Examples with AccessControlPolicy javax.jcr.security.AccessControlPolicy used on opensource projects
Example 91 with AccessControlPolicy
use of javax.jcr.security.AccessControlPolicy in project sling by apache.
the class AccessControlUtil method replaceAccessControlEntry.
/**
* Replaces existing access control entries in the ACL for the specified
* <code>principal</code> and <code>resourcePath</code>. Any existing granted
* or denied privileges which do not conflict with the specified privileges
* are maintained. Where conflicts exist, existing privileges are dropped.
* The end result will be at most two ACEs for the principal: one for grants
* and one for denies. Aggregate privileges are disaggregated before checking
* for conflicts.
* @param session
* @param resourcePath
* @param principal
* @param grantedPrivilegeNames
* @param deniedPrivilegeNames
* @param removedPrivilegeNames privileges which, if they exist, should be
* removed for this principal and resource
* @param order where the access control entry should go in the list.
* Value should be one of these:
* <table>
* <tr><td>null</td><td>If the ACE for the principal doesn't exist add at the end, otherwise leave the ACE at it's current position.</td></tr>
* <tr><td>first</td><td>Place the target ACE as the first amongst its siblings</td></tr>
* <tr><td>last</td><td>Place the target ACE as the last amongst its siblings</td></tr>
* <tr><td>before xyz</td><td>Place the target ACE immediately before the sibling whose name is xyz</td></tr>
* <tr><td>after xyz</td><td>Place the target ACE immediately after the sibling whose name is xyz</td></tr>
* <tr><td>numeric</td><td>Place the target ACE at the specified numeric index</td></tr>
* </table>
* @throws RepositoryException
*/
public static void replaceAccessControlEntry(Session session, String resourcePath, Principal principal, String[] grantedPrivilegeNames, String[] deniedPrivilegeNames, String[] removedPrivilegeNames, String order) throws RepositoryException {
AccessControlManager accessControlManager = getAccessControlManager(session);
Set<String> specifiedPrivilegeNames = new HashSet<String>();
Set<String> newGrantedPrivilegeNames = disaggregateToPrivilegeNames(accessControlManager, grantedPrivilegeNames, specifiedPrivilegeNames);
Set<String> newDeniedPrivilegeNames = disaggregateToPrivilegeNames(accessControlManager, deniedPrivilegeNames, specifiedPrivilegeNames);
disaggregateToPrivilegeNames(accessControlManager, removedPrivilegeNames, specifiedPrivilegeNames);
// Get or create the ACL for the node.
AccessControlList acl = null;
AccessControlPolicy[] policies = accessControlManager.getPolicies(resourcePath);
for (AccessControlPolicy policy : policies) {
if (policy instanceof AccessControlList) {
acl = (AccessControlList) policy;
break;
}
}
if (acl == null) {
AccessControlPolicyIterator applicablePolicies = accessControlManager.getApplicablePolicies(resourcePath);
while (applicablePolicies.hasNext()) {
AccessControlPolicy policy = applicablePolicies.nextAccessControlPolicy();
if (policy instanceof AccessControlList) {
acl = (AccessControlList) policy;
break;
}
}
}
if (acl == null) {
throw new RepositoryException("Could not obtain ACL for resource " + resourcePath);
}
// Used only for logging.
Set<Privilege> oldGrants = null;
Set<Privilege> oldDenies = null;
if (log.isDebugEnabled()) {
oldGrants = new HashSet<Privilege>();
oldDenies = new HashSet<Privilege>();
}
// Combine all existing ACEs for the target principal.
AccessControlEntry[] accessControlEntries = acl.getAccessControlEntries();
for (int i = 0; i < accessControlEntries.length; i++) {
AccessControlEntry ace = accessControlEntries[i];
if (principal.equals(ace.getPrincipal())) {
if (log.isDebugEnabled()) {
log.debug("Found Existing ACE for principal {} on resource {}", new Object[] { principal.getName(), resourcePath });
}
if (order == null || order.length() == 0) {
//order not specified, so keep track of the original ACE position.
order = String.valueOf(i);
}
boolean isAllow = isAllow(ace);
Privilege[] privileges = ace.getPrivileges();
if (log.isDebugEnabled()) {
if (isAllow) {
oldGrants.addAll(Arrays.asList(privileges));
} else {
oldDenies.addAll(Arrays.asList(privileges));
}
}
for (Privilege privilege : privileges) {
Set<String> maintainedPrivileges = disaggregateToPrivilegeNames(privilege);
// break the existing privilege down; otherwise, maintain as is.
if (!maintainedPrivileges.removeAll(specifiedPrivilegeNames)) {
// No conflicts, so preserve the original.
