Interface ResourceAccessGate
- All Known Implementing Classes:
AllowingResourceAccessGate
@ConsumerType
public interface ResourceAccessGate
The
ResourceAccessGate defines a service API which might be used
to make some restrictions to accessing resources.
Implementations of this service interface must be registered like
ResourceProvider with a path (like provider.roots). If different
ResourceAccessGateService services match a path, not only the
ResourceAccessGateService with the longest path will be called, but all of
them, that's in contrast to the ResourceProvider, but in this case more
logical (and secure!). The gates will be called in the order of the
service ranking.
If one of the gates grants access for a given operation access will be granted.
service properties:
- path: regexp to define on which paths the service should be called (default .*)
- operations: set of operations on which the service should be called ("read,create,update,delete,execute", default all of them)
- finaloperations: set of operations on which the service answer is
final and no further service should be called (default none of them), except
the GateResult is
ResourceAccessGate.GateResult.CANT_DECIDE
PROVIDER_CONTEXT,
in this case the gate is only applied to resource providers requesting the
security checks. Or the context can be APPLICATION_CONTEXT. In this
case the access gate is invoked for the whole resource tree.
This is indicated by the required service property CONTEXT. If the
property is missing or invalid, the service is ignored.-
Nested Class Summary
Nested ClassesModifier and TypeInterfaceDescriptionstatic enumGateResultdefines 3 possible states which can be returned by the different canXXX methods of this interface.static enum -
Field Summary
FieldsModifier and TypeFieldDescriptionstatic final StringAllowed value for theCONTEXTservice registration property.static final StringThe name of the service registration property containing the context of this service.static final StringThe name of the (multi-value) service registration property containing the operations for which the service should be called and no further service should be called after this, except the services returns DONTCARE as result, default is empty (none of them are final) (value is "finaloperations").static final StringThe name of the (multi-value) service registration property containing the operations for which the service should be called, defaults to all the operations (value is "operations").static final StringThe name of the service registration property containing the path as a regular expression for which the service should be called (value is "path").static final StringAllowed value for theCONTEXTservice registration property.static final StringThe service name to use when registering implementations of this interface as services (value is "org.apache.sling.api.resource.ResourceAccessGate"). -
Method Summary
Modifier and TypeMethodDescriptionbooleancanCreateAllValues(org.apache.sling.api.resource.Resource resource) canCreateValue(org.apache.sling.api.resource.Resource resource, String valueName) canDelete(org.apache.sling.api.resource.Resource resource) booleancanDeleteAllValues(org.apache.sling.api.resource.Resource resource) canDeleteValue(org.apache.sling.api.resource.Resource resource, String valueName) canExecute(org.apache.sling.api.resource.Resource resource) default ResourceAccessGate.GateResultcanOrderChildren(org.apache.sling.api.resource.Resource resource) canRead(org.apache.sling.api.resource.Resource resource) booleancanReadAllValues(org.apache.sling.api.resource.Resource resource) canReadValue(org.apache.sling.api.resource.Resource resource, String valueName) canUpdate(org.apache.sling.api.resource.Resource resource) booleancanUpdateAllValues(org.apache.sling.api.resource.Resource resource) canUpdateValue(org.apache.sling.api.resource.Resource resource, String valueName) booleanhasCreateRestrictions(org.apache.sling.api.resource.ResourceResolver resourceResolver) booleanhasDeleteRestrictions(org.apache.sling.api.resource.ResourceResolver resourceResolver) booleanhasExecuteRestrictions(org.apache.sling.api.resource.ResourceResolver resourceResolver) default booleanhasOrderChildrenRestrictions(org.apache.sling.api.resource.ResourceResolver resourceResolver) booleanhasReadRestrictions(org.apache.sling.api.resource.ResourceResolver resourceResolver) booleanhasUpdateRestrictions(org.apache.sling.api.resource.ResourceResolver resourceResolver) transformQuery(String query, String language, org.apache.sling.api.resource.ResourceResolver resourceResolver) Allows to transform the query based on the current user's credentials.
