8{IjB4oN6D(vs*hLr`hLzBzLodrz)LU8%_hV!$gdO-H
z(AZxs^1gl=e_VmeASk|j2sTQW=@niyte=r5dDQFL)>J`H?t%irTJ_0NVQXeS<m8st
zY`2}<Jg56X6)4tx$SLKE7qW2)FbdU3JtQT<L@GaYxG)c0L%o3jjEfVrF@*A@4R{by
zVQ{P~JWtC;Y!1CL$Mav1Nm;iW97|mpQQl)|OQtbQfFfw)5)qlwnNy*|LxS&z1`%rL
z&Ftdd`BGEwT#0t`{mQ2wlT+Z!_9l6YQN@l$rkH8X0sqeAGkH#LRS=KbMj(!beJo-u
z50H6sV(}t?VjNv|rzzuNx6>LIT@z@^Ehs1?4pf9+_AVGk7DgL#Kji&iU?mV9m|*#)
zJ8yjaZ3&H)otOsI+62z4pRBwvr@7(MGP`@AK#&PFT8f_#YB=Sosq)#2=%HaRHoZ&X
zW55O<CJg-XLxv+9nTX$x=Bv)?<ljt<6d!%V>Ed)*kLe<;5J#5aFD|msue6SJHKsb%
zd4wFJEY+6D6OVX)Fnz1@{tCFYi8Bq0s$MudWB2$`*@SoU|9RMe=1@sg4ITofi%)8J
zs}0{O=tE{23{upZfp7fCG~6fsK#)I4Xr<GS9E4E+R}qQK%4k8@N~n+c^>HqN7#@Qd
zPSuI9AEM#IDyda=;9uQ2o2*n%v>IpEY3JI9@A_;T{vGz}WpmvDUq8B5uVMbsp??7W
CZ2*h_

