jackrabbit-users mailing list archives

From Roland Klein <roland.kl...@mtg-marinetechnik.de>
Subject Re: Access control on property level?
Date Fri, 21 Nov 2008 09:04:37 GMT
Angela Schreiber schrieb:
> hi roland
>
>> Sorry, maybe I wasn't clear enough. I meant grant or deny access to an
>> individual property of a node.
>
> yes... that's what i understood.
>
>> Will this be possible in Jackrabbit 1.6 or 2.0?
>
> that should be possible with jackrabbit 1.5.0 already.
> despite the fact that it is still work in progress...
>
>> Because I just checked out the trunk for 1.6-SNAPSHOT and tried to
>> restrict the access but got a PathNotFoundException.
>> Then I realized ACLs could only be assigned to nodes, but how do I
>> build a correct ACL which I can assign to the node?
>> Am I missing something?
>
> ACLs can only be assigned to Nodes. Similarly a Session
> holds a set of Privileges on a given Node (and never on
> a Property). this is defined by the JSR 283 access control.
>
> however, you still may have finer grained permissions
> even for individual properties or nodes:
>
> quote from the specification:
> "
> In repositories that do support access control management, the
> permissions encompass the restrictions imposed by privileges, but also
> include any additional policy-internal refinements with effects too
> fine-grained to be exposed through privilege discovery. A common case
> may be to provide finer-grained access restrictions to individual
> properties or child nodes of the node to which the policy applies.
> "
>
> for this purpose jackrabbit defines refined ACL/ACE
> interfaces that allow to pass additional restrictions
> when creating an ACE. which restrictions are understood
> and/or respected is left to the implementation.
>
Could you direct me to a place where I can find more documentation
about the supported restrictions in Jackrabbit?
I think it has something to do with "rep:glob", but how do I use it?
> you may take a look at
> http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplate.java
>
>
How could I configure a repository to use
org.apache.jackrabbit.core.security.authorization.principalbased.ACLTemplate?
I tried this in my repository.xml, using "DefaultSecurityManager",
"DefaultAccessManager" and "DefaultLoginModule". But it seems that I am not
able to select the principalbased.ACLTemplate. I always get the
acl.ACLTemplate from "AccessControlProviderFactoryImpl.createProvider()",
and I had a look in that method, so my idea was to configure my repository
to use a principalbased.ACLProvider (line 76-78 in
AccessControlProviderFactoryImpl).



    <Workspaces rootPath="${rep.home}/workspaces" defaultWorkspace="default"/>
    <!--
        workspace configuration template:
        used to create the initial workspace if there's no workspace yet
    -->
    <Workspace name="${wsp.name}">
        <!--
            virtual file system of the workspace:
            class: FQN of class implementing the FileSystem interface
        -->
        <FileSystem class="org.apache.jackrabbit.core.fs.local.LocalFileSystem">
            <param name="path" value="${wsp.home}"/>
        </FileSystem>
        <!--
            persistence manager of the workspace:
            class: FQN of class implementing the PersistenceManager interface
        -->
        <PersistenceManager class="org.apache.jackrabbit.core.persistence.bundle.DerbyPersistenceManager">
          <param name="url" value="jdbc:derby:${wsp.home}/db;create=true"/>
          <param name="schemaObjectPrefix" value="${wsp.name}_"/>
        </PersistenceManager>
        <!--
            Search index and the file system it uses.
            class: FQN of class implementing the QueryHandler interface
        -->
        <SearchIndex class="org.apache.jackrabbit.core.query.lucene.SearchIndex">
            <param name="path" value="${wsp.home}/index"/>
            <param name="textFilterClasses" value="org.apache.jackrabbit.extractor.PlainTextExtractor,org.apache.jackrabbit.extractor.MsWordTextExtractor,org.apache.jackrabbit.extractor.MsExcelTextExtractor,org.apache.jackrabbit.extractor.MsPowerPointTextExtractor,org.apache.jackrabbit.extractor.PdfTextExtractor,org.apache.jackrabbit.extractor.OpenOfficeTextExtractor,org.apache.jackrabbit.extractor.RTFTextExtractor,org.apache.jackrabbit.extractor.HTMLTextExtractor,org.apache.jackrabbit.extractor.XMLTextExtractor"/>
            <param name="extractorPoolSize" value="2"/>
            <param name="supportHighlighting" value="true"/>
        </SearchIndex>
        <WorkspaceSecurity>
          <AccessControlProvider class="org.apache.jackrabbit.core.security.authorization.principalbased.ACLProvider">
          </AccessControlProvider>
        </WorkspaceSecurity>
    </Workspace>

> it is still sort of a draft but you will get the idea.
>
> hope that helps
> angela
>
>
thanks in advance
roland

-- 
Roland Klein
Tel: +49 40 65803 209
Fax: +49 40 65803 392
roland.klein@mtg-marinetechnik.de

MTG Marinetechnik GmbH - Wandsbeker Koenigstr. 62 - D 22041 Hamburg

GF Dipl.-Ing. Ullrich Keil
Handelsregister: Abt. B Nr. 11 500 - Amtsgericht Hamburg Abt. 66
USt.-IdNr.: DE 1186 70571
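
An added illustration, not part of the original thread and not Jackrabbit code: a self-contained Java model of the idea in the quoted reply, where the ACL stays attached to a node and a "rep:glob"-style restriction on one entry narrows it to a single property path. The glob semantics (restriction appended to the node path, `*` as wildcard), the last-match-wins evaluation with default deny, and all paths and principal names are assumptions made for this example.

```java
import java.util.List;
import java.util.regex.Pattern;

/** Toy model only: node-bound ACL whose entries may carry a glob restriction. */
public class GlobRestrictionDemo {

    /** One entry: allow or deny READ for a principal; glob == null means "no restriction". */
    record Entry(String principal, boolean allow, String glob) {}

    /** The policy is bound to a node path, never to a property. */
    record Acl(String nodePath, List<Entry> entries) {}

    /** Assumed semantics: the glob is appended to the node path; '*' matches any characters. */
    static boolean matches(String nodePath, String glob, String itemPath) {
        if (glob == null) { // unrestricted entry: the node itself and every item below it
            return itemPath.equals(nodePath) || itemPath.startsWith(nodePath + "/");
        }
        String[] parts = (nodePath + glob).split("\\*", -1);
        StringBuilder re = new StringBuilder();
        for (int i = 0; i < parts.length; i++) {
            if (i > 0) re.append(".*");
            re.append(Pattern.quote(parts[i])); // literal path segments, no regex injection
        }
        return Pattern.matches(re.toString(), itemPath);
    }

    /** Default deny; among matching entries for the principal, the last one wins (assumption). */
    static boolean canRead(Acl acl, String principal, String itemPath) {
        boolean allowed = false;
        for (Entry e : acl.entries()) {
            if (e.principal().equals(principal) && matches(acl.nodePath(), e.glob(), itemPath)) {
                allowed = e.allow();
            }
        }
        return allowed;
    }

    public static void main(String[] args) {
        // Constructed sample: allow READ on the node, then deny it for one property only.
        Acl acl = new Acl("/hr/emp42", List.of(
                new Entry("staff", true, null),
                new Entry("staff", false, "/salary")));
        for (String path : List.of("/hr/emp42", "/hr/emp42/name", "/hr/emp42/salary", "/hr/other")) {
            System.out.println(path + " -> " + (canRead(acl, "staff", path) ? "allowed" : "denied"));
        }
    }
}
```

The deny entry never touches the property itself; it is stored on the node's ACL and only its restriction selects the property path, which is why assigning a policy directly to a property path fails.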

