Class UserAccessControlProvider
- java.lang.Object
-
- org.apache.jackrabbit.core.security.authorization.AbstractAccessControlProvider
-
- org.apache.jackrabbit.core.security.user.UserAccessControlProvider
-
- All Implemented Interfaces:
AccessControlConstants,AccessControlProvider,AccessControlUtils
public class UserAccessControlProvider extends AbstractAccessControlProvider
Implementation of theAccessControlProviderinterface that is used to protected the 'security workspace' containing the user and group data. It applies special care to make sure that modifying user data (e.g. password), group membership and impersonation is properly controlled.This provider creates upon initialization the following 2 groups:
- User administrator
- Group administrator
- All authenticated users have READ permission to all items. If {link #PARAM_ANONYMOUS_ACCESS}
is configured to be
truethis also applies to the anonymous user. - every known user is allowed to modify it's own properties except for her/his group membership,
- members of the 'User administrator' group are allowed to create, modify and remove users,
- members of the 'Group administrator' group are allowed to create, modify and remove groups,
- group membership can only be edited by members of the 'Group administrator' and the 'User administrator' group.
-
-
Field Summary
Fields Modifier and Type Field Description static StringAUTHORIZABLES_PATHstatic StringGROUP_ADMIN_GROUP_NAMEConfiguration key and default value for the the name of the 'GroupAdmin' group-principalstatic StringGROUPS_PATHstatic NameMIX_REP_IMPERSONATABLEstatic NameN_MEMBERSstatic NameFactoryNFstatic NameNT_REP_AUTHORIZABLEstatic NameNT_REP_AUTHORIZABLE_FOLDERstatic NameNT_REP_GROUPstatic NameNT_REP_MEMBERSstatic NameNT_REP_USERstatic NameP_DISABLEDstatic NameP_GROUPSDeprecated.As of 2.0 group membership is stored with the group node.static NameP_IMPERSONATORSName of the user property containing the principal names of those allowed to impersonate.static NameP_MEMBERSstatic NameP_PASSWORDstatic NameP_PRINCIPAL_NAMEstatic NameP_USERIDDeprecated.As of 2.0 the id-hash is stored with the jcr:uuid making the rep:userId property redundant.static StringPARAM_ANONYMOUS_ACCESSConstant for the name of the configuration option "anonymousAccess".static StringPARAM_ANONYMOUS_IDConstant for the name of the configuration option "anonymousId".static StringSECURITY_ROOT_PATHroot-path to security related content e.g.static StringUSER_ADMIN_GROUP_NAMEConfiguration key and default value for the the name of the 'UserAdmin' group-principal.static StringUSERS_PATH-
Fields inherited from class org.apache.jackrabbit.core.security.authorization.AbstractAccessControlProvider
observationMgr, PARAM_OMIT_DEFAULT_PERMISSIONS, privilegeManager, session
-
Fields inherited from interface org.apache.jackrabbit.core.security.authorization.AccessControlConstants
N_ACCESSCONTROL, N_POLICY, N_REPO_POLICY, NT_REP_ACCESS_CONTROL, NT_REP_ACCESS_CONTROLLABLE, NT_REP_ACE, NT_REP_ACL, NT_REP_DENY_ACE, NT_REP_GRANT_ACE, NT_REP_PRINCIPAL_ACCESS_CONTROL, NT_REP_REPO_ACCESS_CONTROLLABLE, P_GLOB, P_PRINCIPAL_NAME, P_PRIVILEGES
-
-
Constructor Summary
Constructors Constructor Description UserAccessControlProvider()
