This is an automated email from the ASF dual-hosted git repository.

enorman pushed a commit to branch master
in repository 
https://gitbox.apache.org/repos/asf/sling-org-apache-sling-jcr-jackrabbit-accessmanager.git


The following commit(s) were added to refs/heads/master by this push:
     new 3dc7c2f  SLING-8117 Add support to read/write ACE restrictions from 
REST
3dc7c2f is described below

commit 3dc7c2fb05926e60f3699a0c2f0c337264a82637
Author: Eric Norman <[email protected]>
AuthorDate: Sun Dec 16 13:58:12 2018 -0800

    SLING-8117 Add support to read/write ACE restrictions from REST
---
 pom.xml                                            |  33 +++++-
 .../jcr/jackrabbit/accessmanager/ModifyAce.java    |  50 +++++++-
 .../jackrabbit/accessmanager/PrivilegesInfo.java   |  55 +++++++++
 .../jcr/jackrabbit/accessmanager/package-info.java |   2 +-
 .../accessmanager/post/AbstractGetAclServlet.java  |  87 +++++++++++---
 .../accessmanager/post/ModifyAceServlet.java       | 126 ++++++++++++++++++---
 .../accessmanager/post/package-info.java           |   2 +-
 7 files changed, 316 insertions(+), 39 deletions(-)

diff --git a/pom.xml b/pom.xml
index 57d5626..43e1abf 100644
--- a/pom.xml
+++ b/pom.xml
@@ -40,7 +40,10 @@
         
<developerConnection>scm:git:https://gitbox.apache.org/repos/asf/sling-org-apache-sling-jcr-jackrabbit-accessmanager.git</developerConnection>
         
<url>https://gitbox.apache.org/repos/asf?p=sling-org-apache-sling-jcr-jackrabbit-accessmanager.git</url>
       <tag>HEAD</tag>
-  </scm>
+    </scm>
+    <properties>
+        <sling.java.version>8</sling.java.version>
+    </properties>
 
     <build>
         <plugins>
@@ -68,6 +71,18 @@
 
     <dependencies>
         <dependency>
+            <groupId>org.osgi</groupId>
+            <artifactId>osgi.core</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.osgi</groupId>
+            <artifactId>osgi.cmpn</artifactId>
+            <scope>provided</scope>
+        </dependency>
+
+            
+        <dependency>
             <groupId>javax.servlet</groupId>
             <artifactId>javax.servlet-api</artifactId>
         </dependency>
@@ -97,7 +112,13 @@
         <dependency>
             <groupId>org.apache.sling</groupId>
             <artifactId>org.apache.sling.jcr.base</artifactId>
-            <version>2.1.0</version>
+            <version>3.0.6</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.jackrabbit</groupId>
+            <artifactId>oak-security-spi</artifactId>
+            <version>1.8.0</version>
             <scope>provided</scope>
         </dependency>
         <dependency>
@@ -116,8 +137,14 @@
         </dependency>
         <dependency>
             <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.testing.sling-mock</artifactId>
+            <version>2.3.4</version>
+            <scope>test</scope>
+        </dependency>        
+        <dependency>
+            <groupId>org.apache.sling</groupId>
             <artifactId>org.apache.sling.testing.sling-mock-oak</artifactId>
-            <version>2.0.2</version>
+            <version>2.1.2</version>
             <scope>test</scope>
         </dependency>
         <dependency>
diff --git 
a/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/ModifyAce.java 
b/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/ModifyAce.java
index 06c7964..6ad8095 100644
--- a/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/ModifyAce.java
+++ b/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/ModifyAce.java
@@ -19,9 +19,12 @@
 package org.apache.sling.jcr.jackrabbit.accessmanager;
 
 import java.util.Map;
+import java.util.Set;
 
 import javax.jcr.RepositoryException;
 import javax.jcr.Session;
+import javax.jcr.UnsupportedRepositoryOperationException;
+import javax.jcr.Value;
 
