Interface RepositorySecurityManager
HippoSession bound manager for accessing, and optionally managing, repository based security configuration.
The provided read-only and thread-safe providers are shared across all RepositorySecurityManager instances (e.g. across multiple HippoSessions).
The provided managers are all dedicated and bound to this RepositorySecurityManager instance and each use a dedicated system session for performing changes. These managers are NOT thread-safe and are only to be used on behalf of their HippoSession (user).
-
Method Summary
Method: Description
getChangePasswordManager: The ChangePasswordManager allows the HippoSession user to change its password
getDomainsManager: Provides administrative (crud) domain management; currently limited to only AuthRoles of an existing domain.
getRolesManager: Provides administrative (crud) roles management.
getRolesProvider: Provides a read-only and thread-safe provider for accessing repository Role definitions
getUserRolesManager: Provides administrative (crud) userroles management.
getUserRolesProvider: Provides a read-only and thread-safe provider for accessing repository User Role definitions
-
Method Details
-
getRolesProvider
RolesProvider getRolesProvider()
Provides a read-only and thread-safe provider for accessing repository Role definitions
- Returns:
- the roles provider
-
getUserRolesProvider
UserRolesProvider getUserRolesProvider()
Provides a read-only and thread-safe provider for accessing repository User Role definitions
- Returns:
- the userroles provider
-
getChangePasswordManager
The ChangePasswordManager allows the HippoSession user to change its password
- Returns:
- the ChangePasswordManager
- Throws:
AccessDeniedException
- for a HippoSession.isSystemSession(), a User.isSystemUser() or a User.isExternal().
RepositoryException
- if the underlying HippoSession is no longer live, or something else went wrong
-
getRolesManager
Provides administrative (crud) roles management.
Accessing the RolesManager requires the HippoSession to be in userrole SecurityConstants.USERROLE_SECURITY_VIEWER otherwise an AccessDeniedException will be raised.
The HippoSession will be attached to a dedicated internal system session for performing the requested administrative tasks. The HippoSession itself is (only) used for (possibly) additional authorization checks, depending on the requested administrative task, and for (audit) logging purposes.
All of the managers provided by this RepositorySecurityManager share the same internal system session for its HippoSession, which is automatically logged out when the HippoSession logs out.
- Returns:
- the roles manager
- Throws:
AccessDeniedException
- if the HippoSession isn't granted the userrole SecurityConstants.USERROLE_SECURITY_APPLICATION_ADMIN
RepositoryException
- if the underlying HippoSession is no longer live, or something else went wrong
-
getUserRolesManager
Provides administrative (crud) userroles management.
Accessing the UserRolesManager requires the HippoSession to be in userrole SecurityConstants.USERROLE_SECURITY_VIEWER otherwise an AccessDeniedException will be raised.
The HippoSession will be attached to a dedicated internal system session for performing the requested administrative tasks. The HippoSession itself is (only) used for (possibly) additional authorization checks, depending on the requested administrative task, and for (audit) logging purposes.
All of the managers provided by this RepositorySecurityManager share the same internal system session for its HippoSession, which is automatically logged out when the HippoSession logs out.
- Returns:
- the userroles manager
- Throws:
AccessDeniedException
- if the provided HippoSession isn't granted the userrole SecurityConstants.USERROLE_SECURITY_APPLICATION_ADMIN
RepositoryException
- if the underlying HippoSession is no longer live, or something else went wrong
-
getDomainsManager
Provides administrative (crud) domain management; currently limited to only AuthRoles of an existing domain.
Accessing the DomainsManager requires the HippoSession to be in userRole SecurityConstants.USERROLE_SECURITY_VIEWER otherwise an AccessDeniedException will be raised.
Note that this manager only provides and allows operations on DomainAuths in a valid location!
A domain location is valid if:
- it is a domain (directly) under a hipposys:domainfolder parent node below /hippo:configuration/hippo:domains
- it is a domain (directly) under a hipposys:federateddomainfolder parent node with depth >= 2
Likewise, access and operations on AuthRoles are only provided for authroles directly under a valid domain location.
All modifying operations require the underlying HippoSession to have userRole SecurityConstants.USERROLE_SECURITY_APPLICATION_ADMIN
The HippoSession will be attached to a dedicated internal system session for performing the requested administrative tasks. The HippoSession itself is (only) used for (possibly) additional authorization checks, depending on the requested administrative task, and for (audit) logging purposes.
All of the managers provided by this RepositorySecurityManager share the same internal system session for its HippoSession, which is automatically logged out when the HippoSession logs out.
- Returns:
- the DomainsManager
- Throws:
AccessDeniedException
- if the provided HippoSession isn't granted the userrole SecurityConstants.USERROLE_SECURITY_VIEWER
RepositoryException
- if the underlying HippoSession is no longer live, or something else went wrong
-