Package org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal

Class ExternalPrincipalConfiguration

java.lang.Object

org.apache.jackrabbit.oak.spi.security.SecurityConfiguration.Default

org.apache.jackrabbit.oak.spi.security.ConfigurationBase

org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal.ExternalPrincipalConfiguration

All Implemented Interfaces:

PrincipalConfiguration, SecurityConfiguration

@Service({PrincipalConfiguration.class,SecurityConfiguration.class})
@Property(name="protectExternalId",label="External Identity Protection",description="If disabled rep:externalId properties won\'t be properly protected (backwards compatible behavior). NOTE: for security reasons it is strongly recommend to keep the protection enabled!",boolValue=true) @Property(name="protectExternalIdentities",label="External User and Group Protection",description="If \'None\' is selected the synchronized external users/groups won\'t be protected (backwards compatible behavior) and can be edited like local users/groups. NOTE: in order to avoid having inconsistencies between the IDP that defines the external identities and local synced identities it is recommend to enable the protection. With option \'Warn\' the protection is disabled but warnings will be logged.",options={@PropertyOption(name="None",value="None"),@PropertyOption(name="Warn",value="Warn"),@PropertyOption(name="Protected",value="Protected")}) @Property(name="systemPrincipalNames",label="System Principal Names",description="Names of additional \'SystemUserPrincipal\' instances that are excluded from the protection check. Note that this configuration does not grant the required permission to perform the operation.",value={},cardinality=10) @Property(name="oak.security.name",propertyPrivate=true,value="org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal.ExternalPrincipalConfiguration")
public class ExternalPrincipalConfiguration
extends ConfigurationBase
implements PrincipalConfiguration

Implementation of the PrincipalConfiguration interface that provides principal management for Group principals associated with external identities managed outside of the scope of the repository by an ExternalIdentityProvider.

Since:

Oak 1.5.3

See Also:

OAK-4101

Nested Class Summary

Nested classes/interfaces inherited from interface org.apache.jackrabbit.oak.spi.security.SecurityConfiguration

SecurityConfiguration.Default

Field Summary

Fields inherited from interface org.apache.jackrabbit.oak.spi.security.principal.PrincipalConfiguration

NAME

Constructor Summary

Constructors

Constructor	Description
ExternalPrincipalConfiguration()
ExternalPrincipalConfiguration(SecurityProvider securityProvider)

Method Summary

Modifier and Type	Method	Description
@NotNull java.util.List<ThreeWayConflictHandler>	getConflictHandlers()	Returns the list of conflict handlers available for this security configuration.
@NotNull java.lang.Iterable<Monitor<?>>	getMonitors(@NotNull StatisticsProvider statisticsProvider)
@NotNull java.lang.String	getName()	Returns the name of this security configuration.
@NotNull PrincipalManager	getPrincipalManager(Root root, NamePathMapper namePathMapper)	Returns an instance of PrincipalManager that can be used to query and retrieve principals such as needed for JCR access control management.
@NotNull PrincipalProvider	getPrincipalProvider(Root root, NamePathMapper namePathMapper)	Returns an instance of the OAK PrincipalProvider.
@NotNull java.util.List<ProtectedItemImporter>	getProtectedItemImporters()
@NotNull RepositoryInitializer	getRepositoryInitializer()	Returns a repository initializer for this security configuration.
@NotNull java.util.List<? extends ValidatorProvider>	getValidators(@NotNull java.lang.String workspaceName, @NotNull java.util.Set<java.security.Principal> principals, @NotNull MoveTracker moveTracker)	Returns the list of validators that need to be executed for the specified workspace name.

Methods inherited from class org.apache.jackrabbit.oak.spi.security.ConfigurationBase

getParameters, getRootProvider, getSecurityProvider, getTreeProvider, setParameters, setRootProvider, setSecurityProvider, setTreeProvider

Methods inherited from class org.apache.jackrabbit.oak.spi.security.SecurityConfiguration.Default

getCommitHooks, getContext, getWorkspaceInitializer

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.jackrabbit.oak.spi.security.SecurityConfiguration

getCommitHooks, getContext, getParameters, getWorkspaceInitializer

Constructor Detail

ExternalPrincipalConfiguration

public ExternalPrincipalConfiguration()

ExternalPrincipalConfiguration

public ExternalPrincipalConfiguration(SecurityProvider securityProvider)

Method Detail

getPrincipalManager

@NotNull
public @NotNull PrincipalManager getPrincipalManager(Root root,
                                                     NamePathMapper namePathMapper)

Description copied from interface: PrincipalConfiguration

Returns an instance of PrincipalManager that can be used to query and retrieve principals such as needed for JCR access control management.

