Interface ResourceAccessGate
-
- All Known Implementing Classes:
AllowingResourceAccessGate
@ConsumerType public interface ResourceAccessGate
TheResourceAccessGate
defines a service API which might be used to make some restrictions to accessing resources. Implementations of this service interface must be registered like ResourceProvider with a path (like provider.roots). If different ResourceAccessGateService services match a path, not only the ResourceAccessGateService with the longest path will be called, but all of them, that's in contrast to the ResourceProvider, but in this case more logical (and secure!). The gates will be called in the order of the service ranking. If one of the gates grants access for a given operation access will be granted. service properties:- path: regexp to define on which paths the service should be called (default .*)
- operations: set of operations on which the service should be called ("read,create,update,delete,execute", default all of them)
- finaloperations: set of operations on which the service answer is
final and no further service should be called (default none of them), except
the GateResult is
GateResult.DONTCARE
PROVIDER_CONTEXT
, in this case the gate is only applied to resource providers requesting the security checks. Or the context can beAPPLICATION_CONTEXT
. In this case the access gate is invoked for the whole resource tree. This is indicated by the required service propertyCONTEXT
. If the property is missing or invalid, the service is ignored.
-
-
Nested Class Summary
Nested Classes Modifier and Type Interface Description static class
ResourceAccessGate.GateResult
GateResult
defines 3 possible states which can be returned by the different canXXX methods of this interface.static class
ResourceAccessGate.Operation
-
Field Summary
Fields Modifier and Type Field Description static java.lang.String
APPLICATION_CONTEXT
Allowed value for theCONTEXT
service registration property.static java.lang.String
CONTEXT
The name of the service registration property containing the context of this service.static java.lang.String
FINALOPERATIONS
The name of the (multi-value) service registration property containing the operations for which the service should be called and no further service should be called after this, except the services returns DONTCARE as result, default is empty (none of them are final) (value is "finaloperations").static java.lang.String
OPERATIONS
The name of the (multi-value) service registration property containing the operations for which the service should be called, defaults to all the operations (value is "operations").static java.lang.String
PATH
The name of the service registration property containing the path as a regular expression for which the service should be called (value is "path").static java.lang.String
PROVIDER_CONTEXT
Allowed value for theCONTEXT
service registration property.static java.lang.String
SERVICE_NAME
The service name to use when registering implementations of this interface as services (value is "org.apache.sling.api.resource.ResourceAccessGate").
-
Method Summary
-
-
-
Field Detail
-
SERVICE_NAME
static final java.lang.String SERVICE_NAME
The service name to use when registering implementations of this interface as services (value is "org.apache.sling.api.resource.ResourceAccessGate").
-
CONTEXT
static final java.lang.String CONTEXT
The name of the service registration property containing the context of this service. Allowed values areAPPLICATION_CONTEXT
andPROVIDER_CONTEXT
. This property is required and has no default value. (value is "access.context")- See Also:
- Constant Field Values
-
APPLICATION_CONTEXT
static final java.lang.String APPLICATION_CONTEXT
Allowed value for theCONTEXT
service registration property. Services marked with this context are applied to all resources.- See Also:
- Constant Field Values
-
PROVIDER_CONTEXT
static final java.lang.String PROVIDER_CONTEXT
Allowed value for theCONTEXT
service registration property. Services marked with this context are only applied to resource providers which indicate the additional checks with theResourceProvider.USE_RESOURCE_ACCESS_SECURITY
property.- See Also:
- Constant Field Values
-
PATH
static final java.lang.String PATH
The name of the service registration property containing the path as a regular expression for which the service should be called (value is "path").- See Also:
- Constant Field Values
-
OPERATIONS
static final java.lang.String OPERATIONS
The name of the (multi-value) service registration property containing the operations for which the service should be called, defaults to all the operations (value is "operations").- See Also:
- Constant Field Values
-
FINALOPERATIONS
static final java.lang.String FINALOPERATIONS
The name of the (multi-value) service registration property containing the operations for which the service should be called and no further service should be called after this, except the services returns DONTCARE as result, default is empty (none of them are final) (value is "finaloperations").- See Also:
- Constant Field Values
-
-
Method Detail
-
canRead
ResourceAccessGate.GateResult canRead(Resource resource)
-
canCreate
ResourceAccessGate.GateResult canCreate(java.lang.String absPathName, ResourceResolver resourceResolver)
-
canOrderChildren
default ResourceAccessGate.GateResult canOrderChildren(Resource resource)
-
canUpdate
ResourceAccessGate.GateResult canUpdate(Resource resource)
-
canDelete
ResourceAccessGate.GateResult canDelete(Resource resource)
-
canExecute
ResourceAccessGate.GateResult canExecute(Resource resource)
-
canReadValue
ResourceAccessGate.GateResult canReadValue(Resource resource, java.lang.String valueName)
-
canCreateValue
ResourceAccessGate.GateResult canCreateValue(Resource resource, java.lang.String valueName)
-
canUpdateValue
ResourceAccessGate.GateResult canUpdateValue(Resource resource, java.lang.String valueName)
-
canDeleteValue
ResourceAccessGate.GateResult canDeleteValue(Resource resource, java.lang.String valueName)
-
transformQuery
java.lang.String transformQuery(java.lang.String query, java.lang.String language, ResourceResolver resourceResolver) throws AccessSecurityException
Allows to transform the query based on the current user's credentials. Can be used to narrow down queries to omit results that the current user is not allowed to see anyway, speeding up downstream access control. Query transformations are not critical with respect to access control as results are checked using the canRead.. methods anyway.- Parameters:
query
- the querylanguage
- the language in which the query is expressedresourceResolver
- the resource resolver which resolves the query- Returns:
- the transformed query or the original query if no tranformation
took place. This method should never return
null
- Throws:
AccessSecurityException
-
hasReadRestrictions
boolean hasReadRestrictions(ResourceResolver resourceResolver)
-
hasCreateRestrictions
boolean hasCreateRestrictions(ResourceResolver resourceResolver)
-
hasOrderChildrenRestrictions
default boolean hasOrderChildrenRestrictions(ResourceResolver resourceResolver)
-
hasUpdateRestrictions
boolean hasUpdateRestrictions(ResourceResolver resourceResolver)
-
hasDeleteRestrictions
boolean hasDeleteRestrictions(ResourceResolver resourceResolver)
-
hasExecuteRestrictions
boolean hasExecuteRestrictions(ResourceResolver resourceResolver)
-
canReadAllValues
boolean canReadAllValues(Resource resource)
-
canCreateAllValues
boolean canCreateAllValues(Resource resource)
-
canUpdateAllValues
boolean canUpdateAllValues(Resource resource)
-
canDeleteAllValues
boolean canDeleteAllValues(Resource resource)
-
-