You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2013/03/01 11:57:53 UTC
svn commit: r1451563 - in
/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak:
core/ security/authorization/ security/authorization/permission/
Author: angela
Date: Fri Mar 1 10:57:52 2013
New Revision: 1451563
URL: http://svn.apache.org/r1451563
Log:
OAK-527: permissions (wip)
Modified:
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionConstants.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java
jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java?rev=1451563&r1=1451562&r2=1451563&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/core/RootImpl.java Fri Mar 1 10:57:52 2013
@@ -227,7 +227,7 @@ public class RootImpl implements Root {
purgePendingChanges();
branch.rebase();
rootTree = TreeImpl.createRoot(this);
- permissionProvider = createPermissionProvider();
+ permissionProvider = null;
}
}
@@ -237,9 +237,7 @@ public class RootImpl implements Root {
branch = store.branch();
rootTree = TreeImpl.createRoot(this);
modCount = 0;
- if (permissionProvider == null) {
- permissionProvider = createPermissionProvider();
- } else {
+ if (permissionProvider != null) {
permissionProvider.refresh();
}
}
@@ -396,6 +394,9 @@ public class RootImpl implements Root {
@Nonnull
PermissionProvider getPermissionProvider() {
+ if (permissionProvider == null) {
+ permissionProvider = createPermissionProvider();
+ }
return permissionProvider;
}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java?rev=1451563&r1=1451562&r2=1451563&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java Fri Mar 1 10:57:52 2013
@@ -93,12 +93,13 @@ public class AccessControlManagerImpl im
private final PrivilegeManager privilegeManager;
private final PrincipalManager principalManager;
- private final PermissionProvider permissionProvider;
private final RestrictionProvider restrictionProvider;
private final ReadOnlyNodeTypeManager ntMgr;
- public AccessControlManagerImpl(Root root, NamePathMapper namePathMapper,
- SecurityProvider securityProvider) {
+ private PermissionProvider permissionProvider;
+
+ public AccessControlManagerImpl(@Nonnull Root root, @Nonnull NamePathMapper namePathMapper,
+ @Nonnull SecurityProvider securityProvider) {
this.root = root;
this.namePathMapper = namePathMapper;
@@ -106,10 +107,6 @@ public class AccessControlManagerImpl im
principalManager = securityProvider.getPrincipalConfiguration().getPrincipalManager(root, namePathMapper);
acConfig = securityProvider.getAccessControlConfiguration();
-
- Subject subject = Subject.getSubject(AccessController.getContext());
- Set<Principal> principals = (subject != null) ? subject.getPrincipals() : Collections.<Principal>emptySet();
- permissionProvider = acConfig.getPermissionProvider(root, principals);
restrictionProvider = acConfig.getRestrictionProvider(namePathMapper);
ntMgr = ReadOnlyNodeTypeManager.getInstance(root, namePathMapper);
}
@@ -130,15 +127,13 @@ public class AccessControlManagerImpl im
@Override
public boolean hasPrivileges(@Nullable String absPath, @Nonnull Privilege[] privileges) throws RepositoryException {
- permissionProvider.refresh();
- return hasPrivileges(absPath, privileges, permissionProvider);
+ return hasPrivileges(absPath, privileges, getPermissionProvider());
}
@Nonnull
@Override
public Privilege[] getPrivileges(@Nullable String absPath) throws RepositoryException {
- permissionProvider.refresh();
- return getPrivileges(absPath, permissionProvider);
+ return getPrivileges(absPath, getPermissionProvider());
}
@Nonnull
@@ -362,6 +357,18 @@ public class AccessControlManagerImpl im
return tree;
}
+ @Nonnull
+ private PermissionProvider getPermissionProvider() {
+ if (permissionProvider == null) {
+ Subject subject = Subject.getSubject(AccessController.getContext());
+ Set<Principal> principals = (subject != null) ? subject.getPrincipals() : Collections.<Principal>emptySet();
+ permissionProvider = acConfig.getPermissionProvider(root, principals);
