Examples with AccessControlManager javax.jcr.security.AccessControlManager used on opensource projects

Search in sources :

Example 91 with AccessControlManager

use of javax.jcr.security.AccessControlManager in project sling by apache.

the class AccessControlUtil method replaceAccessControlEntry.

/**
     * Replaces existing access control entries in the ACL for the specified
     * <code>principal</code> and <code>resourcePath</code>. Any existing granted
     * or denied privileges which do not conflict with the specified privileges
     * are maintained. Where conflicts exist, existing privileges are dropped.
     * The end result will be at most two ACEs for the principal: one for grants
     * and one for denies. Aggregate privileges are disaggregated before checking
     * for conflicts.
     * @param session
     * @param resourcePath
     * @param principal
     * @param grantedPrivilegeNames
     * @param deniedPrivilegeNames
     * @param removedPrivilegeNames privileges which, if they exist, should be
     * removed for this principal and resource
     * @param order where the access control entry should go in the list.
     *         Value should be one of these:
     *         <table>
     *          <tr><td>null</td><td>If the ACE for the principal doesn't exist add at the end, otherwise leave the ACE at it's current position.</td></tr>
     * 			<tr><td>first</td><td>Place the target ACE as the first amongst its siblings</td></tr>
	 *			<tr><td>last</td><td>Place the target ACE as the last amongst its siblings</td></tr>
	 * 			<tr><td>before xyz</td><td>Place the target ACE immediately before the sibling whose name is xyz</td></tr>
	 * 			<tr><td>after xyz</td><td>Place the target ACE immediately after the sibling whose name is xyz</td></tr>
	 * 			<tr><td>numeric</td><td>Place the target ACE at the specified numeric index</td></tr>
	 *         </table>
     * @throws RepositoryException
     */
public static void replaceAccessControlEntry(Session session, String resourcePath, Principal principal, String[] grantedPrivilegeNames, String[] deniedPrivilegeNames, String[] removedPrivilegeNames, String order) throws RepositoryException {
    AccessControlManager accessControlManager = getAccessControlManager(session);
    Set<String> specifiedPrivilegeNames = new HashSet<String>();
    Set<String> newGrantedPrivilegeNames = disaggregateToPrivilegeNames(accessControlManager, grantedPrivilegeNames, specifiedPrivilegeNames);
    Set<String> newDeniedPrivilegeNames = disaggregateToPrivilegeNames(accessControlManager, deniedPrivilegeNames, specifiedPrivilegeNames);
    disaggregateToPrivilegeNames(accessControlManager, removedPrivilegeNames, specifiedPrivilegeNames);
    // Get or create the ACL for the node.
    AccessControlList acl = null;
    AccessControlPolicy[] policies = accessControlManager.getPolicies(resourcePath);
    for (AccessControlPolicy policy : policies) {
        if (policy instanceof AccessControlList) {
            acl = (AccessControlList) policy;
            break;
        }
    }
    if (acl == null) {
        AccessControlPolicyIterator applicablePolicies = accessControlManager.getApplicablePolicies(resourcePath);
        while (applicablePolicies.hasNext()) {
            AccessControlPolicy policy = applicablePolicies.nextAccessControlPolicy();
            if (policy instanceof AccessControlList) {
                acl = (AccessControlList) policy;
                break;
            }
        }
    }
    if (acl == null) {
        throw new RepositoryException("Could not obtain ACL for resource " + resourcePath);
    }
    // Used only for logging.
    Set<Privilege> oldGrants = null;
    Set<Privilege> oldDenies = null;
    if (log.isDebugEnabled()) {
        oldGrants = new HashSet<Privilege>();
        oldDenies = new HashSet<Privilege>();
    }
    // Combine all existing ACEs for the target principal.
    AccessControlEntry[] accessControlEntries = acl.getAccessControlEntries();
    for (int i = 0; i < accessControlEntries.length; i++) {
        AccessControlEntry ace = accessControlEntries[i];
        if (principal.equals(ace.getPrincipal())) {
            if (log.isDebugEnabled()) {
                log.debug("Found Existing ACE for principal {} on resource {}", new Object[] { principal.getName(), resourcePath });
            }
            if (order == null || order.length() == 0) {
                //order not specified, so keep track of the original ACE position.
                order = String.valueOf(i);
            }
            boolean isAllow = isAllow(ace);
            Privilege[] privileges = ace.getPrivileges();
            if (log.isDebugEnabled()) {
                if (isAllow) {
                    oldGrants.addAll(Arrays.asList(privileges));
                } else {
                    oldDenies.addAll(Arrays.asList(privileges));
                }
            }
            for (Privilege privilege : privileges) {
                Set<String> maintainedPrivileges = disaggregateToPrivilegeNames(privilege);
                // break the existing privilege down; otherwise, maintain as is.
                if (!maintainedPrivileges.removeAll(specifiedPrivilegeNames)) {
                    // No conflicts, so preserve the original.
                    maintainedPrivileges.clear();
                    maintainedPrivileges.add(privilege.getName());
                }
                if (!maintainedPrivileges.isEmpty()) {
                    if (isAllow) {
                        newGrantedPrivilegeNames.addAll(maintainedPrivileges);
                    } else {
                        newDeniedPrivilegeNames.addAll(maintainedPrivileges);
                    }
                }
            }
            // Remove the old ACE.
            acl.removeAccessControlEntry(ace);
        }
    }
    //add a fresh ACE with the granted privileges
    List<Privilege> grantedPrivilegeList = new ArrayList<Privilege>();
    for (String name : newGrantedPrivilegeNames) {
        Privilege privilege = accessControlManager.privilegeFromName(name);
        grantedPrivilegeList.add(privilege);
    }
    if (grantedPrivilegeList.size() > 0) {
        acl.addAccessControlEntry(principal, grantedPrivilegeList.toArray(new Privilege[grantedPrivilegeList.size()]));
    }
    //add a fresh ACE with the denied privileges
    List<Privilege> deniedPrivilegeList = new ArrayList<Privilege>();
    for (String name : newDeniedPrivilegeNames) {
        Privilege privilege = accessControlManager.privilegeFromName(name);
        deniedPrivilegeList.add(privilege);
    }
    if (deniedPrivilegeList.size() > 0) {
        addEntry(acl, principal, deniedPrivilegeList.toArray(new Privilege[deniedPrivilegeList.size()]), false);
    }
    //order the ACL
    reorderAccessControlEntries(acl, principal, order);
    accessControlManager.setPolicy(resourcePath, acl);
    if (log.isDebugEnabled()) {
        List<String> oldGrantedNames = new ArrayList<String>(oldGrants.size());
        for (Privilege privilege : oldGrants) {
            oldGrantedNames.add(privilege.getName());
        }
        List<String> oldDeniedNames = new ArrayList<String>(oldDenies.size());
        for (Privilege privilege : oldDenies) {
            oldDeniedNames.add(privilege.getName());
        }
        log.debug("Updated ACE for principalName {} for resource {} from grants {}, denies {} to grants {}, denies {}", new Object[] { principal.getName(), resourcePath, oldGrantedNames, oldDeniedNames, newGrantedPrivilegeNames, newDeniedPrivilegeNames });
    }
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList) AccessControlList(javax.jcr.security.AccessControlList) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) ArrayList(java.util.ArrayList) AccessControlEntry(javax.jcr.security.AccessControlEntry) AccessControlPolicyIterator(javax.jcr.security.AccessControlPolicyIterator) RepositoryException(javax.jcr.RepositoryException) Privilege(javax.jcr.security.Privilege) HashSet(java.util.HashSet)