literal 0
HcmV?d00001

diff --git a/docs/PrivilegeModelPrivilege.dia b/docs/PrivilegeModelPrivilege.dia
new file mode 100644
index 0000000000000000000000000000000000000000..f46a49ea6d6e8ef2aef5ea370e9d46035577ac02
GIT binary patch
literal 2063
zcmZ{Yc{mde1IJM!#$34@epZIujmBI#W<n!3%evfWZYJ-PJGpYi5@CjrE3{P7kUQr#
z<UY!=wh(gs-rw{7_dd_>`+1(v^Lf5fshlkTjP2AW+9`cXlkdS$o$5P-B1xw#B`NC0
z8Dz>!gBxJ8!uR4$#(ln?U(44*rxTBNZ4!a#H_F<iDYcB5X3GHtFRXK3OLlo+imphD
z{5UPwPg)l*__m1|a_41CleQ-HA3T75f8QR<=#p7$K3u)u^rJ@+t{)LTiRP+*FhdV$
zaY@_4f<-4GR8PIFlT?UF43#+B9{cq>o+~iJpu>YvVa92-B7xHZInR@}B&oBmgPKL7
zY0l(LUsEwUTsms9-RV)CzrOJ3^&XgPbeb!CRWwFXxTbG1#2K+I{;P>HUa)Vh$xjL;
zAaVG)Rb*jnj*3L&*3kgs(&-f~>y`yzI+LmG!U?udB7N?=jXWAQ6C=3u5ITJBTD-#f
zKjDaOw@oZ`6M1q|<jH@%*9cvVll`k9Be)A<dh?OO-kHg6hM)1WfR5Is()Zi!{Bh{D
z6E^D){VXrjfx-^sQD`gtudYH*Yw3H}B<t}p4rR4w2UeNe91Gbna%8()k*DQh?Rmy`
z>RH`A1~Z{rCd<Cn<cgs0t?C2edH<w`N8Ejvs04!%b^nPEWji6HhLmJIb3cmAX%n6P
zI}CcdOQ>AY9Az;iL#e0pcqZA3a;V~)8u8jK_75d;eBU6G9-eNP1Tahro;)g(gXVw=
zpMsxbOznKa9Ir2agXl6}%|ZlpUsPNOrUosw2_Z%hw6Pyf%<dYsk*?8iwh~S|bE@R(
zX9KNyX}mO1ONd?wh|0ftzS~v;xHFnZW${T)CJB)-r~ICN97&79RHEehAu*ZJX8!rM
z>>u;$h21-xmEybrGL}K{x+NBR1${o{Y6R9nzlI#!CZ{^s?h$pK+YKg^ee1Hohy&yy
zjc$K|BL~p%gC$4OCb&4FU4C>rx3u}->m!J#%s{ZaiglL{2)lx+lhdCVu{iS~!nA(X
zJ!VzSTTH8yuO~EHEv#BlfOkIb_axLPfGnGc`Lb3ymsB%}f5u+2t$sC2ikKk%GrS}W
z0Ltz*(RO+LY8I%serY&mcm^F#hOg9RDs{@cZNyQ`6HGIcfWDn)S9X5>j=uUFWO1=l
z`CZfy@t2p?m)X#?$bmI~@?I2j!&%onoM`Q_AuY;t{BHW36!Ii&jeN`dLB}>L_w7=Y
z29F0ZEd1jBj2EGha>s7N{Eb{%RM2f*5m`%gVVUIA>*vrY-K9tMH-VaMKb056Yifh-
z0xP&%A1NS4m#SCxtFI(kNF8e_MtS0wk;>}i%0{D~F|0SR2{+|w=du%v0TlW?ePV72
z;5)d`obXilKb4(a4+F0zQ<gh!1vK``e5&eP!ta}BRYS)_M7R1|oQ|19p1f<e=r4g2
zcsO4Qdc$o9`#J(i_PcAMf)3)&J)K)NmZiWb>HdX1`9$?<&dp7-JMaFRc?8}EW%lkk
zx|hQGd_}9g+>O#BS4xy;A4Ab<qpsn`%fuDjy=K0W+?NH2O^v=6ze%Tt`wUc0wF9=*
z|0U$lY~Pn@?}yZfW3>O_oF#|#!4sP|<iYWNxd}lEkTNvdBE=C+O8+d9F?m{tO~<<l
zSg#~1ASxil3ID^!+8ED<t7Nj_kSJ-@;pWV74a?>5m*eMA&kk5LVxsdIV*w_e9d2P5
z(2Lac<4s}Sp0-a|oG;+qX_O($zX^ph99D_$|6tK_UcAMiB|fp@jfQ?(1tj$G*tnqO
z1u@lj8O2Z&8+w7S1S2<J5C@kSN+E0!jT^=Cr+xOe<b#vqfhJ4LmL?5-pi;M&q_SDF
z3jK<Db-IY|S>os7D$(G51Rs=j@XmUlge!UsE9;Q{CoRH?-?M~+#A%-od%N5FIN9*>
ziM68bJq}E{0=iOR6n0(pnucdVxmp74wMP{eQ*12isH=g!TMQevDD|+qe8Y=C_*&cx
z_PI!-m`fU7<jRH;+`&USi@VuS{dsm8Dk!TFHwBkLo<fS7jTmH|$-10Th6D3}y`=wl
z!ExY$>>BdnUpt87jtY(#S-mx&gw(bi4P2G^>W@(Q{feU?RG!$}+S^bci_Tt)$lbaa
zZ}cska`}v8<lP$BMdjQ^)V1+YhcSO5kAND+pA?jnU=!Q<_JAAFv-GWKCXB1MV<<D6
zJZZNjNaO6HuEfbq=&wkA`kvO{xXrg&_3#RU1~*OVaxY3WV*4`WdH2N9BN;CDq=%i`
zXF#VrV7aPSxecG1wzpu&TtM!|#vpfyuyt=}XcwV&_j}|B9Rzxzr3x+eaHOH+muVQ|
zdz=oPV<GF#;|wD|in*vGLHoTb2YWo@V;kEl7hW;2_WwhuYj(DEugPZF;azksnc=7Z
z8Q{HGqIt|1>-sGLA2)rbwXZ>(jj26ey3rF9r_UP8JlU2TDic3^PS+?j-lFF}S6$rr
zO#HK`Zq7SzU0XgCHaP6ou=xswb;*un8yIBfZ@UKAn}h@!O#tLa550}podjL9@5Dn8
z=`Yw}-k!sl6#mtY>vn>YgP#r+8c|8Nn_xV_Iiso$#))~C9L|F1P`rYY!`ZDR&c@QW
zdaY0dEo4lCKx@_fQ7Z57Wv!MtbLCz8lB-Uo@Jv%x6QE(>fQ8E*<N{5OE686L!8%r^
j4)mUr`Wl@QmOuL;>03{1EdWe+JLFi>z8Nf$!NT%4t55!)

