/*
   jGuard is a security framework based on top of jaas (java authentication and authorization security).
   it is written for web applications, to resolve simply, access control problems.
   
   http://sourceforge.net/projects/jguard/
   
   Copyright (C) 2004  Charles GAY
   
   This library is free software; you can redistribute it and/or
  modify it under the terms of the GNU Lesser General Public
  License as published by the Free Software Foundation; either
  version 2.1 of the License, or (at your option) any later version.
  
  This library is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  Lesser General Public License for more details.
  
  You should have received a copy of the GNU Lesser General Public
  License along with this library; if not, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  
  
  jGuard project home page:
  http://sourceforge.net/projects/jguard/
  
  */
  package net.sf.jguard.ext.authorization.manager;
  
  import net.sf.jguard.core.authorization.manager.AuthorizationManager;
  import java.security.Permission;
  import java.security.PermissionCollection;
  import java.security.Permissions;
  import java.security.Principal;
  import java.security.ProtectionDomain;
  import java.util.Arrays;
  import java.util.Collection;
  import java.util.Collections;
  import java.util.Enumeration;
  import java.util.HashMap;
  import java.util.HashSet;
  import java.util.Iterator;
  import java.util.List;
  import java.util.Map;
  import java.util.Random;
  import java.util.Set;
  import java.util.Stack;
  import java.util.TreeSet;
  
  import java.util.logging.Level;
  import net.sf.jguard.core.authorization.permissions.Domain;
  import net.sf.jguard.core.authorization.permissions.JGNegativePermissionCollection;
  import net.sf.jguard.core.authorization.permissions.JGPermissionCollection;
  import net.sf.jguard.core.authorization.permissions.JGPositivePermissionCollection;
  import net.sf.jguard.core.authorization.permissions.NoSuchPermissionException;
  import net.sf.jguard.core.authorization.permissions.PermissionUtils;
  import net.sf.jguard.core.authorization.policy.ProtectionDomainUtils;
  import net.sf.jguard.core.principals.RolePrincipal;
  import net.sf.jguard.core.principals.UserPrincipal;
  import net.sf.jguard.ext.SecurityConstants;
  import net.sf.jguard.core.authorization.AuthorizationException;
  import net.sf.jguard.core.principals.PrincipalUtils;
  import org.slf4j.Logger;
  import org.slf4j.LoggerFactory;
  
  /**
   * Abstract class inherited by all the AuthorizationManager implementations.
   * @author <a href="mailto:diabolo512@users.sourceforge.net">Charles Gay</a>
   * @author <a href="mailto:tandilero@users.sourceforge.net">Maximiliano Batelli</a>
   *
   */
  public abstract class AbstractAuthorizationManager implements  AuthorizationManager {
  	/** Logger for this class */
  	private static final Logger logger = LoggerFactory.getLogger(AbstractAuthorizationManager.class.getName());
  
     
  
      protected String applicationName = null;
      protected  Map principals;
      protected  Set principalsSet;
      protected  Map domains;
      //we add also this Set of domains to certify Domain unicity
      protected  static Set domainsSet;
      protected  JGPermissionCollection urlp;
      //store all the permissions of all the domains
      protected Map permissions ;
      protected Set permissionsSet;
      //store the permissions set associated with the domain ids
      protected Map domainsPermissions;
      //  store the hierarcy while assembly the principals to after link
      protected Map hierarchyMap;
      protected Map options;
      private boolean negativePermissions;
      
      //permissions always granted set dynamically at startup
      protected Permissions alwaysGrantedPermissions = null;
      
      /**
       * initialize AuthorizationManager implementation.
      * @param options
      */
     public AbstractAuthorizationManager(Map options){
         super();
         principals = new HashMap();
         principalsSet = new TreeSet();
         domains = new HashMap();
         domainsSet = new TreeSet();
         permissions = new HashMap();
         permissionsSet = new HashSet();
         domainsPermissions = new HashMap();
         hierarchyMap = new HashMap();
         urlp = null;
         alwaysGrantedPermissions = new Permissions();
     	String negativePermission = (String)options.get(SecurityConstants.NEGATIVE_PERMISSIONS);
     	if(negativePermission!= null && negativePermission.equalsIgnoreCase("true")){
     		this.urlp = new JGNegativePermissionCollection();
     		this.negativePermissions = true;
     	}else{
     		this.urlp = new JGPositivePermissionCollection();
     		this.negativePermissions = false;
     	}
     }
 
