Class AbstractAccessControlManager
- java.lang.Object
-
- org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager
-
- All Implemented Interfaces:
AccessControlManager
,JackrabbitAccessControlManager
,AccessControlConstants
@ProviderType public abstract class AbstractAccessControlManager extends Object implements JackrabbitAccessControlManager, AccessControlConstants
Default implementation of theJackrabbitAccessControlManager
interface. This implementation covers both editing access control content by path and byPrincipal
resulting both in the same content structure.
-
-
Field Summary
-
Fields inherited from interface org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants
AC_NODETYPE_NAMES, ACE_PROPERTY_NAMES, MIX_REP_ACCESS_CONTROLLABLE, MIX_REP_REPO_ACCESS_CONTROLLABLE, NT_REP_ACE, NT_REP_ACL, NT_REP_DENY_ACE, NT_REP_GRANT_ACE, NT_REP_POLICY, NT_REP_RESTRICTIONS, PARAM_RESTRICTION_PROVIDER, POLICY_NODE_NAMES, REP_CURRENT, REP_GLOB, REP_ITEM_NAMES, REP_NODE_PATH, REP_NT_NAMES, REP_POLICY, REP_PREFIXES, REP_PRINCIPAL_NAME, REP_PRIVILEGES, REP_REPO_POLICY, REP_RESTRICTIONS
-
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description @NotNull PrivilegeCollection
getPrivilegeCollection(@Nullable String absPath)
Returns thePrivilegeCollection
for editing session at the given absolute path, which must be an existing node.@NotNull PrivilegeCollection
getPrivilegeCollection(@Nullable String absPath, @NotNull Set<Principal> principals)
Returns thePrivilegeCollection
for the given set of principals at the given absolute path, which must be an existing node.@NotNull Privilege[]
getPrivileges(@Nullable String absPath)
Returns the privileges the session has for absolute path absPath, which must be an existing node.@NotNull Privilege[]
getPrivileges(@Nullable String absPath, @NotNull Set<Principal> principals)
Returns the privileges the given set ofPrincipal
s has for absolute pathabsPath
, which must be an existing node.@NotNull Privilege[]
getSupportedPrivileges(@Nullable String absPath)
Returns the privileges supported for absolute pathabsPath
, which must be an existing node.boolean
hasPrivileges(@Nullable String absPath, @NotNull Set<Principal> principals, @Nullable Privilege[] privileges)
Returns whether the given set ofPrincipal
s has the specified privileges for absolute pathabsPath
, which must be an existing node.boolean
hasPrivileges(@Nullable String absPath, @Nullable Privilege[] privileges)
Returns whether the session has the specified privileges for absolute pathabsPath
, which must be an existing node.@NotNull PrivilegeCollection
privilegeCollectionFromNames(@NotNull String... privilegeNames)
Returns thePrivilegeCollection
for the specifiedprivilegeNames
.@NotNull Privilege
privilegeFromName(@NotNull String privilegeName)
Returns the privilege with the specifiedprivilegeName
.-
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface javax.jcr.security.AccessControlManager
getApplicablePolicies, getEffectivePolicies, getPolicies, removePolicy, setPolicy
-
Methods inherited from interface org.apache.jackrabbit.api.security.JackrabbitAccessControlManager
getApplicablePolicies, getEffectivePolicies, getPolicies
-
-
-
-
Method Detail
-
getSupportedPrivileges
@NotNull public @NotNull Privilege[] getSupportedPrivileges(@Nullable @Nullable String absPath) throws RepositoryException
Description copied from interface:AccessControlManager
Returns the privileges supported for absolute pathabsPath
, which must be an existing node.This method does not return the privileges held by the session. Instead, it returns the privileges that the repository supports.
- Specified by:
getSupportedPrivileges
in interfaceAccessControlManager
- Parameters:
absPath
- an absolute path.- Returns:
- an array of
Privilege
s. - Throws:
PathNotFoundException
- if no node atabsPath
exists or the session does not have sufficient access to retrieve a node at that location.RepositoryException
- if another error occurs.
-
privilegeFromName
@NotNull public @NotNull Privilege privilegeFromName(@NotNull @NotNull String privilegeName) throws RepositoryException
Description copied from interface:AccessControlManager
Returns the privilege with the specifiedprivilegeName
. Since the privilege name is a JCR name, it may be passed in either qualified or expanded form (see specification for details on JCR names).- Specified by:
privilegeFromName
in interfaceAccessControlManager
- Parameters:
privilegeName
- the name of an existing privilege.- Returns:
- the
Privilege
with the specifiedprivilegeName
. - Throws:
AccessControlException
- if no privilege with the specified name exists.RepositoryException
- if another error occurs.