literal 0
HcmV?d00001

diff --git a/docs/PrivilegeModelUser.dia b/docs/PrivilegeModelUser.dia
new file mode 100644
index 0000000000000000000000000000000000000000..86d5b1149545da120c81855694cad0df40d5ba97
GIT binary patch
literal 1752
zcmV;}1}FI+iwFP!000021MOW~Z`(E)eb28jT%b>hEX9^DO_O3PFl<1E7Hjit&@wG^
zrA3vb;`(L3eU#<Ik!;1bZe6k?AW5y#-yta;^5fC5{Qkp_1#jI`sh9|^+m2<oTQu;*
zlm-5E`|j&+7sK|4o3r;*M&6kpUy?=3ydzNYtLye$>+oHtvs^AMzEVUBX>k@=igx}X
zoRf|z)M?+GwOUUDOo=A(xy@OkwPce>(^fzh^twGE-Zx*0D44dBQk!y~;6k?U3BPW?
znXQj@XA`EAit|kDkoa^WDfyNk+BU~%R3vmrWj5?06pEQ5dKK;z$%zyHeo|&rN|{1|
zfAi*+YE9*vq*|Mk+j#pbn+v2DMEWe)#WMZFlg_xb-0mno`p(ep+LwdwL%*C3H)$4*
zHw!15g=1<Q3aKSwdKYpc1g9iOP_>L`aUA6lZid)%&2oxIpE0e)f%?w~SI0CUIsM4E
zQ`zfFHhrGFsS-I+mTao$;~zD3R}y_yQ}lbL*o4!4wP%5@Ec~jP@Y$=gp24?oFF6{L
zXt_(obVyz5p1wr*5t~wVV3?)L<V2cpiggb4dbZrL9h02OEZA!ZPF7TI!vDHms#}{2
zyqR%Y#MA8l;nkBq5tF~Er#Fqg`}4MS(fY`VQtfRLVp0$`y>5T9(>;}Kn~7v5!JV!O
z#dbW|=NH{<+jnP<yx@~bHnucXCxOpt5`SckT!UcQ?v*pN`d#<DXZ77;fRxk4*b_3?
z%@C?-(HdYqh3vNKVfq+a?yxs{ayTWh=9Kw!oews!+)?W27X!;AOsRC~PUR#^rvNCE
zaZwSE*gTlh5QdNo8tB^MlZkn+p=1`|xuy1`E{eiXQl-X^|DkG!5+<1@+RPZWK|QQl
zM>Z;*Y83%GvPtEEHsh_fo?A*1*58^n3Yi&tj=eeAnKvJ2&7NH>{-&44CIzNrP6K~;
z?%dAIgK`*}_<lOmuJnSen{Z(Ew=Ks`A5ICdbPkoX(Y6a-nHl5!FhW`-I1NG5AG+Q)
z1j1|@`FJLF=l%FxYep7~uddq*5eO9$&m>h!ui^~LBuGh!k0O$c%3}BrYeJD442PL2
zT>L8d^wWg1??uTR3cgwh8P1tks7Bcem8y&vr=;;e4_8GIGrv97;_=e_PWe66%p>cb
zDS3qoS7*4tI_3IiGh>}tmED?@s>Kub9LzLrYnYkXdew~4=8#ilZ4Nd)@DAcSm5%ee
z;GPcPBf7Fbs$`pzpG0OQfM~%V3-78W2le92-XStuptwwqX8erMlD9IZH$pprU)Fys
zgELnldKRxTq}@$eeOT*6oN=aC``~C0E%r!ar^D>o_Z=y-7U;g1ykq5w{llX$++NA5
zA@YQ#NlPK8AP>j`@|;MX8Iww5=>dDdo&xMq5z;nr2iz&T=lP<EZjL>7l_P>cAka@E
zkTi8x%`H7tzvcQWS%KdA`U)fhiC#X5xbO&XZV9@r77o+_b@ox`Bp21z0nj;cw{;O3
z>e0Gxe?P=mY13X}Ml0q{b1HDB_3JjLx#riEGqMJw^HKfQw0?cgG}DA$>W0>3jn1^L
z)vv?{@tia5FOf4>!<hzW8k}ixroov8XBwPoaHheT24@<aX>g{!K4%(kZ$ce|uw2BI
zCfPmX)W<CvFbO*IE7zGX%j(RR&beEo&U|UdLUS(`n!C2uv)yyYvFuu<=He|nPHOJD
zZUq_YQBrdapLzcLusT3qhP(`U8S*mZWys5rmmx1hUWU93c^UFD<Ymaq5XB%b=gP~1
zGj9dzfI6VgiPRyS|H8Rg(&nBRu<0l82mE>Y{F%~Vb<32-eNFHPJSw#gi6w{xBEcZ=
z>J0+j3O<PDICXy#&9T=XMN1x&?hNYxFq-4MlINuN8+cCo7pmex1;+p!18@w$F#yK^
z90PC+z%c;F02~8w48Sq)KXDAGWEb=Y9`_8X44N~(XaM8^c^Z3GpxM%XWeu{23vdVA
zc@;N1BR&5rzR>_H57-0t6kyM1e9a9A1dBk<Etoz0dn{a@fAo7~8d}+)*?R}JzA@Uk
zJM~CT*d@nlgEViFe=L|&$utQ(I?lUv+fKYJ2lhRpa`lpDl{{&iNb}e5Og)WL!4&iY
z%}2em=A#SeyjP?5=pud=$$2;S9u3ykqmebN)p=CBJ^wl5k(<3WGN|5o^pQ%<X3Wd`
z<{X%hU_OHR2<9W0k6=E6`3UACn2%sSg82yMBbbjM!b60|T`ZW7Kpv0>1`4nT?16y-
u1OkCzpn!n_1_~G`V4(O328!f0Co3v%&XO1A$2ZNrIr|qZGas^Rs{jBt5M;ps

