Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2021/07/21 09:39:59 UTC

[jackrabbit-oak] branch trunk updated: OAK-9494 : Check if a privilege name is included in a set/array of Privileges obtained from AccessControlManager.getPrivileges (documentation) OAK-9506 : Oak Security Documentation : links to Jackrabbit-API point to svn OAK-9507 : link to PrincipalProvider points to wrong resource

This is an automated email from the ASF dual-hosted git repository.

angela pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 111c0af  OAK-9494 : Check if a privilege name is included in a set/array of Privileges obtained from AccessControlManager.getPrivileges (documentation) OAK-9506 : Oak Security Documentation : links to Jackrabbit-API point to svn OAK-9507 : link to PrincipalProvider points to wrong resource
111c0af is described below

commit 111c0af1407402bd4eafd5a7a621e1dd57ef6841
Author: angela <an...@adobe.com>
AuthorDate: Wed Jul 21 11:39:46 2021 +0200

    OAK-9494 : Check if a privilege name is included in a set/array of Privileges obtained from AccessControlManager.getPrivileges (documentation)
    OAK-9506 : Oak Security Documentation : links to Jackrabbit-API point to svn
    OAK-9507 : link to PrincipalProvider points to wrong resource
---
 .../src/site/markdown/security/accesscontrol/editing.md   |  2 +-
 oak-doc/src/site/markdown/security/authentication.md      |  2 +-
 .../site/markdown/security/authentication/differences.md  |  4 ++--
 .../markdown/security/authentication/token/default.md     |  2 +-
 .../markdown/security/authentication/tokenmanagement.md   |  2 +-
 .../security/permission/permissionsandprivileges.md       | 13 ++++++++++++-
 oak-doc/src/site/markdown/security/principal.md           |  2 +-
 .../src/site/markdown/security/principal/differences.md   |  2 +-
 oak-doc/src/site/markdown/security/privilege.md           |  7 ++++++-
 oak-doc/src/site/markdown/security/user/membership.md     |  4 ++--
 oak-doc/src/site/markdown/security/user/query.md          |  4 ++--
 .../api/security/authorization/PrivilegeCollection.java   | 15 +++++++++++++++
 12 files changed, 45 insertions(+), 14 deletions(-)

diff --git a/oak-doc/src/site/markdown/security/accesscontrol/editing.md b/oak-doc/src/site/markdown/security/accesscontrol/editing.md
index 2865c0d..1adf3f0 100644
--- a/oak-doc/src/site/markdown/security/accesscontrol/editing.md
+++ b/oak-doc/src/site/markdown/security/accesscontrol/editing.md
@@ -287,4 +287,4 @@ or alternatively use `AccessControlUtils`:
     }
 
 <!-- hidden references -->
-[OPTION_USER_MANAGEMENT_SUPPORTED]: http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/JackrabbitRepository.java
+[OPTION_USER_MANAGEMENT_SUPPORTED]: /oak/docs/apidocs/org/apache/jackrabbit/api/JackrabbitRepository.html
diff --git a/oak-doc/src/site/markdown/security/authentication.md b/oak-doc/src/site/markdown/security/authentication.md
index af0ac6d..8578803 100644
--- a/oak-doc/src/site/markdown/security/authentication.md
+++ b/oak-doc/src/site/markdown/security/authentication.md
@@ -284,7 +284,7 @@ implementation on various levels:
 [javax.jcr.GuestCredentials]: https://docs.adobe.com/docs/en/spec/javax.jcr/javadocs/jcr-2.0/javax/jcr/GuestCredentials.html
 [javax.jcr.SimpleCredentials]: https://docs.adobe.com/docs/en/spec/javax.jcr/javadocs/jcr-2.0/javax/jcr/SimpleCredentials.html
 [javax.jcr.Repository]: https://docs.adobe.com/docs/en/spec/javax.jcr/javadocs/jcr-2.0/javax/jcr/Repository.html
-[org.apache.jackrabbit.api.JackrabbitRepository]: http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/JackrabbitRepository.java
+[org.apache.jackrabbit.api.JackrabbitRepository]: /oak/docs/apidocs/org/apache/jackrabbit/api/JackrabbitRepository.html
 [AuthInfoImpl]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/AuthInfoImpl.html
 [AuthInfo]: /oak/docs/apidocs/org/apache/jackrabbit/oak/api/AuthInfo.html
 [AbstractLoginModule]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.html
diff --git a/oak-doc/src/site/markdown/security/authentication/differences.md b/oak-doc/src/site/markdown/security/authentication/differences.md
index ffb53af..17acfe6 100644
--- a/oak-doc/src/site/markdown/security/authentication/differences.md
+++ b/oak-doc/src/site/markdown/security/authentication/differences.md
@@ -112,7 +112,7 @@ contains the following changes compared to Jackrabbit 2.x:
 <!-- references -->
 
 [TokenLoginModule]: /oak/docs/apidocs/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.html
-[TokenCredentials]: http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/authentication/token/TokenCredentials.java
-[GuestLoginModule]:/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/GuestLoginModule.html
+[TokenCredentials]: /oak/docs/apidocs/org/apache/jackrabbit/api/security/authentication/token/TokenCredentials.html
+[GuestLoginModule]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/GuestLoginModule.html
 [JSR_333-27]: https://java.net/jira/browse/JSR_333-27
 [ImpersonationCredentials]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/ImpersonationCredentials.html
diff --git a/oak-doc/src/site/markdown/security/authentication/token/default.md b/oak-doc/src/site/markdown/security/authentication/token/default.md
index 0f1e6be..e306f4d 100644
--- a/oak-doc/src/site/markdown/security/authentication/token/default.md
+++ b/oak-doc/src/site/markdown/security/authentication/token/default.md
@@ -298,7 +298,7 @@ for an example.
 
 <!-- references -->
 
-[TokenCredentials]: http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/authentication/token/TokenCredentials.java
+[TokenCredentials]: /oak/docs/apidocs/org/apache/jackrabbit/api/security/authentication/token/TokenCredentials.html
 [AuthInfo]: /oak/docs/apidocs/org/apache/jackrabbit/oak/api/AuthInfo.html
 [ContentSession]: /oak/docs/apidocs/org/apache/jackrabbit/oak/api/ContentSession.html
 [TokenProvider]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/token/TokenProvider.html
diff --git a/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md b/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md
index 5a438f0..1662542 100644
--- a/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md
+++ b/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md
@@ -153,7 +153,7 @@ token provider implementation:
 <!-- references -->
 
 [TokenLoginModule]: /oak/docs/apidocs/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.html
-[TokenCredentials]: http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/authentication/token/TokenCredentials.java
+[TokenCredentials]: /oak/docs/apidocs/org/apache/jackrabbit/api/security/authentication/token/TokenCredentials.html
 [AuthInfo]: /oak/docs/apidocs/org/apache/jackrabbit/oak/api/AuthInfo.html
 [ContentSession]: /oak/docs/apidocs/org/apache/jackrabbit/oak/api/ContentSession.html
 [TokenProvider]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/token/TokenProvider.html
diff --git a/oak-doc/src/site/markdown/security/permission/permissionsandprivileges.md b/oak-doc/src/site/markdown/security/permission/permissionsandprivileges.md
index f803518..79bb580 100644
--- a/oak-doc/src/site/markdown/security/permission/permissionsandprivileges.md
+++ b/oak-doc/src/site/markdown/security/permission/permissionsandprivileges.md
@@ -32,7 +32,16 @@ In order to test permissions that are not reflected in the action constants
 defined on `Session` or `JackrabbitSession`, the default implementation also allows
 to pass the names of the Oak internal permission. 
 
-Alternatively, `AccessControlManager.hasPrivileges(String, Privilege[])` can be used.
+To evaluate privileges granted for a given editing session `AccessControlManager.hasPrivileges(String, Privilege[])`,
+`AccessControlManager.getPrivileges(String)` can be used. The `JackrabbitAccessControlManager` defines variants of both 
+methods that in addition take a set of `Principal`. If the editing session as sufficient permissions these methods can 
+be used to  evaluate/obtain privileges for a different set of principals than associated with the editing session.
+
+Since Oak 1.42.0 `JackrabbitAccessControlManager` defines `JackrabbitAccessControlManager.getPrivilegeCollection(String)`
+and `JackrabbitAccessControlManager.getPrivilegeCollection(String, Set)` which allows for efficient evaluation if a given set 
+of privileges are granted at a given path. It allows to avoid repeated calls to `hasPrivileges` for the same path or 
+manual resolution of privilege aggregation (see  [OAK-9494](https://issues.apache.org/jira/browse/OAK-9494) 
+for details).
 
 The subtle differences between the permission-testing `Session`  and the evaluation
 of privileges on `AccessControlManager` are listed below.
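Review bot: The first added sentence does not parse: the clause "for a given editing session" runs straight into `AccessControlManager.hasPrivileges(String, Privilege[])`, and the two method names are joined only by a comma. Suggest "To evaluate privileges granted for a given editing session, `AccessControlManager.hasPrivileges(String, Privilege[])` or `AccessControlManager.getPrivileges(String)` can be used." In the same paragraph, "If the editing session as sufficient permissions" should read "has", and "used to  evaluate" carries a double space. Since that sentence is the condition under which privileges of other principals can be evaluated, it would help to name the required permission instead of "sufficient permissions". In the second paragraph, "which allows" has two methods as its subject, so "which allow" is correct.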
@@ -68,6 +77,7 @@ list and the mapping from actions to permissions.
 
 - `AccessControlManager.hasPrivileges(String absPath, Privilege[] privileges)`
 - `AccessControlManager.getPrivileges(String absPath)`
+- `JackrabbitAccessControlManager.getPrivilegeCollection(String absPath)` followed by `PrivilegeCollection.includes(String...)`
 
 Where
 
@@ -81,6 +91,7 @@ requires the ability to read access control content on the target path.
 
 - `JackrabbitAccessControlManager.hasPrivileges(String absPath, Set<Principal> principals, Privilege[] privileges)`
 - `JackrabbitAccessControlManager.getPrivileges(String absPath, Set<Principal> principals)`
+- `JackrabbitAccessControlManager.getPrivilegeCollection(String absPath, Set<Principal> principals)` (see also section [Privilege Management](../privilege.html))
 
 #### Characteristics
 
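Review bot: The added `getPrivilegeCollection(String absPath, Set<Principal> principals)` bullet is worded differently from the matching bullet added to the previous list: this one carries the cross-reference to Privilege Management but omits "followed by `PrivilegeCollection.includes(String...)`", while the other one has the follow-up call but no cross-reference. Suggest using the same wording in both places so readers see that the collection still has to be queried with `includes`.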
diff --git a/oak-doc/src/site/markdown/security/principal.md b/oak-doc/src/site/markdown/security/principal.md
index 2e30429..a2a52b3 100644
--- a/oak-doc/src/site/markdown/security/principal.md
+++ b/oak-doc/src/site/markdown/security/principal.md
@@ -168,7 +168,7 @@ provider implementation:
 
 <!-- references -->
 
-[PrincipalManager]: http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/principal/PrincipalManager.java
+[PrincipalManager]: /oak/docs/apidocs/org/apache/jackrabbit/api/security/principal/PrincipalManager.html
 [PrincipalProvider]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/principal/PrincipalProvider.html
 [CompositePrincipalProvider]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/principal/CompositePrincipalProvider.html
 [AdminPrincipal]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/principal/AdminPrincipal.html
diff --git a/oak-doc/src/site/markdown/security/principal/differences.md b/oak-doc/src/site/markdown/security/principal/differences.md
index 4ce1695..783abb0 100644
--- a/oak-doc/src/site/markdown/security/principal/differences.md
+++ b/oak-doc/src/site/markdown/security/principal/differences.md
@@ -37,7 +37,7 @@ See section [Pluggability](../principal.html#pluggability) for an example.
 
 <!-- references -->
 
-[org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider]: http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/principal/PrincipalManager.java
+[org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/principal/PrincipalProvider.html
 [CompositePrincipalProvider]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/principal/CompositePrincipalProvider.html
 [org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/principal/AdminPrincipal.html
 [org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/principal/EveryonePrincipal.html
diff --git a/oak-doc/src/site/markdown/security/privilege.md b/oak-doc/src/site/markdown/security/privilege.md
index 589ec1e..97c90bf 100644
--- a/oak-doc/src/site/markdown/security/privilege.md
+++ b/oak-doc/src/site/markdown/security/privilege.md
@@ -37,6 +37,10 @@ by the extensions defined by the Jackrabbit API. It consists of a single interfa
     - `getRegisteredPrivileges()`
     - `getPrivilege(String)`
     - `registerPrivilege(String, boolean, String[])
+- [PrivilegeCollection]: Wraps around a set of privileges allowing for testing if one or multiple privilege 
+names are part of the given set without having to manually resolve the aggregation. Since Oak 1.42.0. For additional details
+see [OAK-9494](https://issues.apache.org/jira/browse/OAK-9494) as well as
+`JackrabbitAccessControlManager.getPrivilegeCollection(String)` and `JackrabbitAccessControlManager.getPrivilegeCollection(String,Set)`.
 
 ##### Examples
 
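Review bot: The context line directly above the new bullet, "- `registerPrivilege(String, boolean, String[])", opens a code span that is never closed. Since this hunk extends the same list, add the missing closing backtick in this change. In the new bullet, "Since Oak 1.42.0." is a fragment sitting mid-paragraph; moving it to the end, or writing "Available since Oak 1.42.0.", reads better. The second signature is written `getPrivilegeCollection(String,Set)` without the space used for the same method in permissionsandprivileges.md.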
@@ -115,4 +119,5 @@ of the default access control and permission evaluation.
 [PrivilegeConstants]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeConstants.html
 [PrivilegeBitsProvider]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBitsProvider.html
 [PrivilegeBits]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBits.html
-[PrivilegeManager]: http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/authorization/PrivilegeManager.java
\ No newline at end of file
+[PrivilegeManager]: /oak/docs/apidocs/org/apache/jackrabbit/api/security/authorization/PrivilegeManager.java
+[PrivilegeCollection]: /oak/docs/apidocs/org/apache/jackrabbit/api/security/authorization/PrivilegeCollection.java
\ No newline at end of file
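Review bot: Both added reference targets end in `.java` under `/oak/docs/apidocs/`, whereas every other apidocs link visible in this commit ends in `.html`. Javadoc output is HTML, so `[PrivilegeManager]` and `[PrivilegeCollection]` should most likely point to `.../authorization/PrivilegeManager.html` and `.../authorization/PrivilegeCollection.html`; as written the svn link is replaced by one that looks like a copy of the source file name. The file also still ends without a trailing newline, which could be fixed while the last line is being touched.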
diff --git a/oak-doc/src/site/markdown/security/user/membership.md b/oak-doc/src/site/markdown/security/user/membership.md
index af8a885..11106b5 100644
--- a/oak-doc/src/site/markdown/security/user/membership.md
+++ b/oak-doc/src/site/markdown/security/user/membership.md
@@ -210,7 +210,7 @@ Consequently, the following configuration option `groupMembershipSplitSize` pres
 with Jackrabbit 2.x is not supported anymore.
 
 <!-- hidden references -->
-[org.apache.jackrabbit.api.security.user.Group]: http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/user/Group.java
-[org.apache.jackrabbit.api.security.user.Authorizable]: http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/user/Authorizable.java
+[org.apache.jackrabbit.api.security.user.Group]: /oak/docs/apidocs/org/apache/jackrabbit/api/security/user/Group.html
+[org.apache.jackrabbit.api.security.user.Authorizable]: /oak/docs/apidocs/org/apache/jackrabbit/api/security/user/Authorizable.html
 [JCR-3880]: https://issues.apache.org/jira/browse/JCR-3880
 [OAK-3170]: https://issues.apache.org/jira/browse/OAK-3170
diff --git a/oak-doc/src/site/markdown/security/user/query.md b/oak-doc/src/site/markdown/security/user/query.md
index 914deb7..f0faad8 100644
--- a/oak-doc/src/site/markdown/security/user/query.md
+++ b/oak-doc/src/site/markdown/security/user/query.md
@@ -309,6 +309,6 @@ a utility class provided by the jcr-commons module present with Jackrabbit.
 
 <!-- hidden references -->
 
-[QueryBuilder]: http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/user/QueryBuilder.java
-[Query]: http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/user/Query.java
+[QueryBuilder]: /oak/docs/apidocs/org/apache/jackrabbit/api/security/user/QueryBuilder.html
+[Query]: /oak/docs/apidocs/org/apache/jackrabbit/api/security/user/Query.html
 [org.apache.jackrabbit.commons.jackrabbit.user.AuthorizableQueryManager]: http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/commons/jackrabbit/user/AuthorizableQueryManager.java
\ No newline at end of file
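Review bot: The last reference in this block, `[org.apache.jackrabbit.commons.jackrabbit.user.AuthorizableQueryManager]`, is left pointing at svn.apache.org. Its target is in jackrabbit-jcr-commons rather than jackrabbit-api, so it may be deliberately out of scope for OAK-9506, but the commit message does not say so; either note the exception or track it as a follow-up so the remaining svn link is not overlooked.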
diff --git a/oak-jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/authorization/PrivilegeCollection.java b/oak-jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/authorization/PrivilegeCollection.java
index 9f2ea4b..d6802c4 100644
--- a/oak-jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/authorization/PrivilegeCollection.java
+++ b/oak-jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/authorization/PrivilegeCollection.java
@@ -28,6 +28,21 @@ import java.util.HashSet;
 import java.util.Set;
 import java.util.stream.Stream;
 
+/**
+ * <p>Wrapper around a set of {@link Privilege}s that allows to test if a given list of privilege names in included. This 
+ * avoids repeated calls to {@link AccessControlManager#hasPrivileges(String, Privilege[])} or having to manually resolve 
+ * the privilege aggregation when using {@link AccessControlManager#getPrivileges(String)}.</p>
+ * 
+ * While a {@link PrivilegeCollection.Default default} is available for backwards compatibility, it uses regular 
+ * JCR API. Therefore it is recommended to provide custom implementations of 
+ * {@link org.apache.jackrabbit.api.security.JackrabbitAccessControlManager#getPrivilegeCollection(String)} and 
+ * {@link org.apache.jackrabbit.api.security.JackrabbitAccessControlManager#getPrivilegeCollection(String, Set)} with 
+ * efficient implementations of the {@code PrivilegeCollection}.
+ * 
+ * @since Oak 1.42.0
+ * @see org.apache.jackrabbit.api.security.JackrabbitAccessControlManager#getPrivilegeCollection(String) 
+ * @see org.apache.jackrabbit.api.security.JackrabbitAccessControlManager#getPrivilegeCollection(String, Set) 
+ */
 public interface PrivilegeCollection {
 
     /**
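Review bot: In the first Javadoc sentence, "a given list of privilege names in included" should read "is included". The first paragraph is wrapped in `<p>...</p>` but the second ("While a {@link PrivilegeCollection.Default default} ...") is not, so the two should use the same markup. The step from "it uses regular JCR API" to "Therefore it is recommended to provide custom implementations" leaves out the reason; one clause stating what the default costs compared with an efficient implementation would make the recommendation follow.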