Class ReadOnlyAuthorizationConfiguration
- java.lang.Object
  - org.apache.jackrabbit.oak.spi.security.SecurityConfiguration.Default
    - org.apache.jackrabbit.oak.spi.security.ConfigurationBase
      - org.apache.jackrabbit.oak.exercise.security.authorization.models.readonly.ReadOnlyAuthorizationConfiguration

All Implemented Interfaces:
org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration, org.apache.jackrabbit.oak.spi.security.SecurityConfiguration

@Service({org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration.class,org.apache.jackrabbit.oak.spi.security.SecurityConfiguration.class})
@Property(name="configurationRanking",label="Ranking",description="Ranking of this configuration in a setup with multiple authorization configurations.",intValue=300)
@Property(name="oak.security.name",propertyPrivate=true,value="org.apache.jackrabbit.oak.exercise.security.authorization.models.readonly.ReadOnlyAuthorizationConfiguration")
public final class ReadOnlyAuthorizationConfiguration
extends org.apache.jackrabbit.oak.spi.security.ConfigurationBase
implements org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration

Read Only Authorization Model
This authorization module forms part of the training material provided by the oak-exercise module and must not be used in a production environment!

Overview
This simplistic authorization model is limited to permission evaluation and doesn't support access control management. The permission evaluation is hardcoded to only allow read access to every single item in the repository (even access control content). All other permissions are denied for every set of principals. There is a single exception to that rule: for the internal SystemPrincipal, permission evaluation is not enforced by this module, i.e. this module is skipped.

Intended Usage
This authorization model is intended to be used in 'AND' combination with the default authorization setup defined by Oak (and optionally additional models such as oak-authorization-cug). It is not intended to be used as a standalone model, as it would grant full read access to everyone.

Limitations
Experimental model for training purposes and not intended for usage in production.

Key Features
Access Control Management
- Supported Privileges: all
- Supports Custom Privileges: yes
- Management by Path: not supported
- Management by Principals: not supported
- Owned Policies: None
- Effective Policies by Path: for every path a single effective policy of type NamedAccessControlPolicy
- Effective Policies by Principals: for every set of principals a single effective policy of type NamedAccessControlPolicy

Permission Evaluation
- Supported Permissions: all
- Aggregated Permission Provider: yes

Representation in the Repository
There exists no dedicated access control or permission content for this authorization model as it doesn't persist any information into the repository. SecurityConfiguration.getContext() therefore returns the default.

Configuration
This model comes with a single mandatory configurable property:
- configurationRanking : CompositeConfiguration.PARAM_RANKING, no default value.

Installation Instructions
The following steps are required to install this authorization model in an OSGi based Oak setup.
- Upload the oak-exercise bundle
- Edit configuration of 'ReadOnlyAuthorizationConfiguration' specifying the mandatory ranking property
- Edit configuration of SecurityProviderRegistration
  - add org.apache.jackrabbit.oak.exercise.security.authorization.models.readonly.ReadOnlyAuthorizationConfiguration to the list of required service IDs
  - make sure the 'Authorization Composition Type' is set to AND
- Wait for the SecurityProvider to be successfully registered again.
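
The effect of the 'AND' combination that the Overview, Intended Usage and installation steps call for can be seen in a small stand-alone Java model. This is an added example, not code from oak-exercise or Oak: the Model interface, the permission bits, the principal names, the paths and the stand-in default model are all assumptions made for illustration.

```java
import java.util.List;
import java.util.Set;

// Simplified model of 'AND' composition; stand-in types, not Oak's PermissionProvider API.
public class ReadOnlyAndCompositionDemo {
    static final long READ = 1, WRITE = 2;   // constructed permission bits
    static final String SYSTEM = "system";   // stand-in for the internal system principal

    interface Model {
        boolean isGranted(Set<String> principals, String path, long permissions);
        default boolean appliesTo(Set<String> principals) { return true; }
    }

    // The read-only model as the page describes it: read on every item, nothing
    // else, for any set of principals; skipped for the system principal.
    static final Model READ_ONLY = new Model() {
        public boolean isGranted(Set<String> p, String path, long perms) { return (perms & ~READ) == 0; }
        public boolean appliesTo(Set<String> p) { return !p.contains(SYSTEM); }
    };

    // Hypothetical default model: "editor" and the system principal get any
    // permission below /content, everyone else gets nothing.
    static final Model DEFAULT_MODEL = (p, path, perms) ->
            (p.contains("editor") || p.contains(SYSTEM)) && path.startsWith("/content");

    // 'AND': every model that applies to the principals must grant the request.
    static Model and(List<Model> models) {
        return (p, path, perms) -> models.stream()
                .filter(m -> m.appliesTo(p))
                .allMatch(m -> m.isGranted(p, path, perms));
    }

    // Fails loudly if an evaluation result differs from the documented behaviour.
    static void expect(boolean expected, boolean actual, String what) {
        if (expected != actual) throw new AssertionError(what);
        System.out.println(what + ": " + actual);
    }

    public static void main(String[] args) {
        Model composite = and(List.of(DEFAULT_MODEL, READ_ONLY));
        Set<String> editor = Set.of("editor"), anon = Set.of("anonymous"), system = Set.of(SYSTEM);
        expect(true,  READ_ONLY.isGranted(anon, "/rep:policy", READ), "standalone: anyone reads access control content");
        expect(false, composite.isGranted(anon, "/content/a", READ), "AND: default model still gates read");
        expect(true,  composite.isGranted(editor, "/content/a", READ), "AND: editor may read");
        expect(true,  DEFAULT_MODEL.isGranted(editor, "/content/a", WRITE), "default alone: editor may write");
        expect(false, composite.isGranted(editor, "/content/a", WRITE), "AND: read-only model vetoes write");
        expect(true,  composite.isGranted(system, "/content/a", WRITE), "AND: read-only model skipped for system");
    }
}
```

The first check is the reason the model must not run standalone; the fifth is the only effect it adds once combined with the default setup.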

Constructor Summary
- ReadOnlyAuthorizationConfiguration()

Method Summary
- @NotNull javax.jcr.security.AccessControlManager getAccessControlManager(@NotNull org.apache.jackrabbit.oak.api.Root root, @NotNull org.apache.jackrabbit.oak.namepath.NamePathMapper namePathMapper)
- @NotNull List<? extends org.apache.jackrabbit.oak.spi.commit.CommitHook> getCommitHooks(@NotNull String workspaceName)
- @NotNull List<org.apache.jackrabbit.oak.spi.commit.ThreeWayConflictHandler> getConflictHandlers()
- @NotNull org.apache.jackrabbit.oak.spi.security.Context getContext()
- @NotNull String getName()
- @NotNull org.apache.jackrabbit.oak.spi.security.ConfigurationParameters getParameters()
- @NotNull org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider getPermissionProvider(@NotNull org.apache.jackrabbit.oak.api.Root root, @NotNull String workspaceName, @NotNull Set<Principal> principals)
- @NotNull List<org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter> getProtectedItemImporters()
- @NotNull org.apache.jackrabbit.oak.spi.lifecycle.RepositoryInitializer getRepositoryInitializer()
- @NotNull org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider getRestrictionProvider()
- @NotNull List<? extends org.apache.jackrabbit.oak.spi.commit.ValidatorProvider> getValidators(@NotNull String workspaceName, @NotNull Set<Principal> principals, @NotNull org.apache.jackrabbit.oak.spi.commit.MoveTracker moveTracker)
- @NotNull org.apache.jackrabbit.oak.spi.lifecycle.WorkspaceInitializer getWorkspaceInitializer()

Method Detail

getAccessControlManager
@NotNull public javax.jcr.security.AccessControlManager getAccessControlManager(@NotNull org.apache.jackrabbit.oak.api.Root root, @NotNull org.apache.jackrabbit.oak.namepath.NamePathMapper namePathMapper)
- Specified by: getAccessControlManager in interface org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration

getRestrictionProvider
@NotNull public org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider getRestrictionProvider()
- Specified by: getRestrictionProvider in interface org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration

getPermissionProvider
@NotNull public org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider getPermissionProvider(@NotNull org.apache.jackrabbit.oak.api.Root root, @NotNull String workspaceName, @NotNull Set<Principal> principals)
- Specified by: getPermissionProvider in interface org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration

getName
@NotNull public String getName()
- Specified by: getName in interface org.apache.jackrabbit.oak.spi.security.SecurityConfiguration
- Overrides: getName in class org.apache.jackrabbit.oak.spi.security.SecurityConfiguration.Default

getParameters
@NotNull public org.apache.jackrabbit.oak.spi.security.ConfigurationParameters getParameters()
- Specified by: getParameters in interface org.apache.jackrabbit.oak.spi.security.SecurityConfiguration
- Overrides: getParameters in class org.apache.jackrabbit.oak.spi.security.ConfigurationBase

getWorkspaceInitializer
@NotNull public org.apache.jackrabbit.oak.spi.lifecycle.WorkspaceInitializer getWorkspaceInitializer()
- Specified by: getWorkspaceInitializer in interface org.apache.jackrabbit.oak.spi.security.SecurityConfiguration
- Overrides: getWorkspaceInitializer in class org.apache.jackrabbit.oak.spi.security.SecurityConfiguration.Default

getRepositoryInitializer
@NotNull public org.apache.jackrabbit.oak.spi.lifecycle.RepositoryInitializer getRepositoryInitializer()
- Specified by: getRepositoryInitializer in interface org.apache.jackrabbit.oak.spi.security.SecurityConfiguration
- Overrides: getRepositoryInitializer in class org.apache.jackrabbit.oak.spi.security.SecurityConfiguration.Default

getCommitHooks
@NotNull public List<? extends org.apache.jackrabbit.oak.spi.commit.CommitHook> getCommitHooks(@NotNull String workspaceName)
- Specified by: getCommitHooks in interface org.apache.jackrabbit.oak.spi.security.SecurityConfiguration
- Overrides: getCommitHooks in class org.apache.jackrabbit.oak.spi.security.SecurityConfiguration.Default

getValidators
@NotNull public List<? extends org.apache.jackrabbit.oak.spi.commit.ValidatorProvider> getValidators(@NotNull String workspaceName, @NotNull Set<Principal> principals, @NotNull org.apache.jackrabbit.oak.spi.commit.MoveTracker moveTracker)
- Specified by: getValidators in interface org.apache.jackrabbit.oak.spi.security.SecurityConfiguration
- Overrides: getValidators in class org.apache.jackrabbit.oak.spi.security.SecurityConfiguration.Default

getConflictHandlers
@NotNull public List<org.apache.jackrabbit.oak.spi.commit.ThreeWayConflictHandler> getConflictHandlers()
- Specified by: getConflictHandlers in interface org.apache.jackrabbit.oak.spi.security.SecurityConfiguration
- Overrides: getConflictHandlers in class org.apache.jackrabbit.oak.spi.security.SecurityConfiguration.Default

getProtectedItemImporters
@NotNull public List<org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter> getProtectedItemImporters()
- Specified by: getProtectedItemImporters in interface org.apache.jackrabbit.oak.spi.security.SecurityConfiguration
- Overrides: getProtectedItemImporters in class org.apache.jackrabbit.oak.spi.security.SecurityConfiguration.Default

getContext
@NotNull public org.apache.jackrabbit.oak.spi.security.Context getContext()
- Specified by: getContext in interface org.apache.jackrabbit.oak.spi.security.SecurityConfiguration
- Overrides: getContext in class org.apache.jackrabbit.oak.spi.security.SecurityConfiguration.Default