Access Control Extension
1 Prerequisites
This is an extension of eXo JCR Access Control features. Please read Access Control and JCR Extensions topics before.2 Overview
An extended Access Control system consists of:- Specifically configured custom Extended Access Manager which is called by eXo JCR internals to check if some user's Session (user) has some privilege to perform some operation
- The Action which sets the thread local Invocation Context at runtime. This invocation context is used by the Extended Access Manager to make a decision about the current Session's permission
- Invocation Context is a collection of properties which reflect the state of a current Session. For the time being it contains: the type of the current operation on Session (event), current Item (javax.jcr.Item) on which this operation is performed and the current eXo Container
3 Access Context Action
SetAccessContextAction implements Action and may be called by SessionActionInterceptor as a reaction of some event - usually before writing methods and after reading (getNode(), getProperty() etc). This SetAccessContextAction calls the AccessManager.setContext(InvocationContext context) method which sets the ThreadLocal invocation context for the current call. Action's Configuration may look like the following:<value> <object type="org.exoplatform.services.jcr.impl.ext.action.ActionConfiguration"> <field name="eventTypes"><string>addNode,read</string></field> <field name="workspace"><string>production</string></field > <field name="actionClassName"><string>org.exoplatform.services.jcr.ext.SetAccessContextAction</string></field> </object> </value>
4 The Invocation Context
The InvocationContext contains the current Item, the current ExoContainer and the current EventType like below:public interface InvocationContext extends ContextBase { Item getCurrentItem(); int getEventType(); ExoContainer getContainer(); }
5 Custom Extended Access Manager
By default all Workspaces share an AccessManager instance, created by RepositoryService at the startup (DefaultAccessManagerImpl) which supports default access control policy as described in the Access Control chapter. Custom Access Control policy can be applied to certain Workspace configuring access-manager element inside workspace as follows:<workspace name="ws"> ... <!-- after query-handler element --> <access-manager class="org.exoplatform.services.jcr.CustomAccessManagerImpl"> <properties> <property name="someProperty" value="value"/> ... </properties> </access-manager> ... </workspace>
6 Example of a custom Access Manager
The sample CustomAccessManagerImpl below extends the default access manager and uses some DecisionMakingService in the overloaded hasPermission method to find out if a current user has permission to use current item, event type, userID and some parameter of AccessManager. To make this Access manager work it is necessary to configure it in jcr configuration as mentioned in Custom Extended Access Manager as well as SetAccessContextAction should be configured in the way mentioned in Access Context Actiopublic class CustomAccessManagerImpl extends AccessManager { private String property; private DecisionMakingService theService; public CustomAccessManagerImpl (RepositoryEntry config, WorkspaceEntry wsConfig, OrganizationService orgService, DecisionMakingService someService) throws RepositoryException { super(config, wsConfig, orgService); this.property = wsConfig.getAccessManager().getParameterValue("someParam"); this.theService = someService; } @Override public boolean hasPermission(AccessControlList acl, String[] permission, String userId) { // call the default permission check if (super.hasPermission(acl, permission, userId)) { Item curItem = context().getCurrentItem(); int eventType = context().getEventType(); ExoContainer container = context().getContainer(); // call some service's method return theService.makeDecision(curItem, eventType, userId, property); } else { return false; } } }
on 04/10/2009 at 19:05