Examples of org.apache.jackrabbit.api.security.JackrabbitAccessControlList

• org.apache.jackrabbit.api.security.JackrabbitAccessControlList
  JackrabbitAccessControlList is an extension of the AccessControlList. Similar to the latter any modifications made will not take effect, until it is {@link javax.jcr.security.AccessControlManager#setPolicy(String,AccessControlPolicy) written back} and {@link javax.jcr.Session#save() saved}.

    @CheckForNull
    private JackrabbitAccessControlList createACL(@Nullable String oakPath,
                                                  @Nonnull Tree accessControlledTree,
                                                  boolean isEffectivePolicy) throws RepositoryException {
        JackrabbitAccessControlList acl = null;
        String aclName = Util.getAclName(oakPath);
        if (accessControlledTree.exists() && Util.isAccessControlled(oakPath, accessControlledTree, ntMgr)) {
            Tree aclTree = accessControlledTree.getChild(aclName);
            if (aclTree.exists()) {
                List<ACE> entries = new ArrayList<ACE>();

    @Test
    public void testReorderAndRemoveAces() throws Exception {
        createPrincipals();

        AccessControlManager acMgr = getAccessControlManager(root);
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, testPath);
        for (int i = 0; i < 4; i++) {
            acl.addAccessControlEntry(principals.get(i), privilegesFromNames(JCR_READ));
        }
        acMgr.setPolicy(testPath, acl);
        root.commit();

        AccessControlEntry[] aces = acl.getAccessControlEntries();
        acl.removeAccessControlEntry(aces[0]);
        acl.removeAccessControlEntry(aces[2]);
        acl.orderBefore(aces[4], null);
        acl.orderBefore(aces[3], aces[1]);
        acMgr.setPolicy(testPath, acl);
        root.commit();

        Tree entry = getEntry(EveryonePrincipal.NAME, testPath, 1);
        assertEquals(1, entry.getProperty(REP_INDEX).getValue(Type.LONG).longValue());

    }

    @Test
    public void testImplicitAceRemoval() throws Exception {
        AccessControlManager acMgr = getAccessControlManager(root);
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, testPath);
        acl.addAccessControlEntry(getTestPrincipal(), privilegesFromNames(JCR_READ, REP_WRITE));
        acMgr.setPolicy(testPath, acl);

        acl = AccessControlUtils.getAccessControlList(acMgr, childPath);
        acl.addAccessControlEntry(EveryonePrincipal.getInstance(), privilegesFromNames(JCR_READ));
        acMgr.setPolicy(childPath, acl);
        root.commit();

        assertTrue(root.getTree(childPath + "/rep:policy").exists());

    protected void setupPermission(@Nullable String path,
                                   @Nonnull Principal principal,
                                   boolean isAllow,
                                   @Nonnull String... privilegeNames) throws Exception {
      AccessControlManager acMgr = getAccessControlManager(root);
      JackrabbitAccessControlList acl = checkNotNull(AccessControlUtils.getAccessControlList(acMgr, path));
        acl.addEntry(principal, AccessControlUtils.privilegesFromNames(acMgr, privilegeNames), isAllow);
       acMgr.setPolicy(path, acl);

        root.commit();
    }

        }
    }

    private static void changeReadPermission(Principal principal, Node n, boolean allowRead) throws RepositoryException, NotExecutableException {
        SessionImpl s = (SessionImpl) n.getSession();
        JackrabbitAccessControlList acl = null;
        AccessControlManager acMgr = s.getAccessControlManager();
        AccessControlPolicyIterator it = acMgr.getApplicablePolicies(n.getPath());
        while (it.hasNext()) {
            AccessControlPolicy acp = it.nextAccessControlPolicy();
            if (acp instanceof JackrabbitAccessControlList) {
                acl = (JackrabbitAccessControlList) acp;
                break;
            }
        }
        if (acl == null) {
            AccessControlPolicy[] acps = acMgr.getPolicies(n.getPath());
            for (int i = 0; i < acps.length; i++) {
                if (acps[i] instanceof JackrabbitAccessControlList) {
                    acl = (JackrabbitAccessControlList) acps[i];
                    break;
                }
            }
        }

        if (acl != null) {
            acl.addEntry(principal, new Privilege[] {acMgr.privilegeFromName(Privilege.JCR_READ)}, allowRead);
            acMgr.setPolicy(n.getPath(), acl);
            s.save();
        } else {
            // no JackrabbitAccessControlList found.
            throw new NotExecutableException();

    protected JackrabbitAccessControlList modifyPrivileges(String path, String privilege, boolean isAllow) throws NotExecutableException, RepositoryException {
        return modifyPrivileges(path, testUser.getPrincipal(), privilegesFromName(privilege), isAllow, getRestrictions(superuser, path));
    }

    private JackrabbitAccessControlList modifyPrivileges(String path, Principal principal, Privilege[] privileges, boolean isAllow, Map restrictions) throws NotExecutableException, RepositoryException {
        JackrabbitAccessControlList tmpl = getPolicy(acMgr, path, principal);
        tmpl.addEntry(principal, privileges, isAllow, restrictions);

        acMgr.setPolicy(tmpl.getPath(), tmpl);
        superuser.save();

        // remember for clean up during teardown
        toClear.add(tmpl.getPath());
        return tmpl;
    }

