org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol

Class AbstractAccessControlManager

java.lang.Object

org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager

All Implemented Interfaces:

JackrabbitAccessControlManager, AccessControlConstants

public abstract class AbstractAccessControlManager
extends java.lang.Object
implements JackrabbitAccessControlManager, AccessControlConstants

Default implementation of the JackrabbitAccessControlManager interface. This implementation covers both editing access control content by path and by Principal resulting both in the same content structure.

Field Summary

Fields inherited from interface org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants

AC_NODETYPE_NAMES, ACE_PROPERTY_NAMES, MIX_REP_ACCESS_CONTROLLABLE, MIX_REP_REPO_ACCESS_CONTROLLABLE, NT_REP_ACE, NT_REP_ACL, NT_REP_DENY_ACE, NT_REP_GRANT_ACE, NT_REP_POLICY, NT_REP_RESTRICTIONS, PARAM_RESTRICTION_PROVIDER, POLICY_NODE_NAMES, REP_GLOB, REP_ITEM_NAMES, REP_NODE_PATH, REP_NT_NAMES, REP_POLICY, REP_PREFIXES, REP_PRINCIPAL_NAME, REP_PRIVILEGES, REP_REPO_POLICY, REP_RESTRICTIONS

Method Summary

Modifier and Type	Method and Description
Privilege[]	getPrivileges(java.lang.String absPath)
Privilege[]	getPrivileges(java.lang.String absPath, java.util.Set<java.security.Principal> principals) Returns the privileges the given set of Principals has for absolute path absPath, which must be an existing node.
Privilege[]	getSupportedPrivileges(java.lang.String absPath)
boolean	hasPrivileges(java.lang.String absPath, Privilege[] privileges)
boolean	hasPrivileges(java.lang.String absPath, java.util.Set<java.security.Principal> principals, Privilege[] privileges) Returns whether the given set of Principals has the specified privileges for absolute path absPath, which must be an existing node.
Privilege	privilegeFromName(java.lang.String privilegeName)

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.jackrabbit.api.security.JackrabbitAccessControlManager

getApplicablePolicies, getEffectivePolicies, getPolicies

Method Detail

getSupportedPrivileges

public Privilege[] getSupportedPrivileges(java.lang.String absPath)
                                   throws RepositoryException

Throws:

RepositoryException

privilegeFromName

public Privilege privilegeFromName(java.lang.String privilegeName)
                            throws RepositoryException

Throws:

RepositoryException

hasPrivileges

public boolean hasPrivileges(java.lang.String absPath,
                             Privilege[] privileges)
                      throws RepositoryException

Throws:

RepositoryException

getPrivileges

public Privilege[] getPrivileges(java.lang.String absPath)
                          throws RepositoryException

Throws:

RepositoryException

hasPrivileges

public boolean hasPrivileges(java.lang.String absPath,
                             java.util.Set<java.security.Principal> principals,
                             Privilege[] privileges)
                      throws RepositoryException

Description copied from interface: JackrabbitAccessControlManager

Returns whether the given set of Principals has the specified privileges for absolute path absPath, which must be an existing node.

Testing an aggregate privilege is equivalent to testing each non aggregate privilege among the set returned by calling Privilege.getAggregatePrivileges() for that privilege.

The results reported by the this method reflect the net effect of the currently applied control mechanisms. It does not reflect unsaved access control policies or unsaved access control entries. Changes to access control status caused by these mechanisms only take effect on Session.save() and are only then reflected in the results of the privilege test methods.

Since this method allows to view the privileges of principals other than included in the editing session, this method must throw AccessDeniedException if the session lacks READ_ACCESS_CONTROL privilege for the absPath node.

Specified by:

hasPrivileges in interface JackrabbitAccessControlManager

Parameters:

absPath - an absolute path.

principals - a set of Principals for which is the given privileges are tested.

privileges - an array of Privileges.

Returns:

true if the session has the specified privileges; false otherwise.

Throws:

RepositoryException - if another error occurs.

getPrivileges

public Privilege[] getPrivileges(java.lang.String absPath,
                                 java.util.Set<java.security.Principal> principals)
                          throws RepositoryException

Description copied from interface: JackrabbitAccessControlManager

Returns the privileges the given set of Principals has for absolute path absPath, which must be an existing node.

The returned privileges are those for which JackrabbitAccessControlManager.hasPrivileges(java.lang.String, java.util.Set<java.security.Principal>, Privilege[]) would return true.

The results reported by the this method reflect the net effect of the currently applied control mechanisms. It does not reflect unsaved access control policies or unsaved access control entries. Changes to access control status caused by these mechanisms only take effect on Session.save() and are only then reflected in the results of the privilege test methods.

Since this method allows to view the privileges of principals other than included in the editing session, this method must throw AccessDeniedException if the session lacks READ_ACCESS_CONTROL privilege for the absPath node.

Note that this method does not resolve any group membership, as this is the job of the user manager. nor does it augment the set with the "everyone" principal.

Specified by:

getPrivileges in interface JackrabbitAccessControlManager

Parameters:

absPath - an absolute path.

principals - a set of Principals for which is the privileges are retrieved.

Returns:

an array of Privileges.

Throws:

RepositoryException - if another error occurs.