public class UserAccessControlProvider extends AbstractAccessControlProvider
AccessControlProvider
interface that
is used to protected the 'security workspace' containing the user and
group data. It applies special care to make sure that modifying user data
(e.g. password), group membership and impersonation is properly controlled.
This provider creates upon initialization the following 2 groups:
true
this also applies to the anonymous user.Modifier and Type | Field and Description |
---|---|
static String |
AUTHORIZABLES_PATH |
static String |
GROUP_ADMIN_GROUP_NAME
Configuration key and default value for the the name of the
'GroupAdmin' group-principal
|
static String |
GROUPS_PATH |
static Name |
MIX_REP_IMPERSONATABLE |
static Name |
N_MEMBERS |
static NameFactory |
NF |
static Name |
NT_REP_AUTHORIZABLE |
static Name |
NT_REP_AUTHORIZABLE_FOLDER |
static Name |
NT_REP_GROUP |
static Name |
NT_REP_MEMBERS |
static Name |
NT_REP_USER |
static Name |
P_DISABLED |
static Name |
P_GROUPS
Deprecated.
As of 2.0 group membership is stored with the group node.
|
static Name |
P_IMPERSONATORS
Name of the user property containing the principal names of those allowed
to impersonate.
|
static Name |
P_MEMBERS |
static Name |
P_PASSWORD |
static Name |
P_PRINCIPAL_NAME |
static Name |
P_USERID
Deprecated.
As of 2.0 the id-hash is stored with the jcr:uuid making the
rep:userId property redundant. It has been removed from the node type
definition.
|
static String |
PARAM_ANONYMOUS_ACCESS
Constant for the name of the configuration option "anonymousAccess".
|
static String |
PARAM_ANONYMOUS_ID
Constant for the name of the configuration option "anonymousId".
|
static String |
SECURITY_ROOT_PATH
root-path to security related content e.g.
|
static String |
USER_ADMIN_GROUP_NAME
Configuration key and default value for the the name of the
'UserAdmin' group-principal.
|
static String |
USERS_PATH |
observationMgr, PARAM_OMIT_DEFAULT_PERMISSIONS, privilegeManager, session
N_ACCESSCONTROL, N_POLICY, N_REPO_POLICY, NT_REP_ACCESS_CONTROL, NT_REP_ACCESS_CONTROLLABLE, NT_REP_ACE, NT_REP_ACL, NT_REP_DENY_ACE, NT_REP_GRANT_ACE, NT_REP_PRINCIPAL_ACCESS_CONTROL, NT_REP_REPO_ACCESS_CONTROLLABLE, P_GLOB, P_PRINCIPAL_NAME, P_PRIVILEGES
Constructor and Description |
---|
UserAccessControlProvider() |
Modifier and Type | Method and Description |
---|---|
boolean |
canAccessRoot(Set<Principal> principals)
Returns
true if the given set of principals can access the
root node of the workspace this provider has been built for;
false otherwise. |
CompiledPermissions |
compilePermissions(Set<Principal> principals)
Compiles the effective policy for the specified set of
Principal s. |
AccessControlEditor |
getEditor(Session session)
Always returns
null . |
AccessControlPolicy[] |
getEffectivePolicies(Path absPath,
CompiledPermissions permissions)
Returns the effective policies for the node at the given absPath.
|
AccessControlPolicy[] |
getEffectivePolicies(Set<Principal> principals,
CompiledPermissions permission)
Returns the effective policies for the given principals.
|
void |
init(Session systemSession,
Map configuration)
Tests if the given
systemSession is a SessionImpl and
retrieves the observation manager. |
boolean |
isAcItem(ItemImpl item)
Always returns false, since this ac provider does not use content stored
in items to evaluate AC information.
|
boolean |
isAcItem(Path absPath)
Always returns false, since this ac provider does not use content stored
in items to evaluate AC information.
|
checkInitialized, close, getAdminPermissions, getPrivilegeManagerImpl, getReadOnlyPermissions, isAdminOrSystem, isLive, isReadOnly
public static final String PARAM_ANONYMOUS_ID
public static final String PARAM_ANONYMOUS_ACCESS
public static final NameFactory NF
public static final String SECURITY_ROOT_PATH
public static final String AUTHORIZABLES_PATH
public static final String USERS_PATH
public static final String GROUPS_PATH
public static final String USER_ADMIN_GROUP_NAME
public static final String GROUP_ADMIN_GROUP_NAME
public static final Name P_PRINCIPAL_NAME
public static final Name P_USERID
public static final Name P_PASSWORD
public static final Name P_DISABLED
public static final Name P_GROUPS
P_MEMBERS
public static final Name P_MEMBERS
public static final Name N_MEMBERS
public static final Name P_IMPERSONATORS
public static final Name NT_REP_AUTHORIZABLE
public static final Name NT_REP_AUTHORIZABLE_FOLDER
public static final Name NT_REP_USER
public static final Name NT_REP_GROUP
public static final Name NT_REP_MEMBERS
public static final Name MIX_REP_IMPERSONATABLE
public boolean isAcItem(Path absPath) throws RepositoryException
isAcItem
in interface AccessControlUtils
isAcItem
in class AbstractAccessControlProvider
absPath
- Path to an item.absPath
contains
access control information.RepositoryException
- If an error occurs.AccessControlUtils.isAcItem(Path)
public boolean isAcItem(ItemImpl item) throws RepositoryException
isAcItem
in interface AccessControlUtils
isAcItem
in class AbstractAccessControlProvider
item
- An item.item
defines
access control related information is should therefore be considered
protected.RepositoryException
- If an error occurs.AccessControlUtils.isAcItem(ItemImpl)
public void init(Session systemSession, Map configuration) throws RepositoryException
AbstractAccessControlProvider
systemSession
is a SessionImpl and
retrieves the observation manager. The it sets the internal 'initialized'
field to true.init
in interface AccessControlProvider
init
in class AbstractAccessControlProvider
systemSession
- System session.configuration
- Configuration used to initialize this provider.RepositoryException
- If the specified session is not a
SessionImpl
or if retrieving the observation manager fails.AccessControlProvider.init(Session, Map)
public AccessControlPolicy[] getEffectivePolicies(Path absPath, CompiledPermissions permissions) throws ItemNotFoundException, RepositoryException
AccessControlProvider
getEffectivePolicies
in interface AccessControlProvider
absPath
- an absolute path.permissions
- The effective permissions of the editing
sessions that attempts to view the effective policies.absPath
or
an empty array if the implementation cannot determine the effective
policy at the given path.ItemNotFoundException
- If no Node with the specified
absPath
exists.RepositoryException
- If another error occurs.AccessControlProvider.getEffectivePolicies(org.apache.jackrabbit.spi.Path,org.apache.jackrabbit.core.security.authorization.CompiledPermissions)
public AccessControlPolicy[] getEffectivePolicies(Set<Principal> principals, CompiledPermissions permission) throws ItemNotFoundException, RepositoryException
AccessControlProvider
getEffectivePolicies
in interface AccessControlProvider
principals
- A set of principal.permission
- The effective permissions of the editing
sessions that attempts to view the effective policies. @return The effective policies that are in effect for the given
principal
or an empty array.RepositoryException
- If error occurs.ItemNotFoundException
AccessControlProvider.getEffectivePolicies(java.util.Set, CompiledPermissions)
public AccessControlEditor getEditor(Session session)
null
.getEditor
in interface AccessControlProvider
session
- The editing session.null
.AccessControlProvider.getEditor(Session)
public CompiledPermissions compilePermissions(Set<Principal> principals) throws RepositoryException
AccessControlProvider
Principal
s.compilePermissions
in interface AccessControlProvider
principals
- Set of principals to compile the permissions for. If
the order of evaluating permissions for principals is meaningful, the
caller should pass a Set that respects the order of insertion.RepositoryException
- If an error occurs.AccessControlProvider.compilePermissions(Set)
public boolean canAccessRoot(Set<Principal> principals) throws RepositoryException
AccessControlProvider
true
if the given set of principals can access the
root node of the workspace this provider has been built for;
false
otherwise.canAccessRoot
in interface AccessControlProvider
principals
- Set of principals to be tested for being allowed to
access the root node.true
if the given set of principals can access the
root node of the workspace this provider has been built for;
false
otherwise.RepositoryException
- If an error occurs.AccessControlProvider.canAccessRoot(Set)
Copyright © 2004–2021 The Apache Software Foundation. All rights reserved.