jackrabbit-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ju...@apache.org
Subject svn commit: r812570 [12/24] - in /jackrabbit/sandbox/JCR-1456: ./ jackrabbit-api/ jackrabbit-api/src/main/appended-resources/ jackrabbit-api/src/main/appended-resources/META-INF/ jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/ jackrabb...
Date Tue, 08 Sep 2009 16:09:45 GMT
Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java?rev=812570&r1=812569&r2=812570&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java Tue Sep  8 16:09:28 2009
@@ -16,37 +16,37 @@
  */
 package org.apache.jackrabbit.core.security.authorization.acl;
 
-import org.apache.commons.collections.map.ListOrderedMap;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.jcr.NodeIterator;
+import javax.jcr.PropertyType;
+import javax.jcr.RepositoryException;
+import javax.jcr.Value;
+import javax.jcr.ValueFactory;
+import javax.jcr.security.AccessControlEntry;
+import javax.jcr.security.AccessControlException;
+import javax.jcr.security.AccessControlManager;
+import javax.jcr.security.Privilege;
+
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
-import org.apache.jackrabbit.api.security.principal.NoSuchPrincipalException;
 import org.apache.jackrabbit.api.security.principal.PrincipalManager;
 import org.apache.jackrabbit.core.NodeImpl;
 import org.apache.jackrabbit.core.SessionImpl;
+import org.apache.jackrabbit.core.security.authorization.AbstractACLTemplate;
 import org.apache.jackrabbit.core.security.authorization.AccessControlConstants;
 import org.apache.jackrabbit.core.security.authorization.AccessControlEntryImpl;
 import org.apache.jackrabbit.core.security.authorization.Permission;
 import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
 import org.apache.jackrabbit.core.security.principal.PrincipalImpl;
+import org.apache.jackrabbit.core.security.principal.UnknownPrincipal;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import javax.jcr.NodeIterator;
-import javax.jcr.PropertyType;
-import javax.jcr.RepositoryException;
-import javax.jcr.Value;
-import javax.jcr.ValueFactory;
-import javax.jcr.security.AccessControlEntry;
-import javax.jcr.security.AccessControlException;
-import javax.jcr.security.AccessControlManager;
-import javax.jcr.security.Privilege;
-import java.security.Principal;
-import java.security.acl.Group;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-
 /**
  * Implementation of the {@link org.apache.jackrabbit.api.security.JackrabbitAccessControlList} interface that
  * is detached from the effective access control content. Consequently, any
@@ -54,21 +54,16 @@
  * {@link javax.jcr.security.AccessControlManager#setPolicy(String, javax.jcr.security.AccessControlPolicy) reapplied}
  * to the <code>AccessControlManager</code> and the changes are saved.
  */
-class ACLTemplate implements JackrabbitAccessControlList {
+class ACLTemplate extends AbstractACLTemplate {
 
     private static final Logger log = LoggerFactory.getLogger(ACLTemplate.class);
 
     /**
-     * Path of the node this ACL template has been created for.
-     */
-    private final String path;
-
-    /**
      * Map containing the entries of this ACL Template using the principal
      * name as key. The value represents a List containing maximal one grant
      * and one deny ACE per principal.
      */
-    private final Map entries = new ListOrderedMap();
+    private final Map<String, List<Entry>> entries = new LinkedHashMap<String, List<Entry>>();
 
     /**
      * The principal manager used for validation checks
@@ -81,41 +76,35 @@
     private final PrivilegeRegistry privilegeRegistry;
 
     /**
-     * The value factory
-     */
-    private final ValueFactory valueFactory;
-
-    /**
      * Construct a new empty {@link ACLTemplate}.
      *
-     * @param path
-     * @param privilegeRegistry
-     * @param principalMgr
+     * @param path path
+     * @param privilegeRegistry registry
+     * @param valueFactory value factory
+     * @param principalMgr manager
      */
     ACLTemplate(String path, PrincipalManager principalMgr, 
                 PrivilegeRegistry privilegeRegistry, ValueFactory valueFactory) {
-        this.path = path;
+        super(path, valueFactory);
         this.principalMgr = principalMgr;
         this.privilegeRegistry = privilegeRegistry;
-        this.valueFactory = valueFactory;
     }
 
     /**
      * Create a {@link ACLTemplate} that is used to edit an existing ACL
      * node.
      *
-     * @param aclNode
-     * @param privilegeRegistry
-     * @throws RepositoryException
+     * @param aclNode node
+     * @param privilegeRegistry registry
+     * @throws RepositoryException if an error occurs
      */
     ACLTemplate(NodeImpl aclNode, PrivilegeRegistry privilegeRegistry) throws RepositoryException {
+        super((aclNode != null) ? aclNode.getParent().getPath() : null, (aclNode != null) ? aclNode.getSession().getValueFactory() : null);
         if (aclNode == null || !aclNode.isNodeType(AccessControlConstants.NT_REP_ACL)) {
             throw new IllegalArgumentException("Node must be of type 'rep:ACL'");
         }
         SessionImpl sImpl = (SessionImpl) aclNode.getSession();
-        path = aclNode.getParent().getPath();
         principalMgr = sImpl.getPrincipalManager();
-        valueFactory = sImpl.getValueFactory();
         
         this.privilegeRegistry = privilegeRegistry;
 
@@ -126,14 +115,7 @@
             NodeImpl aceNode = (NodeImpl) itr.nextNode();
             try {
                 String principalName = aceNode.getProperty(AccessControlConstants.P_PRINCIPAL_NAME).getString();
-                Principal princ = null;
-                if (principalMgr.hasPrincipal(principalName)) {
-                    try {
-                        princ = principalMgr.getPrincipal(principalName);
-                    } catch (NoSuchPrincipalException e) {
-                        // should not get here.
-                    }
-                }
+                Principal princ = principalMgr.getPrincipal(principalName);
                 if (princ == null) {
                     log.debug("Principal with name " + principalName + " unknown to PrincipalManager.");
                     princ = new PrincipalImpl(principalName);
@@ -163,12 +145,12 @@
      * specified names and return a map consisting of principal name key
      * and a list of ACEs as value.
      *
-     * @param aclNode
+     * @param aclNode acl node
      * @param princToEntries Map of key = principalName and value = ArrayList
      * to be filled with ACEs matching the principal names.
-     * @throws RepositoryException
+     * @throws RepositoryException if an error occurs
      */
-    static void collectEntries(NodeImpl aclNode, Map princToEntries)
+    static void collectEntries(NodeImpl aclNode, Map<String, List<AccessControlEntry>> princToEntries)
             throws RepositoryException {
         SessionImpl sImpl = (SessionImpl) aclNode.getSession();
         PrincipalManager principalMgr = sImpl.getPrincipalManager();
@@ -180,14 +162,7 @@
             String principalName = aceNode.getProperty(AccessControlConstants.P_PRINCIPAL_NAME).getString();
             // only process aceNode if 'principalName' is contained in the given set
             if (princToEntries.containsKey(principalName)) {
-                Principal princ = null;
-                if (principalMgr.hasPrincipal(principalName)) {
-                    try {
-                        princ = principalMgr.getPrincipal(principalName);
-                    } catch (NoSuchPrincipalException e) {
-                        // should not get here
-                    }
-                }
+                Principal princ = principalMgr.getPrincipal(principalName);
                 if (princ == null) {
                     log.warn("Principal with name " + principalName + " unknown to PrincipalManager.");
                     princ = new PrincipalImpl(principalName);
@@ -205,31 +180,31 @@
                         aceNode.isNodeType(AccessControlConstants.NT_REP_GRANT_ACE),
                         sImpl.getValueFactory());
                 // add it to the proper list (e.g. separated by principals)
-                ((List) princToEntries.get(principalName)).add(ace);
+                princToEntries.get(principalName).add(ace);
             }
         }
     }
 
-    private List internalGetEntries() {
-        List l = new ArrayList();
-        for (Iterator it = entries.values().iterator(); it.hasNext();) {
-            l.addAll((List) it.next());
+    private List<? extends AccessControlEntry> internalGetEntries() {
+        List<Entry> l = new ArrayList<Entry>();
+        for (List<Entry> o : entries.values()) {
+            l.addAll(o);
         }
         return l;
     }
 
-    private List internalGetEntries(Principal principal) {
+    private List<Entry> internalGetEntries(Principal principal) {
         String principalName = principal.getName();
         if (entries.containsKey(principalName)) {
-            return (List) entries.get(principalName);
+            return entries.get(principalName);
         } else {
-            return new ArrayList(2);
+            return new ArrayList<Entry>(2);
         }
     }
 
     private synchronized boolean internalAdd(Entry entry) throws AccessControlException {
         Principal principal = entry.getPrincipal();
-        List l = internalGetEntries(principal);
+        List<Entry> l = internalGetEntries(principal);
         if (l.isEmpty()) {
             // simple case: just add the new entry
             l.add(entry);
@@ -240,9 +215,9 @@
                 // the same entry is already contained -> no modification
                 return false;
             }
-            // ev. need to adjust existing entries
+            // check if need to adjust existing entries
             Entry complementEntry = null;
-            Entry[] entries = (Entry[]) l.toArray(new Entry[l.size()]);
+            Entry[] entries = l.toArray(new Entry[l.size()]);
             for (int i = 0; i < entries.length; i++) {
                 if (entry.isAllow() == entries[i].isAllow()) {
                     int existingPrivs = entries[i].getPrivilegeBits();
@@ -253,7 +228,7 @@
                     }
 
