1   package org.argeo.jackrabbit.security;
2   
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;

import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.Privilege;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.argeo.jcr.JcrUtils;
16  
17  /** Utilities around Jackrabbit security extensions. */
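public class JackrabbitSecurityUtils {
	private final static Log log = LogFactory.getLog(JackrabbitSecurityUtils.class);

	/**
	 * Convenience method for denying a single privilege (by name, typically
	 * {@code jcr:all}) to a principal identified by name (user or role).
	 *
	 * @param session   a session allowed to read and modify access control on
	 *                  {@code path}; any unsaved changes it holds are discarded,
	 *                  see {@link #denyPrivileges(Session, String, Principal, List)}
	 * @param path      absolute path of an already existing node
	 * @param principal name of the principal the privilege is denied to; must not
	 *                  be {@code null}
	 * @param privilege JCR privilege name, e.g. {@code jcr:all}
	 * @throws RepositoryException if the privilege name is unknown to the
	 *                             repository or the policy cannot be read or written
	 */
	public synchronized static void denyPrivilege(Session session, String path, String principal, String privilege)
			throws RepositoryException {
		Objects.requireNonNull(principal, "principal");
		List<Privilege> privileges = new ArrayList<>();
		privileges.add(session.getAccessControlManager().privilegeFromName(privilege));
		// Principal's only abstract method is getName(), so a lambda is a valid entry principal.
		denyPrivileges(session, path, () -> principal, privileges);
	}

	/**
	 * Denies {@code privs} on {@code path} to {@code principal} by adding a deny
	 * entry to the node's access control list and saving the session.
	 * <p>
	 * The node at {@code path} must already exist. The session is first refreshed
	 * with {@code keepChanges=false}, so <b>any unsaved changes pending on the
	 * session are discarded</b> before the ACL is modified. No check is made for an
	 * already present equivalent entry; whether such duplicates are merged or
	 * rejected is left to the repository's ACL implementation. Synchronized on this
	 * class to prevent concurrent modifications of the same node from within this
	 * JVM (it does not protect against other JVMs sharing the repository).
	 *
	 * @param session   a session allowed to read and modify access control on
	 *                  {@code path}
	 * @param path      absolute path of an already existing node
	 * @param principal principal the privileges are denied to; must not be
	 *                  {@code null}
	 * @param privs     privileges to deny; must not be {@code null}
	 * @return always {@code true} in the current implementation
	 * @throws RepositoryException if the policy cannot be read, modified or saved
	 */
	public synchronized static Boolean denyPrivileges(Session session, String path, Principal principal,
			List<Privilege> privs) throws RepositoryException {
		Objects.requireNonNull(principal, "principal");
		Objects.requireNonNull(privs, "privs");
		// Align the session with the persisted state; pending changes are dropped on purpose.
		session.refresh(false);
		JackrabbitAccessControlManager acm = (JackrabbitAccessControlManager) session.getAccessControlManager();
		// NOTE(review): assumes JcrUtils returns a non-null Jackrabbit ACL for an existing path — confirm.
		JackrabbitAccessControlList acl = (JackrabbitAccessControlList) JcrUtils.getAccessControlList(acm, path);

		Privilege[] privileges = privs.toArray(new Privilege[0]);
		// isAllow == false: this is a deny entry.
		acl.addEntry(principal, privileges, false);
		acm.setPolicy(path, acl);
		if (log.isDebugEnabled()) {
			// Separate the names so the audit line stays unambiguous with several privileges.
			StringBuilder privBuf = new StringBuilder();
			for (Privilege priv : privs) {
				if (privBuf.length() > 0)
					privBuf.append(", ");
				privBuf.append(priv.getName());
			}
			log.debug("Denied privileges " + privBuf + " to " + principal.getName() + " on " + path + " in '"
					+ session.getWorkspace().getName() + "'");
		}
		// keepChanges == true: pick up concurrently persisted changes without losing the pending ACL change.
		session.refresh(true);
		session.save();
		return true;
	}

	/** Utility class, not meant to be instantiated. */
	private JackrabbitSecurityUtils() {

	}
}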
80  }