jackrabbit-users mailing list archives

From "Vidar Ramdal" <vi...@idium.no>
Subject Re: Limiting child node access in Jackrabbit 1.5
Date Thu, 22 May 2008 07:27:13 GMT
Does no-one really know how to achieve this?
Maybe Angela Schreiber, who apparently is doing the
authentication/authorization work for Jackrabbit 1.5, could give me a
hint?
Any information is valuable to me - if it's not possible to do this,
I'd like to hear that as well.

On Wed, May 21, 2008 at 11:15 AM, Vidar Ramdal <vidar@idium.no> wrote:
> I want to set access control policies so that a parent node (e.g.
> /node) is readable for Everyone, but a child node (/node/childnode) is
> only readable for specific principals.
>
> So I grant READ to Everyone on the parent node. This renders /node and
> the entire subtree readable for everyone. Next, I want to specify
> NO_PRIVILEGES for Everyone on the protected child node, and grant READ
> access to a specific user on the child node:
>
> session.getAccessControlManager().addAccessControlEntry("/node", new
> PrincipalImpl("everyone"),
> PrivilegeRegistry.getPrivileges(PrivilegeRegistry.READ));
> session.getAccessControlManager().addAccessControlEntry("/node/childnode",
> new PrincipalImpl("everyone"),
> PrivilegeRegistry.getPrivileges(PrivilegeRegistry.NO_PRIVILEGE));
> session.getAccessControlManager().addAccessControlEntry("/node/childnode",
> new PrincipalImpl("specificuser"),
> PrivilegeRegistry.getPrivileges(PrivilegeRegistry.READ));
>
> However, this strategy fails on line #2, with the following stacktrace:
> org.apache.jackrabbit.api.jsr283.security.AccessControlException
>        at org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry.getBits(PrivilegeRegistry.java:114)
>        at org.apache.jackrabbit.core.security.authorization.acl.ACLEditor.addAccessControlEntry(ACLEditor.java:198)
>        at org.apache.jackrabbit.core.security.DefaultAccessManager.addAccessControlEntry(DefaultAccessManager.java:389)
>
> PrivilegeRegistry.getPrivileges(0) returns an empty Privileges[]
> array. This causes PrivilegeRegistry.getBits() to throw an exception,
> because (PrivilegeRegistry lines 113..115):
>        if (privileges == null || privileges.length == 0) {
>            throw new AccessControlException();
>        }
>
> So is this a bug, or is there another recommended way of achieving my
> goal: Having a publicly accessible parent node, and a protected child
> node?


-- 
Vidar S. Ramdal <vidar@idium.no> - http://www.idium.no
Akersgata 16, N-0158 Oslo, Norway
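
Added example, not part of the original message and not Jackrabbit code: a simplified Java model of path-inherited ACLs, showing why an entry that carries no privileges cannot stand in for a deny on /node/childnode. The `AclModel` class, its `allow` flag and the nearest-node-first evaluation rule are assumptions made for illustration.

```java
import java.util.*;

// Simplified model of path-inherited ACLs (hypothetical, Java 16+ for records).
public class AclModel {
    static final int READ = 1; // constructed privilege bit

    // One entry: principal, privilege bits, and whether it allows or denies them.
    record Ace(String principal, int bits, boolean allow) {}

    private final Map<String, List<Ace>> acls = new HashMap<>();

    void addEntry(String path, String principal, int bits, boolean allow) {
        // Mirrors the getBits() guard quoted in the thread: an entry with no
        // privileges is rejected, so "grant nothing" never becomes a deny.
        if (bits == 0) throw new IllegalArgumentException("empty privilege set");
        acls.computeIfAbsent(path, p -> new ArrayList<>())
            .add(new Ace(principal, bits, allow));
    }

    // Assumed rule: walk from the node towards the root (absolute paths only);
    // the first matching entry decides, and at one node an entry naming the
    // user is consulted before the "everyone" entry.
    boolean canRead(String path, String user) {
        for (String p = path; !p.isEmpty(); p = p.substring(0, p.lastIndexOf('/'))) {
            List<Ace> aces = acls.getOrDefault(p, List.of());
            for (String who : List.of(user, "everyone"))
                for (Ace a : aces)
                    if (a.principal().equals(who) && (a.bits() & READ) != 0)
                        return a.allow();
        }
        return false; // nothing matched: default deny
    }

    public static void main(String[] args) {
        AclModel m = new AclModel();
        m.addEntry("/node", "everyone", READ, true);
        // Inherited allow: the child is readable by anyone at this point.
        System.out.println(m.canRead("/node/childnode", "guest"));        // true
        try {
            m.addEntry("/node/childnode", "everyone", 0, true);           // the failing call
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Explicit deny for everyone on the child, allow for one principal.
        m.addEntry("/node/childnode", "everyone", READ, false);
        m.addEntry("/node/childnode", "specificuser", READ, true);
        System.out.println(m.canRead("/node", "guest"));                  // true
        System.out.println(m.canRead("/node/childnode", "guest"));        // false
        System.out.println(m.canRead("/node/childnode", "specificuser")); // true
    }
}
```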
