Index: uportal-impl/src/main/java/org/jasig/portal/security/provider/ImpersonationSecurityContext.java
===================================================================
--- uportal-impl/src/main/java/org/jasig/portal/security/provider/ImpersonationSecurityContext.java	(revision 0)
+++ uportal-impl/src/main/java/org/jasig/portal/security/provider/ImpersonationSecurityContext.java	(revision 0)
@@ -0,0 +1,215 @@
+/* Copyright 2008 The JA-SIG Collaborative.  All rights reserved.
+ *  See license distributed with this file and
+ *  available online at http://www.uportal.org/license.html
+ */
+
+package org.jasig.portal.security.provider;
+
+import java.util.Enumeration;
+import java.util.Vector;
+
+import javax.naming.AuthenticationException;
+import javax.naming.NamingEnumeration;
+import javax.naming.NamingException;
+import javax.naming.directory.Attributes;
+import javax.naming.directory.DirContext;
+import javax.naming.directory.SearchControls;
+import javax.naming.directory.SearchResult;
+
+import org.jasig.portal.ldap.ILdapServer;
+import org.jasig.portal.ldap.LdapServices;
+import org.jasig.portal.security.IAdditionalDescriptor;
+import org.jasig.portal.security.IOpaqueCredentials;
+import org.jasig.portal.security.IPrincipal;
+import org.jasig.portal.security.ISecurityContext;
+import org.jasig.portal.security.ISecurityContextFactory;
+import org.jasig.portal.security.PortalSecurityException;
+import org.jasig.portal.security.provider.ChainingSecurityContext.ChainingPrincipal;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+class ImpersonationSecurityContext implements ISecurityContext {
+    
+	// Static Members.
+	private static final Vector EMPTY_VECTOR = new Vector();
+	
+	// Instance Members.
+	private boolean authenticated;
+	private PrincipalImpl principal = new PrincipalImpl();
+	private final OpaqueCredentialsImpl credentials = new OpaqueCredentialsImpl();
+	private final Log log = LogFactory.getLog(ImpersonationSecurityContext.class);
+
+	/*
+	 * Public API.
+	 */
+	
+	public int getAuthType() {
+		throw new UnsupportedOperationException();
+	}
+
+	public IPrincipal getPrincipal() {
+	    if (authenticated) {
+			// Odd  thing to do, but ChainingSecurityContext does it...
+	        return principal;
+	    } else {
+	        return null;
+	    }
+	}
+
+	public IPrincipal getPrincipalInstance() {
+		if (authenticated) {
+			// Odd  thing to do, but ChainingSecurityContext does it...
+			return new PrincipalImpl();
+		} else {
+		    return principal;
+		}
+	}
+
+	public IOpaqueCredentials getOpaqueCredentials() {
+	    if (authenticated) {
+	        return credentials;
+	    } else {
+			// Odd  thing to do, but ChainingSecurityContext does it...
+	        return null;
+	    }
+	}
+
+	public IOpaqueCredentials getOpaqueCredentialsInstance() {
+		if (authenticated) {
+			// Odd  thing to do, but ChainingSecurityContext does it...
+			return new OpaqueCredentialsImpl();
+		} else {
+			return credentials;
+		}
+	}
+		
+	public synchronized void authenticate() throws PortalSecurityException {
+
+		String ticket = principal.getTicket();
+		
+		if (log.isDebugEnabled()) {
+			log.debug("Attempting to authenticate() with the following ticket:  " + ticket);
+		}
+		
+		String username = ImpersonationFilter.getUsername(ticket);
+		
+		if (username != null) {
+			
+			// This is a valid impersonation request...
+			authenticated = true;
+			principal.setUsername(username);
+			
+			if (log.isDebugEnabled()) {
+				log.debug("Successfully impersonating the following user:  " + username);
+			}
+			
+		}
+
+	}
+		
+	public IAdditionalDescriptor getAdditionalDescriptor() {
+		return null;
+	}
+	
+	public boolean isAuthenticated() {
+		return principal != null;
+	}
+	
+	public ISecurityContext getSubContext(String ctx) throws PortalSecurityException {
+		return null;
+	}
+	
+	public Enumeration getSubContexts() {
+		return EMPTY_VECTOR.elements();
+	}
+	
+	public Enumeration getSubContextNames() {
+		return EMPTY_VECTOR.elements();
+	}
+	
+	public void addSubContext(String name, ISecurityContext ctx) throws PortalSecurityException {
+		throw new UnsupportedOperationException();
+	}
+	
+	/*
+	 * Nested Types.
+	 */
+	
+	public static final class Factory implements ISecurityContextFactory {
+		
+		/*
+		 * Public API.
+		 */
+
+		public ISecurityContext getSecurityContext() {
+			return new ImpersonationSecurityContext();
+		}
+
+	}
+	
+	private static final class PrincipalImpl implements IPrincipal {
+		
+		// Instance Members.
+		private String ticket = null;
+		private String username = null;
+
+		/*
+		 * Public API.
+		 */
+		
+		public String getUID() {
+			return username;
+		}
+				
+		public String getGlobalUID() {
+			return username;
+		}
+		
+		public String getFullName() {
+			return username;
+		}
+		
+		public void setUID(String UID) {
+			ticket = UID;
+		}
+		
+		public String getTicket() {
+			return ticket;
+		}
+
+		public void setUsername(String username) {
+			this.username = username;
+		}
+
+	}
+	
+	private static final class OpaqueCredentialsImpl implements IOpaqueCredentials {
+		
+		// Instance Members.
+		private String value;
+		
+		/*
+		 * Public API.