literal 0
HcmV?d00001

diff --git a/src/ch/eitchnet/privilege/base/PrivilegeContainer.java b/src/ch/eitchnet/privilege/base/PrivilegeContainer.java
index 1ffc36d3b..acd6ee315 100644
--- a/src/ch/eitchnet/privilege/base/PrivilegeContainer.java
+++ b/src/ch/eitchnet/privilege/base/PrivilegeContainer.java
@@ -130,10 +130,10 @@ public class PrivilegeContainer {
 		String policyHandlerClassName = policyHandlerElement.attributeValue(XmlConstants.XML_ATTR_CLASS);
 		PolicyHandler policyHandler = ClassHelper.instantiateClass(policyHandlerClassName);
 
-		// instantiate modification handler
-		Element modificationHandlerElement = containerRootElement.element(XmlConstants.XML_HANDLER_MODEL);
-		String modificationHandlerClassName = modificationHandlerElement.attributeValue(XmlConstants.XML_ATTR_CLASS);
-		ModelHandler modelHandler = ClassHelper.instantiateClass(modificationHandlerClassName);
+		// instantiate model handler
+		Element modelHandlerElement = containerRootElement.element(XmlConstants.XML_HANDLER_MODEL);
+		String modelHandlerClassName = modelHandlerElement.attributeValue(XmlConstants.XML_ATTR_CLASS);
+		ModelHandler modelHandler = ClassHelper.instantiateClass(modelHandlerClassName);
 
 		try {
 			persistenceHandler.initialize(persistenceHandlerElement);
@@ -162,11 +162,11 @@ public class PrivilegeContainer {
 			throw new PrivilegeException("PolicyHandler " + policyHandlerClassName + " could not be initialized");
 		}
 		try {
-			modelHandler.initialize(modificationHandlerElement);
+			modelHandler.initialize(modelHandlerElement);
 			modelHandler.setPersistenceHandler(persistenceHandler);
 		} catch (Exception e) {
 			logger.error(e, e);
-			throw new PrivilegeException("ModificationHandler " + modificationHandlerClassName
+			throw new PrivilegeException("ModificationHandler " + modelHandlerClassName
 					+ " could not be initialized");
 		}
 
diff --git a/src/ch/eitchnet/privilege/base/XmlConstants.java b/src/ch/eitchnet/privilege/base/XmlConstants.java
index 727841b53..d2c7400e4 100644
--- a/src/ch/eitchnet/privilege/base/XmlConstants.java
+++ b/src/ch/eitchnet/privilege/base/XmlConstants.java
@@ -19,7 +19,7 @@ public class XmlConstants {
 	public static final String XML_ROOT_PRIVILEGE_ROLES = "PrivilegeRoles";
 	public static final String XML_ROOT_PRIVILEGES = "Privileges";
 	public static final String XML_ROOT_PRIVILEGE_USERS = "PrivilegesUsers";
-	public static final String XML_ROOT_RESTRICTION_POLICIES = "RestrictionPolicies";
+	public static final String XML_ROOT_PRIVILEGE_POLICIES = "PrivilegePolicies";
 
