Interface AccessControlConstants
-
- All Known Implementing Classes:
AbstractAccessControlManager
,AbstractRestrictionProvider
,AccessControlImporter
,AccessControlManagerImpl
,MountPermissionProvider
,PermissionHook
,PermissionProviderImpl
,PrincipalRestrictionProvider
,RestrictionProviderImpl
public interface AccessControlConstants
Constants for the default access control management implementation and and for built-in access control related node types.
-
-
Field Summary
Fields Modifier and Type Field Description static Collection<String>
AC_NODETYPE_NAMES
static Collection<String>
ACE_PROPERTY_NAMES
static String
MIX_REP_ACCESS_CONTROLLABLE
static String
MIX_REP_REPO_ACCESS_CONTROLLABLE
static String
NT_REP_ACE
static String
NT_REP_ACL
static String
NT_REP_DENY_ACE
static String
NT_REP_GRANT_ACE
static String
NT_REP_POLICY
static String
NT_REP_RESTRICTIONS
static String
PARAM_RESTRICTION_PROVIDER
static Collection<String>
POLICY_NODE_NAMES
static String
REP_CURRENT
Name of the optional multivalued access control restriction that limits access to a single level i.e.static String
REP_GLOB
static String
REP_GLOBS
Name of the optional multi-valued access control restriction that allows to combine more than oneREP_GLOB
restriction.static String
REP_ITEM_NAMES
Name of the optional multivalued access control restriction by item name.static String
REP_NODE_PATH
static String
REP_NT_NAMES
Name of the optional multivalued access control restriction by node type name.static String
REP_POLICY
static String
REP_PREFIXES
Name of the optional multivalued access control restriction which matches by name space prefix.static String
REP_PRINCIPAL_NAME
static String
REP_PRIVILEGES
static String
REP_REPO_POLICY
static String
REP_RESTRICTIONS
static String
REP_SUBTREES
Name of the optional multi-valued access control restriction that allows to limit the effect to one or multiple subtrees.
-
-
-
Field Detail
-
REP_POLICY
static final String REP_POLICY
- See Also:
- Constant Field Values
-
REP_REPO_POLICY
static final String REP_REPO_POLICY
- See Also:
- Constant Field Values
-
REP_PRIVILEGES
static final String REP_PRIVILEGES
- See Also:
- Constant Field Values
-
REP_PRINCIPAL_NAME
static final String REP_PRINCIPAL_NAME
- See Also:
- Constant Field Values
-
REP_GLOB
static final String REP_GLOB
- See Also:
- Constant Field Values
-
REP_NODE_PATH
static final String REP_NODE_PATH
- See Also:
- Constant Field Values
-
REP_NT_NAMES
static final String REP_NT_NAMES
Name of the optional multivalued access control restriction by node type name. The corresponding restriction type isType.NAMES
.- Since:
- OAK 1.0
- See Also:
- Constant Field Values
-
REP_PREFIXES
static final String REP_PREFIXES
Name of the optional multivalued access control restriction which matches by name space prefix. The corresponding restriction type isType.STRINGS
.- Since:
- OAK 1.0
- See Also:
- Constant Field Values
-
REP_ITEM_NAMES
static final String REP_ITEM_NAMES
Name of the optional multivalued access control restriction by item name. The corresponding restriction type isType.NAMES
.- Since:
- OAK 1.3.8
- See Also:
- Constant Field Values
-
REP_CURRENT
static final String REP_CURRENT
Name of the optional multivalued access control restriction that limits access to a single level i.e. the target node where the access control entry takes effect and optionally all or a subset of it's properties. An empty value array will make this restriction matching the target node only (i.e. equivalent to rep:glob=""). An array of property names will extend the effect of the restriction to properties of the target node that match the specified names. The
residual name '*'
will match the target node and all it's properties.The corresponding restriction type is
Type.STRINGS
Note: due to the support of
NodeTypeConstants.RESIDUAL_NAME
, which isn't a valid JCR name, this restriction is defined to be ofType.STRINGS
instead ofType.NAMES
. Like the rep:glob restriction it will therefore not work with expanded JCR names or with remapped namespace prefixes.Note: In case of permission evaluation for a path pointing to a non-existing JCR item (see e.g.
