jackrabbit-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bilobag <bilo...@hotmail.com>
Subject Re: RepositoryImpl in the AccessManager
Date Wed, 31 Oct 2007 17:07:03 GMT

Well i attempted a solution I found that instantiated a subclassed
AccessManager.  This AccessManager uses a system user to access the
repository which would allow full access to any repository node.  However, I
ran into issues trying to get a reference to my RepositoryImpl inside my
AccessManager and I had the same concerns about performance due to the
number node lookups being done.  My initial strategy was to load an Access
Control List(ACL) into the session when a user logged in.  Then i could use
the AccessManager to check the node uuid against this ACL and allow access
if the uuid was in the ACL.  However, the AccessManager is run for every
type of node including version nodes and nt:resource nodes.  Now this would
mean that I would have to load every single type of node at login which
included version nodes etc... and this could possibly take forever.  I
really only wanted to restrict access to certain types of nodes and let
everything else through.  Therefore the only extra piece of information I
really needed was the primary node type of the uuid that was passed to the
AccessManager.  Then I could check the nodeType and restrict access against
my ACL if it was a nodeType that needed restriction...unlike the version and
resource nodes.  After much pain trying to implement an AccessManager that
could get the nodeType, i decided to move on and implement a less elegant
solution which involved restricting nodes in multiple places instead of in
one place like the AcessManager.  If anyone has an update or advice on this,
I would love to try to implement it again as I think it is the ideal place
to put node restriction.  I just think the current jackrabbit AccessManager
should provide a way to access more specific node information which  in my
case is the nodeType.  I understand that it could be a potential performance
issue, but there must be ways to optimize it.  Otherwise I can not use the
AccessManager to control node specific access.  Any ideas or comments?

(Berry) A.W. van Halderen wrote:
> On Tue, Oct 23, 2007 at 11:47:27AM -0700, bilobag wrote:
>> So I am attempting to create a SessionImpl with a system subject so that
>> it
>> can have full access to the repository.  I want to use this SessionImpl
>> in
>> my custom AccessManager to query properties of the nodes(ie. node type)
>> to
>> determine whether a user should have access to a particular node.  I am
>> using spring with jackrabbit and I'm not sure what the best way is to get
>> a
>> ref to a RepositoryImpl.  Can someone please give some advise.  i have
>> been
>> working on this for a week straight now.  Thanks in advance.
> Check out our AccessManager, source available in public available SVN:
> http://svn.hippocms.org/repos/hippo/hippo-ecm/branches/Release-HREPTWO-v2_01_00-M1/repository/engine/src/main/java/org/hippoecm/repository/security/SimpleAccessManager.java
> The trick is that you have to extend a number of JackRabbit classes,
> such that you are using your own, extended, RepositoryImpl, SessionImpl,
> etcetera, in order to create a own (extended) version of a
> HierarchyManager.
> This HierarchyManager can then expose, the otherwise protected method
> which allows you to get the actual ItemState.
> HOWEVER: be very aware that there may be severe implications with this
> approach.  I think (but maybe a jackrabbit architect can comment) that
> it is not by change that you have only access to ItemId in the access
> manager, and not to ItemState as well.  This because an access manager
> might be required to quickly filter out non accessible items (nodes or
> properties) before returning.  If it would need to constantly access
> the actual state, it might have fatal performance consequences.
> We don't have experience with this yet, but it is on our mid-term to-do
> list.
> So if you gain further experience, let us (all) know.
> \Berry
> -- 
> Berry A.W. van Halderen           b.vanhalderen@hippo.nl /
> berry@halderen.net
> Disclaimer: the above is the author's personal opinion and is not the
> opinion
> or policy of his employer or of the little green men that have been
> following
> him all day.

View this message in context: http://www.nabble.com/RepositoryImpl-in-the-AccessManager-tf4679552.html#a13514098
Sent from the Jackrabbit - Users mailing list archive at Nabble.com.

View raw message