 	public static final String XML_HANDLER_PERSISTENCE = "PersistenceHandler";
 	public static final String XML_HANDLER_ENCRYPTION = "EncryptionHandler";
diff --git a/src/ch/eitchnet/privilege/handler/DefaultPolicyHandler.java b/src/ch/eitchnet/privilege/handler/DefaultPolicyHandler.java
index a72f5c996..27dff956d 100644
--- a/src/ch/eitchnet/privilege/handler/DefaultPolicyHandler.java
+++ b/src/ch/eitchnet/privilege/handler/DefaultPolicyHandler.java
@@ -24,8 +24,9 @@ import ch.eitchnet.privilege.helper.ConfigurationHelper;
 import ch.eitchnet.privilege.helper.XmlHelper;
 import ch.eitchnet.privilege.i18n.PrivilegeException;
 import ch.eitchnet.privilege.model.Restrictable;
+import ch.eitchnet.privilege.model.internal.Privilege;
 import ch.eitchnet.privilege.model.internal.Role;
-import ch.eitchnet.privilege.policy.RestrictionPolicy;
+import ch.eitchnet.privilege.policy.PrivilegePolicy;
 
 /**
  * @author rvonburg
@@ -33,7 +34,7 @@ import ch.eitchnet.privilege.policy.RestrictionPolicy;
  */
 public class DefaultPolicyHandler implements PolicyHandler {
 
-	private Map<String, Class<RestrictionPolicy>> policyMap;
+	private Map<String, Class<PrivilegePolicy>> policyMap;
 
 	/**
 	 * @see ch.eitchnet.privilege.handler.PolicyHandler#actionAllowed(ch.eitchnet.privilege.model.internal.Role,
@@ -48,26 +49,38 @@ public class DefaultPolicyHandler implements PolicyHandler {
 		else if (restrictable == null)
 			throw new PrivilegeException("Restrictable may not be null!");
 
-		// validate restriction key for this restrictable
-		String restrictionKey = restrictable.getRestrictionKey();
-		if (restrictionKey == null || restrictionKey.length() < 3) {
+		// validate PrivilegeName for this restrictable
+		String privilegeName = restrictable.getPrivilegeName();
+		if (privilegeName == null || privilegeName.length() < 3) {
 			throw new PrivilegeException(
-					"The RestrictionKey may not be shorter than 3 characters. Invalid Restrictable "
+					"The PrivilegeName may not be shorter than 3 characters. Invalid Restrictable "
 							+ restrictable.getClass().getName());
 		}
 
-		// get restriction policy class
-		Class<RestrictionPolicy> policyClazz = policyMap.get(restrictionKey);
-		if (policyClazz == null) {
-			throw new PrivilegeException("No RestrictionPolicy exists for the RestrictionKey " + restrictionKey
-					+ " for Restrictable " + restrictable.getClass().getName());
+		// If the role does not have this privilege, then stop as another role might have this privilege
+		if (!role.hasPrivilege(privilegeName)) {
+			return false;
 		}
 
-		// instantiate policy
-		RestrictionPolicy policy = ClassHelper.instantiateClass(policyClazz);
+		// get the privilege for this restrictable
+		Privilege privilege = PrivilegeContainer.getInstance().getModelHandler().getPrivilege(privilegeName);
+		if (privilege == null) {
+			throw new PrivilegeException("No Privilege exists with the name " + privilegeName + " for Restrictable "
+					+ restrictable.getClass().getName());
+		}
 
-		// delegate checking to restriction policy
-		return policy.actionAllowed(role, restrictable);
+		// get the policy class configured for this privilege
+		Class<PrivilegePolicy> policyClazz = policyMap.get(privilege.getPolicy());
+		if (policyClazz == null) {
+			throw new PrivilegeException("PrivilegePolicy " + privilege.getPolicy() + " does not exist for Privilege "
+					+ privilegeName);
+		}
+
+		// instantiate the policy
+		PrivilegePolicy policy = ClassHelper.instantiateClass(policyClazz);
+
+		// delegate checking to privilege policy
+		return policy.actionAllowed(role, privilege, restrictable);
 	}
 
