Package org.apache.jackrabbit.api.security.authorization

Interface PrincipalAccessControlList

All Superinterfaces:

AccessControlList, AccessControlPolicy, JackrabbitAccessControlList, JackrabbitAccessControlPolicy

@ProviderType
public interface PrincipalAccessControlList
extends JackrabbitAccessControlList

Extension of the JackrabbitAccessControlList that is bound to a Principal. Consequently, all entries returned by AccessControlList.getAccessControlEntries() will return the same value as getPrincipal() and only entries associated with this very principal can be added/removed from this list. In addition this implies that each entry contained within the PrincipalAccessControlList defines the target object where it will take effect, which can either be an absolute path to a node or null if the entry takes effect at the repository level.

Typically applicable, existing and effective policies of this type of access control list are expected to be obtained through calls of JackrabbitAccessControlManager.getApplicablePolicies(Principal), JackrabbitAccessControlManager.getPolicies(Principal) and JackrabbitAccessControlManager.getEffectivePolicies(Set), respectively.

Whether or not accessing PrincipalAccessControlList policies by path is supported is an implementation detail. If it is supported the absPath parameter specified with AccessControlManager.getApplicablePolicies(String) and AccessControlManager.getPolicies(String) will correspond to the path of the policy.

As far as the best-effort method AccessControlManager.getEffectivePolicies(String) is concerned, the effective path defined with the individual entries will be consulted in order to compute the policies that take effect at a given path. Irrespective on whether access by path is supported or not the path of the policy points to the access controlled node it is bound to and will be used to set and remove the policy. This access controlled node may or may not be associated with an (optional) representation of the associated Principal inside the repository.

Nested Class Summary

Nested Classes

Modifier and Type	Interface	Description
static interface	PrincipalAccessControlList.Entry	Extension of the JackrabbitAccessControlEntry that additionally defines the target object where this entry will take effect.

Method Summary

Modifier and Type	Method	Description
boolean	addEntry(@Nullable String effectivePath, @NotNull Privilege[] privileges)	Adds an access control entry to this policy consisting of the specified effectivePath and the specified privileges and indicates upon return if the policy was modified.
boolean	addEntry(@Nullable String effectivePath, @NotNull Privilege[] privileges, @NotNull Map<String,Value> restrictions, @NotNull Map<String,Value[]> mvRestrictions)	Adds an access control entry to this policy consisting of the specified effectivePath, the specified privileges as well as the specified single and multivalued restrictions and indicates upon return if the policy was modified.
@NotNull Principal	getPrincipal()	Returns the Principal this policy is bound to.

Methods inherited from interface javax.jcr.security.AccessControlList

addAccessControlEntry, getAccessControlEntries, removeAccessControlEntry

Methods inherited from interface org.apache.jackrabbit.api.security.JackrabbitAccessControlList

addEntry, addEntry, addEntry, getRestrictionNames, getRestrictionType, isEmpty, isMultiValueRestriction, orderBefore, size

Methods inherited from interface org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy

getPath

Method Detail

getPrincipal

@NotNull
@NotNull Principal getPrincipal()

Returns the Principal this policy is bound to. It will be the same all entries contained in this list. An attempt to add an entry associated with a different principal than the one returned by this method will fail.

Returns:

the target principal of this access control list.

See Also:

AccessControlEntry.getPrincipal()

addEntry

boolean addEntry(@Nullable
                 @Nullable String effectivePath,
                 @NotNull
                 @NotNull Privilege[] privileges)
          throws RepositoryException

Adds an access control entry to this policy consisting of the specified effectivePath and the specified privileges and indicates upon return if the policy was modified.

The effectivePath defines the object where the privileges will take effect. If effectivePath is an absolute path then the specified object is a Node. If it is null the object is the repository as a whole and the privileges in question are those that are not associated with any particular node (e.g. privilege to register a namespace). Whether or not an absolute path must point to an accessible node is an implementation detail.

How the entries are grouped within the list is an implementation detail. An implementation may e.g. combine the specified privileges with those added by a previous call for the same effectivePath but it will not remove Privileges added by a previous call.

Modifications to this policy will not take effect until this policy has been written back by calling AccessControlManager.setPolicy(String, javax.jcr.security.AccessControlPolicy) followed by Session.save() to persist the transient modifications.

This method is equivalent to calling addEntry(String, Privilege[], Map, Map) with empty restriction maps.

Parameters:

effectivePath - An absolute path or null to indicate where this entry will take effect.

privileges - an array of Privilege.

Returns:

true if this policy was modify; false otherwise.

Throws:

AccessControlException - if the specified path or any of the privileges is not valid or if some other access control related exception occurs.

RepositoryException - If another error occurs

addEntry

boolean addEntry(@Nullable
                 @Nullable String effectivePath,
                 @NotNull
                 @NotNull Privilege[] privileges,
                 @NotNull
                 @NotNull Map<String,Value> restrictions,
                 @NotNull
                 @NotNull Map<String,Value[]> mvRestrictions)
          throws RepositoryException

Adds an access control entry to this policy consisting of the specified effectivePath, the specified privileges as well as the specified single and multivalued restrictions and indicates upon return if the policy was modified.

The effectivePath defines the object where the privileges will take effect. If effectivePath is an absolute path then the specified object is a Node. If it is null the object is the repository as a whole and the privileges in question are those that are not associated with any particular node (e.g. privilege to register a namespace). Whether or not an absolute path must point to an accessible node is an implementation detail.

The names of the supported restrictions can be obtained by calling JackrabbitAccessControlList.getRestrictionNames(), while JackrabbitAccessControlList.getRestrictionType(String) and JackrabbitAccessControlList.isMultiValueRestriction(String) will reveal the expected value type and cardinality.

How the entries are grouped within the list is an implementation detail. An implementation may e.g. combine the specified privileges with those added by a previous call for the same effectivePath but it will not remove a Privilege or restrictions added by a previous call.

Modifications to this policy will not take effect until this policy has been written back by calling AccessControlManager.setPolicy(String, javax.jcr.security.AccessControlPolicy) followed by Session.save() to persist the transient modifications.

Parameters:

effectivePath - An absolute path or null to indicate where this entry will take effect.

privileges - an array of Privilege.

restrictions - The single valued restrictions associated with the entry to be created or an empty map.

mvRestrictions - the multi-valued restrictions associated with the entry to be created or an empty map.

Returns:

true if this policy was modify; false otherwise.

Throws:

AccessControlException - if the specified path, any of the privileges or the restrictions are not valid or if some other access control related exception occurs.

RepositoryException - If another error occurs