-
hasPrivileges
public boolean hasPrivileges(@Nullable @Nullable String absPath, @Nullable @Nullable Privilege[] privileges) throws RepositoryException
Description copied from interface:AccessControlManager
Returns whether the session has the specified privileges for absolute pathabsPath
, which must be an existing node.Testing an aggregate privilege is equivalent to testing each non aggregate privilege among the set returned by calling
Privilege.getAggregatePrivileges()
for that privilege.The results reported by the this method reflect the net effect of the currently applied control mechanisms. It does not reflect unsaved access control policies or unsaved access control entries. Changes to access control status caused by these mechanisms only take effect on
Session.save()
and are only then reflected in the results of the privilege test methods.- Specified by:
hasPrivileges
in interfaceAccessControlManager
- Parameters:
absPath
- an absolute path.privileges
- an array ofPrivilege
s.- Returns:
true
if the session has the specified privileges;false
otherwise.- Throws:
PathNotFoundException
- if no node atabsPath
exists or the session does not have sufficent access to retrieve a node at that location.RepositoryException
- if another error occurs.
-
getPrivileges
@NotNull public @NotNull Privilege[] getPrivileges(@Nullable @Nullable String absPath) throws RepositoryException
Description copied from interface:AccessControlManager
Returns the privileges the session has for absolute path absPath, which must be an existing node.The returned privileges are those for which
AccessControlManager.hasPrivileges(java.lang.String, javax.jcr.security.Privilege[])
would returntrue
.The results reported by the this method reflect the net effect of the currently applied control mechanisms. It does not reflect unsaved access control policies or unsaved access control entries. Changes to access control status caused by these mechanisms only take effect on
Session.save()
and are only then reflected in the results of the privilege test methods.- Specified by:
getPrivileges
in interfaceAccessControlManager
- Parameters:
absPath
- an absolute path.- Returns:
- an array of
Privilege
s. - Throws:
PathNotFoundException
- if no node atabsPath
exists or the session does not have sufficient access to retrieve a node at that location.RepositoryException
- if another error occurs.
-
hasPrivileges
public boolean hasPrivileges(@Nullable @Nullable String absPath, @NotNull @NotNull Set<Principal> principals, @Nullable @Nullable Privilege[] privileges) throws RepositoryException
Description copied from interface:JackrabbitAccessControlManager
Returns whether the given set ofPrincipal
s has the specified privileges for absolute pathabsPath
, which must be an existing node.Testing an aggregate privilege is equivalent to testing each non aggregate privilege among the set returned by calling
Privilege.getAggregatePrivileges()
for that privilege.The results reported by the this method reflect the net effect of the currently applied control mechanisms. It does not reflect unsaved access control policies or unsaved access control entries. Changes to access control status caused by these mechanisms only take effect on
Session.save()
and are only then reflected in the results of the privilege test methods.Since this method allows to view the privileges of principals other than included in the editing session, this method must throw
AccessDeniedException
if the session lacksREAD_ACCESS_CONTROL
privilege for theabsPath
node.- Specified by:
hasPrivileges
in interfaceJackrabbitAccessControlManager
- Parameters:
absPath
- an absolute path.principals
- a set ofPrincipal
s for which is the given privileges are tested.privileges
- an array ofPrivilege
s.- Returns:
true
if the session has the specified privileges;false
otherwise.- Throws:
PathNotFoundException
- if no node atabsPath
exists or the session does not have sufficient access to retrieve a node at that location.AccessDeniedException
- if the session lacksREAD_ACCESS_CONTROL
privilege for theabsPath
node.RepositoryException
- if another error occurs.
-
getPrivileges
@NotNull public @NotNull Privilege[] getPrivileges(@Nullable @Nullable String absPath, @NotNull @NotNull Set<Principal> principals) throws RepositoryException
Description copied from interface:JackrabbitAccessControlManager
Returns the privileges the given set ofPrincipal
s has for absolute pathabsPath
, which must be an existing node.The returned privileges are those for which
JackrabbitAccessControlManager.hasPrivileges(java.lang.String, java.util.Set<java.security.Principal>, javax.jcr.security.Privilege[])
would returntrue
.The results reported by the this method reflect the net effect of the currently applied control mechanisms. It does not reflect unsaved access control policies or unsaved access control entries. Changes to access control status caused by these mechanisms only take effect on
Session.save()
and are only then reflected in the results of the privilege test methods.Since this method allows to view the privileges of principals other than included in the editing session, this method must throw
AccessDeniedException
if the session lacksREAD_ACCESS_CONTROL
privilege for theabsPath
node.Note that this method does not resolve any group membership, as this is the job of the user manager. nor does it augment the set with the "everyone" principal.
