org.apache.jackrabbit.core.security

Class DefaultAccessManager

java.lang.Object

org.apache.jackrabbit.core.security.AbstractAccessControlManager

org.apache.jackrabbit.core.security.DefaultAccessManager

All Implemented Interfaces:

javax.jcr.security.AccessControlManager, JackrabbitAccessControlManager, AccessManager

public class DefaultAccessManager
extends AbstractAccessControlManager
implements AccessManager

The DefaultAccessManager controls access by evaluating access control policies for the Subject attached to the Session this manager has been built for.

Please note the following exceptional situations:
This manager allows all privileges for a particular item if

• the Session's represents a system session or a session associated with the repository's administrator

It allows to access all available workspaces if

• no WorkspaceAccessManager is defined.

How access control policies are matched to a particular item is defined by the AccessControlProvider set to this AccessManager.

See Also:

AccessManager, AccessControlManager

Field Summary

Fields inherited from interface org.apache.jackrabbit.core.security.AccessManager

READ, REMOVE, WRITE

Constructor Summary

Constructors

Constructor and Description
DefaultAccessManager()

Method Summary

Methods

Modifier and Type	Method and Description
boolean	canAccess(String workspaceName) Determines whether the subject of the current context is granted access to the given workspace.
boolean	canRead(Path itemPath, ItemId itemId) Determines whether the item with the specified itemPath or itemId can be read.
protected void	checkInitialized() Check if this manager has been properly initialized.
void	checkPermission(ItemId id, int permissions) Determines whether the specified permissions are granted on the item with the specified id (i.e.
void	checkPermission(Path absPath, int permissions) Determines whether the specified permissions are granted on the item with the specified id (i.e.
protected void	checkPermission(String absPath, int permission) Check if the specified privileges are granted at absPath.
void	checkRepositoryPermission(int permissions) Determines whether the specified permissions are granted on the repository level.
protected void	checkValidNodePath(String absPath) Tests if the given absPath is absolute and points to an existing node.
void	close() Close this access manager.
JackrabbitAccessControlPolicy[]	getApplicablePolicies(Principal principal) Returns the applicable policies for the specified principal or an empty array if no additional policies can be applied.
javax.jcr.security.AccessControlPolicyIterator	getApplicablePolicies(String absPath) Returns an empty iterator.
javax.jcr.security.AccessControlPolicy[]	getEffectivePolicies(Set<Principal> principals) Returns the AccessControlPolicy objects that are in effect for the given Principals.
javax.jcr.security.AccessControlPolicy[]	getEffectivePolicies(String absPath)
JackrabbitAccessControlPolicy[]	getPolicies(Principal principal) Returns the AccessControlPolicy objects that have been set for the given principal or an empty array if no policy has been set.
javax.jcr.security.AccessControlPolicy[]	getPolicies(String absPath) Returns null.
protected PrivilegeManager	getPrivilegeManager()
javax.jcr.security.Privilege[]	getPrivileges(String absPath)
javax.jcr.security.Privilege[]	getPrivileges(String absPath, Set<Principal> principals) Returns the privileges the given set of Principals has for absolute path absPath, which must be an existing node.
boolean	hasPrivileges(String absPath, javax.jcr.security.Privilege[] privileges)
boolean	hasPrivileges(String absPath, Set<Principal> principals, javax.jcr.security.Privilege[] privileges) Returns whether the given set of Principals has the specified privileges for absolute path absPath, which must be an existing node.
void	init(AMContext amContext) Initialize this access manager.
void	init(AMContext amContext, AccessControlProvider acProvider, WorkspaceAccessManager wspAccessManager) Initialize this access manager.
boolean	isGranted(ItemId id, int actions) Determines whether the specified permissions are granted on the item with the specified id (i.e.
boolean	isGranted(Path absPath, int permissions) Determines whether the specified permissions are granted on the item with the specified absPath (i.e.
boolean	isGranted(Path parentPath, Name childName, int permissions) Determines whether the specified permissions are granted on an item represented by the combination of the given parentPath and childName (i.e.
void	removePolicy(String absPath, javax.jcr.security.AccessControlPolicy policy) Always throws AccessControlException
void	setPolicy(String absPath, javax.jcr.security.AccessControlPolicy policy) Always throws AccessControlException

Methods inherited from class org.apache.jackrabbit.core.security.AbstractAccessControlManager

getSupportedPrivileges, privilegeFromName

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

DefaultAccessManager

public DefaultAccessManager()

Method Detail

init

public void init(AMContext amContext)
          throws javax.jcr.AccessDeniedException,
                 Exception

Description copied from interface: AccessManager

Initialize this access manager. An AccessDeniedException will be thrown if the subject of the given context is not granted access to the specified workspace.

