Return-Path: Delivered-To: apmail-jackrabbit-dev-archive@www.apache.org Received: (qmail 17937 invoked from network); 2 Mar 2007 14:24:22 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 2 Mar 2007 14:24:22 -0000 Received: (qmail 53037 invoked by uid 500); 2 Mar 2007 14:24:29 -0000 Delivered-To: apmail-jackrabbit-dev-archive@jackrabbit.apache.org Received: (qmail 53014 invoked by uid 500); 2 Mar 2007 14:24:29 -0000 Mailing-List: contact dev-help@jackrabbit.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@jackrabbit.apache.org Delivered-To: mailing list dev@jackrabbit.apache.org Received: (qmail 53005 invoked by uid 99); 2 Mar 2007 14:24:29 -0000 Received: from herse.apache.org (HELO herse.apache.org) (140.211.11.133) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 02 Mar 2007 06:24:29 -0800 X-ASF-Spam-Status: No, hits=0.3 required=10.0 tests=MAILTO_TO_SPAM_ADDR,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (herse.apache.org: domain of stefan.guggisberg@gmail.com designates 64.233.182.189 as permitted sender) Received: from [64.233.182.189] (HELO nf-out-0910.google.com) (64.233.182.189) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 02 Mar 2007 06:24:17 -0800 Received: by nf-out-0910.google.com with SMTP id x4so1310323nfb for ; Fri, 02 Mar 2007 06:23:56 -0800 (PST) DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=mMcaf+uCIykafoMjcoD1MHD5npHLJTFvkC3lDQ+p5l3Be/5AXz3wzgpEzJ9CXzpxpLplSy6F3+JDiuvr6GmxbJdAy7cOzV4/Bwn3JnGyldg4p3ip10CBwuqznjr6BYTXTd5e1uWErapjzk9sm2kQRtOwkQeaxNsYFBRJqzCv+MA= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=DYUchmLBzKoYii3TwPziOo3kGvcLAthPb4bdMeuDMF3mQBzEvo5L88ldVYC18QXkUjGS2MiqLx6c8DLSHeO60cmiUqdezT7kIBluGGZraX9cTqxCTJb3Q3Vyd19Ti882Wjl9681XzFmH8K8/9zS89AamrHVNx0JVqhdsP/Mww0E= Received: by 10.49.57.1 with SMTP id j1mr7844941nfk.1172845436020; Fri, 02 Mar 2007 06:23:56 -0800 (PST) Received: by 10.49.3.2 with HTTP; Fri, 2 Mar 2007 06:23:55 -0800 (PST) Message-ID: <90a8d1c00703020623y6f88fa42td5f03f5149bf429@mail.gmail.com> Date: Fri, 2 Mar 2007 15:23:55 +0100 From: "Stefan Guggisberg" To: dev@jackrabbit.apache.org Subject: Re: Jackrabbit access manager question In-Reply-To: <20070301170325.46864.qmail@web53711.mail.yahoo.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <20070301170325.46864.qmail@web53711.mail.yahoo.com> X-Virus-Checked: Checked by ClamAV on apache.org hi xiaohua On 3/1/07, xiaohua lu wrote: > Hi, > We are working on a prototype based on Jackrabbit and encoutered some problems with access manager. > > The use case we have is we are trying to create a node with some properties, the code looks like this > > javax.jcr.Node newJCRNode = node.addNode(relPath, primaryNodeTypeName); > newJCRNode.setProperty(propName, propValue); > newJCRNode.save(); please note that the previous line will throw a ConstraintViolationException since you need to save the modified parent of the new node. but i guess that's just a typo in your code sample... > > We > noticed that after we hookup the access manager, the setProperty always > failed, The way our access manager works is we will do a repository > lookup of the node by uuid (if it is a property, we will check the > parent node id), and depending on the path of the node, we decide if > the current user has permission or not. The failure of setProperty is > due to denial of access on its parent node newJCRNode. Since it has not > been saved to repository yet, we can't resolve the path through > repository lookup by uuid (we also tried HierachyManager and it can't > resolve the path as well) > hmm... i tested the following on trunk: i added the following lines at the beginning of the SimpleAccessManager#isGranted(ItemId, int) method: try { String path = PathFormat.format(hierMgr.getPath(id), nsResolver); System.out.println("checking permission on " + path); } catch (RepositoryException re) { re.printStackTrace(System.out); } catch (NameException ne) { // erm } when i run the follwoing code: Node foo = root.addNode("foo"); foo.setProperty("bar", "blah blah"); root.save(); i get the following console output: checking permission on / checking permission on /foo/bar checking permission on /foo/jcr:primaryType so everything seems to be working as expected. note that i used the SimpleAccessManager's hierarchy manager for resolving the paths. cheers stefan > I > was wondering if the permission check should be done before the save is > called. Also I would like to know any workaround to this problem. > > Thanks. > > Xiaohua > > > P.S. > > Caused by: javax.jcr.ItemNotFoundException: {http://abc.com/acr/1.0}name > at org.apache.jackrabbit.core.NodeImpl.getOrCreateProperty(NodeImpl.java:453) > at org.apache.jackrabbit.core.NodeImpl.getOrCreateProperty(NodeImpl.java:407) > at org.apache.jackrabbit.core.NodeImpl.setProperty(NodeImpl.java:2218) > > > > > > > > > > ____________________________________________________________________________________ > We won't tell. Get more on shows you hate to love > (and love to hate): Yahoo! TV's Guilty Pleasures list. > http://tv.yahoo.com/collections/265