Example 16 with AccessDeniedException

Use of javax.jcr.AccessDeniedException in project jackrabbit by apache.

Class NodeImpl, method getOrCreateProperty.

/**
 * @param name
 * @param type
 * @param multiValued
 * @param exactTypeMatch
 * @param status
 * @return
 * @throws ConstraintViolationException if no applicable property definition
 *                                      could be found
 * @throws RepositoryException          if another error occurs
 */
protected synchronized PropertyImpl getOrCreateProperty(Name name, int type, boolean multiValued, boolean exactTypeMatch, BitSet status) throws ConstraintViolationException, RepositoryException {
    status.clear();
    if (isNew() && !hasProperty(name)) {
        // this is a new node and the property does not exist yet
        // -> no need to check item manager
        PropertyDefinitionImpl def = getApplicablePropertyDefinition(name, type, multiValued, exactTypeMatch);
        PropertyImpl prop = createChildProperty(name, type, def);
        status.set(CREATED);
        return prop;
    }
    /*
     * Please note that this implementation does not win a prize for beauty
     * or speed. It's never a good idea to use exceptions for semantic
     * control flow.
     * However, compared to the previous version, this one is thread safe
     * and makes the test/get block atomic with respect to transactional
     * commits. The test/set can still fail.
     *
     * Old version:
     *
     *     NodeState thisState = (NodeState) state;
     *     if (thisState.hasPropertyName(name)) {
     *         // the following call will throw ItemNotFoundException if the
     *         // current session doesn't have read access
     *         return getProperty(name);
     *     }
     *     [...create block...]
     */
    PropertyId propId = new PropertyId(getNodeId(), name);
    try {
        return (PropertyImpl) itemMgr.getItem(propId);
    } catch (AccessDeniedException ade) {
        throw new ItemNotFoundException(name.toString());
    } catch (ItemNotFoundException e) {
        // does not exist yet or has been removed transiently:
        // find definition for the specified property and (re-)create property
        PropertyDefinitionImpl def = getApplicablePropertyDefinition(name, type, multiValued, exactTypeMatch);
        PropertyImpl prop;
        if (stateMgr.hasTransientItemStateInAttic(propId)) {
            // remove from attic
            try {
                stateMgr.disposeTransientItemStateInAttic(stateMgr.getAttic().getItemState(propId));
            } catch (ItemStateException ise) {
                // shouldn't happen because we checked if it is in the attic
                throw new RepositoryException(ise);
            }
            prop = (PropertyImpl) itemMgr.getItem(propId);
            PropertyState state = (PropertyState) prop.getOrCreateTransientItemState();
            state.setMultiValued(multiValued);
            state.setType(type);
            getNodeState().addPropertyName(name);
        } else {
            prop = createChildProperty(name, type, def);
        }
        status.set(CREATED);
        return prop;
    }
}
Also used : AccessDeniedException(javax.jcr.AccessDeniedException) PropertyDefinitionImpl(org.apache.jackrabbit.spi.commons.nodetype.PropertyDefinitionImpl) RepositoryException(javax.jcr.RepositoryException) PropertyId(org.apache.jackrabbit.core.id.PropertyId) ItemNotFoundException(javax.jcr.ItemNotFoundException) InvalidItemStateException(javax.jcr.InvalidItemStateException) ItemStateException(org.apache.jackrabbit.core.state.ItemStateException) PropertyState(org.apache.jackrabbit.core.state.PropertyState)

Example 17 with AccessDeniedException

Use of javax.jcr.AccessDeniedException in project jackrabbit by apache.

Class NodeImpl, method rename.

//-------------------------------------------------------< JackrabbitNode >
/**
 * {@inheritDoc}
 */
public void rename(String newName) throws RepositoryException {
    // check if this is the root node
    if (getDepth() == 0) {
        throw new RepositoryException("Cannot rename the root node");
    }
    Name qName;
    try {
        qName = sessionContext.getQName(newName);
    } catch (NameException e) {
        throw new RepositoryException("invalid node name: " + newName, e);
    }
    NodeImpl parent = (NodeImpl) getParent();
    // check for name collisions
    NodeImpl existing = null;
    try {
        existing = parent.getNode(qName);
        // check same-name sibling setting of existing node
        if (!existing.getDefinition().allowsSameNameSiblings()) {
            throw new ItemExistsException("Same name siblings are not allowed: " + existing);
        }
    } catch (AccessDeniedException ade) {
        // FIXME by throwing ItemExistsException we're disclosing too much information
        throw new ItemExistsException();
    } catch (ItemNotFoundException infe) {
        // no name collision, fall through
    }
    // verify that the parent node
    // - is checked-out
    // - is protected neither by node type constraints nor by retention/hold
    int options = ItemValidator.CHECK_CHECKED_OUT | ItemValidator.CHECK_LOCK | ItemValidator.CHECK_CONSTRAINTS | ItemValidator.CHECK_HOLD | ItemValidator.CHECK_RETENTION;
    sessionContext.getItemValidator().checkRemove(parent, options, Permission.NONE);
    sessionContext.getItemValidator().checkModify(parent, options, Permission.NONE);
    // check constraints
    // get applicable definition of renamed target node
    NodeTypeImpl nt = (NodeTypeImpl) getPrimaryNodeType();
    org.apache.jackrabbit.spi.commons.nodetype.NodeDefinitionImpl newTargetDef;
    try {
        newTargetDef = parent.getApplicableChildNodeDefinition(qName, nt.getQName());
    } catch (RepositoryException re) {
        String msg = safeGetJCRPath() + ": no definition found in parent node's node type for renamed node";
        log.debug(msg);
        throw new ConstraintViolationException(msg, re);
    }
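    // a node of the same name exists: also check the same-name sibling setting
    // of the renamed node's new definition, since the two nodes do not
    // necessarily have identical definitions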
    if (existing != null && !newTargetDef.allowsSameNameSiblings()) {
        throw new ItemExistsException("Same name siblings not allowed: " + existing);
    }
    // check permissions:
    // 1. on the parent node the session must have permission to manipulate the child-entries
    AccessManager acMgr = sessionContext.getAccessManager();
    if (!acMgr.isGranted(parent.getPrimaryPath(), qName, Permission.MODIFY_CHILD_NODE_COLLECTION)) {
        String msg = "Not allowed to rename node " + safeGetJCRPath() + " to " + newName;
        log.debug(msg);
        throw new AccessDeniedException(msg);
    }
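    // 2. if the new definition's name differs from the node type's name, the
    //    session needs NODE_TYPE_MNGMT permission for
    //    the primary node type on this node itself.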
    if (!nt.getName().equals(newTargetDef.getName()) && !(acMgr.isGranted(getPrimaryPath(), Permission.NODE_TYPE_MNGMT))) {
        String msg = "Not allowed to rename node " + safeGetJCRPath() + " to " + newName;
        log.debug(msg);
        throw new AccessDeniedException(msg);
    }
    // change definition
    onRedefine(newTargetDef.unwrap());
    // delegate to parent
    parent.renameChildNode(getNodeId(), qName, true);
}
Also used : AccessManager(org.apache.jackrabbit.core.security.AccessManager) AccessDeniedException(javax.jcr.AccessDeniedException) NodeDefinitionImpl(org.apache.jackrabbit.spi.commons.nodetype.NodeDefinitionImpl) NodeTypeImpl(org.apache.jackrabbit.core.nodetype.NodeTypeImpl) RepositoryException(javax.jcr.RepositoryException) Name(org.apache.jackrabbit.spi.Name) NameException(org.apache.jackrabbit.spi.commons.conversion.NameException) ItemExistsException(javax.jcr.ItemExistsException) ConstraintViolationException(javax.jcr.nodetype.ConstraintViolationException) ItemNotFoundException(javax.jcr.ItemNotFoundException)

Example 18 with AccessDeniedException

Use of javax.jcr.AccessDeniedException in project jackrabbit by apache.

Class ACLProvider, method getEffectivePolicies.

/**
 * @see org.apache.jackrabbit.core.security.authorization.AccessControlProvider#getEffectivePolicies(org.apache.jackrabbit.spi.Path,org.apache.jackrabbit.core.security.authorization.CompiledPermissions)
 */
public AccessControlPolicy[] getEffectivePolicies(Path absPath, CompiledPermissions permissions) throws ItemNotFoundException, RepositoryException {
    if (absPath == null) {
        // TODO: JCR-2774
        log.warn("TODO: JCR-2774 - Repository level permissions.");
        return new AccessControlPolicy[0];
    }
    String jcrPath = session.getJCRPath(absPath);
    String pName = ISO9075.encode(session.getJCRName(ACLTemplate.P_NODE_PATH));
    int ancestorCnt = absPath.getAncestorCount();
    // search all ACEs whose rep:nodePath property equals the specified
    // absPath or any of its ancestors
    StringBuilder stmt = new StringBuilder("/jcr:root");
    stmt.append(acRoot.getPath());
    stmt.append("//element(*,");
    stmt.append(session.getJCRName(NT_REP_ACE));
    stmt.append(")[");
    for (int i = 0; i <= ancestorCnt; i++) {
        String path = Text.getRelativeParent(jcrPath, i);
        if (i > 0) {
            stmt.append(" or ");
        }
        stmt.append("@");
        stmt.append(pName);
        stmt.append("='");
        stmt.append(path.replaceAll("'", "''"));
        stmt.append("'");
    }
    stmt.append("]");
    QueryResult result;
    try {
        QueryManager qm = session.getWorkspace().getQueryManager();
        Query q = qm.createQuery(stmt.toString(), Query.XPATH);
        result = q.execute();
    } catch (RepositoryException e) {
        log.error("Unexpected error while searching effective policies. {}", e.getMessage());
        throw new UnsupportedOperationException("Retrieve effective policies at absPath '" + jcrPath + "' not supported.", e);
    }
    /*
     * Loop over query results and verify that
     * - the corresponding ACE really takes effect on the specified absPath.
     * - the corresponding ACL can be read by the editing session.
     */
    Set<AccessControlPolicy> acls = new LinkedHashSet<AccessControlPolicy>();
    for (NodeIterator it = result.getNodes(); it.hasNext(); ) {
        Node aceNode = it.nextNode();
        String accessControlledNodePath = Text.getRelativeParent(aceNode.getPath(), 2);
        Path acPath = session.getQPath(accessControlledNodePath);
        AccessControlPolicy[] policies = editor.getPolicies(accessControlledNodePath);
        if (policies.length > 0) {
            ACLTemplate acl = (ACLTemplate) policies[0];
            for (AccessControlEntry ace : acl.getAccessControlEntries()) {
                ACLTemplate.Entry entry = (ACLTemplate.Entry) ace;
                if (entry.matches(jcrPath)) {
                    if (permissions.grants(acPath, Permission.READ_AC)) {
                        acls.add(new UnmodifiableAccessControlList(acl));
                        break;
                    } else {
                        throw new AccessDeniedException("Access denied at " + accessControlledNodePath);
                    }
                }
            }
        }
    }
    return acls.toArray(new AccessControlPolicy[acls.size()]);
}
Also used : LinkedHashSet(java.util.LinkedHashSet) NodeIterator(javax.jcr.NodeIterator) Path(org.apache.jackrabbit.spi.Path) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) AccessDeniedException(javax.jcr.AccessDeniedException) Query(javax.jcr.query.Query) Node(javax.jcr.Node) AccessControlEntry(javax.jcr.security.AccessControlEntry) RepositoryException(javax.jcr.RepositoryException) QueryResult(javax.jcr.query.QueryResult) AccessControlEntry(javax.jcr.security.AccessControlEntry) QueryManager(javax.jcr.query.QueryManager) UnmodifiableAccessControlList(org.apache.jackrabbit.core.security.authorization.UnmodifiableAccessControlList)

Example 19 with AccessDeniedException

Use of javax.jcr.AccessDeniedException in project jackrabbit by apache.

Class RSessionAccessControlTest, method testWorkspaceMoveNode.

public void testWorkspaceMoveNode() throws Exception {
    Node n = (Node) readOnlySession.getItem(testNodePath);
    String destPath = testRootNode.getPath() + "/" + nodeName2;
    try {
        readOnlySession.getWorkspace().move(n.getPath(), destPath);
        fail("A read only session must not be allowed to move a node");
    } catch (AccessDeniedException e) {
        // expected
        log.debug(e.getMessage());
    }
}
Also used : AccessDeniedException(javax.jcr.AccessDeniedException) Node(javax.jcr.Node)

Example 20 with AccessDeniedException

Use of javax.jcr.AccessDeniedException in project jackrabbit-oak by apache.

Class AccessControlManagerImplTest, method testHasRepoPrivilegesNoAccessToPrincipals.

@Test
public void testHasRepoPrivilegesNoAccessToPrincipals() throws Exception {
    AbstractAccessControlManager testAcMgr = getTestAccessControlManager();
    // the test-session doesn't have sufficient permissions to read privilege set for admin session.
    try {
        testAcMgr.getPrivileges(null, getPrincipals(adminSession));
        fail("testSession doesn't have sufficient permission to read access control information");
    } catch (AccessDeniedException e) {
        // success
    }
}
Also used : AbstractAccessControlManager(org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager) AccessDeniedException(javax.jcr.AccessDeniedException) AbstractSecurityTest(org.apache.jackrabbit.oak.AbstractSecurityTest) Test(org.junit.Test)
