use of javax.jcr.security.AccessControlList in project pentaho-platform by pentaho.
the class PentahoACLProvider method updateRootAcl.
/**
 * Rewrites the first access-control policy on the repository root so that it holds exactly one
 * entry for the "everyone" principal, granting {@code Privilege.JCR_READ} and
 * {@code Privilege.JCR_READ_ACCESS_CONTROL}.
 *
 * <p>Rationale carried over from the original note: with this entry in place Jackrabbit's default
 * collectAcls works without change; otherwise a caller has to be an admin to call
 * acMgr.getEffectivePolicies.
 *
 * <p>Security-relevant behaviour visible in this method:
 * <ul>
 *   <li>Every existing root entry whose principal equals "everyone" is removed before the new one
 *       is added; the removed entries are not inspected, so whatever they expressed is replaced
 *       by the two privileges above.</li>
 *   <li>Nothing happens when the editor reports no policies for the root path.</li>
 *   <li>The first policy is cast to {@code AccessControlList} without a type check.</li>
 * </ul>
 *
 * @param systemSession session that supplies the principal manager
 * @param editor editor used to read and write the root policy
 * @throws RepositoryException propagated from the JCR calls made here
 */
protected void updateRootAcl(SessionImpl systemSession, ACLEditor editor) throws RepositoryException {
    // NOTE(review): `session` is not a parameter; it is resolved outside this method, and it is the
    // object that gets saved below, not systemSession. Confirm that is the intended session.
    final String rootPath = session.getRootNode().getPath();
    final AccessControlPolicy[] rootPolicies = editor.getPolicies(rootPath);
    if (rootPolicies.length == 0) {
        return;
    }

    final PrincipalManager principalManager = systemSession.getPrincipalManager();
    final AccessControlManager accessControlManager = session.getAccessControlManager();
    final Principal everyone = principalManager.getEveryone();
    final Privilege readPrivilege = accessControlManager.privilegeFromName(Privilege.JCR_READ);
    final Privilege readAclPrivilege =
            accessControlManager.privilegeFromName(Privilege.JCR_READ_ACCESS_CONTROL);
    final Privilege[] grantedPrivileges = new Privilege[] { readPrivilege, readAclPrivilege };

    final AccessControlList rootAcl = (AccessControlList) rootPolicies[0];

    // Iterate over the array returned by getAccessControlEntries() while removing from the list.
    for (AccessControlEntry entry : rootAcl.getAccessControlEntries()) {
        boolean targetsEveryone = entry.getPrincipal().equals(everyone);
        if (targetsEveryone) {
            rootAcl.removeAccessControlEntry(entry);
        }
    }

    rootAcl.addAccessControlEntry(everyone, grantedPrivileges);
    editor.setPolicy(rootPath, rootAcl);
    session.save();
}
use of javax.jcr.security.AccessControlList in project vorto by eclipse.
the class ModelPolicyManager method addPolicyEntry.
/**
 * Applies {@code newEntries} to the access-control list of the node that backs {@code modelId},
 * then writes the list back with {@code setPolicy} and saves the session.
 *
 * <p>The work is delegated to three helpers defined elsewhere; going by their names and the
 * original inline comments they (1) collect the existing ACEs that correspond to
 * {@code newEntries}, (2) remove those ACEs from the list, and (3) create an ACE for every entry
 * in {@code newEntries}.
 *
 * @param modelId model whose node receives the policy
 * @param newEntries entries to apply
 * @throws NotAuthorizedException when the repository raises {@code AccessDeniedException}
 */
@Override
public void addPolicyEntry(ModelId modelId, PolicyEntry... newEntries) {
    doInSession(session -> {
        try {
            final ModelIdHelper pathHelper = new ModelIdHelper(modelId);
            final Node targetNode = session.getNode(pathHelper.getFullPath());
            final AccessControlManager accessControlManager = session.getAccessControlManager();
            final AccessControlList nodeAcl = getAccessControlList(targetNode, accessControlManager);

            // Existing ACEs that correspond to one of the new entries ...
            final List<AccessControlEntry> entriesToReplace =
                    putAllExistingACEFromNewEntriesToExistingEntries(nodeAcl, newEntries);
            // ... are dropped from the list ...
            removeAllExistingEntries(nodeAcl, entriesToReplace);
            // ... and an ACE is created for every new entry.
            createAceForEveryEntryInNewEntries(accessControlManager, nodeAcl, newEntries);