 	/**
@@ -95,7 +108,7 @@ public class DefaultPolicyHandler implements PolicyHandler {
 					+ policyFile.getAbsolutePath());
 		}
 
-		policyMap = new HashMap<String, Class<RestrictionPolicy>>();
+		policyMap = new HashMap<String, Class<PrivilegePolicy>>();
 
 		// parse policy xml file to XML document
 		Element containerRootElement = XmlHelper.parseDocument(policyFile).getRootElement();
@@ -105,7 +118,7 @@ public class DefaultPolicyHandler implements PolicyHandler {
 			String policyName = policyElement.attributeValue(XmlConstants.XML_ATTR_NAME);
 			String policyClass = policyElement.attributeValue(XmlConstants.XML_ATTR_CLASS);
 
-			Class<RestrictionPolicy> clazz = ClassHelper.loadClass(policyClass);
+			Class<PrivilegePolicy> clazz = ClassHelper.loadClass(policyClass);
 
 			policyMap.put(policyName, clazz);
 		}
diff --git a/src/ch/eitchnet/privilege/handler/SessionHandler.java b/src/ch/eitchnet/privilege/handler/SessionHandler.java
index d019d0dbe..10e0b4fa4 100644
--- a/src/ch/eitchnet/privilege/handler/SessionHandler.java
+++ b/src/ch/eitchnet/privilege/handler/SessionHandler.java
@@ -49,7 +49,7 @@ public interface SessionHandler extends PrivilegeContainerObject {
 	public boolean isCertificateValid(Certificate certificate);
 
 	/**
-	 * @param user
+	 * @param username
 	 * @param password
 	 * 
 	 * @return
@@ -57,5 +57,5 @@ public interface SessionHandler extends PrivilegeContainerObject {
 	 * @throws AccessDeniedException
 	 *             if the user credentials are not valid
 	 */
-	public Certificate authenticate(String user, String password);
+	public Certificate authenticate(String username, String password);
 }
diff --git a/src/ch/eitchnet/privilege/helper/BootstrapConfigurationHelper.java b/src/ch/eitchnet/privilege/helper/BootstrapConfigurationHelper.java
index 14001dc08..db99ea0be 100644
--- a/src/ch/eitchnet/privilege/helper/BootstrapConfigurationHelper.java
+++ b/src/ch/eitchnet/privilege/helper/BootstrapConfigurationHelper.java
@@ -49,7 +49,7 @@ public class BootstrapConfigurationHelper {
 
 	private static String hashAlgorithm = "SHA-256";
 
-	private static String policyXmlFile = "RestrictionPolicies.xml";
+	private static String policyXmlFile = "PrivilegePolicies.xml";
 
 	private static String defaultPersistenceHandler = "ch.eitchnet.privilege.handler.DefaultPersistenceHandler";
 	private static String defaultSessionHandler = "ch.eitchnet.privilege.handler.DefaultSessionHandler";
diff --git a/src/ch/eitchnet/privilege/model/Restrictable.java b/src/ch/eitchnet/privilege/model/Restrictable.java
index 9a2952fac..155876e23 100644
--- a/src/ch/eitchnet/privilege/model/Restrictable.java
+++ b/src/ch/eitchnet/privilege/model/Restrictable.java
@@ -16,7 +16,7 @@ package ch.eitchnet.privilege.model;
  */
 public interface Restrictable {
 
-	public String getRestrictionKey();
+	public String getPrivilegeName();
 