 /**
  * The <code>ModifyAce</code> service api.
@@ -40,8 +43,16 @@ public interface ModifyAce {
         * @param resourcePath The absolute path of the resource to apply the 
ACE to (required)
         * @param principalId The name of the user/group to provision (required)
         * @param privileges Map of privileges to apply. (optional)
-     * @param changes The list of changes for this operation (optional)
-     * @return the user that was updated or null if not found 
+     * @param order where the access control entry should go in the list.
+     *         Value should be one of these:
+     *         <table>
+     *          <tr><td>null</td><td>If the ACE for the principal doesn't 
exist add at the end, otherwise leave the ACE at it's current 
position.</td></tr>
+     *                         <tr><td>first</td><td>Place the target ACE as 
the first amongst its siblings</td></tr>
+        *                      <tr><td>last</td><td>Place the target ACE as 
the last amongst its siblings</td></tr>
+        *                      <tr><td>before xyz</td><td>Place the target ACE 
immediately before the sibling whose name is xyz</td></tr>
+        *                      <tr><td>after xyz</td><td>Place the target ACE 
immediately after the sibling whose name is xyz</td></tr>
+        *                      <tr><td>numeric</td><td>Place the target ACE at 
the specified numeric index</td></tr>
+        *         </table>
         * @throws RepositoryException
         */
        void modifyAce(Session jcrSession,
@@ -51,4 +62,39 @@ public interface ModifyAce {
                                                        String order
                                ) throws RepositoryException;
        
+       /**
+        * Add or modify the access control entry for the specified user 
+        * or group.
+        * 
+        * @param jcrSession the JCR session of the user updating the user
+        * @param resourcePath The absolute path of the resource to apply the 
ACE to (required)
+        * @param principalId The name of the user/group to provision (required)
+        * @param privileges Map of privileges to apply. (optional)
+     * @param order where the access control entry should go in the list.
+     *         Value should be one of these:
+     *         <table>
+     *          <tr><td>null</td><td>If the ACE for the principal doesn't 
exist add at the end, otherwise leave the ACE at it's current 
position.</td></tr>
+     *                         <tr><td>first</td><td>Place the target ACE as 
the first amongst its siblings</td></tr>
+        *                      <tr><td>last</td><td>Place the target ACE as 
the last amongst its siblings</td></tr>
+        *                      <tr><td>before xyz</td><td>Place the target ACE 
immediately before the sibling whose name is xyz</td></tr>
+        *                      <tr><td>after xyz</td><td>Place the target ACE 
immediately after the sibling whose name is xyz</td></tr>
+        *                      <tr><td>numeric</td><td>Place the target ACE at 
the specified numeric index</td></tr>
+        *         </table>
+        * @param restrictions Map of single-value restrictions to apply. 
(optional)
+        * @param mvRestrictions Map of multi-value restrictions to apply. 
(optional)
+        * @param removeRestrictionNames Set of existing restriction names to 
remove (optional)
+        * @throws RepositoryException
+        */
+       default void modifyAce(Session jcrSession,
+                                                       String resourcePath,
+                                                       String principalId,
+                                                       Map<String, String> 
privileges,
+                                                       String order,
+                                                       Map<String, Value> 
restrictions,
+                                                       Map<String, Value[]> 
mvRestrictions,
+                                                       Set<String> 
removeRestrictionNames
+                               ) throws RepositoryException {
+               throw new UnsupportedRepositoryOperationException();
+       }
+
 }
diff --git 
a/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/PrivilegesInfo.java
 
b/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/PrivilegesInfo.java
index 0232e2f..b4f7744 100644
--- 
a/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/PrivilegesInfo.java
+++ 
b/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/PrivilegesInfo.java
@@ -31,12 +31,15 @@ import java.util.Set;
 import javax.jcr.Node;
 import javax.jcr.RepositoryException;
 import javax.jcr.Session;
+import javax.jcr.Value;
+import javax.jcr.ValueFormatException;
 import javax.jcr.security.AccessControlEntry;
 import javax.jcr.security.AccessControlList;
 import javax.jcr.security.AccessControlManager;
 import javax.jcr.security.AccessControlPolicy;
 import javax.jcr.security.Privilege;
 
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
 import org.apache.sling.jcr.base.util.AccessControlUtil;
 
 /**
@@ -241,6 +244,58 @@ public class PrivilegesInfo {
                return rights;
        }
        