Specified by:

getPrincipalManager in interface PrincipalConfiguration

Parameters:

root - The target root.

namePathMapper - The NamePathMapper to be used.

Returns:

An instance of PrincipalManager.

See Also:

JackrabbitSession.getPrincipalManager()

getPrincipalProvider

@NotNull
public @NotNull PrincipalProvider getPrincipalProvider(Root root,
                                                       NamePathMapper namePathMapper)

Description copied from interface: PrincipalConfiguration

Returns an instance of the OAK PrincipalProvider.

Backwards compatibility with Jackrabbit 2.x

Configuration of Principal Providers

In Jackrabbit 2.x the configuration of principal providers was tied to the LoginModule configuration and thus mixing authentication concerns with the principal management. Since OAK makes the PrincipalProvider a public interface of the SPI, it's configuration goes along with the configuration of the JCR level PrincipalManager. The authentication setup may have access to the principal configuration if the SecurityProvider is made available in the AuthenticationConfiguration.

Multiple Sources for Principals

In Jackrabbit 2.x it was possible to configure multiple principal providers. As of OAK there is only one single principal provider implementation responsible for a given configuration. If principals originate from different sources it is recommended to define a separate PrincipalConfiguration for each source.

Specified by:

getPrincipalProvider in interface PrincipalConfiguration

Parameters:

root - The target Root.

namePathMapper - The NamePathMapper to be used.

Returns:

An instance of PrincipalProvider.

getName

@NotNull
public @NotNull java.lang.String getName()

Description copied from interface: SecurityConfiguration

Returns the name of this security configuration.

Specified by:

getName in interface SecurityConfiguration

Overrides:

getName in class SecurityConfiguration.Default

Returns:

The name of this configuration.

getRepositoryInitializer

@NotNull
public @NotNull RepositoryInitializer getRepositoryInitializer()

Description copied from interface: SecurityConfiguration

Returns a repository initializer for this security configuration. If this configuration doesn't require any specific repository initialization RepositoryInitializer.DEFAULT should be returned.

Specified by:

getRepositoryInitializer in interface SecurityConfiguration

Overrides:

getRepositoryInitializer in class SecurityConfiguration.Default

Returns:

An instance of RepositoryInitializer.

getValidators

@NotNull
public @NotNull java.util.List<? extends ValidatorProvider> getValidators(@NotNull
                                                                          @NotNull java.lang.String workspaceName,
                                                                          @NotNull
                                                                          @NotNull java.util.Set<java.security.Principal> principals,
                                                                          @NotNull
                                                                          @NotNull MoveTracker moveTracker)

Description copied from interface: SecurityConfiguration

Returns the list of validators that need to be executed for the specified workspace name.

Specified by:

getValidators in interface SecurityConfiguration

Overrides:

getValidators in class SecurityConfiguration.Default

Parameters:

workspaceName - The name of the workspace.

principals - The set of principals associated with the subject that is committing modifications.

moveTracker - The move tracker associated with the commit.

Returns:

A list of validators.

getProtectedItemImporters

@NotNull
public @NotNull java.util.List<ProtectedItemImporter> getProtectedItemImporters()

Specified by:

getProtectedItemImporters in interface SecurityConfiguration

Overrides:

getProtectedItemImporters in class SecurityConfiguration.Default

Returns:

The list of protected item importers defined by this configuration.

getMonitors

@NotNull
public @NotNull java.lang.Iterable<Monitor<?>> getMonitors(@NotNull
                                                           @NotNull StatisticsProvider statisticsProvider)

Specified by:

getMonitors in interface SecurityConfiguration

getConflictHandlers

@NotNull
public @NotNull java.util.List<ThreeWayConflictHandler> getConflictHandlers()

Description copied from interface: SecurityConfiguration

Returns the list of conflict handlers available for this security configuration.

Specified by:

getConflictHandlers in interface SecurityConfiguration

Overrides:

getConflictHandlers in class SecurityConfiguration.Default

Returns:

A list of ThreeWayConflictHandler.