Class ModifyAceServlet

All Implemented Interfaces:
Serializable, javax.servlet.Servlet, javax.servlet.ServletConfig, ModifyAce
Direct Known Subclasses:
ModifyPrincipalAceServlet

public class ModifyAceServlet extends AbstractAccessPostServlet implements ModifyAce

Sling Post Servlet implementation for modifying the ACEs for a principal on a JCR resource.

Rest Service Description

Modify a principal's ACEs for the node identified as a resource by the request URL <resource>.modifyAce.html

Transport Details:

Methods

  • POST

Post Parameters

principalId
The principal of the ACEs to modify in the ACL specified by the path.
privilege@[privilege_name]
One or more privileges which will be applied to the ACE. Any permissions that are present in an existing ACE for the principal but not in the request are left untouched. The parameter value must be either 'allow', 'deny' or 'all'. For backward compatibility, 'granted' or 'denied' may also be used for the parameter value as an alias for 'allow' or 'deny'.
restriction@[restriction_name]
One or more restrictions which will be applied to the ACE. The value is the target value of the restriction to be set.
restriction@[restriction_name]@Delete
One or more restrictions which will be removed from the ACE.
privilege@[privilege_name]@Delete
One param for each privilege to delete. The parameter value must be either 'allow', 'deny' or 'all' to specify which state to delete from.
restriction@[privilege_name]@[restriction_name]@Allow
restriction@[privilege_name]@[restriction_name]@Deny
One param for each restriction value. The same parameter name may be used again for multi-value restrictions. The @Allow or @Deny suffix specifies whether to apply the restriction to the 'allow' or 'deny' privilege. The value is the target value of the restriction to be set.
restriction@[privilege_name]@[restriction_name]@Delete
One param for each restriction to delete. The parameter value must be either 'allow', 'deny' or 'all' to specify which state to delete from.
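
As an added example (not code from the Sling project), the following Python sketch classifies the parameters of a captured form-encoded POST body sent to `.modifyAce.html` according to the parameter grammar listed above, which helps when reviewing request logs for ACL changes. It follows this page's wording only, so the servlet's own parsing may differ; the sample body and its principal, privilege and restriction values are constructed.

```python
from urllib.parse import parse_qsl

STATES = {"allow", "deny", "all"}                 # values documented on this page
ALIASES = {"granted": "allow", "denied": "deny"}  # backward-compatible aliases

# Constructed sample body; all names and values are illustrative.
SAMPLE_BODY = (
    "principalId=alice"
    "&privilege%40jcr%3Aread=granted"
    "&privilege%40jcr%3Awrite=deny"
    "&restriction%40rep%3Aglob=%2Fdocs%2F*"
    "&restriction%40jcr%3Aread%40rep%3AitemNames%40Allow=title"
    "&privilege%40jcr%3AmodifyAccessControl%40Delete=all"
    "&privilege%40jcr%3AremoveNode=maybe"
)


def classify(name, value):
    """Map one POST parameter to (operation, detail) per the documented grammar."""
    if name == "principalId":
        return ("principal", value)
    kind, *args = name.split("@")
    bad = ("invalid", f"{name}: unexpected value {value!r}")
    if kind == "privilege" and len(args) == 1:
        state = ALIASES.get(value, value)  # aliases apply to privilege@name only
        return ("set-privilege", (args[0], state)) if state in STATES else bad
    if kind == "privilege" and len(args) == 2 and args[1] == "Delete":
        return ("delete-privilege", (args[0], value)) if value in STATES else bad
    if kind == "restriction" and len(args) == 1:
        # General restriction: not tied to a privilege or to allow/deny.
        return ("set-restriction", (None, args[0], None, value))
    if kind == "restriction" and len(args) == 2 and args[1] == "Delete":
        return ("delete-restriction", (None, args[0], None))
    if kind == "restriction" and len(args) == 3:
        privilege, restriction, suffix = args
        if suffix in ("Allow", "Deny"):
            return ("set-restriction", (privilege, restriction, suffix.lower(), value))
        if suffix == "Delete":
            ok = value in STATES
            return ("delete-restriction", (privilege, restriction, value)) if ok else bad
    return ("ignored", name)


def audit(body):
    """Summarise the ACE changes a form-encoded request body asks for."""
    result = {"principal": None, "changes": [], "invalid": [], "ignored": []}
    for name, value in parse_qsl(body, keep_blank_values=True):
        op, detail = classify(name, value)
        if op == "principal":
            result["principal"] = detail
        elif op in ("invalid", "ignored"):
            result[op].append(detail)
        else:
            result["changes"].append((op, detail))
    return result


if __name__ == "__main__":
    for key, val in audit(SAMPLE_BODY).items():
        print(key, val)
```
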

Response

200
Success.
404
The resource was not found.
500
Failure. HTML explains the failure.

Notes

The principalId is assumed to refer directly to an Authorizable that comes directly from the UserManager. This can be a group or a user, but if it's a group, denied permissions will not be added to the group. The group will only contain granted privileges.

  • Constructor Details

    • ModifyAceServlet

      public ModifyAceServlet()
  • Method Details

    • handleOperation

      protected void handleOperation(SlingHttpServletRequest request, PostResponse response, List<Modification> changes) throws javax.jcr.RepositoryException
      Description copied from class: AbstractAccessPostServlet
      Extending Servlet should implement this operation to do the work
      Specified by:
      handleOperation in class AbstractAccessPostServlet
      Parameters:
      request - the sling http request to process
      response - the response
      changes - the changes to report
      Throws:
      javax.jcr.RepositoryException - if any errors applying the changes
    • validateArgs

      @NotNull protected Principal validateArgs(javax.jcr.Session jcrSession, String resourcePath, String principalId) throws javax.jcr.RepositoryException
      Verify that the user-supplied arguments are valid
      Parameters:
      jcrSession - the JCR session
      resourcePath - the resource path
      principalId - the principal id
      Returns:
      the principal for the requested principalId
      Throws:
      javax.jcr.RepositoryException
    • buildRestrictionNameToDefinitionMap

      @NotNull protected Map<String,org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition> buildRestrictionNameToDefinitionMap(@NotNull String resourcePath)
      Calculate a map of restriction names to the restriction definition
      Parameters:
      resourcePath - the path of the resource
      Returns:
      map of restriction names to definition
    • loadStoredAce

      @NotNull protected Map<javax.jcr.security.Privilege,LocalPrivilege> loadStoredAce(@NotNull javax.jcr.security.AccessControlManager acm, @NotNull String resourcePath, @NotNull Principal forPrincipal, @NotNull Map<String,org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition> srMap) throws javax.jcr.RepositoryException
      Loads the state for the currently stored ACE for the specified principal. The state for any aggregate privilege is expanded to make it easier to merge changes.
      Parameters:
      acm - the access control manager
      resourcePath - the resource path
      forPrincipal - the principal to load the ace for
      srMap - map of restriction names to the restriction definition
      Returns:
      the privileges from the ace as a map where the key is the privilege and the value is the LocalPrivilege that encapsulates the state
      Throws:
      javax.jcr.RepositoryException
    • getJackrabbitAccessControlEntry

      @Nullable protected org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry getJackrabbitAccessControlEntry(@NotNull javax.jcr.security.AccessControlEntry entry, @NotNull String resourcePath, @NotNull Principal forPrincipal)
    • getMatchedRequestParameterNames

      @NotNull protected Map<String,Matcher> getMatchedRequestParameterNames(@NotNull SlingHttpServletRequest request, @NotNull Pattern pattern)
      Helper to return a filtered list of parameter names that match the pattern
      Parameters:
      request - the current request
      pattern - the regex pattern to match
      Returns:
      map of parameter names to Matcher that match the pattern
    • processPostedPrivilegeDeleteParams

      protected void processPostedPrivilegeDeleteParams(@NotNull javax.jcr.security.AccessControlManager acm, @NotNull SlingHttpServletRequest request, @NotNull Map<javax.jcr.security.Privilege,LocalPrivilege> privilegeToLocalPrivilegesMap) throws javax.jcr.RepositoryException
      Merge into the privilegeToLocalPrivilegesMap the changes requested in privilege delete request parameters.
      Parameters:
      acm - the access control manager
      request - the current request
      privilegeToLocalPrivilegesMap - the map containing the declared LocalPrivilege items
      Throws:
      javax.jcr.RepositoryException
    • processPostedRestrictionDeleteParams

      protected void processPostedRestrictionDeleteParams(@NotNull javax.jcr.security.AccessControlManager acm, @NotNull SlingHttpServletRequest request, @NotNull Map<String,org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition> srMap, @NotNull Map<javax.jcr.security.Privilege,LocalPrivilege> privilegeToLocalPrivilegesMap) throws javax.jcr.RepositoryException
      Merge into the privilegeToLocalPrivilegesMap the changes requested in restriction delete request parameters.
      Parameters:
      acm - the access control manager
      request - the current request
      srMap - map of restriction names to the restriction definition
      privilegeToLocalPrivilegesMap - the map containing the declared LocalPrivilege items
      Throws:
      javax.jcr.RepositoryException
    • postedRestrictionsForPrivilege

      protected Set<LocalRestriction> postedRestrictionsForPrivilege(@NotNull SlingHttpServletRequest request, @NotNull Map<String,org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition> srMap, @NotNull javax.jcr.security.Privilege forPrivilege, @NotNull org.apache.sling.jcr.jackrabbit.accessmanager.post.ModifyAceServlet.PrivilegeValues forAllowOrDeny, @NotNull Set<LocalRestriction> generalRestrictions) throws javax.jcr.RepositoryException
      Populate the restrictions that were posted and applicable to the requested privilege
      Parameters:
      request - the current request
      srMap - map of restriction names to the restriction definition
      forPrivilege - the privilege to load the restrictions for
      forAllowOrDeny - either ModifyAceServlet.PrivilegeValues.ALLOW or ModifyAceServlet.PrivilegeValues.DENY
      generalRestrictions - the general restrictions that are not for a specific privilege
      Throws:
      javax.jcr.RepositoryException
    • toLocalRestriction

      protected LocalRestriction toLocalRestriction(@NotNull SlingHttpServletRequest request, @NotNull Map<String,org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition> srMap, @NotNull String restrictionName, @NotNull String paramName) throws javax.jcr.RepositoryException
      Construct a LocalRestriction using data from a request parameter
      Parameters:
      request - the current request
      srMap - map of restriction names to the restriction definition
      restrictionName - the name of the restriction
      paramName - the request parameter name that contains the restriction values
      Throws:
      javax.jcr.RepositoryException
    • processPostedPrivilegeAndRestrictionParams

      protected void processPostedPrivilegeAndRestrictionParams(@NotNull javax.jcr.security.AccessControlManager acm, @NotNull SlingHttpServletRequest request, @NotNull Map<String,org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition> srMap, @NotNull Map<javax.jcr.security.Privilege,LocalPrivilege> privilegeToLocalPrivilegesMap, @NotNull Map<javax.jcr.security.Privilege,Integer> privilegeLongestDepthMap) throws javax.jcr.RepositoryException
      Merge into the privilegeToLocalPrivilegesMap the changes requested in privilege and restriction request parameters.
      Parameters:
      acm - the access control manager
      request - the current request
      srMap - map of restriction names to the restriction definition
      privilegeToLocalPrivilegesMap - the map containing the declared LocalPrivilege items
      privilegeLongestDepthMap - the map of privileges to their longest depth
      Throws:
      javax.jcr.RepositoryException
    • applyPrivilegeAndRestrictions

      protected void applyPrivilegeAndRestrictions(@NotNull Map<javax.jcr.security.Privilege,LocalPrivilege> privilegeToLocalPrivilegesMap, @NotNull javax.jcr.security.Privilege p, boolean allow, @NotNull Set<LocalRestriction> allowRestrictions, boolean deny, @NotNull Set<LocalRestriction> denyRestrictions) throws javax.jcr.RepositoryException
      Apply the privilege and restrictions to the local privileges
      Parameters:
      privilegeToLocalPrivilegesMap - the map containing the declared LocalPrivilege items
      p - the privilege
      allow - true if the privilege is to be allowed
      allowRestrictions - restrictions (if any) for the allow
      deny - true if the privilege is to be denied
      denyRestrictions - restrictions (if any) for the deny
      Throws:
      javax.jcr.RepositoryException
    • getAcl

      protected org.apache.jackrabbit.api.security.JackrabbitAccessControlList getAcl(@NotNull javax.jcr.security.AccessControlManager acm, String resourcePath, Principal principal) throws javax.jcr.RepositoryException
      Lookup the ACL for the given resource
      Parameters:
      acm - the access control manager
      resourcePath - the resource path
      principal - the principal for principal-based ACL
      Returns:
      the found ACL object
      Throws:
      javax.jcr.RepositoryException
    • removeAces

      protected String removeAces(@NotNull String resourcePath, @Nullable String order, @NotNull Principal principal, @NotNull org.apache.jackrabbit.api.security.JackrabbitAccessControlList acl) throws javax.jcr.RepositoryException
      Remove all of the ACEs for the specified principal from the ACL
      Parameters:
      order - the requested order (may be null)
      principal - the principal whose aces should be removed
      acl - the access control list to update
      Returns:
      the original order if it was supplied, otherwise the order of the first ACE
      Throws:
      javax.jcr.RepositoryException
    • addAces

      protected void addAces(@NotNull String resourcePath, @NotNull Principal principal, @NotNull Map<Set<LocalRestriction>,List<LocalPrivilege>> restrictionsToLocalPrivilegesMap, boolean isAllow, @NotNull org.apache.jackrabbit.api.security.JackrabbitAccessControlList acl, Map<javax.jcr.security.Privilege,Integer> privilegeLongestDepthMap) throws javax.jcr.RepositoryException
      Add ACEs for the specified principal to the ACL. One ACE is added for each unique restriction set.
      Parameters:
      resourcePath - the path of the resource
      principal - the principal whose aces should be added
      restrictionsToLocalPrivilegesMap - the map containing the restrictions mapped to the LocalPrivilege items with those restrictions
      isAllow - true for 'allow' ACE, false for 'deny' ACE
      acl - the access control list to update
      Throws:
      javax.jcr.RepositoryException
    • modifyAce

      public void modifyAce(javax.jcr.Session jcrSession, String resourcePath, String principalId, Map<String,String> privileges, String order, boolean autoSave) throws javax.jcr.RepositoryException
      Description copied from interface: ModifyAce
      Add or modify the access control entry for the specified user or group.
      Specified by:
      modifyAce in interface ModifyAce
      Parameters:
      jcrSession - the JCR session of the user updating the user
      resourcePath - The absolute path of the resource to apply the ACE to (required)
      principalId - The name of the user/group to provision (required)
      privileges - Map of privileges to apply. (optional)
      order - where the access control entry should go in the list.
      The value should be one of these:
        null - If the ACE for the principal doesn't exist add at the end, otherwise leave the ACE at its current position.
        first - Place the target ACE as the first amongst its siblings
        last - Place the target ACE as the last amongst its siblings
        before xyz - Place the target ACE immediately before the sibling whose name is xyz
        after xyz - Place the target ACE immediately after the sibling whose name is xyz
        numeric - Place the target ACE at the specified numeric index
      autoSave - true to automatically save changes to the JCR session, false otherwise
      Throws:
      javax.jcr.RepositoryException - if any errors applying the changes
    • modifyAce

      public void modifyAce(javax.jcr.Session jcrSession, String resourcePath, String principalId, Map<String,String> privileges, String order) throws javax.jcr.RepositoryException
      Description copied from interface: ModifyAce
      Add or modify the access control entry for the specified user or group. This is equivalent to ModifyAce.modifyAce(Session, String, String, Map, String, boolean) with the autoSave parameter value equal to true.
      Specified by:
      modifyAce in interface ModifyAce
      Parameters:
      jcrSession - the JCR session of the user updating the user
      resourcePath - The absolute path of the resource to apply the ACE to (required)
      principalId - The name of the user/group to provision (required)
      privileges - Map of privileges to apply. (optional)
      order - where the access control entry should go in the list.
      The value should be one of these:
        null - If the ACE for the principal doesn't exist add at the end, otherwise leave the ACE at its current position.
        first - Place the target ACE as the first amongst its siblings
        last - Place the target ACE as the last amongst its siblings
        before xyz - Place the target ACE immediately before the sibling whose name is xyz
        after xyz - Place the target ACE immediately after the sibling whose name is xyz
        numeric - Place the target ACE at the specified numeric index
      Throws:
      javax.jcr.RepositoryException - if any errors applying the changes
    • modifyAce

      public void modifyAce(javax.jcr.Session jcrSession, String resourcePath, String principalId, Map<String,String> privileges, String order, Map<String,javax.jcr.Value> restrictions, Map<String,javax.jcr.Value[]> mvRestrictions, Set<String> removeRestrictionNames) throws javax.jcr.RepositoryException
      Description copied from interface: ModifyAce
      Add or modify the access control entry for the specified user or group. This is equivalent to ModifyAce.modifyAce(Session, String, String, Map, String, Map, Map, Set, boolean) with the autoSave parameter value equal to true.
      Specified by:
      modifyAce in interface ModifyAce
      Parameters:
      jcrSession - the JCR session of the user updating the user
      resourcePath - The absolute path of the resource to apply the ACE to (required)
      principalId - The name of the user/group to provision (required)
      privileges - Map of privileges to apply. (optional)
      order - where the access control entry should go in the list.
      The value should be one of these:
        null - If the ACE for the principal doesn't exist add at the end, otherwise leave the ACE at its current position.
        first - Place the target ACE as the first amongst its siblings
        last - Place the target ACE as the last amongst its siblings
        before xyz - Place the target ACE immediately before the sibling whose name is xyz
        after xyz - Place the target ACE immediately after the sibling whose name is xyz
        numeric - Place the target ACE at the specified numeric index
      restrictions - Map of single-value restrictions to apply. (optional)
      mvRestrictions - Map of multi-value restrictions to apply. (optional)
      removeRestrictionNames - Set of existing restriction names to remove (optional)
      Throws:
      javax.jcr.RepositoryException - if any errors applying the changes
    • modifyAce

      public void modifyAce(javax.jcr.Session jcrSession, String resourcePath, String principalId, Map<String,String> privileges, String order, Map<String,javax.jcr.Value> restrictions, Map<String,javax.jcr.Value[]> mvRestrictions, Set<String> removeRestrictionNames, boolean autoSave) throws javax.jcr.RepositoryException
      Description copied from interface: ModifyAce
      Add or modify the access control entry for the specified user or group.
      Specified by:
      modifyAce in interface ModifyAce
      Parameters:
      jcrSession - the JCR session of the user updating the user
      resourcePath - The absolute path of the resource to apply the ACE to (required)
      principalId - The name of the user/group to provision (required)
      privileges - Map of privileges to apply. (optional)
      order - where the access control entry should go in the list.
      The value should be one of these:
        null - If the ACE for the principal doesn't exist add at the end, otherwise leave the ACE at its current position.
        first - Place the target ACE as the first amongst its siblings
        last - Place the target ACE as the last amongst its siblings
        before xyz - Place the target ACE immediately before the sibling whose name is xyz
        after xyz - Place the target ACE immediately after the sibling whose name is xyz
        numeric - Place the target ACE at the specified numeric index
      restrictions - Map of single-value restrictions to apply. (optional)
      mvRestrictions - Map of multi-value restrictions to apply. (optional)
      removeRestrictionNames - Set of existing restriction names to remove (optional)
      autoSave - true to automatically save changes to the JCR session, false otherwise
      Throws:
      javax.jcr.RepositoryException - if any errors applying the changes
    • modifyAce

      protected void modifyAce(javax.jcr.Session jcrSession, String resourcePath, String principalId, Map<String,String> privileges, String order, Map<String,javax.jcr.Value> restrictions, Map<String,javax.jcr.Value[]> mvRestrictions, Set<String> removeRestrictionNames, boolean autoSave, List<Modification> changes) throws javax.jcr.RepositoryException
      Throws:
      javax.jcr.RepositoryException
    • modifyAce

      public void modifyAce(javax.jcr.Session jcrSession, String resourcePath, String principalId, Collection<LocalPrivilege> localPrivileges, String order, boolean autoSave) throws javax.jcr.RepositoryException
      Description copied from interface: ModifyAce
      Add or modify the access control entry for the specified user or group.
      Specified by:
      modifyAce in interface ModifyAce
      Parameters:
      jcrSession - the JCR session of the user updating the user
      resourcePath - The absolute path of the resource to apply the ACE to (required)
      principalId - The name of the user/group to provision (required)
      localPrivileges - collection of privileges to apply.
      order - where the access control entry should go in the list.
      The value should be one of these:
        null - If the ACE for the principal doesn't exist add at the end, otherwise leave the ACE at its current position.
        first - Place the target ACE as the first amongst its siblings
        last - Place the target ACE as the last amongst its siblings
        before xyz - Place the target ACE immediately before the sibling whose name is xyz
        after xyz - Place the target ACE immediately after the sibling whose name is xyz
        numeric - Place the target ACE at the specified numeric index
      autoSave - true to automatically save changes to the JCR session, false otherwise
      Throws:
      javax.jcr.RepositoryException - if any errors applying the changes
    • modifyAce

      protected void modifyAce(javax.jcr.Session jcrSession, String resourcePath, String principalId, Collection<LocalPrivilege> localPrivileges, String order, boolean autoSave, List<Modification> changes) throws javax.jcr.RepositoryException
      Throws:
      javax.jcr.RepositoryException