Package org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol

Class AbstractAccessControlManager

java.lang.Object

org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager

All Implemented Interfaces:

AccessControlManager, JackrabbitAccessControlManager, AccessControlConstants

Direct Known Subclasses:

AccessControlManagerImpl

@ProviderType
public abstract class AbstractAccessControlManager
extends Object
implements JackrabbitAccessControlManager, AccessControlConstants

Default implementation of the JackrabbitAccessControlManager interface. This implementation covers both editing access control content by path and by Principal resulting both in the same content structure.

Field Summary

Fields inherited from interface org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants

AC_NODETYPE_NAMES, ACE_PROPERTY_NAMES, MIX_REP_ACCESS_CONTROLLABLE, MIX_REP_REPO_ACCESS_CONTROLLABLE, NT_REP_ACE, NT_REP_ACL, NT_REP_DENY_ACE, NT_REP_GRANT_ACE, NT_REP_POLICY, NT_REP_RESTRICTIONS, PARAM_RESTRICTION_PROVIDER, POLICY_NODE_NAMES, REP_CURRENT, REP_GLOB, REP_GLOBS, REP_ITEM_NAMES, REP_NODE_PATH, REP_NT_NAMES, REP_POLICY, REP_PREFIXES, REP_PRINCIPAL_NAME, REP_PRIVILEGES, REP_REPO_POLICY, REP_RESTRICTIONS, REP_SUBTREES

Constructor Summary

Constructors

Modifier	Constructor	Description
protected	AbstractAccessControlManager(@NotNull Root root, @NotNull NamePathMapper namePathMapper, @NotNull SecurityProvider securityProvider)

Method Summary

Modifier and Type	Method	Description
protected @NotNull AuthorizationConfiguration	getConfig()
protected @NotNull Root	getLatestRoot()
protected @NotNull NamePathMapper	getNamePathMapper()
protected @Nullable String	getOakPath(@Nullable String jcrPath)
protected @NotNull Collection<String>	getOakPaths(@Nullable String... jcrPaths)
protected @NotNull PermissionProvider	getPermissionProvider()
protected @NotNull PrivilegeBitsProvider	getPrivilegeBitsProvider()
@NotNull PrivilegeCollection	getPrivilegeCollection(@Nullable String absPath)	Returns the PrivilegeCollection for editing session at the given absolute path, which must be an existing node.
@NotNull PrivilegeCollection	getPrivilegeCollection(@Nullable String absPath, @NotNull Set<Principal> principals)	Returns the PrivilegeCollection for the given set of principals at the given absolute path, which must be an existing node.
protected @NotNull PrivilegeManager	getPrivilegeManager()
@NotNull Privilege[]	getPrivileges(@Nullable String absPath)
@NotNull Privilege[]	getPrivileges(@Nullable String absPath, @NotNull Set<Principal> principals)	Returns the privileges the given set of Principals has for absolute path absPath, which must be an existing node.
protected @NotNull Root	getRoot()
@NotNull Privilege[]	getSupportedPrivileges(@Nullable String absPath)
protected @NotNull Tree	getTree(@Nullable String oakPath, long permissions, boolean checkAcContent)
boolean	hasPrivileges(@Nullable String absPath, @NotNull Set<Principal> principals, @Nullable Privilege[] privileges)	Returns whether the given set of Principals has the specified privileges for absolute path absPath, which must be an existing node.
boolean	hasPrivileges(@Nullable String absPath, @Nullable Privilege[] privileges)
@NotNull PrivilegeCollection	privilegeCollectionFromNames(@NotNull String... privilegeNames)	Returns the PrivilegeCollection for the specified privilegeNames.
@NotNull Privilege	privilegeFromName(@NotNull String privilegeName)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface javax.jcr.security.AccessControlManager

getApplicablePolicies, getEffectivePolicies, getPolicies, removePolicy, setPolicy

Methods inherited from interface org.apache.jackrabbit.api.security.JackrabbitAccessControlManager

getApplicablePolicies, getEffectivePolicies, getEffectivePolicies, getPolicies

Constructor Detail

AbstractAccessControlManager

protected AbstractAccessControlManager(@NotNull
                                       @NotNull Root root,
                                       @NotNull
                                       @NotNull NamePathMapper namePathMapper,
                                       @NotNull
                                       @NotNull SecurityProvider securityProvider)

Method Detail

getSupportedPrivileges

@NotNull
public @NotNull Privilege[] getSupportedPrivileges(@Nullable
                                                   @Nullable String absPath)
                                            throws RepositoryException

