jackrabbit-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1082239 [1/2] - in /jackrabbit/trunk/jackrabbit-core/src: main/java/org/apache/jackrabbit/core/ main/java/org/apache/jackrabbit/core/security/ main/java/org/apache/jackrabbit/core/security/authorization/ main/java/org/apache/jackrabbit/cor...
Date Wed, 16 Mar 2011 18:07:08 GMT
Author: angela
Date: Wed Mar 16 18:07:07 2011
New Revision: 1082239

URL: http://svn.apache.org/viewvc?rev=1082239&view=rev
Log:
JCR-2887 : Split PrivilegeRegistry in a per-session manager instance and a repository level registry [work in progress]

Modified:
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SystemSession.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractAccessControlProvider.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractCompiledPermissions.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlEntryImpl.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/CompiledPermissions.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/Permission.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PrivilegeManagerImpl.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistry.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/CompiledPermissionsImpl.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedProvider.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.java
    jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/user/UserAccessControlProvider.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractEntryTest.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/PrivilegeManagerImplTest.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistryTest.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/acl/EntryTest.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/principalbased/EntryTest.java
    jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/user/UserAccessControlProviderTest.java

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SystemSession.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SystemSession.java?rev=1082239&r1=1082238&r2=1082239&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SystemSession.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SystemSession.java Wed Mar 16 18:07:07 2011
@@ -280,7 +280,7 @@ class SystemSession extends SessionImpl 
         public Privilege[] getPrivileges(String absPath)
                 throws PathNotFoundException, RepositoryException {
             checkValidNodePath(absPath);
-            return new Privilege[] {getPrivilegeManager().getPrivilege(Privilege.JCR_ALL)};
+            return new Privilege[] {privilegeFromName(Privilege.JCR_ALL)};
         }
 
         /**

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java?rev=1082239&r1=1082238&r2=1082239&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/DefaultAccessManager.java Wed Mar 16 18:07:07 2011
@@ -278,9 +278,8 @@ public class DefaultAccessManager extend
             log.debug("No privileges passed -> allowed.");
             return true;
         } else {
-            int privs = ((PrivilegeManagerImpl) privilegeManager).getBits(privileges);
             Path p = resolver.getQPath(absPath);
-            return (compiledPermissions.getPrivileges(p) | ~privs) == -1;
+            return compiledPermissions.hasPrivileges(p, privileges);
         }
     }
 
@@ -290,10 +289,8 @@ public class DefaultAccessManager extend
     public Privilege[] getPrivileges(String absPath) throws PathNotFoundException, RepositoryException {
         checkInitialized();
         checkValidNodePath(absPath);
-        int bits = compiledPermissions.getPrivileges(resolver.getQPath(absPath));
-        return (bits == PrivilegeRegistry.NO_PRIVILEGE) ?
-                new Privilege[0] :
-                ((PrivilegeManagerImpl) privilegeManager).getPrivileges(bits);
+        Set<Privilege> privs = compiledPermissions.getPrivilegeSet(resolver.getQPath(absPath));
+        return privs.toArray(new Privilege[privs.size()]);
     }
 
     /**
@@ -415,11 +412,10 @@ public class DefaultAccessManager extend
             log.debug("No privileges passed -> allowed.");
             return true;
         } else {
-            int privs = ((PrivilegeManagerImpl) privilegeManager).getBits(privileges);
             Path p = resolver.getQPath(absPath);
             CompiledPermissions perms = acProvider.compilePermissions(principals);
             try {
-                return (perms.getPrivileges(p) | ~privs) == -1;
+                return perms.hasPrivileges(p, privileges);
             } finally {
                 perms.close();
             }
@@ -436,10 +432,8 @@ public class DefaultAccessManager extend
 
         CompiledPermissions perms = acProvider.compilePermissions(principals);
         try {
-            int bits = perms.getPrivileges(resolver.getQPath(absPath));
-            return (bits == PrivilegeRegistry.NO_PRIVILEGE) ?
-                    new Privilege[0] :
-                    ((PrivilegeManagerImpl) privilegeManager).getPrivileges(bits);
+            Set<Privilege> privs = perms.getPrivilegeSet(resolver.getQPath(absPath));
+            return privs.toArray(new Privilege[privs.size()]);
         } finally {
             perms.close();
         }

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractAccessControlProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractAccessControlProvider.java?rev=1082239&r1=1082238&r2=1082239&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractAccessControlProvider.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractAccessControlProvider.java Wed Mar 16 18:07:07 2011
@@ -17,6 +17,7 @@
 package org.apache.jackrabbit.core.security.authorization;
 
 import java.security.Principal;
+import java.util.Collections;
 import java.util.Map;
 import java.util.Set;
 
@@ -78,6 +79,14 @@ public abstract class AbstractAccessCont
     }
 
     /**
+     * @return the PrivilegeManager
+     * @throws RepositoryException
+     */
+    protected PrivilegeManagerImpl getPrivilegeManagerImpl() throws RepositoryException {
+        return (PrivilegeManagerImpl) ((JackrabbitWorkspace) session.getWorkspace()).getPrivilegeManager();
+    }
+
+    /**
      * Returns compiled permissions for the administrator i.e. permissions
      * that grants everything and returns the int representation of {@link Privilege#JCR_ALL}
      * upon {@link CompiledPermissions#getPrivileges(Path)} for all
@@ -96,14 +105,24 @@ public abstract class AbstractAccessCont
                 return true;
             }
             public int getPrivileges(Path absPath) throws RepositoryException {
-                return getPrivilegeManagerImpl().getBits(new String[] {Privilege.JCR_ALL});
+                return getPrivilegeManagerImpl().getBits(new Privilege[] {getAllPrivilege()});
+            }
+            public boolean hasPrivileges(Path absPath, Privilege[] privileges) {
+                return true;
+            }
+            public Set<Privilege> getPrivilegeSet(Path absPath) throws RepositoryException {
+                return Collections.singleton(getAllPrivilege());
             }
             public boolean canReadAll() {
                 return true;
             }
-            public boolean canRead(Path itemPath, ItemId itemId) throws RepositoryException {
+            public boolean canRead(Path itemPath, ItemId itemId) {
                 return true;
             }
+
+            private Privilege getAllPrivilege() throws RepositoryException {
+                return getPrivilegeManagerImpl().getPrivilege(Privilege.JCR_ALL);
+            }
         };
     }
 
@@ -131,7 +150,21 @@ public abstract class AbstractAccessCont
                 if (isAcItem(absPath)) {
                     return PrivilegeRegistry.NO_PRIVILEGE;
                 } else {
-                    return getPrivilegeManagerImpl().getBits(new String[] {Privilege.JCR_READ});
+                    return getPrivilegeManagerImpl().getBits(new Privilege[] {getReadPrivilege()});
+                }
+            }
+            public boolean hasPrivileges(Path absPath, Privilege[] privileges) throws RepositoryException {
+                if (isAcItem(absPath)) {
+                    return false;
+                } else {
+                    return privileges != null && privileges.length == 1 && getReadPrivilege().equals(privileges[0]);
+                }
+            }
+            public Set<Privilege> getPrivilegeSet(Path absPath) throws RepositoryException {
+                if (isAcItem(absPath)) {
+                    return Collections.emptySet();
+                } else {
+                    return Collections.singleton(getReadPrivilege());
                 }
             }
             public boolean canReadAll() {
@@ -144,12 +177,13 @@ public abstract class AbstractAccessCont
                     return !isAcItem(session.getItemManager().getItem(itemId));
                 }
             }
+
+            private Privilege getReadPrivilege() throws RepositoryException {
+                return getPrivilegeManagerImpl().getPrivilege(Privilege.JCR_READ);
+            }
         };
     }
 
-    private PrivilegeManagerImpl getPrivilegeManagerImpl() throws RepositoryException {
-        return (PrivilegeManagerImpl) ((JackrabbitWorkspace) session.getWorkspace()).getPrivilegeManager();
-    }
     //-------------------------------------------------< AccessControlUtils >---
     /**
      * @see org.apache.jackrabbit.core.security.authorization.AccessControlUtils#isAcItem(Path)

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractCompiledPermissions.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractCompiledPermissions.java?rev=1082239&r1=1082238&r2=1082239&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractCompiledPermissions.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AbstractCompiledPermissions.java Wed Mar 16 18:07:07 2011
@@ -20,7 +20,13 @@ import org.apache.commons.collections.ma
 import org.apache.jackrabbit.spi.Path;
 
 import javax.jcr.RepositoryException;
+import javax.jcr.security.AccessControlException;
+import javax.jcr.security.Privilege;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
 import java.util.Map;
+import java.util.Set;
 
 /**
  * <code>AbstractCompiledPermissions</code>...
@@ -63,6 +69,12 @@ public abstract class AbstractCompiledPe
     protected abstract Result buildResult(Path absPath) throws RepositoryException;
 
