Examples of org.apache.jackrabbit.api.security.JackrabbitAccessControlList

• org.apache.jackrabbit.api.security.JackrabbitAccessControlList
  JackrabbitAccessControlList is an extension of the AccessControlList. Similar to the latter any modifications made will not take effect, until it is {@link javax.jcr.security.AccessControlManager#setPolicy(String,AccessControlPolicy) written back} and {@link javax.jcr.Session#save() saved}.

    }

    @Test
    public void testImplicitAceRemoval() throws Exception {
        AccessControlManager acMgr = getAccessControlManager(root);
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, testPath);
        acl.addAccessControlEntry(getTestPrincipal(), privilegesFromNames(JCR_READ, REP_WRITE));
        acMgr.setPolicy(testPath, acl);

        acl = AccessControlUtils.getAccessControlList(acMgr, childPath);
        acl.addAccessControlEntry(EveryonePrincipal.getInstance(), privilegesFromNames(JCR_READ));
        acMgr.setPolicy(childPath, acl);
        root.commit();

        assertTrue(root.getTree(childPath + "/rep:policy").exists());

    @Test
    public void testNumPermissions() throws Exception {

        AccessControlManager acMgr = getAccessControlManager(root);
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, testPath);
        acl.addAccessControlEntry(getTestPrincipal(), privilegesFromNames(JCR_READ, REP_WRITE));
        acMgr.setPolicy(testPath, acl);
        root.commit();

        assertEquals(1, PermissionUtil.getNumPermissions(getPrincipalRoot(testPrincipalName)));
        assertEquals(1, PermissionUtil.getNumPermissions(getPrincipalRoot(EveryonePrincipal.NAME)));

        acl = AccessControlUtils.getAccessControlList(acMgr, childPath);
        acl.addAccessControlEntry(EveryonePrincipal.getInstance(), privilegesFromNames(JCR_READ));
        acMgr.setPolicy(childPath, acl);
        root.commit();

        assertEquals(1, PermissionUtil.getNumPermissions(getPrincipalRoot(testPrincipalName)));
        assertEquals(2, PermissionUtil.getNumPermissions(getPrincipalRoot(EveryonePrincipal.NAME)));

        acl = AccessControlUtils.getAccessControlList(acMgr, testPath);
        acl.removeAccessControlEntry(acl.getAccessControlEntries()[0]);
        acMgr.setPolicy(testPath, acl);
        root.commit();

        assertEquals(0, PermissionUtil.getNumPermissions(getPrincipalRoot(testPrincipalName)));
        assertEquals(2, PermissionUtil.getNumPermissions(getPrincipalRoot(EveryonePrincipal.NAME)));

        acl = AccessControlUtils.getAccessControlList(acMgr, childPath);
        acl.removeAccessControlEntry(acl.getAccessControlEntries()[0]);
        acMgr.setPolicy(childPath, acl);
        root.commit();

        assertEquals(0, PermissionUtil.getNumPermissions(getPrincipalRoot(testPrincipalName)));
        assertEquals(1, PermissionUtil.getNumPermissions(getPrincipalRoot(EveryonePrincipal.NAME)));

    @Override
    public void before() throws Exception {
        super.before();

        AccessControlManager acMgr = getAccessControlManager(root);
        JackrabbitAccessControlList  acl = AccessControlUtils.getAccessControlList(acMgr, "/");
        if (acl != null) {
            acl.addEntry(getTestUser().getPrincipal(), privilegesFromNames(PrivilegeConstants.JCR_ALL), true);
        }
        acMgr.setPolicy("/", acl);
        root.commit();
        testSession = createTestSession();
        testRoot = testSession.getLatestRoot();

        try {
            if (testSession != null) {
                testSession.close();
            }
            AccessControlManager acMgr = getAccessControlManager(root);
            JackrabbitAccessControlList  acl = AccessControlUtils.getAccessControlList(acMgr, "/");
            if (acl != null) {
                for (AccessControlEntry ace : acl.getAccessControlEntries()) {
                    if (getTestUser().getPrincipal().equals(ace.getPrincipal())) {
                        acl.removeAccessControlEntry(ace);
                    }
                }
            }
            acMgr.setPolicy("/", acl);
            root.commit();

        NodeUtil rootNode = new NodeUtil(root.getTree("/"), namePathMapper);
        NodeUtil testNode = rootNode.addChild("testPath", JcrConstants.NT_UNSTRUCTURED);
        testNode.addChild("childNode", JcrConstants.NT_UNSTRUCTURED);

        AccessControlManager acMgr = getAccessControlManager(root);
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, testPath);
        acl.addAccessControlEntry(testPrincipal, privilegesFromNames(JCR_ADD_CHILD_NODES));
        acl.addAccessControlEntry(EveryonePrincipal.getInstance(), privilegesFromNames(JCR_READ));
        acMgr.setPolicy(testPath, acl);
        root.commit();

        testPrincipalName = testPrincipal.getName();
        bitsProvider = new PrivilegeBitsProvider(root);

    @Test
    public void testReorderAddAndRemoveAces2() throws Exception {
        createPrincipals();

        AccessControlManager acMgr = getAccessControlManager(root);
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, testPath);
        for (int i = 0; i < 4; i++) {
            acl.addAccessControlEntry(principals.get(i), privilegesFromNames(JCR_READ));
        }
        acMgr.setPolicy(testPath, acl);
        root.commit();

