Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java (revision 1845407) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java (revision ) @@ -16,8 +16,6 @@ */ package org.apache.jackrabbit.oak.security.authorization.accesscontrol; -import static com.google.common.base.Preconditions.checkNotNull; - import java.security.Principal; import java.text.ParseException; import java.util.ArrayList; @@ -29,7 +27,6 @@ import java.util.List; import java.util.Map; import java.util.Set; - import javax.jcr.AccessDeniedException; import javax.jcr.RepositoryException; import javax.jcr.UnsupportedRepositoryOperationException; @@ -70,6 +67,7 @@ import org.apache.jackrabbit.oak.namepath.NamePathMapper; import org.apache.jackrabbit.oak.plugins.memory.PropertyBuilder; import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager; +import org.apache.jackrabbit.oak.plugins.tree.TreeUtil; import org.apache.jackrabbit.oak.security.authorization.permission.PermissionUtil; import org.apache.jackrabbit.oak.security.authorization.restriction.PrincipalRestrictionProvider; import org.apache.jackrabbit.oak.spi.query.QueryConstants; @@ -88,7 +86,6 @@ import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits; import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider; import org.apache.jackrabbit.oak.spi.xml.ImportBehavior; -import org.apache.jackrabbit.oak.plugins.tree.TreeUtil; import org.apache.jackrabbit.util.ISO9075; import org.apache.jackrabbit.util.Text; import org.jetbrains.annotations.NotNull; @@ -96,6 +93,8 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import static com.google.common.base.Preconditions.checkNotNull; + /** * Default implementation of the {@code JackrabbitAccessControlManager} interface. * This implementation covers both editing access control content by path and @@ -592,12 +591,7 @@ @NotNull private Principal getPrincipal(@NotNull Tree aceTree) { String principalName = checkNotNull(TreeUtil.getString(aceTree, REP_PRINCIPAL_NAME)); - Principal principal = principalManager.getPrincipal(principalName); - if (principal == null) { - log.debug("Unknown principal " + principalName); - principal = new PrincipalImpl(principalName); - } - return principal; + return new PrincipalImpl(principalName); } private String getNodePath(ACE principalBasedAce) throws RepositoryException { Index: oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AccessControlImporterTest.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AccessControlImporterTest.java (revision 1845407) +++ oak-jcr/src/test/java/org/apache/jackrabbit/oak/jcr/security/authorization/AccessControlImporterTest.java (revision ) @@ -325,7 +325,7 @@ assertEquals(1, entries.length); AccessControlEntry entry = entries[0]; - assertEquals(EveryonePrincipal.getInstance(), entry.getPrincipal()); + assertEquals(EveryonePrincipal.getInstance().getName(), entry.getPrincipal().getName()); List privs = Arrays.asList(entry.getPrivileges()); assertEquals(1, privs.size()); assertEquals(acMgr.privilegeFromName(Privilege.JCR_WRITE), entry.getPrivileges()[0]); Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java (revision 1845407) +++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/Util.java (revision ) @@ -55,18 +55,22 @@ if (name == null || name.isEmpty()) { throw new AccessControlException("Invalid principal " + name); } + + if (importBehavior == ImportBehavior.BESTEFFORT) { + return true; + } else { - if (!(principal instanceof PrincipalImpl) && !principalManager.hasPrincipal(name)) { - switch (importBehavior) { - case ImportBehavior.ABORT: - throw new AccessControlException("Unknown principal " + name); - case ImportBehavior.IGNORE: - return false; + if (!(principal instanceof PrincipalImpl) && !principalManager.hasPrincipal(name)) { + switch (importBehavior) { + case ImportBehavior.ABORT: + throw new AccessControlException("Unknown principal " + name); + case ImportBehavior.IGNORE: + return false; - case ImportBehavior.BESTEFFORT: - return true; - default: throw new IllegalArgumentException("Invalid import behavior " + importBehavior); + default: + throw new IllegalArgumentException("Invalid import behavior " + importBehavior); - } - } - return true; + } + } + return true; + } } public static void checkValidPrincipals(@Nullable Set principals,