jackrabbit-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ian Boston <...@tfd.co.uk>
Subject Re: how to implement role based access control
Date Mon, 24 Aug 2009 09:26:23 GMT

On 24 Aug 2009, at 01:59, go canal wrote:

> Thanks Ian.
> Was thinking about the pros and cons of various options.
> Some questions:
>>> you will also need to protect the role property...
> Why this could potentially become a security concern? You mean  
> configuring loginModule in repository.xml is not good enough?

If you control all the code in the JVM and do not expose any mechanism  
which would allow the user to manipulate a  property on a node, then  
there is no need to protect the property,

however if any user entered data could represent the name of a  
property, and the user can modify that property, then you should think  
about protecting the role property.

> My other considerations for this approach (adding 'role' into node)  
> are:
>  - how should I reference the role definition (which is defined in  
> an SQL database)? reference the role ID - is it considered as bad or  
> accetptable design?
>  - 'roles' in my application are defined at run time, not simple  
> 'User' and 'Admin'.

The AccessControlManager (or AccessManager pre 1.5) is a high traffic  
part of the JCR, so you must cache in memory any lookups to anything  
and be very wary of doing anything that could consume resources inside  
the access control manager.

You should also be aware that if you try and read at properties on a  
node, with the same session as the one that generated the access  
control manager assertion, it will result in a recursive call.

>>> ... all configured by adding entries into repository.xml
> I did not find any 'Role' related configuration...or you mean  
> something else, Access Manager ?

I meant that you can customize repository.xml to use your classes.

>>> it will be hard to make this secure, as there are many ways to get  
>>> a node
> You mean WebDAV sort of stuff ? What if I do not enable it? What  
> else ?

anything that you allow into the JVM that can get hold of a jcr  
session or a jcr node.

If you are deploying standard Jackrabbit to Tomcat, then look for any  
servlets so you know what end points are there and what they do, and  
make certain no one has the ability to upload jsp's or do server side  
scripting in the JVM.

If you protect the role property, then you know the node is protected  
by the access manager and your security becomes core  (as it was  
intended) rather than boundary (which could be leaky)

> rgds,
> canal
> ________________________________
> From: Ian Boston <ieb@tfd.co.uk>
> To: users@jackrabbit.apache.org
> Sent: Monday, August 24, 2009 1:40:08 AM
> Subject: Re: how to implement role based access control
> On 23 Aug 2009, at 04:23, go canal wrote:
>> Hello,
>> would like to seek some advices on how to implement role based  
>> access control.
>> let's say I have several thousands of files, two roles defined A  
>> and B. users are assigned role A or B.
>> file access control is based on roles.
>> How should I implement this role based access control in Jackrabbit?
>> 1) should I add a 'role' property in the file node? and then  
>> implement my own access manager with isGranted() ?
> you could, however you will also need to protect the role property  
> to make certain that only authorized users can change it.
> There are a number of examples to play with, all configured by  
> adding entries into repository.xml
>> 2) or should I implement a filter which filters the returned list ?
> it will be hard to make this secure, as there are many ways to get a  
> node and it all depends on the level of access the "client" has to  
> the repository.
> For instance, approach 1 will generate valid sets of search results  
> for the user in question.
> 2 Would require a custom filter for points at which a search was made.
> Ian
>> thanks in advance !
>> canal

View raw message