jackrabbit-users mailing list archives

From "Marian Schedenig (qs)" <Marian.Schede...@qualysoft.com>
Subject WebDAV ACLs referring to deleted principals
Date Wed, 12 Aug 2009 11:44:31 GMT

Hi!

I have extended the WebDAV servlet classes to deal with DAV's ACL methods
(as defined by the AclResource interface). This allows me to set and query
ACLs on my files and folders. However, I run into trouble when I change the
user store.

In my alterAcl() method, I retrieve the current ACL by first calling
AccessControlManager#getPolicies [1] to determine the resource's current
ACL, and then, if it has none, AccessControlManager#getApplicablePolicies()
[2] to find an empty ACL I can work with. The problems appear if the
resource's ACL contains an entry for a principal which has since been deleted
(we're using an LDAP server to manage our principals, so we have no control
over who will delete users, or when), since in this case both methods will throw
a NoSuchPrincipalException.

For [1], this means that I cannot *modify* an ACL which contains an obsolete
entry; I would have to throw away the entire ACL and build a new one, also losing
the old definitions for the remaining, still valid users (I also fear
that this could mean deleting a user will immediately disable access control
on the resource, but I haven't verified that). Worse yet, for [2] this means
that once a resource's ACL has been damaged, I cannot create a new ACL on
the same resource because I have no means to retrieve a fresh ACL.
Effectively, access control settings on this resource have been destroyed,
and all I can do to fix that is delete the resource and recreate it.

I don't think I can blame my principal manager, because I can't expect it to
return principals which no longer exist. Everything from that point on
seems to happen in the depths of Jackrabbit's access management classes.

I'm tempted to add this as a Jira issue, but I'm not sure how to classify
it. From the implications, I would file it as a bug, but it probably doesn't
refer to any of Jackrabbit's specifications, so it might be a major issue
instead?

Hints appreciated. (Workarounds as well :)
Thanks,
Marian.

-- 
View this message in context: http://www.nabble.com/WebDAV-ACLs-referring-to-deleted-principals-tp24934748p24934748.html
Sent from the Jackrabbit - Users mailing list archive at Nabble.com.
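
The lookup sequence described in the message above, written out as an added example (not the poster's or Jackrabbit's code) so that a failure caused by a deleted principal is reported per resource instead of surfacing as an unexplained error. It assumes the JCR 2.0 `javax.jcr.security` API; `AclLookup`, `findEditableAcl` and `DanglingPrincipalException` are hypothetical names.

```java
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;

public final class AclLookup {

    /** Hypothetical type: the stored ACL names a principal that no longer exists. */
    public static final class DanglingPrincipalException extends RepositoryException {
        public DanglingPrincipalException(String absPath, Throwable cause) {
            super("ACL at " + absPath + " refers to a deleted principal", cause);
        }
    }

    /** Returns the ACL set on absPath, else an applicable empty one, else null. */
    public static AccessControlList findEditableAcl(Session session, String absPath)
            throws RepositoryException {
        AccessControlManager acm = session.getAccessControlManager();
        try {
            // [1] the policy already set on the resource
            for (AccessControlPolicy policy : acm.getPolicies(absPath)) {
                if (policy instanceof AccessControlList) {
                    return (AccessControlList) policy;
                }
            }
            // [2] an empty policy that could be set on the resource
            AccessControlPolicyIterator it = acm.getApplicablePolicies(absPath);
            while (it.hasNext()) {
                AccessControlPolicy policy = it.nextAccessControlPolicy();
                if (policy instanceof AccessControlList) {
                    return (AccessControlList) policy;
                }
            }
            return null;
        } catch (RepositoryException | RuntimeException e) {
            if (isNoSuchPrincipal(e)) {
                throw new DanglingPrincipalException(absPath, e);
            }
            throw e;
        }
    }

    // Assumption: match by simple class name anywhere in the cause chain, since the
    // message gives neither the exception's package nor whether it arrives wrapped.
    private static boolean isNoSuchPrincipal(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c.getClass().getSimpleName().equals("NoSuchPrincipalException")) return true;
        }
        return false;
    }
}
```

A WebDAV ACL handler can catch `DanglingPrincipalException` to log the affected path and return a clear error for that resource; it does not repair the ACL.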

