add role profiles

git-svn-id: https://svn.apache.org/repos/asf/maven/archiva/trunk@450822 13f79535-47bb-0310-9956-ffa450edef68
2006-09-28 12:06:45 +00:00 · 2006-09-28 12:06:45 +00:00 · 46926538b8
parent 1e99374aee
commit 46926538b8
20 changed files with 253 additions and 540 deletions
--- a/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaRoleConstants.java
+++ b/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaRoleConstants.java
@ -18,14 +18,42 @@ package org.apache.maven.archiva.security;
 public class ArchivaRoleConstants
 {
    public static final String DELIMITER = " - ";
    // globalish roles
    public static final String SYSTEM_ADMINISTRATOR_ROLE = "System Administrator";
    public static final String USER_ADMINISTRATOR_ROLE = "User Administrator";
    public static final String REGISTERED_USER_ROLE = "Registered User";
    public static final String GUEST_ROLE = "Guest";
    // dynamic role prefixes
    public static final String REPOSITORY_MANAGER_ROLE_PREFIX = "Repository Manager";
    public static final String REPOSITORY_OBSERVER_ROLE_PREFIX = "Repository Observer";
    // operations
    public static final String OPERATION_MANAGE_USERS = "archiva-manage-users";
    public static final String OPERATION_MANAGE_CONFIGURATION = "archiva-manage-configuration";
    public static final String OPERATION_ACTIVE_GUEST = "archiva-guest";
    public static final String OPERATION_RUN_INDEXER = "archiva-run-indexer";
    public static final String OPERATION_REGENERATE_INDEX = "archiva-regenerate-index";
    public static final String OPERATION_ACCESS_REPORT = "archiva-access-reports";
    public static final String OPERATION_ADD_REPOSITORY = "archiva-add-repository";
    public static final String OPERATION_REPOSITORY_ACCESS = "archiva-read-repository";
    public static final String OPERATION_DELETE_REPOSITORY = "archiva-delete-repository";
    public static final String OPERATION_EDIT_REPOSITORY = "archiva-edit-repository";
    public static final String OPERATION_REPOSITORY_UPLOAD = "archiva-upload-repository";
 }
--- a/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaSystemAdministratorRoleProfile.java
+++ b/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaSystemAdministratorRoleProfile.java
@ -39,6 +39,12 @@ public class ArchivaSystemAdministratorRoleProfile
        List operations = new ArrayList();
        operations.add( ArchivaRoleConstants.OPERATION_MANAGE_CONFIGURATION );
        operations.add( ArchivaRoleConstants.OPERATION_MANAGE_USERS );
        operations.add( ArchivaRoleConstants.OPERATION_RUN_INDEXER );
        operations.add( ArchivaRoleConstants.OPERATION_REGENERATE_INDEX );
        operations.add( ArchivaRoleConstants.OPERATION_ACCESS_REPORT ); // TODO: does this need to be templated?
        operations.add( ArchivaRoleConstants.OPERATION_ADD_REPOSITORY );
        operations.add( ArchivaRoleConstants.OPERATION_EDIT_REPOSITORY );
        operations.add( ArchivaRoleConstants.OPERATION_DELETE_REPOSITORY );
        return operations;
    }
--- a/archiva-security/src/main/java/org/apache/maven/archiva/security/RepsitoryManagerDynamicRoleProfile.java
+++ b/archiva-security/src/main/java/org/apache/maven/archiva/security/RepsitoryManagerDynamicRoleProfile.java
@ -0,0 +1,61 @@
 package org.apache.maven.archiva.security;
 /*
 * Copyright 2005-2006 The Apache Software Foundation.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 import org.codehaus.plexus.rbac.profile.AbstractDynamicRoleProfile;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 /**
 * @plexus.component role="org.codehaus.plexus.rbac.profile.DynamicRoleProfile"
 * role-hint="archiva-repository-manager"
 */
 public class RepsitoryManagerDynamicRoleProfile
    extends AbstractDynamicRoleProfile
 {
    public String getRoleName( String string )
    {
        return ArchivaRoleConstants.REPOSITORY_MANAGER_ROLE_PREFIX + ArchivaRoleConstants.DELIMITER + string;
    }
    public List getOperations()
    {
        List operations = new ArrayList();
        // I'm not sure these are appropriate roles.
