Package org.apache.sling.jcr.base.util

Class AccessControlUtil

  • public class AccessControlUtil
extends java.lang.Object
    A simple utility class providing utilities with respect to access control over repositories.

    • Method Summary

      All Methods Static Methods Concrete Methods Deprecated Methods 
      Modifier and Type Method Description
      static boolean addEntry​(javax.jcr.security.AccessControlList acl, java.security.Principal principal, javax.jcr.security.Privilege[] privileges, boolean isAllow)
      Same as addEntry(AccessControlList, Principal, Privilege[], boolean, Map) using some implementation specific restrictions.
      static boolean addEntry​(javax.jcr.security.AccessControlList acl, java.security.Principal principal, javax.jcr.security.Privilege[] privileges, boolean isAllow, java.util.Map restrictions)
      Adds an access control entry to the acl consisting of the specified principal, the specified privileges, the isAllow flag and an optional map containing additional restrictions.
      static boolean addEntry​(javax.jcr.security.AccessControlList acl, java.security.Principal principal, javax.jcr.security.Privilege[] privileges, boolean isAllow, java.util.Map<java.lang.String,​javax.jcr.Value> restrictions, java.util.Map<java.lang.String,​javax.jcr.Value[]> mvRestrictions)
      Adds an access control entry to the acl consisting of the specified principal, the specified privileges, the isAllow flag and an optional map containing additional restrictions.
      static javax.jcr.security.AccessControlManager getAccessControlManager​(javax.jcr.Session session)
      Returns the AccessControlManager for the given session.
      static java.lang.String getPath​(javax.jcr.security.AccessControlList acl)
      Returns the path of the node AccessControlList acl has been created for.
      static PrincipalManager getPrincipalManager​(javax.jcr.Session session)
      Returns the PrincipalManager for the given session.
      static UserManager getUserManager​(javax.jcr.Session session)
      Returns the UserManager for the given session.
      static boolean isAllow​(javax.jcr.security.AccessControlEntry ace)
      Returns true if the AccessControlEntry represents 'allowed' rights or false it it represents 'denied' rights.
      static boolean isEmpty​(javax.jcr.security.AccessControlList acl)
      Returns true if AccessControlList acl does not yet define any entries.
      static void replaceAccessControlEntry​(javax.jcr.Session session, java.lang.String resourcePath, java.security.Principal principal, java.lang.String[] grantedPrivilegeNames, java.lang.String[] deniedPrivilegeNames, java.lang.String[] removedPrivilegeNames)
      Deprecated.
      use @link replaceAccessControlEntry(Session, String, Principal, String[], String[], String[], String) instead.
      static void replaceAccessControlEntry​(javax.jcr.Session session, java.lang.String resourcePath, java.security.Principal principal, java.lang.String[] grantedPrivilegeNames, java.lang.String[] deniedPrivilegeNames, java.lang.String[] removedPrivilegeNames, java.lang.String order)
      Replaces existing access control entries in the ACL for the specified principal and resourcePath.
      static void replaceAccessControlEntry​(javax.jcr.Session session, java.lang.String resourcePath, java.security.Principal principal, java.lang.String[] grantedPrivilegeNames, java.lang.String[] deniedPrivilegeNames, java.lang.String[] removedPrivilegeNames, java.lang.String order, java.util.Map<java.lang.String,​javax.jcr.Value> restrictions, java.util.Map<java.lang.String,​javax.jcr.Value[]> mvRestrictions, java.util.Set<java.lang.String> removedRestrictionNames)
      Replaces existing access control entries in the ACL for the specified principal and resourcePath.
      static int size​(javax.jcr.security.AccessControlList acl)
      Returns the number of acl entries or 0 if the acl is empty.

