jackrabbit-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r748247 - in /jackrabbit/trunk/jackrabbit-core/src: main/java/org/apache/jackrabbit/core/ main/java/org/apache/jackrabbit/core/security/ main/java/org/apache/jackrabbit/core/security/authorization/ main/java/org/apache/jackrabbit/core/secur...
Date Thu, 26 Feb 2009 18:05:36 GMT
Author: angela
Date: Thu Feb 26 18:05:35 2009
New Revision: 748247

URL: http://svn.apache.org/viewvc?rev=748247&view=rev
Log:
JCR-1588 JSR 283: Access Control

Added:
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlPolicy.java   (with props)
Modified:
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/TransactionContext.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/AbstractAccessControlManager.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitAccessControlManager.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlConstants.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlEditor.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlProvider.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlList.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLEditor.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedEditor.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLEditor.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplate.java
    jackrabbit/trunk/jackrabbit-core/src/main/resources/org/apache/jackrabbit/core/nodetype/builtin_nodetypes.cnd
    jackrabbit/trunk/jackrabbit-core/src/main/resources/org/apache/jackrabbit/core/nodetype/builtin_nodetypes.xml
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEntryTest.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlListTest.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/combined/WriteTest.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplateTest.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/EntryTest.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/EvaluationUtil.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/VersionTest.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/WriteTest.java

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/TransactionContext.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/TransactionContext.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/TransactionContext.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/TransactionContext.java Thu Feb 26 18:05:35 2009
@@ -318,8 +318,7 @@
     
     /**
      * Helper Method to bind the {@link Xid} associated with this {@link TransactionContext}
-     * to the {@link #CURRENT_XID} ThreadLocal
-     * @param methodName
+     * to the {@link #CURRENT_XID} ThreadLocal.
      */
     private void bindCurrentXid() {
         CURRENT_XID.set(xid);
@@ -327,8 +326,7 @@
 
     /**
      * Helper Method to clean the {@link Xid} associated with this {@link TransactionContext}
-     * from the {@link #CURRENT_XID} ThreadLocal
-     * @param methodName
+     * from the {@link #CURRENT_XID} ThreadLocal.
      */
     private void cleanCurrentXid() {
         CURRENT_XID.set(null);

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/AbstractAccessControlManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/AbstractAccessControlManager.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/AbstractAccessControlManager.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/AbstractAccessControlManager.java Thu Feb 26 18:05:35 2009
@@ -23,6 +23,7 @@
 import org.apache.jackrabbit.api.jsr283.security.Privilege;
 import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
 import org.apache.jackrabbit.core.security.authorization.Permission;
+import org.apache.jackrabbit.core.security.authorization.JackrabbitAccessControlPolicy;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -121,11 +122,13 @@
 
     //-------------------------------------< JackrabbitAccessControlManager >---
     /**
-     * {@inheritDoc}
+     * @see JackrabbitAccessControlManager#getApplicablePolicies(java.security.Principal) 
      */
-    public AccessControlPolicy[] getApplicablePolicies(Principal principal) throws AccessDeniedException, AccessControlException, UnsupportedRepositoryOperationException, RepositoryException {
-        log.debug("Implementation does not provide applicable policies -> returning empty array.");        
-        return new AccessControlPolicy[0];
+    public JackrabbitAccessControlPolicy[] getApplicablePolicies(Principal principal) throws AccessDeniedException, AccessControlException, UnsupportedRepositoryOperationException, RepositoryException {
+        checkInitialized();
+        
+        log.debug("Implementation does not provide applicable policies -> returning empty array.");
+        return new JackrabbitAccessControlPolicy[0];
     }
 
     //--------------------------------------------------------------------------

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java Thu Feb 26 18:05:35 2009
@@ -29,6 +29,7 @@
 import org.apache.jackrabbit.core.security.authorization.Permission;
 import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
 import org.apache.jackrabbit.core.security.authorization.WorkspaceAccessManager;
+import org.apache.jackrabbit.core.security.authorization.JackrabbitAccessControlPolicy;
 import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
 import org.apache.jackrabbit.spi.Name;
 import org.apache.jackrabbit.spi.Path;
@@ -372,7 +373,7 @@
     /**
      * @see JackrabbitAccessControlManager#getApplicablePolicies(Principal)
      */
-    public AccessControlPolicy[] getApplicablePolicies(Principal principal) throws AccessDeniedException, AccessControlException, UnsupportedRepositoryOperationException, RepositoryException {
+    public JackrabbitAccessControlPolicy[] getApplicablePolicies(Principal principal) throws AccessDeniedException, AccessControlException, UnsupportedRepositoryOperationException, RepositoryException {
         checkInitialized();
         if (editor == null) {
             throw new UnsupportedRepositoryOperationException("Editing of access control policies is not supported.");

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitAccessControlManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitAccessControlManager.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitAccessControlManager.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/JackrabbitAccessControlManager.java Thu Feb 26 18:05:35 2009
@@ -18,7 +18,7 @@
 
 import org.apache.jackrabbit.api.jsr283.security.AccessControlException;
 import org.apache.jackrabbit.api.jsr283.security.AccessControlManager;
-import org.apache.jackrabbit.api.jsr283.security.AccessControlPolicy;
+import org.apache.jackrabbit.core.security.authorization.JackrabbitAccessControlPolicy;
 
 import javax.jcr.AccessDeniedException;
 import javax.jcr.RepositoryException;
@@ -33,17 +33,18 @@
     /**
      * Returns the editable policies for the specified <code>principal</code>.
      *
+     * @param principal
      * @return array of policies for the specified <code>principal</code>. Note
      * that the policy object returned must reveal the path of the node where
-     * they can be applied later on.
+     * they can be applied later on using {@link AccessControlManager#setPolicy(String, org.apache.jackrabbit.api.jsr283.security.AccessControlPolicy)}.
      * @throws AccessDeniedException if the session lacks
      * <code>MODIFY_ACCESS_CONTROL</code> privilege.
      * @throws AccessControlException if the specified principal does not exist
-     * or if same other access control related exception occurs.
-     * @throws UnsupportedRepositoryOperationException if editing the policy
-     * is not supported.
+     * or if another access control related exception occurs.
+     * @throws UnsupportedRepositoryOperationException if editing access control
+     * policies is not supported.
      * @throws RepositoryException if another error occurs.
+     * @see org.apache.jackrabbit.core.security.authorization.JackrabbitAccessControlPolicy#getPath()
      */
-    AccessControlPolicy[] getApplicablePolicies(Principal principal) throws AccessDeniedException, AccessControlException, UnsupportedRepositoryOperationException, RepositoryException;
-
+    JackrabbitAccessControlPolicy[] getApplicablePolicies(Principal principal) throws AccessDeniedException, AccessControlException, UnsupportedRepositoryOperationException, RepositoryException;
 }
\ No newline at end of file

