改进PageAuthorizationService，让后面的grant覆盖前面的。改进日志的输出。

webx/turbine/src/main/java/com/alibaba/citrus/turbine/auth/impl/AuthMatch.java

@@ -30,10 +30,19 @@ public AuthGrant[] getGrants() {
 
     @Override
     public String toString() {
+        return toString(-1);
+    }
+
+    public String toString(int matchedGrantIndex) {
         MapBuilder mb = new MapBuilder();
 
         mb.append("pattern", pattern);
-        mb.append("grants", grants);
+
+        if (matchedGrantIndex < 0 || matchedGrantIndex >= grants.length) {
+            mb.append("grants", grants);
+        } else {
+            mb.append("grants[" + matchedGrantIndex + "]", grants[matchedGrantIndex]);
+        }
 
         return new ToStringBuilder().append("Match").append(mb).toString();
     }

webx/turbine/src/main/java/com/alibaba/citrus/turbine/auth/impl/PageAuthorizationServiceImpl.java

@@ -130,7 +130,10 @@ private Boolean isActionAllowed(MatchResult[] results, String target, String use
         for (MatchResult result : results) {
             AuthMatch match = result.match;
 
-            for (AuthGrant grant : match.getGrants()) {
+            // 倒序检查grant，后面的覆盖前面的。
+            for (int i = match.getGrants().length - 1; i >= 0; i--) {
+                AuthGrant grant = match.getGrants()[i];
+
                 // 判断user或role是否匹配
                 boolean userMatch = grant.isUserMatched(userName);
                 boolean roleMatch = grant.areRolesMatched(roleNames);
@@ -148,16 +151,16 @@ private Boolean isActionAllowed(MatchResult[] results, String target, String use
                                 getLogger()
                                         .trace("Access Partially Permitted: target=\"{}\", user=\"{}\", roles={}, action=\"{}\"\n{}",
                                                 new Object[] { target, userName, ObjectUtil.toString(roleNames),
-                                                        action, match });
+                                                        action, match.toString(i) });
                             }
 
                             return TRUE;
                         } else {
                             if (getLogger().isWarnEnabled()) {
-                                getLogger()
-                                        .warn("Access Denied: target=\"{}\", user=\"{}\", roles={}, action=\"{}\"\n{}",
-                                                new Object[] { target, userName, ObjectUtil.toString(roleNames),
-                                                        action, match });
+                                getLogger().warn(
+                                        "Access Denied: target=\"{}\", user=\"{}\", roles={}, action=\"{}\"\n{}",
+                                        new Object[] { target, userName, ObjectUtil.toString(roleNames), action,
+                                                match.toString(i) });
                             }
 
                             return FALSE;

webx/turbine/src/test/config/page-auth.xml

@@ -32,6 +32,10 @@
             <grant user="*">
                 <allow>read</allow>
             </grant>
+            <grant user="anonymous">
+                <!-- 被后面的覆盖 -->
+                <deny>write</deny>
+            </grant>
             <grant user="anonymous">
                 <allow>write</allow>
             </grant>

webx/turbine/src/test/java/com/alibaba/citrus/turbine/auth/PageAuthorizationServiceTests.java

@@ -30,7 +30,8 @@ public void init() throws Exception {
                 match("/user/public", //
                         // grants
                         grant(null, "*", "action", null), // 
-                        grant("*", null, "read", null), // 
+                        grant("*", null, "read", null), //
+                        grant("anonymous", null, null, "write"), // 这句将被下面一行覆盖
                         grant("anonymous", null, "write", null)), //
                 match("/**/*.vm", grant(null, "*", "*", null)) //
         });