+		 */
+
+		public void setCredentials(byte[] credentials) {
+			value = new String(credentials);
+		}
+
+		public void setCredentials(String credentials) {
+			value = credentials;
+		}
+		
+		public String getValue() {
+			return value;
+		}
+
+	}
+
+	/*
+	 * Private Stuff
+	 */
+	
+	private ImpersonationSecurityContext() {}	
+
+}
Index: uportal-impl/src/main/java/org/jasig/portal/security/provider/ImpersonationFilter.java
===================================================================
--- uportal-impl/src/main/java/org/jasig/portal/security/provider/ImpersonationFilter.java	(revision 0)
+++ uportal-impl/src/main/java/org/jasig/portal/security/provider/ImpersonationFilter.java	(revision 0)
@@ -0,0 +1,289 @@
+/* Copyright 2008 The JA-SIG Collaborative.  All rights reserved.
+ *  See license distributed with this file and
+ *  available online at http://www.uportal.org/license.html
+ */
+
+package org.jasig.portal.security.provider;
+
+import java.io.InputStream;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.jasig.portal.security.IAuthorizationPrincipal;
+import org.jasig.portal.security.IAuthorizationService;
+import org.jasig.portal.security.IPermission;
+import org.jasig.portal.security.IPerson;
+import org.jasig.portal.security.PersonManagerFactory;
+import org.jasig.portal.security.provider.AuthorizationImpl;
+
+import edu.emory.mathcs.backport.java.util.Arrays;
+
+public class ImpersonationFilter implements Filter {
+	
+	// Static Members.
+	private static final String REAL_USERNAME_KEY = ImpersonationFilter.class.getName() + ".realUsername";
+    private static Map<String,String> TICKETS = null;
+
+    // Instance Members.
+    private String principalToken = null;
+    private final Log log = LogFactory.getLog(this.getClass());
+    
+
+    /*
+	 * Public API.
+	 */
+
+    /**
+     * Pass this value as the 'impersonateUser' request parameter to exit 
+     * impersonation.
+     */
+    public static final String EXIT_SIGNAL = "EXIT_FRAGMENT_ADMINISTRATION";
+    
+    /**
+     * Provides the username associated with the specified <code>ticket</code> 
+     * or <code>null</code> if the ticket isn't recognized.
+     * 
+     * @param ticket A token provided as a <code>principalToken</code> by this 
+     * class to the <code>ImpersonationSecurityContext</code>
+     * @return A username to impersonate or <code>null</code>
+     */
+    public static String getUsername(String ticket) {
+    	
+    	// Assertions.
+    	if (ticket == null) {
+    		String msg = "Argument 'ticket' cannot be null.";
+    		throw new IllegalArgumentException(msg);
+    	}
+    	
+    	if (TICKETS == null) {
+    		// The filter is not deployed...
+    		String msg = "The TICKETS collection has not been initialized by " +
+    						"the init() method;  probably ImpersonationFilter " +
+    						"isn't defined properly in web.xml.";
+    		throw new IllegalStateException(msg);
+    	}
+    	
+    	return TICKETS.get(ticket);
+    	
+    }
+
+    public void init(FilterConfig filterConfig) throws ServletException {
+    	
+    	// Prep the TICKETS collection...
+    	initTickets();
+    	
+    	// Figure out the principalToken...
+    	InputStream inpt = null;
+    	try {
+    		
+    		// Get properties into a workable interface...
+    		Map<String,String> sprops = new HashMap<String,String>();
+        	Properties p = new Properties();
+        	inpt = getClass().getResourceAsStream("/properties/security.properties");
+        	p.load(inpt);
+    		for (Map.Entry<Object,Object> y : p.entrySet()) {
+    			sprops.put((String) y.getKey(), (String) y.getValue());
+    		}
+    		
+    		// Find the name under which the factory is defined...
+    		String facName = null;
+        	for (Map.Entry<String,String> y : sprops.entrySet()) {
+        		if (y.getValue().equals(ImpersonationSecurityContext.Factory.class.getName())) {
+        			facName = y.getKey();
+        		}
+        	}
+        	
+        	if (log.isDebugEnabled()) {
+        		log.debug("Found the following factory name for " +
+        				"ImpersonationSecurityContext.Factory:  " + 
+        				facName);
+        	}
+        	
+        	// Find the best principalToken...
+        	String token = null;
+        	List<String> nameParts = new ArrayList(Arrays.asList(facName.split("\\.")));
+        	nameParts.add(0, "principalToken");
+        	
+        	while (token == null && nameParts.size() > 1) {
+        		
+        		// Prepare the next-best name to try...
+        		StringBuilder tryMe = new StringBuilder();
+        		for (String part : nameParts) {
+        			tryMe.append(part).append(".");
+        		}
+        		tryMe.setLength(tryMe.length() - 1);	// remove the last '.' character
+        		
+        		if (log.isDebugEnabled()) {
+        			log.debug("Looking for a factory name of '" + tryMe.toString() + "'");
+        		}
+        		
+        		// See if we have a match...
+        		if (sprops.containsKey(tryMe.toString())) {
+        			token = sprops.get(tryMe.toString());
+        		}
+        		
+        	}
+        	
+        	// Make sure we have principalToken by now...
+        	if (token == null) {
+        		String msg = "Unable to locate a principalToken that applies to " +
+        						"ImpersonationSecurityContext.Factory.";
+        		throw new RuntimeException(msg);
+        	}
+        	
+        	principalToken = token;
+        	
+    	} catch (Throwable t) {
+    		log.error("Falied to read security.properties", t);
+    		throw new ServletException("Falied to read security.properties", t);
+    	} finally {
+    		if (inpt != null) {
+    			try { inpt.close(); } catch (Throwable t) { throw new RuntimeException(t); }
+    		}
+    	}
+
+    }
+
+	public void destroy() { /* Nothing to do...*/ }
+	
+	public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) 
+										throws IOException, ServletException {
+		
+		if (log.isDebugEnabled()) {
+			log.debug("Entering ImpersonationFilter.doFilter().");
+		}
+
+		// We need method-scoped references for these...
