X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=jcr%2Forg.argeo.cms.jcr%2Fsrc%2Forg%2Fargeo%2Fjackrabbit%2Fsecurity%2FJackrabbitSecurityUtils.java;fp=jcr%2Forg.argeo.cms.jcr%2Fsrc%2Forg%2Fargeo%2Fjackrabbit%2Fsecurity%2FJackrabbitSecurityUtils.java;h=f98cf99473a115f2a7561ded2d83d970be5897d5;hb=8282011b0e20e80704b209ad55fa9fb132e16280;hp=0000000000000000000000000000000000000000;hpb=633a8acd189cc22f06944d278879601189be1bc8;p=lgpl%2Fargeo-commons.git
diff --git a/jcr/org.argeo.cms.jcr/src/org/argeo/jackrabbit/security/JackrabbitSecurityUtils.java b/jcr/org.argeo.cms.jcr/src/org/argeo/jackrabbit/security/JackrabbitSecurityUtils.java
new file mode 100644
index 000000000..f98cf9947
--- /dev/null
+++ b/jcr/org.argeo.cms.jcr/src/org/argeo/jackrabbit/security/JackrabbitSecurityUtils.java
@@ -0,0 +1,79 @@
+package org.argeo.jackrabbit.security;
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.jcr.RepositoryException;
+import javax.jcr.Session;
+import javax.jcr.security.Privilege;
+
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
+import org.argeo.api.cms.CmsLog;
+import org.argeo.jcr.JcrUtils;
+
+/** Utilities around Jackrabbit security extensions. */
+public class JackrabbitSecurityUtils {
+ private final static CmsLog log = CmsLog.getLog(JackrabbitSecurityUtils.class);
+
+ /**
+ * Convenience method for denying a single privilege to a principal (user or
+ * role), typically jcr:all
+ */
+ public synchronized static void denyPrivilege(Session session, String path, String principal, String privilege)
+ throws RepositoryException {
+ List privileges = new ArrayList();
+ privileges.add(session.getAccessControlManager().privilegeFromName(privilege));
+ denyPrivileges(session, path, () -> principal, privileges);
+ }
+
+ /**
+ * Deny privileges on a path to a {@link Principal}. The path must already
+ * exist. Session is saved. Synchronized to prevent concurrent modifications of
+ * the same node.
+ */
+ public synchronized static Boolean denyPrivileges(Session session, String path, Principal principal,
+ List privs) throws RepositoryException {
+ // make sure the session is in line with the persisted state
+ session.refresh(false);
+ JackrabbitAccessControlManager acm = (JackrabbitAccessControlManager) session.getAccessControlManager();
+ JackrabbitAccessControlList acl = (JackrabbitAccessControlList) JcrUtils.getAccessControlList(acm, path);
+
+// accessControlEntries: for (AccessControlEntry ace : acl.getAccessControlEntries()) {
+// Principal currentPrincipal = ace.getPrincipal();
+// if (currentPrincipal.getName().equals(principal.getName())) {
+// Privilege[] currentPrivileges = ace.getPrivileges();
+// if (currentPrivileges.length != privs.size())
+// break accessControlEntries;
+// for (int i = 0; i < currentPrivileges.length; i++) {
+// Privilege currP = currentPrivileges[i];
+// Privilege p = privs.get(i);
+// if (!currP.getName().equals(p.getName())) {
+// break accessControlEntries;
+// }
+// }
+// return false;
+// }
+// }
+
+ Privilege[] privileges = privs.toArray(new Privilege[privs.size()]);
+ acl.addEntry(principal, privileges, false);
+ acm.setPolicy(path, acl);
+ if (log.isDebugEnabled()) {
+ StringBuffer privBuf = new StringBuffer();
+ for (Privilege priv : privs)
+ privBuf.append(priv.getName());
+ log.debug("Denied privileges " + privBuf + " to " + principal.getName() + " on " + path + " in '"
+ + session.getWorkspace().getName() + "'");
+ }
+ session.refresh(true);
+ session.save();
+ return true;
+ }
+
+ /** Singleton. */
+ private JackrabbitSecurityUtils() {
+
+ }
+}
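Review bot: `session.refresh(false)` at the top of denyPrivileges discards any transient changes the caller still has pending on that session, and the Javadoc ("Session is saved") does not say so; add `* Any unsaved changes pending in the session are discarded before the ACL is modified.` to that Javadoc, or check `session.hasPendingChanges()` first and throw rather than silently dropping them. The method is declared to return `Boolean` but its only return is `return true;`, because the duplicate-entry check that would have returned `false` is left commented out, so callers cannot tell whether an entry was actually added; either restore that check or make the method `void` and delete the dead block. In the debug message the privilege names are appended with no separator, so two privileges log as one run-together string; `privBuf.append(priv.getName()).append(' ')` keeps the log readable, and a `StringBuilder` would do instead of the synchronized `StringBuffer`. The `Principal` handed over by denyPrivilege is a bare lambda with no equals/hashCode, which may matter if the ACL implementation compares principals by object rather than by name — worth confirming against the Jackrabbit version in use.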