jackrabbit-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Angela Schreiber <anch...@day.com>
Subject Re: WebDAV and ACLs
Date Tue, 03 Mar 2009 15:14:37 GMT
> I've written a basic PrincipalProvider that wraps around my LDAP access
> layer. I can't figure out how to configure Jackrabbit to use this provider
> though.

as part of the LoginModuleConfig

> I assume I also need a custom login module (as the principal provider
> possibly can't work without valid credentials, and because I need to specify
> how to authenticate a user anyway).

how login credentials are mapped to a principal is not defined by
the AbstractLoginModule. the default implementation make use of
the UserManager (see DefaultLoginModule#getPrincipal).
the AbstractLoginModule uses the principal provider to retrieve all
principals that will be present with the subject created upon login.
those are used to - later on - evaluate the permission of the user/session.

> Once these two are in place, can I
> simply rely on the default principal, access and security managers to use
> the ACL privileges already provided by Jackrabbit?

i'm not sure if i understand what you mean by "use the ACL privileges
authentication is just one side and isn't part of the jsr 170/283 specification.
authorization on the other hand is - to a certain extend - defined by
jsr 283 through the means of
an AccessControlManager that allows to view, set, remove access
control policies.
which policies can be applied depends on the implementation. and so is
the nature
of the policies. for simplicity jsr283 defines a policy sub-interface
if an implementation chooses to support ACL-policies, the API user is
enabled to modify the
privileges for a specific principal on a specific node by creating
access control
entries. otherwise (no ACLs supported) permission can only be changed
by modifying
the policies present on a node.

> When all of this works, I suppose I just have to change my WebDAV handler
> extensions to access Jackrabbit's ACLs through an ACLProvider instead of
> accessing my own custom nodes.

you should access the access control policies through the AccessControlManager.

after all i'd say the prefered way would be to make your webdav
resource implement
the org.apache.jackrabbit.webdav.security.AclResource and let the
act on the AccessControlManager. but that's just my feeling... i
didn't check whether
it's feasible.


View raw message