Posted to commits@sling.apache.org by ro...@apache.org on 2016/07/26 14:36:16 UTC

svn commit: r1754136 - /sling/site/trunk/content/documentation/bundles/sling-oak-restrictions.mdtext

Author: rombert
Date: Tue Jul 26 14:36:16 2016
New Revision: 1754136

URL: http://svn.apache.org/viewvc?rev=1754136&view=rev
Log:
SLING-5890 - Documentation for the new sling oak restrictions from SLING-5768

Fixed formatting.

Submitted-By: Georg Henzler

Modified:
    sling/site/trunk/content/documentation/bundles/sling-oak-restrictions.mdtext

Modified: sling/site/trunk/content/documentation/bundles/sling-oak-restrictions.mdtext
URL: http://svn.apache.org/viewvc/sling/site/trunk/content/documentation/bundles/sling-oak-restrictions.mdtext?rev=1754136&r1=1754135&r2=1754136&view=diff
==============================================================================
--- sling/site/trunk/content/documentation/bundles/sling-oak-restrictions.mdtext (original)
+++ sling/site/trunk/content/documentation/bundles/sling-oak-restrictions.mdtext Tue Jul 26 14:36:16 2016
@@ -3,7 +3,7 @@ Title: Sling Oak Restrictions
 
 
 ## Introduction
-Oak introduced plugability of restrictions as described in [Oak Restriction Management](https://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html#Pluggability). The bundle sling-oak-restrictions provides additional restrictions that make sense to all sling application. Currently sling restrictions for exact resource type match and resource type match including all children are supplied.
+Oak introduced plugability of restrictions as described in [Oak Restriction Management](https://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html#Pluggability). The bundle sling-oak-restrictions provides additional restrictions that generally make sense for sling applications. Currently sling restrictions for exact resource type match and resource type match including all children are supplied.
 
 **Important:** Using the sling restrictions (as well as standard oak restrictions) is not as performant as simple path based ACE entries without any restrictions. Permission setups should always mostly work with path based ACEs and only use ACEs with restrictions for special cases. 
 
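Review bot: the rewritten introduction sentence still spells "plugability" with one "g", although the Oak anchor it links to is `#Pluggability`, and it leaves "sling" lowercase in "sling applications" and "sling restrictions". Since the line is being edited anyway, change these to "pluggability" and "Sling". The log message says "Fixed formatting", but this hunk changes wording ("make sense to all sling application" becomes "generally make sense for sling applications"), so the log should mention the text correction as well.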
@@ -12,88 +12,80 @@ This restriction allows to match against
 
 The following example allows `myAuthorizable` to write to all nodes that have either resource type `myproj/comp1` or `myproj/comp2`:
 
-```
-- /content/myprj/mynode 
-   - rep:policy (rep:ACL)
-     - allow (rep:GrantACE)
-       + principalName (String) = "myAuthorizable"
-       + rep:privileges (Name[]) = "rep:write"
-       - rep:restrictions (rep:Restrictions)
-          + 	sling:resourceTypes (String[]) = [myproj/comp1,myproj/comp2]
-```
+    - /content/myprj/mynode 
+       - rep:policy (rep:ACL)
+         - allow (rep:GrantACE)
+           + principalName (String) = "myAuthorizable"
+           + rep:privileges (Name[]) = "rep:write"
+           - rep:restrictions (rep:Restrictions)
+              + sling:resourceTypes (String[]) = [myproj/comp1,myproj/comp2]
+
 
 Assuming the following structure
 
-```
-- /content/myprj 
-   + sling:resourceType (String) = "myproj/siteroot"
-   - mynode
-     + sling:resourceType (String) = "myproj/comp1"
-     - mysubnode 
-       + sling:resourceType (String) = "myproj/comp3"
+    - /content/myprj 
+       + sling:resourceType (String) = "myproj/siteroot"
+       - mynode
+         + sling:resourceType (String) = "myproj/comp1"
+         - mysubnode 
+           + sling:resourceType (String) = "myproj/comp3"
 
-```
 
-the rule from above will match `/content/myprj/mynode` and not `/content/myprj` nor `/content/myprj/mynode/mysubnode`
+the rule from above will match `/content/myprj/mynode` and not `/content/myprj` (parent) nor `/content/myprj/mynode/mysubnode` (child).
 
 Naturally (as with any oak restrictions), the rule is limited to its base path. In case the node `/content/myprj/othernode` is of resource type `myproj/comp1`, it will still not match.
 
 ## Restriction sling:resourceTypesWithChildren
-This restriction matches against resource types in the same way as `sling:resourceTypes`, except that it will also match all children of a matched node.
+This restriction matches against resource types in the same way as [sling:resourceTypes](#restriction-slingresourcetype), except that it will also match all children of a matched node.
+
+The following example allows `myAuthorizable` to write to all nodes that have either resource type `myproj/comp1` or `myproj/comp2` **or are a child of a node, that has one of these resource types**:
 
-The folowing example allows `myAuthorizable` to write to all nodes that have either resource type `myproj/comp1` or `myproj/comp2` **or are a child of a node, that has one of these resource types**:
+    - /content/myprj/mynode 
+       - rep:policy (rep:ACL)
+         - allow (rep:GrantACE)
+           + principalName (String) = "myAuthorizable"
+           + rep:privileges (Name[]) = "rep:write"
+             - rep:restrictions (rep:Restrictions)
+               + sling:resourceTypesWithChildren (String[]) = [myproj/comp1,myproj/comp2]
 
-```
-- /content/myprj/mynode 
-   - rep:policy (rep:ACL)
-     - allow (rep:GrantACE)
-       + principalName (String) = "myAuthorizable"
-       + rep:privileges (Name[]) = "rep:write"
-       - rep:restrictions (rep:Restrictions)
-          + 	sling:resourceTypesWithChildren (String[]) = [myproj/comp1,myproj/comp2]
-```
 
-Assuming the structure example as mentioned in [sling:resourceTypes](#restriction-sling_resourceTypes), the rule from above will match `/content/myprj/mynode` and `/content/myprj/mynode/mysubnode` (and any other subnodes of `/content/myprj/mynode` with arbitrary resource types), but not `/content/myprj`.
+Assuming the structure example as mentioned in [sling:resourceTypes](#restriction-slingresourcetype), the rule from above will match `/content/myprj/mynode` and `/content/myprj/mynode/mysubnode` (and any other subnodes of `/content/myprj/mynode` with arbitrary resource types), but not `/content/myprj`.
 
 ## Advanced Path Matching
-Both [sling:resourceTypes](#restriction-sling_resourceTypes) and [sling:resourceTypesWithChildren](#restriction-sling_resourceTypesWithChildren) support advanced path matching by using `resourcetype@path`. That way instead of checking the resource type of the current node, the resource type of node at the relative path is checked. For instnace this is useful for the case where page content is stored in a `jcr:content` subnode of a hierarchy, the permission however is required to become effective on the parent node of `jcr:content`. 
+Both [sling:resourceTypes](#restriction-slingresourcetype) and [sling:resourceTypesWithChildren](#restriction-slingresourcetypeswithchildren) support advanced path matching by using `resourcetype@path`. That way instead of checking the resource type of the current node, the resource type of node at the relative path is checked. For instance this is useful for the case where page content is stored in a `jcr:content` subnode of a hierarchy, the permission however is required to become effective on the parent node of `jcr:content`. 
 
-The folowing example allows `myAuthorizable` to write to all nodes that have a subnode `jcr:content` with resource type `myproj/comp1` or `myproj/comp2` including their children:
+The following example allows `myAuthorizable` to write to all nodes that have a subnode `jcr:content` with resource type `myproj/comp1` or `myproj/comp2` including their children:
 
-```
-- /content/myprj/mynode 
-   - rep:policy (rep:ACL)
-     - allow (rep:GrantACE)
-       + principalName (String) = "myAuthorizable"
-       + rep:privileges (Name[]) = "rep:write"
-       - rep:restrictions (rep:Restrictions)
-          + 	sling:resourceTypesWithChildren (String[]) = [myproj/comp1@jcr:content,myproj/comp2@jcr:content]
-```
+    - /content/myprj/mynode 
+       - rep:policy (rep:ACL)
+         - allow (rep:GrantACE)
+           + principalName (String) = "myAuthorizable"
+           + rep:privileges (Name[]) = "rep:write"
+           - rep:restrictions (rep:Restrictions)
+              + sling:resourceTypesWithChildren (String[]) = [myproj/comp1@jcr:content,myproj/comp2@jcr:content]
 
 Assuming the following structure
 
-```
-- /content/myprj 
-   - jcr:content 
-      + sling:resourceType (String) = "myproj/siteroot"
-   - mynode1
-     - jcr:content 
-        + sling:resourceType (String) = "myproj/comp1"
-     - mysubnode1 
-       - jcr:content 
-          + sling:resourceType (String) = "myproj/comp3"
-          - contentsubnode1 
-            + sling:resourceType (String) = "myproj/comp4"
-          - contentsubnode2
-            + sling:resourceType (String) = "myproj/comp5"
-     - mysubnode2 
+    - /content/myprj 
        - jcr:content 
-          + sling:resourceType (String) = "myproj/comp3"
-   - mynode2
-     - jcr:content 
-        + sling:resourceType (String) = "myproj/comp7"
+          + sling:resourceType (String) = "myproj/siteroot"
+       - mynode1
+         - jcr:content 
+            + sling:resourceType (String) = "myproj/comp1"
+         - mysubnode1 
+           - jcr:content 
+              + sling:resourceType (String) = "myproj/comp3"
+              - contentsubnode1 
+                + sling:resourceType (String) = "myproj/comp4"
+              - contentsubnode2
+                + sling:resourceType (String) = "myproj/comp5"
+         - mysubnode2 
+           - jcr:content 
+              + sling:resourceType (String) = "myproj/comp3"
+       - mynode2
+         - jcr:content 
+            + sling:resourceType (String) = "myproj/comp7"
 
-```
 the rule from above will match 
 
 * `/content/myprj/mynode1` (because of the `@jcr:content` part of `myproj/comp1@jcr:content`)
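
Review bot: in the converted `sling:resourceTypesWithChildren` example, the added line `- rep:restrictions (rep:Restrictions)` is indented two spaces deeper than in the `sling:resourceTypes` and Advanced Path Matching examples, so it reads as a child of the `rep:privileges` property instead of a child of the `allow` ACE. Align it with `+ rep:privileges (Name[]) = "rep:write"` as in the other two blocks, and move the `+ sling:resourceTypesWithChildren` line to match. Separately, the new anchor `#restriction-slingresourcetype` drops the plural "s" of `sling:resourceTypes`, while the sibling anchor is `#restriction-slingresourcetypeswithchildren`. Check it against the id generated for that heading so all three links resolve.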