Examples with AccessControlPolicy javax.jcr.security.AccessControlPolicy used on opensource projects
Example 96 with AccessControlPolicy
use of javax.jcr.security.AccessControlPolicy in project jackrabbit by apache.
the class ACLEditor method getPolicies.
//------------------------------------------------< AccessControlEditor >---
/**
* @see AccessControlEditor#getPolicies(String)
*/
public AccessControlPolicy[] getPolicies(String nodePath) throws AccessControlException, PathNotFoundException, RepositoryException {
checkProtectsNode(nodePath);
NodeImpl acNode = getAcNode(nodePath);
if (isAccessControlled(acNode)) {
return new AccessControlPolicy[] { createTemplate(acNode) };
} else {
return new AccessControlPolicy[0];
}
}
Also used :
JackrabbitAccessControlPolicy(org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy)
AccessControlPolicy(javax.jcr.security.AccessControlPolicy)
NodeImpl(org.apache.jackrabbit.core.NodeImpl)
Example 97 with AccessControlPolicy
use of javax.jcr.security.AccessControlPolicy in project jackrabbit by apache.
the class ACLEditor method editAccessControlPolicies.
/**
* @see AccessControlEditor#editAccessControlPolicies(String)
*/
public AccessControlPolicy[] editAccessControlPolicies(String nodePath) throws AccessControlException, PathNotFoundException, RepositoryException {
checkProtectsNode(nodePath);
if (Text.isDescendant(acRootPath, nodePath)) {
NodeImpl acNode = getAcNode(nodePath);
if (acNode == null) {
// check validity and create the ac node
Principal p = getPrincipal(nodePath);
if (p == null) {
throw new AccessControlException("Access control modification not allowed at " + nodePath);
}
acNode = createAcNode(nodePath);
}
if (!isAccessControlled(acNode)) {
return new AccessControlPolicy[] { createTemplate(acNode) };
}
// else: acl has already been set before -> use getPolicies instead
}
// or policy has been set before in which case getPolicies should be used instead.
return new AccessControlPolicy[0];
}
Also used :
JackrabbitAccessControlPolicy(org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy)
AccessControlPolicy(javax.jcr.security.AccessControlPolicy)
NodeImpl(org.apache.jackrabbit.core.NodeImpl)
AccessControlException(javax.jcr.security.AccessControlException)
ItemBasedPrincipal(org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal)
Principal(java.security.Principal)
Example 98 with AccessControlPolicy
use of javax.jcr.security.AccessControlPolicy in project jackrabbit by apache.
the class ACLEditor method editAccessControlPolicies.
/**
* @see AccessControlEditor#editAccessControlPolicies(String)
*/
public AccessControlPolicy[] editAccessControlPolicies(String nodePath) throws AccessControlException, PathNotFoundException, RepositoryException {
checkProtectsNode(nodePath);
String mixin;
Name aclName;
NodeImpl controlledNode;
if (nodePath == null) {
controlledNode = (NodeImpl) session.getRootNode();
mixin = session.getJCRName(NT_REP_REPO_ACCESS_CONTROLLABLE);
aclName = N_REPO_POLICY;
} else {
controlledNode = getNode(nodePath);
mixin = session.getJCRName(NT_REP_ACCESS_CONTROLLABLE);
aclName = N_POLICY;
}
AccessControlPolicy acl = null;
NodeImpl aclNode = getAclNode(controlledNode, nodePath);
if (aclNode == null) {
// has colliding rep:policy or rep:repoPolicy child node set.
if (controlledNode.hasNode(aclName)) {
// policy child node without node being access controlled
log.warn("Colliding policy child without node being access controllable ({}).", nodePath);
} else {
PrivilegeManager privMgr = ((JackrabbitWorkspace) session.getWorkspace()).getPrivilegeManager();
if (controlledNode.isNodeType(mixin) || controlledNode.canAddMixin(mixin)) {
acl = new ACLTemplate(nodePath, session.getPrincipalManager(), privMgr, session.getValueFactory(), session, allowUnknownPrincipals);
} else {
log.warn("Node {} cannot be made access controllable.", nodePath);
}
}
}
return (acl != null) ? new AccessControlPolicy[] { acl } : new AccessControlPolicy[0];
}
Also used :
JackrabbitAccessControlPolicy(org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy)
AccessControlPolicy(javax.jcr.security.AccessControlPolicy)
NodeImpl(org.apache.jackrabbit.core.NodeImpl)
PrivilegeManager(org.apache.jackrabbit.api.security.authorization.PrivilegeManager)
JackrabbitWorkspace(org.apache.jackrabbit.api.JackrabbitWorkspace)
Name(org.apache.jackrabbit.spi.Name)
Example 99 with AccessControlPolicy
use of javax.jcr.security.AccessControlPolicy in project jackrabbit by apache.