     /**
      * define the application's name, and propagate it into Principals.
      * this mechanism is done because application's name can only be known when the
      * first request is here (bad j2ee design....).
      * @param applicationName
      */
     public void setApplicationName(String applicationName){
 
         this.applicationName = applicationName;
         Iterator itPrincipalsSet = principalsSet.iterator();
         while(itPrincipalsSet.hasNext()){
             RolePrincipal principalTemp = (RolePrincipal)itPrincipalsSet.next();
             principalTemp.setApplicationName(applicationName);
         }
         Iterator itPrincipalsMap = principals.values().iterator();
         while(itPrincipalsMap.hasNext()){
             RolePrincipal principal = (RolePrincipal)itPrincipalsMap.next();
             principal.setApplicationName(applicationName);
         }
 
     }
     /**
      * with a collection of domain names, provide the corresponding set of URLDomains.
      * @param domainNames collection of domains.
      * @return URLPermission's Set
      */
     public Set getDomains(Collection domainNames) {
         Set doms = new HashSet();
         Iterator itDomNames = domainNames.iterator();
 
         while(itDomNames.hasNext()){
             JGPermissionCollection dom = (JGPermissionCollection)domains.get(itDomNames.next());
             doms.add(dom);
         }
 
         return doms;
     }
     /**
      * with a collection of URLPermissions names, provide the corresponding
      * set of URLPermissions.
      * @param permissionNames collection of permission names to grab.
      * @return URLPermission's Set
      */
     public Set getPermissions(Collection permissionNames) {
         Set perms = new HashSet();
         Iterator itPermNames = permissionNames.iterator();
 
         while(itPermNames.hasNext()){
             Permission perm;
             String permissionName = (String)itPermNames.next();
 			try {
 				perm = urlp.getPermission(permissionName);
             perms.add(perm);
 			} catch (NoSuchPermissionException e) {
 				logger.debug(" permission "+permissionName+" not found in JGPermissionCollection ");
 			}
         }
 
         return perms;
     }
     
 
     /**
      * @see net.sf.jguard.ext.authorization.manager.AuthorizationManager#refresh()
      */
     public abstract void refresh();
       
     
     
     /**
      * compare declared Principals in the application, with principals set of the user.
      * for the principals of the user, we retrieve corresponding permissions declared in the application,
      * and we regroup them in a PermissionCollection.
      * @param principals
      * @return PermissionCollection
      * @see net.sf.jguard.ext.authorization.manager.AuthorizationManager#getPermissionCollection(java.util.Set)
      * @see net.sf.jguard.core.authorization.manager.PermissionProvider
      */
     public PermissionCollection getPermissions(ProtectionDomain protectionDomain) {
        Set ppals = new HashSet(Arrays.asList(protectionDomain.getPrincipals()));
         UserPrincipal userPrincipal = ProtectionDomainUtils.getUserPrincipal(protectionDomain);
     	RolePrincipal tempUserPrincipal;
     	RolePrincipal tempDefinedPrincipal;
 
     	Iterator definedPrincipalsIt;
 
         JGPermissionCollection urlpUser = null;
     	if(!negativePermissions){
     		urlpUser = new JGPositivePermissionCollection();
     	}else{
     		urlpUser = new JGNegativePermissionCollection();
     	}
         
         Iterator userPrincipalsIt = ppals.iterator();
         
     	//add all RolePrincipal permissions to JGPermissionCollection
     	while(userPrincipalsIt.hasNext()){
     		Principal ppal = (Principal)userPrincipalsIt.next();
     		if (!(ppal instanceof RolePrincipal)) {
     			//we skip principal which are not RolePrincipal
     			//only jGuardPrincipals own permissions
     			continue;
     		}else{
     			tempUserPrincipal = (RolePrincipal) ppal;
     		}
     		
