AccessControlUtil (The Adobe AEM Quickstart and Web Application.)

java.lang.Object
- org.apache.sling.jcr.base.util.AccessControlUtil

```
public class AccessControlUtil
extends java.lang.Object
```
A simple utility class providing utilities with respect to access control over repositories.

Constructor Summary

Constructors
Constructor and Description

AccessControlUtil()

Constructors
Constructor and Description
`AccessControlUtil()`

Method Summary

All Methods Static Methods Concrete Methods Deprecated Methods
Modifier and Type	Method and Description
`static boolean`	`addEntry(AccessControlList acl, java.security.Principal principal, Privilege[] privileges, boolean isAllow)` Same as `addEntry(AccessControlList, Principal, Privilege[], boolean, Map)` using some implementation specific restrictions.
`static boolean`	`addEntry(AccessControlList acl, java.security.Principal principal, Privilege[] privileges, boolean isAllow, java.util.Map restrictions)` Adds an access control entry to the acl consisting of the specified `principal`, the specified `privileges`, the `isAllow` flag and an optional map containing additional restrictions.
`static AccessControlManager`	`getAccessControlManager(Session session)` Returns the `AccessControlManager` for the given `session`.
`static java.lang.String`	`getPath(AccessControlList acl)` Returns the path of the node `AccessControlList` acl has been created for.
`static PrincipalManager`	`getPrincipalManager(Session session)` Returns the `PrincipalManager` for the given `session`.
`static UserManager`	`getUserManager(Session session)` Returns the `UserManager` for the given `session`.
`static boolean`	`isAllow(AccessControlEntry ace)` Returns true if the AccessControlEntry represents 'allowed' rights or false it it represents 'denied' rights.
`static boolean`	`isEmpty(AccessControlList acl)` Returns `true` if `AccessControlList` acl does not yet define any entries.
`static void`	`replaceAccessControlEntry(Session session, java.lang.String resourcePath, java.security.Principal principal, java.lang.String[] grantedPrivilegeNames, java.lang.String[] deniedPrivilegeNames, java.lang.String[] removedPrivilegeNames)` Deprecated. use @link `replaceAccessControlEntry(Session, String, Principal, String[], String[], String[], String)` instead.
`static void`	`replaceAccessControlEntry(Session session, java.lang.String resourcePath, java.security.Principal principal, java.lang.String[] grantedPrivilegeNames, java.lang.String[] deniedPrivilegeNames, java.lang.String[] removedPrivilegeNames, java.lang.String order)` Replaces existing access control entries in the ACL for the specified `principal` and `resourcePath`.
`static int`	`size(AccessControlList acl)` Returns the number of acl entries or 0 if the acl is empty.

Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail
- AccessControlUtil
```
public AccessControlUtil()
```

Method Detail

getAccessControlManager
```
public static AccessControlManager getAccessControlManager(Session session)
                                                    throws UnsupportedRepositoryOperationException,
                                                           RepositoryException
```
Returns the AccessControlManager for the given session. If the session does not have a getAccessControlManager method, a UnsupportedRepositoryOperationException is thrown. Otherwise the AccessControlManager is returned or if the call fails, the respective exception is thrown.

Parameters:

session - The JCR Session whose AccessControlManager is to be returned. If the session is a pooled session, the session underlying the pooled session is actually used.

Returns:

The AccessControlManager of the session

Throws:

UnsupportedRepositoryOperationException - If the session has no getAccessControlManager method or the exception thrown by the method.

RepositoryException - Forwarded from the getAccessControlManager method call.

getUserManager
```
public static UserManager getUserManager(Session session)
                                  throws AccessDeniedException,
                                         UnsupportedRepositoryOperationException,
                                         RepositoryException
```
Returns the UserManager for the given session. If the session does not have a getUserManager method, a UnsupportedRepositoryOperationException is thrown. Otherwise the UserManager is returned or if the call fails, the respective exception is thrown.

Parameters:

session - The JCR Session whose UserManager is to be returned. If the session is not a JackrabbitSession uses reflection to retrive the manager from the repository.

Returns:

The UserManager of the session.

Throws:

AccessDeniedException - If this session is not allowed to access user data.

UnsupportedRepositoryOperationException - If the session has no getUserManager method or the exception thrown by the method.

RepositoryException - Forwarded from the getUserManager method call.

getPrincipalManager
```
public static PrincipalManager getPrincipalManager(Session session)
                                            throws AccessDeniedException,
                                                   UnsupportedRepositoryOperationException,
                                                   RepositoryException
```
Returns the PrincipalManager for the given session. If the session does not have a PrincipalManager method, a UnsupportedRepositoryOperationException is thrown. Otherwise the PrincipalManager is returned or if the call fails, the respective exception is thrown.

