Posted to commits@sling.apache.org by my...@apache.org on 2013/03/30 18:17:36 UTC

svn commit: r1462804 - in /sling/trunk/bundles: api/src/main/java/org/apache/sling/api/security/ resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/ resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/...

Author: mykee
Date: Sat Mar 30 17:17:36 2013
New Revision: 1462804

URL: http://svn.apache.org/r1462804
Log:
SLING-2698 - resource access security service for resource providers without backing ACLs, Part 4

Modified:
    sling/trunk/bundles/api/src/main/java/org/apache/sling/api/security/ResourceAccessSecurity.java
    sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/ResourceAccessGate.java
    sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/impl/ResourceAccessSecurityImpl.java

Modified: sling/trunk/bundles/api/src/main/java/org/apache/sling/api/security/ResourceAccessSecurity.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/api/src/main/java/org/apache/sling/api/security/ResourceAccessSecurity.java?rev=1462804&r1=1462803&r2=1462804&view=diff
==============================================================================
--- sling/trunk/bundles/api/src/main/java/org/apache/sling/api/security/ResourceAccessSecurity.java (original)
+++ sling/trunk/bundles/api/src/main/java/org/apache/sling/api/security/ResourceAccessSecurity.java Sat Mar 30 17:17:36 2013
@@ -19,35 +19,55 @@
 package org.apache.sling.api.security;
 
 import org.apache.sling.api.resource.Resource;
-
+import org.apache.sling.api.resource.ResourceResolver;
 
 /**
- * The <code>ResourceAccessSecurity</code> defines a service API which might 
- * be used in implementations of resource providers where the underlaying 
- * persistence layer does not have any ACLs. The service should it make
- * easy to implement a lightweight access control in such sort of providers.
- *
- * - Expected to only be implemented once in the framework/application
- *   (much like the OSGi LogService or Configuration Admin Service)
- * - ResourceProvider implementations are encouraged to use 
- *   this service for access control unless the underlying
- *   storage already has it.
- *
+ * The <code>ResourceAccessSecurity</code> defines a service API which might be
+ * used in implementations of resource providers where the underlaying
+ * persistence layer does not have any ACLs. The service should it make easy to
+ * implement a lightweight access control in such sort of providers.
+ * 
+ * - Expected to only be implemented once in the framework/application (much
+ * like the OSGi LogService or Configuration Admin Service) - ResourceProvider
+ * implementations are encouraged to use this service for access control unless
+ * the underlying storage already has it.
+ * 
  */
 
 public interface ResourceAccessSecurity {
-    
-    public Resource checkReadPermission( Resource resource );
-    public boolean canCreate( String absPathName, String user );
-    public boolean canUpdate( Resource resource );
-    public boolean canDelete( Resource resource );
-    public boolean canExecute( Resource resource );
-
-    public boolean canReadValue( Resource resource, String valueName );
-    public boolean canCreateValue( Resource resource, String valueName );
-    public boolean canUpdateValue( Resource resource, String valueName );
-    public boolean canDeleteValue( Resource resource, String valueName );
 
-    public String sanitizeQuery( String query, String language, String user ) throws AccessSecurityException;
+    public Resource getReadableResource(Resource resource);
+
+    public boolean canCreate(String absPathName, ResourceResolver resourceResolver);
+
+    public boolean canUpdate(Resource resource);
+
+    public boolean canDelete(Resource resource);
+
+    public boolean canExecute(Resource resource);
+
+    public boolean canReadValue(Resource resource, String valueName);
+
+    public boolean canSetValue(Resource resource, String valueName);
+
+    public boolean canDeleteValue(Resource resource, String valueName);
+
+    /**
+     * Allows to transform the query based on the current
+     * user's credentials. Can be used to narrow down queries to omit results
+     * that the current user is not allowed to see anyway, speeding up
+     * downstream access control.
+     * 
+     * Query transformations are not critical with respect to access control as results
+     * are checked using the canRead.. methods anyway. 
+     * 
+     * @param query the query
+     * @param language the language in which the query is expressed
+     * @param resourceResolver the resource resolver which resolves the query
+     * @return the transformed query
+     * @throws AccessSecurityException 
+     */
+    public String transformQuery(String query, String language, ResourceResolver resourceResolver)
+            throws AccessSecurityException;
 
 }
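Review bot: The new declarations `getReadableResource`, `canCreate`, `canUpdate`, `canDelete`, `canExecute` and the `can*Value` methods carry no Javadoc, so the interface never says what a denial looks like, in particular what `getReadableResource` returns when read access is refused. For an access-control API that contract should be explicit so resource providers fail closed; once the intended behaviour is confirmed, add a Javadoc such as `@return the resource (possibly wrapped) if it may be read, or null if access is denied`. The `transformQuery` Javadoc still refers to "the canRead.. methods", although the read checks in this interface are now `getReadableResource` and `canReadValue`, and its `@throws AccessSecurityException` has no description. The re-wrapped class comment has also merged its two bullet items into one run-on paragraph.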

Modified: sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/ResourceAccessGate.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/ResourceAccessGate.java?rev=1462804&r1=1462803&r2=1462804&view=diff
==============================================================================
--- sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/ResourceAccessGate.java (original)
+++ sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/ResourceAccessGate.java Sat Mar 30 17:17:36 2013
@@ -19,6 +19,7 @@
 package org.apache.sling.resourceaccesssecurity;
 
 import org.apache.sling.api.resource.Resource;
+import org.apache.sling.api.resource.ResourceResolver;
 import org.apache.sling.api.security.AccessSecurityException;
 
 
@@ -131,7 +132,23 @@ public interface ResourceAccessGate {
     public GateResult canUpdateValue( Resource resource, String valueName, String user );
     public GateResult canDeleteValue( Resource resource, String valueName, String user );
 
-    public String sanitizeQuery( String query, String language, String user ) throws AccessSecurityException;
+    /**
+     * Allows to transform the query based on the current
+     * user's credentials. Can be used to narrow down queries to omit results
+     * that the current user is not allowed to see anyway, speeding up
+     * downstream access control.
+     * 
+     * Query transformations are not critical with respect to access control as results
+     * are checked using the canRead.. methods anyway. 
+     * 
+     * @param query the query
+     * @param language the language in which the query is expressed
+     * @param resourceResolver the resource resolver which resolves the query
+     * @return the transformed query
+     * @throws AccessSecurityException 
+     */
+    public String transformQuery(String query, String language, ResourceResolver resourceResolver)
+            throws AccessSecurityException;
 
     /* for convenience (and performance) */
     public boolean hasReadRestrictions( String user );
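Review bot: `transformQuery` now receives a `ResourceResolver`, while the neighbouring gate methods visible in this hunk (`canUpdateValue`, `canDeleteValue`, `hasReadRestrictions`) still identify the caller by a `String user`, so a gate implementation gets the principal in two different forms. The same commit folds value creation and update into `canSetValue` on `ResourceAccessSecurity`, yet the gate keeps `canUpdateValue`; how the service maps `canSetValue` onto gate calls is not visible here and should be documented or aligned. The Javadoc should also tell implementers not to rely on the transformed query for enforcement, e.g. `Implementations must still filter every result through the read checks; this method is an optimisation only.` The interface body starts and ends outside this hunk.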

Modified: sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/impl/ResourceAccessSecurityImpl.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/impl/ResourceAccessSecurityImpl.java?rev=1462804&r1=1462803&r2=1462804&view=diff
==============================================================================
--- sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/impl/ResourceAccessSecurityImpl.java (original)
+++ sling/trunk/bundles/resourceaccesssecurity/src/main/java/org/apache/sling/resourceaccesssecurity/impl/ResourceAccessSecurityImpl.java Sat Mar 30 17:17:36 2013
@@ -89,7 +89,7 @@ public class ResourceAccessSecurityImpl 
     }
 
     @Override
-    public Resource checkReadPermission(Resource resource) {
+    public Resource getReadableResource(Resource resource) {
         Resource returnValue = resource;
         ResourceResolver resResolver = resource.getResourceResolver();
         String user = resResolver.getUserID();
@@ -142,7 +142,7 @@ public class ResourceAccessSecurityImpl 
     }
 
     @Override
-    public boolean canCreate(String absPathName, String user) {
+    public boolean canCreate(String absPathName, ResourceResolver resourceResolver) {
         // TODO Auto-generated method stub
         return false;
     }
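Review bot: The new `resourceResolver` parameter of `canCreate` is never read, and the body is still the generated stub that returns `false`; the `canSetValue` hunk further down is in the same state. Denying by default is the safe direction for an unfinished access check, but `// TODO Auto-generated method stub` does not say the denial is deliberate. I would replace it in both places with `// Not implemented yet: deny by default (fail closed).` so that a later change does not turn the stub into `return true`. The class body continues outside the hunk.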
@@ -172,13 +172,7 @@ public class ResourceAccessSecurityImpl 
     }
 
     @Override
-    public boolean canCreateValue(Resource resource, String valueName) {
-        // TODO Auto-generated method stub
-        return false;
-    }
-
-    @Override
-    public boolean canUpdateValue(Resource resource, String valueName) {
+    public boolean canSetValue(Resource resource, String valueName) {
         // TODO Auto-generated method stub
         return false;
     }
@@ -190,7 +184,7 @@ public class ResourceAccessSecurityImpl 
     }
 
     @Override
-    public String sanitizeQuery(String query, String language, String user)
+    public String transformQuery(String query, String language, ResourceResolver resourceResolver)
             throws AccessSecurityException {
         return query;
     }
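Review bot: `transformQuery` returns `query` unchanged and ignores both `language` and the new `resourceResolver`, so as far as this hunk shows, the `ResourceAccessGate.transformQuery` method added in the same commit is never called from here. The pass-through is harmless for enforcement only while every query result is still passed through `getReadableResource`, which is what the interface Javadoc assumes. A comment should record that dependency, e.g. `// Pass-through for now: gates are not consulted; results must still be filtered by getReadableResource().` The class body starts outside the hunk.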