     		//we don't add the RolePrincipal if its definition is false
     		if(!PermissionUtils.evaluatePrincipal(tempUserPrincipal, userPrincipal)) {
     			continue;
     		}
 
     		if (logger.isDebugEnabled()) {
     			logger.debug("getPermissionCollection() -  user's principal name="+ tempUserPrincipal.getLocalName());
     			logger.debug("getPermissionCollection() -  user's principal applicationName="
     					+ tempUserPrincipal.getApplicationName());
     		}
     		definedPrincipalsIt = principalsSet.iterator();
     		//we search the corresponding defined Principal
     		while(definedPrincipalsIt.hasNext()){
     			tempDefinedPrincipal = (RolePrincipal)definedPrincipalsIt.next();
     			if (logger.isDebugEnabled()) {
     				logger.debug("getPermissionCollection() -  system's principal name="
     						+ tempDefinedPrincipal.getLocalName());
     				logger.debug("getPermissionCollection() -  system's principal applicationName="
     						+ applicationName);
     			}
     			
     			//if RolePrincipal owned by the user(Authentication side) matches 
     			//with the RolePrincipal owned by the application(Authorization side),
     			//we add all the related permissions in the PermissionCollection of the user
     			if(tempDefinedPrincipal.equals(tempUserPrincipal)){
     				if (logger.isDebugEnabled()) {
     					logger.debug("getPermissionCollection() -  principal name="
     							+ tempUserPrincipal.getLocalName()
     							+ " is declared in this application ");
     				}
                     urlpUser.addAll(tempDefinedPrincipal.getAllPermissions());
                     Set tempset = tempDefinedPrincipal.getAllPermissions();
 
     				if (logger.isDebugEnabled()) {
     					logger.debug("getPermissionCollection() -  permissions granted are :"
     							+ tempset.toString());
     				}
 
     				break;
     			}
     		}
     	}
         
         //we add the permissions bound to the protectionDomain assigned statically by the classloader
         if(protectionDomain.getPermissions()!=null){
             urlpUser.addAll(protectionDomain.getPermissions());
         }
 
         if(logger.isDebugEnabled()){
         	logger.debug(" user has got "+urlpUser.size()+" permissions: \n"+urlpUser);
         }
         
         //resolve regexp in permissions
         JGPermissionCollection resolvedPermissions = (JGPermissionCollection)PermissionUtils.evaluatePermissionCollection(protectionDomain,(PermissionCollection)urlpUser);
         //we remove unresolved permissions
         //and replace them with the resolved one
         //we do that to preserve the JGpermissionCollection subclass
         //positive or negative
         urlpUser.clear();
         urlpUser.addAll(resolvedPermissions);
         
         //TODO CGA add Dynamic Separation Of Duty (DSOD) feature specified in RBAC
         //(Role based Access Control)
         //we will implement it as a Permissions subclass
         //it will check permissions against DSO constraint in a static way
         //in conjunction with the class WorkflowCheckerFactory
         
         Permissions result = PermissionUtils.mergePermissionCollections(urlpUser,alwaysGrantedPermissions);
     	return result;
     }
 
     /**
      * clone a RolePrincipal/Role and set its name with the name of the Principal to clone plus
      * a random number.
      * @param roleName RolePrincipal name to clone
      * @return cloned RolePrincipal with a different name : original JguardPrincipal name + Random integer betweeen 0 and 99999
      * @throws AuthorizationException
      */
     public Principal clonePrincipal(String roleName) throws AuthorizationException{
         Random rnd = new Random();
         String cloneName = roleName+rnd.nextInt(99999);
 
         return clonePrincipal(roleName, cloneName);
     }
 
     /**
      * clone a RolePrincipal/Role.
      * @param roleName RolePrincipal name to clone
      * @param cloneName RolePrincipal cloned name
      * @return cloned RolePrincipal with a different name : original JguardPrincipal name + Random integer betweeen 0 and 99999
      * @throws AuthorizationException
      */
     public Principal clonePrincipal(String roleName,String cloneName) throws AuthorizationException {
     	cloneName = RolePrincipal.getName(cloneName, applicationName);
     	Principal role = (Principal)principals.get(roleName);
     	Principal clone = null;
     	if(role instanceof RolePrincipal) {
             clone = (RolePrincipal)((RolePrincipal)role).clone();
             ((RolePrincipal)clone).setName(cloneName);
     	}
     	else
     		clone = PrincipalUtils.getPrincipal(role.getClass().getName(), cloneName);
 
