org.apache.jackrabbit.oak.exercise.security.authorization.models.readonly

Class ReadOnlyAuthorizationConfiguration

java.lang.Object

org.apache.jackrabbit.oak.spi.security.SecurityConfiguration.Default

org.apache.jackrabbit.oak.spi.security.ConfigurationBase

org.apache.jackrabbit.oak.exercise.security.authorization.models.readonly.ReadOnlyAuthorizationConfiguration

All Implemented Interfaces:

AuthorizationConfiguration, SecurityConfiguration

@Service(value={AuthorizationConfiguration.class,SecurityConfiguration.class})
 @Property(name="configurationRanking",label="Ranking",description="Ranking of this configuration in a setup with multiple authorization configurations.",intValue=300) @Property(name="oak.security.name",propertyPrivate=true,value="org.apache.jackrabbit.oak.exercise.security.authorization.models.readonly.ReadOnlyAuthorizationConfiguration")
public final class ReadOnlyAuthorizationConfiguration
extends ConfigurationBase
implements AuthorizationConfiguration

Read Only Authorization Model

This authorization module forms part of the training material provided by the oak-exercise module and must not be used in a productive environment!

Overview

This simplistic authorization model is limited to permission evaluation and doesn't support access control management. The permission evaluation is hardcoded to only allow read access to every single item in the repository (even access control content). All other permissions are denied for every set of principals. There exists a single exception to that rule: For the internal SystemPrincipal permission evaluation is not enforced by this module i.e. this module is skipped.

Intended Usage

This authorization model is intended to be used in 'AND' combination with the default authorization setup defined by Oak (and optionally additional models such as e.g. oak-authorization-cug. It is not intended to be used as standalone model as it would grant full read access to everyone.

Limitations

Experimental model for training purpose and not intended for usage in production.

Key Features

Access Control Management

Feature	Description
Supported Privileges	all
Supports Custom Privileges	yes
Management by Path	not supported
Management by Principals	not supported
Owned Policies	None
Effective Policies by Path	for every path a single effective policy of type NamedAccessControlPolicy
Effective Policies by Principals	for every set of principals a single effective policy of type NamedAccessControlPolicy

Permission Evaluation

Feature	Description
Supported Permissions	all
Aggregated Permission Provider	yes

Representation in the Repository

There exists no dedicated access control or permission content for this authorization model as it doesn't persist any information into the repository. SecurityConfiguration.getContext() therefore returns the default.

Configuration

This model comes with a single mandatory configurable property: - configurationRanking : CompositeConfiguration.PARAM_RANKING, no default value.

Installation Instructions

The following steps are required to install this authorization model in an OSGi based Oak setup.

• Upload the oak-exercise bundle
• Edit configuration of 'ReadOnlyAuthorizationConfiguration' specifying the mandatory ranking property
• Edit configuration of SecurityProviderRegistration
  • add org.apache.jackrabbit.oak.exercise.security.authorization.models.readonly.ReadOnlyAuthorizationConfiguration to the list of required service IDs
  • make sure the 'Authorization Composition Type' is set to AND
• Wait for the SecurityProvider to be successfully registered again.

Nested Class Summary

Nested classes/interfaces inherited from interface org.apache.jackrabbit.oak.spi.security.SecurityConfiguration

SecurityConfiguration.Default

Field Summary

Fields inherited from interface org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration

NAME

Constructor Summary

Constructors

Constructor and Description
ReadOnlyAuthorizationConfiguration()

Method Summary

Modifier and Type	Method and Description
@NotNull AccessControlManager	getAccessControlManager(@NotNull Root root, @NotNull NamePathMapper namePathMapper)
@NotNull List<? extends CommitHook>	getCommitHooks(@NotNull String workspaceName) Returns the list of commit hooks that need to be executed for the specified workspace name.
@NotNull List<ThreeWayConflictHandler>	getConflictHandlers() Returns the list of conflict handlers available for this security configuration.
@NotNull Context	getContext()
@NotNull String	getName() Returns the name of this security configuration.
@NotNull ConfigurationParameters	getParameters() Returns the configuration parameters associated with this security configuration instance.
@NotNull PermissionProvider	getPermissionProvider(@NotNull Root root, @NotNull String workspaceName, @NotNull Set<Principal> principals)
@NotNull List<ProtectedItemImporter>	getProtectedItemImporters()
@NotNull RepositoryInitializer	getRepositoryInitializer() Returns a repository initializer for this security configuration.
@NotNull RestrictionProvider	getRestrictionProvider()
@NotNull List<? extends ValidatorProvider>	getValidators(@NotNull String workspaceName, @NotNull Set<Principal> principals, @NotNull MoveTracker moveTracker) Returns the list of validators that need to be executed for the specified workspace name.
@NotNull WorkspaceInitializer	getWorkspaceInitializer() Returns a workspace initializer for this security configuration.