+ } else {
+ permissionProvider.refresh();
+ }
+ return permissionProvider;
+ }
+
private void checkPermission(@Nonnull Tree tree) throws AccessDeniedException {
// TODO
}
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java?rev=1451563&r1=1451562&r2=1451563&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.java Fri Mar 1 10:57:52 2013
@@ -20,53 +20,81 @@ import java.security.Principal;
import java.security.acl.Group;
import java.util.Collections;
import java.util.HashMap;
-import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
+import com.google.common.base.Strings;
import com.google.common.collect.ImmutableSortedMap;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.core.ReadOnlyTree;
-import org.apache.jackrabbit.oak.security.authorization.AccessControlConstants;
import org.apache.jackrabbit.oak.security.privilege.PrivilegeBits;
import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.Permissions;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
+import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
+import org.apache.jackrabbit.oak.util.TreeUtil;
import org.apache.jackrabbit.util.Text;
import static com.google.common.base.Preconditions.checkArgument;
-import static com.google.common.base.Preconditions.checkNotNull;
/**
* TODO
*/
-class CompiledPermissionImpl implements CompiledPermissions, AccessControlConstants {
+class CompiledPermissionImpl implements CompiledPermissions, PermissionConstants {
private final Set<Principal> principals;
+ private final RestrictionProvider restrictionProvider;
private final Map<String, ReadOnlyTree> trees;
private PrivilegeBitsProvider bitsProvider;
- private Map<Key, Entry> userEntries;
- private Map<Key, Entry> groupEntries;
+ private Map<Key, PermissionEntry> userEntries;
+ private Map<Key, PermissionEntry> groupEntries;
CompiledPermissionImpl(@Nonnull Set<Principal> principals,
@Nonnull ReadOnlyTree permissionsTree,
- @Nonnull PrivilegeBitsProvider bitsProvider) {
- this.principals = checkNotNull(principals);
+ @Nonnull PrivilegeBitsProvider bitsProvider,
+ @Nonnull RestrictionProvider restrictionProvider) {
checkArgument(!principals.isEmpty());
+ this.principals = principals;
+ this.restrictionProvider = restrictionProvider;
this.trees = new HashMap<String, ReadOnlyTree>(principals.size());
- update(permissionsTree, bitsProvider);
+ refresh(permissionsTree, bitsProvider);
}
- void update(@Nullable ReadOnlyTree permissionsTree, @Nonnull PrivilegeBitsProvider bitsProvider) {
- // TODO: determine if entries need to be reloaded due to changes to the
- // TODO: affected permission-nodes.
+ void refresh(@Nonnull ReadOnlyTree permissionsTree,
+ @Nonnull PrivilegeBitsProvider bitsProvider) {
this.bitsProvider = bitsProvider;
- buildEntries(permissionsTree);
+ boolean refresh = false;
+ // test if a permission has been added for those principals that didn't have one before
+ if (trees.size() != principals.size()) {
+ for (Principal principal : principals) {
+ if (!trees.containsKey(principal.getName()) && getPrincipalRoot(permissionsTree, principal) != null) {
+ refresh = true;
+ break;
+ }
+ }
+ }
+ // test if any of the trees has been modified in the mean time
+ if (!refresh) {
+ for (Map.Entry<String, ReadOnlyTree> entry : trees.entrySet()) {
+ ReadOnlyTree t = entry.getValue();
+ ReadOnlyTree t2 = permissionsTree.getChild(t.getName());
+ // TODO: OAK-660 or equivalent comparision
+ if (!t.equals(t2)) {
+ refresh = true;
+ break;
+ }
+ }
+ }
+
+ if (refresh) {
+ buildEntries(permissionsTree);
+ }
}
//------------------------------------------------< CompiledPermissions >---
@@ -124,7 +152,7 @@ class CompiledPermissionImpl implements
ReadOnlyTree t = getPrincipalRoot(permissionsTree, principal);
if (t != null) {
trees.put(principal.getName(), t);
- builder.addEntry(principal, t);
+ builder.addEntry(principal, t, restrictionProvider);
}
}
userEntries = builder.userEntries.build();
@@ -155,8 +183,8 @@ class CompiledPermissionImpl implements
