OACC v2.0.0-rc.3

Release date: 2015-07-14

Summary of changes in this release:

• adds grant/revoke permission methods
• adds methods to delete resources and domains
• adds query authorization
• adds set-based versions of methods that previously only accepted vararg permissions
• removes methods that are overloaded with the session resource or its domain as the default accessor or target domain
• modifies getEffectivePermission-methods to include permissions acquired implicitly via super-user privileges
• modifies methods that take vararg permission arguments to validate that they don't contain identical duplicates
• fortifies StrongCleanablePasswordEncryptor with checks for null arguments
• fixes two bugs related to setting duplicate permission that differ in grant option, as described in more detail below
• updates test suite for the aforementioned API changes
• updates Javadoc comments with the aforementioned API changes

Summary of API changes:

• New feature Grant/Revoke permission methods
  • For more fine-grained control of permission assignment, OACC now also provides grant and revoke methods for each permission type, which allow to add or remove one (or more) permissions from the set of existing direct permissions, respectively
• New feature Delete resources and domains
  • Adds new deleteResource() method that will perform a cascading delete of a resource from the security graph
  • Adds new deleteDomain() method that will delete a domain and any nested child domains
• New feature Query authorization
  • Allows for control of which resources can be inquired about via new *QUERY system resource permission
  • All query methods now check if the session resource is authorized to query. This affects:
    • permission retrieval methods
    • permission verification methods
    • resource retrieval by permissions methods
• Set-based versions for all vararg methods
  • All methods that take vararg permission parameters use a pattern to enforce a compile-time check that at least one permission parameter has been passed, which unfortunately doesn't allow for an elegant Collections-compatible way to call the method; for this reason such methods now also have a version that takes a Set of permissions instead of the vararg pattern
• Overloaded method removal
  • Removes methods that are overloaded by defaulting the accessor resource or target domain based on the session resource, such as
    • permission assertion methods
    • has-permission methods
    • get-permission methods
    • createResource
    • getResourcesByResourcePermissions/-AndDomain
  • The only methods remaining in the OACC API overloaded for convenience' sake are those that accept permission parameters as Sets or as varargs
• More consistent and comprehensive permission handling
  • The getResourcePermissionNames() method now includes any applicable system permissions in its result set
  • All getEffectivePermission-methods now explicitly include any permissions acquired implicitly via super-user privileges
• Parameter validation
  • Modifies methods that take vararg permission arguments to validate that they don't contain identical duplicates.
    Note that this modification changes the behavior from previously silently ignoring such duplicates to now throwing an exception!

Bug fixes:

• fixes #15 - setDomainCreatePermissions() now checks for duplicate create permission with differing grant options to prevent a SQLException
• fixes #14 - setResourceCreatePermissions() now checks for duplicate *CREATE permission with differing grant options to prevent a SQLException

Corresponding oacc-db release:
The version of the oacc-db database configuration scripts to be used with this release can be found here.