                     // remove the existing entry and create a new that includes
-                    // both the new privileges and the existing onces.
+                    // both the new privileges and the existing ones.
                     l.remove(i);
                     int mergedBits = entries[i].getPrivilegeBits() | entry.getPrivilegeBits();
                     Privilege[] mergedPrivs = privilegeRegistry.getPrivileges(mergedBits);
@@ -265,7 +240,7 @@
             }
 
             // make sure, that the complement entry (if existing) does not
-            // grant/deny the same privileges -> remove privs that are now
+            // grant/deny the same privileges -> remove privileges that are now
             // denied/granted.
             if (complementEntry != null) {
                 int complPrivs = complementEntry.getPrivilegeBits();
@@ -288,22 +263,22 @@
         }
     }
 
+    //------------------------------------------------< AbstractACLTemplate >---
     /**
-     *
-     * @param principal
-     * @param privileges
-     * @param isAllow
-     * @throws AccessControlException
+     * @see AbstractACLTemplate#checkValidEntry(java.security.Principal, javax.jcr.security.Privilege[], boolean, java.util.Map) 
      */
-    private void checkValidEntry(Principal principal, Privilege[] privileges, boolean isAllow) throws AccessControlException {
+    protected void checkValidEntry(Principal principal, Privilege[] privileges,
+                                 boolean isAllow, Map<String, Value> restrictions)
+            throws AccessControlException {
+        if (restrictions != null && !restrictions.isEmpty()) {
+            throw new AccessControlException("This AccessControlList does not allow for additional restrictions.");
+        }
         // validate principal
-        if (!principalMgr.hasPrincipal(principal.getName())) {
+        if (principal instanceof UnknownPrincipal) {
+            log.debug("Consider fallback principal as valid: {}", principal.getName());
+        } else if (!principalMgr.hasPrincipal(principal.getName())) {
             throw new AccessControlException("Principal " + principal.getName() + " does not exist.");
         }
-        // additional validation: a group may not have 'denied' permissions
-        if (!isAllow && principal instanceof Group) {
-            throw new AccessControlException("For group principals permissions can only be added but not denied.");
-        }
     }
 
     //--------------------------------------------------< AccessControlList >---
@@ -311,16 +286,8 @@
      * @see javax.jcr.security.AccessControlList#getAccessControlEntries()
      */
     public AccessControlEntry[] getAccessControlEntries() throws RepositoryException {
-        List l = internalGetEntries();
-        return (AccessControlEntry[]) l.toArray(new AccessControlEntry[l.size()]);
-    }
-
-    /**
-     * @see javax.jcr.security.AccessControlList#addAccessControlEntry(Principal, Privilege[])
-     */
-    public boolean addAccessControlEntry(Principal principal, Privilege[] privileges)
-            throws AccessControlException, RepositoryException {
-        return addEntry(principal, privileges, true, Collections.EMPTY_MAP);
+        List<? extends AccessControlEntry> l = internalGetEntries();
+        return l.toArray(new AccessControlEntry[l.size()]);
     }
 
     /**
@@ -341,14 +308,7 @@
         }
     }
 
-    //-----------------------------------------------------< JackrabbitAccessControlList >---
-    /**
-     * @see org.apache.jackrabbit.api.security.JackrabbitAccessControlList#getPath()
-     */
-    public String getPath() {
-        return path;
-    }
-
+    //----------------------------------------< JackrabbitAccessControlList >---
     /**
      * Returns an empty String array.
      *
@@ -383,24 +343,12 @@
     }
 
     /**
-     * @see org.apache.jackrabbit.api.security.JackrabbitAccessControlList#addEntry(Principal, Privilege[], boolean)
-     */
-    public boolean addEntry(Principal principal, Privilege[] privileges, boolean isAllow)
-            throws AccessControlException, RepositoryException {
-        return addEntry(principal, privileges, isAllow, null);
-    }
-
-    /**
      * @see org.apache.jackrabbit.api.security.JackrabbitAccessControlList#addEntry(Principal, Privilege[], boolean, Map)
      */
     public boolean addEntry(Principal principal, Privilege[] privileges,
                             boolean isAllow, Map<String, Value> restrictions)
             throws AccessControlException, RepositoryException {
-        if (restrictions != null && !restrictions.isEmpty()) {
-            throw new AccessControlException("This AccessControlList does not allow for additional restrictions.");
-        }
-
-        checkValidEntry(principal, privileges, isAllow);
+        checkValidEntry(principal, privileges, isAllow, restrictions);
         Entry ace = new Entry(principal, privileges, isAllow, valueFactory);
         return internalAdd(ace);
     }
@@ -442,8 +390,9 @@
      */
     static class Entry extends AccessControlEntryImpl {
 
-        Entry(Principal principal, Privilege[] privileges, boolean allow, ValueFactory valueFactory) throws AccessControlException {
-            super(principal, privileges, allow, Collections.EMPTY_MAP, valueFactory);
+        Entry(Principal principal, Privilege[] privileges, boolean allow, ValueFactory valueFactory)
+                throws AccessControlException {
+            super(principal, privileges, allow, Collections.<String, Value>emptyMap(), valueFactory);
         }
     }
 }

Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedEditor.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedEditor.java?rev=812570&r1=812569&r2=812570&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedEditor.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedEditor.java Tue Sep  8 16:09:28 2009
@@ -49,8 +49,8 @@
      */
     public AccessControlPolicy[] getPolicies(String nodePath) throws AccessControlException, PathNotFoundException, RepositoryException {
         List<AccessControlPolicy> templates = new ArrayList<AccessControlPolicy>();
-        for (int i = 0; i < editors.length; i++) {
-            AccessControlPolicy[] ts = editors[i].getPolicies(nodePath);
+        for (AccessControlEditor editor : editors) {
+            AccessControlPolicy[] ts = editor.getPolicies(nodePath);
             if (ts != null && ts.length > 0) {
                 templates.addAll(Arrays.asList(ts));
             }
@@ -63,8 +63,8 @@
      */
     public JackrabbitAccessControlPolicy[] getPolicies(Principal principal) throws AccessControlException, RepositoryException {
         List<JackrabbitAccessControlPolicy> templates = new ArrayList<JackrabbitAccessControlPolicy>();
-        for (int i = 0; i < editors.length; i++) {
-            JackrabbitAccessControlPolicy[] ts = editors[i].getPolicies(principal);
+        for (AccessControlEditor editor : editors) {
+            JackrabbitAccessControlPolicy[] ts = editor.getPolicies(principal);
             if (ts != null && ts.length > 0) {
                 templates.addAll(Arrays.asList(ts));
             }
@@ -77,9 +77,9 @@
      */
     public AccessControlPolicy[] editAccessControlPolicies(String nodePath) throws AccessControlException, PathNotFoundException, RepositoryException {
         List<AccessControlPolicy> templates = new ArrayList<AccessControlPolicy>();
-        for (int i = 0; i < editors.length; i++) {
+        for (AccessControlEditor editor : editors) {
             try {
-                templates.addAll(Arrays.asList(editors[i].editAccessControlPolicies(nodePath)));
+                templates.addAll(Arrays.asList(editor.editAccessControlPolicies(nodePath)));
             } catch (AccessControlException e) {
                 log.debug(e.getMessage());
                 // ignore.
@@ -93,9 +93,9 @@
      */
     public JackrabbitAccessControlPolicy[] editAccessControlPolicies(Principal principal) throws RepositoryException {
         List<JackrabbitAccessControlPolicy> templates = new ArrayList<JackrabbitAccessControlPolicy>();
-        for (int i = 0; i < editors.length; i++) {
+        for (AccessControlEditor editor : editors) {
             try {
-                templates.addAll(Arrays.asList(editors[i].editAccessControlPolicies(principal)));
+                templates.addAll(Arrays.asList(editor.editAccessControlPolicies(principal)));
             } catch (AccessControlException e) {
                 log.debug(e.getMessage());
                 // ignore.
@@ -108,12 +108,12 @@
      * @see AccessControlEditor#setPolicy(String,AccessControlPolicy)
      */
     public void setPolicy(String nodePath, AccessControlPolicy template) throws AccessControlException, PathNotFoundException, RepositoryException {
-        for (int i = 0; i < editors.length; i++) {
+        for (AccessControlEditor editor : editors) {
             try {
                 // return as soon as the first editor successfully handled the
                 // specified template
-                editors[i].setPolicy(nodePath, template);
-                log.debug("Set template " + template + " using " + editors[i]);
+                editor.setPolicy(nodePath, template);
+                log.debug("Set template " + template + " using " + editor);
                 return;
             } catch (AccessControlException e) {
                 log.debug(e.getMessage());
@@ -130,12 +130,12 @@
      */
     public void removePolicy(String nodePath,
                              AccessControlPolicy policy) throws AccessControlException, PathNotFoundException, RepositoryException {
-        for (int i = 0; i < editors.length; i++) {
+        for (AccessControlEditor editor : editors) {
             try {
                 // return as soon as the first editor successfully handled the
                 // specified template
-                editors[i].removePolicy(nodePath, policy);
-                log.debug("Removed template " + policy + " using " + editors[i]);
+                editor.removePolicy(nodePath, policy);
+                log.debug("Removed template " + policy + " using " + editor);
                 return;
             } catch (AccessControlException e) {
                 log.debug(e.getMessage());

Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedProvider.java?rev=812570&r1=812569&r2=812570&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedProvider.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedProvider.java Tue Sep  8 16:09:28 2009
@@ -41,6 +41,7 @@
 import java.util.HashMap;
 import java.util.Arrays;
 import java.util.Iterator;
+import java.security.Principal;
 
 /**
  * <code>CombinedProvider</code>...
@@ -56,8 +57,8 @@
      * @see AccessControlUtils#isAcItem(Path)
      */
     public boolean isAcItem(Path absPath) throws RepositoryException {
-        for (int i = 0; i < providers.length; i++) {
-            if (providers[i] instanceof AccessControlUtils && ((AccessControlUtils) providers[i]).isAcItem(absPath)) {
+        for (AccessControlProvider provider : providers) {
+            if (provider instanceof AccessControlUtils && ((AccessControlUtils) provider).isAcItem(absPath)) {
                 return true;
             }
         }
@@ -68,8 +69,8 @@
      * @see AccessControlUtils#isAcItem(ItemImpl)
      */
     public boolean isAcItem(ItemImpl item) throws RepositoryException {
-        for (int i = 0; i < providers.length; i++) {
-            if (providers[i] instanceof AccessControlUtils && ((AccessControlUtils) providers[i]).isAcItem(item)) {
+        for (AccessControlProvider provider : providers) {
+            if (provider instanceof AccessControlUtils && ((AccessControlUtils) provider).isAcItem(item)) {
                 return true;
             }
         }
@@ -81,8 +82,8 @@
      * @see AccessControlProvider#close()
      */
     public void close() {
-        for (int i = 0; i < providers.length; i++) {
-            providers[i].close();
+        for (AccessControlProvider provider : providers) {
+            provider.close();
         }
         super.close();
     }
@@ -93,11 +94,11 @@
     public void init(Session systemSession, Map configuration) throws RepositoryException {
         super.init(systemSession, configuration);
 
-        // this provider combines the result of 2 (currently hardcoded) AC-providers
+        // this provider combines the result of 2 (currently hard coded) AC-providers
         // TODO: make this configurable
         providers = new AccessControlProvider[2];
 
-        // 1) a resource-based ACL provider, that is not inited with default
+        // 1) a resource-based ACL provider, that is not initialized with default
         //    permissions and should only be used to overrule the permissions
         //    granted or denied by the default provider (see 2).
         providers[0] = new org.apache.jackrabbit.core.security.authorization.acl.ACLProvider();
@@ -117,11 +118,11 @@
      */
     public AccessControlPolicy[] getEffectivePolicies(Path absPath)
             throws ItemNotFoundException, RepositoryException {
-        List l = new ArrayList();
-        for (int i = 0; i < providers.length; i++) {
-            l.addAll(Arrays.asList(providers[i].getEffectivePolicies(absPath)));
+        List<AccessControlPolicy> l = new ArrayList<AccessControlPolicy>();
+        for (AccessControlProvider provider : providers) {
+            l.addAll(Arrays.asList(provider.getEffectivePolicies(absPath)));
         }
-        return (AccessControlPolicy[]) l.toArray(new AccessControlPolicy[l.size()]);
+        return l.toArray(new AccessControlPolicy[l.size()]);
     }
 
     /**
@@ -129,17 +130,17 @@
      */
     public AccessControlEditor getEditor(Session editingSession) {
         checkInitialized();
-        List editors = new ArrayList();
-        for (int i = 0; i < providers.length; i++) {
+        List<AccessControlEditor> editors = new ArrayList<AccessControlEditor>();
+        for (AccessControlProvider provider : providers) {
             try {
-                editors.add(providers[i].getEditor(editingSession));
+                editors.add(provider.getEditor(editingSession));
             } catch (RepositoryException e) {
                 log.debug(e.getMessage());
                 // ignore.
             }
         }
         if (!editors.isEmpty()) {
-            return new CombinedEditor((AccessControlEditor[]) editors.toArray(new AccessControlEditor[editors.size()]));
+            return new CombinedEditor(editors.toArray(new AccessControlEditor[editors.size()]));
         } else {
             log.debug("None of the derived access control providers supports editing.");
             return null;
@@ -149,7 +150,7 @@
     /**
      * @see AccessControlProvider#compilePermissions(Set)
      */
-    public CompiledPermissions compilePermissions(Set principals) throws RepositoryException {
+    public CompiledPermissions compilePermissions(Set<Principal> principals) throws RepositoryException {
         checkInitialized();
         if (isAdminOrSystem(principals)) {
             return getAdminPermissions();
@@ -161,7 +162,7 @@
     /**
      * @see AccessControlProvider#canAccessRoot(Set)
      */
-    public boolean canAccessRoot(Set principals) throws RepositoryException {
+    public boolean canAccessRoot(Set<Principal> principals) throws RepositoryException {
         checkInitialized();
         if (isAdminOrSystem(principals)) {
             return true;
@@ -182,20 +183,21 @@
      */
     private class CompiledPermissionImpl extends AbstractCompiledPermissions  {
 
-        private final List cPermissions;
+        private final List<AbstractCompiledPermissions> cPermissions;
 
         /**
-         * @param principals
+         * @param principals the principals
+         * @throws RepositoryException if an error occurs
          */
-        private CompiledPermissionImpl(Set principals) throws
+        private CompiledPermissionImpl(Set<Principal> principals) throws
                 RepositoryException {
-            this.cPermissions = new ArrayList();
-            for (int i = 0; i < providers.length; i++) {
-                CompiledPermissions cp = providers[i].compilePermissions(principals);
+            this.cPermissions = new ArrayList<AbstractCompiledPermissions>();
+            for (AccessControlProvider provider : providers) {
+                CompiledPermissions cp = provider.compilePermissions(principals);
                 if (cp instanceof AbstractCompiledPermissions) {
-                    cPermissions.add(cp);
+                    cPermissions.add((AbstractCompiledPermissions) cp);
                 } else {
-                    // TODO: deal with other impls.
+                    // TODO: deal with other implementations
                     log.warn("AbstractCompiledPermissions expected. Found " + cp.getClass().getName() + " -> ignore.");
                 }
             }
@@ -207,8 +209,7 @@
          */
         protected Result buildResult(Path absPath) throws RepositoryException {
             Result res = null;
-            for (Iterator it = cPermissions.iterator(); it.hasNext();) {
-                AbstractCompiledPermissions acp = (AbstractCompiledPermissions) it.next();
+            for (AbstractCompiledPermissions acp : cPermissions) {
                 Result other = acp.getResult(absPath);
                 res = (res == null) ? other : res.combine(other);
             }

Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLEditor.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLEditor.java?rev=812570&r1=812569&r2=812570&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLEditor.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLEditor.java Tue Sep  8 16:09:28 2009
@@ -29,7 +29,7 @@
 import org.apache.jackrabbit.core.security.authorization.AccessControlConstants;
 import org.apache.jackrabbit.core.security.authorization.AccessControlEditor;
 import org.apache.jackrabbit.core.security.authorization.Permission;
-import org.apache.jackrabbit.core.security.principal.ItemBasedPrincipal;
+import org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal;
 import org.apache.jackrabbit.core.security.principal.PrincipalImpl;
 import org.apache.jackrabbit.spi.Name;
 import org.apache.jackrabbit.spi.Path;
@@ -54,6 +54,7 @@
 public class ACLEditor extends ProtectedItemModifier implements AccessControlEditor, AccessControlConstants {
 
     private static Logger log = LoggerFactory.getLogger(ACLEditor.class);
+
     /**
      * Default name for ace nodes
      */
@@ -63,6 +64,7 @@
      * the editing session
      */
     private final SessionImpl session;
+
     private final String acRootPath;
 
     ACLEditor(SessionImpl session, Path acRootPath) throws RepositoryException {
@@ -142,7 +144,7 @@
             } // else: acl has already been set before -> use getPolicies instead
         }
 
-        // nodePath not below rep:accesscontrol -> not editable
+        // nodePath not below rep:policy -> not editable
         // or policy has been set before in which case getPolicies should be used instead.
         return new AccessControlPolicy[0];
     }
@@ -175,7 +177,8 @@
     /**
      * @see AccessControlEditor#setPolicy(String,AccessControlPolicy)
      */
-    public void setPolicy(String nodePath, AccessControlPolicy policy) throws AccessControlException, PathNotFoundException, RepositoryException {
+    public void setPolicy(String nodePath, AccessControlPolicy policy)
+            throws AccessControlException, PathNotFoundException, RepositoryException {
         checkProtectsNode(nodePath);
         checkValidPolicy(nodePath, policy);
 
@@ -201,8 +204,8 @@
 
         /* add all new entries defined on the template */
         AccessControlEntry[] aces = acl.getAccessControlEntries();
-        for (int i = 0; i < aces.length; i++) {
-            JackrabbitAccessControlEntry ace = (JackrabbitAccessControlEntry) aces[i];
+        for (AccessControlEntry ace1 : aces) {
+            JackrabbitAccessControlEntry ace = (JackrabbitAccessControlEntry) ace1;
 
             // create the ACE node
             Name nodeName = getUniqueNodeName(aclNode, "entry");
@@ -222,9 +225,9 @@
 
