org.apache.jackrabbit.core.security.user

Class UserAccessControlProvider

java.lang.Object

org.apache.jackrabbit.core.security.authorization.AbstractAccessControlProvider

org.apache.jackrabbit.core.security.user.UserAccessControlProvider

All Implemented Interfaces:

AccessControlConstants, AccessControlProvider, AccessControlUtils

public class UserAccessControlProvider
extends AbstractAccessControlProvider

Implementation of the AccessControlProvider interface that is used to protected the 'security workspace' containing the user and group data. It applies special care to make sure that modifying user data (e.g. password), group membership and impersonation is properly controlled.

This provider creates upon initialization the following 2 groups:

• User administrator
• Group administrator

The default access control policy defined by this provider has the following characteristics:

• All authenticated users have READ permission to all items. If {link #PARAM_ANONYMOUS_ACCESS} is configured to be true this also applies to the anonymous user.
• every known user is allowed to modify it's own properties except for her/his group membership,
• members of the 'User administrator' group are allowed to create, modify and remove users,
• members of the 'Group administrator' group are allowed to create, modify and remove groups,
• group membership can only be edited by members of the 'Group administrator' and the 'User administrator' group.

Field Summary

Fields

Modifier and Type	Field and Description
static String	AUTHORIZABLES_PATH
static String	GROUP_ADMIN_GROUP_NAME Configuration key and default value for the the name of the 'GroupAdmin' group-principal
static String	GROUPS_PATH
static Name	MIX_REP_IMPERSONATABLE
static Name	N_MEMBERS
static NameFactory	NF
static Name	NT_REP_AUTHORIZABLE
static Name	NT_REP_AUTHORIZABLE_FOLDER
static Name	NT_REP_GROUP
static Name	NT_REP_MEMBERS
static Name	NT_REP_USER
static Name	P_DISABLED
static Name	P_GROUPS Deprecated. As of 2.0 group membership is stored with the group node.
static Name	P_IMPERSONATORS Name of the user property containing the principal names of those allowed to impersonate.
static Name	P_MEMBERS
static Name	P_PASSWORD
static Name	P_PRINCIPAL_NAME
static Name	P_USERID Deprecated. As of 2.0 the id-hash is stored with the jcr:uuid making the rep:userId property redundant. It has been removed from the node type definition.
static String	PARAM_ANONYMOUS_ACCESS Constant for the name of the configuration option "anonymousAccess".
static String	PARAM_ANONYMOUS_ID Constant for the name of the configuration option "anonymousId".
static String	SECURITY_ROOT_PATH root-path to security related content e.g.
static String	USER_ADMIN_GROUP_NAME Configuration key and default value for the the name of the 'UserAdmin' group-principal.
static String	USERS_PATH

Fields inherited from class org.apache.jackrabbit.core.security.authorization.AbstractAccessControlProvider

observationMgr, PARAM_OMIT_DEFAULT_PERMISSIONS, privilegeManager, session

Fields inherited from interface org.apache.jackrabbit.core.security.authorization.AccessControlConstants

N_ACCESSCONTROL, N_POLICY, N_REPO_POLICY, NT_REP_ACCESS_CONTROL, NT_REP_ACCESS_CONTROLLABLE, NT_REP_ACE, NT_REP_ACL, NT_REP_DENY_ACE, NT_REP_GRANT_ACE, NT_REP_PRINCIPAL_ACCESS_CONTROL, NT_REP_REPO_ACCESS_CONTROLLABLE, P_GLOB, P_PRINCIPAL_NAME, P_PRIVILEGES

Constructor Summary

Constructors

Constructor and Description
UserAccessControlProvider()

Method Summary

Modifier and Type	Method and Description
boolean	canAccessRoot(Set<Principal> principals) Returns true if the given set of principals can access the root node of the workspace this provider has been built for; false otherwise.
CompiledPermissions	compilePermissions(Set<Principal> principals) Compiles the effective policy for the specified set of Principals.
AccessControlEditor	getEditor(Session session) Always returns null.
AccessControlPolicy[]	getEffectivePolicies(Path absPath, CompiledPermissions permissions) Returns the effective policies for the node at the given absPath.
AccessControlPolicy[]	getEffectivePolicies(Set<Principal> principals, CompiledPermissions permission) Returns the effective policies for the given principals.
void	init(Session systemSession, Map configuration) Tests if the given systemSession is a SessionImpl and retrieves the observation manager.
boolean	isAcItem(ItemImpl item) Always returns false, since this ac provider does not use content stored in items to evaluate AC information.
boolean	isAcItem(Path absPath) Always returns false, since this ac provider does not use content stored in items to evaluate AC information.

