Package org.apache.jackrabbit.oak.spi.security.authentication.external.impl

Class DynamicSyncContext

java.lang.Object

org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext

org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DynamicSyncContext

All Implemented Interfaces:

SyncContext

public class DynamicSyncContext
extends DefaultSyncContext

Extension of the DefaultSyncContext that doesn't synchronize group membership of new external users into the user management of the repository. Instead it will only synchronize the principal names up to the configured depths. In combination with the a dedicated PrincipalConfiguration this allows to benefit from the repository's authorization model (which is solely based on principals) i.e. full compatibility with the default approach without the complication of synchronizing user management information into the repository, when user management is effectively take care of by the third party system. With the DefaultSyncHandler this feature can be turned on using DefaultSyncConfig.User.setDynamicMembership(boolean) Note: users and groups that have been synchronized before the dynamic membership feature has been enabled will continue to be synchronized in the default way and this context doesn't take effect.

Since:

Oak 1.5.3

Field Summary

Fields inherited from class org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext

config, forceGroupSync, forceUserSync, idp, keepMissing, now, nowValue, REP_EXTERNAL_ID, REP_LAST_SYNCED, userManager, valueFactory

Constructor Summary

Constructors

Constructor	Description
DynamicSyncContext(@NotNull DefaultSyncConfig config, @NotNull ExternalIdentityProvider idp, @NotNull UserManager userManager, @NotNull ValueFactory valueFactory)

Method Summary

Modifier and Type	Method	Description
protected void	applyMembership(@NotNull Authorizable member, @NotNull Set<String> groups)	Ensures that the given authorizable is member of the specific groups.
boolean	convertToDynamicMembership(@NotNull Authorizable authorizable)
@NotNull SyncResult	sync(@NotNull ExternalIdentity identity)	Synchronizes an external identity with the repository based on the respective configuration.
protected void	syncMembership(@NotNull ExternalIdentity external, @NotNull Authorizable auth, long depth)	Recursively sync the memberships of an authorizable up-to the specified depth.

Methods inherited from class org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext

close, createGroup, createSyncedIdentity, createUser, createValue, createValues, getAuthorizable, getExternalGroupFromRef, getIdentityRef, isExpired, isForceGroupSync, isForceUserSync, isKeepMissing, isSameIDP, isSameIDP, joinPaths, setForceGroupSync, setForceUserSync, setKeepMissing, sync, syncGroup, syncProperties, syncUser, warnForeign, warnForeignExisting

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

DynamicSyncContext

public DynamicSyncContext(@NotNull
                          @NotNull DefaultSyncConfig config,
                          @NotNull
                          @NotNull ExternalIdentityProvider idp,
                          @NotNull
                          @NotNull UserManager userManager,
                          @NotNull
                          @NotNull ValueFactory valueFactory)

Method Detail

convertToDynamicMembership

public boolean convertToDynamicMembership(@NotNull
                                          @NotNull Authorizable authorizable)
                                   throws RepositoryException

Throws:

RepositoryException

sync

@NotNull
public @NotNull SyncResult sync(@NotNull
                                @NotNull ExternalIdentity identity)
                         throws SyncException

Description copied from class: DefaultSyncContext

Synchronizes an external identity with the repository based on the respective configuration.

Specified by:

sync in interface SyncContext

Overrides:

sync in class DefaultSyncContext

Parameters:

identity - the identity to sync.

Returns:

the result of the operation

Throws:

SyncException - if an error occurs

syncMembership

protected void syncMembership(@NotNull
                              @NotNull ExternalIdentity external,
                              @NotNull
                              @NotNull Authorizable auth,
                              long depth)
                       throws RepositoryException

Description copied from class: DefaultSyncContext

Recursively sync the memberships of an authorizable up-to the specified depth. If the given depth is equal or less than 0, no syncing is performed.

Overrides:

syncMembership in class DefaultSyncContext

Parameters:

external - the external identity

auth - the authorizable

depth - recursion depth.

Throws:

RepositoryException - If a user management specific error occurs upon synchronizing membership

applyMembership

protected void applyMembership(@NotNull
                               @NotNull Authorizable member,
                               @NotNull
                               @NotNull Set<String> groups)
                        throws RepositoryException

Description copied from class: DefaultSyncContext

Ensures that the given authorizable is member of the specific groups. Note that it does not create groups if missing, nor remove memberships of groups not in the given set.

Overrides:

applyMembership in class DefaultSyncContext

Parameters:

member - the authorizable

groups - set of groups.

Throws:

RepositoryException