Interface ResourceAccessGate

All Known Implementing Classes:
AllowingResourceAccessGate

@ConsumerType public interface ResourceAccessGate
The ResourceAccessGate defines a service API which can be used to restrict access to resources. Implementations of this service interface must be registered, like a ResourceProvider, with a path (like provider.roots). If several ResourceAccessGateService services match a path, all of them are called, not only the one with the longest path. This is in contrast to the ResourceProvider, but in this case more logical (and secure!). The gates are called in the order of their service ranking. If one of the gates grants access for a given operation, access is granted.
Service properties:
  • path: regexp to define on which paths the service should be called (default .*)
  • operations: set of operations on which the service should be called ("read,create,update,delete,execute", default all of them)
  • finaloperations: set of operations for which the service's answer is final and no further service is called (default none of them), unless the GateResult is ResourceAccessGate.GateResult.CANT_DECIDE
The resource access gate can have either the context PROVIDER_CONTEXT, in which case the gate is only applied to resource providers requesting the security checks, or the context APPLICATION_CONTEXT, in which case the access gate is invoked for the whole resource tree. The context is indicated by the required service property CONTEXT. If the property is missing or invalid, the service is ignored.
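A gate registered with the service properties described above, as an added example (not code from the Sling project). The package, class name, path expression, ranking value and user ID are hypothetical; the registration uses OSGi Declarative Services annotations and extends the AllowingResourceAccessGate listed under the implementing classes, overriding only the operations it restricts.

```java
package com.example.security; // hypothetical package

import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.security.AllowingResourceAccessGate;
import org.apache.sling.api.security.ResourceAccessGate;
import org.osgi.service.component.annotations.Component;

@Component(service = ResourceAccessGate.class, property = {
    // Required: without a valid context the service is ignored.
    ResourceAccessGate.CONTEXT + "=" + ResourceAccessGate.APPLICATION_CONTEXT,
    // Regular expression, not a path prefix (hypothetical subtree).
    ResourceAccessGate.PATH + "=/content/archive/.*",
    ResourceAccessGate.OPERATIONS + "=update",
    ResourceAccessGate.OPERATIONS + "=delete",
    // A non-CANT_DECIDE answer from this gate ends evaluation for these operations.
    ResourceAccessGate.FINALOPERATIONS + "=update",
    ResourceAccessGate.FINALOPERATIONS + "=delete",
    // Position of this gate in the call order (hypothetical value).
    "service.ranking:Integer=1000"
})
public class ArchiveWriteProtectionGate extends AllowingResourceAccessGate {
    private static final String ARCHIVE_ADMIN = "archive-admin"; // hypothetical user ID

    @Override
    public GateResult canUpdate(Resource resource) {
        return decide(resource);
    }

    @Override
    public GateResult canDelete(Resource resource) {
        return decide(resource);
    }

    @Override
    public boolean hasUpdateRestrictions(ResourceResolver resolver) {
        return true; // this gate restricts update
    }
    @Override
    public boolean hasDeleteRestrictions(ResourceResolver resolver) {
        return true; // this gate restricts delete
    }

    private GateResult decide(Resource resource) {
        String user = resource.getResourceResolver().getUserID();
        // CANT_DECIDE is never final, so other matching gates decide for the admin.
        return ARCHIVE_ADMIN.equals(user) ? GateResult.CANT_DECIDE : GateResult.DENIED;
    }
}
```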
  • Field Details

    • SERVICE_NAME

      static final String SERVICE_NAME
      The service name to use when registering implementations of this interface as services (value is "org.apache.sling.api.resource.ResourceAccessGate").
    • CONTEXT

      static final String CONTEXT
      The name of the service registration property containing the context of this service. Allowed values are APPLICATION_CONTEXT and PROVIDER_CONTEXT. This property is required and has no default value. (value is "access.context")
    • APPLICATION_CONTEXT

      static final String APPLICATION_CONTEXT
      Allowed value for the CONTEXT service registration property. Services marked with this context are applied to all resources.
    • PROVIDER_CONTEXT

      static final String PROVIDER_CONTEXT
      Allowed value for the CONTEXT service registration property. Services marked with this context are only applied to resource providers which indicate the additional checks with the ResourceProvider.USE_RESOURCE_ACCESS_SECURITY property.
    • PATH

      static final String PATH
      The name of the service registration property containing the path as a regular expression for which the service should be called (value is "path").
    • OPERATIONS

      static final String OPERATIONS
      The name of the (multi-value) service registration property containing the operations for which the service should be called, defaults to all the operations (value is "operations").
    • FINALOPERATIONS

      static final String FINALOPERATIONS
      The name of the (multi-value) service registration property containing the operations for which the service should be called and after which no further service should be called, unless the service returns DONTCARE as the result. The default is empty (none of them are final) (value is "finaloperations").
  • Method Details

    • canRead

      ResourceAccessGate.GateResult canRead(org.apache.sling.api.resource.Resource resource)
    • canCreate

      ResourceAccessGate.GateResult canCreate(String absPathName, org.apache.sling.api.resource.ResourceResolver resourceResolver)
    • canOrderChildren

      default ResourceAccessGate.GateResult canOrderChildren(org.apache.sling.api.resource.Resource resource)
    • canUpdate

      ResourceAccessGate.GateResult canUpdate(org.apache.sling.api.resource.Resource resource)
    • canDelete

      ResourceAccessGate.GateResult canDelete(org.apache.sling.api.resource.Resource resource)
    • canExecute

      ResourceAccessGate.GateResult canExecute(org.apache.sling.api.resource.Resource resource)
    • canReadValue

      ResourceAccessGate.GateResult canReadValue(org.apache.sling.api.resource.Resource resource, String valueName)
    • canCreateValue

      ResourceAccessGate.GateResult canCreateValue(org.apache.sling.api.resource.Resource resource, String valueName)
    • canUpdateValue

      ResourceAccessGate.GateResult canUpdateValue(org.apache.sling.api.resource.Resource resource, String valueName)
    • canDeleteValue

      ResourceAccessGate.GateResult canDeleteValue(org.apache.sling.api.resource.Resource resource, String valueName)
    • transformQuery

      String transformQuery(String query, String language, org.apache.sling.api.resource.ResourceResolver resourceResolver) throws org.apache.sling.api.security.AccessSecurityException
      Allows the query to be transformed based on the current user's credentials. Can be used to narrow down queries to omit results that the current user is not allowed to see anyway, speeding up downstream access control. Query transformations are not critical with respect to access control, as results are checked using the canRead... methods anyway.
      Parameters:
      query - the query
      language - the language in which the query is expressed
      resourceResolver - the resource resolver which resolves the query
      Returns:
      the transformed query, or the original query if no transformation took place. This method should never return null.
      Throws:
      org.apache.sling.api.security.AccessSecurityException
    • hasReadRestrictions

      boolean hasReadRestrictions(org.apache.sling.api.resource.ResourceResolver resourceResolver)
    • hasCreateRestrictions

      boolean hasCreateRestrictions(org.apache.sling.api.resource.ResourceResolver resourceResolver)
    • hasOrderChildrenRestrictions

      default boolean hasOrderChildrenRestrictions(org.apache.sling.api.resource.ResourceResolver resourceResolver)
    • hasUpdateRestrictions

      boolean hasUpdateRestrictions(org.apache.sling.api.resource.ResourceResolver resourceResolver)
    • hasDeleteRestrictions

      boolean hasDeleteRestrictions(org.apache.sling.api.resource.ResourceResolver resourceResolver)
    • hasExecuteRestrictions

      boolean hasExecuteRestrictions(org.apache.sling.api.resource.ResourceResolver resourceResolver)
    • canReadAllValues

      boolean canReadAllValues(org.apache.sling.api.resource.Resource resource)
    • canCreateAllValues

      boolean canCreateAllValues(org.apache.sling.api.resource.Resource resource)
    • canUpdateAllValues

      boolean canUpdateAllValues(org.apache.sling.api.resource.Resource resource)
    • canDeleteAllValues

      boolean canDeleteAllValues(org.apache.sling.api.resource.Resource resource)