Package org.apache.jackrabbit.oak.security.authorization.accesscontrol

Class AccessControlManagerImpl

java.lang.Object

org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager

org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlManagerImpl

All Implemented Interfaces:

AccessControlManager, JackrabbitAccessControlManager, AccessControlConstants, PolicyOwner

public class AccessControlManagerImpl
extends AbstractAccessControlManager
implements PolicyOwner

Default implementation of the JackrabbitAccessControlManager interface. This implementation covers both editing access control content by path and by Principal resulting both in the same content structure.

Field Summary

Fields inherited from interface org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants

AC_NODETYPE_NAMES, ACE_PROPERTY_NAMES, MIX_REP_ACCESS_CONTROLLABLE, MIX_REP_REPO_ACCESS_CONTROLLABLE, NT_REP_ACE, NT_REP_ACL, NT_REP_DENY_ACE, NT_REP_GRANT_ACE, NT_REP_POLICY, NT_REP_RESTRICTIONS, PARAM_RESTRICTION_PROVIDER, POLICY_NODE_NAMES, REP_CURRENT, REP_GLOB, REP_GLOBS, REP_ITEM_NAMES, REP_NODE_PATH, REP_NT_NAMES, REP_POLICY, REP_PREFIXES, REP_PRINCIPAL_NAME, REP_PRIVILEGES, REP_REPO_POLICY, REP_RESTRICTIONS, REP_SUBTREES

Constructor Summary

Constructors

Constructor	Description
AccessControlManagerImpl(@NotNull Root root, @NotNull NamePathMapper namePathMapper, @NotNull SecurityProvider securityProvider)

Method Summary

Modifier and Type	Method	Description
boolean	defines(String absPath, @NotNull AccessControlPolicy accessControlPolicy)	Determines if the implementing AccessManager defines the specified accessControlPolicy at the given absPath.
@NotNull JackrabbitAccessControlPolicy[]	getApplicablePolicies(@NotNull Principal principal)	Returns the applicable policies for the specified principal or an empty array if no additional policies can be applied.
@NotNull AccessControlPolicyIterator	getApplicablePolicies(@Nullable String absPath)
@NotNull AccessControlPolicy[]	getEffectivePolicies(@NotNull Set<Principal> principals)	Returns the AccessControlPolicy objects that are in effect for the given Principals.
@NotNull Iterator<AccessControlPolicy>	getEffectivePolicies(@NotNull Set<Principal> principals, @Nullable String... absPaths)	Returns the AccessControlPolicy objects that are in effect for the given Principals at the specified absolute paths.
@NotNull AccessControlPolicy[]	getEffectivePolicies(@Nullable String absPath)
@NotNull JackrabbitAccessControlPolicy[]	getPolicies(@NotNull Principal principal)	Returns the AccessControlPolicy objects that have been set for the given principal or an empty array if no policy has been set.
@NotNull AccessControlPolicy[]	getPolicies(@Nullable String absPath)
void	removePolicy(@Nullable String absPath, @NotNull AccessControlPolicy policy)
void	setPolicy(@Nullable String absPath, @NotNull AccessControlPolicy policy)

Methods inherited from class org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager

getConfig, getLatestRoot, getNamePathMapper, getOakPath, getOakPaths, getPermissionProvider, getPrivilegeBitsProvider, getPrivilegeCollection, getPrivilegeCollection, getPrivilegeManager, getPrivileges, getPrivileges, getRoot, getSupportedPrivileges, getTree, hasPrivileges, hasPrivileges, privilegeCollectionFromNames, privilegeFromName

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

AccessControlManagerImpl

public AccessControlManagerImpl(@NotNull
 @NotNull Root root,
 @NotNull
 @NotNull NamePathMapper namePathMapper,
 @NotNull
 @NotNull SecurityProvider securityProvider)

Method Details

getPolicies

@NotNull
public @NotNull AccessControlPolicy[] getPolicies(@Nullable
 @Nullable String absPath)
                                           throws RepositoryException

Specified by:

getPolicies in interface AccessControlManager

Throws:

RepositoryException

getEffectivePolicies

@NotNull
public @NotNull AccessControlPolicy[] getEffectivePolicies(@Nullable
 @Nullable String absPath)
                                                    throws RepositoryException

Specified by:

getEffectivePolicies in interface AccessControlManager

Throws:

RepositoryException

getApplicablePolicies

@NotNull
public @NotNull AccessControlPolicyIterator getApplicablePolicies(@Nullable
 @Nullable String absPath)
                                                           throws RepositoryException

Specified by:

getApplicablePolicies in interface AccessControlManager

Throws:

RepositoryException

setPolicy

public void setPolicy(@Nullable
 @Nullable String absPath,
 @NotNull
 @NotNull AccessControlPolicy policy)
               throws RepositoryException

Specified by:

setPolicy in interface AccessControlManager

Throws:

RepositoryException

removePolicy

public void removePolicy(@Nullable
 @Nullable String absPath,
 @NotNull
 @NotNull AccessControlPolicy policy)
                  throws RepositoryException

Specified by:

removePolicy in interface AccessControlManager

Throws:

RepositoryException

getApplicablePolicies

@NotNull
public @NotNull JackrabbitAccessControlPolicy[] getApplicablePolicies(@NotNull
 @NotNull Principal principal)
                                                               throws RepositoryException

Description copied from interface: JackrabbitAccessControlManager

Returns the applicable policies for the specified principal or an empty array if no additional policies can be applied.