private long index;
private Key(Tree tree) {
- path = tree.getProperty("rep:accessControlledPath").getValue(Type.STRING);
- index = tree.getProperty("rep:index").getValue(Type.LONG);
+ path = Strings.emptyToNull(TreeUtil.getString(tree, REP_ACCESS_CONTROLLED_PATH));
+ index = tree.getProperty(REP_INDEX).getValue(Type.LONG);
}
@Override
@@ -166,16 +194,16 @@ class CompiledPermissionImpl implements
}
}
- private static final class Entry {
+ private static final class PermissionEntry {
private final boolean isAllow;
private final PrivilegeBits privilegeBits;
- private final List<String> restrictions;
+ private final Set<Restriction> restrictions;
- private Entry(Tree entryTree) {
- isAllow = ('a' == entryTree.getName().charAt(0));
- privilegeBits = PrivilegeBits.getInstance(entryTree.getProperty(REP_PRIVILEGES));
- restrictions = null; // TODO
+ private PermissionEntry(String accessControlledPath, Tree entryTree, RestrictionProvider restrictionsProvider) {
+ isAllow = (PREFIX_ALLOW == entryTree.getName().charAt(0));
+ privilegeBits = PrivilegeBits.getInstance(entryTree.getProperty(REP_PRIVILEGE_BITS));
+ restrictions = restrictionsProvider.readRestrictions(accessControlledPath, entryTree);
}
}
@@ -185,13 +213,15 @@ class CompiledPermissionImpl implements
*/
private static final class EntriesBuilder {
- private ImmutableSortedMap.Builder<Key, Entry> userEntries = ImmutableSortedMap.naturalOrder();
- private ImmutableSortedMap.Builder<Key, Entry> groupEntries = ImmutableSortedMap.naturalOrder();
+ private ImmutableSortedMap.Builder<Key, PermissionEntry> userEntries = ImmutableSortedMap.naturalOrder();
+ private ImmutableSortedMap.Builder<Key, PermissionEntry> groupEntries = ImmutableSortedMap.naturalOrder();
- private void addEntry(@Nonnull Principal principal, @Nonnull Tree entryTree) {
- Entry entry = new Entry(entryTree);
- if (entry.privilegeBits.isEmpty()) {
- Key key = new Key(entryTree);
+ private void addEntry(@Nonnull Principal principal,
+ @Nonnull Tree entryTree,
+ @Nonnull RestrictionProvider restrictionProvider) {
+ Key key = new Key(entryTree);
+ PermissionEntry entry = new PermissionEntry(key.path, entryTree, restrictionProvider);
+ if (!entry.privilegeBits.isEmpty()) {
if (principal instanceof Group) {
groupEntries.put(key, entry);
} else {
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionConstants.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionConstants.java?rev=1451563&r1=1451562&r2=1451563&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionConstants.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionConstants.java Fri Mar 1 10:57:52 2013
@@ -41,6 +41,7 @@ interface PermissionConstants {
String PERMISSIONS_STORE_PATH = JcrConstants.JCR_SYSTEM + '/' + REP_PERMISSION_STORE;
String REP_ACCESS_CONTROLLED_PATH = "rep:accessControlledPath";
+ String REP_PRIVILEGE_BITS = "rep:privileges";
String REP_INDEX = "rep:index";
char PREFIX_ALLOW = 'a';
char PREFIX_DENY = 'd';
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java?rev=1451563&r1=1451562&r2=1451563&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java Fri Mar 1 10:57:52 2013
@@ -16,7 +16,6 @@
*/
package org.apache.jackrabbit.oak.security.authorization.permission;
-import java.util.Collections;
import java.util.Set;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
@@ -44,8 +43,6 @@ import org.apache.jackrabbit.oak.spi.sec
import org.apache.jackrabbit.oak.spi.state.NodeBuilder;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.apache.jackrabbit.oak.spi.state.NodeStateDiff;
-import org.apache.jackrabbit.oak.spi.state.PropertyBuilder;
-import org.apache.jackrabbit.oak.util.PropertyUtil;
import org.apache.jackrabbit.oak.util.TreeUtil;
import org.apache.jackrabbit.util.Text;
import org.slf4j.Logger;
@@ -122,7 +119,7 @@ public class PermissionHook implements C
return Lists.newArrayList(ordering.getValue(Type.STRINGS)).indexOf(aceName);
}
- private static String generateName(NodeBuilder principalRoot, Entry entry) {
