svn commit: r1828446 - /jackrabbit/oak/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/advanced/
Author: angela Date: Thu Apr 5 15:33:48 2018 New Revision: 1828446 URL: http://svn.apache.org/viewvc?rev=1828446=rev Log: OAK-5122 : Exercise for Custom Authorization Models (wip) Added: jackrabbit/oak/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/advanced/ jackrabbit/oak/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/advanced/L1_IntroductionTest.java - copied, changed from r1828439, jackrabbit/oak/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/accesscontrol/L1_IntroductionTest.java jackrabbit/oak/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/advanced/L2_SetupAggregationTest.java (with props) jackrabbit/oak/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/advanced/L3_UnderstandAggregationTest.java (with props) jackrabbit/oak/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/advanced/L4_CustomAuthorizationTest.java (with props) jackrabbit/oak/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/advanced/L5_CustomAccessControlManagementTest.java (with props) jackrabbit/oak/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/advanced/L6_CustomPermissionEvaluationTest.java (with props) Copied: jackrabbit/oak/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/advanced/L1_IntroductionTest.java (from r1828439, jackrabbit/oak/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/accesscontrol/L1_IntroductionTest.java) URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/advanced/L1_IntroductionTest.java?p2=jackrabbit/oak/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/advanced/L1_IntroductionTest.java=jackrabbit/oak/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/accesscontrol/L1_IntroductionTest.java=1828439=1828446=1828446=diff == --- jackrabbit/oak/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/accesscontrol/L1_IntroductionTest.java (original) +++ jackrabbit/oak/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/advanced/L1_IntroductionTest.java Thu Apr 5 15:33:48 2018 @@ -14,68 +14,29 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package org.apache.jackrabbit.oak.exercise.security.authorization.accesscontrol; +package org.apache.jackrabbit.oak.exercise.security.authorization.advanced; import org.apache.jackrabbit.oak.AbstractSecurityTest; /** * - * Module: Authorization (Access Control Management) + * Module: Advanced Authorization Topics * = * - * Title: Introduction to Access Control Management + * Title: Introduction to Advanced Authorization Topics * - * * Goal: - * Become familiar with the JCR Access Control Management API and the extensions - * provided by Jackrabbit API. Understand how access control management is - * used and exposed in Oak and finally gain insight into some details of the - * default implementation. + * Become familiar with the following advanced authorization topics: * - * Exercises: - * - * - Overview and Usages of AccessControl Management - * Search for usage of the access control management API (e.g. {@link javax.jcr.security.AccessControlManager}) - * in Oak _and_ Jackrabbit JCR Commons. - * - * Question: Where is the access control manager being used for? - * Question: Who is the expected API consumer? - * Question: What are the characteristics of this areas? - * Question: Can you identify areas where oak-jcr and oak-core actually make use of the access control management API? - * - * - Configuration - * Look at the default implementation(s) of the {@link org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration} - * and try to identify the configurable parts with respect to access control. - * Compare your results with the Oak documentation. - * - * Question: Can you provide a list of configuration options for access control s.str.? - * Question: Can you identify where these configuration options are being evaluated? - * Question: Which options also affect the permission evaluation? - * - * - Pluggability - * Become familar with the pluggable parts of the access control management
svn commit: r1828445 - /jackrabbit/oak/trunk/oak-exercise/src/main/java/org/apache/jackrabbit/oak/exercise/security/authorization/models/readonly/ReadOnlyAuthorizationConfiguration.java
Author: stillalex Date: Thu Apr 5 15:29:49 2018 New Revision: 1828445 URL: http://svn.apache.org/viewvc?rev=1828445=rev Log: OAK-5122 Exercise for Custom Authorization Models - javadocs Modified: jackrabbit/oak/trunk/oak-exercise/src/main/java/org/apache/jackrabbit/oak/exercise/security/authorization/models/readonly/ReadOnlyAuthorizationConfiguration.java Modified: jackrabbit/oak/trunk/oak-exercise/src/main/java/org/apache/jackrabbit/oak/exercise/security/authorization/models/readonly/ReadOnlyAuthorizationConfiguration.