org.apache.sling.jcr.base.util
Class AccessControlUtil

java.lang.Object
  extended by org.apache.sling.jcr.base.util.AccessControlUtil

public class AccessControlUtil
extends Object

A simple utility class providing utilities with respect to access control over repositories.


Constructor Summary
AccessControlUtil()
           
 
Method Summary
static boolean addEntry(javax.jcr.security.AccessControlList acl, Principal principal, javax.jcr.security.Privilege[] privileges, boolean isAllow)
          Same as addEntry(AccessControlList, Principal, Privilege[], boolean, Map) using some implementation specific restrictions.
static boolean addEntry(javax.jcr.security.AccessControlList acl, Principal principal, javax.jcr.security.Privilege[] privileges, boolean isAllow, Map restrictions)
          Adds an access control entry to the acl consisting of the specified principal, the specified privileges, the isAllow flag and an optional map containing additional restrictions.
static javax.jcr.security.AccessControlManager getAccessControlManager(javax.jcr.Session session)
          Returns the AccessControlManager for the given session.
static String getPath(javax.jcr.security.AccessControlList acl)
          Returns the path of the node AccessControlList acl has been created for.
static org.apache.jackrabbit.api.security.principal.PrincipalManager getPrincipalManager(javax.jcr.Session session)
          Returns the PrincipalManager for the given session.
static org.apache.jackrabbit.api.security.user.UserManager getUserManager(javax.jcr.Session session)
          Returns the UserManager for the given session.
static boolean isAllow(javax.jcr.security.AccessControlEntry ace)
          Returns true if the AccessControlEntry represents 'allowed' rights or false it it represents 'denied' rights.
static boolean isEmpty(javax.jcr.security.AccessControlList acl)
          Returns true if AccessControlList acl does not yet define any entries.
static void replaceAccessControlEntry(javax.jcr.Session session, String resourcePath, Principal principal, String[] grantedPrivilegeNames, String[] deniedPrivilegeNames, String[] removedPrivilegeNames)
          Deprecated. use @link replaceAccessControlEntry(Session, String, Principal, String[], String[], String[], String) instead.
static void replaceAccessControlEntry(javax.jcr.Session session, String resourcePath, Principal principal, String[] grantedPrivilegeNames, String[] deniedPrivilegeNames, String[] removedPrivilegeNames, String order)
          Replaces existing access control entries in the ACL for the specified principal and resourcePath.
static int size(javax.jcr.security.AccessControlList acl)
          Returns the number of acl entries or 0 if the acl is empty.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

AccessControlUtil

public AccessControlUtil()
Method Detail

getAccessControlManager

public static javax.jcr.security.AccessControlManager getAccessControlManager(javax.jcr.Session session)
                                                                       throws javax.jcr.UnsupportedRepositoryOperationException,
                                                                              javax.jcr.RepositoryException
Returns the AccessControlManager for the given session. If the session does not have a getAccessControlManager method, a UnsupportedRepositoryOperationException is thrown. Otherwise the AccessControlManager is returned or if the call fails, the respective exception is thrown.

Parameters:
session - The JCR Session whose AccessControlManager is to be returned. If the session is a pooled session, the session underlying the pooled session is actually used.
Returns:
The AccessControlManager of the session
Throws:
javax.jcr.UnsupportedRepositoryOperationException - If the session has no getAccessControlManager method or the exception thrown by the method.
javax.jcr.RepositoryException - Forwarded from the getAccessControlManager method call.

getUserManager

public static org.apache.jackrabbit.api.security.user.UserManager getUserManager(javax.jcr.Session session)
                                                                          throws javax.jcr.AccessDeniedException,
                                                                                 javax.jcr.UnsupportedRepositoryOperationException,
                                                                                 javax.jcr.RepositoryException
Returns the UserManager for the given session. If the session does not have a getUserManager method, a UnsupportedRepositoryOperationException is thrown. Otherwise the UserManager is returned or if the call fails, the respective exception is thrown.

Parameters:
session - The JCR Session whose UserManager is to be returned. If the session is not a JackrabbitSession uses reflection to retrive the manager from the repository.
Returns:
The UserManager of the session.
Throws:
javax.jcr.AccessDeniedException - If this session is not allowed to access user data.
javax.jcr.UnsupportedRepositoryOperationException - If the session has no getUserManager method or the exception thrown by the method.
javax.jcr.RepositoryException - Forwarded from the getUserManager method call.

getPrincipalManager

public static org.apache.jackrabbit.api.security.principal.PrincipalManager getPrincipalManager(javax.jcr.Session session)
                                                                                         throws javax.jcr.AccessDeniedException,
                                                                                                javax.jcr.UnsupportedRepositoryOperationException,
                                                                                                javax.jcr.RepositoryException
Returns the PrincipalManager for the given session. If the session does not have a PrincipalManager method, a UnsupportedRepositoryOperationException is thrown. Otherwise the PrincipalManager is returned or if the call fails, the respective exception is thrown.