     /**
+     * 
+     * @return
+     */
+    protected abstract PrivilegeManagerImpl getPrivilegeManagerImpl() throws RepositoryException;
+
+    /**
      * Removes all entries from the cache.
      */
     protected void clearCache() {
@@ -71,6 +83,23 @@ public abstract class AbstractCompiledPe
         }
     }
 
+    /**
+     * Adds the given <code>privileges</code> to the specified
+     * <code>target</code> set if they are not present in the specified
+     * <code>complement</code> set.
+     * 
+     * @param privileges
+     * @param target
+     * @param complement
+     */
+    protected static void updatePrivileges(Collection<Privilege> privileges, Set<Privilege> target, Set<Privilege> complement) {
+        for (Privilege p : privileges) {
+            if (!complement.contains(p)) {
+                target.add(p);
+            }
+        }
+    }
+
     //------------------------------------------------< CompiledPermissions >---
     /**
      * @see CompiledPermissions#close()
@@ -94,6 +123,50 @@ public abstract class AbstractCompiledPe
     }
 
     /**
+     * @see CompiledPermissions#hasPrivileges(Path, Privilege[])
+     */
+    public boolean hasPrivileges(Path absPath, Privilege[] privileges) throws RepositoryException {
+        Result result = getResult(absPath);
+        int builtin = getPrivilegeManagerImpl().getBits(privileges);
+
+        if ((result.allowPrivileges | ~builtin) == -1) {
+            // in addition check all custom privileges
+            for (Privilege p : privileges) {
+                if (getPrivilegeManagerImpl().isCustomPrivilege(p)) {
+                    if (!result.customAllow.contains(p)) {
+                        if (p.isAggregate()) {
+                            // test if aggregated privs were granted individually.
+                            for (Privilege aggr : p.getAggregatePrivileges()) {
+                                if (!aggr.isAggregate() && !result.customAllow.contains(aggr)) {
+                                    // an aggregated custom priv is not allowed -> return false
+                                    return false;
+                                }
+                            }
+                        } else {
+                            // simple custom allow not allowed -> return false
+                            return false;
+                        }
+                    } // else: custom privilege allowed -> continue.
+                } // else: not a custom priv -> already covered.
+            }
+            return true;
+        } else {
+            return false;
+        }
+    }
+
+    /**
+     * @see CompiledPermissions#getPrivilegeSet(Path)
+     */
+    public Set<Privilege> getPrivilegeSet(Path absPath) throws RepositoryException {
+        Result result = getResult(absPath);
+        Set<Privilege> privileges = new HashSet<Privilege>();
+        privileges.addAll(getPrivilegeManagerImpl().getPrivileges(result.getPrivileges()));
+        privileges.addAll(result.customAllow);
+        return privileges;
+    }
+
+    /**
      * @see CompiledPermissions#canReadAll()
      */
     public boolean canReadAll() throws RepositoryException {
@@ -102,7 +175,7 @@ public abstract class AbstractCompiledPe
 
     //--------------------------------------------------------< inner class >---
     /**
-     *
+     * Result of permission (and optionally privilege) evaluation for a given path.
      */
     public static class Result {
 
@@ -113,13 +186,24 @@ public abstract class AbstractCompiledPe
         private final int allowPrivileges;
         private final int denyPrivileges;
 
+        private final Set<Privilege> customAllow;
+        private final Set<Privilege> customDeny;
+
         private int hashCode = -1;
 
         public Result(int allows, int denies, int allowPrivileges, int denyPrivileges) {
+            this(allows, denies, allowPrivileges, denyPrivileges, Collections.<Privilege>emptySet(), Collections.<Privilege>emptySet());
+        }
+
+        public Result(int allows, int denies, int allowPrivileges, int denyPrivileges,
+                      Set<Privilege> customAllow, Set<Privilege> customDeny) {
             this.allows = allows;
             this.denies = denies;
             this.allowPrivileges = allowPrivileges;
             this.denyPrivileges = denyPrivileges;
+
+            this.customAllow = customAllow;
+            this.customDeny = customDeny;
         }
 
         public boolean grants(int permissions) {
@@ -135,7 +219,15 @@ public abstract class AbstractCompiledPe
             int cDenies = denies | Permission.diff(other.denies, allows);
             int cAPrivs = allowPrivileges | Permission.diff(other.allowPrivileges, denyPrivileges);
             int cDPrivs = denyPrivileges | Permission.diff(other.denyPrivileges, allowPrivileges);
-            return new Result(cAllows, cDenies, cAPrivs, cDPrivs);
+
+            Set<Privilege> combinedAllow = new HashSet<Privilege>();
+            combinedAllow.addAll(customAllow);
+            updatePrivileges(other.customAllow, combinedAllow, customDeny);
+
+            Set<Privilege> combinedDeny = new HashSet<Privilege>();
+            combinedDeny.addAll(customDeny);
+            updatePrivileges(other.customDeny, combinedDeny, customAllow);
+            return new Result(cAllows, cDenies, cAPrivs, cDPrivs, customAllow, customDeny);
         }
 
         /**
@@ -149,6 +241,8 @@ public abstract class AbstractCompiledPe
                 h = 37 * h + denies;
                 h = 37 * h + allowPrivileges;
                 h = 37 * h + denyPrivileges;
+                h = 37 * h + customAllow.hashCode();
+                h = 37 * h + customDeny.hashCode();
                 hashCode = h;
             }
             return hashCode;
@@ -167,7 +261,9 @@ public abstract class AbstractCompiledPe
                 return allows == other.allows &&
                        denies == other.denies &&
                        allowPrivileges == other.allowPrivileges &&
-                       denyPrivileges == other.denyPrivileges;
+                       denyPrivileges == other.denyPrivileges &&
+                       customAllow.equals(other.customAllow) &&
+                       customDeny.equals(other.customDeny);
             }
             return false;
         }

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlEntryImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlEntryImpl.java?rev=1082239&r1=1082238&r2=1082239&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlEntryImpl.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/AccessControlEntryImpl.java Wed Mar 16 18:07:07 2011
@@ -30,7 +30,9 @@ import javax.jcr.security.Privilege;
 import java.security.Principal;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Map;
+import java.util.Set;
 
 /**
  * Simple, immutable implementation of the
@@ -40,12 +42,12 @@ import java.util.Map;
 public abstract class AccessControlEntryImpl implements JackrabbitAccessControlEntry {
 
     /**
-     * Privileges contained in this entry
+     * All privileges contained in this entry
      */
     private final Privilege[] privileges;
 
     /**
-     * PrivilegeBits calculated from the privileges
+     * PrivilegeBits calculated from built-in privileges
      */
     private final int privilegeBits;
 
@@ -72,6 +74,12 @@ public abstract class AccessControlEntry
     private int hashCode = -1;
 
     /**
+     * Calculated set of non-aggregate custom privileges (see also privilegeBits
+     * above for the built-in privileges) used upon ac evaluation.
+     */
+    private Set<Privilege> customPrivs;
+
+    /**
      * Construct an access control entry for the given principal and privileges.
      *
      * @param principal Principal for this access control entry.
@@ -128,31 +136,20 @@ public abstract class AccessControlEntry
     }
 
     /**
-     * 
+     *
      * @param base
      * @param privileges
      * @param isAllow
      * @throws AccessControlException
      */
-    protected AccessControlEntryImpl(AccessControlEntryImpl base, Privilege[] privileges, boolean isAllow) throws AccessControlException {
-        // make sure no abstract privileges are passed.
-        for (Privilege privilege : privileges) {
-            if (privilege.isAbstract()) {
-                throw new AccessControlException("Privilege " + privilege + " is abstract.");
-            }
-        }
-        this.principal = base.principal;
-        this.privileges = privileges;
-        this.privilegeBits = getPrivilegeManager().getBits(privileges);
-        this.allow = isAllow;
+    protected AccessControlEntryImpl(AccessControlEntryImpl base, Privilege[] privileges, boolean isAllow)
+            throws AccessControlException, RepositoryException {
+        this(base.principal, privileges, isAllow, (base.restrictions.isEmpty()) ? null : Collections.<String, Value>emptyMap());
 
-        if (base.restrictions == null) {
-            this.restrictions = Collections.emptyMap();
-        } else {
-            this.restrictions = new HashMap<Name, Value>(base.restrictions.size());
+        if (!base.restrictions.isEmpty()) {
             // validate the passed restrictions and fill the map
-            for (Name name : restrictions.keySet()) {
-                Value value = restrictions.get(name);
+            for (Name name : base.restrictions.keySet()) {
+                Value value = base.restrictions.get(name);
                 value = ValueHelper.copy(value, getValueFactory());
                 this.restrictions.put(name, value);
             }
@@ -160,13 +157,42 @@ public abstract class AccessControlEntry
     }
     
