Package org.apache.sling.jcr.base.util

Class AccessControlUtil

java.lang.Object

org.apache.sling.jcr.base.util.AccessControlUtil

public class AccessControlUtil
extends java.lang.Object

A simple utility class providing utilities with respect to access control over repositories.

Constructor Summary

Constructors

Constructor	Description
AccessControlUtil()

Method Summary

Modifier and Type	Method	Description
static boolean	addEntry(AccessControlList acl, java.security.Principal principal, Privilege[] privileges, boolean isAllow)	Same as addEntry(AccessControlList, Principal, Privilege[], boolean, Map) using some implementation specific restrictions.
static boolean	addEntry(AccessControlList acl, java.security.Principal principal, Privilege[] privileges, boolean isAllow, java.util.Map restrictions)	Adds an access control entry to the acl consisting of the specified principal, the specified privileges, the isAllow flag and an optional map containing additional restrictions.
static boolean	addEntry(AccessControlList acl, java.security.Principal principal, Privilege[] privileges, boolean isAllow, java.util.Map<java.lang.String,Value> restrictions, java.util.Map<java.lang.String,Value[]> mvRestrictions)	Adds an access control entry to the acl consisting of the specified principal, the specified privileges, the isAllow flag and an optional map containing additional restrictions.
static AccessControlManager	getAccessControlManager(Session session)	Returns the AccessControlManager for the given session.
static java.lang.String	getPath(AccessControlList acl)	Returns the path of the node AccessControlList acl has been created for.
static PrincipalManager	getPrincipalManager(Session session)	Returns the PrincipalManager for the given session.
static UserManager	getUserManager(Session session)	Returns the UserManager for the given session.
static boolean	isAllow(AccessControlEntry ace)	Returns true if the AccessControlEntry represents 'allowed' rights or false it it represents 'denied' rights.
static boolean	isEmpty(AccessControlList acl)	Returns true if AccessControlList acl does not yet define any entries.
static void	replaceAccessControlEntry(Session session, java.lang.String resourcePath, java.security.Principal principal, java.lang.String[] grantedPrivilegeNames, java.lang.String[] deniedPrivilegeNames, java.lang.String[] removedPrivilegeNames)	Deprecated. use @link replaceAccessControlEntry(Session, String, Principal, String[], String[], String[], String) instead.
static void	replaceAccessControlEntry(Session session, java.lang.String resourcePath, java.security.Principal principal, java.lang.String[] grantedPrivilegeNames, java.lang.String[] deniedPrivilegeNames, java.lang.String[] removedPrivilegeNames, java.lang.String order)	Replaces existing access control entries in the ACL for the specified principal and resourcePath.
static void	replaceAccessControlEntry(Session session, java.lang.String resourcePath, java.security.Principal principal, java.lang.String[] grantedPrivilegeNames, java.lang.String[] deniedPrivilegeNames, java.lang.String[] removedPrivilegeNames, java.lang.String order, java.util.Map<java.lang.String,Value> restrictions, java.util.Map<java.lang.String,Value[]> mvRestrictions, java.util.Set<java.lang.String> removedRestrictionNames)	Replaces existing access control entries in the ACL for the specified principal and resourcePath.
static int	size(AccessControlList acl)	Returns the number of acl entries or 0 if the acl is empty.

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

AccessControlUtil

public AccessControlUtil()

Method Detail

getAccessControlManager

public static AccessControlManager getAccessControlManager(Session session)
                                                    throws UnsupportedRepositoryOperationException,
                                                           RepositoryException

Returns the AccessControlManager for the given session. If the session does not have a getAccessControlManager method, a UnsupportedRepositoryOperationException is thrown. Otherwise the AccessControlManager is returned or if the call fails, the respective exception is thrown.

Parameters:

session - The JCR Session whose AccessControlManager is to be returned. If the session is a pooled session, the session underlying the pooled session is actually used.

Returns:

The AccessControlManager of the session

Throws:

UnsupportedRepositoryOperationException - If the session has no getAccessControlManager method or the exception thrown by the method.

RepositoryException - Forwarded from the getAccessControlManager method call.

getUserManager

public static UserManager getUserManager(Session session)
                                  throws AccessDeniedException,
                                         UnsupportedRepositoryOperationException,
                                         RepositoryException

Returns the UserManager for the given session. If the session does not have a getUserManager method, a UnsupportedRepositoryOperationException is thrown. Otherwise the UserManager is returned or if the call fails, the respective exception is thrown.

Parameters:

session - The JCR Session whose UserManager is to be returned. If the session is not a JackrabbitSession uses reflection to retrive the manager from the repository.

Returns:

The UserManager of the session.

Throws:

AccessDeniedException - If this session is not allowed to access user data.

UnsupportedRepositoryOperationException - If the session has no getUserManager method or the exception thrown by the method.

RepositoryException - Forwarded from the getUserManager method call.

getPrincipalManager

public static PrincipalManager getPrincipalManager(Session session)
                                            throws AccessDeniedException,
                                                   UnsupportedRepositoryOperationException,
                                                   RepositoryException

Returns the PrincipalManager for the given session. If the session does not have a PrincipalManager method, a UnsupportedRepositoryOperationException is thrown. Otherwise the PrincipalManager is returned or if the call fails, the respective exception is thrown.

Parameters:

session - The JCR Session whose PrincipalManager is to be returned. If the session is not a JackrabbitSession uses reflection to retrive the manager from the repository.

Returns:

The PrincipalManager of the session.

Throws:

AccessDeniedException - If the current user lacks sufficient privileges

UnsupportedRepositoryOperationException - If the session has no PrincipalManager method or the exception thrown by the method.

RepositoryException - Forwarded from the PrincipalManager method call.

getPath

public static java.lang.String getPath(AccessControlList acl)
                                throws RepositoryException

Returns the path of the node AccessControlList acl has been created for.

Parameters:

acl - The acl to get the path for

Returns:

the path for the acl

Throws:

RepositoryException - Forwarded from the getPath method call.

isEmpty

public static boolean isEmpty(AccessControlList acl)
                       throws RepositoryException

Returns true if AccessControlList acl does not yet define any entries.

Parameters:

acl - The acl to check

Returns:

true if the acl is empty, false otherwise

Throws:

RepositoryException - Forwarded from the isEmpty method call.

size

public static int size(AccessControlList acl)
                throws RepositoryException

Returns the number of acl entries or 0 if the acl is empty.

Parameters:

acl - The acl to get the size of

Returns:

the size of the acl

Throws:

RepositoryException - Forwarded from the size method call.

addEntry

public static boolean addEntry(AccessControlList acl,
                               java.security.Principal principal,
                               Privilege[] privileges,
                               boolean isAllow)
                        throws AccessControlException,
                               RepositoryException

Same as addEntry(AccessControlList, Principal, Privilege[], boolean, Map) using some implementation specific restrictions.

Parameters:

acl - the list to add the new entry to

principal - the principal for the user or group to add the entry for

privileges - the set of privileges to grant or deny

isAllow - try to grant the privileges or false to deny the privileges

Returns:

true if this policy was modified, false otherwise.

Throws:

AccessControlException - If any of the given parameter is invalid or cannot be handled by the implementation.

RepositoryException - if any other error occurs.

addEntry

public static boolean addEntry(AccessControlList acl,
                               java.security.Principal principal,
                               Privilege[] privileges,
                               boolean isAllow,
                               java.util.Map restrictions)
                        throws UnsupportedRepositoryOperationException,
                               RepositoryException

Adds an access control entry to the acl consisting of the specified principal, the specified privileges, the isAllow flag and an optional map containing additional restrictions.

Parameters:

acl - the list to add the new entry to

principal - the principal for the user or group to add the entry for

privileges - the set of privileges to grant or deny

isAllow - try to grant the privileges or false to deny the privileges

restrictions - (optional) additional restrictions to filter the scope of the added entry. The value of the map must be a Value or Value

Returns:

true if this policy was modified, false otherwise.

Throws:

UnsupportedRepositoryOperationException - if the repository doesn't support adding access control entries

RepositoryException - if any other error occurs.

addEntry

public static boolean addEntry(AccessControlList acl,
                               java.security.Principal principal,
                               Privilege[] privileges,
                               boolean isAllow,
                               java.util.Map<java.lang.String,Value> restrictions,
                               java.util.Map<java.lang.String,Value[]> mvRestrictions)
                        throws UnsupportedRepositoryOperationException,
                               RepositoryException

Adds an access control entry to the acl consisting of the specified principal, the specified privileges, the isAllow flag and an optional map containing additional restrictions.

Parameters:

acl - the list to add the new entry to

principal - the principal for the user or group to add the entry for

privileges - the set of privileges to grant or deny

isAllow - try to grant the privileges or false to deny the privileges

restrictions - (optional) additional single-value restrictions to filter the scope of the added entry

mvRestrictions - (optional) additional multi-value restrictions to filter the scope of the added entry

Returns:

true if this policy was modified, false otherwise.

Throws:

UnsupportedRepositoryOperationException - if the repository doesn't support adding access control entries

RepositoryException - if any other error occurs.

replaceAccessControlEntry

@Deprecated
public static void replaceAccessControlEntry(Session session,
                                             java.lang.String resourcePath,
                                             java.security.Principal principal,
                                             java.lang.String[] grantedPrivilegeNames,
                                             java.lang.String[] deniedPrivilegeNames,
                                             java.lang.String[] removedPrivilegeNames)
                                      throws RepositoryException

Deprecated.

use @link replaceAccessControlEntry(Session, String, Principal, String[], String[], String[], String) instead.

