1 package org
.argeo
.jackrabbit
.security
;
3 import java
.security
.Principal
;
4 import java
.util
.ArrayList
;
7 import javax
.jcr
.RepositoryException
;
8 import javax
.jcr
.Session
;
9 import javax
.jcr
.security
.Privilege
;
11 import org
.apache
.jackrabbit
.api
.security
.JackrabbitAccessControlList
;
12 import org
.apache
.jackrabbit
.api
.security
.JackrabbitAccessControlManager
;
13 import org
.argeo
.api
.cms
.CmsLog
;
14 import org
.argeo
.jcr
.JcrUtils
;
16 /** Utilities around Jackrabbit security extensions. */
17 public class JackrabbitSecurityUtils
{
/** Logger for this utility class, obtained through the project's logging facade. */
private static final CmsLog log = CmsLog.getLog(JackrabbitSecurityUtils.class);
/**
 * Convenience wrapper around {@link #denyPrivileges(Session, String, Principal, List)}
 * that denies one privilege, given by its JCR name (typically {@code jcr:all}), to a
 * single principal (a user or a role) on {@code path}.
 *
 * @param session   session whose access control manager resolves the privilege name and
 *                  applies the resulting policy
 * @param path      absolute path of the existing node whose ACL is modified
 * @param principal name of the principal the privilege is denied to
 * @param privilege JCR name of the privilege to deny
 * @throws RepositoryException if the privilege name cannot be resolved or the policy cannot
 *                             be applied
 */
public static synchronized void denyPrivilege(Session session, String path, String principal,
        String privilege) throws RepositoryException {
    // Resolve the name through the session's own access control manager.
    Privilege resolved = session.getAccessControlManager().privilegeFromName(privilege);
    List<Privilege> single = new ArrayList<>();
    single.add(resolved);
    // Only the principal's name is known here; wrap it in a minimal Principal.
    Principal byName = () -> principal;
    denyPrivileges(session, path, byName, single);
}
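/**
 * Denies {@code privs} to {@code principal} on the node at {@code path} by appending a deny
 * entry to that node's Jackrabbit access control list and setting the policy back on the
 * node. The node must already exist. Pending, unsaved changes of {@code session} are
 * discarded first so that the ACL is modified against the persisted state. Synchronized
 * (on this class) so that concurrent callers do not race on the same ACL.
 *
 * @param session   session used to read and set the policy; it must be allowed to modify
 *                  access control on {@code path}
 * @param path      absolute path of the existing node whose ACL is modified
 * @param principal principal the privileges are denied to
 * @param privs     privileges to deny; no check is made for an already existing entry for
 *                  this principal, a deny entry is always appended. An empty list is passed
 *                  through to the ACL implementation unchanged.
 * @return {@code true} once the policy has been set (see the note at the end of the method)
 * @throws RepositoryException if the node does not exist, the session may not modify its
 *                             access control, or the policy cannot be set
 */
public static synchronized Boolean denyPrivileges(Session session, String path, Principal principal,
        List<Privilege> privs) throws RepositoryException {
    // Discard pending changes so the ACL read below reflects what is actually persisted.
    session.refresh(false);
    JackrabbitAccessControlManager acm = (JackrabbitAccessControlManager) session.getAccessControlManager();
    JackrabbitAccessControlList acl = (JackrabbitAccessControlList) JcrUtils.getAccessControlList(acm, path);

    // NOTE(review): the entry is appended at the end of the ACL; Jackrabbit takes entry order into
    // account when evaluating a policy, so confirm that appending yields the intended precedence.
    Privilege[] privileges = privs.toArray(new Privilege[0]);
    acl.addEntry(principal, privileges, false); // isAllow = false: this is a deny entry
    acm.setPolicy(path, acl);

    if (log.isDebugEnabled()) {
        // Separate the names so the line reads "jcr:read, jcr:write" rather than "jcr:readjcr:write".
        StringBuilder names = new StringBuilder();
        for (Privilege priv : privs) {
            if (names.length() > 0) {
                names.append(", ");
            }
            names.append(priv.getName());
        }
        log.debug("Denied privileges " + names + " to " + principal.getName() + " on " + path + " in '"
                + session.getWorkspace().getName() + "'");
    }
    session.refresh(true);
    // NOTE(review): the trailing lines of the original method were not part of the listing reviewed;
    // it is assumed to end with 'return true'. Confirm whether a session.save() belongs here or is
    // left to the caller: a policy set through setPolicy() is transient until the session is saved,
    // and until then the deny entry is not in effect for other sessions.
    return true;
}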
76 private JackrabbitSecurityUtils() {