         //persist the newly created clone
         createPrincipal(clone);
 
     return clone;
     }
 
 
     /**
      * return Set of domains.
      * @return domains Set
      * @see net.sf.jguard.ext.authorization.manager.AuthorizationManager#listDomains()
      */
     public Set listDomains() throws AuthorizationException {
         return domainsSet;
     }
     /**
      * read an URLPermission.
      * @param permissionName
      * @throws AuthorizationException
      * @see net.sf.jguard.ext.authorization.manager.AuthorizationManager#readPermission(java.lang.String)
      */
     public Permission readPermission(String permissionName) throws AuthorizationException {
         try {
         return urlp.getPermission(permissionName);
 		} catch (NoSuchPermissionException e) {
 			throw new AuthorizationException(" permission "+permissionName+" not found ");
 		}
     }
     /**
      * return an Domain with its associated URLPermission set.
      * @param domainName
      * @return Domain
      * @throws AuthorizationException
      * @see net.sf.jguard.ext.authorization.manager.AuthorizationManager#readDomain(java.lang.String)
      */
     public JGPermissionCollection readDomain(String domainName) throws AuthorizationException{
     	JGPermissionCollection domainFound = (JGPermissionCollection)domains.get(domainName);
     	if(domainFound==null){
     		throw new AuthorizationException(" domain with name="+domainName+" is not found");
     	}
         return domainFound;
     }
     /**
      * return the corresponding application role.
      * @return role
      * @see net.sf.jguard.ext.authorization.manager.AuthorizationManager#readPrincipal(java.lang.String)
      * @throws AuthorizationException
      */
     public Principal readPrincipal(String roleName) throws AuthorizationException {
     	Principal principalFound = (Principal)principals.get(roleName);
     	if(principalFound==null){
     		throw new AuthorizationException(" principal with name="+roleName+" is not found");
     	}
         return principalFound;
     }
 
     /**
      * <p>Update the permissions from jGuardPrincipals that contains this domain.</p>
      * <p><b>Note:</b> This method is need because, first, there are no warranty that the reference
      * of domain in the RolePrincipal object are the same from domainsSet and map and, second, the
      * getPermissions method from RolePrincipal don't load the permissions from domains objects
      * (it use a internal set of permissions).</p>
      * @param domain the domain that will be updated in the principals
      */
     protected void updatePrincipals(Domain domain) {
         for (Iterator principalsIt = principalsSet.iterator(); principalsIt.hasNext(); ) {
             RolePrincipal principal = (RolePrincipal) principalsIt.next();
 
             //2005-06-01 vinipitta:
             //if the principal contains the domain we remove the domain from it and replace by the
             //current(updated) version of the domain. This forces the principal to update the
             //permission list
             if (principal.getDomains().contains(domain)) {
                 principal.removeDomain(domain);
                 //if we use the principal.getDomains().add method instead then this will not work!
                 principal.addDomain(domain);
                 domainsSet.remove(domain);
                 domainsSet.add(domain);
                 domains.remove(domain.getName());
                 domains.put(domain.getName(),domain);
             }
         }
     }
 