+       /**
+        * Returns the restrictions for the specified path.
+        * 
+        * @param node the node to inspect
+        * @param principalId the principalId to get the access rights for
+        * @return map of restrictions (key is restriction name, value is Value 
or Value[])
+        * @throws RepositoryException
+        */
+       public Map<String, Object> getDeclaredRestrictionsForPrincipal(Node 
node, String principalId) throws RepositoryException {
+               return getDeclaredRestrictionsForPrincipal(node.getSession(), 
node.getPath(), principalId);
+       }
+       
+       /**
+        * Returns the restrictions for the specified path.
+        * 
+        * @param session the session for the current user
+        * @param absPath the path to get the privileges for
+        * @param principalId the principalId to get the access rights for
+        * @return map of restrictions (key is restriction name, value is Value 
or Value[])
+        * @throws RepositoryException
+        */
+       public Map<String, Object> getDeclaredRestrictionsForPrincipal(Session 
session, String absPath, String principalId) throws RepositoryException {
+               Map<String, Object> restrictions = new LinkedHashMap<>();
+               AccessControlEntry[] entries = 
getDeclaredAccessControlEntries(session, absPath);
+               if (entries != null) {
+                       for (AccessControlEntry ace : entries) {
+                               if 
(principalId.equals(ace.getPrincipal().getName())) {
+                                       if (ace instanceof 
JackrabbitAccessControlEntry) {
+                                               JackrabbitAccessControlEntry 
jace = (JackrabbitAccessControlEntry)ace;
+                                               String[] restrictionNames = 
jace.getRestrictionNames();
+                                               if (restrictionNames != null) {
+                                                       for (String name : 
restrictionNames) {
+                                                               try {
+                                                                       Value 
value = jace.getRestriction(name);
+                                                                       if 
(value != null) {
+                                                                               
restrictions.put(name, value);
+                                                                       }       
                                                                
+                                                               } catch 
(ValueFormatException vfe) {
+                                                                       //try 
multi-value restriction
+                                                                       Value[] 
values = jace.getRestrictions(name);
+                                                                       if 
(values != null && values.length > 0) {
+                                                                               
restrictions.put(name,  values);
+                                                                       }
+                                                               }
+                                                       }
+                                               }
+                                       }
+                               }
+                       }
+               }
+               return restrictions;
+       }
 
        
        
diff --git 
a/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/package-info.java 
b/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/package-info.java
index 5119ee5..e46171e 100644
--- 
a/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/package-info.java
+++ 
b/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/package-info.java
@@ -17,7 +17,7 @@
  * under the License.
  */
 
[email protected]("3.0.0")
[email protected]("3.1.0")
 package org.apache.sling.jcr.jackrabbit.accessmanager;
 
 
diff --git 
a/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/AbstractGetAclServlet.java
 
b/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/AbstractGetAclServlet.java
index 9ee88f6..72c9e19 100644
--- 
a/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/AbstractGetAclServlet.java
+++ 
b/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/AbstractGetAclServlet.java
@@ -17,6 +17,7 @@
 package org.apache.sling.jcr.jackrabbit.accessmanager.post;
 
 import java.io.IOException;
+import java.lang.reflect.Array;
 import java.security.Principal;
 import java.util.ArrayList;
 import java.util.HashMap;
@@ -31,6 +32,8 @@ import javax.jcr.AccessDeniedException;
 import javax.jcr.Item;
 import javax.jcr.RepositoryException;
 import javax.jcr.Session;
+import javax.jcr.Value;
+import javax.jcr.ValueFormatException;
 import javax.jcr.security.AccessControlEntry;
 import javax.jcr.security.Privilege;
 import javax.json.Json;
@@ -41,6 +44,7 @@ import javax.json.stream.JsonGenerator;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
 import org.apache.sling.api.SlingHttpServletRequest;
 import org.apache.sling.api.SlingHttpServletResponse;
 import org.apache.sling.api.resource.ResourceNotFoundException;
@@ -120,6 +124,7 @@ public abstract class AbstractGetAclServlet extends 
SlingAllMethodsServlet {
 
