This section covers fundamental concepts of the access control related APIs provided by JCR and Jackrabbit as well as the extension points defined by Oak.
If you are already familiar with the API and are looking for examples, you may directly read Using the Access Control Management API for a comprehensive list of method calls as well as examples that may be used to edit the access control content of the repository.
Access Control Management is an optional feature defined by JSR 283 consisting of:
• Privilege discovery: Determining the privileges that a user has in relation to a node.
• Assigning access control policies: Setting the privileges that a user has in relation to a node using access control policies specific to the implementation.
Whether or not a given implementation supports access control management is defined by the Repository.OPTION_ACCESS_CONTROL_SUPPORTED descriptor.
Since Oak comes with a dedicated privilege management this section focuses on reading and editing access control information. The main interfaces defined by JSR 283 are:
• AccessControlManager: Main entry point for access control related operations.
• AccessControlPolicy: Marker interface for any kind of policies defined by the implementation.
• AccessControlList: mutable policy that may have a list of entries.
• NamedAccessControlPolicy: opaque immutable policy with a JCR name.
• AccessControlEntry: association of privilege(s) with a given principal bound to a given node by the AccessControlList.
The JCR access control management has the following characteristics:
• null path identifies repository level policies.
• AccessControlManager.setPolicy must be called.
• Session.save(). Access to properties is defined by their parent node.
The Jackrabbit API defines various access control related extensions to the JCR API in order to cover common needs such as for example:
The following interfaces and extensions are defined:
• JackrabbitAccessControlManager
• JackrabbitAccessControlPolicy
• JackrabbitAccessControlList
• JackrabbitAccessControlEntry
Oak defines the following interfaces extending the access control management API:
• PolicyOwner: Interface to improve pluggability of the access control management; it allows determining whether a given manager handles a given policy.
• AccessControlConstants: Constants related to access control management.
In addition it provides some access control related base classes in org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol that may be used for a custom implementation:
• AbstractAccessControlList: abstract base implementation of the JackrabbitAccessControlList interface
• ImmutableACL: immutable subclass of AbstractAccessControlList
• ACE: abstract subclass that implements common methods of a mutable access control list.
• ReadPolicy: implementation of NamedAccessControlPolicy used to represent the configured readable paths.
Oak 1.0 defines a dedicated restriction management API. See Restriction Management for details and further information regarding extensibility and pluggability.
The jcr-commons module present with Jackrabbit provides some access control related utilities that simplify the creation of new policies and entries, for example:
• AccessControlUtils.getAccessControlList(Session, String)
• AccessControlUtils.getAccessControlList(AccessControlManager, String)
• AccessControlUtils.addAccessControlEntry(Session, String, Principal, String[], boolean)
See org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils for the complete list of methods.
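    // Access control manager of the editing session
    AccessControlManager acMgr = session.getAccessControlManager();
    String path = node.getPath();
    // New or existing ACL for the path
    JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, path);
    // Add an allow entry (third argument true) for the principal
    acl.addEntry(principal, privileges, true);
    // Bind the policy to the node, then persist the change
    acMgr.setPolicy(path, acl);
    session.save();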
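The same kind of edit written against the plain JCR and Jackrabbit interfaces listed above, as an added example that is not part of the Oak documentation or code base: it checks the Repository.OPTION_ACCESS_CONTROL_SUPPORTED descriptor, locates the editable ACL, grants only jcr:read and prints the resulting entries. The class name ReadGrant, its method names and the session, absPath and principal arguments are assumptions supplied by the caller.

```java
import java.security.Principal;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;

public final class ReadGrant { // hypothetical helper; not part of JCR, Jackrabbit or Oak
    /** Editable ACL at absPath: an applicable (not yet bound) one, else the bound one. */
    static JackrabbitAccessControlList findAcl(AccessControlManager acMgr, String absPath)
            throws RepositoryException {
        AccessControlPolicyIterator it = acMgr.getApplicablePolicies(absPath);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof JackrabbitAccessControlList) return (JackrabbitAccessControlList) p;
        }
        for (AccessControlPolicy p : acMgr.getPolicies(absPath)) {
            if (p instanceof JackrabbitAccessControlList) return (JackrabbitAccessControlList) p;
        }
        throw new RepositoryException("no editable ACL at " + absPath);
    }
    /** Grants only jcr:read to principal at absPath, then prints the resulting entries. */
    static void grantRead(Session session, String absPath, Principal principal)
            throws RepositoryException {
        String supported = session.getRepository()
                .getDescriptor(Repository.OPTION_ACCESS_CONTROL_SUPPORTED);
        if (!Boolean.parseBoolean(supported)) {
            throw new RepositoryException("access control management not supported");
        }
        AccessControlManager acMgr = session.getAccessControlManager();
        JackrabbitAccessControlList acl = findAcl(acMgr, absPath);
        Privilege[] read = { acMgr.privilegeFromName(Privilege.JCR_READ) };
        acl.addEntry(principal, read, true); // true = allow entry
        acMgr.setPolicy(absPath, acl);       // bind the edited policy to the node
        session.save();                      // the change is transient until saved
        for (AccessControlEntry ace : acl.getAccessControlEntries()) {
            boolean deny = ace instanceof JackrabbitAccessControlEntry
                    && !((JackrabbitAccessControlEntry) ace).isAllow();
            for (Privilege p : ace.getPrivileges()) {
                System.out.println((deny ? "deny  " : "allow ") + ace.getPrincipal().getName()
                        + " " + p.getName());
            }
        }
    }
}
```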
The behavior of the default access control implementation is described in sections Access Control Management: The Default Implementation and Restriction Management.
The configuration of the access control management implementation is handled within the AuthorizationConfiguration, which is used for all authorization related matters. This class provides the following two access control related methods:
• getAccessControlManager: get a new ac manager instance.
• getRestrictionProvider: get a new instance of the restriction provider.
The supported configuration options of the default implementation are described in the corresponding section.