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description booleancanAccessRoot(Set<Principal> principals)Returnstrueif the given set of principals can access the root node of the workspace this provider has been built for;falseotherwise.CompiledPermissionscompilePermissions(Set<Principal> principals)Compiles the effective policy for the specified set ofPrincipals.AccessControlEditorgetEditor(Session session)Always returnsnull.AccessControlPolicy[]getEffectivePolicies(Set<Principal> principals, CompiledPermissions permission)Returns the effective policies for the given principals.AccessControlPolicy[]getEffectivePolicies(Path absPath, CompiledPermissions permissions)Returns the effective policies for the node at the given absPath.voidinit(Session systemSession, Map configuration)Tests if the givensystemSessionis a SessionImpl and retrieves the observation manager.booleanisAcItem(ItemImpl item)Always returns false, since this ac provider does not use content stored in items to evaluate AC information.booleanisAcItem(Path absPath)Always returns false, since this ac provider does not use content stored in items to evaluate AC information.-
Methods inherited from class org.apache.jackrabbit.core.security.authorization.AbstractAccessControlProvider
checkInitialized, close, getAdminPermissions, getPrivilegeManagerImpl, getReadOnlyPermissions, isAdminOrSystem, isLive, isReadOnly
-
-
-
-
Field Detail
-
PARAM_ANONYMOUS_ID
public static final String PARAM_ANONYMOUS_ID
Constant for the name of the configuration option "anonymousId". The option is a flag indicating the name of the anonymous user id.- See Also:
- Constant Field Values
-
PARAM_ANONYMOUS_ACCESS
public static final String PARAM_ANONYMOUS_ACCESS
Constant for the name of the configuration option "anonymousAccess".- See Also:
- Constant Field Values
-
NF
public static final NameFactory NF
-
SECURITY_ROOT_PATH
public static final String SECURITY_ROOT_PATH
root-path to security related content e.g. principals- See Also:
- Constant Field Values
-
AUTHORIZABLES_PATH
public static final String AUTHORIZABLES_PATH
- See Also:
- Constant Field Values
-
USERS_PATH
public static final String USERS_PATH
- See Also:
- Constant Field Values
-
GROUPS_PATH
public static final String GROUPS_PATH
- See Also:
- Constant Field Values
-
USER_ADMIN_GROUP_NAME
public static final String USER_ADMIN_GROUP_NAME
Configuration key and default value for the the name of the 'UserAdmin' group-principal.- See Also:
- Constant Field Values
-
GROUP_ADMIN_GROUP_NAME
public static final String GROUP_ADMIN_GROUP_NAME
Configuration key and default value for the the name of the 'GroupAdmin' group-principal- See Also:
- Constant Field Values
-
P_PRINCIPAL_NAME
public static final Name P_PRINCIPAL_NAME
-
P_USERID
public static final Name P_USERID
Deprecated.As of 2.0 the id-hash is stored with the jcr:uuid making the rep:userId property redundant. It has been removed from the node type definition.
-
P_PASSWORD
public static final Name P_PASSWORD
-
P_DISABLED
public static final Name P_DISABLED
-
P_GROUPS
public static final Name P_GROUPS
Deprecated.As of 2.0 group membership is stored with the group node.- See Also:
P_MEMBERS
-
P_MEMBERS
public static final Name P_MEMBERS
-
N_MEMBERS
public static final Name N_MEMBERS
-
P_IMPERSONATORS
public static final Name P_IMPERSONATORS
Name of the user property containing the principal names of those allowed to impersonate.
