jackrabbit-dev mailing list archives

From Torgeir Veimo <torg...@pobox.com>
Subject Re: implementing AccessManager
Date Sun, 02 Jul 2006 21:02:43 GMT
Pavel Jbanov wrote:
> Hi,
> I've just started with Jackrabbit and am currently trying to get some
> security going.
> I'm trying to implement my own AccessManager. I took SimpleAccessManager as
> a base and am following the @todo comments. I'm also going to implement (or
> hopefully find) a JAAS LoginModule to work with LDAP. The way I was planning
> to check access to certain Node types is to store a set of groups (that have
> access to that Node) as properties in those nodes and then compare those
> sets with the set of Principals (of Group class).
> First of all: does this approach make sense? Is there another/better
> approach or built in support for basic role/group based access management?
> Any examples, tutorials?
> Is it possible to get access to current Session from within AccessManager?
> Because I need it in order to get the list of groups from the current
> Node...

It's doable. Something along the lines of

public boolean isGranted(ItemId id, int permissions)
throws ItemNotFoundException, RepositoryException {
     if (super.isGranted(id, permissions)) {

         NamespaceResolver nsResolver = 
         String path = null;
         try {
             path = 
         } catch (NoPrefixDeclaredException npde) {
             log.error("unable to get JCR path: ", npde);
             return false;
         }
         if (systemSession == null) {
             synchronized (this) {
                 try {

                     // obtain reference to repository to obtain a session instance
                     InitialContext context = new InitialContext();
                     Context environment = (Context) 
                     Repository repository = (Repository) 
                     // replace with whatever method you use to retrieve your repository
                     systemSession = repository.login(new 
                 } catch (Exception e) {
                     log.error("unable to obtain a system session; ", e);
                     systemSession = null;
                     return false;
                 }
             }
         }

         // use systemSession to retrieve ACL nodes/properties

However, the general consensus on this list seems to be that it's better 
to implement it using a separate process that keeps track of the mapping 
from nodeIds to the ACLs for those nodes.

The process might very well implement this by reading repository content 
looking for ACL entries / properties, and storing these in a cache. It 
would register itself as an event listener on the repository, and update 
its caches on writes to the repository.
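
A sketch of the event-listener cache described in the last paragraph, added here as an example; it is not part of the original message and not Jackrabbit code. It compiles against the JCR API (javax.jcr). Assumptions: the class name AclCache, the property name "allowedGroups", keying by absolute node path rather than node id, and a system session used only by this cache; the initial scan that fills the cache at startup is left out.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.jcr.*;
import javax.jcr.observation.*;
/** Hypothetical ACL cache: absolute node path -> group names allowed on that node. */
public class AclCache implements javax.jcr.observation.EventListener {
    // Assumed name of the multi-valued property listing allowed groups (not a Jackrabbit name).
    static final String ACL_PROP = "allowedGroups";
    private final Map<String, Set<String>> acls = new ConcurrentHashMap<>();
    private final Session systemSession; // assumed to be dedicated to this cache
    public AclCache(Session systemSession) throws RepositoryException {
        this.systemSession = systemSession;
        ObservationManager om = systemSession.getWorkspace().getObservationManager();
        int types = Event.PROPERTY_ADDED | Event.PROPERTY_CHANGED
                  | Event.PROPERTY_REMOVED | Event.NODE_REMOVED;
        // Deep watch from the root; noLocal=false so this session's own writes are seen too.
        om.addEventListener(this, types, "/", true, null, null, false);
    }
    public void onEvent(EventIterator events) {
        while (events.hasNext()) {
            Event e = events.nextEvent();
            try {
                String path = e.getPath();
                if (e.getType() == Event.NODE_REMOVED) { // drop the node and its subtree
                    acls.keySet().removeIf(k -> k.equals(path) || k.startsWith(path + "/"));
                    continue;
                }
                if (!path.endsWith("/" + ACL_PROP)) continue; // not an ACL property
                String nodePath = path.substring(0, path.lastIndexOf('/'));
                if (nodePath.isEmpty()) nodePath = "/";
                if (e.getType() == Event.PROPERTY_REMOVED) { acls.remove(nodePath); continue; }
                Set<String> groups = new HashSet<>();
                for (Value v : ((Property) systemSession.getItem(path)).getValues())
                    groups.add(v.getString());
                acls.put(nodePath, groups);
            } catch (RepositoryException ex) {
                acls.clear(); // cache state unknown: empty it so every lookup denies
            }
        }
    }
    /** Nearest ancestor-or-self ACL decides; no ACL on the way to the root means deny. */
    public boolean isAllowed(String absPath, Set<String> callerGroups) {
        for (String p = absPath; ; p = p.substring(0, Math.max(p.lastIndexOf('/'), 1))) {
            Set<String> allowed = acls.get(p);
            if (allowed != null) return !Collections.disjoint(allowed, callerGroups);
            if (p.equals("/")) return false;
        }
    }
}
```

JCR observation events are delivered asynchronously after a save, so a group removed from a node's ACL can still pass isAllowed for a short time until the event arrives.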