             // store the restrictions:
             String[] restrNames = ace.getRestrictionNames();
-            for (int rnIndex = 0; rnIndex < restrNames.length; rnIndex++) {
-                Name pName = session.getQName(restrNames[rnIndex]);
-                Value value = ace.getRestriction(restrNames[rnIndex]);
+            for (String restrName : restrNames) {
+                Name pName = session.getQName(restrName);
+                Value value = ace.getRestriction(restrName);
                 setProperty(aceNode, pName, value);
             }
         }
@@ -257,16 +260,17 @@
     //------------------------------------------------------------< private >---
     /**
      *
-     * @param nodePath
-     * @return
-     * @throws PathNotFoundException
-     * @throws RepositoryException
+     * @param nodePath the node path
+     * @return the node
+     * @throws PathNotFoundException if the node does not exist
+     * @throws RepositoryException if an error occurs
      */
-    private NodeImpl getAcNode(String nodePath) throws PathNotFoundException, RepositoryException {
+    private NodeImpl getAcNode(String nodePath) throws PathNotFoundException,
+            RepositoryException {
         if (Text.isDescendant(acRootPath, nodePath)) {
             return (NodeImpl) session.getNode(nodePath);
         } else {
-            // node outside of rep:accesscontrol tree -> not handled by this editor.
+            // node outside of rep:policy tree -> not handled by this editor.
             return null;
         }
     }
@@ -324,7 +328,7 @@
      * defining content. It this case setting or modifying an AC-policy is
      * obviously not possible.
      *
-     * @param nodePath
+     * @param nodePath the node path
      * @throws AccessControlException If the given id identifies a Node that
      * represents a ACL or ACE item.
      * @throws RepositoryException
@@ -341,9 +345,9 @@
     /**
      * Check if the specified policy can be set or removed at nodePath.
      *
-     * @param nodePath
-     * @param policy
-     * @throws AccessControlException
+     * @param nodePath the node path
+     * @param policy the policy
+     * @throws AccessControlException if not allowed
      */
     private void checkValidPolicy(String nodePath, AccessControlPolicy policy)
             throws AccessControlException {
@@ -358,9 +362,9 @@
 
     /**
      *
-     * @param principal
-     * @return
-     * @throws RepositoryException
+     * @param principal the principal
+     * @return the path
+     * @throws RepositoryException if an error occurs
      */
     String getPathToAcNode(Principal principal) throws RepositoryException {
         StringBuffer princPath = new StringBuffer(acRootPath);
@@ -376,11 +380,7 @@
     private Principal getPrincipal(String pathToACNode) throws RepositoryException {
         String name = getPrincipalName(pathToACNode);
         PrincipalManager pMgr = session.getPrincipalManager();
-        if (pMgr.hasPrincipal(name)) {
-            return pMgr.getPrincipal(name);
-        } else {
-            return null;
-        }
+        return pMgr.getPrincipal(name);
     }
 
     private static String getPrincipalName(String pathToACNode) {
@@ -389,9 +389,9 @@
 
     /**
      *
-     * @param node
-     * @return
-     * @throws RepositoryException
+     * @param node the node
+     * @return <code>true</code> if access controlled
+     * @throws RepositoryException if an error occurs
      */
     private static boolean isAccessControlled(NodeImpl node) throws RepositoryException {
         return node != null && node.isNodeType(NT_REP_PRINCIPAL_ACCESS_CONTROL) && node.hasNode(N_POLICY);
@@ -399,9 +399,9 @@
 
     /**
      *
-     * @param acNode
-     * @return
-     * @throws RepositoryException
+     * @param acNode the acl node
+     * @return the polict
+     * @throws RepositoryException if an error occurs
      */
     private JackrabbitAccessControlPolicy createTemplate(NodeImpl acNode) throws RepositoryException {
         if (!acNode.isNodeType(NT_REP_PRINCIPAL_ACCESS_CONTROL)) {
@@ -425,8 +425,8 @@
      *
      * @param node a name for the child is resolved
      * @param name if missing the {@link #DEFAULT_ACE_NAME} is taken
-     * @return
-     * @throws RepositoryException
+     * @return the name
+     * @throws RepositoryException if an error occurs
      */
     protected static Name getUniqueNodeName(Node node, String name) throws RepositoryException {
         if (name == null) {

Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.java?rev=812570&r1=812569&r2=812570&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.java Tue Sep  8 16:09:28 2009
@@ -16,49 +16,49 @@
  */
 package org.apache.jackrabbit.core.security.authorization.principalbased;
 
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import javax.jcr.Item;
+import javax.jcr.ItemNotFoundException;
+import javax.jcr.PropertyType;
+import javax.jcr.RepositoryException;
+import javax.jcr.Session;
+import javax.jcr.Value;
+import javax.jcr.ValueFactory;
+import javax.jcr.observation.Event;
+import javax.jcr.observation.EventIterator;
+import javax.jcr.security.AccessControlEntry;
+import javax.jcr.security.AccessControlException;
+import javax.jcr.security.AccessControlManager;
+import javax.jcr.security.AccessControlPolicy;
+import javax.jcr.security.Privilege;
+
+import org.apache.jackrabbit.api.security.principal.PrincipalManager;
+import org.apache.jackrabbit.core.ItemImpl;
+import org.apache.jackrabbit.core.NodeImpl;
+import org.apache.jackrabbit.core.SessionImpl;
+import org.apache.jackrabbit.core.observation.SynchronousEventListener;
+import org.apache.jackrabbit.core.security.SecurityConstants;
 import org.apache.jackrabbit.core.security.authorization.AbstractAccessControlProvider;
+import org.apache.jackrabbit.core.security.authorization.AbstractCompiledPermissions;
 import org.apache.jackrabbit.core.security.authorization.AccessControlConstants;
-import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
 import org.apache.jackrabbit.core.security.authorization.AccessControlEditor;
 import org.apache.jackrabbit.core.security.authorization.CompiledPermissions;
 import org.apache.jackrabbit.core.security.authorization.Permission;
-import org.apache.jackrabbit.core.security.authorization.AbstractCompiledPermissions;
-import org.apache.jackrabbit.core.security.SecurityConstants;
-import org.apache.jackrabbit.core.NodeImpl;
-import org.apache.jackrabbit.core.SessionImpl;
-import org.apache.jackrabbit.core.ItemImpl;
-import org.apache.jackrabbit.core.observation.SynchronousEventListener;
+import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
 import org.apache.jackrabbit.spi.Path;
 import org.apache.jackrabbit.spi.commons.name.PathFactoryImpl;
-import org.apache.jackrabbit.api.security.principal.PrincipalManager;
-import javax.jcr.security.AccessControlPolicy;
-import javax.jcr.security.AccessControlEntry;
-import javax.jcr.security.Privilege;
-import javax.jcr.security.AccessControlManager;
-import javax.jcr.security.AccessControlException;
-
 import org.apache.jackrabbit.util.Text;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import javax.jcr.RepositoryException;
-import javax.jcr.Session;
-import javax.jcr.Item;
-import javax.jcr.ItemNotFoundException;
-import javax.jcr.PropertyType;
-import javax.jcr.ValueFactory;
-import javax.jcr.observation.Event;
-import javax.jcr.observation.EventIterator;
-import java.util.Map;
-import java.util.Set;
-import java.util.HashSet;
-import java.util.List;
-import java.util.ArrayList;
-import java.util.Iterator;
-import java.util.Arrays;
-import java.util.HashMap;
-import java.security.Principal;
-
 /**
  * <code>CombinedProvider</code>...
  */
@@ -70,6 +70,7 @@
     private static final AccessControlPolicy effectivePolicy = EffectivePrincipalBasedPolicy.getInstance();
 
     private ACLEditor editor;
+
     private NodeImpl acRoot;
 
     //-------------------------------------------------< AccessControlUtils >---
@@ -78,8 +79,8 @@
      */
     public boolean isAcItem(Path absPath) throws RepositoryException {
         Path.Element[] elems = absPath.getElements();
-        for (int i = 0; i < elems.length; i++) {
-            if (N_POLICY.equals(elems[i].getName())) {
+        for (Path.Element elem : elems) {
+            if (N_POLICY.equals(elem.getName())) {
                 return true;
             }
         }
@@ -117,7 +118,7 @@
                 log.debug("Install initial permissions: ...");
 
                 ValueFactory vf = session.getValueFactory();
-                Map restrictions = new HashMap();
+                Map<String, Value> restrictions = new HashMap<String, Value>();
                 restrictions.put(session.getJCRName(ACLTemplate.P_NODE_PATH), vf.createValue(root.getPath(), PropertyType.PATH));
                 restrictions.put(session.getJCRName(ACLTemplate.P_GLOB), vf.createValue(GlobPattern.WILDCARD_ALL));
 
@@ -149,7 +150,11 @@
         }
     }
 
-    private static void installDefaultPermissions(Principal principal, Privilege[] privs, Map restrictions, AccessControlEditor editor) throws RepositoryException, AccessControlException {
+    private static void installDefaultPermissions(Principal principal,
+                                                  Privilege[] privs,
+                                                  Map<String, Value> restrictions,
+                                                  AccessControlEditor editor)
+            throws RepositoryException, AccessControlException {
         AccessControlPolicy[] acls = editor.editAccessControlPolicies(principal);
         if (acls.length > 0) {
             ACLTemplate acl = (ACLTemplate) acls[0];
@@ -176,7 +181,7 @@
            most nodes in the repository isn't available anyway) doesn't
            provide the desired information.
            As tmp. solution some default policy is returned indicating.
-           TODO: add proper evalution and return a set of ACLs that take effect on the node at abspath
+           TODO: add proper evaluation and return a set of ACLs that take effect on the node at abs path
         */
         return new AccessControlPolicy[] {effectivePolicy};
     }
@@ -238,21 +243,22 @@
         private List<AccessControlEntry> entries;
 