     /**
      * <p>Update the permissions from jGuardPrincipals <b>and</b> the associated domain.</p>
      * <p><b>Note:</b> This method is need because, first, there are no warranty that the reference
      * of domain in the RolePrincipal object are the same from domainsSet and map and, second, the
      * getPermissions method from RolePrincipal don't load the permissions from domains objects
      * (it use a internal set of permissions).</p>
      * @param permission whose domain will be updated in the principals
      */
     protected void updatePrincipals(Permission permission) {
         for (Iterator principalsIt = principalsSet.iterator(); principalsIt.hasNext(); ) {
             RolePrincipal principal = (RolePrincipal) principalsIt.next();
             Domain domain = getDomain(permission);
             //2005-06-01 vinipitta:
             //if the principal contains the domain we remove the domain from it and replace by the
             //current(updated) version of the domain. This forces the principal to update the
             //permission list
             if (principal.getDomains().contains(domain)) {
                 principal.removeDomain(domain);
                 //if we use the principal.getDomains().add method instead then this will not work!
                 principal.addDomain(domain);
                 domainsSet.remove(domain);
                 domainsSet.add(domain);
                 domains.remove(domain.getName());
                 domains.put(domain.getName(),domain);
               //we  handle the use case when the principal is ited directly
               //to a permission and not indirectly through a domain
             }else if(principal.getOrphanedPermissions().contains(permission)){
                principal.getOrphanedPermissions().remove(permission);
                principal.getOrphanedPermissions().add(permission);
                principal.getPermissions().remove(permission);
                principal.getPermissions().add(permission);
 
             }
         }
     }
 
     /**
      * update the principals with this updated domain.
      * it implies a suppress and an addition.
      * @param newDomain
      * @param oldDomainName
      */
     protected void updatePrincipals(JGPermissionCollection newDomain, String oldDomainName) {
         JGPermissionCollection domain = new Domain(oldDomainName);
 
         for (Iterator principalsIt = principalsSet.iterator(); principalsIt.hasNext(); ) {
             RolePrincipal principal = (RolePrincipal) principalsIt.next();
 
             //2005-06-01 vinipitta:
             //if the principal contains the domain we remove the domain from it and replace by the
             //current(updated) version of the domain. This forces the principal to update the
             //permission list
             if (principal.getDomains().contains(domain)) {
                 principal.removeDomain(domain);
                 //if we use the principal.getDomains().add method instead then this will not work!
                 principal.addDomain(newDomain);
             }
         }
     }
 
 
     /**
      * Remove the domain from all principals that have relationship with this domain.
      * @param domainName the name of the domain that will be removed
      */
     protected void removeDomainFromPrincipals(String domainName) {
         JGPermissionCollection domain = new Domain(domainName);
 
         for (Iterator principalsIt = principalsSet.iterator(); principalsIt.hasNext(); ) {
             RolePrincipal principal = (RolePrincipal) principalsIt.next();
             if (principal.getDomains().contains(domain)) {
                 principal.removeDomain(domain);
                 domains.remove(domain);
                 domainsSet.remove(domain);
             }
         }
     }
 
     /**
      * Remove the permission from all principals that have relationship with this permission like a
      * orphaned permission (directly), or through a domain (indirectly).
      * @param permissionName the name of the permission that will be removed
      */
     protected void removePermissionFromPrincipals(String permissionName) {
         Permission permission = (Permission) permissions.get(permissionName);
 
         for (Iterator principalsIt = principalsSet.iterator(); principalsIt.hasNext(); ) {
             RolePrincipal principal = (RolePrincipal) principalsIt.next();
             if (principal.getOrphanedPermissions().contains(permission)) {
                 principal.getOrphanedPermissions().remove(permission);
                 principal.getPermissions().remove(permission);
                 logger.debug("removePermissionFromPrincipals: " + permission);
             }else if(principal.getPermissionsFromDomains().contains(permission)){
                 principal.getPermissionsFromDomains().remove(permission);
                 principal.getPermissions().remove(permission);
                 logger.debug("removePermissionFromPrincipals: " + permission);
             }
         }
     }
 
 	/**
 	 * return the domain which contains the permission.
 	 * @param permission
 	 * @return domain which owns the permission or null if no domain contains
 	 * this permisison
 	 */
 	protected  Domain getDomain(Permission permission){
 	    Iterator iterator = domainsSet.iterator();
 	    while(iterator.hasNext()){
 	    	Domain temp = (Domain)iterator.next();
 	    	if(temp.containsPermission(permission)){
 	    		return temp;
 	    	}
 	    }
 	    //no domains contains this permission
 		return null;
 	}
 
