Classification enforecment refactor

* rename veto as permission pre-processor
  * add support for permission post-processors
  * add transaction cache to classification enforcement
  * add records management permission post processor to remove code from extended permission service 



git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/DEV/ROYTEST@110013 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

rm-server/config/alfresco/module/org_alfresco_module_rm/classified-content-context.xml

@@ -40,11 +40,14 @@
       </property>
    </bean>
     
-   <!-- Classification veto -->
+   <!-- Classification Permission Pre Processor -->
-   <bean id="classificationVeto" class="org.alfresco.module.org_alfresco_module_rm.classification.veto.ClassificationPermissionVeto" parent="parentPermissionVeto">
+   <bean id="classificationPermissionPreProcessor" 
+         class="org.alfresco.module.org_alfresco_module_rm.classification.permission.ClassificationPermissionPreProcessor" 
+         parent="parentPermissionPreProcessor">
       <property name="contentClassificationService" ref="contentClassificationService" />      
       <property name="transactionalResourceHelper" ref="rm.transactionalResourceHelper" />
       <property name="classificationServiceBootstrap" ref="classificationServiceBootstrap"/>
+      <property name="authenticationUtil" ref="rm.authenticationUtil" />
    </bean>
 
    <!-- Classification service DAO -->

rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml

@@ -96,19 +96,24 @@
       <property name="disableSharedCache" value="${system.cache.disableMutableSharedCaches}" />
    </bean>
    
-   <!-- Permission veto registry -->
+   <!-- Permission processor registry -->
-   <bean id="permissionVetoRegistry" class='org.alfresco.repo.security.permissions.veto.PermissionVetoRegistry'/>
+   <bean id="permissionProcessorRegistry" class='org.alfresco.repo.security.permissions.processor.PermissionProcessorRegistry'/>
    
-   <!-- Permission veto base bean -->
+   <!-- Permission pre-processor base bean -->
-   <bean id="parentPermissionVeto" init-method="init" abstract="true">
+   <bean id="parentPermissionPreProcessor" init-method="init" abstract="true">
-      <property name="permissionVetoRegistry" ref="permissionVetoRegistry"/>
+      <property name="permissionProcessorRegistry" ref="permissionProcessorRegistry"/>
+   </bean>
+   
+   <!-- Permission post-processor base bean -->
+   <bean id="parentPermissionPostProcessor" init-method="init" abstract="true">
+      <property name="permissionProcessorRegistry" ref="permissionProcessorRegistry"/>
    </bean>
    
    <!-- Extended permission service implementation bean -->
    <bean id="rm.permissionServiceImpl" abstract="true" class="org.alfresco.repo.security.permissions.impl.ExtendedPermissionServiceImpl">
       <property name="writersCache" ref="writersCache"/>	
       <property name="filePlanService" ref="filePlanService" />
-      <property name="permissionVetoRegistry" ref="permissionVetoRegistry"/>
+      <property name="permissionProcessorRegistry" ref="permissionProcessorRegistry"/>
       <property name="dynamicAuthorities">
          <list>
             <ref bean="ownerDynamicAuthority" />

rm-server/config/alfresco/module/org_alfresco_module_rm/module-context.xml

@@ -18,9 +18,8 @@
    <bean name="rm.alfrescoTransactionSupport" class="org.alfresco.module.org_alfresco_module_rm.util.AlfrescoTransactionSupport" />
 
    <!-- Import extended repository context -->
-
    <import resource="classpath:alfresco/module/org_alfresco_module_rm/extended-repository-context.xml"/>
-
+   
    <!-- Bootstrap records management data -->
    <bean id="org_alfresco_module_rm_bootstrapData"
       class="org.alfresco.module.org_alfresco_module_rm.bootstrap.BootstrapImporterModuleComponent"
@@ -78,6 +77,12 @@
          </list>
       </property>
    </bean>
+   
+   <!-- Records management permission post processor -->
+   <bean id="recordsManagementPermissionPostProcessor" class="org.alfresco.module.org_alfresco_module_rm.permission.RecordsManagementPermissionPostProcessor" parent="parentPermissionPostProcessor">
+      <property name="nodeService" ref="nodeService"/>
+      <property name="permissionService" ref="permissionService"/>
+   </bean>
 
