Class ReadOnlyAuthorizationConfiguration

java.lang.Object
org.apache.jackrabbit.oak.spi.security.SecurityConfiguration.Default
org.apache.jackrabbit.oak.spi.security.ConfigurationBase
org.apache.jackrabbit.oak.exercise.security.authorization.models.readonly.ReadOnlyAuthorizationConfiguration
All Implemented Interfaces:
AuthorizationConfiguration, SecurityConfiguration

public final class ReadOnlyAuthorizationConfiguration extends ConfigurationBase implements AuthorizationConfiguration

Read Only Authorization Model

This authorization module forms part of the training material provided by the oak-exercise module and must not be used in a production environment!

Overview

This simplistic authorization model is limited to permission evaluation and doesn't support access control management. The permission evaluation is hardcoded to only allow read access to every single item in the repository (even access control content). All other permissions are denied for every set of principals. There is a single exception to that rule: for the internal SystemPrincipal, permission evaluation is not enforced by this module, i.e. this module is skipped.

Intended Usage

This authorization model is intended to be used in 'AND' combination with the default authorization setup defined by Oak (and optionally additional models such as oak-authorization-cug). It is not intended to be used as a standalone model, as it would grant full read access to everyone.
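
The effect of the 'AND' combination can be seen in a simplified model. The following is an added example, not code from oak-exercise or Oak: the `Model` interface, the `"system"` principal name, the string actions and the grant table are assumptions made for illustration and do not use Oak's PermissionProvider API.

```java
import java.util.*;

// Simplified stand-in for permission evaluation; NOT Oak's PermissionProvider API.
public class AndCompositionDemo {
    // A model returns empty when it does not take part in evaluation (is skipped).
    interface Model { Optional<Boolean> isGranted(Set<String> principals, String path, String action); }

    static final String SYSTEM = "system"; // hypothetical name standing in for SystemPrincipal

    // Read-only model as described in the Overview: read on every item, nothing else,
    // and skipped entirely for the system principal.
    static final Model READ_ONLY = (principals, path, action) ->
            principals.contains(SYSTEM) ? Optional.empty() : Optional.of(action.equals("read"));

    // Hypothetical default model: constructed grants keyed by principal, matched by path prefix.
    static Model defaultModel(Map<String, Map<String, Set<String>>> grants) {
        return (principals, path, action) -> Optional.of(principals.stream().anyMatch(p ->
                grants.getOrDefault(p, Map.of()).entrySet().stream().anyMatch(e ->
                        path.startsWith(e.getKey()) && e.getValue().contains(action))));
    }

    // 'AND' composition: every participating model must grant; with no participant, deny.
    static boolean and(List<Model> models, Set<String> principals, String path, String action) {
        boolean any = false;
        for (Model m : models) {
            Optional<Boolean> r = m.isGranted(principals, path, action);
            if (r.isPresent()) { if (!r.get()) return false; any = true; }
        }
        return any;
    }

    public static void main(String[] args) {
        Model def = defaultModel(Map.of(                       // constructed sample grants
                "alice", Map.of("/content", Set.of("read", "write")),
                SYSTEM, Map.of("/", Set.of("read", "write"))));
        List<Model> standalone = List.of(READ_ONLY), combined = List.of(def, READ_ONLY);
        Set<String> alice = Set.of("alice"), bob = Set.of("bob"), system = Set.of(SYSTEM);
        // Standalone: a principal without any grant reading access control content.
        System.out.println(and(standalone, bob, "/secret/rep:policy", "read"));
        // Combined: the same request now also has to pass the default model.
        System.out.println(and(combined, bob, "/secret/rep:policy", "read"));
        // Combined: alice's read and write, both granted by the default model alone.
        System.out.println(and(combined, alice, "/content/a", "read"));
        System.out.println(and(combined, alice, "/content/a", "write"));
        // System principal: the read-only model is skipped, the default model decides.
        System.out.println(and(combined, system, "/content/a", "write"));
    }
}
```

Comparing the first two lines of output shows why the model must not run standalone, and the fourth shows that in combination it can only remove permissions, never add them.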

Limitations

Experimental model for training purposes, not intended for use in production.

Key Features

Access Control Management

| Feature | Description |
|---|---|
| Supported Privileges | all |
| Supports Custom Privileges | yes |
| Management by Path | not supported |
| Management by Principals | not supported |
| Owned Policies | None |
| Effective Policies by Path | for every path a single effective policy of type NamedAccessControlPolicy |
| Effective Policies by Principals | for every set of principals a single effective policy of type NamedAccessControlPolicy |

Permission Evaluation

| Feature | Description |
|---|---|
| Supported Permissions | all |
| Aggregated Permission Provider | yes |

Representation in the Repository

There exists no dedicated access control or permission content for this authorization model as it doesn't persist any information into the repository. SecurityConfiguration.getContext() therefore returns the default.

Configuration

This model comes with a single mandatory configurable property:
  • configurationRanking : CompositeConfiguration.PARAM_RANKING, no default value.

Installation Instructions

The following steps are required to install this authorization model in an OSGi based Oak setup.
  • Upload the oak-exercise bundle
  • Edit configuration of 'ReadOnlyAuthorizationConfiguration' specifying the mandatory ranking property
  • Edit configuration of SecurityProviderRegistration
    • add org.apache.jackrabbit.oak.exercise.security.authorization.models.readonly.ReadOnlyAuthorizationConfiguration to the list of required service IDs
    • make sure the 'Authorization Composition Type' is set to AND
  • Wait for the SecurityProvider to be successfully registered again.