jackrabbit-users mailing list archives

From "C. K. Ponnappa" <ckponna...@gmail.com>
Subject Re: How should a Custom AccessManager access a Node ?
Date Tue, 10 Oct 2006 07:31:50 GMT
Hi,

I've been pairing with Sriram while he was working on authorization. I'd
like to add some business context so our requirements are a little clearer.

The core issue is that our customers have visualized their data as
having unix-ish permission strings on every node - every node has a
'permissions' property which has a value like '-rw-rw-rw-' or some such.
They've already got a db with data which we migrate into jackrabbit and
the migration process currently adds the permissions property to every node.

The solution we're proposing in order to deal with this specific issue
is to place a Session into JNDI, pick it up in the AccessManager, do
session.login() and get hold of the node using itemId.
Of course, this will call AccessManager again in order to validate
AccessManager's own permissions. We're proposing that we create some
kind of root user who has global read permissions and who will only be
used by AccessManager. AccessManager will have this hardcoded in - an
authenticated 'root' user will have full read access. This will give
AccessManager the ability to lookup the permissions for the Node
referenced by itemId and to approve or deny access.

Something like:

checkPermission(args) {

    // Bootstrap case: the AccessManager's own account is always granted READ,
    // otherwise the lookup below would recurse into this check forever.
    if ("our_access_manager".equals(subject) && "READ".equals(action)) {
        return; // grant ourselves permissions
    }

    repository = getRepositoryFromJNDI();
    session = repository.login(new
            AccessManagerCredentials("our_access_manager", "our_password"));
    Node node = session.getNodeByUUID(itemID.getUUID());
    // Read the unix-style permission string stored on the node
    String permissions = node.getProperty("permissions").getString();

    if (permitted(permissions, subject))
        return;
    throw new AccessDeniedException();
}

We know this is an ugly solution, but until we can externalise
authorization meta data (or talk our customers into it, rather) this was
the best we could come up with. We'd value all suggestions.

We'd also like to talk about how exactly one would externalize
authorization meta data. One approach Sriram and I were toying with
would be to have a parallel tree in the jcr with every data node having
a parallel permissions node. AccessManager will only have read perms for
the permissions tree (consequentially isolating the data) with some
other component being responsible for allowing mods to permissions. The
latter could probably be managed by giving users/subjects the
appropriate principals so they can change permissions for data nodes on
which they already have write permissions by allowing writing to the
parallel node on the permissions tree.

Thanks,
Sriram/Sidu.
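
The sketch above leaves permitted(permissions, subject) undefined. As an added example (not from the original message or the Jackrabbit project), this is one way to evaluate a permission string such as '-rw-rw-rw-' in plain Java, failing closed on malformed values. The class name, the owner/group/userGroups parameters and the sample values are assumptions, since the post does not say how ownership is recorded.

```java
import java.util.Set;
import java.util.regex.Pattern;

/** Added illustration; class, method and parameter names are hypothetical. */
public class UnixPermissionCheck {
    public enum Action { READ, WRITE }

    // Type flag followed by three triples: owner, group, other.
    // The execute slot is accepted as 'x' or '-' but never consulted.
    private static final Pattern MODE = Pattern.compile("[-d]([r-][w-][x-]){3}");

    /**
     * Assumption: the caller already knows the node's owner and group; the
     * post does not say where those are stored.
     */
    public static boolean permitted(String mode, String owner, String group,
                                    String user, Set<String> userGroups, Action action) {
        // Fail closed: a missing or malformed property value grants nothing.
        if (mode == null || user == null || action == null
                || !MODE.matcher(mode).matches()) {
            return false;
        }
        // Unix semantics: exactly one triple applies and the first match wins,
        // so an owner with "---" is denied even if "other" has "rw-".
        int base;
        if (user.equals(owner)) {
            base = 1;
        } else if (group != null && userGroups != null && userGroups.contains(group)) {
            base = 4;
        } else {
            base = 7;
        }
        int offset = (action == Action.READ) ? 0 : 1;
        char expected = (action == Action.READ) ? 'r' : 'w';
        return mode.charAt(base + offset) == expected;
    }

    public static void main(String[] args) {
        // Constructed sample values, not data from the post.
        Set<String> staff = Set.of("staff");
        System.out.println(permitted("-rw-r-----", "alice", "staff", "alice", staff, Action.WRITE)); // owner triple
        System.out.println(permitted("-rw-r-----", "alice", "staff", "bob", staff, Action.WRITE));   // group triple
        System.out.println(permitted("-rw-r-----", "alice", "staff", "eve", Set.of(), Action.READ)); // other triple
        System.out.println(permitted("----rw-rw-", "alice", "staff", "alice", staff, Action.READ));  // owner triple is empty
        System.out.println(permitted("rw-rw-rw-", "alice", "staff", "alice", staff, Action.READ));   // malformed: 9 chars
    }
}
```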