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlConstants.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlConstants.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlConstants.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlConstants.java Thu Feb 26 18:05:35 2009
@@ -53,10 +53,6 @@
 
     //----------------------------------------------------< node type names >---
     /**
-     * rep:AccessControl nodetype
-     */
-    Name NT_REP_ACCESS_CONTROL = NF.create(Name.NS_REP_URI, "AccessControl");
-    /**
      * rep:AccessControllable nodetype
      */
     Name NT_REP_ACCESS_CONTROLLABLE = NF.create(Name.NS_REP_URI, "AccessControllable");
@@ -77,4 +73,15 @@
      */
     Name NT_REP_DENY_ACE = NF.create(Name.NS_REP_URI, "DenyACE");
 
+    //----------------------------------< node types for principal based ac >---
+    /**
+     * rep:AccessControl nodetype
+     */
+    Name NT_REP_ACCESS_CONTROL = NF.create(Name.NS_REP_URI, "AccessControl");
+
+    /**
+     * rep:PrincipalAccessControl nodetype
+     */
+    Name NT_REP_PRINCIPAL_ACCESS_CONTROL = NF.create(Name.NS_REP_URI, "PrincipalAccessControl");
+    
 }
\ No newline at end of file

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlEditor.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlEditor.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlEditor.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlEditor.java Thu Feb 26 18:05:35 2009
@@ -87,7 +87,7 @@
      * if same other access control related exception occurs.
      * @throws RepositoryException if another error occurs.
      */
-    AccessControlPolicy[] editAccessControlPolicies(Principal principal) throws AccessDeniedException, AccessControlException, RepositoryException;
+    JackrabbitAccessControlPolicy[] editAccessControlPolicies(Principal principal) throws AccessDeniedException, AccessControlException, RepositoryException;
 
     /**
      * Stores the policy template to the respective node.

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlProvider.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlProvider.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlProvider.java Thu Feb 26 18:05:35 2009
@@ -74,7 +74,9 @@
      * Returns the effective policies for the node at the given absPath.
      *
      * @param absPath an absolute path.
-     * @return The effective policies that apply at <code>absPath</code>.
+     * @return The effective policies that apply at <code>absPath</code> or
+     * an empty array if the implementation cannot determine the effective
+     * policy at the given path.
      * @throws ItemNotFoundException If no Node with the specified
      * <code>absPath</code> exists.
      * @throws RepositoryException If another error occurs.
@@ -87,8 +89,8 @@
      * or <code>null</code> if the implementation does not support editing
      * of access control policies.
      *
-     * @param session
-     * @return the ACL editor or <code>null</code>
+     * @param session The editing session.
+     * @return the ACL editor or <code>null</code>.
      * @throws RepositoryException If an error occurs.
      */
     AccessControlEditor getEditor(Session session) throws RepositoryException;

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlList.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlList.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlList.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlList.java Thu Feb 26 18:05:35 2009
@@ -31,14 +31,26 @@
  * {@link org.apache.jackrabbit.api.jsr283.security.AccessControlManager#setPolicy(String, AccessControlPolicy)
  * written back} and {@link javax.jcr.Session#save() saved}.
  */
-public interface JackrabbitAccessControlList extends AccessControlList {
+public interface JackrabbitAccessControlList extends JackrabbitAccessControlPolicy, AccessControlList {
 
     /**
-     * Returns the path of the node this policy has been created for.
-     *  
-     * @return the path of the node this policy has been created for.
+     * Returns the names of the supported restrictions or an empty array
+     * if no restrictions are respected.
+     *
+     * @return the names of the supported restrictions or an empty array.
+     * @see #addEntry(Principal, Privilege[], boolean, Map)
+     */
+    String[] getRestrictionNames();
+
+    /**
+     * Return the expected {@link javax.jcr.PropertyType property type} of the
+     * restriction with the specified <code>restrictionName</code>.
+     *
+     * @param restrictionName Any of the restriction names retrieved from
+     * {@link #getRestrictionNames()}.
+     * @return expected {@link javax.jcr.PropertyType property type}.
      */
-    String getPath();
+    int getRestrictionType(String restrictionName);
 
     /**
      * Returns <code>true</code> if this policy does not yet define any

Added: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlPolicy.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlPolicy.java?rev=748247&view=auto
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlPolicy.java (added)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlPolicy.java Thu Feb 26 18:05:35 2009
@@ -0,0 +1,41 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.core.security.authorization;
+
+import org.apache.jackrabbit.api.jsr283.security.AccessControlPolicy;
+import org.apache.jackrabbit.api.jsr283.security.AccessControlList;
+import org.apache.jackrabbit.api.jsr283.security.AccessControlException;
+import org.apache.jackrabbit.api.jsr283.security.Privilege;
+
+import javax.jcr.RepositoryException;
+import java.security.Principal;
+import java.util.Map;
+
+/**
+ * <code>JackrabbitAccessControlPolicy</code> is an extension of the
+ * <code>AccessControlPolicy</code> that exposes the path of the Node to
+ * which it can be applied using {@link org.apache.jackrabbit.api.jsr283.security.AccessControlManager#setPolicy(String, org.apache.jackrabbit.api.jsr283.security.AccessControlPolicy)}.
+ */
+public interface JackrabbitAccessControlPolicy extends AccessControlPolicy {
+
+    /**
+     * Returns the path of the node this policy has been created for.
+     *
+     * @return the path of the node this policy has been created for.
+     */
+    String getPath();
+}
\ No newline at end of file

Propchange: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlPolicy.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlPolicy.java
------------------------------------------------------------------------------
    svn:keywords = author date id revision url

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLEditor.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLEditor.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLEditor.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLEditor.java Thu Feb 26 18:05:35 2009
@@ -30,6 +30,7 @@
 import org.apache.jackrabbit.core.security.authorization.JackrabbitAccessControlEntry;
 import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
 import org.apache.jackrabbit.core.security.authorization.Permission;
+import org.apache.jackrabbit.core.security.authorization.JackrabbitAccessControlPolicy;
 import org.apache.jackrabbit.spi.Name;
 import org.apache.jackrabbit.spi.commons.conversion.NameException;
 import org.apache.jackrabbit.spi.commons.conversion.NameParser;
@@ -112,26 +113,31 @@
     public AccessControlPolicy[] editAccessControlPolicies(String nodePath) throws AccessControlException, PathNotFoundException, RepositoryException {
         checkProtectsNode(nodePath);
 
