Package org.jets3t.service.acl

Examples of org.jets3t.service.acl.AccessControlList


        public void startElement(String uri, String name, String qName, Attributes attrs) {
            if (name.equals("Owner")) {
                owner = new S3Owner();
            } else if (name.equals("AccessControlList")) {
                accessControlList = new AccessControlList();
                accessControlList.setOwner(owner);
                insideACL = true;
            } else if (name.equals("Grantee")) {
                if ("AmazonCustomerByEmail".equals(attrs.getValue("xsi:type"))) {
                    currentGrantee = new EmailAddressGrantee();


        // Create a bucket whose name is the value of getAccessKey() plus a ".publicBucket" suffix.
        // NOTE(review): that value ends up in a bucket name which is made publicly listable and
        // is printed in a URL below. Presumably it is the access key ID rather than the secret,
        // but it is still an account identifier -- confirm this is acceptable outside sample code.
        S3Bucket publicBucket = new S3Bucket(awsCredentials.getAccessKey() + ".publicBucket");
        s3Service.createBucket(publicBucket);

        // Retrieve the bucket's ACL and modify it to grant public access,
        // i.e. READ access to the ALL_USERS group. The grant is added on top of whatever
        // the retrieved ACL already contains; nothing is removed from it here.
        AccessControlList bucketAcl = s3Service.getBucketAcl(publicBucket);
        bucketAcl.grantPermission(GroupGrantee.ALL_USERS, Permission.PERMISSION_READ);

        // Update the bucket's ACL. Now anyone can view the list of objects in this bucket,
        // without authenticating, so every key name stored in it is disclosed.
        // The links printed in this sample use plain http://.
        publicBucket.setAcl(bucketAcl);
        s3Service.putBucketAcl(publicBucket);
        System.out.println("View bucket's object listing here: http://s3.amazonaws.com/"
            + publicBucket.getName());

        // Now let's create an object that is public from scratch. Note that we reuse the bucket's
        // public ACL object created above, which works fine. Although it is possible to create an
        // AccessControlList object from scratch, this is more involved as you need to set the
        // ACL's Owner information, which is only readily available from an existing ACL.
        // Because bucketAcl now carries the ALL_USERS READ grant, the object receives it too.

        // Create a public object in S3. Anyone can download this object.
        S3Object publicObject = new S3Object(
            publicBucket, "publicObject.txt", "This object is public");
        publicObject.setAcl(bucketAcl);
        s3Service.putObject(publicBucket, publicObject);
        System.out.println("View public object contents here: http://s3.amazonaws.com/"
            + publicBucket.getName() + "/" + publicObject.getKey());

        // The ALL_USERS Group is particularly useful, but there are also other grantee types
        // that can be used with AccessControlList. Please see Amazon's S3 technical documentation
        // for a fuller discussion of these settings.

        // This ACL is built from scratch: no owner is set on it and, in the lines shown here,
        // it is not applied to any bucket or object.
        AccessControlList acl = new AccessControlList();

        // Grant access by email address. Note that this only works for email addresses of
        // AWS S3 members. In S3, FULL_CONTROL covers READ, WRITE, READ_ACP and WRITE_ACP, so
        // the grantee can also change the ACL itself; grant it only where that is intended.
        acl.grantPermission(new EmailAddressGrantee("someone@somewhere.com"),
            Permission.PERMISSION_FULL_CONTROL);

        // Grant control of ACL settings to a known AWS S3 member. READ_ACP lets the grantee
        // read the ACL; WRITE_ACP lets the grantee replace it, which allows them to give
        // themselves or anyone else any other permission on the resource.
        acl.grantPermission(new CanonicalGrantee("AWS member's ID"),
            Permission.PERMISSION_READ_ACP);
        acl.grantPermission(new CanonicalGrantee("AWS member's ID"),
            Permission.PERMISSION_WRITE_ACP);
       