+		String ticket = null;
+		String preserveUsername = null;
+		
+		// Determine if the user is requesting impersonation...
+		String targetUser = req.getParameter("impersonateUser");
+		if (targetUser != null && targetUser.trim().length() != 0) {
+			
+			if (log.isDebugEnabled()) {
+				log.debug("A user is requesting impersonation of the '" 
+										+ targetUser + "' user.");
+			}
+			
+			if (!targetUser.equals(EXIT_SIGNAL)) {
+				
+				// The user is requesting to enter fragment administration...
+				boolean permitIt = false;	// Assume no until we prove otherwise...
+
+				/*
+				 * The role of this filter is to determine whether the requester should 
+				 * be permitted to become the user he's requesting to become.  This 
+				 * determination rests on 2 factors:
+				 *  - (1) Is the user authenticated?
+				 *  - (2) Is the user permitted to become the specified user?
+				 */
+				
+				// Obtain a reference to the IPerson, if present...
+				IPerson person = PersonManagerFactory.getPersonManagerInstance()
+									.getPerson((HttpServletRequest) req);
+				if (person != null && person.getSecurityContext().isAuthenticated()) {
+					
+					if (log.isDebugEnabled()) {
+						log.debug("User '" + person.getUserName() + "' is authenticated, and "
+											+ "is requesting impersonation of the '"  
+											+ targetUser + "' user.");
+					}
+
+					// Now we know the requester is authenticated, let's 
+					// make sure he's authorized to do what he's trying to do...
+					IAuthorizationService authServ = AuthorizationImpl.singleton();
+					IAuthorizationPrincipal principal = authServ.newPrincipal(person.getUserName(), IPerson.class);
+					IPermission[] grants = authServ.getAllPermissionsForPrincipal(principal, null, "IMPERSONATE", null);
+					for (IPermission p : grants) {
+						if (p.getType().equals(IPermission.PERMISSION_TYPE_GRANT) && targetUser.matches(p.getTarget())) {
+							permitIt = true;
+							break;
+						}
+					}
+					
+					if (log.isDebugEnabled()) {
+						log.debug("User '" + person.getUserName() + "' is " 
+								+ (permitIt? "" : "*NOT* ") + "authorized to " 
+								+ "impersonate the '" + targetUser + "' user.");
+					}
+					
+				}
+				
+				if (permitIt) {
+					preserveUsername = person.getUserName();
+					do {
+						ticket = this.toString() + "." + System.currentTimeMillis();
+					} while (TICKETS.containsKey(ticket));
+					TICKETS.put(ticket, targetUser);
+					req.setAttribute(principalToken, ticket);
+				}
+
+			} else {
+				
+				// The user is requesting to exit fragment administration...
+				String realUsername = (String) ((HttpServletRequest) req).getSession(true).getAttribute(REAL_USERNAME_KEY);
+				
+				if (realUsername != null && realUsername.trim().length() != 0) {
+					
+					if (log.isDebugEnabled()) {
+						log.debug("User '" +realUsername + "' is exiting impersonation.");
+					}
+
+					do {
+						ticket = this.toString() + "." + System.currentTimeMillis();
+					} while (TICKETS.containsKey(ticket));
+					TICKETS.put(ticket, realUsername);
+					req.setAttribute(principalToken, ticket);
+
+				} else {
+					log.error("There was a request to exit impersonation, " +
+									"but the realUsername was missing.");
+				}
+				
+			}
+			
+		
+		}
+		
+		// Proceed to login...
+		chain.doFilter(req, res);
+		
+		// Do some cleanup items...
+		if (ticket != null) {
+			// Remove from the collection lest we introduce a memory leak...
+			TICKETS.remove(ticket);
+		}
+		if (preserveUsername != null) {
+			// We entered impersonation;  hold onto the real username to exit later...
+			((HttpServletRequest) req).getSession(true).setAttribute(REAL_USERNAME_KEY, preserveUsername);
+		}			
+				
+	}
+	
+	/*
+	 * Private Stuff.