            accessControlManager.setPolicy(targetNode.getPath(), nodeAcl);
            session.save();
            return null;
        } catch (AccessDeniedException ex) {
            // NOTE(review): the AccessDeniedException is not attached as a cause, so the repository's
            // reason for the denial does not reach logs or callers.
            throw new NotAuthorizedException(modelId);
        }
    });
}
use of javax.jcr.security.AccessControlList in project vorto by eclipse.
the class ModelPolicyManager method getPolicyEntries.
/**
 * Returns the policy entries derived from the access-control list of the node that backs
 * {@code modelId}.
 *
 * <p>An {@code AccessDeniedException} is logged at WARN level and turned into an empty
 * collection. Callers therefore cannot tell "the node has no entries" apart from "the current
 * session may not read them"; code that takes a security decision on an empty result should keep
 * that in mind.
 *
 * @param modelId model whose policy entries are requested
 * @return the converted entries, or an empty list when access is denied
 */
@Override
public Collection<PolicyEntry> getPolicyEntries(ModelId modelId) {
    return doInSession(session -> {
        try {
            final ModelIdHelper pathHelper = new ModelIdHelper(modelId);
            final Node policyNode = session.getNode(pathHelper.getFullPath());
            final AccessControlManager accessControlManager = session.getAccessControlManager();
            final AccessControlList nodeAcl = getAccessControlList(policyNode, accessControlManager);
            return convertAccessControlEntriesToPolicyEntries(nodeAcl);
        } catch (AccessDeniedException ex) {
            final String message = String.format("No policy entry found for model ID [%s] with current user. Returning empty collection.", modelId);
            LOGGER.warn(message);
            return Collections.emptyList();
        }
    });
}
use of javax.jcr.security.AccessControlList in project vorto by eclipse.
the class ModelPolicyManager method removePolicyEntry.
/**
 * Removes a policy entry from the node that backs {@code modelId}.
 *
 * <p>The entry's permission is set to {@code null} and the entry is passed to
 * {@link #addPolicyEntry}; presumably an entry without a permission gets no new ACE there, which
 * would need confirming against the helper that creates the ACEs. If the node then reports no
 * policy entries, its access-control list is removed as a whole.
 *
 * <p>Notes for callers and reviewers:
 * <ul>
 *   <li>{@code entryToRemove} is modified in place; the caller's object has a {@code null}
 *       permission afterwards.</li>
 *   <li>The "no entries left" decision rests on {@code getPolicyEntries(modelId).isEmpty()}.
 *       NOTE(review): confirm that an empty result here always means the list is empty and never
 *       that it could not be read.</li>
 * </ul>
 *
 * @param modelId model whose node holds the policy
 * @param entryToRemove entry to remove; its permission is cleared by this call
 * @throws NotAuthorizedException when the repository raises {@code AccessDeniedException}
 */
@Override
public void removePolicyEntry(ModelId modelId, PolicyEntry entryToRemove) {
    entryToRemove.setPermission(null);
    this.addPolicyEntry(modelId, entryToRemove);

    final boolean entriesRemain = !this.getPolicyEntries(modelId).isEmpty();
    if (entriesRemain) {
        return;
    }

    // No entries are reported any more: remove the policy itself.
    doInSession(session -> {
        try {
            final ModelIdHelper pathHelper = new ModelIdHelper(modelId);
            final Node policyNode = session.getNode(pathHelper.getFullPath());
            final AccessControlManager accessControlManager = session.getAccessControlManager();
            final AccessControlList nodeAcl = getAccessControlList(policyNode, accessControlManager);
            accessControlManager.removePolicy(policyNode.getPath(), nodeAcl);
            session.save();
            return null;
        } catch (AccessDeniedException ex) {
            throw new NotAuthorizedException(modelId);
        }
    });
}
use of javax.jcr.security.AccessControlList in project jackrabbit-oak by apache.
the class AbstractCugTest method setupCugsAndAcls.
/**
 * Test fixture: creates a second test user in the test group, adds child nodes below
 * {@code SUPPORTED_PATH}, creates four CUG policies and sets a regular ACL at {@code /content}.
 *
 * @throws Exception propagated from the user-management, tree and access-control calls
 */
void setupCugsAndAcls() throws Exception {
    UserManager userManager = getUserManager(root);
    Principal testGroupPrincipal = getTestGroupPrincipal();

    // Test-only account: the user id is passed as the second argument to createUser as well.
    User secondTestUser = userManager.createUser(TEST_USER2_ID, TEST_USER2_ID);
    Group testGroup = (Group) userManager.getAuthorizable(testGroupPrincipal);
    testGroup.addMember(secondTestUser);
    root.commit();

    User testUser = getTestUser();

    // Two extra chains of child nodes: a/b/c and aa/bb/cc.
    NodeUtil supportedNode = new NodeUtil(root.getTree(SUPPORTED_PATH));
    supportedNode.addChild("a", NT_OAK_UNSTRUCTURED)
            .addChild("b", NT_OAK_UNSTRUCTURED)
            .addChild("c", NT_OAK_UNSTRUCTURED);
    supportedNode.addChild("aa", NT_OAK_UNSTRUCTURED)
            .addChild("bb", NT_OAK_UNSTRUCTURED)
            .addChild("cc", NT_OAK_UNSTRUCTURED);

    // CUG layout, as described by the original author:
    //   /content/a      allow testGroup, deny everyone
    //   /content/aa/bb  allow testGroup, deny everyone
    //   /content/a/b/c  allow everyone, deny testGroup (isolated)
    //   /content2       allow everyone, deny testGroup (isolated)
    createCug("/content/a", testGroupPrincipal);
    createCug("/content/aa/bb", testGroupPrincipal);
    createCug("/content/a/b/c", EveryonePrincipal.getInstance());
    createCug("/content2", EveryonePrincipal.getInstance());

    // Regular ACL at /content:
    //   testUser   allow  JCR_READ
    //   testGroup  allow  JCR_READ, REP_WRITE, JCR_READ_ACCESS_CONTROL
    // NOTE(review): the original comment listed jcr:write for testGroup, but the constant passed
    // is PrivilegeConstants.REP_WRITE.
    AccessControlManager accessControlManager = getAccessControlManager(root);
    AccessControlList contentAcl = AccessControlUtils.getAccessControlList(accessControlManager, "/content");
    contentAcl.addAccessControlEntry(
            testUser.getPrincipal(),
            privilegesFromNames(PrivilegeConstants.JCR_READ));
    contentAcl.addAccessControlEntry(
            testGroupPrincipal,
            privilegesFromNames(
                    PrivilegeConstants.JCR_READ,
                    PrivilegeConstants.REP_WRITE,
                    PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
    accessControlManager.setPolicy("/content", contentAcl);
    root.commit();
}