Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2014/05/09 12:54:36 UTC
svn commit: r1593512 - in /jackrabbit/oak/trunk/oak-doc/src/site/markdown/security: accesscontrol/restriction.md user/authorizableaction.md
Author: angela
Date: Fri May 9 10:54:36 2014
New Revision: 1593512
URL: http://svn.apache.org/r1593512
Log:
OAK-301 : oak docu
Modified:
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/restriction.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/authorizableaction.md
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/restriction.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/restriction.md?rev=1593512&r1=1593511&r2=1593512&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/restriction.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/restriction.md Fri May 9 10:54:36 2014
@@ -22,28 +22,147 @@ Restriction Management
_todo_
+### Restriction API
-### Default Restrictions
+The following public interfaces are provided by Oak in the package `org.apache.jackrabbit.oak.spi.security.authorization.restriction`:
+
+- [RestrictionProvider]
+- [Restriction]
+- [RestrictionDefinition]
+- [RestrictionPattern]
+
+### Default Implementation
+
+Oak 1.0 provides the following base implementations:
+
+- `AbstractRestrictionProvider`: abstract base implementation of the provider interface.
+- `RestrictionDefinitionImpl`: default implementation of the `RestrictionDefinition` interface.
+- `RestrictionImpl`: default implementation of the `Restriction` interface.
+- `CompositeRestrictionProvider`: Allows to aggregate multiple provider implementations.
+- `CompositePattern`: Allows to aggregate multiple restriction patterns.
+
+#### Changes wrt Jackrabbit 2.x
+
+_todo_
+
+#### Built-in Restriction Implementations
The default implementations of the `Restriction` interface are present with
-Oak 1.0:
+Oak 1.0 access control management:
* `rep:glob`:
* `rep:ntNames`:
* `rep:prefixes`:
-### Pluggability
-
-_todo_
+### Pluggability
-#### Examples
+The default security setup as present with Oak 1.0 is able to track custom
+`RestrictionProvider` implementations and will automatically combine the
+different implementations using the `CompositeRestrictionProvider`.
-##### Custom RestrictionProvider
+In an OSGi setup the following steps are required in order to add a action provider
+implementation:
-_todo_
+- implement `RestrictionProvider` interface exposing your custom restriction(s).
+- make the provider implementation an OSGi service and make it available to the Oak repository.
-##### Custom Restriction
+#### Examples
-_todo_
+##### Example RestrictionProvider
+Simple example of a `RestrictionProvider` that defines a single time-based `Restriction`,
+which is expected to have 2 values defining a start and end date, which can then be used
+to allow or deny access within the given time frame.
+
+ @Component
+ @Service(RestrictionProvider.class)
+ public class MyRestrictionProvider extends AbstractRestrictionProvider {
+
+ public MyRestrictionProvider() {
+ super(supportedRestrictions());
+ }
+
+ private static Map<String, RestrictionDefinition> supportedRestrictions() {
+ RestrictionDefinition dates = new RestrictionDefinitionImpl("dates", Type.DATES, false);
+ return Collections.singletonMap(dates.getName(), dates);
+ }
+
+ //------------------------------------------------< RestrictionProvider >---
+
+ @Override
+ public RestrictionPattern getPattern(String oakPath, Tree tree) {
+ if (oakPath != null) {
+ PropertyState property = tree.getProperty("dates");
+ if (property != null) {
+ return DatePattern.create(property);
+ }
+ }
+ return RestrictionPattern.EMPTY;
+ }
+
+ @Nonnull
+ @Override
+ public RestrictionPattern getPattern(@Nullable String oakPath, @Nonnull Set<Restriction> restrictions) {
+ if (oakPath != null) {
+ for (Restriction r : restrictions) {
+ String name = r.getDefinition().getName();
+ if ("dates".equals(name)) {
+ return DatePattern.create(r.getProperty());
+ }
+ }
+ }
+ return RestrictionPattern.EMPTY;
+ }
+
+ // TODO: implementing 'validateRestrictions(String oakPath, Tree aceTree)' would allow to make sure the property contains 2 date values.
+ }
+
+##### Example RestrictionPattern
+
+The time-based `RestrictionPattern` used by the example provider above.
+
+ class DatePattern implements RestrictionPattern {
+
+ private final Date start;
+ private final Date end;
+
+ private DatePattern(@Nonnull Calendar start, @Nonnull Calendar end) {
+ this.start = start.getTime();
+ this.end = end.getTime();
+ }
+
+ static RestrictionPattern create(PropertyState timeProperty) {
+ if (timeProperty.count() == 2) {
+ return new DatePattern(
+ Conversions.convert(timeProperty.getValue(Type.DATE, 0), Type.DATE).toCalendar(),
+ Conversions.convert(timeProperty.getValue(Type.DATE, 1), Type.DATE).toCalendar()
+ );
+ } else {
+ return RestrictionPattern.EMPTY;
+ }
+ }
+
+ @Override
+ public boolean matches(@Nonnull Tree tree, @Nullable PropertyState property) {
+ return matches();
+ }
+
+ @Override
+ public boolean matches(@Nonnull String path) {
+ return matches();
+ }
+
+ @Override
+ public boolean matches() {
+ Date d = new Date();
+ return d.after(start) && d.before(end);
+ }
+ };
+
+
+<!-- hidden references -->
+[Restriction]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/restriction/Restriction.html
+[RestrictionDefinition]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.html
+[RestrictionPattern]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionPattern.html
+[RestrictionProvider]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionProvider.html
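Review bot: In `DatePattern.create`, the `else` branch returns `RestrictionPattern.EMPTY` when the `dates` property does not hold exactly 2 values, which is the same pattern both `getPattern` overloads return when no `dates` restriction is present at all, so a malformed restriction is handled as if no restriction had been set instead of being rejected. The only guard is the `// TODO` about `validateRestrictions(String oakPath, Tree aceTree)`; since this is documentation that readers will copy, either implement that validation in the example or say in the surrounding text that it is required. The same validation should check that the first date precedes the second, because `d.after(start) && d.before(end)` can never be true otherwise. Separately, the Pluggability paragraph says "add a action provider implementation", which reads as carried over from authorizableaction.md and should be "a restriction provider implementation"; the first `getPattern` overload lacks the `@Nonnull`/`@Nullable` annotations the second one has; and `DatePattern` closes with a stray `};`.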
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/authorizableaction.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/authorizableaction.md?rev=1593512&r1=1593511&r2=1593512&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/authorizableaction.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/authorizableaction.md Fri May 9 10:54:36 2014
@@ -36,7 +36,7 @@ the handling of implementation specific
### AuthorizableAction API
-The following public interfaces are provided by Oak in the package `org.apache.jackrabbit.oak.spi.security.user.action.*`:
+The following public interfaces are provided by Oak in the package `org.apache.jackrabbit.oak.spi.security.user.action`:
- [AuthorizableAction]
- [AuthorizableActionProvider]
@@ -55,6 +55,11 @@ Oak 1.0 provides the following base impl
- `DefaultAuthorizableActionProvider`: default action provider service that allows to enable the built-in actions provided with oak.
- `CompositeActionProvider`: Allows to aggregate multiple provider implementations.
+#### Changes wrt Jackrabbit 2.x
+
+- actions no longer operate on JCR API but rather on the Oak API direct.
+- provider interface simplifies pluggability
+
#### Built-in AuthorizableAction Implementations
The following implementations of the `AuthorizableAction` interface are provided:
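Review bot: In the new "Changes wrt Jackrabbit 2.x" list, "on the Oak API direct." should read "directly", and the two bullets are inconsistent in punctuation (the first ends with a period, the second does not). The second bullet, "provider interface simplifies pluggability", would be more useful if it named the interface (`AuthorizableActionProvider`, listed just above) and said in a few words what changed compared to 2.x.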
@@ -169,7 +174,6 @@ that will later be used to store various
}
-
<!-- hidden references -->
[AuthorizableAction]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/action/AuthorizableAction.html
[AuthorizableActionProvider]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/action/AuthorizableActionProvider.html