     /**
-     * @return the int representation of the privileges defined for this entry.
+     * @return the permission bits that correspond to the privileges defined by this entry.
      */
     public int getPrivilegeBits() {
         return privilegeBits;
     }
 
     /**
+     * @return A collection of all non-aggregate custom privileges defined by
+     * this entry including those contained in the aggregated custom privileges.
+     */
+    public Set<Privilege> getCustomPrivileges() {
+        if (customPrivs == null) {
+            customPrivs = new HashSet<Privilege>();
+            for (Privilege p : privileges) {
+                try {
+                    if (getPrivilegeManager().isCustomPrivilege(p)) {
+                        if (p.isAggregate()) {
+                            for (Privilege aggr : p.getAggregatePrivileges()) {
+                                if (!aggr.isAggregate()) {
+                                    customPrivs.add(p);
+                                }
+                            }
+                        } else {
+                            customPrivs.add(p);
+
+                        }
+                    }
+                } catch (AccessControlException e) {
+                    // ignore.
+                }
+            }
+        }
+        return customPrivs;
+    }
+
+    /**
      * Returns <code>true</code> if this ACE defines any restriction.
      *
      * @return <code>true</code> if this ACE defines any restriction;
@@ -216,7 +242,9 @@ public abstract class AccessControlEntry
     protected int buildHashCode() {
         int h = 17;
         h = 37 * h + principal.getName().hashCode();
-        h = 37 * h + privilegeBits;
+        for (Privilege p : privileges) {
+            h = 37 * h + p.hashCode();
+        }
         h = 37 * h + Boolean.valueOf(allow).hashCode();
         h = 37 * h + restrictions.hashCode();
         return h;
@@ -287,11 +315,19 @@ public abstract class AccessControlEntry
             return true;
         }
         if (obj instanceof AccessControlEntryImpl) {
-            AccessControlEntryImpl tmpl = (AccessControlEntryImpl) obj;
-            return principal.getName().equals(tmpl.principal.getName()) &&
-                   privilegeBits == tmpl.privilegeBits && allow == tmpl.allow &&
-                   restrictions.equals(tmpl.restrictions);
+            AccessControlEntryImpl other = (AccessControlEntryImpl) obj;
+            return principal.getName().equals(other.principal.getName()) &&
+                   privilegeBits == other.privilegeBits &&
+                   allow == other.allow &&
+                   restrictions.equals(other.restrictions) &&
+                   equalCustomPrivileges(other);
         }
         return false;
     }
+
+    private boolean equalCustomPrivileges(AccessControlEntryImpl other) {
+        Set<Privilege> a1 = getCustomPrivileges();
+        Set<Privilege> a2 = other.getCustomPrivileges();
+        return a1.size() == a2.size() && a1.containsAll(a2);
+    }
 }
\ No newline at end of file

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/CompiledPermissions.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/CompiledPermissions.java?rev=1082239&r1=1082238&r2=1082239&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/CompiledPermissions.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/CompiledPermissions.java Wed Mar 16 18:07:07 2011
@@ -20,6 +20,9 @@ import org.apache.jackrabbit.spi.Path;
 import org.apache.jackrabbit.core.id.ItemId;
 
 import javax.jcr.RepositoryException;
+import javax.jcr.security.Privilege;
+import java.util.Collections;
+import java.util.Set;
 
 /**
  * <code>CompiledPermissions</code> represents the evaluation of an
@@ -52,17 +55,38 @@ public interface CompiledPermissions {
 
     /**
      * Returns the <code>Privilege</code> bits granted by the underlying policy
-     * if the given <code>absPath</code> denotes an existing <code>Node</code>,
-     * otherwise it returns zero.
+     * if the given <code>absPath</code>.
      *
      * @param absPath Absolute path to a <code>Node</code>.
-     * @return the granted privileges at <code>absPath</code> or zero if
-     * the path does not denote an existing <code>Node</code>.
+     * @return the granted privileges at <code>absPath</code>.
      * @throws RepositoryException if an error occurs
+     * @deprecated Use {@link #getPrivilegeSet(Path)} instead.
      */
     int getPrivileges(Path absPath) throws RepositoryException;
 
     /**
+     * Returns <code>true</code> if the given privileges are granted at the
+     * specified <code>absPath</code>.
+     *
+     * @param absPath
+     * @param privileges
+     * @return <code>true</code> if the given privileges are granted at the
+     * specified <code>absPath</code>.
+     * @throws RepositoryException
+     */
+    boolean hasPrivileges(Path absPath, Privilege[] privileges) throws RepositoryException;
+
+    /**
+     * Returns the <code>Privilege</code>s granted by the underlying policy
+     * at the given <code>absPath</code>.
+     *
+     * @param absPath Absolute path to a <code>Node</code>.
+     * @return the granted privileges at <code>absPath</code>.
+     * @throws RepositoryException if an error occurs
+     */
+    Set<Privilege> getPrivilegeSet(Path absPath) throws RepositoryException;
+
+    /**
      * Returns <code>true</code> if READ permission is granted everywhere.
      * This method acts as shortcut for {@link #grants(Path, int)} where
      * permissions is {@link Permission#READ} and allows to shorten the
@@ -110,6 +134,14 @@ public interface CompiledPermissions {
         public int getPrivileges(Path absPath) {
             return PrivilegeRegistry.NO_PRIVILEGE;
         }
+
+        public boolean hasPrivileges(Path absPath, Privilege[] privileges) throws RepositoryException {
+            return false;
+        }
+        public Set<Privilege> getPrivilegeSet(Path absPath) throws RepositoryException {
+            return Collections.emptySet();
+        }
+
         public boolean canReadAll() {
             return false;
         }

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/Permission.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/Permission.java?rev=1082239&r1=1082238&r2=1082239&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/Permission.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/Permission.java Wed Mar 16 18:07:07 2011
@@ -55,9 +55,9 @@ public final class Permission {
      * Returns those bits from <code>permissions</code> that are not present in
      * the <code>otherPermissions</code>, i.e. subtracts the other permissions
      * from permissions.<br>
-     * If the specified <code>otherBits</code> do not intersect with
-     * <code>bits</code>,  <code>bits</code> are returned.<br>
-     * If <code>bits</code> is included <code>otherBits</code>,
+     * If the specified <code>otherPermissions</code> do not intersect with
+     * <code>permissions</code>,  <code>permissions</code> are returned.<br>
+     * If <code>permissions</code> is included in <code>otherPermissions</code>,
      * {@link #NONE} is returned.
      *
      * @param permissions

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PrivilegeManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PrivilegeManagerImpl.java?rev=1082239&r1=1082238&r2=1082239&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PrivilegeManagerImpl.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PrivilegeManagerImpl.java Wed Mar 16 18:07:07 2011
@@ -19,7 +19,6 @@ package org.apache.jackrabbit.core.secur
 import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
 import org.apache.jackrabbit.core.SessionImpl;
 import org.apache.jackrabbit.spi.Name;
-import org.apache.jackrabbit.spi.commons.conversion.IllegalNameException;
 import org.apache.jackrabbit.spi.commons.conversion.NameResolver;
 import org.apache.jackrabbit.spi.commons.name.NameConstants;
 import org.slf4j.Logger;
@@ -50,7 +49,7 @@ public final class PrivilegeManagerImpl 
     private static final Privilege[] EMPTY_ARRAY = new Privilege[0];
 
     /**
-     * 
+     * The privilege registry
      */
     private final PrivilegeRegistry registry;
 
@@ -79,9 +78,7 @@ public final class PrivilegeManagerImpl 
 
     //---------------------------------------------------< PrivilegeManager >---
     /**
-     * Returns all registered privileges.
-     *
-     * @return all registered privileges.
+     * @see PrivilegeManager#getRegisteredPrivileges()
      */
     public Privilege[] getRegisteredPrivileges() throws RepositoryException {
         PrivilegeRegistry.Definition[] allDefs = registry.getAll();
@@ -98,12 +95,7 @@ public final class PrivilegeManagerImpl 
     }
 
