cleanup and documentation
diff --git a/src/site/markdown/filter.md b/src/site/markdown/filter.md
index 2e1d83c..3dce8b9 100644
--- a/src/site/markdown/filter.md
+++ b/src/site/markdown/filter.md
@@ -140,6 +140,10 @@
 1. since version 3.4.4 ([JCRVLT-417](https://issues.apache.org/jira/browse/JCRVLT-417)) created with the ancestor node type's default child type or if that is not set or prior to version 3.4.4 created with node type `nt:folder` (in case the the node type is *not* given with a `.content.xml` at the right location and the node does not yet exist in the repo) or
 1. not touched at all (in case they are already existing in the repo, no matter which node type is given with a `.content.xml` at the according location) 
 
+### Effect on Access Control Lists (ACLs)
+
+In order for ACLs to be installed the [ACL serialization node path](vaultfs.html#Authorization_Serialization) must be contained in the filter as well.
+
 ### Example
 
 Content Package Filter
diff --git a/src/site/markdown/vaultfs.md b/src/site/markdown/vaultfs.md
index ef16e51..ce87dd0 100644
--- a/src/site/markdown/vaultfs.md
+++ b/src/site/markdown/vaultfs.md
@@ -291,6 +291,16 @@
 1. a direct data serialization for the contents of file or binary artifacts and 
 2. an enhanced _docview_ serialization for the rest. The [_enhanced docview_ serialization][enhanceddocview] that is used allows multi-value properties and explicit types in contrast to regular [document view XML defined by JCR 2.0][docview].
 
+### Authorization Serialization
+
+As JCR 2.0 does not define if/how access control information is stored in the repository, FileVault only supports the Oak-specific implementation leveraging its internal repository format. It support the following node names:
+
+1. `rep:policy` or `repo:policy` (for repository-level ACLs) with structure as defined in <https://jackrabbit.apache.org/oak/docs/security/accesscontrol/default.html#representation-in-the-repository>
+1. `rep:cugPolicy` with structure as defined in <https://jackrabbit.apache.org/oak/docs/security/authorization/cug.html#representation-in-the-repository>
+1. `rep:principalPolicy`  with structure as defined in <https://jackrabbit.apache.org/oak/docs/security/authorization/principalbased.html#representation-in-the-repository>
+
+Those are serialized as [enhanced docview][enhanceddocview].
+
 Deserialization
 ---------------
 Although for exporting only 2 serialization types are used this is a bit different for importing. The importer analyzes the provided input sources and determines the following serialization types:
@@ -310,6 +320,9 @@
 
 **generic data** produces a `nt:file` having the data as `nt:resource` content.
 
+### Authorization Deserialization
+
+Only the Oak-specific serializations as defined above are deserialized leveraging the [JCR 2.0 API defined in chapter 16][authorization].
 
 Terminology
 -----------
@@ -332,4 +345,5 @@
 
 [enhanceddocview]: docview.html
 [docview]: https://s.apache.org/jcr-2.0-spec/7_Export.html#7.3%20Document%20View
-[sysview]: https://s.apache.org/jcr-2.0-spec/7_Export.html#7.2%20System%20View
\ No newline at end of file
+[sysview]: https://s.apache.org/jcr-2.0-spec/7_Export.html#7.2%20System%20View
+[authorization]: https://s.apache.org/jcr-2.0-spec/16_Access_Control_Management.html
\ No newline at end of file
diff --git a/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/spi/impl/jcr20/JcrACLManagement.java b/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/spi/impl/jcr20/JcrACLManagement.java
index bd2ab78..0c4a683 100644
--- a/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/spi/impl/jcr20/JcrACLManagement.java
+++ b/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/spi/impl/jcr20/JcrACLManagement.java
@@ -34,6 +34,7 @@
      * {@inheritDoc}
      */
     public boolean isACLNodeType(String name) {
+        // all those inherit from rep:Policy
         return name.equals("rep:ACL") || name.equals("rep:CugPolicy") || name.equals("rep:PrincipalPolicy");
     }
 
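Review bot: The added comment in `isACLNodeType` says the three types inherit from rep:Policy, but the return statement below it is an exact string match, so a reader could wrongly assume any rep:Policy subtype is treated as an ACL node. A policy node type missing from this list would presumably be imported as ordinary content rather than through the access-control handling, so the comment should say the list is closed. I would word it as `// exact match on the Oak policy node types (each extends rep:Policy); other rep:Policy subtypes are not recognized here`. Separately, `name.equals("rep:ACL")` throws on a null name; if callers can pass null, `"rep:ACL".equals(name)` and its siblings avoid that.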
diff --git a/vault-core/src/test/java/org/apache/jackrabbit/vault/packaging/integration/ACLAndMergeIT.java b/vault-core/src/test/java/org/apache/jackrabbit/vault/packaging/integration/ACLAndMergeIT.java
index a18e589..d8e47db 100644
--- a/vault-core/src/test/java/org/apache/jackrabbit/vault/packaging/integration/ACLAndMergeIT.java
+++ b/vault-core/src/test/java/org/apache/jackrabbit/vault/packaging/integration/ACLAndMergeIT.java
@@ -478,10 +478,11 @@
         extractVaultPackageStrict("/test-packages/ac_outside_filter.zip");
         assertNodeExists("/testroot/node_a");
 
-        // this ACL is not contained in the filter and not installed because ancestor is no filter root
+        // this ACL is not contained in the filter neither is its direct ancestor (node whose privileges are set)
+        // still nodes contained in the filter would be affected by the ACL
         assertPermissionMissing("/testroot", false, new String[]{"jcr:all"}, "everyone", null);
 
-        // this is not contained in the filter root but installed nevertheless (due to ancestor being a filter root)
+        // this ACL is not contained in the filter but its direct ancestor (the node whose privileges are set) is
         assertPermissionMissing("/testroot/secured", false, new String[]{"jcr:all"}, "everyone", null);
     }
 }
\ No newline at end of file
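Review bot: Both ACL checks in this hunk are negative (`assertPermissionMissing`), so they also pass if the package installs no ACLs at all. The same commit deletes definition/.content.xml, the only visible place that set `acHandling="overwrite"`. Please confirm the package's properties still enable ACL import, or add a positive assertion for an ACL that is inside the filter, so the test really shows the filter is what keeps these entries out. The rewritten comments also no longer state the expected outcome, and "would be affected by the ACL" can be read as saying the ACL is installed. Something like `// ACL node is outside the filter although the node it protects is a filter root: must not be installed` above the second assertion would remove that ambiguity. The test method starts outside the hunk.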
diff --git a/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/definition/.content.xml b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/definition/.content.xml
deleted file mode 100644
index 94aad31..0000000
--- a/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/definition/.content.xml
+++ /dev/null
@@ -1,49 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  ~ Licensed to the Apache Software Foundation (ASF) under one or more
-  ~ contributor license agreements.  See the NOTICE file distributed with
-  ~ this work for additional information regarding copyright ownership.
-  ~ The ASF licenses this file to You under the Apache License, Version 2.0
-  ~ (the "License"); you may not use this file except in compliance with
-  ~ the License.  You may obtain a copy of the License at
-  ~
-  ~      http://www.apache.org/licenses/LICENSE-2.0
-  ~
-  ~ Unless required by applicable law or agreed to in writing, software
-  ~ distributed under the License is distributed on an "AS IS" BASIS,
-  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  ~ See the License for the specific language governing permissions and
-  ~ limitations under the License.
-  -->
-
-<jcr:root xmlns:vlt="http://www.day.com/jcr/vault/1.0" xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:nt="http://www.jcp.org/jcr/nt/1.0"
-    jcr:created="{Date}2018-05-17T17:41:46.815+02:00"
-    jcr:createdBy="admin"
-    jcr:description="AC Handling: OverWrite"
-    jcr:lastModified="{Date}2018-05-17T17:41:46.815+02:00"
-    jcr:lastModifiedBy="admin"
-    jcr:primaryType="vlt:PackageDefinition"
-    acHandling="overwrite"
-    buildCount="1"
-    builtWith=""
-    fixedBugs=""
-    group="support"
-    lastUnwrapped="{Date}2018-05-17T17:41:46.815+02:00"
-    lastUnwrappedBy="admin"
-    lastWrapped="{Date}2018-05-17T17:41:46.815+02:00"
-    lastWrappedBy="admin"
-    name=""
-    providerLink=""
-    providerName=""
-    providerUrl=""
-    testedWith=""
-    version="">
-    <filter jcr:primaryType="nt:unstructured">
-        <f0
-            jcr:primaryType="nt:unstructured"
-            mode="replace"
-            root="/testroot/secured"
-            rules="[]"/>
-    </filter>
-    <screenshots jcr:primaryType="nt:unstructured"/>
-</jcr:root>
diff --git a/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/filter.xml b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/filter.xml
index c6d3ce0..84ea8ff 100644
--- a/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/filter.xml
+++ b/vault-core/src/test/resources/test-packages/ac_outside_filter.zip/META-INF/vault/filter.xml
@@ -21,4 +21,5 @@
        <include pattern="/testroot/secured/jcr:content"/>
        <include pattern="/testroot/node_a(/.*)?"/>
     </filter>
+    <filter root="/test2root/child/grandchild" />
 </workspaceFilter>
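Review bot: The added `<filter root="/test2root/child/grandchild" />` carries no comment, and no assertion in the visible ACLAndMergeIT hunk refers to `/test2root`, so its role in this ACL fixture cannot be told from the change. If it is meant to exercise a filter root whose ancestors lie outside the filter, a comment next to it such as `<!-- filter root with ancestors outside the filter; checked by TEST_NAME_PLACEHOLDER -->` and an assertion on that path would make the intent verifiable. If it is unused, it should be dropped so the fixture stays minimal for the ACL-outside-filter case.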