-        AccessControlPolicy acl;
-        NodeImpl aclNode = getAclNode(nodePath);
+        AccessControlPolicy acl = null;
+        NodeImpl controlledNode = getNode(nodePath);
+        NodeImpl aclNode = getAclNode(controlledNode);
         if (aclNode == null) {
-            // create an empty acl
-            acl = new ACLTemplate(nodePath, session.getPrincipalManager(), privilegeRegistry);
+            // create an empty acl unless the node is protected or cannot have
+            // rep:AccessControllable mixin set (e.g. due to a lock)
+            String mixin = session.getJCRName(NT_REP_ACCESS_CONTROLLABLE);
+            if (controlledNode.isNodeType(mixin) || controlledNode.canAddMixin(mixin)) {
+                acl = new ACLTemplate(nodePath, session.getPrincipalManager(), privilegeRegistry);
+            }
         } else {
             acl = getACL(aclNode);
         }
-        return new AccessControlPolicy[] {acl};
+        return (acl != null) ? new AccessControlPolicy[] {acl} : new AccessControlPolicy[0];
     }
 
     /**
      * @see AccessControlEditor#editAccessControlPolicies(Principal)
      */
-    public AccessControlPolicy[] editAccessControlPolicies(Principal principal) throws AccessDeniedException, AccessControlException, RepositoryException {
+    public JackrabbitAccessControlPolicy[] editAccessControlPolicies(Principal principal) throws AccessDeniedException, AccessControlException, RepositoryException {
         if (!session.getPrincipalManager().hasPrincipal(principal.getName())) {
             throw new AccessControlException("Unknown principal.");
         }
         // TODO: impl. missing
-        return new AccessControlPolicy[0];
+        return new JackrabbitAccessControlPolicy[0];
     }
 
     /**
@@ -237,8 +243,8 @@
     }
 
     /**
-     * Returns the rep:Policy node below the Node identified by the given
-     * id or <code>null</code> if the node is not mix:AccessControllable
+     * Returns the rep:Policy node below the Node identified at the given
+     * path or <code>null</code> if the node is not mix:AccessControllable
      * or if no policy node exists.
      *
      * @param nodePath
@@ -247,10 +253,22 @@
      * @throws RepositoryException
      */
     private NodeImpl getAclNode(String nodePath) throws PathNotFoundException, RepositoryException {
+        NodeImpl controlledNode = getNode(nodePath);
+        return getAclNode(controlledNode);
+    }
+
+    /**
+     * Returns the rep:Policy node below the given Node or <code>null</code>
+     * if the node is not mix:AccessControllable or if no policy node exists.
+     *
+     * @param controlledNode
+     * @return node or <code>null</code>
+     * @throws RepositoryException
+     */
+    private NodeImpl getAclNode(NodeImpl controlledNode) throws RepositoryException {
         NodeImpl aclNode = null;
-        NodeImpl protectedNode = getNode(nodePath);
-        if (ACLProvider.isAccessControlled(protectedNode)) {
-            aclNode = protectedNode.getNode(N_POLICY);
+        if (ACLProvider.isAccessControlled(controlledNode)) {
+            aclNode = controlledNode.getNode(N_POLICY);
         }
         return aclNode;
     }

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.java Thu Feb 26 18:05:35 2009
@@ -305,7 +305,6 @@
         } catch (RepositoryException e) {
             log.error("Failed to set-up minimal access control for root node of workspace " + session.getWorkspace().getName());
             session.getRootNode().refresh(false);
-            throw e;
         }
     }
 

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java Thu Feb 26 18:05:35 2009
@@ -37,6 +37,7 @@
 import javax.jcr.NodeIterator;
 import javax.jcr.RepositoryException;
 import javax.jcr.Value;
+import javax.jcr.PropertyType;
 import java.security.Principal;
 import java.security.acl.Group;
 import java.util.ArrayList;
@@ -96,8 +97,7 @@
      */
     ACLTemplate(NodeImpl aclNode, PrivilegeRegistry privilegeRegistry) throws RepositoryException {
         if (aclNode == null || !aclNode.isNodeType(AccessControlConstants.NT_REP_ACL)) {
-            throw new IllegalArgumentException("Node must be of type: " +
-                    AccessControlConstants.NT_REP_ACL);
+            throw new IllegalArgumentException("Node must be of type 'rep:ACL'");
         }
         SessionImpl sImpl = (SessionImpl) aclNode.getSession();
         path = aclNode.getParent().getPath();
@@ -333,6 +333,25 @@
     }
 
     /**
+     * Returns an empty String array.
+     *
+     * @see JackrabbitAccessControlList#getRestrictionType(String)
+     */
+    public String[] getRestrictionNames() {
+        return new String[0];
+    }
+
+    /**
+     * Always returns {@link PropertyType#UNDEFINED} as no restrictions are
+     * supported.
+     *
+     * @see JackrabbitAccessControlList#getRestrictionType(String)
+     */
+    public int getRestrictionType(String restrictionName) {
+        return PropertyType.UNDEFINED;
+    }
+
+    /**
      * @see JackrabbitAccessControlList#isEmpty()
      */
     public boolean isEmpty() {

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedEditor.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedEditor.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedEditor.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedEditor.java Thu Feb 26 18:05:35 2009
@@ -19,6 +19,7 @@
 import org.apache.jackrabbit.api.jsr283.security.AccessControlException;
 import org.apache.jackrabbit.api.jsr283.security.AccessControlPolicy;
 import org.apache.jackrabbit.core.security.authorization.AccessControlEditor;
+import org.apache.jackrabbit.core.security.authorization.JackrabbitAccessControlPolicy;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -76,7 +77,7 @@
     /**
      * @see AccessControlEditor#editAccessControlPolicies(Principal)
      */
-    public AccessControlPolicy[] editAccessControlPolicies(Principal principal) throws RepositoryException {
+    public JackrabbitAccessControlPolicy[] editAccessControlPolicies(Principal principal) throws RepositoryException {
         List templates = new ArrayList();
         for (int i = 0; i < editors.length; i++) {
             try {
@@ -86,7 +87,7 @@
                 // ignore.
             }
         }
-        return (AccessControlPolicy[]) templates.toArray(new AccessControlPolicy[templates.size()]);
+        return (JackrabbitAccessControlPolicy[]) templates.toArray(new JackrabbitAccessControlPolicy[templates.size()]);
     }
 
