Package org.apache.jackrabbit.oak.jcr.delegate

Class JackrabbitAccessControlManagerDelegator

java.lang.Object

org.apache.jackrabbit.oak.jcr.delegate.JackrabbitAccessControlManagerDelegator

All Implemented Interfaces:

AccessControlManager, JackrabbitAccessControlManager

public class JackrabbitAccessControlManagerDelegator
extends Object
implements JackrabbitAccessControlManager

This implementation of JackrabbitAccessControlManager delegates back to a delegatee wrapping each call into a SessionOperation closure.

See Also:

SessionDelegate.perform(SessionOperation)

Constructor Summary

Constructors

Constructor	Description
JackrabbitAccessControlManagerDelegator(@NotNull SessionDelegate delegate, @NotNull JackrabbitAccessControlManager acManager)

Method Summary

Modifier and Type	Method	Description
@NotNull JackrabbitAccessControlPolicy[]	getApplicablePolicies(@NotNull Principal principal)	Returns the applicable policies for the specified principal or an empty array if no additional policies can be applied.
AccessControlPolicyIterator	getApplicablePolicies(String absPath)
@NotNull AccessControlPolicy[]	getEffectivePolicies(@NotNull Set<Principal> principals)	Returns the AccessControlPolicy objects that are in effect for the given Principals.
@NotNull Iterator<AccessControlPolicy>	getEffectivePolicies(@NotNull Set<Principal> principals, @Nullable String... absPaths)	Returns the AccessControlPolicy objects that are in effect for the given Principals at the specified absolute paths.
AccessControlPolicy[]	getEffectivePolicies(String absPath)
@NotNull JackrabbitAccessControlPolicy[]	getPolicies(@NotNull Principal principal)	Returns the AccessControlPolicy objects that have been set for the given principal or an empty array if no policy has been set.
AccessControlPolicy[]	getPolicies(String absPath)
@NotNull PrivilegeCollection	getPrivilegeCollection(@Nullable String absPath)	Returns the PrivilegeCollection for editing session at the given absolute path, which must be an existing node.
@NotNull PrivilegeCollection	getPrivilegeCollection(@Nullable String absPath, @NotNull Set<Principal> principals)	Returns the PrivilegeCollection for the given set of principals at the given absolute path, which must be an existing node.
@NotNull Privilege[]	getPrivileges(@Nullable String absPath, @NotNull Set<Principal> principals)	Returns the privileges the given set of Principals has for absolute path absPath, which must be an existing node.
Privilege[]	getPrivileges(String absPath)
Privilege[]	getSupportedPrivileges(String absPath)
boolean	hasPrivileges(@Nullable String absPath, @NotNull Set<Principal> principals, @NotNull Privilege[] privileges)	Returns whether the given set of Principals has the specified privileges for absolute path absPath, which must be an existing node.
boolean	hasPrivileges(String absPath, Privilege[] privileges)
@NotNull PrivilegeCollection	privilegeCollectionFromNames(@NotNull String... privilegeNames)	Returns the PrivilegeCollection for the specified privilegeNames.
Privilege	privilegeFromName(String privilegeName)
void	removePolicy(String absPath, AccessControlPolicy policy)
void	setPolicy(String absPath, AccessControlPolicy policy)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

JackrabbitAccessControlManagerDelegator

public JackrabbitAccessControlManagerDelegator(@NotNull
                                               @NotNull SessionDelegate delegate,
                                               @NotNull
                                               @NotNull JackrabbitAccessControlManager acManager)

Method Detail

getApplicablePolicies

@NotNull
public @NotNull JackrabbitAccessControlPolicy[] getApplicablePolicies(@NotNull
                                                                      @NotNull Principal principal)
                                                               throws RepositoryException

Description copied from interface: JackrabbitAccessControlManager

Returns the applicable policies for the specified principal or an empty array if no additional policies can be applied.

Specified by:

getApplicablePolicies in interface JackrabbitAccessControlManager

Parameters:

principal - A principal known to the editing session.

Returns:

array of policies for the specified principal. Note that the policy object returned must reveal the path of the node where they can be applied later on using AccessControlManager.setPolicy(String, javax.jcr.security.AccessControlPolicy).

