jackrabbit-users mailing list archives
From Ian Boston <...@tfd.co.uk>
Subject Re: UserManagement
Date Mon, 22 Feb 2010 16:59:55 GMT

On 22 Feb 2010, at 16:24, Cech. Ulrich wrote:

> Hello to all,
> 
> I played around with the "Authentication" methods in JackRabbit.
> For a future production environment, I need some hints for following issues:
> 
> 1. How can I change the password for the admin user? I read that the admin user is important,
> because JackRabbit otherwise cannot access some system nodes in the repo. But I don't find
> a property for setting the password. If I look at the implementation it seems that the adminId
> is equal to the password.
> Or would it be an option to set the adminId to some "generated value", so no one would
> guess this account?
> Is there a "best practice"?

In general, where there is an administrative session established internal to the repository, a
trusted credential should be used: either a SimpleCredentials with null password and an attribute,
or a Credentials implementation that indicates an administrative login. Obviously there needs
to be a LoginModule that understands these objects.

This way it's possible to establish an internal session that does not need a password, and
hence you can change the password. If you look at Sling I think you will find that this is
what is done there. There were also some threads on the subject [1].

[1] http://markmail.org/thread/zqqcjqbne6zcdd5x
[2] http://markmail.org/thread/ppvsmacmwnrateca
[3] https://issues.apache.org/jira/browse/SLING-1282

> 
> 2. How do I remove the anonymous account? It is important that only one user can
> read his "section", but not other "sections" of the repository, so anonymous would be a security
> hit, because anonymous can read the whole repository.

You could add an ACL to the root node that denies jcr:all or jcr:read for anonymous?


> 
> 3. I don't find a method for reading all "registered" users in the repository. I tried
> to access the path "/rep:security/rep:authorizables/rep:users" but this node does not exist
> (or I made some other mistake).

You have to use the UserManager and the search capabilities in there; /rep:security is protected,
so a normal session won't be able to get to it.

HTH
Ian


> 
> Thanks in advance for any help,
> Ulrich
> 
> 
> Meet AEB from 2 to 4 March 2010 at LogiMAT in Stuttgart. Hall 5, Stand 407.
> Further information and appointment scheduling at: www.aeb.de/logimat
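The two concrete suggestions in the reply above, an ACL on the root node that denies read access to anonymous (point 2) and enumerating users through the UserManager rather than by walking /rep:security (point 3), as an added example. This is not code from the thread or from the Jackrabbit project; it assumes a Jackrabbit 2.x repository (JackrabbitSession, JackrabbitAccessControlList, PrincipalManager, UserManager.findAuthorizables with the three-argument signature, JCR 2.0 GuestCredentials and Session.hasPermission), that the caller already holds an administrative session obtained however the deployment does it, and that the anonymous principal is named "anonymous" (the Jackrabbit default). The class name and method names are hypothetical.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

import javax.jcr.GuestCredentials;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.UserManager;

/** Hypothetical helper, not part of Jackrabbit; assumes a Jackrabbit 2.x repository. */
public class AnonymousLockdown {

    /** Point 2: add a deny entry for jcr:read on the root node for the "anonymous" principal. */
    public static void denyAnonymousRead(Session adminSession) throws RepositoryException {
        AccessControlManager acm = adminSession.getAccessControlManager();
        JackrabbitAccessControlList acl = findAcl(acm, "/");

        PrincipalManager pm = ((JackrabbitSession) adminSession).getPrincipalManager();
        Principal anonymous = pm.getPrincipal("anonymous"); // assumed default anonymous id
        if (anonymous == null) {
            throw new RepositoryException("no principal named 'anonymous' in this repository");
        }

        Privilege[] read = { acm.privilegeFromName(Privilege.JCR_READ) };
        // isAllow = false makes this a deny entry; a deny at "/" is inherited by every node
        // below it. To block writes as well, use Privilege.JCR_ALL instead of JCR_READ.
        acl.addEntry(anonymous, read, false);
        acm.setPolicy("/", acl);
        adminSession.save();
    }

    /** Returns the Jackrabbit ACL already bound to absPath, or the applicable one if none is bound. */
    private static JackrabbitAccessControlList findAcl(AccessControlManager acm, String absPath)
            throws RepositoryException {
        for (AccessControlPolicy p : acm.getPolicies(absPath)) {
            if (p instanceof JackrabbitAccessControlList) {
                return (JackrabbitAccessControlList) p;
            }
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(absPath);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof JackrabbitAccessControlList) {
                return (JackrabbitAccessControlList) p;
            }
        }
        throw new RepositoryException("no JackrabbitAccessControlList available at " + absPath);
    }

    /** Check after the change: a guest (anonymous) login should no longer be able to read "/". */
    public static boolean anonymousCanReadRoot(Repository repository) throws RepositoryException {
        Session guest = repository.login(new GuestCredentials());
        try {
            return guest.hasPermission("/", Session.ACTION_READ);
        } finally {
            guest.logout();
        }
    }

    /** Point 3: enumerate user ids through the UserManager instead of reading /rep:security. */
    public static List<String> listUserIds(Session adminSession) throws RepositoryException {
        UserManager um = ((JackrabbitSession) adminSession).getUserManager();
        // Every user node carries rep:principalName; a null value matches any value of the property
        // (assumed behaviour of findAuthorizables), and SEARCH_TYPE_USER excludes groups.
        Iterator<Authorizable> users =
                um.findAuthorizables("rep:principalName", null, UserManager.SEARCH_TYPE_USER);
        List<String> ids = new ArrayList<String>();
        while (users.hasNext()) {
            ids.add(users.next().getID());
        }
        return ids;
    }
}
```

The deny entry is specific to the anonymous principal, so any "everyone" read grant the default configuration puts on the root stays in effect for authenticated users; run anonymousCanReadRoot after denyAnonymousRead and expect false. Because /rep:security is protected, listUserIds must be called with the administrative session, which is exactly why the reply points at the UserManager search rather than a path lookup.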