        operations.add( ArchivaRoleConstants.OPERATION_EDIT_REPOSITORY );
        operations.add( ArchivaRoleConstants.OPERATION_DELETE_REPOSITORY );
        operations.add( ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
        operations.add( ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
        return operations;
    }
    public List getDynamicChildRoles( String string )
    {
        return Collections.singletonList(
            ArchivaRoleConstants.REPOSITORY_OBSERVER_ROLE_PREFIX + ArchivaRoleConstants.DELIMITER + string );
    }
    public boolean isAssignable()
    {
        return true;
    }
 }
--- a/archiva-security/src/main/java/org/apache/maven/archiva/security/RepsitoryObserverDynamicRoleProfile.java
+++ b/archiva-security/src/main/java/org/apache/maven/archiva/security/RepsitoryObserverDynamicRoleProfile.java
@ -0,0 +1,47 @@
 package org.apache.maven.archiva.security;
 /*
 * Copyright 2005-2006 The Apache Software Foundation.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 import org.codehaus.plexus.rbac.profile.AbstractDynamicRoleProfile;
 import java.util.List;
 import java.util.ArrayList;
 /**
 * @plexus.component role="org.codehaus.plexus.rbac.profile.DynamicRoleProfile"
 * role-hint="archiva-repository-observer"
 */
 public class RepsitoryObserverDynamicRoleProfile
    extends AbstractDynamicRoleProfile
 {
    public String getRoleName( String string )
    {
        return ArchivaRoleConstants.REPOSITORY_OBSERVER_ROLE_PREFIX + ArchivaRoleConstants.DELIMITER + string;
    }
    public List getOperations()
    {
        List operations = new ArrayList();
        operations.add( ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
        return operations;
    }
    public boolean isAssignable()
    {
        return true;
    }
 }
--- a/archiva-security/src/main/resources/META-INF/plexus/components.xml
+++ b/archiva-security/src/main/resources/META-INF/plexus/components.xml
@ -63,5 +63,25 @@
        </requirement>
      </requirements>
    </component>
    <component>
      <role>org.codehaus.plexus.rbac.profile.DynamicRoleProfile</role>
      <role-hint>archiva-repository-manager</role-hint>
      <implementation>org.apache.maven.archiva.security.RepositoryManagerDynamicRoleProfile</implementation>
      <requirements>
        <requirement>
          <role>org.codehaus.plexus.security.rbac.RBACManager</role>
        </requirement>
      </requirements>
    </component>
    <component>
      <role>org.codehaus.plexus.rbac.profile.DynamicRoleProfile</role>
      <role-hint>archiva-repository-observer</role-hint>
      <implementation>org.apache.maven.archiva.security.RepositoryObserverDynamicRoleProfile</implementation>
      <requirements>
        <requirement>
          <role>org.codehaus.plexus.security.rbac.RBACManager</role>
        </requirement>
      </requirements>
    </component>
  </components>
 </component-set>
--- a/archiva-webapp/pom.xml
+++ b/archiva-webapp/pom.xml
@ -198,15 +198,20 @@
      </exclusions>
    </dependency>
    <dependency>
-        <groupId>org.codehaus.plexus.security</groupId>
+      <groupId>org.codehaus.plexus.security</groupId>
-        <artifactId>plexus-security-keys-jdo</artifactId>
+      <artifactId>plexus-security-keys-jdo</artifactId>
-        <version>1.0-SNAPSHOT</version>
+      <version>1.0-SNAPSHOT</version>
-      </dependency>
+    </dependency>
    <dependency>
      <groupId>org.codehaus.plexus</groupId>
      <artifactId>plexus-utils</artifactId>
      <version>1.2</version>
    </dependency>    
    <dependency>
      <groupId>org.codehaus.plexus</groupId>
      <artifactId>plexus-mail-sender-javamail</artifactId>
      <version>1.0-alpha-3</version>
    </dependency>    
    <dependency>
      <groupId>org.apache.derby</groupId>
      <artifactId>derby</artifactId>
--- a/archiva-webapp/src/main/java/org/apache/maven/archiva/web/ArchivaSecurityDefaults.java
+++ b/archiva-webapp/src/main/java/org/apache/maven/archiva/web/ArchivaSecurityDefaults.java
@ -1,97 +0,0 @@
 package org.apache.maven.archiva.web;
 /*
 * Copyright 2001-2006 The Apache Software Foundation.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 import org.codehaus.plexus.security.user.User;
 import org.codehaus.plexus.security.rbac.RbacManagerException;
 /**
 * ArchivaSecurityDefaults
 *
 * NOTE: this is targeted for removal with the forth coming rbac role templating 
 *
 * @author <a href="mailto:joakim@erdfelt.com">Joakim Erdfelt</a>
 * @version $Id$
 */
 public interface ArchivaSecurityDefaults
 {
    public static final String ROLE = ArchivaSecurityDefaults.class.getName();
    public static final String GUEST_USERNAME = "guest";
    public static final String INDEX_REGENERATE_OPERATION = "regenerate-index";
    public static final String INDEX_REGENERATE_PERMISSION = "Regenerate Index";
    public static final String INDEX_RUN_OPERATION = "run-indexer";
    public static final String INDEX_RUN_PERMISSION = "Run Indexer";
    public static final String REPORTS_ACCESS_OPERATION = "access-reports";
    public static final String REPORTS_ACCESS_PERMISSION = "Access Reports";
    public static final String REPORTS_GENERATE_OPERATION = "generate-reports";
    public static final String REPORTS_GENERATE_PERMISSION = "Generate Reports";
    public static final String REPOSITORY_ACCESS = "Access Repository";
    public static final String REPOSITORY_ACCESS_OPERATION = "read-repository";
    public static final String REPOSITORY_ADD_OPERATION = "add-repository";
