Class ReadOnlyAuthorizationConfiguration

  • All Implemented Interfaces:
    AuthorizationConfiguration, SecurityConfiguration

    public final class ReadOnlyAuthorizationConfiguration
    extends ConfigurationBase
    implements AuthorizationConfiguration

    Read Only Authorization Model

    This authorization module forms part of the training material provided by the oak-exercise module and must not be used in a productive environment!

    Overview

    This simplistic authorization model is limited to permission evaluation and doesn't support access control management. The permission evaluation is hardcoded to only allow read access to every single item in the repository (even access control content). All other permissions are denied for every set of principals. There is a single exception to that rule: for the internal SystemPrincipal, permission evaluation is not enforced by this module, i.e. this module is skipped.

    Intended Usage

    This authorization model is intended to be used in 'AND' combination with the default authorization setup defined by Oak (and optionally additional models such as oak-authorization-cug). It is not intended to be used as a standalone model, as it would grant full read access to everyone.
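
    The 'AND' combination described above, as an added example that is not part of the Oak documentation or the oak-exercise code: a toy model in plain Java with no Oak types. The Model interface, the principals alice and bob, the paths and the stand-in default model are assumptions made for the illustration.

```java
import java.util.List;
import java.util.Set;

// Toy model of AND-composed permission evaluation; none of these types are Oak API.
public class ReadOnlyAndDemo {
    enum Permission { READ, WRITE }

    interface Model {
        boolean handles(Set<String> principals); // false = model is skipped
        boolean isGranted(Set<String> principals, String path, Permission p);
    }
    static final String SYSTEM = "system"; // placeholder for the internal SystemPrincipal

    // Read-only model: READ on every item, nothing else; skipped for the system principal.
    static final Model READ_ONLY = new Model() {
        public boolean handles(Set<String> pr) { return !pr.contains(SYSTEM); }
        public boolean isGranted(Set<String> pr, String path, Permission p) { return p == Permission.READ; }
    };

    // Constructed stand-in for the default model: system is unrestricted,
    // "alice" holds all permissions below /content, everyone else has none.
    static final Model DEFAULT = new Model() {
        public boolean handles(Set<String> pr) { return true; }
        public boolean isGranted(Set<String> pr, String path, Permission p) {
            return pr.contains(SYSTEM) || (pr.contains("alice") && path.startsWith("/content"));
        }
    };

    // AND composition: every model that takes part must grant the permission.
    static boolean isGranted(List<Model> models, Set<String> pr, String path, Permission p) {
        return models.stream().anyMatch(m -> m.handles(pr))
            && models.stream().filter(m -> m.handles(pr)).allMatch(m -> m.isGranted(pr, path, p));
    }

    static void check(String label, boolean actual, boolean expected) {
        if (actual != expected) throw new AssertionError(label);
        System.out.println(label + " -> " + actual);
    }

    public static void main(String[] args) {
        List<Model> and = List.of(DEFAULT, READ_ONLY), alone = List.of(READ_ONLY);
        Set<String> alice = Set.of("alice"), bob = Set.of("bob"), system = Set.of(SYSTEM);
        check("AND   alice  READ  /content/a", isGranted(and, alice, "/content/a", Permission.READ), true);
        check("AND   alice  WRITE /content/a", isGranted(and, alice, "/content/a", Permission.WRITE), false);
        check("AND   bob    READ  /content/a", isGranted(and, bob, "/content/a", Permission.READ), false);
        check("AND   system WRITE /content/a", isGranted(and, system, "/content/a", Permission.WRITE), true);
        // Standalone: any principal can read everything, access control content included.
        check("alone bob    READ  /content/a/rep:policy", isGranted(alone, bob, "/content/a/rep:policy", Permission.READ), true);
    }
}
```

    Run it with `java ReadOnlyAndDemo.java` (Java 11 or later).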

    Limitations

    Experimental model for training purposes; not intended for use in production.

    Key Features

    Access Control Management

    Feature                            Description
    Supported Privileges               all
    Supports Custom Privileges         yes
    Management by Path                 not supported
    Management by Principals           not supported
    Owned Policies                     None
    Effective Policies by Path         for every path a single effective policy of type NamedAccessControlPolicy
    Effective Policies by Principals   for every set of principals a single effective policy of type NamedAccessControlPolicy

    Permission Evaluation

    Feature                            Description
    Supported Permissions              all
    Aggregated Permission Provider     yes

    Representation in the Repository

    There exists no dedicated access control or permission content for this authorization model as it doesn't persist any information into the repository. SecurityConfiguration.getContext() therefore returns the default.

    Configuration

    This model comes with a single mandatory configurable property:
    • configurationRanking : CompositeConfiguration.PARAM_RANKING, no default value.

    Installation Instructions

    The following steps are required to install this authorization model in an OSGi based Oak setup.
    • Upload the oak-exercise bundle
    • Edit configuration of 'ReadOnlyAuthorizationConfiguration' specifying the mandatory ranking property
    • Edit configuration of SecurityProviderRegistration
      • add org.apache.jackrabbit.oak.exercise.security.authorization.models.readonly.ReadOnlyAuthorizationConfiguration to the list of required service IDs
      • make sure the 'Authorization Composition Type' is set to AND
    • Wait for the SecurityProvider to be successfully registered again.