        // give 'testUser' READ_AC|MODIFY_AC privileges at 'path'
        Privilege[] privileges = privilegesFromNames(new String[] {
                Privilege.JCR_READ_ACCESS_CONTROL,
                Privilege.JCR_MODIFY_ACCESS_CONTROL
        });
        JackrabbitAccessControlList tmpl = givePrivileges(path, privileges, getRestrictions(superuser, path));
        /*
         testuser must
         - still have the inherited READ permission.
         - must have permission to view AC items at 'path' (and below)
         - must have permission to modify AC items at 'path'

         testuser must not have
         - permission to view AC items outside of the tree defined by path.
        */

        // make sure the 'rep:policy' node has been created.
        assertTrue(superuser.itemExists(tmpl.getPath() + "/rep:policy"));

        Session testSession = getTestSession();
        AccessControlManager testAcMgr = getTestACManager();
        // test: MODIFY_AC granted at 'path'
        assertTrue(testAcMgr.hasPrivileges(path, privilegesFromName(Privilege.JCR_MODIFY_ACCESS_CONTROL)));

        PrivilegeRegistry privilegeRegistry = new PrivilegeRegistry(sImpl);
        return new ACLTemplate(path, princicipalMgr, privilegeRegistry, sImpl.getValueFactory());
    }

    public void testMultipleEntryEffect() throws RepositoryException, NotExecutableException {
        JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
        Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
        pt.addEntry(testPrincipal, privileges, true, Collections.EMPTY_MAP);

        // new entry extends privs.
        privileges = privilegesFromNames(new String[] {
                Privilege.JCR_READ,
                Privilege.JCR_ADD_CHILD_NODES});
        assertTrue(pt.addEntry(testPrincipal,
                privileges,
                true, Collections.EMPTY_MAP));

        // net-effect: only a single allow-entry with both privileges
        assertTrue(pt.size() == 1);
        assertSamePrivileges(privileges, pt.getAccessControlEntries()[0].getPrivileges());

        // adding just ADD_CHILD_NODES -> must not remove READ priv
        Privilege[] achPrivs = privilegesFromName(Privilege.JCR_ADD_CHILD_NODES);
        assertFalse(pt.addEntry(testPrincipal, achPrivs, true, Collections.EMPTY_MAP));
        // net-effect: only a single allow-entry with add_child_nodes + read priv
        assertTrue(pt.size() == 1);
        assertSamePrivileges(privileges, pt.getAccessControlEntries()[0].getPrivileges());

        // revoke the 'READ' privilege
        privileges = privilegesFromName(Privilege.JCR_READ);
        assertTrue(pt.addEntry(testPrincipal, privileges, false, Collections.EMPTY_MAP));
        // net-effect: 2 entries one allowing ADD_CHILD_NODES, the other denying READ
        assertTrue(pt.size() == 2);
        assertSamePrivileges(privilegesFromName(Privilege.JCR_ADD_CHILD_NODES),
                pt.getAccessControlEntries()[0].getPrivileges());
        assertSamePrivileges(privilegesFromName(Privilege.JCR_READ),
                pt.getAccessControlEntries()[1].getPrivileges());

        // remove the deny-READ entry
        pt.removeAccessControlEntry(pt.getAccessControlEntries()[1]);
        assertTrue(pt.size() == 1);
        assertSamePrivileges(privilegesFromName(Privilege.JCR_ADD_CHILD_NODES),
                pt.getAccessControlEntries()[0].getPrivileges());

        // remove the allow-ADD_CHILD_NODES entry
        pt.removeAccessControlEntry(pt.getAccessControlEntries()[0]);
        assertTrue(pt.isEmpty());
    }

        assertTrue(pt.isEmpty());
    }

    public void testMultipleEntryEffect2() throws RepositoryException, NotExecutableException {
        Privilege[] privileges = privilegesFromName(PrivilegeRegistry.REP_WRITE);
        JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
        pt.addAccessControlEntry(testPrincipal, privileges);

        // add deny entry for mod_props
        Privilege[] privileges2 = privilegesFromName(Privilege.JCR_MODIFY_PROPERTIES);
        assertTrue(pt.addEntry(testPrincipal, privileges2, false, null));

        // net-effect: 2 entries with the allow entry being adjusted
        assertTrue(pt.size() == 2);
        AccessControlEntry[] entries = pt.getAccessControlEntries();
        for (int i = 0; i < entries.length; i++) {
            ACLTemplate.Entry entry = (ACLTemplate.Entry) entries[i];
            int privs = entry.getPrivilegeBits();
            if (entry.isAllow()) {
                int bits = PrivilegeRegistry.getBits(privileges) ^ PrivilegeRegistry.getBits(privileges2);

        AccessControlManager testAcMgr = getTestACManager();
        checkReadOnly(path);

        // re-grant READ in order to have an ACL-node
        Privilege[] privileges = privilegesFromName(Privilege.JCR_READ);
        JackrabbitAccessControlList tmpl = givePrivileges(path, privileges, getRestrictions(superuser, path));
        // make sure the 'rep:policy' node has been created.
        assertTrue(superuser.itemExists(tmpl.getPath() + "/rep:policy"));

        Session testSession = getTestSession();
        /*
         Testuser must still have READ-only access only and must not be
         allowed to view the acl-node that has been created.
        */
        assertFalse(testAcMgr.hasPrivileges(path, privilegesFromName(Privilege.JCR_READ_ACCESS_CONTROL)));
        assertFalse(testSession.itemExists(path + "/rep:policy"));

        Node n = testSession.getNode(tmpl.getPath());
        assertFalse(n.hasNode("rep:policy"));
        try {
            n.getNode("rep:policy");
            fail("Accessing the rep:policy node must throw PathNotFoundException.");
        } catch (PathNotFoundException e) {