    public static final String REPOSITORY_ADD_PERMISSION = "Add Repository";
    public static final String REPOSITORY_DELETE = "Delete Repository";
    public static final String REPOSITORY_DELETE_OPERATION = "delete-repository";
    public static final String REPOSITORY_EDIT = "Edit Repository";
    public static final String REPOSITORY_EDIT_OPERATION = "edit-repository";
    public static final String REPOSITORY_MANAGER = "Repository Manager";
    public static final String REPOSITORY_OBSERVER = "Repository Observer";
    public static final String REPOSITORY_UPLOAD = "Repository Upload";
    public static final String REPOSITORY_UPLOAD_OPERATION = "upload-repository";
    public static final String ROLES_GRANT_OPERATION = "grant-roles";
    public static final String ROLES_GRANT_PERMISSION = "Grant Roles";
    public static final String ROLES_REMOVE_OPERATION = "remove-roles";
    public static final String ROLES_REMOVE_PERMISSION = "Remove Roles";
    public static final String SYSTEM_ADMINISTRATOR = "System Administrator";
    public static final String USER_ADMINISTRATOR = "User Administrator";
    public static final String USER_EDIT_OPERATION = "edit-user";
    public static final String USERS_EDIT_ALL_OPERATION = "edit-all-users";
    public static final String USERS_EDIT_ALL_PERMISSION = "Edit All Users";
    public void ensureDefaultsExist()
        throws RbacManagerException;
 }
--- a/archiva-webapp/src/main/java/org/apache/maven/archiva/web/DefaultArchivaSecurityDefaults.java
+++ b/archiva-webapp/src/main/java/org/apache/maven/archiva/web/DefaultArchivaSecurityDefaults.java
@ -1,147 +0,0 @@
 package org.apache.maven.archiva.web;
 /*
 * Copyright 2001-2006 The Apache Software Foundation.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 import org.codehaus.plexus.logging.AbstractLogEnabled;
 import org.codehaus.plexus.personality.plexus.lifecycle.phase.Initializable;
 import org.codehaus.plexus.personality.plexus.lifecycle.phase.InitializationException;
 import org.codehaus.plexus.security.rbac.Operation;
 import org.codehaus.plexus.security.rbac.Permission;
 import org.codehaus.plexus.security.rbac.RBACManager;
 import org.codehaus.plexus.security.rbac.RbacManagerException;
 /**
 * DefaultArchivaSecurityDefaults
 *
 * @author <a href="mailto:joakim@erdfelt.com">Joakim Erdfelt</a>
 * @version $Id$
 * @plexus.component role="org.apache.maven.archiva.web.ArchivaSecurityDefaults"
 */
 public class DefaultArchivaSecurityDefaults
    extends AbstractLogEnabled
    implements ArchivaSecurityDefaults, Initializable
 {
    /**
     * @plexus.requirement
     */
    private RBACManager rbacManager;
    private boolean initialized = false;
    public void ensureDefaultsExist()
        throws RbacManagerException
    {
        if ( initialized )
        {
            return;
        }
        ensureOperationsExist();
        ensurePermissionsExist();
        ensureRolesExist();
        initialized = true;
    }
    private void ensureOperationExists( String operationName )
        throws RbacManagerException
    {
        if ( !rbacManager.operationExists( operationName ) )
        {
            Operation operation = rbacManager.createOperation( operationName );
            rbacManager.saveOperation( operation );
        }
    }
    private void ensureOperationsExist()
        throws RbacManagerException
    {
        ensureOperationExists( REPOSITORY_ADD_OPERATION );
        ensureOperationExists( REPOSITORY_EDIT_OPERATION );
        ensureOperationExists( REPOSITORY_DELETE_OPERATION );
        ensureOperationExists( INDEX_RUN_OPERATION );
        ensureOperationExists( INDEX_REGENERATE_OPERATION );
        ensureOperationExists( REPORTS_ACCESS_OPERATION );
        ensureOperationExists( REPORTS_GENERATE_OPERATION );
        ensureOperationExists( USER_EDIT_OPERATION );
        ensureOperationExists( USERS_EDIT_ALL_OPERATION );
        ensureOperationExists( ROLES_GRANT_OPERATION );
        ensureOperationExists( ROLES_REMOVE_OPERATION );
        ensureOperationExists( REPOSITORY_ACCESS_OPERATION );
        ensureOperationExists( REPOSITORY_UPLOAD_OPERATION );
    }
    private void ensurePermissionExists( String permissionName, String operationName, String resourceIdentifier )
        throws RbacManagerException
    {
        if ( !rbacManager.permissionExists( permissionName ) )
        {
            Permission editConfiguration =
                rbacManager.createPermission( permissionName, operationName, resourceIdentifier );
            rbacManager.savePermission( editConfiguration );
        }
    }
    private void ensurePermissionsExist()
        throws RbacManagerException
    {
        String globalResource = rbacManager.getGlobalResource().getIdentifier();
        ensurePermissionExists( REPORTS_ACCESS_PERMISSION, REPORTS_ACCESS_OPERATION, globalResource );
        ensurePermissionExists( REPORTS_GENERATE_PERMISSION, REPORTS_GENERATE_OPERATION, globalResource );
        ensurePermissionExists( INDEX_RUN_PERMISSION, INDEX_RUN_OPERATION, globalResource );
        ensurePermissionExists( INDEX_REGENERATE_PERMISSION, INDEX_REGENERATE_OPERATION, globalResource );
        ensurePermissionExists( REPOSITORY_ADD_PERMISSION, REPOSITORY_ADD_OPERATION, globalResource );
        ensurePermissionExists( REPOSITORY_ACCESS, "access-repository", globalResource );
        ensurePermissionExists( REPOSITORY_UPLOAD, REPOSITORY_UPLOAD_OPERATION, globalResource );
    }
    private void ensureRolesExist()
        throws RbacManagerException
    {
        /* TODO!
