Posted to commits@sling.apache.org by my...@apache.org on 2013/03/30 18:17:36 UTC
svn commit: r1462804 - in /sling/trunk/bundles:
api/src/main/java/org/apache/sling/api/security/
resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/
resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/...
Author: mykee
Date: Sat Mar 30 17:17:36 2013
New Revision: 1462804
URL: http://svn.apache.org/r1462804
Log:
SLING-2698 - resource access security service for resource providers without backing ACLs, Part 4
Modified:
sling/trunk/bundles/api/src/main/java/org/apache/sling/api/security/ResourceAccessSecurity.java
sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/ResourceAccessGate.java
sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/impl/ResourceAccessSecurityImpl.java
Modified: sling/trunk/bundles/api/src/main/java/org/apache/sling/api/security/ResourceAccessSecurity.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/api/src/main/java/org/apache/sling/api/security/ResourceAccessSecurity.java?rev=1462804&r1=1462803&r2=1462804&view=diff
==============================================================================
--- sling/trunk/bundles/api/src/main/java/org/apache/sling/api/security/ResourceAccessSecurity.java (original)
+++ sling/trunk/bundles/api/src/main/java/org/apache/sling/api/security/ResourceAccessSecurity.java Sat Mar 30 17:17:36 2013
@@ -19,35 +19,55 @@
package org.apache.sling.api.security;
import org.apache.sling.api.resource.Resource;
-
+import org.apache.sling.api.resource.ResourceResolver;
/**
- * The <code>ResourceAccessSecurity</code> defines a service API which might
- * be used in implementations of resource providers where the underlaying
- * persistence layer does not have any ACLs. The service should it make
- * easy to implement a lightweight access control in such sort of providers.
- *
- * - Expected to only be implemented once in the framework/application
- * (much like the OSGi LogService or Configuration Admin Service)
- * - ResourceProvider implementations are encouraged to use
- * this service for access control unless the underlying
- * storage already has it.
- *
+ * The <code>ResourceAccessSecurity</code> defines a service API which might be
+ * used in implementations of resource providers where the underlaying
+ * persistence layer does not have any ACLs. The service should it make easy to
+ * implement a lightweight access control in such sort of providers.
+ *
+ * - Expected to only be implemented once in the framework/application (much
+ * like the OSGi LogService or Configuration Admin Service) - ResourceProvider
+ * implementations are encouraged to use this service for access control unless
+ * the underlying storage already has it.
+ *
*/
public interface ResourceAccessSecurity {
-
- public Resource checkReadPermission( Resource resource );
- public boolean canCreate( String absPathName, String user );
- public boolean canUpdate( Resource resource );
- public boolean canDelete( Resource resource );
- public boolean canExecute( Resource resource );
-
- public boolean canReadValue( Resource resource, String valueName );
- public boolean canCreateValue( Resource resource, String valueName );
- public boolean canUpdateValue( Resource resource, String valueName );
- public boolean canDeleteValue( Resource resource, String valueName );
- public String sanitizeQuery( String query, String language, String user ) throws AccessSecurityException;
+ public Resource getReadableResource(Resource resource);
+
+ public boolean canCreate(String absPathName, ResourceResolver resourceResolver);
+
+ public boolean canUpdate(Resource resource);
+
+ public boolean canDelete(Resource resource);
+
+ public boolean canExecute(Resource resource);
+
+ public boolean canReadValue(Resource resource, String valueName);
+
+ public boolean canSetValue(Resource resource, String valueName);
+
+ public boolean canDeleteValue(Resource resource, String valueName);
+
+ /**
+ * Allows to transform the query based on the current
+ * user's credentials. Can be used to narrow down queries to omit results
+ * that the current user is not allowed to see anyway, speeding up
+ * downstream access control.
+ *
+ * Query transformations are not critical with respect to access control as results
+ * are checked using the canRead.. methods anyway.
+ *
+ * @param query the query
+ * @param language the language in which the query is expressed
+ * @param resourceResolver the resource resolver which resolves the query
+ * @return the transformed query
+ * @throws AccessSecurityException
+ */
+ public String transformQuery(String query, String language, ResourceResolver resourceResolver)
+ throws AccessSecurityException;
}
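Review bot: The renamed and merged methods `getReadableResource`, `canCreate` and `canSetValue` have no Javadoc, so this access-control contract never states what a denial looks like. `getReadableResource` in particular should say what it returns when the caller may not read the resource; the implementation is only partly visible on this page, so the author should confirm whether that is `null` or a restricted wrapper. The `transformQuery` Javadoc still points to "the canRead.. methods", although the read checks are now `getReadableResource` and `canReadValue`. Naming them would make clear to providers that query results must still pass those checks, because the transformation is only an optimisation. For `canCreate`, a line such as `@param resourceResolver the resolver whose user the check is evaluated for` would document the switch away from a caller-supplied user string, and the bare `@throws AccessSecurityException` needs a condition.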
Modified: sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/ResourceAccessGate.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/ResourceAccessGate.java?rev=1462804&r1=1462803&r2=1462804&view=diff
==============================================================================
--- sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/ResourceAccessGate.java (original)
+++ sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/ResourceAccessGate.java Sat Mar 30 17:17:36 2013
@@ -19,6 +19,7 @@
package org.apache.sling.resourceaccesssecurity;
import org.apache.sling.api.resource.Resource;
+import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.security.AccessSecurityException;
@@ -131,7 +132,23 @@ public interface ResourceAccessGate {
public GateResult canUpdateValue( Resource resource, String valueName, String user );
public GateResult canDeleteValue( Resource resource, String valueName, String user );
- public String sanitizeQuery( String query, String language, String user ) throws AccessSecurityException;
+ /**
+ * Allows to transform the query based on the current
+ * user's credentials. Can be used to narrow down queries to omit results
+ * that the current user is not allowed to see anyway, speeding up
+ * downstream access control.
+ *
+ * Query transformations are not critical with respect to access control as results
+ * are checked using the canRead.. methods anyway.
+ *
+ * @param query the query
+ * @param language the language in which the query is expressed
+ * @param resourceResolver the resource resolver which resolves the query
+ * @return the transformed query
+ * @throws AccessSecurityException
+ */
+ public String transformQuery(String query, String language, ResourceResolver resourceResolver)
+ throws AccessSecurityException;
/* for convenience (and performance) */
public boolean hasReadRestrictions( String user );
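Review bot: `transformQuery` now takes a `ResourceResolver`, while the neighbouring gate methods in this hunk (`canUpdateValue`, `canDeleteValue`, `hasReadRestrictions`) still identify the caller by a `String user`, so a gate implementation gets the identity from two different sources. If the mix is intentional at this stage of the series, the Javadoc should say so, for example `@param resourceResolver the resource resolver which resolves the query; the user is taken from resourceResolver.getUserID()`. Otherwise a gate could evaluate the query for a different principal than its `can*` checks use. The interface body continues outside this hunk, so other methods may be affected as well.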
Modified: sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/impl/ResourceAccessSecurityImpl.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/impl/ResourceAccessSecurityImpl.java?rev=1462804&r1=1462803&r2=1462804&view=diff
==============================================================================
--- sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/impl/ResourceAccessSecurityImpl.java (original)
+++ sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/impl/ResourceAccessSecurityImpl.java Sat Mar 30 17:17:36 2013
@@ -89,7 +89,7 @@ public class ResourceAccessSecurityImpl
}
@Override
- public Resource checkReadPermission(Resource resource) {
+ public Resource getReadableResource(Resource resource) {
Resource returnValue = resource;
ResourceResolver resResolver = resource.getResourceResolver();
String user = resResolver.getUserID();
@@ -142,7 +142,7 @@ public class ResourceAccessSecurityImpl
}
@Override
- public boolean canCreate(String absPathName, String user) {
+ public boolean canCreate(String absPathName, ResourceResolver resourceResolver) {
// TODO Auto-generated method stub
return false;
}
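Review bot: `canCreate` still returns `false` unconditionally and ignores both `absPathName` and the new `resourceResolver` parameter, and the only explanation is the generated `// TODO Auto-generated method stub`. Denying by default is the safe behaviour for an unimplemented permission check, but it should be stated as deliberate so a later edit does not flip it to `true` as a quick fix. Something like `// Not implemented yet: deny by default.` would do. The same applies to `canSetValue` in the next hunk, which now answers for both the former create-value and update-value checks.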
@@ -172,13 +172,7 @@ public class ResourceAccessSecurityImpl
}
@Override
- public boolean canCreateValue(Resource resource, String valueName) {
- // TODO Auto-generated method stub
- return false;
- }
-
- @Override
- public boolean canUpdateValue(Resource resource, String valueName) {
+ public boolean canSetValue(Resource resource, String valueName) {
// TODO Auto-generated method stub
return false;
}
@@ -190,7 +184,7 @@ public class ResourceAccessSecurityImpl
}
@Override
- public String sanitizeQuery(String query, String language, String user)
+ public String transformQuery(String query, String language, ResourceResolver resourceResolver)
throws AccessSecurityException {
return query;
}
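Review bot: `transformQuery` returns the query unchanged and never uses `resourceResolver`, with no comment saying that the pass-through is intended. The interface Javadoc describes the transformation as an optimisation, with results checked by the read methods, so this is acceptable only if every query result really does go through `getReadableResource`; that cannot be confirmed from this hunk. A comment such as `// No narrowing yet; results must still be filtered by getReadableResource.` would record that dependency for whoever wires up the gates later.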