     /**

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLEditor.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLEditor.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLEditor.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLEditor.java Thu Feb 26 18:05:35 2009
@@ -21,7 +21,6 @@
 import org.apache.jackrabbit.api.jsr283.security.Privilege;
 import org.apache.jackrabbit.api.jsr283.security.AccessControlPolicy;
 import org.apache.jackrabbit.api.security.principal.PrincipalManager;
-import org.apache.jackrabbit.api.security.principal.NoSuchPrincipalException;
 import org.apache.jackrabbit.core.NodeImpl;
 import org.apache.jackrabbit.core.ProtectedItemModifier;
 import org.apache.jackrabbit.core.SessionImpl;
@@ -29,6 +28,7 @@
 import org.apache.jackrabbit.core.security.authorization.AccessControlEditor;
 import org.apache.jackrabbit.core.security.authorization.JackrabbitAccessControlEntry;
 import org.apache.jackrabbit.core.security.authorization.Permission;
+import org.apache.jackrabbit.core.security.authorization.JackrabbitAccessControlPolicy;
 import org.apache.jackrabbit.core.security.principal.ItemBasedPrincipal;
 import org.apache.jackrabbit.core.security.principal.PrincipalImpl;
 import org.apache.jackrabbit.spi.Name;
@@ -114,22 +114,25 @@
             NodeImpl acNode = getAcNode(nodePath);
             if (acNode == null) {
                 // check validity and create the ac node
-                getPrincipal(nodePath);
+                Principal p = getPrincipal(nodePath);
+                if (p == null) {
+                    throw new AccessControlException("Access control modification not allowed at " + nodePath);
+                }
                 acNode = createAcNode(nodePath);
             }
             return new AccessControlPolicy[] {createTemplate(acNode)};
-        } else {
-            // nodePath not below rep:accesscontrol -> not editable
-            return new AccessControlPolicy[0];
         }
+
+        // nodePath not below rep:accesscontrol -> not editable
+        return new AccessControlPolicy[0];
     }
 
     /**
      * @see AccessControlEditor#editAccessControlPolicies(Principal)
      */
-    public AccessControlPolicy[] editAccessControlPolicies(Principal principal) throws RepositoryException {
+    public JackrabbitAccessControlPolicy[] editAccessControlPolicies(Principal principal) throws RepositoryException {
         if (!session.getPrincipalManager().hasPrincipal(principal.getName())) {
-            throw new AccessControlException("Unknown principal.");
+            throw new AccessControlException("Cannot edit access control: " + principal.getName() +" isn't a known principal.");
         }
         String nPath = getPathToAcNode(principal);
         NodeImpl acNode;
@@ -138,7 +141,7 @@
         } else {
             acNode = (NodeImpl) session.getNode(nPath);
         }
-        return new AccessControlPolicy[] {createTemplate(acNode)};
+        return new JackrabbitAccessControlPolicy[] {createTemplate(acNode)};
     }
 
     /**
@@ -242,14 +245,16 @@
         NodeImpl node = (NodeImpl) session.getRootNode();
         for (int i = 0; i < segms.length; i++) {
             Name nName = session.getQName(segms[i]);
+            Name ntName = (i < segms.length-1) ? NT_REP_ACCESS_CONTROL : NT_REP_PRINCIPAL_ACCESS_CONTROL;
             if (node.hasNode(nName)) {
-                node = node.getNode(nName);
-                if (!node.isNodeType(NT_REP_ACCESS_CONTROL)) {
+                NodeImpl n = node.getNode(nName);
+                if (!n.isNodeType(ntName)) {
                     // should never get here.
-                    throw new RepositoryException("Internal error: Unexpected nodetype " + node.getPrimaryNodeType().getName() + " below /rep:accessControl");
+                    throw new RepositoryException("Error while creating access control node: Expected nodetype " + session.getJCRName(ntName) + " below /rep:accessControl, was " + node.getPrimaryNodeType().getName() + " instead");
                 }
+                node = n;
             } else {
-                node = addNode(node, nName, NT_REP_ACCESS_CONTROL);
+                node = addNode(node, nName, ntName);
             }
         }
         return node;
@@ -310,12 +315,17 @@
     }
 
     private Principal getPrincipal(String pathToACNode) throws RepositoryException {
-        String name = Text.unescapeIllegalJcrChars(Text.getName(pathToACNode));
+        String name = getPrincipalName(pathToACNode);
         PrincipalManager pMgr = session.getPrincipalManager();
-        if (!pMgr.hasPrincipal(name)) {
-            throw new AccessControlException("Unknown principal.");
+        if (pMgr.hasPrincipal(name)) {
+            return pMgr.getPrincipal(name);
+        } else {
+            return null;
         }
-        return pMgr.getPrincipal(name);
+    }
+
+    private static String getPrincipalName(String pathToACNode) {
+        return Text.unescapeIllegalJcrChars(Text.getName(pathToACNode));
     }
 
     /**
@@ -325,7 +335,7 @@
      * @throws RepositoryException
      */
     private static boolean isAccessControlled(NodeImpl node) throws RepositoryException {
-        return node != null && node.isNodeType(NT_REP_ACCESS_CONTROL) && node.hasNode(N_POLICY);
+        return node != null && node.isNodeType(NT_REP_PRINCIPAL_ACCESS_CONTROL) && node.hasNode(N_POLICY);
     }
 
     /**
@@ -334,22 +344,17 @@
      * @return
      * @throws RepositoryException
      */
-    private static AccessControlPolicy createTemplate(NodeImpl acNode) throws RepositoryException {
-        if (!acNode.isNodeType(NT_REP_ACCESS_CONTROL)) {
-            throw new RepositoryException("Expected node of type rep:AccessControl.");
+    private JackrabbitAccessControlPolicy createTemplate(NodeImpl acNode) throws RepositoryException {
+        if (!acNode.isNodeType(NT_REP_PRINCIPAL_ACCESS_CONTROL)) {
+            String msg = "Unable to edit Access Control at "+ acNode.getPath()+ ". Expected node of type rep:PrinicipalAccessControl, was " + acNode.getPrimaryNodeType().getName();
+            log.debug(msg);
+            throw new AccessControlException(msg);
         }
 
-        Principal principal = null;
-        String principalName = Text.unescapeIllegalJcrChars(acNode.getName());
-        PrincipalManager pMgr = ((SessionImpl) acNode.getSession()).getPrincipalManager();
-        if (pMgr.hasPrincipal(principalName)) {
-            try {
-                principal = pMgr.getPrincipal(principalName);
-            } catch (NoSuchPrincipalException e) {
-                // should not get here. 
-            }
-        }
+        Principal principal = getPrincipal(acNode.getPath());
         if (principal == null) {
+            // use fall back in order to be able to get/remove the policy
+            String principalName = getPrincipalName(acNode.getPath());
             log.warn("Principal with name " + principalName + " unknown to PrincipalManager.");
             principal = new PrincipalImpl(principalName);
         }

