Class ModifyPrincipalAceServlet

All Implemented Interfaces:
Serializable, javax.servlet.Servlet, javax.servlet.ServletConfig, ModifyAce, ModifyPrincipalAce

public class ModifyPrincipalAceServlet extends ModifyAceServlet implements ModifyPrincipalAce

Sling Post Servlet implementation for modifying the principal-based ACE for a principal on a JCR resource.

Rest Service Description

Modify a principal's ACEs for the node identified as a resource by the request URL <resource>.modifyPAce.html

Transport Details:

Methods

  • POST

Post Parameters

principalId
The principal of the ACEs to modify in the ACL specified by the path.
privilege@[privilege_name]
One or more privileges which will be applied to the ACE. Any permissions that are present in an existing ACE for the principal but not in the request are left untouched. The parameter value must be either 'allow' or 'all'. For backward compatibility, 'granted' may also be used for the parameter value as an alias for 'allow'.
restriction@[restriction_name]
One or more restrictions which will be applied to the ACE. The value is the target value of the restriction to be set.
restriction@[restriction_name]@Delete
One or more restrictions which will be removed from the ACE.
privilege@[privilege_name]@Delete
One param for each privilege to delete. The parameter value must be either 'allow' or 'all' to specify which state to delete from.
restriction@[privilege_name]@[restriction_name]@Allow
restriction@[privilege_name]@[restriction_name]@Deny
One param for each restriction value. The same parameter name may be used again for multi-value restrictions. The @Allow suffix specifies whether to apply the restriction to the 'allow' privilege. The value is the target value of the restriction to be set.
restriction@[privilege_name]@[restriction_name]@Delete
One param for each restriction to delete. The parameter value must be either 'allow' or 'all' to specify which state to delete from.

Response

200
Success.
404
The resource was not found.
500
Failure. HTML explains the failure.

Notes

The principalId is assumed to refer directly to an Authorizable that comes directly from the UserManager. This can be a group or a user, but if it's a group, denied permissions will not be added to the group. The group will only contain granted privileges.
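
As an added example (not part of the Sling documentation), this shell helper assembles the form fields from the parameter list above and rejects any privilege state that list does not name, so a value such as `deny` is caught before the request is sent. The spec syntax, the `SLING_USER`/`SLING_PASS` variables, the principal name and the URL in the comment are assumptions.

```shell
# Added example; host, credentials, node path and principal are placeholders.

# Print one "name=value" form field per line for a modifyPAce POST.
# Specs:  priv:<privilege>=<state>         -> privilege@<privilege>
#         priv-delete:<privilege>=<state>  -> privilege@<privilege>@Delete
#         restr:<restriction>=<value>      -> restriction@<restriction>
# Returns 2 and prints no fields if any spec is not in a documented form.
pace_fields() {
  _principal=$1; shift
  [ -n "$_principal" ] || { echo "principalId is required" >&2; return 2; }
  _out="principalId=$_principal"
  for _spec in "$@"; do
    _kind=${_spec%%:*}; _rest=${_spec#*:}
    _name=${_rest%%=*}; _value=${_rest#*=}
    case "$_rest" in *=*) ;; *) echo "missing value: $_spec" >&2; return 2 ;; esac
    case "$_kind" in
      priv)        # 'granted' is the documented alias for 'allow'
        case "$_value" in allow|all|granted) ;; *)
          echo "unsupported state '$_value' for $_name" >&2; return 2 ;; esac
        _field="privilege@$_name=$_value" ;;
      priv-delete)
        case "$_value" in allow|all) ;; *)
          echo "unsupported state '$_value' for $_name" >&2; return 2 ;; esac
        _field="privilege@$_name@Delete=$_value" ;;
      restr) _field="restriction@$_name=$_value" ;;
      *) echo "unknown spec: $_spec" >&2; return 2 ;;
    esac
    _out="$_out
$_field"
  done
  printf '%s\n' "$_out"
}

# POST the fields to <resource>.modifyPAce.html. --form-string sends each value
# literally, so a leading '@' or '<' in a value is never read as a file name;
# --fail turns the 404 and 500 responses into a non-zero exit status.
modify_pace() {
  _url=$1; _id=$2; shift 2
  _fields=$(pace_fields "$_id" "$@") || return 2
  set --
  while IFS= read -r _line; do set -- "$@" --form-string "$_line"; done <<EOF
$_fields
EOF
  curl --fail --silent --show-error --user "$SLING_USER:$SLING_PASS" "$@" "$_url"
}

# Dry run with constructed values: show the fields without sending anything.
pace_fields my-service-user 'priv:jcr:read=allow' 'restr:rep:glob=/*'
# modify_pace http://localhost:8080/content/example.modifyPAce.html \
#   my-service-user 'priv:jcr:read=allow' 'restr:rep:glob=/*'
```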

  • Constructor Details

    • ModifyPrincipalAceServlet

      public ModifyPrincipalAceServlet()
  • Method Details

    • allowNonExistingPaths

      protected boolean allowNonExistingPaths()
      Description copied from class: AbstractAccessPostServlet
      Returns whether this operation can operate on paths that do not exist yet
      Overrides:
      allowNonExistingPaths in class AbstractAccessPostServlet
      Returns:
      true if the resourcePath must exist, false otherwise
    • modifyPrincipalAce

      public void modifyPrincipalAce(javax.jcr.Session jcrSession, String resourcePath, String principalId, Map<String,String> privileges, boolean autoSave) throws javax.jcr.RepositoryException
      Description copied from interface: ModifyPrincipalAce
      Add or modify the access control entry for the specified user or group.
      Specified by:
      modifyPrincipalAce in interface ModifyPrincipalAce
      Parameters:
      jcrSession - the JCR session of the user updating the user
      resourcePath - The absolute path of the resource to apply the ACE to (required)
      principalId - The name of the user/group to provision (required)
      privileges - Map of privileges to apply. (optional)
      autoSave - true to automatically save changes to the JCR session, false otherwise
      Throws:
      javax.jcr.RepositoryException - if any errors applying the changes
    • modifyPrincipalAce

      public void modifyPrincipalAce(javax.jcr.Session jcrSession, String resourcePath, String principalId, Map<String,String> privileges, Map<String,javax.jcr.Value> restrictions, Map<String,javax.jcr.Value[]> mvRestrictions, Set<String> removeRestrictionNames, boolean autoSave) throws javax.jcr.RepositoryException
      Description copied from interface: ModifyPrincipalAce
      Add or modify the access control entry for the specified user or group.
      Specified by:
      modifyPrincipalAce in interface ModifyPrincipalAce
      Parameters:
      jcrSession - the JCR session of the user updating the user
      resourcePath - The absolute path of the resource to apply the ACE to (required)
      principalId - The name of the user/group to provision (required)
      privileges - Map of privileges to apply. (optional)
      restrictions - Map of single-value restrictions to apply. (optional)
      mvRestrictions - Map of multi-value restrictions to apply. (optional)
      removeRestrictionNames - Set of existing restriction names to remove (optional)
      autoSave - true to automatically save changes to the JCR session, false otherwise
      Throws:
      javax.jcr.RepositoryException - if any errors applying the changes
    • modifyPrincipalAce

      public void modifyPrincipalAce(javax.jcr.Session jcrSession, String resourcePath, String principalId, Collection<LocalPrivilege> localPrivileges, boolean autoSave) throws javax.jcr.RepositoryException
      Description copied from interface: ModifyPrincipalAce
      Add or modify the access control entry for the specified user or group.
      Specified by:
      modifyPrincipalAce in interface ModifyPrincipalAce
      Parameters:
      jcrSession - the JCR session of the user updating the user
      resourcePath - The absolute path of the resource to apply the ACE to (required)
      principalId - The name of the user/group to provision (required)
      localPrivileges - collection of privileges to apply.
      autoSave - true to automatically save changes to the JCR session, false otherwise
      Throws:
      javax.jcr.RepositoryException - if any errors applying the changes
    • getAcl

      protected org.apache.jackrabbit.api.security.JackrabbitAccessControlList getAcl(@NotNull javax.jcr.security.AccessControlManager acm, String resourcePath, Principal principal) throws javax.jcr.RepositoryException
      Override to ensure that we get the policy that implements PrincipalAccessControlList
      Overrides:
      getAcl in class ModifyAceServlet
      Parameters:
      acm - the access control manager
      resourcePath - the resource path
      principal - the principal for the principal-based ACL
      Returns:
      the found ACL object
      Throws:
      javax.jcr.RepositoryException
    • removeAces

      protected String removeAces(@NotNull String resourcePath, @Nullable String order, @NotNull Principal principal, @NotNull org.apache.jackrabbit.api.security.JackrabbitAccessControlList acl) throws javax.jcr.RepositoryException
      Override to ensure that we only remove the entries that have an effectivePath that matches the current resourcePath
      Overrides:
      removeAces in class ModifyAceServlet
      Parameters:
      order - the requested order (may be null)
      principal - the principal whose aces should be removed
      acl - the access control list to update
      Returns:
      the original order if it was supplied, otherwise the order of the first ACE
      Throws:
      javax.jcr.RepositoryException
    • addAces

      protected void addAces(@NotNull String resourcePath, @NotNull Principal principal, @NotNull Map<Set<LocalRestriction>,List<LocalPrivilege>> restrictionsToLocalPrivilegesMap, boolean isAllow, @NotNull org.apache.jackrabbit.api.security.JackrabbitAccessControlList acl, Map<javax.jcr.security.Privilege,Integer> privilegeLongestDepthMap) throws javax.jcr.RepositoryException
      Override to ensure we do not add an entry that denies privileges, which is not allowed in a principal ACE
      Overrides:
      addAces in class ModifyAceServlet
      Parameters:
      resourcePath - the path of the resource
      principal - the principal whose aces should be added
      restrictionsToLocalPrivilegesMap - the map containing the restrictions mapped to the LocalPrivilege items with those restrictions
      isAllow - true for 'allow' ACE, false for 'deny' ACE
      acl - the access control list to update
      Throws:
      javax.jcr.RepositoryException
    • getJackrabbitAccessControlEntry

      @Nullable protected org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry getJackrabbitAccessControlEntry(@NotNull javax.jcr.security.AccessControlEntry entry, @NotNull String resourcePath, @NotNull Principal forPrincipal)
      Override to ensure that we only return the entries that have an effectivePath that matches the current resourcePath
      Overrides:
      getJackrabbitAccessControlEntry in class ModifyAceServlet