ACL Setup

The RepositorySetupService, which is normally provided with Composum Nodes, allows the Access Control Lists (ACLs) of the JCR repository to be configured through JSON configuration files stored in the repository. Each module can provide such configurations via deployment and, if required, have them executed automatically during installation.

In addition, descriptive meta-information about these script files can be provided. These are collected in the ACL view of the Composum Browser and offered for selection or execution.

The ACL Setup View

Since Nodes release 2.2.1, the ACL view of the browser offers two actions for controlling the execution of the ACL setup scripts directly in the browser.

If a node is detected as an ACL setup script, the action for direct execution of the selected script is activated.

The selected script can be executed directly in the script view ('Run Current...'). The log messages written by the RepositorySetupService during the execution appear in the lower view.

The Setup Script Configuration View presents all the scripts for which configuration data could be determined. The view can be filtered using the categories defined in the meta data. Several of the displayed scripts can be selected and executed as a block in the predefined order.

Here, too, the log of the execution is displayed in the lower area.

To determine the available predefined script files, all resources with the matching resource type (see below) are collected automatically and combined into a single view of all preconfigured options.

The ACL Setup Configuration

Setup Script Meta Data

Each resource of resource type

composum/nodes/commons/components/security/config

is interpreted as a descriptive configuration of a set of ACL setup scripts.

The resource itself describes the entire set. Each child resource in it describes a single setup script.

The following is an example of the configuration for the ACL setup scripts of the Composum Platform module.

the configuration set resource

the attributes of the configuration set resource are:

  • jcr:title
    the title in the sets view
  • jcr:description
    a more descriptive (longer) text displayed also in the set view
  • category
    a multi value of category keys for all scripts described by this set
  • rank
    the rank in the order of all declared configuration sets (determines the execution order)

the configuration set child resources

the attributes of each child (of each JSON script reference) in the configuration set are:

  • jcr:title
    a short title for the described script file
  • jcr:description
    a longer text to describe the purpose of the setup script
  • category
    a multi value of category keys for the described script only
  • script
    the repository path of the JSON setup script
  • autoSetup (bool)
    a hint for the user; 'true' if the script is executed automatically during module (package) setup

Setup Script JSON format

A JSON ACL setup script is a simple array of JSON objects. Each object defines the ACL rules for a set of repository paths, for example:

A single path or a list of paths can be specified.

Optionally, a primaryType can be specified. If one of the paths does not exist and a primaryType is given, the path is created with that primary type.

Each of the objects in the JSON array contains an 'acl' object, which can be a single object or an array of objects.

ACL object ('acl')

Each 'acl' object defines a set of rules about one or more principals.

For 'principal' a single value or an array of names can be specified.

The ACL rule is an object or an array of rule objects.

If all existing rules for the given principals should be removed before applying the rules defined in the script, then this can be specified with 'reset'=true in the ACL object.

the 'rule' or 'rules' object

Each object in the 'rules' list (or the 'rule' object) defines either a 'grant' or a 'deny' rule. The value for the 'grant' or 'deny' rule can also be a single value or an array of privileges.

Optionally, a 'restrictions' object or an array of such objects can be specified. Each 'restrictions' object is a map of restriction keys and matching values.
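Because almost every element of this format may be either a single value or an array, a script can be hard to review by eye. The following added example (not part of Composum's own code) normalizes a constructed setup script into one flat entry per path, principal and privilege so the effective grants and denies can be audited before the script is run; the key names "path"/"paths" for the target paths are an assumption, all other keys are the ones named above.

```python
import json

# Constructed sample in the format described above. The key names "path"/"paths"
# are assumed; "primaryType", "acl", "principal", "reset", "rule", "rules",
# "grant", "deny" and "restrictions" are the keys named in the documentation.
SAMPLE_SCRIPT = json.dumps([
    {
        "path": "/content/demo",
        "primaryType": "sling:Folder",
        "acl": {
            "principal": ["everyone", "anonymous"],
            "reset": True,
            "rule": {"grant": "jcr:read",
                     "restrictions": {"rep:glob": "/public/*"}}
        }
    },
    {
        "paths": ["/conf/demo", "/var/demo"],
        "acl": [
            {"principal": "demo-admins",
             "rules": [{"grant": ["jcr:read", "rep:write"]},
                       {"deny": "jcr:removeNode"}]}
        ]
    }
])

def as_list(value):
    """The format accepts a single value or an array everywhere; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def flatten_acl_script(script_json):
    """Expand a setup script into one entry per (path, principal, effect, privilege)
    together with the reset flag and restrictions that apply to that entry."""
    entries = []
    for block in json.loads(script_json):
        paths = as_list(block.get("path")) + as_list(block.get("paths"))
        for acl in as_list(block.get("acl")):
            rules = as_list(acl.get("rule")) + as_list(acl.get("rules"))
            for path in paths:
                for principal in as_list(acl.get("principal")):
                    for rule in rules:
                        for effect in ("grant", "deny"):
                            for privilege in as_list(rule.get(effect)):
                                entries.append({"path": path, "principal": principal,
                                                "reset": bool(acl.get("reset", False)),
                                                "effect": effect, "privilege": privilege,
                                                "restrictions": as_list(rule.get("restrictions"))})
    return entries
```

A 'reset' entry is worth a second look during review, since it removes every existing rule for the principal before the script's own rules are applied.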