Class AccessControlAction

java.lang.Object
org.apache.jackrabbit.oak.spi.security.user.action.AbstractAuthorizableAction
org.apache.jackrabbit.oak.spi.security.user.action.AccessControlAction
All Implemented Interfaces:
AuthorizableAction

public class AccessControlAction extends AbstractAuthorizableAction
The AccessControlAction allows setting up permissions upon creation of a new authorizable; namely, the privileges the new authorizable should be granted on its own 'home directory', which is represented by the new node associated with that new authorizable.

The following two configuration parameters are available with this implementation:

  • groupPrivilegeNames: the value is expected to be a comma separated list of privileges that will be granted to the new group on the group node.
  • userPrivilegeNames: the value is expected to be a comma separated list of privileges that will be granted to the new user on the user node.

Example configuration:

    groupPrivilegeNames : ["jcr:read"]
    userPrivilegeNames  : ["jcr:read,rep:write"]
 

This configuration could for example lead to the following content structure upon user or group creation. Note however that the resulting structure depends on the actual access control management being in place:

     UserManager umgr = ((JackrabbitSession) session).getUserManager();
     User user = umgr.createUser("testUser", "t");

     + t                           rep:AuthorizableFolder
       + te                        rep:AuthorizableFolder
         + testUser                rep:User, mix:AccessControllable
           + rep:policy            rep:ACL
             + allow               rep:GrantACE
               - rep:principalName = "testUser"
               - rep:privileges    = ["jcr:read","rep:write"]
           - rep:password
           - rep:principalName     = "testUser"
 
     UserManager umgr = ((JackrabbitSession) session).getUserManager();
     Group group = umgr.createGroup("testGroup");

     + t                           rep:AuthorizableFolder
       + te                        rep:AuthorizableFolder
         + testGroup               rep:Group, mix:AccessControllable
           + rep:policy            rep:ACL
             + allow               rep:GrantACE
               - rep:principalName = "testGroup"
               - rep:privileges    = ["jcr:read"]
           - rep:principalName     = "testGroup"
 
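Because the resulting structure depends on the access control management in place, the grant can be verified before the new user is persisted. The following is an added example, not part of the Oak Javadoc: `HomeAclCheck`, `check` and `createChecked` are hypothetical names, and it assumes the home node's policy is exposed as a JCR `AccessControlList` that the creating session can read before `save()`. Privilege names are compared as stored, without expanding aggregates such as `rep:write`.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.*;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;

// Added example; class and method names are hypothetical, not part of Oak.
public final class HomeAclCheck {
    // Returns one finding per deviation from the expected grant; an empty list means the ACL matches.
    static List<String> check(Session session, Authorizable a, Set<String> expected)
            throws RepositoryException {
        List<String> findings = new ArrayList<>();
        String self = a.getPrincipal().getName();
        Set<String> granted = new TreeSet<>();
        for (AccessControlPolicy p : session.getAccessControlManager().getPolicies(a.getPath())) {
            if (!(p instanceof AccessControlList)) continue;
            for (AccessControlEntry ace : ((AccessControlList) p).getAccessControlEntries()) {
                String who = ace.getPrincipal().getName();
                boolean deny = ace instanceof JackrabbitAccessControlEntry
                        && !((JackrabbitAccessControlEntry) ace).isAllow();
                if (deny || !who.equals(self)) { // only an allow entry for the authorizable itself is expected
                    findings.add("unexpected entry: " + (deny ? "deny " : "allow ") + who);
                    continue;
                }
                for (Privilege priv : ace.getPrivileges()) granted.add(priv.getName());
            }
        }
        Set<String> missing = new TreeSet<>(expected); missing.removeAll(granted);
        Set<String> excess = new TreeSet<>(granted); excess.removeAll(expected);
        if (!missing.isEmpty()) findings.add("missing privileges: " + missing);
        if (!excess.isEmpty()) findings.add("excess privileges: " + excess);
        return findings;
    }
    // Persists the user only if the home ACL matches, e.g. expected = {"jcr:read", "rep:write"}.
    static User createChecked(JackrabbitSession s, String id, String pw, Set<String> expected)
            throws RepositoryException {
        User user = s.getUserManager().createUser(id, pw);
        List<String> findings = check(s, user, expected);
        if (!findings.isEmpty()) {
            s.refresh(false); // discard the transient user node and its policy
            throw new RepositoryException("home ACL mismatch for " + id + ": " + findings);
        }
        s.save();
        return user;
    }
}
```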
  • Field Details

  • Constructor Details

    • AccessControlAction

      public AccessControlAction()
  • Method Details

    • init

      public void init(@NotNull SecurityProvider securityProvider, @NotNull ConfigurationParameters config)
      Description copied from class: AbstractAuthorizableAction
      Doesn't perform any action.
      Specified by:
      init in interface AuthorizableAction
      Overrides:
      init in class AbstractAuthorizableAction
      Parameters:
      securityProvider - The security provider present with the repository
      config - The configuration parameters for this action.
    • onCreate

      public void onCreate(@NotNull org.apache.jackrabbit.api.security.user.Group group, @NotNull org.apache.jackrabbit.oak.api.Root root, @NotNull org.apache.jackrabbit.oak.namepath.NamePathMapper namePathMapper) throws RepositoryException
      Description copied from class: AbstractAuthorizableAction
      Doesn't perform any action.
      Specified by:
      onCreate in interface AuthorizableAction
      Overrides:
      onCreate in class AbstractAuthorizableAction
      Parameters:
      group - The new group that has not yet been persisted; e.g. the associated tree is still 'NEW'.
      root - The root associated with the user manager.
      Throws:
      RepositoryException - If an error occurs.
    • onCreate

      public void onCreate(@NotNull org.apache.jackrabbit.api.security.user.User user, @Nullable String password, @NotNull org.apache.jackrabbit.oak.api.Root root, @NotNull org.apache.jackrabbit.oak.namepath.NamePathMapper namePathMapper) throws RepositoryException
      Description copied from class: AbstractAuthorizableAction
      Doesn't perform any action.
      Specified by:
      onCreate in interface AuthorizableAction
      Overrides:
      onCreate in class AbstractAuthorizableAction
      Parameters:
      user - The new user that has not yet been persisted; e.g. the associated tree is still 'NEW'.
      password - The password that was specified upon user creation.
      root - The root associated with the user manager.
      Throws:
      RepositoryException - If an error occurs.