Example:Session.hasPermission(String, String)
) a best-effort attempt is made to determine if the path may point to a property, default being that the path points to a non-existing node.rep:current = [] => restriction applies to the target node only rep:current = [*] => restriction applies to the target node and all it's properties rep:current = [jcr:primaryType] => restriction applies to the target node and it's property jcr:primaryType rep:current = [a, b, prefix:c] => restriction applies to the target node and it's properties a, b and prefix:c
- Since:
- OAK 1.42.0
- See Also:
- Constant Field Values
-
REP_GLOBS
static final String REP_GLOBS
Name of the optional multi-valued access control restriction that allows to combine more than one
REP_GLOB
restriction. The effect is equivalent to defining multiple access control entries with a singleREP_GLOB
restriction each and will match a given path or item if any of the specified glob-values matches.Note, that an empty value array will never match any path/item.
The corresponding restriction type is
Type.STRINGS
- See Also:
- Constant Field Values
-
REP_SUBTREES
static final String REP_SUBTREES
Name of the optional multi-valued access control restriction that allows to limit the effect to one or multiple subtrees. It is a simplified variant of the common pattern using 2
REP_GLOB
wildcard patterns to grant or deny access on a particular node in the subtree and all its descendent items.NodePath = "/foo" Restriction | Matches ----------------------------------------------------------------------------- /cat | all descendants of /foo whose path ends with "/cat" or that have an intermediate segment /cat/ /cat/ | all descendants of /foo that have an intermediate segment /cat/ cat | all siblings or descendants of /foo whose path ends with "cat" or that have an intermediate segment ending with "cat" cat/ | all siblings or descendants of /foo that have an intermediate segment ending with "cat"
Note, that variants of 'cat'-paths could also consist of multiple segments like e.g. '/cat/dog' or '/cat/dog'
Note, that in contrast to
no wildcard characters are used to specify the restriction.REP_GLOB
Note, that an empty value array will never match any path/item.
Note, that null values and empty string values will be omitted.
- See Also:
- Constant Field Values
-
REP_RESTRICTIONS
static final String REP_RESTRICTIONS
- Since:
- OAK 1.0
- See Also:
- Constant Field Values
-
MIX_REP_ACCESS_CONTROLLABLE
static final String MIX_REP_ACCESS_CONTROLLABLE
- See Also:
- Constant Field Values
-
MIX_REP_REPO_ACCESS_CONTROLLABLE
static final String MIX_REP_REPO_ACCESS_CONTROLLABLE
- See Also:
- Constant Field Values
-
NT_REP_POLICY
static final String NT_REP_POLICY
- See Also:
- Constant Field Values
-
NT_REP_ACL
static final String NT_REP_ACL
- See Also:
- Constant Field Values
-
NT_REP_ACE
static final String NT_REP_ACE
- See Also:
- Constant Field Values
-
NT_REP_GRANT_ACE
static final String NT_REP_GRANT_ACE
- See Also:
- Constant Field Values
-
NT_REP_DENY_ACE
static final String NT_REP_DENY_ACE
- See Also:
- Constant Field Values
-
NT_REP_RESTRICTIONS
static final String NT_REP_RESTRICTIONS
- Since:
- OAK 1.0
- See Also:
- Constant Field Values
-
POLICY_NODE_NAMES
static final Collection<String> POLICY_NODE_NAMES
-
ACE_PROPERTY_NAMES
static final Collection<String> ACE_PROPERTY_NAMES
-
AC_NODETYPE_NAMES
static final Collection<String> AC_NODETYPE_NAMES
-
PARAM_RESTRICTION_PROVIDER
static final String PARAM_RESTRICTION_PROVIDER
- See Also:
- Constant Field Values
-
-