                    if ( !rbacManager.roleExists( SYSTEM_ADMINISTRATOR ) )
                    {
                        Role admin = rbacManager.createRole( SYSTEM_ADMINISTRATOR );
                        admin.addChildRoleName( rbacManager.getRole( USER_ADMINISTRATOR ).getName() );
                        admin.addPermission( rbacManager.getPermission( CONFIGURATION_EDIT_PERMISSION ) );
                        admin.addPermission( rbacManager.getPermission( INDEX_RUN_PERMISSION ) );
                        admin.addPermission( rbacManager.getPermission( REPOSITORY_ADD_PERMISSION ) );
                        admin.addPermission( rbacManager.getPermission( REPORTS_ACCESS_PERMISSION ) );
                        admin.addPermission( rbacManager.getPermission( REPORTS_GENERATE_PERMISSION ) );
                        admin.addPermission( rbacManager.getPermission( INDEX_REGENERATE_PERMISSION ) );
                        admin.setAssignable( true );
                        rbacManager.saveRole( admin );
                    }
        */
    }
    public void initialize()
        throws InitializationException
    {
        try
        {
            ensureDefaultsExist();
        }
        catch ( RbacManagerException e )
        {
            throw new InitializationException( e.getMessage(), e );
        }
    }
 }
--- a/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/ReportsAction.java
+++ b/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/ReportsAction.java
@ -16,7 +16,6 @@ package org.apache.maven.archiva.web.action;
 * limitations under the License.
 */
 import com.opensymphony.xwork.ActionSupport;
 import com.opensymphony.xwork.Preparable;
 import org.apache.maven.archiva.configuration.Configuration;
 import org.apache.maven.archiva.configuration.ConfigurationStore;
@ -29,8 +28,13 @@ import org.apache.maven.archiva.reporting.ReportExecutor;
 import org.apache.maven.archiva.reporting.ReportGroup;
 import org.apache.maven.archiva.reporting.ReportingDatabase;
 import org.apache.maven.archiva.reporting.ReportingStoreException;
 import org.apache.maven.archiva.security.ArchivaRoleConstants;
 import org.apache.maven.artifact.repository.ArtifactRepository;
 import org.apache.maven.artifact.resolver.filter.ArtifactFilter;
 import org.codehaus.plexus.security.rbac.Resource;
 import org.codehaus.plexus.security.ui.web.interceptor.SecureAction;
 import org.codehaus.plexus.security.ui.web.interceptor.SecureActionBundle;
 import org.codehaus.plexus.security.ui.web.interceptor.SecureActionException;
 import org.codehaus.plexus.xwork.action.PlexusActionSupport;
 import java.util.ArrayList;
@ -42,10 +46,11 @@ import java.util.Map;
 * Repository reporting.
 *
 * @plexus.component role="com.opensymphony.xwork.Action" role-hint="reportsAction"
 * @todo split report access and report generation
 */
 public class ReportsAction
    extends PlexusActionSupport
-    implements Preparable
+    implements Preparable, SecureAction
 {
    /**
     * @plexus.requirement
@ -223,4 +228,15 @@ public class ReportsAction
    {
        this.filter = filter;
    }
    public SecureActionBundle getSecureActionBundle()
        throws SecureActionException
    {
        SecureActionBundle bundle = new SecureActionBundle();
        bundle.setRequiresAuthentication( true );
        bundle.addRequiredAuthorization( ArchivaRoleConstants.OPERATION_ACCESS_REPORT, Resource.GLOBAL );
        return bundle;
    }
 }
--- a/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/AbstractConfigureRepositoryAction.java
+++ b/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/AbstractConfigureRepositoryAction.java
@ -24,9 +24,14 @@ import org.apache.maven.archiva.configuration.ConfigurationChangeException;
 import org.apache.maven.archiva.configuration.ConfigurationStore;
 import org.apache.maven.archiva.configuration.ConfigurationStoreException;
 import org.apache.maven.archiva.configuration.InvalidConfigurationException;
-import org.apache.maven.archiva.web.util.RoleManager;
+import org.apache.maven.archiva.security.ArchivaRoleConstants;
 import org.codehaus.plexus.xwork.action.PlexusActionSupport;
 import org.codehaus.plexus.security.rbac.RbacManagerException;
 import org.codehaus.plexus.security.ui.web.interceptor.SecureAction;
 import org.codehaus.plexus.security.ui.web.interceptor.SecureActionBundle;
 import org.codehaus.plexus.security.ui.web.interceptor.SecureActionException;
 import org.codehaus.plexus.rbac.profile.RoleProfileException;
 import org.codehaus.plexus.rbac.profile.RoleProfileManager;
 import java.io.IOException;
@ -37,7 +42,7 @@ import java.io.IOException;
 */
 public abstract class AbstractConfigureRepositoryAction
    extends PlexusActionSupport
-    implements ModelDriven, Preparable
+    implements ModelDriven, Preparable, SecureAction
 {
    /**
     * @plexus.requirement
@ -45,9 +50,9 @@ public abstract class AbstractConfigureRepositoryAction
    private ConfigurationStore configurationStore;
    /**
-     * @plexus.requirement
+     * @plexus.requirement role-hint="archiva"
     */
-    protected RoleManager roleManager;
+    protected RoleProfileManager roleProfileManager;
    /**
     * The repository.
@ -66,7 +71,7 @@ public abstract class AbstractConfigureRepositoryAction
    public String add()
        throws IOException, ConfigurationStoreException, InvalidConfigurationException, ConfigurationChangeException,
-        RbacManagerException
+        RbacManagerException, RoleProfileException
    {
        // TODO: if this didn't come from the form, go to configure.action instead of going through with re-saving what was just loaded
@ -82,7 +87,7 @@ public abstract class AbstractConfigureRepositoryAction
    public String edit()
        throws IOException, ConfigurationStoreException, InvalidConfigurationException, ConfigurationChangeException,
-        RbacManagerException
+        RbacManagerException, RoleProfileException
    {
        // TODO: if this didn't come from the form, go to configure.action instead of going through with re-saving what was just loaded
@ -98,12 +103,10 @@ public abstract class AbstractConfigureRepositoryAction
    private String saveConfiguration()
        throws IOException, ConfigurationStoreException, InvalidConfigurationException, ConfigurationChangeException,
-        RbacManagerException
+        RbacManagerException, RoleProfileException
    {
        addRepository();
        roleManager.addRepository( repository.getId() );
        configurationStore.storeConfiguration( configuration );
        // TODO: do we need to check if indexing is needed?