Example 92 with AccessControlManager

use of javax.jcr.security.AccessControlManager in project sling by apache.

the class DeleteAcesServlet method deleteAces.

/* (non-Javadoc)
	 * @see org.apache.sling.jcr.jackrabbit.accessmanager.DeleteAces#deleteAces(javax.jcr.Session, java.lang.String, java.lang.String[])
	 */
public void deleteAces(Session jcrSession, String resourcePath, String[] principalNamesToDelete) throws RepositoryException {
    if (principalNamesToDelete == null) {
        throw new RepositoryException("principalIds were not sumitted.");
    } else {
        if (jcrSession == null) {
            throw new RepositoryException("JCR Session not found");
        }
        if (resourcePath == null) {
            throw new ResourceNotFoundException("Resource path was not supplied.");
        }
        Item item = jcrSession.getItem(resourcePath);
        if (item != null) {
            resourcePath = item.getPath();
        } else {
            throw new ResourceNotFoundException("Resource is not a JCR Node");
        }
        //load the principalIds array into a set for quick lookup below
        Set<String> pidSet = new HashSet<String>();
        pidSet.addAll(Arrays.asList(principalNamesToDelete));
        try {
            AccessControlManager accessControlManager = AccessControlUtil.getAccessControlManager(jcrSession);
            AccessControlList updatedAcl = getAccessControlList(accessControlManager, resourcePath, false);
            //keep track of the existing Aces for the target principal
            AccessControlEntry[] accessControlEntries = updatedAcl.getAccessControlEntries();
            List<AccessControlEntry> oldAces = new ArrayList<AccessControlEntry>();
            for (AccessControlEntry ace : accessControlEntries) {
                if (pidSet.contains(ace.getPrincipal().getName())) {
                    oldAces.add(ace);
                }
            }
            //remove the old aces
            if (!oldAces.isEmpty()) {
                for (AccessControlEntry ace : oldAces) {
                    updatedAcl.removeAccessControlEntry(ace);
                }
            }
            //apply the changed policy
            accessControlManager.setPolicy(resourcePath, updatedAcl);
        } catch (RepositoryException re) {
            throw new RepositoryException("Failed to delete access control.", re);
        }
    }
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) AccessControlList(javax.jcr.security.AccessControlList) Item(javax.jcr.Item) ArrayList(java.util.ArrayList) AccessControlEntry(javax.jcr.security.AccessControlEntry) RepositoryException(javax.jcr.RepositoryException) ResourceNotFoundException(org.apache.sling.api.resource.ResourceNotFoundException) HashSet(java.util.HashSet)

Example 93 with AccessControlManager

use of javax.jcr.security.AccessControlManager in project sling by apache.

the class GetAclServlet method getAccessControlEntries.