Parameters:
session - The JCR Session whose PrincipalManager is to be returned. If the session is not a JackrabbitSession uses reflection to retrive the manager from the repository.
Returns:
The PrincipalManager of the session.
Throws:
javax.jcr.AccessDeniedException
javax.jcr.UnsupportedRepositoryOperationException - If the session has no PrincipalManager method or the exception thrown by the method.
javax.jcr.RepositoryException - Forwarded from the PrincipalManager method call.

getPath

public static String getPath(javax.jcr.security.AccessControlList acl)
                      throws javax.jcr.RepositoryException
Returns the path of the node AccessControlList acl has been created for.

Throws:
javax.jcr.RepositoryException

isEmpty

public static boolean isEmpty(javax.jcr.security.AccessControlList acl)
                       throws javax.jcr.RepositoryException
Returns true if AccessControlList acl does not yet define any entries.

Throws:
javax.jcr.RepositoryException

size

public static int size(javax.jcr.security.AccessControlList acl)
                throws javax.jcr.RepositoryException
Returns the number of acl entries or 0 if the acl is empty.

Throws:
javax.jcr.RepositoryException

addEntry

public static boolean addEntry(javax.jcr.security.AccessControlList acl,
                               Principal principal,
                               javax.jcr.security.Privilege[] privileges,
                               boolean isAllow)
                        throws javax.jcr.security.AccessControlException,
                               javax.jcr.RepositoryException
Same as addEntry(AccessControlList, Principal, Privilege[], boolean, Map) using some implementation specific restrictions.

Throws:
javax.jcr.security.AccessControlException
javax.jcr.RepositoryException

addEntry

public static boolean addEntry(javax.jcr.security.AccessControlList acl,
                               Principal principal,
                               javax.jcr.security.Privilege[] privileges,
                               boolean isAllow,
                               Map restrictions)
                        throws javax.jcr.UnsupportedRepositoryOperationException,
                               javax.jcr.RepositoryException
Adds an access control entry to the acl consisting of the specified principal, the specified privileges, the isAllow flag and an optional map containing additional restrictions.

This method returns true if this policy was modified, false otherwise.

Throws:
javax.jcr.UnsupportedRepositoryOperationException
javax.jcr.RepositoryException

replaceAccessControlEntry

public static void replaceAccessControlEntry(javax.jcr.Session session,
                                             String resourcePath,
                                             Principal principal,
                                             String[] grantedPrivilegeNames,
                                             String[] deniedPrivilegeNames,
                                             String[] removedPrivilegeNames)
                                      throws javax.jcr.RepositoryException
Deprecated. use @link replaceAccessControlEntry(Session, String, Principal, String[], String[], String[], String) instead.

Replaces existing access control entries in the ACL for the specified principal and resourcePath. Any existing granted or denied privileges which do not conflict with the specified privileges are maintained. Where conflicts exist, existing privileges are dropped. The end result will be at most two ACEs for the principal: one for grants and one for denies. Aggregate privileges are disaggregated before checking for conflicts.

Parameters:
session -
resourcePath -
principal -
grantedPrivilegeNames -
deniedPrivilegeNames -
removedPrivilegeNames - privileges which, if they exist, should be removed for this principal and resource
Throws:
javax.jcr.RepositoryException

replaceAccessControlEntry

public static void replaceAccessControlEntry(javax.jcr.Session session,
                                             String resourcePath,
                                             Principal principal,
                                             String[] grantedPrivilegeNames,
                                             String[] deniedPrivilegeNames,
                                             String[] removedPrivilegeNames,
                                             String order)
                                      throws javax.jcr.RepositoryException
Replaces existing access control entries in the ACL for the specified principal and resourcePath. Any existing granted or denied privileges which do not conflict with the specified privileges are maintained. Where conflicts exist, existing privileges are dropped. The end result will be at most two ACEs for the principal: one for grants and one for denies. Aggregate privileges are disaggregated before checking for conflicts.

Parameters:
session -
resourcePath -
principal -
grantedPrivilegeNames -
deniedPrivilegeNames -
removedPrivilegeNames - privileges which, if they exist, should be removed for this principal and resource
order - where the access control entry should go in the list. Value should be one of these:
nullIf the ACE for the principal doesn't exist add at the end, otherwise leave the ACE at it's current position.
firstPlace the target ACE as the first amongst its siblings
lastPlace the target ACE as the last amongst its siblings
before xyzPlace the target ACE immediately before the sibling whose name is xyz
after xyzPlace the target ACE immediately after the sibling whose name is xyz
numericPlace the target ACE at the specified numeric index
Throws:
javax.jcr.RepositoryException

isAllow

public static boolean isAllow(javax.jcr.security.AccessControlEntry ace)
                       throws javax.jcr.RepositoryException
Returns true if the AccessControlEntry represents 'allowed' rights or false it it represents 'denied' rights.

Throws:
javax.jcr.RepositoryException


Copyright © 2007-2011 The Apache Software Foundation. All Rights Reserved.