    <!-- Import RM model -->
    <import resource="classpath:alfresco/module/org_alfresco_module_rm/rm-model-context.xml"/>

rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/permission/ClassificationPermissionPreProcessor.java

@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) 2005-2015 Alfresco Software Limited.
+ *
+ * This file is part of Alfresco
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.alfresco.module.org_alfresco_module_rm.classification.permission;
+
+import java.util.Map;
+import java.util.Set;
+
+import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationServiceBootstrap;
+import org.alfresco.module.org_alfresco_module_rm.classification.ContentClassificationService;
+import org.alfresco.module.org_alfresco_module_rm.util.AuthenticationUtil;
+import org.alfresco.module.org_alfresco_module_rm.util.TransactionalResourceHelper;
+import org.alfresco.repo.security.permissions.processor.impl.PermissionPreProcessorBaseImpl;
+import org.alfresco.service.cmr.repository.NodeRef;
+import org.alfresco.service.cmr.security.AccessStatus;
+import org.alfresco.util.Triple;
+
+/**
+ * Classification permission pre-processor implementation.
+ * 
+ * @author Roy Wetherall
+ * @since 3.0.a
+ */
+public class ClassificationPermissionPreProcessor extends PermissionPreProcessorBaseImpl 
+{
+	/** transaction resource keys */
+	private static final String KEY_PROCESSING = ClassificationPermissionPreProcessor.class.getName() + ".processing";
+	private static final String KEY_CACHE = ClassificationPermissionPreProcessor.class.getName() + ".cache";
+	
+	/** content classification service */
+	private ContentClassificationService contentClassificationService;
+
+	/** transaction resource helper */
+	private TransactionalResourceHelper transactionalResourceHelper;
+	
+	/** classificaiton service bootstrap */
+	private ClassificationServiceBootstrap classificationServiceBootstrap;
+	
+	/** authentication util */
+	private AuthenticationUtil authenticationUtil;
+	
+	/**
+	 * @param contentClassificationService	content classification service
+	 */
+	public void setContentClassificationService(ContentClassificationService contentClassificationService) 
+	{
+		this.contentClassificationService = contentClassificationService;
+	}
+	
+	/**
+	 * @param transactionalResourceHelper	transaction resource helper
+	 */
+	public void setTransactionalResourceHelper(TransactionalResourceHelper transactionalResourceHelper) 
+	{
+		this.transactionalResourceHelper = transactionalResourceHelper;
+	}
+	
+	/**
+	 * @param classificationServiceBootstrap	classification service bootstrap
+	 */
+	public void setClassificationServiceBootstrap(ClassificationServiceBootstrap classificationServiceBootstrap) 
+	{
+		this.classificationServiceBootstrap = classificationServiceBootstrap;
+	}
+	
+	/**
+	 * @param authenticationUtil	authentication util
+	 */
+	public void setAuthenticationUtil(AuthenticationUtil authenticationUtil) 
+	{
+		this.authenticationUtil = authenticationUtil;
+	}
+	
+	/**
+	 * @see org.alfresco.repo.security.permissions.processor.PermissionPreProcessor#process(org.alfresco.service.cmr.repository.NodeRef, java.lang.String)
+	 */
+	@Override
+	public AccessStatus process(NodeRef nodeRef, String perm) 
+	{
+		AccessStatus result = AccessStatus.UNDETERMINED;
+		
+		// ensure the classification bootstrap has been initialised
+		if (classificationServiceBootstrap.isInitialised())
+		{						
+			// do not process a node that is already being processed
+			Set<Object> processing = transactionalResourceHelper.getSet(KEY_PROCESSING);
+			if (!processing.contains(nodeRef))
+			{
+				processing.add(nodeRef);
+				try
+				{
+					// create key
+					final String currentUser = authenticationUtil.getRunAsUser();
+					Triple<NodeRef, String, String> key = new Triple<NodeRef, String, String>(nodeRef, perm, currentUser);
+					
+					// get transaction cache (the purpose of this is prevent duplicate tests within the same transaction)
+					Map<Triple<NodeRef, String, String>, AccessStatus> cache = transactionalResourceHelper.getMap(KEY_CACHE);
+					if (!cache.containsKey(key))
+					{							
+						// determine whether the current user has clearance for the node
+						if (!contentClassificationService.hasClearance(nodeRef))
+						{
+							result = AccessStatus.DENIED;
+						}
+						
+						// cache value (in transaction)
+						cache.put(key, result);
+					}
+					else
+					{
+						result = cache.get(key);
+					}
+				}
+				finally
+				{
+					processing.remove(nodeRef);
+				}
+			}				
+		}
+		
+		return result;
+	}
+}

rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/classification/veto/ClassificationPermissionVeto.java

@@ -1,68 +0,0 @@
-/**
- * 
- */
-package org.alfresco.module.org_alfresco_module_rm.classification.veto;
-
-import java.util.Set;
-
-import org.alfresco.module.org_alfresco_module_rm.classification.ClassificationServiceBootstrap;
-import org.alfresco.module.org_alfresco_module_rm.classification.ContentClassificationService;
-import org.alfresco.module.org_alfresco_module_rm.util.TransactionalResourceHelper;
-import org.alfresco.repo.security.permissions.veto.PermissionVetoBaseImpl;
-import org.alfresco.service.cmr.repository.NodeRef;
-
-/**
- * @author Roy Wetherall
- * @since 3.0.a
- */
-public class ClassificationPermissionVeto extends PermissionVetoBaseImpl 
-{
-	private ContentClassificationService contentClassificationService;
-
-	private TransactionalResourceHelper transactionalResourceHelper;
-	
-	private ClassificationServiceBootstrap classificationServiceBootstrap;
-	
-	public void setContentClassificationService(ContentClassificationService contentClassificationService) 
-	{
-		this.contentClassificationService = contentClassificationService;
-	}
-	
-	public void setTransactionalResourceHelper(TransactionalResourceHelper transactionalResourceHelper) 
-	{
-		this.transactionalResourceHelper = transactionalResourceHelper;
-	}
-	
-	public void setClassificationServiceBootstrap(ClassificationServiceBootstrap classificationServiceBootstrap) 
-	{
-		this.classificationServiceBootstrap = classificationServiceBootstrap;
-	}
-	
-	/**
-	 * @see org.alfresco.repo.security.permissions.veto.PermissionVeto#isVetoed(org.alfresco.service.cmr.repository.NodeRef, java.lang.String)
-	 */
-	@Override
-	public boolean isVetoed(NodeRef nodeRef, String perm) 
-	{
-		boolean result = false;
-		
-		if (classificationServiceBootstrap.isInitialised())
-		{
-			Set<Object> processing = transactionalResourceHelper.getSet(ClassificationPermissionVeto.class.getName());
-			if (!processing.contains(nodeRef))
-			{
-				processing.add(nodeRef);
-				try
-				{
-					result = !contentClassificationService.hasClearance(nodeRef);
-				}
-				finally
-				{
-					processing.remove(nodeRef);
-				}
-			}
-		}
-		
-		return result;
-	}
-}

rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/permission/RecordsManagementPermissionPostProcessor.java