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.java Thu Feb 26 18:05:35 2009
@@ -163,7 +163,6 @@
             } catch (RepositoryException e) {
                 log.error("Failed to set-up minimal access control for root node of workspace " + session.getWorkspace().getName());
                 session.getRootNode().refresh(false);
-                throw e;
             }
         }
     }
@@ -173,6 +172,15 @@
      */
     public AccessControlPolicy[] getEffectivePolicies(Path absPath)
             throws ItemNotFoundException, RepositoryException {
+        /* 
+           TODO review
+           since the per-node effect of the policies is defined by the
+           rep:nodePath restriction, returning the principal-based
+           policy at 'absPath' probably doesn't reveal what the caller expects.
+           Maybe it would be better not to return an empty array as
+           {@link AccessControlManager#getEffectivePolicies(String)
+           is defined to express a best-effor estimate only.
+        */
         AccessControlPolicy[] tmpls = editor.getPolicies(session.getJCRPath(absPath));
         AccessControlPolicy[] effectives = new AccessControlPolicy[tmpls.length];
         for (int i = 0; i < tmpls.length; i++) {

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplate.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplate.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplate.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplate.java Thu Feb 26 18:05:35 2009
@@ -33,7 +33,6 @@
 import org.slf4j.LoggerFactory;
 
 import javax.jcr.Item;
-import javax.jcr.NamespaceException;
 import javax.jcr.NodeIterator;
 import javax.jcr.Property;
 import javax.jcr.PropertyType;
@@ -43,11 +42,11 @@
 import java.security.Principal;
 import java.security.acl.Group;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 
 /**
  * Implementation of the {@link JackrabbitAccessControlList} interface that
@@ -124,7 +123,7 @@
                         restrictions.put(prop.getName(), prop.getValue());
                     }
                     // finally add the entry
-                    Entry entry = new Entry(principal, privileges, isAllow, restrictions);
+                    AccessControlEntry entry = createEntry(principal, privileges, isAllow, restrictions);
                     entries.add(entry);
                 } else {
                     log.warn("ACE must be of nodetype rep:ACE -> ignored child-node " + aceNode.getPath());
@@ -133,6 +132,34 @@
         } // else: no-node at all or no acl-node present.
     }
 
+    AccessControlEntry createEntry(Principal princ, Privilege[] privileges, boolean allow, Map restrictions) throws RepositoryException {
+        if (!principal.equals(princ)) {
+            throw new AccessControlException("Invalid principal. Expected: " + principal);
+        }
+        if (!allow && principal instanceof Group) {
+            throw new AccessControlException("For group principals permissions can only be added but not denied.");
+        }
+
+        Set rNames = restrictions.keySet();
+        if (!rNames.contains(jcrNodePathName)) {
+            throw new AccessControlException("Missing mandatory restriction: " + jcrNodePathName);
+        }
+
+        // make sure the nodePath restriction is of type PATH
+        Value v = (Value) restrictions.get(jcrNodePathName);
+        if (v.getType() != PropertyType.PATH) {
+            v = V_FACTORY.createValue(v.getString(), PropertyType.PATH);
+            restrictions.put(jcrNodePathName, v);
+        }
+        // ... and glob is of type STRING.
+        v = (Value) restrictions.get(jcrGlobName);
+        if (v != null && v.getType() != PropertyType.STRING) {
+            v = V_FACTORY.createValue(v.getString(), PropertyType.STRING);
+            restrictions.put(jcrGlobName, v);
+        }
+        return new Entry(princ, privileges, allow, restrictions);
+    }
+
     //-----------------------------------------------------< JackrabbitAccessControlList >---
     /**
      * @see JackrabbitAccessControlList#getPath()
@@ -142,6 +169,26 @@
     }
 
     /**
+     * @see JackrabbitAccessControlList#getRestrictionNames()
+     */
+    public String[] getRestrictionNames() {
+        return new String[] {jcrNodePathName, jcrGlobName};
+    }
+
+    /**
+     * @see JackrabbitAccessControlList#getRestrictionType(String)
+     */
+    public int getRestrictionType(String restrictionName) {
+        if (jcrNodePathName.equals(restrictionName)) {
+            return PropertyType.PATH;
+        } else if (jcrGlobName.equals(restrictionName)) {
+            return PropertyType.STRING;
+        } else {
+            return PropertyType.UNDEFINED;
+        }
+    }
+
+    /**
      * @see JackrabbitAccessControlList#isEmpty()
      */
     public boolean isEmpty() {
@@ -181,7 +228,7 @@
             restrictions = Collections.singletonMap(jcrNodePathName,
                     V_FACTORY.createValue(getPath(), PropertyType.PATH));
         }
-        Entry entry = new Entry(principal, privileges, isAllow, restrictions);
+        AccessControlEntry entry = createEntry(principal, privileges, isAllow, restrictions);
         if (entries.contains(entry)) {
             log.debug("Entry is already contained in policy -> no modification.");
             return false;
@@ -198,7 +245,7 @@
      */
     public AccessControlEntry[] getAccessControlEntries()
             throws RepositoryException {
-        return (Entry[]) entries.toArray(new Entry[entries.size()]);
+        return (AccessControlEntry[]) entries.toArray(new AccessControlEntry[entries.size()]);
     }
 
     /**
@@ -271,12 +318,12 @@
          */
         private final GlobPattern pattern;
 
-        Entry(Principal principal, Privilege[] privileges, boolean allow, Map restrictions)
+        private Entry(Principal principal, Privilege[] privileges, boolean allow, Map restrictions)
                 throws AccessControlException, RepositoryException {
             super(principal, privileges, allow, restrictions);
-            checkValidEntry();
 
             // TODO: review again
+            Value np = getRestriction(jcrNodePathName);
             nodePath = getRestriction(jcrNodePathName).getString();
             Value glob = getRestriction(jcrGlobName);
             if (glob != null) {
@@ -288,20 +335,6 @@
             }
         }
 
-        private void checkValidEntry() throws AccessControlException, NamespaceException {
-            if (!principal.equals(getPrincipal())) {
-                throw new AccessControlException("Invalid principal. Expected: " + principal);
-            }
-            if (!isAllow() && getPrincipal() instanceof Group) {
-                throw new AccessControlException("For group principals permissions can only be added but not denied.");
-            }
-
-            String[] rNames = getRestrictionNames();
-            if (!Arrays.asList(rNames).contains(jcrNodePathName)) {
-                throw new AccessControlException("Missing mandatory restriction: " + jcrNodePathName);
-            }
-        }
-
         boolean matches(String jcrPath) throws RepositoryException {
             return pattern.matches(jcrPath);
         }

Modified: jackrabbit/trunk/jackrabbit-core/src/main/resources/org/apache/jackrabbit/core/nodetype/builtin_nodetypes.cnd
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/resources/org/apache/jackrabbit/core/nodetype/builtin_nodetypes.cnd?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/resources/org/apache/jackrabbit/core/nodetype/builtin_nodetypes.cnd (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/resources/org/apache/jackrabbit/core/nodetype/builtin_nodetypes.cnd Thu Feb 26 18:05:35 2009
@@ -197,9 +197,21 @@
 