Methods inherited from class org.apache.jackrabbit.core.security.authorization.AbstractAccessControlProvider

checkInitialized, close, getAdminPermissions, getPrivilegeManagerImpl, getReadOnlyPermissions, isAdminOrSystem, isLive, isReadOnly

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

PARAM_ANONYMOUS_ID

public static final String PARAM_ANONYMOUS_ID

Constant for the name of the configuration option "anonymousId". The option is a flag indicating the name of the anonymous user id.

See Also:

Constant Field Values

PARAM_ANONYMOUS_ACCESS

public static final String PARAM_ANONYMOUS_ACCESS

Constant for the name of the configuration option "anonymousAccess".

See Also:

Constant Field Values

NF

public static final NameFactory NF

SECURITY_ROOT_PATH

public static final String SECURITY_ROOT_PATH

root-path to security related content e.g. principals

See Also:

Constant Field Values

AUTHORIZABLES_PATH

public static final String AUTHORIZABLES_PATH

See Also:

Constant Field Values

USERS_PATH

public static final String USERS_PATH

See Also:

Constant Field Values

GROUPS_PATH

public static final String GROUPS_PATH

See Also:

Constant Field Values

USER_ADMIN_GROUP_NAME

public static final String USER_ADMIN_GROUP_NAME

Configuration key and default value for the the name of the 'UserAdmin' group-principal.

See Also:

Constant Field Values

GROUP_ADMIN_GROUP_NAME

public static final String GROUP_ADMIN_GROUP_NAME

Configuration key and default value for the the name of the 'GroupAdmin' group-principal

See Also:

Constant Field Values

P_PRINCIPAL_NAME

public static final Name P_PRINCIPAL_NAME

P_USERID

public static final Name P_USERID

Deprecated. As of 2.0 the id-hash is stored with the jcr:uuid making the rep:userId property redundant. It has been removed from the node type definition.

P_PASSWORD

public static final Name P_PASSWORD

P_DISABLED

public static final Name P_DISABLED

P_GROUPS

public static final Name P_GROUPS

Deprecated. As of 2.0 group membership is stored with the group node.

See Also:

P_MEMBERS

P_MEMBERS

public static final Name P_MEMBERS

N_MEMBERS

public static final Name N_MEMBERS

P_IMPERSONATORS

public static final Name P_IMPERSONATORS

Name of the user property containing the principal names of those allowed to impersonate.

NT_REP_AUTHORIZABLE

public static final Name NT_REP_AUTHORIZABLE

NT_REP_AUTHORIZABLE_FOLDER

public static final Name NT_REP_AUTHORIZABLE_FOLDER

NT_REP_USER

public static final Name NT_REP_USER

NT_REP_GROUP

public static final Name NT_REP_GROUP

NT_REP_MEMBERS

public static final Name NT_REP_MEMBERS

MIX_REP_IMPERSONATABLE

public static final Name MIX_REP_IMPERSONATABLE

Constructor Detail

UserAccessControlProvider

public UserAccessControlProvider()

Method Detail

isAcItem

public boolean isAcItem(Path absPath)
                 throws RepositoryException

Always returns false, since this ac provider does not use content stored in items to evaluate AC information.

Specified by:

isAcItem in interface AccessControlUtils

Overrides:

isAcItem in class AbstractAccessControlProvider

Parameters:

absPath - Path to an item.

Returns:

true if the item at the specified absPath contains access control information.

Throws:

RepositoryException - If an error occurs.

See Also:

AccessControlUtils.isAcItem(Path)

isAcItem

public boolean isAcItem(ItemImpl item)
                 throws RepositoryException

Always returns false, since this ac provider does not use content stored in items to evaluate AC information.

