Пример #1
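 /**
  * Rebuilds the role-renaming entries from the roles of the current site realm.
  *
  * <p>For each role in the realm one {@code Configuration} is appended to {@code renamedRoles},
  * the role counters are advanced, and the group-aware flag is set when
  * {@code isGroupAwareRoleInSettings} accepts the role id.
  *
  * <p>If the realm cannot be loaded the method returns without touching the list. The earlier
  * version fell through to the loop and iterated whatever {@code arole} held before the failed
  * lookup (a value left over from another call, or {@code null}).
  */
 public void initializeCurrentRoles() {
   String realmid = getSiteRealmID();
   try {
     arole = m_realmService.getAuthzGroup(realmid);
   } catch (Exception e) {
     log.debug("Exception: OptionsBean.initializeCurrentRoles(), " + e.getMessage());
     // Fail closed: never derive role settings from an authz group that was not loaded for
     // this realm id.
     return;
   }
   if (arole == null) {
     return;
   }
   for (Iterator i = arole.getRoles().iterator(); i.hasNext(); ) {
     Role r = (Role) i.next();
     String rolename = r.getId();
     // Config parameters are numbered from 1, the internal role id from 0.
     int paramIndex = num_role_id + 1;
     Configuration c = new Configuration();
     c.setId(num_role_id);
     c.setRoleId(rolename);
     c.setRealmid(getSiteRealmID());
     c.setSingular(rolename);
     c.setPlural(rolename + "s");
     c.setSingularNew(getConfigParam("role" + paramIndex + "singular"));
     c.setPluralNew(getConfigParam("role" + paramIndex + "plural"));
     renamedRoles.add(c);
     num_role_id++;
     num_roles_renamed++;
     if (isGroupAwareRoleInSettings(rolename)) {
       setGroupAwareRoleExist(true);
     }
   }
 }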
  /**
   * Reports whether the realm behind a resource reference grants public view. (Support for the
   * conversion.)
   *
   * <p>A realm counts as publicly viewable when it has a role named {@code pubview}, or when it
   * has a {@code .anon} role whose allowed functions contain {@code content.read}. A reference
   * with no defined realm is never public.
   *
   * @param ref The resource reference; it is passed to the AuthzGroupService as the realm id.
   * @return true if this resource supports public view, false if not.
   */
  protected boolean getPubView(String ref) {
    try {
      final AuthzGroup realm = AuthzGroupService.getAuthzGroup(ref);

      // Legacy form: the mere presence of a "pubview" role makes the realm public.
      if (realm.getRole("pubview") != null) {
        return true;
      }

      // Converted form: per the original author, the AuthzGroupService turns a pubview role
      // into an .anon role holding the content.read function, so that grant is the one to test.
      final Role anonymous = realm.getRole(".anon");
      return anonymous != null && anonymous.getAllowedFunctions().contains("content.read");
    } catch (GroupNotDefinedException e) {
      // if no realm, no pub view
      return false;
    }
  }
Пример #3
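 /**
  * Tells whether a user id is among the users of the current site's realm.
  *
  * @param uid the user id to look for
  * @return true when the realm {@code "/site/" + getCurrentSiteId()} lists {@code uid} among
  *     its users; false when it does not or when that realm is not defined
  */
 private boolean isSiteMember(String uid) {
   try {
     AuthzGroup realm = AuthzGroupService.getAuthzGroup("/site/" + getCurrentSiteId());
     return realm.getUsers().contains(uid);
   } catch (GroupNotDefinedException e) {
     // The message used to name IdUnusedException, which is not what is caught here; a
     // membership check that fails this way should be traceable to the right cause.
     LOG.error("GroupNotDefinedException:", e);
     // Unknown realm means no membership.
     return false;
   }
 }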
Пример #4
  /**
   * Lists the users of the current site's realm.
   *
   * @return a new list copied from the realm's users; an empty list when the realm
   *     {@code "/site/" + getCurrentSiteId()} is not defined (the failure is logged as an error)
   */
  private List getSiteMembers() {
    try {
      final AuthzGroup siteRealm =
          AuthzGroupService.getAuthzGroup("/site/" + getCurrentSiteId());
      // Copy, so callers never hold the realm's own user collection.
      return new ArrayList(siteRealm.getUsers());
    } catch (GroupNotDefinedException e) {
      LOG.error("GroupNotDefinedException:", e);
      return new ArrayList();
    }
  }
Пример #5
  /**
   * Fetches the id of the role the current user holds in the current site.
   *
   * @return the role id (a String, not the Role object)
   * @throws SessionDataException if the site's authz group or the user's role in it is null
   * @throws GroupNotDefinedException declared for the authz group lookup
   * @throws IdUnusedException declared; which call raises it is not visible in this method
   */
  private String getUserRole()
      throws IdUnusedException, SessionDataException, GroupNotDefinedException {
    final AuthzGroup siteGroup = AuthzGroupService.getAuthzGroup("/site/" + getSiteId());
    if (null == siteGroup) {
      throw new SessionDataException("No current group");
    }

    // A user with no role in the site is an error for the caller, never an empty role id.
    final Role userRole = siteGroup.getUserRole(this.getUserId());
    if (null == userRole) {
      throw new SessionDataException("No current role");
    }

    return userRole.getId();
  }
Пример #6
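  /**
   * Finds the group-aware role of the realm {@code m_realmid}.
   *
   * <p>The server property {@code mailtool.group.aware.role} is read as a comma-separated list
   * of role ids; the first role of the realm whose trimmed id equals one of the trimmed entries
   * is returned.
   *
   * @return the matching role id, or {@code groupAwareRoleDefault} when nothing matches or the
   *     realm cannot be loaded
   */
  public String getGroupAwareRole() {
    String gar = ServerConfigurationService.getString("mailtool.group.aware.role");
    String[] gartokens = (gar == null) ? new String[0] : gar.split(",");

    try {
      arole = m_realmService.getAuthzGroup(m_realmid);
    } catch (Exception e) {
      // The message used to name getEmailRoles(), which made the failure hard to trace.
      log.debug("Exception: OptionsBean.getGroupAwareRole(), " + e.getMessage());
      // Do not match against an authz group left over from an earlier call (or null): the
      // earlier version fell through to the loop below after a failed lookup.
      return groupAwareRoleDefault;
    }
    if (arole == null) {
      return groupAwareRoleDefault;
    }
    for (Iterator i = arole.getRoles().iterator(); i.hasNext(); ) {
      Role r = (Role) i.next();
      String rolename = r.getId();
      String wanted = rolename.trim();
      for (int t = 0; t < gartokens.length; t++) {
        if (gartokens[t].trim().equals(wanted)) {
          // The untrimmed id is returned, as before.
          return rolename;
        }
      }
    }
    return groupAwareRoleDefault;
  }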
Пример #7
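 /**
  * Checks whether a group-aware role exists in the site and records a positive result.
  *
  * <p>A role counts as group-aware when {@code isGroupAwareRoleInSettings} accepts its id or
  * when its id equals {@code getGroupAwareRole()}. The flag is only ever set to true here; it
  * is not reset when no role matches.
  *
  * <p>If the site realm cannot be loaded the method returns without changing the flag. The
  * earlier version went on to iterate whatever {@code arole} held before the failed lookup.
  */
 public void checkifGroupAwareRoleExist() {
   String realmid = getSiteRealmID();
   try {
     arole = m_realmService.getAuthzGroup(realmid);
   } catch (Exception e) {
     log.debug("Exception: OptionsBean.checkifGroupAwareRoleExist(), " + e.getMessage());
     // Fail closed: a stale or null authz group must not decide the flag.
     return;
   }
   if (arole == null) {
     return;
   }
   for (Iterator i = arole.getRoles().iterator(); i.hasNext(); ) {
     Role r = (Role) i.next();
     String rolename = r.getId();
     // Short-circuit keeps the original order: settings first, configured role second.
     if (isGroupAwareRoleInSettings(rolename) || getGroupAwareRole().equals(rolename)) {
       setGroupAwareRoleExist(true);
       break;
     }
   }
 }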
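  /**
   * Builds the template context for the permissions helper.
   *
   * <p>The realm being edited ({@code STATE_REALM_ID}) and the realm whose roles are shown
   * ({@code STATE_REALM_ROLES_ID}) are read from session state. A realm is loaded, or created
   * when it is not defined yet, only after {@code AuthzGroupService.allowUpdate} has accepted
   * it. Every failed permission check or lookup on those realms logs a warning, calls
   * {@code cleanupState} and returns {@code null}.
   *
   * @param portlet not read by this method
   * @param context the template context to fill
   * @param rundata not read by this method
   * @param state the session state holding the helper's inputs and cached objects
   * @return The name of the template to use, or null when the helper cannot proceed.
   */
  public static String buildHelperContext(
      VelocityPortlet portlet, Context context, RunData rundata, SessionState state) {
    // in state is the realm id
    context.put("thelp", rb);
    String realmId = (String) state.getAttribute(STATE_REALM_ID);

    // in state is the realm to use for roles. It may be absent (null): the role lookup further
    // down tests for that, and the function filter treats it as "same as realmId".
    String realmRolesId = (String) state.getAttribute(STATE_REALM_ROLES_ID);
    context.put("viewRealmId", realmRolesId);

    // get the realm locked for editing
    AuthzGroup edit = (AuthzGroup) state.getAttribute(STATE_REALM_EDIT);
    if (edit == null) {
      // Authorization gate: nothing is loaded or created unless the current user may update
      // this realm.
      if (AuthzGroupService.allowUpdate(realmId)) {
        try {
          edit = AuthzGroupService.getAuthzGroup(realmId);
          state.setAttribute(STATE_REALM_EDIT, edit);
        } catch (GroupNotDefinedException e) {
          try {
            // we can create the realm
            edit = AuthzGroupService.addAuthzGroup(realmId);
            state.setAttribute(STATE_REALM_EDIT, edit);
          } catch (GroupIdInvalidException ee) {
            M_log.warn("PermissionsAction.buildHelperContext: addRealm: " + ee);
            cleanupState(state);
            return null;
          } catch (GroupAlreadyDefinedException ee) {
            M_log.warn("PermissionsAction.buildHelperContext: addRealm: " + ee);
            cleanupState(state);
            return null;
          } catch (AuthzPermissionException ee) {
            M_log.warn("PermissionsAction.buildHelperContext: addRealm: " + ee);
            cleanupState(state);
            return null;
          }
        }
      }

      // no permission
      else {
        M_log.warn("PermissionsAction.buildHelperContext: no permission: " + realmId);
        cleanupState(state);
        return null;
      }
    }

    AuthzGroup viewEdit = null;
    // check whether the current realm id is of site group type
    if (realmId.indexOf(SiteService.REFERENCE_ROOT) != -1) {
      // NOTE(review): replaceAll treats its first argument as a regular expression; this
      // relies on REFERENCE_ROOT holding no regex metacharacters.
      String siteId = realmId.replaceAll(SiteService.REFERENCE_ROOT + "/", "");
      context.put("siteRef", realmId);

      if (state.getAttribute(STATE_GROUP_AWARE) != null
          && ((Boolean) state.getAttribute(STATE_GROUP_AWARE)).booleanValue()) {
        // only show groups for group-aware tools
        try {
          Site site = SiteService.getSite(siteId);
          Collection groups = site.getGroups();
          if (groups != null && !groups.isEmpty()) {
            // NOTE(review): entries are removed from the collection returned by
            // site.getGroups(); confirm that is a copy and not the site's own group list.
            Iterator iGroups = groups.iterator();
            for (; iGroups.hasNext(); ) {
              Group group = (Group) iGroups.next();
              // need to either have realm update permission on the group level or better at the
              // site level
              if (!AuthzGroupService.allowUpdate(group.getReference())) {
                iGroups.remove();
              }
            }
            context.put("groups", groups);
          }

        } catch (Exception siteException) {
          // Best effort: without the site no "groups" entry is put in the context.
          M_log.warn(
              "PermissionsAction.buildHelperContext: getsite of realm id =  "
                  + realmId
                  + siteException);
        }
      }

      // get the realm locked for editing
      viewEdit = (AuthzGroup) state.getAttribute(STATE_VIEW_REALM_EDIT);
      if (viewEdit == null) {
        // Authorization gate for the roles realm: update permission on it or on the site.
        if (AuthzGroupService.allowUpdate(realmRolesId)
            || AuthzGroupService.allowUpdate(SiteService.siteReference(siteId))) {
          try {
            viewEdit = AuthzGroupService.getAuthzGroup(realmRolesId);
            state.setAttribute(STATE_VIEW_REALM_EDIT, viewEdit);
          } catch (GroupNotDefinedException e) {
            M_log.warn(
                "PermissionsAction.buildHelperContext: getRealm with id= "
                    + realmRolesId
                    + " : "
                    + e);
            cleanupState(state);
            return null;
          }
        }

        // no permission
        else {
          // Log the realm the check above was made for; this message used to print realmId,
          // which is not the id that was refused.
          M_log.warn("PermissionsAction.buildHelperContext: no permission: " + realmRolesId);
          cleanupState(state);
          return null;
        }
      }
    }

    // in state is the prefix for abilities to present
    String prefix = (String) state.getAttribute(STATE_PREFIX);

    // in state is the list of abilities we will present
    List functions = (List) state.getAttribute(STATE_ABILITIES);
    if (functions == null) {
      // get all functions prefixed with our prefix
      functions = FunctionManager.getRegisteredFunctions(prefix);
    }

    if (functions != null && !functions.isEmpty()) {
      List<String> nFunctions = new Vector<String>();
      // A missing roles realm means "same realm": no filtering. The unguarded equals() call
      // here used to throw a NullPointerException in that case.
      if (realmRolesId != null && !realmRolesId.equals(realmId)) {
        // editing groups within site, need to filter out those permissions only applicable to site
        // level
        for (Iterator iFunctions = functions.iterator(); iFunctions.hasNext(); ) {
          String function = (String) iFunctions.next();
          if (function.indexOf("all.groups") == -1) {
            nFunctions.add(function);
          }
        }
      } else {
        nFunctions.addAll(functions);
      }
      state.setAttribute(STATE_ABILITIES, nFunctions);
      context.put("abilities", nFunctions);

      // get function description from passed in HashMap
      // output permission descriptions
      Map<String, String> functionDescriptions =
          (Map<String, String>) state.getAttribute(STATE_PERMISSION_DESCRIPTIONS);
      if (functionDescriptions != null) {
        Set keySet = functionDescriptions.keySet();
        // Walks the unfiltered list, so the map stored in state also gains entries for
        // functions that were filtered out above.
        for (Object function : functions) {
          String desc = (String) function;
          String descKey = PermissionsHelper.PREFIX_PERMISSION_DESCRIPTION + function;
          if (keySet.contains(descKey)) {
            // use function description
            desc = (String) functionDescriptions.get(descKey);
          }

          functionDescriptions.put((String) function, desc);
        }
        context.put("functionDescriptions", functionDescriptions);
      }
    }

    // in state is the description of the edit
    String description = (String) state.getAttribute(STATE_DESCRIPTION);

    // the list of roles
    List roles = (List) state.getAttribute(STATE_ROLES);
    if (roles == null) {
      // get the roles from the edit, unless another is specified
      AuthzGroup roleRealm = viewEdit != null ? viewEdit : edit;
      if (realmRolesId != null) {
        // NOTE(review): when realmId is not a site reference, no allowUpdate check on
        // realmRolesId is visible before its roles are read here; confirm the caller
        // constrains STATE_REALM_ROLES_ID.
        try {
          roleRealm = AuthzGroupService.getAuthzGroup(realmRolesId);
        } catch (Exception e) {
          // Falls back to the realm chosen above.
          M_log.warn(
              "PermissionsHelperAction.buildHelperContext: getRolesRealm: "
                  + realmRolesId
                  + " : "
                  + e);
        }
      }
      roles = new Vector();
      roles.addAll(roleRealm.getRoles());
      Collections.sort(roles);
      state.setAttribute(STATE_ROLES, roles);
    }

    // the abilities not including this realm for each role
    Map rolesAbilities = (Map) state.getAttribute(STATE_ROLE_ABILITIES);
    if (rolesAbilities == null) {
      rolesAbilities = new Hashtable();
      state.setAttribute(STATE_ROLE_ABILITIES, rolesAbilities);

      // get this resource's role Realms, those that refine the role definitions, but not its own
      Reference ref =
          EntityManager.newReference(viewEdit != null ? viewEdit.getId() : edit.getId());
      Collection realms = ref.getAuthzGroups();
      realms.remove(ref.getReference());

      for (Iterator iRoles = roles.iterator(); iRoles.hasNext(); ) {
        Role role = (Role) iRoles.next();
        Set locks = AuthzGroupService.getAllowedFunctions(role.getId(), realms);
        rolesAbilities.put(role.getId(), locks);
      }
    }

    context.put("realm", viewEdit != null ? viewEdit : edit);
    context.put("prefix", prefix);
    context.put("description", description);
    if (roles.size() > 0) {
      context.put("roles", roles);
    }
    context.put("rolesAbilities", rolesAbilities);

    // make sure observers are disabled
    VelocityPortletPaneledAction.disableObservers(state);

    return TEMPLATE_MAIN;
  }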
Пример #9
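  /**
   * Builds the mail recipient groups of one kind.
   *
   * <p>Only email roles whose {@code roletype} equals {@code roletypefilter} are expanded. The
   * kinds handled are {@code "role"} and {@code "role_groupaware"} (users holding the role in
   * the role's realm) and {@code "group"} and {@code "section"} (users holding
   * {@code groupAwareRoleFound} in the site group whose title equals the role id).
   *
   * <p>A group or section whose title matches no site group is skipped. The earlier loop kept
   * the last group it had visited in that case, so the recipients were taken from an unrelated
   * group, or the method failed with a NullPointerException when the site had no groups.
   *
   * @param roletypefilter the kind of email role to expand
   * @return a list of {@code EmailGroup}; when a realm or site lookup fails, the groups
   *     collected up to that point are returned
   */
  public List /* EmailGroup */ getEmailGroupsByType(String roletypefilter) {
    List /* EmailGroup */ thegroups = new ArrayList();
    List emailroles = this.getEmailRoles();
    for (Iterator i = emailroles.iterator(); i.hasNext(); ) {
      EmailRole emailrole = (EmailRole) i.next();
      if (emailrole.roletype.equals("role") && roletypefilter.equals("role")) {
        String realmid = emailrole.getRealmid();
        AuthzGroup therealm = null;
        try {
          therealm = m_realmService.getAuthzGroup(realmid);
        } catch (GroupNotDefinedException e1) {
          log.debug("GroupNotDefinedException: Mailtool.getEmailGroups() #1, ", e1);
          return thegroups;
        } catch (Exception e2) {
          log.debug("Exception: Mailtool.getEmailGroups() #1, " + e2.getMessage());
          return thegroups;
        }
        Set users = therealm.getUsersHasRole(emailrole.getRoleid());
        thegroups.add(new EmailGroup(emailrole, toSortedEmailUsers(users, "#2")));
      } else if (emailrole.roletype.equals("group") && roletypefilter.equals("group")) {
        String sid = getSiteID();
        Site currentSite = null;
        try {
          currentSite = siteService.getSite(sid);
        } catch (IdUnusedException e1) {
          log.debug("IdUnusedException: Mailtool.getEmailGroups() #3, ", e1);
          return thegroups;
        } catch (Exception e2) {
          log.debug("Exception: Mailtool.getEmailGroups() #3, " + e2.getMessage());
          return thegroups;
        }
        Group agroup = findSiteGroupByTitle(currentSite.getGroups(), emailrole.getRoleid());
        if (agroup == null) {
          // No group carries this title: never fall back to some other group's members.
          log.debug("Mailtool.getEmailGroupsByType(): no site group titled " + emailrole.getRoleid());
          continue;
        }
        Set users2 = agroup.getUsersHasRole(groupAwareRoleFound);
        thegroups.add(new EmailGroup(emailrole, toSortedEmailUsers(users2, "#3-1")));
      } else if (emailrole.roletype.equals("section") && roletypefilter.equals("section")) {
        String sid = getSiteID();
        Site currentSite = null;
        try {
          currentSite = siteService.getSite(sid);
        } catch (IdUnusedException e1) {
          log.debug("IdUnusedException: Mailtool.getEmailGroups() #4, ", e1);
          return thegroups;
        } catch (Exception e2) {
          log.debug("Exception: Mailtool.getEmailGroups() #4, " + e2.getMessage());
          return thegroups;
        }
        Group agroup = findSiteGroupByTitle(currentSite.getGroups(), emailrole.getRoleid());
        if (agroup == null) {
          // Same rule as for groups: an unmatched section contributes no recipients.
          log.debug("Mailtool.getEmailGroupsByType(): no site group titled " + emailrole.getRoleid());
          continue;
        }
        Set users2 = agroup.getUsersHasRole(groupAwareRoleFound);
        thegroups.add(new EmailGroup(emailrole, toSortedEmailUsers(users2, "#4-1")));
      } else if (emailrole.roletype.equals("role_groupaware")
          && roletypefilter.equals("role_groupaware")) {
        String realmid = emailrole.getRealmid();
        AuthzGroup therealm = null;
        try {
          therealm = m_realmService.getAuthzGroup(realmid);
        } catch (GroupNotDefinedException e1) {
          log.debug("GroupNotDefinedException: Mailtool.getEmailGroupsByType() #5, ", e1);
          return thegroups;
        } catch (Exception e2) {
          log.debug("Exception: Mailtool.getEmailGroupsByType() #5, " + e2.getMessage());
          return thegroups;
        }
        Set users = therealm.getUsersHasRole(emailrole.getRoleid());
        thegroups.add(new EmailGroup(emailrole, toSortedEmailUsers(users, "#5-1")));
      }
    }
    return thegroups;
  }

  /** Returns the first group in {@code groups} whose title equals {@code title}, or null. */
  private Group findSiteGroupByTitle(Collection groups, String title) {
    for (Iterator groupIterator = groups.iterator(); groupIterator.hasNext(); ) {
      Group candidate = (Group) groupIterator.next();
      if (title.equals(candidate.getTitle())) {
        return candidate;
      }
    }
    return null;
  }

  /**
   * Resolves user ids to a sorted list of {@code EmailUser}. A user that cannot be resolved is
   * logged at debug level under {@code logTag} and left out, so the result can hold fewer
   * recipients than {@code users} has ids.
   */
  private List /* EmailUser */ toSortedEmailUsers(Set users, String logTag) {
    List /* EmailUser */ mailusers = new ArrayList();
    for (Iterator j = users.iterator(); j.hasNext(); ) {
      String userid = (String) j.next();
      try {
        User theuser = m_userDirectoryService.getUser(userid);
        String firstname_for_display;
        if (theuser.getFirstName().trim().equals("")) {
          if (theuser.getEmail().trim().equals("") && theuser.getLastName().trim().equals("")) {
            firstname_for_display = theuser.getDisplayId(); // fix for SAK-7539
          } else {
            firstname_for_display = theuser.getEmail(); // fix for SAK-7356
          }
        } else {
          firstname_for_display = theuser.getFirstName();
        }
        mailusers.add(
            new EmailUser(
                theuser.getId(), firstname_for_display, theuser.getLastName(), theuser.getEmail()));
      } catch (Exception e) {
        log.debug(
            "Exception: OptionsBean.getEmailGroupsByType() " + logTag + ", " + e.getMessage());
      }
    }
    Collections.sort(mailusers);
    return mailusers;
  }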
Пример #10
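  /**
   * Assembles the email roles of the site: configured or realm roles first, then groups, then
   * sections.
   *
   * <p>Roles come from the config parameters {@code role<i>realmid}, {@code role<i>id},
   * {@code role<i>singular} and {@code role<i>plural} for i = 1..NUMBER_ROLES. When none of
   * them is completely set (and {@code already_configured} is still false), the roles of the
   * realm {@code m_realmid} are used instead. Every site group is then added as a
   * {@code "section"} when it has a {@code sections_category} property, else as a
   * {@code "group"}.
   *
   * @return a list of {@code EmailRole}; only the roles when the site cannot be loaded
   */
  public List /* EmailRole */ getEmailRoles() {
    List /* EmailRole */ theroles = new ArrayList();
    List allgroups = new ArrayList();
    List allsections = new ArrayList();
    for (int i = 1; i < (NUMBER_ROLES + 1); i++) {
      String rolerealm = this.getConfigParam("role" + i + "realmid");
      String rolename = this.getConfigParam("role" + i + "id");
      String rolesingular = this.getConfigParam("role" + i + "singular");
      String roleplural = this.getConfigParam("role" + i + "plural");

      // Compare by content. The earlier test used != "", which compares references and so let
      // empty values through whenever they were not the interned literal.
      if ((rolerealm != null && !rolerealm.equals(""))
          && (rolename != null && !rolename.equals(""))
          && (rolesingular != null && !rolesingular.equals(""))
          && (roleplural != null && !roleplural.equals(""))) {
        EmailRole emailrole = null;
        //				if (isGroupAwareRoleInSettings(rolename)){
        if (getGroupAwareRole().equals(rolename)) {
          emailrole =
              new EmailRole(rolerealm, rolename, rolesingular, roleplural, "role_groupaware");
          num_groupawarerole++;
        } else {
          emailrole = new EmailRole(rolerealm, rolename, rolesingular, roleplural, "role");
        }
        theroles.add(emailrole);
        already_configured = true;
      }
    } // for
    if (already_configured == false) {
      boolean realmLoaded = false;
      try {
        arole = m_realmService.getAuthzGroup(m_realmid);
        realmLoaded = true;
      } catch (Exception e) {
        log.debug("Exception: OptionsBean.getEmailRoles()1, " + e.getMessage());
      }
      // Derive roles only from a realm that was loaded just now; after a failed lookup arole
      // is either null or left over from an earlier call, and the earlier code iterated it.
      if (realmLoaded && arole != null) {
        for (Iterator i = arole.getRoles().iterator(); i.hasNext(); ) {
          Role r = (Role) i.next();
          String rolename = r.getId();
          String singular = rolename;
          String plural;

          if (rolename.equals("maintain")) {
            plural = rolename + "ers";
          } else if (rolename.equals("access")) {
            plural = rolename + " users";
          } else {
            plural = rolename + "s";
          }
          EmailRole emailrole = null;
          //					if (isGroupAwareRoleInSettings(rolename)){
          if (getGroupAwareRole().equals(rolename)) {
            emailrole =
                new EmailRole("/site/" + m_siteid, rolename, singular, plural, "role_groupaware");
            num_groupawarerole++;
          } else {
            emailrole = new EmailRole("/site/" + m_siteid, rolename, singular, plural, "role");
          }
          theroles.add(emailrole);
        }
      }
    }
    // adding groups as roles
    try {
      currentSite = siteService.getSite(m_siteid);
    } catch (Exception e) {
      log.debug("Exception: OptionsBean.getEmailRoles()2, " + e.getMessage());
      // If currentSite is Null then will be NPE, prefer to return early.
      return theroles;
    }
    Collection groups = currentSite.getGroups();
    for (Iterator groupIterator = groups.iterator(); groupIterator.hasNext(); ) {
      Group currentGroup = (Group) groupIterator.next();
      String groupname = currentGroup.getTitle();
      // NOTE(review): the provider group id is stored as the role's realm id; confirm it is
      // set for every group this tool should address.
      String groupid = currentGroup.getProviderGroupId();
      EmailRole emailrole2 = null;
      if (currentGroup.getProperties().getProperty("sections_category") != null) {
        emailrole2 = new EmailRole(groupid, groupname, groupname, groupname, "section");
        allsections.add(emailrole2);
        num_sections++;
      } else {
        emailrole2 = new EmailRole(groupid, groupname, groupname, groupname, "group");
        allgroups.add(emailrole2);
        num_groups++;
      }
    }
    theroles.addAll(allgroups); // for sorted list in side-by-side view & scrolling list view
    theroles.addAll(allsections); // for sorted list ...
    return theroles;
  }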
Пример #11
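  /**
   * Access (find if needed) the azg from the AuthzGroupService that implements my grouping.
   *
   * <p>When no authz group is defined for {@code getReference()}, a new one is built in memory
   * from the site's group template (falling back to {@code "!group.template"}) and its roles
   * are aligned with the parent site's roles: roles the site does not have are removed, roles
   * only the site has are added. {@code m_azgChanged} is set so that a later save stores it.
   *
   * @return My azg; null if it could be neither loaded nor created (the failure is logged).
   */
  protected AuthzGroup getAzg() {
    if (m_azg == null) {
      try {
        m_azg = AuthzGroupService.getAuthzGroup(getReference());
      } catch (GroupNotDefinedException e) {
        try {
          // create the group's azg, but don't store it yet (that happens if save is called)
          // use a template, but assign no user any maintain role

          // find the template for the new azg
          String groupAzgTemplate = siteService.groupAzgTemplate(m_site);
          AuthzGroup template = null;
          try {
            template = AuthzGroupService.getAuthzGroup(groupAzgTemplate);
          } catch (Exception e1) {
            try {
              // if the template is not defined, try the fall back template
              template = AuthzGroupService.getAuthzGroup("!group.template");
            } catch (Exception e2) {
              // Was swallowed silently. The azg is then created from a null template, which
              // is worth a trace because the roles it starts with differ.
              M_log.warn("getAzg: fall back template !group.template not available: " + e2);
            }
          }

          m_azg = AuthzGroupService.newAuthzGroup(getReference(), template, null);
          m_azgChanged = true;

          if (m_site != null) {
            try {
              // remove all roles that are not in the parent site realm. The ids are collected
              // first and removed afterwards, in case getRoles() returns a live view that
              // must not be modified while it is being iterated.
              Set<Role> parentSiteRoles = m_site.getRoles();
              java.util.List<String> extraRoleIds = new java.util.ArrayList<String>();
              for (Iterator<Role> i = m_azg.getRoles().iterator(); i.hasNext(); ) {
                Role role = (Role) i.next();
                if (!parentSiteRoles.contains(role)) {
                  extraRoleIds.add(role.getId());
                }
              }
              for (String extraRoleId : extraRoleIds) {
                m_azg.removeRole(extraRoleId);
              }
              // add all new roles from parent site realm
              Set<Role> currentRoles = m_azg.getRoles();
              for (Iterator<Role> j = parentSiteRoles.iterator(); j.hasNext(); ) {
                Role role = (Role) j.next();
                if (currentRoles == null || !currentRoles.contains(role)) {
                  String roleId = role.getId();
                  try {
                    m_azg.addRole(roleId, role);
                  } catch (RoleAlreadyDefinedException rException) {
                    M_log.warn(
                        "getAzg: role id "
                            + roleId
                            + " already used in group "
                            + m_azg.getReference()
                            + rException.getMessage());
                  }
                }
              }
            } catch (Exception e1) {
              // The azg keeps whatever roles it had when the alignment stopped.
              M_log.warn(
                  "getAzg: cannot access realm of " + m_site.getReference() + e1.getMessage());
            }
          }
        } catch (Throwable t) {
          // Deliberately broad: creation is best effort and the caller gets the current m_azg.
          M_log.warn("getAzg: " + t);
        }
      }
    }

    return m_azg;
  }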