@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) 2005-2015 Alfresco Software Limited.
+ *
+ * This file is part of Alfresco
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.alfresco.module.org_alfresco_module_rm.permission;
+
+import org.alfresco.module.org_alfresco_module_rm.capability.RMPermissionModel;
+import org.alfresco.module.org_alfresco_module_rm.model.RecordsManagementModel;
+import org.alfresco.repo.security.permissions.processor.impl.PermissionPostProcessorBaseImpl;
+import org.alfresco.service.cmr.repository.NodeRef;
+import org.alfresco.service.cmr.repository.NodeService;
+import org.alfresco.service.cmr.security.AccessStatus;
+import org.alfresco.service.cmr.security.PermissionService;
+
+/**
+ * Records management permission post processor.
+ * 
+ * @author Roy Wetherall
+ * @since 3.0.a
+ */
+public class RecordsManagementPermissionPostProcessor extends PermissionPostProcessorBaseImpl 
+{
+	/** node service */
+	private NodeService nodeService;
+	public void setNodeService(NodeService nodeService) {this.nodeService=nodeService;}
+	
+	/** permission service */
+	private PermissionService permissionService;
+	public void setPermissionService(PermissionService permissionService) {this.permissionService=permissionService;}
+	
+	/**
+	 * @see org.alfresco.repo.security.permissions.processor.PermissionPostProcessor#process(org.alfresco.service.cmr.security.AccessStatus, org.alfresco.service.cmr.repository.NodeRef, java.lang.String)
+	 */
+	@Override
+	public AccessStatus process(AccessStatus accessStatus, NodeRef nodeRef, String perm) 
+	{
+		AccessStatus result = accessStatus;
+		if (AccessStatus.DENIED.equals(accessStatus) &&
+            nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT))
+		{        
+			// if read denied on rm artifact
+	        if (PermissionService.READ.equals(perm))
+	        {
+	        	// check for read record
+	            result = permissionService.hasPermission(nodeRef, RMPermissionModel.READ_RECORDS);
+	        }
+	        // if write deinied on rm artificat
+	        else if (PermissionService.WRITE.equals(perm))
+	        {
+	        	// check for file record
+	        	result = permissionService.hasPermission(nodeRef, RMPermissionModel.FILE_RECORDS);
+	        }
+		}
+		
+		return result;
+	
+	}
+
+}

rm-server/source/java/org/alfresco/repo/security/permissions/impl/ExtendedPermissionService.java

@@ -30,5 +30,11 @@ import org.alfresco.service.cmr.security.PermissionService;
  */
 public interface ExtendedPermissionService extends PermissionService
 {
+	/**
+	 * Get a set of all the authorities that have write access.
+	 * 
+	 * @param  aclId							acl id
+	 * @return {@link Set}<{@link String}>		set of authorities with write access
+	 */
     Set<String> getWriters(Long aclId);
 }

rm-server/source/java/org/alfresco/repo/security/permissions/impl/ExtendedPermissionServiceImpl.java

@@ -35,8 +35,9 @@ import org.alfresco.module.org_alfresco_module_rm.security.ExtendedWriterDynamic
 import org.alfresco.repo.cache.SimpleCache;
 import org.alfresco.repo.security.permissions.AccessControlEntry;
 import org.alfresco.repo.security.permissions.AccessControlList;
-import org.alfresco.repo.security.permissions.veto.PermissionVeto;
+import org.alfresco.repo.security.permissions.processor.PermissionPostProcessor;
-import org.alfresco.repo.security.permissions.veto.PermissionVetoRegistry;
+import org.alfresco.repo.security.permissions.processor.PermissionPreProcessor;
+import org.alfresco.repo.security.permissions.processor.PermissionProcessorRegistry;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.alfresco.service.cmr.security.AccessStatus;
 import org.alfresco.service.cmr.security.AuthorityType;
@@ -53,7 +54,7 @@ import org.springframework.context.ApplicationEvent;
  * @author Roy Wetherall
  */
 public class ExtendedPermissionServiceImpl extends PermissionServiceImpl
-                                     implements ExtendedPermissionService
+                                           implements ExtendedPermissionService
 {
 	/** Writers simple cache */
     protected SimpleCache<Serializable, Set<String>> writersCache;
@@ -61,8 +62,8 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl
     /** File plan service */
     private FilePlanService filePlanService;
     
