Class AbstractAccessControlManager
- java.lang.Object
-
- org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager
-
- All Implemented Interfaces:
AccessControlManager,JackrabbitAccessControlManager,AccessControlConstants
- Direct Known Subclasses:
AccessControlManagerImpl
@ProviderType public abstract class AbstractAccessControlManager extends Object implements JackrabbitAccessControlManager, AccessControlConstants
Default implementation of theJackrabbitAccessControlManagerinterface. This implementation covers both editing access control content by path and byPrincipalresulting both in the same content structure.
-
-
Field Summary
-
Fields inherited from interface org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants
AC_NODETYPE_NAMES, ACE_PROPERTY_NAMES, MIX_REP_ACCESS_CONTROLLABLE, MIX_REP_REPO_ACCESS_CONTROLLABLE, NT_REP_ACE, NT_REP_ACL, NT_REP_DENY_ACE, NT_REP_GRANT_ACE, NT_REP_POLICY, NT_REP_RESTRICTIONS, PARAM_RESTRICTION_PROVIDER, POLICY_NODE_NAMES, REP_CURRENT, REP_GLOB, REP_GLOBS, REP_ITEM_NAMES, REP_NODE_PATH, REP_NT_NAMES, REP_POLICY, REP_PREFIXES, REP_PRINCIPAL_NAME, REP_PRIVILEGES, REP_REPO_POLICY, REP_RESTRICTIONS, REP_SUBTREES
-
-
Constructor Summary
Constructors Modifier Constructor Description protectedAbstractAccessControlManager(@NotNull Root root, @NotNull NamePathMapper namePathMapper, @NotNull SecurityProvider securityProvider)
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description protected @NotNull AuthorizationConfigurationgetConfig()protected @NotNull RootgetLatestRoot()protected @NotNull NamePathMappergetNamePathMapper()protected @Nullable StringgetOakPath(@Nullable String jcrPath)protected @NotNull Collection<String>getOakPaths(@Nullable String... jcrPaths)protected @NotNull PermissionProvidergetPermissionProvider()protected @NotNull PrivilegeBitsProvidergetPrivilegeBitsProvider()@NotNull PrivilegeCollectiongetPrivilegeCollection(@Nullable String absPath)Returns thePrivilegeCollectionfor editing session at the given absolute path, which must be an existing node.@NotNull PrivilegeCollectiongetPrivilegeCollection(@Nullable String absPath, @NotNull Set<Principal> principals)Returns thePrivilegeCollectionfor the given set of principals at the given absolute path, which must be an existing node.protected @NotNull PrivilegeManagergetPrivilegeManager()@NotNull Privilege[]getPrivileges(@Nullable String absPath)@NotNull Privilege[]getPrivileges(@Nullable String absPath, @NotNull Set<Principal> principals)Returns the privileges the given set ofPrincipals has for absolute pathabsPath, which must be an existing node.protected @NotNull RootgetRoot()@NotNull Privilege[]getSupportedPrivileges(@Nullable String absPath)protected @NotNull TreegetTree(@Nullable String oakPath, long permissions, boolean checkAcContent)booleanhasPrivileges(@Nullable String absPath, @NotNull Set<Principal> principals, @Nullable Privilege[] privileges)Returns whether the given set ofPrincipals has the specified privileges for absolute pathabsPath, which must be an existing node.booleanhasPrivileges(@Nullable String absPath, @Nullable Privilege[] privileges)@NotNull PrivilegeCollectionprivilegeCollectionFromNames(@NotNull String... privilegeNames)Returns thePrivilegeCollectionfor the specifiedprivilegeNames.@NotNull PrivilegeprivilegeFromName(@NotNull String privilegeName)-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface javax.jcr.security.AccessControlManager
getApplicablePolicies, getEffectivePolicies, getPolicies, removePolicy, setPolicy
-
Methods inherited from interface org.apache.jackrabbit.api.security.JackrabbitAccessControlManager
getApplicablePolicies, getEffectivePolicies, getEffectivePolicies, getPolicies
-
-
-
-
Constructor Detail
-
AbstractAccessControlManager
protected AbstractAccessControlManager(@NotNull @NotNull Root root, @NotNull @NotNull NamePathMapper namePathMapper, @NotNull @NotNull SecurityProvider securityProvider)
-
-
Method Detail
-
getSupportedPrivileges
@NotNull public @NotNull Privilege[] getSupportedPrivileges(@Nullable @Nullable String absPath) throws RepositoryException
- Specified by:
getSupportedPrivilegesin interfaceAccessControlManager- Throws:
RepositoryException
-