- Specified by:
getPrivileges
in interfaceJackrabbitAccessControlManager
- Parameters:
absPath
- an absolute path.principals
- a set ofPrincipal
s for which is the privileges are retrieved.- Returns:
- an array of
Privilege
s. - Throws:
PathNotFoundException
- if no node atabsPath
exists or the session does not have sufficient access to retrieve a node at that location.AccessDeniedException
- if the session lacksREAD_ACCESS_CONTROL
privilege for theabsPath
node.RepositoryException
- if another error occurs.
-
getPrivilegeCollection
@NotNull public @NotNull PrivilegeCollection getPrivilegeCollection(@Nullable @Nullable String absPath) throws RepositoryException
Description copied from interface:JackrabbitAccessControlManager
Returns the
Note: For backwards compatibility this method comes with a default implementation that computes thePrivilegeCollection
for editing session at the given absolute path, which must be an existing node. This is equivalent toAccessControlManager.getPrivileges(String)
andAccessControlManager.hasPrivileges(String, Privilege[])
but allows for easy resolution of aggregated privileges (like e.g. jcr:all) and repeated evaluation if the editing session has privileges granted at the given target node.PrivilegeCollection
using regular JCR/Jackrabbit API, which might not be efficient. Implementations ofJackrabbitAccessControlManager
are therefore expected to overwrite the default.- Specified by:
getPrivilegeCollection
in interfaceJackrabbitAccessControlManager
- Parameters:
absPath
- An absolute path to an existing JCR node.- Returns:
- A
PrivilegeCollection
wrapping around the privileges granted for the editing session at absPath. - Throws:
PathNotFoundException
- if no node atabsPath
exists or the session does not have sufficient access to retrieve a node at that location.RepositoryException
- If another error occurs.
-
getPrivilegeCollection
@NotNull public @NotNull PrivilegeCollection getPrivilegeCollection(@Nullable @Nullable String absPath, @NotNull @NotNull Set<Principal> principals) throws RepositoryException
Description copied from interface:JackrabbitAccessControlManager
Returns the
Note: For backwards compatibility this method comes with a default implementation that computes thePrivilegeCollection
for the given set of principals at the given absolute path, which must be an existing node. This is equivalent toJackrabbitAccessControlManager.getPrivileges(String,Set)
andJackrabbitAccessControlManager.hasPrivileges(String, Set, Privilege[])
but allows for easy resolution of aggregated privileges (like e.g. jcr:all) and repeated evaluation if the editing session has privileges granted at the given target node.PrivilegeCollection
using regular JCR/Jackrabbit API, which might not be efficient. Implementations ofJackrabbitAccessControlManager
are therefore expected to overwrite the default.- Specified by:
getPrivilegeCollection
in interfaceJackrabbitAccessControlManager
- Parameters:
absPath
- An absolute path to an existing JCR node.principals
- A set of principals for which thePrivilegeCollection
should be created.- Returns:
- A
PrivilegeCollection
wrapping around the privileges granted for the editing session at absPath. - Throws:
PathNotFoundException
- if no node atabsPath
exists or the session does not have sufficient access to retrieve a node at that location.AccessDeniedException
- if the session lacksREAD_ACCESS_CONTROL
privilege for theabsPath
node.RepositoryException
- If another error occurs.
-
privilegeCollectionFromNames
@NotNull public @NotNull PrivilegeCollection privilegeCollectionFromNames(@NotNull @NotNull String... privilegeNames) throws RepositoryException
Description copied from interface:JackrabbitAccessControlManager
Returns the
Note: For backwards compatibility this method comes with a default implementation that computes thePrivilegeCollection
for the specifiedprivilegeNames
. Since the privilege names are JCR names, they may be passed in either qualified or expanded form (see specification for details on JCR names).PrivilegeCollection
using regular JCR/Jackrabbit API, which might not be efficient. Implementations ofJackrabbitAccessControlManager
are therefore expected to overwrite the default.- Specified by:
privilegeCollectionFromNames
in interfaceJackrabbitAccessControlManager
- Parameters:
privilegeNames
- the names of existing privilege.- Returns:
- the
PrivilegeCollection
representing the specifiedprivilegeNames
. - Throws:
AccessControlException
- if no privilege with any of the specified names exists.RepositoryException
- If another error occurs.
-
-