    
        /*
         * Temporarily make an Object available to anyone

    /**
     * Populates the local {@link #updatedAccessControlList} variable with ACL
     * details set by the user in the GUI elements.
     */
  private void updateAccessControlList() {
    updatedAccessControlList = new AccessControlList();
    updatedAccessControlList.setOwner(originalAccessControlList.getOwner());
   
    for (int i = 0; i < canonicalGranteeTable.getRowCount(); i++) {
      GranteeInterface grantee = canonicalGranteeTableModel.getGrantee(i);
      Permission permission = canonicalGranteeTableModel.getPermission(i);

     * @param args
     * @throws Exception
   */
  public static void main(String[] args) throws Exception {
    // Manual harness for the dialog: assemble a sample ACL in memory, then keep showing
    // the dialog and print the XML form of each ACL it returns. Nothing in this method
    // sends the ACL to a service, so the broad group grants below are local test data only.
    AccessControlList sampleAcl = new AccessControlList();
    S3Owner sampleOwner = new S3Owner("1234567890", "Some Name");
    sampleAcl.setOwner(sampleOwner);

    // Three canonical grantees; only the second one carries a display name.
    CanonicalGrantee writeGrantee = new CanonicalGrantee();
    writeGrantee.setIdentifier("zzz");
    sampleAcl.grantPermission(writeGrantee, Permission.PERMISSION_WRITE);

    CanonicalGrantee namedGrantee = new CanonicalGrantee();
    namedGrantee.setIdentifier("abc");
    namedGrantee.setDisplayName("jamesmurty");
    sampleAcl.grantPermission(namedGrantee, Permission.PERMISSION_FULL_CONTROL);

    CanonicalGrantee readGrantee = new CanonicalGrantee();
    readGrantee.setIdentifier("aaa");
    sampleAcl.grantPermission(readGrantee, Permission.PERMISSION_READ);

    // Group grantees.
    sampleAcl.grantPermission(GroupGrantee.ALL_USERS, Permission.PERMISSION_READ);
    sampleAcl.grantPermission(GroupGrantee.AUTHENTICATED_USERS, Permission.PERMISSION_WRITE);

    // Email-address grantees.
    EmailAddressGrantee emailReader = new EmailAddressGrantee();
    emailReader.setIdentifier("james@test.com");
    sampleAcl.grantPermission(emailReader, Permission.PERMISSION_READ);

    EmailAddressGrantee emailController = new EmailAddressGrantee();
    emailController.setIdentifier("james@test2.com");
    sampleAcl.grantPermission(emailController, Permission.PERMISSION_FULL_CONTROL);

    JFrame ownerFrame = new JFrame("Cockpit");
    S3Bucket sampleBucket = new S3Bucket();
    sampleBucket.setName("SomeReallyLongAndWackyBucketNamePath.HereItIs");

    // Feed each returned ACL back into the next dialog; stop once showDialog returns null.
    AccessControlList shownAcl = sampleAcl;
    for (;;) {
      shownAcl = AccessControlDialog.showDialog(
          ownerFrame, new S3Bucket[] {sampleBucket}, shownAcl, null);
      if (shownAcl == null) {
        break;
      }
      System.out.println(shownAcl.toXml());
    }

    ownerFrame.dispose();
  }

                    dialog.setVisible(true);
                   
                    // Update ACL setting.
                    S3Object minimalObject = new S3Object(object.getKey());
   
                    AccessControlList newAcl = (dialog.isPublicAclSet()
                        ? AccessControlList.REST_CANNED_PUBLIC_READ
                        : AccessControlList.REST_CANNED_PRIVATE);
                   
                    if (newAcl != null) {
                        if (AccessControlList.REST_CANNED_PRIVATE.equals(newAcl)) {                                   

     * @throws S3ServiceException
     */
    private AccessControlList convertAccessControlTypes(AccessControlPolicy policy)
        throws S3ServiceException
    {
        // Builds a JetS3t AccessControlList from the given policy: the owner is copied via
        // convertOwner, and each Grant is re-expressed with the matching JetS3t grantee type.
        AccessControlList acl = new AccessControlList();
        acl.setOwner(convertOwner(policy.getOwner()));