+	 */
+	
+	private static synchronized void initTickets() {
+		if (TICKETS == null) {
+			TICKETS = Collections.synchronizedMap(new HashMap<String,String>());
+		}
+	}
+
+}
Index: uportal-impl/src/main/resources/properties/db/entities/channel/fragment-admin.channel
===================================================================
--- uportal-impl/src/main/resources/properties/db/entities/channel/fragment-admin.channel	(revision 0)
+++ uportal-impl/src/main/resources/properties/db/entities/channel/fragment-admin.channel	(revision 0)
@@ -0,0 +1,35 @@
+
+<channel-definition script="classpath://org/jasig/portal/io/import-channel_v3-0.crn">
+  <title>Fragment Administration</title>
+  <name>Fragment Administration</name>
+  <fname>fragment-admin</fname>
+  <desc>Portlet for Fragment Administration in the header</desc>
+  <type>Portlet</type>
+  <class>org.jasig.portal.channels.portlet.CSpringPortletAdaptor</class>
+  <timeout>50000</timeout>
+  <hasedit>N</hasedit>
+  <hashelp>N</hashelp>
+  <hasabout>N</hasabout>
+  <secure>N</secure>
+  <locale>en_US</locale>
+  <categories>
+    <category>Applications</category>
+  </categories>
+  <groups>
+    <group>Portal Administrators</group>
+  </groups>
+  <parameters>
+    <parameter> 
+      <name>portletApplicationId</name>  
+      <value>/uPortal</value>  
+      <description/>  
+      <ovrd>N</ovrd> 
+    </parameter>
+    <parameter> 
+      <name>portletName</name>  
+      <value>FragmentAdministration</value>  
+      <description/>  
+      <ovrd>N</ovrd> 
+    </parameter>
+  </parameters>
+</channel-definition>
\ No newline at end of file
Index: uportal-impl/src/main/resources/properties/db/entities/channel/fragment-admin-exit.channel
===================================================================
--- uportal-impl/src/main/resources/properties/db/entities/channel/fragment-admin-exit.channel	(revision 0)
+++ uportal-impl/src/main/resources/properties/db/entities/channel/fragment-admin-exit.channel	(revision 0)
@@ -0,0 +1,34 @@
+
+<channel-definition script="classpath://org/jasig/portal/io/import-channel_v3-0.crn">
+  <title>Exit Fragment Administration</title>
+  <name>Exit Fragment Administration</name>
+  <fname>fragment-admin-exit</fname>
+  <desc>Portlet to exit Fragment Administration that appears in the header</desc>
+  <type>Portlet</type>
+  <class>org.jasig.portal.channels.portlet.CSpringPortletAdaptor</class>
+  <timeout>50000</timeout>
+  <hasedit>N</hasedit>
+  <hashelp>N</hashelp>
+  <hasabout>N</hasabout>
+  <secure>N</secure>
+  <locale>en_US</locale>
+  <categories>
+  </categories>
+  <groups>
+    <group>Everyone</group>
+  </groups>
+  <parameters>
+    <parameter> 
+      <name>portletApplicationId</name>  
+      <value>/uPortal</value>  
+      <description/>  
+      <ovrd>N</ovrd> 
+    </parameter>
+    <parameter> 
+      <name>portletName</name>  
+      <value>ExitFragmentAdministration</value>  
+      <description/>  
+      <ovrd>N</ovrd> 
+    </parameter>
+  </parameters>
+</channel-definition>
\ No newline at end of file
Index: uportal-impl/src/main/resources/properties/db/entities/permission/Portal_Administrators-IMPERSONATE.permission
===================================================================
--- uportal-impl/src/main/resources/properties/db/entities/permission/Portal_Administrators-IMPERSONATE.permission	(revision 0)
+++ uportal-impl/src/main/resources/properties/db/entities/permission/Portal_Administrators-IMPERSONATE.permission	(revision 0)
@@ -0,0 +1,13 @@
+
+<permission script="classpath://org/jasig/portal/io/import-permission_v2-6.crn">
+  <owner>system</owner>
+  <principal-type>org.jasig.portal.groups.IEntityGroup</principal-type>
+  <principal> 
+    <group>Portal Administrators</group> 
+  </principal>
+  <activity>IMPERSONATE</activity>
+  <target> 
+    <literal>.*</literal> 
+  </target>
+  <permission-type>GRANT</permission-type>
+</permission>
\ No newline at end of file
Index: uportal-impl/src/main/resources/properties/db/entities/layout/staff.layout
===================================================================
--- uportal-impl/src/main/resources/properties/db/entities/layout/staff.layout	(revision 43997)
+++ uportal-impl/src/main/resources/properties/db/entities/layout/staff.layout	(working copy)
@@ -4,6 +4,7 @@
     <header unremovable="Y" immutable="Y" hidden="N" name="Header folder">
       <channel fname="header"/>
       <channel fname="portal/login/general"/>
+      <channel fname="fragment-admin"/>
     </header>
     <tab unremovable="N" immutable="N" hidden="N" name="Main Staff Tab">
       <column unremovable="N" immutable="N" hidden="N" name="Column 1">
Index: uportal-impl/src/main/resources/properties/db/entities/layout/demo.layout
===================================================================
--- uportal-impl/src/main/resources/properties/db/entities/layout/demo.layout	(revision 43997)
+++ uportal-impl/src/main/resources/properties/db/entities/layout/demo.layout	(working copy)
@@ -5,6 +5,7 @@
       <channel fname="header"/>
       <channel fname="portal/login/general"/>
       <channel fname="session-locales-selector"/>
+      <channel fname="fragment-admin"/>
     </header>
     <tab unremovable="N" immutable="N" hidden="N" name="Demos">
       <column unremovable="N" immutable="N" hidden="N" name="Column 1">
Index: uportal-impl/src/main/resources/properties/db/entities/layout/student.layout
===================================================================
--- uportal-impl/src/main/resources/properties/db/entities/layout/student.layout	(revision 43997)
+++ uportal-impl/src/main/resources/properties/db/entities/layout/student.layout	(working copy)
@@ -4,6 +4,7 @@
     <header unremovable="Y" immutable="Y" hidden="N" name="Header folder">
       <channel fname="header"/>
       <channel fname="portal/login/general"/>
+      <channel fname="fragment-admin"/>
     </header>
     <tab unremovable="N" immutable="N" hidden="N" name="Main Student Tab">
       <column unremovable="N" immutable="N" hidden="N" name="Column 1">
Index: uportal-impl/src/main/resources/properties/db/entities/layout/faculty.layout
===================================================================
--- uportal-impl/src/main/resources/properties/db/entities/layout/faculty.layout	(revision 43997)
+++ uportal-impl/src/main/resources/properties/db/entities/layout/faculty.layout	(working copy)
@@ -4,6 +4,7 @@
     <header unremovable="Y" immutable="Y" hidden="N" name="Header folder">
       <channel fname="header"/>