-	public Object getRestrictionValue();
+	public Object getPrivilegeValue();
 }
diff --git a/src/ch/eitchnet/privilege/policy/DefaultPrivilege.java b/src/ch/eitchnet/privilege/policy/DefaultPrivilege.java
new file mode 100644
index 000000000..097214169
--- /dev/null
+++ b/src/ch/eitchnet/privilege/policy/DefaultPrivilege.java
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 2010
+ * 
+ * Robert von Burg
+ * eitch@eitchnet.ch
+ * 
+ * All rights reserved.
+ * 
+ */
+
+package ch.eitchnet.privilege.policy;
+
+import ch.eitchnet.privilege.i18n.PrivilegeException;
+import ch.eitchnet.privilege.model.Restrictable;
+import ch.eitchnet.privilege.model.internal.Privilege;
+import ch.eitchnet.privilege.model.internal.Role;
+
+/**
+ * @author rvonburg
+ * 
+ */
+public class DefaultPrivilege implements PrivilegePolicy {
+
+	/**
+	 * @see ch.eitchnet.privilege.policy.PrivilegePolicy#actionAllowed(ch.eitchnet.privilege.model.internal.Role,
+	 *      ch.eitchnet.privilege.model.internal.Privilege, ch.eitchnet.privilege.model.Restrictable)
+	 */
+	@Override
+	public boolean actionAllowed(Role role, Privilege privilege, Restrictable restrictable) {
+
+		// validate user is not null
+		if (role == null)
+			throw new PrivilegeException("Role may not be null!");
+
+		// get the PrivilegeName
+		String privilegeName = restrictable.getPrivilegeName();
+		if (privilegeName == null || privilegeName.isEmpty()) {
+			throw new PrivilegeException("The PrivilegeName for the Restrictable is null or empty: " + restrictable);
+		}
+
+		// does this role have privilege for any values?
+		if (privilege.isAllAllowed())
+			return true;
+
+		// get the value on which the action is to be performed
+		Object object = restrictable.getPrivilegeValue();
+
+		// DefaultPrivilege policy expects the privilege value to be a string
+		if (!(object instanceof String)) {
+			throw new PrivilegeException(Restrictable.class.getName() + " " + restrictable.getClass().getSimpleName()
+					+ " has returned a non-string privilege value!");
+		}
+
+		String privilegeValue = (String) object;
+
+		// first check values not allowed
+		for (String denied : privilege.getDenyList()) {
+			if (denied.equals(privilegeValue))
+				return false;
+		}
+
+		// now check values allowed
+		for (String allowed : privilege.getAllowList()) {
+			if (allowed.equals(privilegeValue))
+				return true;
+		}
+
+		// default is not allowed
+		return false;
+	}
+}
diff --git a/src/ch/eitchnet/privilege/policy/DefaultRestriction.java b/src/ch/eitchnet/privilege/policy/DefaultRestriction.java
deleted file mode 100644
index d0d27d1e8..000000000
--- a/src/ch/eitchnet/privilege/policy/DefaultRestriction.java
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (c) 2010
- * 
- * Robert von Burg
- * eitch@eitchnet.ch
- * 
- * All rights reserved.
- * 
- */
-
-package ch.eitchnet.privilege.policy;
-
-import ch.eitchnet.privilege.base.PrivilegeContainer;
-import ch.eitchnet.privilege.i18n.PrivilegeException;
-import ch.eitchnet.privilege.model.Restrictable;
-import ch.eitchnet.privilege.model.internal.Privilege;
-import ch.eitchnet.privilege.model.internal.Role;
-
-/**
- * @author rvonburg
- * 
- */
-public class DefaultRestriction implements RestrictionPolicy {
-
-	/**
-	 * @see ch.eitchnet.privilege.policy.RestrictionPolicy#actionAllowed(java.lang.String,
-	 *      ch.eitchnet.privilege.model.internal.Role, ch.eitchnet.privilege.model.Restrictable)
-	 */
-	@Override
-	public boolean actionAllowed(Role role, Restrictable restrictable) {
-
-		// validate user is not null
-		if (role == null)
-			throw new PrivilegeException("Role may not be null!");
-
-		// get the restriction key
-		String restrictionKey = restrictable.getRestrictionKey();
-		if (restrictionKey == null || restrictionKey.isEmpty()) {
-			throw new PrivilegeException("The restriction key for the Restrictable is null or empty: " + restrictable);
-		}
-
-		// get restriction object for users role
-		Privilege privilege = PrivilegeContainer.getInstance().getModelHandler().getPrivilege(restrictionKey);
-
-		// no restriction object means no privilege
-		// TODO should default deny/allow policy be configurable?
-		if (privilege == null)
-			return false;
-
-		// does this role have privilege for any values?
-		if (privilege.isAllAllowed())
-			return true;
-
-		// get the value on which the action is to be performed
-		Object object = restrictable.getRestrictionValue();
-
-		// DefaultRestriction policy expects the restriction value to be a string
-		if (!(object instanceof String)) {
-			throw new PrivilegeException(Restrictable.class.getName() + " " + restrictable.getClass().getSimpleName()
-					+ " has returned a non-string restriction value!");
-		}
-
-		String restrictionValue = (String) object;
-
-		// first check values not allowed
-		for (String denied : privilege.getDenyList()) {
-			if (denied.equals(restrictionValue))
-				return false;
-		}
-
-		// now check values allowed
-		for (String allowed : privilege.getAllowList()) {
-			if (allowed.equals(restrictionValue))
-				return true;
-		}
-
-		// default is not allowed
-		return false;
-	}
-}
diff --git a/src/ch/eitchnet/privilege/policy/RestrictionPolicy.java b/src/ch/eitchnet/privilege/policy/PrivilegePolicy.java
similarity index 60%
rename from src/ch/eitchnet/privilege/policy/RestrictionPolicy.java
rename to src/ch/eitchnet/privilege/policy/PrivilegePolicy.java
index 093ca1468..44c679e5b 100644
--- a/src/ch/eitchnet/privilege/policy/RestrictionPolicy.java
+++ b/src/ch/eitchnet/privilege/policy/PrivilegePolicy.java
@@ -11,13 +11,14 @@
 package ch.eitchnet.privilege.policy;
 