     /**
-     * Returns the privilege with the specified <code>privilegeName</code>.
-     *
-     * @param privilegeName Name of the principal.
-     * @return the privilege with the specified <code>privilegeName</code>.
-     * @throws javax.jcr.security.AccessControlException If no privilege with the given name exists.
-     * @throws javax.jcr.RepositoryException If another error occurs.
+     * @see PrivilegeManager#getPrivilege(String)
      */
     public Privilege getPrivilege(String privilegeName) throws AccessControlException, RepositoryException {
         Name name = resolver.getQName(privilegeName);
@@ -120,14 +112,14 @@ public final class PrivilegeManagerImpl 
      * <li>the namespace URI must be a valid, registered namespace excluding
      * those namespaces marked as being reserved</li>
      * <li>an aggregate custom privilege is valid if all declared aggregate
-     * names can be resolved to registered privileges and if there exists no
-     * registered privilege with the same aggregated privileges.</li>
+     * names can be resolved to registered custom privileges and if there exists
+     * no registered privilege with the same aggregated privileges.</li>
      * </ul>
      *
      * <strong>Please note</strong><br>
      * Custom privilege(s) will not be enforced for any kind of repository
      * operations. Those are exclusively covered by the built-in privileges.
-     * This also implies that the {@link Permission}s are not effected by
+     * This also implies that the {@link Permission}s are not affected by
      * custom privileges.<p/>
      * Applications making use of the custom privilege(s) are in charge of
      * asserting whether the privileges are granted/denied according to their
@@ -143,6 +135,7 @@ public final class PrivilegeManagerImpl 
      * for isn't the administrator.
      * @throws RepositoryException If the privilege could not be registered due
      * to constraint violations or if persisting the custom privilege fails.
+     * @see PrivilegeManager#registerPrivilege(String, boolean, String[])
      */
     public Privilege registerPrivilege(String privilegeName, boolean isAbstract,
                                        String[] declaredAggregateNames)
@@ -167,59 +160,50 @@ public final class PrivilegeManagerImpl 
         return getPrivilege(privilegeName);
     }
 
-    //-----------------------------< implementation specific public methods >---
+    //-----------------------------< implementation specific public methods >---       
+    /**
+     * Returns <code>true</code> if the specified privilege is a custom
+     * privilege that has been
+     * {@link #registerPrivilege(String, boolean, String[]) registered} before.
+     *
+     * @param privilege
+     * @return <code>true</code> if the specified privilege is a custom
+     * privilege; <code>false</code> otherwise.
+     * @throws AccessControlException If the specified privilege is
+     * <code>null</code> or unknown to this manager.
+     */
+    public boolean isCustomPrivilege(Privilege privilege) throws AccessControlException {
+        if (privilege instanceof PrivilegeImpl) {
+            return ((PrivilegeImpl) privilege).definition.isCustom();
+        } else {
+            throw new AccessControlException("Invalid privilege instance.");
+        }
+    }
+
     /**
      * @param privileges An array of privileges.
-     * @return The privilege bits.
+     * @return The bits of the built-in privileges contained in the specified
+     * array.
      * @throws AccessControlException If the specified array is null, empty
      * or if it contains an unregistered privilege.
-     * @see #getPrivileges(int)
      */
     public int getBits(Privilege[] privileges) throws AccessControlException {
         if (privileges == null || privileges.length == 0) {
             throw new AccessControlException("Privilege array is empty or null.");
         }
-        int bits = PrivilegeRegistry.NO_PRIVILEGE;
-        for (Privilege priv : privileges) {
+        PrivilegeRegistry.Definition[] defs = new PrivilegeRegistry.Definition[privileges.length];
+        for (int i = 0; i < privileges.length; i++) {
+            Privilege priv = privileges[i];
             if (priv instanceof PrivilegeImpl) {
-                bits |= ((PrivilegeImpl) priv).definition.getBits();
+                defs[i] = ((PrivilegeImpl) priv).definition;
             } else {
                 throw new AccessControlException("Unknown privilege '" + priv.getName() + "'.");
             }
         }
-        return bits;
+        return registry.getBits(defs);
     }
 
     /**
-     * 
-     * @param privilegeNames
-     * @return
-     * @throws AccessControlException
-     * @throws RepositoryException
-     */
-    public int getBits(String[] privilegeNames) throws AccessControlException {
-        if (privilegeNames == null || privilegeNames.length == 0) {
-            throw new AccessControlException("Privilege name array is null or empty.");
-        }
-        int bits = PrivilegeRegistry.NO_PRIVILEGE;
-        for (String privName : privilegeNames) {
-            try {
-                PrivilegeRegistry.Definition def = registry.get(resolver.getQName(privName));
-                if (def == null) {
-                    throw new AccessControlException("Unknown privilege name '" + privName + "'.");
-                } else {
-                    bits |= def.getBits();
-                }
-            } catch (NamespaceException e) {
-                throw new AccessControlException("Invalid privilege name '" + privName + "'.");
-            } catch (IllegalNameException e) {
-                throw new AccessControlException("Invalid privilege name '" + privName + "'.");
-            }
-        }
-        return bits;
-    }
-        
-    /**
      * Returns an array of registered <code>Privilege</code>s. If the specified
      * <code>bits</code> represent a single registered privilege the returned array
      * contains a single element. Otherwise the returned array contains the
@@ -232,25 +216,31 @@ public final class PrivilegeManagerImpl 
      * <code>bits</code> or an empty array if <code>bits</code> cannot be
      * resolved to registered <code>Privilege</code>s.
      * @see #getBits(Privilege[])
-     * @see #getBits(String[])
      */
-    public Privilege[] getPrivileges(int bits) {
+    public Set<Privilege> getPrivileges(int bits) {
         Name[] names = registry.getNames(bits);
         if (names.length == 0) {
-            return EMPTY_ARRAY;
+            return Collections.emptySet();
         } else {
-            Privilege[] privs = new Privilege[names.length];
-            for (int i = 0; i < names.length; i++) {
+            Set<Privilege> privs = new HashSet<Privilege>(names.length);
+            for (Name n : names) {
                 try {
-                    privs[i] = getPrivilege(names[i]);
+                    privs.add(getPrivilege(n));
                 } catch (RepositoryException e) {
-                    log.error("Internal error: invalid privilege name " + names[i].toString());
+                    log.error("Internal error: invalid privilege name " + n.toString());
                 }
             }
             return privs;
         }
     }
 
+    //------------------------------------------------------------< private >---
+    /**
+     * @param name
+     * @return The privilege with the specified name.
+     * @throws AccessControlException
+     * @throws RepositoryException
+     */
     private Privilege getPrivilege(Name name) throws AccessControlException, RepositoryException {
         Privilege privilege;
         synchronized (cache) {
@@ -270,7 +260,6 @@ public final class PrivilegeManagerImpl 
     }
 
     //-----------------------------------------< PrivilegeRegistry.Listener >---
-
     /**
      * @see PrivilegeRegistry.Listener#privilegeRegistered(org.apache.jackrabbit.spi.Name)
      */
@@ -296,14 +285,14 @@ public final class PrivilegeManagerImpl 
         private PrivilegeImpl(PrivilegeRegistry.Definition definition) throws RepositoryException {
             this.definition = definition;
 
-            Name[] aggrNames = definition.getDeclaredAggregateNames();
-            if (aggrNames.length == 0) {
+            Name[] declAggrNames = definition.getDeclaredAggregateNames();
+            if (declAggrNames.length == 0) {
                 declaredAggregates = EMPTY_ARRAY;
                 aggregates = EMPTY_ARRAY;
             } else {
-                declaredAggregates = new Privilege[aggrNames.length];
-                for (int i = 0; i < aggrNames.length; i++) {
-                    declaredAggregates[i] = getPrivilege(aggrNames[i]);
+                declaredAggregates = new Privilege[declAggrNames.length];
+                for (int i = 0; i < declAggrNames.length; i++) {
+                    declaredAggregates[i] = getPrivilege(declAggrNames[i]);
                 }
 
                 Set<Privilege> aggr = new HashSet<Privilege>();

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistry.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistry.java?rev=1082239&r1=1082238&r2=1082239&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistry.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/PrivilegeRegistry.java Wed Mar 16 18:07:07 2011
@@ -29,6 +29,7 @@ import org.apache.jackrabbit.spi.Name;
 import org.apache.jackrabbit.spi.NameFactory;
 import org.apache.jackrabbit.spi.commons.conversion.DefaultNamePathResolver;
 import org.apache.jackrabbit.spi.commons.conversion.NameResolver;
+import org.apache.jackrabbit.spi.commons.iterator.Iterators;
 import org.apache.jackrabbit.spi.commons.name.NameConstants;
 import org.apache.jackrabbit.spi.commons.name.NameFactoryImpl;
 import org.apache.jackrabbit.util.Text;
@@ -71,6 +72,11 @@ public final class PrivilegeRegistry {
     public static final Name REP_WRITE_NAME = NAME_FACTORY.create(REP_WRITE);
 
     /**
+     * A custom privilege for which bits were not calculated
+     */
+    private static final int UNDEFINED = -1;
+
+    /**
      * No privileges 
      */
     public static final int NO_PRIVILEGE = 0;
@@ -122,8 +128,6 @@ public final class PrivilegeRegistry {
 
     private final NameResolver resolver;
 
-    private int nextBits = RETENTION_MNGMT << 1;
-
     public PrivilegeRegistry(NamespaceRegistry namespaceRegistry, FileSystem fs)
             throws RepositoryException {
 
