public class DefaultAccessManager extends AbstractAccessControlManager implements AccessManager
DefaultAccessManager
controls access by evaluating access
control policies for the Subject
attached to the
Session
this manager has been built for.
Please note the following exceptional situations:
This manager allows all privileges for a particular item if
It allows to access all available workspaces if
WorkspaceAccessManager
is defined.
How access control policies are matched to a particular item is defined by
the AccessControlProvider
set to this AccessManager.
AccessManager
,
AccessControlManager
READ, REMOVE, WRITE
Constructor and Description |
---|
DefaultAccessManager() |
Modifier and Type | Method and Description |
---|---|
boolean |
canAccess(String workspaceName)
Determines whether the subject of the current context is granted access
to the given workspace.
|
boolean |
canRead(Path itemPath,
ItemId itemId)
Determines whether the item with the specified
itemPath
or itemId can be read. |
protected void |
checkInitialized()
Check if this manager has been properly initialized.
|
void |
checkPermission(ItemId id,
int permissions)
Determines whether the specified
permissions are granted
on the item with the specified id (i.e. |
void |
checkPermission(Path absPath,
int permissions)
Determines whether the specified
permissions are granted
on the item with the specified id (i.e. |
protected void |
checkPermission(String absPath,
int permission)
Check if the specified privileges are granted at
absPath . |
void |
checkRepositoryPermission(int permissions)
Determines whether the specified
permissions are granted
on the repository level. |
protected void |
checkValidNodePath(String absPath)
Tests if the given
absPath is absolute and points to an existing node. |
void |
close()
Close this access manager.
|
JackrabbitAccessControlPolicy[] |
getApplicablePolicies(Principal principal)
Returns the applicable policies for the specified
principal
or an empty array if no additional policies can be applied. |
AccessControlPolicyIterator |
getApplicablePolicies(String absPath)
Returns an empty iterator.
|
AccessControlPolicy[] |
getEffectivePolicies(Set<Principal> principals)
Returns the
AccessControlPolicy objects that are in effect
for the given Principal s. |
AccessControlPolicy[] |
getEffectivePolicies(String absPath) |
JackrabbitAccessControlPolicy[] |
getPolicies(Principal principal)
Returns the
AccessControlPolicy objects that have been set
for the given principal or an empty array if no policy has
been set. |
AccessControlPolicy[] |
getPolicies(String absPath)
Returns
null . |
protected PrivilegeManager |
getPrivilegeManager() |
Privilege[] |
getPrivileges(String absPath) |
Privilege[] |
getPrivileges(String absPath,
Set<Principal> principals)
Returns the privileges the given set of
Principal s has for
absolute path absPath , which must be an existing node. |
boolean |
hasPrivileges(String absPath,
Privilege[] privileges) |
boolean |
hasPrivileges(String absPath,
Set<Principal> principals,
Privilege[] privileges)
Returns whether the given set of
Principal s has the specified
privileges for absolute path absPath , which must be an
existing node. |
void |
init(AMContext amContext)
Initialize this access manager.
|
void |
init(AMContext amContext,
AccessControlProvider acProvider,
WorkspaceAccessManager wspAccessManager)
Initialize this access manager.
|
boolean |
isGranted(ItemId id,
int actions)
Determines whether the specified
permissions are granted
on the item with the specified id (i.e. |
boolean |
isGranted(Path absPath,
int permissions)
Determines whether the specified
permissions are granted
on the item with the specified absPath (i.e. |
boolean |
isGranted(Path parentPath,
Name childName,
int permissions)
Determines whether the specified
permissions are granted
on an item represented by the combination of the given
parentPath and childName (i.e. |
void |
removePolicy(String absPath,
AccessControlPolicy policy)
Always throws
AccessControlException |
void |
setPolicy(String absPath,
AccessControlPolicy policy)
Always throws
AccessControlException |
getSupportedPrivileges, privilegeFromName
public void init(AMContext amContext) throws AccessDeniedException, Exception
AccessManager
AccessDeniedException
will
be thrown if the subject of the given context
is not
granted access to the specified workspace.init
in interface AccessManager
amContext
- access manager contextAccessDeniedException