         /**
-         * @param principals
-         * @throws RepositoryException
+         * @param principals the underlying principals
+         * @throws RepositoryException if an error occurs
          */
         private CompiledPermissionImpl(Set<Principal> principals) throws RepositoryException {
             this(principals, true);
         }
 
         /**
-         * @param principals
-         * @throws RepositoryException
+         * @param principals the underlying principals
+         * @param listenToEvents if <code>true</code> listens to events
+         * @throws RepositoryException if an error occurs
          */
         private CompiledPermissionImpl(Set<Principal> principals, boolean listenToEvents) throws RepositoryException {
 
             this.principals = principals;
-            acPaths = new HashSet(principals.size());
+            acPaths = new HashSet<String>(principals.size());
             entries = reload();
 
             // TODO: describe
@@ -298,9 +304,9 @@
          * evaluated or <code>null</code>.
          * @param targetPath Path used for the evaluation; pointing to an
          * existing or non-existing item.
-         * @param isAcItem
-         * @return
-         * @throws RepositoryException
+         * @param isAcItem the item
+         * @return the result
+         * @throws RepositoryException if an error occurs
          */
         private Result getResult(Item target,
                                  String targetPath,
@@ -401,24 +407,23 @@
 
         /**
          *
-         * @return
-         * @throws RepositoryException
+         * @return the aces
+         * @throws RepositoryException if an error occurs
          */
         private List<AccessControlEntry> reload() throws RepositoryException {
             // reload the paths
             acPaths.clear();
 
             // acNodes must be ordered in the same order as the principals
-            // in order to obtain proper acl-evalution in case the given
+            // in order to obtain proper acl-evaluation in case the given
             // principal-set is ordered.
             List<AccessControlEntry> allACEs = new ArrayList<AccessControlEntry>();
             // build acl-hierarchy assuming that principal-order determines the
             // acl-inheritance.
-            for (Iterator it = principals.iterator(); it.hasNext();) {
-                Principal princ = (Principal) it.next();
-                ACLTemplate acl = editor.getACL(princ);
+            for (Principal p : principals) {
+                ACLTemplate acl = editor.getACL(p);
                 if (acl == null || acl.isEmpty()) {
-                    acPaths.add(editor.getPathToAcNode(princ));
+                    acPaths.add(editor.getPathToAcNode(p));
                 } else {
                     // retrieve the ACEs from the node
                     AccessControlEntry[] aces = acl.getAccessControlEntries();

Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplate.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplate.java?rev=812570&r1=812569&r2=812570&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplate.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplate.java Tue Sep  8 16:09:28 2009
@@ -19,8 +19,8 @@
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
 import org.apache.jackrabbit.core.NodeImpl;
 import org.apache.jackrabbit.core.SessionImpl;
-import org.apache.jackrabbit.core.security.authorization.AccessControlConstants;
 import org.apache.jackrabbit.core.security.authorization.AccessControlEntryImpl;
+import org.apache.jackrabbit.core.security.authorization.AbstractACLTemplate;
 import org.apache.jackrabbit.spi.Name;
 import org.apache.jackrabbit.spi.commons.conversion.NamePathResolver;
 import org.slf4j.Logger;
@@ -38,7 +38,6 @@
 import javax.jcr.security.AccessControlManager;
 import javax.jcr.security.Privilege;
 import java.security.Principal;
-import java.security.acl.Group;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
@@ -53,7 +52,7 @@
  * {@link javax.jcr.security.AccessControlManager#setPolicy(String, javax.jcr.security.AccessControlPolicy) reapplied}
  * to the <code>AccessControlManager</code> and the changes are saved.
  */
-class ACLTemplate implements JackrabbitAccessControlList, AccessControlConstants {
+class ACLTemplate extends AbstractACLTemplate {
 
     private static Logger log = LoggerFactory.getLogger(ACLTemplate.class);
 
@@ -70,28 +69,28 @@
     static final Name P_GLOB = NF.create(Name.NS_REP_URI, "glob");
 
     private final Principal principal;
-    private final String path;
-    private final ValueFactory valueFactory;
 
-    private final List entries = new ArrayList();
+    private final List<AccessControlEntry> entries = new ArrayList<AccessControlEntry>();
 
     private final String jcrNodePathName;
     private final String jcrGlobName;
 
-    ACLTemplate(Principal principal, String path, NamePathResolver resolver, ValueFactory vf) throws RepositoryException {
+    ACLTemplate(Principal principal, String path, NamePathResolver resolver, ValueFactory vf)
+            throws RepositoryException {
         this(principal, path, null, resolver, vf);
     }
 
     ACLTemplate(Principal principal, NodeImpl acNode) throws RepositoryException {
-        this(principal, acNode.getPath(), acNode, (SessionImpl) acNode.getSession(), acNode.getSession().getValueFactory());
+        this(principal, acNode.getPath(), acNode, (SessionImpl) acNode.getSession(),
+                acNode.getSession().getValueFactory());
     }
 
     private ACLTemplate(Principal principal, String path, NodeImpl acNode,
                         NamePathResolver resolver, ValueFactory vf)
             throws RepositoryException {
+        super(path, vf);
+
         this.principal = principal;
-        this.path = path;
-        this.valueFactory = vf;
 
         jcrNodePathName = resolver.getJCRName(P_NODE_PATH);
         jcrGlobName = resolver.getJCRName(P_GLOB);
@@ -114,7 +113,7 @@
                         privileges[i] = acMgr.privilegeFromName(pValues[i].getString());
                     }
                     // the restrictions:
-                    Map restrictions = new HashMap(2);
+                    Map<String, Value> restrictions = new HashMap<String, Value>(2);
                     Property prop = aceNode.getProperty(P_NODE_PATH);
                     restrictions.put(prop.getName(), prop.getValue());
 
@@ -133,18 +132,9 @@
     }
 
     AccessControlEntry createEntry(Principal princ, Privilege[] privileges,
-                                   boolean allow, Map<String, Value> restrictions) throws RepositoryException {
-        if (!principal.equals(princ)) {
-            throw new AccessControlException("Invalid principal. Expected: " + principal);
-        }
-        if (!allow && principal instanceof Group) {
-            throw new AccessControlException("For group principals permissions can only be added but not denied.");
-        }
-
-        Set rNames = restrictions.keySet();
-        if (!rNames.contains(jcrNodePathName)) {
-            throw new AccessControlException("Missing mandatory restriction: " + jcrNodePathName);
-        }
+                                   boolean allow, Map<String, Value> restrictions)
+            throws RepositoryException {
+        checkValidEntry(princ, privileges, allow, restrictions);
 
         // make sure the nodePath restriction is of type PATH
         Value v = restrictions.get(jcrNodePathName);
@@ -161,14 +151,24 @@
         return new Entry(princ, privileges, allow, restrictions);
     }
 
-    //-----------------------------------------------------< JackrabbitAccessControlList >---
+    //------------------------------------------------< AbstractACLTemplate >---
     /**
-     * @see JackrabbitAccessControlList#getPath()
+     * @see AbstractACLTemplate#checkValidEntry(java.security.Principal, javax.jcr.security.Privilege[], boolean, java.util.Map)
      */
-    public String getPath() {
-        return path;
-    }
+    protected void checkValidEntry(Principal principal, Privilege[] privileges,
+                                 boolean isAllow, Map<String, Value> restrictions)
+            throws AccessControlException {
+        if (!this.principal.equals(principal)) {
+            throw new AccessControlException("Invalid principal. Expected: " + principal);
+        }
 
+        Set<String> rNames = restrictions.keySet();
+        if (!rNames.contains(jcrNodePathName)) {
+            throw new AccessControlException("Missing mandatory restriction: " + jcrNodePathName);
+        }
+    }
+    
+    //----------------------------------------< JackrabbitAccessControlList >---
     /**
      * @see JackrabbitAccessControlList#getRestrictionNames()
      */
@@ -204,14 +204,6 @@
     }
 
     /**
-     * @see JackrabbitAccessControlList#addEntry(Principal, Privilege[], boolean)
-     */
-    public boolean addEntry(Principal principal, Privilege[] privileges, boolean isAllow)
-            throws AccessControlException, RepositoryException {
-        return addEntry(principal, privileges, isAllow, null);
-    }
-
-    /**
      * Known restrictions are:
      * <pre>
      *   rep:nodePath  (mandatory) value-type: PATH
@@ -221,7 +213,7 @@
      * @see org.apache.jackrabbit.api.security.JackrabbitAccessControlList#addEntry(Principal, Privilege[], boolean, Map)
      */
     public boolean addEntry(Principal principal, Privilege[] privileges,
-                            boolean isAllow, Map restrictions)
+                            boolean isAllow, Map<String, Value> restrictions)
             throws AccessControlException, RepositoryException {
         if (restrictions == null || restrictions.isEmpty()) {
             log.debug("Restrictions missing. Using default: rep:nodePath = " + getPath() + "; rep:glob = null.");
@@ -246,16 +238,7 @@
      */
     public AccessControlEntry[] getAccessControlEntries()
             throws RepositoryException {
-        return (AccessControlEntry[]) entries.toArray(new AccessControlEntry[entries.size()]);
-    }
-
-    /**
-     * @see javax.jcr.security.AccessControlList#addAccessControlEntry(Principal, Privilege[])
-     */
-    public boolean addAccessControlEntry(Principal principal,
-                                         Privilege[] privileges)
-            throws AccessControlException, RepositoryException {
-        return addEntry(principal, privileges, true, Collections.EMPTY_MAP);
+        return entries.toArray(new AccessControlEntry[entries.size()]);
     }
 