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-exercise/src/main/java/org/apache/jackrabbit/oak/exercise/security/authorization/models/readonly/ReadOnlyAuthorizationConfiguration.java?rev=1828445=1828444=1828445=diff == --- jackrabbit/oak/trunk/oak-exercise/src/main/java/org/apache/jackrabbit/oak/exercise/security/authorization/models/readonly/ReadOnlyAuthorizationConfiguration.java (original) +++ jackrabbit/oak/trunk/oak-exercise/src/main/java/org/apache/jackrabbit/oak/exercise/security/authorization/models/readonly/ReadOnlyAuthorizationConfiguration.java Thu Apr 5 15:29:49 2018 @@ -74,7 +74,7 @@ import static org.apache.jackrabbit.oak. * This authorization module forms part of the training material provided by the * oak-exercise module and must not be used in a productive environment! * - * Overview + * Overview * This simplistic authorization model is limited to permission evaluation and * doesn't support access control management. * @@ -85,7 +85,7 @@ import static org.apache.jackrabbit.oak. * There exists a single exception to that rule: For the internal {@link SystemPrincipal} * permission evaluation is not enforced by this module i.e. this module is skipped. * - * Intended Usage + * Intended Usage * This authorization model is intended to be used in 'AND' combination with the * default authorization setup defined by Oak (and optionally additional models * such as e.g. oak-authorization-cug. @@ -93,14 +93,14 @@ import static org.apache.jackrabbit.oak. * It is not intended to be used as standalone model as it would grant full read * access to everyone. * - * Limitations + * Limitations * Experimental model for training purpose and not intended for usage in production. * - * Key Features + * Key Features * - * Access Control Management + * Access Control Management * - * + * * FeatureDescription * Supported Privilegesall * Supports Custom Privilegesyes @@ -111,25 +111,25 @@ import static org.apache.jackrabbit.oak. * Effective Policies by Principalsfor every set of principals a single effective policy of type {@link NamedAccessControlPolicy} * * - * Permission Evaluation + * Permission Evaluation * - * + * * FeatureDescription * Supported Permissionsall * Aggregated Permission Provideryes * * - * Representation in the Repository + * Representation in the Repository * * There exists no dedicated access control or permission content for this * authorization model as it doesn't persist any information into the repository. * {@link SecurityConfiguration#getContext()} therefore returns the {@link Context#DEFAULT default}. * - * Configuration + * Configuration * * This model doesn't come with any configuration options. * - * Installation Instructions + * Installation Instructions * * The following steps are required to install this authorization model in an OSGi based Oak setup. * @@ -142,7 +142,7 @@ import static org.apache.jackrabbit.oak. * make sure the 'Authorization Composition Type' is set to AND * * - * Wait for the {@link SecurityProvider} to be successfully registered again. + * Wait for the {@link org.apache.jackrabbit.oak.spi.security.SecurityProvider} to be successfully registered again. * * */
svn commit: r1828444 - /jackrabbit/oak/trunk/oak-segment-tar/src/main/java/org/apache/jackrabbit/oak/segment/SegmentNodeStoreStatsMBean.java
Author: stillalex Date: Thu Apr 5 15:28:12 2018 New Revision: 1828444 URL: http://svn.apache.org/viewvc?rev=1828444=rev Log: OAK-7384 SegmentNodeStoreStats should expose stats for previous minute per thread group - javadocs Modified: jackrabbit/oak/trunk/oak-segment-tar/src/main/java/org/apache/jackrabbit/oak/segment/SegmentNodeStoreStatsMBean.java Modified: jackrabbit/oak/trunk/oak-segment-tar/src/main/java/org/apache/jackrabbit/oak/segment/SegmentNodeStoreStatsMBean.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-segment-tar/src/main/java/org/apache/jackrabbit/oak/segment/SegmentNodeStoreStatsMBean.java?rev=1828444=1828443=1828444=diff == --- jackrabbit/oak/trunk/oak-segment-tar/src/main/java/org/apache/jackrabbit/oak/segment/SegmentNodeStoreStatsMBean.java (original) +++ jackrabbit/oak/trunk/oak-segment-tar/src/main/java/org/apache/jackrabbit/oak/segment/SegmentNodeStoreStatsMBean.java Thu Apr 5 15:28:12 2018 @@ -47,21 +47,21 @@ public interface SegmentNodeStoreStatsMB CompositeData getQueuingTimes(); /** - * @return tabular data of the formcollected + * @return tabular data of the form commits,writerGroup collected * in the last minute * @throws OpenDataException if data is not available */ TabularData getCommitsCountPerWriterGroupLastMinute() throws OpenDataException; /** - * @return tabular data of the form for writers + * @return tabular data of the form commits,writer for writers * not included in groups * @throws OpenDataException if data is not available */ TabularData getCommitsCountForOtherWriters() throws OpenDataException; /** - * @return tabular data of the form for each writer + * @return tabular data of the form writer,writerDetails for each writer * currently in the queue * @throws OpenDataException if data is not available */
svn commit: r1828443 - /jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalPrincipalConfiguration.java
Author: stillalex Date: Thu Apr 5 15:26:48 2018 New Revision: 1828443 URL: http://svn.apache.org/viewvc?rev=1828443=rev Log: OAK-7024 java.security.acl deprecated in Java 10, marked for removal in Java 12 - more javadocs Modified: jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalPrincipalConfiguration.java Modified: jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalPrincipalConfiguration.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalPrincipalConfiguration.java?rev=1828443=1828442=1828443=diff == --- jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalPrincipalConfiguration.java (original) +++ jackrabbit/oak/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalPrincipalConfiguration.java Thu Apr 5 15:26:48 2018 @@ -69,7 +69,7 @@ import org.slf4j.LoggerFactory; /** * Implementation of the {@code PrincipalConfiguration} interface that provides - * principal management for {@link Group principals} associated with + * principal management for {@code Group principals} associated with * {@link org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity external identities} * managed outside of the scope of the repository by an * {@link org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityProvider}.
