Package org.apache.sling.jcr.base.util

Class AccessControlUtil

java.lang.Object
org.apache.sling.jcr.base.util.AccessControlUtil
public class AccessControlUtil extends Object
A simple utility class providing utilities with respect to access control over repositories.

  • Constructor Summary

    Constructors
    Constructor
    Description
    AccessControlUtil()
     

  • Method Summary

    Modifier and Type
    Method
    Description
    static boolean
    addEntry(javax.jcr.security.AccessControlList acl, Principal principal, javax.jcr.security.Privilege[] privileges, boolean isAllow)
    Same as addEntry(AccessControlList, Principal, Privilege[], boolean, Map) using some implementation specific restrictions.
    static boolean
    addEntry(javax.jcr.security.AccessControlList acl, Principal principal, javax.jcr.security.Privilege[] privileges, boolean isAllow, Map restrictions)
    Adds an access control entry to the acl consisting of the specified principal, the specified privileges, the isAllow flag and an optional map containing additional restrictions.
    static boolean
    addEntry(javax.jcr.security.AccessControlList acl, Principal principal, javax.jcr.security.Privilege[] privileges, boolean isAllow, Map<String,javax.jcr.Value> restrictions, Map<String,javax.jcr.Value[]> mvRestrictions)
    Adds an access control entry to the acl consisting of the specified principal, the specified privileges, the isAllow flag and an optional map containing additional restrictions.
    static javax.jcr.security.AccessControlManager
    getAccessControlManager(javax.jcr.Session session)
    Returns the AccessControlManager for the given session.
    static String
    getPath(javax.jcr.security.AccessControlList acl)
    Returns the path of the node AccessControlList acl has been created for.
    static org.apache.jackrabbit.api.security.principal.PrincipalManager
    getPrincipalManager(javax.jcr.Session session)
    Returns the PrincipalManager for the given session.
    static org.apache.jackrabbit.api.security.user.UserManager
    getUserManager(javax.jcr.Session session)
    Returns the UserManager for the given session.
    static boolean
    isAllow(javax.jcr.security.AccessControlEntry ace)
    Returns true if the AccessControlEntry represents 'allowed' rights or false it it represents 'denied' rights.
    static boolean
    isEmpty(javax.jcr.security.AccessControlList acl)
    Returns true if AccessControlList acl does not yet define any entries.
    static void
    replaceAccessControlEntry(javax.jcr.Session session, String resourcePath, Principal principal, String[] grantedPrivilegeNames, String[] deniedPrivilegeNames, String[] removedPrivilegeNames)
    Deprecated.
    use @link replaceAccessControlEntry(Session, String, Principal, String[], String[], String[], String) instead.
    static void
    replaceAccessControlEntry(javax.jcr.Session session, String resourcePath, Principal principal, String[] grantedPrivilegeNames, String[] deniedPrivilegeNames, String[] removedPrivilegeNames, String order)
    Replaces existing access control entries in the ACL for the specified principal and resourcePath.
    static void
    replaceAccessControlEntry(javax.jcr.Session session, String resourcePath, Principal principal, String[] grantedPrivilegeNames, String[] deniedPrivilegeNames, String[] removedPrivilegeNames, String order, Map<String,javax.jcr.Value> restrictions, Map<String,javax.jcr.Value[]> mvRestrictions, Set<String> removedRestrictionNames)
    Replaces existing access control entries in the ACL for the specified principal and resourcePath.
    static int
    size(javax.jcr.security.AccessControlList acl)
    Returns the number of acl entries or 0 if the acl is empty.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

  • Constructor Details

    • AccessControlUtil

      public AccessControlUtil()