      • Methods inherited from class java.lang.Object

        equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    • Constructor Detail

      • AccessControlUtil

        public AccessControlUtil()

    • Method Detail

      • getAccessControlManager

        public static javax.jcr.security.AccessControlManager getAccessControlManager​(javax.jcr.Session session)
                                                                       throws javax.jcr.UnsupportedRepositoryOperationException,
                                                                              javax.jcr.RepositoryException
        Returns the AccessControlManager for the given session. If the session does not have a getAccessControlManager method, a UnsupportedRepositoryOperationException is thrown. Otherwise the AccessControlManager is returned or if the call fails, the respective exception is thrown.
        Parameters:
        session - The JCR Session whose AccessControlManager is to be returned. If the session is a pooled session, the session underlying the pooled session is actually used.
        Returns:
        The AccessControlManager of the session
        Throws:
        javax.jcr.UnsupportedRepositoryOperationException - If the session has no getAccessControlManager method or the exception thrown by the method.
        javax.jcr.RepositoryException - Forwarded from the getAccessControlManager method call.

      • getUserManager

        public static UserManager getUserManager​(javax.jcr.Session session)
                                  throws javax.jcr.AccessDeniedException,
                                         javax.jcr.UnsupportedRepositoryOperationException,
                                         javax.jcr.RepositoryException
        Returns the UserManager for the given session. If the session does not have a getUserManager method, a UnsupportedRepositoryOperationException is thrown. Otherwise the UserManager is returned or if the call fails, the respective exception is thrown.
        Parameters:
        session - The JCR Session whose UserManager is to be returned. If the session is not a JackrabbitSession uses reflection to retrive the manager from the repository.
        Returns:
        The UserManager of the session.
        Throws:
        javax.jcr.AccessDeniedException - If this session is not allowed to access user data.
        javax.jcr.UnsupportedRepositoryOperationException - If the session has no getUserManager method or the exception thrown by the method.
        javax.jcr.RepositoryException - Forwarded from the getUserManager method call.

      • getPrincipalManager

        public static PrincipalManager getPrincipalManager​(javax.jcr.Session session)
                                            throws javax.jcr.AccessDeniedException,
                                                   javax.jcr.UnsupportedRepositoryOperationException,
                                                   javax.jcr.RepositoryException
        Returns the PrincipalManager for the given session. If the session does not have a PrincipalManager method, a UnsupportedRepositoryOperationException is thrown. Otherwise the PrincipalManager is returned or if the call fails, the respective exception is thrown.
        Parameters:
        session - The JCR Session whose PrincipalManager is to be returned. If the session is not a JackrabbitSession uses reflection to retrive the manager from the repository.
        Returns:
        The PrincipalManager of the session.
        Throws:
        javax.jcr.AccessDeniedException - If the current user lacks sufficient privileges
        javax.jcr.UnsupportedRepositoryOperationException - If the session has no PrincipalManager method or the exception thrown by the method.
        javax.jcr.RepositoryException - Forwarded from the PrincipalManager method call.

      • getPath

        public static java.lang.String getPath​(javax.jcr.security.AccessControlList acl)
                                throws javax.jcr.RepositoryException
        Returns the path of the node AccessControlList acl has been created for.
        Parameters:
        acl - The acl to get the path for
        Returns:
        the path for the acl
        Throws:
        javax.jcr.RepositoryException - Forwarded from the getPath method call.

      • isEmpty

        public static boolean isEmpty​(javax.jcr.security.AccessControlList acl)
                       throws javax.jcr.RepositoryException
        Returns true if AccessControlList acl does not yet define any entries.
        Parameters:
        acl - The acl to check
        Returns:
        true if the acl is empty, false otherwise
        Throws:
        javax.jcr.RepositoryException - Forwarded from the isEmpty method call.

      • size

        public static int size​(javax.jcr.security.AccessControlList acl)
                throws javax.jcr.RepositoryException
        Returns the number of acl entries or 0 if the acl is empty.
        Parameters:
        acl - The acl to get the size of
        Returns:
        the size of the acl
        Throws:
        javax.jcr.RepositoryException - Forwarded from the size method call.

      • addEntry

        public static boolean addEntry​(javax.jcr.security.AccessControlList acl,
                               java.security.Principal principal,
                               javax.jcr.security.Privilege[] privileges,
                               boolean isAllow)
                        throws javax.jcr.security.AccessControlException,
                               javax.jcr.RepositoryException
        Same as addEntry(AccessControlList, Principal, Privilege[], boolean, Map) using some implementation specific restrictions.
        Parameters:
        acl - the list to add the new entry to
        principal - the principal for the user or group to add the entry for
        privileges - the set of privileges to grant or deny
        isAllow - try to grant the privileges or false to deny the privileges
        Returns:
        true if this policy was modified, false otherwise.
        Throws:
        javax.jcr.security.AccessControlException - If any of the given parameter is invalid or cannot be handled by the implementation.
        javax.jcr.RepositoryException - if any other error occurs.