svn commit: r1828441 - /jackrabbit/oak/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/accesscontrol/L7_RestrictionsTest.java
Author: angela Date: Thu Apr 5 15:10:08 2018 New Revision: 1828441 URL: http://svn.apache.org/viewvc?rev=1828441=rev Log: minor improvement (typo) Modified: jackrabbit/oak/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/accesscontrol/L7_RestrictionsTest.java Modified: jackrabbit/oak/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/accesscontrol/L7_RestrictionsTest.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/accesscontrol/L7_RestrictionsTest.java?rev=1828441=1828440=1828441=diff == --- jackrabbit/oak/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/accesscontrol/L7_RestrictionsTest.java (original) +++ jackrabbit/oak/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/accesscontrol/L7_RestrictionsTest.java Thu Apr 5 15:10:08 2018 @@ -80,7 +80,7 @@ import org.apache.jackrabbit.test.NotExe * - * * While the restriction API provided by Jackrabbit API is rather limited the - * Oak internal way to handle, store and read these restictions is a bit + * Oak internal way to handle, store and read these restrictions is a bit * more elaborate. * * Use the Oak code base and the documentation at
svn commit: r1828439 - /jackrabbit/oak/trunk/oak-store-document/src/main/java/org/apache/jackrabbit/oak/plugins/document/util/UTF8Encoder.java
Author: reschke Date: Thu Apr 5 14:52:58 2018 New Revision: 1828439 URL: http://svn.apache.org/viewvc?rev=1828439=rev Log: OAK-7268: Create charset encoding utility that detects malformed input - Javadoc fix Modified: jackrabbit/oak/trunk/oak-store-document/src/main/java/org/apache/jackrabbit/oak/plugins/document/util/UTF8Encoder.java Modified: jackrabbit/oak/trunk/oak-store-document/src/main/java/org/apache/jackrabbit/oak/plugins/document/util/UTF8Encoder.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-store-document/src/main/java/org/apache/jackrabbit/oak/plugins/document/util/UTF8Encoder.java?rev=1828439=1828438=1828439=diff == --- jackrabbit/oak/trunk/oak-store-document/src/main/java/org/apache/jackrabbit/oak/plugins/document/util/UTF8Encoder.java (original) +++ jackrabbit/oak/trunk/oak-store-document/src/main/java/org/apache/jackrabbit/oak/plugins/document/util/UTF8Encoder.java Thu Apr 5 14:52:58 2018 @@ -69,7 +69,7 @@ public class UTF8Encoder { } /** - * @see {@link CharsetEncoder#canEncode(CharSequence) + * See {@link CharsetEncoder#canEncode(CharSequence)}. */ public static boolean canEncode(CharSequence input) { CharsetEncoder e = CSE.get();
svn commit: r1828437 - /jackrabbit/oak/trunk/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/principal/PrincipalProvider.java
Author: stillalex Date: Thu Apr 5 14:30:11 2018 New Revision: 1828437 URL: http://svn.apache.org/viewvc?rev=1828437=rev Log: OAK-7024 java.security.acl deprecated in Java 10, marked for removal in Java 11 - fixed javadocs Modified: jackrabbit/oak/trunk/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/principal/PrincipalProvider.java Modified: jackrabbit/oak/trunk/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/principal/PrincipalProvider.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/principal/PrincipalProvider.java?rev=1828437=1828436=1828437=diff == --- jackrabbit/oak/trunk/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/principal/PrincipalProvider.java (original) +++ jackrabbit/oak/trunk/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/principal/PrincipalProvider.java Thu Apr 5 14:30:11 2018 @@ -76,7 +76,7 @@ public interface PrincipalProvider { /** * Returns an iterator over all group principals for which the given * principal is either direct or indirect member of. Thus for any principal - * returned in the iterator {@link GroupPrincipal#isMember(Principal)} + * returned in the iterator {@link org.apache.jackrabbit.api.security.principal.GroupPrincipal#isMember(Principal)} * must return {@code true}. * * Example: @@ -85,7 +85,7 @@ public interface PrincipalProvider { * * @param principal the principal to return it's membership from. * @return an iterator returning all groups the given principal is member of. - * @see GroupPrincipal#isMember(java.security.Principal) + * @see org.apache.jackrabbit.api.security.principal.GroupPrincipal#isMember(java.security.Principal) */ @Nonnull default Set getMembershipPrincipals(@Nonnull Principal principal) {
svn commit: r1828434 - /jackrabbit/oak/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/permission/L7_PermissionContentTest.java
Author: angela Date: Thu Apr 5 13:51:03 2018 New Revision: 1828434 URL: http://svn.apache.org/viewvc?rev=1828434=rev Log: OAK-3008 : Training material for Oak security (wip) Modified: jackrabbit/oak/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/permission/L7_PermissionContentTest.java Modified: jackrabbit/oak/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/permission/L7_PermissionContentTest.