 	/**
 	 * add the permission to the corresponding role.
 	 * if the permission is not persisted, we persist it and create
 	 * a corresponding Domain with the same name.
 	 * @param roleName role updated
 	 * @param perm permission to add
 	 * @throws AuthorizationException
 	 */
 	public void addToPrincipal(String roleName, Permission perm) throws AuthorizationException {
 		RolePrincipal role = (RolePrincipal) principals.get(roleName);
 		if(role == null){
 			throw new SecurityException(" Principal/role "+roleName+" does not exists ");
 		}
 		//if permission does not exists, we add it
 		// and create a corresponding domain with the same name
 		if(!permissionsSet.contains(perm)){
 			permissionsSet.add(perm);
 			permissions.put(perm.getName(),perm);
 			createDomain(perm.getName());
 			createPermission(perm,perm.getName());
 		}
 		role.addPermission(perm);
 	}
 
 	/**
 	 * add the domain to the role, and
 	 * persist the domain if it does not exists?
 	 * @param roleName
 	 * @param domain
 	 * @throws AuthorizationException
 	 */
 	public void addToPrincipal(String roleName,Domain domain) throws AuthorizationException{
 		RolePrincipal role = (RolePrincipal) principals.get(roleName);
 		if(role == null){
 			throw new SecurityException(" Principal/role "+roleName+" does not exists ");
 		}
 
 		if(domainsSet.contains(domain)){
 			domainsSet.add(domain);
 			domains.put(domain.getName(),domain);
 			createDomain(domain.getName());
 		}
 
 		role.addDomain(domain);
 	}
 
 	/**
      * This commands establishes a new immediate inheritance relationship
      * between the existing principals/principals roleAsc and the roleDesc.
      * The command is valid if and only if the role roleAsc is not an immediate
      * ascendant of roleDesc, and descendant does
      * not properly inherit roleAsc principal/role (in order to avoid cycle creation).
      *
      * @param principalAscName  the principal/role <strong>local</strong> name that will inherite.
      * @param principalDescName the principal/role <strong>local</strong> name that will be inherited.
      * @throws AuthorizationException if the inheritance already exists or create a cycle.
      */
     public void addInheritance(String principalAscName, String principalDescName) throws AuthorizationException {
 
     	//getting the principals
         Principal principalAsc = (Principal) principals.get(principalAscName);
         Principal principalDesc = (Principal) principals.get(principalDescName);
 
         if (principalAscName.equals(principalDescName)){
             logger.error("ascendant and descendant cannot be the same principal ");
             throw new AuthorizationException("ascendant and descendant cannot be the same principal ");
         }
 
         if (principalAsc == null) {
             logger.error("Role " + principalAscName + " not found!");
             throw new AuthorizationException("Role " + principalAscName + " not found!");
         }
 
         if (principalDesc == null) {
             logger.error("Role " + principalDescName + " not found!");
             throw new AuthorizationException("Role " + principalDescName + " not found!");
         }
 
     	if(!RolePrincipal.class.isAssignableFrom(principalAsc.getClass())
     		||!RolePrincipal.class.isAssignableFrom(principalDesc.getClass())){
     		throw new AuthorizationException(" role inheritance is only supported by RolePrincipal \n roleAsc class="+principalAsc.getClass().getName()+" \n roleDesc class="+principalDesc.getClass().getName());
     	}
 
         //check if the roleAsc is immediate ascendant of roleDesc
         for (Iterator it = ((RolePrincipal)principalAsc).getDescendants().iterator(); it.hasNext(); ) {
             if (principalDesc.equals(it.next())) {
                 logger.error("Role " + principalAscName + " is immediate ascendant of role " + principalDescName + "!");
                 throw new AuthorizationException("Role " + principalAscName + " is immediate ascendant of role " + principalDescName + "!");
             }
         }
 
         //check if roleDesc inherit roleAsc
         //use a stack instead of a recursive method
         Stack rolesToCheck = new Stack();
         //used to check first all principals from one level before check the next level
         Stack rolesFromNextLevel = new Stack();
         rolesToCheck.addAll(((RolePrincipal)principalDesc).getDescendants());
 
         while (!rolesToCheck.isEmpty()) {
             RolePrincipal role = (RolePrincipal) rolesToCheck.pop();
             if (principalAsc.equals(role)) {
                 logger.error("Role " + principalAscName + " cannot inherit role "
                         + principalDescName + " because " + principalDescName + " inherit "
                         + principalAscName);
                 throw new AuthorizationException("Role " + principalAscName + " cannot inherit role "
                         + principalDescName + " because " + principalDescName + " inherit "
                         + principalAscName);
             }
 
             rolesFromNextLevel.addAll(role.getDescendants());
 