     /**
@@ -319,7 +302,8 @@
          */
         private final GlobPattern pattern;
 
-        private Entry(Principal principal, Privilege[] privileges, boolean allow, Map restrictions)
+        private Entry(Principal principal, Privilege[] privileges, boolean allow,
+                      Map<String, Value> restrictions)
                 throws AccessControlException, RepositoryException {
             super(principal, privileges, allow, restrictions, valueFactory);
 

Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/AdminPrincipal.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/AdminPrincipal.java?rev=812570&r1=812569&r2=812570&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/AdminPrincipal.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/AdminPrincipal.java Tue Sep  8 16:09:28 2009
@@ -16,6 +16,8 @@
  */
 package org.apache.jackrabbit.core.security.principal;
 
+import org.apache.jackrabbit.api.security.principal.JackrabbitPrincipal;
+
 /**
  * This principal represents the admin user as a distinct principal having all
  * the access rights and is being authenticated (in contrast to the

Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/DefaultPrincipalProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/DefaultPrincipalProvider.java?rev=812570&r1=812569&r2=812570&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/DefaultPrincipalProvider.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/DefaultPrincipalProvider.java Tue Sep  8 16:09:28 2009
@@ -16,9 +16,20 @@
  */
 package org.apache.jackrabbit.core.security.principal;
 
+import java.security.Principal;
+import java.util.Iterator;
+import java.util.LinkedHashSet;
+import java.util.Map;
+import java.util.Set;
+
+import javax.jcr.RepositoryException;
+import javax.jcr.Session;
+import javax.jcr.observation.Event;
+import javax.jcr.observation.EventIterator;
+import javax.jcr.observation.EventListener;
+
 import org.apache.commons.collections.iterators.IteratorChain;
 import org.apache.commons.collections.map.LRUMap;
-import org.apache.commons.collections.set.ListOrderedSet;
 import org.apache.jackrabbit.api.security.principal.PrincipalIterator;
 import org.apache.jackrabbit.api.security.principal.PrincipalManager;
 import org.apache.jackrabbit.api.security.user.Authorizable;
@@ -31,15 +42,6 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import javax.jcr.RepositoryException;
-import javax.jcr.Session;
-import javax.jcr.observation.Event;
-import javax.jcr.observation.EventIterator;
-import javax.jcr.observation.EventListener;
-import java.security.Principal;
-import java.util.Iterator;
-import java.util.Set;
-
 /**
  * Provides principals for the users contained within the Repository.<p/>
  * Each {@link Authorizable} accessible via {@link UserManager}
@@ -60,7 +62,7 @@
      * a cache for group memberships: maps principal-name to a set of principals
      * representing the members.
      */
-    private final LRUMap membershipCache;
+    private final Map<String, Set<Principal>> membershipCache;
 
     /**
      * Principal-Base of this Provider
@@ -180,9 +182,9 @@
      */
     public PrincipalIterator getGroupMembership(Principal userPrincipal) {
         checkInitialized();
-        Set mship;
+        Set<Principal> mship;
         synchronized (membershipCache) {
-            mship = (Set) membershipCache.get(userPrincipal.getName());
+            mship = membershipCache.get(userPrincipal.getName());
             if (mship == null) {
                 // recursively collect group membership
                 mship = collectGroupMembership(userPrincipal);
@@ -275,15 +277,15 @@
      * @return all Group principals the specified <code>princ</code> is member of
      * including inherited membership.
      */
-    private Set collectGroupMembership(Principal princ) {
-        Set membership = new ListOrderedSet();
+    private Set<Principal> collectGroupMembership(Principal princ) {
+        Set<Principal> membership = new LinkedHashSet<Principal>();
             try {
                 Authorizable auth = userManager.getAuthorizable(princ);
                 if (auth != null) {
                     addToCache(princ);
-                    Iterator itr = auth.memberOf();
+                    Iterator<Group> itr = auth.memberOf();
                     while (itr.hasNext()) {
-                        Group group = (Group) itr.next();
+                        Group group = itr.next();
                         Principal gp = group.getPrincipal();
                         addToCache(gp);
                         membership.add(gp);
@@ -324,7 +326,7 @@
             try {
                 Iterator itr = userManager.findAuthorizables(pPrincipalName, simpleFilter, UserManager.SEARCH_TYPE_GROUP);
 
-                // everyone will not be found by the usermanager -> extra test
+                // everyone will not be found by the user manager -> extra test
                 boolean addEveryone = everyonePrincipal.getName().matches(".*"+simpleFilter+".*");
                 return new PrincipalIteratorImpl(itr, addEveryone);
 

Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/EveryonePrincipal.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/EveryonePrincipal.java?rev=812570&r1=812569&r2=812570&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/EveryonePrincipal.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/EveryonePrincipal.java Tue Sep  8 16:09:28 2009
@@ -51,7 +51,7 @@
         return !member.equals(this);
     }
 
-    public Enumeration members() {
+    public Enumeration<? extends Principal> members() {
         throw new UnsupportedOperationException("Not implemented.");
     }
 

Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/PrincipalImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/PrincipalImpl.java?rev=812570&r1=812569&r2=812570&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/PrincipalImpl.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/PrincipalImpl.java Tue Sep  8 16:09:28 2009
@@ -16,6 +16,8 @@
  */
 package org.apache.jackrabbit.core.security.principal;
 
+import org.apache.jackrabbit.api.security.principal.JackrabbitPrincipal;
+
 import java.io.Serializable;
 import java.security.Principal;
 

Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/PrincipalManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/PrincipalManagerImpl.java?rev=812570&r1=812569&r2=812570&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/PrincipalManagerImpl.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/PrincipalManagerImpl.java Tue Sep  8 16:09:28 2009
@@ -16,12 +16,6 @@
  */
 package org.apache.jackrabbit.core.security.principal;
 
-import org.apache.jackrabbit.api.security.principal.NoSuchPrincipalException;
-import org.apache.jackrabbit.api.security.principal.PrincipalIterator;
-import org.apache.jackrabbit.api.security.principal.PrincipalManager;
-
-import javax.jcr.RepositoryException;
-import javax.jcr.Session;
 import java.security.Principal;
 import java.security.acl.Group;
 import java.util.ArrayList;
@@ -30,6 +24,13 @@
 import java.util.Iterator;
 import java.util.List;
 
+import javax.jcr.RepositoryException;
+import javax.jcr.Session;
+
+import org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal;
+import org.apache.jackrabbit.api.security.principal.PrincipalIterator;
+import org.apache.jackrabbit.api.security.principal.PrincipalManager;
+
 /**
  * This principal manager implementation uses the {@link DefaultPrincipalProvider}
  * in order to dispatch the respective requests and assemble the required
@@ -49,8 +50,8 @@
     /**
      * Creates a new default principal manager implementation.
      *
-     * @param session
-     * @param providers
+     * @param session the underlying session
+     * @param providers the providers
      */
     public PrincipalManagerImpl(Session session, PrincipalProvider[] providers) {
         this.session = session;
@@ -68,14 +69,8 @@
     /**
      * {@inheritDoc}
      */
-    public Principal getPrincipal(String principalName) throws NoSuchPrincipalException {
-        Principal p = internalGetPrincipal(principalName);
-        if (p == null) {
-            // not found (or access denied)
-            throw new NoSuchPrincipalException("Unknown principal " + principalName);
-        } else {
-            return p;
-        }
+    public Principal getPrincipal(String principalName) {
+        return internalGetPrincipal(principalName);
     }
 
     /**
@@ -83,9 +78,8 @@
      */
     public PrincipalIterator findPrincipals(String simpleFilter) {
         checkIsValid();
-        List entries = new ArrayList(providers.length);
-        for (int i = 0; i < providers.length; i++) {
-            PrincipalProvider pp = providers[i];
+        List<CheckedIteratorEntry> entries = new ArrayList<CheckedIteratorEntry>(providers.length);
+        for (PrincipalProvider pp : providers) {
             PrincipalIterator it = pp.findPrincipals(simpleFilter);
             if (it.hasNext()) {
                 entries.add(new CheckedIteratorEntry(it, pp));
@@ -99,9 +93,8 @@
      */
     public PrincipalIterator findPrincipals(String simpleFilter, int searchType) {
         checkIsValid();
-        List entries = new ArrayList(providers.length);
-        for (int i = 0; i < providers.length; i++) {
-            PrincipalProvider pp = providers[i];
+        List<CheckedIteratorEntry> entries = new ArrayList<CheckedIteratorEntry>(providers.length);
+        for (PrincipalProvider pp : providers) {
             PrincipalIterator it = pp.findPrincipals(simpleFilter, searchType);
             if (it.hasNext()) {
                 entries.add(new CheckedIteratorEntry(it, pp));
@@ -116,9 +109,8 @@
      */
     public PrincipalIterator getPrincipals(int searchType) {
         checkIsValid();
-        List entries = new ArrayList(providers.length);
-        for (int i = 0; i < providers.length; i++) {
-            PrincipalProvider pp = providers[i];
+        List<CheckedIteratorEntry> entries = new ArrayList<CheckedIteratorEntry>(providers.length);
+        for (PrincipalProvider pp : providers) {
             PrincipalIterator it = pp.getPrincipals(searchType);
             if (it.hasNext()) {
                 entries.add(new CheckedIteratorEntry(it, pp));
@@ -132,9 +124,8 @@
      */
     public PrincipalIterator getGroupMembership(Principal principal) {
         checkIsValid();
-        List entries =  new ArrayList(providers.length + 1);
-        for (int i = 0; i < providers.length; i++) {
-            PrincipalProvider pp = providers[i];
+        List<CheckedIteratorEntry> entries =  new ArrayList<CheckedIteratorEntry>(providers.length + 1);
+        for (PrincipalProvider pp : providers) {
             PrincipalIterator groups = pp.getGroupMembership(principal);
             if (groups.hasNext()) {
                 entries.add(new CheckedIteratorEntry(groups, pp));
@@ -169,17 +160,17 @@
     }
 
