Posted to commits@jackrabbit.apache.org by an...@apache.org on 2009/02/26 19:05:36 UTC
svn commit: r748247 - in /jackrabbit/trunk/jackrabbit-core/src:
main/java/org/apache/jackrabbit/core/
main/java/org/apache/jackrabbit/core/security/
main/java/org/apache/jackrabbit/core/security/authorization/
main/java/org/apache/jackrabbit/core/secur...
Author: angela
Date: Thu Feb 26 18:05:35 2009
New Revision: 748247
URL: http://svn.apache.org/viewvc?rev=748247&view=rev
Log:
JCR-1588 JSR 283: Access Control
Added:
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlPolicy.java (with props)
Modified:
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/TransactionContext.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/AbstractAccessControlManager.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitAccessControlManager.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlConstants.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlEditor.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlProvider.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlList.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLEditor.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedEditor.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLEditor.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.java
jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplate.java
jackrabbit/trunk/jackrabbit-core/src/main/resources/org/apache/jackrabbit/core/nodetype/builtin_nodetypes.cnd
jackrabbit/trunk/jackrabbit-core/src/main/resources/org/apache/jackrabbit/core/nodetype/builtin_nodetypes.xml
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEntryTest.java
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlListTest.java
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/combined/WriteTest.java
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplateTest.java
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/EntryTest.java
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/EvaluationUtil.java
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/VersionTest.java
jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/WriteTest.java
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/TransactionContext.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/TransactionContext.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/TransactionContext.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/TransactionContext.java Thu Feb 26 18:05:35 2009
@@ -318,8 +318,7 @@
/**
* Helper Method to bind the {@link Xid} associated with this {@link TransactionContext}
- * to the {@link #CURRENT_XID} ThreadLocal
- * @param methodName
+ * to the {@link #CURRENT_XID} ThreadLocal.
*/
private void bindCurrentXid() {
CURRENT_XID.set(xid);
@@ -327,8 +326,7 @@
/**
* Helper Method to clean the {@link Xid} associated with this {@link TransactionContext}
- * from the {@link #CURRENT_XID} ThreadLocal
- * @param methodName
+ * from the {@link #CURRENT_XID} ThreadLocal.
*/
private void cleanCurrentXid() {
CURRENT_XID.set(null);
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/AbstractAccessControlManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/AbstractAccessControlManager.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/AbstractAccessControlManager.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/AbstractAccessControlManager.java Thu Feb 26 18:05:35 2009
@@ -23,6 +23,7 @@
import org.apache.jackrabbit.api.jsr283.security.Privilege;
import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
import org.apache.jackrabbit.core.security.authorization.Permission;
+import org.apache.jackrabbit.core.security.authorization.JackrabbitAccessControlPolicy;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -121,11 +122,13 @@
//-------------------------------------< JackrabbitAccessControlManager >---
/**
- * {@inheritDoc}
+ * @see JackrabbitAccessControlManager#getApplicablePolicies(java.security.Principal)
*/
- public AccessControlPolicy[] getApplicablePolicies(Principal principal) throws AccessDeniedException, AccessControlException, UnsupportedRepositoryOperationException, RepositoryException {
- log.debug("Implementation does not provide applicable policies -> returning empty array.");
- return new AccessControlPolicy[0];
+ public JackrabbitAccessControlPolicy[] getApplicablePolicies(Principal principal) throws AccessDeniedException, AccessControlException, UnsupportedRepositoryOperationException, RepositoryException {
+ checkInitialized();
+
+ log.debug("Implementation does not provide applicable policies -> returning empty array.");
+ return new JackrabbitAccessControlPolicy[0];
}
//--------------------------------------------------------------------------
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java Thu Feb 26 18:05:35 2009
@@ -29,6 +29,7 @@
import org.apache.jackrabbit.core.security.authorization.Permission;
import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
import org.apache.jackrabbit.core.security.authorization.WorkspaceAccessManager;
+import org.apache.jackrabbit.core.security.authorization.JackrabbitAccessControlPolicy;
import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
import org.apache.jackrabbit.spi.Name;
import org.apache.jackrabbit.spi.Path;
@@ -372,7 +373,7 @@
/**
* @see JackrabbitAccessControlManager#getApplicablePolicies(Principal)
*/
- public AccessControlPolicy[] getApplicablePolicies(Principal principal) throws AccessDeniedException, AccessControlException, UnsupportedRepositoryOperationException, RepositoryException {
+ public JackrabbitAccessControlPolicy[] getApplicablePolicies(Principal principal) throws AccessDeniedException, AccessControlException, UnsupportedRepositoryOperationException, RepositoryException {
checkInitialized();
if (editor == null) {
throw new UnsupportedRepositoryOperationException("Editing of access control policies is not supported.");
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitAccessControlManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitAccessControlManager.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitAccessControlManager.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitAccessControlManager.java Thu Feb 26 18:05:35 2009
@@ -18,7 +18,7 @@
import org.apache.jackrabbit.api.jsr283.security.AccessControlException;
import org.apache.jackrabbit.api.jsr283.security.AccessControlManager;
-import org.apache.jackrabbit.api.jsr283.security.AccessControlPolicy;
+import org.apache.jackrabbit.core.security.authorization.JackrabbitAccessControlPolicy;
import javax.jcr.AccessDeniedException;
import javax.jcr.RepositoryException;
@@ -33,17 +33,18 @@
/**
* Returns the editable policies for the specified <code>principal</code>.
*
+ * @param principal
* @return array of policies for the specified <code>principal</code>. Note
* that the policy object returned must reveal the path of the node where
- * they can be applied later on.
+ * they can be applied later on using {@link AccessControlManager#setPolicy(String, org.apache.jackrabbit.api.jsr283.security.AccessControlPolicy)}.
* @throws AccessDeniedException if the session lacks
* <code>MODIFY_ACCESS_CONTROL</code> privilege.
* @throws AccessControlException if the specified principal does not exist
- * or if same other access control related exception occurs.
- * @throws UnsupportedRepositoryOperationException if editing the policy
- * is not supported.
+ * or if another access control related exception occurs.
+ * @throws UnsupportedRepositoryOperationException if editing access control
+ * policies is not supported.
* @throws RepositoryException if another error occurs.
+ * @see org.apache.jackrabbit.core.security.authorization.JackrabbitAccessControlPolicy#getPath()
*/
- AccessControlPolicy[] getApplicablePolicies(Principal principal) throws AccessDeniedException, AccessControlException, UnsupportedRepositoryOperationException, RepositoryException;
-
+ JackrabbitAccessControlPolicy[] getApplicablePolicies(Principal principal) throws AccessDeniedException, AccessControlException, UnsupportedRepositoryOperationException, RepositoryException;
}
\ No newline at end of file
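Review bot: The added `@param principal` tag on getApplicablePolicies has no description, so the Javadoc still does not say which principal is meant or whether `null` is accepted. Something like `@param principal the principal whose editable policies are requested; must not be null` would close that gap, provided the implementations agree on the null behaviour. The visible implementations dereference `principal.getName()` without a null check, so the contract should be stated here rather than left to each editor.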
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlConstants.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlConstants.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlConstants.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlConstants.java Thu Feb 26 18:05:35 2009
@@ -53,10 +53,6 @@
//----------------------------------------------------< node type names >---
/**
- * rep:AccessControl nodetype
- */
- Name NT_REP_ACCESS_CONTROL = NF.create(Name.NS_REP_URI, "AccessControl");
- /**
* rep:AccessControllable nodetype
*/
Name NT_REP_ACCESS_CONTROLLABLE = NF.create(Name.NS_REP_URI, "AccessControllable");
@@ -77,4 +73,15 @@
*/
Name NT_REP_DENY_ACE = NF.create(Name.NS_REP_URI, "DenyACE");
+ //----------------------------------< node types for principal based ac >---
+ /**
+ * rep:AccessControl nodetype
+ */
+ Name NT_REP_ACCESS_CONTROL = NF.create(Name.NS_REP_URI, "AccessControl");
+
+ /**
+ * rep:PrincipalAccessControl nodetype
+ */
+ Name NT_REP_PRINCIPAL_ACCESS_CONTROL = NF.create(Name.NS_REP_URI, "PrincipalAccessControl");
+
}
\ No newline at end of file
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlEditor.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlEditor.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlEditor.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlEditor.java Thu Feb 26 18:05:35 2009
@@ -87,7 +87,7 @@
* if same other access control related exception occurs.
* @throws RepositoryException if another error occurs.
*/
- AccessControlPolicy[] editAccessControlPolicies(Principal principal) throws AccessDeniedException, AccessControlException, RepositoryException;
+ JackrabbitAccessControlPolicy[] editAccessControlPolicies(Principal principal) throws AccessDeniedException, AccessControlException, RepositoryException;
/**
* Stores the policy template to the respective node.
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlProvider.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlProvider.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlProvider.java Thu Feb 26 18:05:35 2009
@@ -74,7 +74,9 @@
* Returns the effective policies for the node at the given absPath.
*
* @param absPath an absolute path.
- * @return The effective policies that apply at <code>absPath</code>.
+ * @return The effective policies that apply at <code>absPath</code> or
+ * an empty array if the implementation cannot determine the effective
+ * policy at the given path.
* @throws ItemNotFoundException If no Node with the specified
* <code>absPath</code> exists.
* @throws RepositoryException If another error occurs.
@@ -87,8 +89,8 @@
* or <code>null</code> if the implementation does not support editing
* of access control policies.
*
- * @param session
- * @return the ACL editor or <code>null</code>
+ * @param session The editing session.
+ * @return the ACL editor or <code>null</code>.
* @throws RepositoryException If an error occurs.
*/
AccessControlEditor getEditor(Session session) throws RepositoryException;
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlList.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlList.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlList.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlList.java Thu Feb 26 18:05:35 2009
@@ -31,14 +31,26 @@
* {@link org.apache.jackrabbit.api.jsr283.security.AccessControlManager#setPolicy(String, AccessControlPolicy)
* written back} and {@link javax.jcr.Session#save() saved}.
*/
-public interface JackrabbitAccessControlList extends AccessControlList {
+public interface JackrabbitAccessControlList extends JackrabbitAccessControlPolicy, AccessControlList {
/**
- * Returns the path of the node this policy has been created for.
- *
- * @return the path of the node this policy has been created for.
+ * Returns the names of the supported restrictions or an empty array
+ * if no restrictions are respected.
+ *
+ * @return the names of the supported restrictions or an empty array.
+ * @see #addEntry(Principal, Privilege[], boolean, Map)
+ */
+ String[] getRestrictionNames();
+
+ /**
+ * Return the expected {@link javax.jcr.PropertyType property type} of the
+ * restriction with the specified <code>restrictionName</code>.
+ *
+ * @param restrictionName Any of the restriction names retrieved from
+ * {@link #getRestrictionNames()}.
+ * @return expected {@link javax.jcr.PropertyType property type}.
*/
- String getPath();
+ int getRestrictionType(String restrictionName);
/**
* Returns <code>true</code> if this policy does not yet define any
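Review bot: The Javadoc of the new getRestrictionType(String) does not say what is returned for a name that is not among getRestrictionNames(). The acl ACLTemplate in this commit returns `PropertyType.UNDEFINED` in that case, so the contract should state it, for example `@return expected property type, or {@link javax.jcr.PropertyType#UNDEFINED} if the restriction is not supported`. Callers that validate restriction values before addEntry otherwise have to guess. The interface body continues outside the hunk.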
Added: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlPolicy.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlPolicy.java?rev=748247&view=auto
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlPolicy.java (added)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlPolicy.java Thu Feb 26 18:05:35 2009
@@ -0,0 +1,41 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security.authorization;
+
+import org.apache.jackrabbit.api.jsr283.security.AccessControlPolicy;
+import org.apache.jackrabbit.api.jsr283.security.AccessControlList;
+import org.apache.jackrabbit.api.jsr283.security.AccessControlException;
+import org.apache.jackrabbit.api.jsr283.security.Privilege;
+
+import javax.jcr.RepositoryException;
+import java.security.Principal;
+import java.util.Map;
+
+/**
+ * <code>JackrabbitAccessControlPolicy</code> is an extension of the
+ * <code>AccessControlPolicy</code> that exposes the path of the Node to
+ * which it can be applied using {@link org.apache.jackrabbit.api.jsr283.security.AccessControlManager#setPolicy(String, org.apache.jackrabbit.api.jsr283.security.AccessControlPolicy)}.
+ */
+public interface JackrabbitAccessControlPolicy extends AccessControlPolicy {
+
+ /**
+ * Returns the path of the node this policy has been created for.
+ *
+ * @return the path of the node this policy has been created for.
+ */
+ String getPath();
+}
\ No newline at end of file
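Review bot: Of the imports in the new JackrabbitAccessControlPolicy.java, only `AccessControlPolicy` is used by the interface. The imports of `AccessControlList`, `AccessControlException`, `Privilege`, `RepositoryException`, `Principal` and `Map` are unused and look carried over from JackrabbitAccessControlList. Remove them so the file's dependencies match what the interface declares. The file also ends without a trailing newline.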
Propchange: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlPolicy.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlPolicy.java
------------------------------------------------------------------------------
svn:keywords = author date id revision url
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLEditor.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLEditor.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLEditor.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLEditor.java Thu Feb 26 18:05:35 2009
@@ -30,6 +30,7 @@
import org.apache.jackrabbit.core.security.authorization.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
import org.apache.jackrabbit.core.security.authorization.Permission;
+import org.apache.jackrabbit.core.security.authorization.JackrabbitAccessControlPolicy;
import org.apache.jackrabbit.spi.Name;
import org.apache.jackrabbit.spi.commons.conversion.NameException;
import org.apache.jackrabbit.spi.commons.conversion.NameParser;
@@ -112,26 +113,31 @@
public AccessControlPolicy[] editAccessControlPolicies(String nodePath) throws AccessControlException, PathNotFoundException, RepositoryException {
checkProtectsNode(nodePath);
- AccessControlPolicy acl;
- NodeImpl aclNode = getAclNode(nodePath);
+ AccessControlPolicy acl = null;
+ NodeImpl controlledNode = getNode(nodePath);
+ NodeImpl aclNode = getAclNode(controlledNode);
if (aclNode == null) {
- // create an empty acl
- acl = new ACLTemplate(nodePath, session.getPrincipalManager(), privilegeRegistry);
+ // create an empty acl unless the node is protected or cannot have
+ // rep:AccessControllable mixin set (e.g. due to a lock)
+ String mixin = session.getJCRName(NT_REP_ACCESS_CONTROLLABLE);
+ if (controlledNode.isNodeType(mixin) || controlledNode.canAddMixin(mixin)) {
+ acl = new ACLTemplate(nodePath, session.getPrincipalManager(), privilegeRegistry);
+ }
} else {
acl = getACL(aclNode);
}
- return new AccessControlPolicy[] {acl};
+ return (acl != null) ? new AccessControlPolicy[] {acl} : new AccessControlPolicy[0];
}
/**
* @see AccessControlEditor#editAccessControlPolicies(Principal)
*/
- public AccessControlPolicy[] editAccessControlPolicies(Principal principal) throws AccessDeniedException, AccessControlException, RepositoryException {
+ public JackrabbitAccessControlPolicy[] editAccessControlPolicies(Principal principal) throws AccessDeniedException, AccessControlException, RepositoryException {
if (!session.getPrincipalManager().hasPrincipal(principal.getName())) {
throw new AccessControlException("Unknown principal.");
}
// TODO: impl. missing
- return new AccessControlPolicy[0];
+ return new JackrabbitAccessControlPolicy[0];
}
/**
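Review bot: The `controlledNode.isNodeType(mixin) || controlledNode.canAddMixin(mixin)` test in editAccessControlPolicies(String) is only a snapshot taken when the template is handed out. A lock or similar state can change before the policy is written back, so the write path (outside this hunk) presumably still has to handle a failure to add the mixin. The new empty-array result is also not documented on the method. Its Javadoc should say so, for example `@return the editable policies, or an empty array if no policy can be applied at nodePath`.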
@@ -237,8 +243,8 @@
}
/**
- * Returns the rep:Policy node below the Node identified by the given
- * id or <code>null</code> if the node is not mix:AccessControllable
+ * Returns the rep:Policy node below the Node identified at the given
+ * path or <code>null</code> if the node is not mix:AccessControllable
* or if no policy node exists.
*
* @param nodePath
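Review bot: The reworded Javadoc on getAclNode(String) still calls the mixin `mix:AccessControllable`, and the Javadoc added for getAclNode(NodeImpl) in the next hunk repeats it. The constant used elsewhere in this commit is `NT_REP_ACCESS_CONTROLLABLE`, and the new comment in editAccessControlPolicies names it `rep:AccessControllable`. Both Javadocs should read `if the node is not rep:AccessControllable`. The empty `@param nodePath`, `@param controlledNode` and `@throws RepositoryException` tags would also benefit from a short description.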
@@ -247,10 +253,22 @@
* @throws RepositoryException
*/
private NodeImpl getAclNode(String nodePath) throws PathNotFoundException, RepositoryException {
+ NodeImpl controlledNode = getNode(nodePath);
+ return getAclNode(controlledNode);
+ }
+
+ /**
+ * Returns the rep:Policy node below the given Node or <code>null</code>
+ * if the node is not mix:AccessControllable or if no policy node exists.
+ *
+ * @param controlledNode
+ * @return node or <code>null</code>
+ * @throws RepositoryException
+ */
+ private NodeImpl getAclNode(NodeImpl controlledNode) throws RepositoryException {
NodeImpl aclNode = null;
- NodeImpl protectedNode = getNode(nodePath);
- if (ACLProvider.isAccessControlled(protectedNode)) {
- aclNode = protectedNode.getNode(N_POLICY);
+ if (ACLProvider.isAccessControlled(controlledNode)) {
+ aclNode = controlledNode.getNode(N_POLICY);
}
return aclNode;
}
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java Thu Feb 26 18:05:35 2009
@@ -305,7 +305,6 @@
} catch (RepositoryException e) {
log.error("Failed to set-up minimal access control for root node of workspace " + session.getWorkspace().getName());
session.getRootNode().refresh(false);
- throw e;
}
}
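Review bot: With `throw e;` removed, this catch block now swallows the RepositoryException, and the `log.error` call above it does not pass `e`, so the reason the minimal root-node access control could not be set up is lost. Pass the exception to the logger, `log.error("Failed to set-up minimal access control for root node of workspace " + session.getWorkspace().getName(), e);`, and add a comment saying why it is acceptable to continue without the initial ACL. Which permissions apply when the root node ends up with no policy depends on evaluation code outside this hunk, so that should be confirmed before relying on the best-effort behaviour. The enclosing method starts and ends outside the hunk.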
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java Thu Feb 26 18:05:35 2009
@@ -37,6 +37,7 @@
import javax.jcr.NodeIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Value;
+import javax.jcr.PropertyType;
import java.security.Principal;
import java.security.acl.Group;
import java.util.ArrayList;
@@ -96,8 +97,7 @@
*/
ACLTemplate(NodeImpl aclNode, PrivilegeRegistry privilegeRegistry) throws RepositoryException {
if (aclNode == null || !aclNode.isNodeType(AccessControlConstants.NT_REP_ACL)) {
- throw new IllegalArgumentException("Node must be of type: " +
- AccessControlConstants.NT_REP_ACL);
+ throw new IllegalArgumentException("Node must be of type 'rep:ACL'");
}
SessionImpl sImpl = (SessionImpl) aclNode.getSession();
path = aclNode.getParent().getPath();
@@ -333,6 +333,25 @@
}
/**
+ * Returns an empty String array.
+ *
+ * @see JackrabbitAccessControlList#getRestrictionType(String)
+ */
+ public String[] getRestrictionNames() {
+ return new String[0];
+ }
+
+ /**
+ * Always returns {@link PropertyType#UNDEFINED} as no restrictions are
+ * supported.
+ *
+ * @see JackrabbitAccessControlList#getRestrictionType(String)
+ */
+ public int getRestrictionType(String restrictionName) {
+ return PropertyType.UNDEFINED;
+ }
+
+ /**
* @see JackrabbitAccessControlList#isEmpty()
*/
public boolean isEmpty() {
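Review bot: The Javadoc on the new getRestrictionNames() points at the wrong method: its `@see` tag reads `JackrabbitAccessControlList#getRestrictionType(String)`, the same target as the method below it. It should be `@see JackrabbitAccessControlList#getRestrictionNames()`. The comment could also state why the array is empty, as the sibling does with "no restrictions are supported".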
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedEditor.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedEditor.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedEditor.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedEditor.java Thu Feb 26 18:05:35 2009
@@ -19,6 +19,7 @@
import org.apache.jackrabbit.api.jsr283.security.AccessControlException;
import org.apache.jackrabbit.api.jsr283.security.AccessControlPolicy;
import org.apache.jackrabbit.core.security.authorization.AccessControlEditor;
+import org.apache.jackrabbit.core.security.authorization.JackrabbitAccessControlPolicy;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -76,7 +77,7 @@
/**
* @see AccessControlEditor#editAccessControlPolicies(Principal)
*/
- public AccessControlPolicy[] editAccessControlPolicies(Principal principal) throws RepositoryException {
+ public JackrabbitAccessControlPolicy[] editAccessControlPolicies(Principal principal) throws RepositoryException {
List templates = new ArrayList();
for (int i = 0; i < editors.length; i++) {
try {
@@ -86,7 +87,7 @@
// ignore.
}
}
- return (AccessControlPolicy[]) templates.toArray(new AccessControlPolicy[templates.size()]);
+ return (JackrabbitAccessControlPolicy[]) templates.toArray(new JackrabbitAccessControlPolicy[templates.size()]);
}
/**
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLEditor.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLEditor.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLEditor.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLEditor.java Thu Feb 26 18:05:35 2009
@@ -21,7 +21,6 @@
import org.apache.jackrabbit.api.jsr283.security.Privilege;
import org.apache.jackrabbit.api.jsr283.security.AccessControlPolicy;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
-import org.apache.jackrabbit.api.security.principal.NoSuchPrincipalException;
import org.apache.jackrabbit.core.NodeImpl;
import org.apache.jackrabbit.core.ProtectedItemModifier;
import org.apache.jackrabbit.core.SessionImpl;
@@ -29,6 +28,7 @@
import org.apache.jackrabbit.core.security.authorization.AccessControlEditor;
import org.apache.jackrabbit.core.security.authorization.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.core.security.authorization.Permission;
+import org.apache.jackrabbit.core.security.authorization.JackrabbitAccessControlPolicy;
import org.apache.jackrabbit.core.security.principal.ItemBasedPrincipal;
import org.apache.jackrabbit.core.security.principal.PrincipalImpl;
import org.apache.jackrabbit.spi.Name;
@@ -114,22 +114,25 @@
NodeImpl acNode = getAcNode(nodePath);
if (acNode == null) {
// check validity and create the ac node
- getPrincipal(nodePath);
+ Principal p = getPrincipal(nodePath);
+ if (p == null) {
+ throw new AccessControlException("Access control modification not allowed at " + nodePath);
+ }
acNode = createAcNode(nodePath);
}
return new AccessControlPolicy[] {createTemplate(acNode)};
- } else {
- // nodePath not below rep:accesscontrol -> not editable
- return new AccessControlPolicy[0];
}
+
+ // nodePath not below rep:accesscontrol -> not editable
+ return new AccessControlPolicy[0];
}
/**
* @see AccessControlEditor#editAccessControlPolicies(Principal)
*/
- public AccessControlPolicy[] editAccessControlPolicies(Principal principal) throws RepositoryException {
+ public JackrabbitAccessControlPolicy[] editAccessControlPolicies(Principal principal) throws RepositoryException {
if (!session.getPrincipalManager().hasPrincipal(principal.getName())) {
- throw new AccessControlException("Unknown principal.");
+ throw new AccessControlException("Cannot edit access control: " + principal.getName() +" isn't a known principal.");
}
String nPath = getPathToAcNode(principal);
NodeImpl acNode;
@@ -138,7 +141,7 @@
} else {
acNode = (NodeImpl) session.getNode(nPath);
}
- return new AccessControlPolicy[] {createTemplate(acNode)};
+ return new JackrabbitAccessControlPolicy[] {createTemplate(acNode)};
}
/**
@@ -242,14 +245,16 @@
NodeImpl node = (NodeImpl) session.getRootNode();
for (int i = 0; i < segms.length; i++) {
Name nName = session.getQName(segms[i]);
+ Name ntName = (i < segms.length-1) ? NT_REP_ACCESS_CONTROL : NT_REP_PRINCIPAL_ACCESS_CONTROL;
if (node.hasNode(nName)) {
- node = node.getNode(nName);
- if (!node.isNodeType(NT_REP_ACCESS_CONTROL)) {
+ NodeImpl n = node.getNode(nName);
+ if (!n.isNodeType(ntName)) {
// should never get here.
- throw new RepositoryException("Internal error: Unexpected nodetype " + node.getPrimaryNodeType().getName() + " below /rep:accessControl");
+ throw new RepositoryException("Error while creating access control node: Expected nodetype " + session.getJCRName(ntName) + " below /rep:accessControl, was " + node.getPrimaryNodeType().getName() + " instead");
}
+ node = n;
} else {
- node = addNode(node, nName, NT_REP_ACCESS_CONTROL);
+ node = addNode(node, nName, ntName);
}
}
return node;
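Review bot: The new error message reports the wrong node's type: after the change `node` is still the parent at that point, while the node that failed the `isNodeType(ntName)` check is `n`. The "was ... instead" part should read `n.getPrimaryNodeType().getName()`, otherwise the message names the parent's type and misleads whoever diagnoses a broken `/rep:accessControl` tree. The enclosing method starts outside this hunk.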
@@ -310,12 +315,17 @@
}
private Principal getPrincipal(String pathToACNode) throws RepositoryException {
- String name = Text.unescapeIllegalJcrChars(Text.getName(pathToACNode));
+ String name = getPrincipalName(pathToACNode);
PrincipalManager pMgr = session.getPrincipalManager();
- if (!pMgr.hasPrincipal(name)) {
- throw new AccessControlException("Unknown principal.");
+ if (pMgr.hasPrincipal(name)) {
+ return pMgr.getPrincipal(name);
+ } else {
+ return null;
}
- return pMgr.getPrincipal(name);
+ }
+
+ private static String getPrincipalName(String pathToACNode) {
+ return Text.unescapeIllegalJcrChars(Text.getName(pathToACNode));
}
/**
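Review bot: `getPrincipal` changes contract here from "throws AccessControlException for an unknown principal" to "returns null", but nothing documents that. The two callers visible in this diff do check for null; any other caller outside the shown hunks would now silently continue with a null principal. I would add Javadoc such as `@return the principal for the last path segment, or null if the PrincipalManager does not know it`. The `hasPrincipal`/`getPrincipal` pair is also two lookups; if the principal can disappear between them, `getPrincipal` may still fail, which is presumably what the removed `NoSuchPrincipalException` catch in `createTemplate` covered.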
@@ -325,7 +335,7 @@
* @throws RepositoryException
*/
private static boolean isAccessControlled(NodeImpl node) throws RepositoryException {
- return node != null && node.isNodeType(NT_REP_ACCESS_CONTROL) && node.hasNode(N_POLICY);
+ return node != null && node.isNodeType(NT_REP_PRINCIPAL_ACCESS_CONTROL) && node.hasNode(N_POLICY);
}
/**
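Review bot: `isAccessControlled` now requires `rep:PrincipalAccessControl`, and the same stricter check appears in `createAcNode` and `createTemplate`, but nothing says what happens to leaf nodes that were already created as plain `rep:AccessControl` with a `rep:policy` child. If any repository holds such nodes, this method would report them as not access controlled and `createTemplate` would reject them, so previously stored principal-based policies may stop being found. A comment stating the assumption would help, for example `// nodes created before this revision as rep:AccessControl are not recognized; existing content must be migrated`, or the check could accept both types for existing content.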
@@ -334,22 +344,17 @@
* @return
* @throws RepositoryException
*/
- private static AccessControlPolicy createTemplate(NodeImpl acNode) throws RepositoryException {
- if (!acNode.isNodeType(NT_REP_ACCESS_CONTROL)) {
- throw new RepositoryException("Expected node of type rep:AccessControl.");
+ private JackrabbitAccessControlPolicy createTemplate(NodeImpl acNode) throws RepositoryException {
+ if (!acNode.isNodeType(NT_REP_PRINCIPAL_ACCESS_CONTROL)) {
+ String msg = "Unable to edit Access Control at "+ acNode.getPath()+ ". Expected node of type rep:PrinicipalAccessControl, was " + acNode.getPrimaryNodeType().getName();
+ log.debug(msg);
+ throw new AccessControlException(msg);
}
- Principal principal = null;
- String principalName = Text.unescapeIllegalJcrChars(acNode.getName());
- PrincipalManager pMgr = ((SessionImpl) acNode.getSession()).getPrincipalManager();
- if (pMgr.hasPrincipal(principalName)) {
- try {
- principal = pMgr.getPrincipal(principalName);
- } catch (NoSuchPrincipalException e) {
- // should not get here.
- }
- }
+ Principal principal = getPrincipal(acNode.getPath());
if (principal == null) {
+ // use fall back in order to be able to get/remove the policy
+ String principalName = getPrincipalName(acNode.getPath());
log.warn("Principal with name " + principalName + " unknown to PrincipalManager.");
principal = new PrincipalImpl(principalName);
}
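Review bot: The exception text in `createTemplate` misspells the node type as `rep:PrinicipalAccessControl`, and it hard-codes the name although the method is no longer static and has the session at hand. Building it from the constant, as the `createAcNode` hunk does, keeps the message correct and namespace-aware: `"... Expected node of type " + session.getJCRName(NT_REP_PRINCIPAL_ACCESS_CONTROL) + ", was " + ...`. The fall-back `PrincipalImpl` for an unknown principal is explained only as allowing get/remove; it would help to state in the comment whether adding entries to such a template is meant to be rejected elsewhere. The method body continues outside the hunk.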
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.java Thu Feb 26 18:05:35 2009
@@ -163,7 +163,6 @@
} catch (RepositoryException e) {
log.error("Failed to set-up minimal access control for root node of workspace " + session.getWorkspace().getName());
session.getRootNode().refresh(false);
- throw e;
}
}
}
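Review bot: Removing `throw e;` means a failure to set up the minimal access control for the root node is now only logged, and the provider carries on as if initialization had succeeded. The log call also drops the exception, so the cause is lost; at the least it should be `log.error("Failed to set-up minimal access control for root node of workspace " + session.getWorkspace().getName(), e);`. If swallowing is deliberate, a comment should say why it is safe to continue without the default entries, since the caller can no longer tell that the workspace root has no baseline policy. The enclosing method starts outside this hunk.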
@@ -173,6 +172,15 @@
*/
public AccessControlPolicy[] getEffectivePolicies(Path absPath)
throws ItemNotFoundException, RepositoryException {
+ /*
+ TODO review
+ since the per-node effect of the policies is defined by the
+ rep:nodePath restriction, returning the principal-based
+ policy at 'absPath' probably doesn't reveal what the caller expects.
+ Maybe it would be better not to return an empty array as
+ {@link AccessControlManager#getEffectivePolicies(String)
+ is defined to express a best-effor estimate only.
+ */
AccessControlPolicy[] tmpls = editor.getPolicies(session.getJCRPath(absPath));
AccessControlPolicy[] effectives = new AccessControlPolicy[tmpls.length];
for (int i = 0; i < tmpls.length; i++) {
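Review bot: The added TODO comment is hard to act on as written: the `{@link ...` tag is never closed, "best-effor" is misspelled, and "better not to return an empty array" appears to say the opposite of what the reasoning before it suggests. If the intent is that an empty result would be less misleading, I would reword the last sentence to `Maybe it would be better to return an empty array, as {@link AccessControlManager#getEffectivePolicies(String)} is defined to express a best-effort estimate only.` Since callers may rely on this result to judge who has access at `absPath`, the limitation also belongs in the method's Javadoc rather than only in an inline TODO.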
Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplate.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplate.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplate.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplate.java Thu Feb 26 18:05:35 2009
@@ -33,7 +33,6 @@
import org.slf4j.LoggerFactory;
import javax.jcr.Item;
-import javax.jcr.NamespaceException;
import javax.jcr.NodeIterator;
import javax.jcr.Property;
import javax.jcr.PropertyType;
@@ -43,11 +42,11 @@
import java.security.Principal;
import java.security.acl.Group;
import java.util.ArrayList;
-import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import java.util.Set;
/**
* Implementation of the {@link JackrabbitAccessControlList} interface that
@@ -124,7 +123,7 @@
restrictions.put(prop.getName(), prop.getValue());
}
// finally add the entry
- Entry entry = new Entry(principal, privileges, isAllow, restrictions);
+ AccessControlEntry entry = createEntry(principal, privileges, isAllow, restrictions);
entries.add(entry);
} else {
log.warn("ACE must be of nodetype rep:ACE -> ignored child-node " + aceNode.getPath());
@@ -133,6 +132,34 @@
} // else: no-node at all or no acl-node present.
}
+ AccessControlEntry createEntry(Principal princ, Privilege[] privileges, boolean allow, Map restrictions) throws RepositoryException {
+ if (!principal.equals(princ)) {
+ throw new AccessControlException("Invalid principal. Expected: " + principal);
+ }
+ if (!allow && principal instanceof Group) {
+ throw new AccessControlException("For group principals permissions can only be added but not denied.");
+ }
+
+ Set rNames = restrictions.keySet();
+ if (!rNames.contains(jcrNodePathName)) {
+ throw new AccessControlException("Missing mandatory restriction: " + jcrNodePathName);
+ }
+
+ // make sure the nodePath restriction is of type PATH
+ Value v = (Value) restrictions.get(jcrNodePathName);
+ if (v.getType() != PropertyType.PATH) {
+ v = V_FACTORY.createValue(v.getString(), PropertyType.PATH);
+ restrictions.put(jcrNodePathName, v);
+ }
+ // ... and glob is of type STRING.
+ v = (Value) restrictions.get(jcrGlobName);
+ if (v != null && v.getType() != PropertyType.STRING) {
+ v = V_FACTORY.createValue(v.getString(), PropertyType.STRING);
+ restrictions.put(jcrGlobName, v);
+ }
+ return new Entry(princ, privileges, allow, restrictions);
+ }
+
//-----------------------------------------------------< JackrabbitAccessControlList >---
/**
* @see JackrabbitAccessControlList#getPath()
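Review bot: `createEntry` validates and converts the restrictions in the map it was handed, calling `restrictions.put(...)` on the caller's object. That modifies the caller's map as a side effect and throws UnsupportedOperationException for an unmodifiable map as soon as a conversion is needed. The mandatory-restriction check also only tests key presence, so a `rep:nodePath` key mapped to null, or a null `restrictions` argument, ends in a NullPointerException instead of an AccessControlException. I would work on a private copy and test the value rather than the key set, as sketched below; `HashMap` is already imported in this file.

```java
AccessControlEntry createEntry(Principal princ, Privilege[] privileges, boolean allow, Map restrictions) throws RepositoryException {
    // … unchanged: principal and group-deny checks …

    // validate and convert on a private copy so the caller's map is never modified
    Map restr = (restrictions == null) ? new HashMap() : new HashMap(restrictions);

    // a missing key and a null value are both "missing mandatory restriction"
    Value v = (Value) restr.get(jcrNodePathName);
    if (v == null) {
        throw new AccessControlException("Missing mandatory restriction: " + jcrNodePathName);
    }
    // … unchanged: PATH / STRING type conversion, reading from and writing to restr …
    return new Entry(princ, privileges, allow, restr);
}
```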
@@ -142,6 +169,26 @@
}
/**
+ * @see JackrabbitAccessControlList#getRestrictionNames()
+ */
+ public String[] getRestrictionNames() {
+ return new String[] {jcrNodePathName, jcrGlobName};
+ }
+
+ /**
+ * @see JackrabbitAccessControlList#getRestrictionType(String)
+ */
+ public int getRestrictionType(String restrictionName) {
+ if (jcrNodePathName.equals(restrictionName)) {
+ return PropertyType.PATH;
+ } else if (jcrGlobName.equals(restrictionName)) {
+ return PropertyType.STRING;
+ } else {
+ return PropertyType.UNDEFINED;
+ }
+ }
+
+ /**
* @see JackrabbitAccessControlList#isEmpty()
*/
public boolean isEmpty() {
@@ -181,7 +228,7 @@
restrictions = Collections.singletonMap(jcrNodePathName,
V_FACTORY.createValue(getPath(), PropertyType.PATH));
}
- Entry entry = new Entry(principal, privileges, isAllow, restrictions);
+ AccessControlEntry entry = createEntry(principal, privileges, isAllow, restrictions);
if (entries.contains(entry)) {
log.debug("Entry is already contained in policy -> no modification.");
return false;
@@ -198,7 +245,7 @@
*/
public AccessControlEntry[] getAccessControlEntries()
throws RepositoryException {
- return (Entry[]) entries.toArray(new Entry[entries.size()]);
+ return (AccessControlEntry[]) entries.toArray(new AccessControlEntry[entries.size()]);
}
/**
@@ -271,12 +318,12 @@
*/
private final GlobPattern pattern;
- Entry(Principal principal, Privilege[] privileges, boolean allow, Map restrictions)
+ private Entry(Principal principal, Privilege[] privileges, boolean allow, Map restrictions)
throws AccessControlException, RepositoryException {
super(principal, privileges, allow, restrictions);
- checkValidEntry();
// TODO: review again
+ Value np = getRestriction(jcrNodePathName);
nodePath = getRestriction(jcrNodePathName).getString();
Value glob = getRestriction(jcrGlobName);
if (glob != null) {
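Review bot: The added local `np` in the `Entry` constructor is never used; the following line looks the same restriction up a second time. Either drop the new line or use it, `nodePath = np.getString();`. With `checkValidEntry()` removed, the constructor now relies entirely on `createEntry` having validated the arguments, which is worth a one-line comment next to the `private` modifier. The constructor body continues outside this hunk.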
@@ -288,20 +335,6 @@
}
}
- private void checkValidEntry() throws AccessControlException, NamespaceException {
- if (!principal.equals(getPrincipal())) {
- throw new AccessControlException("Invalid principal. Expected: " + principal);
- }
- if (!isAllow() && getPrincipal() instanceof Group) {
- throw new AccessControlException("For group principals permissions can only be added but not denied.");
- }
-
- String[] rNames = getRestrictionNames();
- if (!Arrays.asList(rNames).contains(jcrNodePathName)) {
- throw new AccessControlException("Missing mandatory restriction: " + jcrNodePathName);
- }
- }
-
boolean matches(String jcrPath) throws RepositoryException {
return pattern.matches(jcrPath);
}
Modified: jackrabbit/trunk/jackrabbit-core/src/main/resources/org/apache/jackrabbit/core/nodetype/builtin_nodetypes.cnd
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/resources/org/apache/jackrabbit/core/nodetype/builtin_nodetypes.cnd?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/resources/org/apache/jackrabbit/core/nodetype/builtin_nodetypes.cnd (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/resources/org/apache/jackrabbit/core/nodetype/builtin_nodetypes.cnd Thu Feb 26 18:05:35 2009
@@ -197,9 +197,21 @@
[rep:DenyACE] > rep:ACE
-[rep:AccessControl] > nt:base, rep:AccessControllable
+// -----------------------------------------------------------------------------
+// Principal based AC
+// -----------------------------------------------------------------------------
+
+[rep:AccessControl] > nt:base
+ * (rep:AccessControl) protected ignore
-
+ + * (rep:PrincipalAccessControl) protected ignore
+
+[rep:PrincipalAccessControl] > rep:AccessControl
+ + rep:policy (rep:Policy) protected ignore
+
+// -----------------------------------------------------------------------------
+// User Management
+// -----------------------------------------------------------------------------
+
[rep:Authorizable] > nt:base, mix:referenceable abstract
+ * (rep:Authorizable) = rep:Authorizable protected version
+ * (rep:AuthorizableFolder) = rep:AuthorizableFolder protected version
Modified: jackrabbit/trunk/jackrabbit-core/src/main/resources/org/apache/jackrabbit/core/nodetype/builtin_nodetypes.xml
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/resources/org/apache/jackrabbit/core/nodetype/builtin_nodetypes.xml?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/resources/org/apache/jackrabbit/core/nodetype/builtin_nodetypes.xml (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/resources/org/apache/jackrabbit/core/nodetype/builtin_nodetypes.xml Thu Feb 26 18:05:35 2009
@@ -450,13 +450,28 @@
<nodeType name="rep:AccessControl" isMixin="false" hasOrderableChildNodes="false" primaryItemName="">
<supertypes>
<supertype>nt:base</supertype>
- <supertype>rep:AccessControllable</supertype>
</supertypes>
<childNodeDefinition name="*" autoCreated="false" mandatory="false" onParentVersion="IGNORE" protected="true" sameNameSiblings="false">
<requiredPrimaryTypes>
<requiredPrimaryType>rep:AccessControl</requiredPrimaryType>
</requiredPrimaryTypes>
</childNodeDefinition>
+ <childNodeDefinition name="*" autoCreated="false" mandatory="false" onParentVersion="IGNORE" protected="true" sameNameSiblings="false">
+ <requiredPrimaryTypes>
+ <requiredPrimaryType>rep:PrincipalAccessControl</requiredPrimaryType>
+ </requiredPrimaryTypes>
+ </childNodeDefinition>
+ </nodeType>
+
+ <nodeType name="rep:PrincipalAccessControl" isMixin="false" hasOrderableChildNodes="false" primaryItemName="">
+ <supertypes>
+ <supertype>rep:AccessControl</supertype>
+ </supertypes>
+ <childNodeDefinition name="rep:policy" autoCreated="false" mandatory="false" onParentVersion="IGNORE" protected="true" sameNameSiblings="false">
+ <requiredPrimaryTypes>
+ <requiredPrimaryType>rep:Policy</requiredPrimaryType>
+ </requiredPrimaryTypes>
+ </childNodeDefinition>
</nodeType>
<nodeType name="rep:Authorizable" isMixin="false" hasOrderableChildNodes="false" primaryItemName="" abstract="true">
Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java Thu Feb 26 18:05:35 2009
@@ -73,7 +73,7 @@
}
public void testGetPath() throws RepositoryException {
- JackrabbitAccessControlList pt = (JackrabbitAccessControlList) createEmptyTemplate(getTestPath());
+ JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
assertEquals(getTestPath(), pt.getPath());
}
@@ -84,7 +84,7 @@
} else {
throw new NotExecutableException();
}
- JackrabbitAccessControlList pt = (JackrabbitAccessControlList) createEmptyTemplate(getTestPath());
+ JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
try {
pt.addAccessControlEntry(unknownPrincipal, privilegesFromName(Privilege.JCR_READ));
fail("Adding an ACE with an unknown principal should fail");
@@ -94,7 +94,7 @@
}
public void testAddInvalidEntry2() throws RepositoryException {
- JackrabbitAccessControlList pt = (JackrabbitAccessControlList) createEmptyTemplate(getTestPath());
+ JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
try {
pt.addAccessControlEntry(testPrincipal, new Privilege[0]);
fail("Adding an ACE with invalid privileges should fail");
@@ -104,7 +104,7 @@
}
public void testRemoveInvalidEntry() throws RepositoryException {
- JackrabbitAccessControlList pt = (JackrabbitAccessControlList) createEmptyTemplate(getTestPath());
+ JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
try {
pt.removeAccessControlEntry(new JackrabbitAccessControlEntry() {
public boolean isAllow() {
@@ -138,7 +138,7 @@
}
public void testRemoveInvalidEntry2() throws RepositoryException {
- JackrabbitAccessControlList pt = (JackrabbitAccessControlList) createEmptyTemplate(getTestPath());
+ JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
try {
pt.removeAccessControlEntry(new JackrabbitAccessControlEntry() {
public boolean isAllow() {
Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEntryTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEntryTest.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEntryTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEntryTest.java Thu Feb 26 18:05:35 2009
@@ -201,7 +201,7 @@
};
createEntry(null, privs, true);
fail("Principal must not be null");
- } catch (IllegalArgumentException e) {
+ } catch (Exception e) {
// success
}
}
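Review bot: Widening the catch to `Exception` makes this test pass on any failure, including an accidental NullPointerException, so it no longer proves that a null principal is rejected on purpose. If the implementations under test now differ in what they throw, list the accepted types explicitly, for example `} catch (IllegalArgumentException e) {` followed by `} catch (AccessControlException e) {`, each with the `// success` body. Which types the subclasses really throw is not visible in this hunk and should be confirmed.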
Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlListTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlListTest.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlListTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlListTest.java Thu Feb 26 18:05:35 2009
@@ -28,6 +28,7 @@
import javax.jcr.Node;
import javax.jcr.RepositoryException;
+import javax.jcr.PropertyType;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
@@ -79,6 +80,18 @@
}
}
+ public void testGetRestrictionNames() {
+ assertNotNull(templ.getRestrictionNames());
+ }
+
+ public void testGetRestrictionType() {
+ String[] names = templ.getRestrictionNames();
+ for (int i = 0; i < names.length; i++) {
+ int type = templ.getRestrictionType(names[i]);
+ assertTrue(type > PropertyType.UNDEFINED);
+ }
+ }
+
public void testIsEmpty() throws RepositoryException {
if (templ.isEmpty()) {
assertEquals(0, templ.getAccessControlEntries().length);
Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java Thu Feb 26 18:05:35 2009
@@ -23,12 +23,14 @@
import org.apache.jackrabbit.core.security.authorization.AbstractWriteTest;
import org.apache.jackrabbit.core.security.authorization.JackrabbitAccessControlList;
import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
+import org.apache.jackrabbit.core.security.authorization.AccessControlConstants;
import org.apache.jackrabbit.core.SessionImpl;
import org.apache.jackrabbit.test.NotExecutableException;
import javax.jcr.AccessDeniedException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
+import javax.jcr.Node;
import java.util.Collections;
import java.util.Map;
import java.security.Principal;
@@ -170,4 +172,16 @@
assertFalse(getTestSession().hasPermission(policyPath, org.apache.jackrabbit.api.jsr283.Session.ACTION_REMOVE));
assertTrue(testAcMgr.hasPrivileges(policyPath, new Privilege[] {rmChildNodes[0], rmNode[0]}));
}
+
+ public void testApplicablePolicies() throws RepositoryException {
+ AccessControlPolicyIterator it = acMgr.getApplicablePolicies(childNPath);
+ assertTrue(it.hasNext());
+
+ // the same should be true, if the rep:AccessControllable mixin has
+ // been manually added
+ Node n = (Node) superuser.getItem(childNPath);
+ n.addMixin(((SessionImpl) superuser).getJCRName(AccessControlConstants.NT_REP_ACCESS_CONTROLLABLE));
+ it = acMgr.getApplicablePolicies(childNPath);
+ assertTrue(it.hasNext());
+ }
}
\ No newline at end of file
Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/combined/WriteTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/combined/WriteTest.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/combined/WriteTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/combined/WriteTest.java Thu Feb 26 18:05:35 2009
@@ -30,6 +30,7 @@
import javax.jcr.AccessDeniedException;
import javax.jcr.RepositoryException;
+import javax.jcr.PropertyType;
import java.security.Principal;
import java.util.Map;
import java.util.HashMap;
@@ -96,7 +97,7 @@
private Map getPrincipalBasedRestrictions(String path) throws RepositoryException, NotExecutableException {
if (superuser instanceof SessionImpl) {
Map restr = new HashMap();
- restr.put("rep:nodePath", path);
+ restr.put("rep:nodePath", superuser.getValueFactory().createValue(path, PropertyType.PATH));
return restr;
} else {
throw new NotExecutableException();
Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplateTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplateTest.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplateTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplateTest.java Thu Feb 26 18:05:35 2009
@@ -19,8 +19,12 @@
import org.apache.jackrabbit.core.SessionImpl;
import org.apache.jackrabbit.core.security.authorization.AbstractACLTemplateTest;
import org.apache.jackrabbit.core.security.authorization.JackrabbitAccessControlList;
+import org.apache.jackrabbit.spi.commons.conversion.NameResolver;
import javax.jcr.RepositoryException;
+import javax.jcr.PropertyType;
+import java.util.List;
+import java.util.Arrays;
/**
* <code>ACLTemplateTest</code>...
@@ -37,4 +41,21 @@
throws RepositoryException {
return new ACLTemplate(testPrincipal, testPath, (SessionImpl) superuser);
}
+
+ public void testGetRestrictionNames() throws RepositoryException {
+ List names = Arrays.asList(createEmptyTemplate(getTestPath()).getRestrictionNames());
+
+ assertEquals(2, names.size());
+ NameResolver resolver = (NameResolver) superuser;
+ assertTrue(names.contains(resolver.getJCRName(ACLTemplate.P_NODE_PATH)));
+ assertTrue(names.contains(resolver.getJCRName(ACLTemplate.P_GLOB)));
+ }
+
+ public void testGetRestrictionTypes() throws RepositoryException {
+ JackrabbitAccessControlList acl = createEmptyTemplate(getTestPath());
+
+ NameResolver resolver = (NameResolver) superuser;
+ assertEquals(PropertyType.PATH, acl.getRestrictionType(resolver.getJCRName(ACLTemplate.P_NODE_PATH)));
+ assertEquals(PropertyType.STRING, acl.getRestrictionType(resolver.getJCRName(ACLTemplate.P_GLOB)));
+ }
}
\ No newline at end of file
Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/EntryTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/EntryTest.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/EntryTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/EntryTest.java Thu Feb 26 18:05:35 2009
@@ -22,7 +22,9 @@
import org.apache.jackrabbit.core.security.authorization.AbstractEntryTest;
import org.apache.jackrabbit.core.security.authorization.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.value.StringValue;
+import org.apache.jackrabbit.value.BooleanValue;
import org.apache.jackrabbit.test.NotExecutableException;
+import org.apache.jackrabbit.spi.commons.conversion.NameResolver;
import javax.jcr.PropertyType;
import javax.jcr.RepositoryException;
@@ -43,23 +45,34 @@
private Map restrictions;
private ACLTemplate acl;
+ private String nodePath;
+ private String glob;
+
protected void setUp() throws Exception {
super.setUp();
+ if (superuser instanceof NameResolver) {
+ NameResolver resolver = (NameResolver) superuser;
+ nodePath = resolver.getJCRName(ACLTemplate.P_NODE_PATH);
+ glob = resolver.getJCRName(ACLTemplate.P_GLOB);
+ } else {
+ throw new NotExecutableException();
+ }
+
restrictions = new HashMap(2);
- restrictions.put("rep:nodePath", superuser.getValueFactory().createValue("/a/b/c/d", PropertyType.PATH));
- restrictions.put("rep:glob", superuser.getValueFactory().createValue("*"));
+ restrictions.put(nodePath, superuser.getValueFactory().createValue("/a/b/c/d", PropertyType.PATH));
+ restrictions.put(glob, superuser.getValueFactory().createValue("*"));
acl = new ACLTemplate(testPrincipal, testPath, (SessionImpl) superuser);
}
protected JackrabbitAccessControlEntry createEntry(Principal principal, Privilege[] privileges, boolean isAllow)
throws RepositoryException {
- return acl.new Entry(principal, privileges, isAllow, restrictions);
+ return (JackrabbitAccessControlEntry) acl.createEntry(principal, privileges, isAllow, restrictions);
}
private JackrabbitAccessControlEntry createEntry(Principal principal, Privilege[] privileges, boolean isAllow, Map restrictions)
throws RepositoryException {
- return acl.new Entry(principal, privileges, isAllow, restrictions);
+ return (JackrabbitAccessControlEntry) acl.createEntry(principal, privileges, isAllow, restrictions);
}
public void testNodePathMustNotBeNull() throws RepositoryException, NotExecutableException {
@@ -75,39 +88,68 @@
public void testGetNodePath() throws RepositoryException, NotExecutableException {
Privilege[] privs = privilegesFromName(Privilege.JCR_ALL);
JackrabbitAccessControlEntry pe = createEntry(testPrincipal, privs, true);
- assertEquals(restrictions.get("rep:nodePath"), pe.getRestriction("rep:nodePath"));
+
+ assertEquals(restrictions.get(nodePath), pe.getRestriction(nodePath));
+ assertEquals(PropertyType.PATH, pe.getRestriction(nodePath).getType());
}
public void testGetGlob() throws RepositoryException, NotExecutableException {
Privilege[] privs = privilegesFromName(Privilege.JCR_ALL);
JackrabbitAccessControlEntry pe = createEntry(testPrincipal, privs, true);
- assertEquals(restrictions.get("rep:glob"), pe.getRestriction("rep:glob"));
+
+ assertEquals(restrictions.get(glob), pe.getRestriction(glob));
+ assertEquals(PropertyType.STRING, pe.getRestriction(glob).getType());
Map restr = new HashMap();
- restr.put("rep:nodePath", restrictions.get("rep:nodePath"));
+ restr.put(nodePath, restrictions.get(nodePath));
pe = createEntry(testPrincipal, privs, true, restr);
- assertNull(pe.getRestriction("rep:glob"));
+ assertNull(pe.getRestriction(glob));
restr = new HashMap();
- restr.put("rep:nodePath", restrictions.get("rep:nodePath"));
- restr.put("rep:glob", new StringValue(""));
+ restr.put(nodePath, restrictions.get(nodePath));
+ restr.put(glob, new StringValue(""));
pe = createEntry(testPrincipal, privs, true, restr);
- assertEquals("", pe.getRestriction("rep:glob").getString());
+ assertEquals("", pe.getRestriction(glob).getString());
+
+ restr = new HashMap();
+ restr.put(nodePath, restrictions.get(nodePath));
+ restr.put(glob, new BooleanValue(true));
+ assertEquals(PropertyType.STRING, pe.getRestriction(glob).getType());
+ }
+
+ public void testTypeConversion() throws RepositoryException, NotExecutableException {
+ // ACLTemplate impl tries to convert the property types if the don't
+ // match the required ones.
+ Privilege[] privs = privilegesFromName(Privilege.JCR_ALL);
+
+ Map restr = new HashMap();
+ restr.put(nodePath, new StringValue("/a/b/c/d"));
+ JackrabbitAccessControlEntry pe = createEntry(testPrincipal, privs, true, restr);
+
+ assertEquals("/a/b/c/d", pe.getRestriction(nodePath).getString());
+ assertEquals(PropertyType.PATH, pe.getRestriction(nodePath).getType());
+
+ restr = new HashMap();
+ restr.put(nodePath, restrictions.get(nodePath));
+ restr.put(glob, new BooleanValue(true));
+ pe = createEntry(testPrincipal, privs, true, restr);
+
+ assertEquals(true, pe.getRestriction(glob).getBoolean());
+ assertEquals(PropertyType.STRING, pe.getRestriction(glob).getType());
}
public void testMatches() throws RepositoryException {
Privilege[] privs = new Privilege[] {acMgr.privilegeFromName(Privilege.JCR_ALL)};
ACLTemplate.Entry ace = (ACLTemplate.Entry) createEntry(testPrincipal, privs, true);
- // TODO: review again
- String nodePath = ((Value) restrictions.get("rep:nodePath")).getString();
+ String nPath = ((Value) restrictions.get(nodePath)).getString();
List toMatch = new ArrayList();
- toMatch.add(nodePath + "/any");
- toMatch.add(nodePath + "/anyother");
- toMatch.add(nodePath + "/f/g/h");
- toMatch.add(nodePath);
+ toMatch.add(nPath + "/any");
+ toMatch.add(nPath + "/anyother");
+ toMatch.add(nPath + "/f/g/h");
+ toMatch.add(nPath);
for (Iterator it = toMatch.iterator(); it.hasNext();) {
String str = it.next().toString();
assertTrue("Restrictions should match " + str, ace.matches(str));
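Review bot: The last block added to `testGetGlob` builds a `restr` map with `new BooleanValue(true)` for the glob but never creates an entry from it. The following `assertEquals(PropertyType.STRING, pe.getRestriction(glob).getType())` therefore still inspects the entry built from the `StringValue("")` map and checks nothing new. Insert `pe = createEntry(testPrincipal, privs, true, restr);` before that assertion, or drop the block, since `testTypeConversion` already covers the Boolean-to-String case.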
Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/EvaluationUtil.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/EvaluationUtil.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/EvaluationUtil.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/EvaluationUtil.java Thu Feb 26 18:05:35 2009
@@ -26,6 +26,7 @@
import javax.jcr.AccessDeniedException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
+import javax.jcr.PropertyType;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
@@ -52,7 +53,7 @@
static Map getRestrictions(Session s, String path) throws RepositoryException, NotExecutableException {
if (s instanceof SessionImpl) {
Map restr = new HashMap();
- restr.put(((SessionImpl) s).getJCRName(ACLTemplate.P_NODE_PATH), path);
+ restr.put(((SessionImpl) s).getJCRName(ACLTemplate.P_NODE_PATH), s.getValueFactory().createValue(path, PropertyType.PATH));
return restr;
} else {
throw new NotExecutableException();
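Review bot: The raw `Map` returned by `getRestrictions` now holds a `javax.jcr.Value` of type `PropertyType.PATH` where it used to hold a `String`, and neither the signature nor a comment tells callers this. A caller that puts a differently typed object into the same map, as the removed `GlobPattern.create(...)` line in WriteTest did, would presumably only fail at runtime when the restrictions are evaluated for the access control entry. I would add a short Javadoc above the method, for example `/** Returns a map of JCR restriction name to javax.jcr.Value; the node path is created as PropertyType.PATH. */`. `createValue(path, PropertyType.PATH)` can throw `ValueFormatException` for a string that is not a valid path, which the declared `RepositoryException` already covers. The method body closes outside this hunk.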
Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/VersionTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/VersionTest.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/VersionTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/VersionTest.java Thu Feb 26 18:05:35 2009
@@ -30,8 +30,6 @@
import javax.jcr.Node;
import javax.jcr.AccessDeniedException;
import javax.jcr.ItemNotFoundException;
-import javax.jcr.Property;
-import javax.jcr.version.Version;
import java.security.Principal;
import java.util.Map;
Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/WriteTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/WriteTest.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/WriteTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/WriteTest.java Thu Feb 26 18:05:35 2009
@@ -33,7 +33,6 @@
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import java.security.Principal;
-import java.util.HashMap;
import java.util.Map;
/**
@@ -64,13 +63,7 @@
}
protected Map getRestrictions(Session s, String path) throws RepositoryException, NotExecutableException {
- if (s instanceof SessionImpl) {
- Map restr = new HashMap();
- restr.put(((SessionImpl) s).getJCRName(ACLTemplate.P_NODE_PATH), path);
- return restr;
- } else {
- throw new NotExecutableException();
- }
+ return EvaluationUtil.getRestrictions(s, path);
}
@@ -79,7 +72,7 @@
// testuser is not allowed to READ the protected property jcr:created.
Map restr = getRestrictions(superuser, path);
- restr.put(ACLTemplate.P_GLOB, GlobPattern.create("/afolder/jcr:created"));
+ restr.put(((SessionImpl) superuser).getJCRName(ACLTemplate.P_GLOB), superuser.getValueFactory().createValue("/afolder/jcr:created"));
withdrawPrivileges(path, testUser.getPrincipal(), privilegesFromName(Privilege.JCR_READ), restr);
// still: adding a nt:folder node should be possible