         AccessControlEntry[] declaredAccessControlEntries = 
getAccessControlEntries(jcrSession, resourcePath);
         Map<String, Map<String, Object>> aclMap = new LinkedHashMap<String, 
Map<String,Object>>();
+        Map<String, Map<String, Object>> restrictionMap = new 
LinkedHashMap<String, Map<String,Object>>();
         int sequence = 0;
 
         for (AccessControlEntry ace : declaredAccessControlEntries) {
@@ -134,8 +139,31 @@ public abstract class AbstractGetAclServlet extends 
SlingAllMethodsServlet {
         //evaluate these in reverse order so the most entries with highest 
specificity are last
         for (int i = declaredAccessControlEntries.length - 1; i >= 0; i--) {
                        AccessControlEntry ace = 
declaredAccessControlEntries[i];
-
                        Principal principal = ace.getPrincipal();
+
+                       if (ace instanceof JackrabbitAccessControlEntry) {
+                               JackrabbitAccessControlEntry jace = 
(JackrabbitAccessControlEntry)ace;
+                               String[] restrictionNames = 
jace.getRestrictionNames();
+                               if (restrictionNames != null) {
+                                       Map<String, Object> restrictions = 
restrictionMap.get(principal.getName());
+                                       if (restrictions == null) {
+                                               restrictions = new HashMap<>();
+                                               
restrictionMap.put(principal.getName(), restrictions);
+                                       }
+                                       for (String rname : restrictionNames) {
+                                               try {
+                                                       //try as a single-value 
restriction
+                                                       Value value = 
jace.getRestriction(rname);
+                                                       restrictions.put(rname, 
value);
+                                               } catch (ValueFormatException 
vfe) {
+                                                       //try as a multi-value 
restriction
+                                                       Value[] values = 
jace.getRestrictions(rname);
+                                                       restrictions.put(rname, 
values);
+                                               }
+                                       }
+                               }
+                       }
+                       
             Map<String, Object> map = aclMap.get(principal.getName());
 
             Set<Privilege> grantedSet = (Set<Privilege>) map.get("granted");
@@ -196,6 +224,30 @@ public abstract class AbstractGetAclServlet extends 
SlingAllMethodsServlet {
                 aceObject.add("denied", arrayBuilder);
             }
             aceObject.add("order", (Integer) value.get("order"));
+
+            Map<String, Object> restrictions = 
restrictionMap.get(principalName);
+            if (restrictions != null && !restrictions.isEmpty()) {
+               Set<Entry<String, Object>> entrySet2 = restrictions.entrySet();
+               JsonObjectBuilder jsonRestrictions = Json.createObjectBuilder();
+               for (Entry<String, Object> entry2 : entrySet2) {
+                               Object rvalue = entry2.getValue();
+                               if (rvalue != null) {
+                                       if (rvalue.getClass().isArray()) {
+                               JsonArrayBuilder arrayBuilder = 
Json.createArrayBuilder();
+                               int length = Array.getLength(rvalue);
+                               for (int i= 0; i  < length; i++) {
+                                       Object object = Array.get(rvalue, i);
+                                       addTo(arrayBuilder, object);
+                               }
+                               jsonRestrictions.add(entry2.getKey(), 
arrayBuilder);
+                                       } else {
+                                               addTo(jsonRestrictions, 
entry2.getKey(), rvalue);
+                                       }
+                               }
+                       }
+               aceObject.add("restrictions", jsonRestrictions);
+            }
+            
             aclList.add(aceObject.build());
         }
         JsonObjectBuilder jsonAclMap = Json.createObjectBuilder();
@@ -208,6 +260,7 @@ public abstract class AbstractGetAclServlet extends 
SlingAllMethodsServlet {
             }
             jsonAclMap.add(entry.getKey(), builder);
         }
+
         for (JsonObject jsonObj : aclList) {
             jsonAclMap.add(jsonObj.getString("principal"), jsonObj);
         }
@@ -216,31 +269,35 @@ public abstract class AbstractGetAclServlet extends 
SlingAllMethodsServlet {
     }
     
