package org.argeo.jackrabbit.security;

import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;

import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.Privilege;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.argeo.jcr.JcrUtils;
17 /** Utilities around Jackrabbit security extensions. */
18 public class JackrabbitSecurityUtils
{
/** Class logger (commons-logging); used only at debug level in this class. */
private static final Log log = LogFactory.getLog(JackrabbitSecurityUtils.class);
/**
 * Convenience method for denying a single privilege to a principal (user or
 * role), typically {@code jcr:all}. Delegates to
 * {@link #denyPrivileges(Session, String, Principal, List)}, so the same side
 * effects apply: pending changes in {@code session} are discarded before the
 * policy is modified, and the principal is identified by its name only.
 *
 * @param session   a Jackrabbit session authorised to modify access control on
 *                  {@code path}
 * @param path      absolute path of an existing node
 * @param principal name of the principal (user or role) to deny
 * @param privilege JCR name of the privilege to deny, e.g. {@code jcr:all}
 * @throws RepositoryException if the privilege name is unknown to the
 *                             repository or the policy cannot be updated
 */
public synchronized static void denyPrivilege(Session session, String path, String principal, String privilege)
        throws RepositoryException {
    // resolve the privilege name first: an unknown name fails here, before any
    // access control state is touched
    Privilege resolved = session.getAccessControlManager().privilegeFromName(privilege);
    List<Privilege> single = new ArrayList<>(1);
    single.add(resolved);
    // Principal is used as a functional interface: only the name is carried
    Principal named = () -> principal;
    denyPrivileges(session, path, named, single);
}
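/**
 * Denies privileges on a path to a {@link Principal}. The path must already
 * exist. The session is saved. Synchronized (class monitor) to prevent
 * concurrent modifications through this class; it does not guard against
 * other sessions editing the same policy.
 * <p>
 * Side effects worth knowing before calling: {@code session.refresh(false)} is
 * invoked first, which discards any unsaved changes pending in
 * {@code session}; and a deny entry is appended to the existing policy without
 * checking for an equivalent entry, so repeated calls may accumulate entries
 * (any merging is left to {@link JackrabbitAccessControlList#addEntry}).
 *
 * @param session   a Jackrabbit session authorised to read and modify access
 *                  control on {@code path}
 * @param path      absolute path of an existing node
 * @param principal the principal (user or group) to deny; the access control
 *                  layer identifies it by name
 * @param privs     privileges to deny
 * @return {@code true} once the deny entry has been applied and the session
 *         saved
 * @throws RepositoryException  if the path does not exist, the policy cannot
 *                              be read or set, or the session cannot be saved
 * @throws ClassCastException   if the repository is not a Jackrabbit
 *                              implementation (see the casts below)
 * @throws NullPointerException if any argument is {@code null}
 */
public synchronized static Boolean denyPrivileges(Session session, String path, Principal principal,
        List<Privilege> privs) throws RepositoryException {
    Objects.requireNonNull(session, "session");
    Objects.requireNonNull(path, "path");
    Objects.requireNonNull(principal, "principal");
    Objects.requireNonNull(privs, "privs");

    // make sure the session is in line with the persisted state; this also
    // throws away any unsaved changes the caller left in the session
    session.refresh(false);
    JackrabbitAccessControlManager acm = (JackrabbitAccessControlManager) session.getAccessControlManager();
    JackrabbitAccessControlList acl = (JackrabbitAccessControlList) JcrUtils.getAccessControlList(acm, path);

    Privilege[] privileges = privs.toArray(new Privilege[0]);
    // isAllow = false: this is a deny entry
    acl.addEntry(principal, privileges, false);
    acm.setPolicy(path, acl);
    if (log.isDebugEnabled()) {
        log.debug("Denied privileges " + privilegeNames(privs) + " to " + principal.getName() + " on " + path
                + " in '" + session.getWorkspace().getName() + "'");
    }
    session.refresh(true);
    // NOTE(review): the tail of the original method is not visible in this
    // excerpt; its Javadoc states that the session is saved, so the save is
    // done here. Confirm against the full source.
    session.save();
    return true;
}

/**
 * Joins the privilege names with {@code ", "} for log output (the previous
 * message concatenated them without any separator).
 */
private static String privilegeNames(List<Privilege> privs) {
    StringBuilder buf = new StringBuilder();
    for (Privilege priv : privs) {
        if (buf.length() > 0) {
            buf.append(", ");
        }
        buf.append(priv.getName());
    }
    return buf.toString();
}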
77 private JackrabbitSecurityUtils() {