        Grant[] grants = policy.getAccessControlList();
        for (int i = 0; i < grants.length; i++) {
            Grant grant = (Grant) grants[i];
            // The permission is round-tripped through its string form.
            // NOTE(review): parsePermission's behaviour for an unrecognised string is not
            // visible here -- confirm it cannot hand back a null permission that is then granted.
            org.jets3t.service.acl.Permission permission =
                org.jets3t.service.acl.Permission.parsePermission(grant.getPermission().toString());

            Grantee grantee = grant.getGrantee();
            if (grantee instanceof Group) {
                // Group grantee: identified by the group's URI.
                GroupGrantee jets3tGrantee = new GroupGrantee();
                jets3tGrantee.setIdentifier(((Group)grantee).getURI());
                acl.grantPermission(jets3tGrantee, permission);
            } else if (grantee instanceof CanonicalUser) {
                // Canonical user: carries both the ID and the display name across.
                CanonicalUser canonicalUser = (CanonicalUser) grantee;
                CanonicalGrantee jets3tGrantee = new CanonicalGrantee();
                jets3tGrantee.setIdentifier(canonicalUser.getID());
                jets3tGrantee.setDisplayName(canonicalUser.getDisplayName());
                acl.grantPermission(jets3tGrantee, permission);
            } else if (grantee instanceof AmazonCustomerByEmail) {
                // Email grantee: identified by the customer's email address.
                AmazonCustomerByEmail customerByEmail = (AmazonCustomerByEmail) grantee;
                EmailAddressGrantee jets3tGrantee = new EmailAddressGrantee();
                jets3tGrantee.setIdentifier(customerByEmail.getEmailAddress());
                acl.grantPermission(jets3tGrantee, permission);
            } else {
                // Fail closed: an unknown grantee type aborts the conversion instead of being
                // dropped silently, so the returned ACL never omits a grant without notice.
                throw new S3ServiceException("Unrecognised grantee type: " + grantee.getClass());
            }
        }
        return acl;

            // Display grants table: make it visible, empty its model, then add one row per
            // grant in the bucket's ACL.
            grantsTable.setVisible(true);
            // Remove the first row repeatedly until the model reports no rows.
            while (grantsTableModel.getRowCount() > 0) {
                grantsTableModel.removeRow(0);
            }
            // NOTE(review): assumes bucket.getAcl() is non-null at this point -- confirm the
            // caller has already populated the bucket's ACL, otherwise getGrants() will fail.
            AccessControlList acl = bucket.getAcl();
            Iterator iter = acl.getGrants().iterator();
            while (iter.hasNext()) {
                GrantAndPermission gap = (GrantAndPermission) iter.next();
                // Row columns: grantee identifier, then the permission's string form.
                grantsTableModel.addRow(new Object[] {
                    gap.getGrantee().getIdentifier(), gap.getPermission().toString()});
            }

        public void startElement(String uri, String name, String qName, Attributes attrs) {
            if (name.equals("Owner")) {
                owner = new S3Owner();
            } else if (name.equals("AccessControlList")) {
                accessControlList = new AccessControlList();
                accessControlList.setOwner(owner);
                insideACL = true;
            } else if (name.equals("Grantee")) {
                if ("AmazonCustomerByEmail".equals(attrs.getValue("xsi:type"))) {
                    currentGrantee = new EmailAddressGrantee();

          }
            boolean isSetLoggingGroupWrite = false;
            boolean isSetLoggingGroupReadACP = false;
            String groupIdentifier = GroupGrantee.LOG_DELIVERY.getIdentifier();
           
            AccessControlList logBucketACL = getBucketAcl(status.getTargetBucketName());
           
            Iterator grantIter = logBucketACL.getGrants().iterator();
            while (grantIter.hasNext()) {
                GrantAndPermission gap = (GrantAndPermission) grantIter.next();
               
                if (groupIdentifier.equals(gap.getGrantee().getIdentifier())) {
                    // Found a Group Grantee.                   
                    if (gap.getPermission().equals(Permission.PERMISSION_WRITE)) {
                        isSetLoggingGroupWrite = true;
                        if (log.isDebugEnabled()) {
                          log.debug("Target bucket '" + status.getTargetBucketName() + "' has ACL "
                              + "permission " + Permission.PERMISSION_WRITE + " for group " +
                              groupIdentifier);
                        }
                    } else if (gap.getPermission().equals(Permission.PERMISSION_READ_ACP)) {
                        isSetLoggingGroupReadACP = true;
                        if (log.isDebugEnabled()) {
                          log.debug("Target bucket '" + status.getTargetBucketName() + "' has ACL "
                              + "permission " + Permission.PERMISSION_READ_ACP + " for group " +
                              groupIdentifier);
                        }
                    }
                }
            }
           