privilegeFromName
@NotNull public @NotNull Privilege privilegeFromName(@NotNull @NotNull String privilegeName) throws RepositoryException
- Specified by:
privilegeFromNamein interfaceAccessControlManager- Throws:
RepositoryException
-
hasPrivileges
public boolean hasPrivileges(@Nullable @Nullable String absPath, @Nullable @Nullable Privilege[] privileges) throws RepositoryException- Specified by:
hasPrivilegesin interfaceAccessControlManager- Throws:
RepositoryException
-
getPrivileges
@NotNull public @NotNull Privilege[] getPrivileges(@Nullable @Nullable String absPath) throws RepositoryException
- Specified by:
getPrivilegesin interfaceAccessControlManager- Throws:
RepositoryException
-
hasPrivileges
public boolean hasPrivileges(@Nullable @Nullable String absPath, @NotNull @NotNull Set<Principal> principals, @Nullable @Nullable Privilege[] privileges) throws RepositoryExceptionDescription copied from interface:JackrabbitAccessControlManagerReturns whether the given set ofPrincipals has the specified privileges for absolute pathabsPath, which must be an existing node.Testing an aggregate privilege is equivalent to testing each non aggregate privilege among the set returned by calling
Privilege.getAggregatePrivileges()for that privilege.The results reported by the this method reflect the net effect of the currently applied control mechanisms. It does not reflect unsaved access control policies or unsaved access control entries. Changes to access control status caused by these mechanisms only take effect on
Session.save()and are only then reflected in the results of the privilege test methods.Since this method allows to view the privileges of principals other than included in the editing session, this method must throw
AccessDeniedExceptionif the session lacksREAD_ACCESS_CONTROLprivilege for theabsPathnode.- Specified by:
hasPrivilegesin interfaceJackrabbitAccessControlManager- Parameters:
absPath- an absolute path.principals- a set ofPrincipals for which is the given privileges are tested.privileges- an array ofPrivileges.- Returns:
trueif the session has the specified privileges;falseotherwise.- Throws:
PathNotFoundException- if no node atabsPathexists or the session does not have sufficient access to retrieve a node at that location.AccessDeniedException- if the session lacksREAD_ACCESS_CONTROLprivilege for theabsPathnode.RepositoryException- if another error occurs.
-
getPrivileges
@NotNull public @NotNull Privilege[] getPrivileges(@Nullable @Nullable String absPath, @NotNull @NotNull Set<Principal> principals) throws RepositoryException
Description copied from interface:JackrabbitAccessControlManagerReturns the privileges the given set ofPrincipals has for absolute pathabsPath, which must be an existing node.The returned privileges are those for which
JackrabbitAccessControlManager.hasPrivileges(java.lang.String, java.util.Set<java.security.Principal>, javax.jcr.security.Privilege[])would returntrue.The results reported by the this method reflect the net effect of the currently applied control mechanisms. It does not reflect unsaved access control policies or unsaved access control entries. Changes to access control status caused by these mechanisms only take effect on
Session.save()and are only then reflected in the results of the privilege test methods.Since this method allows to view the privileges of principals other than included in the editing session, this method must throw
AccessDeniedExceptionif the session lacksREAD_ACCESS_CONTROLprivilege for theabsPathnode.Note that this method does not resolve any group membership, as this is the job of the user manager. nor does it augment the set with the "everyone" principal.
- Specified by:
getPrivilegesin interfaceJackrabbitAccessControlManager- Parameters:
absPath- an absolute path.principals- a set ofPrincipals for which is the privileges are retrieved.- Returns:
- an array of
Privileges. - Throws:
PathNotFoundException- if no node atabsPathexists or the session does not have sufficient access to retrieve a node at that location.AccessDeniedException- if the session lacksREAD_ACCESS_CONTROLprivilege for theabsPathnode.RepositoryException- if another error occurs.