      • addEntry

        public static boolean addEntry​(javax.jcr.security.AccessControlList acl,
                               java.security.Principal principal,
                               javax.jcr.security.Privilege[] privileges,
                               boolean isAllow,
                               java.util.Map restrictions)
                        throws javax.jcr.UnsupportedRepositoryOperationException,
                               javax.jcr.RepositoryException
        Adds an access control entry to the acl consisting of the specified principal, the specified privileges, the isAllow flag and an optional map containing additional restrictions.
        Parameters:
        acl - the list to add the new entry to
        principal - the principal for the user or group to add the entry for
        privileges - the set of privileges to grant or deny
        isAllow - try to grant the privileges or false to deny the privileges
        restrictions - (optional) additional restrictions to filter the scope of the added entry. The value of the map must be a Value or Value
        Returns:
        true if this policy was modified, false otherwise.
        Throws:
        javax.jcr.UnsupportedRepositoryOperationException - if the repository doesn't support adding access control entries
        javax.jcr.RepositoryException - if any other error occurs.

      • addEntry

        public static boolean addEntry​(javax.jcr.security.AccessControlList acl,
                               java.security.Principal principal,
                               javax.jcr.security.Privilege[] privileges,
                               boolean isAllow,
                               java.util.Map<java.lang.String,​javax.jcr.Value> restrictions,
                               java.util.Map<java.lang.String,​javax.jcr.Value[]> mvRestrictions)
                        throws javax.jcr.UnsupportedRepositoryOperationException,
                               javax.jcr.RepositoryException
        Adds an access control entry to the acl consisting of the specified principal, the specified privileges, the isAllow flag and an optional map containing additional restrictions.
        Parameters:
        acl - the list to add the new entry to
        principal - the principal for the user or group to add the entry for
        privileges - the set of privileges to grant or deny
        isAllow - try to grant the privileges or false to deny the privileges
        restrictions - (optional) additional single-value restrictions to filter the scope of the added entry
        mvRestrictions - (optional) additional multi-value restrictions to filter the scope of the added entry
        Returns:
        true if this policy was modified, false otherwise.
        Throws:
        javax.jcr.UnsupportedRepositoryOperationException - if the repository doesn't support adding access control entries
        javax.jcr.RepositoryException - if any other error occurs.

      • replaceAccessControlEntry

        @Deprecated
public static void replaceAccessControlEntry​(javax.jcr.Session session,
                                             java.lang.String resourcePath,
                                             java.security.Principal principal,
                                             java.lang.String[] grantedPrivilegeNames,
                                             java.lang.String[] deniedPrivilegeNames,
                                             java.lang.String[] removedPrivilegeNames)
                                      throws javax.jcr.RepositoryException
        Deprecated.
        use @link replaceAccessControlEntry(Session, String, Principal, String[], String[], String[], String) instead.
        Replaces existing access control entries in the ACL for the specified principal and resourcePath. Any existing granted or denied privileges which do not conflict with the specified privileges are maintained. Where conflicts exist, existing privileges are dropped. The end result will be at most two ACEs for the principal: one for grants and one for denies. Aggregate privileges are disaggregated before checking for conflicts.
        Parameters:
        session - the JCR session of the user doing the work
        resourcePath - the path of the resource to replace the entry on
        principal - the principal for the user or group to add the entry for
        grantedPrivilegeNames - the names of the privileges to grant
        deniedPrivilegeNames - the names of the privileges to deny
        removedPrivilegeNames - privileges which, if they exist, should be removed for this principal and resource
        Throws:
        javax.jcr.RepositoryException - if any error occurs.

