You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@jackrabbit.apache.org by "angela (Resolved) (JIRA)" <ji...@apache.org> on 2011/11/30 14:05:39 UTC

[jira] [Resolved] (JCR-2887) Split PrivilegeRegistry in a per-session manager instance and a repository level registry

     [ https://issues.apache.org/jira/browse/JCR-2887?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

angela resolved JCR-2887.
-------------------------

       Resolution: Fixed
    Fix Version/s:     (was: 2.4)
                   2.3.5

resolving this issue fixed. the former PrivilegeRegistry has been split into
a per-session PrivilegeManager and a repository unique PrivilegeRegistry.
Those methods of PrivilegeRegistry that relied on Session-level namespace
mappings got deprecated. The corresponding methods on PrivilegeManager
should be used instead.

The new privilege manager is exposed as interface in 
org.apache.jackrabbit.api.security.authorization.PrivilegeManager.
It provides methods to retrieve existing privileges and register new custom 
privileges and aggregates of custom and built-in privileges. Registration of new
privileges works similar to namespace or node type registration as it requires 
no Session.save() call and the new privileges are immediately effective on 
the repository level.
Note however, that Jackrabbit internal permission evaluation does not take 
custom privileges into account. Applications that want to make use of the access 
control evaluation associated with custom privileges are in charge of the
corresponding validation. Up to now un-registration of custom privileges is
not supported.

The PrivilegeManager may be obtained by calling
JackrabbitWorkspace.getPrivilegeManager() which similar to Workspace#getNodeTypeManager() reflects the fact changes don't require a Session.save in order to be persisted.

In order to register custom privileges a given editing Session must be allowed
to manage privileges. This permission may be granted by editing the repository
level access control using a 'null' path (see also JCR-2774 for details). 

                
> Split PrivilegeRegistry in a per-session manager instance and a repository level registry
> -----------------------------------------------------------------------------------------
>
>                 Key: JCR-2887
>                 URL: https://issues.apache.org/jira/browse/JCR-2887
>             Project: Jackrabbit Content Repository
>          Issue Type: Improvement
>          Components: jackrabbit-core, security
>            Reporter: angela
>            Assignee: angela
>             Fix For: 2.3.5
>
>
> in order to resolve the privilegeregistry related TODOs within jackrabbit-core, i would like to split off those 
> methods from PrivilegeRegistry  that are used on a per-session level (including jcr-names) and add them
> to a manager class that was present with each session context. consequently the responsibility of the
> registry was then limited to read/build the privilege definitions and would be present on the repositorycontext
> deprecating those methods that would be covered by the manager).
> in addition the naming was then consistent with what we use to have for nodetypes and namespaces.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira