Examples of org.apache.jackrabbit.api.security.user.Authorizable

• org.apache.jackrabbit.api.security.user.Authorizable
  The Authorizable is the common base interface for {@link User} and{@link Group}. It provides access to the Principals associated with an Authorizable (see below) and allow to access and modify additional properties such as e.g. full name, e-mail or address.

  Please note the difference between Authorizable and {@link java.security.Principal Principal}:
  An Authorizable is repository object that is neither associated with nor depending from a particular Session and thus independent of the login mechanisms creating Sessions.
  

  On the other hand Principals are representations of user identities. In other words: each Principal within the set associated with the Session's Subject upon login represents an identity for that user. An the set of Principals may differ between different login mechanisms.
  

  Consequently an one-to-many relationship exists between Authorizable and Principal (see also {@link #getPrincipal()}.

  The interfaces derived from Authorizable are defined as follows:

  • {@link User}: defined to be an Authorizable that can be authenticated (by using Credentials) and impersonated.
  • {@link Group}: defined to be a collection of other Authorizables.

  @see User @see Group

        if (everyonePrincipal.getName().equals(principalName)) {
            return everyonePrincipal;
        }
        try {
            Principal principal = new PrincipalImpl(principalName);
            Authorizable ath = userManager.getAuthorizable(principal);
            if (ath != null) {
                return ath.getPrincipal();
            }
        } catch (RepositoryException e) {
            log.error("Failed to access Authorizable for Principal " + principalName, e);
        }
        return null;

     * including inherited membership.
     */
    private Set<Principal> collectGroupMembership(Principal princ) {
        final Set<Principal> membership = new LinkedHashSet<Principal>();
            try {
                final Authorizable auth = userManager.getAuthorizable(princ);
                if (auth != null) {
                    addToCache(princ);
                    Iterator<Group> itr = auth.memberOf();
                    while (itr.hasNext()) {
                        Group group = itr.next();
                        Principal gp = group.getPrincipal();
                        addToCache(gp);
                        membership.add(gp);

           hierarchies (see {@link UserManagerImpl#getAuthorizable(NodeImpl)}.
           this prevents from importing user/group nodes somewhere in the
           content hierarchy which isn't possible when creating user/groups
           using the corresponding API calls  {@link UserManager#createUser} or
           {@link UserManager#createGroup} respectively. */
        Authorizable a = userManager.getAuthorizable(parent);
        if (a == null) {
            log.warn("Cannot handle protected PropInfo " + protectedPropInfo + ". Node " + parent + " doesn't represent a valid Authorizable.");
            return false;
        }

        // TODO: check if import should be aborted in case of nested authorizable.

        // assert that user manager is isn't in auto-save mode
        if (userManager.isAutoSave()) {
            userManager.autoSave(false);
        }
        try {
            Name propName = protectedPropInfo.getName();
            if (UserConstants.P_PRINCIPAL_NAME.equals(propName)) {
                // minimal validation that passed definition really matches the
                // protected rep:principalName property defined by rep:Authorizable.
                if (def.isMultiple() || !UserConstants.NT_REP_AUTHORIZABLE.equals(def.getDeclaringNodeType())) {
                    // some other unexpected property definition -> cannot handle
                    log.warn("Unexpected definition for property rep:principalName");
                    return false;
                }

                Value v = protectedPropInfo.getValues(PropertyType.STRING, resolver)[0];
                String princName = v.getString();
                userManager.setPrincipal(parent, new PrincipalImpl(princName));
                return true;
            } else if (UserConstants.P_PASSWORD.equals(propName)) {
                if (a.isGroup()) {
                    log.warn("Expected parent node of type rep:User.");
                    return false;
                }
                // minimal validation of the passed definition
                if (def.isMultiple() || !UserConstants.NT_REP_USER.equals(def.getDeclaringNodeType())) {
                    // some other unexpected property definition -> cannot handle
                    log.warn("Unexpected definition for property rep:password");
                    return false;
                }

                // expectation: pw must already be crypted.
                Value v = protectedPropInfo.getValues(PropertyType.STRING, resolver)[0];
                userManager.setProtectedProperty(parent, UserConstants.P_PASSWORD, v);

                return true;

            } else if (UserConstants.P_IMPERSONATORS.equals(propName)) {
                if (a.isGroup()) {
                    // unexpected parent type -> cannot handle
                    log.warn("Expected parent node of type rep:User.");
                    return false;
                }

                // minimal validation of the passed definition
                if (!def.isMultiple() || !UserConstants.MIX_REP_IMPERSONATABLE.equals(def.getDeclaringNodeType())) {
                    // some other unexpected property definition -> cannot handle
                    log.warn("Unexpected definition for property rep:impersonators");
                    return false;
                }

                // since impersonators may be imported later on, postpone processing
                // to the end.
                // see -> processRefeferences
                Value[] vs = protectedPropInfo.getValues(PropertyType.STRING, resolver);
                referenceTracker.processedReference(new Impersonators(a.getID(), vs));
                return true;

            } else if (UserConstants.P_MEMBERS.equals(propName)) {
                if (!a.isGroup()) {
                    // unexpected parent type -> cannot handle
                    log.warn("Expected parent node of type rep:Group.");
                    return false;
                }

                // minimal validation of the passed definition
                if (!def.isMultiple() || !UserConstants.NT_REP_GROUP.equals(def.getDeclaringNodeType())) {
                    // some other unexpected property definition -> cannot handle
                    log.warn("Unexpected definition for property rep:members");
                    return false;
                }

                // since group-members are references to user/groups that potentially
                // are to be imported later on -> postpone processing to the end.
                // see -> processRefeferences
                Value[] vs = protectedPropInfo.getValues(PropertyType.WEAKREFERENCE, resolver);
                NodeId[] ids = new NodeId[vs.length];
                for (int i = 0; i < vs.length; i++) {
                    ids[i] = new NodeId(vs[i].getString());
                }
                referenceTracker.processedReference(new Membership(a.getID(), ids));
                return true;

            } // else: cannot handle -> return false

            return false;

        try {
            List<Object> processed = new ArrayList();
            for (Iterator<Object> it = referenceTracker.getProcessedReferences(); it.hasNext();) {
                Object reference = it.next();
                if (reference instanceof Membership) {
                    Authorizable a = userManager.getAuthorizable(((Membership) reference).groupId);
                    if (a == null || !a.isGroup()) {
                        throw new RepositoryException(((Membership) reference).groupId + " does not represent a valid group.");
                    }

                    Group gr = (Group) a;
                    // 1. collect members to add and to remove.
                    Map<String, Authorizable> toRemove = new HashMap();
                    for (Iterator<Authorizable> aIt = gr.getDeclaredMembers(); it.hasNext();) {
                        Authorizable dm = aIt.next();
                        toRemove.put(dm.getID(), dm);
                    }

                    List<Authorizable> toAdd = new ArrayList();
                    List<Value> nonExisting = new ArrayList();

                    for (NodeId originalId : ((Membership) reference).ids) {

                        NodeId remapped = referenceTracker.getMappedId(originalId);
                        NodeId id = (remapped == null) ? originalId : remapped;

                        Authorizable authorz = null;
                        try {
                            NodeImpl n = ((SessionImpl) session).getNodeById(id);
                            authorz = userManager.getAuthorizable(n);
                        } catch (RepositoryException e) {
                            // no such node or failed to retrieve authorizable
                            // warning is logged below.
                        }
                        if (authorz != null) {
                            if (toRemove.remove(authorz.getID()) == null) {
                                toAdd.add(authorz);
                            } // else: no need to remove from rep:members
                        } else {
                            handleFailure("Ignoring new member of " + gr + ". No such authorizable (NodeID = " + id + ")");
                            if (importBehavior == ImportBehavior.BESTEFFORT) {
                                nonExisting.add(session.getValueFactory().createValue(id.toString(), PropertyType.WEAKREFERENCE));
                            }
                        }
                    }

                    // 2. adjust members of the group
                    for (Authorizable m : toRemove.values()) {
                        if (!gr.removeMember(m)) {
                            handleFailure("Failed remove existing member (" + m + ") from " + gr);
                        }
                    }
                    for (Authorizable m : toAdd) {
                        if (!gr.addMember(m)) {
                            handleFailure("Failed add member (" + m + ") to " + gr);
                        }
                    }

                    // handling non-existing members in case of best-effort
                    if (!nonExisting.isEmpty()) {
                        log.warn("Found " + nonExisting.size() + " entries of rep:members pointing to non-existing authorizables. Best-effort approach configured -> add to rep:members.");

                        NodeImpl groupNode = ((AuthorizableImpl) gr).getNode();
                        // build list of valid members set before ....
                        List<Value> memberValues = new ArrayList();
                        if (groupNode.hasProperty(UserConstants.P_MEMBERS)) {
                            Value[] vls = groupNode.getProperty(UserConstants.P_MEMBERS).getValues();
                            memberValues.addAll(Arrays.asList(vls));
                        }
                        // ... and the non-Existing onces.
                        memberValues.addAll(nonExisting);
                        // and use implementation specific method to set the
                        // value of rep:members properties which was not possible
                        // through the API
                        userManager.setProtectedProperty(groupNode, UserConstants.P_MEMBERS, memberValues.toArray(new Value[memberValues.size()]));
                    }

                    processed.add(reference);

                } else if (reference instanceof Impersonators) {
                    Authorizable a = userManager.getAuthorizable(((Impersonators) reference).userId);
                    if (a == null || a.isGroup()) {
                        throw new RepositoryException(((Impersonators) reference).userId + " does not represent a valid user.");
                    }

                    Impersonation imp = ((User) a).getImpersonation();

            // a) try short-cut that works in case of ID.equals(principalName) only.
            // b) execute query in case of pName mismatch or exc. however, query
            //    requires persisted user nodes (see known issue of UserImporter).
            String name = principal.getName();
            try {
                Authorizable a = internalGetAuthorizable(name);
                if (a != null && name.equals(a.getPrincipal().getName())) {
                    return a;
                }
            } catch (RepositoryException e) {
                // ignore and execute the query.
            }

     * @param n
     * @return An authorizable or <code>null</code>.
     * @throws RepositoryException
     */
    Authorizable getAuthorizable(NodeImpl n) throws RepositoryException {
        Authorizable authorz = null;
        if (n != null) {
            String path = n.getPath();
            if (n.isNodeType(NT_REP_USER) && Text.isDescendant(usersPath, path)) {
                authorz = createUser(n);
            } else if (n.isNodeType(NT_REP_GROUP) && Text.isDescendant(groupsPath, path)) {

        /**
         * @see Iterator#next()
         */
        public Authorizable next() {
            Authorizable authr = next;
            if (authr == null) {
                throw new NoSuchElementException();
            }
            next = seekNext();
            return authr;

        private Authorizable seekNext() {
            while (authNodeIter.hasNext()) {
                NodeImpl node = (NodeImpl) authNodeIter.nextNode();
                try {
                    if (!served.contains(node.getUUID())) {
                        Authorizable authr = getAuthorizable(node);
                        served.add(node.getUUID());
                        if (authr != null) {
                            return authr;
                        }
                    }

    }

    private static Principal initGroup(UserManager uMgr, String principalName) {
        Principal prnc = new PrincipalImpl(principalName);
        try {
            Authorizable auth = uMgr.getAuthorizable(prnc);
            if (auth == null) {
                auth = uMgr.createGroup(prnc);
            } else {
                if (!auth.isGroup()) {
                    log.warn("Cannot create group '" + principalName + "'; User with that principal already exists.");
                    auth = null;
                }
            }
            if (auth != null) {
                return auth.getPrincipal();
            }
        } catch (RepositoryException e) {
            // should never get here
            log.error("Error while initializing user/group administrators", e.getMessage());
        }

        User user = userMgr.createUser(p.getName(), pw);
        save(superuser);
        uID = user.getID();

        // make other user a group-administrator:
        Authorizable grAdmin = userMgr.getAuthorizable(UserConstants.GROUP_ADMIN_GROUP_NAME);
        if (grAdmin == null || !grAdmin.isGroup()) {
            throw new NotExecutableException("Cannot execute test. No group-administrator group found.");
        }
        groupAdmin = (Group) grAdmin;
        groupAdmin.addMember(user);
        save(superuser);