  • Method Details

    • getAccessControlManager

      public static javax.jcr.security.AccessControlManager getAccessControlManager(javax.jcr.Session session) throws javax.jcr.UnsupportedRepositoryOperationException, javax.jcr.RepositoryException
      Returns the AccessControlManager for the given session. If the session does not have a getAccessControlManager method, a UnsupportedRepositoryOperationException is thrown. Otherwise the AccessControlManager is returned or if the call fails, the respective exception is thrown.
      Parameters:
      session - The JCR Session whose AccessControlManager is to be returned. If the session is a pooled session, the session underlying the pooled session is actually used.
      Returns:
      The AccessControlManager of the session
      Throws:
      javax.jcr.UnsupportedRepositoryOperationException - If the session has no getAccessControlManager method or the exception thrown by the method.
      javax.jcr.RepositoryException - Forwarded from the getAccessControlManager method call.

    • getUserManager

      public static org.apache.jackrabbit.api.security.user.UserManager getUserManager(javax.jcr.Session session) throws javax.jcr.AccessDeniedException, javax.jcr.UnsupportedRepositoryOperationException, javax.jcr.RepositoryException
      Returns the UserManager for the given session. If the session does not have a getUserManager method, a UnsupportedRepositoryOperationException is thrown. Otherwise the UserManager is returned or if the call fails, the respective exception is thrown.
      Parameters:
      session - The JCR Session whose UserManager is to be returned. If the session is not a JackrabbitSession uses reflection to retrive the manager from the repository.
      Returns:
      The UserManager of the session.
      Throws:
      javax.jcr.AccessDeniedException - If this session is not allowed to access user data.
      javax.jcr.UnsupportedRepositoryOperationException - If the session has no getUserManager method or the exception thrown by the method.
      javax.jcr.RepositoryException - Forwarded from the getUserManager method call.

    • getPrincipalManager

      public static org.apache.jackrabbit.api.security.principal.PrincipalManager getPrincipalManager(javax.jcr.Session session) throws javax.jcr.AccessDeniedException, javax.jcr.UnsupportedRepositoryOperationException, javax.jcr.RepositoryException
      Returns the PrincipalManager for the given session. If the session does not have a PrincipalManager method, a UnsupportedRepositoryOperationException is thrown. Otherwise the PrincipalManager is returned or if the call fails, the respective exception is thrown.
      Parameters:
      session - The JCR Session whose PrincipalManager is to be returned. If the session is not a JackrabbitSession uses reflection to retrive the manager from the repository.
      Returns:
      The PrincipalManager of the session.
      Throws:
      javax.jcr.AccessDeniedException - If the current user lacks sufficient privileges
      javax.jcr.UnsupportedRepositoryOperationException - If the session has no PrincipalManager method or the exception thrown by the method.
      javax.jcr.RepositoryException - Forwarded from the PrincipalManager method call.

    • getPath

      public static String getPath(javax.jcr.security.AccessControlList acl) throws javax.jcr.RepositoryException
      Returns the path of the node AccessControlList acl has been created for.
      Parameters:
      acl - The acl to get the path for
      Returns:
      the path for the acl
      Throws:
      javax.jcr.RepositoryException - Forwarded from the getPath method call.

    • isEmpty

      public static boolean isEmpty(javax.jcr.security.AccessControlList acl) throws javax.jcr.RepositoryException
      Returns true if AccessControlList acl does not yet define any entries.
      Parameters:
      acl - The acl to check
      Returns:
      true if the acl is empty, false otherwise
      Throws:
      javax.jcr.RepositoryException - Forwarded from the isEmpty method call.

    • size

      public static int size(javax.jcr.security.AccessControlList acl) throws javax.jcr.RepositoryException
      Returns the number of acl entries or 0 if the acl is empty.
      Parameters:
      acl - The acl to get the size of
      Returns:
      the size of the acl
      Throws:
      javax.jcr.RepositoryException - Forwarded from the size method call.