@Override
protected AccessControlEntry[] getAccessControlEntries(Session session, String absPath) throws RepositoryException {
    AccessControlManager accessControlManager = AccessControlUtil.getAccessControlManager(session);
    AccessControlPolicy[] policies = accessControlManager.getPolicies(absPath);
    List<AccessControlEntry> allEntries = new ArrayList<AccessControlEntry>();
    for (AccessControlPolicy accessControlPolicy : policies) {
        if (accessControlPolicy instanceof AccessControlList) {
            AccessControlEntry[] accessControlEntries = ((AccessControlList) accessControlPolicy).getAccessControlEntries();
            for (AccessControlEntry accessControlEntry : accessControlEntries) {
                allEntries.add(accessControlEntry);
            }
        }
    }
    return allEntries.toArray(new AccessControlEntry[allEntries.size()]);
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) AccessControlList(javax.jcr.security.AccessControlList) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) ArrayList(java.util.ArrayList) AccessControlEntry(javax.jcr.security.AccessControlEntry)

Example 94 with AccessControlManager

use of javax.jcr.security.AccessControlManager in project sling by apache.

the class PrivilegesInfo method getSupportedPrivileges.

/**
	 * Returns the supported privileges for the specified path.
	 * 
	 * @param session the session for the current user
	 * @param absPath the path to get the privileges for
	 * @return array of Privileges
	 * @throws RepositoryException
	 */
public Privilege[] getSupportedPrivileges(Session session, String absPath) throws RepositoryException {
    AccessControlManager accessControlManager = AccessControlUtil.getAccessControlManager(session);
    Privilege[] supportedPrivileges = accessControlManager.getSupportedPrivileges(absPath);
    return supportedPrivileges;
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) Privilege(javax.jcr.security.Privilege)

Example 95 with AccessControlManager

use of javax.jcr.security.AccessControlManager in project sling by apache.

the class PrivilegesInfo method getDeclaredAccessControlEntries.

private AccessControlEntry[] getDeclaredAccessControlEntries(Session session, String absPath) throws RepositoryException {
    AccessControlManager accessControlManager = AccessControlUtil.getAccessControlManager(session);
    AccessControlPolicy[] policies = accessControlManager.getPolicies(absPath);
    for (AccessControlPolicy accessControlPolicy : policies) {
        if (accessControlPolicy instanceof AccessControlList) {
            AccessControlEntry[] accessControlEntries = ((AccessControlList) accessControlPolicy).getAccessControlEntries();
            return accessControlEntries;
        }
    }
    return new AccessControlEntry[0];
}
Also used : AccessControlManager(javax.jcr.security.AccessControlManager) AccessControlList(javax.jcr.security.AccessControlList) AccessControlPolicy(javax.jcr.security.AccessControlPolicy) AccessControlEntry(javax.jcr.security.AccessControlEntry)

Aggregations

AccessControlManager (javax.jcr.security.AccessControlManager)192 Privilege (javax.jcr.security.Privilege)82 JackrabbitAccessControlList (org.apache.jackrabbit.api.security.JackrabbitAccessControlList)77 AccessControlPolicy (javax.jcr.security.AccessControlPolicy)62 Session (javax.jcr.Session)47 Test (org.junit.Test)45 AccessControlEntry (javax.jcr.security.AccessControlEntry)39 Node (javax.jcr.Node)33 AccessControlList (javax.jcr.security.AccessControlList)32 JackrabbitAccessControlManager (org.apache.jackrabbit.api.security.JackrabbitAccessControlManager)32 AbstractSecurityTest (org.apache.jackrabbit.oak.AbstractSecurityTest)23 Principal (java.security.Principal)22 Value (javax.jcr.Value)17 HashMap (java.util.HashMap)14 JackrabbitAccessControlEntry (org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry)14 Group (org.apache.jackrabbit.api.security.user.Group)14 ValueFactory (javax.jcr.ValueFactory)13 AccessControlPolicyIterator (javax.jcr.security.AccessControlPolicyIterator)13 NodeImpl (org.apache.jackrabbit.core.NodeImpl)13 NodeUtil (org.apache.jackrabbit.oak.util.NodeUtil)12
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial