public class UserManagerImpl extends ProtectedItemModifier implements UserManager, SessionListener
UserManager interface with the following characteristics:
UserConstants.USERS_PATH, UserConstants.GROUPS_PATH (unless otherwise configured).
getUsersPath() or getGroupsPath().
escaped.

+ rep:security [nt:unstructured]
  + rep:authorizables [rep:AuthorizableFolder]
    + rep:users [rep:AuthorizableFolder]
      + a [rep:AuthorizableFolder]
        + aS [rep:AuthorizableFolder]
          + aSmith [rep:User]

Creating a non-existing user with ID 'aSmith' specifying an intermediate path 'some/tree' would result in the following structure:

+ rep:security [nt:unstructured]
  + rep:authorizables [rep:AuthorizableFolder]
    + rep:users [rep:AuthorizableFolder]
      + some [rep:AuthorizableFolder]
        + tree [rep:AuthorizableFolder]
          + aSmith [rep:User]
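The two layouts above, and the NOTE under PARAM_DEFAULT_DEPTH in the field details, can be modelled in a few lines. This is an added example, not Jackrabbit code: the class and method names are hypothetical, the folder names are assumed to be the leading 1..depth characters of the ID as in the 'aSmith' tree, and escaping of the ID is left out.

```java
import java.util.ArrayList;
import java.util.List;

/** Added illustration: a model of the node layout shown on this page, not Jackrabbit's own code. */
public class AuthorizablePathDemo {

    // Root of the user tree, taken from the structure shown on this page.
    static final String USERS_ROOT = "/rep:security/rep:authorizables/rep:users";

    /**
     * Path at which a user node would be created.
     * With an intermediate path, that path is used as given. Without one,
     * 'depth' folders are derived from the leading characters of the ID
     * ('a', then 'aS' for 'aSmith' at depth 2).
     * Assumptions: an ID shorter than the current level reuses the whole ID;
     * escaping of illegal characters is not modelled.
     */
    static String userNodePath(String id, String intermediatePath, int depth) {
        if (id == null || id.isEmpty()) {
            throw new IllegalArgumentException("id must not be empty");
        }
        StringBuilder path = new StringBuilder(USERS_ROOT);
        if (intermediatePath != null && !intermediatePath.isEmpty()) {
            path.append('/').append(intermediatePath);
        } else {
            for (int level = 1; level <= depth; level++) {
                path.append('/').append(id, 0, Math.min(level, id.length()));
            }
        }
        return path.append('/').append(id).toString();
    }

    /**
     * IDs whose node, created with createdDepth, is not at the location a
     * structure-based lookup with lookupDepth would expect. This is the
     * inconsistency the PARAM_DEFAULT_DEPTH note describes.
     */
    static List<String> unreachableAfterDepthChange(List<String> ids, int createdDepth, int lookupDepth) {
        List<String> unreachable = new ArrayList<>();
        for (String id : ids) {
            String created = userNodePath(id, null, createdDepth);
            String expected = userNodePath(id, null, lookupDepth);
            if (!created.equals(expected)) {
                unreachable.add(id);
            }
        }
        return unreachable;
    }

    public static void main(String[] args) {
        // Default layout and explicit intermediate path, as in the two trees above.
        System.out.println(userNodePath("aSmith", null, 2));
        System.out.println(userNodePath("aSmith", "some/tree", 2));

        // Constructed sample IDs: created at depth 2, then looked up at depth 3.
        List<String> ids = List.of("aSmith", "bJones", "admin");
        System.out.println(unreachableAfterDepthChange(ids, 2, 3));
    }
}
```

Running the same check against an export of existing authorizable IDs before changing the depth setting gives the list of nodes that would need to be removed or migrated first.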
UserManager is able to handle the following configuration options:
- PARAM_USERS_PATH: Defines where user nodes are created. If missing set to USERS_PATH.
- PARAM_GROUPS_PATH: Defines where group nodes are created. If missing set to GROUPS_PATH.
- PARAM_COMPATIBLE_JR16: If the param is present and its value is true, looking up authorizables by ID will use the NodeResolver if not found otherwise.
- PARAM_DEFAULT_DEPTH: Parameter used to change the number of levels that are used by default to store authorizable nodes.
- PARAM_AUTO_EXPAND_TREE: If this parameter is present and its value is true, the trees containing user and group nodes will automatically create additional hierarchy levels if the number of nodes on a given level exceeds the maximal allowed size.
- PARAM_AUTO_EXPAND_SIZE: This parameter only takes effect if PARAM_AUTO_EXPAND_TREE is enabled.
- PARAM_GROUP_MEMBERSHIP_SPLIT_SIZE: If this parameter is present, group memberships are collected in a node structure below UserConstants.N_MEMBERS instead of the default multi valued property UserConstants.P_MEMBERS. Its value determines the maximum number of member properties until additional intermediate nodes are inserted. Valid parameter values are integers > 4.
- PARAM_PASSWORD_HASH_ALGORITHM: Optional parameter to configure the algorithm used for password hash generation. The default value is PasswordUtility.DEFAULT_ALGORITHM.
- PARAM_PASSWORD_HASH_ITERATIONS: Optional parameter to configure the number of iterations used for password hash generation. The default value is PasswordUtility.DEFAULT_ITERATIONS.

AuthorizableActions. Authorizable actions provide the ability to execute additional validation or tasks upon authorizable creation, removal and upon changing a user's password.
UserManagerConfig.getAuthorizableActions()
Modifier and Type | Field and Description |
---|---|
static String | AUTHORIZABLES_PATH |
static String | GROUP_ADMIN_GROUP_NAME: Configuration key and default value for the name of the 'GroupAdmin' group-principal |
static String | GROUPS_PATH |
static Name | MIX_REP_IMPERSONATABLE |
static Name | N_MEMBERS |
static NameFactory | NF |
static Name | NT_REP_AUTHORIZABLE |
static Name | NT_REP_AUTHORIZABLE_FOLDER |
static Name | NT_REP_GROUP |
static Name | NT_REP_MEMBERS |
static Name | NT_REP_USER |
static Name | P_DISABLED |
static Name | P_GROUPS: Deprecated. As of 2.0 group membership is stored with the group node. |
static Name | P_IMPERSONATORS: Name of the user property containing the principal names of those allowed to impersonate. |
static Name | P_MEMBERS |
static Name | P_PASSWORD |
static Name | P_PRINCIPAL_NAME |
static Name | P_USERID: Deprecated. As of 2.0 the id-hash is stored with the jcr:uuid making the rep:userId property redundant. It has been removed from the node type definition. |
static String | PARAM_AUTO_EXPAND_SIZE: This parameter only takes effect if PARAM_AUTO_EXPAND_TREE is enabled. The default value is 1000. |
static String | PARAM_AUTO_EXPAND_TREE: If this parameter is present and its value is true, the trees containing user and group nodes will automatically create additional hierarchy levels if the number of nodes on a given level exceeds the maximal allowed size. |
static String | PARAM_COMPATIBILE_JR16: Deprecated. Use PARAM_COMPATIBLE_JR16 instead. |
static String | PARAM_COMPATIBLE_JR16: Flag to enable a minimal backwards compatibility with Jackrabbit < v2.0. If the param is present and its value is true, looking up authorizables by ID will use the NodeResolver if not found otherwise. If the parameter is missing (or false) users and groups created with a Jackrabbit repository < v2.0 will not be found any more. By default this option is disabled. |
static String | PARAM_DEFAULT_DEPTH: Parameter used to change the number of levels that are used by default to store authorizable nodes. The default number of levels is 2. |
static String | PARAM_GROUP_MEMBERSHIP_SPLIT_SIZE: If this parameter is present group members are collected in a node structure below UserConstants.N_MEMBERS instead of the default multi valued property UserConstants.P_MEMBERS. |
static String | PARAM_GROUPS_PATH: Configuration option to change the default path for creating groups. |
static String | PARAM_PASSWORD_HASH_ALGORITHM: Configuration parameter to change the default algorithm used to generate password hashes. |
static String | PARAM_PASSWORD_HASH_ITERATIONS: Configuration parameter to change the number of iterations used for password hash generation. |
static String | PARAM_USERS_PATH: Configuration option to change the default path for creating users. |
static String | SECURITY_ROOT_PATH: root-path to security related content e.g. |
static String | USER_ADMIN_GROUP_NAME: Configuration key and default value for the name of the 'UserAdmin' group-principal. |
static String | USERS_PATH |
SEARCH_TYPE_AUTHORIZABLE, SEARCH_TYPE_GROUP, SEARCH_TYPE_USER
Constructor and Description |
---|
UserManagerImpl(SessionImpl session, String adminId): Create a new UserManager with the default configuration. |
UserManagerImpl(SessionImpl session, String adminId, Properties config): Create a new UserManager |
UserManagerImpl(SessionImpl session, String adminId, Properties config, MembershipCache mCache): Create a new UserManager for the given session. |
Modifier and Type | Method and Description |
---|---|
void | autoSave(boolean enable): Always throws UnsupportedRepositoryOperationException as modification of the autosave behavior is not supported. |
Group | createGroup(Principal principal): Same as createGroup(java.security.Principal, String) where the intermediate path is null. |
Group | createGroup(Principal principal, String intermediatePath): Same as createGroup(String, Principal, String) where a groupID is generated from the principal name. |
Group | createGroup(String groupID): Creates a Group for the given groupID, which must not be null. |
Group | createGroup(String groupID, Principal principal, String intermediatePath): Create a new Group from the given groupID and principal. |
User | createSystemUser(String userID, String intermediatePath): Create a new system user for the specified userID. |
User | createUser(String userID, String password): Creates a User for the given userID / password pair; neither of the specified parameters can be null. Same as UserManager.createUser(String,String,Principal,String) where the specified userID is equal to the principal name and the intermediate path is null. |
User | createUser(String userID, String password, Principal principal, String intermediatePath): Creates a User for the given parameters. |
protected Group | doCreateGroup(NodeImpl node): Build the group object from the given group node. |
protected User | doCreateUser(NodeImpl node): Build the user object from the given user node. |
Iterator<Authorizable> | findAuthorizables(Query query): Return Authorizables that match a specific Query. |
Iterator<Authorizable> | findAuthorizables(String relPath, String value): Returns all Authorizables that have a property with the given relative path (or name) that matches the specified value. |
Iterator<Authorizable> | findAuthorizables(String relPath, String value, int searchType): Returns all Authorizables that have a property with the given relative path (or name) that matches the specified value. |
Authorizable | getAuthorizable(Principal principal): Get the Authorizable by its Principal. |
Authorizable | getAuthorizable(String id): Get the Authorizable by its id. |
<T extends Authorizable> T | getAuthorizable(String id, Class<T> authorizableClass): Get the Authorizable of a specific type by its id. |
Authorizable | getAuthorizableByPath(String path): Always throws UnsupportedRepositoryOperationException since this implementation of the user management API does not allow to retrieve the path of an authorizable. |
String | getGroupsPath(): Implementation specific methods revealing where groups are created within the content. |
MembershipCache | getMembershipCache() |
int | getMemberSplitSize(): Maximum number of properties on the group membership node structure under UserConstants.N_MEMBERS until additional intermediate nodes are inserted. |
String | getUsersPath(): Implementation specific methods revealing where users are created within the content. |
boolean | hasMemberSplitSize(): Returns true if the split-member configuration parameter is greater than or equal to 4, indicating that group members should be stored in a tree instead of a single multivalued property. |
boolean | isAutoSave(): Always returns true as by default the autoSave behavior cannot be altered (see also autoSave(boolean)). |
void | loggedOut(SessionImpl session): Called when a Session has been 'closed' by calling Session.logout(). |
void | loggingOut(SessionImpl session): Called when a Session is about to be 'closed' by calling Session.logout(). |
void | setAuthorizableActions(AuthorizableAction[] authorizableActions): Set the authorizable actions that will be invoked upon authorizable creation and removal. |
addNode, addNode, markModified, performProtected, removeItem, setProperty, setProperty, setProperty, setProperty
public static final String PARAM_USERS_PATH
Configuration option to change the default path for creating users.
public static final String PARAM_GROUPS_PATH
Configuration option to change the default path for creating groups.
public static final String PARAM_COMPATIBILE_JR16
Deprecated. Use PARAM_COMPATIBLE_JR16 instead.
public static final String PARAM_COMPATIBLE_JR16
Flag to enable a minimal backwards compatibility with Jackrabbit < v2.0. If the param is present and its value is true, looking up authorizables by ID will use the NodeResolver if not found otherwise.
public static final String PARAM_DEFAULT_DEPTH
Parameter used to change the number of levels that are used by default to store authorizable nodes. The default number of levels is 2.
NOTE: Changing the default depth once users and groups have been created in the repository will cause inconsistencies, due to the fact that the resolution of ID to an authorizable relies on the structure defined by the default depth.
It is recommended to remove all authorizable nodes that will not be reachable any more, before this config option is changed.
PARAM_AUTO_EXPAND_TREE flag is set to true.
public static final String PARAM_AUTO_EXPAND_TREE
If this parameter is present and its value is true, the trees containing user and group nodes will automatically create additional hierarchy levels if the number of nodes on a given level exceeds the maximal allowed size.
public static final String PARAM_AUTO_EXPAND_SIZE
This parameter only takes effect if PARAM_AUTO_EXPAND_TREE is enabled.
public static final String PARAM_GROUP_MEMBERSHIP_SPLIT_SIZE
If this parameter is present group members are collected in a node structure below UserConstants.N_MEMBERS instead of the default multi valued property UserConstants.P_MEMBERS. Its value determines the maximum number of member properties until additional intermediate nodes are inserted. Valid values are integers > 4. The default value is 0 and indicates that the UserConstants.P_MEMBERS property is used to record group members.
public static final String PARAM_PASSWORD_HASH_ALGORITHM
Configuration parameter to change the default algorithm used to generate password hashes. The default value is PasswordUtility.DEFAULT_ALGORITHM.
public static final String PARAM_PASSWORD_HASH_ITERATIONS
Configuration parameter to change the number of iterations used for password hash generation. The default value is PasswordUtility.DEFAULT_ITERATIONS.
public static final NameFactory NF
public static final String SECURITY_ROOT_PATH
public static final String AUTHORIZABLES_PATH
public static final String USERS_PATH
public static final String GROUPS_PATH
public static final String USER_ADMIN_GROUP_NAME
public static final String GROUP_ADMIN_GROUP_NAME
public static final Name P_PRINCIPAL_NAME
public static final Name P_USERID
public static final Name P_PASSWORD
public static final Name P_DISABLED
public static final Name P_GROUPS
P_MEMBERS
public static final Name P_MEMBERS
public static final Name N_MEMBERS
public static final Name P_IMPERSONATORS
public static final Name NT_REP_AUTHORIZABLE
public static final Name NT_REP_AUTHORIZABLE_FOLDER
public static final Name NT_REP_USER
public static final Name NT_REP_GROUP
public static final Name NT_REP_MEMBERS
public static final Name MIX_REP_IMPERSONATABLE
public UserManagerImpl(SessionImpl session, String adminId) throws RepositoryException
Create a new UserManager with the default configuration.
session - The editing/reading session.
adminId - The user ID of the administrator.
RepositoryException - If an error occurs.
public UserManagerImpl(SessionImpl session, String adminId, Properties config) throws RepositoryException
Create a new UserManager
session - The editing/reading session.
adminId - The user ID of the administrator.
config - The configuration parameters.
RepositoryException - If an error occurs.
public UserManagerImpl(SessionImpl session, String adminId, Properties config, MembershipCache mCache) throws RepositoryException
Create a new UserManager for the given session.
Currently the following configuration options are respected:
- PARAM_USERS_PATH. If missing set to UserConstants.USERS_PATH.
- PARAM_GROUPS_PATH. If missing set to UserConstants.GROUPS_PATH.
- PARAM_DEFAULT_DEPTH. The default number of levels is 2.
- PARAM_AUTO_EXPAND_TREE. By default this option is disabled.
- PARAM_AUTO_EXPAND_SIZE. The default value is 1000.
- PARAM_GROUP_MEMBERSHIP_SPLIT_SIZE. The default is 0 which means use UserConstants.P_MEMBERS.
introduction for details.
session - The editing/reading session.
adminId - The user ID of the administrator.
config - The configuration parameters.
mCache - Shared membership cache.
RepositoryException - If an error occurs.
public String getUsersPath()
For the corresponding configuration parameter.
public String getGroupsPath()
For the corresponding configuration parameter.
public MembershipCache getMembershipCache()
public int getMemberSplitSize()
Maximum number of properties on the group membership node structure under UserConstants.N_MEMBERS until additional intermediate nodes are inserted. If 0 (default), UserConstants.P_MEMBERS is used to record group memberships.
public boolean hasMemberSplitSize()
Returns true if the split-member configuration parameter is greater than or equal to 4, indicating that group members should be stored in a tree instead of a single multivalued property.
public void setAuthorizableActions(AuthorizableAction[] authorizableActions)
authorizableActions - An array of authorizable actions.
public Authorizable getAuthorizable(String id) throws RepositoryException
UserManager
getAuthorizable in interface UserManager
id - The user or group id.
null, if not present.
RepositoryException - If an error occurs.
UserManager.getAuthorizable(String)
public <T extends Authorizable> T getAuthorizable(String id, Class<T> authorizableClass) throws AuthorizableTypeException, RepositoryException
UserManager
getAuthorizable in interface UserManager
T - the required Authorizable type.
id - the user or group id.
authorizableClass - the class of the type of Authorizable required; must not be null.
null, if not present.
AuthorizableTypeException - If an authorizable exists but is not of the requested type.
RepositoryException - If an error occurs
UserManager.getAuthorizable(String, Class)
public Authorizable getAuthorizable(Principal principal) throws RepositoryException
UserManager
getAuthorizable in interface UserManager
principal - The principal of the authorizable to retrieve.
null, if not present.
RepositoryException - If an error occurs.
UserManager.getAuthorizable(Principal)
public Authorizable getAuthorizableByPath(String path) throws UnsupportedRepositoryOperationException, RepositoryException
Always throws UnsupportedRepositoryOperationException since this implementation of the user management API does not allow to retrieve the path of an authorizable.
getAuthorizableByPath in interface UserManager
path - The path to an authorizable.
null, if not present.
UnsupportedRepositoryOperationException - If this implementation does not support retrieving authorizables by path.
RepositoryException - If another error occurs.
UserManager.getAuthorizableByPath(String)
public Iterator<Authorizable> findAuthorizables(String relPath, String value) throws RepositoryException
UserManager
Returns all Authorizables that have a property with the given relative path (or name) that matches the specified value.
If a relative path with more than one segment is specified only properties exactly matching that path will be returned. If, however, a name is specified all properties that may be retrieved using Authorizable.getProperty(String) will be searched for a match.
findAuthorizables in interface UserManager
relPath - A relative property path or name.
value - A string value to match.
Authorizables that have a property with the given name exactly matching the given value.
RepositoryException - If an error occurs.
UserManager.findAuthorizables(String,String)
public Iterator<Authorizable> findAuthorizables(String relPath, String value, int searchType) throws RepositoryException
UserManager
Returns all Authorizables that have a property with the given relative path (or name) that matches the specified value. In contrast to UserManager.findAuthorizables(String, String) the type of authorizable is respected while executing the search.
If a relative path with more than one segment is specified only properties exactly matching that path will be returned. If, however, a name is specified all properties that may be retrieved using Authorizable.getProperty(String) will be searched for a match.
findAuthorizables in interface UserManager
relPath - A relative property path or name.
value - A string value to match.
searchType - Any of the following constants:
Authorizable.
RepositoryException - If an error occurs.
UserManager.findAuthorizables(String,String, int)
public Iterator<Authorizable> findAuthorizables(Query query) throws RepositoryException
UserManager
Return Authorizables that match a specific Query.
findAuthorizables in interface UserManager
query - A query
query.
RepositoryException - If an error occurs.
UserManager.findAuthorizables(Query)
public User createUser(String userID, String password) throws RepositoryException
UserManager
Creates a User for the given userID / password pair; neither of the specified parameters can be null.
Same as UserManager.createUser(String,String,Principal,String) where the specified userID is equal to the principal name and the intermediate path is null.
createUser in interface UserManager
userID - The ID of the new user.
password - The initial password of this user.
User.
AuthorizableExistsException - in case the given userID is already in use or another Authorizable with the same principal name exists.
RepositoryException - If another error occurs.
UserManager.createUser(String,String)
public User createUser(String userID, String password, Principal principal, String intermediatePath) throws AuthorizableExistsException, RepositoryException
UserManager
intermediatePath that parameter should be ignored.
Except for the intermediatePath, neither of the specified parameters can be null.
createUser in interface UserManager
userID - The ID of the new user.
password - The initial password of the new user.
principal - The principal of the new user.
intermediatePath - An optional intermediate path used to create the new user. If the intermediate path is null an internal, implementation specific structure will be used.
User.
AuthorizableExistsException - in case the given userID is already in use or another Authorizable with the same principal name exists.
RepositoryException - If the current Session is not allowed to create users or some other error occurs.
UserManager.createUser(String, String, java.security.Principal, String)
public User createSystemUser(String userID, String intermediatePath) throws AuthorizableExistsException, RepositoryException
UserManager
Create a new system user for the specified userID. The new authorizable is required to have the following characteristics:
User.isSystemUser() returns true.
userID.
intermediatePath.
createSystemUser in interface UserManager
userID - A valid userID.
intermediatePath - An optional intermediate path to create the new system user. The implementation may decide to reject intermediate paths if they violate an implementation specific requirement with respect to the location where system users are being held. If the intermediate path is null an internal implementation specific structure will be used.
AuthorizableExistsException - if an Authorizable with this id already exists.
RepositoryException - If another error occurs.
public Group createGroup(String groupID) throws AuthorizableExistsException, RepositoryException
UserManager
Creates a Group for the given groupID, which must not be null.
UserManager.createGroup(String, Principal,String) where the specified groupID is the name of the Principal the intermediate path is null.
createGroup in interface UserManager
groupID - The ID of the new group; must not be null.
Group.
AuthorizableExistsException - in case the given groupID is already in use or another Authorizable with the same ID or principal name already exists.
RepositoryException - If another error occurs.
UserManager.createGroup(String)
public Group createGroup(Principal principal) throws RepositoryException
Same as createGroup(java.security.Principal, String) where the intermediate path is null.
createGroup in interface UserManager
principal - A non-null Principal
Group.
AuthorizableExistsException - in case the given principal is already in use with another Authorizable.
RepositoryException - If another error occurs.
UserManager.createGroup(Principal)
public Group createGroup(Principal principal, String intermediatePath) throws AuthorizableExistsException, RepositoryException
Same as createGroup(String, Principal, String) where a groupID is generated from the principal name. If the name conflicts with an existing authorizable ID (may happen in cases where principal name != ID) the principal name is expanded by a suffix; otherwise the resulting group ID equals the principal name.
createGroup in interface UserManager
principal - A principal that doesn't yet represent an existing user or group.
intermediatePath - Is always ignored.
AuthorizableExistsException
RepositoryException
UserManager.createGroup(java.security.Principal, String)
public Group createGroup(String groupID, Principal principal, String intermediatePath) throws AuthorizableExistsException, RepositoryException
Create a new Group from the given groupID and principal. It will be created below the defined group path.
rep:AuthorizableFolder.
createGroup in interface UserManager
groupID - A groupID that hasn't been used before for another user or group.
principal - A principal that doesn't yet represent an existing user or group.
intermediatePath - Is always ignored.
AuthorizableExistsException
RepositoryException
UserManager.createGroup(String, java.security.Principal, String)
public boolean isAutoSave()
Always returns true as by default the autoSave behavior cannot be altered (see also autoSave(boolean)).
isAutoSave in interface UserManager
true.
UserManager.isAutoSave()
public void autoSave(boolean enable) throws UnsupportedRepositoryOperationException, RepositoryException
Always throws UnsupportedRepositoryOperationException as modification of the autosave behavior is not supported.
autoSave in interface UserManager
enable - If true changes made through this API will be automatically saved; otherwise an explicit call to Session.save() is required in order to persist changes.
UnsupportedRepositoryOperationException - If the implementation does not allow to change the auto save behavior.
RepositoryException - If some other error occurs.
UserManager.autoSave(boolean)
protected User doCreateUser(NodeImpl node) throws RepositoryException
node - user node
RepositoryException - if an error occurs
protected Group doCreateGroup(NodeImpl node) throws RepositoryException
node - group node
RepositoryException - if an error occurs
public void loggingOut(SessionImpl session)
SessionListener
Called when a Session is about to be 'closed' by calling Session.logout(). At this moment the session is still valid.
loggingOut in interface SessionListener
session - the Session that is about to be 'closed'
SessionListener.loggingOut(org.apache.jackrabbit.core.SessionImpl)
public void loggedOut(SessionImpl session)
SessionListener
Called when a Session has been 'closed' by calling Session.logout().
loggedOut in interface SessionListener
session - the Session that has been 'closed'
SessionListener.loggedOut(org.apache.jackrabbit.core.SessionImpl)
Copyright © 2004–2022 The Apache Software Foundation. All rights reserved.