+ private static String generateName(NodeBuilder principalRoot, PermissionEntry entry) {
StringBuilder name = new StringBuilder();
name.append((entry.isAllow) ? PREFIX_ALLOW : PREFIX_DENY).append('-').append(principalRoot.getChildNodeCount());
return name.toString();
@@ -204,12 +201,12 @@ public class PermissionHook implements C
}
private void addEntry(String name, NodeState ace) {
- Entry entry = createEntry(name, ace, parentAfter);
- entry.writeTo(permissionRoot.child(entry.principalName));
+ PermissionEntry entry = createPermissionEntry(name, ace, parentAfter);
+ entry.writeTo(permissionRoot);
}
private void removeEntry(String name, NodeState ace) {
- Entry entry = createEntry(name, ace, parentBefore);
+ PermissionEntry entry = createPermissionEntry(name, ace, parentBefore);
String permissionName = getPermissionNodeName(entry);
if (permissionName != null) {
permissionRoot.child(entry.principalName).removeNode(permissionName);
@@ -222,33 +219,33 @@ public class PermissionHook implements C
}
@CheckForNull
- private String getPermissionNodeName(Entry aceEntry) {
- if (permissionRoot.hasChildNode(aceEntry.principalName)) {
- NodeBuilder principalRoot = permissionRoot.child(aceEntry.principalName);
+ private String getPermissionNodeName(PermissionEntry permissionEntry) {
+ if (permissionRoot.hasChildNode(permissionEntry.principalName)) {
+ NodeBuilder principalRoot = permissionRoot.child(permissionEntry.principalName);
for (String childName : principalRoot.getChildNodeNames()) {
NodeState state = principalRoot.child(childName).getNodeState();
- if (aceEntry.isSame(childName, state)) {
+ if (permissionEntry.isSame(childName, state)) {
return childName;
}
}
- log.warn("No entry node for " + aceEntry);
+ log.warn("No permission entry for " + permissionEntry);
} else {
// inconsistency: removing an ACE that doesn't have a corresponding
// entry in the permission store.
- log.warn("Missing permission node for principal " + aceEntry.principalName);
+ log.warn("Missing permission node for principal " + permissionEntry.principalName);
}
return null;
}
@Nonnull
- private Entry createEntry(String name, NodeState ace, BaseNode acl) {
+ private PermissionEntry createPermissionEntry(String name, NodeState ace, BaseNode acl) {
Tree aceTree = getTree(name, ace);
+ String accessControlledPath = getAccessControlledPath(acl);
String principalName = checkNotNull(TreeUtil.getString(aceTree, REP_PRINCIPAL_NAME));
PrivilegeBits privilegeBits = bitsProvider.getBits(TreeUtil.getStrings(aceTree, REP_PRIVILEGES));
boolean isAllow = NT_REP_GRANT_ACE.equals(TreeUtil.getPrimaryTypeName(aceTree));
- String accessControlledPath = getAccessControlledPath(acl);
- return new Entry(accessControlledPath, getAceIndex(acl, name), principalName,
+ return new PermissionEntry(accessControlledPath, getAceIndex(acl, name), principalName,
privilegeBits, isAllow, getRestrictions(accessControlledPath, aceTree));
}
}
@@ -276,7 +273,7 @@ public class PermissionHook implements C
abstract NodeState getNodeState();
}
- private static class BeforeNode extends BaseNode {
+ private static final class BeforeNode extends BaseNode {
private final NodeState nodeState;
@@ -297,7 +294,7 @@ public class PermissionHook implements C
}
}
- private static class Node extends BaseNode {
+ private static final class Node extends BaseNode {
private final NodeBuilder builder;
@@ -321,7 +318,7 @@ public class PermissionHook implements C
}
}
- private final class Entry {
+ private final class PermissionEntry {
private final String accessControlledPath;
private final int index;
@@ -331,7 +328,7 @@ public class PermissionHook implements C
private final boolean isAllow;
private final Set<Restriction> restrictions;
- private Entry(@Nonnull String accessControlledPath,
+ private PermissionEntry(@Nonnull String accessControlledPath,
int index,
@Nonnull String principalName,
@Nonnull PrivilegeBits privilegeBits,
@@ -339,33 +336,23 @@ public class PermissionHook implements C