       <channel fname="portal/login/general"/>
+      <channel fname="fragment-admin"/>
     </header>
     <tab unremovable="N" immutable="N" hidden="N" name="Main Faculty Tab">
       <column unremovable="N" immutable="N" hidden="N" name="Column 1">
Index: uportal-impl/src/main/resources/properties/db/entities/layout/guest.layout
===================================================================
--- uportal-impl/src/main/resources/properties/db/entities/layout/guest.layout	(revision 43997)
+++ uportal-impl/src/main/resources/properties/db/entities/layout/guest.layout	(working copy)
@@ -5,6 +5,7 @@
       <channel fname="header"/>
       <channel fname="portal/login/general"/>
       <channel fname="session-locales-selector"/>
+      <channel fname="fragment-admin"/>
     </header>
     <tab unremovable="N" immutable="N" hidden="N" name="uPortal News">
       <column unremovable="N" immutable="N" hidden="N" name="Column 1">
Index: uportal-impl/src/main/resources/properties/db/entities/layout/admin.layout
===================================================================
--- uportal-impl/src/main/resources/properties/db/entities/layout/admin.layout	(revision 43997)
+++ uportal-impl/src/main/resources/properties/db/entities/layout/admin.layout	(working copy)
@@ -4,6 +4,7 @@
     <header unremovable="Y" immutable="Y" hidden="N" name="Header folder">
       <channel fname="header"/>
       <channel fname="portal/login/general"/>
+      <channel fname="fragment-admin"/>
     </header>
     <tab unremovable="N" immutable="N" hidden="N" name="Admin Tools">
       <column unremovable="N" immutable="N" hidden="N" name="Column">
Index: uportal-impl/src/main/resources/properties/db/entities/layout/defaultTemplateUser.layout
===================================================================
--- uportal-impl/src/main/resources/properties/db/entities/layout/defaultTemplateUser.layout	(revision 43997)
+++ uportal-impl/src/main/resources/properties/db/entities/layout/defaultTemplateUser.layout	(working copy)
@@ -5,6 +5,7 @@
       <channel fname="header"/>
       <channel fname="portal/login/general"/>
       <channel fname="session-locales-selector"/>
+      <channel fname="fragment-admin"/>
     </header>
     <footer unremovable="N" immutable="N" hidden="N" name="Footer folder">
       <channel fname="footer"/>
Index: uportal-impl/src/main/resources/properties/db/entities/layout/fragmentTemplate.layout
===================================================================
--- uportal-impl/src/main/resources/properties/db/entities/layout/fragmentTemplate.layout	(revision 43997)
+++ uportal-impl/src/main/resources/properties/db/entities/layout/fragmentTemplate.layout	(working copy)
@@ -5,6 +5,7 @@
       <channel fname="header"/>
       <channel fname="portal/login/general"/>
       <channel fname="session-locales-selector"/>
+      <channel fname="fragment-admin-exit"/>
     </header>
     <footer unremovable="N" immutable="N" hidden="N" name="Footer folder">
       <channel fname="footer"/>
Index: uportal-impl/src/main/resources/properties/db/entities/fragment-layout/welcome-lo.fragment-layout
===================================================================
--- uportal-impl/src/main/resources/properties/db/entities/fragment-layout/welcome-lo.fragment-layout	(revision 43997)
+++ uportal-impl/src/main/resources/properties/db/entities/fragment-layout/welcome-lo.fragment-layout	(working copy)
@@ -5,6 +5,7 @@
       <channel fname="header"/>
       <channel fname="portal/login/general"/>
       <channel fname="session-locales-selector"/>
+      <channel fname="fragment-admin-exit"/>
     </header>
     <footer unremovable="N" immutable="N" hidden="N" name="Footer folder">
       <channel fname="footer"/>
Index: uportal-impl/src/main/resources/properties/db/entities/fragment-layout/news-lo.fragment-layout
===================================================================
--- uportal-impl/src/main/resources/properties/db/entities/fragment-layout/news-lo.fragment-layout	(revision 43997)
+++ uportal-impl/src/main/resources/properties/db/entities/fragment-layout/news-lo.fragment-layout	(working copy)
@@ -5,6 +5,7 @@
       <channel fname="header"/>
       <channel fname="portal/login/general"/>
       <channel fname="session-locales-selector"/>
+      <channel fname="fragment-admin-exit"/>
     </header>
     <footer unremovable="N" immutable="N" hidden="N" name="Footer folder">
       <channel fname="footer"/>
Index: uportal-impl/src/main/resources/properties/db/entities/fragment-layout/ent-lo.fragment-layout
===================================================================
--- uportal-impl/src/main/resources/properties/db/entities/fragment-layout/ent-lo.fragment-layout	(revision 43997)
+++ uportal-impl/src/main/resources/properties/db/entities/fragment-layout/ent-lo.fragment-layout	(working copy)
@@ -5,6 +5,7 @@
       <channel fname="header"/>
       <channel fname="portal/login/general"/>
       <channel fname="session-locales-selector"/>
+      <channel fname="fragment-admin-exit"/>
     </header>
     <footer unremovable="N" immutable="N" hidden="N" name="Footer folder">
       <channel fname="footer"/>
Index: uportal-impl/src/main/resources/properties/db/entities/fragment-layout/guest-lo.fragment-layout
===================================================================
--- uportal-impl/src/main/resources/properties/db/entities/fragment-layout/guest-lo.fragment-layout	(revision 43997)
+++ uportal-impl/src/main/resources/properties/db/entities/fragment-layout/guest-lo.fragment-layout	(working copy)
@@ -5,6 +5,7 @@
       <channel fname="header"/>
       <channel fname="portal/login/general"/>
       <channel fname="session-locales-selector"/>
+      <channel fname="fragment-admin-exit"/>
     </header>
     <footer unremovable="N" immutable="N" hidden="N" name="Footer folder">
       <channel fname="footer"/>
Index: uportal-impl/src/main/resources/properties/security.properties
===================================================================
--- uportal-impl/src/main/resources/properties/security.properties	(revision 43997)
+++ uportal-impl/src/main/resources/properties/security.properties	(working copy)
@@ -53,10 +53,12 @@
 root=org.jasig.portal.security.provider.UnionSecurityContextFactory
 root.cas=org.jasig.portal.security.provider.cas.CasFilteredSecurityContextFactory
 root.simple=org.jasig.portal.security.provider.SimpleSecurityContextFactory
+root.impersonation=org.jasig.portal.security.provider.ImpersonationSecurityContext$Factory
 