     private JsonObjectBuilder addTo(JsonObjectBuilder builder, String key, 
Object value) {
-        if (value instanceof Byte || value instanceof Short || value 
instanceof Integer || value instanceof Long)
-        {
+        if (value instanceof Byte || value instanceof Short || value 
instanceof Integer || value instanceof Long) {
             builder.add(key, ((Number) value).longValue());
-        }
-        else if (value instanceof Float || value instanceof Double)
-        {
+        } else if (value instanceof Float || value instanceof Double) {
             builder.add(key, ((Number) value).doubleValue());
-        }
-        else if (value instanceof Privilege)
-        {
+        } else if (value instanceof Privilege) {
             JsonObjectBuilder privilegeBuilder = Json.createObjectBuilder();
             privilegeBuilder.add("name", ((Privilege) value).getName());
             builder.add(key, privilegeBuilder);
-        }
-        else if (value instanceof String)
-        {
+        } else if (value instanceof String) {
             builder.add(key, (String) value);
-        }
-        else
-        {
+        } else {
             builder.add(key, value.toString());
         }
         return builder;
     }
 
+    private JsonArrayBuilder addTo(JsonArrayBuilder builder, Object value) {
+        if (value instanceof Byte || value instanceof Short || value 
instanceof Integer || value instanceof Long) {
+            builder.add(((Number) value).longValue());
+        } else if (value instanceof Float || value instanceof Double) {
+            builder.add(((Number) value).doubleValue());
+        } else if (value instanceof String) {
+            builder.add((String) value);
+        } else {
+            builder.add(value.toString());
+        }
+        return builder;
+    }
+
     protected abstract AccessControlEntry[] getAccessControlEntries(Session 
session, String absPath) throws RepositoryException;
 
 }
diff --git 
a/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/ModifyAceServlet.java
 
b/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/ModifyAceServlet.java
index c11f85c..1282299 100644
--- 
a/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/ModifyAceServlet.java
+++ 
b/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/ModifyAceServlet.java
@@ -28,9 +28,13 @@ import java.util.Set;
 import javax.jcr.Item;
 import javax.jcr.RepositoryException;
 import javax.jcr.Session;
+import javax.jcr.Value;
+import javax.jcr.ValueFactory;
 import javax.servlet.Servlet;
 
 import org.apache.jackrabbit.api.security.principal.PrincipalManager;
+import 
org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition;
+import 
org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
 import org.apache.sling.api.SlingHttpServletRequest;
 import org.apache.sling.api.resource.ResourceNotFoundException;
 import org.apache.sling.jcr.base.util.AccessControlUtil;
@@ -42,6 +46,7 @@ import org.osgi.service.component.annotations.Component;
 import org.osgi.service.component.annotations.Reference;
 import org.osgi.service.component.annotations.ReferenceCardinality;
 import org.osgi.service.component.annotations.ReferencePolicy;
+import org.osgi.service.component.annotations.ReferencePolicyOption;
 
 /**
  * <p>
@@ -66,6 +71,12 @@ import 
org.osgi.service.component.annotations.ReferencePolicy;
  * to (or removed from) the node ACL. Any permissions that are present in an
  * existing ACE for the principal but not in the request are left 
untouched.</dd>
  * </dl>
+ * <dt>restriction@*</dt>
+ * <dd>One or more restrictions which will be applied to the ACE</dd>
+ * </dl>
+ * <dt>restriction@*@Delete</dt>
+ * <dd>One or more restrictions which will be removed from the ACE</dd>
+ * </dl>
  *
  * <h4>Response</h4>
  * <dl>
@@ -94,6 +105,19 @@ property= {
 public class ModifyAceServlet extends AbstractAccessPostServlet implements 
ModifyAce {
        private static final long serialVersionUID = -9182485466670280437L;
 
