Addressed issues from previous commit.

pom.xml

@@ -6,7 +6,7 @@
   <groupId>edu.vt.middleware</groupId>
   <artifactId>edldap</artifactId>
   <packaging>jar</packaging>
-  <version>3.0</version>
+  <version>3.0-SNAPSHOT</version>
   <name>Enterprise Directory LDAP Libraries</name>
   <url>http://www.middleware.vt.edu/doku.php?id=middleware:ed:edldap</url>
   <licenses>
@@ -40,13 +40,18 @@
     <dependency>
       <groupId>org.cryptacular</groupId>
       <artifactId>cryptacular</artifactId>
-      <version>1.0-RC5-SNAPSHOT</version>
+      <version>1.0</version>
     </dependency>
     <dependency>
       <groupId>org.ldaptive</groupId>
       <artifactId>ldaptive-beans</artifactId>
       <version>1.0.4</version>
     </dependency>
+    <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-expression</artifactId>
+      <version>3.2.4.RELEASE</version>
+    </dependency>
     <dependency>
       <groupId>com.sun.codemodel</groupId>
       <artifactId>codemodel</artifactId>

src/main/java/edu/vt/middleware/ldap/ed/EdAuth.java

@@ -19,8 +19,10 @@ import org.ldaptive.auth.BindAuthenticationHandler;
 import org.ldaptive.auth.SearchDnResolver;
 import org.ldaptive.beans.reflect.DefaultLdapEntryMapper;
 import org.springframework.expression.EvaluationContext;
+import org.springframework.expression.EvaluationException;
 import org.springframework.expression.Expression;
 import org.springframework.expression.ExpressionParser;
+import org.springframework.expression.ParseException;
 import org.springframework.expression.spel.standard.SpelExpressionParser;
 import org.springframework.expression.spel.support.StandardEvaluationContext;
 
@@ -176,15 +178,21 @@ public final class EdAuth implements EdAuthService
     final EdAuthorizationContext authorizationContext =
             new EdAuthorizationContext(attributesAndValues);
 
-    final ExpressionParser parser = new SpelExpressionParser();
-    final Expression exp = parser.parseExpression(authorizationExpression);
-    final EvaluationContext context =
-            new StandardEvaluationContext(authorizationContext);
+    try {
+      final ExpressionParser parser = new SpelExpressionParser();
+      final Expression exp = parser.parseExpression(authorizationExpression);
+      final EvaluationContext context =
+              new StandardEvaluationContext(authorizationContext);
 
-    if (!exp.getValue(context, Boolean.class)) {
+      if (!exp.getValue(context, Boolean.class)) {
+        throw new EdAuthAuthorizationException(
+              EdAuthAuthorizationException.
+                      EDAUTH_EXCEPTION_MSG_AUTHZ_FAILED);
+      }
+    } catch (EvaluationException | ParseException ee) {
       throw new EdAuthAuthorizationException(
               EdAuthAuthorizationException.
-                      EDAUTH_EXCEPTION_MSG_ATTR_NOT_RETURNED);
+                      EDAUTH_EXCEPTION_MSG_AUTHZ_EXPR_FAILED, ee);
     }
   }
 
@@ -253,9 +261,8 @@ public final class EdAuth implements EdAuthService
   /**
   * SpEL Authorization Context for this class.
   *
-  * @author  Middleware Services
   */
-  class EdAuthorizationContext
+  private class EdAuthorizationContext
   {
 
     /** Map representing the attributes and their values **/

src/main/java/edu/vt/middleware/ldap/ed/EdAuthAuthorizationException.java

@@ -6,8 +6,7 @@ package edu.vt.middleware.ldap.ed;
  * Authorization exception thrown by {@link
  * edu.vt.middleware.ldap.ed.EdAuth#authenticateAndAuthorize(
  * java.lang.String, org.ldaptive.Credential,
- * edu.vt.middleware.ldap.ed.AuthorizationMap,
- * edu.vt.middleware.ldap.ed.AuthorizationMethod)}.
+ * java.lang.String)}.
  *
  * @author  Middleware Services
  */
@@ -15,21 +14,31 @@ public class EdAuthAuthorizationException extends Exception
 {
 
   /**
-   * Error message for trying to authorize with attributes which the user
-   * doesn't have access to or has mistyped.
+   * Error message for authorization failure.
    */
-  public static final String EDAUTH_EXCEPTION_MSG_ATTR_NOT_RETURNED =
+  public static final String EDAUTH_EXCEPTION_MSG_AUTHZ_FAILED =
     "Could not match all attributes requested for authorization.";
 