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/permission/L7_PermissionContentTest.java?rev=1828434=1828433=1828434=diff == --- jackrabbit/oak/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/permission/L7_PermissionContentTest.java (original) +++ jackrabbit/oak/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/permission/L7_PermissionContentTest.java Thu Apr 5 13:51:03 2018 @@ -16,9 +16,17 @@ */ package org.apache.jackrabbit.oak.exercise.security.authorization.permission; +import javax.jcr.GuestCredentials; + import org.apache.jackrabbit.oak.AbstractSecurityTest; +import org.apache.jackrabbit.oak.api.ContentSession; +import org.apache.jackrabbit.oak.api.Root; +import org.apache.jackrabbit.oak.api.Tree; import org.junit.Test; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; + /** * * Module: Authorization (Permission Evaluation) @@ -62,20 +70,41 @@ import org.junit.Test; * Question: Can you explain why the permission store is read-only? * Question: Can you identify the class(es) responsible for enforcing the read-only nature? * - * - {@link #TODO} - * * */ public class L7_PermissionContentTest extends AbstractSecurityTest { -@Test -public void testReadOnly() { -// TODO -} +String permissionStorePath = null; // EXERCISE: specify the path to the permission store root node @Test public void testAdministrativeAccessOnly() { -// TODO +Root root = adminSession.getLatestRoot(); +Tree permissionStoreTree = root.getTree(permissionStorePath); +assertTrue(permissionStoreTree.exists()); + +// EXERCISE : explain the content structure of the permission store +Tree wspTree = permissionStoreTree.getChild(adminSession.getWorkspaceName()); +for (Tree t : wspTree.getChildren()) { +System.out.println(t.getName()); +} + +// EXERCISE : pick one child tree above and inspect the subtree +//- what does the name of the child stand for? +//- explain the structure +String name = null; // EXERCISE +Tree child = wspTree.getChild(name); + +// EXERCISE: walk through the tree structure and look at the properties } +@Test +public void testReadOnly() throws Exception { +ContentSession guestSession = login(new GuestCredentials()); + +Root root = guestSession.getLatestRoot(); +Tree permissionStoreTree = root.getTree(permissionStorePath); + +// EXERCISE: explain the fact that the tree does not exist +assertFalse(permissionStoreTree.exists()); +} } \ No newline at end of file
svn commit: r1828429 - in /jackrabbit/oak/trunk: oak-search/ oak-segment-azure/
Author: mreutegg Date: Thu Apr 5 13:02:32 2018 New Revision: 1828429 URL: http://svn.apache.org/viewvc?rev=1828429=rev Log: Ignore target folder Modified: jackrabbit/oak/trunk/oak-search/ (props changed) jackrabbit/oak/trunk/oak-segment-azure/ (props changed) Propchange: jackrabbit/oak/trunk/oak-search/ -- --- svn:ignore (added) +++ svn:ignore Thu Apr 5 13:02:32 2018 @@ -0,0 +1 @@ +target Propchange: jackrabbit/oak/trunk/oak-segment-azure/ -- --- svn:ignore (added) +++ svn:ignore Thu Apr 5 13:02:32 2018 @@ -0,0 +1 @@ +target
svn commit: r1828423 - /jackrabbit/oak/trunk/oak-exercise/src/main/java/org/apache/jackrabbit/oak/exercise/security/authorization/models/readonly/ReadOnlyAuthorizationConfiguration.java
Author: angela Date: Thu Apr 5 12:30:03 2018 New Revision: 1828423 URL: http://svn.apache.org/viewvc?rev=1828423=rev Log: OAK-5122 : Exercise for Custom Authorization Models (wip) Modified: jackrabbit/oak/trunk/oak-exercise/src/main/java/org/apache/jackrabbit/oak/exercise/security/authorization/models/readonly/ReadOnlyAuthorizationConfiguration.java Modified: jackrabbit/oak/trunk/oak-exercise/src/main/java/org/apache/jackrabbit/oak/exercise/security/authorization/models/readonly/ReadOnlyAuthorizationConfiguration.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-exercise/src/main/java/org/apache/jackrabbit/oak/exercise/security/authorization/models/readonly/ReadOnlyAuthorizationConfiguration.java?rev=1828423=1828422=1828423=diff == --- jackrabbit/oak/trunk/oak-exercise/src/main/java/org/apache/jackrabbit/oak/exercise/security/authorization/models/readonly/ReadOnlyAuthorizationConfiguration.java (original) +++ jackrabbit/oak/trunk/oak-exercise/src/main/java/org/apache/jackrabbit/oak/exercise/security/authorization/models/readonly/ReadOnlyAuthorizationConfiguration.java Thu Apr 5 12:30:03 2018 @@ -21,8 +21,7 @@ import java.util.List; import java.util.Set; import javax.annotation.Nonnull; import javax.annotation.Nullable; -import javax.jcr.RepositoryException; -import javax.jcr.UnsupportedRepositoryOperationException; +import javax.jcr.security.AccessControlException; import javax.jcr.security.AccessControlManager; import javax.jcr.security.AccessControlPolicy; import javax.jcr.security.AccessControlPolicyIterator; @@ -136,10 +135,10 @@ import static org.apache.jackrabbit.oak. * * * Upload the oak-exercise bundle - * Go to the configuration of {@link org.apache.jackrabbit.oak.security.internal.SecurityProviderRegistration} + * Edit configuration of {@link org.apache.jackrabbit.oak.security.internal.SecurityProviderRegistration} * * add {@code org.apache.jackrabbit.oak.exercise.security.authorization.models.readonly.ReadOnlyAuthorizationConfiguration} - * to the list of required service IDs + * to the list of required service IDs * make sure the 'Authorization Composition Type' is set to AND * * @@ -177,13 +176,13 @@ public final class ReadOnlyAuthorization } @Override -public void setPolicy(String absPath, AccessControlPolicy policy) throws UnsupportedRepositoryOperationException { -throw new UnsupportedRepositoryOperationException(); +public void setPolicy(String absPath, AccessControlPolicy policy) throws AccessControlException { +throw new AccessControlException(); } @Override -public void removePolicy(String absPath, AccessControlPolicy policy) throws UnsupportedRepositoryOperationException { -throw new UnsupportedRepositoryOperationException(); +public void removePolicy(String absPath, AccessControlPolicy policy) throws AccessControlException { +throw new AccessControlException(); } @Override @@ -217,12 +216,10 @@ public final class ReadOnlyAuthorization } else { return new AggregatedPermissionProvider() { -private Root immutableRoot = getRootProvider().createReadOnlyRoot(root); - @Nonnull @Override public PrivilegeBits supportedPrivileges(@Nullable Tree tree, @Nullable PrivilegeBits privilegeBits) { -return (privilegeBits != null) ? privilegeBits : new PrivilegeBitsProvider(immutableRoot).getBits(PrivilegeConstants.JCR_ALL); +return (privilegeBits != null) ? privilegeBits : new PrivilegeBitsProvider(root).getBits(PrivilegeConstants.JCR_ALL); } @Override @@ -253,7 +250,6 @@ public final class ReadOnlyAuthorization @Override public void refresh() { -immutableRoot = getRootProvider().createReadOnlyRoot(root); } @Nonnull @@ -399,7 +395,7 @@ public final class ReadOnlyAuthorization private static final NamedAccessControlPolicy INSTANCE = new ReadOnlyPolicy(); @Override -public String getName() throws RepositoryException { +public String getName() { return "Read-only Policy defined by 'ReadOnlyAuthorizationConfiguration'"; } }