             //is time to go to next level
             if (rolesToCheck.isEmpty()) {
                 rolesToCheck.addAll(rolesFromNextLevel);
 
                 //clear the second level stack
                 rolesFromNextLevel.clear();
             }
         }
 
         //update in-memory role
         ((RolePrincipal)principalAsc).getDescendants().add(principalDesc);
 
         //update xml
         updatePrincipal((RolePrincipal)principalAsc);
     }
 
     /**
      * @param roleAscName  the role that inherit.
      * @param roleDescName the role that is inherited.
      * @throws AuthorizationException if the inheritance already exists or create a cycle.
      */
     public void deleteInheritance(String roleAscName, String roleDescName) throws AuthorizationException {
         RolePrincipal roleAsc = (RolePrincipal) principals.get(roleAscName);
         roleAsc.getDescendants().remove(principals.get(roleDescName));
         updatePrincipal(roleAsc);
     }
 
     /**
      * replace the inital principal with the new one.
      * @param principal RolePrincipal updated
      * @throws AuthorizationException
      * @see net.sf.jguard.ext.authorization.manager.AuthorizationManager#updatePrincipal(net.sf.jguard.core.principals.RolePrincipal)
      */
     public void updatePrincipal(Principal principal) throws AuthorizationException {
         deletePrincipal(principal);
         createPrincipal(principal);
         logger.debug(" updated principal="+principal);
     }
 
     /**
 	 * assembly the hierarchy of jGuardPrincipals.
 	 */
 	protected void assemblyHierarchy() {
 		//now that every principal is mapped, assembly the hierarchy.
 		for (Iterator it = hierarchyMap.keySet().iterator(); it.hasNext(); ) {
 		    String ascendantName = (String) it.next();
 		    RolePrincipal ascendant = (RolePrincipal) principals.get(ascendantName);
 
 		    for (Iterator it2 = ((List) hierarchyMap.get(ascendantName)).iterator(); it2.hasNext(); ) {
 		    	RolePrincipal descendant = (RolePrincipal) it2.next();
 		        ascendant.getDescendants().add(descendant);
 		        logger.debug("Role " + ascendantName + " inherits from role " + descendant.getLocalName());
 		    }
 		}
 	}
     /**
      *
      * @param principal
      */
     protected void deleteReferenceInHierarchy(RolePrincipal principal){
           String principalName = principal.getLocalName();
 
           //clean the hierarchy
           for (Iterator it = hierarchyMap.keySet().iterator(); it.hasNext(); ) {
         	  String ascendantName = (String) it.next();
         	  if(principalName.equals(ascendantName)){
         		  //we remove in memory the deleted principal
         		  hierarchyMap.remove(ascendantName);
         	  }else{
         		  List descendants = (List) hierarchyMap.get(ascendantName);
         		  descendants.remove(principal);
         	  }
           }
 
           //clean descendants references in the principal Map
           Collection values = principals.values();
           Iterator itValues = values.iterator();
           while(itValues.hasNext()){
         	  RolePrincipal ppalTemp = (RolePrincipal)itValues.next();
         	  ppalTemp.getDescendants().remove(principal);
           }
 
           //clean descendants references in the principal Set
           Iterator itPrincipalsSet = principalsSet.iterator();
           while(itPrincipalsSet.hasNext()){
                RolePrincipal ppalTemp = (RolePrincipal)itPrincipalsSet.next();
                ppalTemp.getDescendants().remove(principal);
           }
 