-  /** Error message for trying to authorize with an empty authorization. */
+  /**
+   * Error message for a mistyped authorization expression string.
+   */
+  public static final String EDAUTH_EXCEPTION_MSG_AUTHZ_EXPR_FAILED =
+    "Could not evaluate authorization expression.";
+
+  /**
+   * Error message for trying to authorize with an empty authorization.
+   */
   public static final String EDAUTH_EXCEPTION_MSG_KEYSET_EMPTY =
     "Authorization expression cannot be empty.";
 
+  /**
+   * serialVersionUID
+   */
+  private static final long serialVersionUID = -6212572629038218021L;
 
   /** Creates a new EdAuthAuthorization exception. */
   public EdAuthAuthorizationException() {}
 
-
   /**
    * Creates a new EdAuthAuthorization exception.
    *

src/main/java/edu/vt/middleware/ldap/ed/EdAuthService.java

@@ -76,8 +76,14 @@ public interface EdAuthService extends EdOperation
    * @param  credential  credential for bind
    * @param  authorizationExpression  the SpEL expression to authorize with:
    * Available methods are hasAttributeValue(String attribute, String value)
-   * and hasAttribute(String attribute).  The entire expression evaluates to
-   * false authorization will fail with EdAuthAuthorizationException
+   * and hasAttribute(String attribute).  If the entire expression evaluates to
+   * false authorization will fail with EdAuthAuthorizationException.
+   * The following is an example authorization expression:
+   *<b>
+   * (hasAttributeValue('eduPersonAffiliation', 'VT-ACTIVE-MEMBER') &&
+   * hasAttributeValue('eduPersonAffiliation', 'VT-EMPLOYEE')) ||
+   * hasAttribute('eduPersonPrimaryAffiliation')
+   *</b>
    *
    * @throws  LdapException  if the authentication fails for any reason
    * @throws  EdAuthAuthorizationException  if the authorization fails for

src/test/java/edu/vt/middleware/ldap/ed/EdAuthTest.java

@@ -171,49 +171,52 @@ public class EdAuthTest
     );
 
     //Check for a failed authentication
-    LdapException requiredException1;
     try {
       edauth.authenticateAndAuthorize(
         authId,
         new Credential("THIS IS NOT THE PASSWORD"),
         "hasAttributeValue('" + authorizationAttribute + "', 'FAIL!')"
       );
-      requiredException1 = null;
-    } catch (LdapException ex) {
-      requiredException1 = ex;
+    } catch (Exception e) {
+      AssertJUnit.assertEquals(
+              LdapException.class, e.getClass());
     }
 
-    AssertJUnit.assertNotNull(requiredException1);
-
     //Check for a failed authorization
-    EdAuthAuthorizationException requiredException2;
     try {
       edauth.authenticateAndAuthorize(
         authId,
         password,
         "hasAttributeValue('" + authorizationAttribute + "', 'FAIL!')"
       );
-      requiredException2 = null;
-    } catch (EdAuthAuthorizationException ex) {
-      requiredException2 = ex;
+    } catch (Exception e) {
+      AssertJUnit.assertEquals(
+              EdAuthAuthorizationException.class, e.getClass());
     }
 
-    AssertJUnit.assertNotNull(requiredException2);
-
     //Check for empty authorization expression.
-    EdAuthAuthorizationException requiredException3;
     try {
       edauth.authenticateAndAuthorize(
         authId,
         password,
         ""
       );
-      requiredException3 = null;
-    } catch (EdAuthAuthorizationException ex) {
-      requiredException3 = ex;
+    } catch (Exception e) {
+      AssertJUnit.assertEquals(
+              EdAuthAuthorizationException.class, e.getClass());
     }
 
-    AssertJUnit.assertNotNull(requiredException3);
+    //Check for bad authorization expression.
+    try {
+      edauth.authenticateAndAuthorize(
+        authId,
+        password,
+        "this is a bad expression"
+      );
+    } catch (Exception e) {
+      AssertJUnit.assertEquals(
+              EdAuthAuthorizationException.class, e.getClass());
+    }
 
     AssertJUnit.assertTrue(authorized);
   }

[Daniel Fisher]

After far too much analysis... I recommend we drop the authorize method. This library focuses on data retrieval and this is the only place we stray from that. I believe that most of our clients are leveraging frameworks for authorization at this point. We should look for use cases going forward (3.1) to write adapters for those frameworks.

[Erdem A Memisyazici]

That's not quite true in that the library also provides authorization framework for Spring, Jetty, and Tomcat realms. This would be the container free version of an authentication scheme familiar to anyone who works within the Spring world. It really just covers all bases where auth/authz occurs using ED-x in my opinion.

[Daniel Fisher]

I'm suggesting we shouldn't support a container free version since we don't have a use case. But perhaps you know someone who is using this method?

[Erdem A Memisyazici]

I do know of a few services which utilize this method. One app made by STL and a few services @ the Grad School. I suspect they would be pleasantly surprised at the improvements.

[Daniel Fisher]

Fair enough. I'll merge this request.