apache · spyhunter99 · Dec 15, 2025
diff --git a/jspwiki-api/src/main/java/org/apache/wiki/api/core/Engine.java b/jspwiki-api/src/main/java/org/apache/wiki/api/core/Engine.java
@@ -110,6 +110,14 @@ public interface Engine {
 
     /** The name of the property containing the ACLManager implementing class. The value is {@value}. */
     String PROP_ACL_MANAGER_IMPL = "jspwiki.aclManager";
+
+    /**
+     * The name of the property containing the AuthorizationManager implementing
+     * class. The value is {@value}.
+     *
+     * @since 3.0.0
+     */
+    String PROP_AUTHZ_MANAGER_IMPL = "jspwiki.authZManager";
 
     /** The name of the property containing the ReferenceManager implementing class. The value is {@value}. */
     String PROP_REF_MANAGER_IMPL = "jspwiki.refManager";

diff --git a/jspwiki-main/src/main/java/org/apache/wiki/WikiEngine.java b/jspwiki-main/src/main/java/org/apache/wiki/WikiEngine.java
@@ -276,6 +276,7 @@ public void initialize( final Properties props ) throws WikiException {
         //
         try {
             final String aclClassName = m_properties.getProperty( PROP_ACL_MANAGER_IMPL, ClassUtil.getMappedClass( AclManager.class.getName() ).getName() );
+            final String authClassName = m_properties.getProperty( PROP_AUTHZ_MANAGER_IMPL, ClassUtil.getMappedClass( AuthorizationManager.class.getName() ).getName() );
             final String urlConstructorClassName = TextUtil.getStringProperty( props, PROP_URLCONSTRUCTOR, "DefaultURLConstructor" );
             final Class< URLConstructor > urlclass = ClassUtil.findClass( "org.apache.wiki.url", urlConstructorClassName );
 
@@ -289,7 +290,7 @@ public void initialize( final Properties props ) throws WikiException {
             initComponent( VariableManager.class, props );
             initComponent( SearchManager.class, this, props );
             initComponent( AuthenticationManager.class );
-            initComponent( AuthorizationManager.class );
+            initComponent( authClassName, AuthorizationManager.class );
             initComponent( UserManager.class );
             initComponent( GroupManager.class );
             initComponent( EditorManager.class, this );

diff --git a/jspwiki-main/src/main/java/org/apache/wiki/auth/DefaultAuthorizationManager.java b/jspwiki-main/src/main/java/org/apache/wiki/auth/DefaultAuthorizationManager.java
@@ -61,10 +61,14 @@ Licensed to the Apache Software Foundation (ASF) under one
 import java.security.cert.Certificate;
 import java.text.MessageFormat;
 import java.util.Arrays;
+import java.util.HashSet;
 import java.util.Map;
 import java.util.Properties;
 import java.util.ResourceBundle;
+import java.util.Set;
 import java.util.WeakHashMap;
+import org.apache.wiki.auth.acl.adv.AdvancedAcl;
+import org.apache.wiki.auth.acl.adv.RuleNode;
 
 
 /**
@@ -85,7 +89,7 @@ public class DefaultAuthorizationManager implements AuthorizationManager {
     /** Cache for storing ProtectionDomains used to evaluate the local policy. */
     private final Map< Principal, ProtectionDomain > m_cachedPds = new WeakHashMap<>();
 
-    private Engine m_engine;
+    protected Engine m_engine;
 
     private LocalPolicy m_localPolicy;
 
@@ -135,7 +139,35 @@ public boolean checkPermission( final Session session, final Permission permissi
             fireEvent( WikiSecurityEvent.ACCESS_ALLOWED, user, permission );
             return true;
         }
+        if (acl instanceof AdvancedAcl) {
+            AdvancedAcl a2 = (AdvancedAcl) acl;
+            Set<String> roles = new HashSet<>();
+            roles.add(session.getLoginPrincipal().getName());
+            if (session.getRoles() != null) {
+                for (Principal p : session.getRoles()) {
+                    roles.add(p.getName());
+                }
+            }
+            RuleNode node = a2.getNode(permission);
+            if (node == null) {
+                fireEvent(WikiSecurityEvent.ACCESS_ALLOWED, user, permission);
+                return true;
+            }
+            Set<String> potentialRoles = node.getAllRoles();
+            for (String s : potentialRoles) {
+                if (hasRoleOrPrincipal(session, new WikiPrincipal(s))) {
+                    roles.add(s);
+                }
+            }
 