     /**
-     * @param principalName
+     * @param principalName the name of the principal
      * @return The principal with the given name or <code>null</code> if none
      * of the providers knows that principal of if the Session is not allowed
      * to see it.
      */
     private Principal internalGetPrincipal(String principalName) {
         checkIsValid();
-        for (int i = 0; i < providers.length; i++) {
-            Principal principal = providers[i].getPrincipal(principalName);
-            if (principal != null && providers[i].canReadPrincipal(session, principal)) {
-                return disguise(principal, providers[i]);
+        for (PrincipalProvider provider : providers) {
+            Principal principal = provider.getPrincipal(principalName);
+            if (principal != null && provider.canReadPrincipal(session, principal)) {
+                return disguise(principal, provider);
             }
         }
         // nothing found or not allowed to see it.
@@ -187,7 +178,8 @@
     }
 
     /**
-     * @param principal
+     * @param principal the principal
+     * @param provider the provider
      * @return A group that only reveals those members that are visible to the
      * current session or the specified principal if its not a group or the
      * everyone principal.
@@ -237,15 +229,15 @@
             return delegatee.isMember(member);
         }
 
-        public Enumeration members() {
+        public Enumeration<? extends Principal> members() {
             Iterator it = Collections.list(delegatee.members()).iterator();
-            final Iterator members = new CheckedPrincipalIterator(it, provider);
-            return new Enumeration() {
+            final PrincipalIterator members = new CheckedPrincipalIterator(it, provider);
+            return new Enumeration<Principal>() {
                 public boolean hasMoreElements() {
                     return members.hasNext();
                 }
-                public Object nextElement() {
-                    return members.next();
+                public Principal nextElement() {
+                    return members.nextPrincipal();
                 }
             };
         }
@@ -290,16 +282,16 @@
      */
     private class CheckedPrincipalIterator extends AbstractPrincipalIterator {
 
-        private final List entries;
+        private final List<CheckedIteratorEntry> entries;
 
         private CheckedPrincipalIterator(Iterator it, PrincipalProvider provider) {
-            entries = new ArrayList(1);
+            entries = new ArrayList<CheckedIteratorEntry>(1);
             entries.add(new CheckedIteratorEntry(it, provider));
             next = seekNext();
         }
 
-        private CheckedPrincipalIterator(List entries) {
-            this.entries = new ArrayList(entries);
+        private CheckedPrincipalIterator(List<CheckedIteratorEntry> entries) {
+            this.entries = new ArrayList<CheckedIteratorEntry>(entries);
             next = seekNext();
         }
 
@@ -308,8 +300,8 @@
          */
         protected final Principal seekNext() {
             while (!entries.isEmpty()) {
-                // first test if current-itr has more elements
-                CheckedIteratorEntry current = (CheckedIteratorEntry) entries.get(0);
+                // first test if current iterator has more elements
+                CheckedIteratorEntry current = entries.get(0);
                 Iterator iterator = current.iterator;
                 while (iterator.hasNext()) {
                     Principal chk = (Principal) iterator.next();
@@ -318,7 +310,7 @@
                         return disguise(chk, current.provider);
                     }
                 }
-                // ino more elements in current-itr -> move to next iterator.
+                // no more elements in current iterator -> move to next iterator.
                 entries.remove(0);
             }
             return null;

Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/ProviderRegistryImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/ProviderRegistryImpl.java?rev=812570&r1=812569&r2=812570&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/ProviderRegistryImpl.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/principal/ProviderRegistryImpl.java Tue Sep  8 16:09:28 2009
@@ -16,17 +16,18 @@
  */
 package org.apache.jackrabbit.core.security.principal;
 
+import java.util.Collection;
+import java.util.LinkedHashMap;
+import java.util.Map;
+import java.util.Properties;
+
+import javax.jcr.RepositoryException;
+
 import org.apache.jackrabbit.core.config.BeanConfig;
 import org.apache.jackrabbit.core.config.LoginModuleConfig;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import javax.jcr.RepositoryException;
-import java.util.Collection;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Properties;
-
 /**
  * This is the default implementation of the {@link PrincipalProviderRegistry}
  * interface.
@@ -37,7 +38,7 @@
     private static final Logger log = LoggerFactory.getLogger(ProviderRegistryImpl.class);
 
     private final PrincipalProvider defaultPrincipalProvider;
-    private final Map providers = new HashMap();
+    private final Map<String, PrincipalProvider> providers = new LinkedHashMap<String, PrincipalProvider>();
 
     /**
      * Create an instance of <code>ProviderRegistryImpl</code> with the given
@@ -82,7 +83,7 @@
      */
     public PrincipalProvider getProvider(String className) {
         synchronized (providers) {
-            return (PrincipalProvider) providers.get(className);
+            return providers.get(className);
         }
     }
 
@@ -91,8 +92,8 @@
      */
     public PrincipalProvider[] getProviders() {
         synchronized (providers) {
-            Collection pps = providers.values();
-            return (PrincipalProvider[]) pps.toArray(new PrincipalProvider[pps.size()]);
+            Collection<PrincipalProvider> pps = providers.values();
+            return pps.toArray(new PrincipalProvider[pps.size()]);
         }
     }
 

Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleAccessManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleAccessManager.java?rev=812570&r1=812569&r2=812570&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleAccessManager.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleAccessManager.java Tue Sep  8 16:09:28 2009
@@ -38,6 +38,8 @@
 import javax.jcr.PathNotFoundException;
 import javax.jcr.RepositoryException;
 import javax.security.auth.Subject;
+import java.security.Principal;
+import java.util.Set;
 
 /**
  * <code>SimpleAccessManager</code> ...
@@ -295,4 +297,44 @@
             throw new PathNotFoundException(absPath);
         }
     }
+
+    /**
+     * @see org.apache.jackrabbit.api.security.JackrabbitAccessControlManager#hasPrivileges(String, Set, Privilege[])
+     */
+    public boolean hasPrivileges(String absPath, Set<Principal> principals, Privilege[] privileges) throws PathNotFoundException, RepositoryException {
+        if (anonymous) {
+            // anonymous doesn't have READ_AC privilege
+            throw new AccessDeniedException();
+        }
+        
+        if (principals.size() == 1) {
+            Principal princ = principals.iterator().next();
+            if (princ instanceof AnonymousPrincipal) {
+                return privileges.length == 1 && privileges[0].equals(privilegeRegistry.getPrivilege(Privilege.JCR_READ));
+            }
+        }
+
+        // @todo check permission based on principals
+        return true;
+    }
+
+    /**
+     * @see org.apache.jackrabbit.api.security.JackrabbitAccessControlManager#getPrivileges(String, Set)
+     */
+    public Privilege[] getPrivileges(String absPath, Set<Principal> principals) throws PathNotFoundException, RepositoryException {
+        if (anonymous) {
+            // anonymous doesn't have READ_AC privilege
+            throw new AccessDeniedException();
+        }
+
+        if (principals.size() == 1) {
+            Principal princ = principals.iterator().next();
+            if (princ instanceof AnonymousPrincipal) {
+                return new Privilege[] {privilegeRegistry.getPrivilege(Privilege.JCR_READ)};
+            }
+        }
+
+        // @todo check permission based on principals
+        return new Privilege[] {privilegeRegistry.getPrivilege(Privilege.JCR_ALL)};
+    }
 }

Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleLoginModule.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleLoginModule.java?rev=812570&r1=812569&r2=812570&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleLoginModule.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleLoginModule.java Tue Sep  8 16:09:28 2009
@@ -75,8 +75,8 @@
     }
 
     /**
-     * Uses the configured {@link PrincipalProvider} to retrieve the principal.
-     * It takes the {@link PrincipalProvider#getPrincipal(String)} for the User-ID
+     * Uses the configured {@link org.apache.jackrabbit.core.security.principal.PrincipalProvider} to retrieve the principal.
+     * It takes the {@link org.apache.jackrabbit.core.security.principal.PrincipalProvider#getPrincipal(String)} for the User-ID
      * resolved by  {@link #getUserID(Credentials)}, assuming that
      * User-ID and the corresponding principal name are always identical.
      *