        AccessControlEntry[] aces = acl.getAccessControlEntries();
        acl.removeAccessControlEntry(aces[0]);
        acl.removeAccessControlEntry(aces[2]);
        acl.orderBefore(aces[4], aces[3]);
        acl.addAccessControlEntry(principals.get(4), privilegesFromNames(JCR_READ));
        acl.addAccessControlEntry(principals.get(5), privilegesFromNames(JCR_READ));
        acMgr.setPolicy(testPath, acl);
        root.commit();

        Tree entry = getEntry(principals.get(2).getName(), testPath, 1);
        assertIndex(1, entry);

    @Test
    public void testReorderAndRemoveAces() throws Exception {
        createPrincipals();

        AccessControlManager acMgr = getAccessControlManager(root);
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, testPath);
        for (int i = 0; i < 4; i++) {
            acl.addAccessControlEntry(principals.get(i), privilegesFromNames(JCR_READ));
        }
        acMgr.setPolicy(testPath, acl);
        root.commit();

        AccessControlEntry[] aces = acl.getAccessControlEntries();
        acl.removeAccessControlEntry(aces[0]);
        acl.removeAccessControlEntry(aces[2]);
        acl.orderBefore(aces[4], null);
        acl.orderBefore(aces[3], aces[1]);
        acMgr.setPolicy(testPath, acl);
        root.commit();

        Tree entry = getEntry(EveryonePrincipal.NAME, testPath, 1);
        assertIndex(1, entry);

     */
    public void onCreate(Authorizable authorizable, Session session) throws RepositoryException {
        Node aNode;
        String path = authorizable.getPath();

        JackrabbitAccessControlList acl = null;
        AccessControlManager acMgr = session.getAccessControlManager();
        for (AccessControlPolicyIterator it = acMgr.getApplicablePolicies(path); it.hasNext();) {
            AccessControlPolicy plc = it.nextAccessControlPolicy();
            if (plc instanceof JackrabbitAccessControlList) {
                acl = (JackrabbitAccessControlList) plc;
                break;
            }
        }

        if (acl == null) {
            log.warn("Cannot process AccessControlAction: no applicable ACL at " + path);
        } else {
            // setup acl according to configuration.
            Principal principal = new UnknownPrincipal(authorizable.getPrincipal().getName());
            boolean modified = false;
            if (authorizable.isGroup()) {
                // new authorizable is a Group
                if (groupPrivilegeNames.length > 0) {
                    modified = acl.addAccessControlEntry(principal, getPrivileges(groupPrivilegeNames, acMgr));
                }
            } else {
                // new authorizable is a User
                if (userPrivilegeNames.length > 0) {
                    modified = acl.addAccessControlEntry(principal, getPrivileges(userPrivilegeNames, acMgr));
                }
            }
            if (modified) {
                acMgr.setPolicy(path, acl);
            }

            return false;
        }
    }

    private JackrabbitAccessControlList getACL(String path) throws RepositoryException, AccessDeniedException {
        JackrabbitAccessControlList acl = null;
        for (AccessControlPolicy p: acMgr.getPolicies(path)) {
            if (p instanceof JackrabbitAccessControlList) {
                acl = (JackrabbitAccessControlList) p;
                // don't know if this check is needed
                if (path.equals(acl.getPath())) {
                    break;
                }
                acl = null;
            }
        }
        if (acl != null) {
            // clear all existing entries
            for (AccessControlEntry ace: acl.getAccessControlEntries()) {
                acl.removeAccessControlEntry(ace);
            }
        }
        return acl;
    }

                policies.addAll(Arrays.asList(jacMgr.getPolicies(principal)));
                policies.addAll(Arrays.asList(jacMgr.getApplicablePolicies(principal)));
            }
            for (AccessControlPolicy policy : policies) {
                if (policy instanceof JackrabbitAccessControlList) {
                    JackrabbitAccessControlList acl = (JackrabbitAccessControlList) policy;
                    Map<String, Value> restr = new HashMap<String, Value>();
                    for (String restName : acl.getRestrictionNames()) {
                        TextValue txtVal = restrictions.remove(restName);
                        if (txtVal != null) {
                            restr.put(restName, txtVal.getValue(acl.getRestrictionType(restName), resolver));
                        }
                    }
                    if (!restrictions.isEmpty()) {
                        throw new ConstraintViolationException("ACE childInfo contained restrictions that could not be applied.");
                    }
                    acl.addEntry(principal, privileges, isAllow, restr);
                    acMgr.setPolicy(acl.getPath(), acl);
                    return;
                }
            }
        } else {
            Map<String, Value> restr = new HashMap<String, Value>();
            for (String restName : acl.getRestrictionNames()) {
                TextValue txtVal = restrictions.remove(restName);
                if (txtVal != null) {
                    restr.put(restName, txtVal.getValue(acl.getRestrictionType(restName), resolver));
                }
            }
            if (!restrictions.isEmpty()) {
                throw new ConstraintViolationException("ACE childInfo contained restrictions that could not be applied.");
            }
            acl.addEntry(principal, privileges, isAllow, restr);
            return;
        }


        // could not apply the ACE. No suitable ACL found.