@@ -133,7 +137,7 @@ public final class PrivilegeRegistry {
 
         try {
             Map<Name, DefinitionStub> customDefs = customPrivilegesStore.load();
-            Map<Name, Definition> definitions = createPrivilegeDefinitions(customDefs);
+            Map<Name, Definition> definitions = createCustomDefinitions(customDefs);
             registerDefinitions(definitions);
         } catch (IOException e) {
             throw new RepositoryException("Failed to load custom privileges", e);
@@ -203,15 +207,14 @@ public final class PrivilegeRegistry {
      * @deprecated Use {@link PrivilegeManagerImpl#getPrivileges(int)} instead.
      */
     public Privilege[] getPrivileges(int bits) {
-        return new PrivilegeManagerImpl(this, resolver).getPrivileges(bits);
+        Set<Privilege> prvs = new PrivilegeManagerImpl(this, resolver).getPrivileges(bits);
+        return prvs.toArray(new Privilege[prvs.size()]);
     }
 
     /**
      * Best effort approach to calculate bits for built-in privileges. Throws
      * <code>UnsupportedOperationException</code> if the workaround fails.
-     * Note, that the bits calculated for jcr:all does not include any
-     * registered custom privileges.
-     *
+     * 
      * @param privileges An array of privileges.
      * @return The privilege bits.
      * @throws AccessControlException If the specified array is null
@@ -228,7 +231,7 @@ public final class PrivilegeRegistry {
         lookup.put(Name.NS_REP_PREFIX, Name.NS_REP_URI);
         lookup.put(Name.NS_JCR_PREFIX, Name.NS_JCR_URI);
 
-        int bits = PrivilegeRegistry.NO_PRIVILEGE;
+        int bits = NO_PRIVILEGE;
         for (Privilege priv : privileges) {
             String prefix = Text.getNamespacePrefix(priv.getName());
             if (lookup.containsKey(prefix)) {
@@ -374,8 +377,8 @@ public final class PrivilegeRegistry {
             throw new UnsupportedOperationException("No privilege store defined.");
         }
         synchronized (registeredPrivileges) {
-            Map<Name, DefinitionStub> stubs = Collections.singletonMap(privilegeName, new DefinitionStub(privilegeName, isAbstract, declaredAggregateNames, true));
-            Map<Name, Definition> definitions = createPrivilegeDefinitions(stubs);
+            Map<Name, DefinitionStub> stubs = Collections.singletonMap(privilegeName, new DefinitionStub(privilegeName, isAbstract, declaredAggregateNames));
+            Map<Name, Definition> definitions = createCustomDefinitions(stubs);
             try {
                 // write the new custom privilege to the store and upon successful
                 // update of the file system resource add finally it to the map of
@@ -417,14 +420,38 @@ public final class PrivilegeRegistry {
     }
 
     /**
+     * Calculates the bits of the specified definitions. Note, that custom
+     * privileges don't have a integer representation as they are not used
+     * for permission calculation.
+     *
+     * @param defs
+     * @return
+     */
+    int getBits(Definition[] defs) {
+        int bits = NO_PRIVILEGE;
+        for (Definition def : defs) {
+            bits |= def.bits;
+        }
+        return bits;
+    }
+
+    /**
+     * Returns the names of the privileges identified by the specified bits.
+     * Note, that custom privileges don't have a integer representation as they
+     * are not used for permission calculation.
+     * 
      * @param bits The privilege bits.
      * @return Privilege names that corresponds to the given bits.
      */
     Name[] getNames(int bits) {
-        if (bitsToNames.containsKey(bits)) {
+        if (bits <= NO_PRIVILEGE) {
+            return Name.EMPTY_ARRAY;
+        } else if (bitsToNames.containsKey(bits)) {
+            // matches all built-in aggregates and single built-in privileges
             Set<Name> ips = bitsToNames.get(bits);
             return ips.toArray(new Name[ips.size()]);
         } else {
+            // bits are a combination of built-in privileges.
             Set<Name> names = new HashSet<Name>();
             if ((bits & READ) == READ) {
                 names.add(NameConstants.JCR_READ);
@@ -471,13 +498,6 @@ public final class PrivilegeRegistry {
                 names.add(NameConstants.JCR_RETENTION_MANAGEMENT);
             }
 
-            // include matching custom privilege names 
-            for (Definition def : registeredPrivileges.values()) {
-                if (def.isCustom && ((bits & def.bits) == def.bits)) {
-                    names.add(def.name);
-                }
-            }
-
             if (!names.isEmpty()) {
                 bitsToNames.put(bits, names);
             }
@@ -499,7 +519,9 @@ public final class PrivilegeRegistry {
     private void registerDefinitions(Map<Name, Definition> definitions) {
         registeredPrivileges.putAll(definitions);
         for (Definition def : definitions.values()) {
-            bitsToNames.put(def.bits, Collections.singleton(def.name));
+            if (def.bits > NO_PRIVILEGE) {
+                bitsToNames.put(def.bits, Collections.singleton(def.name));
+            }
         }
 
         if (!definitions.containsKey(NameConstants.JCR_ALL)) {
@@ -509,12 +531,7 @@ public final class PrivilegeRegistry {
             Set<Name> allAggrNames = all.declaredAggregateNames;
             allAggrNames.addAll(definitions.keySet());
 
-            int allBits = all.bits;
-            for (Definition def : definitions.values()) {
-                allBits |= def.bits;
-            }
-
-            all = new Definition(NameConstants.JCR_ALL, false, allAggrNames, allBits);
+            all = new Definition(NameConstants.JCR_ALL, false, allAggrNames, all.bits);
             registeredPrivileges.put(NameConstants.JCR_ALL, all);
             bitsToNames.put(all.bits, Collections.singleton(NameConstants.JCR_ALL));
         }
@@ -566,7 +583,7 @@ public final class PrivilegeRegistry {
 
     /**
      * Validates the specified <code>DefinitionStub</code>s and creates
-     * new <code>PrivilegeDefinition</code>s. The validation includes name
+     * new custom <code>PrivilegeDefinition</code>s. The validation includes name
      * validation and resolution of declared aggregate names. The latter
      * also includes checks to prevent cyclic aggregation.
      *  
@@ -574,7 +591,7 @@ public final class PrivilegeRegistry {
      * @return new privilege definitions.
      * @throws RepositoryException If any of the specified stubs is invalid.
      */
-    private Map<Name, Definition> createPrivilegeDefinitions(Map<Name, DefinitionStub> toRegister) throws RepositoryException {
+    private Map<Name, Definition> createCustomDefinitions(Map<Name, DefinitionStub> toRegister) throws RepositoryException {
         Map<Name, Definition> definitions = new HashMap<Name, Definition>(toRegister.size());
         Set<DefinitionStub> aggregates = new HashSet<DefinitionStub>();
 
@@ -598,7 +615,7 @@ public final class PrivilegeRegistry {
             // validate aggregates
             if (stub.declaredAggregateNames.isEmpty()) {
                 // not an aggregate priv definition.
-                definitions.put(name, new Definition(stub, nextBits()));
+                definitions.put(name, new Definition(stub, NO_PRIVILEGE));
             } else {
                 for (Name declaredAggregateName : stub.declaredAggregateNames) {
                     if (name.equals(declaredAggregateName)) {
@@ -629,16 +646,40 @@ public final class PrivilegeRegistry {
             // look for those definitions whose declared aggregates have all been processed.
             for (Iterator<DefinitionStub> itr = aggregates.iterator(); itr.hasNext();) {
                 DefinitionStub stub = itr.next();
-                int bts = getAggregateBits(stub.declaredAggregateNames, definitions);
-                if (bitsToNames.containsKey(bts) && bitsToNames.get(bts).size() == 1) {
-                    Name existingName = bitsToNames.get(bts).iterator().next();
-                    throw new RepositoryException("Custom aggregate privilege '" + stub.name + "' is already covered by '" + existingName.toString() + "'");
+
+                int bts = NO_PRIVILEGE;
+                for (Name n : stub.declaredAggregateNames) {
+                    Definition aggr = null;
+                    if (registeredPrivileges.containsKey(n)) {
+                        aggr = registeredPrivileges.get(n);
+                    } else if (definitions.containsKey(n)) {
+                        aggr = definitions.get(n);
+                    }
+
+                    if (aggr == null) {
+                        // unknown dependency
+                        bts = UNDEFINED;
+                        break;
+                    } else if (!aggr.isCustom()) {
+                        throw new RepositoryException("Custom privileges may only aggregate custom privileges.");
+                    } // else: a known custom privilege -> try next.
                 }
-                if (bts != NO_PRIVILEGE) {
+
+                if (bts == NO_PRIVILEGE) {
                     Definition def = new Definition(stub, bts);
+
+                    // final validation if a custom aggregated has not yet been defined.
+                    Iterator<Definition> it = Iterators.iteratorChain(registeredPrivileges.values().iterator(), definitions.values().iterator());
+                    while (it.hasNext()) {
+                        Definition d = it.next();
+                        if (isEquivalentAggregate(d, def, definitions)) {
+                            throw new RepositoryException("Custom aggregate privilege '" + def.name + "' is already defined by '"+ d.name+"'");
+                        }
+                    }
+
                     definitions.put(def.name, def);
                     itr.remove();
-                }
+                } // unresolvable bts -> postpone to next iterator.
             }
 
             if (cnt == aggregates.size()) {
@@ -650,41 +691,33 @@ public final class PrivilegeRegistry {
         return definitions;
     }
 
