
Privilege Management

JCR API

As of JSR 283 the API contains the following privilege related interfaces and methods:

  • Privilege: exposes the name and characteristics of a given privilege and provides constants for privilege names defined by JCR.
  • AccessControlManager.getSupportedPrivileges(String) (see also PrivilegeManager.getRegisteredPrivileges())
  • AccessControlManager.privilegeFromName(String) equivalent to PrivilegeManager.getPrivilege(String)

Jackrabbit API

Privilege management is outside the scope of JCR and is therefore provided by extensions defined by the Jackrabbit API. It consists of a single interface:

  • PrivilegeManager: privilege discovery and registration of new custom privileges.
    • getRegisteredPrivileges()
    • getPrivilege(String)
    • registerPrivilege(String, boolean, String[])
  • PrivilegeCollection: Wraps around a set of privileges allowing for testing if one or multiple privilege names are part of the given set without having to manually resolve the aggregation. Since Oak 1.42.0. For additional details see OAK-9494 as well as JackrabbitAccessControlManager.getPrivilegeCollection(String) and JackrabbitAccessControlManager.getPrivilegeCollection(String,Set).

Examples

Access PrivilegeManager in JCR

// javax.jcr.Workspace does not declare getPrivilegeManager(); cast to JackrabbitWorkspace
PrivilegeManager privilegeManager = ((JackrabbitWorkspace) session.getWorkspace()).getPrivilegeManager();

Access PrivilegeManager in Oak

Root root = contentSession.getLatestRoot();
PrivilegeConfiguration config = securityProvider.getConfiguration(PrivilegeConfiguration.class);
PrivilegeManager privilegeManager = config.getPrivilegeManager(root, namePathMapper);

Register Custom Privilege

PrivilegeManager privilegeManager = ((JackrabbitWorkspace) session.getWorkspace()).getPrivilegeManager();
String privilegeName = ...
boolean isAbstract = ...
String[] declaredAggregateNames = ...
// NOTE: workspace operation that doesn't require Session#save()
privilegeManager.registerPrivilege(privilegeName, isAbstract, declaredAggregateNames);
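
The following is an added example, not taken from the Oak documentation or code base. It registers an aggregate custom privilege idempotently, refuses to reuse an existing privilege of the same name whose definition differs, and tests for the privilege through PrivilegeCollection. The privilege name exampleReview and the class and method names are hypothetical; it assumes a session that is permitted to register privileges and that uses the default jcr prefix mapping.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitWorkspace;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.authorization.PrivilegeCollection;
import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;

public final class CustomPrivilegeExample {
    // Hypothetical privilege name, chosen for this example only.
    static final String REVIEW = "exampleReview";
    // Built-in JCR privileges the custom privilege aggregates.
    static final String[] AGGREGATES = {"jcr:read", "jcr:versionManagement"};

    /** Registers REVIEW unless it exists; rejects an existing definition that differs. */
    static Privilege ensureRegistered(Session session) throws RepositoryException {
        PrivilegeManager pm = ((JackrabbitWorkspace) session.getWorkspace()).getPrivilegeManager();
        Privilege p;
        try {
            p = pm.getPrivilege(REVIEW);
        } catch (AccessControlException notRegistered) {
            // Workspace operation: effective without Session#save().
            return pm.registerPrivilege(REVIEW, false, AGGREGATES);
        }
        // Same name with other aggregates would silently change what REVIEW grants.
        // Assumption: getName() returns the default-prefixed form, e.g. "jcr:read".
        Set<String> declared = new HashSet<>();
        for (Privilege a : p.getDeclaredAggregatePrivileges()) {
            declared.add(a.getName());
        }
        if (p.isAbstract() || !declared.equals(new HashSet<>(Arrays.asList(AGGREGATES)))) {
            throw new IllegalStateException(REVIEW + " exists with a different definition");
        }
        return p;
    }

    /** True if the privileges effective at absPath include REVIEW. */
    static boolean canReview(Session session, String absPath) throws RepositoryException {
        JackrabbitAccessControlManager acMgr =
                (JackrabbitAccessControlManager) session.getAccessControlManager();
        // PrivilegeCollection (Oak 1.42.0+) resolves the aggregation itself.
        PrivilegeCollection granted = acMgr.getPrivilegeCollection(absPath);
        return granted.includes(REVIEW);
    }
}
```

PrivilegeManager, as listed above, offers no method to remove a privilege, so settle the name and the aggregates before registering.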

API Extensions

  • PrivilegeConfiguration: Oak level entry point to retrieve PrivilegeManager and privilege related configuration options.
  • PrivilegeConstants: Constants related to privilege management such as Oak names of the built-in privileges.
  • PrivilegeBitsProvider : Internal provider to read PrivilegeBits from the repository content and map names to internal representation (and vice versa).
  • PrivilegeBits: Internal representation of JCR privileges.

Utilities

The jcr-commons module that ships with Jackrabbit provides some privilege-related utility methods:

  • AccessControlUtils
    • privilegesFromNames(Session session, String... privilegeNames)
    • privilegesFromNames(AccessControlManager accessControlManager, String... privilegeNames)

Oak Privilege Management Implementation

The behavior of the default privilege management implementation is described in section Privilege Management: The Default Implementation.

Configuration

The PrivilegeConfiguration is the Oak level entry point to obtain a new PrivilegeManager as well as privilege related configuration options. The default implementation of the PrivilegeManager interface is based on Oak API and can equally be used for privilege related tasks in the Oak layer.

Pluggability

Please note: While it is in theory possible to replace the default privilege management implementation in Oak, this is only recommended if you have in-depth knowledge and understanding of Jackrabbit/Oak internals and are familiar with the security risk associated with it. Doing so will most likely require a rewrite of the default access control and permission evaluation.

Further Reading