Throws:

AccessDeniedException - if the session lacks MODIFY_ACCESS_CONTROL privilege.

AccessControlException - if the specified principal does not exist or if another access control related exception occurs.

UnsupportedRepositoryOperationException - if editing access control policies by principal is not supported.

RepositoryException - if another error occurs.

See Also:

JackrabbitAccessControlPolicy.getPath()

getPolicies

@NotNull
public @NotNull JackrabbitAccessControlPolicy[] getPolicies(@NotNull
                                                            @NotNull Principal principal)
                                                     throws RepositoryException

Description copied from interface: JackrabbitAccessControlManager

Returns the AccessControlPolicy objects that have been set for the given principal or an empty array if no policy has been set. This method reflects the binding state, including transient policy modifications.

Specified by:

getPolicies in interface JackrabbitAccessControlManager

Parameters:

principal - A valid principal.

Returns:

The policies defined for the given principal or an empty array.

Throws:

AccessDeniedException - if the session lacks READ_ACCESS_CONTROL privilege.

AccessControlException - if the specified principal does not exist or if another access control related exception occurs.

UnsupportedRepositoryOperationException - if editing access control policies by principal is not supported.

RepositoryException - If another error occurs.

getEffectivePolicies

@NotNull
public @NotNull AccessControlPolicy[] getEffectivePolicies(@NotNull
                                                           @NotNull Set<Principal> principals)
                                                    throws RepositoryException

Description copied from interface: JackrabbitAccessControlManager

Returns the AccessControlPolicy objects that are in effect for the given Principals. This may be policies set through this API or some implementation specific (default) policies.

Specified by:

getEffectivePolicies in interface JackrabbitAccessControlManager

Parameters:

principals - A set of valid principals.

Returns:

The policies defined for the given principal or an empty array.

Throws:

AccessDeniedException - if the session lacks READ_ACCESS_CONTROL privilege.

AccessControlException - if the specified principal does not exist or if another access control related exception occurs.

UnsupportedRepositoryOperationException - if editing access control policies by principal is not supported.

RepositoryException - If another error occurs.

getEffectivePolicies

@NotNull
public @NotNull Iterator<AccessControlPolicy> getEffectivePolicies(@NotNull
                                                                   @NotNull Set<Principal> principals,
                                                                   @Nullable
                                                                   @Nullable String... absPaths)
                                                            throws AccessDeniedException,
                                                                   AccessControlException,
                                                                   UnsupportedRepositoryOperationException,
                                                                   RepositoryException

Description copied from interface: JackrabbitAccessControlManager

Returns the AccessControlPolicy objects that are in effect for the given Principals at the specified absolute paths. This may be policies set through this API or some implementation specific (default) policies. Note, that this method will make a best effort approach to reflect the effects of the existing access control setup. For backwards compatibility this new method comes with a default implementation that calls JackrabbitAccessControlManager.getEffectivePolicies(Set) followed by a best effort approach to determine effect on any of specified paths, which does not take the effect of restrictions into account.

Specified by:

getEffectivePolicies in interface JackrabbitAccessControlManager

Parameters:

principals - A set of valid principals for which the effective policies should be computed.

absPaths - The absolute paths for which the effective policies should be computed. In contrast to AccessControlManager.getEffectivePolicies(String) this method does not mandate the paths to point to existing nodes.

Returns:

The policies defined for the given principal or an empty iterator.

Throws:

AccessDeniedException - if the session lacks READ_ACCESS_CONTROL privilege to retrieve the information for the given principals or paths.

AccessControlException - if the specified principal does not exist or if another access control related exception occurs.

UnsupportedRepositoryOperationException - if editing access control policies by principal or path is not supported or if this method is not implemented.

RepositoryException - If another error occurs.

hasPrivileges

public boolean hasPrivileges(@Nullable
                             @Nullable String absPath,
                             @NotNull
                             @NotNull Set<Principal> principals,
                             @NotNull
                             @NotNull Privilege[] privileges)
                      throws RepositoryException

Description copied from interface: JackrabbitAccessControlManager

Returns whether the given set of Principals has the specified privileges for absolute path absPath, which must be an existing node.

