jackrabbit-users mailing list archives

From Yusuf Aaji <yusuf.a...@gmail.com>
Subject Re: Using Jboss LdapLoginConfig and DefaultAccessManager
Date Sat, 11 Dec 2010 07:16:46 GMT
Hi Angela,

Thanks a lot for your reply.

What do you mean by my loginconfig doesn't respect the system users setup? I
set up in my LDAP an admin user with the same default password 'pw' and
configured my login config to use anonymous for the unauthenticated
identity. Is there anything else I can do?

I'm unable to access the root to set required privileges using the admin
user. See what I'm getting in the log:

10:05:18,395 DEBUG [gso.wcm.action.ContentSession] Open JCR Session
10:05:18,587 INFO  [org.apache.jackrabbit.core.RepositoryImpl] Starting
repository...
10:05:19,943 INFO  [org.apache.jackrabbit.core.nodetype.NodeTypeRegistry] no
custom node type definitions found
10:05:20,790 INFO
[org.apache.jackrabbit.core.persistence.bundle.ConnectionRecoveryManager]
Database: Oracle / Oracle Database 10g Express Edition Release 10.2.0.1.0 -
Production
10:05:20,791 INFO
[org.apache.jackrabbit.core.persistence.bundle.ConnectionRecoveryManager]
Driver: Oracle JDBC driver / 10.2.0.1.0XE
10:05:21,430 INFO  [org.apache.jackrabbit.core.RepositoryImpl] initializing
workspace 'wcm'...
10:05:21,544 INFO
[org.apache.jackrabbit.core.persistence.bundle.ConnectionRecoveryManager]
Database: Oracle / Oracle Database 10g Express Edition Release 10.2.0.1.0 -
Production
10:05:21,544 INFO
[org.apache.jackrabbit.core.persistence.bundle.ConnectionRecoveryManager]
Driver: Oracle JDBC driver / 10.2.0.1.0XE
10:05:24,000 INFO  [org.apache.jackrabbit.core.query.lucene.MultiIndex]
Created initial index for 1 nodes
10:05:24,003 INFO  [org.apache.jackrabbit.core.query.lucene.SearchIndex]
Index initialized: /home/yusuf/repo/workspaces/wcm/index Version: 3
10:05:24,031 INFO  [org.apache.jackrabbit.core.RepositoryImpl] workspace
'wcm' initialized
10:05:24,032 INFO  [org.apache.jackrabbit.core.RepositoryImpl] Repository
started
10:05:24,032 INFO  [org.apache.jackrabbit.core.TransientRepository]
Transient repository initialized
10:05:24,049 INFO  [org.apache.jackrabbit.core.DefaultSecurityManager] init:
use JAAS login-configuration for gso
10:05:24,123 INFO
[org.apache.jackrabbit.core.security.user.UserManagerImpl] Admin user does
not exist.
10:05:24,881 INFO
[org.apache.jackrabbit.core.security.user.UserManagerImpl] ... created admin
user with id 'admin' and default pw.
10:05:25,017 INFO  [org.apache.jackrabbit.core.DefaultSecurityManager] ...
created anonymous user with id 'anonymous' ...
10:05:25,040 INFO  [org.apache.jackrabbit.core.RepositoryImpl]
SecurityManager = class org.apache.jackrabbit.core.DefaultSecurityManager
10:05:26,145 INFO
[org.apache.jackrabbit.core.security.authorization.acl.ACLProvider]
*Administrators
principal group is missing -> omitting initialization of default
permissions.*
10:05:26,219 INFO  [org.apache.jackrabbit.core.TransientRepository] Session
opened
10:05:26,219 INFO
[org.apache.jackrabbit.jca.JCAManagedConnectionFactory.jcr/local] Created
session (org.apache.jackrabbit.core.XASessionImpl@13c3750)
10:05:26,345 DEBUG [gso.wcm.action.ContentService] CONTENTS SESSION USER ID:
admin
10:05:26,352 ERROR [STDERR] javax.jcr.AccessDeniedException: Access denied
at /
10:05:26,353 ERROR [STDERR]     at
org.apache.jackrabbit.core.security.DefaultAccessManager.checkPermission(DefaultAccessManager.java:461)
10:05:26,353 ERROR [STDERR]     at
org.apache.jackrabbit.core.security.DefaultAccessManager.getPolicies(DefaultAccessManager.java:299)
10:05:26,353 ERROR [STDERR]     at
gso.wcm.action.ContentService.init(ContentService.java:55)