svn commit: r1828412 - /jackrabbit/oak/trunk/oak-exercise/src/main/java/org/apache/jackrabbit/oak/exercise/security/authorization/models/readonly/ReadOnlyAuthorizationConfiguration.java
Author: angela Date: Thu Apr 5 10:11:48 2018 New Revision: 1828412 URL: http://svn.apache.org/viewvc?rev=1828412=rev Log: OAK-5122 : Exercise for Custom Authorization Models (wip) Modified: jackrabbit/oak/trunk/oak-exercise/src/main/java/org/apache/jackrabbit/oak/exercise/security/authorization/models/readonly/ReadOnlyAuthorizationConfiguration.java Modified: jackrabbit/oak/trunk/oak-exercise/src/main/java/org/apache/jackrabbit/oak/exercise/security/authorization/models/readonly/ReadOnlyAuthorizationConfiguration.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-exercise/src/main/java/org/apache/jackrabbit/oak/exercise/security/authorization/models/readonly/ReadOnlyAuthorizationConfiguration.java?rev=1828412=1828411=1828412=diff == --- jackrabbit/oak/trunk/oak-exercise/src/main/java/org/apache/jackrabbit/oak/exercise/security/authorization/models/readonly/ReadOnlyAuthorizationConfiguration.java (original) +++ jackrabbit/oak/trunk/oak-exercise/src/main/java/org/apache/jackrabbit/oak/exercise/security/authorization/models/readonly/ReadOnlyAuthorizationConfiguration.java Thu Apr 5 10:11:48 2018 @@ -21,10 +21,12 @@ import java.util.List; import java.util.Set; import javax.annotation.Nonnull; import javax.annotation.Nullable; +import javax.jcr.RepositoryException; import javax.jcr.UnsupportedRepositoryOperationException; import javax.jcr.security.AccessControlManager; import javax.jcr.security.AccessControlPolicy; import javax.jcr.security.AccessControlPolicyIterator; +import javax.jcr.security.NamedAccessControlPolicy; import com.google.common.collect.ImmutableList; import com.google.common.collect.ImmutableSet; @@ -51,11 +53,13 @@ import org.apache.jackrabbit.oak.spi.sec import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration; import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager; import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.EmptyPermissionProvider; import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider; import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions; import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission; import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission; import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider; +import org.apache.jackrabbit.oak.spi.security.principal.SystemPrincipal; import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits; import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider; import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants; @@ -66,7 +70,82 @@ import org.osgi.service.component.annota import static org.apache.jackrabbit.oak.spi.security.RegistrationConstants.OAK_SECURITY_NAME; /** - * TODO ADD DESCRIPTION + * Read Only Authorization Model + * + * This authorization module forms part of the training material provided by the + * oak-exercise module and must not be used in a productive environment! + * + * Overview + * This simplistic authorization model is limited to permission evaluation and + * doesn't support access control management. + * + * The permission evaluation is hardcoded to only allow read access to every single + * item in the repository (even access control content). All other permissions are + * denied for every set of principals. + * + * There exists a single exception to that rule: For the internal {@link SystemPrincipal} + * permission evaluation is not enforced by this module i.e. this module is skipped. + * + * Intended Usage + * This authorization model is intended to be used in 'AND' combination with the + * default authorization setup defined by Oak (and optionally additional models + * such as e.g. oak-authorization-cug. + * + * It is not intended to be used as standalone model as it would grant full read + * access to everyone. + * + * Limitations + * Experimental model for training purpose and not intended for usage in production. + * + * Key Features + * + * Access Control Management + * + * + * FeatureDescription + * Supported Privilegesall + * Supports Custom Privilegesyes + * Management by Pathnot supported + * Management by Principalsnot supported + * Owned PoliciesNone + * Effective Policies by Pathfor every path a single effective policy of type {@link NamedAccessControlPolicy} + * Effective Policies by Principalsfor every set of principals a single effective policy of type {@link NamedAccessControlPolicy} + * + * + * Permission Evaluation + * + * + * FeatureDescription + * Supported Permissionsall + * Aggregated
svn commit: r1828405 - in /jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query: QueryImpl.java UnionQueryImpl.java ast/JoinImpl.java ast/SelectorImpl.java ast/SourceImpl.java