Specified by:

isAcItem in interface AccessControlUtils

Overrides:

isAcItem in class AbstractAccessControlProvider

Parameters:

item - An item.

Returns:

true if the item at the specified item defines access control related information is should therefore be considered protected.

Throws:

RepositoryException - If an error occurs.

See Also:

AccessControlUtils.isAcItem(ItemImpl)

init

public void init(Session systemSession,
                 Map configuration)
          throws RepositoryException

Description copied from class: AbstractAccessControlProvider

Tests if the given systemSession is a SessionImpl and retrieves the observation manager. The it sets the internal 'initialized' field to true.

Specified by:

init in interface AccessControlProvider

Overrides:

init in class AbstractAccessControlProvider

Parameters:

systemSession - System session.

configuration - Configuration used to initialize this provider.

Throws:

RepositoryException - If the specified session is not a SessionImpl or if retrieving the observation manager fails.

See Also:

AccessControlProvider.init(Session, Map)

getEffectivePolicies

public AccessControlPolicy[] getEffectivePolicies(Path absPath,
                                                  CompiledPermissions permissions)
                                           throws ItemNotFoundException,
                                                  RepositoryException

Description copied from interface: AccessControlProvider

Returns the effective policies for the node at the given absPath.

Specified by:

getEffectivePolicies in interface AccessControlProvider

Parameters:

absPath - an absolute path.

permissions - The effective permissions of the editing sessions that attempts to view the effective policies.

Returns:

The effective policies that apply at absPath or an empty array if the implementation cannot determine the effective policy at the given path.

Throws:

ItemNotFoundException - If no Node with the specified absPath exists.

RepositoryException - If another error occurs.

See Also:

AccessControlProvider.getEffectivePolicies(org.apache.jackrabbit.spi.Path,org.apache.jackrabbit.core.security.authorization.CompiledPermissions)

getEffectivePolicies

public AccessControlPolicy[] getEffectivePolicies(Set<Principal> principals,
                                                  CompiledPermissions permission)
                                           throws ItemNotFoundException,
                                                  RepositoryException

Description copied from interface: AccessControlProvider

Returns the effective policies for the given principals.

Specified by:

getEffectivePolicies in interface AccessControlProvider

Parameters:

principals - A set of principal.

permission - The effective permissions of the editing sessions that attempts to view the effective policies. @return The effective policies that are in effect for the given principal or an empty array.

Throws:

RepositoryException - If error occurs.

ItemNotFoundException

See Also:

AccessControlProvider.getEffectivePolicies(java.util.Set, CompiledPermissions)

getEditor

public AccessControlEditor getEditor(Session session)

Always returns null.

Specified by:

getEditor in interface AccessControlProvider

Parameters:

session - The editing session.

Returns:

the ACL editor or null.

See Also:

AccessControlProvider.getEditor(Session)

compilePermissions

public CompiledPermissions compilePermissions(Set<Principal> principals)
                                       throws RepositoryException

Description copied from interface: AccessControlProvider

Compiles the effective policy for the specified set of Principals.

Specified by:

compilePermissions in interface AccessControlProvider

Parameters:

principals - Set of principals to compile the permissions for. If the order of evaluating permissions for principals is meaningful, the caller should pass a Set that respects the order of insertion.

Returns:

The effective, compiled CompiledPolicy that applies for the specified set of principals.

Throws:

RepositoryException - If an error occurs.

See Also:

AccessControlProvider.compilePermissions(Set)

canAccessRoot

public boolean canAccessRoot(Set<Principal> principals)
                      throws RepositoryException

Description copied from interface: AccessControlProvider

Returns true if the given set of principals can access the root node of the workspace this provider has been built for; false otherwise.

Specified by:

canAccessRoot in interface AccessControlProvider

Parameters:

principals - Set of principals to be tested for being allowed to access the root node.

Returns:

true if the given set of principals can access the root node of the workspace this provider has been built for; false otherwise.

Throws:

RepositoryException - If an error occurs.

See Also:

AccessControlProvider.canAccessRoot(Set)