Privilege Management
JCR API
As of JSR 283 the API contains the following privilege related interfaces and methods:
Privilege
: exposes the name and characteristics of a given privilege and provides constants for privilege names defined by JCR.AccessControlManager.getSupportedPrivileges(String)
(see alsoPrivilegeManager.getRegisteredPrivileges()
)AccessControlManager.privilegeFromName(String)
equivalent toPrivilegeManager.getPrivilege(String)
Jackrabbit API
Privilege management is outside of the scope provided by JCR and therefore provided by the extensions defined by the Jackrabbit API. It consists of a single interface:
- PrivilegeManager: privilege discovery and registration of new custom privileges.
getRegisteredPrivileges()
getPrivilege(String)
- `registerPrivilege(String, boolean, String[])
- PrivilegeCollection: Wraps around a set of privileges allowing for testing if one or multiple privilege
names are part of the given set without having to manually resolve the aggregation. Since Oak 1.42.0. For additional details
see OAK-9494 as well as
JackrabbitAccessControlManager.getPrivilegeCollection(String)
andJackrabbitAccessControlManager.getPrivilegeCollection(String,Set)
.
Examples
Access PrivilegeManager in JCR
PrivilegeManager privilegeManager = session.getWorkspace().getPrivilegeManager();
Access PrivilegeManager in Oak
Root root = contentSession.getLatestRoot();
PrivilegeConfiguration config = securityProvider.getConfiguration(PrivilegeConfiguration.class);
PrivilegeManager privilegeManage = config.getPrivilegeManager(root, namePathMapper));
Register Custom Privilege
PrivilegeManager privilegeManager = session.getWorkspace().getPrivilegeManager();
String privilegeName = ...
boolean isAbstract = ...
String[] declaredAggregateNames = ...
// NOTE: workspace operation that doesn't require Session#save()
privilegeManager.registerPrivilege(privilegeName, isAbstract, declaredAggregateNames);
API Extensions
- PrivilegeConfiguration : Oak level entry point to retrieve
PrivilegeManager
and privilege related configuration options. - PrivilegeConstants : Constants related to privilege management such as Oak names of the built-in privileges.
- PrivilegeBitsProvider : Internal provider to read
PrivilegeBits
from the repository content and map names to internal representation (and vice versa). - PrivilegeBits: Internal representation of JCR privileges.
Utilities
The jcr-commons module present with Jackrabbit provide some privilege related utility methods:
AccessControlUtils
privilegesFromNames(Session session, String... privilegeNames)
privilegesFromNames(AccessControlManager accessControlManager, String... privilegeNames)
Oak Privilege Management Implementation
The behavior of the default privilege management implementation is described in section Privilege Management: The Default Implementation.
Configuration
The PrivilegeConfiguration is the Oak level entry point to obtain a new
PrivilegeManager
as well as privilege related configuration options. The default
implementation of the PrivilegeManager
interface is based on Oak API and can
equally be used for privilege related tasks in the Oak layer.
Pluggability
Please note: While it's in theory possible to replace the default privilege management implementation in Oak, this is only recommended if you have in depth knowledge and understanding of Jackrabbit/Oak internals and are familiar with the security risk associated with it. Doing so, will most likely require a re-write of the default access control and permission evaluation.
Further Reading
- Differences wrt Jackrabbit 2.x
- Privilege Management : The Default Implementation
- Mapping Privileges to Items and API Calls
- Mapping JCR/Jackrabbit Actions