Methods inherited from class org.apache.jackrabbit.oak.spi.security.ConfigurationBase

getRootProvider, getSecurityProvider, getTreeProvider, setParameters, setRootProvider, setSecurityProvider, setTreeProvider

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

ReadOnlyAuthorizationConfiguration

public ReadOnlyAuthorizationConfiguration()

Method Detail

getAccessControlManager

@NotNull
public @NotNull AccessControlManager getAccessControlManager(@NotNull
                                                                      @NotNull Root root,
                                                                      @NotNull
                                                                      @NotNull NamePathMapper namePathMapper)

Specified by:

getAccessControlManager in interface AuthorizationConfiguration

getRestrictionProvider

@NotNull
public @NotNull RestrictionProvider getRestrictionProvider()

Specified by:

getRestrictionProvider in interface AuthorizationConfiguration

getPermissionProvider

@NotNull
public @NotNull PermissionProvider getPermissionProvider(@NotNull
                                                                  @NotNull Root root,
                                                                  @NotNull
                                                                  @NotNull String workspaceName,
                                                                  @NotNull
                                                                  @NotNull Set<Principal> principals)

Specified by:

getPermissionProvider in interface AuthorizationConfiguration

getName

@NotNull
public @NotNull String getName()

Description copied from interface: SecurityConfiguration

Returns the name of this security configuration.

Specified by:

getName in interface SecurityConfiguration

Overrides:

getName in class SecurityConfiguration.Default

Returns:

The name of this configuration.

getParameters

@NotNull
public @NotNull ConfigurationParameters getParameters()

Description copied from interface: SecurityConfiguration

Returns the configuration parameters associated with this security configuration instance. If no parameters are present ConfigurationParameters.EMPTY should be returned.

Specified by:

getParameters in interface SecurityConfiguration

Overrides:

getParameters in class ConfigurationBase

Returns:

The configuration parameters.

getWorkspaceInitializer

@NotNull
public @NotNull WorkspaceInitializer getWorkspaceInitializer()

Description copied from interface: SecurityConfiguration

Returns a workspace initializer for this security configuration. If this configuration doesn't require any specific workspace initialization WorkspaceInitializer.DEFAULT should be returned.

Specified by:

getWorkspaceInitializer in interface SecurityConfiguration

Overrides:

getWorkspaceInitializer in class SecurityConfiguration.Default

Returns:

An instance of WorkspaceInitializer.

getRepositoryInitializer

@NotNull
public @NotNull RepositoryInitializer getRepositoryInitializer()

Description copied from interface: SecurityConfiguration

Returns a repository initializer for this security configuration. If this configuration doesn't require any specific repository initialization RepositoryInitializer.DEFAULT should be returned.

Specified by:

getRepositoryInitializer in interface SecurityConfiguration

Overrides:

getRepositoryInitializer in class SecurityConfiguration.Default

Returns:

An instance of RepositoryInitializer.

getCommitHooks

@NotNull
public @NotNull List<? extends CommitHook> getCommitHooks(@NotNull
                                                                   @NotNull String workspaceName)

Description copied from interface: SecurityConfiguration

Returns the list of commit hooks that need to be executed for the specified workspace name.

Specified by:

getCommitHooks in interface SecurityConfiguration

Overrides:

getCommitHooks in class SecurityConfiguration.Default

Parameters:

workspaceName - The name of the workspace.

Returns:

A list of commit hooks.

getValidators

@NotNull
public @NotNull List<? extends ValidatorProvider> getValidators(@NotNull
                                                                         @NotNull String workspaceName,
                                                                         @NotNull
                                                                         @NotNull Set<Principal> principals,
                                                                         @NotNull
                                                                         @NotNull MoveTracker moveTracker)

Description copied from interface: SecurityConfiguration

Returns the list of validators that need to be executed for the specified workspace name.

Specified by:

getValidators in interface SecurityConfiguration

Overrides:

getValidators in class SecurityConfiguration.Default

Parameters:

workspaceName - The name of the workspace.

principals - The set of principals associated with the subject that is committing modifications.

moveTracker - The move tracker associated with the commit.

Returns:

A list of validators.

getConflictHandlers

@NotNull
public @NotNull List<ThreeWayConflictHandler> getConflictHandlers()

Description copied from interface: SecurityConfiguration

Returns the list of conflict handlers available for this security configuration.

Specified by:

getConflictHandlers in interface SecurityConfiguration

Overrides:

getConflictHandlers in class SecurityConfiguration.Default

Returns:

A list of ThreeWayConflictHandler.

getProtectedItemImporters

@NotNull
public @NotNull List<ProtectedItemImporter> getProtectedItemImporters()

Specified by:

getProtectedItemImporters in interface SecurityConfiguration

Overrides:

getProtectedItemImporters in class SecurityConfiguration.Default

Returns:

The list of protected item importers defined by this configuration.

getContext

@NotNull
public @NotNull Context getContext()

Specified by:

getContext in interface SecurityConfiguration

Overrides:

getContext in class SecurityConfiguration.Default

Returns:

The context defined by this configuration.