Specified by:

getSupportedPrivileges in interface AccessControlManager

Throws:

RepositoryException

privilegeFromName

@NotNull
public @NotNull Privilege privilegeFromName(@NotNull
                                            @NotNull String privilegeName)
                                     throws RepositoryException

Specified by:

privilegeFromName in interface AccessControlManager

Throws:

RepositoryException

hasPrivileges

public boolean hasPrivileges(@Nullable
                             @Nullable String absPath,
                             @Nullable
                             @Nullable Privilege[] privileges)
                      throws RepositoryException

Specified by:

hasPrivileges in interface AccessControlManager

Throws:

RepositoryException

getPrivileges

@NotNull
public @NotNull Privilege[] getPrivileges(@Nullable
                                          @Nullable String absPath)
                                   throws RepositoryException

Specified by:

getPrivileges in interface AccessControlManager

Throws:

RepositoryException

hasPrivileges

public boolean hasPrivileges(@Nullable
                             @Nullable String absPath,
                             @NotNull
                             @NotNull Set<Principal> principals,
                             @Nullable
                             @Nullable Privilege[] privileges)
                      throws RepositoryException

Description copied from interface: JackrabbitAccessControlManager

Returns whether the given set of Principals has the specified privileges for absolute path absPath, which must be an existing node.

Testing an aggregate privilege is equivalent to testing each non aggregate privilege among the set returned by calling Privilege.getAggregatePrivileges() for that privilege.

The results reported by the this method reflect the net effect of the currently applied control mechanisms. It does not reflect unsaved access control policies or unsaved access control entries. Changes to access control status caused by these mechanisms only take effect on Session.save() and are only then reflected in the results of the privilege test methods.

Since this method allows to view the privileges of principals other than included in the editing session, this method must throw AccessDeniedException if the session lacks READ_ACCESS_CONTROL privilege for the absPath node.

Specified by:

hasPrivileges in interface JackrabbitAccessControlManager

Parameters:

absPath - an absolute path.

principals - a set of Principals for which is the given privileges are tested.

privileges - an array of Privileges.

Returns:

true if the session has the specified privileges; false otherwise.

Throws:

PathNotFoundException - if no node at absPath exists or the session does not have sufficient access to retrieve a node at that location.

AccessDeniedException - if the session lacks READ_ACCESS_CONTROL privilege for the absPath node.

RepositoryException - if another error occurs.

getPrivileges

@NotNull
public @NotNull Privilege[] getPrivileges(@Nullable
                                          @Nullable String absPath,
                                          @NotNull
                                          @NotNull Set<Principal> principals)
                                   throws RepositoryException

Description copied from interface: JackrabbitAccessControlManager

Returns the privileges the given set of Principals has for absolute path absPath, which must be an existing node.

The returned privileges are those for which JackrabbitAccessControlManager.hasPrivileges(java.lang.String, java.util.Set<java.security.Principal>, javax.jcr.security.Privilege[]) would return true.

The results reported by the this method reflect the net effect of the currently applied control mechanisms. It does not reflect unsaved access control policies or unsaved access control entries. Changes to access control status caused by these mechanisms only take effect on Session.save() and are only then reflected in the results of the privilege test methods.

Since this method allows to view the privileges of principals other than included in the editing session, this method must throw AccessDeniedException if the session lacks READ_ACCESS_CONTROL privilege for the absPath node.

Note that this method does not resolve any group membership, as this is the job of the user manager. nor does it augment the set with the "everyone" principal.

Specified by:

getPrivileges in interface JackrabbitAccessControlManager

Parameters:

absPath - an absolute path.

principals - a set of Principals for which is the privileges are retrieved.

Returns:

an array of Privileges.

Throws:

PathNotFoundException - if no node at absPath exists or the session does not have sufficient access to retrieve a node at that location.

AccessDeniedException - if the session lacks READ_ACCESS_CONTROL privilege for the absPath node.

RepositoryException - if another error occurs.

getPrivilegeCollection

@NotNull
public @NotNull PrivilegeCollection getPrivilegeCollection(@Nullable
                                                           @Nullable String absPath)
                                                    throws RepositoryException

Description copied from interface: JackrabbitAccessControlManager

Returns the PrivilegeCollection for editing session at the given absolute path, which must be an existing node. This is equivalent to AccessControlManager.getPrivileges(String) and AccessControlManager.hasPrivileges(String, Privilege[]) but allows for easy resolution of aggregated privileges (like e.g. jcr:all) and repeated evaluation if the editing session has privileges granted at the given target node.

