Page instantiation protection by combined ruleset.

wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authorization/strategies/role/annotations/AnnotationsRoleAuthorizationStrategy.java

@@ -58,7 +58,7 @@ public <T extends IRequestableComponent> boolean isInstantiationAuthorized(
 		final AuthorizeInstantiation classAnnotation = componentClass.getAnnotation(AuthorizeInstantiation.class);
 		if (classAnnotation != null)
 		{
-			authorized = hasAny(new Roles(classAnnotation.value()));
+			authorized = check(classAnnotation);
 		}
 		else
 		{
@@ -69,14 +69,51 @@ public <T extends IRequestableComponent> boolean isInstantiationAuthorized(
 				final AuthorizeInstantiation packageAnnotation = componentPackage.getAnnotation(AuthorizeInstantiation.class);
 				if (packageAnnotation != null)
 				{
-					authorized = hasAny(new Roles(packageAnnotation.value()));
+					authorized = check(packageAnnotation);
+				}
+			}
+		}
+
+		// Check for multiple instantiations
+		final AuthorizeInstantiations authorizeInstantiationsAnnotation = componentClass
+			.getAnnotation(AuthorizeInstantiations.class);
+		if (authorizeInstantiationsAnnotation != null)
+		{
+			for (final AuthorizeInstantiation authorizeInstantiationAnnotation : authorizeInstantiationsAnnotation
+				.ruleset())
+			{
+				if (!check(authorizeInstantiationAnnotation))
+				{
+					authorized = false;
 				}
 			}
 		}
 
 		return authorized;
 	}
 
+	/**
+	 * Check if annotated instantiation is allowed.
+	 * 
+	 * @param authorizeInstantiationAnnotation
+	 *            The annotations information
+	 * @return False if the instantiation is not authorized
+	 */
+	private <T extends IRequestableComponent> boolean check(
+		final AuthorizeInstantiation authorizeInstantiationAnnotation)
+	{
+		// We are authorized unless we are found not to be
+		boolean authorized = true;
+
+		// Check class annotation first because it is more specific than package annotation
+		if (authorizeInstantiationAnnotation != null)
+		{
+			authorized = hasAny(new Roles(authorizeInstantiationAnnotation.value()));
+		}
+
+		return authorized;
+	}
+
 	/**
 	 * @see org.apache.wicket.authorization.IAuthorizationStrategy#isActionAuthorized(org.apache.wicket.Component,
 	 *      org.apache.wicket.authorization.Action)

wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authorization/strategies/role/annotations/AuthorizeInstantiations.java

@@ -0,0 +1,64 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.authroles.authorization.strategies.role.annotations;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Inherited;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * Groups a set (technically an array) of {@link AuthorizeInstantiation}s for page authorization.
+ * 
+ * This offers the ability to instantiate a page based on combined permissions / roles required. It
+ * represents an AND relationship between the included permissions / roles.
+ * 
+ * This can be used like this:
+ * 
+ * <pre>
+ * &#064;AuthorizeInstantiations(ruleset = { &#064;AuthorizeInstantiation(&quot;ADMIN&quot;),
+ * 		&#064;AuthorizeInstantiation(&quot;MANAGER&quot;) })
+ * public class ForAdministrativeManagers extends WebPage
+ * {
+ * 	public ForAdministrativeManagers()
+ * 	{
+ * 		super();
+ * 	}
+ * }
+ * </pre>
+ * 
+ * @see org.apache.wicket.authorization.IAuthorizationStrategy
+ * @see AnnotationsRoleAuthorizationStrategy
+ * @see AuthorizeInstantiation
+ * @see AuthorizeInstantiations
+ * @author René Dieckmann (rene.dieckmann@menoto.de)
+ */
+@Retention(RetentionPolicy.RUNTIME)
+@Target({ ElementType.TYPE })
+@Documented
+@Inherited
+public @interface AuthorizeInstantiations {
+
+	/**
+	 * The combined ruleset.
+	 * 
+	 * @return the combined ruleset
+	 */
+	AuthorizeInstantiation[] ruleset();
+}

wicket-auth-roles/src/test/java/org/apache/wicket/authroles/authorization/strategies/role/annotations/AnnotationsRoleAuthorizationStrategyTest.java

@@ -134,6 +134,22 @@ public void deniesInstantiationWithoutRequiredRole() throws Exception
 				.isInstantiationAuthorized(TestComponent_Instantiate.class));
 	}
 
+	@Test
+	public void allowsInstantiationWithAllRequiredRoles() throws Exception
+	{
+		AnnotationsRoleAuthorizationStrategy strategy = new AnnotationsRoleAuthorizationStrategy(
+			roles("role1", "role2"));
+		assertTrue(strategy.isInstantiationAuthorized(TestComponent_Roleset_Instantiate.class));
+	}
+
+	@Test
+	public void deniesInstantiationWithoutAllRequiredRoles() throws Exception
+	{
+		AnnotationsRoleAuthorizationStrategy strategy = new AnnotationsRoleAuthorizationStrategy(
+			roles("role2"));
+		assertFalse(strategy.isInstantiationAuthorized(TestComponent_Roleset_Instantiate.class));
+	}
+
 	@Test
 	public void allowsResourceWithRequiredRole() throws Exception
 	{
@@ -179,6 +195,20 @@ private TestComponent_Instantiate()
 		}
 
 	}
+
+	@AuthorizeInstantiations(ruleset = { @AuthorizeInstantiation({ "role1" }),
+			@AuthorizeInstantiation({ "role2" }) })
+	private static class TestComponent_Roleset_Instantiate extends WebComponent
+	{
+
+		private static final long serialVersionUID = 1L;
+
+		private TestComponent_Roleset_Instantiate()
+		{
+			super("notUsed");
+		}
+
+	}
 
 	@AuthorizeAction(action = "RENDER", roles = {"role1"}, deny = {"role3"})
 	private static class TestComponent_Render extends WebComponent