the class AccessControlImporter method addACE.
private void addACE(NodeInfo childInfo, List<PropInfo> propInfos) throws RepositoryException, UnsupportedRepositoryOperationException {
// node type may only be rep:GrantACE or rep:DenyACE
Name ntName = childInfo.getNodeTypeName();
if (!ACE_NODETYPES.contains(ntName)) {
throw new ConstraintViolationException("Cannot handle childInfo " + childInfo + "; expected a valid, applicable rep:ACE node definition.");
}
checkIdMixins(childInfo);
boolean isAllow = AccessControlConstants.NT_REP_GRANT_ACE.equals(ntName);
Principal principal = null;
Privilege[] privileges = null;
Map<String, TextValue> restrictions = new HashMap<String, TextValue>();
for (PropInfo pInfo : propInfos) {
Name name = pInfo.getName();
if (AccessControlConstants.P_PRINCIPAL_NAME.equals(name)) {
Value[] values = pInfo.getValues(PropertyType.STRING, resolver);
if (values == null || values.length != 1) {
throw new ConstraintViolationException("");
}
String pName = values[0].getString();
principal = session.getPrincipalManager().getPrincipal(pName);
if (principal == null) {
if (importBehavior == ImportBehavior.BEST_EFFORT) {
// create "fake" principal that is always accepted in ACLTemplate.checkValidEntry()
principal = new UnknownPrincipal(pName);
} else {
// create "fake" principal. this is checked again in ACLTemplate.checkValidEntry()
principal = new PrincipalImpl(pName);
}
}
} else if (AccessControlConstants.P_PRIVILEGES.equals(name)) {
Value[] values = pInfo.getValues(PropertyType.NAME, resolver);
privileges = new Privilege[values.length];
for (int i = 0; i < values.length; i++) {
privileges[i] = acMgr.privilegeFromName(values[i].getString());
}
} else {
TextValue[] txtVls = pInfo.getTextValues();
for (TextValue txtV : txtVls) {
restrictions.put(resolver.getJCRName(name), txtV);
}
}
}
if (principalbased) {
// try to access policies
List<AccessControlPolicy> policies = new ArrayList<AccessControlPolicy>();
if (acMgr instanceof JackrabbitAccessControlManager) {
JackrabbitAccessControlManager jacMgr = (JackrabbitAccessControlManager) acMgr;
policies.addAll(Arrays.asList(jacMgr.getPolicies(principal)));
policies.addAll(Arrays.asList(jacMgr.getApplicablePolicies(principal)));
}
for (AccessControlPolicy policy : policies) {
if (policy instanceof JackrabbitAccessControlList) {
JackrabbitAccessControlList acl = (JackrabbitAccessControlList) policy;
Map<String, Value> restr = new HashMap<String, Value>();
for (String restName : acl.getRestrictionNames()) {
TextValue txtVal = restrictions.remove(restName);
if (txtVal != null) {
restr.put(restName, txtVal.getValue(acl.getRestrictionType(restName), resolver));
}
}
if (!restrictions.isEmpty()) {
throw new ConstraintViolationException("ACE childInfo contained restrictions that could not be applied.");
}
acl.addEntry(principal, privileges, isAllow, restr);
acMgr.setPolicy(acl.getPath(), acl);
return;
}
}
} else {
Map<String, Value> restr = new HashMap<String, Value>();
for (String restName : acl.getRestrictionNames()) {
TextValue txtVal = restrictions.remove(restName);
if (txtVal != null) {
restr.put(restName, txtVal.getValue(acl.getRestrictionType(restName), resolver));
}
}
if (!restrictions.isEmpty()) {
throw new ConstraintViolationException("ACE childInfo contained restrictions that could not be applied.");
}
acl.addEntry(principal, privileges, isAllow, restr);
return;
}
// could not apply the ACE. No suitable ACL found.