Specified by:

getApplicablePolicies in interface JackrabbitAccessControlManager

Parameters:

principal - A principal known to the editing session.

Returns:

array of policies for the specified principal. Note that the policy object returned must reveal the path of the node where they can be applied later on using AccessControlManager.setPolicy(String, javax.jcr.security.AccessControlPolicy).

Throws:

AccessDeniedException - if the session lacks MODIFY_ACCESS_CONTROL privilege.

AccessControlException - if the specified principal does not exist or if another access control related exception occurs.

UnsupportedRepositoryOperationException - if editing access control policies by principal is not supported.

RepositoryException - if another error occurs.

See Also:

• JackrabbitAccessControlPolicy.getPath()

getPolicies

@NotNull
public @NotNull JackrabbitAccessControlPolicy[] getPolicies(@NotNull
 @NotNull Principal principal)
                                                     throws RepositoryException

Description copied from interface: JackrabbitAccessControlManager

Returns the AccessControlPolicy objects that have been set for the given principal or an empty array if no policy has been set. This method reflects the binding state, including transient policy modifications.

Specified by:

getPolicies in interface JackrabbitAccessControlManager

Parameters:

principal - A valid principal.

Returns:

The policies defined for the given principal or an empty array.

Throws:

AccessDeniedException - if the session lacks READ_ACCESS_CONTROL privilege.

AccessControlException - if the specified principal does not exist or if another access control related exception occurs.

UnsupportedRepositoryOperationException - if editing access control policies by principal is not supported.

RepositoryException - If another error occurs.

getEffectivePolicies

@NotNull
public @NotNull AccessControlPolicy[] getEffectivePolicies(@NotNull
 @NotNull Set<Principal> principals)
                                                    throws RepositoryException

Description copied from interface: JackrabbitAccessControlManager

Returns the AccessControlPolicy objects that are in effect for the given Principals. This may be policies set through this API or some implementation specific (default) policies.

Specified by:

getEffectivePolicies in interface JackrabbitAccessControlManager

Parameters:

principals - A set of valid principals.

Returns:

The policies defined for the given principal or an empty array.

Throws:

AccessDeniedException - if the session lacks READ_ACCESS_CONTROL privilege.

AccessControlException - if the specified principal does not exist or if another access control related exception occurs.

UnsupportedRepositoryOperationException - if editing access control policies by principal is not supported.

RepositoryException - If another error occurs.

getEffectivePolicies

@NotNull
public @NotNull Iterator<AccessControlPolicy> getEffectivePolicies(@NotNull
 @NotNull Set<Principal> principals,
 @Nullable
 @Nullable String... absPaths)
                                                            throws RepositoryException

Description copied from interface: JackrabbitAccessControlManager

Returns the AccessControlPolicy objects that are in effect for the given Principals at the specified absolute paths. This may be policies set through this API or some implementation specific (default) policies. Note, that this method will make a best effort approach to reflect the effects of the existing access control setup. For backwards compatibility this new method comes with a default implementation that calls JackrabbitAccessControlManager.getEffectivePolicies(Set) followed by a best effort approach to determine effect on any of specified paths, which does not take the effect of restrictions into account.

Specified by:

getEffectivePolicies in interface JackrabbitAccessControlManager

Parameters:

principals - A set of valid principals for which the effective policies should be computed.

absPaths - The absolute paths for which the effective policies should be computed. In contrast to AccessControlManager.getEffectivePolicies(String) this method does not mandate the paths to point to existing nodes.

Returns:

The policies defined for the given principal or an empty iterator.

Throws:

AccessDeniedException - if the session lacks READ_ACCESS_CONTROL privilege to retrieve the information for the given principals or paths.

AccessControlException - if the specified principal does not exist or if another access control related exception occurs.

UnsupportedRepositoryOperationException - if editing access control policies by principal or path is not supported or if this method is not implemented.

RepositoryException - If another error occurs.

defines

public boolean defines(String absPath,
 @NotNull
 @NotNull AccessControlPolicy accessControlPolicy)

Description copied from interface: PolicyOwner

Determines if the implementing AccessManager defines the specified accessControlPolicy at the given absPath. If this method returns true it is expected that the given policy is valid to be set or removed with the manager.

Specified by:

defines in interface PolicyOwner

Parameters:

absPath - An absolute path.

accessControlPolicy - The access control policy to be tested.

Returns:

true If the AccessControlManager implementing this interface can handle the specified accessControlPolicy at the given path.