Package org.mycore.access.mcrimpl
Class MCRAccessControlSystem
java.lang.Object
org.mycore.access.MCRAccessBaseImpl
org.mycore.access.mcrimpl.MCRAccessControlSystem
- All Implemented Interfaces:
MCRAccessInterface, MCRRuleAccessInterface
MyCoRe-Standard Implementation of the MCRAccessInterface. Maps object ids to rules.
- Author:
- Matthias Kramm, Heiko Helmbrecht
-
Field Summary
Fields inherited from class org.mycore.access.MCRAccessBaseImpl
ACCESS_PERMISSIONS
-
Method Summary
| Modifier and Type | Method | Description |
| --- | --- | --- |
| void | addRule | adds an access rule for an ID to an access system. |
| void | addRule | adds an access rule for an "a priori-permission" like "create-document" |
| boolean | checkAccess(String objID, String permission, String userID, MCRIPAddress ip) | Deprecated. |
| boolean | checkAccess(String objID, String permission, MCRUserInformation userInfo, MCRIPAddress ip) | Validator methods to validate access definition for given object and pool |
| boolean | checkPermission(String permission) | determines whether the current user has the permission to perform a certain action. |
| boolean | checkPermission(String id, String permission, MCRUserInformation userInfo) | determines whether a given user has the permission to perform a certain action. No session data will be checked here. |
| boolean | checkPermission(Element rule) | determines whether the current user has the permission to perform a certain action. |
| boolean | checkPermissionForUser(String permission, String userID) | Deprecated. |
| boolean | checkPermissionForUser(String permission, MCRUserInformation userInfo) | determines whether a given user has the permission to perform a certain action. No session data will be checked here. |
| void | createRule(String ruleString, String creator, String description) | create an access rule in the rulestore using a rule string in plain text |
| void | createRule(Element rule, String creator, String description) | create an access rule in the rulestore using a rule string in plain text |
| | getAccessRule(String objID, String pool) | returns a MCRAccessRule which could be validated. All information regarding the current user is encapsulated by a MCRSession instance which can be retrieved by MCRSession currentSession = MCRSessionMgr.getCurrentSession(); |
| | getAllControlledIDs | lists all String IDs, a permission is assigned to. |
| MCRRuleMapping | getAutoGeneratedRuleMapping(Element rule, String creator, String pool, String id, String description) | returns an auto-generated MCRRuleMapping, needed to create Access Definitions |
| | getNextFreeRuleID(String prefix) | method that delivers the next free ruleID for a given Prefix and sets the counter to counter + 1 |
| | getNormalizedRuleString | delivers the rule as string, after normalizing it via sorting with MCRAccessConditionsComparator |
| | getPermissions | lists all a-priori permissions like "create-document". |
| | getPermissionsForID(String objid) | lists all permissions defined for the id. |
| | getRule | exports an access rule for an "a priori permission" as JDOM element. |
| | getRule | exports an access rule as JDOM element. |
| | getRuleDescription(String permission) | returns the prose description of a defined rule for an "a priori" permission like "create-document". |
| | getRuleDescription(String objID, String permission) | returns the prose description of a defined rule. |
| boolean | hasRule | checks whether a rule with the id is defined. |
| boolean | hasRule | checks whether a rule with the id and permission is defined. |
| static MCRRuleAccessInterface | instance() | |
| boolean | isDisabled() | |
| | normalize | method, that normalizes the JDOM representation of a mycore access condition |
| void | removeAllRules(String id) | removes all rules of the id. |
| void | removeRule(String permission) | removes a rule for an "a priori permission" like "create-document" |
| void | removeRule(String id, String pool) | removes a rule. |
| void | updateRule(String id, String pool, Element rule, String description) | updates an access rule for an ID to an access system. |
| void | updateRule(String permission, Element rule, String description) | updates an access rule for an "a priori permission" of an access system like "create-document". |

Methods inherited from class org.mycore.access.MCRAccessBaseImpl
checkPermission, getAccessPermissionsFromConfiguration
-
Field Details
-
SYSTEM_RULE_PREFIX
-
POOL_PRIVILEGE_ID
-
LEXICOGRAPHICAL_PATTERN
-
-
Method Details
-
instance
-
createRule
Description copied from interface: MCRRuleAccessInterface
create an access rule in the rulestore using a rule string in plain text
- Specified by:
createRule in interface MCRRuleAccessInterface
- Overrides:
createRule in class MCRAccessBaseImpl
- Parameters:
ruleString - the rule string in plain text
description - a String description of the rule in prose
-
createRule
Description copied from interface: MCRRuleAccessInterface
create an access rule in the rulestore using a rule string in plain text
- Specified by:
createRule in interface MCRRuleAccessInterface
- Overrides:
createRule in class MCRAccessBaseImpl
- Parameters:
rule - the rule string as XML
description - a String description of the rule in prose
-
addRule
Description copied from interface: MCRRuleAccessInterface
adds an access rule for an ID to an access system. The parameter id serves as an identifier for the concrete underlying rule, e.g. an MCRObjectID.
