Interface AccessControlConstants
- All Known Implementing Classes:
AbstractAccessControlManager,AbstractRestrictionProvider
-
Field Summary
FieldsModifier and TypeFieldDescriptionstatic final Collection<String>static final Collection<String>static final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Collection<String>static final StringName of the optional multivalued access control restriction that limits access to a single level i.e.static final Stringstatic final StringName of the optional multi-valued access control restriction that allows to combine more than oneREP_GLOBrestriction.static final StringName of the optional multivalued access control restriction by item name.static final Stringstatic final StringName of the optional multivalued access control restriction by node type name.static final Stringstatic final StringName of the optional multivalued access control restriction which matches by name space prefix.static final Stringstatic final Stringstatic final Stringstatic final Stringstatic final StringName of the optional multi-valued access control restriction that allows to limit the effect to one or multiple subtrees.
-
Field Details
-
REP_POLICY
- See Also:
-
REP_REPO_POLICY
- See Also:
-
REP_PRIVILEGES
- See Also:
-
REP_PRINCIPAL_NAME
- See Also:
-
REP_GLOB
- See Also:
-
REP_NODE_PATH
- See Also:
-
REP_NT_NAMES
Name of the optional multivalued access control restriction by node type name. The corresponding restriction type isType.NAMES.- Since:
- OAK 1.0
- See Also:
-
REP_PREFIXES
Name of the optional multivalued access control restriction which matches by name space prefix. The corresponding restriction type isType.STRINGS.- Since:
- OAK 1.0
- See Also:
-
REP_ITEM_NAMES
Name of the optional multivalued access control restriction by item name. The corresponding restriction type isType.NAMES.- Since:
- OAK 1.3.8
- See Also:
-
REP_CURRENT
Name of the optional multivalued access control restriction that limits access to a single level i.e. the target node where the access control entry takes effect and optionally all or a subset of it's properties. An empty value array will make this restriction matching the target node only (i.e. equivalent to rep:glob=""). An array of property names will extend the effect of the restriction to properties of the target node that match the specified names. The
residual name '*'will match the target node and all it's properties.The corresponding restriction type is
Type.STRINGSNote: due to the support of
NodeTypeConstants.RESIDUAL_NAME, which isn't a valid JCR name, this restriction is defined to be ofType.STRINGSinstead ofType.NAMES. Like the rep:glob restriction it will therefore not work with expanded JCR names or with remapped namespace prefixes.Note: In case of permission evaluation for a path pointing to a non-existing JCR item (see e.g.
Session.hasPermission(String, String)) a best-effort attempt is made to determine if the path may point to a property, default being that the path points to a non-existing node.Example:
rep:current = [] => restriction applies to the target node only rep:current = [*] => restriction applies to the target node and all it's properties rep:current = [jcr:primaryType] => restriction applies to the target node and it's property jcr:primaryType rep:current = [a, b, prefix:c] => restriction applies to the target node and it's properties a, b and prefix:c
- Since:
- OAK 1.42.0
- See Also:
-
REP_GLOBS
Name of the optional multi-valued access control restriction that allows to combine more than one
REP_GLOBrestriction. The effect is equivalent to defining multiple access control entries with a singleREP_GLOBrestriction each and will match a given path or item if any of the specified glob-values matches.Note, that an empty value array will never match any path/item.
The corresponding restriction type is
Type.STRINGS- See Also:
-
REP_SUBTREES
Name of the optional multi-valued access control restriction that allows to limit the effect to one or multiple subtrees. It is a simplified variant of the common pattern using 2
REP_GLOBwildcard patterns to grant or deny access on a particular node in the subtree and all its descendent items.NodePath = "/foo" Restriction | Matches ----------------------------------------------------------------------------- /cat | all descendants of /foo whose path ends with "/cat" or that have an intermediate segment /cat/ /cat/ | all descendants of /foo that have an intermediate segment /cat/ cat | all siblings or descendants of /foo whose path ends with "cat" or that have an intermediate segment ending with "cat" cat/ | all siblings or descendants of /foo that have an intermediate segment ending with "cat"
Note, that variants of 'cat'-paths could also consist of multiple segments like e.g. '/cat/dog' or '/cat/dog'
Note, that in contrast to
REP_GLOBno wildcard characters are used to specify the restriction.Note, that an empty value array will never match any path/item.
Note, that null values and empty string values will be omitted.
- See Also:
-
REP_RESTRICTIONS
- Since:
- OAK 1.0
- See Also:
-
MIX_REP_ACCESS_CONTROLLABLE
- See Also:
-
MIX_REP_REPO_ACCESS_CONTROLLABLE
- See Also:
-
NT_REP_POLICY
- See Also:
-
NT_REP_ACL
- See Also:
-
NT_REP_ACE
- See Also:
-
NT_REP_GRANT_ACE
- See Also:
-
NT_REP_DENY_ACE
- See Also:
-
NT_REP_RESTRICTIONS
- Since:
- OAK 1.0
- See Also:
-
POLICY_NODE_NAMES
-
ACE_PROPERTY_NAMES
-
AC_NODETYPE_NAMES
-
PARAM_RESTRICTION_PROVIDER
- See Also:
-