1 package org.argeo.jackrabbit.security;
2
3 import java.security.Principal;
4 import java.util.ArrayList;
5 import java.util.List;
6
7 import javax.jcr.RepositoryException;
8 import javax.jcr.Session;
9 import javax.jcr.security.Privilege;
10
11 import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
12 import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
13 import org.argeo.api.cms.CmsLog;
14 import org.argeo.jcr.JcrUtils;
15
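/**
 * Utilities around Jackrabbit security extensions.
 * <p>
 * Both public methods are {@code static synchronized}, so they are serialized
 * on this class' monitor. That only orders calls made through this class; it
 * does not coordinate with any other code that edits the same access control
 * list.
 */
public class JackrabbitSecurityUtils {
    private static final CmsLog log = CmsLog.getLog(JackrabbitSecurityUtils.class);

    /**
     * Convenience method for denying a single privilege to a principal (user or
     * role), typically jcr:all.
     * <p>
     * Delegates to {@link #denyPrivileges(Session, String, Principal, List)}, so
     * the same side effects apply: pending changes of the session are discarded
     * and the session is saved.
     *
     * @param session   the session used to resolve the privilege and to edit the
     *                  access control list
     * @param path      the path on which the privilege is denied
     * @param principal the name of the principal
     * @param privilege the privilege name, resolved with the access control
     *                  manager of the session
     * @throws RepositoryException if the repository rejects the privilege name
     *                             or the policy change
     */
    public static synchronized void denyPrivilege(Session session, String path, String principal, String privilege)
            throws RepositoryException {
        Privilege resolved = session.getAccessControlManager().privilegeFromName(privilege);
        List<Privilege> privileges = new ArrayList<>();
        privileges.add(resolved);
        // NOTE(review): this lambda only supplies getName(); its equals/hashCode
        // are identity-based. Confirm that the access control list resolves
        // principals by name.
        Principal namedPrincipal = () -> principal;
        denyPrivileges(session, path, namedPrincipal, privileges);
    }

    /**
     * Deny privileges on a path to a {@link Principal}. The path must already
     * exist. Synchronized to prevent concurrent modifications of the same node
     * through this class.
     * <p>
     * Side effects on the session: {@code session.refresh(false)} is called
     * first, which discards any pending (unsaved) changes of the caller, and the
     * session is saved at the end. Use a session with nothing pending.
     * <p>
     * The access control manager of the session and the policy returned by
     * {@code JcrUtils.getAccessControlList} are cast to their Jackrabbit types; a
     * {@link ClassCastException} is thrown if they are of another type.
     *
     * @param session   the session used to edit and persist the policy
     * @param path      the path whose access control list is modified
     * @param principal the principal to which the privileges are denied
     * @param privs     the privileges to deny
     * @return always {@code true}: the check that used to report an already
     *         existing identical entry with {@code false} is disabled
     * @throws RepositoryException if the policy cannot be read, modified or saved
     */
    public static synchronized Boolean denyPrivileges(Session session, String path, Principal principal,
            List<Privilege> privs) throws RepositoryException {
        // Copy first, so that a null list fails before the session is touched.
        Privilege[] privileges = privs.toArray(new Privilege[0]);

        // make sure the session is in line with the persisted state
        // (this drops whatever the caller had pending in this session)
        session.refresh(false);
        JackrabbitAccessControlManager acm = (JackrabbitAccessControlManager) session.getAccessControlManager();
        JackrabbitAccessControlList acl = (JackrabbitAccessControlList) JcrUtils.getAccessControlList(acm, path);

        // A former short-circuit compared the existing entries of this principal
        // with privs and returned false when they were identical. It is disabled:
        // the entry is always added and the policy always written.

        // Third argument is isAllow: false makes this a deny entry.
        acl.addEntry(principal, privileges, false);
        acm.setPolicy(path, acl);
        session.refresh(true);
        session.save();

        // Logged only after save(), so the message never reports a denial that
        // was not persisted.
        if (log.isDebugEnabled()) {
            List<String> names = new ArrayList<>();
            for (Privilege priv : privs) {
                names.add(priv.getName());
            }
            // Names are separated, otherwise adjacent privilege names run together.
            log.debug("Denied privileges " + String.join(", ", names) + " to " + principal.getName() + " on " + path
                    + " in '" + session.getWorkspace().getName() + "'");
        }
        return true;
    }

    /** Not instantiable: this class only holds static utility methods. */
    private JackrabbitSecurityUtils() {
    }
}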