- if the subject is not granted access
to the specified workspace.Exception
- if another error occursAccessManager.init(AMContext)
public void init(AMContext amContext, AccessControlProvider acProvider, WorkspaceAccessManager wspAccessManager) throws AccessDeniedException, Exception
AccessManager
AccessDeniedException
will
be thrown if the subject of the given context
is not
granted access to the specified workspace.init
in interface AccessManager
amContext
- access manager context.acProvider
- The access control provider.wspAccessManager
- The workspace access manager.AccessDeniedException
- if the subject is not granted access
to the specified workspace.Exception
- if another error occursAccessManager.init(AMContext, AccessControlProvider, WorkspaceAccessManager)
public void close() throws Exception
AccessManager
close
in interface AccessManager
Exception
- if an error occursAccessManager.close()
public void checkPermission(ItemId id, int permissions) throws AccessDeniedException, ItemNotFoundException, RepositoryException
AccessManager
permissions
are granted
on the item with the specified id
(i.e. the target item).checkPermission
in interface AccessManager
id
- the id of the target itempermissions
- A combination of one or more of the following constants
encoded as a bitmask value:
READ
WRITE
REMOVE
AccessDeniedException
- if permission is deniedItemNotFoundException
- if the target item does not existRepositoryException
- it an error occursAccessManager.checkPermission(ItemId, int)
public void checkPermission(Path absPath, int permissions) throws AccessDeniedException, RepositoryException
AccessManager
permissions
are granted
on the item with the specified id
(i.e. the target item).checkPermission
in interface AccessManager
absPath
- Path to an item.permissions
- A combination of one or more of the
Permission
constants encoded as a bitmask value.AccessDeniedException
- if permission is deniedRepositoryException
- it another error occursAccessManager.checkPermission(Path, int)
public void checkRepositoryPermission(int permissions) throws AccessDeniedException, RepositoryException
AccessManager
permissions
are granted
on the repository level.checkRepositoryPermission
in interface AccessManager
permissions
- The permissions to check.AccessDeniedException
- if permissions are denied.RepositoryException
- if another error occurs.AccessManager.checkRepositoryPermission(int)
public boolean isGranted(ItemId id, int actions) throws ItemNotFoundException, RepositoryException
AccessManager
permissions
are granted
on the item with the specified id
(i.e. the target item).isGranted
in interface AccessManager
id
- the id of the target itemactions
- A combination of one or more of the following constants
encoded as a bitmask value:
READ
WRITE
REMOVE
true
if permission is granted; otherwise false
ItemNotFoundException
- if the target item does not existRepositoryException
- if another error occursAccessManager.isGranted(ItemId, int)
public boolean isGranted(Path absPath, int permissions) throws RepositoryException
AccessManager
permissions
are granted
on the item with the specified absPath
(i.e. the target
item, that may or may not yet exist).isGranted
in interface AccessManager
absPath
- the absolute path to testpermissions
- A combination of one or more of the
Permission
constants encoded as a bitmask value.true
if the specified permissions are granted;
otherwise false
.RepositoryException
- if an error occurs.AccessManager.isGranted(Path, int)
public boolean isGranted(Path parentPath, Name childName, int permissions) throws RepositoryException
AccessManager
permissions
are granted
on an item represented by the combination of the given
parentPath
and childName
(i.e. the target
item, that may or may not yet exist).isGranted
in interface AccessManager
parentPath
- Path to an existing parent node.childName
- Name of the child item that may or may not exist yet.permissions
- A combination of one or more of the
Permission
constants encoded as a bitmask value.true
if the specified permissions are granted;
otherwise false
.RepositoryException
- if an error occurs.AccessManager.isGranted(Path, Name, int)
public boolean canRead(Path itemPath, ItemId itemId) throws RepositoryException
AccessManager
itemPath
or itemId
can be read. Either of the two parameters
may be null
.AccessManager.isGranted(Path, int)
should be used instead.
If this method is called with both Path and ItemId it is left to the evaluation, which parameter is used.