- Specified by:
addRule in interface MCRRuleAccessInterface
- Overrides:
addRule in class MCRAccessBaseImpl
- Parameters:
id - the ID-String of the object
pool - the access permission for the rule
rule - the access rule
description - a String description of the rule in prose
- Throws:
MCRException - if an error occurred
-
addRule
Description copied from interface: MCRRuleAccessInterface
adds an access rule for an "a priori-permission" like "create-document"
- Specified by:
addRule in interface MCRRuleAccessInterface
- Overrides:
addRule in class MCRAccessBaseImpl
- Parameters:
permission - the access permission for the rule (e.g. "create-document")
rule - the access rule
description - a String description of the rule in prose
-
removeRule
Description copied from interface: MCRRuleAccessInterface
removes a rule. The parameter id serves as an identifier for the concrete underlying rule, e.g. an MCRObjectID.
- Specified by:
removeRule in interface MCRRuleAccessInterface
- Overrides:
removeRule in class MCRAccessBaseImpl
- Parameters:
id - the ID-String of the object
pool - the access permission for the rule
- Throws:
MCRException - if an error occurred
-
removeRule
Description copied from interface: MCRRuleAccessInterface
removes a rule for an "a priori permission" like "create-document"
- Specified by:
removeRule in interface MCRRuleAccessInterface
- Overrides:
removeRule in class MCRAccessBaseImpl
- Parameters:
permission - the access permission for the rule
- Throws:
MCRException - if an error occurred
-
removeAllRules
Description copied from interface: MCRRuleAccessInterface
removes all rules of the id. The parameter id serves as an identifier for the concrete underlying rule, e.g. an MCRObjectID.
- Specified by:
removeAllRules in interface MCRRuleAccessInterface
- Overrides:
removeAllRules in class MCRAccessBaseImpl
- Parameters:
id - the ID-String of the object
- Throws:
MCRException - if an error occurred
-
updateRule
public void updateRule(String id, String pool, Element rule, String description) throws MCRException
Description copied from interface: MCRRuleAccessInterface
updates an access rule for an ID to an access system. The parameter id serves as an identifier for the concrete underlying rule, e.g. an MCRObjectID.
- Specified by:
updateRule in interface MCRRuleAccessInterface
- Overrides:
updateRule in class MCRAccessBaseImpl
- Parameters:
id - the ID-String of the object
pool - the access permission for the rule
rule - the access rule
description - a String description of the rule in prose
- Throws:
MCRException - if an error occurred
-
updateRule
Description copied from interface: MCRRuleAccessInterface
updates an access rule for an "a priori permission" of an access system like "create-document".
- Specified by:
updateRule in interface MCRRuleAccessInterface
- Overrides:
updateRule in class MCRAccessBaseImpl
- Parameters:
permission - the access permission for the rule
rule - the access rule
description - a String description of the rule in prose
- Throws:
MCRException - if an error occurred
-
checkPermission
Description copied from interface: MCRAccessInterface
determines whether a given user has the permission to perform a certain action. No session data will be checked here. The parameter id serves as an identifier for the concrete underlying rule, e.g. an MCRObjectID.