@ -114,7 +117,7 @@ public abstract class AbstractConfigureRepositoryAction
    }
    protected abstract void addRepository()
-        throws IOException;
+        throws IOException, RoleProfileException;
    public String input()
    {
@ -162,4 +165,19 @@ public abstract class AbstractConfigureRepositoryAction
    {
        return configuration;
    }
    public SecureActionBundle getSecureActionBundle()
        throws SecureActionException
    {
        SecureActionBundle bundle = new SecureActionBundle();
        if ( getRepoId() != null )
        {
            bundle.setRequiresAuthentication( true );
            // TODO: this is not right. It needs to change based on method
            bundle.addRequiredAuthorization( ArchivaRoleConstants.OPERATION_EDIT_REPOSITORY, getRepoId() );
        }
        return bundle;
    }
 }
--- a/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/ConfigureRepositoryAction.java
+++ b/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/ConfigureRepositoryAction.java
@ -18,6 +18,11 @@ package org.apache.maven.archiva.web.action.admin;
 import org.apache.maven.archiva.configuration.AbstractRepositoryConfiguration;
 import org.apache.maven.archiva.configuration.RepositoryConfiguration;
 import org.apache.maven.archiva.security.ArchivaRoleConstants;
 import org.codehaus.plexus.rbac.profile.RoleProfileException;
 import org.codehaus.plexus.security.ui.web.interceptor.SecureActionBundle;
 import org.codehaus.plexus.security.ui.web.interceptor.SecureActionException;
 import org.codehaus.plexus.security.rbac.Resource;
 import java.io.File;
 import java.io.IOException;
@ -41,7 +46,7 @@ public class ConfigureRepositoryAction
    }
    protected void addRepository()
-        throws IOException
+        throws IOException, RoleProfileException
    {
        RepositoryConfiguration repository = (RepositoryConfiguration) getRepository();
@ -55,6 +60,11 @@ public class ConfigureRepositoryAction
        }
        configuration.addRepository( repository );
        // TODO: double check these are configured on start up
        roleProfileManager.getDynamicRole( "archiva-repository-manager", repository.getId() );
        roleProfileManager.getDynamicRole( "archiva-repository-observer", repository.getId() );
    }
    protected AbstractRepositoryConfiguration createRepository()
--- a/archiva-webapp/src/main/java/org/apache/maven/archiva/web/interceptor/ConfigurationInterceptor.java
+++ b/archiva-webapp/src/main/java/org/apache/maven/archiva/web/interceptor/ConfigurationInterceptor.java
@ -18,21 +18,9 @@ package org.apache.maven.archiva.web.interceptor;
 import com.opensymphony.xwork.ActionInvocation;
 import com.opensymphony.xwork.interceptor.Interceptor;
 import org.apache.maven.archiva.configuration.Configuration;
 import org.apache.maven.archiva.configuration.ConfigurationStore;
 import org.apache.maven.archiva.configuration.ConfigurationStoreException;
 import org.apache.maven.archiva.web.ArchivaSecurityDefaults;
 import org.apache.maven.archiva.web.util.RoleManager;
 import org.codehaus.plexus.logging.AbstractLogEnabled;
 import org.codehaus.plexus.security.rbac.RBACManager;
 import org.codehaus.plexus.security.rbac.RbacManagerException;
 import org.codehaus.plexus.security.user.User;
 import org.codehaus.plexus.security.user.UserManager;
 import org.codehaus.plexus.security.user.UserNotFoundException;
 import java.util.Iterator;
 import java.util.Map;
 /**
 * An interceptor that makes the application configuration available
@ -50,28 +38,6 @@ public class ConfigurationInterceptor
     */
    private ConfigurationStore configurationStore;
    /**
     * @plexus.requirement
     */
    private RoleManager roleManager;
    /**
     * @plexus.requirement
     */
    private RBACManager rbacManager;
    /**
     * @plexus.requirement
     */
    private UserManager userManager;
    /**
     * @plexus.requirement
     */
    private ArchivaSecurityDefaults archivaDefaults;
    private boolean adminInitialized = false;
    /**
     *
     * @param actionInvocation
@ -81,30 +47,6 @@ public class ConfigurationInterceptor
    public String intercept( ActionInvocation actionInvocation )
        throws Exception
    {
        archivaDefaults.ensureDefaultsExist();
        ensureRepoRolesExist();
        if ( !adminInitialized )
        {
            adminInitialized = true;
            try
            {
                User user = userManager.findUser( "admin" );
                if ( user == null )
                {
                    getLogger().info( "No admin user configured - forwarding to admin user creation page." );
                    return "admin-user-needed";
                }
                getLogger().info( "Admin user found. No need to configure admin user." );
            }
            catch ( UserNotFoundException e )
            {
                getLogger().info( "No admin user found - forwarding to admin user creation page." );
                return "admin-user-needed";
            }
        }
        Configuration configuration = configurationStore.getConfigurationFromStore();
        if ( !configuration.isValid() )
@ -126,39 +68,6 @@ public class ConfigurationInterceptor
        }
    }
    public void ensureRepoRolesExist()
        throws RbacManagerException
    {
        try
        {
            if ( configurationStore.getConfigurationFromStore().isValid() )
            {
                Map repositories = configurationStore.getConfigurationFromStore().getRepositoriesMap();
                for ( Iterator i = repositories.keySet().iterator(); i.hasNext(); )
                {
                    String id = (String) i.next();
