public static void removePrincipalEntries()

in src/main/java/org/apache/sling/jcr/repoinit/impl/AclUtil.java [357:391]


    /**
     * Removes entries from the principal-based access control list of the given principal.
     *
     * <p>For every {@link AclLine}, entries are removed when their effective path is one of the
     * line's resolved JCR paths and they are considered equal to an entry built from the line's
     * privileges, action and restrictions. The policy is written back with {@code setPolicy} only
     * if at least one line removed something.
     *
     * <p>Side effect: if the principal cannot be resolved on the first attempt, the session is
     * saved before the lookup is retried. {@code Session.save()} persists every pending change of
     * that session, not only the principal.
     *
     * <p>NOTE(review): a line that matches no entry is only reported at INFO level and does not
     * abort the run, so an entry the script intended to revoke can stay in place unnoticed.
     * Verify the resulting ACL after running removal statements.
     *
     * @param session       session used for principal lookup, path resolution and the policy update
     * @param principalName name of the principal whose entries are removed
     * @param lines         removal statements; each one is matched against the existing entries
     * @throws RepositoryException if a repository operation called here fails
     */
    public static void removePrincipalEntries(Session session, String principalName, Collection<AclLine> lines) throws RepositoryException {
        final JackrabbitAccessControlManager accessControlManager = getJACM(session);

        Principal resolved = AccessControlUtils.getPrincipal(session, principalName);
        if (resolved == null) {
            // A principal created earlier in the same repoinit run may still be transient and
            // therefore invisible to a query-based lookup: persist pending changes and try again.
            session.save();
            resolved = AccessControlUtils.getPrincipal(session, principalName);
            // Still unknown after the save: hand over to checkState with the not-found pattern.
            checkState(resolved != null, PRINCIPAL_NOT_FOUND_PATTERN, principalName);
        }

        // NOTE(review): meaning of the trailing 'true' flag is not visible here - confirm against the helper.
        final PrincipalAccessControlList acl = getPrincipalAccessControlList(accessControlManager, resolved, true);

        boolean anyRemoved = false;
        for (AclLine aclLine : lines) {
            final List<String> jcrPaths = getJcrPaths(session, aclLine.getProperty(PROP_PATHS));
            final LocalRestrictions restr = createLocalRestrictions(aclLine.getRestrictions(), acl, session);
            final List<String> privNames = aclLine.getProperty(PROP_PRIVILEGES);
            final Privilege[] privs =
                    AccessControlUtils.privilegesFromNames(accessControlManager, privNames.toArray(new String[0]));

            // An entry qualifies only if its effective path is listed on the line AND it is equal
            // to the entry described by the line (comparison delegated to LocalAccessControlEntry).
            final Predicate<PrincipalAccessControlList.Entry> matchesLine = entry ->
                    jcrPaths.contains(entry.getEffectivePath())
                            && new LocalAccessControlEntry(
                                    entry.getPrincipal(), privs, aclLine.getAction() == AclLine.Action.ALLOW, restr)
                                    .isEqual(entry);

            final boolean removed = removePrincipalEntries(acl, principalName, matchesLine);
            if (!removed) {
                // Nothing matched: the ACL is unchanged for this line. The 'isAllow' placeholder
                // receives the Action value itself, not a boolean.
                LOG.info("No matching access control entry found to remove for principal {} at {}. Expected entry with isAllow={}, privileges={}, restrictions={}", principalName, jcrPaths, aclLine.getAction(), privNames, aclLine.getRestrictions());
                continue;
            }
            anyRemoved = true;
        }

        // Write the policy back only when it actually changed.
        if (anyRemoved) {
            accessControlManager.setPolicy(acl.getPath(), acl);
        }
    }