 [rep:DenyACE] > rep:ACE
 
-[rep:AccessControl] > nt:base, rep:AccessControllable
+// -----------------------------------------------------------------------------
+// Principal based AC
+// -----------------------------------------------------------------------------
+
+[rep:AccessControl] > nt:base
   + * (rep:AccessControl) protected ignore
-  
+  + * (rep:PrincipalAccessControl) protected ignore
+
+[rep:PrincipalAccessControl] > rep:AccessControl
+  + rep:policy (rep:Policy) protected ignore
+
+// -----------------------------------------------------------------------------
+// User Management 
+// -----------------------------------------------------------------------------
+
 [rep:Authorizable] > nt:base, mix:referenceable abstract
   + * (rep:Authorizable) = rep:Authorizable protected version
   + * (rep:AuthorizableFolder) = rep:AuthorizableFolder protected version

Modified: jackrabbit/trunk/jackrabbit-core/src/main/resources/org/apache/jackrabbit/core/nodetype/builtin_nodetypes.xml
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/resources/org/apache/jackrabbit/core/nodetype/builtin_nodetypes.xml?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/resources/org/apache/jackrabbit/core/nodetype/builtin_nodetypes.xml (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/resources/org/apache/jackrabbit/core/nodetype/builtin_nodetypes.xml Thu Feb 26 18:05:35 2009
@@ -450,13 +450,28 @@
     <nodeType name="rep:AccessControl" isMixin="false" hasOrderableChildNodes="false" primaryItemName="">
         <supertypes>
             <supertype>nt:base</supertype>
-            <supertype>rep:AccessControllable</supertype>
         </supertypes>
         <childNodeDefinition name="*" autoCreated="false" mandatory="false" onParentVersion="IGNORE" protected="true" sameNameSiblings="false">
             <requiredPrimaryTypes>
                 <requiredPrimaryType>rep:AccessControl</requiredPrimaryType>
             </requiredPrimaryTypes>
         </childNodeDefinition>
+        <childNodeDefinition name="*" autoCreated="false" mandatory="false" onParentVersion="IGNORE" protected="true" sameNameSiblings="false">
+            <requiredPrimaryTypes>
+                <requiredPrimaryType>rep:PrincipalAccessControl</requiredPrimaryType>
+            </requiredPrimaryTypes>
+        </childNodeDefinition>
+    </nodeType>
+
+    <nodeType name="rep:PrincipalAccessControl" isMixin="false" hasOrderableChildNodes="false" primaryItemName="">
+        <supertypes>
+            <supertype>rep:AccessControl</supertype>
+        </supertypes>
+        <childNodeDefinition name="rep:policy" autoCreated="false" mandatory="false" onParentVersion="IGNORE" protected="true" sameNameSiblings="false">
+            <requiredPrimaryTypes>
+                <requiredPrimaryType>rep:Policy</requiredPrimaryType>
+            </requiredPrimaryTypes>
+        </childNodeDefinition>
     </nodeType>
 
     <nodeType name="rep:Authorizable" isMixin="false" hasOrderableChildNodes="false" primaryItemName="" abstract="true">

Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java Thu Feb 26 18:05:35 2009
@@ -73,7 +73,7 @@
     }
 
     public void testGetPath() throws RepositoryException {
-        JackrabbitAccessControlList pt = (JackrabbitAccessControlList) createEmptyTemplate(getTestPath());
+        JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
         assertEquals(getTestPath(), pt.getPath());
     }
 
@@ -84,7 +84,7 @@
         } else {
             throw new NotExecutableException();
         }
-        JackrabbitAccessControlList pt = (JackrabbitAccessControlList) createEmptyTemplate(getTestPath());
+        JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
         try {
             pt.addAccessControlEntry(unknownPrincipal, privilegesFromName(Privilege.JCR_READ));
             fail("Adding an ACE with an unknown principal should fail");
@@ -94,7 +94,7 @@
     }
 
     public void testAddInvalidEntry2() throws RepositoryException {
-        JackrabbitAccessControlList pt = (JackrabbitAccessControlList) createEmptyTemplate(getTestPath());
+        JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
         try {
             pt.addAccessControlEntry(testPrincipal, new Privilege[0]);
             fail("Adding an ACE with invalid privileges should fail");
@@ -104,7 +104,7 @@
     }
 
     public void testRemoveInvalidEntry() throws RepositoryException {
-        JackrabbitAccessControlList pt = (JackrabbitAccessControlList) createEmptyTemplate(getTestPath());
+        JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
         try {
             pt.removeAccessControlEntry(new JackrabbitAccessControlEntry() {
                 public boolean isAllow() {
@@ -138,7 +138,7 @@
     }
 
     public void testRemoveInvalidEntry2() throws RepositoryException {
-        JackrabbitAccessControlList pt = (JackrabbitAccessControlList) createEmptyTemplate(getTestPath());
+        JackrabbitAccessControlList pt = createEmptyTemplate(getTestPath());
         try {
             pt.removeAccessControlEntry(new JackrabbitAccessControlEntry() {
                 public boolean isAllow() {

Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEntryTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEntryTest.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEntryTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEntryTest.java Thu Feb 26 18:05:35 2009
@@ -201,7 +201,7 @@
             };
             createEntry(null, privs, true);
             fail("Principal must not be null");
-        } catch (IllegalArgumentException e) {
+        } catch (Exception e) {
             // success
         }
     }

Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlListTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlListTest.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlListTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/JackrabbitAccessControlListTest.java Thu Feb 26 18:05:35 2009
@@ -28,6 +28,7 @@
 
 import javax.jcr.Node;
 import javax.jcr.RepositoryException;
+import javax.jcr.PropertyType;
 import java.security.Principal;
 import java.util.Arrays;
 import java.util.Collections;
@@ -79,6 +80,18 @@
         }
     }
 
+    public void testGetRestrictionNames() {
+        assertNotNull(templ.getRestrictionNames());
+    }
+
+    public void testGetRestrictionType() {
+        String[] names = templ.getRestrictionNames();
+        for (int i = 0; i < names.length; i++) {
+            int type = templ.getRestrictionType(names[i]);
+            assertTrue(type > PropertyType.UNDEFINED);
+        }
+    }
+
     public void testIsEmpty() throws RepositoryException {
         if (templ.isEmpty()) {
             assertEquals(0, templ.getAccessControlEntries().length);

Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/WriteTest.java Thu Feb 26 18:05:35 2009
@@ -23,12 +23,14 @@
 import org.apache.jackrabbit.core.security.authorization.AbstractWriteTest;
 import org.apache.jackrabbit.core.security.authorization.JackrabbitAccessControlList;
 import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
+import org.apache.jackrabbit.core.security.authorization.AccessControlConstants;
 import org.apache.jackrabbit.core.SessionImpl;
 import org.apache.jackrabbit.test.NotExecutableException;
 
 import javax.jcr.AccessDeniedException;
 import javax.jcr.RepositoryException;
 import javax.jcr.Session;
+import javax.jcr.Node;
 import java.util.Collections;
 import java.util.Map;
 import java.security.Principal;
@@ -170,4 +172,16 @@
         assertFalse(getTestSession().hasPermission(policyPath, org.apache.jackrabbit.api.jsr283.Session.ACTION_REMOVE));
         assertTrue(testAcMgr.hasPrivileges(policyPath, new Privilege[] {rmChildNodes[0], rmNode[0]}));
     }
+
+    public void testApplicablePolicies() throws RepositoryException {
+        AccessControlPolicyIterator it = acMgr.getApplicablePolicies(childNPath);
+        assertTrue(it.hasNext());
+
+        // the same should be true, if the rep:AccessControllable mixin has
+        // been manually added
+        Node n = (Node) superuser.getItem(childNPath);
+        n.addMixin(((SessionImpl) superuser).getJCRName(AccessControlConstants.NT_REP_ACCESS_CONTROLLABLE));
+        it = acMgr.getApplicablePolicies(childNPath);
+        assertTrue(it.hasNext());
+    }
 }
\ No newline at end of file

Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/combined/WriteTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/combined/WriteTest.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/combined/WriteTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/combined/WriteTest.java Thu Feb 26 18:05:35 2009
@@ -30,6 +30,7 @@
 
 import javax.jcr.AccessDeniedException;
 import javax.jcr.RepositoryException;
+import javax.jcr.PropertyType;
 import java.security.Principal;
 import java.util.Map;
 import java.util.HashMap;
@@ -96,7 +97,7 @@
     private Map getPrincipalBasedRestrictions(String path) throws RepositoryException, NotExecutableException {
         if (superuser instanceof SessionImpl) {
             Map restr = new HashMap();
-            restr.put("rep:nodePath", path);
+            restr.put("rep:nodePath", superuser.getValueFactory().createValue(path, PropertyType.PATH));
             return restr;
         } else {
             throw new NotExecutableException();

Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplateTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplateTest.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplateTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplateTest.java Thu Feb 26 18:05:35 2009
@@ -19,8 +19,12 @@
 import org.apache.jackrabbit.core.SessionImpl;
 import org.apache.jackrabbit.core.security.authorization.AbstractACLTemplateTest;
 import org.apache.jackrabbit.core.security.authorization.JackrabbitAccessControlList;
+import org.apache.jackrabbit.spi.commons.conversion.NameResolver;
 
 import javax.jcr.RepositoryException;
+import javax.jcr.PropertyType;
+import java.util.List;
+import java.util.Arrays;
 
 /**
  * <code>ACLTemplateTest</code>...
@@ -37,4 +41,21 @@
             throws RepositoryException {
         return new ACLTemplate(testPrincipal, testPath, (SessionImpl) superuser);
     }
+
+    public void testGetRestrictionNames() throws RepositoryException {
+        List names = Arrays.asList(createEmptyTemplate(getTestPath()).getRestrictionNames());
+
+        assertEquals(2, names.size());
+        NameResolver resolver = (NameResolver) superuser;
+        assertTrue(names.contains(resolver.getJCRName(ACLTemplate.P_NODE_PATH)));
+        assertTrue(names.contains(resolver.getJCRName(ACLTemplate.P_GLOB)));
+    }
+
+    public void testGetRestrictionTypes() throws RepositoryException {
+        JackrabbitAccessControlList acl = createEmptyTemplate(getTestPath());
+
+        NameResolver resolver = (NameResolver) superuser;
+        assertEquals(PropertyType.PATH, acl.getRestrictionType(resolver.getJCRName(ACLTemplate.P_NODE_PATH)));
+        assertEquals(PropertyType.STRING, acl.getRestrictionType(resolver.getJCRName(ACLTemplate.P_GLOB)));
+    }
 }
\ No newline at end of file

Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/EntryTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/EntryTest.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/EntryTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/EntryTest.java Thu Feb 26 18:05:35 2009
@@ -22,7 +22,9 @@
 import org.apache.jackrabbit.core.security.authorization.AbstractEntryTest;
 import org.apache.jackrabbit.core.security.authorization.JackrabbitAccessControlEntry;
 import org.apache.jackrabbit.value.StringValue;
+import org.apache.jackrabbit.value.BooleanValue;
 import org.apache.jackrabbit.test.NotExecutableException;
+import org.apache.jackrabbit.spi.commons.conversion.NameResolver;
 
 import javax.jcr.PropertyType;
 import javax.jcr.RepositoryException;
@@ -43,23 +45,34 @@
     private Map restrictions;
     private ACLTemplate acl;
 
+    private String nodePath;
+    private String glob;
+
     protected void setUp() throws Exception {
         super.setUp();
 
+        if (superuser instanceof NameResolver) {
+            NameResolver resolver = (NameResolver) superuser;
+            nodePath = resolver.getJCRName(ACLTemplate.P_NODE_PATH);
+            glob = resolver.getJCRName(ACLTemplate.P_GLOB);
+        } else {
+            throw new NotExecutableException();
+        }
+
         restrictions = new HashMap(2);
-        restrictions.put("rep:nodePath", superuser.getValueFactory().createValue("/a/b/c/d", PropertyType.PATH));
-        restrictions.put("rep:glob",  superuser.getValueFactory().createValue("*"));
+        restrictions.put(nodePath, superuser.getValueFactory().createValue("/a/b/c/d", PropertyType.PATH));
+        restrictions.put(glob,  superuser.getValueFactory().createValue("*"));
         acl = new ACLTemplate(testPrincipal, testPath, (SessionImpl) superuser);
     }
 
     protected JackrabbitAccessControlEntry createEntry(Principal principal, Privilege[] privileges, boolean isAllow)
             throws RepositoryException {
-        return acl.new Entry(principal, privileges, isAllow, restrictions);
+        return (JackrabbitAccessControlEntry) acl.createEntry(principal, privileges, isAllow, restrictions);
     }
 
     private JackrabbitAccessControlEntry createEntry(Principal principal, Privilege[] privileges, boolean isAllow, Map restrictions)
             throws RepositoryException {
-        return acl.new Entry(principal, privileges, isAllow, restrictions);
+        return (JackrabbitAccessControlEntry) acl.createEntry(principal, privileges, isAllow, restrictions);
     }
 
     public void testNodePathMustNotBeNull() throws RepositoryException, NotExecutableException {
@@ -75,39 +88,68 @@
     public void testGetNodePath() throws RepositoryException, NotExecutableException {
         Privilege[] privs = privilegesFromName(Privilege.JCR_ALL);
         JackrabbitAccessControlEntry pe = createEntry(testPrincipal, privs, true);
-        assertEquals(restrictions.get("rep:nodePath"), pe.getRestriction("rep:nodePath"));
+
+        assertEquals(restrictions.get(nodePath), pe.getRestriction(nodePath));
+        assertEquals(PropertyType.PATH, pe.getRestriction(nodePath).getType());
     }
 
     public void testGetGlob() throws RepositoryException, NotExecutableException {
         Privilege[] privs = privilegesFromName(Privilege.JCR_ALL);
 
