Class ACLProvider
- java.lang.Object
-
- org.apache.jackrabbit.core.security.authorization.AbstractAccessControlProvider
-
- org.apache.jackrabbit.core.security.authorization.acl.ACLProvider
-
- All Implemented Interfaces:
AccessControlConstants
,AccessControlProvider
,AccessControlUtils
public class ACLProvider extends AbstractAccessControlProvider implements AccessControlConstants
The ACLProvider generates access control policies out of the items stored in the workspace applying the following rules:- A
Node
is considered access controlled if an ACL has been explicitly assigned to it by adding the mixin typerep:AccessControllable
and adding child node of typerep:acl
that forms the acl. - a Property is considered 'access controlled' if its parent Node is.
- An ACL is never assigned to a
Property
item. - A
Node
that is not access controlled may inherit the ACL. The ACL is inherited from the closest access controlled ancestor. - It may be possible that a given
Node
has no effective ACL, in which case some a default policy is returned that grants READ privilege to any principal and denies all other privileges. - an item is considered an ACL item if it is used to define an ACL. ACL items inherit the ACL from node they defined the ACL for.
- See Also:
for additional information.
-
-
Field Summary
Fields Modifier and Type Field Description static String
PARAM_ALLOW_UNKNOWN_PRINCIPALS
Constant for the name of the configuration optionallow-unknown-principals
.-
Fields inherited from class org.apache.jackrabbit.core.security.authorization.AbstractAccessControlProvider
observationMgr, PARAM_OMIT_DEFAULT_PERMISSIONS, privilegeManager, session
-
Fields inherited from interface org.apache.jackrabbit.core.security.authorization.AccessControlConstants
N_ACCESSCONTROL, N_POLICY, N_REPO_POLICY, NT_REP_ACCESS_CONTROL, NT_REP_ACCESS_CONTROLLABLE, NT_REP_ACE, NT_REP_ACL, NT_REP_DENY_ACE, NT_REP_GRANT_ACE, NT_REP_PRINCIPAL_ACCESS_CONTROL, NT_REP_REPO_ACCESS_CONTROLLABLE, P_GLOB, P_PRINCIPAL_NAME, P_PRIVILEGES
-
-
Constructor Summary
Constructors Constructor Description ACLProvider()
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description boolean
canAccessRoot(Set<Principal> principals)
Returnstrue
if the given set of principals can access the root node of the workspace this provider has been built for;false
otherwise.void
close()
Closes this provider when it is no longer used by the respective workspace and release resources bound by this provider.CompiledPermissions
compilePermissions(Set<Principal> principals)
Compiles the effective policy for the specified set ofPrincipal
s.protected EntryCollector
createEntryCollector(SessionImpl systemSession)
Create theEntryCollector
instance that is used by this provider to gather the effective ACEs for a given list of principals at a given node during AC evaluation.AccessControlEditor
getEditor(Session session)
Returns anAccessControlEditor
for the given Session object ornull
if the implementation does not support editing of access control policies.AccessControlPolicy[]
getEffectivePolicies(Set<Principal> principals, CompiledPermissions permissions)
Returns the effective policies for the given principals.AccessControlPolicy[]
getEffectivePolicies(Path absPath, CompiledPermissions permissions)
Returns the effective policies for the node at the given absPath.void
init(Session systemSession, Map configuration)
Tests if the givensystemSession
is a SessionImpl and retrieves the observation manager.-
Methods inherited from class org.apache.jackrabbit.core.security.authorization.AbstractAccessControlProvider
checkInitialized, getAdminPermissions, getPrivilegeManagerImpl, getReadOnlyPermissions, isAcItem, isAcItem, isAdminOrSystem, isLive, isReadOnly
-
-
-
-
Field Detail
-
PARAM_ALLOW_UNKNOWN_PRINCIPALS
public static final String PARAM_ALLOW_UNKNOWN_PRINCIPALS
Constant for the name of the configuration optionallow-unknown-principals
. The option is a flag indicating whether access control entries with principals not known to the system can be added to an ACL. the default isfalse
.Please note that the current implementation does only check principal existence when adding a new access control entry, but does not validate all ACEs when removing a principal. So even if this flag is
false
, it's possible to create an ACL with a unknown principal.- See Also:
- Constant Field Values
-
-
Method Detail
-
init
public void init(Session systemSession, Map configuration) throws RepositoryException
Description copied from class:AbstractAccessControlProvider
Tests if the givensystemSession
is a SessionImpl and retrieves the observation manager. The it sets the internal 'initialized' field to true.- Specified by:
init
in interfaceAccessControlProvider
