org.apache.jackrabbit.core.security.user
Class UserAccessControlProvider

java.lang.Object
  org.apache.jackrabbit.core.security.authorization.AbstractAccessControlProvider
      org.apache.jackrabbit.core.security.user.UserAccessControlProvider

All Implemented Interfaces:

AccessControlProvider, AccessControlUtils

public class UserAccessControlProvider
extends AbstractAccessControlProvider

Implementation of the AccessControlProvider interface that is used to protected the 'security workspace' containing the user and group data. It applies special care to make sure that modifying user data (e.g. password), group membership and impersonation is properly controlled.

This provider creates upon initialization the following 2 groups:

• User administrator
• Group administrator

The default access control policy defined by this provider has the following characteristics:

• everybody has READ permission to all items,
• every known user is allowed to modify it's own properties except for her/his group membership,
• members of the 'User administrator' group are allowed to create, modify and remove users,
• members of the 'Group administrator' group are allowed to create, modify and remove groups,
• group membership can only be edited by members of the 'Group administrator' and the 'User administrator' group.

Field Summary

static String	AUTHORIZABLES_PATH
static String	GROUP_ADMIN_GROUP_NAME Configuration key and default value for the the name of the 'GroupAdmin' group-principal
static String	GROUPS_PATH
static Name	MIX_REP_IMPERSONATABLE
static NameFactory	NF
static Name	NT_REP_AUTHORIZABLE
static Name	NT_REP_AUTHORIZABLE_FOLDER
static Name	NT_REP_GROUP
static Name	NT_REP_USER
static Name	P_GROUPS Deprecated. As of 2.0 group membership is stored with the group node.
static Name	P_IMPERSONATORS Name of the user property containing the principal names of those allowed to impersonate.
static Name	P_MEMBERS
static Name	P_PASSWORD
static Name	P_PRINCIPAL_NAME
static Name	P_USERID Deprecated. As of 2.0 the id-hash is stored with the jcr:uuid making the rep:userId property redundant. It has been removed from the node type definition.
static String	SECURITY_ROOT_PATH root-path to security related content e.g.
static String	USER_ADMIN_GROUP_NAME Configuration key and default value for the the name of the 'UserAdmin' group-principal.
static String	USERS_PATH

Fields inherited from class org.apache.jackrabbit.core.security.authorization.AbstractAccessControlProvider

observationMgr, PARAM_OMIT_DEFAULT_PERMISSIONS, privAll, privRead, resolver, session

Constructor Summary

UserAccessControlProvider()

Method Summary

boolean	canAccessRoot(Set<Principal> principals) Returns true if the given set of principals can access the root node of the workspace this provider has been built for; false otherwise.
CompiledPermissions	compilePermissions(Set<Principal> principals) Compiles the effective policy for the specified set of Principals.
AccessControlEditor	getEditor(Session session) Always returns null.
AccessControlPolicy[]	getEffectivePolicies(Path absPath) Returns the effective policies for the node at the given absPath.
void	init(Session systemSession, Map configuration) Tests if the given systemSession is a SessionImpl and retrieves the observation manager.
boolean	isAcItem(ItemImpl item) Always returns false, since this ac provider does not use content stored in items to evaluate AC information.
boolean	isAcItem(Path absPath) Always returns false, since this ac provider does not use content stored in items to evaluate AC information.

Methods inherited from class org.apache.jackrabbit.core.security.authorization.AbstractAccessControlProvider

checkInitialized, close, getAdminPermissions, getReadOnlyPermissions, isAdminOrSystem, isLive, isReadOnly

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

NF

public static final NameFactory NF

SECURITY_ROOT_PATH

public static final String SECURITY_ROOT_PATH

root-path to security related content e.g. principals

See Also:

Constant Field Values

AUTHORIZABLES_PATH

public static final String AUTHORIZABLES_PATH

See Also:

Constant Field Values

USERS_PATH

public static final String USERS_PATH

See Also:

Constant Field Values

GROUPS_PATH

public static final String GROUPS_PATH

See Also:

Constant Field Values

USER_ADMIN_GROUP_NAME

public static final String USER_ADMIN_GROUP_NAME

Configuration key and default value for the the name of the 'UserAdmin' group-principal.

See Also:

Constant Field Values

GROUP_ADMIN_GROUP_NAME

public static final String GROUP_ADMIN_GROUP_NAME

Configuration key and default value for the the name of the 'GroupAdmin' group-principal

See Also:

Constant Field Values

P_PRINCIPAL_NAME

public static final Name P_PRINCIPAL_NAME

P_USERID

public static final Name P_USERID

Deprecated. As of 2.0 the id-hash is stored with the jcr:uuid making the rep:userId property redundant. It has been removed from the node type definition.

