/**
* @see org.apache.jackrabbit.api.security.JackrabbitAccessControlManager#getPolicies(Principal)
*/
@Override
public JackrabbitAccessControlPolicy[] getPolicies(Principal principal)
throws AccessDeniedException, AccessControlException, UnsupportedRepositoryOperationException,
RepositoryException {
checkInitialized();
if (editor == null) {
throw new UnsupportedRepositoryOperationException(
"Editing of access control policies is not supported.");
}
return editor.getPolicies(principal);
}
/**
* Set-up minimal permissions for the workspace:
*
* <ul>
* <li>'adminstrators' principal -> all privileges
* <li>'everyone' -> read privilege
* </ul>
*
* @param session to the workspace to set-up initial ACL to
* @param editor for the specified session.
* @throws RepositoryException If an error occurs.
*/
private static void initRootACL(SessionImpl session, AccessControlEditor editor)
throws RepositoryException {
try {
log.debug("Install initial ACL:...");
String rootPath = session.getRootNode().getPath();
AccessControlPolicy[] acls = editor.editAccessControlPolicies(rootPath);
if (acls.length > 0) {
ACLTemplate acl = (ACLTemplate) acls[0];
PrincipalManager pMgr = session.getPrincipalManager();
AccessControlManager acMgr = session.getAccessControlManager();
String pName = SecurityConstants.ADMINISTRATORS_NAME;
if (pMgr.hasPrincipal(pName)) {
Principal administrators = pMgr.getPrincipal(pName);
log.debug("... Privilege.ALL for administrators.");
Privilege[] privs = new Privilege[] {acMgr.privilegeFromName(Privilege.JCR_ALL)};
acl.addAccessControlEntry(administrators, privs);
} else {
log.info(
"Administrators principal group is missing -> omitting initialization of default permissions.");
}
Principal everyone = pMgr.getEveryone();
log.debug("... Privilege.READ for everyone.");
Privilege[] privs = new Privilege[] {acMgr.privilegeFromName(Privilege.JCR_READ)};
acl.addAccessControlEntry(everyone, privs);
editor.setPolicy(rootPath, acl);
session.save();
} else {
log.info(
"No applicable ACL available for the root node -> skip initialization of the root node's ACL.");
}
} catch (RepositoryException e) {
log.error(
"Failed to set-up minimal access control for root node of workspace "
+ session.getWorkspace().getName());
session.getRootNode().refresh(false);
}
}
/** @see javax.jcr.security.AccessControlManager#removePolicy(String, AccessControlPolicy) */
@Override
public void removePolicy(String absPath, AccessControlPolicy policy)
throws PathNotFoundException, AccessControlException, AccessDeniedException,
RepositoryException {
checkInitialized();
checkPermission(absPath, Permission.MODIFY_AC);
if (editor == null) {
throw new UnsupportedRepositoryOperationException(
"Removal of AccessControlPolicies is not supported.");
}
editor.removePolicy(absPath, policy);
}
/** @see javax.jcr.security.AccessControlManager#getPolicies(String) */
@Override
public AccessControlPolicy[] getPolicies(String absPath)
throws PathNotFoundException, AccessDeniedException, RepositoryException {
checkInitialized();
checkPermission(absPath, Permission.READ_AC);
AccessControlPolicy[] policies;
if (editor != null) {
policies = editor.getPolicies(absPath);
} else {
policies = new AccessControlPolicy[0];
}
return policies;
}
/** @see javax.jcr.security.AccessControlManager#getApplicablePolicies(String) */
@Override
public AccessControlPolicyIterator getApplicablePolicies(String absPath)
throws PathNotFoundException, AccessDeniedException, RepositoryException {
checkInitialized();
checkPermission(absPath, Permission.READ_AC);
if (editor != null) {
try {
AccessControlPolicy[] applicable = editor.editAccessControlPolicies(absPath);
return new AccessControlPolicyIteratorAdapter(Arrays.asList(applicable));
} catch (AccessControlException e) {
log.debug("No applicable policy at " + absPath);
}
}
// no applicable policies -> return empty iterator.
return AccessControlPolicyIteratorAdapter.EMPTY;
}