Parameters:

session - The JCR Session whose PrincipalManager is to be returned. If the session is not a JackrabbitSession uses reflection to retrive the manager from the repository.

Returns:

The PrincipalManager of the session.

Throws:

AccessDeniedException

UnsupportedRepositoryOperationException - If the session has no PrincipalManager method or the exception thrown by the method.

RepositoryException - Forwarded from the PrincipalManager method call.

getPath

public static java.lang.String getPath(AccessControlList acl)
                                throws RepositoryException

Returns the path of the node AccessControlList acl has been created for.

Throws:: RepositoryException

isEmpty

public static boolean isEmpty(AccessControlList acl)
                       throws RepositoryException

Returns true if AccessControlList acl does not yet define any entries.

Throws:: RepositoryException

size

public static int size(AccessControlList acl)
                throws RepositoryException

Returns the number of acl entries or 0 if the acl is empty.

Throws:: RepositoryException

addEntry

public static boolean addEntry(AccessControlList acl,
                               java.security.Principal principal,
                               Privilege[] privileges,
                               boolean isAllow)
                        throws AccessControlException,
                               RepositoryException

Same as addEntry(AccessControlList, Principal, Privilege[], boolean, Map) using some implementation specific restrictions.

Throws:: AccessControlException; RepositoryException

addEntry

public static boolean addEntry(AccessControlList acl,
                               java.security.Principal principal,
                               Privilege[] privileges,
                               boolean isAllow,
                               java.util.Map restrictions)
                        throws UnsupportedRepositoryOperationException,
                               RepositoryException

Adds an access control entry to the acl consisting of the specified principal, the specified privileges, the isAllow flag and an optional map containing additional restrictions.

This method returns true if this policy was modified, false otherwise.

Throws:: UnsupportedRepositoryOperationException; RepositoryException

replaceAccessControlEntry
```
@Deprecated
public static void replaceAccessControlEntry(Session session,
                                                         java.lang.String resourcePath,
                                                         java.security.Principal principal,
                                                         java.lang.String[] grantedPrivilegeNames,
                                                         java.lang.String[] deniedPrivilegeNames,
                                                         java.lang.String[] removedPrivilegeNames)
                                                  throws RepositoryException
```
Deprecated. use @link replaceAccessControlEntry(Session, String, Principal, String[], String[], String[], String) instead.

Replaces existing access control entries in the ACL for the specified principal and resourcePath. Any existing granted or denied privileges which do not conflict with the specified privileges are maintained. Where conflicts exist, existing privileges are dropped. The end result will be at most two ACEs for the principal: one for grants and one for denies. Aggregate privileges are disaggregated before checking for conflicts.

Parameters:

session -

resourcePath -

principal -

grantedPrivilegeNames -

deniedPrivilegeNames -

removedPrivilegeNames - privileges which, if they exist, should be removed for this principal and resource

Throws:

RepositoryException

replaceAccessControlEntry

public static void replaceAccessControlEntry(Session session,
                                             java.lang.String resourcePath,
                                             java.security.Principal principal,
                                             java.lang.String[] grantedPrivilegeNames,
                                             java.lang.String[] deniedPrivilegeNames,
                                             java.lang.String[] removedPrivilegeNames,
                                             java.lang.String order)
                                      throws RepositoryException

Replaces existing access control entries in the ACL for the specified principal and resourcePath. Any existing granted or denied privileges which do not conflict with the specified privileges are maintained. Where conflicts exist, existing privileges are dropped. The end result will be at most two ACEs for the principal: one for grants and one for denies. Aggregate privileges are disaggregated before checking for conflicts.

Parameters:

session -

resourcePath -

principal -

grantedPrivilegeNames -

deniedPrivilegeNames -

removedPrivilegeNames - privileges which, if they exist, should be removed for this principal and resource

order - where the access control entry should go in the list. Value should be one of these:

null	If the ACE for the principal doesn't exist add at the end, otherwise leave the ACE at it's current position.
first	Place the target ACE as the first amongst its siblings
last	Place the target ACE as the last amongst its siblings
before xyz	Place the target ACE immediately before the sibling whose name is xyz
after xyz	Place the target ACE immediately after the sibling whose name is xyz
numeric	Place the target ACE at the specified numeric index

Throws:

RepositoryException

isAllow
```
public static boolean isAllow(AccessControlEntry ace)
                       throws RepositoryException
```
Returns true if the AccessControlEntry represents 'allowed' rights or false it it represents 'denied' rights.

Throws:

RepositoryException

Class AccessControlUtil

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Constructor Detail

AccessControlUtil

Method Detail

getAccessControlManager

getUserManager

getPrincipalManager

getPath

isEmpty

size

addEntry

addEntry

replaceAccessControlEntry

replaceAccessControlEntry

isAllow