Package org.apache.jackrabbit.oak.spi.security.authorization.permission

Interface PermissionProvider

All Known Subinterfaces:

AggregatedPermissionProvider

All Known Implementing Classes:

AllPermissionProviderImpl, EmptyPermissionProvider, MountPermissionProvider, OpenPermissionProvider, PermissionProviderImpl

public interface PermissionProvider

Main entry point for permission evaluation in Oak. This provider covers permission validation upon read and write access on the Oak API as well as the various permission related methods defined by the JCR API, namely on AccessControlManager and Session.

See Also:

AuthorizationConfiguration.getPermissionProvider(org.apache.jackrabbit.oak.api.Root, String, java.util.Set)

Method Summary

Modifier and Type	Method	Description
@NotNull Set<String>	getPrivileges(@Nullable Tree tree)	Returns the set of privilege names which are granted to the set of Principals associated with this provider instance for the specified Tree.
@NotNull RepositoryPermission	getRepositoryPermission()	Return the RepositoryPermission for the set of Principals associated with this provider instance.
@NotNull TreePermission	getTreePermission(@NotNull Tree tree, @NotNull TreePermission parentPermission)	Return the TreePermission for the set of Principals associated with this provider at the specified tree.
boolean	hasPrivileges(@Nullable Tree tree, @NotNull String... privilegeNames)	Returns whether the principal set associated with this PrivilegeManager is granted the privileges identified by the specified privilege names for the given tree.
boolean	isGranted(@NotNull String oakPath, @NotNull String jcrActions)	Tests if the the specified actions are granted at the given path for the set of Principals associated with this provider instance.
boolean	isGranted(@NotNull Tree tree, @Nullable PropertyState property, long permissions)	Test if the specified permissions are granted for the set of Principals associated with this provider instance for the item identified by the given tree and optionally property.
void	refresh()	Refresh this PermissionProvider.

Method Detail

refresh

void refresh()

Refresh this PermissionProvider. The implementation is expected to subsequently return permission evaluation results that reflect the most recent revision of the repository.

getPrivileges

@NotNull
@NotNull Set<String> getPrivileges(@Nullable
                                   @Nullable Tree tree)

Returns the set of privilege names which are granted to the set of Principals associated with this provider instance for the specified Tree.

Parameters:

tree - The tree for which the privileges should be retrieved.

Returns:

set of privilege names

hasPrivileges

boolean hasPrivileges(@Nullable
                      @Nullable Tree tree,
                      @NotNull
                      @NotNull String... privilegeNames)

Returns whether the principal set associated with this PrivilegeManager is granted the privileges identified by the specified privilege names for the given tree. In order to test for privileges being granted on a repository level rather than on a particular tree a null tree should be passed to this method.

Testing a name identifying an aggregate privilege is equivalent to testing each non aggregate privilege name.

Parameters:

tree - The tree to test for privileges being granted.

privilegeNames - The name of the privileges.

Returns:

true if all privileges are granted; false otherwise.

getRepositoryPermission

@NotNull
@NotNull RepositoryPermission getRepositoryPermission()

Return the RepositoryPermission for the set of Principals associated with this provider instance.

Returns:

The RepositoryPermission for the set of Principals this provider instance has been created for.

getTreePermission

@NotNull
@NotNull TreePermission getTreePermission(@NotNull
                                          @NotNull Tree tree,
                                          @NotNull
                                          @NotNull TreePermission parentPermission)

Return the TreePermission for the set of Principals associated with this provider at the specified tree.

Parameters:

tree - The tree for which the TreePermission object should be built.

parentPermission - The TreePermission object that has been obtained before for the parent tree.

Returns:

The TreePermission object for the specified tree.

isGranted

boolean isGranted(@NotNull
                  @NotNull Tree tree,
                  @Nullable
                  @Nullable PropertyState property,
                  long permissions)

Test if the specified permissions are granted for the set of Principals associated with this provider instance for the item identified by the given tree and optionally property. This method will only return true if all permissions are granted.

Parameters:

tree - The Tree to test the permissions for.

property - A PropertyState if the item to test is a property or null if the item is a Tree.

permissions - The permissions to be tested.

Returns:

true if the specified permissions are granted for the item identified by the given tree and optionally property state.

isGranted

boolean isGranted(@NotNull
                  @NotNull String oakPath,
                  @NotNull
                  @NotNull String jcrActions)

Tests if the the specified actions are granted at the given path for the set of Principals associated with this provider instance.

The jcrActions parameter is a comma separated list of action strings such as defined by Session and passed to Session.hasPermission(String, String). When more than one action is specified in the jcrActions parameter, this method will only return true if all of them are granted on the specified path.

Parameters:

oakPath - A valid oak path.

jcrActions - The JCR actions that should be tested separated by ','

Returns:

true if all actions are granted at the specified path; false otherwise.