Author: thomasm Date: Thu Apr 5 09:20:55 2018 New Revision: 1828405 URL: http://svn.apache.org/viewvc?rev=1828405=rev Log: OAK-7390 QueryResult.getSize() can be slow for many or or union conditions Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/QueryImpl.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/UnionQueryImpl.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/ast/JoinImpl.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/ast/SelectorImpl.java jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/ast/SourceImpl.java Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/QueryImpl.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/QueryImpl.java?rev=1828405=1828404=1828405=diff == --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/QueryImpl.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/QueryImpl.java Thu Apr 5 09:20:55 2018 @@ -1261,7 +1261,7 @@ public class QueryImpl implements Query // "order by" was used, so we know the size return size; } -return Math.min(limit, source.getSize(precision, max)); +return Math.min(limit, source.getSize(context.getBaseState(), precision, max)); } @Override Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/UnionQueryImpl.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/UnionQueryImpl.java?rev=1828405=1828404=1828405=diff == --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/UnionQueryImpl.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/UnionQueryImpl.java Thu Apr 5 09:20:55 2018 @@ -173,14 +173,15 @@ public class UnionQueryImpl implements Q public long getSize(SizePrecision precision, long max) { // Note: for "unionAll == false", overlapping entries are counted twice // (this can result in a larger reported size, but it is not a security problem) - -// ensure the queries are both executed, otherwise the cursor is not set, -// and so the size would be -1 -left.executeQuery().getRows().iterator().hasNext(); -right.executeQuery().getRows().iterator().hasNext(); long a = left.getSize(precision, max); +if (a < 0) { +return -1; +} +if (a >= limit) { +return limit; +} long b = right.getSize(precision, max); -if (a < 0 || b < 0) { +if (b < 0) { return -1; } long total = QueryImpl.saturatedAdd(a, b); Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/ast/JoinImpl.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/ast/JoinImpl.java?rev=1828405=1828404=1828405=diff == --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/ast/JoinImpl.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/ast/JoinImpl.java Thu Apr 5 09:20:55 2018 @@ -281,7 +281,7 @@ public class JoinImpl extends SourceImpl } @Override -public long getSize(SizePrecision precision, long max) { +public long getSize(NodeState rootState, SizePrecision precision, long max) { // we don't know return -1; } Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/ast/SelectorImpl.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/ast/SelectorImpl.java?rev=1828405=1828404=1828405=diff == --- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/ast/SelectorImpl.java (original) +++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/query/ast/SelectorImpl.java Thu Apr 5 09:20:55 2018 @@ -806,9 +806,9 @@ public class SelectorImpl extends Source } @Override -public long getSize(SizePrecision precision, long max) { +public long getSize(NodeState rootState, SizePrecision precision, long max) { if (cursor == null) { -return -1; +execute(rootState); } return cursor.getSize(precision, max); } Modified:
svn commit: r1828403 - in /jackrabbit/oak/trunk/oak-doc/src/site/markdown/query: grammar-sql2.md.vm grammar-xpath.md.vm query-troubleshooting.md
Author: thomasm Date: Thu Apr 5 08:53:05 2018 New Revision: 1828403 URL: http://svn.apache.org/viewvc?rev=1828403=rev Log: OAK-5051 Document XPath (and SQL-2) syntax as supported by Oak Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/query/grammar-sql2.md.vm jackrabbit/oak/trunk/oak-doc/src/site/markdown/query/grammar-xpath.md.vm jackrabbit/oak/trunk/oak-doc/src/site/markdown/query/query-troubleshooting.md Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/query/grammar-sql2.md.vm URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/query/grammar-sql2.md.vm?rev=1828403=1828402=1828403=diff == --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/query/grammar-sql2.md.vm (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/query/grammar-sql2.md.vm Thu Apr 5 08:53:05 2018 @@ -271,6 +271,7 @@ The traversal option can be used to chan "index tag": by default, queries will use the index with the lowest expected cost (as in relational databases). To only consider some of the indexes, add tags (a multi-valued String property) to the index(es) of choice, and specify this tag in the query. +See Query Option Index Tag. Examples: Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/query/grammar-xpath.md.vm URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/query/grammar-xpath.md.vm?rev=1828403=1828402=1828403=diff == --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/query/grammar-xpath.md.vm (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/query/grammar-xpath.md.vm Thu Apr 5 08:53:05 2018 @@ -313,6 +313,7 @@ The traversal option can be used to chan "index tag": by default, queries will use the index with the lowest expected cost (as in relational databases). To only consider some of the indexes, add tags (a multi-valued String property) to the index(es) of choice, and specify this tag in the query. +See Query Option Index Tag. Examples: Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/query/query-troubleshooting.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/query/query-troubleshooting.md?rev=1828403=1828402=1828403=diff == --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/query/query-troubleshooting.