Testing an aggregate privilege is equivalent to testing each non aggregate privilege among the set returned by calling Privilege.getAggregatePrivileges() for that privilege.

The results reported by the this method reflect the net effect of the currently applied control mechanisms. It does not reflect unsaved access control policies or unsaved access control entries. Changes to access control status caused by these mechanisms only take effect on Session.save() and are only then reflected in the results of the privilege test methods.

Since this method allows to view the privileges of principals other than included in the editing session, this method must throw AccessDeniedException if the session lacks READ_ACCESS_CONTROL privilege for the absPath node.

Specified by:

hasPrivileges in interface JackrabbitAccessControlManager

Parameters:

absPath - an absolute path.

principals - a set of Principals for which is the given privileges are tested.

privileges - an array of Privileges.

Returns:

true if the session has the specified privileges; false otherwise.

Throws:

PathNotFoundException - if no node at absPath exists or the session does not have sufficient access to retrieve a node at that location.

AccessDeniedException - if the session lacks READ_ACCESS_CONTROL privilege for the absPath node.

RepositoryException - if another error occurs.

getPrivileges

@NotNull
public @NotNull Privilege[] getPrivileges(@Nullable
                                          @Nullable String absPath,
                                          @NotNull
                                          @NotNull Set<Principal> principals)
                                   throws RepositoryException

Description copied from interface: JackrabbitAccessControlManager

Returns the privileges the given set of Principals has for absolute path absPath, which must be an existing node.

The returned privileges are those for which JackrabbitAccessControlManager.hasPrivileges(java.lang.String, java.util.Set<java.security.Principal>, javax.jcr.security.Privilege[]) would return true.

The results reported by the this method reflect the net effect of the currently applied control mechanisms. It does not reflect unsaved access control policies or unsaved access control entries. Changes to access control status caused by these mechanisms only take effect on Session.save() and are only then reflected in the results of the privilege test methods.

Since this method allows to view the privileges of principals other than included in the editing session, this method must throw AccessDeniedException if the session lacks READ_ACCESS_CONTROL privilege for the absPath node.

Note that this method does not resolve any group membership, as this is the job of the user manager. nor does it augment the set with the "everyone" principal.

Specified by:

getPrivileges in interface JackrabbitAccessControlManager

Parameters:

absPath - an absolute path.

principals - a set of Principals for which is the privileges are retrieved.

Returns:

an array of Privileges.

Throws:

PathNotFoundException - if no node at absPath exists or the session does not have sufficient access to retrieve a node at that location.

AccessDeniedException - if the session lacks READ_ACCESS_CONTROL privilege for the absPath node.

RepositoryException - if another error occurs.

getPrivilegeCollection

@NotNull
public @NotNull PrivilegeCollection getPrivilegeCollection(@Nullable
                                                           @Nullable String absPath)
                                                    throws RepositoryException

Description copied from interface: JackrabbitAccessControlManager

Returns the PrivilegeCollection for editing session at the given absolute path, which must be an existing node. This is equivalent to AccessControlManager.getPrivileges(String) and AccessControlManager.hasPrivileges(String, Privilege[]) but allows for easy resolution of aggregated privileges (like e.g. jcr:all) and repeated evaluation if the editing session has privileges granted at the given target node.

Note: For backwards compatibility this method comes with a default implementation that computes the PrivilegeCollection using regular JCR/Jackrabbit API, which might not be efficient. Implementations of JackrabbitAccessControlManager are therefore expected to overwrite the default.

Specified by:

getPrivilegeCollection in interface JackrabbitAccessControlManager

Parameters:

absPath - An absolute path to an existing JCR node.

Returns:

A PrivilegeCollection wrapping around the privileges granted for the editing session at absPath.

Throws:

PathNotFoundException - if no node at absPath exists or the session does not have sufficient access to retrieve a node at that location.