I can log in to the repository, but when I try to access the root access manager

AccessControlManager acm = contentSession.getAccessControlManager();
AccessControlPolicy[] policies = acm.getPolicies("/");

I get the previous exception.


Even though I changed my repo config as you said:

    <Security appName="gso">
        <SecurityManager class="org.apache.jackrabbit.core.DefaultSecurityManager"
                         workspaceName="wcm">
            <WorkspaceAccessManager class="org.apache.jackrabbit.core.security.simple.SimpleWorkspaceAccessManager"/>
        </SecurityManager>
        <AccessManager class="org.apache.jackrabbit.core.security.DefaultAccessManager"/>
    </Security>

    <Workspaces rootPath="${rep.home}/workspaces" defaultWorkspace="wcm"/>

    <Workspace name="${wsp.name}">
        <FileSystem class="org.apache.jackrabbit.core.fs.db.OracleFileSystem">
        .....
        ...


And here is my LdapLoginModule config in the JBoss login config:

    <application-policy name="gso">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                <module-option name="java.naming.factory.initial">
                    com.sun.jndi.ldap.LdapCtxFactory
                </module-option>
                <module-option name="java.naming.provider.url">
                    ldap://www.gso.org.sa:389/
                </module-option>
                <module-option name="java.naming.security.authentication">
                    simple
                </module-option>
                <module-option name="principalDNPrefix">cn=</module-option>
                <module-option name="principalDNSuffix">,cn=users,dc=gso,dc=org,dc=sa</module-option>

                <module-option name="rolesCtxDN">cn=groups,dc=gso,dc=org,dc=sa</module-option>
                <module-option name="uidAttributeID">uniquemember</module-option>
                <module-option name="matchOnUserDN">true</module-option>

                <module-option name="roleAttributeID">cn</module-option>
                <module-option name="roleAttributeIsDN">false</module-option>

                <module-option name="roleAttributeIsDN">false</module-option>

                <module-option name="unauthenticatedIdentity">anonymous</module-option>
            </login-module>
        </authentication>
    </application-policy>


I guess the default security manager fails to set up the privileges for
admin and the group Administrators. Should I create that group? And where?

Regards,
Yusuf



On Fri, Dec 10, 2010 at 2:43 PM, Angela Schreiber <anchela@adobe.com> wrote:

