Package org.apache.sling.api.security
Interface ResourceAccessSecurity
@ProviderType
public interface ResourceAccessSecurity
The
ResourceAccessSecurity
defines a service API which is
used in two different context: for securing resource providers which
have no own access control and on the application level to further
restrict the access to resources in general.
A resource access security service is registered with the service
property CONTEXT
. Allowed values are APPLICATION_CONTEXT
and PROVIDER_CONTEXT
. If the value is missing or invalid,
the service will be ignored.
In the context of resource providers, this service might be used
for implementations of resource providers where the underlying persistence
layer does not implement access control. The goal is to make it easy to implement
a lightweight access control for such providers. For example, a JCR resource
providers should *not* use the provider context resource access security - in a
JCR context, security is fully delegated to the underlying repository, and
mixing security models would be a bad idea.
In the context of the application, this service might be used to add
additional or temporary constraints across the whole resource tree.
It is expected to only have a single service per context in the
framework/application (much like the OSGi LogService or ConfigurationAdmin Service).
In the case of multiple services per context, the one with the highest
service ranking is used.-
Field Summary
Modifier and TypeFieldDescriptionstatic final String
Allowed value for theCONTEXT
service registration property.static final String
The name of the service registration property containing the context of this service.static final String
Allowed value for theCONTEXT
service registration property. -
Method Summary
Modifier and TypeMethodDescriptionboolean
canCreate
(@NotNull String absPathName, @NotNull ResourceResolver resourceResolver) Check whether a resource can be created at the path.boolean
Check whether a resource can be deleted at the path.boolean
canDeleteValue
(@NotNull Resource resource, @NotNull String valueName) Check whether a value can be deletedboolean
canExecute
(@NotNull Resource resource) Check whether a resource can be executed at the path.default boolean
canOrderChildren
(@NotNull Resource resource) Check whether child resources can be ordered.boolean
canReadValue
(@NotNull Resource resource, @NotNull String valueName) Check whether a value can be readboolean
canSetValue
(@NotNull Resource resource, @NotNull String valueName) Check whether a value can be setboolean
Check whether a resource can be updated at the path.@Nullable Resource
getReadableResource
(Resource resource) If supplied Resource can be read, return it (or a wrapped variant of it).@NotNull String
transformQuery
(@NotNull String query, @NotNull String language, @NotNull ResourceResolver resourceResolver) Optionally transform a query based on the current user's credentials.
-
Field Details
-
CONTEXT
The name of the service registration property containing the context of this service. Allowed values areAPPLICATION_CONTEXT
andPROVIDER_CONTEXT
. This property is required and has no default value. (value is "access.context")- See Also:
-
APPLICATION_CONTEXT
Allowed value for theCONTEXT
service registration property. Services marked with this context are applied to all resources.- See Also:
-
PROVIDER_CONTEXT
Allowed value for theCONTEXT
service registration property. Services marked with this context are only applied to resource providers which indicate the additional checks with theResourceProvider.USE_RESOURCE_ACCESS_SECURITY
property.- See Also:
-
-
Method Details
-
getReadableResource
If supplied Resource can be read, return it (or a wrapped variant of it). The returned Resource should then be used instead of the one that was passed into the method.- Parameters:
resource
- The resource to test.- Returns:
- null if
Resource
cannot be read
-
canCreate
boolean canCreate(@NotNull @NotNull String absPathName, @NotNull @NotNull ResourceResolver resourceResolver) Check whether a resource can be created at the path.- Parameters:
absPathName
- The path to createresourceResolver
- The resource resolver- Returns:
- true if a
Resource
can be created at the supplied absolute path.
-
canOrderChildren
Check whether child resources can be ordered.- Parameters:
resource
- The resource to test.- Returns:
- true if child resources can be ordered below the supplied resource
- Since:
- 1.1.0 (Sling API Bundle 2.24.0)
-
canUpdate
Check whether a resource can be updated at the path.- Parameters:
resource
- The resource to test.- Returns:
- true if supplied
Resource
can be updated
-
canDelete
Check whether a resource can be deleted at the path.- Parameters:
resource
- The resource to test.- Returns:
- true if supplied
Resource
can be deleted
-
canExecute
Check whether a resource can be executed at the path.- Parameters:
resource
- The resource to test.- Returns:
- true if supplied
Resource
can be executed as a script
-
canReadValue
Check whether a value can be read- Parameters:
resource
- The resource to test.valueName
- The name of the value- Returns:
- true if the "valueName" value of supplied
Resource
can be read
-
canSetValue
Check whether a value can be set- Parameters:
resource
- The resource to test.valueName
- The name of the value- Returns:
- true if the "valueName" value of supplied
Resource
can be set
-
canDeleteValue
Check whether a value can be deleted- Parameters:
resource
- The resource to test.valueName
- The name of the value- Returns:
- true if the "valueName" value of supplied
Resource
can be deleted
-
transformQuery
@NotNull @NotNull String transformQuery(@NotNull @NotNull String query, @NotNull @NotNull String language, @NotNull @NotNull ResourceResolver resourceResolver) throws AccessSecurityException Optionally transform a query based on the current user's credentials. Can be used to narrow down queries to omit results that the current user is not allowed to see anyway, to speed up downstream access control. Query transformations are not critical with respect to access control as results are filtered downstream using the canRead.. methods.- Parameters:
query
- the querylanguage
- the language in which the query is expressedresourceResolver
- the resource resolver which resolves the query- Returns:
- the transformed query
- Throws:
AccessSecurityException
- If access is denied
-