Jackrabbit Content Repository
  1. Jackrabbit Content Repository
  2. JCR-2887

Split PrivilegeRegistry in a per-session manager instance and a repository level registry

    Details

    • Type: Improvement Improvement
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.3.5
    • Component/s: jackrabbit-core, security
    • Labels:
      None

      Description

      in order to resolve the privilegeregistry related TODOs within jackrabbit-core, i would like to split off those
      methods from PrivilegeRegistry that are used on a per-session level (including jcr-names) and add them
      to a manager class that was present with each session context. consequently the responsibility of the
      registry was then limited to read/build the privilege definitions and would be present on the repositorycontext
      deprecating those methods that would be covered by the manager).
      in addition the naming was then consistent with what we use to have for nodetypes and namespaces.

        Issue Links

        There are no Sub-Tasks for this issue.

          Activity

          Hide
          Jukka Zitting added a comment -

          Updated target version to 2.4 as the next stable release. Set to the next 2.3.x release if this gets resolved before 2.4 is branched.

          Show
          Jukka Zitting added a comment - Updated target version to 2.4 as the next stable release. Set to the next 2.3.x release if this gets resolved before 2.4 is branched.
          Hide
          angela added a comment -

          resolving this issue fixed. the former PrivilegeRegistry has been split into
          a per-session PrivilegeManager and a repository unique PrivilegeRegistry.
          Those methods of PrivilegeRegistry that relied on Session-level namespace
          mappings got deprecated. The corresponding methods on PrivilegeManager
          should be used instead.

          The new privilege manager is exposed as interface in
          org.apache.jackrabbit.api.security.authorization.PrivilegeManager.
          It provides methods to retrieve existing privileges and register new custom
          privileges and aggregates of custom and built-in privileges. Registration of new
          privileges works similar to namespace or node type registration as it requires
          no Session.save() call and the new privileges are immediately effective on
          the repository level.
          Note however, that Jackrabbit internal permission evaluation does not take
          custom privileges into account. Applications that want to make use of the access
          control evaluation associated with custom privileges are in charge of the
          corresponding validation. Up to now un-registration of custom privileges is
          not supported.

          The PrivilegeManager may be obtained by calling
          JackrabbitWorkspace.getPrivilegeManager() which similar to Workspace#getNodeTypeManager() reflects the fact changes don't require a Session.save in order to be persisted.

          In order to register custom privileges a given editing Session must be allowed
          to manage privileges. This permission may be granted by editing the repository
          level access control using a 'null' path (see also JCR-2774 for details).

          Show
          angela added a comment - resolving this issue fixed. the former PrivilegeRegistry has been split into a per-session PrivilegeManager and a repository unique PrivilegeRegistry. Those methods of PrivilegeRegistry that relied on Session-level namespace mappings got deprecated. The corresponding methods on PrivilegeManager should be used instead. The new privilege manager is exposed as interface in org.apache.jackrabbit.api.security.authorization.PrivilegeManager. It provides methods to retrieve existing privileges and register new custom privileges and aggregates of custom and built-in privileges. Registration of new privileges works similar to namespace or node type registration as it requires no Session.save() call and the new privileges are immediately effective on the repository level. Note however, that Jackrabbit internal permission evaluation does not take custom privileges into account. Applications that want to make use of the access control evaluation associated with custom privileges are in charge of the corresponding validation. Up to now un-registration of custom privileges is not supported. The PrivilegeManager may be obtained by calling JackrabbitWorkspace.getPrivilegeManager() which similar to Workspace#getNodeTypeManager() reflects the fact changes don't require a Session.save in order to be persisted. In order to register custom privileges a given editing Session must be allowed to manage privileges. This permission may be granted by editing the repository level access control using a 'null' path (see also JCR-2774 for details).

            People

            • Assignee:
              angela
              Reporter:
              angela
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development