 ## Answers what tokens are examined in the request for each context during authentication.
 ## A subcontext only needs to set its tokens if it differs from those of the root context.
 principalToken.root=userName
+principalToken.root.impersonation=ticket
 credentialToken.root=password
 credentialToken.root.cas=ticket
 
Index: uportal-war/src/main/resources/layout/theme/universality/universality.xsl
===================================================================
--- uportal-war/src/main/resources/layout/theme/universality/universality.xsl	(revision 43997)
+++ uportal-war/src/main/resources/layout/theme/universality/universality.xsl	(working copy)
@@ -609,6 +609,11 @@
     <xsl:call-template name="web.search"/>
     <!-- Web Search -->
     
+    <!-- Fragment Administration -->
+    <xsl:copy-of select="//channel[@fname = 'fragment-admin']"/>
+    <xsl:copy-of select="//channel[@fname = 'fragment-admin-exit']"/>
+    <!-- Login Channel -->
+
     <!-- Quicklinks -->
     <xsl:call-template name="quicklinks"/>
     <!-- Quicklinks -->
Index: uportal-war/src/main/webapp/WEB-INF/FragmentAdministration-portlet.xml
===================================================================
--- uportal-war/src/main/webapp/WEB-INF/FragmentAdministration-portlet.xml	(revision 0)
+++ uportal-war/src/main/webapp/WEB-INF/FragmentAdministration-portlet.xml	(revision 0)
@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
+
+<!--
+ | Contains the bean definitions and relationships that are avalable
+ | to the spring WebApplicationContext
+ +-->
+<beans>
+
+    <bean id="settings" class="java.util.HashMap">
+        <constructor-arg>
+            <map>
+                <entry key="CernunnosPortlet.ACTION_PREFIX"><value>/WEB-INF/actions/FragmentAdministration/</value></entry>
+                <entry key="CernunnosPortlet.VIEW_PREFIX"><value>/WEB-INF/views/FragmentAdministration/</value></entry>
+            </map>
+        </constructor-arg>
+    </bean>
+
+    <!--
+     | Use a bean with id of 'settings' to configure CernunnosPortlet properties.
+     +-->
+    <!-- Example 'settings' bean shown below (no need to specify)...
+    <bean id="settings" class="java.util.HashMap">
+        <constructor-arg>
+            <map>
+                <entry key="CernunnosPortlet.ACTION_PARAMETER"><value>action</value></entry>
+                <entry key="CernunnosPortlet.ACTION_PREFIX"><value>/WEB-INF/actions/</value></entry>
+                <entry key="CernunnosPortlet.ACTION_SUFFIX"><value>.crn</value></entry>
+                <entry key="CernunnosPortlet.VIEW_PARAMETER"><value>view</value></entry>
+                <entry key="CernunnosPortlet.VIEW_PREFIX"><value>/WEB-INF/views/</value></entry>
+                <entry key="CernunnosPortlet.VIEW_SUFFIX"><value>.crn</value></entry>
+                <entry key="CernunnosPortlet.DEFAULT_VIEW"><value>index</value></entry>
+            </map>
+        </constructor-arg>
+    </bean>
+    -->
+
+    <!--
+     | Use a bean with id of 'requestAttributes' to pre-load the Cernunnos context for every Task invocation.
+     +-->
+    <!-- This example illustrates how you can provide a javax.sql.DataSource to your scripts...