this.accessControlledPath = accessControlledPath;
this.index = index;
- this.principalName = principalName;
+ this.principalName = Text.escapeIllegalJcrChars(principalName);
this.privilegeBits = privilegeBits;
this.isAllow = isAllow;
this.restrictions = restrictions;
}
- private void writeTo(NodeBuilder principalRoot) {
+ private void writeTo(NodeBuilder permissionRoot) {
+ NodeBuilder principalRoot = permissionRoot.child(principalName);
String entryName = generateName(principalRoot, this);
NodeBuilder entry = principalRoot.child(entryName)
.setProperty(JCR_PRIMARYTYPE, NT_REP_PERMISSIONS)
.setProperty(REP_ACCESS_CONTROLLED_PATH, accessControlledPath)
.setProperty(REP_INDEX, index)
- .setProperty(privilegeBits.asPropertyState(REP_PRIVILEGES));
+ .setProperty(privilegeBits.asPropertyState(REP_PRIVILEGE_BITS));
for (Restriction restriction : restrictions) {
entry.setProperty(restriction.getProperty());
}
-
- PropertyState ordering = principalRoot.getProperty(TreeImpl.OAK_CHILD_ORDER);
- if (ordering == null) {
- principalRoot.setProperty(TreeImpl.OAK_CHILD_ORDER, Collections.singleton(entryName), Type.NAMES);
- } else {
- PropertyBuilder pb = PropertyUtil.getPropertyBuilder(Type.NAME, ordering);
- // TODO: determine ordering index
- int index = 0;
- pb.setValue(entryName, index);
- principalRoot.setProperty(pb.getPropertyState());
- }
}
private boolean isSame(String name, NodeState node) {
@@ -391,7 +378,7 @@ public class PermissionHook implements C
public String toString() {
StringBuilder sb = new StringBuilder();
- sb.append("entry: ").append(accessControlledPath);
+ sb.append("permission entry: ").append(accessControlledPath);
sb.append(';').append(principalName);
sb.append(';').append(isAllow ? "allow" : "deny");
sb.append(';').append(privilegeBits);
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java?rev=1451563&r1=1451562&r2=1451563&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.java Fri Mar 1 10:57:52 2013
@@ -32,11 +32,13 @@ import org.apache.jackrabbit.oak.api.Typ
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.core.ReadOnlyRoot;
import org.apache.jackrabbit.oak.core.ReadOnlyTree;
+import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.version.VersionConstants;
import org.apache.jackrabbit.oak.security.authorization.AccessControlConstants;
import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.security.Context;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
+import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.PermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.Permissions;
import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal;
@@ -69,7 +71,8 @@ public class PermissionProviderImpl impl
public PermissionProviderImpl(@Nonnull Root root, @Nonnull Set<Principal> principals,
@Nonnull SecurityProvider securityProvider) {
this.root = root;
- this.acContext = securityProvider.getAccessControlConfiguration().getContext();
+ AccessControlConfiguration acConfig = securityProvider.getAccessControlConfiguration();
+ this.acContext = acConfig.getContext();
if (principals.contains(SystemPrincipal.INSTANCE) || isAdmin(principals)) {
compiledPermissions = AllPermissions.getInstance();
} else {
@@ -77,7 +80,7 @@ public class PermissionProviderImpl impl
if (permissionsTree == null || principals.isEmpty()) {
compiledPermissions = NoPermissions.getInstance();
} else {
- compiledPermissions = new CompiledPermissionImpl(principals, permissionsTree, getBitsProvider());
+ compiledPermissions = new CompiledPermissionImpl(principals, permissionsTree, getBitsProvider(), acConfig.getRestrictionProvider(NamePathMapper.DEFAULT));
}
}
}
@@ -85,7 +88,7 @@ public class PermissionProviderImpl impl
@Override
public void refresh() {
if (compiledPermissions instanceof CompiledPermissionImpl) {
- ((CompiledPermissionImpl) compiledPermissions).update(getPermissionsRoot(), getBitsProvider());
+ ((CompiledPermissionImpl) compiledPermissions).refresh(getPermissionsRoot(), getBitsProvider());
}
}