Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAuthorizationConfiguration.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAuthorizationConfiguration.java (revision 1851536) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAuthorizationConfiguration.java (date 1547213366000) @@ -18,6 +18,7 @@ import java.security.Principal; import java.util.ArrayList; +import java.util.LinkedHashSet; import java.util.List; import java.util.Set; import javax.jcr.security.AccessControlManager; @@ -146,7 +147,7 @@ case 0: return RestrictionProvider.EMPTY; case 1: return configurations.get(0).getRestrictionProvider(); default: - List rps = new ArrayList<>(configurations.size()); + Set rps = new LinkedHashSet<>(configurations.size()); for (AuthorizationConfiguration c : configurations) { RestrictionProvider rp = c.getRestrictionProvider(); if (RestrictionProvider.EMPTY != rp) { Index: oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAuthorizationConfigurationTest.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAuthorizationConfigurationTest.java (revision 1851536) +++ oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAuthorizationConfigurationTest.java (date 1547214134000) @@ -25,6 +25,7 @@ import org.apache.jackrabbit.oak.AbstractSecurityTest; import org.apache.jackrabbit.oak.namepath.NamePathMapper; import org.apache.jackrabbit.oak.security.authorization.AuthorizationConfigurationImpl; +import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters; import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration; import org.apache.jackrabbit.oak.spi.security.authorization.OpenAuthorizationConfiguration; import org.apache.jackrabbit.oak.spi.security.authorization.permission.EmptyPermissionProvider; @@ -33,11 +34,13 @@ import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider; import org.jetbrains.annotations.NotNull; import org.junit.Test; +import org.mockito.Mockito; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertNotSame; import static org.junit.Assert.assertSame; import static org.junit.Assert.assertTrue; +import static org.mockito.Mockito.when; public class CompositeAuthorizationConfigurationTest extends AbstractSecurityTest { @@ -141,14 +144,34 @@ @Test public void testMultipleRestrictionProvider() { - CompositeAuthorizationConfiguration cc = getCompositeConfiguration( - createAuthorizationConfigurationImpl(), - createAuthorizationConfigurationImpl()); + // 2 authorization configuration with different RestrictionProvider + AuthorizationConfiguration ac = createAuthorizationConfigurationImpl(); + AuthorizationConfiguration ac2 = Mockito.mock(AuthorizationConfiguration.class); + when(ac2.getRestrictionProvider()).thenReturn(Mockito.mock(RestrictionProvider.class)); + when(ac2.getParameters()).thenReturn(ConfigurationParameters.EMPTY); + + CompositeAuthorizationConfiguration cc = getCompositeConfiguration(ac, ac2); RestrictionProvider rp = cc.getRestrictionProvider(); assertTrue(rp instanceof CompositeRestrictionProvider); } + @Test + public void testRedundantRestrictionProvider() { + // 2 authorization configuration sharing the same RestrictionProvider + AuthorizationConfiguration ac = createAuthorizationConfigurationImpl(); + AuthorizationConfiguration ac2 = Mockito.mock(AuthorizationConfiguration.class); + when(ac2.getRestrictionProvider()).thenReturn(ac.getRestrictionProvider()); + when(ac2.getParameters()).thenReturn(ConfigurationParameters.EMPTY); + + CompositeAuthorizationConfiguration cc = getCompositeConfiguration(ac, ac2); + + // composite should detect the duplication + RestrictionProvider rp = cc.getRestrictionProvider(); + assertFalse(rp instanceof CompositeRestrictionProvider); + assertSame(ac.getRestrictionProvider(), rp); + } + @Test public void testMultipleWithEmptyRestrictionProvider() { CompositeAuthorizationConfiguration cc = getCompositeConfiguration(