Author: angela
Date: Mon Oct 13 10:07:32 2014
New Revision: 1631327
URL: http://svn.apache.org/r1631327
Log:
OAK-2158 : Fail for ACEs created for the admin principal
-> make failure depending on configured importbehavior
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java?rev=1631327&r1=1631326&r2=1631327&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.java
Mon Oct 13 10:07:32 2014
@@ -59,7 +59,7 @@ abstract class ACL extends AbstractAcces
}
abstract ACE createACE(Principal principal, PrivilegeBits privilegeBits,
boolean isAllow, Set<Restriction> restrictions) throws RepositoryException;
- abstract void checkValidPrincipal(Principal principal) throws
AccessControlException;
+ abstract boolean checkValidPrincipal(Principal principal) throws
AccessControlException;
abstract PrivilegeManager getPrivilegeManager();
abstract PrivilegeBits getPrivilegeBits(Privilege[] privileges);
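Review bot: The abstract `checkValidPrincipal` now has two failure channels, a `false` return and an `AccessControlException`, but nothing on the declaration says which one means what. A short Javadoc would fix that for implementers, for example `/** @return false if the entry for this principal must be skipped without error; @throws AccessControlException if the principal is invalid */`. Without it, the overrides that simply `return true` look like an oversight rather than a choice.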
@@ -95,7 +95,9 @@ abstract class ACL extends AbstractAcces
}
}
- checkValidPrincipal(principal);
+ if (!checkValidPrincipal(principal)) {
+ return false;
+ }
for (RestrictionDefinition def :
getRestrictionProvider().getSupportedRestrictions(getOakPath())) {
String jcrName = getNamePathMapper().getJcrName(def.getName());
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java?rev=1631327&r1=1631326&r2=1631327&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.java
Mon Oct 13 10:07:32 2014
@@ -563,11 +563,25 @@ public class AccessControlManagerImpl ex
}
@Override
- void checkValidPrincipal(Principal principal) throws
AccessControlException {
- Util.checkValidPrincipal(principal, principalManager,
ImportBehavior.BESTEFFORT != Util.getImportBehavior(getConfig()));
+ boolean checkValidPrincipal(Principal principal) throws
AccessControlException {
+ int importBehavior = Util.getImportBehavior(getConfig());
+ Util.checkValidPrincipal(principal, principalManager,
ImportBehavior.BESTEFFORT != importBehavior);
+
if (principal instanceof AdminPrincipal) {
- throw new AccessControlException("Attempt to create an ACE for
the admin principal which always has full access.");
+ log.warn("Attempt to create an ACE for the admin principal
which always has full access.");
+ switch (Util.getImportBehavior(getConfig())) {
+ case ImportBehavior.ABORT:
+ throw new AccessControlException("Attempt to create an
ACE for the admin principal which always has full access.");
+ case ImportBehavior.IGNORE:
+ return false;
+ case ImportBehavior.BESTEFFORT:
+ // just log warning, no other action required.
+ break;
+ default :
+ throw new IllegalArgumentException("Invalid import
behavior" + importBehavior);
+ }
}
+ return true;
}
@Override
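Review bot: The switch in the `AdminPrincipal` branch calls `Util.getImportBehavior(getConfig())` a second time although the value was just stored in `importBehavior`, while the default branch reports the local; `switch (importBehavior) {` keeps the value switched on and the value reported the same. The default message is concatenated without a separator, so the number is glued to the word "behavior"; `"Invalid import behavior " + importBehavior` fixes that. In the BESTEFFORT case the method falls through to `return true`, so the ACE for the admin principal is still created and the warning is the only trace of it. The comment there could say so explicitly, e.g. `// entry is still created; it has no effect because admin always has full access`.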
@@ -628,8 +642,9 @@ public class AccessControlManagerImpl ex
}
@Override
- void checkValidPrincipal(Principal principal) throws
AccessControlException {
+ boolean checkValidPrincipal(Principal principal) throws
AccessControlException {
Util.checkValidPrincipal(principal, principalManager, true);
+ return true;
}
@Override
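Review bot: This second override returns `true` unconditionally and has no `AdminPrincipal` branch, so the import-behavior handling added in the hunk at -563 does not apply on this path. The class it belongs to starts outside the hunk, so whether an admin principal can reach it cannot be confirmed from here. If it can, the same ABORT/IGNORE/BESTEFFORT handling seems to be needed. If the omission is intended, a comment such as `// AdminPrincipal is deliberately not special-cased here` would record the decision.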
Modified:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java?rev=1631327&r1=1631326&r2=1631327&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.java
Mon Oct 13 10:07:32 2014
@@ -113,9 +113,9 @@ public class ACLTest extends AbstractAcc
}
@Override
- void checkValidPrincipal(Principal principal) throws
AccessControlException {
+ boolean checkValidPrincipal(Principal principal) throws
AccessControlException {
Util.checkValidPrincipal(principal, principalManager, true);
-
+ return true;
}
@Override
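Review bot: The stub here always ends in `return true;`, so the new `if (!checkValidPrincipal(principal)) { return false; }` path in ACL.java is not exercised by anything visible in this commit. A test ACL whose override returns `false` could assert that adding the entry returns `false` and leaves the entry list unchanged. The two test hunks only adapt the signature. As far as the listed files show, this revision adds no test for the ABORT, IGNORE and BESTEFFORT outcomes for the admin principal.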
Modified:
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java?rev=1631327&r1=1631326&r2=1631327&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java
(original)
+++
jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImplTest.java
Mon Oct 13 10:07:32 2014
@@ -190,8 +190,9 @@ public class AccessControlManagerImplTes
}
@Override
- void checkValidPrincipal(Principal principal) throws
AccessControlException {
+ boolean checkValidPrincipal(Principal principal) throws
AccessControlException {
Util.checkValidPrincipal(principal, pm, true);
+ return true;
}
@Override