From: Angela Schreiber
Date: Wed, 02 Jun 2010 10:08:21 +0200
To: dev@jackrabbit.apache.org
Subject: Re: Workspace access denied exception

W Wilson wrote:
> Apologies in advance if this has already been covered but I have searched
> extensively to try to solve my current problem.
>
> I have just started using Jackrabbit and JCR2.0. Following some of the
> simple examples referred to in this forum I wanted to set up a simple ACL
> example. Login as admin, create a node, create a user, enable that user to
> add to the admin's node.
>
> I have modified the repository xml file to include the
> DefaultSecurityManager, DefaultAccessManager and the DefaultLoginModule:
>
> workspaceName ="security"/>
> class="org.apache.jackrabbit.core.security.DefaultAccessManager" />
> class="org.apache.jackrabbit.core.security.authentication.DefaultLoginModule">
>
> Here are some snippets of the code I'm trying:
>
> InitialContext initialContext = new InitialContext(env);
> RegistryHelper.registerRepository(initialContext, "repo", configFile,
>     repHomeDir, true);
> repository = (Repository)initialContext.lookup("repo");
>
> SimpleCredentials credentials = new SimpleCredentials("admin",
>     "admin".toCharArray());
> session = repository.login(credentials);
> Node root = session.getRootNode();
> root.addNode("test node");
>
> UserManager um = ((JackrabbitSession)session).getUserManager();
> String userName = "jon";
> String pwd = "doe";
> User user = (User)um.getAuthorizable(userName);
> if(user == null)
> {
>     user = um.createUser("jon", "doe");
> }
>
> Node testNode = root.getNode("test node");
> System.out.println("Test node");
> Utils.dump(testNode);
>
> // Assign ACL to user w.r.t testNode
> AccessControlManager acm = session.getAccessControlManager();
> AccessControlPolicyIterator it =
>     acm.getApplicablePolicies(testNode.getPath());
> while(it.hasNext())
> {
>     AccessControlPolicy acp = it.nextAccessControlPolicy();
>     Privilege[] privileges = new
>         Privilege[]{acm.privilegeFromName(Privilege.JCR_WRITE)};
>     ((AccessControlList)acp).addAccessControlEntry(new
>         PrincipalImpl(user.getID()), privileges);
>     acm.setPolicy(testNode.getPath(), acp);
> }
>
> System.out.println("\nRepository after permissions change");
> Utils.dump(testNode);
> session.save();
>
> userSession = repository.login(user.getCredentials()); // ***
> Node anonRoot = userSession.getRootNode();
> System.out.println("\nRepository contents from jon doe");
> Utils.dump(anonRoot);
>
> // Output after delete
> Utils.removeAllNodesWithName("test node", session);
> System.out.println("\nRepository contents post delete");
> Utils.dump(root);
>
> Unfortunately the code is failing at ***
>
> javax.jcr.LoginException: Workspace access denied.
>
> From printouts of the actual node it appears that the user has been added to
> the ACL for test node but not to the workspace?

in the setup you configured the users are being created in a
separate workspace which is then used by all workspaces to
retrieve users and groups.

then, workspace access is asserted by the wsp-access-mgr.
unless configured otherwise, the defaultsecuritymgr uses an
impl. that checks if the root node of that workspace can be
read. there is another impl. that always allows access.

and finally, the User#getCredentials is defined to be used
for internal validation process and should not be usable nor
used for Repository#login.

hope that helps.
regards
angela
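
An added example, not part of the original message and not Jackrabbit project code: one way to act on the two points in the reply, using only the JCR 2.0 API. It assumes the default workspace access check described above (root node readable) and that the caller knows the user's plain-text password; the class and method names are hypothetical.

```java
import java.security.Principal;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.jcr.security.*;

// Added example; WorkspaceAccessExample and its methods are hypothetical names.
public final class WorkspaceAccessExample {

    /** Grants jcr:read on absPath, whether or not an ACL is already set there. */
    static void grantRead(Session admin, String absPath, Principal principal)
            throws RepositoryException {
        AccessControlManager acm = admin.getAccessControlManager();
        AccessControlList acl = null;
        // An ACL already bound to the node is returned by getPolicies(),
        // not by getApplicablePolicies(), so check the bound policies first.
        for (AccessControlPolicy p : acm.getPolicies(absPath)) {
            if (p instanceof AccessControlList) { acl = (AccessControlList) p; break; }
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(absPath);
        while (acl == null && it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof AccessControlList) acl = (AccessControlList) p;
        }
        if (acl == null) {
            throw new AccessControlException("no ACL can be set at " + absPath);
        }
        Privilege[] read = { acm.privilegeFromName(Privilege.JCR_READ) };
        acl.addAccessControlEntry(principal, read);
        acm.setPolicy(absPath, acl);
        admin.save(); // policy changes are transient until saved
    }

    /** Logs in with freshly built credentials instead of User#getCredentials(). */
    static Session loginAs(Repository repo, String userId, String password)
            throws RepositoryException {
        return repo.login(new SimpleCredentials(userId, password.toCharArray()));
    }

    /** Grants read on the workspace root, then verifies it from the user's own session. */
    static boolean canReadRoot(Repository repo, Session admin, Principal principal,
                               String userId, String password) throws RepositoryException {
        grantRead(admin, "/", principal); // e.g. the result of Authorizable#getPrincipal()
        Session s = loginAs(repo, userId, password);
        try {
            return s.hasPermission("/", Session.ACTION_READ);
        } finally {
            s.logout();
        }
    }
}
```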