org.apache.jackrabbit.core.security.user
Class UserAccessControlProvider

java.lang.Object
  org.apache.jackrabbit.core.security.authorization.AbstractAccessControlProvider
      org.apache.jackrabbit.core.security.user.UserAccessControlProvider

All Implemented Interfaces:

AccessControlProvider, AccessControlUtils

public class UserAccessControlProvider
extends AbstractAccessControlProvider

Implementation of the AccessControlProvider interface that is used to protected the 'security workspace' containing the user and group data. It applies special care to make sure that modifying user data (e.g. password), group membership and impersonation is properly controlled.

This provider creates upon initialization the following 2 groups:

• User administrator
• Group administrator

The default access control policy defined by this provider has the following characteristics:

• everybody has READ permission to all items,
• every known user is allowed to modify it's own properties except for her/his group membership,
• members of the 'User administrator' group are allowed to create, modify and remove those users whose node representation is within the subtree defined by the node representation of the editing user,
• members of the 'Group administrator' group are allowed to create, modify and remove groups,
• group membership can only be edited by members of the 'Group administrator' and the 'User administrator' group. The range of users that can be added as member to any Group is limited to those that are editable according to the restrictions described above for the 'User administrator'.

Field Summary

static java.lang.String	AUTHORIZABLES_PATH
static java.lang.String	GROUP_ADMIN_GROUP_NAME Configuration key and default value for the the name of the 'GroupAdmin' group-principal
static java.lang.String	GROUPS_PATH
static NameFactory	NF
static Name	NT_REP_AUTHORIZABLE
static Name	NT_REP_AUTHORIZABLE_FOLDER
static Name	NT_REP_GROUP
static Name	NT_REP_USER
static Name	P_GROUPS
static Name	P_IMPERSONATORS Name of the user property containing the principal names of those allowed to impersonate.
static Name	P_PASSWORD
static Name	P_PRINCIPAL_NAME
static Name	P_REFEREES
static Name	P_USERID
static java.lang.String	SECURITY_ROOT_PATH root-path to security related content e.g.
static java.lang.String	USER_ADMIN_GROUP_NAME Configuration key and default value for the the name of the 'UserAdmin' group-principal.
static java.lang.String	USERS_PATH

Fields inherited from class org.apache.jackrabbit.core.security.authorization.AbstractAccessControlProvider

observationMgr, PARAM_OMIT_DEFAULT_PERMISSIONS, resolver, session

Constructor Summary

UserAccessControlProvider()

Method Summary

boolean	canAccessRoot(java.util.Set principals) Returns true if the given set of principals can access the root node of the workspace this provider has been built for; false otherwise.
CompiledPermissions	compilePermissions(java.util.Set principals) Compiles the effective policy for the specified set of Principals.
AccessControlEditor	getEditor(javax.jcr.Session session) Always returns null.
AccessControlPolicy[]	getEffectivePolicies(Path absPath) Returns the effective policies for the node at the given absPath.
void	init(javax.jcr.Session systemSession, java.util.Map configuration) Tests if the given systemSession is a SessionImpl and retrieves the observation manager.
boolean	isAcItem(ItemImpl item) Always returns false, since this ac provider does not use content stored in items to evaluate AC information.
boolean	isAcItem(Path absPath) Always returns false, since this ac provider does not use content stored in items to evaluate AC information.

Methods inherited from class org.apache.jackrabbit.core.security.authorization.AbstractAccessControlProvider

checkInitialized, close, getAdminPermissions, getReadOnlyPermissions, isAdminOrSystem, isReadOnly

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

NF

public static final NameFactory NF

SECURITY_ROOT_PATH

public static final java.lang.String SECURITY_ROOT_PATH

root-path to security related content e.g. principals

See Also:

Constant Field Values

AUTHORIZABLES_PATH

public static final java.lang.String AUTHORIZABLES_PATH

See Also:

Constant Field Values

USERS_PATH

public static final java.lang.String USERS_PATH

See Also:

Constant Field Values

GROUPS_PATH

public static final java.lang.String GROUPS_PATH

See Also:

Constant Field Values

USER_ADMIN_GROUP_NAME

public static final java.lang.String USER_ADMIN_GROUP_NAME

Configuration key and default value for the the name of the 'UserAdmin' group-principal.

