org.jboss.security.identity.RoleGroup Java Examples

The following examples show how to use org.jboss.security.identity.RoleGroup.
Example #1
Source File: AbstractJACCModuleDelegate.java — from lams (GNU General Public License v2.0)
/**
 * Builds the set of principals that represent the given role.
 * <p>
 * A {@code RoleGroup} is flattened into one {@code SimplePrincipal} per member role
 * (the group's own name is not included); any other {@code Role} yields a single
 * principal named after it.
 *
 * @param role the role (or role group) to convert
 * @return a new, mutable set of principals named after the role(s)
 */
private Set<Principal> getPrincipalSetFromRole(Role role)
{
   Set<Principal> result = new HashSet<Principal>();
   if (!(role instanceof RoleGroup))
   {
      result.add(new SimplePrincipal(role.getRoleName()));
      return result;
   }
   // A group contributes each of its member roles, not the group itself
   for (Role member : ((RoleGroup) role).getRoles())
   {
      result.add(new SimplePrincipal(member.getRoleName()));
   }
   return result;
}
 
Example #2
Source File: AbstractAuthorizationModule.java — from lams (GNU General Public License v2.0)
/**
 * @see AuthorizationModule#initialize(javax.security.auth.Subject, javax.security.auth.callback.CallbackHandler, java.util.Map, java.util.Map, org.jboss.security.identity.RoleGroup)
 *
 * Stores the caller's subject, callback handler, shared state, options and roles on
 * this module. When {@code options} carries a non-empty {@code "delegateMap"} entry,
 * that comma-separated value is handed to {@code populateDelegateMap} before the
 * role is recorded.
 */
public void initialize(Subject subject, CallbackHandler handler, Map<String,Object> sharedState,
      Map<String,Object> options, RoleGroup subjectRole)
{
   this.subject = subject;
   this.handler = handler;
   this.sharedState = sharedState;
   this.options = options;

   // Optional delegate configuration: "delegateMap" is a comma-separated list
   String delegates = options == null ? null : (String) options.get("delegateMap");
   if (delegates != null && !delegates.isEmpty())
   {
      populateDelegateMap(delegates);
   }
   this.role = subjectRole;
}
 
Example #3
Source File: EJBXACMLPolicyModuleDelegate.java — from lams (GNU General Public License v2.0)
/**
 * Evaluates the current EJB invocation against the XACML policy decision point.
 * <p>
 * Fails closed: any failure while building the request, locating the PDP or
 * evaluating the policy is logged at debug level and reported as {@code DENY}.
 *
 * @param callerRoles roles of the calling principal, folded into the XACML subject
 * @return {@code AuthorizationContext.PERMIT} only when the PDP decision is PERMIT,
 *         otherwise {@code AuthorizationContext.DENY}
 */
private int process(RoleGroup callerRoles)
{
   EJBXACMLUtil util = new EJBXACMLUtil();
   try
   {
      RequestContext request = util.createXACMLRequest(this.ejbName,
            this.ejbMethod, this.ejbPrincipal, callerRoles);

      PolicyDecisionPoint pdp = util.getPDP(policyRegistration, this.policyContextID);
      if (pdp == null)
         throw PicketBoxMessages.MESSAGES.invalidNullProperty("PDP");

      ResponseContext response = pdp.evaluate(request);
      if (response.getDecision() == XACMLConstants.DECISION_PERMIT)
         return AuthorizationContext.PERMIT;
      return AuthorizationContext.DENY;
   }
   catch (Exception e)
   {
      // Errors on the decision path are never grants; they surface only at debug level
      PicketBoxLogger.LOGGER.debugIgnoredException(e);
      return AuthorizationContext.DENY;
   }
}
 
Example #4
Source File: EJBXACMLUtil.java — from lams (GNU General Public License v2.0)
/**
 * Builds the XACML request for an EJB method invocation.
 * <p>
 * The method name is used directly as the XACML action. When debug logging is
 * enabled the marshalled request is logged in full (it carries the caller's
 * principal name and role names).
 *
 * @param ejbName     name of the target EJB (the resource)
 * @param methodName  invoked method, used as the action
 * @param principal   caller principal; a null value is rejected by getRequestContext
 * @param callerRoles roles of the caller, added as subject attributes
 * @return the populated request context
 * @throws Exception if the request cannot be built or marshalled
 */
public RequestContext createXACMLRequest(String ejbName, String methodName,
      Principal principal, RoleGroup callerRoles) throws Exception
{
   ActionType actionType = getActionType(methodName);
   RequestContext request = this.getRequestContext(ejbName, actionType, principal, callerRoles);

   if (PicketBoxLogger.LOGGER.isDebugEnabled())
   {
      ByteArrayOutputStream marshalled = new ByteArrayOutputStream();
      request.marshall(marshalled);
      // NOTE(review): decoded with the platform default charset; the encoding the
      // marshaller writes is not visible here, so non-ASCII names may log garbled
      PicketBoxLogger.LOGGER.debug(new String(marshalled.toByteArray()));
   }
   return request;
}
 
Example #5
Source File: EJBXACMLUtil.java — from lams (GNU General Public License v2.0)
/**
 * Assembles a request context from its subject, resource, action and environment parts.
 *
 * @param ejbName     EJB name that becomes the resource
 * @param actionType  already-built action element
 * @param principal   caller principal; rejected when null
 * @param callerRoles caller roles folded into the subject element
 * @return a request context with its request element set
 * @throws IOException as declared by the context creation path
 */
private RequestContext getRequestContext( String ejbName, ActionType actionType,
      Principal principal, RoleGroup callerRoles ) throws IOException
{
   if (principal == null)
      throw PicketBoxMessages.MESSAGES.invalidNullArgument("principal");

   RequestContext context = RequestResponseContextFactory.createRequestCtx();

   // Each XACML element is built independently, then composed into one request
   SubjectType subjectType = this.getSubjectType(principal, callerRoles);
   ResourceType resourceType = getResourceType(ejbName);
   EnvironmentType environmentType = getEnvironmentType();   // optional element
   RequestType requestType = getRequestType(subjectType, resourceType, actionType, environmentType);

   context.setRequest(requestType);
   return context;
}
 
Example #6
Source File: EJBXACMLUtil.java — from lams (GNU General Public License v2.0)
/**
 * Builds the XACML subject: one subject-id attribute for the principal name plus
 * one role attribute per caller role (issuer "jboss.org" on each).
 *
 * @param principal   caller principal; its name becomes the subject-id
 * @param callerRoles caller roles; a null role collection contributes no attributes
 * @return the populated subject element
 */
private SubjectType getSubjectType( Principal principal, RoleGroup callerRoles )
{
   String principalName = principal.getName();

   SubjectType subject = new SubjectType();
   AttributeType subjectId = RequestAttributeFactory.createStringAttributeType(
         XACMLConstants.ATTRIBUTEID_SUBJECT_ID, "jboss.org", principalName);
   subject.getAttribute().add(subjectId);

   Collection<Role> roles = callerRoles.getRoles();
   if (roles == null)
      return subject;

   for (Role role : roles)
   {
      AttributeType roleAttribute = RequestAttributeFactory.createStringAttributeType(
            XACMLConstants.ATTRIBUTEID_ROLE, "jboss.org", role.getRoleName());
      subject.getAttribute().add(roleAttribute);
   }
   return subject;
}
 
Example #7
Source File: JBossAuthorizationManager.java — from lams (GNU General Public License v2.0)
/** Tests whether the currently authenticated Subject holds at least one of the given
 roles. The roles are resolved through getCurrentRoles from the active Subject and
 security context, so the caller must have established the SecurityAssociation
 subject beforehand; this is no longer a side-effect of an isValid() call.

 @param principal - handed to getCurrentRoles and echoed into trace logging; the
 documented contract is that the active Subject, not this argument, determines the
 user and the assigned roles.
 @param rolePrincipals - the role Principals to check; any one match suffices.
 @return true as soon as one of rolePrincipals is accepted by doesRoleGroupHaveRole;
 false when none matches or when no roles could be resolved.

 @see java.security.acl.Group;
 @see Subject#getPrincipals()
 */
public boolean doesUserHaveRole(Principal principal, Set<Principal> rolePrincipals)
{
   RoleGroup userRoles = this.getCurrentRoles(principal);
   if (PicketBoxLogger.LOGGER.isTraceEnabled())
   {
      PicketBoxLogger.LOGGER.traceBeginDoesUserHaveRole(principal, userRoles != null ? userRoles.toString() : "");
   }
   if (userRoles == null)
   {
      // No resolvable roles: deny, and skip the end-of-check trace as before
      return false;
   }

   boolean hasRole = false;
   for (Principal required : rolePrincipals)
   {
      // Stop at the first match; one of the roles is sufficient
      if (doesRoleGroupHaveRole(required, userRoles))
      {
         hasRole = true;
         break;
      }
   }
   PicketBoxLogger.LOGGER.traceEndDoesUserHaveRole(hasRole);
   return hasRole;
}
 
Example #8
Source File: JBossAuthorizationManager.java — from lams (GNU General Public License v2.0)
/** Checks that the indicated application-domain role is among the user's assigned
 roles, with the two special principals handled independently of the role group
 implementation.

 @param role , the application domain role required for access
 @param userRoles , the roles assigned to the user
 @return false if role is a NobodyPrincipal; otherwise true if userRoles contains a
 role of the same name or role is an AnybodyPrincipal; false when it is neither
 */
protected boolean doesRoleGroupHaveRole(Principal role, RoleGroup userRoles)
{
   // NobodyPrincipal never grants access, whatever the user's roles are
   if (role instanceof NobodyPrincipal)
      return false;

   // Membership is decided by role name
   if (userRoles.containsRole(new SimpleRole(role.getName())))
      return true;

   // AnybodyPrincipal matches every user that gets this far
   return role instanceof AnybodyPrincipal;
}
 
Example #9
Source File: DeploymentRolesMappingProvider.java — from lams (GNU General Public License v2.0)
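/**
 * Replaces the roles in {@code mappedObject} with the roles configured for the
 * principal, when the principal has an entry in the map.
 * <p>
 * Principals without an entry leave {@code mappedObject} untouched; principals
 * with an entry (even an empty one) have their existing roles cleared first, so a
 * deployment mapping fully overrides previously assigned roles.
 *
 * @param principal         caller principal whose name keys the mapping; must not be null
 * @param principalRolesMap principal name to role names
 * @param mappedObject      role group to rewrite in place
 * @return {@code mappedObject}, for chaining
 */
private RoleGroup mapGroup(Principal principal, Map<String, Set<String>> principalRolesMap,
      RoleGroup mappedObject)
{
   // The map is already typed, so the former unchecked cast and the nested
   // re-check of the same null condition were both redundant
   Set<String> roleNames = principalRolesMap.get(principal.getName());
   if (roleNames == null)
      return mappedObject;

   RoleGroup newRoles = new SimpleRoleGroup(SecurityConstants.ROLES_IDENTIFIER);
   for (String roleName : roleNames)
   {
      newRoles.addRole(new SimpleRole(roleName));
   }

   // Override, not merge: drop whatever the group held before
   mappedObject.clearRoles();
   mappedObject.addAll(newRoles.getRoles());
   return mappedObject;
}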
 
Example #10
Source File: LdapRolesMappingProvider.java — from lams (GNU General Public License v2.0)
/**
 * Adds a single role by name to the group, ignoring null names.
 * <p>
 * Failures while creating or adding the role are logged at debug level and
 * otherwise swallowed; the caller continues with the remaining roles.
 *
 * @param roleName  name of the role to add; null is a no-op
 * @param roleGroup group that receives the role
 */
private void addRole(String roleName, RoleGroup roleGroup)
{
   if (roleName == null)
      return;
   try
   {
      SimpleRole role = new SimpleRole(roleName);
      PicketBoxLogger.LOGGER.traceAssignUserToRole(roleName);
      roleGroup.addRole(role);
   }
   catch (Exception e)
   {
      PicketBoxLogger.LOGGER.debugFailureToCreatePrincipal(roleName, e);
   }
}
 
Example #11
Source File: Util.java — from lams (GNU General Public License v2.0)
/**
 * Adds to {@code roleGroup} the roles listed for {@code username} in a
 * roles.properties-style table of the form {@code username=role1,role2,...}.
 * Users without an explicit entry get no roles added; the group is modified in
 * place and nothing is returned.
 *
 * @param username  - name of user
 * @param roleGroup - group that receives the user's roles
 * @param roles     - the Properties containing the user=roles mappings
 */
static void addRolesToGroup(String username, RoleGroup roleGroup, Properties roles)
{
   // containsKey does not consult the Properties defaults, so only explicit entries count
   if (!roles.containsKey(username))
      return;

   String value = roles.getProperty(username);
   PicketBoxLogger.LOGGER.traceAdditionOfRoleToGroup(value, roleGroup.getRoleName());

   String[] roleNames = parseRoles(value);
   if (roleNames == null)
      return;
   for (String roleName : roleNames)
   {
      roleGroup.addRole(new SimpleRole(roleName));
   }
}
 
Example #12
Source File: PicketBoxProcessor.java — from lams (GNU General Public License v2.0)
/**
 * Returns the roles of the caller from the current security context.
 *
 * @return the context's role group, or null when no security context is set
 * @throws PicketBoxProcessingException wrapping the cause of a failed privileged lookup
 */
public RoleGroup getCallerRoles() throws PicketBoxProcessingException
{
   SecurityContext context;
   try
   {
      context = SecurityActions.getSecurityContext();
   }
   catch (PrivilegedActionException pae)
   {
      // Unwrap: the cause is the exception raised inside the privileged action
      throw new PicketBoxProcessingException(pae.getCause());
   }
   return context == null ? null : context.getUtil().getRoles();
}
 
Example #13
Source File: DatabaseRolesMappingProvider.java — from lams (GNU General Public License v2.0)
/**
 * Looks up the caller principal in the context map and, when a roles query is
 * configured, loads that principal's roles from the database into
 * {@code mappedObject}, which is then recorded as the mapping result.
 * A null or empty {@code contextMap} is rejected through
 * {@code PicketBoxMessages.MESSAGES.invalidNullArgument}.
 *
 * @param contextMap   mapping context; must be non-null and non-empty
 * @param mappedObject role group that receives the roles
 */
public void performMapping(Map<String, Object> contextMap, RoleGroup mappedObject)
{
   if (contextMap == null || contextMap.isEmpty())
      throw PicketBoxMessages.MESSAGES.invalidNullArgument("contextMap");

   Principal caller = getCallerPrincipal(contextMap);
   // Nothing to do without a caller or without a configured roles query
   if (caller == null || rolesQuery == null)
      return;

   Util.addRolesToGroup(caller.getName(), mappedObject, dsJndiName, rolesQuery, suspendResume, tm);
   result.setMappedObject(mappedObject);
}
 
Example #14
Source File: JBossAuthorizationManager.java — from lams (GNU General Public License v2.0)
/**
 * Delegates to the authorization context, creating a JBossAuthorizationContext
 * for this security domain on first use.
 *
 * @param resource the resource being accessed
 * @param subject  the caller subject
 * @param role     the caller's roles
 * @return the context's authorization decision
 * @throws AuthorizationException propagated from the context
 */
private int internalAuthorization(final Resource resource, Subject subject,
      RoleGroup role)
throws AuthorizationException
{
   // Lazily initialised. NOTE(review): no synchronisation here, so concurrent
   // first calls may each create and install a context
   if (this.authorizationContext == null)
   {
      this.setAuthorizationContext(new JBossAuthorizationContext(this.securityDomain));
   }
   return this.authorizationContext.authorize(resource, subject, role);
}
 
Example #15
Source File: EJBPolicyModuleDelegate.java — from lams (GNU General Public License v2.0)
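/**
 * @see AuthorizationModuleDelegate#authorize(org.jboss.security.authorization.Resource, javax.security.auth.Subject, org.jboss.security.identity.RoleGroup)
 *
 * Captures the EJB invocation details from the resource and its context map, then
 * performs either the isCallerInRole role-reference check or the method permission
 * check, depending on {@code ResourceKeys.ROLEREF_PERM_CHECK}.
 *
 * @param resource      must be an {@code EJBResource} carrying a non-null context map
 * @param callerSubject not used by this delegate; the caller identity is taken from the resource
 * @param role          caller roles handed to the chosen check
 * @return the decision from {@code checkRoleRef} or {@code process}
 */
public int authorize(Resource resource, Subject callerSubject, RoleGroup role)
{
   if (!(resource instanceof EJBResource))
      throw PicketBoxMessages.MESSAGES.invalidType(EJBResource.class.getName());

   EJBResource ejbResource = (EJBResource) resource;

   // Get the context map
   Map<String,Object> map = resource.getMap();
   if (map == null)
      throw PicketBoxMessages.MESSAGES.invalidNullProperty("resourceMap");

   this.policyRegistration = (PolicyRegistration) map.get(ResourceKeys.POLICY_REGISTRATION);
   this.roleName = (String) map.get(ResourceKeys.ROLENAME);
   this.roleRefCheck = (Boolean) map.get(ResourceKeys.ROLEREF_PERM_CHECK);

   this.callerRunAs = ejbResource.getCallerRunAsIdentity();
   this.ejbMethod = ejbResource.getEjbMethod();
   this.ejbName = ejbResource.getEjbName();
   this.ejbPrincipal = ejbResource.getPrincipal();
   this.methodInterface = ejbResource.getEjbMethodInterface();
   this.methodRoles = ejbResource.getEjbMethodRoles();
   this.securityRoleReferences = ejbResource.getSecurityRoleReferences();
   this.ejbRestrictions = ejbResource.isEnforceEJBRestrictions();

   // Compare by value: the former reference comparison against Boolean.TRUE would
   // silently route a distinct Boolean instance holding true to the method check
   if (Boolean.TRUE.equals(this.roleRefCheck))
      return checkRoleRef(role);
   return process(role);
}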
 
Example #16
Source File: JBossAuthorizationManager.java — from lams (GNU General Public License v2.0)
/**
 * Copies every member of {@code toCopy} into {@code source} as a SimpleRole.
 * A null {@code toCopy} returns {@code source} unchanged; a null {@code source}
 * is replaced by a fresh empty role group before the members are copied.
 *
 * @param source the role group to extend (may be null)
 * @param toCopy the JAAS group whose members are copied (may be null)
 * @return the extended group, or the newly created one when source was null
 */
private RoleGroup copyGroups(RoleGroup source, Group toCopy)
{
   if (toCopy == null)
      return source;

   RoleGroup target = source != null ? source : this.getEmptyRoleGroup();
   for (Enumeration<? extends Principal> members = toCopy.members(); members.hasMoreElements(); )
   {
      target.addRole(new SimpleRole(members.nextElement().getName()));
   }
   return target;
}
 
Example #17
Source File: JBossAuthorizationManager.java — from lams (GNU General Public License v2.0)
/**
 * Resolves the caller's roles from the active Subject and security context,
 * creating and installing a JBossSecurityContext for this domain when the
 * current thread has none.
 *
 * @param principal caller principal, forwarded to the three-argument overload
 * @return the role group resolved by the overload; callers check it for null
 */
private RoleGroup getCurrentRoles(Principal principal)
{
   Subject activeSubject = SubjectActions.getActiveSubject();

   SecurityContext context = SubjectActions.getSecurityContext();
   if (context == null)
   {
      // Side effect: the new context becomes associated with the current thread
      context = new JBossSecurityContext(securityDomain);
      SubjectActions.setSecurityContext(context);
   }
   return getCurrentRoles(principal, activeSubject, context);
}
 
Example #18
Source File: JBossAuthorizationContext.java — from lams (GNU General Public License v2.0)
/**
 * Loads and instantiates the authorization module class {@code name} and
 * initialises it with this context's subject, callback handler, shared state,
 * the given options and the subject roles.
 * <p>
 * Loading is attempted with {@code cl} (this class's own loader when {@code cl}
 * is null) and, if that fails for any reason, with the thread context class
 * loader. Any failure to load or instantiate is logged at debug level and
 * converted into an {@code IllegalStateException}.
 *
 * @param cl           preferred class loader, or null
 * @param name         fully qualified module class name from the configuration
 * @param map          module options
 * @param subjectRoles roles passed to {@code initialize}
 * @return the initialised module
 * @throws IllegalStateException when the module cannot be loaded or instantiated
 * @throws PrivilegedActionException as declared; the loader lookups here sit inside the catch-all
 */
private AuthorizationModule instantiateModule(ClassLoader cl, String name, Map<String, Object> map, RoleGroup subjectRoles)
      throws PrivilegedActionException
{
   AuthorizationModule module = null;
   try
   {
      Class<?> moduleClass;
      try
      {
         ClassLoader primary = cl != null ? cl : getClass().getClassLoader();
         moduleClass = primary.loadClass(name);
      }
      catch (Exception notOnPrimaryLoader)
      {
         // Second chance on the thread context class loader
         ClassLoader contextLoader = SecurityActions.getContextClassLoader();
         moduleClass = contextLoader.loadClass(name);
      }
      // Class.newInstance() is deprecated in newer JDKs; constructor failures are caught below
      module = (AuthorizationModule) moduleClass.newInstance();
   }
   catch (Exception e)
   {
      PicketBoxLogger.LOGGER.debugFailureToInstantiateClass(name, e);
   }
   if (module == null)
      throw new IllegalStateException(PicketBoxMessages.MESSAGES.failedToInstantiateClassMessage(AuthorizationModule.class));

   module.initialize(this.authenticatedSubject, this.callbackHandler, this.sharedState, map, subjectRoles);
   return module;
}
 
Example #19
Source File: JBossAuthorizationContext.java — from lams (GNU General Public License v2.0)
/**
 * Instantiates the authorization modules configured for this security domain and
 * appends each module and its control flag (defaulting to REQUIRED) to the given
 * lists, in configuration order.
 *
 * @param resource     resource used to look up the authorization info
 * @param role         subject roles handed to every module
 * @param modules      output list of instantiated modules
 * @param controlFlags output list of control flags, parallel to {@code modules}
 * @throws PrivilegedActionException propagated from module instantiation
 */
private void initializeModules(Resource resource, RoleGroup role, List<AuthorizationModule> modules,
      List<ControlFlag> controlFlags) throws PrivilegedActionException
{
   AuthorizationInfo info = getAuthorizationInfo(securityDomainName, resource);
   if (info == null)
      throw PicketBoxMessages.MESSAGES.failedToObtainAuthorizationInfo(securityDomainName);

   // Modules may live in JBoss Modules; resolve a loader for them when any are named
   ClassLoader moduleLoader = null;
   List<String> moduleNames = info.getJBossModuleNames();
   if (!moduleNames.isEmpty())
   {
      ClassLoaderLocator locator = ClassLoaderLocatorFactory.get();
      if (locator != null)
         moduleLoader = locator.get(moduleNames);
   }

   AuthorizationModuleEntry[] entries = info.getAuthorizationModuleEntry();
   if (entries == null)
      return;
   for (AuthorizationModuleEntry entry : entries)
   {
      ControlFlag flag = entry.getControlFlag();
      // The flag is recorded before instantiation, as in the original ordering
      controlFlags.add(flag != null ? flag : ControlFlag.REQUIRED);
      modules.add(instantiateModule(moduleLoader, entry.getPolicyModuleName(), entry.getOptions(), role));
   }
}
 
Example #20
Source File: JBossAuthorizationManager.java — from lams (GNU General Public License v2.0)
/**
 * @see AuthorizationManager#authorize(Resource, Subject, RoleGroup)
 *
 * Validates the resource, then runs the authorization through the (lazily
 * created) authorization context.
 *
 * @param resource resource under access control; validated first
 * @param subject  caller subject
 * @param role     caller roles
 * @return the authorization decision
 * @throws AuthorizationException propagated from the authorization context
 */
public int authorize(Resource resource, Subject subject,
      RoleGroup role) throws AuthorizationException
{
   // Reject malformed resources before any policy is consulted
   validateResource(resource);
   return this.internalAuthorization(resource, subject, role);
}
 
Example #21
Source File: ApplicationPolicy.java — from lams (GNU General Public License v2.0)
/**
 * <p>
 * Gets the {@code MappingInfo} instance that can map objects of the specified class.
 * Only {@code RoleGroup} and {@code Principal} are supported; any other class is
 * rejected with the PicketBox invalid-type exception naming both supported classes.
 * </p>
 *
 * @param t the class of the objects that are to be mapped.
 * @return the {@code MappingInfo} instance that must be used to map objects of the specified class.
 * @deprecated use {@link ApplicationPolicy#getMappingInfo(String)} instead.
 */
@Deprecated
public <T> MappingInfo getMappingInfo(Class<T> t)
{
   if (RoleGroup.class.equals(t))
      return getRoleMappingInfo();
   if (Principal.class.equals(t))
      return getPrincipalMappingInfo();

   String supported = RoleGroup.class.getName() + "/" + Principal.class.getName();
   throw PicketBoxMessages.MESSAGES.invalidType(supported);
}
 
Example #22
Source File: JBossAuthorizationManager.java — from lams (GNU General Public License v2.0)
/**
 * Converts a JAAS {@code Group} into a {@code SimpleRoleGroup} of the same name,
 * with one {@code SimpleRole} per member principal name.
 *
 * @param roleGroup the JAAS group; a null value is rejected
 * @return the equivalent role group
 */
private RoleGroup getRoleGroup(Group roleGroup)
{
   if (roleGroup == null)
      throw PicketBoxMessages.MESSAGES.invalidNullArgument("roleGroup");

   SimpleRoleGroup converted = new SimpleRoleGroup(roleGroup.getName());
   for (Enumeration<? extends Principal> members = roleGroup.members(); members.hasMoreElements(); )
   {
      converted.addRole(new SimpleRole(members.nextElement().getName()));
   }
   return converted;
}
 
Example #23
Source File: JBossAuthorizationManager.java — from lams (GNU General Public License v2.0)
/**
 * Flattens a role group into a set of {@code SimplePrincipal}s named after its roles.
 *
 * @param roles the role group, or null
 * @return a new set of principals, or null when {@code roles} is null
 */
private HashSet<Principal> getRolesAsSet(RoleGroup roles)
{
   if (roles == null)
      return null;

   HashSet<Principal> principals = new HashSet<Principal>();
   for (Role role : roles.getRoles())
   {
      principals.add(new SimplePrincipal(role.getRoleName()));
   }
   return principals;
}
 
Example #24
Source File: PicketBoxUtil.java — from lams (GNU General Public License v2.0)
/**
 * Given a JAAS Subject, finds the {@code Group} principal named "Roles"
 * ({@code SecurityConstants.ROLES_IDENTIFIER}) and wraps it in a {@code RoleGroup}.
 *
 * @param subject the authenticated subject
 * @return the first matching group as a {@code SimpleRoleGroup}, or null when the
 *         subject carries no such group
 */
public static RoleGroup getRolesFromSubject(Subject subject)
{
   Set<Group> groups = subject.getPrincipals(Group.class);
   if (groups == null)
      return null;

   for (Group group : groups)
   {
      // Match by the well-known "Roles" group name; other groups are ignored
      if (SecurityConstants.ROLES_IDENTIFIER.equals(group.getName()))
         return new SimpleRoleGroup(group);
   }
   return null;
}
 
Example #25
Source File: JWTAuthMechanism.java — from thorntail (Apache License 2.0)
/**
 * Extract the Authorization header and validate the bearer token if it exists. If it does, and is validated, this
 * builds the org.jboss.security.SecurityContext authenticated Subject that drives the container APIs as well as
 * the authorization layers.
 * <p>
 * Any exception raised while verifying the token or installing the subject is logged and mapped to
 * NOT_AUTHENTICATED, so a verification failure never falls through as a success. Note that Undertow's
 * {@code authenticationComplete} is invoked before the JBoss security-context workaround; a failure inside that
 * workaround therefore returns NOT_AUTHENTICATED after the exchange's security context was already marked
 * authenticated.
 *
 * @param exchange        - the http request exchange object
 * @param securityContext - the current security context that supplies the identity manager
 * @return one of AUTHENTICATED, NOT_AUTHENTICATED or NOT_ATTEMPTED depending on the header and authentication outcome.
 */
@SuppressWarnings("deprecation")
@Override
public AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange, SecurityContext securityContext) {
    String bearerToken = new UndertowBearerTokenExtractor(authContextInfo, exchange).getBearerToken();
    if (bearerToken == null) {
        // No suitable header has been found in this request
        return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
    }

    try {
        // NOTE(review): stored on the mechanism instance rather than a local; presumably shared across requests
        identityManager = securityContext.getIdentityManager();
        JWTCredential credential = new JWTCredential(bearerToken, authContextInfo);
        Account account = identityManager.verify(credential.getName(), credential);
        if (account == null) {
            UndertowLogger.SECURITY_LOGGER.info("Failed to authenticate JWT bearer token");
            return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }

        // Install the JWT principal as the caller
        JsonWebToken jwtPrincipal = (JsonWebToken) account.getPrincipal();
        preparePrincipalProducer(jwtPrincipal);
        securityContext.authenticationComplete(account, "MP-JWT", false);

        // Workaround authenticated JWTPrincipal not being installed as user principal
        // https://issues.jboss.org/browse/WFLY-9212
        org.jboss.security.SecurityContext jbossContext = SecurityContextAssociation.getSecurityContext();
        Subject subject = jbossContext.getUtil().getSubject();
        jbossContext.getUtil().createSubjectInfo(jwtPrincipal, bearerToken, subject);
        RoleGroup roles = extract(subject);
        jbossContext.getUtil().setRoles(roles);
        UndertowLogger.SECURITY_LOGGER.debugf("Authenticated caller(%s) for path(%s) with roles: %s",
                credential.getName(), exchange.getRequestPath(), account.getRoles());
        return AuthenticationMechanismOutcome.AUTHENTICATED;
    } catch (Exception e) {
        // Fail closed on any verification or context error
        UndertowLogger.SECURITY_LOGGER.infof(e, "Failed to validate JWT bearer token");
        return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
    }
}
 
Example #26
Source File: EJBXACMLPolicyModuleDelegate.java — from lams (GNU General Public License v2.0)
/**
 * @see AuthorizationModuleDelegate#authorize(org.jboss.security.authorization.Resource, javax.security.auth.Subject, org.jboss.security.identity.RoleGroup)
 *
 * Captures the EJB invocation details needed for a XACML decision, rejecting a
 * missing policy registration or policy context id up front, then performs either
 * the isCallerInRole role-reference check or the full XACML evaluation.
 *
 * @param resource      must be an {@code EJBResource} with a non-null context map
 * @param callerSubject not used by this delegate; the caller identity comes from the resource
 * @param role          caller roles handed to the chosen check
 * @return the decision from {@code checkRoleRef} or {@code process}
 */
public int authorize(Resource resource, Subject callerSubject, RoleGroup role)
{
   if (!(resource instanceof EJBResource))
      throw PicketBoxMessages.MESSAGES.invalidType(EJBResource.class.getName());
   EJBResource ejbResource = (EJBResource) resource;

   Map<String,Object> contextMap = resource.getMap();
   if (contextMap == null)
      throw PicketBoxMessages.MESSAGES.invalidNullProperty("resourceMap");

   this.policyRegistration = (PolicyRegistration) contextMap.get(ResourceKeys.POLICY_REGISTRATION);
   if (this.policyRegistration == null)
      throw PicketBoxMessages.MESSAGES.invalidNullProperty(ResourceKeys.POLICY_REGISTRATION);

   this.callerRunAs = ejbResource.getCallerRunAsIdentity();
   this.ejbName = ejbResource.getEjbName();
   this.ejbMethod = ejbResource.getEjbMethod();
   this.ejbPrincipal = ejbResource.getPrincipal();
   this.policyContextID = ejbResource.getPolicyContextID();
   if (this.policyContextID == null)
      throw PicketBoxMessages.MESSAGES.invalidNullProperty("contextID");
   this.securityRoleReferences = ejbResource.getSecurityRoleReferences();

   // isCallerInRole checks
   this.roleName = (String) contextMap.get(ResourceKeys.ROLENAME);
   Boolean roleRefCheck = checkBooleanValue((Boolean) contextMap.get(ResourceKeys.ROLEREF_PERM_CHECK));
   if (roleRefCheck)
      return checkRoleRef(role); // Base class handles this
   return process(role);
}
 
Example #27
Source File: EJBJACCPolicyModuleDelegate.java — from lams (GNU General Public License v2.0)
/**
 * Performs the isCallerInRole check as a JACC {@code EJBRoleRefPermission} query
 * against the policy, for the current EJB and role name.
 *
 * @param callerSubject the caller's subject
 * @param callerRoles   the caller's roles; may be null (then logged as null on denial)
 * @return PERMIT when the policy grants the permission, otherwise DENY
 */
private int checkRoleRef(Subject callerSubject, RoleGroup callerRoles)
{
   EJBRoleRefPermission roleRefPermission = new EJBRoleRefPermission(ejbName, roleName);
   boolean granted = checkWithPolicy(roleRefPermission, callerSubject, callerRoles);
   if (granted)
      return AuthorizationContext.PERMIT;

   // Denials are traced at debug level with the permission, subject and roles
   if (PicketBoxLogger.LOGGER.isDebugEnabled())
   {
      String rolesText = callerRoles == null ? null : callerRoles.toString();
      PicketBoxLogger.LOGGER.debugJACCDeniedAccess(roleRefPermission.toString(), callerSubject, rolesText);
   }
   return AuthorizationContext.DENY;
}
 
Example #28
Source File: EJBJACCPolicyModuleDelegate.java — from lams (GNU General Public License v2.0)
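/**
 * @see AuthorizationModuleDelegate#authorize(org.jboss.security.authorization.Resource, javax.security.auth.Subject, org.jboss.security.identity.RoleGroup)
 *
 * Captures the EJB invocation details from the resource and its context map, then
 * performs either the JACC role-reference check (isCallerInRole) or the method
 * permission check, depending on {@code ResourceKeys.ROLEREF_PERM_CHECK}.
 *
 * @param resource      must be an {@code EJBResource} carrying a non-null context map
 * @param callerSubject the caller's subject, passed through to the chosen check
 * @param role          caller roles, passed through to the chosen check
 * @return the decision from {@code checkRoleRef} or {@code process}
 */
public int authorize(Resource resource, Subject callerSubject, RoleGroup role)
{
   if (!(resource instanceof EJBResource))
      throw PicketBoxMessages.MESSAGES.invalidType(EJBResource.class.getName());

   EJBResource ejbResource = (EJBResource) resource;

   // Get the context map
   Map<String,Object> map = resource.getMap();
   if (map == null)
      throw PicketBoxMessages.MESSAGES.invalidNullProperty("resourceMap");

   this.policyRegistration = (PolicyRegistration) map.get(ResourceKeys.POLICY_REGISTRATION);

   this.ejbCS = ejbResource.getCodeSource();
   this.ejbMethod = ejbResource.getEjbMethod();
   this.ejbName = ejbResource.getEjbName();
   this.methodInterface = ejbResource.getEjbMethodInterface();
   // Only a RunAsIdentity is retained; other RunAs implementations leave callerRunAs untouched
   RunAs runAs = ejbResource.getCallerRunAsIdentity();
   if (runAs instanceof RunAsIdentity)
      this.callerRunAs = RunAsIdentity.class.cast(runAs);

   // isCallerInRole checks
   this.roleName = (String) map.get(ResourceKeys.ROLENAME);
   this.roleRefCheck = (Boolean) map.get(ResourceKeys.ROLEREF_PERM_CHECK);

   // Compare by value: the former reference comparison against Boolean.TRUE would
   // silently route a distinct Boolean instance holding true to the method check
   if (Boolean.TRUE.equals(this.roleRefCheck))
      return checkRoleRef(callerSubject, role);
   return process(callerSubject, role);
}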
 
Example #29
Source File: JWTAuthMechanism.java — from thorntail (Apache License 2.0)
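/**
 * Extract the Roles group and return it as a RoleGroup
 * <p>
 * Only principals that are actually {@code Group} instances are considered, so a
 * non-group principal that happens to be named "Roles" can no longer cause a
 * {@code ClassCastException}; principals with a null name are skipped rather than
 * dereferenced.
 *
 * @param subject authenticated subject
 * @return RoleGroup from "Roles"
 * @throws IllegalStateException when the subject carries no "Roles" group
 */
protected RoleGroup extract(Subject subject) {
    // Constant on the left of equals() tolerates a null principal name
    Group rolesGroup = subject.getPrincipals(Group.class)
            .stream()
            .filter(g -> SecurityConstants.ROLES_IDENTIFIER.equals(g.getName()))
            .findFirst()
            .orElseThrow(() -> new IllegalStateException(
                    "Authenticated subject has no \"" + SecurityConstants.ROLES_IDENTIFIER + "\" group"));
    return new SimpleRoleGroup(rolesGroup);
}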
 
Example #30
Source File: SimpleRoleGroup.java — from lams (GNU General Public License v2.0)
/**
 * Tests whether this group shares at least one role with {@code anotherRole}.
 * The other group's roles are iterated from a snapshot, so concurrent changes to
 * that collection cannot disturb the check.
 *
 * @param anotherRole the group to compare against; a null value is rejected
 * @return true on the first role that {@code containsAll} accepts, false if none does
 */
public boolean containsAtleastOneRole(RoleGroup anotherRole)
{
   if (anotherRole == null)
      throw PicketBoxMessages.MESSAGES.invalidNullArgument("anotherRole");

   Role[] snapshot = anotherRole.getRoles().toArray(new Role[0]);
   for (Role candidate : snapshot)
   {
      if (this.containsAll(candidate))
         return true;
   }
   return false;
}