      • replaceAccessControlEntry

        public static void replaceAccessControlEntry​(javax.jcr.Session session,
                                             java.lang.String resourcePath,
                                             java.security.Principal principal,
                                             java.lang.String[] grantedPrivilegeNames,
                                             java.lang.String[] deniedPrivilegeNames,
                                             java.lang.String[] removedPrivilegeNames,
                                             java.lang.String order)
                                      throws javax.jcr.RepositoryException
        Replaces existing access control entries in the ACL for the specified principal and resourcePath. Any existing granted or denied privileges which do not conflict with the specified privileges are maintained. Where conflicts exist, existing privileges are dropped. The end result will be at most two ACEs for the principal: one for grants and one for denies. Aggregate privileges are disaggregated before checking for conflicts.
        Parameters:
        session - the JCR session of the user doing the work
        resourcePath - the path of the resource to replace the entry on
        principal - the principal for the user or group to add the entry for
        grantedPrivilegeNames - the names of the privileges to grant
        deniedPrivilegeNames - the names of the privileges to deny
        removedPrivilegeNames - privileges which, if they exist, should be removed for this principal and resource
        order - where the access control entry should go in the list. Value should be one of these:
        Values
        nullIf the ACE for the principal doesn't exist add at the end, otherwise leave the ACE at it's current position.
        firstPlace the target ACE as the first amongst its siblings
        lastPlace the target ACE as the last amongst its siblings
        before xyzPlace the target ACE immediately before the sibling whose name is xyz
        after xyzPlace the target ACE immediately after the sibling whose name is xyz
        numericPlace the target ACE at the specified numeric index
        Throws:
        javax.jcr.RepositoryException - if any error occurs.

      • replaceAccessControlEntry

        public static void replaceAccessControlEntry​(javax.jcr.Session session,
                                             java.lang.String resourcePath,
                                             java.security.Principal principal,
                                             java.lang.String[] grantedPrivilegeNames,
                                             java.lang.String[] deniedPrivilegeNames,
                                             java.lang.String[] removedPrivilegeNames,
                                             java.lang.String order,
                                             java.util.Map<java.lang.String,​javax.jcr.Value> restrictions,
                                             java.util.Map<java.lang.String,​javax.jcr.Value[]> mvRestrictions,
                                             java.util.Set<java.lang.String> removedRestrictionNames)
                                      throws javax.jcr.RepositoryException
        Replaces existing access control entries in the ACL for the specified principal and resourcePath. Any existing granted or denied privileges which do not conflict with the specified privileges are maintained. Where conflicts exist, existing privileges are dropped. The end result will be at most two ACEs for the principal: one for grants and one for denies. Aggregate privileges are disaggregated before checking for conflicts.
        Parameters:
        session - the JCR session of the user doing the work
        resourcePath - the path of the resource to replace the entry on
        principal - the principal for the user or group to add the entry for
        grantedPrivilegeNames - the names of the privileges to grant
        deniedPrivilegeNames - the names of the privileges to deny
        removedPrivilegeNames - privileges which, if they exist, should be removed for this principal and resource
        order - where the access control entry should go in the list. Value should be one of these:
        Values
        nullIf the ACE for the principal doesn't exist add at the end, otherwise leave the ACE at it's current position.
        firstPlace the target ACE as the first amongst its siblings
        lastPlace the target ACE as the last amongst its siblings
        before xyzPlace the target ACE immediately before the sibling whose name is xyz
        after xyzPlace the target ACE immediately after the sibling whose name is xyz
        numericPlace the target ACE at the specified numeric index
        restrictions - (optional) additional single-value restrictions to filter the scope of the replaced entry
        mvRestrictions - (optional) additional multi-value restrictions to filter the scope of the replaced entry
        removedRestrictionNames - optional set of restriction names that should be removed (if they already exist).
        Throws:
        javax.jcr.RepositoryException - if any error occurs.

      • isAllow

        public static boolean isAllow​(javax.jcr.security.AccessControlEntry ace)
                       throws javax.jcr.RepositoryException
        Returns true if the AccessControlEntry represents 'allowed' rights or false it it represents 'denied' rights.
        Parameters:
        ace - the access control entry to check
        Returns:
        true if the entry represents allowed rights of ralse otherwise
        Throws:
        javax.jcr.RepositoryException - Forwarded from the isAllow method call.