@ProviderType
public interface ResourceAccessSecurity
ResourceAccessSecurity
defines a service API which is
used in two different context: for securing resource providers which
have no own access control and on the application level to further
restrict the access to resources in general.
A resource access security service is registered with the service
property CONTEXT
. Allowed values are APPLICATION_CONTEXT
and PROVIDER_CONTEXT
. If the value is missing or invalid,
the service will be ignored.
In the context of resource providers, this service might be used
for implementations of resource providers where the underlying persistence
layer does not implement access control. The goal is to make it easy to implement
a lightweight access control for such providers. For example, a JCR resource
providers should *not* use the provider context resource access security - in a
JCR context, security is fully delegated to the underlying repository, and
mixing security models would be a bad idea.
In the context of the application, this service might be used to add
additional or temporary constraints across the whole resource tree.
It is expected to only have a single service per context in the
framework/application (much like the OSGi LogService or ConfigurationAdmin Service).
In the case of multiple services per context, the one with the highest
service ranking is used.Modifier and Type | Field and Description |
---|---|
static java.lang.String |
APPLICATION_CONTEXT
Allowed value for the
CONTEXT service registration property. |
static java.lang.String |
CONTEXT
The name of the service registration property containing the context
of this service.
|
static java.lang.String |
PROVIDER_CONTEXT
Allowed value for the
CONTEXT service registration property. |
Modifier and Type | Method and Description |
---|---|
boolean |
canCreate(@NotNull java.lang.String absPathName,
@NotNull ResourceResolver resourceResolver)
Check whether a resource can be created at the path.
|
boolean |
canDelete(@NotNull Resource resource)
Check whether a resource can be deleted at the path.
|
boolean |
canDeleteValue(@NotNull Resource resource,
@NotNull java.lang.String valueName)
Check whether a value can be deleted
|
boolean |
canExecute(@NotNull Resource resource)
Check whether a resource can be executed at the path.
|
boolean |
canReadValue(@NotNull Resource resource,
@NotNull java.lang.String valueName)
Check whether a value can be read
|
boolean |
canSetValue(@NotNull Resource resource,
@NotNull java.lang.String valueName)
Check whether a value can be set
|
boolean |
canUpdate(@NotNull Resource resource)
Check whether a resource can be updated at the path.
|
@Nullable Resource |
getReadableResource(Resource resource)
If supplied Resource can be read, return it (or a wrapped
variant of it).
|
@NotNull java.lang.String |
transformQuery(@NotNull java.lang.String query,
@NotNull java.lang.String language,
@NotNull ResourceResolver resourceResolver)
Optionally transform a query based on the current
user's credentials.
|
static final java.lang.String CONTEXT
APPLICATION_CONTEXT
and
PROVIDER_CONTEXT
.
This property is required and has no default value.
(value is "access.context")static final java.lang.String APPLICATION_CONTEXT
CONTEXT
service registration property.
Services marked with this context are applied to all resources.static final java.lang.String PROVIDER_CONTEXT
CONTEXT
service registration property.
Services marked with this context are only applied to resource
providers which indicate the additional checks with the
ResourceProvider.USE_RESOURCE_ACCESS_SECURITY
property.@Nullable @Nullable Resource getReadableResource(Resource resource)
resource
- The resource to test.Resource
cannot be readboolean canCreate(@NotNull @NotNull java.lang.String absPathName, @NotNull @NotNull ResourceResolver resourceResolver)
absPathName
- The path to createresourceResolver
- The resource resolverResource
can be created at the supplied
absolute path.boolean canUpdate(@NotNull @NotNull Resource resource)
resource
- The resource to test.Resource
can be updatedboolean canDelete(@NotNull @NotNull Resource resource)
resource
- The resource to test.Resource
can be deletedboolean canExecute(@NotNull @NotNull Resource resource)
resource
- The resource to test.Resource
can be executed as a scriptboolean canReadValue(@NotNull @NotNull Resource resource, @NotNull @NotNull java.lang.String valueName)
resource
- The resource to test.valueName
- The name of the valueResource
can be readboolean canSetValue(@NotNull @NotNull Resource resource, @NotNull @NotNull java.lang.String valueName)
resource
- The resource to test.valueName
- The name of the valueResource
can be setboolean canDeleteValue(@NotNull @NotNull Resource resource, @NotNull @NotNull java.lang.String valueName)
resource
- The resource to test.valueName
- The name of the valueResource
can be deleted@NotNull @NotNull java.lang.String transformQuery(@NotNull @NotNull java.lang.String query, @NotNull @NotNull java.lang.String language, @NotNull @NotNull ResourceResolver resourceResolver) throws AccessSecurityException
query
- the querylanguage
- the language in which the query is expressedresourceResolver
- the resource resolver which resolves the queryAccessSecurityException
- If access is deniedCopyright © 2018 The Apache Software Foundation. All rights reserved.