jackrabbit-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r644215 [1/3] - in /jackrabbit/trunk/jackrabbit-core/src: main/java/org/apache/jackrabbit/core/security/ main/java/org/apache/jackrabbit/core/security/authorization/ main/java/org/apache/jackrabbit/core/security/authorization/acl/ main/java...
Date Thu, 03 Apr 2008 08:15:04 GMT
Author: angela
Date: Thu Apr  3 01:15:01 2008
New Revision: 644215

URL: http://svn.apache.org/viewvc?rev=644215&view=rev
Log:
security: work in progress

- change ACEditor to take jcr path
- extract common, abstract policy entry impl
- add more tests
- add JackrabbitAccessControlManager for policy editing
- various minor changes, fixes, improvements

Added:
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitAccessControlManager.java   (with props)
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyEntry.java   (with props)
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/GlobPattern.java   (with props)
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyEntryTest.java   (with props)
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyTemplateTest.java   (with props)
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/combined/GlobPatternTest.java   (with props)
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/combined/PolicyEntryImplTest.java   (with props)
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/combined/PolicyTemplateImplTest.java   (with props)
Removed:
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/GlobPattern.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/ACLImpl.java
Modified:
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/AbstractAccessControlManager.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractAccessControlProvider.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlEditor.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PolicyEntry.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PolicyTemplate.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACEImpl.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLEditor.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedEditor.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedProvider.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/PolicyEntryImpl.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/PolicyTemplateImpl.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleAccessManager.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/user/UserAccessControlProvider.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/AccessManagerTest.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/TestAll.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ACEImplTest.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplateTest.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/combined/TestAll.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/jsr283/security/AbstractAccessControlTest.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/jsr283/security/AccessControlDiscoveryTest.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/jsr283/security/AccessControlPolicyIteratorTest.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/GroupAdministratorTest.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/UserAdministratorTest.java

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/AbstractAccessControlManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/AbstractAccessControlManager.java?rev=644215&r1=644214&r2=644215&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/AbstractAccessControlManager.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/AbstractAccessControlManager.java Thu Apr  3 01:15:01 2008
@@ -26,7 +26,6 @@
 import org.apache.jackrabbit.core.security.jsr283.security.AccessControlEntry;
 import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
 import org.apache.jackrabbit.commons.iterator.AccessControlPolicyIteratorAdapter;
-import org.apache.jackrabbit.spi.Path;
 
 import javax.jcr.PathNotFoundException;
 import javax.jcr.RepositoryException;
@@ -37,7 +36,7 @@
 /**
  * <code>AbstractAccessControlManager</code>...
  */
-public abstract class AbstractAccessControlManager implements AccessControlManager {
+public abstract class AbstractAccessControlManager implements JackrabbitAccessControlManager {
 
     private static Logger log = LoggerFactory.getLogger(AbstractAccessControlManager.class);
 
@@ -50,7 +49,7 @@
      */
     public Privilege[] getSupportedPrivileges(String absPath) throws PathNotFoundException, RepositoryException {
         checkInitialized();
-        getValidNodePath(absPath);
+        checkValidNodePath(absPath);
 
         // return all known privileges everywhere.
         return PrivilegeRegistry.getRegisteredPrivileges();
@@ -65,7 +64,7 @@
      */
     public AccessControlPolicy getPolicy(String absPath) throws PathNotFoundException, AccessDeniedException, RepositoryException {
         checkInitialized();
-        checkPrivileges(getValidNodePath(absPath), PrivilegeRegistry.READ_AC);
+        checkPrivileges(absPath, PrivilegeRegistry.READ_AC);
 
         log.debug("Implementation does not provide applicable policies -> getPolicy() always returns null.");
         return null;
@@ -80,7 +79,7 @@
      */
     public AccessControlPolicyIterator getApplicablePolicies(String absPath) throws PathNotFoundException, AccessDeniedException, RepositoryException {
         checkInitialized();
-        checkPrivileges(getValidNodePath(absPath), PrivilegeRegistry.READ_AC);
+        checkPrivileges(absPath, PrivilegeRegistry.READ_AC);
 
         log.debug("Implementation does not provide applicable policies -> returning empty iterator.");
         return AccessControlPolicyIteratorAdapter.EMPTY;
@@ -93,7 +92,7 @@
      */
     public void setPolicy(String absPath, AccessControlPolicy policy) throws PathNotFoundException, AccessControlException, AccessDeniedException, RepositoryException {
         checkInitialized();
-        checkPrivileges(getValidNodePath(absPath), PrivilegeRegistry.MODIFY_AC);
+        checkPrivileges(absPath, PrivilegeRegistry.MODIFY_AC);
 
         throw new AccessControlException("AccessControlPolicy " + policy.getName() + " cannot be applied.");
     }
@@ -105,7 +104,7 @@
      */
     public AccessControlPolicy removePolicy(String absPath) throws PathNotFoundException, AccessControlException, AccessDeniedException, RepositoryException {
         checkInitialized();
-        checkPrivileges(getValidNodePath(absPath), PrivilegeRegistry.MODIFY_AC);
+        checkPrivileges(absPath, PrivilegeRegistry.MODIFY_AC);
 
         throw new AccessControlException("No AccessControlPolicy has been set through this API -> Cannot be removed.");
     }
@@ -118,7 +117,7 @@
      */
     public AccessControlEntry[] getAccessControlEntries(String absPath) throws PathNotFoundException, AccessDeniedException, RepositoryException {
         checkInitialized();
-        checkPrivileges(getValidNodePath(absPath), PrivilegeRegistry.READ_AC);
+        checkPrivileges(absPath, PrivilegeRegistry.READ_AC);
 
         return new AccessControlEntry[0];
     }
@@ -130,7 +129,7 @@
      */
     public AccessControlEntry addAccessControlEntry(String absPath, Principal principal, Privilege[] privileges) throws PathNotFoundException, AccessControlException, AccessDeniedException, RepositoryException {
         checkInitialized();
-        checkPrivileges(getValidNodePath(absPath), PrivilegeRegistry.MODIFY_AC);
+        checkPrivileges(absPath, PrivilegeRegistry.MODIFY_AC);
 
         throw new UnsupportedRepositoryOperationException("Adding access control entry is not supported by this AccessControlManager (" + getClass().getName()+ ").");
     }
@@ -142,7 +141,7 @@
      */
     public void removeAccessControlEntry(String absPath, AccessControlEntry ace) throws PathNotFoundException, AccessControlException, AccessDeniedException, RepositoryException {
         checkInitialized();
-        checkPrivileges(getValidNodePath(absPath), PrivilegeRegistry.MODIFY_AC);
+        checkPrivileges(absPath, PrivilegeRegistry.MODIFY_AC);
 
         throw new AccessControlException("Invalid access control entry, that has not been applied through this API.");
     }
@@ -166,7 +165,7 @@
      * of if the session does not have the privilege to READ it.
      * @throws RepositoryException
      */
-    protected abstract void checkPrivileges(Path absPath, int privileges) throws AccessDeniedException, PathNotFoundException, RepositoryException;
+    protected abstract void checkPrivileges(String absPath, int privileges) throws AccessDeniedException, PathNotFoundException, RepositoryException;
 
     /**
      * Build a qualified path from the specified <code>absPath</code> and test
@@ -178,6 +177,6 @@
      * @throws RepositoryException If the given <code>absPath</code> is not
      * absolute or if some other error occurs.
      */
-    protected abstract Path getValidNodePath(String absPath) throws PathNotFoundException, RepositoryException;
+    protected abstract void checkValidNodePath(String absPath) throws PathNotFoundException, RepositoryException;
 
 }

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java?rev=644215&r1=644214&r2=644215&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java Thu Apr  3 01:15:01 2008
@@ -73,7 +73,6 @@
  * How access control policies are matched to a particular item is defined by
  * the <code>AccessControlProvider</code> set to this AccessManager.
  *
- * @version $Rev$, $Date$
  * @see AccessManager
  * @see AccessControlManager
  */
@@ -240,14 +239,14 @@
      */
     public boolean hasPrivileges(String absPath, Privilege[] privileges) throws PathNotFoundException, RepositoryException {
         checkInitialized();
-        Path path = getValidNodePath(absPath);
+        checkValidNodePath(absPath);
         if (privileges == null || privileges.length == 0) {
             // null or empty privilege array -> return true
             log.debug("No privileges defined for hasPrivilege test.");
             return true;
         } else {
             int privs = PrivilegeRegistry.getBits(privileges);
-            return internalHasPrivileges(path, privs);
+            return internalHasPrivileges(absPath, privs);
         }
     }
 
@@ -256,8 +255,8 @@
      */
     public Privilege[] getPrivileges(String absPath) throws PathNotFoundException, RepositoryException {
         checkInitialized();
-        Path path = getValidNodePath(absPath);
-        int privs = compiledPermissions.getPrivileges(path);
+        checkValidNodePath(absPath);
+        int privs = compiledPermissions.getPrivileges(resolver.getQPath(absPath));
         return (privs == 0) ? new Privilege[0] : PrivilegeRegistry.getPrivileges(privs);
     }
 