Replaces existing access control entries in the ACL for the specified principal and resourcePath. Any existing granted or denied privileges which do not conflict with the specified privileges are maintained. Where conflicts exist, existing privileges are dropped. The end result will be at most two ACEs for the principal: one for grants and one for denies. Aggregate privileges are disaggregated before checking for conflicts.

Parameters:

session - the JCR session of the user doing the work

resourcePath - the path of the resource to replace the entry on

principal - the principal for the user or group to add the entry for

grantedPrivilegeNames - the names of the privileges to grant

deniedPrivilegeNames - the names of the privileges to deny

removedPrivilegeNames - privileges which, if they exist, should be removed for this principal and resource

Throws:

RepositoryException - if any error occurs.

replaceAccessControlEntry

public static void replaceAccessControlEntry(Session session,
                                             java.lang.String resourcePath,
                                             java.security.Principal principal,
                                             java.lang.String[] grantedPrivilegeNames,
                                             java.lang.String[] deniedPrivilegeNames,
                                             java.lang.String[] removedPrivilegeNames,
                                             java.lang.String order)
                                      throws RepositoryException

Replaces existing access control entries in the ACL for the specified principal and resourcePath. Any existing granted or denied privileges which do not conflict with the specified privileges are maintained. Where conflicts exist, existing privileges are dropped. The end result will be at most two ACEs for the principal: one for grants and one for denies. Aggregate privileges are disaggregated before checking for conflicts.

Parameters:

session - the JCR session of the user doing the work

resourcePath - the path of the resource to replace the entry on

principal - the principal for the user or group to add the entry for

grantedPrivilegeNames - the names of the privileges to grant

deniedPrivilegeNames - the names of the privileges to deny

removedPrivilegeNames - privileges which, if they exist, should be removed for this principal and resource

order - where the access control entry should go in the list. Value should be one of these:

Values

null	If the ACE for the principal doesn't exist add at the end, otherwise leave the ACE at it's current position.
first	Place the target ACE as the first amongst its siblings
last	Place the target ACE as the last amongst its siblings
before xyz	Place the target ACE immediately before the sibling whose name is xyz
after xyz	Place the target ACE immediately after the sibling whose name is xyz
numeric	Place the target ACE at the specified numeric index

Throws:

RepositoryException - if any error occurs.

replaceAccessControlEntry

public static void replaceAccessControlEntry(Session session,
                                             java.lang.String resourcePath,
                                             java.security.Principal principal,
                                             java.lang.String[] grantedPrivilegeNames,
                                             java.lang.String[] deniedPrivilegeNames,
                                             java.lang.String[] removedPrivilegeNames,
                                             java.lang.String order,
                                             java.util.Map<java.lang.String,Value> restrictions,
                                             java.util.Map<java.lang.String,Value[]> mvRestrictions,
                                             java.util.Set<java.lang.String> removedRestrictionNames)
                                      throws RepositoryException

Replaces existing access control entries in the ACL for the specified principal and resourcePath. Any existing granted or denied privileges which do not conflict with the specified privileges are maintained. Where conflicts exist, existing privileges are dropped. The end result will be at most two ACEs for the principal: one for grants and one for denies. Aggregate privileges are disaggregated before checking for conflicts.

Parameters:

session - the JCR session of the user doing the work

resourcePath - the path of the resource to replace the entry on

principal - the principal for the user or group to add the entry for

grantedPrivilegeNames - the names of the privileges to grant

deniedPrivilegeNames - the names of the privileges to deny

removedPrivilegeNames - privileges which, if they exist, should be removed for this principal and resource

order - where the access control entry should go in the list. Value should be one of these:

Values

null	If the ACE for the principal doesn't exist add at the end, otherwise leave the ACE at it's current position.
first	Place the target ACE as the first amongst its siblings
last	Place the target ACE as the last amongst its siblings
before xyz	Place the target ACE immediately before the sibling whose name is xyz
after xyz	Place the target ACE immediately after the sibling whose name is xyz
numeric	Place the target ACE at the specified numeric index

restrictions - (optional) additional single-value restrictions to filter the scope of the replaced entry

mvRestrictions - (optional) additional multi-value restrictions to filter the scope of the replaced entry

removedRestrictionNames - optional set of restriction names that should be removed (if they already exist).

Throws:

RepositoryException - if any error occurs.

isAllow

public static boolean isAllow(AccessControlEntry ace)
                       throws RepositoryException

Returns true if the AccessControlEntry represents 'allowed' rights or false it it represents 'denied' rights.

Parameters:

ace - the access control entry to check

Returns:

true if the entry represents allowed rights of ralse otherwise

Throws:

RepositoryException - Forwarded from the isAllow method call.