Date: Wed, 31 Mar 2010 21:38:13 +0100
Subject: Users and Groups
From: Ben Short
To: users
Reply-To: users@jackrabbit.apache.org

I'm trying to only allow a group full access to a node. Anon and everyone else can read it. My code is shown below.

    // Build the test content tree
    Node websites = testRootNode.addNode("websites");
    Node mccSite = websites.addNode("mcc");
    Node mccHome = mccSite.addNode("home");
    Node crbSite = websites.addNode("crb");
    superuser.save();

    // Create two groups, each with one member user
    Principal mccPrincipal = new PrincipalImpl("mccGroup");
    Principal crbPrincipal = new PrincipalImpl("crbGroup");

    PrincipalManager pm = ((JackrabbitSession) superuser).getPrincipalManager();
    UserManager um = ((JackrabbitSession) superuser).getUserManager();

    Group mccGroup = um.createGroup(mccPrincipal);
    User mccUser = um.createUser("mcc_user", "1234");
    mccGroup.addMember(mccUser);

    Group crbGroup = um.createGroup(crbPrincipal);
    User crbUser = um.createUser("crb_user", "1234");
    crbGroup.addMember(crbUser);

    // On the mcc site node: read for anonymous and everyone, jcr:all for mccGroup
    AccessControlManager adminAcm = getAccessControlManager(superuser);
    AccessControlPolicyIterator it = adminAcm.getApplicablePolicies(mccSite.getPath());
    while (it.hasNext()) {
        AccessControlPolicy acp = it.nextAccessControlPolicy();

        Privilege[] readWritePrivileges = new Privilege[]{adminAcm.privilegeFromName(Privilege.JCR_ALL)};
        Privilege[] readOnlyPrivileges = new Privilege[]{adminAcm.privilegeFromName(Privilege.JCR_READ)};

        ((AccessControlList) acp).addAccessControlEntry(pm.getPrincipal(SecurityConstants.ANONYMOUS_ID), readOnlyPrivileges);
        ((AccessControlList) acp).addAccessControlEntry(pm.getEveryone(), readOnlyPrivileges);
        ((AccessControlList) acp).addAccessControlEntry(pm.getPrincipal("mccGroup"), readWritePrivileges);

        adminAcm.setPolicy(mccSite.getPath(), acp);
    }
    superuser.save();

    // Member of mccGroup adds a child node under /websites/mcc/home
    Session mccSession = repository.login(mccUser.getCredentials());
    mccSession.getNode(mccHome.getPath()).addNode("test");
    mccSession.save();

    // Member of crbGroup attempts the same under the mcc site
    Session crbSession = repository.login(crbUser.getCredentials());
    crbSession.getNode(mccHome.getPath()).addNode("test1");
    crbSession.save();

I get the following exception thrown when I try to save the mccSession after adding the test node.

    javax.jcr.AccessDeniedException: /test_1270067658863/websites/mcc/home/test: not allowed to add or modify item

Now I have added the mccUser to the mccGroup and thought that would be enough to make it work.

Has anyone got any ideas?

Regards

Ben Short