-    /**
-     *
-     * @return
-     */
-    private int nextBits() {
-        int b = nextBits;
-        nextBits = nextBits << 1;
-        return b;
-    }
-
-    /**
-     *
-     * @param declaredAggregateNames
-     * @param toRegister
-     * @return
-     */
-    private int getAggregateBits(Set<Name> declaredAggregateNames, Map<Name, Definition> toRegister) {
-        int bts = NO_PRIVILEGE;
-        for (Name n : declaredAggregateNames) {
-            if (registeredPrivileges.containsKey(n)) {
-                bts |= registeredPrivileges.get(n).bits;
-            } else if (toRegister.containsKey(n)) {
-                Definition def = toRegister.get(n);
-                if (def.bits == NO_PRIVILEGE) {
-                    // not yet processed dependency -> wait for next iteration.
-                    return NO_PRIVILEGE;
-                } else {
-                    bts |= def.bits;
-                }
+    private boolean isEquivalentAggregate(Definition d, Definition otherDef,
+                                          Map<Name, Definition> unregistered) {
+        // either of the definitions isn't an aggregate.
+        if (d.declaredAggregateNames.isEmpty() || otherDef.declaredAggregateNames.isEmpty()) {
+            return false;
+        }
+        // two aggregates that defined the same declared aggregate names
+        if (d.declaredAggregateNames.equals(otherDef.declaredAggregateNames)) {
+            return true;
+        }
+        // two aggregates that defined the same aggregation of simple definitions.
+        Set<Name> aggrNames = getAggrNames(d, unregistered);
+        Set<Name> otherAggrNames = getAggrNames(otherDef, unregistered);
+        return aggrNames.size() == otherAggrNames.size() && aggrNames.containsAll(otherAggrNames);
+    }
+
+    private Set<Name> getAggrNames(Definition def, Map<Name, Definition> unregistered) {
+        Set<Name> names = new HashSet<Name>();
+        for (Name n : def.declaredAggregateNames) {
+            Definition a = (unregistered.containsKey(n)) ? unregistered.get(n) : registeredPrivileges.get(n);
+            if (a.declaredAggregateNames.isEmpty()) {
+                names.add(a.name);
             } else {
-                // unknown dependency (should not get here)
-                return NO_PRIVILEGE;
+                names.addAll(getAggrNames(a, unregistered));
             }
         }
-        return bts;
+        return names;
     }
 
     /**
@@ -758,15 +791,13 @@ public final class PrivilegeRegistry {
         protected final Name name;
         protected final boolean isAbstract;
         protected final Set<Name> declaredAggregateNames;
-        protected final boolean isCustom;
-        
+
         private int hashCode;
 
-        private DefinitionStub(Name name, boolean isAbstract, Set<Name> declaredAggregateNames, boolean isCustom) {
+        private DefinitionStub(Name name, boolean isAbstract, Set<Name> declaredAggregateNames) {
             this.name = name;
             this.isAbstract = isAbstract;
             this.declaredAggregateNames = (declaredAggregateNames == null) ? Collections.<Name>emptySet() : declaredAggregateNames;
-            this.isCustom = isCustom;
         }
 
         //---------------------------------------------------------< Object >---
@@ -781,6 +812,8 @@ public final class PrivilegeRegistry {
                 int h = 17;
                 h = 37 * h + name.hashCode();
                 h = 37 * h + Boolean.valueOf(isAbstract).hashCode();
+                /* NOTE: evaluation of decl-aggr-names is sufficient as
+                   uniqueness is asserted upon registration */
                 h = 37 * h + declaredAggregateNames.hashCode();
                 hashCode = h;
             }
@@ -796,6 +829,8 @@ public final class PrivilegeRegistry {
                 DefinitionStub other = (DefinitionStub) obj;
                 return name.equals(other.name)
                         && isAbstract==other.isAbstract
+                        /* NOTE: comparison of decl-aggr-names is sufficient as
+                           uniqueness is asserted upon registration */
                         && declaredAggregateNames.equals(other.declaredAggregateNames);
             }
             return false;
@@ -810,30 +845,22 @@ public final class PrivilegeRegistry {
         private final int bits;
 
         private Definition(DefinitionStub stub, int bits) {
-            this(stub.name, stub.isAbstract, stub.declaredAggregateNames, bits, stub.isCustom);
+            this(stub.name, stub.isAbstract, stub.declaredAggregateNames, bits);
         }
 
         private Definition(Name name, boolean isAbstract, int bits) {
-            this(name, isAbstract, Collections.<Name>emptySet(), bits, false);
+            this(name, isAbstract, Collections.<Name>emptySet(), bits);
         }
 
         private Definition(Name name, boolean isAbstract, Set<Name> declaredAggregateNames, int bits) {
-            this(name, isAbstract, declaredAggregateNames, bits, false);
-        }
-
-        private Definition(Name name, boolean isAbstract, Set<Name> declaredAggregateNames, int bits, boolean isCustom) {
-            super(name, isAbstract, declaredAggregateNames, isCustom);
-            if (bits == NO_PRIVILEGE) {
+            super(name, isAbstract, declaredAggregateNames);
+            if (bits < NO_PRIVILEGE) {
                 throw new IllegalArgumentException("Failed to build int representation of PrivilegeDefinition.");
             } else {
                 this.bits = bits;
             }
         }
 
-        int getBits() {
-            return bits;
-        }
-
         Name getName() {
             return name;
         }
@@ -849,6 +876,10 @@ public final class PrivilegeRegistry {
                 return declaredAggregateNames.toArray(new Name[declaredAggregateNames.size()]);
             }
         }
+
+        boolean isCustom() {
+            return bits == NO_PRIVILEGE;
+        }
     }
 
     /**
@@ -896,7 +927,7 @@ public final class PrivilegeRegistry {
                         if (stubs.containsKey(privName)) {
                             throw new RepositoryException("Duplicate entry for custom privilege with name " + privName.toString());
                         }
-                        stubs.put(privName, new DefinitionStub(privName, isAbstract, declaredAggrNames, true));
+                        stubs.put(privName, new DefinitionStub(privName, isAbstract, declaredAggrNames));
                     }
                 } finally {
                     in.close();

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java?rev=1082239&r1=1082238&r2=1082239&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/ACLTemplate.java Wed Mar 16 18:07:07 2011
@@ -21,6 +21,7 @@ import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 
 import javax.jcr.NamespaceException;
 import javax.jcr.NodeIterator;
@@ -45,8 +46,8 @@ import org.apache.jackrabbit.core.securi
 import org.apache.jackrabbit.core.security.authorization.AccessControlEntryImpl;
 import org.apache.jackrabbit.core.security.authorization.Permission;
 import org.apache.jackrabbit.core.security.authorization.PrivilegeManagerImpl;
-import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
 import org.apache.jackrabbit.core.security.authorization.GlobPattern;
+import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
 import org.apache.jackrabbit.core.security.principal.PrincipalImpl;
 import org.apache.jackrabbit.core.security.principal.UnknownPrincipal;
 import org.apache.jackrabbit.spi.commons.conversion.NamePathResolver;
@@ -171,8 +172,8 @@ class ACLTemplate extends AbstractACLTem
                         privs,
                         NT_REP_GRANT_ACE.equals(((NodeTypeImpl) aceNode.getPrimaryNodeType()).getQName()),
                         restrictions);
-                // add the entry
-                internalAdd(ace);
+                // add the entry omitting any validation.
+                entries.add(ace);
             } catch (RepositoryException e) {
                 log.debug("Failed to build ACE from content.", e.getMessage());
             }
@@ -219,16 +220,20 @@ class ACLTemplate extends AbstractACLTem
                 // the same entry is already contained -> no modification
                 return false;
             }
+
             // check if need to adjust existing entries
             int updateIndex = -1;
             Entry complementEntry = null;
 
+            Set<Privilege> otherCustom = entry.getCustomPrivileges();
             for (Entry e : entriesPerPrincipal) {
                 if (equalRestriction(entry, e)) {
                     if (entry.isAllow() == e.isAllow()) {
                         // need to update an existing entry
                         int existingPrivs = e.getPrivilegeBits();
-                        if ((existingPrivs | ~entry.getPrivilegeBits()) == -1) {
+                        Set<Privilege> existingCustom = e.getCustomPrivileges();
+                        if ((existingPrivs | ~entry.getPrivilegeBits()) == -1 &&
+                                existingCustom.containsAll(otherCustom)) {
                             // all privileges to be granted/denied are already present
                             // in the existing entry -> not modified
                             return false;
@@ -237,13 +242,16 @@ class ACLTemplate extends AbstractACLTem
                         // remember the index of the existing entry to be updated later on.
                         updateIndex = entries.indexOf(e);
 