@@ -266,12 +265,11 @@
      */
     public AccessControlPolicy getPolicy(String absPath) throws PathNotFoundException, AccessDeniedException, RepositoryException {
         checkInitialized();
-        Path path = getValidNodePath(absPath);
-        checkPrivileges(path, PrivilegeRegistry.READ_AC);
+        checkPrivileges(absPath, PrivilegeRegistry.READ_AC);
 
         AccessControlPolicy policy = null;
         if (editor != null) {
-            policy = editor.getPolicyTemplate(getNodeId(path));
+            policy = editor.getPolicyTemplate(absPath);
         }
         return policy;
     }
@@ -281,11 +279,10 @@
      */
     public AccessControlPolicy getEffectivePolicy(String absPath) throws PathNotFoundException, AccessDeniedException, RepositoryException {
         checkInitialized();
-        Path path = getValidNodePath(absPath);
-        checkPrivileges(path, PrivilegeRegistry.READ_AC);
+        checkPrivileges(absPath, PrivilegeRegistry.READ_AC);
 
         // TODO: acProvider may not retrieve the correct policy in case of transient modifications
-        return acProvider.getPolicy(getNodeId(path));
+        return acProvider.getPolicy(getNodeId(absPath));
     }
 
     /**
@@ -293,11 +290,10 @@
      */
     public AccessControlPolicyIterator getApplicablePolicies(String absPath) throws PathNotFoundException, AccessDeniedException, RepositoryException {
         checkInitialized();
-        Path path = getValidNodePath(absPath);
-        checkPrivileges(path, PrivilegeRegistry.READ_AC);
+        checkPrivileges(absPath, PrivilegeRegistry.READ_AC);
 
         if (editor != null) {
-            PolicyTemplate applicable = editor.editPolicyTemplate(getNodeId(path));
+            PolicyTemplate applicable = editor.editPolicyTemplate(absPath);
             if (applicable != null) {
                 return new AccessControlPolicyIteratorAdapter(Collections.singletonList(applicable));
             }
@@ -312,12 +308,11 @@
     public void setPolicy(String absPath, AccessControlPolicy policy) throws PathNotFoundException, AccessControlException, AccessDeniedException, RepositoryException {
         checkInitialized();
         if (policy instanceof PolicyTemplate) {
-            Path path = getValidNodePath(absPath);
-            checkPrivileges(path, PrivilegeRegistry.MODIFY_AC);
+            checkPrivileges(absPath, PrivilegeRegistry.MODIFY_AC);
             if (editor == null) {
                 throw new UnsupportedRepositoryOperationException("Modification of AccessControlPolicies is not supported. ");
             }
-            editor.setPolicyTemplate(getNodeId(path), (PolicyTemplate) policy);
+            editor.setPolicyTemplate(absPath, (PolicyTemplate) policy);
         } else {
             throw new AccessControlException("Access control policy '" + policy + "' not applicable");
         }
@@ -328,12 +323,11 @@
      */
     public AccessControlPolicy removePolicy(String absPath) throws PathNotFoundException, AccessControlException, AccessDeniedException, RepositoryException {
         checkInitialized();
-        Path path = getValidNodePath(absPath);
-        checkPrivileges(path, PrivilegeRegistry.MODIFY_AC);
+        checkPrivileges(absPath, PrivilegeRegistry.MODIFY_AC);
         if (editor == null) {
             throw new UnsupportedRepositoryOperationException("Removal of AccessControlPolicies is not supported.");
         }
-        return editor.removePolicyTemplate(getNodeId(path));
+        return editor.removePolicyTemplate(absPath);
     }
 
     /**
@@ -341,12 +335,11 @@
      */
     public AccessControlEntry[] getAccessControlEntries(String absPath) throws PathNotFoundException, AccessDeniedException, RepositoryException {
         checkInitialized();
-        Path path = getValidNodePath(absPath);
-        checkPrivileges(path, PrivilegeRegistry.READ_AC);
+        checkPrivileges(absPath, PrivilegeRegistry.READ_AC);
 
         AccessControlEntry[] entries = new AccessControlEntry[0];
         if (editor != null) {
-            entries = editor.getAccessControlEntries(getNodeId(path));
+            entries = editor.getAccessControlEntries(absPath);
         }
         return entries;
     }
@@ -356,10 +349,9 @@
      */
     public AccessControlEntry[] getEffectiveAccessControlEntries(String absPath) throws PathNotFoundException, AccessDeniedException, RepositoryException {
         checkInitialized();
-        Path path = getValidNodePath(absPath);
-        checkPrivileges(path, PrivilegeRegistry.READ_AC);
+        checkPrivileges(absPath, PrivilegeRegistry.READ_AC);
 
-        return acProvider.getAccessControlEntries(getNodeId(path));
+        return acProvider.getAccessControlEntries(getNodeId(absPath));
     }
 
     /**
@@ -367,14 +359,12 @@
      */
     public AccessControlEntry addAccessControlEntry(String absPath, Principal principal, Privilege[] privileges) throws PathNotFoundException, AccessControlException, AccessDeniedException, RepositoryException {
         checkInitialized();
-        Path path = getValidNodePath(absPath);
-        checkPrivileges(path, PrivilegeRegistry.MODIFY_AC);
+        checkPrivileges(absPath, PrivilegeRegistry.MODIFY_AC);
 
         if (editor == null) {
             throw new UnsupportedRepositoryOperationException("Adding access control entries is not supported.");
         } else {
-            NodeId id = getNodeId(path);
-            return editor.addAccessControlEntry(id, principal, privileges);
+            return editor.addAccessControlEntry(absPath, principal, privileges);
         }
     }
 
@@ -383,17 +373,37 @@
      */
     public void removeAccessControlEntry(String absPath, AccessControlEntry ace) throws PathNotFoundException, AccessControlException, AccessDeniedException, RepositoryException {
         checkInitialized();
-        Path path = getValidNodePath(absPath);
-        checkPrivileges(path, PrivilegeRegistry.MODIFY_AC);
+        checkPrivileges(absPath, PrivilegeRegistry.MODIFY_AC);
         if (editor == null) {
             throw new UnsupportedRepositoryOperationException("Removal of access control entries is not supported.");
         }
-        NodeId id = getNodeId(path);
-        if (!editor.removeAccessControlEntry(id, ace)) {
+        if (!editor.removeAccessControlEntry(absPath, ace)) {
             throw new AccessControlException("AccessControlEntry " + ace + " has not been assigned though this API.");
         }
     }
 
+    //-------------------------------------< JackrabbitAccessControlManager >---
+    /**
+     * @see JackrabbitAccessControlManager#editPolicy(String)
+     */
+    public PolicyTemplate editPolicy(String absPath) throws AccessDeniedException, AccessControlException, RepositoryException {
+        checkInitialized();
+        checkPrivileges(absPath, PrivilegeRegistry.MODIFY_AC);
+        if (editor == null) {
+            throw new UnsupportedRepositoryOperationException("Editing of access control policies is not supported.");
+        }
+
+        return editor.editPolicyTemplate(absPath);
+    }
+
+    public PolicyTemplate editPolicy(Principal principal) throws AccessDeniedException, AccessControlException, UnsupportedRepositoryOperationException, RepositoryException {
+        checkInitialized();
+        if (editor == null) {
+            throw new UnsupportedRepositoryOperationException("Editing of access control policies is not supported.");
+        }
+        return editor.editPolicyTemplate(principal);
+    }
+
     //---------------------------------------< AbstractAccessControlManager >---
     /**
      * @see AbstractAccessControlManager#checkInitialized()
@@ -405,38 +415,45 @@
     }
 
     /**
-     * @see AbstractAccessControlManager#getValidNodePath(String)
+     * @see AbstractAccessControlManager#checkValidNodePath(String)
      */
-    protected Path getValidNodePath(String absPath) throws PathNotFoundException, RepositoryException {
+    protected void checkValidNodePath(String absPath) throws PathNotFoundException, RepositoryException {
         Path p = resolver.getQPath(absPath);
         if (!p.isAbsolute()) {
             throw new RepositoryException("Absolute path expected.");
         }
-        if (hierMgr.resolveNodePath(p) != null) {
-            return p;
-        } else {
+        if (hierMgr.resolveNodePath(p) == null) {
             throw new PathNotFoundException("No such node " + absPath);
         }
     }
 
