jackrabbit-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Paco Avila <pav...@git.es>
Subject Re: Limiting child node access in Jackrabbit 1.5
Date Thu, 22 May 2008 08:14:52 GMT
I implemented my own access manager to achive this behaviour. And I
created this mixin type:

[mix:accessControlled]
- okm:authUsersRead (string) multiple mandatory 
- okm:authUsersWrite (string) multiple mandatory 
- okm:authRolesRead (string) multiple mandatory 
- okm:authRolesWrite (string) multiple mandatory 


El jue, 22-05-2008 a las 09:27 +0200, Vidar Ramdal escribió:
> Does no-one really know how to achieve this?
> Maybe Angela Schreiber, who apparently is doing the
> authentication/authorization work for Jackrabbit 1.5, could give me a
> hint?
> Any information is valuable to me - if it's not possible to do this,
> I'd like to hear that as well.
> 
> On Wed, May 21, 2008 at 11:15 AM, Vidar Ramdal <vidar@idium.no> wrote:
> > I want to set access control policies so that a parent node (e.g.
> > /node) is readable for Everyone, but a child node (/node/childnode) is
> > only readable for specific principals.
> >
> > So I grant READ to Everyone on the parent node. This renders /node and
> > the entire subtree readable for everyone. Next, I want to specify
> > NO_PRIVILEGES for Everyone on the protected child node, and grant READ
> > access to a specific user on the child node:
> >
> > session.getAccessControlManager().addAccessControlEntry("/node", new
> > PrincipalImpl("everyone"),
> > PrivilegeRegistry.getPrivileges(PrivilegeRegistry.READ));
> > session.getAccessControlManager().addAccessControlEntry("/node/childnode",
> > new PrincipalImpl("everyone"),
> > PrivilegeRegistry.getPrivileges(PrivilegeRegistry.NO_PRIVILEGE));
> > session.getAccessControlManager().addAccessControlEntry("/node/childnode",
> > new PrincipalImpl("specificuser"),
> > PrivilegeRegistry.getPrivileges(PrivilegeRegistry.READ));
> >
> > However, this strategy fails on line #2, with the following stacktrace:
> > org.apache.jackrabbit.api.jsr283.security.AccessControlException
> >        at org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry.getBits(PrivilegeRegistry.java:114)
> >        at org.apache.jackrabbit.core.security.authorization.acl.ACLEditor.addAccessControlEntry(ACLEditor.java:198)
> >        at org.apache.jackrabbit.core.security.DefaultAccessManager.addAccessControlEntry(DefaultAccessManager.java:389)
> >
> > PrivilegeRegistry.getPrivileges(0) returns an emtpy Privileges[]
> > array. This causes PrivilegeRegistry.getBits() to throw an exception,
> > because (PrivilegeRegistry lines 113..115):
> >        if (privileges == null || privileges.length == 0) {
> >            throw new AccessControlException();
> >        }
> >
> > So is this a bug, or is there another recommended way of achieving my
> > goal: Having a publicly accessible parent node, and a protected child
> > node?
> 
> 
-- 
Paco Avila <pavila@git.es>
GIT Consultors


Mime
View raw message