1 package org.argeo.jackrabbit.security;
2
3 import java.security.Principal;
4 import java.util.ArrayList;
5 import java.util.List;
6
7 import javax.jcr.RepositoryException;
8 import javax.jcr.Session;
9 import javax.jcr.security.Privilege;
10
11 import org.apache.commons.logging.Log;
12 import org.apache.commons.logging.LogFactory;
13 import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
14 import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
15 import org.argeo.jcr.JcrUtils;
16
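/**
 * Utilities around Jackrabbit security extensions.
 * <p>
 * The helpers add <em>deny</em> access control entries to the policy bound to
 * an existing path and persist them immediately. Whether a deny entry takes
 * effect depends on how the repository evaluates it against the other entries
 * that apply to the same principal, so callers that rely on it as a security
 * boundary should verify the resulting permissions (for example with
 * {@code Session#hasPermission}) rather than assume them.
 */
public class JackrabbitSecurityUtils {
    private static final Log log = LogFactory.getLog(JackrabbitSecurityUtils.class);

    /**
     * Convenience method for denying a single privilege to a principal (user or
     * role), typically jcr:all.
     * <p>
     * The principal name is wrapped in a minimal {@link Principal} that only
     * provides {@link Principal#getName()}; it does not define
     * {@code equals}/{@code hashCode}.
     *
     * @param session   the session used to read and write the access control
     *                  policy; see {@link #denyPrivileges} for its side effects
     * @param path      absolute path of the (already existing) node
     * @param principal name of the user or role to restrict
     * @param privilege name of the privilege to deny, resolved through the
     *                  session's access control manager
     * @throws RepositoryException if the privilege name cannot be resolved or the
     *                             policy cannot be updated
     */
    public static synchronized void denyPrivilege(Session session, String path, String principal, String privilege)
            throws RepositoryException {
        List<Privilege> privileges = new ArrayList<>();
        privileges.add(session.getAccessControlManager().privilegeFromName(privilege));
        denyPrivileges(session, path, () -> principal, privileges);
    }

    /**
     * Deny privileges on a path to a {@link Principal}. The path must already
     * exist.
     * <p>
     * Side effects on the session: pending (unsaved) changes are <b>discarded</b>
     * by {@code refresh(false)} before the policy is read, and the session is
     * saved afterwards. Do not call this on a session that carries transient
     * changes which still need to be kept.
     * <p>
     * The method is synchronized on this class, which only serializes callers
     * going through this class in the same class loader; other writers to the
     * same node are not excluded.
     *
     * @param session   a session whose access control manager is a
     *                  {@link JackrabbitAccessControlManager}
     * @param path      absolute path of the (already existing) node
     * @param principal the user or role to restrict
     * @param privs     the privileges to deny
     * @return always {@code true}; the result of {@code addEntry} (whether the
     *         policy was actually modified) is not reported
     * @throws RepositoryException if the policy cannot be read, modified or saved
     */
    public static synchronized Boolean denyPrivileges(Session session, String path, Principal principal,
            List<Privilege> privs) throws RepositoryException {
        // Make sure the session is in line with the persisted state. This drops
        // any transient changes the caller had not saved yet.
        session.refresh(false);
        JackrabbitAccessControlManager acm = (JackrabbitAccessControlManager) session.getAccessControlManager();
        JackrabbitAccessControlList acl = (JackrabbitAccessControlList) JcrUtils.getAccessControlList(acm, path);

        // NOTE(review): an earlier version scanned acl.getAccessControlEntries()
        // and returned false when the principal already had an entry with the
        // same privileges (in the same order). That check is disabled, so the
        // deny entry is submitted on every call and the method never returns
        // false.

        Privilege[] privileges = privs.toArray(new Privilege[0]);
        // Third argument is isAllow: false makes this a deny entry.
        acl.addEntry(principal, privileges, false);
        acm.setPolicy(path, acl);
        if (log.isDebugEnabled()) {
            // Separate the names; they were previously concatenated into one
            // unreadable token (e.g. "jcr:readjcr:write").
            StringBuilder privBuf = new StringBuilder();
            for (Privilege priv : privs) {
                if (privBuf.length() > 0) {
                    privBuf.append(", ");
                }
                privBuf.append(priv.getName());
            }
            log.debug("Denied privileges " + privBuf + " to " + principal.getName() + " on " + path + " in '"
                    + session.getWorkspace().getName() + "'");
        }
        // Keep the policy change made above while picking up the latest
        // persisted state, then persist it.
        session.refresh(true);
        session.save();
        return true;
    }

    /** Utility class with static helpers only; not meant to be instantiated. */
    private JackrabbitSecurityUtils() {

    }
}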