From: Cory Prowse
Subject: Re: DefaultAccessManager denies all access?
Date: Wed, 28 Jul 2010 18:33:35 +1000
To: users@jackrabbit.apache.org

Ok got to the bottom of it by stepping through the running application.

You must have the following config for ACLs to work:

Specifically the DefaultSecurityManager must be selected.

Now I'm just trying to determine why although I have ACLs specifying who can read, other users can read as well.

-- Cory

On 28/07/2010, at 4:08 PM, Cory Prowse wrote:

> Ah it is probably worth mentioning I am deploying the JCA of JackRabbit to Glassfish.
>
> -- Cory
>
> On 28/07/2010, at 3:32 PM, Cory Prowse wrote:
>
>> I too have been struggling with security access in JackRabbit 2.1.0 these past few days.
>>
>> I am attempting a proof of concept which allows adding nodes and specifying which users/groups can view them, so that only the nodes the currently logged in user has access to will be shown.
>>
>> When I attempt to use DefaultAccessManager I get:
>> javax.jcr.AccessDeniedException: cannot read item cafebabe-cafe-babe-cafe-babecafebabe
>>
>> This is my config:
>>
>> This exception occurs when I ask the session for the root node.
>>
>> Not quite following how to hook up security properly here, am I doing something obviously wrong?
>>
>> -- Cory
>>
>>
>> On 28/07/2010, at 5:37 AM, Alexander Klimetschek wrote:
>>
>>> I am currently working on a wiki page for that:
>>> http://wiki.apache.org/jackrabbit/AccessControl
>>>
>>> Expect more in the coming days.
>>>
>>> Regards,
>>> Alex
>>>
>>> On Tue, Jul 27, 2010 at 15:51, Joel Feenstra wrote:
>>>> Hi,
>>>> I'm working on adding some authentication/authorization to our application
>>>> which uses Jackrabbit 2.1. How can I best control access to a node (and its
>>>> children) so that one user has read/write access to the subtree, but all
>>>> other users don't have any access (not even read access).
>>>>
>>>> I've looked at using the principal based ACLProvider, but I can't find any
>>>> examples detailing how to actually use it.
>>>>
>>>> Thanks,
>>>> Joel
>>>> jrfeenst@gmail.com
>>>>
>>>
>>> --
>>> Alexander Klimetschek
>>> alexander.klimetschek@day.com
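
The configuration blocks referred to in the messages above are not present in this copy of the thread. As an added illustration (not the configuration from any of the posters, and not taken from the Jackrabbit project's documentation), the fragment below contrasts the two families of security classes that ship with Jackrabbit 2.x in the Security section of repository.xml. The Param values are constructed sample values.

```xml
<!-- Added example: two alternative fragments for repository.xml.
     A real repository.xml contains exactly one Security element. -->

<!-- Variant A: the "simple" classes.
     SimpleAccessManager applies fixed rules (anonymous is read-only,
     other users may write) and does not evaluate per-node ACLs, so
     access control entries cannot restrict who reads a node. -->
<Security appName="Jackrabbit">
  <SecurityManager
      class="org.apache.jackrabbit.core.security.simple.SimpleSecurityManager"
      workspaceName="security"/>
  <AccessManager
      class="org.apache.jackrabbit.core.security.simple.SimpleAccessManager"/>
  <LoginModule
      class="org.apache.jackrabbit.core.security.simple.SimpleLoginModule">
    <Param name="anonymousId" value="anonymous"/>
    <Param name="adminId" value="admin"/>
  </LoginModule>
</Security>

<!-- Variant B: the ACL-capable classes.
     DefaultAccessManager takes its permission decisions from the access
     control provider that DefaultSecurityManager sets up, so it has to be
     paired with DefaultSecurityManager rather than with the simple one. -->
<Security appName="Jackrabbit">
  <SecurityManager
      class="org.apache.jackrabbit.core.DefaultSecurityManager"
      workspaceName="security"/>
  <AccessManager
      class="org.apache.jackrabbit.core.security.DefaultAccessManager"/>
  <LoginModule
      class="org.apache.jackrabbit.core.security.authentication.DefaultLoginModule">
    <Param name="anonymousId" value="anonymous"/>
    <Param name="adminId" value="admin"/>
  </LoginModule>
</Security>
```

With Variant B in place, access control entries on ancestor nodes, including the root node, also apply to a subtree, so a read grant higher up the tree is worth checking when users outside the intended set can still read a node.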