 import ch.eitchnet.privilege.model.Restrictable;
+import ch.eitchnet.privilege.model.internal.Privilege;
 import ch.eitchnet.privilege.model.internal.Role;
 
 /**
  * @author rvonburg
  * 
  */
-public interface RestrictionPolicy {
+public interface PrivilegePolicy {
 
-	public boolean actionAllowed(Role role, Restrictable restrictable);
+	public boolean actionAllowed(Role role, Privilege privilege, Restrictable restrictable);
 }
diff --git a/test/ch/eitchnet/privilege/test/PrivilegeTest.java b/test/ch/eitchnet/privilege/test/PrivilegeTest.java
index d7a6e748f..bfa8a7beb 100644
--- a/test/ch/eitchnet/privilege/test/PrivilegeTest.java
+++ b/test/ch/eitchnet/privilege/test/PrivilegeTest.java
@@ -26,6 +26,7 @@ import ch.eitchnet.privilege.handler.ModelHandler;
 import ch.eitchnet.privilege.i18n.AccessDeniedException;
 import ch.eitchnet.privilege.i18n.PrivilegeException;
 import ch.eitchnet.privilege.model.Certificate;
+import ch.eitchnet.privilege.model.Restrictable;
 import ch.eitchnet.privilege.model.UserRep;
 import ch.eitchnet.privilege.model.UserState;
 
@@ -185,4 +186,18 @@ public class PrivilegeTest {
 		PrivilegeContainer.getInstance().getModelHandler().addOrReplaceUser(certificate, userRep, null);
 		logger.info("Added user bob");
 	}
+
+	@Test
+	public void testPerformRestrictable() throws Exception {
+
+		Certificate certificate = PrivilegeContainer.getInstance().getSessionHandler().authenticate("eitch",
+				"1234567890");
+		org.junit.Assert.assertTrue("Certificate is null!", certificate != null);
+
+		// see if eitch can perform restrictable
+		Restrictable restrictable = new TestRestrictable();
+		boolean actionAllowed = PrivilegeContainer.getInstance().getSessionHandler().actionAllowed(certificate,
+				restrictable);
+		org.junit.Assert.assertTrue("eitch may not perform restrictable!", actionAllowed);
+	}
 }
diff --git a/test/ch/eitchnet/privilege/test/TestRestrictable.java b/test/ch/eitchnet/privilege/test/TestRestrictable.java
new file mode 100644
index 000000000..1f65beef6
--- /dev/null
+++ b/test/ch/eitchnet/privilege/test/TestRestrictable.java
@@ -0,0 +1,35 @@
+/*
+ * Copyright (c) 2010
+ * 
+ * Robert von Burg
+ * eitch@eitchnet.ch
+ * 
+ * All rights reserved.
+ * 
+ */
+
+package ch.eitchnet.privilege.test;
+
+import ch.eitchnet.privilege.model.Restrictable;
+
+/**
+ * @author rvonburg
+ *
+ */
+public class TestRestrictable implements Restrictable {
+
+	/**@see ch.eitchnet.privilege.model.Restrictable#getPrivilegeName()
+	 */
+	@Override
+	public String getPrivilegeName() {
+		return "Service";
+	}
+
+	/**@see ch.eitchnet.privilege.model.Restrictable#getPrivilegeValue()
+	 */
+	@Override
+	public Object getPrivilegeValue() {
+		return TestRestrictable.class.getName();
+	}
+
+}