Class ModifyPrincipalAceServlet

  • All Implemented Interfaces:
    Serializable, javax.servlet.Servlet, javax.servlet.ServletConfig, ModifyAce, ModifyPrincipalAce

    public class ModifyPrincipalAceServlet
    extends ModifyAceServlet
    implements ModifyPrincipalAce

    Sling Post Servlet implementation for modifying the principal-based ACE for a principal on a JCR resource.

    Rest Service Description

    Modify a principal's ACEs for the node identified as a resource by the request URL <resource>.modifyPAce.html

    Transport Details:

    Methods

    • POST

    Post Parameters

    principalId
    The principal of the ACEs to modify in the ACL specified by the path.
    privilege@[privilege_name]
    One or more privileges which will be applied to the ACE. Any permissions that are present in an existing ACE for the principal but not in the request are left untouched. The parameter value must be either 'allow' or 'all'. For backward compatibility, 'granted' may also be used for the parameter value as an alias for 'allow'.
    restriction@[restriction_name]
    One or more restrictions which will be applied to the ACE. The value is the target value of the restriction to be set.
    restriction@[restriction_name]@Delete
    One or more restrictions which will be removed from the ACE.
    privilege@[privilege_name]@Delete
    One param for each privilege to delete. The parameter value must be either 'allow' or 'all' to specify which state to delete from.
    restriction@[privilege_name]@[restriction_name]@Allow
    restriction@[privilege_name]@[restriction_name]@Deny
    One param for each restriction value. The same parameter name may be used again for multi-value restrictions. The @Allow suffix specifies whether to apply the restriction to the 'allow' privilege. The value is the target value of the restriction to be set.
    restriction@[privilege_name]@[restriction_name]@Delete
    One param for each restriction to delete. The parameter value must be either 'allow' or 'all' to specify which state to delete from.

    Response

    200
    Success.
    404
    The resource was not found.
    500
    Failure. HTML explains the failure.

    Notes

    The principalId is assumed to refer directly to an Authorizable that comes directly from the UserManager. This can be a group or a user, but if it's a group, denied permissions will not be added to the group. The group will only contain granted privileges.
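
    A pre-flight check of a form body against the Post Parameters list above, useful for reviewing an ACE change before it is sent. This is an added example, not code from the Sling project; the function names, the output shape and the sample privilege and restriction names (jcr:read, rep:glob and so on) are assumptions chosen for illustration.

```python
# Added example: validates form fields against the parameter list documented above.
STATES = {"allow", "all"}  # the only states the page permits for privilege values

def _state(name, value, errors, alias=False):
    """Return a valid state, or record an error and return None."""
    if alias and value == "granted":  # documented alias for 'allow'
        value = "allow"
    if value in STATES:
        return value
    errors.append(f"{name}: value must be 'allow' or 'all', got {value!r}")
    return None

def check_modify_pace_form(pairs):
    """Return (principal_id, changes, errors) for a list of (name, value) fields."""
    principal_id, changes, errors = None, [], []
    for name, value in pairs:
        kind, *args = name.split("@")
        shape = (kind, len(args), args[-1] if args else "")
        if name == "principalId":
            principal_id = value
        elif not args or not all(args):
            errors.append(f"{name}: not in the documented parameter list")
        elif shape == ("privilege", 2, "Delete"):
            if (s := _state(name, value, errors)):
                changes.append(("delete-privilege", args[0], s))
        elif kind == "privilege" and len(args) == 1:
            if (s := _state(name, value, errors, alias=True)):
                changes.append(("set-privilege", args[0], s))
        elif shape == ("restriction", 2, "Delete"):
            changes.append(("delete-restriction", args[0], None))
        elif kind == "restriction" and len(args) == 1:
            changes.append(("set-restriction", args[0], value))
        elif shape == ("restriction", 3, "Delete"):
            if (s := _state(name, value, errors)):
                changes.append(("delete-restriction", f"{args[0]} {args[1]}", s))
        elif kind == "restriction" and len(args) == 3 and args[2] in ("Allow", "Deny"):
            changes.append((f"set-restriction@{args[2]}", f"{args[0]} {args[1]}", value))
        else:
            errors.append(f"{name}: not in the documented parameter list")
    if not principal_id:
        errors.append("principalId: required")
    return principal_id, changes, errors

SAMPLE = [  # constructed form fields, not captured traffic
    ("principalId", "example-service-user"), ("privilege@jcr:read", "granted"),
    ("privilege@jcr:write", "deny"), ("restriction@rep:glob", "/child/*"),
    ("restriction@jcr:read@rep:ntNames@Allow", "nt:folder"),
    ("privilege@jcr:modifyProperties@Delete", "all"), ("privliege@jcr:all", "allow"),
]
```

    Running check_modify_pace_form(SAMPLE) reports the 'deny' value and the misspelled parameter name as errors and lists the remaining fields as the changes the request asks for.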

    See Also:
    Serialized Form
    • Constructor Detail

      • ModifyPrincipalAceServlet

        public ModifyPrincipalAceServlet()
    • Method Detail

      • modifyPrincipalAce

        public void modifyPrincipalAce(javax.jcr.Session jcrSession,
                                       String resourcePath,
                                       String principalId,
                                       Map<String,String> privileges,
                                       boolean autoSave)
                                throws javax.jcr.RepositoryException
        Description copied from interface: ModifyPrincipalAce
        Add or modify the access control entry for the specified user or group.
        Specified by:
        modifyPrincipalAce in interface ModifyPrincipalAce
        Parameters:
        jcrSession - the JCR session of the user making the change
        resourcePath - The absolute path of the resource to apply the ACE to (required)
        principalId - The name of the user/group to provision (required)
        privileges - Map of privileges to apply. (optional)
        autoSave - true to automatically save changes to the JCR session, false otherwise
        Throws:
        javax.jcr.RepositoryException - if any errors applying the changes
      • modifyPrincipalAce

        public void modifyPrincipalAce(javax.jcr.Session jcrSession,
                                       String resourcePath,
                                       String principalId,
                                       Map<String,String> privileges,
                                       Map<String,javax.jcr.Value> restrictions,
                                       Map<String,javax.jcr.Value[]> mvRestrictions,
                                       Set<String> removeRestrictionNames,
                                       boolean autoSave)
                                throws javax.jcr.RepositoryException
        Description copied from interface: ModifyPrincipalAce
        Add or modify the access control entry for the specified user or group.
        Specified by:
        modifyPrincipalAce in interface ModifyPrincipalAce
        Parameters:
        jcrSession - the JCR session of the user making the change
        resourcePath - The absolute path of the resource to apply the ACE to (required)
        principalId - The name of the user/group to provision (required)
        privileges - Map of privileges to apply. (optional)
        restrictions - Map of single-value restrictions to apply. (optional)
        mvRestrictions - Map of multi-value restrictions to apply. (optional)
        removeRestrictionNames - Set of existing restriction names to remove (optional)
        autoSave - true to automatically save changes to the JCR session, false otherwise
        Throws:
        javax.jcr.RepositoryException - if any errors applying the changes
      • modifyPrincipalAce

        public void modifyPrincipalAce(javax.jcr.Session jcrSession,
                                       String resourcePath,
                                       String principalId,
                                       Collection<LocalPrivilege> localPrivileges,
                                       boolean autoSave)
                                throws javax.jcr.RepositoryException
        Description copied from interface: ModifyPrincipalAce
        Add or modify the access control entry for the specified user or group.
        Specified by:
        modifyPrincipalAce in interface ModifyPrincipalAce
        Parameters:
        jcrSession - the JCR session of the user making the change
        resourcePath - The absolute path of the resource to apply the ACE to (required)
        principalId - The name of the user/group to provision (required)
        localPrivileges - collection of privileges to apply.
        autoSave - true to automatically save changes to the JCR session, false otherwise
        Throws:
        javax.jcr.RepositoryException - if any errors applying the changes
      • getAcl

        protected org.apache.jackrabbit.api.security.JackrabbitAccessControlList getAcl(@NotNull javax.jcr.security.AccessControlManager acm,
                                                                                        String resourcePath,
                                                                                        Principal principal)
                                                                                 throws javax.jcr.RepositoryException
        Override to ensure that we get the policy that implements PrincipalAccessControlList
        Overrides:
        getAcl in class ModifyAceServlet
        Parameters:
        acm - the access control manager
        resourcePath - the resource path
        principal - the principal for the principal-based ACL
        Returns:
        the found ACL object
        Throws:
        javax.jcr.RepositoryException
      • removeAces

        protected String removeAces(@NotNull String resourcePath,
                                    @Nullable String order,
                                    @NotNull Principal principal,
                                    @NotNull org.apache.jackrabbit.api.security.JackrabbitAccessControlList acl)
                             throws javax.jcr.RepositoryException
        Override to ensure that we only remove the entries that have an effectivePath that matches the current resourcePath
        Overrides:
        removeAces in class ModifyAceServlet
        Parameters:
        order - the requested order (may be null)
        principal - the principal whose aces should be removed
        acl - the access control list to update
        Returns:
        the original order if it was supplied, otherwise the order of the first ACE
        Throws:
        javax.jcr.RepositoryException
      • addAces

        protected void addAces(@NotNull String resourcePath,
                               @NotNull Principal principal,
                               @NotNull Map<Set<LocalRestriction>,List<LocalPrivilege>> restrictionsToLocalPrivilegesMap,
                               boolean isAllow,
                               @NotNull org.apache.jackrabbit.api.security.JackrabbitAccessControlList acl,
                               Map<javax.jcr.security.Privilege,Integer> privilegeLongestDepthMap)
                        throws javax.jcr.RepositoryException
        Override to ensure we do not add an entry that denies privileges, which is not allowed in a principal ACE
        Overrides:
        addAces in class ModifyAceServlet
        Parameters:
        resourcePath - the path of the resource
        principal - the principal whose aces should be added
        restrictionsToLocalPrivilegesMap - the map containing the restrictions mapped to the LocalPrivilege items with those restrictions
        isAllow - true for 'allow' ACE, false for 'deny' ACE
        acl - the access control list to update
        Throws:
        javax.jcr.RepositoryException
      • getJackrabbitAccessControlEntry

        @Nullable
        protected org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry getJackrabbitAccessControlEntry(@NotNull javax.jcr.security.AccessControlEntry entry,
                                                                                                                  @NotNull String resourcePath,
                                                                                                                  @NotNull Principal forPrincipal)
        Override to ensure that we only return the entries that have an effectivePath that matches the current resourcePath
        Overrides:
        getJackrabbitAccessControlEntry in class ModifyAceServlet