            // Update target bucket's ACL if necessary.
            if (!isSetLoggingGroupWrite || !isSetLoggingGroupReadACP) {
              if (log.isWarnEnabled()) {
                  log.warn("Target logging bucket '" + status.getTargetBucketName()
                      + "' does not have the necessary ACL settings, updating ACL now");
              }
             
                logBucketACL.grantPermission(GroupGrantee.LOG_DELIVERY, Permission.PERMISSION_WRITE);
                logBucketACL.grantPermission(GroupGrantee.LOG_DELIVERY, Permission.PERMISSION_READ_ACP);
                putBucketAcl(status.getTargetBucketName(), logBucketACL);
            } else {
              if (log.isDebugEnabled()) {
                  log.debug("Target logging bucket '" + status.getTargetBucketName()
                      + "' has the necessary ACL settings");

        URL url = new URL(s3Url + "/" + bucketName + "/" + RestUtils.encodeUrlString(privateKey));
        assertEquals("Expected denied access (403) error", 403, ((HttpURLConnection) url
            .openConnection()).getResponseCode());
       
        // Get ACL details for private object so we can determine the bucket owner.
        AccessControlList bucketACL = s3Service.getBucketAcl(bucket);
        S3Owner bucketOwner = bucketACL.getOwner();

        // Create a public object.
        String publicKey = "Public Object #1";
        object = new S3Object(bucket, publicKey, "Public object sample text");       
        AccessControlList acl = new AccessControlList();
        acl.setOwner(bucketOwner);
        acl.grantPermission(GroupGrantee.ALL_USERS, Permission.PERMISSION_READ);
        object.setAcl(acl);
        s3Service.putObject(bucket, object);
        url = new URL(s3Url + "/" + bucketName + "/" + RestUtils.encodeUrlString(publicKey));
        assertEquals("Expected access (200)",
                200, ((HttpURLConnection)url.openConnection()).getResponseCode());

        // Update ACL to make private object public.
        AccessControlList privateToPublicACL = s3Service.getObjectAcl(bucket, privateKey);
        privateToPublicACL.grantPermission(GroupGrantee.ALL_USERS, Permission.PERMISSION_READ);
        object.setKey(privateKey);
        object.setAcl(privateToPublicACL);
        s3Service.putObjectAcl(bucket, object);
        url = new URL(s3Url + "/" + bucketName + "/" + RestUtils.encodeUrlString(privateKey));
        assertEquals("Expected access (200)", 200, ((HttpURLConnection) url.openConnection())
            .getResponseCode());

        // Create a non-standard uncanned public object.
        String publicKey2 = "Public Object #2";
        object = new S3Object(publicKey2);
        object.setAcl(privateToPublicACL); // This ACL has ALL_USERS READ permission set above.
        s3Service.putObject(bucket, object);
        url = new URL(s3Url + "/" + bucketName + "/" + RestUtils.encodeUrlString(publicKey2));
        assertEquals("Expected access (200)", 200, ((HttpURLConnection) url.openConnection())
            .getResponseCode());

        // Update ACL to make public object private.
        AccessControlList publicToPrivateACL = s3Service.getObjectAcl(bucket, publicKey);
        publicToPrivateACL.revokeAllPermissions(GroupGrantee.ALL_USERS);
        object.setKey(publicKey);
        object.setAcl(publicToPrivateACL);
        s3Service.putObjectAcl(bucket, object);
        url = new URL(s3Url + "/" + bucketName + "/" + RestUtils.encodeUrlString(publicKey));
        assertEquals("Expected denied access (403) error", 403, ((HttpURLConnection) url