+            if (node.evaluate(roles)) {
+                //granted..
+                fireEvent(WikiSecurityEvent.ACCESS_ALLOWED, user, permission);
+                return true;
+            }
+            fireEvent( WikiSecurityEvent.ACCESS_DENIED, user, permission );
+            return false;
+        }
         // Next, iterate through the Principal objects assigned this permission. If the context's subject possesses
         // any of these, the action is allowed.
         final Principal[] aclPrincipals = acl.findPrincipals( permission );

diff --git a/jspwiki-main/src/main/java/org/apache/wiki/auth/acl/DefaultAclManager.java b/jspwiki-main/src/main/java/org/apache/wiki/auth/acl/DefaultAclManager.java
@@ -49,6 +49,12 @@ Licensed to the Apache Software Foundation (ASF) under one
 import java.util.TreeMap;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import org.apache.wiki.auth.acl.adv.AdvancedAcl;
+import org.apache.wiki.auth.acl.adv.NotNode;
+import org.apache.wiki.auth.acl.adv.OperatorNode;
+import org.apache.wiki.auth.acl.adv.RoleNode;
+import org.apache.wiki.auth.acl.adv.RuleNode;
+import org.apache.wiki.auth.acl.adv.RuleParser;
 
 /**
  * Default implementation that parses Acls from wiki page markup.
@@ -91,10 +97,40 @@ public void initialize( final Engine engine, final Properties props ) {
     public Acl parseAcl( final Page page, final String ruleLine ) throws WikiSecurityException {
         Acl acl = page.getAcl();
         if (acl == null) {
-            acl = Wiki.acls().acl();
+            acl = Wiki.acls().acl();    
         }
 
         try {
+            if (ruleLine.contains(" AND ")
+                    || ruleLine.contains(" NOT ")
+                    || ruleLine.contains(" OR ")) {
+                try {
+                    if (acl == null || !(acl instanceof AdvancedAcl)) {
+                        acl = new AdvancedAcl();
+                    }
+                    final StringTokenizer fieldToks = new StringTokenizer(ruleLine);
+                    //burn off the allow tag
+                    fieldToks.nextToken();
+                    //get the permission flag. i.e. edit, view, etc
+                    final String actions = fieldToks.nextToken();
+                    StringBuilder sb = new StringBuilder();
+                    while (fieldToks.hasMoreTokens()) {
+                        sb.append(fieldToks.nextToken() + " ");
+                    }
+                    RuleParser parser = new RuleParser(sb.toString());
+                    RuleNode node = parser.parse();
+                    ((AdvancedAcl) acl).addRuleNode(node, actions);
+                    recursiveResolve(node);
+                    page.setAcl(acl);
+                    LOG.debug(acl.toString());
+                    return acl;
+                } catch (final NoSuchElementException nsee) {
+                    LOG.warn("Invalid access rule: " + ruleLine + " - defaults will be used.");
+                    throw new WikiSecurityException("Invalid access rule: " + ruleLine, nsee);
+                } catch (final IllegalArgumentException iae) {
+                    throw new WikiSecurityException("Invalid permission type: " + ruleLine, iae);
+                }
+            }
             final StringTokenizer fieldToks = new StringTokenizer(ruleLine);
             fieldToks.nextToken();
             final String actions = fieldToks.nextToken();
@@ -128,7 +164,19 @@ public Acl parseAcl( final Page page, final String ruleLine ) throws WikiSecurit
 
         return acl;
     }
-
+  private void recursiveResolve(RuleNode node) {
+        if (node == null) {
+            return;
+        }
+        if (node instanceof OperatorNode) {
+            recursiveResolve(((OperatorNode) node).getLeft());
+            recursiveResolve(((OperatorNode) node).getRight());
+        } else if (node instanceof NotNode) {
+            recursiveResolve(((NotNode) node).getChild());
+        } else if (node instanceof RoleNode) {
+            ((RoleNode) node).setPrincipal(m_auth.resolvePrincipal(((RoleNode) node).getRole()));
+        }
+    }
 
