@ProviderType
public interface ResourceAccessSecurity
ResourceAccessSecurity
defines a service API which is
used in two different context: for securing resource providers which
have no own access control and on the application level to further
restrict the access to resources in general.
A resource access security service is registered with the service
property CONTEXT
. Allowed values are APPLICATION_CONTEXT
and PROVIDER_CONTEXT
. If the value is missing or invalid,
the service will be ignored.
In the context of resource providers, this service might be used
for implementations of resource providers where the underlying persistence
layer does not implement access control. The goal is to make it easy to implement
a lightweight access control for such providers. For example, a JCR resource
providers should *not* use the provider context resource access security - in a
JCR context, security is fully delegated to the underlying repository, and
mixing security models would be a bad idea.
In the context of the application, this service might be used to add
additional or temporary constraints across the whole resource tree.
It is expected to only have a single service per context in the
framework/application (much like the OSGi LogService or ConfigurationAdmin Service).
In the case of multiple services per context, the one with the highest
service ranking is used.Modifier and Type | Field and Description |
---|---|
static String |
APPLICATION_CONTEXT
Allowed value for the
CONTEXT service registration property. |
static String |
CONTEXT
The name of the service registration property containing the context
of this service.
|
static String |
PROVIDER_CONTEXT
Allowed value for the
CONTEXT service registration property. |
Modifier and Type | Method and Description |
---|---|
boolean |
canCreate(String absPathName,
ResourceResolver resourceResolver)
Check whether a resource can be created at the path.
|
boolean |
canDelete(Resource resource)
Check whether a resource can be deleted at the path.
|
boolean |
canDeleteValue(Resource resource,
String valueName)
Check whether a value can be deleted
|
boolean |
canExecute(Resource resource)
Check whether a resource can be executed at the path.
|
boolean |
canReadValue(Resource resource,
String valueName)
Check whether a value can be read
|
boolean |
canSetValue(Resource resource,
String valueName)
Check whether a value can be set
|
boolean |
canUpdate(Resource resource)
Check whether a resource can be updated at the path.
|
Resource |
getReadableResource(Resource resource)
If supplied Resource can be read, return it (or a wrapped
variant of it).
|
String |
transformQuery(String query,
String language,
ResourceResolver resourceResolver)
Optionally transform a query based on the current
user's credentials.
|
static final String CONTEXT
APPLICATION_CONTEXT
and
PROVIDER_CONTEXT
.
This property is required and has no default value.
(value is "access.context")static final String APPLICATION_CONTEXT
CONTEXT
service registration property.
Services marked with this context are applied to all resources.static final String PROVIDER_CONTEXT
CONTEXT
service registration property.
Services marked with this context are only applied to resource
providers which indicate the additional checks with the
ResourceProvider.USE_RESOURCE_ACCESS_SECURITY
property.@CheckForNull Resource getReadableResource(Resource resource)
resource
- The resource to test.Resource
cannot be readboolean canCreate(@Nonnull String absPathName, @Nonnull ResourceResolver resourceResolver)
absPathName
- The path to createresourceResolver
- The resource resolverResource
can be created at the supplied
absolute path.boolean canUpdate(@Nonnull Resource resource)
resource
- The resource to test.Resource
can be updatedboolean canDelete(@Nonnull Resource resource)
resource
- The resource to test.Resource
can be deletedboolean canExecute(@Nonnull Resource resource)
resource
- The resource to test.Resource
can be executed as a scriptboolean canReadValue(@Nonnull Resource resource, @Nonnull String valueName)
resource
- The resource to test.valueName
- The name of the valueResource
can be readboolean canSetValue(@Nonnull Resource resource, @Nonnull String valueName)
resource
- The resource to test.valueName
- The name of the valueResource
can be setboolean canDeleteValue(@Nonnull Resource resource, @Nonnull String valueName)
resource
- The resource to test.valueName
- The name of the valueResource
can be deleted@Nonnull String transformQuery(@Nonnull String query, @Nonnull String language, @Nonnull ResourceResolver resourceResolver) throws AccessSecurityException
query
- the querylanguage
- the language in which the query is expressedresourceResolver
- the resource resolver which resolves the queryAccessSecurityException
- If access is deniedCopyright © 2017 The Apache Software Foundation. All rights reserved.