See Also:

Constant Field Values

GROUP_ADMIN_GROUP_NAME

public static final java.lang.String GROUP_ADMIN_GROUP_NAME

Configuration key and default value for the the name of the 'GroupAdmin' group-principal

See Also:

Constant Field Values

P_REFEREES

public static final Name P_REFEREES

P_PRINCIPAL_NAME

public static final Name P_PRINCIPAL_NAME

P_USERID

public static final Name P_USERID

P_PASSWORD

public static final Name P_PASSWORD

P_GROUPS

public static final Name P_GROUPS

P_IMPERSONATORS

public static final Name P_IMPERSONATORS

Name of the user property containing the principal names of those allowed to impersonate.

NT_REP_AUTHORIZABLE

public static final Name NT_REP_AUTHORIZABLE

NT_REP_AUTHORIZABLE_FOLDER

public static final Name NT_REP_AUTHORIZABLE_FOLDER

NT_REP_USER

public static final Name NT_REP_USER

NT_REP_GROUP

public static final Name NT_REP_GROUP

Constructor Detail

UserAccessControlProvider

public UserAccessControlProvider()

Method Detail

isAcItem

public boolean isAcItem(Path absPath)
                 throws javax.jcr.RepositoryException

Always returns false, since this ac provider does not use content stored in items to evaluate AC information.

Specified by:

isAcItem in interface AccessControlUtils

Returns:

true if the item at the specified absPath contains access control information.

Throws:

javax.jcr.RepositoryException

See Also:

AccessControlUtils.isAcItem(Path)

isAcItem

public boolean isAcItem(ItemImpl item)
                 throws javax.jcr.RepositoryException

Always returns false, since this ac provider does not use content stored in items to evaluate AC information.

Specified by:

isAcItem in interface AccessControlUtils

Returns:

true if the item at the specified item defines access control related information is should therefore be considered protected.

Throws:

javax.jcr.RepositoryException

See Also:

AccessControlUtils.isAcItem(ItemImpl)

init

public void init(javax.jcr.Session systemSession,
                 java.util.Map configuration)
          throws javax.jcr.RepositoryException

Description copied from class: AbstractAccessControlProvider

Tests if the given systemSession is a SessionImpl and retrieves the observation manager. The it sets the internal 'initialized' field to true.

Specified by:

init in interface AccessControlProvider

Overrides:

init in class AbstractAccessControlProvider

Throws:

javax.jcr.RepositoryException - If the specified session is not a SessionImpl or if retrieving the observation manager fails.

See Also:

AccessControlProvider.init(Session, Map)

getEffectivePolicies

public AccessControlPolicy[] getEffectivePolicies(Path absPath)
                                           throws javax.jcr.ItemNotFoundException,
                                                  javax.jcr.RepositoryException

Description copied from interface: AccessControlProvider

Returns the effective policies for the node at the given absPath.

Specified by:

getEffectivePolicies in interface AccessControlProvider

Parameters:

absPath - an absolute path.

Returns:

The effective policies that apply at absPath.

Throws:

javax.jcr.ItemNotFoundException - If no Node with the specified absPath exists.

javax.jcr.RepositoryException - If another error occurs.

See Also:

AccessControlProvider.getEffectivePolicies(Path)

getEditor

public AccessControlEditor getEditor(javax.jcr.Session session)

Always returns null.

Specified by:

getEditor in interface AccessControlProvider

Returns:

the ACL editor or null

See Also:

AccessControlProvider.getEditor(Session)

compilePermissions

public CompiledPermissions compilePermissions(java.util.Set principals)
                                       throws javax.jcr.RepositoryException

Description copied from interface: AccessControlProvider

Compiles the effective policy for the specified set of Principals.

Specified by:

compilePermissions in interface AccessControlProvider

Parameters:

principals - Set of principals to compile the permissions for. If the order of evaluating permissions for principals is meaningful, the caller is adviced to pass a Set that respects the order of insertion.

Returns:

The effective, compiled CompiledPolicy that applies for the specified set of principals.

Throws:

javax.jcr.RepositoryException - If an error occurs.

See Also:

AccessControlProvider.compilePermissions(Set)

canAccessRoot

public boolean canAccessRoot(java.util.Set principals)
                      throws javax.jcr.RepositoryException

Description copied from interface: AccessControlProvider

Returns true if the given set of principals can access the root node of the workspace this provider has been built for; false otherwise.

Specified by:

canAccessRoot in interface AccessControlProvider

Returns:

true if the given set of principals can access the root node of the workspace this provider has been built for; false otherwise.

Throws:

javax.jcr.RepositoryException

See Also:

AccessControlProvider.canAccessRoot(Set)