Modified: jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleSecurityManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleSecurityManager.java?rev=812570&r1=812569&r2=812570&view=diff
==============================================================================
--- jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleSecurityManager.java (original)
+++ jackrabbit/sandbox/JCR-1456/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/simple/SimpleSecurityManager.java Tue Sep  8 16:09:28 2009
@@ -16,6 +16,25 @@
  */
 package org.apache.jackrabbit.core.security.simple;
 
+import java.security.Principal;
+import java.security.acl.Group;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Set;
+
+import javax.jcr.AccessDeniedException;
+import javax.jcr.Credentials;
+import javax.jcr.Repository;
+import javax.jcr.RepositoryException;
+import javax.jcr.Session;
+import javax.jcr.SimpleCredentials;
+import javax.jcr.UnsupportedRepositoryOperationException;
+import javax.security.auth.Subject;
+
 import org.apache.jackrabbit.api.security.principal.PrincipalIterator;
 import org.apache.jackrabbit.api.security.principal.PrincipalManager;
 import org.apache.jackrabbit.api.security.user.UserManager;
@@ -24,14 +43,17 @@
 import org.apache.jackrabbit.core.config.AccessManagerConfig;
 import org.apache.jackrabbit.core.config.LoginModuleConfig;
 import org.apache.jackrabbit.core.config.SecurityConfig;
+import org.apache.jackrabbit.core.config.SecurityManagerConfig;
 import org.apache.jackrabbit.core.security.AMContext;
 import org.apache.jackrabbit.core.security.AccessManager;
-import org.apache.jackrabbit.core.security.JackrabbitSecurityManager;
-import org.apache.jackrabbit.core.security.UserPrincipal;
 import org.apache.jackrabbit.core.security.AnonymousPrincipal;
+import org.apache.jackrabbit.core.security.JackrabbitSecurityManager;
 import org.apache.jackrabbit.core.security.SecurityConstants;
+import org.apache.jackrabbit.core.security.UserPrincipal;
 import org.apache.jackrabbit.core.security.authentication.AuthContext;
 import org.apache.jackrabbit.core.security.authentication.AuthContextProvider;
+import org.apache.jackrabbit.core.security.authorization.AccessControlProvider;
+import org.apache.jackrabbit.core.security.authorization.WorkspaceAccessManager;
 import org.apache.jackrabbit.core.security.principal.AdminPrincipal;
 import org.apache.jackrabbit.core.security.principal.EveryonePrincipal;
 import org.apache.jackrabbit.core.security.principal.PrincipalIteratorAdapter;
@@ -42,24 +64,6 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import javax.jcr.AccessDeniedException;
-import javax.jcr.Credentials;
-import javax.jcr.Repository;
-import javax.jcr.RepositoryException;
-import javax.jcr.Session;
-import javax.jcr.UnsupportedRepositoryOperationException;
-import javax.jcr.SimpleCredentials;
-import javax.security.auth.Subject;
-import java.security.Principal;
-import java.security.acl.Group;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.Properties;
-import java.util.Set;
-import java.util.Iterator;
-
 /**
  * <code>SimpleSecurityManager</code>: simple implementation ignoring both
  * configuration entries for 'principalProvider' and for 'workspaceAccessManager'.
@@ -85,6 +89,11 @@
     private PrincipalProviderRegistry principalProviderRegistry;
 
     /**
+     * The workspace access manager
+     */
+    private WorkspaceAccessManager workspaceAccessManager;
+
+    /**
      * factory for login-context {@see Repository#login())
      */
     private AuthContextProvider authCtxProvider;
@@ -92,6 +101,20 @@
     private String adminID;
     private String anonymID;
 
+    /**
+     * Always returns <code>null</code>. AccessControlProvider configuration
+     * is ignored with this security manager. Subclasses may overwrite this
+     * lazy behavior that originates from the <code>SimpleAccessManager</code>.
+     *
+     * @param systemSession The system session used to init the security manager.
+     * @param workspaceName The name of the workspace for which the provider
+     * should be retrieved.
+     * @return Always returns <code>null</code>.
+     */
+    protected AccessControlProvider getAccessControlProvider(Session systemSession, String workspaceName) {
+        return null;
+    }
+
     //------------------------------------------< JackrabbitSecurityManager >---
     /**
      * @see JackrabbitSecurityManager#init(Repository, Session)
@@ -122,13 +145,13 @@
 
         Properties[] moduleConfig = authCtxProvider.getModuleConfig();
 
-        // retrieve default-ids (admin and anomymous) from login-module-configuration.
-        for (int i = 0; i < moduleConfig.length; i++) {
-            if (moduleConfig[i].containsKey(LoginModuleConfig.PARAM_ADMIN_ID)) {
-                adminID = moduleConfig[i].getProperty(LoginModuleConfig.PARAM_ADMIN_ID);
+        // retrieve default-ids (admin and anonymous) from login-module-configuration.
+        for (Properties aModuleConfig1 : moduleConfig) {
+            if (aModuleConfig1.containsKey(LoginModuleConfig.PARAM_ADMIN_ID)) {
+                adminID = aModuleConfig1.getProperty(LoginModuleConfig.PARAM_ADMIN_ID);
             }
-            if (moduleConfig[i].containsKey(LoginModuleConfig.PARAM_ANONYMOUS_ID)) {
-                anonymID = moduleConfig[i].getProperty(LoginModuleConfig.PARAM_ANONYMOUS_ID);
+            if (aModuleConfig1.containsKey(LoginModuleConfig.PARAM_ANONYMOUS_ID)) {
+                anonymID = aModuleConfig1.getProperty(LoginModuleConfig.PARAM_ANONYMOUS_ID);
             }
         }
         // fallback:
@@ -147,9 +170,19 @@
         // skip init of provider (nop)
         principalProviderRegistry = new ProviderRegistryImpl(principalProvider);
         // register all configured principal providers.
-        for (int i = 0; i < moduleConfig.length; i++) {
-            principalProviderRegistry.registerProvider(moduleConfig[i]);
+        for (Properties aModuleConfig : moduleConfig) {
+            principalProviderRegistry.registerProvider(aModuleConfig);
+        }
+
+        SecurityManagerConfig smc = config.getSecurityManagerConfig();
+        if (smc != null && smc.getWorkspaceAccessConfig() != null) {
+            workspaceAccessManager = (WorkspaceAccessManager) smc.getWorkspaceAccessConfig().newInstance();
+        } else {
+            // fallback -> the default simple implementation
+            log.debug("No WorkspaceAccessManager configured; using default.");
+            workspaceAccessManager = new SimpleWorkspaceAccessManager();
         }
+        workspaceAccessManager.init(systemSession);
 
         initialized = true;
     }
@@ -175,6 +208,9 @@
     public AccessManager getAccessManager(Session session, AMContext amContext) throws RepositoryException {
         checkInitialized();
         try {
+            String wspName = session.getWorkspace().getName();
+            AccessControlProvider acP = getAccessControlProvider(systemSession, wspName);
+
             AccessManagerConfig amc = config.getAccessManagerConfig();
             AccessManager accessMgr;
             if (amc == null) {
@@ -182,7 +218,7 @@
             } else {
                 accessMgr = (AccessManager) amc.newInstance();
             }
-            accessMgr.init(amContext);
+            accessMgr.init(amContext, acP, workspaceAccessManager);
             return accessMgr;
         } catch (AccessDeniedException ade) {
             // re-throw
@@ -223,9 +259,9 @@
     public String getUserID(Subject subject) throws RepositoryException {
         String uid = null;
         // if SimpleCredentials are present, the UserID can easily be retrieved.
-        Iterator creds = subject.getPublicCredentials(SimpleCredentials.class).iterator();
+        Iterator<SimpleCredentials> creds = subject.getPublicCredentials(SimpleCredentials.class).iterator();
         if (creds.hasNext()) {
-            SimpleCredentials sc = (SimpleCredentials) creds.next();
+            SimpleCredentials sc = creds.next();
             uid = sc.getUserID();
         } else if (anonymID != null && !subject.getPrincipals(AnonymousPrincipal.class).isEmpty()) {
             uid = anonymID;
@@ -233,8 +269,7 @@
             // assume that UserID and principal name
             // are the same (not totally correct) and thus return the name
             // of the first non-group principal.
-            for (Iterator it = subject.getPrincipals().iterator(); it.hasNext();) {
-                Principal p = (Principal) it.next();
+            for (Principal p : subject.getPrincipals()) {
                 if (!(p instanceof Group)) {
                     uid = p.getName();
                     break;
@@ -271,7 +306,7 @@
      */
     private class SimplePrincipalProvider implements PrincipalProvider {
 
-        private final Map principals = new HashMap();
+        private final Map<String, Principal> principals = new HashMap<String, Principal>();
 
         private SimplePrincipalProvider() {
             if (adminID != null) {
@@ -287,7 +322,7 @@
 
         public Principal getPrincipal(String principalName) {
             if (principals.containsKey(principalName)) {
-                return (Principal) principals.get(principalName);
+                return principals.get(principalName);
             } else {
                 return new UserPrincipal(principalName);
             }
@@ -316,7 +351,7 @@
                     it = new PrincipalIteratorAdapter(Collections.singletonList(EveryonePrincipal.getInstance()));
                     break;
                 case PrincipalManager.SEARCH_TYPE_NOT_GROUP:
-                    Set set = new HashSet(principals.values());
+                    Set<Principal> set = new HashSet<Principal>(principals.values());
                     set.remove(EveryonePrincipal.getInstance());
                     it = new PrincipalIteratorAdapter(set);
                     break;



Mime
View raw message