-    /** Permission veto registry */
+    /** Permission processor registry */
-    private PermissionVetoRegistry permissionVetoRegistry;
+    private PermissionProcessorRegistry permissionProcessorRegistry;
 
     /**
      * Gets the file plan service
@@ -84,9 +85,14 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl
         this.filePlanService = filePlanService;
     }
     
-    public void setPermissionVetoRegistry(PermissionVetoRegistry permissionVetoRegistry) 
+    /**
+     * Sets the permission processor registry
+     * 
+     * @param permissionProcessorRegistry	the permissions processor registry
+     */
+    public void setPermissionProcessorRegistry(PermissionProcessorRegistry permissionProcessorRegistry) 
     {
-		this.permissionVetoRegistry = permissionVetoRegistry;
+		this.permissionProcessorRegistry = permissionProcessorRegistry;
 	}
 
     /**
@@ -130,34 +136,34 @@ public class ExtendedPermissionServiceImpl extends PermissionServiceImpl
     @Override
     public AccessStatus hasPermission(NodeRef nodeRef, String perm)
     {
-    	// check permission vetos
+    	AccessStatus result = AccessStatus.UNDETERMINED;
-    	List<PermissionVeto> permissionVetos = permissionVetoRegistry.getPermissionVetos();
+    	
-    	for (PermissionVeto permissionVeto : permissionVetos) 
+    	// permission pre-processors
+    	List<PermissionPreProcessor> preProcessors = permissionProcessorRegistry.getPermissionPreProcessors();
+    	for (PermissionPreProcessor preProcessor : preProcessors) 
     	{
-    		if (permissionVeto.isVetoed(nodeRef, perm))
+    		// pre process permission
+    		result = preProcessor.process(nodeRef, perm);
+    		
+    		// veto if denied
+    		if (AccessStatus.DENIED.equals(result))
     		{
-    			// TODO add logging so veto cause can be diagnosed
+    			return result;
-    			
-    			// veto access to node    			
-    			return AccessStatus.DENIED;
     		}
 		}
     	
-        AccessStatus acs = super.hasPermission(nodeRef, perm);
+    	// evaluate permission
-        if (AccessStatus.DENIED.equals(acs) &&
+        result = super.hasPermission(nodeRef, perm);
-            PermissionService.READ.equals(perm) &&
+        
-            nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT))
+        // permission post-processors
+        List<PermissionPostProcessor> postProcessors = permissionProcessorRegistry.getPermissionPostProcessors();
+        for (PermissionPostProcessor postProcessor : postProcessors) 
         {
-            return super.hasPermission(nodeRef, RMPermissionModel.READ_RECORDS);
+        	// post process permission
-        }
+        	result = postProcessor.process(result, nodeRef, perm);
-        else if (AccessStatus.DENIED.equals(acs) &&
+		}        
-                 PermissionService.WRITE.equals(perm) &&
+        
-                 nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT))
+        return result;
-        {
-            return super.hasPermission(nodeRef, RMPermissionModel.FILE_RECORDS);
-        }
-
-        return acs;
     }
 
     /**

rm-server/source/java/org/alfresco/repo/security/permissions/processor/PermissionPostProcessor.java

@@ -16,33 +16,28 @@
  * You should have received a copy of the GNU Lesser General Public License
  * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
  */
-package org.alfresco.repo.security.permissions.veto;
+package org.alfresco.repo.security.permissions.processor;
+
+import org.alfresco.service.cmr.repository.NodeRef;
+import org.alfresco.service.cmr.security.AccessStatus;
+
 
-import java.util.ArrayList;
-import java.util.List;
 