maintainedPrivileges.clear();
maintainedPrivileges.add(privilege.getName());
}
if (!maintainedPrivileges.isEmpty()) {
if (isAllow) {
newGrantedPrivilegeNames.addAll(maintainedPrivileges);
} else {
newDeniedPrivilegeNames.addAll(maintainedPrivileges);
}
}
}
// Remove the old ACE.
acl.removeAccessControlEntry(ace);
}
}
//add a fresh ACE with the granted privileges
List<Privilege> grantedPrivilegeList = new ArrayList<Privilege>();
for (String name : newGrantedPrivilegeNames) {
Privilege privilege = accessControlManager.privilegeFromName(name);
grantedPrivilegeList.add(privilege);
}
if (grantedPrivilegeList.size() > 0) {
acl.addAccessControlEntry(principal, grantedPrivilegeList.toArray(new Privilege[grantedPrivilegeList.size()]));
}
//add a fresh ACE with the denied privileges
List<Privilege> deniedPrivilegeList = new ArrayList<Privilege>();
for (String name : newDeniedPrivilegeNames) {
Privilege privilege = accessControlManager.privilegeFromName(name);
deniedPrivilegeList.add(privilege);
}
if (deniedPrivilegeList.size() > 0) {
addEntry(acl, principal, deniedPrivilegeList.toArray(new Privilege[deniedPrivilegeList.size()]), false);
}
//order the ACL
reorderAccessControlEntries(acl, principal, order);
accessControlManager.setPolicy(resourcePath, acl);
if (log.isDebugEnabled()) {
List<String> oldGrantedNames = new ArrayList<String>(oldGrants.size());
for (Privilege privilege : oldGrants) {
oldGrantedNames.add(privilege.getName());
}
List<String> oldDeniedNames = new ArrayList<String>(oldDenies.size());
for (Privilege privilege : oldDenies) {
oldDeniedNames.add(privilege.getName());
}
log.debug("Updated ACE for principalName {} for resource {} from grants {}, denies {} to grants {}, denies {}", new Object[] { principal.getName(), resourcePath, oldGrantedNames, oldDeniedNames, newGrantedPrivilegeNames, newDeniedPrivilegeNames });
}
}
Also used :
AccessControlManager(javax.jcr.security.AccessControlManager)
JackrabbitAccessControlList(org.apache.jackrabbit.api.security.JackrabbitAccessControlList)
AccessControlList(javax.jcr.security.AccessControlList)
AccessControlPolicy(javax.jcr.security.AccessControlPolicy)
ArrayList(java.util.ArrayList)
AccessControlEntry(javax.jcr.security.AccessControlEntry)
AccessControlPolicyIterator(javax.jcr.security.AccessControlPolicyIterator)
RepositoryException(javax.jcr.RepositoryException)
Privilege(javax.jcr.security.Privilege)
HashSet(java.util.HashSet)
Example 92 with AccessControlPolicy
use of javax.jcr.security.AccessControlPolicy in project sling by apache.
the class GetAclServlet method getAccessControlEntries.
@Override
protected AccessControlEntry[] getAccessControlEntries(Session session, String absPath) throws RepositoryException {
AccessControlManager accessControlManager = AccessControlUtil.getAccessControlManager(session);
AccessControlPolicy[] policies = accessControlManager.getPolicies(absPath);
List<AccessControlEntry> allEntries = new ArrayList<AccessControlEntry>();
for (AccessControlPolicy accessControlPolicy : policies) {
if (accessControlPolicy instanceof AccessControlList) {
AccessControlEntry[] accessControlEntries = ((AccessControlList) accessControlPolicy).getAccessControlEntries();
for (AccessControlEntry accessControlEntry : accessControlEntries) {
allEntries.add(accessControlEntry);
}
}
}
return allEntries.toArray(new AccessControlEntry[allEntries.size()]);
}
Also used :
AccessControlManager(javax.jcr.security.AccessControlManager)
AccessControlList(javax.jcr.security.AccessControlList)
AccessControlPolicy(javax.jcr.security.AccessControlPolicy)
ArrayList(java.util.ArrayList)
AccessControlEntry(javax.jcr.security.AccessControlEntry)
Example 93 with AccessControlPolicy
use of javax.jcr.security.AccessControlPolicy in project sling by apache.
the class PrivilegesInfo method getDeclaredAccessControlEntries.