canRead
in interface AccessManager
itemPath
- The path to the item or null
if itemId
should be used to determine the READ permission.itemId
- Id of the item to be tested or null
if the
itemPath should be used to determine the permission.true
if the item can be read; otherwise false
.RepositoryException
- if the item is NEW and only an itemId is
specified or if another error occurs.AccessManager.canRead(org.apache.jackrabbit.spi.Path,org.apache.jackrabbit.core.id.ItemId)
public boolean canAccess(String workspaceName) throws RepositoryException
AccessManager
false
, if no such workspace
exists.canAccess
in interface AccessManager
workspaceName
- name of workspacetrue
if the subject of the current context is
granted access to the given workspace; otherwise false
.RepositoryException
- if an error occurs.AccessManager.canAccess(String)
public boolean hasPrivileges(String absPath, Privilege[] privileges) throws PathNotFoundException, RepositoryException
hasPrivileges
in interface AccessControlManager
PathNotFoundException
RepositoryException
AccessControlManager.hasPrivileges(String, Privilege[])
public Privilege[] getPrivileges(String absPath) throws PathNotFoundException, RepositoryException
getPrivileges
in interface AccessControlManager
PathNotFoundException
RepositoryException
AccessControlManager.getPrivileges(String)
public AccessControlPolicy[] getPolicies(String absPath) throws PathNotFoundException, AccessDeniedException, RepositoryException
AbstractAccessControlManager
null
.getPolicies
in interface AccessControlManager
getPolicies
in class AbstractAccessControlManager
absPath
- Path to an existing node.null
.PathNotFoundException
AccessDeniedException
RepositoryException
AccessControlManager.getPolicies(String)
public AccessControlPolicy[] getEffectivePolicies(String absPath) throws PathNotFoundException, AccessDeniedException, RepositoryException
getEffectivePolicies
in interface AccessControlManager
PathNotFoundException
AccessDeniedException
RepositoryException
AccessControlManager.getEffectivePolicies(String)
public AccessControlPolicyIterator getApplicablePolicies(String absPath) throws PathNotFoundException, AccessDeniedException, RepositoryException
AbstractAccessControlManager
getApplicablePolicies
in interface AccessControlManager
getApplicablePolicies
in class AbstractAccessControlManager
absPath
- Path to an existing node.PathNotFoundException
AccessDeniedException
RepositoryException
AccessControlManager.getApplicablePolicies(String)
public void setPolicy(String absPath, AccessControlPolicy policy) throws PathNotFoundException, AccessControlException, AccessDeniedException, RepositoryException
AbstractAccessControlManager
AccessControlException
setPolicy
in interface AccessControlManager
setPolicy
in class AbstractAccessControlManager
PathNotFoundException
AccessControlException
AccessDeniedException
RepositoryException
AccessControlManager.setPolicy(String, AccessControlPolicy)
public void removePolicy(String absPath, AccessControlPolicy policy) throws PathNotFoundException, AccessControlException, AccessDeniedException, RepositoryException
AbstractAccessControlManager
AccessControlException
removePolicy
in interface AccessControlManager
removePolicy
in class AbstractAccessControlManager
PathNotFoundException
AccessControlException
AccessDeniedException
RepositoryException
AccessControlManager.removePolicy(String, AccessControlPolicy)
public JackrabbitAccessControlPolicy[] getApplicablePolicies(Principal principal) throws AccessDeniedException, AccessControlException, UnsupportedRepositoryOperationException, RepositoryException
JackrabbitAccessControlManager
principal
or an empty array if no additional policies can be applied.getApplicablePolicies
in interface JackrabbitAccessControlManager
getApplicablePolicies
in class AbstractAccessControlManager
principal
- A principal known to the editing session.principal
. Note
that the policy object returned must reveal the path of the node where
they can be applied later on using AccessControlManager.setPolicy(String, javax.jcr.security.AccessControlPolicy)
.AccessDeniedException
- if the session lacks
MODIFY_ACCESS_CONTROL
privilege.AccessControlException
- if the specified principal does not exist
or if another access control related exception occurs.UnsupportedRepositoryOperationException
- if editing access control
policies by principal is not supported.RepositoryException
- if another error occurs.JackrabbitAccessControlManager.getApplicablePolicies(Principal)
public JackrabbitAccessControlPolicy[] getPolicies(Principal principal) throws AccessDeniedException, AccessControlException, UnsupportedRepositoryOperationException, RepositoryException
JackrabbitAccessControlManager
AccessControlPolicy
objects that have been set
for the given principal
or an empty array if no policy has
been set. This method reflects the binding state, including transient
policy modifications.getPolicies
in interface JackrabbitAccessControlManager
getPolicies
in class AbstractAccessControlManager
principal
- A valid principal.AccessDeniedException
- if the session lacks
READ_ACCESS_CONTROL
privilege.AccessControlException
- if the specified principal does not exist
or if another access control related exception occurs.UnsupportedRepositoryOperationException
- if editing access control
policies by principal is not supported.RepositoryException
- If another error occurs.JackrabbitAccessControlManager.getPolicies(Principal)
public AccessControlPolicy[] getEffectivePolicies(Set<Principal> principals) throws AccessDeniedException, AccessControlException, UnsupportedRepositoryOperationException, RepositoryException
JackrabbitAccessControlManager
AccessControlPolicy
objects that are in effect
for the given Principal
s. This may be policies set through
this API or some implementation specific (default) policies.getEffectivePolicies
in interface JackrabbitAccessControlManager
principals
- A set of valid principals.AccessDeniedException
- if the session lacks
READ_ACCESS_CONTROL
privilege.AccessControlException
- if the specified principal does not exist
or if another access control related exception occurs.UnsupportedRepositoryOperationException
- if editing access control
policies by principal is not supported.RepositoryException
- If another error occurs.JackrabbitAccessControlManager.getEffectivePolicies(Set)
public boolean hasPrivileges(String absPath, Set<Principal> principals, Privilege[] privileges) throws PathNotFoundException, RepositoryException
JackrabbitAccessControlManager
Principal
s has the specified
privileges for absolute path absPath
, which must be an
existing node.
