Index: content/jcr_root/libs/commerce/src/core/src/main/java/com/adobe/cq/commerce/impl/AccessControlUtils.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- content/jcr_root/libs/commerce/src/core/src/main/java/com/adobe/cq/commerce/impl/AccessControlUtils.java	(revision )
+++ content/jcr_root/libs/commerce/src/core/src/main/java/com/adobe/cq/commerce/impl/AccessControlUtils.java	(revision )
@@ -0,0 +1,136 @@
+/*************************************************************************
+ *
+ * ADOBE CONFIDENTIAL
+ * __________________
+ *
+ *  Copyright 2012 Adobe Systems Incorporated
+ *  All Rights Reserved.
+ *
+ * NOTICE:  All information contained herein is, and remains
+ * the property of Adobe Systems Incorporated and its suppliers,
+ * if any.  The intellectual and technical concepts contained
+ * herein are proprietary to Adobe Systems Incorporated and its
+ * suppliers and are protected by trade secret or copyright law.
+ * Dissemination of this information or reproduction of this material
+ * is strictly forbidden unless prior written permission is obtained
+ * from Adobe Systems Incorporated.
+ **************************************************************************/
+
+package com.adobe.cq.commerce.impl;
+
+import java.security.Principal;
+
+import javax.jcr.AccessDeniedException;
+import javax.jcr.RepositoryException;
+import javax.jcr.security.AccessControlManager;
+import javax.jcr.security.AccessControlPolicy;
+import javax.jcr.security.AccessControlPolicyIterator;
+import javax.jcr.security.Privilege;
+
+import org.apache.jackrabbit.api.JackrabbitSession;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
+import org.apache.sling.api.SlingException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * A utility class providing calls which grant/deny privileges to a node in a repository which
+ * supports resource-based access control lists.
+ */
+
+public class AccessControlUtils {
+
+    private final static Logger log = LoggerFactory.getLogger(AccessControlUtils.class);
+
+    /**
+     * A utility method which adds an access control entry to a node's access control list.
+     * @param principal     the principal to grant/deny privileges to
+     * @param privileges    the privileges to grant or deny
+     * @param allow         true to grant
+     * @param path          the path to the node
+     * @param session       the active session
+     * @return              true if the node's ACL was modified
+     * @throws AccessDeniedException
+     */
+    public static boolean applyACE(Principal principal, Privilege[] privileges, boolean allow,
+                                   String path, JackrabbitSession session) throws AccessDeniedException {
+        try {
+            if (session.itemExists(path)) {
+                // Find the first applicable or specified ACL:
+                JackrabbitAccessControlList acl = null;
+
+                AccessControlManager acManager = session.getAccessControlManager();
+                AccessControlPolicyIterator app = acManager.getApplicablePolicies(path);
+                while (app.hasNext()) {
+                    AccessControlPolicy pol = app.nextAccessControlPolicy();
+                    if (pol instanceof JackrabbitAccessControlPolicy) {
+                        acl = (JackrabbitAccessControlList) pol;
+                        break;
+                    }
+                }
+                if (acl == null) {
+                    for (AccessControlPolicy pol : acManager.getPolicies(path)) {
+                        if (pol instanceof JackrabbitAccessControlPolicy) {
+                            acl = (JackrabbitAccessControlList) pol;
+                            break;
+                        }
+                    }
+                }
+
+                // Set a new ACE on it:
+                if (acl != null) {
+                    acl.addEntry(principal, privileges, allow);
+                    acManager.setPolicy(path, acl);
+                    session.save();
+                    return true;
+                }
+            }
+            return false;
+        } catch (RepositoryException e) {
+            throw new SlingException(e.getMessage(), e);
+        } finally {
+            // revert all pending changes in case of exception
+            try {
+                session.refresh(false);
+            } catch (RepositoryException e) {
+                log.error("Failed to revert pending changes.", e);
+            }
+        }
+    }
+
+    private static boolean applyAllToEveryone(boolean allow, String path, JackrabbitSession session) throws AccessDeniedException {
+        try {
+            Privilege[] all = new Privilege[] {session.getAccessControlManager().privilegeFromName(Privilege.JCR_ALL)};
+            Principal everyone = session.getPrincipalManager().getEveryone();
+            return applyACE(everyone, all, allow, path, session);
+        } catch (AccessDeniedException e) {
+            throw e;
+        } catch (Exception e) {
+            throw new SlingException(e.getMessage(), e);
+        }
+    }
+
+    /**
+     * A utility method which adds a "grant jcr:all jcr:everyone" entry to a node.
+     * @param path      the path to the node
+     * @param session   the active session
+     * @return          true if the node's access control list was modified
+     * @throws AccessDeniedException
+     */
+    public static boolean grantAllToEveryone(String path, JackrabbitSession session) throws AccessDeniedException {
+        return applyAllToEveryone(true, path, session);
+    }
+
+    /**
+     * A utility method which adds a "deny jcr:all jcr:everyone" entry to a node.
+     * @param path      the path to the node
+     * @param session   the active session
+     * @return          true if the node's access control list was modified
+     * @throws AccessDeniedException
+     */
+    public static boolean denyAllToEveryone(String path, JackrabbitSession session) throws AccessDeniedException {
+        return applyAllToEveryone(false, path, session);
+    }
+
+}
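Review bot: In applyACE the `catch (RepositoryException e)` also catches javax.jcr.AccessDeniedException, which is a RepositoryException subtype, so a permission failure from `setPolicy` or `save` reaches callers as a SlingException and the declared `throws AccessDeniedException` is never honoured for failures inside applyACE; add `catch (AccessDeniedException e) { throw e; }` ahead of the generic catch. Both policy loops test `pol instanceof JackrabbitAccessControlPolicy` but cast to JackrabbitAccessControlList, so a Jackrabbit policy that is not a list would raise an unhandled ClassCastException; test `pol instanceof JackrabbitAccessControlList` instead. The `finally` block calls `session.refresh(false)` on every path, not only on exception as its comment says, and `session.save()` commits whatever else is pending on the caller's session, so the helper can persist or discard unrelated transient changes. That contract belongs in the Javadoc, together with a statement that grantAllToEveryone writes an allow entry for jcr:all to the everyone principal and is only appropriate for nodes meant to be fully open.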
