org.apache.jackrabbit.core.security.authorization.acl
Class ACLProvider

java.lang.Object
  org.apache.jackrabbit.core.security.authorization.AbstractAccessControlProvider
      org.apache.jackrabbit.core.security.authorization.acl.ACLProvider

All Implemented Interfaces:

AccessControlConstants, AccessControlProvider, AccessControlUtils

public class ACLProvider
extends AbstractAccessControlProvider
implements AccessControlConstants

The ACLProvider generates access control policies out of the items stored in the workspace applying the following rules:

• A Node is considered access controlled if an ACL has been explicitely assigned to it by adding the mixin type rep:AccessControllable and adding child node of type rep:acl that forms the acl.
• a Property is considered 'access controlled' if its parent Node is.
• An ACL is never assigned to a Property item.
• A Node that is not access controlled may inherit the ACL. The ACL is inherited from the closest access controlled ancestor.
• It may be possible that a given Node has no effective ACL, in which case some a default policy is returned that grants READ privilege to any principal and denies all other privileges.
• an item is considered an ACL item if it is used to define an ACL. ACL items inherit the ACL from node they defined the ACL for.

See Also:

for additional information.

Field Summary

Fields inherited from class org.apache.jackrabbit.core.security.authorization.AbstractAccessControlProvider

observationMgr, PARAM_OMIT_DEFAULT_PERMISSIONS, privAll, privRead, resolver, session

Fields inherited from interface org.apache.jackrabbit.core.security.authorization.AccessControlConstants

N_ACCESSCONTROL, N_POLICY, NF, NT_REP_ACCESS_CONTROL, NT_REP_ACCESS_CONTROLLABLE, NT_REP_ACE, NT_REP_ACL, NT_REP_DENY_ACE, NT_REP_GRANT_ACE, NT_REP_PRINCIPAL_ACCESS_CONTROL, P_PRINCIPAL_NAME, P_PRIVILEGES

Constructor Summary

ACLProvider()

Method Summary

boolean	canAccessRoot(Set<Principal> principals) Returns true if the given set of principals can access the root node of the workspace this provider has been built for; false otherwise.
CompiledPermissions	compilePermissions(Set<Principal> principals) Compiles the effective policy for the specified set of Principals.
AccessControlEditor	getEditor(Session session) Returns an AccessControlEditor for the given Session object or null if the implementation does not support editing of access control policies.
AccessControlPolicy[]	getEffectivePolicies(Path absPath) Returns the effective policies for the node at the given absPath.
void	init(Session systemSession, Map configuration) Tests if the given systemSession is a SessionImpl and retrieves the observation manager.
boolean	isAcItem(ItemImpl item) Test if the given node is itself a rep:ACL or a rep:ACE node.
boolean	isAcItem(Path absPath) Test if the specified path points to an item that defines AC information.
protected Iterator<AccessControlEntry>	retrieveResultEntries(NodeImpl node, List<String> principalNames) Retrieve an iterator of AccessControlEntry to be evaluated upon AbstractCompiledPermissions.buildResult(org.apache.jackrabbit.spi.Path).

Methods inherited from class org.apache.jackrabbit.core.security.authorization.AbstractAccessControlProvider

checkInitialized, close, getAdminPermissions, getReadOnlyPermissions, isAdminOrSystem, isLive, isReadOnly

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

ACLProvider

public ACLProvider()

Method Detail

isAcItem

public boolean isAcItem(Path absPath)
                 throws RepositoryException

Description copied from interface: AccessControlUtils

Test if the specified path points to an item that defines AC information.

Specified by:

isAcItem in interface AccessControlUtils

Parameters:

absPath - Path to an item.

Returns:

true if the item at the specified absPath contains access control information.

Throws:

RepositoryException - If an error occurs.

See Also:

AccessControlUtils.isAcItem(Path)

isAcItem

public boolean isAcItem(ItemImpl item)
                 throws RepositoryException

Test if the given node is itself a rep:ACL or a rep:ACE node.

Specified by:

isAcItem in interface AccessControlUtils

Parameters:

item - An item.

Returns:

true if the item at the specified item defines access control related information is should therefore be considered protected.

Throws:

RepositoryException - If an error occurs.

See Also:

AccessControlUtils.isAcItem(ItemImpl)

init

public void init(Session systemSession,
                 Map configuration)
          throws RepositoryException

Description copied from class: AbstractAccessControlProvider

Tests if the given systemSession is a SessionImpl and retrieves the observation manager. The it sets the internal 'initialized' field to true.

Specified by:

init in interface AccessControlProvider

Overrides:

init in class AbstractAccessControlProvider

Parameters:

systemSession - System session.

configuration - Configuration used to initialize this provider.

Throws:

RepositoryException - If the specified session is not a SessionImpl or if retrieving the observation manager fails.

See Also:

AccessControlProvider.init(Session, Map)

getEffectivePolicies

public AccessControlPolicy[] getEffectivePolicies(Path absPath)
                                           throws ItemNotFoundException,
                                                  RepositoryException

Description copied from interface: AccessControlProvider

Returns the effective policies for the node at the given absPath.

Specified by:

getEffectivePolicies in interface AccessControlProvider

Parameters:

absPath - absolute path

Returns:

The effective policies that apply at absPath or an empty array if the implementation cannot determine the effective policy at the given path.

Throws:

ItemNotFoundException - If no Node with the specified absPath exists.

RepositoryException - If another error occurs.

See Also:

AccessControlProvider.getEffectivePolicies(Path)

getEditor

public AccessControlEditor getEditor(Session session)

Description copied from interface: AccessControlProvider

Returns an AccessControlEditor for the given Session object or null if the implementation does not support editing of access control policies.

Specified by:

getEditor in interface AccessControlProvider

Parameters:

session - The editing session.

Returns:

the ACL editor or null.

See Also:

AccessControlProvider.getEditor(Session)

compilePermissions

public CompiledPermissions compilePermissions(Set<Principal> principals)
                                       throws RepositoryException

Description copied from interface: AccessControlProvider

Compiles the effective policy for the specified set of Principals.

Specified by:

compilePermissions in interface AccessControlProvider

Parameters:

principals - Set of principals to compile the permissions for. If the order of evaluating permissions for principals is meaningful, the caller is adviced to pass a Set that respects the order of insertion.

Returns:

The effective, compiled CompiledPolicy that applies for the specified set of principals.

Throws:

RepositoryException - If an error occurs.

See Also:

AccessControlProvider.compilePermissions(Set)

canAccessRoot

public boolean canAccessRoot(Set<Principal> principals)
                      throws RepositoryException

Description copied from interface: AccessControlProvider

Returns true if the given set of principals can access the root node of the workspace this provider has been built for; false otherwise.

Specified by:

canAccessRoot in interface AccessControlProvider

Parameters:

principals - Set of principals to be tested for being allowed to access the root node.

Returns:

true if the given set of principals can access the root node of the workspace this provider has been built for; false otherwise.

Throws:

RepositoryException - If an error occurs.

See Also:

AccessControlProvider.canAccessRoot(Set)

retrieveResultEntries

protected Iterator<AccessControlEntry> retrieveResultEntries(NodeImpl node,
                                                             List<String> principalNames)
                                                      throws RepositoryException

Retrieve an iterator of AccessControlEntry to be evaluated upon AbstractCompiledPermissions.buildResult(org.apache.jackrabbit.spi.Path).

Parameters:

node - Target node.

principalNames - List of principal names.

Returns:

an iterator of AccessControlEntry.

Throws:

RepositoryException - If an error occurs.