Index: oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java =================================================================== --- oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java (revision 1828585) +++ oak-authorization-cug/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugConfiguration.java (working copy) @@ -192,13 +192,17 @@ return CugContext.INSTANCE; } + @Override + public void setParameters(ConfigurationParameters config) { + super.setParameters(config); + supportedPaths = CugUtil.getSupportedPaths(config, mountInfoProvider); + } + //----------------------------------------------------< SCR Integration >--- @SuppressWarnings("UnusedDeclaration") @Activate protected void activate(Map properties) { - ConfigurationParameters params = ConfigurationParameters.of(properties); - setParameters(params); - supportedPaths = CugUtil.getSupportedPaths(params, mountInfoProvider); + setParameters(ConfigurationParameters.of(properties)); } @SuppressWarnings("UnusedDeclaration") Index: oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugSecurityProvider.java =================================================================== --- oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugSecurityProvider.java (revision 1828585) +++ oak-authorization-cug/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugSecurityProvider.java (working copy) 
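Review bot: The new `setParameters` override derives `supportedPaths` from whatever `mountInfoProvider` holds at the moment of the call, and nothing in this hunk recomputes it if that provider is bound or replaced afterwards. Since `supportedPaths` presumably decides where CUG policies are evaluated, a stale or empty value would be an authorization gap rather than a cosmetic issue. The bind/unbind methods for `mountInfoProvider` lie outside the hunk and should be checked for this. It would help to document the dependency on the override, e.g. `/** Also recomputes supportedPaths from the current MountInfoProvider; call again if that provider changes. */`. Whether any constructor path reaches this override before `mountInfoProvider` is initialised is not visible here and is worth confirming.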
@@ -33,7 +33,7 @@ CugConfiguration cugConfiguration = new CugConfiguration(); ConfigurationParameters params = configuration.getConfigValue(AuthorizationConfiguration.NAME, ConfigurationParameters.EMPTY); - cugConfiguration.activate(params); + cugConfiguration.setParameters(params); SecurityProvider sp = SecurityProviderBuilder.newBuilder().with(configuration).build(); SecurityProviderHelper.updateConfig(sp, cugConfiguration, AuthorizationConfiguration.class); Index: oak-core/src/test/java/org/apache/jackrabbit/oak/security/principal/PrincipalConfigurationImplTest.java =================================================================== --- oak-core/src/test/java/org/apache/jackrabbit/oak/security/principal/PrincipalConfigurationImplTest.java (revision 1828585) +++ oak-core/src/test/java/org/apache/jackrabbit/oak/security/principal/PrincipalConfigurationImplTest.java (working copy) 
@@ -24,11 +24,16 @@ import org.apache.jackrabbit.oak.AbstractSecurityTest; import org.apache.jackrabbit.oak.api.Root; import org.apache.jackrabbit.oak.namepath.NamePathMapper; +import org.apache.jackrabbit.oak.security.internal.SecurityProviderBuilder; import org.apache.jackrabbit.oak.security.user.UserConfigurationImpl; +import org.apache.jackrabbit.oak.spi.security.CompositeConfiguration; +import org.apache.jackrabbit.oak.spi.security.ConfigurationBase; import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters; import org.apache.jackrabbit.oak.spi.security.Context; import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration; import org.apache.jackrabbit.oak.spi.security.SecurityProvider; +import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration; +import org.apache.jackrabbit.oak.spi.security.principal.EmptyPrincipalProvider; import org.apache.jackrabbit.oak.spi.security.principal.PrincipalConfiguration; import org.apache.jackrabbit.oak.spi.security.principal.PrincipalManagerImpl; import org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider; 
@@ -148,4 +153,35 @@ PrincipalProvider pp = pc3.getPrincipalProvider(root, NamePathMapper.DEFAULT); assertTrue(pp instanceof PrincipalProviderImpl); } + + @Test + public void testGetPrincipalProvider5() { + PrincipalProvider pp = EmptyPrincipalProvider.INSTANCE; + + PrincipalConfigurationImpl pc = new PrincipalConfigurationImpl() { + + @Override + public PrincipalProvider getPrincipalProvider(Root root, NamePathMapper namePathMapper) { + return pp; + } + }; + + ConfigurationParameters params = ConfigurationParameters.EMPTY; + pc.setParameters(params); + SecurityProvider securityProvider = SecurityProviderBuilder.newBuilder().with(params).build(); + + CompositeConfiguration composite = (CompositeConfiguration) securityProvider + .getConfiguration(PrincipalConfiguration.class); + PrincipalConfiguration defConfig = composite.getDefaultConfig(); + + pc.setSecurityProvider(securityProvider); + pc.setRootProvider(((ConfigurationBase) defConfig).getRootProvider()); + pc.setTreeProvider(((ConfigurationBase) defConfig).getTreeProvider()); + + composite.addConfiguration(pc); + composite.addConfiguration(defConfig); + + PrincipalProvider ppt = pc.getPrincipalProvider(root, NamePathMapper.DEFAULT); + assertEquals(pp, ppt); + } } \ No newline at end of file Index: oak-doc/src/site/markdown/security/authorization/composite.md =================================================================== --- oak-doc/src/site/markdown/security/authorization/composite.md (revision 1828585) +++ oak-doc/src/site/markdown/security/authorization/composite.md (working copy) 
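Review bot: The final assertion in `testGetPrincipalProvider5` calls `pc.getPrincipalProvider(...)`, which is the anonymous override that returns `pp` unconditionally, so the test passes whether or not the composite wiring above it works. To cover the manual registration path (`setSecurityProvider`, `setRootProvider`, `setTreeProvider`, `addConfiguration`), obtain the provider through the security provider instead, e.g. `securityProvider.getConfiguration(PrincipalConfiguration.class).getPrincipalProvider(root, NamePathMapper.DEFAULT)`, and assert on what the composite is expected to return. The unchecked casts to `CompositeConfiguration` and `ConfigurationBase` would surface as a bare `ClassCastException` if the builder's defaults change. An `assertTrue(defConfig instanceof ConfigurationBase)` before the casts would make that failure readable.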
@@ -164,15 +164,15 @@ `requiredServicePids` property of the `SecurityProviderRegistration` _("Apache Jackrabbit Oak SecurityProvider")_ i.e. forcing the recreation of the `SecurityProvider`. - in a non-OSGi setup this requires adding the configuration - to the `SecurityProvider` (e.g. _SecurityProviderImpl.bindAuthorizationConfiguration_) + to the `SecurityProvider` (e.g. _SecurityProviderBuilder.newBuilder().with(params).build()_) and subsequently creating the JCR/Oak repository object. - + **Important Note** Despite the fact that Oak supports the aggregation of multiple authorization models, this extension is only recommended for experts that have in-depth knowledge and understanding of Jackrabbit/Oak authorization concepts. Doing so might otherwise result in severe security issues and heavily impact overall performance. - + [PolicyOwner]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/PolicyOwner.html [AggregatedPermissionProvider]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/permission/AggregatedPermissionProvider.html Index: oak-doc/src/site/markdown/security/authorization/cug.md =================================================================== --- oak-doc/src/site/markdown/security/authorization/cug.md (revision 1828585) +++ oak-doc/src/site/markdown/security/authorization/cug.md (working copy) 
@@ -276,18 +276,27 @@ CugConfiguration cug = new CugConfiguration(); cug.setParameters(params); - // bind it to the security provider (simplified => subclassing required due to protected access) - SecurityProviderImpl securityProvider = new SecurityProviderImpl(); - securityProvider.bindAuthorizationConfiguration(cug); + // bind it to the security provider + SecurityProvider securityProvider = SecurityProviderBuilder.newBuilder().with(configuration).build(); + CompositeConfiguration composite = (CompositeConfiguration) securityProvider + .getConfiguration(AuthorizationConfiguration.class); + AuthorizationConfiguration defConfig = composite.getDefaultConfig(); + + cug.setSecurityProvider(securityProvider); + cug.setRootProvider(((ConfigurationBase) defConfig).getRootProvider()); + cug.setTreeProvider(((ConfigurationBase) defConfig).getTreeProvider()); + composite.addConfiguration(cug); + composite.addConfiguration(defConfig); + // create the Oak repository (alternatively: create the JCR repository) Oak oak = new Oak() .with(new InitialContent()) // TODO: add all required editors .with(securityProvider); - withEditors(oak); - ContentRepository contentRepository = oak.createContentRepository(); - + withEditors(oak); + ContentRepository contentRepository = oak.createContentRepository(); + #### Customize CugExclude The following steps are required in order to customize the `CugExclude` implementation Index: oak-doc/src/site/markdown/security/authorization/restriction.md =================================================================== --- oak-doc/src/site/markdown/security/authorization/restriction.md (revision 1828585) +++ oak-doc/src/site/markdown/security/authorization/restriction.md (working copy) 
@@ -281,7 +281,7 @@ RestrictionProvider rProvider = CompositeRestrictionProvider.newInstance(new MyRestrictionProvider(), ...); Map authorizMap = ImmutableMap.of(PARAM_RESTRICTION_PROVIDER, rProvider); ConfigurationParameters config = ConfigurationParameters.of(ImmutableMap.of(AuthorizationConfiguration.NAME, ConfigurationParameters.of(authorizMap))); - SecurityProvider securityProvider = new SecurityProviderImpl(config)); + SecurityProvider securityProvider = SecurityProviderBuilder.newBuilder().with(config).build(); Repository repo = new Jcr(new Oak()).with(securityProvider).createRepository(); Index: oak-doc/src/site/markdown/security/introduction.md =================================================================== --- oak-doc/src/site/markdown/security/introduction.md (revision 1828585) +++ oak-doc/src/site/markdown/security/introduction.md (working copy) @@ -91,8 +91,8 @@ NodeStore nodeStore = ... ConfigurationParameters params = ... // TODO: provide config options - SecurityProvider sp = new SecurityProviderImpl(params); - // Optional: bind additional/custom implementations of the supported `SecurityConfiguration`s + // Optional: set additional/custom implementations of the supported `SecurityConfiguration`s via the params + SecurityProvider sp = SecurityProviderBuilder.newBuilder().with(params).build(); Repository repository = new Jcr(nodeStore).with(sp).createRepository(); 
@@ -216,7 +216,7 @@ | Parameter | Type | Default | Description | |--------------------------|----------|-----------|------------------------| -| `Authorization Composition Type` | String (AND|OR) | AND | The Composite Authorization model uses this flag to determine what type of logic to apply to the existing providers| +| `Authorization Composition Type` | String (AND\|OR) | AND | The Composite Authorization model uses this flag to determine what type of logic to apply to the existing providers| Given a set of permission providers, the composite model can aggregate the results by applying an `AND` logic (for example all providers must allow a specific privilege in order to be granted), or an `OR` (for example any provider can allow a privilege). By default the `AND` version is used. 
@@ -294,9 +294,23 @@ Extend the default `SecurityProvider` with a custom `PrincipalConfiguration`. See also _oak-exercise_ module for an example. - SecurityProvider sp = new SecurityProviderImpl(); - sp.bindPrincipalConfiguration(new MyPrincipalConfiguration()); - Repository repository = new Jcr().with(sp).createRepository(); + MyPrincipalConfiguration pc = new MyPrincipalConfiguration(); + + ConfigurationParameters params = ConfigurationParameters.EMPTY; + pc.setParameters(params); + SecurityProvider securityProvider = SecurityProviderBuilder.newBuilder().with(params).build(); + + CompositeConfiguration composite = (CompositeConfiguration) securityProvider + .getConfiguration(PrincipalConfiguration.class); + PrincipalConfiguration defConfig = composite.getDefaultConfig(); + + pc.setSecurityProvider(securityProvider); + pc.setRootProvider(((ConfigurationBase) defConfig).getRootProvider()); + pc.setTreeProvider(((ConfigurationBase) defConfig).getTreeProvider()); + composite.addConfiguration(pc); + composite.addConfiguration(defConfig); + + Repository repo = new Jcr(new Oak()).with(securityProvider).createRepository(); ##### Initialization of SecurityConfiguration(s) Index: oak-doc/src/site/markdown/security/user/authorizableaction.md =================================================================== --- oak-doc/src/site/markdown/security/user/authorizableaction.md (revision 1828585) +++ oak-doc/src/site/markdown/security/user/authorizableaction.md (working copy) 
@@ -183,7 +183,7 @@ Map userParams = new HashMap(); userParams.put(UserConstants.PARAM_AUTHORIZABLE_ACTION_PROVIDER, new MyAuthorizableActionProvider()); ConfigurationParameters config = ConfigurationParameters.of(ImmutableMap.of(UserConfiguration.NAME, ConfigurationParameters.of(userParams))); - SecurityProvider securityProvider = new SecurityProviderImpl(config)); + SecurityProvider securityProvider = SecurityProviderBuilder.newBuilder().with(config).build(); Repository repo = new Jcr(new Oak()).with(securityProvider).createRepository(); Index: oak-doc/src/site/markdown/security/user/authorizablenodename.md =================================================================== --- oak-doc/src/site/markdown/security/user/authorizablenodename.md (revision 1828585) +++ oak-doc/src/site/markdown/security/user/authorizablenodename.md (working copy) @@ -101,7 +101,7 @@ Map userParams = new HashMap(); userParams.put(UserConstants.PARAM_AUTHORIZABLE_NODE_NAME, new UUIDNodeName()); ConfigurationParameters config = ConfigurationParameters.of(ImmutableMap.of(UserConfiguration.NAME, ConfigurationParameters.of(userParams))); - SecurityProvider securityProvider = new SecurityProviderImpl(config)); + SecurityProvider securityProvider = SecurityProviderBuilder.newBuilder().with(config).build(); Repository repo = new Jcr(new Oak()).with(securityProvider).createRepository();