                    if ( !rbacManager.roleExists( "Repository Observer - " + id ) )
                    {
                        getLogger().info( "recovering Repository Observer - " + id );
                        roleManager.addRepository( id );
                    }
                    if ( !rbacManager.roleExists( "Repository Manager - " + id ) )
                    {
                        getLogger().info( "recovering Repository Manager - " + id );
                        roleManager.addRepository( id );
                    }
                }
            }
        }
        catch ( ConfigurationStoreException e )
        {
            throw new RuntimeException( "error with configurationStore()" );
        }
    }
    public void destroy()
    {
        // This space left intentionally blank
--- a/archiva-webapp/src/main/java/org/apache/maven/archiva/web/servlet/repository/RepositoryAccess.java
+++ b/archiva-webapp/src/main/java/org/apache/maven/archiva/web/servlet/repository/RepositoryAccess.java
@ -22,16 +22,16 @@ import org.apache.maven.archiva.configuration.Configuration;
 import org.apache.maven.archiva.configuration.ConfigurationStore;
 import org.apache.maven.archiva.configuration.ConfigurationStoreException;
 import org.apache.maven.archiva.configuration.RepositoryConfiguration;
-import org.apache.maven.archiva.web.ArchivaSecurityDefaults;
+import org.apache.maven.archiva.security.ArchivaRoleConstants;
 import org.apache.maven.archiva.web.servlet.AbstractPlexusServlet;
 import org.codehaus.plexus.security.authentication.AuthenticationException;
 import org.codehaus.plexus.security.authentication.AuthenticationResult;
 import org.codehaus.plexus.security.authorization.AuthorizationException;
 import org.codehaus.plexus.security.policy.AccountLockedException;
 import org.codehaus.plexus.security.policy.MustChangePasswordException;
 import org.codehaus.plexus.security.system.SecuritySession;
 import org.codehaus.plexus.security.system.SecuritySystem;
 import org.codehaus.plexus.security.ui.web.filter.authentication.HttpAuthenticator;
 import org.codehaus.plexus.security.policy.AccountLockedException;
 import org.codehaus.plexus.security.policy.MustChangePasswordException;
 import org.codehaus.plexus.util.FileUtils;
 import org.codehaus.plexus.util.StringUtils;
@ -47,11 +47,10 @@ import java.util.Map;
 /**
 * RepositoryAccess - access read/write to the repository.
 *
 * @plexus.component role="org.apache.maven.archiva.web.servlet.PlexusServlet"
 *                   role-hint="repositoryAccess"
 * 
 * @author <a href="mailto:joakim@erdfelt.com">Joakim Erdfelt</a>
 * @version $Id$
 * @plexus.component role="org.apache.maven.archiva.web.servlet.PlexusServlet"
 * role-hint="repositoryAccess"
 * @todo CACHE REPOSITORY LIST
 */
 public class RepositoryAccess
@ -72,11 +71,6 @@ public class RepositoryAccess
     */
    private HttpAuthenticator httpAuth;
    /**
     * @plexus.requirement
     */
    private ArchivaSecurityDefaults archivaSecurity;
    /**
     * List of request methods that fall into the category of 'access' or 'read' of a repository.
     * All other method requests are to be considered 'write' or 'upload' requests.
@ -137,7 +131,7 @@ public class RepositoryAccess
            routeToErrorPage( response, "Invalid Repository ID." );
            return;
        }
-        
+
        // Authentication Tests.
        AuthenticationResult result;
@ -148,8 +142,8 @@ public class RepositoryAccess
            if ( !result.isAuthenticated() )
            {
                // Must Authenticate.
-                httpAuth.challenge( request, response, "Repository " + repoconfig.getName(), 
+                httpAuth.challenge( request, response, "Repository " + repoconfig.getName(),
-                                    new AuthenticationException("User Credentials Invalid") );
+                                    new AuthenticationException( "User Credentials Invalid" ) );
                return;
            }
        }
@ -161,12 +155,12 @@ public class RepositoryAccess
        catch ( AccountLockedException e )
        {
            httpAuth.challenge( request, response, "Repository " + repoconfig.getName(),
-                                new AuthenticationException("User account is locked") );
+                                new AuthenticationException( "User account is locked" ) );
        }
        catch ( MustChangePasswordException e )
        {
-            httpAuth.challenge( request, response, "Repository " + repoconfig.getName(),
+            httpAuth.challenge( request, response, "Repository " + repoconfig.getName(), new AuthenticationException(
-                                new AuthenticationException("You must change your password before you can attempt this again.") );
+                "You must change your password before you can attempt this again." ) );
        }
        // Authorization Tests.
@ -176,11 +170,11 @@ public class RepositoryAccess
        SecuritySession securitySession = httpAuth.getSecuritySession();
        try
        {
-            String permission = ArchivaSecurityDefaults.REPOSITORY_ACCESS;
+            String permission = ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS;
            if ( isWriteRequest )
            {
-                permission = ArchivaSecurityDefaults.REPOSITORY_UPLOAD;
+                permission = ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD;
            }
            permission += " - " + repoconfig.getId();
@ -190,8 +184,8 @@ public class RepositoryAccess
            if ( !isAuthorized )
            {
                // Issue HTTP Challenge.