    • addEntry

      public static boolean addEntry(javax.jcr.security.AccessControlList acl, Principal principal, javax.jcr.security.Privilege[] privileges, boolean isAllow) throws javax.jcr.security.AccessControlException, javax.jcr.RepositoryException
      Same as addEntry(AccessControlList, Principal, Privilege[], boolean, Map) using some implementation specific restrictions.
      Parameters:
      acl - the list to add the new entry to
      principal - the principal for the user or group to add the entry for
      privileges - the set of privileges to grant or deny
      isAllow - try to grant the privileges or false to deny the privileges
      Returns:
      true if this policy was modified, false otherwise.
      Throws:
      javax.jcr.security.AccessControlException - If any of the given parameter is invalid or cannot be handled by the implementation.
      javax.jcr.RepositoryException - if any other error occurs.

    • addEntry

      public static boolean addEntry(javax.jcr.security.AccessControlList acl, Principal principal, javax.jcr.security.Privilege[] privileges, boolean isAllow, Map restrictions) throws javax.jcr.UnsupportedRepositoryOperationException, javax.jcr.RepositoryException
      Adds an access control entry to the acl consisting of the specified principal, the specified privileges, the isAllow flag and an optional map containing additional restrictions.
      Parameters:
      acl - the list to add the new entry to
      principal - the principal for the user or group to add the entry for
      privileges - the set of privileges to grant or deny
      isAllow - try to grant the privileges or false to deny the privileges
      restrictions - (optional) additional restrictions to filter the scope of the added entry. The value of the map must be a Value or Value
      Returns:
      true if this policy was modified, false otherwise.
      Throws:
      javax.jcr.UnsupportedRepositoryOperationException - if the repository doesn't support adding access control entries
      javax.jcr.RepositoryException - if any other error occurs.

    • addEntry

      public static boolean addEntry(javax.jcr.security.AccessControlList acl, Principal principal, javax.jcr.security.Privilege[] privileges, boolean isAllow, Map<String,javax.jcr.Value> restrictions, Map<String,javax.jcr.Value[]> mvRestrictions) throws javax.jcr.UnsupportedRepositoryOperationException, javax.jcr.RepositoryException
      Adds an access control entry to the acl consisting of the specified principal, the specified privileges, the isAllow flag and an optional map containing additional restrictions.
      Parameters:
      acl - the list to add the new entry to
      principal - the principal for the user or group to add the entry for
      privileges - the set of privileges to grant or deny
      isAllow - try to grant the privileges or false to deny the privileges
      restrictions - (optional) additional single-value restrictions to filter the scope of the added entry
      mvRestrictions - (optional) additional multi-value restrictions to filter the scope of the added entry
      Returns:
      true if this policy was modified, false otherwise.
      Throws:
      javax.jcr.UnsupportedRepositoryOperationException - if the repository doesn't support adding access control entries
      javax.jcr.RepositoryException - if any other error occurs.

    • replaceAccessControlEntry

      @Deprecated public static void replaceAccessControlEntry(javax.jcr.Session session, String resourcePath, Principal principal, String[] grantedPrivilegeNames, String[] deniedPrivilegeNames, String[] removedPrivilegeNames) throws javax.jcr.RepositoryException
      Deprecated.
      use @link replaceAccessControlEntry(Session, String, Principal, String[], String[], String[], String) instead.
      Replaces existing access control entries in the ACL for the specified principal and resourcePath. Any existing granted or denied privileges which do not conflict with the specified privileges are maintained. Where conflicts exist, existing privileges are dropped. The end result will be at most two ACEs for the principal: one for grants and one for denies. Aggregate privileges are disaggregated before checking for conflicts.
      Parameters:
      session - the JCR session of the user doing the work
      resourcePath - the path of the resource to replace the entry on
      principal - the principal for the user or group to add the entry for
      grantedPrivilegeNames - the names of the privileges to grant
      deniedPrivilegeNames - the names of the privileges to deny
      removedPrivilegeNames - privileges which, if they exist, should be removed for this principal and resource
      Throws:
      javax.jcr.RepositoryException - if any error occurs.