+       private RestrictionProvider restrictionProvider = null;
+
+       // NOTE: the @Reference annotation is not inherited, so subclasses will 
need to override the #bindRestrictionProvider 
+       // and #unbindRestrictionProvider methods to provide the @Reference 
annotation.     
+       //
+    @Reference(cardinality=ReferenceCardinality.OPTIONAL, policy = 
ReferencePolicy.DYNAMIC, policyOption=ReferencePolicyOption.GREEDY)
+    protected void bindRestrictionProvider(RestrictionProvider rp) {
+       this.restrictionProvider = rp;
+    }
+    protected void unbindRestrictionProvider(RestrictionProvider rp) {
+       this.restrictionProvider = null;
+    }
+    
     /**
      * Overridden since the @Reference annotation is not inherited from the 
super method
      *  
@@ -126,7 +150,15 @@ public class ModifyAceServlet extends 
AbstractAccessPostServlet implements Modif
                Session session = 
request.getResourceResolver().adaptTo(Session.class);
        String resourcePath = request.getResource().getPath();
                String principalId = request.getParameter("principalId");
-               Map<String, String> privileges = new HashMap<String, String>();
+               Map<String, String> privileges = new HashMap<>();
+               Map<String, Value> restrictions = new HashMap<>();
+               Map<String, Value[]> mvRestrictions = new HashMap<>();
+               Set<String> removeRestrictionNames = new HashSet<>();
+
+               //lazy initialized map for quick lookup when processing POSTed 
restrictions
+               Map<String, RestrictionDefinition> supportedRestrictionsMap = 
null;
+               ValueFactory factory = session.getValueFactory();
+
                Enumeration<?> parameterNames = request.getParameterNames();
                while (parameterNames.hasMoreElements()) {
                        Object nextElement = parameterNames.nextElement();
@@ -136,19 +168,74 @@ public class ModifyAceServlet extends 
AbstractAccessPostServlet implements Modif
                                        String privilegeName = 
paramName.substring(10);
                                        String parameterValue = 
request.getParameter(paramName);
                                        privileges.put(privilegeName, 
parameterValue);
+                               } else if 
(paramName.startsWith("restriction@")) {
+                                       if (restrictionProvider == null) {
+                                               throw new 
IllegalArgumentException("No restriction provider is available so unable to 
process POSTed restriction values");
+                                       }
+                                       if (supportedRestrictionsMap == null) {
+                                               supportedRestrictionsMap = new 
HashMap<>();
+
+                                               //populate the map for quick 
lookup below
+                                               Set<RestrictionDefinition> 
supportedRestrictions = 
restrictionProvider.getSupportedRestrictions(resourcePath);
+                                               for (RestrictionDefinition 
restrictionDefinition : supportedRestrictions) {
+                                                       
supportedRestrictionsMap.put(restrictionDefinition.getName(), 
restrictionDefinition);
+                                               }
+                                       }
+                                       
+                                       if (paramName.endsWith("@Delete")) {
+                                               String restrictionName = 
paramName.substring(12, paramName.length() - 7);
+                                               
removeRestrictionNames.add(restrictionName);
+                                       } else {
+                                               String restrictionName = 
paramName.substring(12);
+                                               String[] parameterValues = 
request.getParameterValues(paramName);
+                                               if (parameterValues != null) {
+                                                       RestrictionDefinition 
rd = supportedRestrictionsMap.get(restrictionName);
+                                                       if (rd == null) {
+                                                               //illegal 
restriction name?
+                                                               throw new 
IllegalArgumentException("Invalid or not supported restriction name was 
supplied");
+                                                       }
+                                                       
+                                                       boolean multival = 
rd.getRequiredType().isArray();
+                                                       int restrictionType = 
rd.getRequiredType().tag();
+                                                       
+                                                       if (multival) {
+                                                               Value [] v = 
new Value[parameterValues.length];
+                                                               for (int j = 0; 
j < parameterValues.length; j++) {
+                                                                       String 
string = parameterValues[j];
+                                                                       v[j] = 
factory.createValue(string, restrictionType);
+                                                               }
+
+                                                               
mvRestrictions.put(restrictionName, v);
+                                                       } else if 
(parameterValues.length > 0) {
+                                                               Value v = 
factory.createValue(parameterValues[0], restrictionType);
+                                                               
restrictions.put(restrictionName, v);
+                                                       }
+                                               }
+                                       }
                                }
                        }
                }
                String order = request.getParameter("order");
-       modifyAce(session, resourcePath, principalId, privileges, order);
+       modifyAce(session, resourcePath, principalId, privileges, order, 
restrictions, mvRestrictions, 
+                       removeRestrictionNames);
        }
        