throw new ConstraintViolationException("Cannot handle childInfo " + childInfo + "; No policy found to apply the ACE.");
}
Also used :
JackrabbitAccessControlManager(org.apache.jackrabbit.api.security.JackrabbitAccessControlManager)
AccessControlPolicy(javax.jcr.security.AccessControlPolicy)
HashMap(java.util.HashMap)
ArrayList(java.util.ArrayList)
JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList)
Name(org.apache.jackrabbit.spi.Name)
UnknownPrincipal(org.apache.jackrabbit.core.security.principal.UnknownPrincipal)
Value(javax.jcr.Value)
ConstraintViolationException(javax.jcr.nodetype.ConstraintViolationException)
Privilege(javax.jcr.security.Privilege)
UnknownPrincipal(org.apache.jackrabbit.core.security.principal.UnknownPrincipal)
Principal(java.security.Principal)
PrincipalImpl(org.apache.jackrabbit.core.security.principal.PrincipalImpl)
Example 100 with AccessControlPolicy
use of javax.jcr.security.AccessControlPolicy in project jackrabbit by apache.
the class AcReadWriteTest method testRetrievePrivilegesOnAcNodes.
public void testRetrievePrivilegesOnAcNodes() throws NotExecutableException, RepositoryException {
/* precondition:
testuser must have READ-only permission on test-node and below
*/
checkReadOnly(path);
// give 'testUser' jcr:readAccessControl privileges at 'path'
Privilege[] privileges = privilegesFromNames(new String[] { Privilege.JCR_READ_ACCESS_CONTROL });
JackrabbitAccessControlList tmpl = givePrivileges(path, privileges, getRestrictions(superuser, path));
/*
testuser must be allowed to read ac-content at target node.
*/
Session testSession = getTestSession();
AccessControlManager testAcMgr = getTestACManager();
assertTrue(testAcMgr.hasPrivileges(path, privileges));
AccessControlPolicy[] policies = testAcMgr.getPolicies(path);
assertEquals(1, policies.length);
assertTrue(policies[0] instanceof JackrabbitAccessControlList);
String aclNodePath = null;
Node n = superuser.getNode(path);
for (NodeIterator itr = n.getNodes(); itr.hasNext(); ) {
Node child = itr.nextNode();
if (child.isNodeType("rep:Policy")) {
aclNodePath = child.getPath();
}
}
if (aclNodePath == null) {
fail("Expected node at " + path + " to have an ACL child node.");
}
assertTrue(testAcMgr.hasPrivileges(aclNodePath, privileges));
assertTrue(testSession.hasPermission(aclNodePath, Session.ACTION_READ));
for (NodeIterator aceNodes = superuser.getNode(aclNodePath).getNodes(); aceNodes.hasNext(); ) {
String aceNodePath = aceNodes.nextNode().getPath();
assertTrue(testAcMgr.hasPrivileges(aceNodePath, privileges));
assertTrue(testSession.hasPermission(aceNodePath, Session.ACTION_READ));
}
}
Also used :
AccessControlManager(javax.jcr.security.AccessControlManager)
NodeIterator(javax.jcr.NodeIterator)
AccessControlPolicy(javax.jcr.security.AccessControlPolicy)
Node(javax.jcr.Node)
Privilege(javax.jcr.security.Privilege)
JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList)
Session(javax.jcr.Session)
Aggregations
AccessControlPolicy (javax.jcr.security.AccessControlPolicy)182
Test (org.junit.Test)67
JackrabbitAccessControlPolicy (org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy)66
AccessControlManager (javax.jcr.security.AccessControlManager)62
AccessControlPolicyIterator (javax.jcr.security.AccessControlPolicyIterator)52
JackrabbitAccessControlList (org.apache.jackrabbit.api.security.JackrabbitAccessControlList)52
AbstractSecurityTest (org.apache.jackrabbit.oak.AbstractSecurityTest)49
AccessControlEntry (javax.jcr.security.AccessControlEntry)40
AccessControlList (javax.jcr.security.AccessControlList)32
JackrabbitAccessControlManager (org.apache.jackrabbit.api.security.JackrabbitAccessControlManager)32
NamedAccessControlPolicy (javax.jcr.security.NamedAccessControlPolicy)28
Privilege (javax.jcr.security.Privilege)28
Principal (java.security.Principal)24
NotExecutableException (org.apache.jackrabbit.test.NotExecutableException)23
NodeImpl (org.apache.jackrabbit.core.NodeImpl)18
TestACL (org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.TestACL)18
Node (javax.jcr.Node)17
JackrabbitAccessControlEntry (org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry)17
Root (org.apache.jackrabbit.oak.api.Root)14
NodeUtil (org.apache.jackrabbit.oak.util.NodeUtil)14