    • replaceAccessControlEntry

      public static void replaceAccessControlEntry(javax.jcr.Session session, String resourcePath, Principal principal, String[] grantedPrivilegeNames, String[] deniedPrivilegeNames, String[] removedPrivilegeNames, String order) throws javax.jcr.RepositoryException
      Replaces existing access control entries in the ACL for the specified principal and resourcePath. Any existing granted or denied privileges which do not conflict with the specified privileges are maintained. Where conflicts exist, existing privileges are dropped. The end result will be at most two ACEs for the principal: one for grants and one for denies. Aggregate privileges are disaggregated before checking for conflicts.
      Parameters:
      session - the JCR session of the user doing the work
      resourcePath - the path of the resource to replace the entry on
      principal - the principal for the user or group to add the entry for
      grantedPrivilegeNames - the names of the privileges to grant
      deniedPrivilegeNames - the names of the privileges to deny
      removedPrivilegeNames - privileges which, if they exist, should be removed for this principal and resource
      order - where the access control entry should go in the list. Value should be one of these:
      Values
      nullIf the ACE for the principal doesn't exist add at the end, otherwise leave the ACE at it's current position.
      firstPlace the target ACE as the first amongst its siblings
      lastPlace the target ACE as the last amongst its siblings
      before xyzPlace the target ACE immediately before the sibling whose name is xyz
      after xyzPlace the target ACE immediately after the sibling whose name is xyz
      numericPlace the target ACE at the specified numeric index
      Throws:
      javax.jcr.RepositoryException - if any error occurs.

    • replaceAccessControlEntry

      public static void replaceAccessControlEntry(javax.jcr.Session session, String resourcePath, Principal principal, String[] grantedPrivilegeNames, String[] deniedPrivilegeNames, String[] removedPrivilegeNames, String order, Map<String,javax.jcr.Value> restrictions, Map<String,javax.jcr.Value[]> mvRestrictions, Set<String> removedRestrictionNames) throws javax.jcr.RepositoryException
      Replaces existing access control entries in the ACL for the specified principal and resourcePath. Any existing granted or denied privileges which do not conflict with the specified privileges are maintained. Where conflicts exist, existing privileges are dropped. The end result will be at most two ACEs for the principal: one for grants and one for denies. Aggregate privileges are disaggregated before checking for conflicts.
      Parameters:
      session - the JCR session of the user doing the work
      resourcePath - the path of the resource to replace the entry on
      principal - the principal for the user or group to add the entry for
      grantedPrivilegeNames - the names of the privileges to grant
      deniedPrivilegeNames - the names of the privileges to deny
      removedPrivilegeNames - privileges which, if they exist, should be removed for this principal and resource
      order - where the access control entry should go in the list. Value should be one of these:
      Values
      nullIf the ACE for the principal doesn't exist add at the end, otherwise leave the ACE at it's current position.
      firstPlace the target ACE as the first amongst its siblings
      lastPlace the target ACE as the last amongst its siblings
      before xyzPlace the target ACE immediately before the sibling whose name is xyz
      after xyzPlace the target ACE immediately after the sibling whose name is xyz
      numericPlace the target ACE at the specified numeric index
      restrictions - (optional) additional single-value restrictions to filter the scope of the replaced entry
      mvRestrictions - (optional) additional multi-value restrictions to filter the scope of the replaced entry
      removedRestrictionNames - optional set of restriction names that should be removed (if they already exist).
      Throws:
      javax.jcr.RepositoryException - if any error occurs.

    • isAllow

      public static boolean isAllow(javax.jcr.security.AccessControlEntry ace) throws javax.jcr.RepositoryException
      Returns true if the AccessControlEntry represents 'allowed' rights or false it it represents 'denied' rights.
      Parameters:
      ace - the access control entry to check
      Returns:
      true if the entry represents allowed rights of ralse otherwise
      Throws:
      javax.jcr.RepositoryException - Forwarded from the isAllow method call.