Testing an aggregate privilege is equivalent to testing each non
aggregate privilege among the set returned by calling
Privilege.getAggregatePrivileges()
for that privilege.
The results reported by the this method reflect the net effect of
the currently applied control mechanisms. It does not reflect unsaved
access control policies or unsaved access control entries. Changes to
access control status caused by these mechanisms only take effect on
Session.save()
and are only then reflected in the results of
the privilege test methods.
Since this method allows to view the privileges of principals other
than included in the editing session, this method must throw
AccessDeniedException
if the session lacks
READ_ACCESS_CONTROL
privilege for the absPath
node.
hasPrivileges
in interface JackrabbitAccessControlManager
absPath
- an absolute path.principals
- a set of Principal
s for which is the
given privileges are tested.privileges
- an array of Privilege
s.true
if the session has the specified privileges;
false
otherwise.PathNotFoundException
- if no node at absPath
exists
or the session does not have sufficient access to retrieve a node at that location.AccessDeniedException
- if the session lacks
READ_ACCESS_CONTROL
privilege for the absPath
node.RepositoryException
- if another error occurs.JackrabbitAccessControlManager.hasPrivileges(String, Set, Privilege[])
public Privilege[] getPrivileges(String absPath, Set<Principal> principals) throws PathNotFoundException, RepositoryException
JackrabbitAccessControlManager
Principal
s has for
absolute path absPath
, which must be an existing node.
The returned privileges are those for which JackrabbitAccessControlManager.hasPrivileges(java.lang.String, java.util.Set<java.security.Principal>, javax.jcr.security.Privilege[])
would
return true
.
The results reported by the this method reflect the net effect of
the currently applied control mechanisms. It does not reflect unsaved
access control policies or unsaved access control entries. Changes to
access control status caused by these mechanisms only take effect on
Session.save()
and are only then reflected in the results of
the privilege test methods.
Since this method allows to view the privileges of principals other
than included in the editing session, this method must throw
AccessDeniedException
if the session lacks
READ_ACCESS_CONTROL
privilege for the absPath
node.
Note that this method does not resolve any group membership, as this is the job of the user manager. nor does it augment the set with the "everyone" principal.
getPrivileges
in interface JackrabbitAccessControlManager
absPath
- an absolute path.principals
- a set of Principal
s for which is the
privileges are retrieved.Privilege
s.PathNotFoundException
- if no node at absPath
exists
or the session does not have sufficient access to retrieve a node at that
location.AccessDeniedException
- if the session lacks READ_ACCESS_CONTROL
privilege for the absPath
node.RepositoryException
- if another error occurs.JackrabbitAccessControlManager.getPrivileges(String, Set)
protected void checkInitialized()
AbstractAccessControlManager
checkInitialized
in class AbstractAccessControlManager
AbstractAccessControlManager.checkInitialized()
protected void checkValidNodePath(String absPath) throws PathNotFoundException, RepositoryException
AbstractAccessControlManager
absPath
is absolute and points to an existing node.checkValidNodePath
in class AbstractAccessControlManager
absPath
- Path to an existing node.PathNotFoundException
- if no node at absPath
exists
or the session does not have privilege to retrieve the node.RepositoryException
- If the given absPath
is not
absolute or if some other error occurs.AbstractAccessControlManager.checkValidNodePath(String)
protected void checkPermission(String absPath, int permission) throws AccessDeniedException, RepositoryException
AbstractAccessControlManager
absPath
.checkPermission
in class AbstractAccessControlManager
absPath
- Path to an existing node.permission
- Permissions to be checked.AccessDeniedException
- if the session does not have the
specified privileges.PathNotFoundException
- if no node exists at absPath
of if the session does not have the permission to READ it.RepositoryException
- If another error occurs.AbstractAccessControlManager.checkPermission(String,int)
protected PrivilegeManager getPrivilegeManager() throws RepositoryException
getPrivilegeManager
in class AbstractAccessControlManager
RepositoryException
- If another error occurs.AbstractAccessControlManager.getPrivilegeManager()
Copyright © 2004–2021 The Apache Software Foundation. All rights reserved.