Interface AccessControlConstants

    • Field Detail

      • REP_NT_NAMES

        static final String REP_NT_NAMES
        Name of the optional multivalued access control restriction by node type name. The corresponding restriction type is Type.NAMES.
        Since:
        OAK 1.0
        See Also:
        Constant Field Values
      • REP_PREFIXES

        static final String REP_PREFIXES
        Name of the optional multivalued access control restriction which matches by namespace prefix. The corresponding restriction type is Type.STRINGS.
        Since:
        OAK 1.0
        See Also:
        Constant Field Values
      • REP_ITEM_NAMES

        static final String REP_ITEM_NAMES
        Name of the optional multivalued access control restriction by item name. The corresponding restriction type is Type.NAMES.
        Since:
        OAK 1.3.8
        See Also:
        Constant Field Values
      • REP_CURRENT

        static final String REP_CURRENT

        Name of the optional multivalued access control restriction that limits access to a single level, i.e. the target node where the access control entry takes effect and optionally all or a subset of its properties. An empty value array makes this restriction match the target node only (i.e. equivalent to rep:glob=""). An array of property names extends the effect of the restriction to properties of the target node that match the specified names. The residual name '*' matches the target node and all its properties.

        The corresponding restriction type is Type.STRINGS.

        Note: due to the support of NodeTypeConstants.RESIDUAL_NAME, which isn't a valid JCR name, this restriction is defined to be of Type.STRINGS instead of Type.NAMES. Like the rep:glob restriction it will therefore not work with expanded JCR names or with remapped namespace prefixes.

        Note: In case of permission evaluation for a path pointing to a non-existing JCR item (see e.g. Session.hasPermission(String, String)) a best-effort attempt is made to determine if the path may point to a property, default being that the path points to a non-existing node.

        Example:
         rep:current = []                => restriction applies to the target node only
         rep:current = [*]               => restriction applies to the target node and all its properties
         rep:current = [jcr:primaryType] => restriction applies to the target node and its property jcr:primaryType
         rep:current = [a, b, prefix:c]  => restriction applies to the target node and its properties a, b and prefix:c
         
        Since:
        OAK 1.42.0
        See Also:
        Constant Field Values
      • REP_GLOBS

        static final String REP_GLOBS

        Name of the optional multi-valued access control restriction that allows combining more than one REP_GLOB restriction. The effect is equivalent to defining multiple access control entries with a single REP_GLOB restriction each, and it will match a given path or item if any of the specified glob values matches.

        Note that an empty value array will never match any path/item.

        The corresponding restriction type is Type.STRINGS.

        See Also:
        Constant Field Values
      • REP_SUBTREES

        static final String REP_SUBTREES

        Name of the optional multi-valued access control restriction that allows limiting the effect to one or multiple subtrees. It is a simplified variant of the common pattern using 2 REP_GLOB wildcard patterns to grant or deny access on a particular node in the subtree and all its descendant items.

         NodePath = "/foo"
         Restriction   |   Matches
         -----------------------------------------------------------------------------
         /cat          |   all descendants of /foo whose path ends with "/cat" or that have an intermediate segment /cat/
         /cat/         |   all descendants of /foo that have an intermediate segment /cat/
         cat           |   all siblings or descendants of /foo whose path ends with "cat" or that have an intermediate segment ending with "cat"
         cat/          |   all siblings or descendants of /foo that have an intermediate segment ending with "cat"
         

        Note that variants of 'cat'-paths could also consist of multiple segments, e.g. '/cat/dog' or '/cat/dog'.

        Note that, in contrast to REP_GLOB, no wildcard characters are used to specify the restriction.

        Note that an empty value array will never match any path/item.

        Note that null values and empty string values will be omitted.

        See Also:
        Constant Field Values
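
The matching table for REP_SUBTREES can be checked with a small stand-alone model. This is an added example, not Oak's own code: the class and method names are hypothetical, and it assumes the restriction value is compared against the part of the item path that follows the node path, which is how the table's "siblings" rows are read here.

```java
import java.util.List;

// Added illustration: models the rep:subtrees table above. Not Oak's implementation.
public class SubtreesRestrictionModel {

    // nodePath: node holding the access control entry; subtrees: restriction values;
    // path: absolute path of the item being evaluated.
    static boolean matches(String nodePath, List<String> subtrees, String path) {
        // Assumption: the restriction is applied to the text that follows nodePath,
        // so a value without a leading slash can also reach siblings such as /foocat.
        if (!path.startsWith(nodePath)) {
            return false;
        }
        String rest = path.substring(nodePath.length());
        for (String value : subtrees) {
            if (value == null || value.isEmpty()) {
                continue; // null and empty string values are omitted
            }
            if (value.endsWith("/")) {
                // Trailing slash: only an intermediate segment matches.
                if (rest.contains(value)) {
                    return true;
                }
            } else if (rest.endsWith(value) || rest.contains(value + "/")) {
                // No trailing slash: the path may also end with the value.
                return true;
            }
        }
        return false; // an empty value array never matches
    }

    public static void main(String[] args) {
        // Constructed sample paths, evaluated for an entry on /foo.
        String[] paths = {"/foo/cat", "/foo/a/cat/b", "/foocat", "/foocat/b", "/foo/dog"};
        for (String value : new String[] {"/cat", "/cat/", "cat", "cat/"}) {
            for (String p : paths) {
                System.out.printf("%-6s %-13s %b%n", value, p, matches("/foo", List.of(value), p));
            }
        }
        System.out.println("[]     /foo/cat      " + matches("/foo", List.of(), "/foo/cat"));
    }
}
```

When reviewing access control entries, values without a leading slash deserve a second look, because under this reading they extend the entry beyond the descendants of the node it is defined on.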