         JackrabbitAccessControlEntry pe = createEntry(testPrincipal, privs, true);
-        assertEquals(restrictions.get("rep:glob"), pe.getRestriction("rep:glob"));
+
+        assertEquals(restrictions.get(glob), pe.getRestriction(glob));
+        assertEquals(PropertyType.STRING, pe.getRestriction(glob).getType());
 
         Map restr = new HashMap();
-        restr.put("rep:nodePath",  restrictions.get("rep:nodePath"));
+        restr.put(nodePath,  restrictions.get(nodePath));
         pe = createEntry(testPrincipal, privs, true, restr);
-        assertNull(pe.getRestriction("rep:glob"));
+        assertNull(pe.getRestriction(glob));
 
         restr = new HashMap();
-        restr.put("rep:nodePath",  restrictions.get("rep:nodePath"));
-        restr.put("rep:glob",  new StringValue(""));
+        restr.put(nodePath,  restrictions.get(nodePath));
+        restr.put(glob,  new StringValue(""));
 
         pe = createEntry(testPrincipal, privs, true, restr);
-        assertEquals("", pe.getRestriction("rep:glob").getString());
+        assertEquals("", pe.getRestriction(glob).getString());
+
+        restr = new HashMap();
+        restr.put(nodePath,  restrictions.get(nodePath));
+        restr.put(glob,  new BooleanValue(true));
+        assertEquals(PropertyType.STRING, pe.getRestriction(glob).getType());
+    }
+
+    public void testTypeConversion() throws RepositoryException, NotExecutableException {
+        // ACLTemplate impl tries to convert the property types if the don't
+        // match the required ones.
+        Privilege[] privs = privilegesFromName(Privilege.JCR_ALL);
+
+        Map restr = new HashMap();
+        restr.put(nodePath, new StringValue("/a/b/c/d"));
+        JackrabbitAccessControlEntry pe = createEntry(testPrincipal, privs, true, restr);
+
+        assertEquals("/a/b/c/d", pe.getRestriction(nodePath).getString());
+        assertEquals(PropertyType.PATH, pe.getRestriction(nodePath).getType());
+
+        restr = new HashMap();
+        restr.put(nodePath,  restrictions.get(nodePath));
+        restr.put(glob,  new BooleanValue(true));
+        pe = createEntry(testPrincipal, privs, true, restr);
+
+        assertEquals(true, pe.getRestriction(glob).getBoolean());
+        assertEquals(PropertyType.STRING, pe.getRestriction(glob).getType());
     }
 
     public void testMatches() throws RepositoryException {
         Privilege[] privs = new Privilege[] {acMgr.privilegeFromName(Privilege.JCR_ALL)};
         ACLTemplate.Entry ace = (ACLTemplate.Entry) createEntry(testPrincipal, privs, true);
 
-        // TODO: review again
-        String nodePath = ((Value) restrictions.get("rep:nodePath")).getString();
+        String nPath = ((Value) restrictions.get(nodePath)).getString();
         List toMatch = new ArrayList();
-        toMatch.add(nodePath + "/any");
-        toMatch.add(nodePath + "/anyother");
-        toMatch.add(nodePath + "/f/g/h");
-        toMatch.add(nodePath);
+        toMatch.add(nPath + "/any");
+        toMatch.add(nPath + "/anyother");
+        toMatch.add(nPath + "/f/g/h");
+        toMatch.add(nPath);
         for (Iterator it = toMatch.iterator(); it.hasNext();) {
             String str = it.next().toString();
             assertTrue("Restrictions should match " + str, ace.matches(str));

Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/EvaluationUtil.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/EvaluationUtil.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/EvaluationUtil.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/EvaluationUtil.java Thu Feb 26 18:05:35 2009
@@ -26,6 +26,7 @@
 import javax.jcr.AccessDeniedException;
 import javax.jcr.RepositoryException;
 import javax.jcr.Session;
+import javax.jcr.PropertyType;
 import java.security.Principal;
 import java.util.HashMap;
 import java.util.Map;
@@ -52,7 +53,7 @@
     static  Map getRestrictions(Session s, String path) throws RepositoryException, NotExecutableException {
         if (s instanceof SessionImpl) {
             Map restr = new HashMap();
-            restr.put(((SessionImpl) s).getJCRName(ACLTemplate.P_NODE_PATH), path);
+            restr.put(((SessionImpl) s).getJCRName(ACLTemplate.P_NODE_PATH), s.getValueFactory().createValue(path, PropertyType.PATH));
             return restr;
         } else {
             throw new NotExecutableException();

Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/VersionTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/VersionTest.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/VersionTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/VersionTest.java Thu Feb 26 18:05:35 2009
@@ -30,8 +30,6 @@
 import javax.jcr.Node;
 import javax.jcr.AccessDeniedException;
 import javax.jcr.ItemNotFoundException;
-import javax.jcr.Property;
-import javax.jcr.version.Version;
 import java.security.Principal;
 import java.util.Map;
 

Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/WriteTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/WriteTest.java?rev=748247&r1=748246&r2=748247&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/WriteTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/WriteTest.java Thu Feb 26 18:05:35 2009
@@ -33,7 +33,6 @@
 import javax.jcr.RepositoryException;
 import javax.jcr.Session;
 import java.security.Principal;
-import java.util.HashMap;
 import java.util.Map;
 
 /**
@@ -64,13 +63,7 @@
     }
 
     protected Map getRestrictions(Session s, String path) throws RepositoryException, NotExecutableException {
-        if (s instanceof SessionImpl) {
-            Map restr = new HashMap();
-            restr.put(((SessionImpl) s).getJCRName(ACLTemplate.P_NODE_PATH), path);
-            return restr;
-        } else {
-            throw new NotExecutableException();
-        }
+        return EvaluationUtil.getRestrictions(s, path);
     }
 
 
@@ -79,7 +72,7 @@
 
         // testuser is not allowed to READ the protected property jcr:created.
         Map restr = getRestrictions(superuser, path);
-        restr.put(ACLTemplate.P_GLOB, GlobPattern.create("/afolder/jcr:created"));
+        restr.put(((SessionImpl) superuser).getJCRName(ACLTemplate.P_GLOB), superuser.getValueFactory().createValue("/afolder/jcr:created"));
         withdrawPrivileges(path, testUser.getPrincipal(), privilegesFromName(Privilege.JCR_READ), restr);
 
         // still: adding a nt:folder node should be possible



Mime
View raw message