-
NT_REP_AUTHORIZABLE
public static final Name NT_REP_AUTHORIZABLE
-
NT_REP_AUTHORIZABLE_FOLDER
public static final Name NT_REP_AUTHORIZABLE_FOLDER
-
NT_REP_USER
public static final Name NT_REP_USER
-
NT_REP_GROUP
public static final Name NT_REP_GROUP
-
NT_REP_MEMBERS
public static final Name NT_REP_MEMBERS
-
MIX_REP_IMPERSONATABLE
public static final Name MIX_REP_IMPERSONATABLE
-
-
Method Detail
-
isAcItem
public boolean isAcItem(Path absPath) throws RepositoryException
Always returns false, since this ac provider does not use content stored in items to evaluate AC information.- Specified by:
isAcItemin interfaceAccessControlUtils- Overrides:
isAcItemin classAbstractAccessControlProvider- Parameters:
absPath- Path to an item.- Returns:
- true if the item at the specified
absPathcontains access control information. - Throws:
RepositoryException- If an error occurs.- See Also:
AccessControlUtils.isAcItem(Path)
-
isAcItem
public boolean isAcItem(ItemImpl item) throws RepositoryException
Always returns false, since this ac provider does not use content stored in items to evaluate AC information.- Specified by:
isAcItemin interfaceAccessControlUtils- Overrides:
isAcItemin classAbstractAccessControlProvider- Parameters:
item- An item.- Returns:
- true if the item at the specified
itemdefines access control related information is should therefore be considered protected. - Throws:
RepositoryException- If an error occurs.- See Also:
AccessControlUtils.isAcItem(ItemImpl)
-
init
public void init(Session systemSession, Map configuration) throws RepositoryException
Description copied from class:AbstractAccessControlProviderTests if the givensystemSessionis a SessionImpl and retrieves the observation manager. The it sets the internal 'initialized' field to true.- Specified by:
initin interfaceAccessControlProvider- Overrides:
initin classAbstractAccessControlProvider- Parameters:
systemSession- System session.configuration- Configuration used to initialize this provider.- Throws:
RepositoryException- If the specified session is not aSessionImplor if retrieving the observation manager fails.- See Also:
AccessControlProvider.init(Session, Map)
-
getEffectivePolicies
public AccessControlPolicy[] getEffectivePolicies(Path absPath, CompiledPermissions permissions) throws ItemNotFoundException, RepositoryException
Description copied from interface:AccessControlProviderReturns the effective policies for the node at the given absPath.- Specified by:
getEffectivePoliciesin interfaceAccessControlProvider- Parameters:
absPath- an absolute path.permissions- The effective permissions of the editing sessions that attempts to view the effective policies.- Returns:
- The effective policies that apply at
absPathor an empty array if the implementation cannot determine the effective policy at the given path. - Throws:
ItemNotFoundException- If no Node with the specifiedabsPathexists.RepositoryException- If another error occurs.- See Also:
AccessControlProvider.getEffectivePolicies(org.apache.jackrabbit.spi.Path,org.apache.jackrabbit.core.security.authorization.CompiledPermissions)
-
getEffectivePolicies
public AccessControlPolicy[] getEffectivePolicies(Set<Principal> principals, CompiledPermissions permission) throws ItemNotFoundException, RepositoryException
Description copied from interface:AccessControlProviderReturns the effective policies for the given principals.- Specified by:
getEffectivePoliciesin interfaceAccessControlProvider- Parameters:
principals- A set of principal.permission- The effective permissions of the editing sessions that attempts to view the effective policies. @return The effective policies that are in effect for the givenprincipalor an empty array.- Throws:
RepositoryException- If error occurs.ItemNotFoundException- See Also:
AccessControlProvider.getEffectivePolicies(java.util.Set, CompiledPermissions)
-
getEditor
public AccessControlEditor getEditor(Session session)
Always returnsnull.- Specified by:
getEditorin interfaceAccessControlProvider- Parameters:
session- The editing session.- Returns:
- the ACL editor or
null. - See Also:
AccessControlProvider.getEditor(Session)
-
compilePermissions
public CompiledPermissions compilePermissions(Set<Principal> principals) throws RepositoryException
Description copied from interface:AccessControlProviderCompiles the effective policy for the specified set ofPrincipals.- Specified by:
compilePermissionsin interfaceAccessControlProvider- Parameters:
principals- Set of principals to compile the permissions for. If the order of evaluating permissions for principals is meaningful, the caller should pass a Set that respects the order of insertion.- Returns:
- The effective, compiled CompiledPolicy that applies for the specified set of principals.
- Throws:
RepositoryException- If an error occurs.- See Also:
AccessControlProvider.compilePermissions(Set)
-
canAccessRoot
public boolean canAccessRoot(Set<Principal> principals) throws RepositoryException
Description copied from interface:AccessControlProviderReturnstrueif the given set of principals can access the root node of the workspace this provider has been built for;falseotherwise.- Specified by:
canAccessRootin interfaceAccessControlProvider- Parameters:
principals- Set of principals to be tested for being allowed to access the root node.- Returns:
trueif the given set of principals can access the root node of the workspace this provider has been built for;falseotherwise.- Throws:
RepositoryException- If an error occurs.- See Also:
AccessControlProvider.canAccessRoot(Set)
-
-