Package org.apache.jackrabbit.api.security

Interface JackrabbitAccessControlManager

    • Method Detail

      • hasPrivileges

        boolean hasPrivileges​(@Nullable
                      @Nullable java.lang.String absPath,
                      @NotNull
                      @NotNull java.util.Set<java.security.Principal> principals,
                      @NotNull
                      @NotNull Privilege[] privileges)
               throws PathNotFoundException,
                      AccessDeniedException,
                      RepositoryException
        Returns whether the given set of Principals has the specified privileges for absolute path absPath, which must be an existing node.

        Testing an aggregate privilege is equivalent to testing each non aggregate privilege among the set returned by calling Privilege.getAggregatePrivileges() for that privilege.

        The results reported by the this method reflect the net effect of the currently applied control mechanisms. It does not reflect unsaved access control policies or unsaved access control entries. Changes to access control status caused by these mechanisms only take effect on Session.save() and are only then reflected in the results of the privilege test methods.

        Since this method allows to view the privileges of principals other than included in the editing session, this method must throw AccessDeniedException if the session lacks READ_ACCESS_CONTROL privilege for the absPath node.

        Parameters:
        absPath - an absolute path.
        principals - a set of Principals for which is the given privileges are tested.
        privileges - an array of Privileges.
        Returns:
        true if the session has the specified privileges; false otherwise.
        Throws:
        PathNotFoundException - if no node at absPath exists or the session does not have sufficient access to retrieve a node at that location.
        AccessDeniedException - if the session lacks READ_ACCESS_CONTROL privilege for the absPath node.
        RepositoryException - if another error occurs.

      • getPrivileges

        @NotNull
@NotNull Privilege[] getPrivileges​(@Nullable
                                   @Nullable java.lang.String absPath,
                                   @NotNull
                                   @NotNull java.util.Set<java.security.Principal> principals)
                            throws PathNotFoundException,
                                   AccessDeniedException,
                                   RepositoryException
        Returns the privileges the given set of Principals has for absolute path absPath, which must be an existing node.

        The returned privileges are those for which hasPrivileges(java.lang.String, java.util.Set<java.security.Principal>, javax.jcr.security.Privilege[]) would return true.

        The results reported by the this method reflect the net effect of the currently applied control mechanisms. It does not reflect unsaved access control policies or unsaved access control entries. Changes to access control status caused by these mechanisms only take effect on Session.save() and are only then reflected in the results of the privilege test methods.

        Since this method allows to view the privileges of principals other than included in the editing session, this method must throw AccessDeniedException if the session lacks READ_ACCESS_CONTROL privilege for the absPath node.

        Note that this method does not resolve any group membership, as this is the job of the user manager. nor does it augment the set with the "everyone" principal.

        Parameters:
        absPath - an absolute path.
        principals - a set of Principals for which is the privileges are retrieved.
        Returns:
        an array of Privileges.
        Throws:
        PathNotFoundException - if no node at absPath exists or the session does not have sufficient access to retrieve a node at that location.
        AccessDeniedException - if the session lacks READ_ACCESS_CONTROL privilege for the absPath node.
        RepositoryException - if another error occurs.

      • getPrivilegeCollection

        @NotNull
default @NotNull PrivilegeCollection getPrivilegeCollection​(@Nullable
                                                            @Nullable java.lang.String absPath,
                                                            @NotNull
                                                            @NotNull java.util.Set<java.security.Principal> principals)
                                                     throws RepositoryException

        Returns the PrivilegeCollection for the given set of principals at the given absolute path, which must be an existing node. This is equivalent to getPrivileges(String,Set) and hasPrivileges(String, Set, Privilege[]) but allows for easy resolution of aggregated privileges (like e.g. jcr:all) and repeated evaluation if the editing session has privileges granted at the given target node.

        Note: For backwards compatibility this method comes with a default implementation that computes the PrivilegeCollection using regular JCR/Jackrabbit API, which might not be efficient. Implementations of JackrabbitAccessControlManager are therefore expected to overwrite the default.
        Parameters:
        absPath - An absolute path to an existing JCR node.
        principals - A set of principals for which the PrivilegeCollection should be created.
        Returns:
        A PrivilegeCollection wrapping around the privileges granted for the editing session at absPath.
        Throws:
        PathNotFoundException - if no node at absPath exists or the session does not have sufficient access to retrieve a node at that location.
        AccessDeniedException - if the session lacks READ_ACCESS_CONTROL privilege for the absPath node.
        RepositoryException - If another error occurs.
        Since:
        Oak 1.42.0

      • privilegeCollectionFromNames

        @NotNull
default @NotNull PrivilegeCollection privilegeCollectionFromNames​(@NotNull
                                                                  @NotNull java.lang.String... privilegeNames)
                                                           throws RepositoryException

        Returns the PrivilegeCollection for the specified privilegeNames. Since the privilege names are JCR names, they may be passed in either qualified or expanded form (see specification for details on JCR names).

        Note: For backwards compatibility this method comes with a default implementation that computes the PrivilegeCollection using regular JCR/Jackrabbit API, which might not be efficient. Implementations of JackrabbitAccessControlManager are therefore expected to overwrite the default.
        Parameters:
        privilegeNames - the names of existing privilege.
        Returns:
        the PrivilegeCollection representing the specified privilegeNames.
        Throws:
        AccessControlException - if no privilege with any of the specified names exists.
        RepositoryException - If another error occurs.
        Since:
        Oak 1.42.0