Posted to commits@jackrabbit.apache.org by an...@apache.org on 2008/04/03 10:15:04 UTC
svn commit: r644215 [1/3] - in /jackrabbit/trunk/jackrabbit-core/src:
main/java/org/apache/jackrabbit/core/security/
main/java/org/apache/jackrabbit/core/security/authorization/
main/java/org/apache/jackrabbit/core/security/authorization/acl/ main/java...
Author: angela
Date: Thu Apr 3 01:15:01 2008
New Revision: 644215
URL: http://svn.apache.org/viewvc?rev=644215&view=rev
Log:
security: work in progress
- change ACEditor to take jcr path
- extract common, abstract policy entry impl
- add more tests
- add JackrabbitAccessControlManager for policy editing
- various minor changes, fixes, improvements
Added:
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitAccessControlManager.java (with props)
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyEntry.java (with props)
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/GlobPattern.java (with props)
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyEntryTest.java (with props)
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyTemplateTest.java (with props)
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/combined/GlobPatternTest.java (with props)
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/combined/PolicyEntryImplTest.java (with props)
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/combined/PolicyTemplateImplTest.java (with props)
Removed:
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/GlobPattern.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/ACLImpl.java
Modified:
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/AbstractAccessControlManager.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractAccessControlProvider.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlEditor.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PolicyEntry.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PolicyTemplate.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACEImpl.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLEditor.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedEditor.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedProvider.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/PolicyEntryImpl.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/PolicyTemplateImpl.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleAccessManager.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/user/UserAccessControlProvider.java
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/AccessManagerTest.java
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/TestAll.java
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ACEImplTest.java
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplateTest.java
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/combined/TestAll.java
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/jsr283/security/AbstractAccessControlTest.java
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/jsr283/security/AccessControlDiscoveryTest.java
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/jsr283/security/AccessControlPolicyIteratorTest.java
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/GroupAdministratorTest.java
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/UserAdministratorTest.java
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/AbstractAccessControlManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/AbstractAccessControlManager.java?rev=644215&r1=644214&r2=644215&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/AbstractAccessControlManager.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/AbstractAccessControlManager.java Thu Apr 3 01:15:01 2008
@@ -26,7 +26,6 @@
import org.apache.jackrabbit.core.security.jsr283.security.AccessControlEntry;
import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
import org.apache.jackrabbit.commons.iterator.AccessControlPolicyIteratorAdapter;
-import org.apache.jackrabbit.spi.Path;
import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
@@ -37,7 +36,7 @@
/**
* <code>AbstractAccessControlManager</code>...
*/
-public abstract class AbstractAccessControlManager implements AccessControlManager {
+public abstract class AbstractAccessControlManager implements JackrabbitAccessControlManager {
private static Logger log = LoggerFactory.getLogger(AbstractAccessControlManager.class);
@@ -50,7 +49,7 @@
*/
public Privilege[] getSupportedPrivileges(String absPath) throws PathNotFoundException, RepositoryException {
checkInitialized();
- getValidNodePath(absPath);
+ checkValidNodePath(absPath);
// return all known privileges everywhere.
return PrivilegeRegistry.getRegisteredPrivileges();
@@ -65,7 +64,7 @@
*/
public AccessControlPolicy getPolicy(String absPath) throws PathNotFoundException, AccessDeniedException, RepositoryException {
checkInitialized();
- checkPrivileges(getValidNodePath(absPath), PrivilegeRegistry.READ_AC);
+ checkPrivileges(absPath, PrivilegeRegistry.READ_AC);
log.debug("Implementation does not provide applicable policies -> getPolicy() always returns null.");
return null;
@@ -80,7 +79,7 @@
*/
public AccessControlPolicyIterator getApplicablePolicies(String absPath) throws PathNotFoundException, AccessDeniedException, RepositoryException {
checkInitialized();
- checkPrivileges(getValidNodePath(absPath), PrivilegeRegistry.READ_AC);
+ checkPrivileges(absPath, PrivilegeRegistry.READ_AC);
log.debug("Implementation does not provide applicable policies -> returning empty iterator.");
return AccessControlPolicyIteratorAdapter.EMPTY;
@@ -93,7 +92,7 @@
*/
public void setPolicy(String absPath, AccessControlPolicy policy) throws PathNotFoundException, AccessControlException, AccessDeniedException, RepositoryException {
checkInitialized();
- checkPrivileges(getValidNodePath(absPath), PrivilegeRegistry.MODIFY_AC);
+ checkPrivileges(absPath, PrivilegeRegistry.MODIFY_AC);
throw new AccessControlException("AccessControlPolicy " + policy.getName() + " cannot be applied.");
}
@@ -105,7 +104,7 @@
*/
public AccessControlPolicy removePolicy(String absPath) throws PathNotFoundException, AccessControlException, AccessDeniedException, RepositoryException {
checkInitialized();
- checkPrivileges(getValidNodePath(absPath), PrivilegeRegistry.MODIFY_AC);
+ checkPrivileges(absPath, PrivilegeRegistry.MODIFY_AC);
throw new AccessControlException("No AccessControlPolicy has been set through this API -> Cannot be removed.");
}
@@ -118,7 +117,7 @@
*/
public AccessControlEntry[] getAccessControlEntries(String absPath) throws PathNotFoundException, AccessDeniedException, RepositoryException {
checkInitialized();
- checkPrivileges(getValidNodePath(absPath), PrivilegeRegistry.READ_AC);
+ checkPrivileges(absPath, PrivilegeRegistry.READ_AC);
return new AccessControlEntry[0];
}
@@ -130,7 +129,7 @@
*/
public AccessControlEntry addAccessControlEntry(String absPath, Principal principal, Privilege[] privileges) throws PathNotFoundException, AccessControlException, AccessDeniedException, RepositoryException {
checkInitialized();
- checkPrivileges(getValidNodePath(absPath), PrivilegeRegistry.MODIFY_AC);
+ checkPrivileges(absPath, PrivilegeRegistry.MODIFY_AC);
throw new UnsupportedRepositoryOperationException("Adding access control entry is not supported by this AccessControlManager (" + getClass().getName()+ ").");
}
@@ -142,7 +141,7 @@
*/
public void removeAccessControlEntry(String absPath, AccessControlEntry ace) throws PathNotFoundException, AccessControlException, AccessDeniedException, RepositoryException {
checkInitialized();
- checkPrivileges(getValidNodePath(absPath), PrivilegeRegistry.MODIFY_AC);
+ checkPrivileges(absPath, PrivilegeRegistry.MODIFY_AC);
throw new AccessControlException("Invalid access control entry, that has not been applied through this API.");
}
@@ -166,7 +165,7 @@
* of if the session does not have the privilege to READ it.
* @throws RepositoryException
*/
- protected abstract void checkPrivileges(Path absPath, int privileges) throws AccessDeniedException, PathNotFoundException, RepositoryException;
+ protected abstract void checkPrivileges(String absPath, int privileges) throws AccessDeniedException, PathNotFoundException, RepositoryException;
/**
* Build a qualified path from the specified <code>absPath</code> and test
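Review bot: With this signature change every caller in this class passes the raw `absPath` string straight to `checkPrivileges` and no longer validates it first, so path validation has silently become part of the abstract method's contract, yet the Javadoc (which starts above this hunk) does not say so. A subclass that only tests privileges would skip the absolute-path and node-existence checks that `getValidNodePath` used to guarantee at every call site (getPolicy, getApplicablePolicies, setPolicy, removePolicy and the access control entry methods). Add to the comment something like `Implementations must first verify that absPath is an absolute path to an existing node (see checkValidNodePath) and throw PathNotFoundException otherwise.` The `@throws` text visible here also mentions only the privilege to READ, although the method is used for MODIFY_AC checks as well.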
@@ -178,6 +177,6 @@
* @throws RepositoryException If the given <code>absPath</code> is not
* absolute or if some other error occurs.
*/
- protected abstract Path getValidNodePath(String absPath) throws PathNotFoundException, RepositoryException;
+ protected abstract void checkValidNodePath(String absPath) throws PathNotFoundException, RepositoryException;
}
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java?rev=644215&r1=644214&r2=644215&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java Thu Apr 3 01:15:01 2008
@@ -73,7 +73,6 @@
* How access control policies are matched to a particular item is defined by
* the <code>AccessControlProvider</code> set to this AccessManager.
*
- * @version $Rev$, $Date$
* @see AccessManager
* @see AccessControlManager
*/
@@ -240,14 +239,14 @@
*/
public boolean hasPrivileges(String absPath, Privilege[] privileges) throws PathNotFoundException, RepositoryException {
checkInitialized();
- Path path = getValidNodePath(absPath);
+ checkValidNodePath(absPath);
if (privileges == null || privileges.length == 0) {
// null or empty privilege array -> return true
log.debug("No privileges defined for hasPrivilege test.");
return true;
} else {
int privs = PrivilegeRegistry.getBits(privileges);
- return internalHasPrivileges(path, privs);
+ return internalHasPrivileges(absPath, privs);
}
}
@@ -256,8 +255,8 @@
*/
public Privilege[] getPrivileges(String absPath) throws PathNotFoundException, RepositoryException {
checkInitialized();
- Path path = getValidNodePath(absPath);
- int privs = compiledPermissions.getPrivileges(path);
+ checkValidNodePath(absPath);
+ int privs = compiledPermissions.getPrivileges(resolver.getQPath(absPath));
return (privs == 0) ? new Privilege[0] : PrivilegeRegistry.getPrivileges(privs);
}
@@ -266,12 +265,11 @@
*/
public AccessControlPolicy getPolicy(String absPath) throws PathNotFoundException, AccessDeniedException, RepositoryException {
checkInitialized();
- Path path = getValidNodePath(absPath);
- checkPrivileges(path, PrivilegeRegistry.READ_AC);
+ checkPrivileges(absPath, PrivilegeRegistry.READ_AC);
AccessControlPolicy policy = null;
if (editor != null) {
- policy = editor.getPolicyTemplate(getNodeId(path));
+ policy = editor.getPolicyTemplate(absPath);
}
return policy;
}
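Review bot: The privilege check and the editor call now resolve the same `absPath` string independently: `checkPrivileges(absPath, ...)` parses it with this manager's `resolver`, while `editor.getPolicyTemplate(absPath)` has to parse it again inside the editor. If the editor resolves JCR names against a different session than the caller's (the provider base class in this commit keeps the system session as its `resolver`), a session-local namespace remapping could make the checked node and the node the editor works on differ; this is inferred, because the editor implementation is not visible here. Consider handing the already resolved `Path` or `NodeId` to the editor, or documenting on `AccessControlEditor` that path arguments are interpreted with the calling session's namespace mappings. The same pattern appears in getApplicablePolicies, setPolicy, removePolicy, getAccessControlEntries, addAccessControlEntry and removeAccessControlEntry below.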
@@ -281,11 +279,10 @@
*/
public AccessControlPolicy getEffectivePolicy(String absPath) throws PathNotFoundException, AccessDeniedException, RepositoryException {
checkInitialized();
- Path path = getValidNodePath(absPath);
- checkPrivileges(path, PrivilegeRegistry.READ_AC);
+ checkPrivileges(absPath, PrivilegeRegistry.READ_AC);
// TODO: acProvider may not retrieve the correct policy in case of transient modifications
- return acProvider.getPolicy(getNodeId(path));
+ return acProvider.getPolicy(getNodeId(absPath));
}
/**
@@ -293,11 +290,10 @@
*/
public AccessControlPolicyIterator getApplicablePolicies(String absPath) throws PathNotFoundException, AccessDeniedException, RepositoryException {
checkInitialized();
- Path path = getValidNodePath(absPath);
- checkPrivileges(path, PrivilegeRegistry.READ_AC);
+ checkPrivileges(absPath, PrivilegeRegistry.READ_AC);
if (editor != null) {
- PolicyTemplate applicable = editor.editPolicyTemplate(getNodeId(path));
+ PolicyTemplate applicable = editor.editPolicyTemplate(absPath);
if (applicable != null) {
return new AccessControlPolicyIteratorAdapter(Collections.singletonList(applicable));
}
@@ -312,12 +308,11 @@
public void setPolicy(String absPath, AccessControlPolicy policy) throws PathNotFoundException, AccessControlException, AccessDeniedException, RepositoryException {
checkInitialized();
if (policy instanceof PolicyTemplate) {
- Path path = getValidNodePath(absPath);
- checkPrivileges(path, PrivilegeRegistry.MODIFY_AC);
+ checkPrivileges(absPath, PrivilegeRegistry.MODIFY_AC);
if (editor == null) {
throw new UnsupportedRepositoryOperationException("Modification of AccessControlPolicies is not supported. ");
}
- editor.setPolicyTemplate(getNodeId(path), (PolicyTemplate) policy);
+ editor.setPolicyTemplate(absPath, (PolicyTemplate) policy);
} else {
throw new AccessControlException("Access control policy '" + policy + "' not applicable");
}
@@ -328,12 +323,11 @@
*/
public AccessControlPolicy removePolicy(String absPath) throws PathNotFoundException, AccessControlException, AccessDeniedException, RepositoryException {
checkInitialized();
- Path path = getValidNodePath(absPath);
- checkPrivileges(path, PrivilegeRegistry.MODIFY_AC);
+ checkPrivileges(absPath, PrivilegeRegistry.MODIFY_AC);
if (editor == null) {
throw new UnsupportedRepositoryOperationException("Removal of AccessControlPolicies is not supported.");
}
- return editor.removePolicyTemplate(getNodeId(path));
+ return editor.removePolicyTemplate(absPath);
}
/**
@@ -341,12 +335,11 @@
*/
public AccessControlEntry[] getAccessControlEntries(String absPath) throws PathNotFoundException, AccessDeniedException, RepositoryException {
checkInitialized();
- Path path = getValidNodePath(absPath);
- checkPrivileges(path, PrivilegeRegistry.READ_AC);
+ checkPrivileges(absPath, PrivilegeRegistry.READ_AC);
AccessControlEntry[] entries = new AccessControlEntry[0];
if (editor != null) {
- entries = editor.getAccessControlEntries(getNodeId(path));
+ entries = editor.getAccessControlEntries(absPath);
}
return entries;
}
@@ -356,10 +349,9 @@
*/
public AccessControlEntry[] getEffectiveAccessControlEntries(String absPath) throws PathNotFoundException, AccessDeniedException, RepositoryException {
checkInitialized();
- Path path = getValidNodePath(absPath);
- checkPrivileges(path, PrivilegeRegistry.READ_AC);
+ checkPrivileges(absPath, PrivilegeRegistry.READ_AC);
- return acProvider.getAccessControlEntries(getNodeId(path));
+ return acProvider.getAccessControlEntries(getNodeId(absPath));
}
/**
@@ -367,14 +359,12 @@
*/
public AccessControlEntry addAccessControlEntry(String absPath, Principal principal, Privilege[] privileges) throws PathNotFoundException, AccessControlException, AccessDeniedException, RepositoryException {
checkInitialized();
- Path path = getValidNodePath(absPath);
- checkPrivileges(path, PrivilegeRegistry.MODIFY_AC);
+ checkPrivileges(absPath, PrivilegeRegistry.MODIFY_AC);
if (editor == null) {
throw new UnsupportedRepositoryOperationException("Adding access control entries is not supported.");
} else {
- NodeId id = getNodeId(path);
- return editor.addAccessControlEntry(id, principal, privileges);
+ return editor.addAccessControlEntry(absPath, principal, privileges);
}
}
@@ -383,17 +373,37 @@
*/
public void removeAccessControlEntry(String absPath, AccessControlEntry ace) throws PathNotFoundException, AccessControlException, AccessDeniedException, RepositoryException {
checkInitialized();
- Path path = getValidNodePath(absPath);
- checkPrivileges(path, PrivilegeRegistry.MODIFY_AC);
+ checkPrivileges(absPath, PrivilegeRegistry.MODIFY_AC);
if (editor == null) {
throw new UnsupportedRepositoryOperationException("Removal of access control entries is not supported.");
}
- NodeId id = getNodeId(path);
- if (!editor.removeAccessControlEntry(id, ace)) {
+ if (!editor.removeAccessControlEntry(absPath, ace)) {
throw new AccessControlException("AccessControlEntry " + ace + " has not been assigned though this API.");
}
}
+ //-------------------------------------< JackrabbitAccessControlManager >---
+ /**
+ * @see JackrabbitAccessControlManager#editPolicy(String)
+ */
+ public PolicyTemplate editPolicy(String absPath) throws AccessDeniedException, AccessControlException, RepositoryException {
+ checkInitialized();
+ checkPrivileges(absPath, PrivilegeRegistry.MODIFY_AC);
+ if (editor == null) {
+ throw new UnsupportedRepositoryOperationException("Editing of access control policies is not supported.");
+ }
+
+ return editor.editPolicyTemplate(absPath);
+ }
+
+ public PolicyTemplate editPolicy(Principal principal) throws AccessDeniedException, AccessControlException, UnsupportedRepositoryOperationException, RepositoryException {
+ checkInitialized();
+ if (editor == null) {
+ throw new UnsupportedRepositoryOperationException("Editing of access control policies is not supported.");
+ }
+ return editor.editPolicyTemplate(principal);
+ }
+
//---------------------------------------< AbstractAccessControlManager >---
/**
* @see AbstractAccessControlManager#checkInitialized()
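Review bot: `editPolicy(Principal principal)` delegates to `editor.editPolicyTemplate(principal)` without any privilege check, whereas `editPolicy(String)` directly above it calls `checkPrivileges(absPath, PrivilegeRegistry.MODIFY_AC)` first. The interface added in this commit documents an AccessDeniedException when the session lacks MODIFY_ACCESS_CONTROL, so unless the editor enforces that itself (not visible in this hunk) the principal-based variant returns an editable template to a session that was never checked. Either perform the check here against the node where the principal's policy is stored, or state that enforcement is the editor's job, e.g. `// no path is known at this level: the editor must check MODIFY_AC for the principal's policy node`. The method also lacks the `@see JackrabbitAccessControlManager#editPolicy(Principal)` Javadoc its sibling has.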
@@ -405,38 +415,45 @@
}
/**
- * @see AbstractAccessControlManager#getValidNodePath(String)
+ * @see AbstractAccessControlManager#checkValidNodePath(String)
*/
- protected Path getValidNodePath(String absPath) throws PathNotFoundException, RepositoryException {
+ protected void checkValidNodePath(String absPath) throws PathNotFoundException, RepositoryException {
Path p = resolver.getQPath(absPath);
if (!p.isAbsolute()) {
throw new RepositoryException("Absolute path expected.");
}
- if (hierMgr.resolveNodePath(p) != null) {
- return p;
- } else {
+ if (hierMgr.resolveNodePath(p) == null) {
throw new PathNotFoundException("No such node " + absPath);
}
}
/**
- * @see AbstractAccessControlManager#checkPrivileges(Path, int)
+ * @see AbstractAccessControlManager#checkPrivileges(String, int)
*/
- protected void checkPrivileges(Path absPath, int privileges) throws AccessDeniedException, RepositoryException {
+ protected void checkPrivileges(String absPath, int privileges) throws AccessDeniedException, RepositoryException {
+ checkValidNodePath(absPath);
if (!internalHasPrivileges(absPath, privileges)) {
- throw new AccessDeniedException("No privilege " + privileges + " at " + resolver.getJCRPath(absPath));
+ throw new AccessDeniedException("No privilege " + privileges + " at " + absPath);
}
}
//------------------------------------------------------------< private >---
- private boolean internalHasPrivileges(Path path, int privileges) throws RepositoryException {
- return (compiledPermissions.getPrivileges(path) | ~privileges) == -1;
+ /**
+ *
+ * @param absPath
+ * @param privileges
+ * @return
+ * @throws RepositoryException
+ */
+ private boolean internalHasPrivileges(String absPath, int privileges) throws RepositoryException {
+ Path p = resolver.getQPath(absPath);
+ return (compiledPermissions.getPrivileges(p) | ~privileges) == -1;
}
- private NodeId getNodeId(Path absPath) throws RepositoryException {
- NodeId id = hierMgr.resolveNodePath(absPath);
+ private NodeId getNodeId(String absPath) throws RepositoryException {
+ NodeId id = hierMgr.resolveNodePath(resolver.getQPath(absPath));
if (id == null) {
- throw new PathNotFoundException(resolver.getJCRPath(absPath));
+ throw new PathNotFoundException(absPath);
}
return id;
}
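Review bot: The Javadoc stub added on `internalHasPrivileges` is empty, and the bit test it guards decides every access control check in this class, so it should carry a real description, for example `Returns true only if every bit set in privileges is also set in the compiled permissions for absPath; (granted | ~privileges) == -1 is equivalent to (granted & privileges) == privileges.` Separately, `checkPrivileges` now parses the path twice, once in `checkValidNodePath` and again in `internalHasPrivileges` through `resolver.getQPath(absPath)`, and `getNodeId` parses it a third time for the effective-policy calls. Resolving once and passing the `Path` to a private overload would keep the existence check and the permission lookup on the same object. `getPrivileges` earlier in the file has the same double resolution.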
Added: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitAccessControlManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitAccessControlManager.java?rev=644215&view=auto
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitAccessControlManager.java (added)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitAccessControlManager.java Thu Apr 3 01:15:01 2008
@@ -0,0 +1,67 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security;
+
+import org.apache.jackrabbit.core.security.authorization.PolicyTemplate;
+import org.apache.jackrabbit.core.security.jsr283.security.AccessControlManager;
+import org.apache.jackrabbit.core.security.jsr283.security.AccessControlException;
+
+import javax.jcr.AccessDeniedException;
+import javax.jcr.RepositoryException;
+import javax.jcr.PathNotFoundException;
+import javax.jcr.UnsupportedRepositoryOperationException;
+import java.security.Principal;
+
+/**
+ * <code>JackrabbitAccessControlManager</code>...
+ */
+public interface JackrabbitAccessControlManager extends AccessControlManager {
+
+ /**
+ * Returns a policy template for the existing node at <code>absPath</code>.
+ *
+ * @return policy template for the node at <code>absPath</code>.
+ * @throws PathNotFoundException if no node exists for the given
+ * <code>nodePath</code>.
+ * @throws AccessDeniedException if the session lacks
+ * <code>MODIFY_ACCESS_CONTROL</code> privilege for the <code>absPath</code>
+ * node.
+ * @throws AccessControlException if this implementation does not allow to
+ * edit the policy at <code>absPath</code> of if same other access
+ * control related exception occurs.
+ * @throws UnsupportedRepositoryOperationException if editing the policy
+ * is not supported.
+ * @throws RepositoryException if another error occurs.
+ */
+ PolicyTemplate editPolicy(String absPath) throws PathNotFoundException, AccessDeniedException, AccessControlException, UnsupportedRepositoryOperationException, RepositoryException;
+
+ /**
+ * Returns a policy template for the specified <code>principal.</code>
+ *
+ * @return policy template for the specified <code>principal</code>.
+ * @throws AccessDeniedException if the session lacks
+ * <code>MODIFY_ACCESS_CONTROL</code> privilege.
+ * @throws AccessControlException if the specified principal does not exist,
+ * if this implementation does provide policy tempates for principals or
+ * if same other access control related exception occurs.
+ * @throws UnsupportedRepositoryOperationException if editing the policy
+ * is not supported.
+ * @throws RepositoryException if another error occurs.
+ */
+ PolicyTemplate editPolicy(Principal principal) throws AccessDeniedException, AccessControlException, UnsupportedRepositoryOperationException, RepositoryException;
+
+}
\ No newline at end of file
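Review bot: The Javadoc on `editPolicy(Principal)` says AccessControlException is thrown `if this implementation does provide policy tempates for principals`, which reads as the opposite of what is presumably meant; it should be `does not provide policy templates`. On `editPolicy(String)` the `@throws PathNotFoundException` text refers to `nodePath` although the parameter is `absPath`, both methods lack `@param` tags, and `of if same other` should be `or if some other`. Because this interface is the entry point for policy editing, the placeholder class comment `JackrabbitAccessControlManager...` should also state which privilege each method requires and whether the returned template only takes effect once it is passed to `setPolicy` (the latter is an assumption to confirm against the implementation).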
Propchange: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitAccessControlManager.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitAccessControlManager.java
------------------------------------------------------------------------------
svn:keywords = author date id revision url
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractAccessControlProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractAccessControlProvider.java?rev=644215&r1=644214&r2=644215&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractAccessControlProvider.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractAccessControlProvider.java Thu Apr 3 01:15:01 2008
@@ -19,17 +19,21 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.apache.jackrabbit.core.NodeId;
+import org.apache.jackrabbit.core.SessionImpl;
import org.apache.jackrabbit.core.security.jsr283.security.AccessControlPolicy;
import org.apache.jackrabbit.core.security.jsr283.security.AccessControlEntry;
import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
import org.apache.jackrabbit.core.security.SystemPrincipal;
import org.apache.jackrabbit.spi.Path;
+import org.apache.jackrabbit.spi.commons.conversion.NamePathResolver;
import javax.jcr.ItemNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
+import javax.jcr.observation.ObservationManager;
import java.util.Iterator;
import java.util.Set;
+import java.util.Map;
import java.security.Principal;
/**
@@ -42,7 +46,14 @@
private final String policyName;
private final String policyDesc;
- protected boolean initialized;
+ /**
+ * Returns the system session this provider has been created for.
+ */
+ protected SessionImpl session;
+ protected ObservationManager observationMgr;
+ protected NamePathResolver resolver;
+
+ private boolean initialized;
protected AbstractAccessControlProvider() {
this(AbstractAccessControlProvider.class.getName() + ": default Policy", null);
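Review bot: `session`, `observationMgr` and `resolver` are added as `protected` non-final fields, so any subclass can read or reassign the system session that backs access control evaluation; private fields with protected final getters would keep the reference from being swapped after `init`. The comment on `session` begins with `Returns`, which describes a method rather than a field; `The system session this provider has been initialized with.` fits better, and the other two fields have no comment at all. The constructor shown at the end of the hunk continues outside it.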
@@ -101,6 +112,29 @@
}
//----------------------------------------------< AccessControlProvider >---
+ /**
+ * Tests if the given <code>systemSession</code> is a SessionImpl and
+ * retrieves the observation manager. The it sets the internal 'initialized'
+ * field to true.
+ *
+ * @throws RepositoryException If the specified session is not a
+ * <code>SessionImpl</code> or if retrieving the observation manager fails.
+ * @see AccessControlProvider#init(Session, Map)
+ */
+ public void init(Session systemSession, Map options) throws RepositoryException {
+ if (initialized) {
+ throw new IllegalStateException("already initialized");
+ }
+ if (!(systemSession instanceof SessionImpl)) {
+ throw new RepositoryException("SessionImpl (system session) expected.");
+ }
+ session = (SessionImpl) systemSession;
+ observationMgr = systemSession.getWorkspace().getObservationManager();
+ resolver = (SessionImpl) systemSession;
+
+ initialized = true;
+ }
+
/**
* @see AccessControlProvider#close()
*/
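Review bot: `init` accepts any `SessionImpl`, although the exception text and the field comment both say a system session is expected; the `instanceof SessionImpl` test verifies the type only. If a provider were initialized with an ordinary user session, everything it reads through `session` would be limited to that user's own permissions, so either test for the system session explicitly or reword the message and Javadoc to match what is actually enforced. The Javadoc also has no `@param` tags and says `The it sets` for `Then it sets`, and `resolver = (SessionImpl) systemSession;` can simply be `resolver = session;`. The `initialized` test-and-set is unsynchronized, which is safe only if `init` is called from a single thread, and the comment should say so.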
Added: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyEntry.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyEntry.java?rev=644215&view=auto
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyEntry.java (added)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyEntry.java Thu Apr 3 01:15:01 2008
@@ -0,0 +1,143 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security.authorization;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.apache.jackrabbit.core.security.jsr283.security.Privilege;
+
+import java.security.Principal;
+
+/**
+ * Simple, immutable implementation of the
+ * {@link org.apache.jackrabbit.core.security.jsr283.security.AccessControlEntry}
+ * and the {@link PolicyEntry} interfaces.
+ */
+public abstract class AbstractPolicyEntry implements PolicyEntry {
+
+ private static Logger log = LoggerFactory.getLogger(AbstractPolicyEntry.class);
+
+ /**
+ * Privileges contained in this entry
+ */
+ private final int privileges;
+
+ /**
+ * if the actions contained are allowed or denied
+ */
+ private final boolean allow;
+
+ /**
+ * the Principal of this entry
+ */
+ private final Principal principal;
+
+ /**
+ * Hash code being calculated on demand.
+ */
+ private int hashCode = -1;
+
+ /**
+ * Construct an access control entry for the given principal, privileges and
+ * a polarity (deny or allow)
+ *
+ * @param principal
+ * @param privileges
+ * @param allow
+ */
+ protected AbstractPolicyEntry(Principal principal, int privileges, boolean allow) {
+ this.principal = principal;
+ this.privileges = privileges;
+ this.allow = allow;
+ }
+
+ /**
+ * Build the hash code.
+ *
+ * @return the hash code.
+ */
+ protected int buildHashCode() {
+ int h = 17;
+ h = 37 * h + principal.getName().hashCode();
+ h = 37 * h + privileges;
+ h = 37 * h + Boolean.valueOf(allow).hashCode();
+ return h;
+ }
+
+ //-------------------------------------------------< AccessControlEntry >---
+ /**
+ * @see org.apache.jackrabbit.core.security.jsr283.security.AccessControlEntry#getPrincipal()
+ */
+ public Principal getPrincipal() {
+ return principal;
+ }
+
+ /**
+ * @see org.apache.jackrabbit.core.security.jsr283.security.AccessControlEntry#getPrivileges()
+ */
+ public Privilege[] getPrivileges() {
+ return PrivilegeRegistry.getPrivileges(privileges);
+ }
+
+ //--------------------------------------------------------< PolicyEntry >---
+ /**
+ * @see PolicyEntry#isAllow()
+ */
+ public boolean isAllow() {
+ return allow;
+ }
+
+ /**
+ * @see PolicyEntry#getPrivilegeBits()
+ */
+ public int getPrivilegeBits() {
+ return privileges;
+ }
+
+ //-------------------------------------------------------------< Object >---
+ /**
+ * @see Object#hashCode()
+ */
+ public int hashCode() {
+ if (hashCode == -1) {
+ hashCode = buildHashCode();
+ }
+ return hashCode;
+ }
+
+ /**
+ * Returns true if the principal, the allow-flag and all privileges are
+ * equal / the same.
+ *
+ * @param obj
+ * @return
+ * @see Object#equals(Object)
+ */
+ public boolean equals(Object obj) {
+ if (obj == this) {
+ return true;
+ }
+
+ if (obj instanceof AbstractPolicyEntry) {
+ AbstractPolicyEntry tmpl = (AbstractPolicyEntry) obj;
+ return principal.getName().equals(tmpl.principal.getName()) &&
+ allow == tmpl.allow &&
+ privileges == tmpl.privileges;
+ }
+ return false;
+ }
+}
\ No newline at end of file
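Review bot: equals() and buildHashCode() identify the principal by `principal.getName()` only, and the move out of ACEImpl dropped the comment `// TODO: check again if comparing principal-name is sufficient` that marked this as unresolved, so entries for two different Principal implementations sharing a name compare equal. The type test is now `obj instanceof AbstractPolicyEntry`, which means entries of different subclasses can also compare equal unless every subclass that adds state overrides both equals() and buildHashCode(); the class Javadoc should state that requirement and the TODO should be kept above the comparison. The constructor accepts a null principal, which would only surface later as a NullPointerException from `principal.getName()`; `if (principal == null) throw new IllegalArgumentException("principal must not be null");` at the top of the constructor fails early instead. The `log` field is not used in this file and should at least be `private static final`.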
Propchange: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyEntry.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyEntry.java
------------------------------------------------------------------------------
svn:keywords = author date id revision url
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlEditor.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlEditor.java?rev=644215&r1=644214&r2=644215&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlEditor.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlEditor.java Thu Apr 3 01:15:01 2008
@@ -22,7 +22,9 @@
import org.apache.jackrabbit.core.security.jsr283.security.AccessControlEntry;
import javax.jcr.RepositoryException;
-import javax.jcr.ItemNotFoundException;
+import javax.jcr.UnsupportedRepositoryOperationException;
+import javax.jcr.PathNotFoundException;
+import javax.jcr.AccessDeniedException;
import java.security.Principal;
/**
@@ -44,20 +46,22 @@
* the scope of the PolicyTemplate it limited to the Node itself and does
* not take inherited elements into account.
*
- * @param id the id of the Node to retrievethe PolicyTemplate for.
+ * @param nodePath Absolute path to an existing node object.
* @return the PolicyTemplate or <code>null</code> no policy has been
* applied to the node before.
- * @throws AccessControlException If the Node identified by the given id does
- * not allow ACL modifications.
- * @throws ItemNotFoundException if no node exists for the given id.
+ * @throws AccessControlException If the Node identified by the given
+ * <code>nodePath</code> does not allow access control modifications (e.g.
+ * the node itself stores the access control information for its parent).
+ * @throws PathNotFoundException if no node exists for the given
+ * <code>nodePath</code>.
* @throws RepositoryException if an error occurs
*/
- PolicyTemplate getPolicyTemplate(NodeId id) throws AccessControlException, ItemNotFoundException, RepositoryException;
+ PolicyTemplate getPolicyTemplate(String nodePath) throws AccessControlException, PathNotFoundException, RepositoryException;
/**
- * Retrieves an editable policy template for the Node identified by the given
+ * Retrieves the policy template for the Node identified by the given
* <code>NodeId</code>. If the node does not yet have an policy set an
- * new (empty) template is created (see also {@link #getPolicyTemplate(NodeId)}.<br>
+ * new (empty) template is created (see also {@link #getPolicyTemplate(String)}.<br>
* The PolicyTemplate returned is detached from the underlying
* <code>AccessControlProvider</code> and is only an external
* representation. Modification will therefore not take effect, until it is
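Review bot: The Javadoc of editPolicyTemplate still describes the node as identified by the given `<code>NodeId</code>`, although the parameter is now `nodePath` and no method of the interface takes a NodeId any more. The same leftover wording, `identified by <code>id</code>`, remains in the next hunk on getAccessControlEntries, addAccessControlEntry and removeAccessControlEntry. Replacing these with `identified by the given <code>nodePath</code>` keeps the documented contract in line with the signatures. The Javadoc block of editPolicyTemplate continues outside this hunk.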
@@ -67,98 +71,120 @@
* the scope of the PolicyTemplate it limited to the Node itself and does
* never not take inherited elements into account.
*
- * @param id the id of the Node to retrieve (or create) the PolicyTemplate for.
- * @return the PolicyTemplate
- * @throws AccessControlException If the Node identified by the given id does
- * not allow ACL modifications.
- * @throws ItemNotFoundException if no node exists for the given id.
+ * @param nodePath Absolute path to an existing node object.
+ * @return policy template
+ * @throws AccessControlException If the Node identified by the given
+ * <code>nodePath</code> does not allow access control modifications.
+ * @throws PathNotFoundException if no node exists for the given
+ * <code>nodePath</code>.
* @throws RepositoryException if an error occurs
*/
- PolicyTemplate editPolicyTemplate(NodeId id) throws AccessControlException, ItemNotFoundException, RepositoryException;
+ PolicyTemplate editPolicyTemplate(String nodePath) throws AccessControlException, PathNotFoundException, RepositoryException;
+
+ /**
+ * Returns a policy template for the given <code>principal</code>.
+ *
+ * @return policy template for the specified <code>principal.</code>.
+ * @throws AccessControlException if the specified principal does not exist,
+ * if this implementation does provide policy tempates for principals or
+ * if same other access control related exception occurs.
+ * @throws RepositoryException if another error occurs.
+ */
+ PolicyTemplate editPolicyTemplate(Principal principal) throws AccessDeniedException, AccessControlException, RepositoryException;
/**
* Stores the policy template to the respective node.
*
- * @param id the id of the node to write the template for. Note, that a
- * {@link javax.jcr.Session#save()} is required to persist the changes. Upon
- * 'setPolicyTemplate' the modifications are applied in the transient space only.
+ * @param nodePath Absolute path to an existing node object.
* @param template the <code>PolicyTemplate</code> to store.
* @throws AccessControlException If the PolicyTemplate is <code>null</code> or
- * if it is not applicable to the Node identified by the given id.
- * @throws ItemNotFoundException if no node exists for the given id.
+ * if it is not applicable to the Node identified by the given
+ * <code>nodePath</code>.
+ * @throws PathNotFoundException if no node exists for the given
+ * <code>nodePath</code>.
* @throws RepositoryException if an other error occurs.
*/
- void setPolicyTemplate(NodeId id, PolicyTemplate template) throws AccessControlException, ItemNotFoundException, RepositoryException;
+ void setPolicyTemplate(String nodePath, PolicyTemplate template) throws AccessControlException, PathNotFoundException, RepositoryException;
/**
* Removes the template from the respective node.
*
- * @param id the id of the node to remove the acl from.
+ * @param nodePath Absolute path to an existing node object.
* @return the PolicyTemplate that has been remove or <code>null</code>
* if there was no policy to remove.
- * @throws AccessControlException If the Node identified by the given id
- * does not allow policy modifications.
- * @throws ItemNotFoundException if no node exists for the given id.
+ * @throws AccessControlException If the Node identified by the given
+ * <code>nodePath</code> does not allow policy modifications.
+ * @throws PathNotFoundException if no node exists for the given
+ * <code>nodePath</code>.
* @throws RepositoryException if an other error occurs
*/
- PolicyTemplate removePolicyTemplate(NodeId id) throws AccessControlException, ItemNotFoundException, RepositoryException;
+ PolicyTemplate removePolicyTemplate(String nodePath) throws AccessControlException, PathNotFoundException, RepositoryException;
/**
* Returns the access control entries present with the node
* identified by <code>id</code>, that have
- * been added using {@link #addAccessControlEntry(NodeId,Principal,Privilege[])}.
+ * been added using {@link #addAccessControlEntry(String,Principal,Privilege[])}.
* The implementation may return other entries, if they can be removed
- * using {@link #removeAccessControlEntry(NodeId,AccessControlEntry)}.
+ * using {@link #removeAccessControlEntry(String,AccessControlEntry)}.
*
- * @param id
+ * @param nodePath Absolute path to an existing node object.
* @return the (granting) access control entries present with the node
* identified by <code>id</code>.
* @throws AccessControlException
- * @throws ItemNotFoundException if no node exists for the given id.
+ * @throws PathNotFoundException if no node exists for the given
+ * <code>nodePath</code>.
+ * @throws UnsupportedRepositoryOperationException if only simple access
+ * control is supported.
* @throws RepositoryException
*/
- AccessControlEntry[] getAccessControlEntries(NodeId id) throws AccessControlException, ItemNotFoundException, RepositoryException;
+ AccessControlEntry[] getAccessControlEntries(String nodePath) throws AccessControlException, PathNotFoundException, UnsupportedRepositoryOperationException, RepositoryException;
/**
* Adds an access control entry to the node identified by
* <code>id</code>. An implementation that always keeps entries with an
* existing <code>AccessControlPolicy</code> may choose to treat this
- * method as short-cut for {@link #editPolicyTemplate(NodeId)} and
+ * method as short-cut for {@link #editPolicyTemplate(String)} and
* subsequent template modification.
* Note, that in addition an implementation may only allow granting
* ACEs as specified by JSR 283.
*
- * @param id
+ * @param nodePath Absolute path to an existing node object.
* @param principal
* @param privileges
* @return The entry that results from adding the specified
* privileges for the specified principal.
- * @throws AccessControlException If the Node identified by the given id
+ * @throws AccessControlException If the Node identified by the given nodePath.
* does not allow access control modifications, if the principal does not
* exist or if any of the specified privileges is unknown.
- * @throws ItemNotFoundException if no node exists for the given id.
+ * @throws PathNotFoundException if no node exists for the given
+ * <code>nodePath</code>.
+ * @throws UnsupportedRepositoryOperationException if only simple access
+ * control is supported.
* @throws RepositoryException if an other error occurs
*/
- AccessControlEntry addAccessControlEntry(NodeId id, Principal principal, Privilege[] privileges) throws AccessControlException, ItemNotFoundException, RepositoryException;
+ AccessControlEntry addAccessControlEntry(String nodePath, Principal principal, Privilege[] privileges) throws AccessControlException, PathNotFoundException, UnsupportedRepositoryOperationException, RepositoryException;
/**
* Removes the access control entry represented by the given
* <code>template</code> from the node identified by
* <code>id</code>. An implementation that always keeps entries with an
* existing <code>AccessControlPolicy</code> may choose to treat this
- * method as short-cut for {@link #getPolicyTemplate(NodeId)} and
+ * method as short-cut for {@link #getPolicyTemplate(String)} and
* subsequent template modification.
* Note that only <code>PolicyEntry</code>s accessible through
- * {@link #getAccessControlEntries(NodeId)} can be removed by this call.
+ * {@link #getAccessControlEntries(String)} can be removed by this call.
*
- * @param id
- * @param entry
+ * @param nodePath Absolute path to an existing node object.
+ * @param entry The access control entry to be removed.
* @return true if entry was contained could be successfully removed.
* @throws AccessControlException If an access control specific exception
* occurs (e.g. invalid entry implementation, entry cannot be removed
* by this call, etc.).
- * @throws ItemNotFoundException if no node exists for the given id.
+ * @throws PathNotFoundException if no node exists for the given
+ * <code>nodePath</code>.
+ * @throws UnsupportedRepositoryOperationException if only simple access
+ * control is supported.
* @throws RepositoryException if another error occurs.
*/
- boolean removeAccessControlEntry(NodeId id, AccessControlEntry entry) throws AccessControlException, ItemNotFoundException, RepositoryException;
+ boolean removeAccessControlEntry(String nodePath, AccessControlEntry entry) throws AccessControlException, PathNotFoundException, UnsupportedRepositoryOperationException, RepositoryException;
}
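Review bot: The Javadoc of the new `editPolicyTemplate(Principal principal)` appears to state the opposite of what is meant: `if this implementation does provide policy tempates for principals` should presumably read `if this implementation does not provide policy templates for principals`, which matches ACLEditor in this commit always throwing AccessControlException from that method. The method also declares `AccessDeniedException` without a matching `@throws` line and has no `@param principal`, so a caller cannot tell which exception signals a missing permission and which an unsupported operation. In setPolicyTemplate the removed `@param id` text was the only place stating that `Session#save()` is required to persist the change; if that still holds, the sentence belongs in the method description rather than being dropped.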
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PolicyEntry.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PolicyEntry.java?rev=644215&r1=644214&r2=644215&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PolicyEntry.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PolicyEntry.java Thu Apr 3 01:15:01 2008
@@ -31,6 +31,12 @@
*/
boolean isAllow();
+ /**
+ * @return the int representation of the privileges defined for this entry.
+ * @see #getPrivileges()
+ */
+ int getPrivilegeBits();
+
// TODO: eventually add
// String getNodePath();
// String getGlob();
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PolicyTemplate.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PolicyTemplate.java?rev=644215&r1=644214&r2=644215&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PolicyTemplate.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PolicyTemplate.java Thu Apr 3 01:15:01 2008
@@ -31,6 +31,13 @@
public interface PolicyTemplate extends AccessControlPolicy {
/**
+ * Returns the path of the node this template has been created for.
+ *
+ * @return the path of the node this template has been created for.
+ */
+ String getPath();
+
+ /**
* Returns <code>true</code> if this template does not yet define any
* entries.
*
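Review bot: The Javadoc of getPath() does not say what is returned for a template that is not bound to a node. This commit also adds `editPolicyTemplate(Principal)` to AccessControlEditor, so a template created for a principal may have no node path. The `@return` line should state whether `null` is a possible result, so that callers using the path to decide where a policy applies do not have to guess.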
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACEImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACEImpl.java?rev=644215&r1=644214&r2=644215&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACEImpl.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACEImpl.java Thu Apr 3 01:15:01 2008
@@ -16,40 +16,14 @@
*/
package org.apache.jackrabbit.core.security.authorization.acl;
-import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
-import org.apache.jackrabbit.core.security.authorization.PolicyEntry;
-import org.apache.jackrabbit.core.security.jsr283.security.Privilege;
+import org.apache.jackrabbit.core.security.authorization.AbstractPolicyEntry;
import java.security.Principal;
/**
- * Simple, immutable implementation of the
- * {@link org.apache.jackrabbit.core.security.jsr283.security.AccessControlEntry}
- * and the {@link PolicyEntry} interfaces.
- *
- * @see PolicyEntry
+ * <code>ACEImpl</code>
*/
-class ACEImpl implements PolicyEntry {
-
- /**
- * Privileges contained in this entry
- */
- private final int privileges;
-
- /**
- * if the actions contained are allowed or denied
- */
- private final boolean allow;
-
- /**
- * the Principal of this entry
- */
- private final Principal principal;
-
- /**
- * Hash code being calculated on demand.
- */
- private final int hashCode;
+class ACEImpl extends AbstractPolicyEntry {
/**
* Construct an access control entry for the given principal, privileges and
@@ -60,76 +34,6 @@
* @param allow
*/
ACEImpl(Principal principal, int privileges, boolean allow) {
- this.principal = principal;
- this.privileges = privileges;
- this.allow = allow;
-
- int h = 17;
- h = 37 * h + principal.getName().hashCode();
- h = 37 * h + privileges;
- h = 37 * h + Boolean.valueOf(allow).hashCode();
- hashCode = h;
- }
-
- /**
- * @return the int representation of the privileges defined for this entry.
- * @see #getPrivileges()
- */
- int getPrivilegeBits() {
- return privileges;
- }
-
- //-------------------------------------------------< AccessControlEntry >---
- /**
- * @see org.apache.jackrabbit.core.security.jsr283.security.AccessControlEntry#getPrincipal()
- */
- public Principal getPrincipal() {
- return principal;
- }
-
- /**
- * @see org.apache.jackrabbit.core.security.jsr283.security.AccessControlEntry#getPrivileges()
- */
- public Privilege[] getPrivileges() {
- return PrivilegeRegistry.getPrivileges(privileges);
- }
-
- //--------------------------------------------------------< PolicyEntry >---
- /**
- * @see PolicyEntry#isAllow()
- */
- public boolean isAllow() {
- return allow;
- }
-
- //-------------------------------------------------------------< Object >---
- /**
- * @see Object#hashCode()
- */
- public int hashCode() {
- return hashCode;
- }
-
- /**
- * Returns true if the principal, the allow-flag and all privileges are
- * equal / the same.
- *
- * @param obj
- * @return
- * @see Object#equals(Object)
- */
- public boolean equals(Object obj) {
- if (obj == this) {
- return true;
- }
-
- if (obj instanceof ACEImpl) {
- ACEImpl tmpl = (ACEImpl) obj;
- // TODO: check again if comparing principal-name is sufficient
- return principal.getName().equals(tmpl.principal.getName()) &&
- allow == tmpl.allow &&
- privileges == tmpl.privileges;
- }
- return false;
+ super(principal, privileges, allow);
}
}
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLEditor.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLEditor.java?rev=644215&r1=644214&r2=644215&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLEditor.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLEditor.java Thu Apr 3 01:15:01 2008
@@ -17,7 +17,6 @@
package org.apache.jackrabbit.core.security.authorization.acl;
import org.apache.jackrabbit.core.SessionImpl;
-import org.apache.jackrabbit.core.NodeId;
import org.apache.jackrabbit.core.NodeImpl;
import org.apache.jackrabbit.core.SecurityItemModifier;
import org.apache.jackrabbit.core.security.authorization.AccessControlEditor;
@@ -38,9 +37,10 @@
import javax.jcr.Session;
import javax.jcr.RepositoryException;
import javax.jcr.Node;
-import javax.jcr.ItemNotFoundException;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
+import javax.jcr.PathNotFoundException;
+import javax.jcr.AccessDeniedException;
import java.security.Principal;
import java.util.List;
import java.util.ArrayList;
@@ -60,7 +60,7 @@
*/
private static final String DEFAULT_PERMISSION_NAME = "permission";
- private final SessionImpl session;
+ protected final SessionImpl session;
private final PrincipalManager principalManager;
protected ACLEditor(Session editingSession) throws RepositoryException {
@@ -74,13 +74,14 @@
//------------------------------------------------< AccessControlEditor >---
/**
- * @see AccessControlEditor#getPolicyTemplate(NodeId)
+ * @see AccessControlEditor#getPolicyTemplate(String)
+ * @param nodePath
*/
- public PolicyTemplate getPolicyTemplate(NodeId id) throws AccessControlException, ItemNotFoundException, RepositoryException {
- checkProtectsNode(id);
+ public PolicyTemplate getPolicyTemplate(String nodePath) throws AccessControlException, PathNotFoundException, RepositoryException {
+ checkProtectsNode(nodePath);
PolicyTemplate tmpl = null;
- NodeImpl aclNode = getAclNode(id);
+ NodeImpl aclNode = getAclNode(nodePath);
if (aclNode != null) {
tmpl = new ACLTemplate(aclNode, Collections.EMPTY_SET);
}
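Review bot: With a path instead of a NodeId, `checkProtectsNode(nodePath)` and `getAclNode(nodePath)` each look the node up again through `getNode(nodePath)`, so the protects-node check and the later read are not tied to the same node object if the item at that path changes in between. Resolving once with `NodeImpl node = getNode(nodePath);` and passing `node` to the private helpers would bind the check to the node that is actually read or modified. The same pattern is in editPolicyTemplate, removePolicyTemplate and setPolicyTemplate in the following hunks, the last of which resolves the path a third time in `createAclNode(nodePath)`. The added `@param nodePath` tags also carry no description, and the body of getPolicyTemplate ends outside this hunk.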
@@ -88,15 +89,16 @@
}
/**
- * @see AccessControlEditor#editPolicyTemplate(NodeId)
+ * @see AccessControlEditor#editPolicyTemplate(String)
+ * @param nodePath
*/
- public PolicyTemplate editPolicyTemplate(NodeId id) throws AccessControlException, ItemNotFoundException, RepositoryException {
- checkProtectsNode(id);
+ public PolicyTemplate editPolicyTemplate(String nodePath) throws AccessControlException, PathNotFoundException, RepositoryException {
+ checkProtectsNode(nodePath);
PolicyTemplate tmpl;
- NodeImpl aclNode = getAclNode(id);
+ NodeImpl aclNode = getAclNode(nodePath);
if (aclNode == null) {
- tmpl = new ACLTemplate();
+ tmpl = new ACLTemplate(nodePath);
} else {
tmpl = new ACLTemplate(aclNode, Collections.EMPTY_SET);
}
@@ -104,12 +106,19 @@
}
/**
- * @see AccessControlEditor#setPolicyTemplate(NodeId, PolicyTemplate)
+ * @see AccessControlEditor#editPolicyTemplate(Principal)
*/
- public void setPolicyTemplate(NodeId id, PolicyTemplate template) throws RepositoryException {
- checkProtectsNode(id);
+ public PolicyTemplate editPolicyTemplate(Principal principal) throws AccessDeniedException, AccessControlException, RepositoryException {
+ throw new AccessControlException("Unable to edit policy for principal " + principal.getName());
+ }
+
+ /**
+ * @see AccessControlEditor#setPolicyTemplate(String,PolicyTemplate)
+ */
+ public void setPolicyTemplate(String nodePath, PolicyTemplate template) throws RepositoryException {
+ checkProtectsNode(nodePath);
- NodeImpl aclNode = getAclNode(id);
+ NodeImpl aclNode = getAclNode(nodePath);
/* in order to assert that the parent (ac-controlled node) gets modified
an existing ACL node is removed first and the recreated.
this also asserts that all ACEs are cleared without having to
@@ -119,7 +128,7 @@
removeSecurityItem(aclNode);
}
// now (re) create it
- aclNode = createAclNode(id);
+ aclNode = createAclNode(nodePath);
PolicyEntry[] entries = template.getEntries();
for (int i = 0; i < entries.length; i++) {
@@ -141,13 +150,13 @@
}
/**
- * @see AccessControlEditor#removePolicyTemplate(NodeId)
+ * @see AccessControlEditor#removePolicyTemplate(String)
*/
- public PolicyTemplate removePolicyTemplate(NodeId id) throws AccessControlException, RepositoryException {
- checkProtectsNode(id);
+ public PolicyTemplate removePolicyTemplate(String nodePath) throws AccessControlException, RepositoryException {
+ checkProtectsNode(nodePath);
PolicyTemplate tmpl = null;
- NodeImpl aclNode = getAclNode(id);
+ NodeImpl aclNode = getAclNode(nodePath);
if (aclNode != null) {
// need to build the template in order to have a return value.
tmpl = new ACLTemplate(aclNode, Collections.EMPTY_SET);
@@ -157,10 +166,10 @@
}
/**
- * @see AccessControlEditor#getAccessControlEntries(NodeId)
+ * @see AccessControlEditor#getAccessControlEntries(String)
*/
- public AccessControlEntry[] getAccessControlEntries(NodeId id) throws AccessControlException, ItemNotFoundException, RepositoryException {
- PolicyTemplate pt = getPolicyTemplate(id);
+ public AccessControlEntry[] getAccessControlEntries(String nodePath) throws AccessControlException, PathNotFoundException, RepositoryException {
+ PolicyTemplate pt = getPolicyTemplate(nodePath);
if (pt == null) {
return new AccessControlEntry[0];
} else {
@@ -176,15 +185,15 @@
}
/**
- * @see AccessControlEditor#addAccessControlEntry(NodeId,Principal,Privilege[])
+ * @see AccessControlEditor#addAccessControlEntry(String,Principal,Privilege[])
*/
- public AccessControlEntry addAccessControlEntry(NodeId id, Principal principal, Privilege[] privileges) throws AccessControlException, ItemNotFoundException, RepositoryException {
+ public AccessControlEntry addAccessControlEntry(String nodePath, Principal principal, Privilege[] privileges) throws AccessControlException, PathNotFoundException, RepositoryException {
// JSR 283 requires that the principal is known TODO: check again.
if (!principalManager.hasPrincipal(principal.getName())) {
throw new AccessControlException("Principal " + principal.getName() + " does not exist.");
}
- ACLTemplate pt = (ACLTemplate) editPolicyTemplate(id);
+ ACLTemplate pt = (ACLTemplate) editPolicyTemplate(nodePath);
// TODO: check again. maybe these 'grant-ACE' should be stored/evaluated separated
int privs = PrivilegeRegistry.getBits(privileges);
/*
@@ -202,7 +211,7 @@
}
pt.setEntry(new ACEImpl(principal, privs, true));
- setPolicyTemplate(id, pt);
+ setPolicyTemplate(nodePath, pt);
ACEImpl[] tmpls = pt.getEntries(principal);
for (int i = 0; i < tmpls.length; i++) {
if (tmpls[i].isAllow()) {
@@ -215,17 +224,17 @@
/**
- * @see AccessControlEditor#removeAccessControlEntry(NodeId,AccessControlEntry)
+ * @see AccessControlEditor#removeAccessControlEntry(String,AccessControlEntry)
*/
- public boolean removeAccessControlEntry(NodeId id, AccessControlEntry entry) throws AccessControlException, ItemNotFoundException, RepositoryException {
+ public boolean removeAccessControlEntry(String nodePath, AccessControlEntry entry) throws AccessControlException, PathNotFoundException, RepositoryException {
if (!(entry instanceof ACEImpl)) {
throw new AccessControlException("Unknown AccessControlEntry implementation.");
}
// TODO: check again. maybe these 'grant-ACE' should be removed separated
- PolicyTemplate pt = editPolicyTemplate(id);
+ PolicyTemplate pt = editPolicyTemplate(nodePath);
boolean removed = pt.removeEntry((ACEImpl) entry);
if (removed) {
- setPolicyTemplate(id, pt);
+ setPolicyTemplate(nodePath, pt);
}
return removed;
}
@@ -236,31 +245,42 @@
* defining content. It this case setting or modifying an AC-policy is
* obviously not possible.
*
- * @param id
+ * @param nodePath
* @throws AccessControlException If the given id identifies a Node that
* represents a ACL or ACE item.
* @throws RepositoryException
*/
- private void checkProtectsNode(NodeId id) throws RepositoryException {
- NodeImpl node = session.getNodeById(id);
+ private void checkProtectsNode(String nodePath) throws RepositoryException {
+ NodeImpl node = getNode(nodePath);
if (ACLProvider.protectsNode(node)) {
- throw new AccessControlException("Node " + id + " defines ACL or ACE itself.");
+ throw new AccessControlException("Node " + nodePath + " defines ACL or ACE itself.");
}
}
/**
+ *
+ * @param path
+ * @return
+ * @throws PathNotFoundException
+ * @throws RepositoryException
+ */
+ private NodeImpl getNode(String path) throws PathNotFoundException, RepositoryException {
+ return (NodeImpl) session.getNode(path);
+ }
+
+ /**
* Returns the rep:Policy node below the Node identified by the given
* id or <code>null</code> if the node is not mix:AccessControllable
* or if no policy node exists.
*
- * @param id
+ * @param nodePath
* @return node or <code>null</code>
- * @throws ItemNotFoundException
+ * @throws PathNotFoundException
* @throws RepositoryException
*/
- private NodeImpl getAclNode(NodeId id) throws ItemNotFoundException, RepositoryException {
+ private NodeImpl getAclNode(String nodePath) throws PathNotFoundException, RepositoryException {
NodeImpl aclNode = null;
- NodeImpl protectedNode = session.getNodeById(id);
+ NodeImpl protectedNode = getNode(nodePath);
if (ACLProvider.isAccessControlled(protectedNode)) {
aclNode = protectedNode.getNode(N_POLICY);
}
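Review bot: The new private `getNode(String path)` is added with an empty Javadoc template: no summary, and `@param path`, `@return` and both `@throws` tags without text. A one-line summary such as `Returns the node at the given path of this editor's session, cast to NodeImpl.` plus `@throws PathNotFoundException if no node exists at <code>path</code>` would document what the helper does. The Javadoc of checkProtectsNode and getAclNode in this hunk still speaks of `the given id` and should say `nodePath`. The body of getAclNode continues outside this hunk.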
@@ -269,12 +289,12 @@
/**
*
- * @param id
+ * @param nodePath
* @return
* @throws RepositoryException
*/
- private NodeImpl createAclNode(NodeId id) throws RepositoryException {
- NodeImpl protectedNode = session.getNodeById(id);
+ private NodeImpl createAclNode(String nodePath) throws RepositoryException {
+ NodeImpl protectedNode = getNode(nodePath);
if (!protectedNode.isNodeType(NT_REP_ACCESS_CONTROLLABLE)) {
protectedNode.addMixin(NT_REP_ACCESS_CONTROLLABLE);
}
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java?rev=644215&r1=644214&r2=644215&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java Thu Apr 3 01:15:01 2008
@@ -19,9 +19,9 @@
import org.apache.jackrabbit.core.NodeId;
import org.apache.jackrabbit.core.NodeImpl;
import org.apache.jackrabbit.core.PropertyImpl;
-import org.apache.jackrabbit.core.SessionImpl;
import org.apache.jackrabbit.core.security.SecurityConstants;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
+import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.core.security.authorization.AbstractAccessControlProvider;
import org.apache.jackrabbit.core.security.authorization.AbstractCompiledPermissions;
import org.apache.jackrabbit.core.security.authorization.AccessControlConstants;
@@ -50,7 +50,6 @@
import javax.jcr.observation.Event;
import javax.jcr.observation.EventIterator;
import javax.jcr.observation.EventListener;
-import javax.jcr.observation.ObservationManager;
import javax.jcr.query.Query;
import javax.jcr.query.QueryManager;
import java.security.Principal;
@@ -91,49 +90,32 @@
*/
private static final Logger log = LoggerFactory.getLogger(ACLProvider.class);
- /**
- * the system session that accesses the workspace
- */
- private SessionImpl systemSession;
-
private AccessControlEditor systemEditor;
- private ObservationManager obsMgr;
-
/**
* The node id of the root node
*/
private NodeId rootNodeId;
- private String jcrRepPolicy;
+ private String policyNodeName;
//----------------------------------------------< AccessControlProvider >---
/**
* @see AccessControlProvider#init(Session, Map)
*/
public void init(Session systemSession, Map options) throws RepositoryException {
- if (initialized) {
- throw new IllegalStateException("already initialized");
- }
- if (!(systemSession instanceof SessionImpl)) {
- throw new RepositoryException("SessionImpl (system session) expected.");
- }
+ super.init(systemSession, options);
// make sure the workspace of the given systemSession has a
// minimal protection on the root node.
- SessionImpl sImpl = (SessionImpl) systemSession;
- NodeImpl root = (NodeImpl) sImpl.getRootNode();
+ NodeImpl root = (NodeImpl) session.getRootNode();
rootNodeId = root.getNodeId();
- jcrRepPolicy = "/" + sImpl.getJCRName(N_POLICY);
- systemEditor = new ACLEditor(sImpl);
+ policyNodeName = resolver.getJCRName(N_POLICY);
+ systemEditor = new ACLEditor(systemSession);
if (!isAccessControlled(root)) {
- initRootACL(sImpl, rootNodeId);
+ initRootACL(session, systemEditor);
}
-
- this.systemSession = sImpl;
- obsMgr = sImpl.getWorkspace().getObservationManager();
- initialized = true;
}
/**
@@ -246,12 +228,12 @@
*/
private ACLImpl getACL(NodeId nodeId, Set principalNameFilter) throws ItemNotFoundException, RepositoryException {
// -> build the acl for the Node identified by 'id'
- NodeImpl node = systemSession.getNodeById(nodeId);
+ NodeImpl node = session.getNodeById(nodeId);
ACLImpl acl;
// check for special ACL building item
if (protectsNode(node)) {
NodeImpl parentNode;
- if (node.isNodeType(ACLEditor.NT_REP_ACL)) {
+ if (node.isNodeType(NT_REP_ACL)) {
parentNode = (NodeImpl) node.getParent();
} else {
parentNode = (NodeImpl) node.getParent().getParent();
@@ -299,7 +281,7 @@
ACLImpl acl;
if (isAccessControlled(node)) {
// build acl from access controlled node
- NodeImpl aclNode = node.getNode(ACLEditor.N_POLICY);
+ NodeImpl aclNode = node.getNode(N_POLICY);
PolicyTemplate tmpl = new ACLTemplate(aclNode, principalNameFilter);
List localEntries = Arrays.asList(tmpl.getEntries());
@@ -328,10 +310,11 @@
* @param session to the workspace to set-up inital ACL to
* @throws RepositoryException
*/
- private void initRootACL(SessionImpl session, NodeId rootId) throws RepositoryException {
+ private static void initRootACL(JackrabbitSession session, AccessControlEditor editor) throws RepositoryException {
try {
log.info("Install initial ACL:...");
- PolicyTemplate tmpl = systemEditor.editPolicyTemplate(rootId);
+ String rootPath = session.getRootNode().getPath();
+ PolicyTemplate tmpl = editor.editPolicyTemplate(rootPath);
PrincipalManager pMgr = session.getPrincipalManager();
log.info("... Privilege.ALL for administrators.");
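Review bot: The Javadoc above `initRootACL` documents `session` but not the new `editor` parameter that replaces the `systemEditor` field now that the method is static. Add `@param editor editor used to read and write the policy template of the root node`. The method body starts inside this hunk and continues in the next one, where `editor.setPolicyTemplate(rootPath, tmpl)` is called.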
@@ -352,7 +335,7 @@
entr = new ACEImpl(everyone, PrivilegeRegistry.READ, true);
tmpl.setEntry(entr);
- systemEditor.setPolicyTemplate(rootId, tmpl);
+ editor.setPolicyTemplate(rootPath, tmpl);
session.save();
log.info("... done.");
@@ -366,9 +349,9 @@
/**
* Test if the given node is access controlled. The node is access
* controlled if it is of nodetype
- * {@link ACLEditor#NT_REP_ACCESS_CONTROLLABLE "rep:AccessControllable"}
+ * {@link AccessControlConstants#NT_REP_ACCESS_CONTROLLABLE "rep:AccessControllable"}
* and if it has a child node named
- * {@link ACLEditor#N_POLICY "rep:ACL"}.
+ * {@link AccessControlConstants#N_POLICY "rep:ACL"}.
*
* @param node
* @return <code>true</code> if the node is access controlled;
@@ -376,7 +359,7 @@
* @throws RepositoryException
*/
static boolean isAccessControlled(NodeImpl node) throws RepositoryException {
- return node.isNodeType(ACLEditor.NT_REP_ACCESS_CONTROLLABLE) && node.hasNode(ACLEditor.N_POLICY);
+ return node.isNodeType(NT_REP_ACCESS_CONTROLLABLE) && node.hasNode(N_POLICY);
}
/**
@@ -387,7 +370,7 @@
* @throws RepositoryException
*/
static boolean protectsNode(NodeImpl node) throws RepositoryException {
- return node.isNodeType(ACLEditor.NT_REP_ACL) || node.isNodeType(ACLEditor.NT_REP_ACE);
+ return node.isNodeType(NT_REP_ACL) || node.isNodeType(NT_REP_ACE);
}
//------------------------------------------------< CompiledPermissions >---
@@ -423,10 +406,10 @@
*/
int events = Event.PROPERTY_CHANGED | Event.NODE_ADDED | Event.NODE_REMOVED;
String[] ntNames = new String[] {
- systemSession.getJCRName(NT_REP_ACE),
- systemSession.getJCRName(NT_REP_ACL)
+ resolver.getJCRName(NT_REP_ACE),
+ resolver.getJCRName(NT_REP_ACL)
};
- obsMgr.addEventListener(this, events, systemSession.getRootNode().getPath(), true, null, ntNames, true);
+ observationMgr.addEventListener(this, events, session.getRootNode().getPath(), true, null, ntNames, true);
}
/**
@@ -438,10 +421,10 @@
*/
private boolean readAllowedEveryWhere(Set principalnames) {
try {
- QueryManager qm = systemSession.getWorkspace().getQueryManager();
+ QueryManager qm = session.getWorkspace().getQueryManager();
StringBuffer stmt = new StringBuffer("/jcr:root");
stmt.append("//element(*,");
- stmt.append(systemSession.getJCRName(NT_REP_DENY_ACE));
+ stmt.append(resolver.getJCRName(NT_REP_DENY_ACE));
stmt.append(")[");
// where the rep:principalName property exactly matches any of
@@ -450,7 +433,7 @@
Iterator itr = principalnames.iterator();
while (itr.hasNext()) {
stmt.append("@");
- String pName = systemSession.getJCRName(P_PRINCIPAL_NAME);
+ String pName = resolver.getJCRName(P_PRINCIPAL_NAME);
stmt.append(ISO9075.encode(pName));
stmt.append("='").append(itr.next().toString()).append("'");
if (++i < principalnames.size()) {
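Review bot: Principal names are concatenated into the XPath statement between single quotes without any escaping, at `stmt.append("='").append(itr.next().toString()).append("'")`. A name that contains an apostrophe produces a malformed or differently scoped predicate, and this query feeds the decision whether READ can be granted everywhere. Double the apostrophe before appending, `stmt.append("='").append(itr.next().toString().replaceAll("'", "''")).append("'")`, and add a test with such a principal name. The enclosing loop and the handling of a failed query lie outside this hunk, so the effect of a query error cannot be confirmed from here.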
@@ -459,7 +442,7 @@
}
// AND rep:privileges contains the READ privilege
stmt.append(" and jcr:like(@");
- String pName = systemSession.getJCRName(P_PRIVILEGES);
+ String pName = resolver.getJCRName(P_PRIVILEGES);
stmt.append(ISO9075.encode(pName));
stmt.append(",'%").append(Privilege.READ).append("%')");
stmt.append("]");
@@ -490,17 +473,30 @@
*/
protected Result buildResult(Path absPath) throws RepositoryException {
boolean existingNode = false;
- NodeId nid;
- String jcrPath = systemSession.getJCRPath(absPath);
- if (systemSession.nodeExists(jcrPath)) {
- nid = systemSession.getHierarchyManager().resolveNodePath(absPath);
+ NodeId nid = null;
+ String jcrPath = resolver.getJCRPath(absPath);
+
+ if (session.nodeExists(jcrPath)) {
+ nid = session.getHierarchyManager().resolveNodePath(absPath);
existingNode = true;
} else {
// path points to existing prop or non-existing item (node or prop).
- nid = systemSession.getHierarchyManager().resolveNodePath(absPath.getAncestor(1));
+ // -> find the nearest persisted node
+ Path parentPath = absPath.getAncestor(1);
+ while (nid == null) {
+ nid = session.getHierarchyManager().resolveNodePath(parentPath);
+ if (parentPath.getDepth() == 1) {
+ // root-node reached
+ break;
+ } else {
+ parentPath = parentPath.getAncestor(1);
+ }
+ }
}
+
if (nid == null) {
- throw new ItemNotFoundException("No item exists at " + absPath + " nor at its direct ancestor.");
+ // should never get here
+ throw new ItemNotFoundException("Item out of hierarchy.");
}
// build the ACL for the specified principals at path or at the
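Review bot: The new ancestor walk in `buildResult` stops at `parentPath.getDepth() == 1` with the comment "root-node reached", but if the root path has depth 0 in this `Path` implementation the loop ends at a top-level child and never tries the root itself. In that case a path below a non-existing top-level node would fall into the "should never get here" branch. Testing the root explicitly, `if (parentPath.denotesRoot()) { break; }`, makes the intent unambiguous. The replacement message `"Item out of hierarchy."` also no longer names `absPath`, which makes that failure harder to trace in logs. The method continues in the following hunk.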
@@ -508,14 +504,14 @@
ACLImpl acl = getACL(nid, principalNames);
// privileges to expose
- int privileges = (existingNode) ? acl.getPrivileges() : PrivilegeRegistry.NO_PRIVILEGE;
+ int privileges = acl.getPrivileges();
// calculate the permissions
int permissions;
- if (existingNode || systemSession.propertyExists(jcrPath)) {
- permissions = acl.getPermissions(systemSession.getItem(jcrPath));
+ if (existingNode || session.propertyExists(jcrPath)) {
+ permissions = acl.getPermissions(session.getItem(jcrPath));
} else {
- String name = systemSession.getJCRName(absPath.getNameElement().getName());
+ String name = resolver.getJCRName(absPath.getNameElement().getName());
permissions = acl.getPermissions(name);
}
return new Result(permissions, privileges);
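Review bot: The comment `// privileges to expose` no longer explains where `privileges` comes from for a path that does not exist. For such a path `acl` was built from the nearest existing ancestor found by the loop in the previous hunk, so `acl.getPrivileges()` now reports that ancestor's privileges where the old code reported `PrivilegeRegistry.NO_PRIVILEGE`. That is a change in what an authorization result exposes and should be stated at the assignment, e.g. `// for a non-existing item these are the privileges of the nearest existing ancestor`. A test that pins the result for a non-existing path would keep it from changing silently again.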
@@ -527,7 +523,7 @@
*/
public void close() {
try {
- obsMgr.removeEventListener(this);
+ observationMgr.removeEventListener(this);
} catch (RepositoryException e) {
log.error("Internal error: ", e.getMessage());
}
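Review bot: In `close()`, `log.error("Internal error: ", e.getMessage())` resolves to the SLF4J format overload, and the format string has no `{}` placeholder, so the message is dropped and no stack trace is written. A failure to remove the observation listener of an access control provider should leave a usable trace. Pass the exception itself: `log.error("Internal error: ", e);`.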
@@ -545,7 +541,7 @@
// common check
if (permissions == Permission.READ && readAllowed &&
/* easy check if path doesn't point to AC-content */
- systemSession.getJCRPath(absPath).indexOf(jcrRepPolicy) == -1) {
+ resolver.getJCRPath(absPath).indexOf(policyNodeName) == -1) {
return true;
}
return super.grants(absPath, permissions);
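Review bot: The READ shortcut at `resolver.getJCRPath(absPath).indexOf(policyNodeName) == -1` is a plain substring test on the whole path. Since `policyNodeName` no longer carries the leading "/" that `jcrRepPolicy` had, it now also matches the policy name inside a longer node or property name. The mismatch falls through to `super.grants`, so it errs toward the full evaluation, but the existing comment "easy check" does not say that. Something like `/* substring test: may also match unrelated names, which only costs the full check below */` would stop a later change from tightening it in the unsafe direction. The method starts outside this hunk.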
@@ -573,7 +569,7 @@
case Event.NODE_ADDED:
// test if the new ACE-nodes affects the permission
// of any of the 'principals'.
- NodeImpl n = (NodeImpl) systemSession.getNode(path);
+ NodeImpl n = (NodeImpl) session.getNode(path);
String pName = n.getProperty(P_PRINCIPAL_NAME).getString();
if (principalNames.contains(pName)) {
// new ACE entry for the principals -> clear cache
@@ -598,7 +594,7 @@
// test if the changed ACE_prop affects the permission
// of any of the 'principals' (most interesting are
// changed privileges.
- PropertyImpl p = (PropertyImpl) systemSession.getProperty(path);
+ PropertyImpl p = (PropertyImpl) session.getProperty(path);
if (P_PRIVILEGES.equals(p.getQName())) {
// test if principal-name sibling-prop matches
pName = ((NodeImpl) p.getParent()).getProperty(P_PRINCIPAL_NAME).toString();
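Review bot: In the PROPERTY_CHANGED branch the principal name is read with `getProperty(P_PRINCIPAL_NAME).toString()`, while the NODE_ADDED branch uses `getProperty(P_PRINCIPAL_NAME).getString()`. Unless `toString()` is overridden to return the value, `pName` is the property object's string form and not the principal name. A comparison against `principalNames` like the one in the NODE_ADDED branch would then never match, leaving cached permissions in place after an ACE's privileges change. Use `.getString()` here as well: `pName = ((NodeImpl) p.getParent()).getProperty(P_PRINCIPAL_NAME).getString();`. The comparison itself lies outside this hunk.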
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java?rev=644215&r1=644214&r2=644215&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java Thu Apr 3 01:15:01 2008
@@ -20,6 +20,7 @@
import org.apache.jackrabbit.core.security.authorization.PolicyEntry;
import org.apache.jackrabbit.core.security.authorization.PolicyTemplate;
import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
+import org.apache.jackrabbit.core.security.authorization.AccessControlConstants;
import org.apache.jackrabbit.core.NodeImpl;
import org.apache.jackrabbit.core.SessionImpl;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
@@ -49,7 +50,8 @@
private static final Logger log = LoggerFactory.getLogger(ACLTemplate.class);
- private final String name;
+ private final String path;
+ private final String name = ACLImpl.POLICY_NAME;
private final String description;
/**
@@ -62,8 +64,8 @@
/**
* Construct a new empty {@link PolicyTemplate}.
*/
- ACLTemplate() {
- name = ACLImpl.POLICY_NAME;
+ ACLTemplate(String path) {
+ this.path = path;
description = null;
}
@@ -83,10 +85,11 @@
* the principals in the set will be retrieved.
*/
ACLTemplate(NodeImpl aclNode, Set principalNames) throws RepositoryException {
- if (aclNode == null || !aclNode.isNodeType(ACLEditor.NT_REP_ACL)) {
- throw new IllegalArgumentException("Node must be of type: " + ACLEditor.NT_REP_ACL);
+ if (aclNode == null || !aclNode.isNodeType(AccessControlConstants.NT_REP_ACL)) {
+ throw new IllegalArgumentException("Node must be of type: " +
+ AccessControlConstants.NT_REP_ACL);
}
- name = ACLImpl.POLICY_NAME;
+ path = aclNode.getPath();
description = null;
loadEntries(aclNode, principalNames);
}
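Review bot: In this constructor `path = aclNode.getPath()` stores the path of the `rep:ACL` node itself, whereas `ACLTemplate(String path)` stores whatever path the caller passes. If that caller passes the path of the access-controlled node, which the callers in `ACLEditor` are not visible here to confirm, `getPath()` means two different things depending on how the template was built. In that case this constructor should use the parent, `path = aclNode.getParent().getPath();`. Either way the Javadoc of both constructors should state which node the path identifies.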
@@ -211,13 +214,13 @@
NodeIterator itr = aclNode.getNodes();
while (itr.hasNext()) {
NodeImpl aceNode = (NodeImpl) itr.nextNode();
- String principalName = aceNode.getProperty(ACLEditor.P_PRINCIPAL_NAME).getString();
+ String principalName = aceNode.getProperty(AccessControlConstants.P_PRINCIPAL_NAME).getString();
// only process aceNode if no filter is present of if the filter
// contains the principal-name defined with the ace-Node
String key = (filter == null || filter.isEmpty()) ? noFilter : principalName;
if (princToEntries.containsKey(key)) {
Principal princ = pMgr.getPrincipal(principalName);
- Value[] privValues = aceNode.getProperty(ACLEditor.P_PRIVILEGES).getValues();
+ Value[] privValues = aceNode.getProperty(AccessControlConstants.P_PRIVILEGES).getValues();
String[] privNames = new String[privValues.length];
for (int i = 0; i < privValues.length; i++) {
privNames[i] = privValues[i].getString();
@@ -226,7 +229,7 @@
ACEImpl ace = new ACEImpl(
princ,
PrivilegeRegistry.getBits(privNames),
- aceNode.isNodeType(ACLEditor.NT_REP_GRANT_ACE));
+ aceNode.isNodeType(AccessControlConstants.NT_REP_GRANT_ACE));
// add it to the proper list (e.g. separated by principals)
((List) princToEntries.get(key)).add(ace);
}
@@ -261,6 +264,13 @@
}
//-----------------------------------------------------< PolicyTemplate >---
+ /**
+ * @see PolicyTemplate#getPath()
+ */
+ public String getPath() {
+ return path;
+ }
+
/**
* @see PolicyTemplate#isEmpty()
*/