Bug in PortalSecurityPermissionCollection?
al_kiev Feb 26, 2006 3:19 AM
Hi guys,
I might be mistaken, but it seems that PortalSecurityPermissionCollection has a bug in its loadPermission method.
The error conditions are as follows:
When a user is a member of several roles, the loadPermission method builds a permissions list that corresponds only to the role that happens to come first in the set (the "Roles" principal). As a result, if "Admin" is NOT the first role returned, the user will not have the permissions granted to the Admin role.
I've fixed this error in my source, but it is not clear to me where I should post (publish) the fix.
Below is the fixed loadPermission method:
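/**
 * Rebuilds {@code permissionsList} for one portal resource from the security
 * constraints stored in the persistent tree cache.
 *
 * <p>The resulting list is the union of the actions of every constraint that is
 * bound either to the unchecked role or to one of the roles returned by
 * {@code getAllRoles()}. A constraint bound to any other role contributes
 * nothing, so a resource without a matching constraint ends up with an empty
 * list.
 *
 * @param permType permission type; {@code PermissionTypes.INSTANCE} selects the
 *                 {@code /instance/} subtree, anything else {@code /portalobject/}
 * @param uri      path of the resource below the selected subtree
 * @throws Exception if the role lookup or the MBean invocation fails
 */
protected void loadPermission(String permType, String uri) throws Exception {
    String rootP = "/portalobject/";
    if (PermissionTypes.INSTANCE.equals(permType)) {
        rootP = "/instance/";
    }

    Enumeration roles = this.getAllRoles();

    // Cleared before the cache lookup: if anything below throws, the list is
    // left empty or partially filled, never holding entries from an earlier call.
    this.permissionsList.clear();

    MBeanServer server = MBeanServerLocator.locateJBoss();
    ObjectName oname = new ObjectName("portal:service=TreeCache,type=persistent");
    // NOTE(review): uri is appended to the cache path unchanged; confirm that
    // callers only pass portal-generated paths.
    Fqn fqn = Fqn.fromString(rootP + uri);
    ObjectEntry oe = (ObjectEntry) server.invoke(
            oname,
            "get",
            new Object[] { fqn, "constraints" },
            new String[] { "org.jboss.cache.Fqn", "java.lang.Object" });
    if (oe == null) {
        return;
    }

    Set constraints = (Set) oe.getValue();
    // A cache entry without a constraint set used to fail with a
    // NullPointerException on toArray(); it now simply grants nothing.
    if (constraints == null || roles == null) {
        return;
    }
    Object[] scarr = constraints.toArray();

    // Every role of the caller is examined, not only the first one, so the
    // permissions of all roles are accumulated.
    // NOTE(review): an unchecked-role constraint matches on every pass of this
    // loop, so its actions are added once per role; confirm permissionsList
    // tolerates duplicates.
    while (roles.hasMoreElements()) {
        Principal rolePrincipal = (Principal) roles.nextElement();
        String role = rolePrincipal.getName();
        for (int i = 0; i < scarr.length; i++) {
            SecurityConstraint sc = (SecurityConstraint) scarr[i];
            String scrole = sc.getRole();
            boolean unchecked = scrole.equals(SecurityConstants.UNCHECKED_ROLE_NAME);
            if (!unchecked && !role.equals(scrole)) {
                // Constraint belongs to a role the caller does not hold.
                continue;
            }
            for (Iterator iter = sc.getActions().iterator(); iter.hasNext();) {
                String actionstr = (String) iter.next();
                this.permissionsList.add(getPortalPermission(permType, actionstr, uri));
            }
        }
    }
}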
/**
 * Returns the role principals to evaluate for the current caller.
 *
 * <p>The JACC policy context is asked for the container subject. If that
 * subject carries a {@code Group} principal named {@code "Roles"}, the members
 * of the first such group are returned. In every other case (no subject, no
 * principals, no "Roles" group) the result is an enumeration holding a single
 * group named {@code SecurityConstants.UNCHECKED_ROLE_NAME}.
 *
 * @return enumeration of role principals
 * @throws Exception if the policy context lookup fails
 */
private Enumeration getAllRoles() throws Exception {
    Subject caller = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
    // NOTE(review): this writes the subject's string form to the debug log;
    // confirm that is acceptable for the deployment's log handling.
    log.debug("Subject=" + caller);

    // Fallback used whenever no "Roles" group can be found.
    List fallback = new LinkedList();
    fallback.add(new SimpleGroup(SecurityConstants.UNCHECKED_ROLE_NAME));

    if (caller == null) {
        return Collections.enumeration(fallback);
    }
    Set principals = caller.getPrincipals();
    if (principals == null) {
        return Collections.enumeration(fallback);
    }

    for (Iterator it = principals.iterator(); it.hasNext();) {
        Principal candidate = (Principal) it.next();
        if (!(candidate instanceof Group)) {
            continue;
        }
        Group group = (Group) candidate;
        if ("Roles".equals(group.getName())) {
            // Only the first "Roles" group is used.
            return group.members();
        }
    }
    return Collections.enumeration(fallback);
}