-                        // remove the existing entry and create a new that includes
-                        // both the new privileges and the existing ones.
+                        // remove the existing entry and create a new one that
+                        // includes both the new privileges and the existing ones.
                         entries.remove(e);
+
                         int mergedBits = e.getPrivilegeBits() | entry.getPrivilegeBits();
-                        Privilege[] mergedPrivs = privilegeMgr.getPrivileges(mergedBits);
+                        Set<Privilege> mergedPrivs = privilegeMgr.getPrivileges(mergedBits);
+                        mergedPrivs.addAll(existingCustom);
+                        mergedPrivs.addAll(otherCustom);
                         // omit validation check.
-                        entry = createEntry(entry, mergedPrivs, entry.isAllow());
+                        entry = createEntry(entry, mergedPrivs.toArray(new Privilege[mergedPrivs.size()]), entry.isAllow());
                     } else {
                         complementEntry = e;
                     }
@@ -256,20 +264,27 @@ class ACLTemplate extends AbstractACLTem
             if (complementEntry != null) {
 
                 int complPrivs = complementEntry.getPrivilegeBits();
-                int resultPrivs = Permission.diff(complPrivs, entry.getPrivilegeBits());
+                int diff = Permission.diff(complPrivs, entry.getPrivilegeBits());
 
-                if (resultPrivs == PrivilegeRegistry.NO_PRIVILEGE) {
+                Set<Privilege> result = complementEntry.getCustomPrivileges();
+                boolean customMod = result.removeAll(otherCustom);
+                
+                if (diff == PrivilegeRegistry.NO_PRIVILEGE && result.isEmpty()) {
                     // remove the complement entry as the new entry covers
                     // all privileges granted by the existing entry.
                     entries.remove(complementEntry);
                     updateIndex--;
-                    
-                } else if (resultPrivs != complPrivs) {
+
+                } else if (diff != complPrivs || customMod) {
                     // replace the existing entry having the privileges adjusted
                     int index = entries.indexOf(complementEntry);
                     entries.remove(complementEntry);
+
+                    // combine set of new builtin and custom privileges
+                    result.addAll(privilegeMgr.getPrivileges(diff));
+                    // and create a new entry.
                     Entry tmpl = createEntry(entry,
-                            privilegeMgr.getPrivileges(resultPrivs),
+                            result.toArray(new Privilege[result.size()]),
                             !entry.isAllow());
                     entries.add(index, tmpl);
                 } /* else: does not need to be modified.*/

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/CompiledPermissionsImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/CompiledPermissionsImpl.java?rev=1082239&r1=1082238&r2=1082239&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/CompiledPermissionsImpl.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/acl/CompiledPermissionsImpl.java Wed Mar 16 18:07:07 2011
@@ -17,6 +17,7 @@
 package org.apache.jackrabbit.core.security.authorization.acl;
 
 import org.apache.commons.collections.map.LRUMap;
+import org.apache.jackrabbit.api.JackrabbitWorkspace;
 import org.apache.jackrabbit.core.ItemImpl;
 import org.apache.jackrabbit.core.ItemManager;
 import org.apache.jackrabbit.core.NodeImpl;
@@ -29,6 +30,7 @@ import org.apache.jackrabbit.core.securi
 import org.apache.jackrabbit.core.security.authorization.AccessControlModifications;
 import org.apache.jackrabbit.core.security.authorization.AccessControlUtils;
 import org.apache.jackrabbit.core.security.authorization.Permission;
+import org.apache.jackrabbit.core.security.authorization.PrivilegeManagerImpl;
 import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
 import org.apache.jackrabbit.spi.Name;
 import org.apache.jackrabbit.spi.Path;
@@ -37,8 +39,10 @@ import org.apache.jackrabbit.util.Text;
 import javax.jcr.ItemNotFoundException;
 import javax.jcr.RepositoryException;
 import javax.jcr.security.AccessControlEntry;
+import javax.jcr.security.Privilege;
 import java.security.Principal;
 import java.util.ArrayList;
+import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
@@ -104,10 +108,13 @@ class CompiledPermissionsImpl extends Ab
         int allows = Permission.NONE;
         int denies = Permission.NONE;
 
-        int allowPrivileges = PrivilegeRegistry.NO_PRIVILEGE;
-        int denyPrivileges = PrivilegeRegistry.NO_PRIVILEGE;
-        int parentAllows = PrivilegeRegistry.NO_PRIVILEGE;
-        int parentDenies = PrivilegeRegistry.NO_PRIVILEGE;
+        int allowBits = PrivilegeRegistry.NO_PRIVILEGE;
+        int denyBits = PrivilegeRegistry.NO_PRIVILEGE;
+        int parentAllowBits = PrivilegeRegistry.NO_PRIVILEGE;
+        int parentDenyBits = PrivilegeRegistry.NO_PRIVILEGE;
+
+        Set<Privilege> customAllow = new HashSet<Privilege>();
+        Set<Privilege> customDeny = new HashSet<Privilege>();
 
         String parentPath = Text.getRelativeParent(filter.getPath(), 1);
 
@@ -126,22 +133,27 @@ class CompiledPermissionsImpl extends Ab
             boolean matchesParent = (!isLocal && ace.matches(parentPath));
             if (matchesParent) {
                 if (ace.isAllow()) {
-                    parentAllows |= Permission.diff(entryBits, parentDenies);
+                    parentAllowBits |= Permission.diff(entryBits, parentDenyBits);
                 } else {
-                    parentDenies |= Permission.diff(entryBits, parentAllows);
+                    parentDenyBits |= Permission.diff(entryBits, parentAllowBits);
                 }
             }
             if (ace.isAllow()) {
-                allowPrivileges |= Permission.diff(entryBits, denyPrivileges);
-                int permissions = PrivilegeRegistry.calculatePermissions(allowPrivileges, parentAllows, true, isAcItem);
+                allowBits |= Permission.diff(entryBits, denyBits);
+                int permissions = PrivilegeRegistry.calculatePermissions(allowBits, parentAllowBits, true, isAcItem);
                 allows |= Permission.diff(permissions, denies);
+
+                updatePrivileges(ace.getCustomPrivileges(), customAllow, customDeny);
             } else {
-                denyPrivileges |= Permission.diff(entryBits, allowPrivileges);
-                int permissions = PrivilegeRegistry.calculatePermissions(denyPrivileges, parentDenies, false, isAcItem);
+                denyBits |= Permission.diff(entryBits, allowBits);
+                int permissions = PrivilegeRegistry.calculatePermissions(denyBits, parentDenyBits, false, isAcItem);
                 denies |= Permission.diff(permissions, allows);
+
+                updatePrivileges(ace.getCustomPrivileges(), customDeny, customAllow);
             }
         }
-        return new Result(allows, denies, allowPrivileges, denyPrivileges);
+
+        return new Result(allows, denies, allowBits, denyBits, customAllow, customDeny);
     }
 
     //------------------------------------< AbstractCompiledPermissions >---
@@ -190,6 +202,14 @@ class CompiledPermissionsImpl extends Ab
     }
 
     /**
+     * @see AbstractCompiledPermissions#getPrivilegeManagerImpl()
+     */
+    @Override
+    protected PrivilegeManagerImpl getPrivilegeManagerImpl() throws RepositoryException {
+        return (PrivilegeManagerImpl) ((JackrabbitWorkspace) session.getWorkspace()).getPrivilegeManager();
+    }
+
+    /**
      * @see AbstractCompiledPermissions#clearCache()
      */
     @Override

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedProvider.java?rev=1082239&r1=1082238&r2=1082239&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedProvider.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/combined/CombinedProvider.java Wed Mar 16 18:07:07 2011
@@ -23,6 +23,7 @@ import org.apache.jackrabbit.core.securi
 import org.apache.jackrabbit.core.security.authorization.Permission;
 import org.apache.jackrabbit.core.security.authorization.AccessControlUtils;
 import org.apache.jackrabbit.core.security.authorization.AbstractCompiledPermissions;
+import org.apache.jackrabbit.core.security.authorization.PrivilegeManagerImpl;
 import org.apache.jackrabbit.core.security.authorization.principalbased.ACLProvider;
 import org.apache.jackrabbit.core.ItemImpl;
 import org.apache.jackrabbit.core.id.ItemId;
@@ -219,7 +220,16 @@ public class CombinedProvider extends Ab
             }
         }
 