-                httpAuth.challenge( request, response, "Repository " + repoconfig.getName(), 
+                httpAuth.challenge( request, response, "Repository " + repoconfig.getName(),
-                                    new AuthenticationException("Authorization Denied.") );
+                                    new AuthenticationException( "Authorization Denied." ) );
                return;
            }
        }
@ -204,8 +198,8 @@ public class RepositoryAccess
        RepositoryMapping repo = getRepositoryMapping( repoconfig );
-        response.setHeader( "Server", getServletContext().getServerInfo() + " Archiva : "
+        response.setHeader( "Server",
-            + DAVUtilities.SERVLET_SIGNATURE );
+                            getServletContext().getServerInfo() + " Archiva : " + DAVUtilities.SERVLET_SIGNATURE );
        DAVTransaction transaction = new DAVTransaction( request, response );
        try
--- a/archiva-webapp/src/main/java/org/apache/maven/archiva/web/util/DefaultRoleManager.java
+++ b/archiva-webapp/src/main/java/org/apache/maven/archiva/web/util/DefaultRoleManager.java
@ -1,97 +0,0 @@
 package org.apache.maven.archiva.web.util;
 /*
 * Copyright 2001-2006 The Apache Software Foundation.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 import org.apache.maven.archiva.web.ArchivaSecurityDefaults;
 import org.codehaus.plexus.logging.AbstractLogEnabled;
 import org.codehaus.plexus.security.rbac.Permission;
 import org.codehaus.plexus.security.rbac.RBACManager;
 import org.codehaus.plexus.security.rbac.RbacManagerException;
 import org.codehaus.plexus.security.rbac.Resource;
 import org.codehaus.plexus.security.rbac.Role;
 import org.codehaus.plexus.security.user.User;
 import org.codehaus.plexus.security.user.UserManager;
 /**
 * DefaultRoleManager:
 * @todo remove!
 *
 * @author Jesse McConnell <jmcconnell@apache.org>
 * @version $Id:$
 * @plexus.component role="org.apache.maven.archiva.web.util.RoleManager"
 * role-hint="default"
 */
 public class DefaultRoleManager
    extends AbstractLogEnabled
    implements RoleManager
 {
    /**
     * @plexus.requirement
     */
    private RBACManager manager;
    public void addRepository( String repositoryName )
        throws RbacManagerException
    {
        // make the resource
        Resource repoResource = manager.createResource( repositoryName );
        repoResource = manager.saveResource( repoResource );
        // make the permissions
        Permission editRepo =
            manager.createPermission( ArchivaSecurityDefaults.REPOSITORY_EDIT + " - " + repositoryName );
        editRepo.setOperation( manager.getOperation( ArchivaSecurityDefaults.REPOSITORY_EDIT_OPERATION ) );
        editRepo.setResource( repoResource );
        editRepo = manager.savePermission( editRepo );
        Permission deleteRepo =
            manager.createPermission( ArchivaSecurityDefaults.REPOSITORY_DELETE + " - " + repositoryName );
        deleteRepo.setOperation( manager.getOperation( ArchivaSecurityDefaults.REPOSITORY_DELETE_OPERATION ) );
        deleteRepo.setResource( repoResource );
        deleteRepo = manager.savePermission( deleteRepo );
        Permission accessRepo =
            manager.createPermission( ArchivaSecurityDefaults.REPOSITORY_ACCESS + " - " + repositoryName );
        accessRepo.setOperation( manager.getOperation( ArchivaSecurityDefaults.REPOSITORY_ACCESS_OPERATION ) );
        accessRepo.setResource( repoResource );
        accessRepo = manager.savePermission( accessRepo );
        Permission uploadRepo =
            manager.createPermission( ArchivaSecurityDefaults.REPOSITORY_UPLOAD + " - " + repositoryName );
        uploadRepo.setOperation( manager.getOperation( ArchivaSecurityDefaults.REPOSITORY_UPLOAD_OPERATION ) );
        uploadRepo.setResource( repoResource );
        uploadRepo = manager.savePermission( uploadRepo );
        // make the roles
        Role repositoryObserver = manager.createRole( "Repository Observer - " + repositoryName );
        repositoryObserver.addPermission( manager.getPermission( ArchivaSecurityDefaults.REPORTS_ACCESS_PERMISSION ) );
        repositoryObserver.setAssignable( true );
        repositoryObserver = manager.saveRole( repositoryObserver );
        Role repositoryManager = manager.createRole( "Repository Manager - " + repositoryName );
        repositoryManager.addPermission( editRepo );
        repositoryManager.addPermission( deleteRepo );
        repositoryManager.addPermission( accessRepo );
        repositoryManager.addPermission( uploadRepo );
        repositoryManager.addPermission( manager.getPermission( ArchivaSecurityDefaults.REPORTS_GENERATE_PERMISSION ) );
        repositoryManager.addChildRoleName( repositoryObserver.getName() );
        repositoryManager.setAssignable( true );
        manager.saveRole( repositoryManager );
    }
 }
--- a/archiva-webapp/src/main/java/org/apache/maven/archiva/web/util/RoleManager.java
+++ b/archiva-webapp/src/main/java/org/apache/maven/archiva/web/util/RoleManager.java
@ -1,34 +0,0 @@