-
getPrivilegeCollection
@NotNull public @NotNull PrivilegeCollection getPrivilegeCollection(@Nullable @Nullable String absPath) throws RepositoryException
Description copied from interface:JackrabbitAccessControlManagerReturns the
PrivilegeCollectionfor editing session at the given absolute path, which must be an existing node. This is equivalent toAccessControlManager.getPrivileges(String)andAccessControlManager.hasPrivileges(String, Privilege[])but allows for easy resolution of aggregated privileges (like e.g. jcr:all) and repeated evaluation if the editing session has privileges granted at the given target node.Note: For backwards compatibility this method comes with a default implementation that computes the
PrivilegeCollectionusing regular JCR/Jackrabbit API, which might not be efficient. Implementations ofJackrabbitAccessControlManagerare therefore expected to overwrite the default.- Specified by:
getPrivilegeCollectionin interfaceJackrabbitAccessControlManager- Parameters:
absPath- An absolute path to an existing JCR node.- Returns:
- A
PrivilegeCollectionwrapping around the privileges granted for the editing session at absPath. - Throws:
PathNotFoundException- if no node atabsPathexists or the session does not have sufficient access to retrieve a node at that location.RepositoryException- If another error occurs.
-
getPrivilegeCollection
@NotNull public @NotNull PrivilegeCollection getPrivilegeCollection(@Nullable @Nullable String absPath, @NotNull @NotNull Set<Principal> principals) throws RepositoryException
Description copied from interface:JackrabbitAccessControlManagerReturns the
PrivilegeCollectionfor the given set of principals at the given absolute path, which must be an existing node. This is equivalent toJackrabbitAccessControlManager.getPrivileges(String,Set)andJackrabbitAccessControlManager.hasPrivileges(String, Set, Privilege[])but allows for easy resolution of aggregated privileges (like e.g. jcr:all) and repeated evaluation if the editing session has privileges granted at the given target node.Note: For backwards compatibility this method comes with a default implementation that computes the
PrivilegeCollectionusing regular JCR/Jackrabbit API, which might not be efficient. Implementations ofJackrabbitAccessControlManagerare therefore expected to overwrite the default.- Specified by:
getPrivilegeCollectionin interfaceJackrabbitAccessControlManager- Parameters:
absPath- An absolute path to an existing JCR node.principals- A set of principals for which thePrivilegeCollectionshould be created.- Returns:
- A
PrivilegeCollectionwrapping around the privileges granted for the editing session at absPath. - Throws:
PathNotFoundException- if no node atabsPathexists or the session does not have sufficient access to retrieve a node at that location.AccessDeniedException- if the session lacksREAD_ACCESS_CONTROLprivilege for theabsPathnode.RepositoryException- If another error occurs.
-
privilegeCollectionFromNames
@NotNull public @NotNull PrivilegeCollection privilegeCollectionFromNames(@NotNull @NotNull String... privilegeNames) throws RepositoryException
Description copied from interface:JackrabbitAccessControlManagerReturns the
PrivilegeCollectionfor the specifiedprivilegeNames. Since the privilege names are JCR names, they may be passed in either qualified or expanded form (see specification for details on JCR names).Note: For backwards compatibility this method comes with a default implementation that computes the
PrivilegeCollectionusing regular JCR/Jackrabbit API, which might not be efficient. Implementations ofJackrabbitAccessControlManagerare therefore expected to overwrite the default.- Specified by:
privilegeCollectionFromNamesin interfaceJackrabbitAccessControlManager- Parameters:
privilegeNames- the names of existing privilege.- Returns:
- the
PrivilegeCollectionrepresenting the specifiedprivilegeNames. - Throws:
AccessControlException- if no privilege with any of the specified names exists.RepositoryException- If another error occurs.
-
getConfig
@NotNull protected @NotNull AuthorizationConfiguration getConfig()
-
getRoot
@NotNull protected @NotNull Root getRoot()
-
getLatestRoot
@NotNull protected @NotNull Root getLatestRoot()
-
getNamePathMapper
@NotNull protected @NotNull NamePathMapper getNamePathMapper()
-
getPrivilegeManager
@NotNull protected @NotNull PrivilegeManager getPrivilegeManager()
-
getPrivilegeBitsProvider
@NotNull protected @NotNull PrivilegeBitsProvider getPrivilegeBitsProvider()
-
getOakPath
@Nullable protected @Nullable String getOakPath(@Nullable @Nullable String jcrPath) throws RepositoryException
- Throws:
RepositoryException
-
getOakPaths
@NotNull protected @NotNull Collection<String> getOakPaths(@Nullable @Nullable String... jcrPaths) throws RepositoryException
- Throws:
RepositoryException
-
getTree
@NotNull protected @NotNull Tree getTree(@Nullable @Nullable String oakPath, long permissions, boolean checkAcContent) throws RepositoryException
- Throws:
RepositoryException
-
getPermissionProvider
@NotNull protected @NotNull PermissionProvider getPermissionProvider()
-
-