-        //------------------------------------< AbstractCompiledPermissions >---
+        //------------------------------------< AbstractCompiledPermissions >---      
+        /**
+         * @see AbstractCompiledPermissions#getResult(Path)
+         */
+        @Override
+        public Result getResult(Path absPath) throws RepositoryException {
+            // TODO: missing caching
+            return buildResult(absPath);
+        }
+
         /**
          * @see AbstractCompiledPermissions#buildResult(Path)
          */
@@ -234,12 +244,11 @@ public class CombinedProvider extends Ab
         }
 
         /**
-         * @see AbstractCompiledPermissions#getResult(Path)
+         * @see AbstractCompiledPermissions#getPrivilegeManagerImpl()
          */
         @Override
-        public Result getResult(Path absPath) throws RepositoryException {
-            // TODO: missing caching
-            return buildResult(absPath);
+        protected PrivilegeManagerImpl getPrivilegeManagerImpl() throws RepositoryException {
+            return CombinedProvider.this.getPrivilegeManagerImpl();
         }
 
         //--------------------------------------------< CompiledPermissions >---

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.java?rev=1082239&r1=1082238&r2=1082239&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.java Wed Mar 16 18:07:07 2011
@@ -101,8 +101,8 @@ public class ACLProvider extends Abstrac
 
         editor = new ACLEditor(session, resolver.getQPath(acRoot.getPath()));
         entriesCache = new EntriesCache(session, editor, acRoot.getPath());
-        JackrabbitWorkspace wsp = (JackrabbitWorkspace) session.getWorkspace();
-        readBits = ((PrivilegeManagerImpl) wsp.getPrivilegeManager()).getBits(new String[] {Privilege.JCR_READ});
+        PrivilegeManagerImpl pm = getPrivilegeManagerImpl();
+        readBits = pm.getBits(new Privilege[] {pm.getPrivilege(Privilege.JCR_READ)});
 
         // TODO: replace by configurable default policy (see JCR-2331)
         if (!configuration.containsKey(PARAM_OMIT_DEFAULT_PERMISSIONS)) {
@@ -395,6 +395,13 @@ public class ACLProvider extends Abstrac
             return buildResult(jcrPath, isAcItem);
         }
 
+        /**
+         * @see AbstractCompiledPermissions#getPrivilegeManagerImpl()
+         */
+        @Override
+        protected PrivilegeManagerImpl getPrivilegeManagerImpl() throws RepositoryException {
+            return ACLProvider.this.getPrivilegeManagerImpl();
+        }
 
         /**
          * Loop over all entries and evaluate allows/denies for those matching
@@ -402,7 +409,7 @@ public class ACLProvider extends Abstrac
          * 
          * @param targetPath Path used for the evaluation; pointing to an
          * existing or non-existing item.
-         * @param isAcItem the item
+         * @param isAcItem the item.
          * @return the result
          * @throws RepositoryException if an error occurs
          */
@@ -410,10 +417,14 @@ public class ACLProvider extends Abstrac
                                    boolean isAcItem) throws RepositoryException {
             int allows = Permission.NONE;
             int denies = Permission.NONE;
-            int allowPrivileges = PrivilegeRegistry.NO_PRIVILEGE;
-            int denyPrivileges = PrivilegeRegistry.NO_PRIVILEGE;
-            int parentAllows = PrivilegeRegistry.NO_PRIVILEGE;
-            int parentDenies = PrivilegeRegistry.NO_PRIVILEGE;
+
+            int allowBits = PrivilegeRegistry.NO_PRIVILEGE;
+            int denyBits = PrivilegeRegistry.NO_PRIVILEGE;
+            int parentAllowBits = PrivilegeRegistry.NO_PRIVILEGE;
+            int parentDenyBits = PrivilegeRegistry.NO_PRIVILEGE;
+
+            Set<Privilege> customAllow = new HashSet<Privilege>();
+            Set<Privilege> customDeny = new HashSet<Privilege>();
 
             String parentPath = Text.getRelativeParent(targetPath, 1);
             for (AccessControlEntry entry : entries) {
@@ -426,26 +437,31 @@ public class ACLProvider extends Abstrac
 
                 if (!"".equals(parentPath) && entr.matches(parentPath)) {
                     if (entr.isAllow()) {
-                        parentAllows |= Permission.diff(privs, parentDenies);
+                        parentAllowBits |= Permission.diff(privs, parentDenyBits);
                     } else {
-                        parentDenies |= Permission.diff(privs, parentAllows);
+                        parentDenyBits |= Permission.diff(privs, parentAllowBits);
                     }
                 }
 
                 boolean matches = entr.matches(targetPath);
                 if (matches) {
                     if (entr.isAllow()) {
-                        allowPrivileges |= Permission.diff(privs, denyPrivileges);
-                        int permissions = PrivilegeRegistry.calculatePermissions(allowPrivileges, parentAllows, true, isAcItem);
+                        allowBits |= Permission.diff(privs, denyBits);
+                        int permissions = PrivilegeRegistry.calculatePermissions(allowBits, parentAllowBits, true, isAcItem);
                         allows |= Permission.diff(permissions, denies);
+
+                        updatePrivileges(entr.getCustomPrivileges(), customAllow, customDeny);
                     } else {
-                        denyPrivileges |= Permission.diff(privs, allowPrivileges);
-                        int permissions = PrivilegeRegistry.calculatePermissions(denyPrivileges, parentDenies, false, isAcItem);
+                        denyBits |= Permission.diff(privs, allowBits);
+                        int permissions = PrivilegeRegistry.calculatePermissions(denyBits, parentDenyBits, false, isAcItem);
                         denies |= Permission.diff(permissions, allows);
+
+                        updatePrivileges(entr.getCustomPrivileges(), customDeny, customAllow);
                     }
                 }
             }
-            return new Result(allows, denies, allowPrivileges, denyPrivileges);
+
+            return new Result(allows, denies, allowBits, denyBits, customAllow, customDeny);
         }
 
         //--------------------------------------------< CompiledPermissions >---

Modified: jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/user/UserAccessControlProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/user/UserAccessControlProvider.java?rev=1082239&r1=1082238&r2=1082239&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/user/UserAccessControlProvider.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/user/UserAccessControlProvider.java Wed Mar 16 18:07:07 2011
@@ -53,6 +53,8 @@ import javax.jcr.security.Privilege;
 
 import java.security.Principal;
 import java.security.acl.Group;
+import java.util.Collections;
+import java.util.HashSet;
 import java.util.Iterator;
 import java.util.Map;
 import java.util.Set;
@@ -314,11 +316,6 @@ public class UserAccessControlProvider e
         }
     }
 
-    private int getPrivilegeBits(String privName) throws RepositoryException {
-        PrivilegeManagerImpl impl = (PrivilegeManagerImpl) ((JackrabbitWorkspace) session.getWorkspace()).getPrivilegeManager();
-        return impl.getBits(new String[] {privName});
-    }
-
     private static boolean containsGroup(Set<Principal> principals, Principal group) {
         for (Iterator<Principal> it = principals.iterator(); it.hasNext() && group != null;) {
             Principal p = it.next();
@@ -380,6 +377,11 @@ public class UserAccessControlProvider e
             observationMgr.addEventListener(this, events, groupsPath, true, null, null, false);
         }
 
+        private int getPrivilegeBits(String privName) throws RepositoryException {
+            PrivilegeManagerImpl impl = getPrivilegeManagerImpl();
+            return impl.getBits(new Privilege[] {impl.getPrivilege(privName)});
+        }
+
         //------------------------------------< AbstractCompiledPermissions >---
         /**
          * @see AbstractCompiledPermissions#buildResult(Path)
@@ -489,6 +491,11 @@ public class UserAccessControlProvider e
             return new Result(allows, denies, privs, PrivilegeRegistry.NO_PRIVILEGE);
         }
 
+        @Override
+        protected PrivilegeManagerImpl getPrivilegeManagerImpl() throws RepositoryException {
+            return (PrivilegeManagerImpl) ((JackrabbitWorkspace) session.getWorkspace()).getPrivilegeManager();
+        }
+
         //--------------------------------------------< CompiledPermissions >---
         /**
          * @see CompiledPermissions#close()

Modified: jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java?rev=1082239&r1=1082238&r2=1082239&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java (original)
+++ jackrabbit/trunk/jackrabbit-core/src/test/java/org/apache/jackrabbit/core/security/authorization/AbstractACLTemplateTest.java Wed Mar 16 18:07:07 2011
@@ -119,8 +119,8 @@ public abstract class AbstractACLTemplat
                 public boolean isAllow() {
                     return false;
                 }
-                public int getPrivilegeBits() throws RepositoryException, NotExecutableException {
-                    return privilegeMgr.getBits(new String[] {Privilege.JCR_READ});
+                public int getPrivilegeBits() throws RepositoryException {
+                    return privilegeMgr.getBits(new Privilege[] {privilegeMgr.getPrivilege(Privilege.JCR_READ)});
                 }
                 public String[] getRestrictionNames() {
                     return new String[0];



Mime
View raw message