     /** {@inheritDoc} */
     @Override

diff --git a/jspwiki-main/src/main/java/org/apache/wiki/auth/acl/adv/AdvancedAcl.java b/jspwiki-main/src/main/java/org/apache/wiki/auth/acl/adv/AdvancedAcl.java
@@ -0,0 +1,116 @@
+/*
+ * Copyright 2025 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wiki.auth.acl.adv;
+
+import java.security.Permission;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+import org.apache.wiki.api.core.AclEntry;
+import org.apache.wiki.auth.acl.Acl;
+
+/**
+ * an extension to the base ACL classes that provides boolean logic, tyical use
+ * case is for role/group membership
+ *
+ * @since 3.0.0
+ * @see AclEntry
+ * @see AclImpl
+ * @see DefaultAclManager
+ */
+public class AdvancedAcl implements org.apache.wiki.api.core.Acl, Acl {
+
+    private Map<String, RuleNode> nodes = new HashMap<>();
+
+    @Override
+    public boolean addEntry(AclEntry entry) {
+        if (entry instanceof AdvancedAcl e) {
+            this.nodes.putAll(e.nodes);
+            return true;
+        }
+        return false;
+    }
+
+    @Override
+    public Enumeration<AclEntry> aclEntries() {
+        throw new UnsupportedOperationException("Not supported yet.");
+    }
+
+    @Override
+    public boolean isEmpty() {
+        return nodes.isEmpty();
+    }
+
+    @Override
+    public Principal[] findPrincipals(Permission permission) {
+        final List< Principal> principals = new ArrayList<>();
+        final Enumeration< AclEntry> entries = aclEntries();
+        while (entries.hasMoreElements()) {
+            final AclEntry entry = entries.nextElement();
+            final Enumeration< Permission> permissions = entry.permissions();
+            while (permissions.hasMoreElements()) {
+                final Permission perm = permissions.nextElement();
+                if (perm.implies(permission)) {
+                    principals.add(entry.getPrincipal());
+                }
+            }
+        }
+        return principals.toArray(new Principal[0]);
+    }
+
+    @Override
+    public AclEntry getAclEntry(Principal principal) {
+        throw new UnsupportedOperationException("Not supported yet.");
+    }
+
+    @Override
+    public boolean removeEntry(AclEntry entry) {
+        boolean success = false;
+        if (entry instanceof AdvancedAcl e) {
+            for (String s : e.nodes.keySet()) {
+                RuleNode remove = nodes.remove(s);
+                if (remove != null) {
+                    success = true;
+                }
+            }
+
+        }
+        return success;
+    }
+
+    public void addRuleNode(RuleNode node, String actions) {
+        nodes.put(actions, node);
+    }
+
+    public RuleNode getNode(Permission permission) {
+        return nodes.get(permission.getActions());
+    }
+
+    @Override
+    public String toString() {
+        StringBuilder sb = new StringBuilder();
+
+        for (Entry<String, RuleNode> e : nodes.entrySet()) {
+            sb.append("[{ALLOW ").append(e.getKey()).append(" ").append(e.toString()).append("}]\n");
+        }
+        return sb.toString();
+    }
+
+}
diff --git a/jspwiki-main/src/main/java/org/apache/wiki/auth/acl/adv/NotNode.java b/jspwiki-main/src/main/java/org/apache/wiki/auth/acl/adv/NotNode.java
@@ -0,0 +1,49 @@
+/*
+ * Copyright 2025 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wiki.auth.acl.adv;
+
+import java.util.Set;
+
+/**
+ *
+ * @author AO
+ */
+public class NotNode extends RuleNode {
+    private final RuleNode child;
+
+    public RuleNode getChild() {
+        return child;
+    }
+
+    public NotNode(RuleNode child) {
+        this.child = child;
+    }
+
+    @Override
+    public boolean evaluate(java.util.Set<String> userRoles) {
+       return !child.evaluate(userRoles);
+    }
+
+    @Override
+    public String toString() {
+        return "(NOT " + child + ")";
+    }
+
+    @Override
+    public Set<String> getAllRoles() {
+        return child.getAllRoles();
+    }
+}