     /**
-     * @see AbstractAccessControlManager#checkPrivileges(Path, int)
+     * @see AbstractAccessControlManager#checkPrivileges(String, int)
      */
-    protected void checkPrivileges(Path absPath, int privileges) throws AccessDeniedException, RepositoryException {
+    protected void checkPrivileges(String absPath, int privileges) throws AccessDeniedException, RepositoryException {
+        checkValidNodePath(absPath);
         if (!internalHasPrivileges(absPath, privileges)) {
-            throw new AccessDeniedException("No privilege " + privileges + " at " + resolver.getJCRPath(absPath));
+            throw new AccessDeniedException("No privilege " + privileges + " at " + absPath);
         }
     }
 
     //------------------------------------------------------------< private >---
-    private boolean internalHasPrivileges(Path path, int privileges) throws RepositoryException {
-        return (compiledPermissions.getPrivileges(path) | ~privileges) == -1;
+    /**
+     *
+     * @param absPath
+     * @param privileges
+     * @return
+     * @throws RepositoryException
+     */
+    private boolean internalHasPrivileges(String absPath, int privileges) throws RepositoryException {
+        Path p = resolver.getQPath(absPath);
+        return (compiledPermissions.getPrivileges(p) | ~privileges) == -1;
     }
 
-    private NodeId getNodeId(Path absPath) throws RepositoryException {
-        NodeId id = hierMgr.resolveNodePath(absPath);
+    private NodeId getNodeId(String absPath) throws RepositoryException {
+        NodeId id = hierMgr.resolveNodePath(resolver.getQPath(absPath));
         if (id == null) {
-            throw new PathNotFoundException(resolver.getJCRPath(absPath));
+            throw new PathNotFoundException(absPath);
         }
         return id;
     }

Added: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitAccessControlManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitAccessControlManager.java?rev=644215&view=auto
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitAccessControlManager.java (added)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitAccessControlManager.java Thu Apr  3 01:15:01 2008
@@ -0,0 +1,67 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security;
+
+import org.apache.jackrabbit.core.security.authorization.PolicyTemplate;
+import org.apache.jackrabbit.core.security.jsr283.security.AccessControlManager;
+import org.apache.jackrabbit.core.security.jsr283.security.AccessControlException;
+
+import javax.jcr.AccessDeniedException;
+import javax.jcr.RepositoryException;
+import javax.jcr.PathNotFoundException;
+import javax.jcr.UnsupportedRepositoryOperationException;
+import java.security.Principal;
+
+/**
+ * <code>JackrabbitAccessControlManager</code>...
+ */
+public interface JackrabbitAccessControlManager extends AccessControlManager {
+
+    /**
+     * Returns a policy template for the existing node at <code>absPath</code>.
+     * 
+     * @return policy template for the node at <code>absPath</code>.
+     * @throws PathNotFoundException if no node exists for the given
+     * <code>nodePath</code>.
+     * @throws AccessDeniedException if the session lacks
+     * <code>MODIFY_ACCESS_CONTROL</code> privilege for the <code>absPath</code>
+     * node.
+     * @throws AccessControlException if this implementation does not allow to
+     * edit the policy at <code>absPath</code> of if same other access
+     * control related exception occurs.
+     * @throws UnsupportedRepositoryOperationException if editing the policy
+     * is not supported.
+     * @throws RepositoryException if another error occurs.
+     */
+    PolicyTemplate editPolicy(String absPath) throws PathNotFoundException, AccessDeniedException, AccessControlException, UnsupportedRepositoryOperationException, RepositoryException;
+
+    /**
+     * Returns a policy template for the specified <code>principal.</code>
+     *
+     * @return policy template for the specified <code>principal</code>.
+     * @throws AccessDeniedException if the session lacks
+     * <code>MODIFY_ACCESS_CONTROL</code> privilege.
+     * @throws AccessControlException if the specified principal does not exist,
+     * if this implementation does provide policy tempates for principals or
+     * if same other access control related exception occurs.
+     * @throws UnsupportedRepositoryOperationException if editing the policy
+     * is not supported.
+     * @throws RepositoryException if another error occurs.
+     */
+    PolicyTemplate editPolicy(Principal principal) throws AccessDeniedException, AccessControlException, UnsupportedRepositoryOperationException, RepositoryException;
+
+}
\ No newline at end of file

Propchange: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitAccessControlManager.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitAccessControlManager.java
------------------------------------------------------------------------------
    svn:keywords = author date id revision url

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractAccessControlProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractAccessControlProvider.java?rev=644215&r1=644214&r2=644215&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractAccessControlProvider.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractAccessControlProvider.java Thu Apr  3 01:15:01 2008
@@ -19,17 +19,21 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.apache.jackrabbit.core.NodeId;
+import org.apache.jackrabbit.core.SessionImpl;
 import org.apache.jackrabbit.core.security.jsr283.security.AccessControlPolicy;
 import org.apache.jackrabbit.core.security.jsr283.security.AccessControlEntry;
 import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
 import org.apache.jackrabbit.core.security.SystemPrincipal;
 import org.apache.jackrabbit.spi.Path;
+import org.apache.jackrabbit.spi.commons.conversion.NamePathResolver;
 
 import javax.jcr.ItemNotFoundException;
 import javax.jcr.RepositoryException;
 import javax.jcr.Session;
+import javax.jcr.observation.ObservationManager;
 import java.util.Iterator;
 import java.util.Set;
+import java.util.Map;
 import java.security.Principal;
 
 /**
@@ -42,7 +46,14 @@
     private final String policyName;
     private final String policyDesc;
 
-    protected boolean initialized;
+    /**
+     * Returns the system session this provider has been created for.
+     */
+    protected SessionImpl session;
+    protected ObservationManager observationMgr;
+    protected NamePathResolver resolver;
+
+    private boolean initialized;
 
     protected AbstractAccessControlProvider() {
         this(AbstractAccessControlProvider.class.getName() + ": default Policy", null);
@@ -101,6 +112,29 @@
     }
 
     //----------------------------------------------< AccessControlProvider >---
+    /**
+     * Tests if the given <code>systemSession</code> is a SessionImpl and
+     * retrieves the observation manager. The it sets the internal 'initialized'
+     * field to true.
+     *
+     * @throws RepositoryException If the specified session is not a
+     * <code>SessionImpl</code> or if retrieving the observation manager fails.
+     * @see AccessControlProvider#init(Session, Map)
+     */
+    public void init(Session systemSession, Map options) throws RepositoryException {
+        if (initialized) {
+            throw new IllegalStateException("already initialized");
+        }
+        if (!(systemSession instanceof SessionImpl)) {
+            throw new RepositoryException("SessionImpl (system session) expected.");
+        }
+        session = (SessionImpl) systemSession;
+        observationMgr = systemSession.getWorkspace().getObservationManager();
+        resolver = (SessionImpl) systemSession;
+
+        initialized = true;
+    }
+
     /**
      * @see AccessControlProvider#close()
      */

Added: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyEntry.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyEntry.java?rev=644215&view=auto
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyEntry.java (added)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyEntry.java Thu Apr  3 01:15:01 2008
@@ -0,0 +1,143 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security.authorization;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.apache.jackrabbit.core.security.jsr283.security.Privilege;
+
+import java.security.Principal;
+
+/**
+ * Simple, immutable implementation of the
+ * {@link org.apache.jackrabbit.core.security.jsr283.security.AccessControlEntry}
+ * and the {@link PolicyEntry} interfaces.
+ */
+public abstract class AbstractPolicyEntry implements PolicyEntry {
+
+    private static Logger log = LoggerFactory.getLogger(AbstractPolicyEntry.class);
+
+    /**
+     * Privileges contained in this entry
+     */
+    private final int privileges;
+
+    /**
+     * if the actions contained are allowed or denied
+     */
+    private final boolean allow;
+
+    /**
+     * the Principal of this entry
+     */
+    private final Principal principal;
+
+    /**
+     * Hash code being calculated on demand.
+     */
+    private int hashCode = -1;
+
+    /**
+     * Construct an access control entry for the given principal, privileges and
+     * a polarity (deny or allow)
+     *
+     * @param principal
+     * @param privileges
+     * @param allow
+     */
+    protected AbstractPolicyEntry(Principal principal, int privileges, boolean allow) {
+        this.principal = principal;
+        this.privileges = privileges;
+        this.allow = allow;
+    }
+
+    /**
+     * Build the hash code.
+     *
+     * @return the hash code.
+     */
+    protected int buildHashCode() {
+        int h = 17;
+        h = 37 * h + principal.getName().hashCode();
+        h = 37 * h + privileges;
+        h = 37 * h + Boolean.valueOf(allow).hashCode();
+        return h;
+    }
+
+    //-------------------------------------------------< AccessControlEntry >---
+    /**
+     * @see org.apache.jackrabbit.core.security.jsr283.security.AccessControlEntry#getPrincipal()
+     */
+    public Principal getPrincipal() {
+        return principal;
+    }
+
+    /**
+     * @see org.apache.jackrabbit.core.security.jsr283.security.AccessControlEntry#getPrivileges()
+     */
+    public Privilege[] getPrivileges() {
+        return PrivilegeRegistry.getPrivileges(privileges);
+    }
+
+    //--------------------------------------------------------< PolicyEntry >---
+    /**
+     * @see PolicyEntry#isAllow()
+     */
+    public boolean isAllow() {
+        return allow;
+    }
+
+    /**
+     * @see PolicyEntry#getPrivilegeBits()
+     */
+    public int getPrivilegeBits() {
+        return privileges;
+    }
+
+    //-------------------------------------------------------------< Object >---
+    /**
+     * @see Object#hashCode()
+     */
+    public int hashCode() {
+        if (hashCode == -1) {
+            hashCode = buildHashCode();
+        }
+        return hashCode;
+    }
+
+    /**
+     * Returns true if the principal, the allow-flag and all privileges are
+     * equal / the same.
+     *
+     * @param obj
+     * @return
+     * @see Object#equals(Object)
+     */
+    public boolean equals(Object obj) {
+        if (obj == this) {
+            return true;
+        }
+
+        if (obj instanceof AbstractPolicyEntry) {
+            AbstractPolicyEntry tmpl = (AbstractPolicyEntry) obj;
+            return principal.getName().equals(tmpl.principal.getName()) &&
+                   allow == tmpl.allow &&
+                   privileges == tmpl.privileges;
+        }
+        return false;
+    }
+}
\ No newline at end of file

Propchange: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyEntry.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractPolicyEntry.java
------------------------------------------------------------------------------
    svn:keywords = author date id revision url

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlEditor.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlEditor.java?rev=644215&r1=644214&r2=644215&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlEditor.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlEditor.java Thu Apr  3 01:15:01 2008
@@ -22,7 +22,9 @@
 import org.apache.jackrabbit.core.security.jsr283.security.AccessControlEntry;
 
 import javax.jcr.RepositoryException;
-import javax.jcr.ItemNotFoundException;
+import javax.jcr.UnsupportedRepositoryOperationException;
+import javax.jcr.PathNotFoundException;
+import javax.jcr.AccessDeniedException;
 import java.security.Principal;
 
 /**
@@ -44,20 +46,22 @@
      * the scope of the PolicyTemplate it limited to the Node itself and does
      * not take inherited elements into account.
      *
-     * @param id the id of the Node to retrievethe PolicyTemplate for.
+     * @param nodePath Absolute path to an existing node object.
      * @return the PolicyTemplate or <code>null</code> no policy has been
      * applied to the node before.
-     * @throws AccessControlException If the Node identified by the given id does
-     * not allow ACL modifications.
-     * @throws ItemNotFoundException if no node exists for the given id.
+     * @throws AccessControlException If the Node identified by the given
+     * <code>nodePath</code> does not allow access control modifications (e.g.
+     * the node itself stores the access control information for its parent).
+     * @throws PathNotFoundException if no node exists for the given
+     * <code>nodePath</code>.
      * @throws RepositoryException if an error occurs
      */
-    PolicyTemplate getPolicyTemplate(NodeId id) throws AccessControlException, ItemNotFoundException, RepositoryException;
+    PolicyTemplate getPolicyTemplate(String nodePath) throws AccessControlException, PathNotFoundException, RepositoryException;
 
     /**
-     * Retrieves an editable policy template for the Node identified by the given
+     * Retrieves the policy template for the Node identified by the given
      * <code>NodeId</code>. If the node does not yet have an policy set an
-     * new (empty) template is created (see also {@link #getPolicyTemplate(NodeId)}.<br>
+     * new (empty) template is created (see also {@link #getPolicyTemplate(String)}.<br>
      * The PolicyTemplate returned is detached from the underlying
      * <code>AccessControlProvider</code> and is only an external
      * representation. Modification will therefore not take effect, until it is
@@ -67,98 +71,120 @@
      * the scope of the PolicyTemplate it limited to the Node itself and does
      * never not take inherited elements into account.
      *
-     * @param id the id of the Node to retrieve (or create) the PolicyTemplate for.
-     * @return the PolicyTemplate
-     * @throws AccessControlException If the Node identified by the given id does
-     * not allow ACL modifications.
-     * @throws ItemNotFoundException if no node exists for the given id.
+     * @param nodePath Absolute path to an existing node object.
+     * @return policy template
+     * @throws AccessControlException If the Node identified by the given
+     * <code>nodePath</code> does not allow access control modifications.
+     * @throws PathNotFoundException if no node exists for the given
+     * <code>nodePath</code>.
      * @throws RepositoryException if an error occurs
      */
-    PolicyTemplate editPolicyTemplate(NodeId id) throws AccessControlException, ItemNotFoundException, RepositoryException;
+    PolicyTemplate editPolicyTemplate(String nodePath) throws AccessControlException, PathNotFoundException, RepositoryException;
+
+    /**
+     * Returns a policy template for the given <code>principal</code>.
+     *
+     * @return policy template for the specified <code>principal.</code>.
+     * @throws AccessControlException if the specified principal does not exist,
+     * if this implementation does provide policy tempates for principals or
+     * if same other access control related exception occurs.
+     * @throws RepositoryException if another error occurs.
+     */
+    PolicyTemplate editPolicyTemplate(Principal principal) throws AccessDeniedException, AccessControlException, RepositoryException;
 
     /**
      * Stores the policy template to the respective node.
      *
-     * @param id the id of the node to write the template for. Note, that a
-     * {@link javax.jcr.Session#save()} is required to persist the changes. Upon
-     * 'setPolicyTemplate' the modifications are applied in the transient space only.
+     * @param nodePath Absolute path to an existing node object.
      * @param template the <code>PolicyTemplate</code> to store.
      * @throws AccessControlException If the PolicyTemplate is <code>null</code> or
-     * if it is not applicable to the Node identified by the given id.
-     * @throws ItemNotFoundException if no node exists for the given id.
+     * if it is not applicable to the Node identified by the given
+     * <code>nodePath</code>.
+     * @throws PathNotFoundException if no node exists for the given
+     * <code>nodePath</code>.
      * @throws RepositoryException if an other error occurs.
      */
-    void setPolicyTemplate(NodeId id, PolicyTemplate template) throws AccessControlException, ItemNotFoundException, RepositoryException;
+    void setPolicyTemplate(String nodePath, PolicyTemplate template) throws AccessControlException, PathNotFoundException, RepositoryException;
 
     /**
      * Removes the template from the respective node.
      *
-     * @param id the id of the node to remove the acl from.
+     * @param nodePath Absolute path to an existing node object.
      * @return the PolicyTemplate that has been remove or <code>null</code>
      * if there was no policy to remove.
-     * @throws AccessControlException If the Node identified by the given id
-     * does not allow policy modifications.
-     * @throws ItemNotFoundException if no node exists for the given id.
+     * @throws AccessControlException If the Node identified by the given
+     * <code>nodePath</code> does not allow policy modifications.
+     * @throws PathNotFoundException if no node exists for the given
+     * <code>nodePath</code>.
      * @throws RepositoryException if an other error occurs
      */
-    PolicyTemplate removePolicyTemplate(NodeId id) throws AccessControlException, ItemNotFoundException, RepositoryException;
+    PolicyTemplate removePolicyTemplate(String nodePath) throws AccessControlException, PathNotFoundException, RepositoryException;
 
     /**
      * Returns the access control entries present with the node
      * identified by  <code>id</code>, that have
-     * been added using {@link #addAccessControlEntry(NodeId,Principal,Privilege[])}.
+     * been added using {@link #addAccessControlEntry(String,Principal,Privilege[])}.
      * The implementation may return other entries, if they can be removed
-     * using {@link #removeAccessControlEntry(NodeId,AccessControlEntry)}.
+     * using {@link #removeAccessControlEntry(String,AccessControlEntry)}.
      *
-     * @param id
+     * @param nodePath Absolute path to an existing node object.
      * @return the (granting) access control entries present with the node
      * identified by  <code>id</code>.
      * @throws AccessControlException
-     * @throws ItemNotFoundException if no node exists for the given id.
+     * @throws PathNotFoundException if no node exists for the given
+     * <code>nodePath</code>.
+     * @throws UnsupportedRepositoryOperationException if only simple access
+     * control is supported.
      * @throws RepositoryException
      */
-    AccessControlEntry[] getAccessControlEntries(NodeId id) throws AccessControlException, ItemNotFoundException, RepositoryException;
+    AccessControlEntry[] getAccessControlEntries(String nodePath) throws AccessControlException, PathNotFoundException, UnsupportedRepositoryOperationException, RepositoryException;
 