- Overrides:
init
in classAbstractAccessControlProvider
- Parameters:
systemSession
- System session.configuration
- Configuration used to initialize this provider.- Throws:
RepositoryException
- If the specified session is not aSessionImpl
or if retrieving the observation manager fails.- See Also:
AccessControlProvider.init(Session, Map)
-
close
public void close()
Description copied from interface:AccessControlProvider
Closes this provider when it is no longer used by the respective workspace and release resources bound by this provider.- Specified by:
close
in interfaceAccessControlProvider
- Overrides:
close
in classAbstractAccessControlProvider
- See Also:
AccessControlProvider.close()
-
getEffectivePolicies
public AccessControlPolicy[] getEffectivePolicies(Path absPath, CompiledPermissions permissions) throws ItemNotFoundException, RepositoryException
Description copied from interface:AccessControlProvider
Returns the effective policies for the node at the given absPath.- Specified by:
getEffectivePolicies
in interfaceAccessControlProvider
- Parameters:
absPath
- an absolute path.permissions
- The effective permissions of the editing sessions that attempts to view the effective policies.- Returns:
- The effective policies that apply at
absPath
or an empty array if the implementation cannot determine the effective policy at the given path. - Throws:
ItemNotFoundException
- If no Node with the specifiedabsPath
exists.RepositoryException
- If another error occurs.- See Also:
AccessControlProvider.getEffectivePolicies(org.apache.jackrabbit.spi.Path,org.apache.jackrabbit.core.security.authorization.CompiledPermissions)
-
getEffectivePolicies
public AccessControlPolicy[] getEffectivePolicies(Set<Principal> principals, CompiledPermissions permissions) throws RepositoryException
Description copied from interface:AccessControlProvider
Returns the effective policies for the given principals.- Specified by:
getEffectivePolicies
in interfaceAccessControlProvider
- Parameters:
principals
- A set of principal.permissions
- The effective permissions of the editing sessions that attempts to view the effective policies. @return The effective policies that are in effect for the givenprincipal
or an empty array.- Throws:
RepositoryException
- If error occurs.- See Also:
AccessControlProvider.getEffectivePolicies(java.util.Set, CompiledPermissions)
-
getEditor
public AccessControlEditor getEditor(Session session)
Description copied from interface:AccessControlProvider
Returns anAccessControlEditor
for the given Session object ornull
if the implementation does not support editing of access control policies.- Specified by:
getEditor
in interfaceAccessControlProvider
- Parameters:
session
- The editing session.- Returns:
- the ACL editor or
null
. - See Also:
AccessControlProvider.getEditor(Session)
-
compilePermissions
public CompiledPermissions compilePermissions(Set<Principal> principals) throws RepositoryException
Description copied from interface:AccessControlProvider
Compiles the effective policy for the specified set ofPrincipal
s.- Specified by:
compilePermissions
in interfaceAccessControlProvider
- Parameters:
principals
- Set of principals to compile the permissions for. If the order of evaluating permissions for principals is meaningful, the caller should pass a Set that respects the order of insertion.- Returns:
- The effective, compiled CompiledPolicy that applies for the specified set of principals.
- Throws:
RepositoryException
- If an error occurs.- See Also:
AccessControlProvider.compilePermissions(Set)
-
canAccessRoot
public boolean canAccessRoot(Set<Principal> principals) throws RepositoryException
Description copied from interface:AccessControlProvider
Returnstrue
if the given set of principals can access the root node of the workspace this provider has been built for;false
otherwise.- Specified by:
canAccessRoot
in interfaceAccessControlProvider
- Parameters:
principals
- Set of principals to be tested for being allowed to access the root node.- Returns:
true
if the given set of principals can access the root node of the workspace this provider has been built for;false
otherwise.- Throws:
RepositoryException
- If an error occurs.- See Also:
AccessControlProvider.canAccessRoot(Set)
-
createEntryCollector
protected EntryCollector createEntryCollector(SessionImpl systemSession) throws RepositoryException
Create theEntryCollector
instance that is used by this provider to gather the effective ACEs for a given list of principals at a given node during AC evaluation.- Parameters:
systemSession
- The system session to create the entry collector for.- Returns:
- A new instance of
CachingEntryCollector
. - Throws:
RepositoryException
- If an error occurs.
-
-