Note: For backwards compatibility this method comes with a default implementation that computes the PrivilegeCollection using regular JCR/Jackrabbit API, which might not be efficient. Implementations of JackrabbitAccessControlManager are therefore expected to overwrite the default.

Specified by:

getPrivilegeCollection in interface JackrabbitAccessControlManager

Parameters:

absPath - An absolute path to an existing JCR node.

Returns:

A PrivilegeCollection wrapping around the privileges granted for the editing session at absPath.

Throws:

PathNotFoundException - if no node at absPath exists or the session does not have sufficient access to retrieve a node at that location.

RepositoryException - If another error occurs.

getPrivilegeCollection

@NotNull
public @NotNull PrivilegeCollection getPrivilegeCollection(@Nullable
                                                           @Nullable String absPath,
                                                           @NotNull
                                                           @NotNull Set<Principal> principals)
                                                    throws RepositoryException

Description copied from interface: JackrabbitAccessControlManager

Returns the PrivilegeCollection for the given set of principals at the given absolute path, which must be an existing node. This is equivalent to JackrabbitAccessControlManager.getPrivileges(String,Set) and JackrabbitAccessControlManager.hasPrivileges(String, Set, Privilege[]) but allows for easy resolution of aggregated privileges (like e.g. jcr:all) and repeated evaluation if the editing session has privileges granted at the given target node.

Note: For backwards compatibility this method comes with a default implementation that computes the PrivilegeCollection using regular JCR/Jackrabbit API, which might not be efficient. Implementations of JackrabbitAccessControlManager are therefore expected to overwrite the default.

Specified by:

getPrivilegeCollection in interface JackrabbitAccessControlManager

Parameters:

absPath - An absolute path to an existing JCR node.

principals - A set of principals for which the PrivilegeCollection should be created.

Returns:

A PrivilegeCollection wrapping around the privileges granted for the editing session at absPath.

Throws:

PathNotFoundException - if no node at absPath exists or the session does not have sufficient access to retrieve a node at that location.

AccessDeniedException - if the session lacks READ_ACCESS_CONTROL privilege for the absPath node.

RepositoryException - If another error occurs.

privilegeCollectionFromNames

@NotNull
public @NotNull PrivilegeCollection privilegeCollectionFromNames(@NotNull
                                                                 @NotNull String... privilegeNames)
                                                          throws RepositoryException

Description copied from interface: JackrabbitAccessControlManager

Returns the PrivilegeCollection for the specified privilegeNames. Since the privilege names are JCR names, they may be passed in either qualified or expanded form (see specification for details on JCR names).

Note: For backwards compatibility this method comes with a default implementation that computes the PrivilegeCollection using regular JCR/Jackrabbit API, which might not be efficient. Implementations of JackrabbitAccessControlManager are therefore expected to overwrite the default.

Specified by:

privilegeCollectionFromNames in interface JackrabbitAccessControlManager

Parameters:

privilegeNames - the names of existing privilege.

Returns:

the PrivilegeCollection representing the specified privilegeNames.

Throws:

AccessControlException - if no privilege with any of the specified names exists.

RepositoryException - If another error occurs.

getConfig

@NotNull
protected @NotNull AuthorizationConfiguration getConfig()

getRoot

@NotNull
protected @NotNull Root getRoot()

getLatestRoot

@NotNull
protected @NotNull Root getLatestRoot()

getNamePathMapper

@NotNull
protected @NotNull NamePathMapper getNamePathMapper()

getPrivilegeManager

@NotNull
protected @NotNull PrivilegeManager getPrivilegeManager()

getPrivilegeBitsProvider

@NotNull
protected @NotNull PrivilegeBitsProvider getPrivilegeBitsProvider()

getOakPath

@Nullable
protected @Nullable String getOakPath(@Nullable
                                      @Nullable String jcrPath)
                               throws RepositoryException

Throws:

RepositoryException

getOakPaths

@NotNull
protected @NotNull Collection<String> getOakPaths(@Nullable
                                                  @Nullable String... jcrPaths)
                                           throws RepositoryException

Throws:

RepositoryException

getTree

@NotNull
protected @NotNull Tree getTree(@Nullable
                                @Nullable String oakPath,
                                long permissions,
                                boolean checkAcContent)
                         throws RepositoryException

Throws:

RepositoryException

getPermissionProvider

@NotNull
protected @NotNull PermissionProvider getPermissionProvider()