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/query/query-troubleshooting.md Thu Apr 5 08:53:05 2018 @@ -199,3 +199,60 @@ So in this case, only the fulltext restr but this might already be sufficient. If it is not, then the fulltext index might be changed to also index `commerceType`, or possibly to use `evaluatePathRestrictions`. + + Queries With Many OR or UNION Conditions + +Queries that contain many "or" conditions, or with many "union" subqueries, +can be slow as they have to read a lot of data. +Example query: + +/jcr:root/content/(a|b|c|d|e)//element(*, cq:Page)[ +jcr:contains(@jcr:title, 'some text') +or jcr:contains(jcr:content/@keywords, 'some text') +or jcr:contains(jcr:content/@cq:tags, 'some text') +or jcr:contains(jcr:content/@team, 'some text') +or jcr:contains(jcr:content/@topics, 'some text') +or jcr:contains(jcr:content/@jcr:description, 'some text')] + +This query will be internally converted into 5 subqueries, due to the "union" clause (a|b|c|d|e). +Then, each of the 5 subqueries will run 6 subqueries: one for each jcr:contains condition. +So, the index will be contacted 30 times. + +To avoid this overhead, the index could be changed (or a new index created) to do aggregation +on the required properties (here: jcr:title, jcr:content/keywords,...). +This will simplify the query to: + +/jcr:root/content/(a|b|c|d|e)//element(*, cq:Page)[jcr:contains(., 'some text')] + +This should resolve most problems. +To further speed up the query by avoiding to running 5 subqueries, +it might be better to use a less specific path constraint, +but instead use a different way to filter results, such as: + +/jcr:root/content//element(*, cq:Page)[jcr:contains(., 'some text') and @category='x'] + + Ordering by Score Combined With OR / UNION Conditions + +Queries that expect results to be sorted by score ("order by @jcr:score descending"), +and use "union" or "or" conditions, may not return the result in the expected order, +depending on the index(es) used. Example: + +/jcr:root/conent/products/(indoor|outdoor)//*[jcr:contains(., 'test')] +order by @jcr:score descending + +Here, the query is converted to a "union", and the result of both subqueries is combined. +If the score for each subquery is not comparable (which is often the case for Lucene indexes), +then the order of the results may not match the
svn commit: r1828399 - /jackrabbit/oak/trunk/oak-doc/src/site/markdown/osgi_config.md
Author: mreutegg Date: Thu Apr 5 07:20:23 2018 New Revision: 1828399 URL: http://svn.apache.org/viewvc?rev=1828399=rev Log: OAK-7359: Update to MongoDB Java driver 3.6 Update documentation on socketKeepAlive Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/osgi_config.md Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/osgi_config.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/osgi_config.md?rev=1828399=1828398=1828399=diff == --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/osgi_config.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/osgi_config.md Thu Apr 5 07:20:23 2018 @@ -244,7 +244,7 @@ db : Name of the database in Mongo socketKeepAlive -: Default - false +: Default - true (was 'false' before 1.10) : Enables socket keep-alive for MongoDB connections : Since 1.8.0, 1.6.2, 1.4.16
svn commit: r1828398 - in /jackrabbit/oak/trunk/oak-store-document/src: main/java/org/apache/jackrabbit/oak/plugins/document/ main/java/org/apache/jackrabbit/oak/plugins/document/mongo/ test/java/org/
Author: mreutegg Date: Thu Apr 5 07:19:50 2018 New Revision: 1828398 URL: http://svn.apache.org/viewvc?rev=1828398=rev Log: OAK-7359: Update to MongoDB Java driver 3.6 Change socket keep-alive default to enabled in accordance with new MongoDB Java driver 3.6.x Added: jackrabbit/oak/trunk/oak-store-document/src/test/java/org/apache/jackrabbit/oak/plugins/document/mongo/MongoDocumentNodeStoreBuilderTest.java (with props) Modified: jackrabbit/oak/trunk/oak-store-document/src/main/java/org/apache/jackrabbit/oak/plugins/document/DocumentNodeStoreService.java jackrabbit/oak/trunk/oak-store-document/src/main/java/org/apache/jackrabbit/oak/plugins/document/mongo/MongoDocumentNodeStoreBuilderBase.java Modified: jackrabbit/oak/trunk/oak-store-document/src/main/java/org/apache/jackrabbit/oak/plugins/document/DocumentNodeStoreService.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-store-document/src/main/java/org/apache/jackrabbit/oak/plugins/document/DocumentNodeStoreService.java?rev=1828398=1828397=1828398=diff == --- jackrabbit/oak/trunk/oak-store-document/src/main/java/org/apache/jackrabbit/oak/plugins/document/DocumentNodeStoreService.java (original) +++ jackrabbit/oak/trunk/oak-store-document/src/main/java/org/apache/jackrabbit/oak/plugins/document/DocumentNodeStoreService.java Thu Apr 5 07:19:50 2018 @@ -135,7 +135,7 @@ public class DocumentNodeStoreService { static final int DEFAULT_CACHE = (int) (DEFAULT_MEMORY_CACHE_SIZE / MB); static final int DEFAULT_BLOB_CACHE_SIZE = 16; static final String DEFAULT_DB = "oak"; -static final boolean DEFAULT_SO_KEEP_ALIVE = false; +static final boolean DEFAULT_SO_KEEP_ALIVE = true; static final String DEFAULT_PERSISTENT_CACHE = "cache"; static final String DEFAULT_JOURNAL_CACHE = "diff-cache"; static final boolean DEFAULT_CUSTOM_BLOB_STORE = false; Modified: jackrabbit/oak/trunk/oak-store-document/src/main/java/org/apache/jackrabbit/oak/plugins/document/mongo/MongoDocumentNodeStoreBuilderBase.