     }
 
     /**
      * return the principal's Set.
      * @return principal's Set
      * @see net.sf.jguard.ext.authorization.manager.AuthorizationManager#listPrincipals()
      */
     public Set listPrincipals()  {
        return principalsSet;
     }
     /**
      * return all the permissions.
      * @return URLPermission container
      * @see net.sf.jguard.ext.authorization.manager.AuthorizationManager#listPermissions()
      */
     public JGPermissionCollection listPermissions() {
         return new JGPositivePermissionCollection(permissionsSet);
     }
 
 
 	/**
 	 * import data from the provided AbstractAuthorizationManager into
 	 * our AuthorizationManager.
 	 * @param authManager
 	 * @throws AuthorizationException
 	 */
 	public void importAuthorizationManager(AuthorizationManager authManager)throws AuthorizationException{
 		if(authManager.isEmpty()){
 			logger.warn(" authManager to import is empty ");
 			return;
 		}
 		//import domains set and associated permissions
                  Set domains = authManager.getDomainsSet();
                  Iterator itDomains = domains.iterator();
                  while(itDomains.hasNext()){
                          Domain domain = (Domain)itDomains.next();
                          createDomain(domain.getName());
                          Iterator itPermissions = domain.getPermissions().iterator();
                          while(itPermissions.hasNext()){
                          Permission perm = (Permission)itPermissions.next();
                          createPermission(perm,domain.getName());
                      }
                  }
 
 
                  //import principal set
                  Set Principals = authManager.getPrincipalsSet();
                  Iterator itPrincipals = Principals.iterator();
                  while(itPrincipals.hasNext()){
                          Principal principal = (Principal)itPrincipals.next();
                      createPrincipal(principal);
                  }
 
 
                  //import principal inheritance
                  Iterator itPrincipals2 = Principals.iterator();
                  while(itPrincipals2.hasNext()){
                          Principal principal = (Principal)itPrincipals2.next();
                          if(principal instanceof RolePrincipal){
                                  RolePrincipal ppal = (RolePrincipal)principal;
                          Set descendants = ppal.getDescendants();
                          Iterator itDescendants = descendants.iterator();
                          while(itDescendants.hasNext()){
                                  RolePrincipal descPrincipal = (RolePrincipal)itDescendants.next();
                                  addInheritance(getLocalName(principal),getLocalName(descPrincipal));
                          }
                      }
                  }
 
 
 	}
 
       
 	public final Set getDomainsSet() {
 		return Collections.unmodifiableSet(domainsSet);
 	}
 
 	public final Map getDomains() {
 		return Collections.unmodifiableMap(domains);
 	}
 
 	public final Map getDomainsPermissions() {
 		return Collections.unmodifiableMap(domainsPermissions);
 	}
 
 	public final Map getHierarchyMap() {
 		return Collections.unmodifiableMap(hierarchyMap);
 	}
 
 	public final Map getPermissions() {
 		return Collections.unmodifiableMap(permissions);
 	}
 
 
 	public final Set getPermissionsSet() {
 		return Collections.unmodifiableSet(permissionsSet);
 	}
 
 	public final Map getPrincipals() {
 		return Collections.unmodifiableMap(principals);
 	}
 
 
 	public final Set getPrincipalsSet() {
 		return Collections.unmodifiableSet(principalsSet);
 	}
 	 protected static String getLocalName(Principal principal) {
 			
 			String name = null;
 			if (principal instanceof RolePrincipal) {
 				RolePrincipal rolePrincipal = (RolePrincipal) principal;
 				name = rolePrincipal.getLocalName();
 			}else{
 				name = principal.getName();
 			}
 			return name;
 		}
         /**
 	 * add some permissions always granted by this Policy, like permission used to
 	 * <i>logoff</i> in webapp, or permissions used to reached the <i>AccessDenied</i> page.
 	 * @param permissions permissions always granted by this Policy
 	 */
 	final public void addAlwaysGrantedPermissions(Permissions permissions){
 		Enumeration perms= permissions.elements();
 		while(perms.hasMoreElements()){
 			alwaysGrantedPermissions.add((Permission)perms.nextElement());
 		}
 	}
         
        /**
         * return an <strong>unmodifiable</strong> Map of options.
         */
        final public Map getOptions(){
            return Collections.unmodifiableMap(options);
        }
        
        public String getApplicationName(){
            return applicationName;
        }
 }