- Specified by:
checkPermission in interface MCRAccessInterface
- Overrides:
checkPermission in class MCRAccessBaseImpl
- Parameters:
id - the ID-String of the object
permission - the permission/action to be granted, e.g. "read"
userInfo - the MCRUser, whose permissions are checked
- Returns:
true if the permission is granted, else false
-
checkPermission
Description copied from interface: MCRAccessInterface
determines whether the current user has the permission to perform a certain action. All information regarding the current user is encapsulated by a MCRSession instance which can be retrieved by
MCRSession currentSession = MCRSessionMgr.getCurrentSession();
This method is used for checking "a priori permissions" like "create-document" where a String ID does not exist yet.
- Specified by:
checkPermission in interface MCRAccessInterface
- Overrides:
checkPermission in class MCRAccessBaseImpl
- Parameters:
permission - the permission/action to be granted, e.g. "create-document"
- Returns:
true if the permission is granted, else false
-
checkPermissionForUser
Deprecated.
Description copied from interface: MCRRuleAccessInterface
determines whether a given user has the permission to perform a certain action. No session data will be checked here. This method is used for checking "a priori permissions" like "create-document" where a String ID does not exist yet.
- Specified by:
checkPermissionForUser in interface MCRRuleAccessInterface
- Overrides:
checkPermissionForUser in class MCRAccessBaseImpl
- Parameters:
permission - the permission/action to be granted, e.g. "create-document"
userID - the MCRUser, whose permissions are checked
- Returns:
true if the permission is granted, else false
-
checkPermissionForUser
Description copied from interface: MCRAccessInterface
determines whether a given user has the permission to perform a certain action. No session data will be checked here. This method is used for checking "a priori permissions" like "create-document" where a String ID does not exist yet.
- Specified by:
checkPermissionForUser in interface MCRAccessInterface
- Overrides:
checkPermissionForUser in class MCRAccessBaseImpl
- Parameters:
permission - the permission/action to be granted, e.g. "create-document"
userInfo - the MCRUser, whose permissions are checked
- Returns:
true if the permission is granted, else false
-
checkPermission
Description copied from interface: MCRRuleAccessInterface
determines whether the current user has the permission to perform a certain action. All information regarding the current user is encapsulated by a MCRSession instance which can be retrieved by
MCRSession currentSession = MCRSessionMgr.getCurrentSession();
- Specified by:
checkPermission in interface MCRRuleAccessInterface
- Overrides:
checkPermission in class MCRAccessBaseImpl
- Parameters:
rule - the JDOM representation of a mycore access rule
- Returns:
true if the permission is granted, else false
-
getRule
Description copied from interface: MCRRuleAccessInterface
exports an access rule as JDOM element.
- Specified by:
getRule in interface MCRRuleAccessInterface
- Overrides:
getRule in class MCRAccessBaseImpl
- Parameters:
objID - the ID-String of the object
permission - the access permission for the rule
- Returns:
the rule as JDOM element, or null if no rule is defined
-
getRule
Description copied from interface: MCRRuleAccessInterface
exports an access rule for an "a priori permission" as JDOM element.
- Specified by:
getRule in interface MCRRuleAccessInterface
- Overrides:
getRule in class MCRAccessBaseImpl
- Parameters:
permission - the access permission for the rule
- Returns:
the rule as JDOM element, or null if no rule is defined
-
getRuleDescription
Description copied from interface: MCRRuleAccessInterface
returns the prose description of a defined rule for an "a priori" permission like "create-document".
- Specified by:
getRuleDescription in interface MCRRuleAccessInterface
- Overrides:
getRuleDescription in class MCRAccessBaseImpl
- Parameters:
permission - the access permission for the rule
- Returns:
the String of the description
-
getRuleDescription
Description copied from interface: MCRRuleAccessInterface
returns the prose description of a defined rule.
- Specified by:
getRuleDescription in interface MCRRuleAccessInterface
- Overrides:
getRuleDescription in class MCRAccessBaseImpl
- Parameters:
objID - the ID-String of the object
permission - the access permission for the rule
- Returns:
the String of the description
-
getPermissionsForID
Description copied from interface: MCRRuleAccessInterface
lists all permissions defined for the id. The parameter id serves as an identifier for the concrete underlying rule, e.g. an MCRObjectID.