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-store-document/src/main/java/org/apache/jackrabbit/oak/plugins/document/mongo/MongoDocumentNodeStoreBuilderBase.java?rev=1828398=1828397=1828398=diff == --- jackrabbit/oak/trunk/oak-store-document/src/main/java/org/apache/jackrabbit/oak/plugins/document/mongo/MongoDocumentNodeStoreBuilderBase.java (original) +++ jackrabbit/oak/trunk/oak-store-document/src/main/java/org/apache/jackrabbit/oak/plugins/document/mongo/MongoDocumentNodeStoreBuilderBase.java Thu Apr 5 07:19:50 2018 @@ -53,7 +53,7 @@ public abstract class MongoDocumentNodeS private static final Logger LOG = LoggerFactory.getLogger(MongoDocumentNodeStoreBuilder.class); private String mongoUri; -private boolean socketKeepAlive; +private boolean socketKeepAlive = true; private MongoStatus mongoStatus; private long maxReplicationLagMillis = TimeUnit.HOURS.toMillis(6); @@ -149,10 +149,10 @@ public abstract class MongoDocumentNodeS } /** - * Enables the socket keep-alive option for MongoDB. The default is - * disabled. + * Enables or disables the socket keep-alive option for MongoDB. The default + * is enabled. * - * @param enable whether to enable it. + * @param enable whether to enable or disable it. * @return this */ public T setSocketKeepAlive(boolean enable) { @@ -160,6 +160,13 @@ public abstract class MongoDocumentNodeS return thisBuilder(); } +/** + * @return whether socket keep-alive is enabled. + */ +public boolean isSocketKeepAlive() { +return socketKeepAlive; +} + public T setMaxReplicationLag(long duration, TimeUnit unit){ maxReplicationLagMillis = unit.toMillis(duration); return thisBuilder(); Added: jackrabbit/oak/trunk/oak-store-document/src/test/java/org/apache/jackrabbit/oak/plugins/document/mongo/MongoDocumentNodeStoreBuilderTest.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-store-document/src/test/java/org/apache/jackrabbit/oak/plugins/document/mongo/MongoDocumentNodeStoreBuilderTest.java?rev=1828398=auto == --- jackrabbit/oak/trunk/oak-store-document/src/test/java/org/apache/jackrabbit/oak/plugins/document/mongo/MongoDocumentNodeStoreBuilderTest.java (added) +++ jackrabbit/oak/trunk/oak-store-document/src/test/java/org/apache/jackrabbit/oak/plugins/document/mongo/MongoDocumentNodeStoreBuilderTest.java Thu Apr 5 07:19:50 2018 @@ -0,0 +1,30 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright
svn commit: r1828397 - in /jackrabbit/oak/trunk/oak-exercise/src/main/java/org/apache/jackrabbit/oak/exercise/security/authorization/models: ./ readonly/ readonly/ReadOnlyAuthorizationConfiguration.ja
Author: angela Date: Thu Apr 5 07:12:06 2018 New Revision: 1828397 URL: http://svn.apache.org/viewvc?rev=1828397=rev Log: OAK-5122 : Exercise for Custom Authorization Models (wip) Added: jackrabbit/oak/trunk/oak-exercise/src/main/java/org/apache/jackrabbit/oak/exercise/security/authorization/models/ jackrabbit/oak/trunk/oak-exercise/src/main/java/org/apache/jackrabbit/oak/exercise/security/authorization/models/readonly/ jackrabbit/oak/trunk/oak-exercise/src/main/java/org/apache/jackrabbit/oak/exercise/security/authorization/models/readonly/ReadOnlyAuthorizationConfiguration.java (with props) Added: jackrabbit/oak/trunk/oak-exercise/src/main/java/org/apache/jackrabbit/oak/exercise/security/authorization/models/readonly/ReadOnlyAuthorizationConfiguration.java URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-exercise/src/main/java/org/apache/jackrabbit/oak/exercise/security/authorization/models/readonly/ReadOnlyAuthorizationConfiguration.java?rev=1828397=auto == --- jackrabbit/oak/trunk/oak-exercise/src/main/java/org/apache/jackrabbit/oak/exercise/security/authorization/models/readonly/ReadOnlyAuthorizationConfiguration.java (added) +++ jackrabbit/oak/trunk/oak-exercise/src/main/java/org/apache/jackrabbit/oak/exercise/security/authorization/models/readonly/ReadOnlyAuthorizationConfiguration.java Thu Apr 5 07:12:06 2018 @@ -0,0 +1,313 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jackrabbit.oak.exercise.security.authorization.models.readonly; + +import java.security.Principal; +import java.util.List; +import java.util.Set; +import javax.annotation.Nonnull; +import javax.annotation.Nullable; +import javax.jcr.UnsupportedRepositoryOperationException; +import javax.jcr.security.AccessControlManager; +import javax.jcr.security.AccessControlPolicy; +import javax.jcr.security.AccessControlPolicyIterator; + +import com.google.common.collect.ImmutableList; +import com.google.common.collect.ImmutableSet; +import com.google.common.collect.Iterators; +import com.google.common.collect.Sets; +import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy; +import org.apache.jackrabbit.commons.iterator.AccessControlPolicyIteratorAdapter; +import org.apache.jackrabbit.oak.api.PropertyState; +import org.apache.jackrabbit.oak.api.Root; +import org.apache.jackrabbit.oak.api.Tree; +import org.apache.jackrabbit.oak.namepath.NamePathMapper; +import org.apache.jackrabbit.oak.plugins.tree.TreeLocation; +import org.apache.jackrabbit.oak.plugins.tree.TreeType; +import org.apache.jackrabbit.oak.spi.commit.CommitHook; +import org.apache.jackrabbit.oak.spi.commit.MoveTracker; +import org.apache.jackrabbit.oak.spi.commit.ThreeWayConflictHandler; +import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider; +import org.apache.jackrabbit.oak.spi.lifecycle.RepositoryInitializer; +import org.apache.jackrabbit.oak.spi.lifecycle.WorkspaceInitializer; +import org.apache.jackrabbit.oak.spi.security.ConfigurationBase; +import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters; +import org.apache.jackrabbit.oak.spi.security.Context; +import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration; +import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration; +import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission; +import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission; +import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider; +import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits; +import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider; +import