private AccessControlEntry[] getDeclaredAccessControlEntries(Session session, String absPath) throws RepositoryException {
AccessControlManager accessControlManager = AccessControlUtil.getAccessControlManager(session);
AccessControlPolicy[] policies = accessControlManager.getPolicies(absPath);
for (AccessControlPolicy accessControlPolicy : policies) {
if (accessControlPolicy instanceof AccessControlList) {
AccessControlEntry[] accessControlEntries = ((AccessControlList) accessControlPolicy).getAccessControlEntries();
return accessControlEntries;
}
}
return new AccessControlEntry[0];
}
Also used :
AccessControlManager(javax.jcr.security.AccessControlManager)
AccessControlList(javax.jcr.security.AccessControlList)
AccessControlPolicy(javax.jcr.security.AccessControlPolicy)
AccessControlEntry(javax.jcr.security.AccessControlEntry)
Example 94 with AccessControlPolicy
use of javax.jcr.security.AccessControlPolicy in project sling by apache.
the class ResourceResolverTest method removeAce.
// ---------- internal
private void removeAce(Session adminSession, Principal principal, String absPath) throws Exception {
AccessControlManager accessControlManager = adminSession.getAccessControlManager();
AccessControlPolicy[] policies = accessControlManager.getPolicies(absPath);
for (AccessControlPolicy plc : policies) {
if (plc instanceof AccessControlList) {
boolean modified = false;
AccessControlList acl = ((AccessControlList) plc);
for (AccessControlEntry ace : acl.getAccessControlEntries()) {
if (principal.equals(ace.getPrincipal())) {
acl.removeAccessControlEntry(ace);
modified = true;
}
}
if (modified) {
accessControlManager.setPolicy(absPath, acl);
}
}
}
if (adminSession.hasPendingChanges()) {
adminSession.save();
}
}
Also used :
AccessControlManager(javax.jcr.security.AccessControlManager)
AccessControlList(javax.jcr.security.AccessControlList)
AccessControlPolicy(javax.jcr.security.AccessControlPolicy)
AccessControlEntry(javax.jcr.security.AccessControlEntry)
Example 95 with AccessControlPolicy
use of javax.jcr.security.AccessControlPolicy in project jackrabbit by apache.
the class AbstractEvaluationTest method tearDown.
@Override
protected void tearDown() throws Exception {
try {
for (String path : toClear) {
try {
AccessControlPolicy[] policies = acMgr.getPolicies(path);
for (AccessControlPolicy policy : policies) {
acMgr.removePolicy(path, policy);
}
superuser.save();
} catch (RepositoryException e) {
// log error and ignore
log.debug(e.getMessage());
}
}
if (testSession != null && testSession.isLive()) {
testSession.logout();
}
if (testGroup != null && testUser != null) {
if (testGroup.isDeclaredMember(testUser)) {
testGroup.removeMember(testUser);
}
testGroup.remove();
}
if (uid != null) {
Authorizable a = getUserManager(superuser).getAuthorizable(uid);
if (a != null) {
a.remove();
}
}
if (!getUserManager(superuser).isAutoSave() && superuser.hasPendingChanges()) {
superuser.save();
}
} finally {
super.tearDown();
}
}
Also used :
AccessControlPolicy(javax.jcr.security.AccessControlPolicy)
Authorizable(org.apache.jackrabbit.api.security.user.Authorizable)
RepositoryException(javax.jcr.RepositoryException)
Aggregations
AccessControlPolicy (javax.jcr.security.AccessControlPolicy)182
Test (org.junit.Test)67
JackrabbitAccessControlPolicy (org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy)66
AccessControlManager (javax.jcr.security.AccessControlManager)62
AccessControlPolicyIterator (javax.jcr.security.AccessControlPolicyIterator)52
JackrabbitAccessControlList (org.apache.jackrabbit.api.security.JackrabbitAccessControlList)52
AbstractSecurityTest (org.apache.jackrabbit.oak.AbstractSecurityTest)49
AccessControlEntry (javax.jcr.security.AccessControlEntry)40
AccessControlList (javax.jcr.security.AccessControlList)32
JackrabbitAccessControlManager (org.apache.jackrabbit.api.security.JackrabbitAccessControlManager)32
NamedAccessControlPolicy (javax.jcr.security.NamedAccessControlPolicy)28
Privilege (javax.jcr.security.Privilege)28
Principal (java.security.Principal)24
NotExecutableException (org.apache.jackrabbit.test.NotExecutableException)23
NodeImpl (org.apache.jackrabbit.core.NodeImpl)18
TestACL (org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.TestACL)18
Node (javax.jcr.Node)17
JackrabbitAccessControlEntry (org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry)17
Root (org.apache.jackrabbit.oak.api.Root)14
NodeUtil (org.apache.jackrabbit.oak.util.NodeUtil)14