     /**
      * Adds an access control entry to the node identified by
      * <code>id</code>. An implementation that always keeps entries with an
      * existing <code>AccessControlPolicy</code> may choose to treat this
-     * method as short-cut for {@link #editPolicyTemplate(NodeId)} and
+     * method as short-cut for {@link #editPolicyTemplate(String)} and
      * subsequent template modification.
      * Note, that in addition an implementation may only allow granting
      * ACEs as specified by JSR 283.
      *
-     * @param id
+     * @param nodePath Absolute path to an existing node object.
      * @param principal
      * @param privileges
      * @return The entry that results from adding the specified
      * privileges for the specified principal.
-     * @throws AccessControlException If the Node identified by the given id
+     * @throws AccessControlException If the Node identified by the given nodePath.
      * does not allow access control modifications, if the principal does not
      * exist or if any of the specified privileges is unknown.
-     * @throws ItemNotFoundException if no node exists for the given id.
+     * @throws PathNotFoundException if no node exists for the given
+     * <code>nodePath</code>.
+     * @throws UnsupportedRepositoryOperationException if only simple access
+     * control is supported.
      * @throws RepositoryException if an other error occurs
      */
-    AccessControlEntry addAccessControlEntry(NodeId id, Principal principal, Privilege[] privileges) throws AccessControlException, ItemNotFoundException, RepositoryException;
+    AccessControlEntry addAccessControlEntry(String nodePath, Principal principal, Privilege[] privileges) throws AccessControlException, PathNotFoundException, UnsupportedRepositoryOperationException, RepositoryException;
 
     /**
      * Removes the access control entry represented by the given
      * <code>template</code> from the node identified by
      * <code>id</code>. An implementation that always keeps entries with an
      * existing <code>AccessControlPolicy</code> may choose to treat this
-     * method as short-cut for {@link #getPolicyTemplate(NodeId)} and
+     * method as short-cut for {@link #getPolicyTemplate(String)} and
      * subsequent template modification.
      * Note that only <code>PolicyEntry</code>s accessible through
-     * {@link #getAccessControlEntries(NodeId)} can be removed by this call.
+     * {@link #getAccessControlEntries(String)} can be removed by this call.
      *
-     * @param id
-     * @param entry
+     * @param nodePath Absolute path to an existing node object.
+     * @param entry The access control entry to be removed.
      * @return true if entry was contained could be successfully removed.
      * @throws AccessControlException If an access control specific exception
      * occurs (e.g. invalid entry implementation, entry cannot be removed
      * by this call, etc.).
-     * @throws ItemNotFoundException if no node exists for the given id.
+     * @throws PathNotFoundException if no node exists for the given
+     * <code>nodePath</code>.
+     * @throws UnsupportedRepositoryOperationException if only simple access
+     * control is supported.
      * @throws RepositoryException if another error occurs.
      */
-    boolean removeAccessControlEntry(NodeId id, AccessControlEntry entry) throws AccessControlException, ItemNotFoundException, RepositoryException;
+    boolean removeAccessControlEntry(String nodePath, AccessControlEntry entry) throws AccessControlException, PathNotFoundException, UnsupportedRepositoryOperationException, RepositoryException;
 }

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PolicyEntry.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PolicyEntry.java?rev=644215&r1=644214&r2=644215&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PolicyEntry.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PolicyEntry.java Thu Apr  3 01:15:01 2008
@@ -31,6 +31,12 @@
      */
     boolean isAllow();
 
+    /**
+     * @return the int representation of the privileges defined for this entry.
+     * @see #getPrivileges()
+     */
+    int getPrivilegeBits();
+
     // TODO: eventually add
     // String getNodePath();
     // String getGlob();

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PolicyTemplate.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PolicyTemplate.java?rev=644215&r1=644214&r2=644215&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PolicyTemplate.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PolicyTemplate.java Thu Apr  3 01:15:01 2008
@@ -31,6 +31,13 @@
 public interface PolicyTemplate extends AccessControlPolicy {
 
     /**
+     * Returns the path of the node this template has been created for.
+     *  
+     * @return the path of the node this template has been created for.
+     */
+    String getPath();
+
+    /**
      * Returns <code>true</code> if this template does not yet define any
      * entries.
      *

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACEImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACEImpl.java?rev=644215&r1=644214&r2=644215&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACEImpl.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACEImpl.java Thu Apr  3 01:15:01 2008
@@ -16,40 +16,14 @@
  */
 package org.apache.jackrabbit.core.security.authorization.acl;
 
-import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
-import org.apache.jackrabbit.core.security.authorization.PolicyEntry;
-import org.apache.jackrabbit.core.security.jsr283.security.Privilege;
+import org.apache.jackrabbit.core.security.authorization.AbstractPolicyEntry;
 
 import java.security.Principal;
 
 /**
- * Simple, immutable implementation of the
- * {@link org.apache.jackrabbit.core.security.jsr283.security.AccessControlEntry}
- * and the {@link PolicyEntry} interfaces.
- * 
- * @see PolicyEntry
+ * <code>ACEImpl</code>
  */
-class ACEImpl implements PolicyEntry {
-
-    /**
-     * Privileges contained in this entry
-     */
-    private final int privileges;
-
-    /**
-     * if the actions contained are allowed or denied
-     */
-    private final boolean allow;
-
-    /**
-     * the Principal of this entry
-     */
-    private final Principal principal;
-
-    /**
-     * Hash code being calculated on demand.
-     */
-    private final int hashCode;
+class ACEImpl extends AbstractPolicyEntry {
 
     /**
      * Construct an access control entry for the given principal, privileges and
@@ -60,76 +34,6 @@
      * @param allow
      */
     ACEImpl(Principal principal, int privileges, boolean allow) {
-        this.principal = principal;
-        this.privileges = privileges;
-        this.allow = allow;
-
-        int h = 17;
-        h = 37 * h + principal.getName().hashCode();
-        h = 37 * h + privileges;
-        h = 37 * h + Boolean.valueOf(allow).hashCode();
-        hashCode = h;
-    }
-
-    /**
-     * @return the int representation of the privileges defined for this entry.
-     * @see #getPrivileges() 
-     */
-    int getPrivilegeBits() {
-        return privileges;
-    }
-
-    //-------------------------------------------------< AccessControlEntry >---
-    /**
-     * @see org.apache.jackrabbit.core.security.jsr283.security.AccessControlEntry#getPrincipal()
-     */
-    public Principal getPrincipal() {
-        return principal;
-    }
-
-    /**
-     * @see org.apache.jackrabbit.core.security.jsr283.security.AccessControlEntry#getPrivileges()
-     */
-    public Privilege[] getPrivileges() {
-        return PrivilegeRegistry.getPrivileges(privileges);
-    }
-
-    //--------------------------------------------------------< PolicyEntry >---
-    /**
-     * @see PolicyEntry#isAllow()
-     */
-    public boolean isAllow() {
-        return allow;
-    }
-
-    //-------------------------------------------------------------< Object >---
-    /**
-     * @see Object#hashCode()
-     */
-    public int hashCode() {
-        return hashCode;
-    }
-
-    /**
-     * Returns true if the principal, the allow-flag and all privileges are
-     * equal / the same.
-     *
-     * @param obj
-     * @return
-     * @see Object#equals(Object)
-     */
-    public boolean equals(Object obj) {
-        if (obj == this) {
-            return true;
-        }
-
-        if (obj instanceof ACEImpl) {
-            ACEImpl tmpl = (ACEImpl) obj;
-            // TODO: check again if comparing principal-name is sufficient
-            return principal.getName().equals(tmpl.principal.getName()) &&
-                   allow == tmpl.allow &&
-                   privileges == tmpl.privileges;
-        }
-        return false;
+        super(principal, privileges, allow);
     }
 }

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLEditor.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLEditor.java?rev=644215&r1=644214&r2=644215&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLEditor.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLEditor.java Thu Apr  3 01:15:01 2008
@@ -17,7 +17,6 @@
 package org.apache.jackrabbit.core.security.authorization.acl;
 
 import org.apache.jackrabbit.core.SessionImpl;
-import org.apache.jackrabbit.core.NodeId;
 import org.apache.jackrabbit.core.NodeImpl;
 import org.apache.jackrabbit.core.SecurityItemModifier;
 import org.apache.jackrabbit.core.security.authorization.AccessControlEditor;
@@ -38,9 +37,10 @@
 import javax.jcr.Session;
 import javax.jcr.RepositoryException;
 import javax.jcr.Node;
-import javax.jcr.ItemNotFoundException;
 import javax.jcr.Value;
 import javax.jcr.ValueFactory;
+import javax.jcr.PathNotFoundException;
+import javax.jcr.AccessDeniedException;
 import java.security.Principal;
 import java.util.List;
 import java.util.ArrayList;
@@ -60,7 +60,7 @@
      */
     private static final String DEFAULT_PERMISSION_NAME = "permission";
 
-    private final SessionImpl session;
+    protected final SessionImpl session;
     private final PrincipalManager principalManager;
 
     protected ACLEditor(Session editingSession) throws RepositoryException {
@@ -74,13 +74,14 @@
 
