jackrabbit-dev mailing list archives

From Mat Lowery <mlow...@pentaho.com>
Subject Re: Access Control in Jackrabbit
Date Thu, 25 Feb 2010 17:50:41 GMT
All comments result from my experiences with Jackrabbit 1.6.  Version
1.6 is a weird beast because it contains a full JCR 1.0 implementation
with some JCR 2.0 implementation too.  (But the JCR 2.0 implementation
isn't against the standard JCR 2.0 interfaces.)  So AccessControlManager
(a JCR 2.0 interface) exists in Jackrabbit 1.6 but it doesn't implement
the standard interface.

There is no JCR API for configuring access control logic.  Jackrabbit's
SimpleAccessManager doesn't care about the "target of the user's
request."  Instead, I recommend turning on DefaultAccessManager and
putting your breakpoint at
$AbstractCompiledPermissions#buildResult(Path).  The Path object is the
"target of the user's request."  This is where ACL decisions are made
with this manager.

AccessControlManager is the JCR 2.0 method of getting and setting the
policy for a given path.  The only policies that I have used are
javax.jcr.security.AccessControlList.  This is a traditional ACL.

On Thu, 2010-02-25 at 17:31 +0100, David Brossard wrote:

> Hi folks,
> I am new to this list and to Jackrabbit. My interest lies mainly in
> JCR rather than Jackrabbit per se...
> I downloaded and started running Jackrabbit on top of my own webapp.
> Very smooth beginning, no probs. I wanted to play around with security
> so I:
> (a) had a look at repository.xml
> (b) edited <AccessManager class=" to point to a class I wrote and that
> is an exact copy of
> org.apache.jackrabbit.core.security.simple.SimpleAccessManager
> (c) started looking at the session and the context objects
> From what I can see I can find the subject object which lets me know
> who authenticated. I can also retrieve the userid from the session...
> But I would now like to know what node the user is trying to access.
> If I want some smart access control, it should take into account the
> target of the user's request. I couldn't find anything like that.
> In addition, what is the AccessControlManager and what policies is it
> referring to?
> Cheers,
> David.

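
The get-and-set-policy flow described in the reply, as an added example that is not part of the original thread. It assumes a repository that implements the standard JCR 2.0 `javax.jcr.security` interfaces (which, per the reply, Jackrabbit 1.6 does not); the class name `AclExample` and its method names are hypothetical, and the caller supplies the `Session` and `Principal`.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;

// Hypothetical helper class; only the javax.jcr.* types are real API.
public final class AclExample {

    /** Grants jcr:read on absPath to the principal and persists the ACL. */
    public static AccessControlList grantRead(Session session, String absPath,
            Principal principal) throws RepositoryException {
        AccessControlManager acm = session.getAccessControlManager();
        AccessControlList acl = findAcl(acm, absPath);
        if (acl == null) {
            throw new RepositoryException("No AccessControlList available at " + absPath);
        }
        Privilege[] read = { acm.privilegeFromName(Privilege.JCR_READ) };
        acl.addAccessControlEntry(principal, read);
        acm.setPolicy(absPath, acl); // binds the policy to the target path
        session.save();              // policy changes are transient until saved
        return acl;
    }

    /** Returns the ACL already set at absPath, else an applicable one, else null. */
    private static AccessControlList findAcl(AccessControlManager acm, String absPath)
            throws RepositoryException {
        for (AccessControlPolicy p : acm.getPolicies(absPath)) {
            if (p instanceof AccessControlList) return (AccessControlList) p;
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(absPath);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof AccessControlList) return (AccessControlList) p;
        }
        return null;
    }

    /** True if the session's own user holds jcr:read at absPath. */
    public static boolean canRead(Session session, String absPath)
            throws RepositoryException {
        AccessControlManager acm = session.getAccessControlManager();
        Privilege[] read = { acm.privilegeFromName(Privilege.JCR_READ) };
        return acm.hasPrivileges(absPath, read);
    }
}
```

Calling `canRead` from a session logged in as the affected user, before and after `grantRead`, confirms that the entry took effect for that path.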