P_PASSWORD

public static final Name P_PASSWORD

P_GROUPS

public static final Name P_GROUPS

Deprecated. As of 2.0 group membership is stored with the group node.

See Also:

P_MEMBERS

P_MEMBERS

public static final Name P_MEMBERS

P_IMPERSONATORS

public static final Name P_IMPERSONATORS

Name of the user property containing the principal names of those allowed to impersonate.

NT_REP_AUTHORIZABLE

public static final Name NT_REP_AUTHORIZABLE

NT_REP_AUTHORIZABLE_FOLDER

public static final Name NT_REP_AUTHORIZABLE_FOLDER

NT_REP_USER

public static final Name NT_REP_USER

NT_REP_GROUP

public static final Name NT_REP_GROUP

MIX_REP_IMPERSONATABLE

public static final Name MIX_REP_IMPERSONATABLE

Constructor Detail

UserAccessControlProvider

public UserAccessControlProvider()

Method Detail

isAcItem

public boolean isAcItem(Path absPath)
                 throws RepositoryException

Always returns false, since this ac provider does not use content stored in items to evaluate AC information.

Specified by:

isAcItem in interface AccessControlUtils

Parameters:

absPath - Path to an item.

Returns:

true if the item at the specified absPath contains access control information.

Throws:

RepositoryException - If an error occurs.

See Also:

AccessControlUtils.isAcItem(Path)

isAcItem

public boolean isAcItem(ItemImpl item)
                 throws RepositoryException

Always returns false, since this ac provider does not use content stored in items to evaluate AC information.

Specified by:

isAcItem in interface AccessControlUtils

Parameters:

item - An item.

Returns:

true if the item at the specified item defines access control related information is should therefore be considered protected.

Throws:

RepositoryException - If an error occurs.

See Also:

AccessControlUtils.isAcItem(ItemImpl)

init

public void init(Session systemSession,
                 Map configuration)
          throws RepositoryException

Description copied from class: AbstractAccessControlProvider

Tests if the given systemSession is a SessionImpl and retrieves the observation manager. The it sets the internal 'initialized' field to true.

Specified by:

init in interface AccessControlProvider

Overrides:

init in class AbstractAccessControlProvider

Parameters:

systemSession - System session.

configuration - Configuration used to initialize this provider.

Throws:

RepositoryException - If the specified session is not a SessionImpl or if retrieving the observation manager fails.

See Also:

AccessControlProvider.init(Session, Map)

getEffectivePolicies

public AccessControlPolicy[] getEffectivePolicies(Path absPath)
                                           throws ItemNotFoundException,
                                                  RepositoryException

Description copied from interface: AccessControlProvider

Returns the effective policies for the node at the given absPath.

Specified by:

getEffectivePolicies in interface AccessControlProvider

Parameters:

absPath - an absolute path.

Returns:

The effective policies that apply at absPath or an empty array if the implementation cannot determine the effective policy at the given path.

Throws:

ItemNotFoundException - If no Node with the specified absPath exists.

RepositoryException - If another error occurs.

See Also:

AccessControlProvider.getEffectivePolicies(Path)

getEditor

public AccessControlEditor getEditor(Session session)

Always returns null.

Specified by:

getEditor in interface AccessControlProvider

Parameters:

session - The editing session.

Returns:

the ACL editor or null.

See Also:

AccessControlProvider.getEditor(Session)

compilePermissions

public CompiledPermissions compilePermissions(Set<Principal> principals)
                                       throws RepositoryException

Description copied from interface: AccessControlProvider

Compiles the effective policy for the specified set of Principals.

Specified by:

compilePermissions in interface AccessControlProvider

Parameters:

principals - Set of principals to compile the permissions for. If the order of evaluating permissions for principals is meaningful, the caller is adviced to pass a Set that respects the order of insertion.

Returns:

The effective, compiled CompiledPolicy that applies for the specified set of principals.

Throws:

RepositoryException - If an error occurs.

See Also:

AccessControlProvider.compilePermissions(Set)

canAccessRoot

public boolean canAccessRoot(Set<Principal> principals)
                      throws RepositoryException

Description copied from interface: AccessControlProvider

Returns true if the given set of principals can access the root node of the workspace this provider has been built for; false otherwise.

Specified by:

canAccessRoot in interface AccessControlProvider

Parameters:

principals - Set of principals to be tested for being allowed to access the root node.

Returns:

true if the given set of principals can access the root node of the workspace this provider has been built for; false otherwise.

Throws:

RepositoryException - If an error occurs.

See Also:

AccessControlProvider.canAccessRoot(Set)