jackrabbit-users mailing list archives

From "Marian Schedenig (qs)" <Marian.Schede...@qualysoft.com>
Subject WebDAV and ACLs
Date Mon, 02 Mar 2009 13:07:54 GMT


We are using WebDAV (exclusively) to access our JackRabbit repository and my
current task is to add ACL support to the server. As there doesn't seem to
be support for WebDAV ACLs in JackRabbit at this point, I have begun to
implement a simplified version that meets our demands (see #1 below). While
working on this implementation, I came across some classes and mailing list
entries which suggest that JackRabbit actually does support some sort of ACL
and principal management (#2). I currently don't quite see how to finish a
working solution for our requirements with either option, though.

Our repository will most likely depend on an LDAP directory to provide the
available principals (users and groups). I have written a simple layer to
query principals from a configurable LDAP directory, so this layer should be
used to authenticate users. ACLs should be available on each file or
directory node to control permissions on a per-user/per-node basis. We have
a graphical client (modelled after typical file browsers) for comfortably
accessing the repository, which should also allow users to modify ACLs by
querying principals and editing the ACLs. Currently, the client gets the
LDAP configuration through the DAV server and then directly accesses the
LDAP server for user queries.

These are my two current options:

#1) This is the solution I have been working on so far. I use sub nodes to
store ACLs and a custom property handler to transfer ACLs between the WebDAV
server and clients as XML, roughly similar to the properties described in
the WebDAV ACL RFC. I'm stuck, though, on implementing a matching AccessManager.
To verify if a principal has certain privileges on a resource, I have to
access that resource's ACL on the server side (within the AccessManager),
i.e. I have to read the sub nodes of the requested node. I assume I have to
do that through a different context than the one belonging to the principal
in question, as trying to access the ACL through that context obviously
leads to endless recursions (when the AccessManager is implicitly invoked to
verify the access rights on the ACL nodes). Is there a way to get "direct"
access (without going through a context) to nodes on the server side, or can
I somehow construct a "superuser context" to read these nodes?

#2) While looking for a way to solve #1, I discovered that, apparently,
JackRabbit does already support ACLs now (when actively looking for it
before attempting #1, all I could find were client-side WebDAV ACL methods
which the server couldn't handle), including principal management. I have,
however, failed to find any useful documentation or guide on how to use
these classes. Is there a howto or something describing if and how I can use
these classes to efficiently read my principals from a large LDAP directory,
set and query ACLs through WebDAV and verify these permissions on the server


View this message in context: http://www.nabble.com/WebDAV-and-ACLs-tp22287762p22287762.html
Sent from the Jackrabbit - Users mailing list archive at Nabble.com.
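
The recursion described under #1, as an added example that is not part of the original message and is not Jackrabbit code: a self-contained model in which the access check reads the ACL sub node straight from the node store instead of through the checked, per-user read path. Every class, method and node name here (`Node`, `read`, `isGranted`, the `acl` child) is hypothetical and the sample tree is constructed.

```java
import java.util.*;

// Simplified model, NOT the Jackrabbit API: all names below are hypothetical.
public class AclRecursionDemo {
    static final String ACL = "acl";                  // name of the ACL sub node

    static class Node {
        final Node parent; final String name;
        final Map<String, Node> children = new HashMap<>();
        final Map<String, Set<String>> grants = new HashMap<>(); // filled on ACL nodes only
        Node(Node parent, String name) {
            this.parent = parent; this.name = name;
            if (parent != null) parent.children.put(name, this);
        }
    }

    // User-level read: always passes through the access check, like a user context.
    static Node read(String principal, Node parent, String child) {
        Node n = parent.children.get(child);
        if (n == null || !isGranted(principal, n, "read"))
            throw new SecurityException("denied: " + child);
        return n;
    }

    // Access check. It fetches the ACL sub node directly from the store (the
    // privileged path). Calling read() here instead would re-enter isGranted()
    // for the ACL node itself and recurse without end.
    static boolean isGranted(String principal, Node target, String privilege) {
        if (target.name.equals(ACL)) return false;    // ACL nodes stay hidden from user reads
        for (Node n = target; n != null; n = n.parent) {      // nearest ACL decides
            Node acl = n.children.get(ACL);           // unchecked, privileged lookup
            if (acl != null)
                return acl.grants.getOrDefault(principal, Set.of()).contains(privilege);
        }
        return false;                                 // no ACL on the path: default deny
    }

    public static void main(String[] args) {
        Node root = new Node(null, "");
        Node docs = new Node(root, "docs");
        Node report = new Node(docs, "report.txt");
        new Node(docs, ACL).grants.put("alice", Set.of("read")); // constructed sample ACL

        System.out.println(read("alice", docs, "report.txt").name);  // ACL inherited from docs
        System.out.println(isGranted("bob", report, "read"));        // no entry for bob
        System.out.println(isGranted("alice", docs.children.get(ACL), "read")); // ACL node itself
    }
}
```

Because the privileged lookup bypasses every check, it should stay private to the access-check code and never be reachable from request handling.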