Specified by:

init in interface AccessManager

Parameters:

amContext - access manager context

Throws:

javax.jcr.AccessDeniedException - if the subject is not granted access to the specified workspace.

Exception - if another error occurs

See Also:

AccessManager.init(AMContext)

init

public void init(AMContext amContext,
        AccessControlProvider acProvider,
        WorkspaceAccessManager wspAccessManager)
          throws javax.jcr.AccessDeniedException,
                 Exception

Description copied from interface: AccessManager

Initialize this access manager. An AccessDeniedException will be thrown if the subject of the given context is not granted access to the specified workspace.

Specified by:

init in interface AccessManager

Parameters:

amContext - access manager context.

acProvider - The access control provider.

wspAccessManager - The workspace access manager.

Throws:

javax.jcr.AccessDeniedException - if the subject is not granted access to the specified workspace.

Exception - if another error occurs

See Also:

AccessManager.init(AMContext, AccessControlProvider, WorkspaceAccessManager)

close

public void close()
           throws Exception

Description copied from interface: AccessManager

Close this access manager. After having closed an access manager, further operations on this object are treated as illegal and throw

Specified by:

close in interface AccessManager

Throws:

Exception - if an error occurs

See Also:

AccessManager.close()

checkPermission

public void checkPermission(ItemId id,
                   int permissions)
                     throws javax.jcr.AccessDeniedException,
                            javax.jcr.ItemNotFoundException,
                            javax.jcr.RepositoryException

Description copied from interface: AccessManager

Determines whether the specified permissions are granted on the item with the specified id (i.e. the target item).

Specified by:

checkPermission in interface AccessManager

Parameters:

id - the id of the target item

permissions - A combination of one or more of the following constants encoded as a bitmask value:

• READ
• WRITE
• REMOVE

Throws:

javax.jcr.AccessDeniedException - if permission is denied

javax.jcr.ItemNotFoundException - if the target item does not exist

javax.jcr.RepositoryException - it an error occurs

See Also:

AccessManager.checkPermission(ItemId, int)

checkPermission

public void checkPermission(Path absPath,
                   int permissions)
                     throws javax.jcr.AccessDeniedException,
                            javax.jcr.RepositoryException

Description copied from interface: AccessManager

Determines whether the specified permissions are granted on the item with the specified id (i.e. the target item).

Specified by:

checkPermission in interface AccessManager

Parameters:

absPath - Path to an item.

permissions - A combination of one or more of the Permission constants encoded as a bitmask value.

Throws:

javax.jcr.AccessDeniedException - if permission is denied

javax.jcr.RepositoryException - it another error occurs

See Also:

AccessManager.checkPermission(Path, int)

checkRepositoryPermission

public void checkRepositoryPermission(int permissions)
                               throws javax.jcr.AccessDeniedException,
                                      javax.jcr.RepositoryException

Description copied from interface: AccessManager

Determines whether the specified permissions are granted on the repository level.

Specified by:

checkRepositoryPermission in interface AccessManager

Parameters:

permissions - The permissions to check.

Throws:

javax.jcr.AccessDeniedException - if permissions are denied.

javax.jcr.RepositoryException - if another error occurs.

See Also:

AccessManager.checkRepositoryPermission(int)

isGranted

public boolean isGranted(ItemId id,
                int actions)
                  throws javax.jcr.ItemNotFoundException,
                         javax.jcr.RepositoryException

Description copied from interface: AccessManager

Determines whether the specified permissions are granted on the item with the specified id (i.e. the target item).

Specified by:

isGranted in interface AccessManager

Parameters:

id - the id of the target item

actions - A combination of one or more of the following constants encoded as a bitmask value:

• READ
• WRITE
• REMOVE

Returns:

true if permission is granted; otherwise false

Throws:

javax.jcr.ItemNotFoundException - if the target item does not exist

javax.jcr.RepositoryException - if another error occurs

See Also:

AccessManager.isGranted(ItemId, int)

isGranted

public boolean isGranted(Path absPath,
                int permissions)
                  throws javax.jcr.RepositoryException

Description copied from interface: AccessManager

Determines whether the specified permissions are granted on the item with the specified absPath (i.e. the target item, that may or may not yet exist).

Specified by:

isGranted in interface AccessManager

Parameters:

absPath - the absolute path to test

permissions - A combination of one or more of the Permission constants encoded as a bitmask value.

Returns:

true if the specified permissions are granted; otherwise false.

Throws:

javax.jcr.RepositoryException - if an error occurs.

See Also:

AccessManager.isGranted(Path, int)

isGranted

public boolean isGranted(Path parentPath,
                Name childName,
                int permissions)
                  throws javax.jcr.RepositoryException

Description copied from interface: AccessManager

Determines whether the specified permissions are granted on an item represented by the combination of the given parentPath and childName (i.e. the target item, that may or may not yet exist).

Specified by:

isGranted in interface AccessManager

Parameters:

parentPath - Path to an existing parent node.

childName - Name of the child item that may or may not exist yet.

permissions - A combination of one or more of the Permission constants encoded as a bitmask value.

Returns:

true if the specified permissions are granted; otherwise false.

Throws:

javax.jcr.RepositoryException - if an error occurs.

See Also:

AccessManager.isGranted(Path, Name, int)

canRead

public boolean canRead(Path itemPath,
              ItemId itemId)
                throws javax.jcr.RepositoryException

Description copied from interface: AccessManager

Determines whether the item with the specified itemPath or itemId can be read. Either of the two parameters may be null.
Note, that this method should only be called for persisted items as NEW items may not be visible to the permission evaluation. For new items AccessManager.isGranted(Path, int) should be used instead.

If this method is called with both Path and ItemId it is left to the evaluation, which parameter is used.

Specified by:

canRead in interface AccessManager

Parameters:

itemPath - The path to the item or null if itemId should be used to determine the READ permission.

itemId - Id of the item to be tested or null if the itemPath should be used to determine the permission.

Returns:

true if the item can be read; otherwise false.

Throws:

javax.jcr.RepositoryException - if the item is NEW and only an itemId is specified or if another error occurs.

See Also:

AccessManager.canRead(org.apache.jackrabbit.spi.Path,org.apache.jackrabbit.core.id.ItemId)

canAccess

public boolean canAccess(String workspaceName)
                  throws javax.jcr.RepositoryException

Description copied from interface: AccessManager

Determines whether the subject of the current context is granted access to the given workspace. Note that an implementation is free to test for the existence of a workspace with the specified name. In this case the expected return value is false, if no such workspace exists.

Specified by:

canAccess in interface AccessManager

Parameters:

workspaceName - name of workspace

Returns:

true if the subject of the current context is granted access to the given workspace; otherwise false.

Throws:

javax.jcr.RepositoryException - if an error occurs.

See Also:

AccessManager.canAccess(String)

hasPrivileges

public boolean hasPrivileges(String absPath,
                    javax.jcr.security.Privilege[] privileges)
                      throws javax.jcr.PathNotFoundException,
                             javax.jcr.RepositoryException

Specified by:

hasPrivileges in interface javax.jcr.security.AccessControlManager

Throws:

javax.jcr.PathNotFoundException

javax.jcr.RepositoryException

See Also:

AccessControlManager.hasPrivileges(String, Privilege[])

getPrivileges

public javax.jcr.security.Privilege[] getPrivileges(String absPath)
                                             throws javax.jcr.PathNotFoundException,
                                                    javax.jcr.RepositoryException

Specified by:

getPrivileges in interface javax.jcr.security.AccessControlManager

Throws:

javax.jcr.PathNotFoundException

javax.jcr.RepositoryException

See Also:

AccessControlManager.getPrivileges(String)

getPolicies

public javax.jcr.security.AccessControlPolicy[] getPolicies(String absPath)
                                                     throws javax.jcr.PathNotFoundException,
                                                            javax.jcr.AccessDeniedException,
                                                            javax.jcr.RepositoryException

Description copied from class: AbstractAccessControlManager

Returns null.

Specified by:

getPolicies in interface javax.jcr.security.AccessControlManager

Overrides:

getPolicies in class AbstractAccessControlManager

Parameters:

absPath - Path to an existing node.

Returns:

always returns null.

Throws:

javax.jcr.PathNotFoundException

javax.jcr.AccessDeniedException

javax.jcr.RepositoryException

See Also:

AccessControlManager.getPolicies(String)

getEffectivePolicies

public javax.jcr.security.AccessControlPolicy[] getEffectivePolicies(String absPath)
                                                              throws javax.jcr.PathNotFoundException,
                                                                     javax.jcr.AccessDeniedException,
                                                                     javax.jcr.RepositoryException

Specified by:

getEffectivePolicies in interface javax.jcr.security.AccessControlManager

Throws:

javax.jcr.PathNotFoundException

javax.jcr.AccessDeniedException

javax.jcr.RepositoryException

See Also:

AccessControlManager.getEffectivePolicies(String)

getApplicablePolicies

public javax.jcr.security.AccessControlPolicyIterator getApplicablePolicies(String absPath)
                                                                     throws javax.jcr.PathNotFoundException,
                                                                            javax.jcr.AccessDeniedException,
                                                                            javax.jcr.RepositoryException

Description copied from class: AbstractAccessControlManager

Returns an empty iterator.

Specified by:

getApplicablePolicies in interface javax.jcr.security.AccessControlManager

Overrides:

getApplicablePolicies in class AbstractAccessControlManager

Parameters:

absPath - Path to an existing node.

Returns:

always returns an empty iterator.

Throws:

javax.jcr.PathNotFoundException

javax.jcr.AccessDeniedException

javax.jcr.RepositoryException

See Also:

AccessControlManager.getApplicablePolicies(String)

setPolicy

public void setPolicy(String absPath,
             javax.jcr.security.AccessControlPolicy policy)
               throws javax.jcr.PathNotFoundException,
                      javax.jcr.security.AccessControlException,
                      javax.jcr.AccessDeniedException,
                      javax.jcr.RepositoryException

Description copied from class: AbstractAccessControlManager

Always throws AccessControlException

Specified by:

setPolicy in interface javax.jcr.security.AccessControlManager

Overrides:

setPolicy in class AbstractAccessControlManager

Throws:

javax.jcr.PathNotFoundException

javax.jcr.security.AccessControlException

javax.jcr.AccessDeniedException

javax.jcr.RepositoryException

See Also:

AccessControlManager.setPolicy(String, AccessControlPolicy)

removePolicy

public void removePolicy(String absPath,
                javax.jcr.security.AccessControlPolicy policy)
                  throws javax.jcr.PathNotFoundException,
                         javax.jcr.security.AccessControlException,
                         javax.jcr.AccessDeniedException,
                         javax.jcr.RepositoryException

Description copied from class: AbstractAccessControlManager

Always throws AccessControlException

Specified by:

removePolicy in interface javax.jcr.security.AccessControlManager

Overrides:

removePolicy in class AbstractAccessControlManager

Throws:

javax.jcr.PathNotFoundException

javax.jcr.security.AccessControlException

javax.jcr.AccessDeniedException

javax.jcr.RepositoryException

See Also:

AccessControlManager.removePolicy(String, AccessControlPolicy)

getApplicablePolicies

public JackrabbitAccessControlPolicy[] getApplicablePolicies(Principal principal)
                                                      throws javax.jcr.AccessDeniedException,
                                                             javax.jcr.security.AccessControlException,
                                                             javax.jcr.UnsupportedRepositoryOperationException,
                                                             javax.jcr.RepositoryException

Description copied from interface: JackrabbitAccessControlManager

Returns the applicable policies for the specified principal or an empty array if no additional policies can be applied.

Specified by:

getApplicablePolicies in interface JackrabbitAccessControlManager

Overrides:

getApplicablePolicies in class AbstractAccessControlManager

Parameters:

principal - A principal known to the editing session.

Returns:

array of policies for the specified principal. Note that the policy object returned must reveal the path of the node where they can be applied later on using AccessControlManager.setPolicy(String, javax.jcr.security.AccessControlPolicy).

Throws:

javax.jcr.AccessDeniedException - if the session lacks MODIFY_ACCESS_CONTROL privilege.

javax.jcr.security.AccessControlException - if the specified principal does not exist or if another access control related exception occurs.

javax.jcr.UnsupportedRepositoryOperationException - if editing access control policies by principal is not supported.

javax.jcr.RepositoryException - if another error occurs.

See Also:

JackrabbitAccessControlManager.getApplicablePolicies(Principal)

getPolicies

public JackrabbitAccessControlPolicy[] getPolicies(Principal principal)
                                            throws javax.jcr.AccessDeniedException,
                                                   javax.jcr.security.AccessControlException,
                                                   javax.jcr.UnsupportedRepositoryOperationException,
                                                   javax.jcr.RepositoryException

Description copied from interface: JackrabbitAccessControlManager

Returns the AccessControlPolicy objects that have been set for the given principal or an empty array if no policy has been set. This method reflects the binding state, including transient policy modifications.

Specified by:

getPolicies in interface JackrabbitAccessControlManager

Overrides:

getPolicies in class AbstractAccessControlManager

Parameters:

principal - A valid principal.

Returns:

The policies defined for the given principal or an empty array.

Throws:

javax.jcr.AccessDeniedException - if the session lacks READ_ACCESS_CONTROL privilege.

javax.jcr.security.AccessControlException - if the specified principal does not exist or if another access control related exception occurs.

javax.jcr.UnsupportedRepositoryOperationException - if editing access control policies by principal is not supported.

javax.jcr.RepositoryException - If another error occurs.

See Also:

JackrabbitAccessControlManager.getPolicies(Principal)

getEffectivePolicies

public javax.jcr.security.AccessControlPolicy[] getEffectivePolicies(Set<Principal> principals)
                                                              throws javax.jcr.AccessDeniedException,
                                                                     javax.jcr.security.AccessControlException,
                                                                     javax.jcr.UnsupportedRepositoryOperationException,
                                                                     javax.jcr.RepositoryException

Description copied from interface: JackrabbitAccessControlManager

Returns the AccessControlPolicy objects that are in effect for the given Principals. This may be policies set through this API or some implementation specific (default) policies.

Specified by:

getEffectivePolicies in interface JackrabbitAccessControlManager

Parameters:

principals - A set of valid principals.

Returns:

The policies defined for the given principal or an empty array.

Throws:

javax.jcr.AccessDeniedException - if the session lacks READ_ACCESS_CONTROL privilege.

javax.jcr.security.AccessControlException - if the specified principal does not exist or if another access control related exception occurs.

javax.jcr.UnsupportedRepositoryOperationException - if editing access control policies by principal is not supported.

javax.jcr.RepositoryException - If another error occurs.

See Also:

JackrabbitAccessControlManager.getEffectivePolicies(Set)

hasPrivileges

public boolean hasPrivileges(String absPath,
                    Set<Principal> principals,
                    javax.jcr.security.Privilege[] privileges)
                      throws javax.jcr.PathNotFoundException,
                             javax.jcr.RepositoryException

Description copied from interface: JackrabbitAccessControlManager

Returns whether the given set of Principals has the specified privileges for absolute path absPath, which must be an existing node.

Testing an aggregate privilege is equivalent to testing each non aggregate privilege among the set returned by calling Privilege.getAggregatePrivileges() for that privilege.

The results reported by the this method reflect the net effect of the currently applied control mechanisms. It does not reflect unsaved access control policies or unsaved access control entries. Changes to access control status caused by these mechanisms only take effect on Session.save() and are only then reflected in the results of the privilege test methods.

Since this method allows to view the privileges of principals other than included in the editing session, this method must throw AccessDeniedException if the session lacks READ_ACCESS_CONTROL privilege for the absPath node.

Specified by:

hasPrivileges in interface JackrabbitAccessControlManager

Parameters:

absPath - an absolute path.

principals - a set of Principals for which is the given privileges are tested.

privileges - an array of Privileges.

Returns:

true if the session has the specified privileges; false otherwise.

Throws:

javax.jcr.PathNotFoundException - if no node at absPath exists or the session does not have sufficient access to retrieve a node at that location.

javax.jcr.AccessDeniedException - if the session lacks READ_ACCESS_CONTROL privilege for the absPath node.

javax.jcr.RepositoryException - if another error occurs.

See Also:

JackrabbitAccessControlManager.hasPrivileges(String, Set, Privilege[])

getPrivileges

public javax.jcr.security.Privilege[] getPrivileges(String absPath,
                                           Set<Principal> principals)
                                             throws javax.jcr.PathNotFoundException,
                                                    javax.jcr.RepositoryException

Description copied from interface: JackrabbitAccessControlManager

Returns the privileges the given set of Principals has for absolute path absPath, which must be an existing node.

The returned privileges are those for which JackrabbitAccessControlManager.hasPrivileges(java.lang.String, java.util.Set<java.security.Principal>, javax.jcr.security.Privilege[]) would return true.

The results reported by the this method reflect the net effect of the currently applied control mechanisms. It does not reflect unsaved access control policies or unsaved access control entries. Changes to access control status caused by these mechanisms only take effect on Session.save() and are only then reflected in the results of the privilege test methods.

Since this method allows to view the privileges of principals other than included in the editing session, this method must throw AccessDeniedException if the session lacks READ_ACCESS_CONTROL privilege for the absPath node.

Note that this method does not resolve any group membership, as this is the job of the user manager. nor does it augment the set with the "everyone" principal.

Specified by:

getPrivileges in interface JackrabbitAccessControlManager

Parameters:

absPath - an absolute path.

principals - a set of Principals for which is the privileges are retrieved.

Returns:

an array of Privileges.

Throws:

javax.jcr.PathNotFoundException - if no node at absPath exists or the session does not have sufficient access to retrieve a node at that location.

javax.jcr.AccessDeniedException - if the session lacks READ_ACCESS_CONTROL privilege for the absPath node.

javax.jcr.RepositoryException - if another error occurs.

See Also:

JackrabbitAccessControlManager.getPrivileges(String, Set)

checkInitialized

protected void checkInitialized()

Description copied from class: AbstractAccessControlManager

Check if this manager has been properly initialized.

Specified by:

checkInitialized in class AbstractAccessControlManager

See Also:

AbstractAccessControlManager.checkInitialized()

checkValidNodePath

protected void checkValidNodePath(String absPath)
                           throws javax.jcr.PathNotFoundException,
                                  javax.jcr.RepositoryException

Description copied from class: AbstractAccessControlManager

Tests if the given absPath is absolute and points to an existing node.

Specified by:

checkValidNodePath in class AbstractAccessControlManager

Parameters:

absPath - Path to an existing node.

Throws:

javax.jcr.PathNotFoundException - if no node at absPath exists or the session does not have privilege to retrieve the node.

javax.jcr.RepositoryException - If the given absPath is not absolute or if some other error occurs.

See Also:

AbstractAccessControlManager.checkValidNodePath(String)

checkPermission

protected void checkPermission(String absPath,
                   int permission)
                        throws javax.jcr.AccessDeniedException,
                               javax.jcr.RepositoryException

Description copied from class: AbstractAccessControlManager

Check if the specified privileges are granted at absPath.

Specified by:

checkPermission in class AbstractAccessControlManager

Parameters:

absPath - Path to an existing node.

permission - Permissions to be checked.

Throws:

javax.jcr.AccessDeniedException - if the session does not have the specified privileges.

javax.jcr.PathNotFoundException - if no node exists at absPath of if the session does not have the permission to READ it.

javax.jcr.RepositoryException - If another error occurs.

See Also:

AbstractAccessControlManager.checkPermission(String,int)

getPrivilegeManager

protected PrivilegeManager getPrivilegeManager()
                                        throws javax.jcr.RepositoryException

Specified by:

getPrivilegeManager in class AbstractAccessControlManager

Returns:

the privilege manager

Throws:

javax.jcr.RepositoryException - If another error occurs.

See Also:

AbstractAccessControlManager.getPrivilegeManager()