     //------------------------------------------------< AccessControlEditor >---
     /**
-     * @see AccessControlEditor#getPolicyTemplate(NodeId)
+     * @see AccessControlEditor#getPolicyTemplate(String)
+     * @param nodePath
      */
-    public PolicyTemplate getPolicyTemplate(NodeId id) throws AccessControlException, ItemNotFoundException, RepositoryException {
-        checkProtectsNode(id);
+    public PolicyTemplate getPolicyTemplate(String nodePath) throws AccessControlException, PathNotFoundException, RepositoryException {
+        checkProtectsNode(nodePath);
 
         PolicyTemplate tmpl = null;
-        NodeImpl aclNode = getAclNode(id);
+        NodeImpl aclNode = getAclNode(nodePath);
         if (aclNode != null) {
             tmpl = new ACLTemplate(aclNode, Collections.EMPTY_SET);
         }
@@ -88,15 +89,16 @@
     }
 
     /**
-     * @see AccessControlEditor#editPolicyTemplate(NodeId)
+     * @see AccessControlEditor#editPolicyTemplate(String)
+     * @param nodePath
      */
-    public PolicyTemplate editPolicyTemplate(NodeId id) throws AccessControlException, ItemNotFoundException, RepositoryException {
-        checkProtectsNode(id);
+    public PolicyTemplate editPolicyTemplate(String nodePath) throws AccessControlException, PathNotFoundException, RepositoryException {
+        checkProtectsNode(nodePath);
 
         PolicyTemplate tmpl;
-        NodeImpl aclNode = getAclNode(id);
+        NodeImpl aclNode = getAclNode(nodePath);
         if (aclNode == null) {
-            tmpl = new ACLTemplate();
+            tmpl = new ACLTemplate(nodePath);
         } else {
             tmpl = new ACLTemplate(aclNode, Collections.EMPTY_SET);
         }
@@ -104,12 +106,19 @@
     }
 
     /**
-     * @see AccessControlEditor#setPolicyTemplate(NodeId, PolicyTemplate)
+     * @see AccessControlEditor#editPolicyTemplate(Principal)
      */
-    public void setPolicyTemplate(NodeId id, PolicyTemplate template) throws RepositoryException {
-        checkProtectsNode(id);
+    public PolicyTemplate editPolicyTemplate(Principal principal) throws AccessDeniedException, AccessControlException, RepositoryException {
+        throw new AccessControlException("Unable to edit policy for principal " + principal.getName());
+    }
+
+    /**
+     * @see AccessControlEditor#setPolicyTemplate(String,PolicyTemplate)
+     */
+    public void setPolicyTemplate(String nodePath, PolicyTemplate template) throws RepositoryException {
+        checkProtectsNode(nodePath);
 
-        NodeImpl aclNode = getAclNode(id);
+        NodeImpl aclNode = getAclNode(nodePath);
         /* in order to assert that the parent (ac-controlled node) gets modified
            an existing ACL node is removed first and the recreated.
            this also asserts that all ACEs are cleared without having to
@@ -119,7 +128,7 @@
             removeSecurityItem(aclNode);
         }
         // now (re) create it
-        aclNode = createAclNode(id);
+        aclNode = createAclNode(nodePath);
 
         PolicyEntry[] entries = template.getEntries();
         for (int i = 0; i < entries.length; i++) {
@@ -141,13 +150,13 @@
     }
 
     /**
-     * @see AccessControlEditor#removePolicyTemplate(NodeId)
+     * @see AccessControlEditor#removePolicyTemplate(String)
      */
-    public PolicyTemplate removePolicyTemplate(NodeId id) throws AccessControlException, RepositoryException {
-        checkProtectsNode(id);
+    public PolicyTemplate removePolicyTemplate(String nodePath) throws AccessControlException, RepositoryException {
+        checkProtectsNode(nodePath);
 
         PolicyTemplate tmpl = null;
-        NodeImpl aclNode = getAclNode(id);
+        NodeImpl aclNode = getAclNode(nodePath);
         if (aclNode != null) {
             // need to build the template in order to have a return value.
             tmpl = new ACLTemplate(aclNode, Collections.EMPTY_SET);
@@ -157,10 +166,10 @@
     }
 
     /**
-     * @see AccessControlEditor#getAccessControlEntries(NodeId)
+     * @see AccessControlEditor#getAccessControlEntries(String)
      */
-    public AccessControlEntry[] getAccessControlEntries(NodeId id) throws AccessControlException, ItemNotFoundException, RepositoryException {
-        PolicyTemplate pt = getPolicyTemplate(id);
+    public AccessControlEntry[] getAccessControlEntries(String nodePath) throws AccessControlException, PathNotFoundException, RepositoryException {
+        PolicyTemplate pt = getPolicyTemplate(nodePath);
         if (pt == null) {
             return new AccessControlEntry[0];
         } else {
@@ -176,15 +185,15 @@
     }
 
     /**
-     * @see AccessControlEditor#addAccessControlEntry(NodeId,Principal,Privilege[])
+     * @see AccessControlEditor#addAccessControlEntry(String,Principal,Privilege[])
      */
-    public AccessControlEntry addAccessControlEntry(NodeId id, Principal principal, Privilege[] privileges) throws AccessControlException, ItemNotFoundException, RepositoryException {
+    public AccessControlEntry addAccessControlEntry(String nodePath, Principal principal, Privilege[] privileges) throws AccessControlException, PathNotFoundException, RepositoryException {
         // JSR 283 requires that the principal is known TODO: check again.
         if (!principalManager.hasPrincipal(principal.getName())) {
             throw new AccessControlException("Principal " + principal.getName() + " does not exist.");
         }
 
-        ACLTemplate pt = (ACLTemplate) editPolicyTemplate(id);
+        ACLTemplate pt = (ACLTemplate) editPolicyTemplate(nodePath);
         // TODO: check again. maybe these 'grant-ACE' should be stored/evaluated separated
         int privs = PrivilegeRegistry.getBits(privileges);
         /*
@@ -202,7 +211,7 @@
         }
 
         pt.setEntry(new ACEImpl(principal, privs, true));
-        setPolicyTemplate(id, pt);
+        setPolicyTemplate(nodePath, pt);
         ACEImpl[] tmpls = pt.getEntries(principal);
         for (int i = 0; i < tmpls.length; i++) {
             if (tmpls[i].isAllow()) {
@@ -215,17 +224,17 @@
 
 
     /**
-     * @see AccessControlEditor#removeAccessControlEntry(NodeId,AccessControlEntry)
+     * @see AccessControlEditor#removeAccessControlEntry(String,AccessControlEntry)
      */
-    public boolean removeAccessControlEntry(NodeId id, AccessControlEntry entry) throws AccessControlException, ItemNotFoundException, RepositoryException {
+    public boolean removeAccessControlEntry(String nodePath, AccessControlEntry entry) throws AccessControlException, PathNotFoundException, RepositoryException {
         if (!(entry instanceof ACEImpl)) {
             throw new AccessControlException("Unknown AccessControlEntry implementation.");
         }
         // TODO: check again. maybe these 'grant-ACE' should be removed separated
-        PolicyTemplate pt = editPolicyTemplate(id);
+        PolicyTemplate pt = editPolicyTemplate(nodePath);
         boolean removed = pt.removeEntry((ACEImpl) entry);
         if (removed) {
-            setPolicyTemplate(id, pt);
+            setPolicyTemplate(nodePath, pt);
         }
         return removed;
     }
@@ -236,31 +245,42 @@
      * defining content. It this case setting or modifying an AC-policy is
      * obviously not possible.
      *
-     * @param id
+     * @param nodePath
      * @throws AccessControlException If the given id identifies a Node that
      * represents a ACL or ACE item.
      * @throws RepositoryException
      */
-    private void checkProtectsNode(NodeId id) throws RepositoryException {
-        NodeImpl node = session.getNodeById(id);
+    private void checkProtectsNode(String nodePath) throws RepositoryException {
+        NodeImpl node = getNode(nodePath);
         if (ACLProvider.protectsNode(node)) {
-            throw new AccessControlException("Node " + id + " defines ACL or ACE itself.");
+            throw new AccessControlException("Node " + nodePath + " defines ACL or ACE itself.");
         }
     }
 
     /**
+     *
+     * @param path
+     * @return
+     * @throws PathNotFoundException
+     * @throws RepositoryException
+     */
+    private NodeImpl getNode(String path) throws PathNotFoundException, RepositoryException {
+        return (NodeImpl) session.getNode(path);
+    }
+
+    /**
      * Returns the rep:Policy node below the Node identified by the given
      * id or <code>null</code> if the node is not mix:AccessControllable
      * or if no policy node exists.
      *
-     * @param id
+     * @param nodePath
      * @return node or <code>null</code>
-     * @throws ItemNotFoundException
+     * @throws PathNotFoundException
      * @throws RepositoryException
      */
-    private NodeImpl getAclNode(NodeId id) throws ItemNotFoundException, RepositoryException {
+    private NodeImpl getAclNode(String nodePath) throws PathNotFoundException, RepositoryException {
         NodeImpl aclNode = null;
-        NodeImpl protectedNode = session.getNodeById(id);
+        NodeImpl protectedNode = getNode(nodePath);
         if (ACLProvider.isAccessControlled(protectedNode)) {
             aclNode = protectedNode.getNode(N_POLICY);
         }
@@ -269,12 +289,12 @@
 