- Specified by:
getPermissionsForID in interface MCRRuleAccessInterface
- Overrides:
getPermissionsForID in class MCRAccessBaseImpl
- Returns:
a List of all permissions defined for id
-
getPermissions
Description copied from interface: MCRRuleAccessInterface
lists all a-priori permissions like "create-document".
- Specified by:
getPermissions in interface MCRRuleAccessInterface
- Overrides:
getPermissions in class MCRAccessBaseImpl
- Returns:
a List of all defined permissions
-
hasRule
Description copied from class: MCRAccessBaseImpl
checks whether a rule with the id and permission is defined. It's the same as calling (getRule(id, permission)!=null);
- Specified by:
hasRule in interface MCRRuleAccessInterface
- Overrides:
hasRule in class MCRAccessBaseImpl
- Parameters:
id - the ID-String of the object
permission - the access permission for the rule
- Returns:
false, if getRule(id, permission) would return null, else true
-
hasRule
Description copied from class: MCRAccessBaseImpl
checks whether a rule with the id is defined. It's the same as calling (getPermissionsForID(id).size()>0);
- Specified by:
hasRule in interface MCRRuleAccessInterface
- Overrides:
hasRule in class MCRAccessBaseImpl
- Parameters:
id - the ID-String of the object
- Returns:
false, if getPermissionsForID(id) would return an empty list, else true
-
getAllControlledIDs
Description copied from interface: MCRRuleAccessInterface
lists all String IDs, a permission is assigned to. The parameter id serves as an identifier for the concrete underlying rule, e.g. an MCRObjectID.
- Specified by:
getAllControlledIDs in interface MCRRuleAccessInterface
- Overrides:
getAllControlledIDs in class MCRAccessBaseImpl
- Returns:
a sorted and distinct List of all String IDs
-
isDisabled
public boolean isDisabled()
-
getAccessRule
Description copied from interface: MCRRuleAccessInterface
returns a MCRAccessRule which could be validated. All information regarding the current user is encapsulated by a MCRSession instance which can be retrieved by
MCRSession currentSession = MCRSessionMgr.getCurrentSession();
The parameter id serves as an identifier for the concrete underlying rule, e.g. an MCRObjectID.
- Specified by:
getAccessRule in interface MCRRuleAccessInterface
- Overrides:
getAccessRule in class MCRAccessBaseImpl
- Parameters:
objID - the ID-String of the object
pool - the permission/action to be granted, e.g. "read"
- Returns:
MCRAccessRule instance or null if no rule is defined
-
checkAccess
@Deprecated public boolean checkAccess(String objID, String permission, String userID, MCRIPAddress ip)
Deprecated.
Validator methods to validate access definition for given object and pool
- Parameters:
permission - poolname as string
objID - MCRObjectID as string
userID - MCRUser
ip - IP address
- Returns:
true if access is granted according to defined access rules
-
checkAccess
public boolean checkAccess(String objID, String permission, MCRUserInformation userInfo, MCRIPAddress ip)
Validator methods to validate access definition for given object and pool
- Parameters:
permission - poolname as string
objID - MCRObjectID as string
userInfo - MCRUser
ip - IP address
- Returns:
true if access is granted according to defined access rules
-
getNextFreeRuleID
method that delivers the next free ruleID for a given Prefix and sets the counter to counter + 1
- Parameters:
prefix - String
- Returns:
String
-
getNormalizedRuleString
delivers the rule as string, after normalizing it via sorting with MCRAccessConditionsComparator
- Specified by:
getNormalizedRuleString in interface MCRRuleAccessInterface
- Overrides:
getNormalizedRuleString in class MCRAccessBaseImpl
- Parameters:
rule - JDOM element
- Returns:
String
-
getAutoGeneratedRuleMapping
public MCRRuleMapping getAutoGeneratedRuleMapping(Element rule, String creator, String pool, String id, String description)
returns an auto-generated MCRRuleMapping, needed to create Access Definitions
- Parameters:
rule - JDOM representation of a MCRAccess Rule
creator - String
pool - String
id - String
- Returns:
MCRRuleMapping
-
normalize
method, that normalizes the JDOM representation of a mycore access condition
- Parameters:
rule - condition-JDOM of an access-rule
- Returns:
the normalized JDOM-Rule
-