 /**
+ * Permission Post Processor.
+ * 
  * @author Roy Wetherall
  * @since 3.0.a
  */
-public class PermissionVetoRegistry 
+public interface PermissionPostProcessor
 {
-	/** list of vetos to apply */
-	private List<PermissionVeto> permissionVetos = new ArrayList<PermissionVeto>();
-	
 	/**
-	 * @param permissionVeto permission veto
+	 * Process permission.
+	 * 
+	 * @param  accessStatus			current access status
+	 * @param  nodeRef				node reference
+	 * @param  perm					permission
+	 * @return {@link AccessStatus}
 	 */
-	public void addPermissionVeto(PermissionVeto permissionVeto)
+	AccessStatus process(AccessStatus accessStatus, NodeRef nodeRef, String perm);		
-	{
-		permissionVetos.add(permissionVeto);
-	}
-	
-	/**
-	 * @return {@link List}<{@link PermissionVeto}>	list of permission vetos
-	 */
-	public List<PermissionVeto> getPermissionVetos()
-	{
-		return permissionVetos;
-	}	
 }

rm-server/source/java/org/alfresco/repo/security/permissions/processor/PermissionPreProcessor.java

@@ -16,21 +16,28 @@
  * You should have received a copy of the GNU Lesser General Public License
  * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
  */
-package org.alfresco.repo.security.permissions.veto;
+package org.alfresco.repo.security.permissions.processor;
 
 import org.alfresco.service.cmr.repository.NodeRef;
+import org.alfresco.service.cmr.security.AccessStatus;
+
 
 /**
+ * Permission Veto Interface
+ * 
  * @author Roy Wetherall
  * @since 3.0.a
  */
-public interface PermissionVeto 
+public interface PermissionPreProcessor
 {
 	/**
+	 * Process permission.
 	 * 
-	 * @param nodeRef
+	 * @param  accessStatus			current access status
-	 * @param perm
+	 * @param  nodeRef				node reference
-	 * @return
+	 * @param  perm					permission
+	 * @return {@link AccessStatus}
 	 */
-	boolean isVetoed(NodeRef nodeRef, String perm);
+	AccessStatus process(NodeRef nodeRef, String perm);
+
 }

rm-server/source/java/org/alfresco/repo/security/permissions/processor/PermissionProcessorRegistry.java

@@ -0,0 +1,77 @@
+/*
+ * Copyright (C) 2005-2015 Alfresco Software Limited.
+ *
+ * This file is part of Alfresco
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.alfresco.repo.security.permissions.processor;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * Permission Processor Registry
+ * 
+ * @author Roy Wetherall
+ * @since 3.0.a
+ */
+public class PermissionProcessorRegistry 
+{
+	/** permission pre-processors */
+	private List<PermissionPreProcessor> permissionPreProcessors = new ArrayList<PermissionPreProcessor>();
+	
+	/** permission post-processors */
+	private List<PermissionPostProcessor> permissionPostProcessors = new ArrayList<PermissionPostProcessor>();
+	
+	/**
+	 * Add a permission pre-processor.
+	 * 
+	 * @param permissionPreProcessor permission pre-processor
+	 */
+	public void addPermissionPreProcessor(PermissionPreProcessor permissionPreProcessor)
+	{
+		permissionPreProcessors.add(permissionPreProcessor);
+	}
+	
+	/**
+	 * Add a permission post-processor.
+	 * 
+	 * @param permissionPostProcessor	permission post-processor
+	 */
+	public void addPermissionPostProcessor(PermissionPostProcessor permissionPostProcessor)
+	{
+		permissionPostProcessors.add(permissionPostProcessor);
+	}
+	
+	/**
+	 * Get a list of the registered permission pre-processors.
+	 * 
+	 * @return {@link List}<{@link PermissionPreProcessor}>	list of permission pre-processors
+	 */
+	public List<PermissionPreProcessor> getPermissionPreProcessors()
+	{
+		return permissionPreProcessors;
+	}	
+	
+	/**
+	 * Get a list of the registered permission post-processors.
+	 * 
+	 * @return <{@link List}>{@link PermissionPreProcessor} list of permission post-processors
+	 */
+	public List<PermissionPostProcessor> getPermissionPostProcessors() 
+	{
+		return permissionPostProcessors;
+	}
+}

