As of JSR 283 the API contains the following privilege related interfaces and methods:
Privilege management is outside of the scope provided by JCR and therefore provided by the extensions defined by the Jackrabbit API. It consists of a single interface:
PrivilegeManager privilegeManager = session.getWorkspace().getPrivilegeManager();
Root root = contentSession.getLatestRoot(); PrivilegeConfiguration config = securityProvider.getConfiguration(PrivilegeConfiguration.class); PrivilegeManager privilegeManage = config.getPrivilegeManager(root, namePathMapper));
PrivilegeManager privilegeManager = session.getWorkspace().getPrivilegeManager(); String privilegeName = ... boolean isAbstract = ... String[] declaredAggregateNames = ... // NOTE: workspace operation that doesn't require Session#save() privilegeManager.registerPrivilege(privilegeName, isAbstract, declaredAggregateNames);
The jcr-commons module present with Jackrabbit provide some privilege related utility methods:
The behavior of the default privilege management implementation is described in section Privilege Management: The Default Implementation.
The PrivilegeConfiguration is the Oak level entry point to obtain a new PrivilegeManager as well as privilege related configuration options. The default implementation of the PrivilegeManager interface is based on Oak API and can equally be used for privilege related tasks in the Oak layer.
Please note: While it’s in theory possible to replace the default privilege management implementation in Oak, this is only recommended if you have in depth knowledge and understanding of Jackrabbit/Oak internals and are familiar with the security risk associated with it. Doing so, will most likely require a re-write of the default access control and permission evaluation.