+
        /* (non-Javadoc)
         * @see 
org.apache.sling.jcr.jackrabbit.accessmanager.ModifyAce#modifyAce(javax.jcr.Session,
 java.lang.String, java.lang.String, java.util.Map, java.lang.String)
         */
        public void modifyAce(Session jcrSession, String resourcePath,
                        String principalId, Map<String, String> privileges, 
String order)
                        throws RepositoryException {
+               modifyAce(jcrSession, resourcePath, principalId, privileges, 
order, null, null, null);
+       }
+       /* (non-Javadoc)
+        * @see 
org.apache.sling.jcr.jackrabbit.accessmanager.ModifyAce#modifyAce(javax.jcr.Session,
 java.lang.String, java.lang.String, java.util.Map, java.lang.String, 
java.util.Map, java.util.Map, java.util.Set)
+        */
+       @Override
+       public void modifyAce(Session jcrSession, String resourcePath, String 
principalId, Map<String, String> privileges,
+                       String order, Map<String, Value> restrictions, 
Map<String, Value[]> mvRestrictions,
+                       Set<String> removeRestrictionNames) throws 
RepositoryException {
                if (jcrSession == null) {
                        throw new RepositoryException("JCR Session not found");
                }
@@ -174,20 +261,22 @@ public class ModifyAceServlet extends 
AbstractAccessPostServlet implements Modif
                Set<String> grantedPrivilegeNames = new HashSet<String>();
                Set<String> deniedPrivilegeNames = new HashSet<String>();
                Set<String> removedPrivilegeNames = new HashSet<String>();
-               Set<Entry<String, String>> entrySet = privileges.entrySet();
-               for (Entry<String, String> entry : entrySet) {
-                       String privilegeName = entry.getKey();
-                       if (privilegeName.startsWith("privilege@")) {
-                               privilegeName = privilegeName.substring(10);
-                       }
-                       String parameterValue = entry.getValue();
-                       if (parameterValue != null && parameterValue.length() > 
0) {
-                               if ("granted".equals(parameterValue)) {
-                                       
grantedPrivilegeNames.add(privilegeName);
-                               } else if ("denied".equals(parameterValue)) {
-                                       deniedPrivilegeNames.add(privilegeName);
-                               } else if ("none".equals(parameterValue)){
-                                       
removedPrivilegeNames.add(privilegeName);
+               if (privileges != null) {
+                       Set<Entry<String, String>> entrySet = 
privileges.entrySet();
+                       for (Entry<String, String> entry : entrySet) {
+                               String privilegeName = entry.getKey();
+                               if (privilegeName.startsWith("privilege@")) {
+                                       privilegeName = 
privilegeName.substring(10);
+                               }
+                               String parameterValue = entry.getValue();
+                               if (parameterValue != null && 
parameterValue.length() > 0) {
+                                       if ("granted".equals(parameterValue)) {
+                                               
grantedPrivilegeNames.add(privilegeName);
+                                       } else if 
("denied".equals(parameterValue)) {
+                                               
deniedPrivilegeNames.add(privilegeName);
+                                       } else if 
("none".equals(parameterValue)){
+                                               
removedPrivilegeNames.add(privilegeName);
+                                       }
                                }
                        }
                }
@@ -198,7 +287,10 @@ public class ModifyAceServlet extends 
AbstractAccessPostServlet implements Modif
                                        grantedPrivilegeNames.toArray(new 
String[grantedPrivilegeNames.size()]),
                                        deniedPrivilegeNames.toArray(new 
String[deniedPrivilegeNames.size()]),
                                        removedPrivilegeNames.toArray(new 
String[removedPrivilegeNames.size()]),
-                                       order);
+                                       order,
+                                       restrictions,
+                                       mvRestrictions,
+                                       removeRestrictionNames);
                        if (jcrSession.hasPendingChanges()) {
                                jcrSession.save();
                        }
diff --git 
a/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/package-info.java
 
b/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/package-info.java
index 79406f4..839033a 100644
--- 
a/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/package-info.java
+++ 
b/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/post/package-info.java
@@ -17,7 +17,7 @@
  * under the License.
  */
 
[email protected]("3.1.0")
[email protected]("3.2.0")
 package org.apache.sling.jcr.jackrabbit.accessmanager.post;
 
 

Reply via email to