     /**
      *
-     * @param id
+     * @param nodePath
      * @return
      * @throws RepositoryException
      */
-    private NodeImpl createAclNode(NodeId id) throws RepositoryException {
-        NodeImpl protectedNode = session.getNodeById(id);
+    private NodeImpl createAclNode(String nodePath) throws RepositoryException {
+        NodeImpl protectedNode = getNode(nodePath);
         if (!protectedNode.isNodeType(NT_REP_ACCESS_CONTROLLABLE)) {
             protectedNode.addMixin(NT_REP_ACCESS_CONTROLLABLE);
         }

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java?rev=644215&r1=644214&r2=644215&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java Thu Apr  3 01:15:01 2008
@@ -19,9 +19,9 @@
 import org.apache.jackrabbit.core.NodeId;
 import org.apache.jackrabbit.core.NodeImpl;
 import org.apache.jackrabbit.core.PropertyImpl;
-import org.apache.jackrabbit.core.SessionImpl;
 import org.apache.jackrabbit.core.security.SecurityConstants;
 import org.apache.jackrabbit.api.security.principal.PrincipalManager;
+import org.apache.jackrabbit.api.JackrabbitSession;
 import org.apache.jackrabbit.core.security.authorization.AbstractAccessControlProvider;
 import org.apache.jackrabbit.core.security.authorization.AbstractCompiledPermissions;
 import org.apache.jackrabbit.core.security.authorization.AccessControlConstants;
@@ -50,7 +50,6 @@
 import javax.jcr.observation.Event;
 import javax.jcr.observation.EventIterator;
 import javax.jcr.observation.EventListener;
-import javax.jcr.observation.ObservationManager;
 import javax.jcr.query.Query;
 import javax.jcr.query.QueryManager;
 import java.security.Principal;
@@ -91,49 +90,32 @@
      */
     private static final Logger log = LoggerFactory.getLogger(ACLProvider.class);
 
-    /**
-     * the system session that accesses the workspace
-     */
-    private SessionImpl systemSession;
-
     private AccessControlEditor systemEditor;
 
-    private ObservationManager obsMgr;
-
     /**
      * The node id of the root node
      */
     private NodeId rootNodeId;
 
-    private String jcrRepPolicy;
+    private String policyNodeName;
 
     //----------------------------------------------< AccessControlProvider >---
     /**
      * @see AccessControlProvider#init(Session, Map)
      */
     public void init(Session systemSession, Map options) throws RepositoryException {
-        if (initialized) {
-            throw new IllegalStateException("already initialized");
-        }
-        if (!(systemSession instanceof SessionImpl)) {
-            throw new RepositoryException("SessionImpl (system session) expected.");
-        }
+        super.init(systemSession, options);
 
         // make sure the workspace of the given systemSession has a
         // minimal protection on the root node.
-        SessionImpl sImpl = (SessionImpl) systemSession;
-        NodeImpl root = (NodeImpl) sImpl.getRootNode();
+        NodeImpl root = (NodeImpl) session.getRootNode();
         rootNodeId = root.getNodeId();
-        jcrRepPolicy = "/" + sImpl.getJCRName(N_POLICY);
-        systemEditor = new ACLEditor(sImpl);
+        policyNodeName = resolver.getJCRName(N_POLICY);
+        systemEditor = new ACLEditor(systemSession);
 
         if (!isAccessControlled(root)) {
-            initRootACL(sImpl, rootNodeId);
+            initRootACL(session, systemEditor);
         }
-
-        this.systemSession = sImpl;
-        obsMgr = sImpl.getWorkspace().getObservationManager();
-        initialized = true;
     }
 
     /**
@@ -246,12 +228,12 @@
      */
     private ACLImpl getACL(NodeId nodeId, Set principalNameFilter) throws ItemNotFoundException, RepositoryException {
         // -> build the acl for the Node identified by 'id'
-        NodeImpl node = systemSession.getNodeById(nodeId);
+        NodeImpl node = session.getNodeById(nodeId);
         ACLImpl acl;
         // check for special ACL building item
         if (protectsNode(node)) {
             NodeImpl parentNode;
-            if (node.isNodeType(ACLEditor.NT_REP_ACL)) {
+            if (node.isNodeType(NT_REP_ACL)) {
                 parentNode = (NodeImpl) node.getParent();
             } else {
                 parentNode = (NodeImpl) node.getParent().getParent();
@@ -299,7 +281,7 @@
         ACLImpl acl;
         if (isAccessControlled(node)) {
             // build acl from access controlled node
-            NodeImpl aclNode = node.getNode(ACLEditor.N_POLICY);
+            NodeImpl aclNode = node.getNode(N_POLICY);
             PolicyTemplate tmpl = new ACLTemplate(aclNode, principalNameFilter);
             List localEntries = Arrays.asList(tmpl.getEntries());
 
@@ -328,10 +310,11 @@
      * @param session to the workspace to set-up inital ACL to
      * @throws RepositoryException
      */
-    private void initRootACL(SessionImpl session, NodeId rootId) throws RepositoryException {
+    private static void initRootACL(JackrabbitSession session, AccessControlEditor editor) throws RepositoryException {
         try {
             log.info("Install initial ACL:...");
-            PolicyTemplate tmpl = systemEditor.editPolicyTemplate(rootId);
+            String rootPath = session.getRootNode().getPath();
+            PolicyTemplate tmpl = editor.editPolicyTemplate(rootPath);
             PrincipalManager pMgr = session.getPrincipalManager();
 
             log.info("... Privilege.ALL for administrators.");
@@ -352,7 +335,7 @@
             entr = new ACEImpl(everyone, PrivilegeRegistry.READ, true);
             tmpl.setEntry(entr);
 
-            systemEditor.setPolicyTemplate(rootId, tmpl);
+            editor.setPolicyTemplate(rootPath, tmpl);
             session.save();
             log.info("... done.");
 
@@ -366,9 +349,9 @@
     /**
      * Test if the given node is access controlled. The node is access
      * controlled if it is of nodetype
-     * {@link ACLEditor#NT_REP_ACCESS_CONTROLLABLE "rep:AccessControllable"}
+     * {@link AccessControlConstants#NT_REP_ACCESS_CONTROLLABLE "rep:AccessControllable"}
      * and if it has a child node named
-     * {@link ACLEditor#N_POLICY "rep:ACL"}.
+     * {@link AccessControlConstants#N_POLICY "rep:ACL"}.
      *
      * @param node
      * @return <code>true</code> if the node is access controlled;
@@ -376,7 +359,7 @@
      * @throws RepositoryException
      */
     static boolean isAccessControlled(NodeImpl node) throws RepositoryException {
-        return node.isNodeType(ACLEditor.NT_REP_ACCESS_CONTROLLABLE) && node.hasNode(ACLEditor.N_POLICY);
+        return node.isNodeType(NT_REP_ACCESS_CONTROLLABLE) && node.hasNode(N_POLICY);
     }
 
     /**
@@ -387,7 +370,7 @@
      * @throws RepositoryException
      */
     static boolean protectsNode(NodeImpl node) throws RepositoryException {
-        return node.isNodeType(ACLEditor.NT_REP_ACL) || node.isNodeType(ACLEditor.NT_REP_ACE);
+        return node.isNodeType(NT_REP_ACL) || node.isNodeType(NT_REP_ACE);
     }
 
     //------------------------------------------------< CompiledPermissions >---
@@ -423,10 +406,10 @@
             */
             int events = Event.PROPERTY_CHANGED | Event.NODE_ADDED | Event.NODE_REMOVED;
             String[] ntNames = new String[] {
-                    systemSession.getJCRName(NT_REP_ACE),
-                    systemSession.getJCRName(NT_REP_ACL)
+                    resolver.getJCRName(NT_REP_ACE),
+                    resolver.getJCRName(NT_REP_ACL)
             };
-            obsMgr.addEventListener(this, events, systemSession.getRootNode().getPath(), true, null, ntNames, true);
+            observationMgr.addEventListener(this, events, session.getRootNode().getPath(), true, null, ntNames, true);
         }
 
         /**
@@ -438,10 +421,10 @@
          */
         private boolean readAllowedEveryWhere(Set principalnames) {
             try {
-                QueryManager qm = systemSession.getWorkspace().getQueryManager();
+                QueryManager qm = session.getWorkspace().getQueryManager();
                 StringBuffer stmt = new StringBuffer("/jcr:root");
                 stmt.append("//element(*,");
-                stmt.append(systemSession.getJCRName(NT_REP_DENY_ACE));
+                stmt.append(resolver.getJCRName(NT_REP_DENY_ACE));
                 stmt.append(")[");
 