RepositoryException - If another error occurs.

getPrivilegeCollection

@NotNull
public @NotNull PrivilegeCollection getPrivilegeCollection(@Nullable
                                                           @Nullable String absPath,
                                                           @NotNull
                                                           @NotNull Set<Principal> principals)
                                                    throws RepositoryException

Description copied from interface: JackrabbitAccessControlManager

Returns the PrivilegeCollection for the given set of principals at the given absolute path, which must be an existing node. This is equivalent to JackrabbitAccessControlManager.getPrivileges(String,Set) and JackrabbitAccessControlManager.hasPrivileges(String, Set, Privilege[]) but allows for easy resolution of aggregated privileges (like e.g. jcr:all) and repeated evaluation if the editing session has privileges granted at the given target node.

Note: For backwards compatibility this method comes with a default implementation that computes the PrivilegeCollection using regular JCR/Jackrabbit API, which might not be efficient. Implementations of JackrabbitAccessControlManager are therefore expected to overwrite the default.

Specified by:

getPrivilegeCollection in interface JackrabbitAccessControlManager

Parameters:

absPath - An absolute path to an existing JCR node.

principals - A set of principals for which the PrivilegeCollection should be created.

Returns:

A PrivilegeCollection wrapping around the privileges granted for the editing session at absPath.

Throws:

PathNotFoundException - if no node at absPath exists or the session does not have sufficient access to retrieve a node at that location.

AccessDeniedException - if the session lacks READ_ACCESS_CONTROL privilege for the absPath node.

RepositoryException - If another error occurs.

privilegeCollectionFromNames

@NotNull
public @NotNull PrivilegeCollection privilegeCollectionFromNames(@NotNull
                                                                 @NotNull String... privilegeNames)
                                                          throws RepositoryException

Description copied from interface: JackrabbitAccessControlManager

Returns the PrivilegeCollection for the specified privilegeNames. Since the privilege names are JCR names, they may be passed in either qualified or expanded form (see specification for details on JCR names).

Note: For backwards compatibility this method comes with a default implementation that computes the PrivilegeCollection using regular JCR/Jackrabbit API, which might not be efficient. Implementations of JackrabbitAccessControlManager are therefore expected to overwrite the default.

Specified by:

privilegeCollectionFromNames in interface JackrabbitAccessControlManager

Parameters:

privilegeNames - the names of existing privilege.

Returns:

the PrivilegeCollection representing the specified privilegeNames.

Throws:

AccessControlException - if no privilege with any of the specified names exists.

RepositoryException - If another error occurs.

getSupportedPrivileges

public Privilege[] getSupportedPrivileges(String absPath)
                                   throws RepositoryException

Specified by:

getSupportedPrivileges in interface AccessControlManager

Throws:

RepositoryException

privilegeFromName

public Privilege privilegeFromName(String privilegeName)
                            throws RepositoryException

Specified by:

privilegeFromName in interface AccessControlManager

Throws:

RepositoryException

hasPrivileges

public boolean hasPrivileges(String absPath,
                             Privilege[] privileges)
                      throws RepositoryException

Specified by:

hasPrivileges in interface AccessControlManager

Throws:

RepositoryException

getPrivileges

public Privilege[] getPrivileges(String absPath)
                          throws RepositoryException

Specified by:

getPrivileges in interface AccessControlManager

Throws:

RepositoryException

getPolicies

public AccessControlPolicy[] getPolicies(String absPath)
                                  throws RepositoryException

Specified by:

getPolicies in interface AccessControlManager

Throws:

RepositoryException

getEffectivePolicies

public AccessControlPolicy[] getEffectivePolicies(String absPath)
                                           throws RepositoryException

Specified by:

getEffectivePolicies in interface AccessControlManager

Throws:

RepositoryException

getApplicablePolicies

public AccessControlPolicyIterator getApplicablePolicies(String absPath)
                                                  throws RepositoryException

Specified by:

getApplicablePolicies in interface AccessControlManager

Throws:

RepositoryException

setPolicy

public void setPolicy(String absPath,
                      AccessControlPolicy policy)
               throws RepositoryException

Specified by:

setPolicy in interface AccessControlManager

Throws:

RepositoryException

removePolicy

public void removePolicy(String absPath,
                         AccessControlPolicy policy)
                  throws RepositoryException

Specified by:

removePolicy in interface AccessControlManager

Throws:

RepositoryException