-
Field Details
-
SERVICE_NAME
The service name to use when registering implementations of this interface as services (value is "org.apache.sling.api.resource.ResourceAccessGate"). -
CONTEXT
The name of the service registration property containing the context of this service. Allowed values areAPPLICATION_CONTEXTandPROVIDER_CONTEXT. This property is required and has no default value. (value is "access.context")- See Also:
-
APPLICATION_CONTEXT
Allowed value for theCONTEXTservice registration property. Services marked with this context are applied to all resources.- See Also:
-
PROVIDER_CONTEXT
Allowed value for theCONTEXTservice registration property. Services marked with this context are only applied to resource providers which indicate the additional checks with theResourceProvider.USE_RESOURCE_ACCESS_SECURITYproperty.- See Also:
-
PATH
The name of the service registration property containing the path as a regular expression for which the service should be called (value is "path").- See Also:
-
OPERATIONS
The name of the (multi-value) service registration property containing the operations for which the service should be called, defaults to all the operations (value is "operations").- See Also:
-
FINALOPERATIONS
The name of the (multi-value) service registration property containing the operations for which the service should be called and no further service should be called after this, except the services returns DONTCARE as result, default is empty (none of them are final) (value is "finaloperations").- See Also:
-
-
Method Details
-
canRead
-
canCreate
ResourceAccessGate.GateResult canCreate(String absPathName, org.apache.sling.api.resource.ResourceResolver resourceResolver) -
canOrderChildren
default ResourceAccessGate.GateResult canOrderChildren(org.apache.sling.api.resource.Resource resource) -
canUpdate
-
canDelete
-
canExecute
-
canReadValue
ResourceAccessGate.GateResult canReadValue(org.apache.sling.api.resource.Resource resource, String valueName) -
canCreateValue
ResourceAccessGate.GateResult canCreateValue(org.apache.sling.api.resource.Resource resource, String valueName) -
canUpdateValue
ResourceAccessGate.GateResult canUpdateValue(org.apache.sling.api.resource.Resource resource, String valueName) -
canDeleteValue
ResourceAccessGate.GateResult canDeleteValue(org.apache.sling.api.resource.Resource resource, String valueName) -
transformQuery
String transformQuery(String query, String language, org.apache.sling.api.resource.ResourceResolver resourceResolver) throws org.apache.sling.api.security.AccessSecurityException Allows to transform the query based on the current user's credentials. Can be used to narrow down queries to omit results that the current user is not allowed to see anyway, speeding up downstream access control. Query transformations are not critical with respect to access control as results are checked using the canRead.. methods anyway.- Parameters:
query- the querylanguage- the language in which the query is expressedresourceResolver- the resource resolver which resolves the query- Returns:
- the transformed query or the original query if no tranformation
took place. This method should never return
null - Throws:
org.apache.sling.api.security.AccessSecurityException
-
hasReadRestrictions
boolean hasReadRestrictions(org.apache.sling.api.resource.ResourceResolver resourceResolver) -
hasCreateRestrictions
boolean hasCreateRestrictions(org.apache.sling.api.resource.ResourceResolver resourceResolver) -
hasOrderChildrenRestrictions
default boolean hasOrderChildrenRestrictions(org.apache.sling.api.resource.ResourceResolver resourceResolver) -
hasUpdateRestrictions
boolean hasUpdateRestrictions(org.apache.sling.api.resource.ResourceResolver resourceResolver) -
hasDeleteRestrictions
boolean hasDeleteRestrictions(org.apache.sling.api.resource.ResourceResolver resourceResolver) -
hasExecuteRestrictions
boolean hasExecuteRestrictions(org.apache.sling.api.resource.ResourceResolver resourceResolver) -
canReadAllValues
boolean canReadAllValues(org.apache.sling.api.resource.Resource resource) -
canCreateAllValues
boolean canCreateAllValues(org.apache.sling.api.resource.Resource resource) -
canUpdateAllValues
boolean canUpdateAllValues(org.apache.sling.api.resource.Resource resource) -
canDeleteAllValues
boolean canDeleteAllValues(org.apache.sling.api.resource.Resource resource)
-