+    <bean id="requestAttributes" class="java.util.HashMap">
+        <constructor-arg>
+            <map>
+                <entry key="SqlAttributes.DATA_SOURCE"><ref bean="dataSource"/></entry>
+            </map>
+        </constructor-arg>
+    </bean>
+
+    <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
+        <property name="driverClassName"><value>@jdbc.portal.driver@</value></property>
+        <property name="url"><value>@jdbc.portal.url@</value></property>
+        <property name="username"><value>@jdbc.portal.username@</value></property>
+        <property name="password"><value>@jdbc.portal.password@</value></property>
+    </bean>
+    -->
+
+</beans>
Index: uportal-war/src/main/webapp/WEB-INF/portlet.xml
===================================================================
--- uportal-war/src/main/webapp/WEB-INF/portlet.xml	(revision 43997)
+++ uportal-war/src/main/webapp/WEB-INF/portlet.xml	(working copy)
@@ -43,4 +43,47 @@
             <title>Attribute Swapper Portlet</title>
         </portlet-info>
     </portlet>
+    
+  <portlet> 
+    <portlet-name>ExitFragmentAdministration</portlet-name>  
+    <portlet-class>org.danann.cernunnos.runtime.web.CernunnosPortlet</portlet-class>
+    <expiration-cache>-1</expiration-cache>
+    <supports> 
+      <mime-type>text/html</mime-type>  
+      <portlet-mode>view</portlet-mode> 
+    </supports>  
+    <portlet-info> 
+      <title>ExitFragmentAdministration</title> 
+    </portlet-info> 
+    <portlet-preferences> 
+      <preference> 
+        <name>loginUrl</name>  
+        <value>Login</value> 
+      </preference> 
+    </portlet-preferences> 
+  </portlet>
+  
+  <portlet> 
+    <portlet-name>FragmentAdministration</portlet-name>  
+    <portlet-class>org.danann.cernunnos.runtime.web.CernunnosPortlet</portlet-class>
+    <expiration-cache>-1</expiration-cache>
+    <supports> 
+      <mime-type>text/html</mime-type>  
+      <portlet-mode>view</portlet-mode> 
+    </supports>  
+    <portlet-info> 
+      <title>FragmentAdministration</title> 
+    </portlet-info>  
+    <portlet-preferences> 
+      <preference> 
+        <name>loginUrl</name>  
+        <value>Login</value> 
+      </preference> 
+    </portlet-preferences> 
+  </portlet>
+  
+  <user-attribute> 
+    <name>username</name> 
+  </user-attribute> 
+
 </portlet-app>
\ No newline at end of file
Index: uportal-war/src/main/webapp/WEB-INF/ExitFragmentAdministration-portlet.xml
===================================================================
--- uportal-war/src/main/webapp/WEB-INF/ExitFragmentAdministration-portlet.xml	(revision 0)
+++ uportal-war/src/main/webapp/WEB-INF/ExitFragmentAdministration-portlet.xml	(revision 0)
@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
+
+<!--
+ | Contains the bean definitions and relationships that are avalable
+ | to the spring WebApplicationContext
+ +-->
+<beans>
+
+    <bean id="settings" class="java.util.HashMap">
+        <constructor-arg>
+            <map>
+                <entry key="CernunnosPortlet.ACTION_PREFIX"><value>/WEB-INF/actions/ExitFragmentAdministration/</value></entry>
+                <entry key="CernunnosPortlet.VIEW_PREFIX"><value>/WEB-INF/views/ExitFragmentAdministration/</value></entry>
+            </map>
+        </constructor-arg>
+    </bean>
+
+    <!--
+     | Use a bean with id of 'settings' to configure CernunnosPortlet properties.
+     +-->
+    <!-- Example 'settings' bean shown below (no need to specify)...
+    <bean id="settings" class="java.util.HashMap">
+        <constructor-arg>
+            <map>
+                <entry key="CernunnosPortlet.ACTION_PARAMETER"><value>action</value></entry>
+                <entry key="CernunnosPortlet.ACTION_PREFIX"><value>/WEB-INF/actions/</value></entry>
+                <entry key="CernunnosPortlet.ACTION_SUFFIX"><value>.crn</value></entry>
+                <entry key="CernunnosPortlet.VIEW_PARAMETER"><value>view</value></entry>
+                <entry key="CernunnosPortlet.VIEW_PREFIX"><value>/WEB-INF/views/</value></entry>
+                <entry key="CernunnosPortlet.VIEW_SUFFIX"><value>.crn</value></entry>
+                <entry key="CernunnosPortlet.DEFAULT_VIEW"><value>index</value></entry>
+            </map>
+        </constructor-arg>
+    </bean>
+    -->
+
+    <!--
+     | Use a bean with id of 'requestAttributes' to pre-load the Cernunnos context for every Task invocation.
+     +-->
+    <!-- This example illustrates how you can provide a javax.sql.DataSource to your scripts...
+    <bean id="requestAttributes" class="java.util.HashMap">
+        <constructor-arg>
+            <map>
+                <entry key="SqlAttributes.DATA_SOURCE"><ref bean="dataSource"/></entry>
+            </map>
+        </constructor-arg>
+    </bean>
+
+    <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
+        <property name="driverClassName"><value>@jdbc.portal.driver@</value></property>
+        <property name="url"><value>@jdbc.portal.url@</value></property>
+        <property name="username"><value>@jdbc.portal.username@</value></property>
+        <property name="password"><value>@jdbc.portal.password@</value></property>
+    </bean>
+    -->
+
+</beans>
Index: uportal-war/src/main/webapp/WEB-INF/web.xml
===================================================================
--- uportal-war/src/main/webapp/WEB-INF/web.xml	(revision 43997)
+++ uportal-war/src/main/webapp/WEB-INF/web.xml	(working copy)
@@ -104,6 +104,11 @@
         <filter-class>edu.yale.its.tp.cas.client.filter.StaticCasReceiptCacherFilter</filter-class>
     </filter>
     
+    <filter>
+        <filter-name>Impersonation Filter</filter-name>
+        <filter-class>org.jasig.portal.security.provider.ImpersonationFilter</filter-class>
+    </filter>
+    
     <filter-mapping>
         <filter-name>CAS Validate Filter</filter-name>
         <url-pattern>/Login</url-pattern>
@@ -114,6 +119,11 @@
         <url-pattern>/Login</url-pattern>
     </filter-mapping>
 
+    <filter-mapping>
+        <filter-name>Impersonation Filter</filter-name>
+        <url-pattern>/Login</url-pattern>
+    </filter-mapping>
+
     <servlet>
         <servlet-name>uPortal</servlet-name>
         <servlet-class>org.jasig.portal.PortalSessionManager</servlet-class>
Index: uportal-war/src/main/webapp/WEB-INF/jsp/ExitFragmentAdministration/index.jsp
===================================================================
--- uportal-war/src/main/webapp/WEB-INF/jsp/ExitFragmentAdministration/index.jsp	(revision 0)
+++ uportal-war/src/main/webapp/WEB-INF/jsp/ExitFragmentAdministration/index.jsp	(revision 0)
@@ -0,0 +1,18 @@
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="portlet" uri="http://java.sun.com/portlet"%>
+
+<portlet:defineObjects/>
+
+<div class="block" id="fragAdminContainer">
+    <div class="block-inner">
+        <div class="block-content">
+
+        <form name="fragmentAdminExitForm" action="${loginUrl}">
+            <input type="hidden" value="EXIT_FRAGMENT_ADMINISTRATION" name="impersonateUser"/>
+            <label for="exitFragment">You are currently logged in as <strong><c:out value="${USERNAME}"/></strong> for DLM fragment administration</label>
+            <input id="exitFragment" type="Button" value="Exit Fragment" onclick="document.fragmentAdminExitForm.submit()"/>
+        </form>
+                    
+        </div>
+    </div>
+</div>
Index: uportal-war/src/main/webapp/WEB-INF/jsp/FragmentAdministration/index.jsp
===================================================================
--- uportal-war/src/main/webapp/WEB-INF/jsp/FragmentAdministration/index.jsp	(revision 0)
+++ uportal-war/src/main/webapp/WEB-INF/jsp/FragmentAdministration/index.jsp	(revision 0)
@@ -0,0 +1,21 @@
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="portlet" uri="http://java.sun.com/portlet"%>
+
+<portlet:defineObjects/>
+
+<div class="block">
+    <div class="block-inner">
+        
+        <h2 class="block-title">Fragment Administration</h2>
+        <form name="fragmentAdminForm" action="${loginUrl}">
+            <select id="fragmentOwner" name="impersonateUser" title="Choose a fragment to edit">
+                <option value="NONE"> -- fragments -- </option>
+                <c:forEach items="${FRAGMENTS}" var="item">
+                    <option value="${item.key}">${item.value}</option>
+                </c:forEach>
+            </select>
+            <input type="Button" value="GO" onclick="if (document.fragmentAdminForm.fragmentOwner.options[document.fragmentAdminForm.fragmentOwner.selectedIndex].value != 'NONE') document.fragmentAdminForm.submit()"/>
+        </form>
+                    
+    </div>
+</div>
Index: uportal-war/src/main/webapp/WEB-INF/views/ExitFragmentAdministration/index.crn
===================================================================
--- uportal-war/src/main/webapp/WEB-INF/views/ExitFragmentAdministration/index.crn	(revision 0)
+++ uportal-war/src/main/webapp/WEB-INF/views/ExitFragmentAdministration/index.crn	(revision 0)
@@ -0,0 +1,7 @@
+<with>
+    <attribute key="loginUrl">${jexl(WebAttributes.REQUEST.getPreferences().getValue('loginUrl', 'Login'))}</attribute>
+    <attribute key="USERNAME">${jexl(WebAttributes.REQUEST.getAttribute('${const(javax.portlet.PortletRequest.USER_INFO)}').get('username'))}</attribute>
+    <subtasks>
+        <request-dispatcher resource="/WEB-INF/jsp/ExitFragmentAdministration/index.jsp"/>
+    </subtasks>
+</with>
Index: uportal-war/src/main/webapp/WEB-INF/views/FragmentAdministration/index.crn
===================================================================
--- uportal-war/src/main/webapp/WEB-INF/views/FragmentAdministration/index.crn	(revision 0)
+++ uportal-war/src/main/webapp/WEB-INF/views/FragmentAdministration/index.crn	(revision 0)
@@ -0,0 +1,37 @@
+<with>
+    <attribute key="loginUrl">${jexl(WebAttributes.REQUEST.getPreferences().getValue('loginUrl', 'Login'))}</attribute>
+    <attribute key="DLM_XML_PATH">${groovy(org.jasig.portal.LoginServlet.class.getResource('/properties/dlm.xml').toExternalForm())}</attribute>
+    <subtasks>
+        <with>
+            <attribute key="Attributes.NODE">${doc(${DLM_XML_PATH})}</attribute>
+            <attribute key="USERNAME">${jexl(WebAttributes.REQUEST.getAttribute('${const(javax.portlet.PortletRequest.USER_INFO)}').get('username'))}</attribute>
+            <attribute key="PERMISSIONS">${groovy([])}</attribute>
+            <subtasks>
+                <groovy>
+                    <script>
+                        def authServ = org.jasig.portal.security.provider.AuthorizationImpl.singleton();
+                        def principal = authServ.newPrincipal('${USERNAME}', org.jasig.portal.security.IPerson.class);
+                        def grants = authServ.getAllPermissionsForPrincipal(principal, null, 'IMPERSONATE', null);
+                        for (g in grants) {
+                            PERMISSIONS.add(g);
+                        }
+                    </script>
+                </groovy>
+                <with-attribute key="FRAGMENTS" value="${groovy(new TreeMap())}">
+                    <node-iterator xpath="dlm:fragment">
+                        <groovy>
+                            <script>
+                                for (p in PERMISSIONS) {
+                                    if (p.getType().equals(org.jasig.portal.security.IPermission.PERMISSION_TYPE_GRANT) &amp;&amp; '${valueOf(@ownerID)}'.matches(p.getTarget())) {
+                                        FRAGMENTS.put('${valueOf(@ownerID)}', '${valueOf(@name)}');
+                                    }
+                                }
+                            </script>
+                        </groovy>
+                    </node-iterator>
+                    <request-dispatcher resource="/WEB-INF/jsp/FragmentAdministration/index.jsp"/>
+                </with-attribute>
+            </subtasks>
+        </with>
+    </subtasks>
+</with>