Subject: Re: permission problem when call Node.getNode( )
From: Todd Seiber
To: users@jackrabbit.apache.org
Date: Wed, 21 Jan 2009 10:17:28 -0500

When calling root.getNode("documents/reviews") does it invoke the
AccessManager's isGranted(ItemId arg0, int arg1) or isGranted(Path arg0, int
arg1)?

On Wed, Jan 21, 2009 at 10:08 AM, Alessandro Cosenza <
alessandro.cosenza@itkey.it> wrote:

> I'm using my own implementation.
>
> ----- Original Message -----
> From: Todd Seiber
> To: users@jackrabbit.apache.org
> Subject: Re: permission problem when call Node.getNode( )
> Date: Wed, 21 Jan 2009 09:54:58 -0500
>
> > Are you using the DefaultAccessManager or your own
> > implementation?
> >
> > On Wed, Jan 21, 2009 at 9:42 AM, Alessandro Cosenza <
> > alessandro.cosenza@itkey.it> wrote:
> >
> > > No, there are two different sessions.
> > > The first session is held by the admin, who
> > > revokes read permissions for the USER role only for
> > > "documents" but not for "reviews".
> > > After logging out of this session, a simple user logs in and
> > > tries to read the "music" node and he is able to do that.
> > > The simple user calls root.getNode("documents/reviews") and
> > > he can read "reviews".
> > > But if I change the call to
> > > root.getNode("documents").getNode("reviews")
> > > he can't read "reviews".
> > > In the former it seems the "documents" part of the path
> > > is passed by.
> > > I don't know why.
> > >
> > > ----- Original Message -----
> > > From: Todd Seiber
> > > To: users@jackrabbit.apache.org
> > > Subject: Re: permission problem when call Node.getNode( )
> > > Date: Wed, 21 Jan 2009 09:27:41 -0500
> > >
> > > > Are you reusing a session? When I have run into
> > > > security issues such as this it has mostly been due to
> > > > Jackrabbit caching permissions. If within a session
> > > > you read the document node prior to having read
> > > > permission revoked you will be able to read it for the
> > > > life of the session or perhaps until its permission is
> > > > flushed from cache, which is an LRUMap (I think).
> > > >
> > > > On Wed, Jan 21, 2009 at 9:16 AM, Alessandro Cosenza <
> > > > alessandro.cosenza@itkey.it> wrote:
> > > >
> > > > > Hi.
> > > > > I have these folder nodes:
> > > > > /documents/reviews
> > > > >
> > > > > When I revoke read permission on "documents" and
> > > > > recursively on "reviews" and try to call
> > > > > root.getNode("documents/reviews") it works fine.
> > > > > (It throws an exception.)
> > > > >
> > > > > But when I revoke read permission only on
> > > > > "documents", trying to call
> > > > > root.getNode("documents/reviews") doesn't throw an
> > > > > exception, but I think that it should throw an
> > > > > exception all the same, because it
> > > > > still has to read the "documents" node first. It
> > > > > seems that it doesn't consider the "documents" node.
> > > > > Can anyone explain this strange behaviour to me?
> > > > > Thanks
> >
> > --
> > Todd Seiber
> > 830 Fishing Creek Rd.
> > New Cumberland, PA 17070
> >
> > h. 717-938-5778
> > c. 717-497-1742
> > e. todd.seiber@gmail.com

--
Todd Seiber
830 Fishing Creek Rd.
New Cumberland, PA 17070

h. 717-938-5778
c. 717-497-1742
e. todd.seiber@gmail.com
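
The difference reported in this thread, as an added example that is not part of the original messages and does not use Jackrabbit's API: a toy model contrasting an access check that evaluates only the node a multi-segment path resolves to with one that also evaluates every ancestor. The class, the method names and the revoked-path set are hypothetical, and the thread does not establish that Jackrabbit or the poster's custom AccessManager works this way.

```java
import java.util.Set;

// Toy model, not Jackrabbit code: paths are plain strings and the ACL is a
// set of paths on which READ was explicitly revoked (constructed sample data).
public class AncestorReadCheck {

    // READ revoked on /documents only, not recursively on /documents/reviews.
    static final Set<String> REVOKED = Set.of("/documents");

    // Evaluates only the node the path resolves to.
    static boolean targetOnly(String absPath) {
        return !REVOKED.contains(absPath);
    }

    // Evaluates the target and every ancestor below the root, so a revoke on
    // an intermediate node also hides everything beneath it.
    static boolean withAncestors(String absPath) {
        String p = absPath;
        while (!p.isEmpty()) {
            if (REVOKED.contains(p)) {
                return false;
            }
            p = p.substring(0, p.lastIndexOf('/')); // drop the last segment
        }
        return true;
    }

    // Mimics root.getNode(a).getNode(b): one target-only check per step, so
    // the intermediate node is checked as a side effect of the traversal.
    static boolean chained(String... segments) {
        String p = "";
        for (String s : segments) {
            p = p + "/" + s;
            if (!targetOnly(p)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Single call with a two-segment path, target-only check.
        System.out.println("single call: " + targetOnly("/documents/reviews"));
        // Same node reached one segment at a time.
        System.out.println("chained:     " + chained("documents", "reviews"));
        // Ancestor-aware check gives the same answer for either call style.
        System.out.println("ancestors:   " + withAncestors("/documents/reviews"));
        System.out.println("unrelated:   " + withAncestors("/music"));
    }
}
```

An access manager that wants a revoke on a parent to hide its whole subtree has to apply the ancestor-walking check itself, since the single-path and chained call styles otherwise disagree.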