                 // where the rep:principalName property exactly matches any of
@@ -450,7 +433,7 @@
                 Iterator itr = principalnames.iterator();
                 while (itr.hasNext()) {
                     stmt.append("@");
-                    String pName = systemSession.getJCRName(P_PRINCIPAL_NAME);
+                    String pName = resolver.getJCRName(P_PRINCIPAL_NAME);
                     stmt.append(ISO9075.encode(pName));
                     stmt.append("='").append(itr.next().toString()).append("'");
                     if (++i < principalnames.size()) {
@@ -459,7 +442,7 @@
                 }
                 // AND rep:privileges contains the READ privilege
                 stmt.append(" and jcr:like(@");
-                String pName = systemSession.getJCRName(P_PRIVILEGES);
+                String pName = resolver.getJCRName(P_PRIVILEGES);
                 stmt.append(ISO9075.encode(pName));
                 stmt.append(",'%").append(Privilege.READ).append("%')");
                 stmt.append("]");
@@ -490,17 +473,30 @@
          */
         protected Result buildResult(Path absPath) throws RepositoryException {
             boolean existingNode = false;
-            NodeId nid;
-            String jcrPath = systemSession.getJCRPath(absPath);
-            if (systemSession.nodeExists(jcrPath)) {
-                nid = systemSession.getHierarchyManager().resolveNodePath(absPath);
+            NodeId nid = null;
+            String jcrPath = resolver.getJCRPath(absPath);
+
+            if (session.nodeExists(jcrPath)) {
+                nid = session.getHierarchyManager().resolveNodePath(absPath);
                 existingNode = true;
             } else {
                 // path points to existing prop or non-existing item (node or prop).
-                nid = systemSession.getHierarchyManager().resolveNodePath(absPath.getAncestor(1));
+                // -> find the nearest persisted node
+                Path parentPath = absPath.getAncestor(1);
+                while (nid == null) {
+                    nid = session.getHierarchyManager().resolveNodePath(parentPath);
+                    if (parentPath.getDepth() == 1) {
+                        // root-node reached
+                        break;
+                    } else {
+                        parentPath = parentPath.getAncestor(1);
+                    }
+                }
             }
+
             if (nid == null) {
-                throw new ItemNotFoundException("No item exists at " + absPath + " nor at its direct ancestor.");
+                // should never get here
+                throw new ItemNotFoundException("Item out of hierarchy.");
             }
 
             // build the ACL for the specified principals at path or at the
@@ -508,14 +504,14 @@
             ACLImpl acl = getACL(nid, principalNames);
 
             // privileges to expose
-            int privileges = (existingNode) ? acl.getPrivileges() : PrivilegeRegistry.NO_PRIVILEGE;
+            int privileges = acl.getPrivileges();
 
             // calculate the permissions
             int permissions;
-            if (existingNode || systemSession.propertyExists(jcrPath)) {
-                permissions = acl.getPermissions(systemSession.getItem(jcrPath));
+            if (existingNode || session.propertyExists(jcrPath)) {
+                permissions = acl.getPermissions(session.getItem(jcrPath));
             } else {
-                String name = systemSession.getJCRName(absPath.getNameElement().getName());
+                String name = resolver.getJCRName(absPath.getNameElement().getName());
                 permissions = acl.getPermissions(name);
             }
             return new Result(permissions, privileges);
@@ -527,7 +523,7 @@
          */
         public void close() {
             try {
-                obsMgr.removeEventListener(this);
+                observationMgr.removeEventListener(this);
             } catch (RepositoryException e) {
                 log.error("Internal error: ", e.getMessage());
             }
@@ -545,7 +541,7 @@
             // common check
             if (permissions == Permission.READ && readAllowed &&
                     /* easy check if path doesn't point to AC-content */
-                    systemSession.getJCRPath(absPath).indexOf(jcrRepPolicy) == -1) {
+                    resolver.getJCRPath(absPath).indexOf(policyNodeName) == -1) {
                 return true;
             }
             return super.grants(absPath, permissions);
@@ -573,7 +569,7 @@
                         case Event.NODE_ADDED:
                             // test if the new ACE-nodes affects the permission
                             // of any of the 'principals'.
-                            NodeImpl n = (NodeImpl) systemSession.getNode(path);
+                            NodeImpl n = (NodeImpl) session.getNode(path);
                             String pName = n.getProperty(P_PRINCIPAL_NAME).getString();
                             if (principalNames.contains(pName)) {
                                 // new ACE entry for the principals -> clear cache
@@ -598,7 +594,7 @@
                             // test if the changed ACE_prop affects the permission
                             // of any of the 'principals' (most interesting are
                             // changed privileges.
-                            PropertyImpl p = (PropertyImpl) systemSession.getProperty(path);
+                            PropertyImpl p = (PropertyImpl) session.getProperty(path);
                             if (P_PRIVILEGES.equals(p.getQName())) {
                                 // test if principal-name sibling-prop matches
                                 pName = ((NodeImpl) p.getParent()).getProperty(P_PRINCIPAL_NAME).toString();

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java?rev=644215&r1=644214&r2=644215&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java Thu Apr  3 01:15:01 2008
@@ -20,6 +20,7 @@
 import org.apache.jackrabbit.core.security.authorization.PolicyEntry;
 import org.apache.jackrabbit.core.security.authorization.PolicyTemplate;
 import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
+import org.apache.jackrabbit.core.security.authorization.AccessControlConstants;
 import org.apache.jackrabbit.core.NodeImpl;
 import org.apache.jackrabbit.core.SessionImpl;
 import org.apache.jackrabbit.api.security.principal.PrincipalManager;
@@ -49,7 +50,8 @@
 
     private static final Logger log = LoggerFactory.getLogger(ACLTemplate.class);
 
-    private final String name;
+    private final String path;
+    private final String name = ACLImpl.POLICY_NAME;
     private final String description;
 
     /**
@@ -62,8 +64,8 @@
     /**
      * Construct a new empty {@link PolicyTemplate}.
      */
-    ACLTemplate() {
-        name = ACLImpl.POLICY_NAME;
+    ACLTemplate(String path) {
+        this.path = path;
         description = null;
     }
 
@@ -83,10 +85,11 @@
      * the principals in the set will be retrieved.
      */
     ACLTemplate(NodeImpl aclNode, Set principalNames) throws RepositoryException {
-        if (aclNode == null || !aclNode.isNodeType(ACLEditor.NT_REP_ACL)) {
-            throw new IllegalArgumentException("Node must be of type: " + ACLEditor.NT_REP_ACL);
+        if (aclNode == null || !aclNode.isNodeType(AccessControlConstants.NT_REP_ACL)) {
+            throw new IllegalArgumentException("Node must be of type: " +
+                    AccessControlConstants.NT_REP_ACL);
         }
-        name = ACLImpl.POLICY_NAME;
+        path = aclNode.getPath();
         description = null;
         loadEntries(aclNode, principalNames);
     }
@@ -211,13 +214,13 @@
         NodeIterator itr = aclNode.getNodes();
         while (itr.hasNext()) {
             NodeImpl aceNode = (NodeImpl) itr.nextNode();
-            String principalName = aceNode.getProperty(ACLEditor.P_PRINCIPAL_NAME).getString();
+            String principalName = aceNode.getProperty(AccessControlConstants.P_PRINCIPAL_NAME).getString();
             // only process aceNode if no filter is present of if the filter
             // contains the principal-name defined with the ace-Node
             String key = (filter == null || filter.isEmpty()) ? noFilter : principalName;
             if (princToEntries.containsKey(key)) {
                 Principal princ = pMgr.getPrincipal(principalName);
-                Value[] privValues = aceNode.getProperty(ACLEditor.P_PRIVILEGES).getValues();
+                Value[] privValues = aceNode.getProperty(AccessControlConstants.P_PRIVILEGES).getValues();
                 String[] privNames = new String[privValues.length];
                 for (int i = 0; i < privValues.length; i++) {
                     privNames[i] = privValues[i].getString();
@@ -226,7 +229,7 @@
                 ACEImpl ace = new ACEImpl(
                         princ,
                         PrivilegeRegistry.getBits(privNames),
-                        aceNode.isNodeType(ACLEditor.NT_REP_GRANT_ACE));
+                        aceNode.isNodeType(AccessControlConstants.NT_REP_GRANT_ACE));
                 // add it to the proper list (e.g. separated by principals)
                 ((List) princToEntries.get(key)).add(ace);
             }
@@ -261,6 +264,13 @@
     }
 
     //-----------------------------------------------------< PolicyTemplate >---
+    /**
+     * @see PolicyTemplate#getPath()
+     */
+    public String getPath() {
+        return path;
+    }
+
     /**
      * @see PolicyTemplate#isEmpty()
      */



Mime
View raw message