 package org.apache.maven.archiva.web.util;
 /*
 * Copyright 2005 The Apache Software Foundation.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 import org.codehaus.plexus.security.rbac.RbacManagerException;
 /**
 * RoleManager:
 *
 * @author Jesse McConnell <jmcconnell@apache.org>
 * @version $Id:$
 */
 public interface RoleManager
 {
    public static final String ROLE = RoleManager.class.getName();
    public void addRepository( String repositoryName )
        throws RbacManagerException;
 }
--- a/archiva-webapp/src/main/resources/META-INF/plexus/application.xml
+++ b/archiva-webapp/src/main/resources/META-INF/plexus/application.xml
@ -441,8 +441,5 @@
    <component>
      <role>org.apache.maven.archiva.scheduler.RepositoryTaskScheduler</role>
    </component>
    <component>
      <role>org.apache.maven.archiva.web.ArchivaSecurityDefaults</role>
    </component>
  </load-on-start>
 </plexus>
--- a/archiva-webapp/src/main/resources/META-INF/plexus/plexus-security.properties
+++ b/archiva-webapp/src/main/resources/META-INF/plexus/plexus-security.properties
@ -1,24 +0,0 @@
 #
 # properties that might be used in plexus-security initialization
 #
 #
 # operations
 #
 addRepositoryOperation=add-repository
 editRepositoryOperation=edit-repository
 deleteRepositoryOperation=delete-repository
 editConfiguration=edit-configuration
 runIndexer=run-indexer
 regenerateIndex=regenerate-index
 accessReports=access-reports
 generateReports=generate-reports
 editAllUsers=edit-all-users
 editUser=edit-user
 grantRoles=grant-roles
 removeRoles=remove-roles
--- a/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/index.jsp
+++ b/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/index.jsp
@ -52,7 +52,7 @@
    </td>
    <%-- TODO: a "delete index and run now" operation should be here too (really clean, remove deletions that didn't get picked up) --%>
    <td>
-      <pss:ifAuthorized permission="run-indexer">
+      <pss:ifAuthorized permission="archiva-run-indexer">
        <a href="<ww:url action="runIndexer" />">Run Now</a>
      </pss:ifAuthorized>
    </td>
@ -82,7 +82,7 @@
 <div>
  <div style="float: right">
    <%-- TODO replace with icons --%>
-    <pss:ifAuthorized permission="add-repository">
+    <pss:ifAuthorized permission="archiva-add-repository">
      <ww:url id="addRepositoryUrl" action="addRepository" method="input"/>
      <ww:a href="%{addRepositoryUrl}">Add Repository</ww:a>
    </pss:ifAuthorized>
@ -104,7 +104,8 @@
        <ww:param name="repoId" value="%{'${repository.id}'}" />
      </ww:url>
      <%-- TODO replace with icons --%>
-      <pss:ifAuthorized permission="edit-repository" resource="${repository.id}"><ww:a href="%{editRepositoryUrl}">Edit Repository</ww:a></pss:ifAuthorized><pss:ifAuthorized permission="delete-repository" resource="${repository.id}"> <ww:a href="%{deleteRepositoryUrl}">Delete Repository</ww:a></pss:ifAuthorized>
+      <pss:ifAuthorized permission="archiva-edit-repository" resource="${repository.id}"><ww:a href="%{editRepositoryUrl}">Edit Repository</ww:a></pss:ifAuthorized>
      <pss:ifAuthorized permission="archiva-delete-repository" resource="${repository.id}"><ww:a href="%{deleteRepositoryUrl}">Delete Repository</ww:a></pss:ifAuthorized>
    </div>
    <h3>${repository.name}</h3>
    <table class="infoTable">
--- a/archiva-webapp/src/main/webapp/WEB-INF/jsp/decorators/default.jsp
+++ b/archiva-webapp/src/main/webapp/WEB-INF/jsp/decorators/default.jsp
@ -92,10 +92,10 @@
        <my:currentWWUrl action="browse" namespace="/">Browse</my:currentWWUrl>
      </li>
    </ul>
-    <pss:ifAnyAuthorized permissions="archiva-manage-users,access-reports,archiva-manage-configuration">
+    <pss:ifAnyAuthorized permissions="archiva-manage-users,archiva-access-reports,archiva-manage-configuration">
      <h5>Manage</h5>
      <ul>
-        <pss:ifAuthorized permission="access-reports">
+        <pss:ifAuthorized permission="archiva-access-reports">
          <li class="none">
            <my:currentWWUrl action="reports" namespace="/admin">Reports</my:currentWWUrl>
          </li>
--- a/archiva-webapp/src/main/webapp/WEB-INF/jsp/reports/reports.jsp
+++ b/archiva-webapp/src/main/webapp/WEB-INF/jsp/reports/reports.jsp
@ -34,7 +34,7 @@
 <div id="contentArea">
-<pss:ifAnyAuthorized permissions="generate-reports">
+<pss:ifAnyAuthorized permissions="archiva-generate-reports">
  <ww:form action="reports" namespace="/admin">
    <ww:select list="reports" label="Report" name="reportGroup" onchange="document.reports.submit();"/>
    <ww:select list="configuration.repositories" listKey="id" listValue="name" label="Repository" headerKey="-"
@ -55,7 +55,7 @@
    --%>
  <c:choose>
    <c:when test="${!database.inProgress}">
-      <pss:ifAuthorized permission="generate-reports">
+      <pss:ifAuthorized permission="archiva-generate-reports">
        <ww:url id="regenerateReportUrl" action="runReport" namespace="/admin">
          <ww:param name="repositoryId">${database.repository.id}</ww:param>
          <ww:param name="reportGroup" value="reportGroup"/>