rm-server/source/java/org/alfresco/repo/security/permissions/processor/impl/PermissionPostProcessorBaseImpl.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2005-2015 Alfresco Software Limited.
+ *
+ * This file is part of Alfresco
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.alfresco.repo.security.permissions.processor.impl;
+
+import org.alfresco.repo.security.permissions.processor.PermissionPostProcessor;
+
+/**
+ * Permission post processor base implementation.
+ * <p>
+ * Helper class that can be extended when providing a custom permission
+ * post processor implementation.
+ * 
+ * @author Roy Wetherall
+ * @since 3.0.a
+ */
+public abstract class PermissionPostProcessorBaseImpl extends PermissionProcessorBaseImpl
+													  implements PermissionPostProcessor 
+{
+	/**
+	 * Init method to add this permission extensions to the registry
+	 */
+	public void init()
+	{
+		getPermissionProcessorRegistry().addPermissionPostProcessor(this);
+	}
+}

rm-server/source/java/org/alfresco/repo/security/permissions/processor/impl/PermissionPreProcessorBaseImpl.java

@@ -16,30 +16,27 @@
  * You should have received a copy of the GNU Lesser General Public License
  * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
  */
-package org.alfresco.repo.security.permissions.veto;
+package org.alfresco.repo.security.permissions.processor.impl;
+
+import org.alfresco.repo.security.permissions.processor.PermissionPreProcessor;
 
 /**
+ * Permission pre-processor base implementation.
+ * <p>
+ * Helper class that can be extended when providing a custom permission
+ * pre-processor implementation.
+ * 
  * @author Roy Wetherall
  * @since 3.0.a
  */
-public abstract class PermissionVetoBaseImpl implements PermissionVeto 
+public abstract class PermissionPreProcessorBaseImpl extends PermissionProcessorBaseImpl
+													 implements PermissionPreProcessor 
 {
-	/** permission veto refistry */
-	private PermissionVetoRegistry permissionVetoRegistry;
-	
 	/**
-	 * @param permissionVetoRegistry	permission veto registry
+	 * Init method to add this permission extensions to the registry
-	 */
-	public void setPermissionVetoRegistry(PermissionVetoRegistry permissionVetoRegistry) 
-	{
-		this.permissionVetoRegistry = permissionVetoRegistry;
-	}
-	
-	/**
-	 * Init method to add this permission veto to the registry
 	 */
 	public void init()
 	{
-		permissionVetoRegistry.addPermissionVeto(this);
+		getPermissionProcessorRegistry().addPermissionPreProcessor(this);
 	}
 }

rm-server/source/java/org/alfresco/repo/security/permissions/processor/impl/PermissionProcessorBaseImpl.java

@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2005-2015 Alfresco Software Limited.
+ *
+ * This file is part of Alfresco
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.alfresco.repo.security.permissions.processor.impl;
+
+import org.alfresco.repo.security.permissions.processor.PermissionProcessorRegistry;
+
+/**
+ * Commonality found in both pre and post permission processor implementations.
+ * 
+ * @author Roy Wetherall
+ * @since 3.0.a
+ */
+/*package*/ abstract class PermissionProcessorBaseImpl 
+{
+	/** permission processor registry */
+	private PermissionProcessorRegistry permissionProcessorRegistry;
+	
+	/**
+	 * @param PermissionProcessorRegistry	permission processor registry
+	 */
+	public void setPermissionProcessorRegistry(PermissionProcessorRegistry permissionProcessorRegistry) 
+	{
+		this.permissionProcessorRegistry = permissionProcessorRegistry;
+	}
+	
+	/**
+	 * @return {@link PermissionProcessorRegistry}	permission processor registry
+	 */
+	protected PermissionProcessorRegistry getPermissionProcessorRegistry() 
+	{
+		return permissionProcessorRegistry;
+	}
+}