jackrabbit-users mailing list archives

From "Vidar Ramdal" <vi...@idium.no>
Subject Limiting child node access in Jackrabbit 1.5
Date Wed, 21 May 2008 09:15:39 GMT
I want to set access control policies so that a parent node (e.g.
/node) is readable for Everyone, but a child node (/node/childnode) is
only readable for specific principals.

So I grant READ to Everyone on the parent node. This renders /node and
the entire subtree readable for everyone. Next, I want to specify
NO_PRIVILEGES for Everyone on the protected child node, and grant READ
access to a specific user on the child node:

session.getAccessControlManager().addAccessControlEntry("/node",
    new PrincipalImpl("everyone"),
    PrivilegeRegistry.getPrivileges(PrivilegeRegistry.READ));
session.getAccessControlManager().addAccessControlEntry("/node/childnode",
    new PrincipalImpl("everyone"),
    PrivilegeRegistry.getPrivileges(PrivilegeRegistry.NO_PRIVILEGE));
session.getAccessControlManager().addAccessControlEntry("/node/childnode",
    new PrincipalImpl("specificuser"),
    PrivilegeRegistry.getPrivileges(PrivilegeRegistry.READ));

However, this strategy fails on line #2, with the following stacktrace:
org.apache.jackrabbit.api.jsr283.security.AccessControlException
	at org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry.getBits(PrivilegeRegistry.java:114)
	at org.apache.jackrabbit.core.security.authorization.acl.ACLEditor.addAccessControlEntry(ACLEditor.java:198)
	at org.apache.jackrabbit.core.security.DefaultAccessManager.addAccessControlEntry(DefaultAccessManager.java:389)

PrivilegeRegistry.getPrivileges(0) returns an empty Privileges[]
array. This causes PrivilegeRegistry.getBits() to throw an exception,
because (PrivilegeRegistry lines 113..115):
        if (privileges == null || privileges.length == 0) {
            throw new AccessControlException();
        }

So is this a bug, or is there another recommended way of achieving my
goal: Having a publicly accessible parent node, and a protected child
node?



-- 
Vidar S. Ramdal <vidar@idium.no> - http://www.idium.no
Akersgata 16, N-0158 Oslo, Norway
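
Added example, not part of the original message and not Jackrabbit code: a small Java model of the parent/child setup described above, showing that in an additive grant model an "allow nothing" entry on the child removes none of the inherited READ, while an explicit deny on the child followed by an allow for the specific principal gives the intended result. The class `AclModel`, its `allow`/`deny`/`effective` methods and the root-to-leaf, insertion-order evaluation are assumptions made for illustration (Java 16+ for `record`).

```java
import java.util.*;

// Conceptual model only: NOT Jackrabbit's API or its evaluation algorithm.
public class AclModel {
    static final int READ = 1;

    // One access control entry: allow or deny `bits` for `principal` at `path`.
    record Entry(String path, String principal, boolean allow, int bits) {}

    private final List<Entry> entries = new ArrayList<>();

    void allow(String path, String principal, int bits) { entries.add(new Entry(path, principal, true, bits)); }
    void deny(String path, String principal, int bits)  { entries.add(new Entry(path, principal, false, bits)); }

    // Walk from the root down to `path`; entries on deeper nodes are applied
    // later and therefore override what was inherited from ancestors.
    int effective(String path, Set<String> principals) {
        int bits = 0;
        String current = "";
        for (String seg : path.substring(1).split("/")) {
            current += "/" + seg;
            for (Entry e : entries) {
                if (!e.path().equals(current) || !principals.contains(e.principal())) continue;
                bits = e.allow() ? (bits | e.bits()) : (bits & ~e.bits());
            }
        }
        return bits;
    }

    public static void main(String[] args) {
        Set<String> anonymous = Set.of("everyone");                 // constructed subjects
        Set<String> specific = Set.of("everyone", "specificuser");

        // Grant-only attempt: an allow entry with an empty privilege set removes nothing.
        AclModel grantOnly = new AclModel();
        grantOnly.allow("/node", "everyone", READ);
        grantOnly.allow("/node/childnode", "everyone", 0);
        System.out.println("grant-only, anonymous on child: " + grantOnly.effective("/node/childnode", anonymous));

        // Explicit deny on the child, then allow for the specific principal.
        AclModel withDeny = new AclModel();
        withDeny.allow("/node", "everyone", READ);
        withDeny.deny("/node/childnode", "everyone", READ);
        withDeny.allow("/node/childnode", "specificuser", READ);
        System.out.println("deny, anonymous on child: " + withDeny.effective("/node/childnode", anonymous));
        System.out.println("deny, specificuser on child: " + withDeny.effective("/node/childnode", specific));
        System.out.println("deny, anonymous on parent: " + withDeny.effective("/node", anonymous));
    }
}
```

In this model the order of entries on the same node matters: the deny for "everyone" must come before the allow for "specificuser", because that user is also a member of "everyone".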