> hi yusuf
>
> i never tried that specific combination but as far as i know it should
> work if you take care of the following:
>
> the defaultsecuritymanager with default configuration
> - uses usermanagement as defined by jackrabbit
> - creates default users (admin, anonymous)
> - sets up permissions for those default users and for
>  the 'everyone' principal
> - defines a workspaceaccessmanager that only allows to access a
>  workspace if the root-node is readable to the user that is trying
>  to login to the repository.
>
> i assume that your loginconfig does not respect the system-users
> setup in the default initialization process and thus you cannot login
> as admin in order to set the permissions accordingly.
>
> my guess would be that defining a less strict workspace-access-manager
> should solve your problem e.g. the SimpleWorkspaceAccessManager that
> allows workspace access everywhere.
> this can be configured as part of the security manager configuration in
> the repository xml:
>
>   <Security appName="Jackrabbit">
>        <SecurityManager ...>
>            <WorkspaceAccessManager
> class="org.apache.jackrabbit.core.security.simple.SimpleWorkspaceAccessManager"/>
>
>
> hope that helps
> angela
>
>
> On 12/8/10 12:57 PM, Yusuf Aaji wrote:
>
>> Hi,
>>
>> I have configured jackrabbit 2.1.2 as a jboss jca and used ldapLoginConfig
>> for security. I was using the SimpleAccessManager and
>> SimpleSecurityManager
>> for security and all was fine.
>>
>> Now I need to put some security restrictions on the nodes. I tried the
>> SimpleJBossAccessManager but it is not enough as I need specific ACL for
>> each node.
>>
>> So, I guess I need to use the DefaultAccessManager. When I configure the
>> repository to use the DefaultAccessManager and the DefaultSecurityManager
>> without the DefaultLoginConfig as the loginConfig I'm using is defined in
>> jboss login-config.xml I get this in the log:
>>
>> ...
>> 14:46:31,936 INFO  [org.apache.jackrabbit.core.RepositoryImpl] created
>> system workspace: security
>> 14:46:31,936 INFO  [org.apache.jackrabbit.core.RepositoryImpl] Repository
>> started
>> 14:46:31,936 INFO  [org.apache.jackrabbit.core.TransientRepository]
>> Transient repository initialized
>> 14:46:31,936 INFO  [org.apache.jackrabbit.core.RepositoryImpl]
>> initializing
>> workspace 'security'...
>> 14:46:33,026 INFO
>> [org.apache.jackrabbit.core.persistence.bundle.ConnectionRecoveryManager]
>> Database: Oracle / Oracle Database 10g Express Edition Release 10.2.0.1.0
>> -
>> Production
>> 14:46:33,027 INFO
>> [org.apache.jackrabbit.core.persistence.bundle.ConnectionRecoveryManager]
>> Driver: Oracle JDBC driver / 10.2.0.1.0XE
>> 14:46:34,530 INFO  [org.apache.jackrabbit.core.query.lucene.MultiIndex]
>> Created initial index for 1 nodes
>> 14:46:34,533 INFO  [org.apache.jackrabbit.core.query.lucene.SearchIndex]
>> Index initialized: /home/yusuf/repo/workspaces/security/index Version: 3
>> 14:46:34,533 INFO  [org.apache.jackrabbit.core.RepositoryImpl] workspace
>> 'security' initialized
>> 14:46:34,551 INFO  [org.apache.jackrabbit.core.DefaultSecurityManager]
>> init:
>> *use JAAS login-configuration for gso*
>> 14:46:34,618 INFO
>> [org.apache.jackrabbit.core.security.user.UserManagerImpl] *Admin user
>> does
>> not exist.*
>> 14:46:35,319 INFO
>> [org.apache.jackrabbit.core.security.user.UserManagerImpl] ... *created
>> admin user with id 'admin' and default pw.*
>> 14:46:35,408 INFO  [org.apache.jackrabbit.core.DefaultSecurityManager]
>> ... *created
>> anonymous user with id 'anonymous' ...*
>> 14:46:35,430 INFO  [org.apache.jackrabbit.core.RepositoryImpl]
>> SecurityManager = class org.apache.jackrabbit.core.DefaultSecurityManager
>> 14:46:36,387 INFO
>> [org.apache.jackrabbit.core.security.authorization.acl.ACLProvider]
>> *Administrators
>> principal group is missing ->  omitting initialization of default
>> permissions
>> .*
>> 14:46:36,475 INFO  [org.apache.jackrabbit.core.RepositoryImpl] Shutting
>> down
>> repository...
>> 14:46:36,487 INFO  [org.apache.jackrabbit.core.RepositoryImpl] shutting
>> down
>> workspace 'wcm'...
>> 14:46:36,488 INFO
>> [org.apache.jackrabbit.core.observation.ObservationDispatcher]
>> Notification
>> of EventListeners stopped.
>> 14:46:36,509 INFO  [org.apache.jackrabbit.core.query.lucene.SearchIndex]
>> Index closed: /home/yusuf/repo/workspaces/wcm/index
>> 14:46:36,539 INFO  [org.apache.jackrabbit.core.RepositoryImpl] workspace
>> 'wcm' has been shutdown
>> 14:46:36,539 INFO  [org.apache.jackrabbit.core.RepositoryImpl] shutting
>> down
>> workspace 'security'...
>> 14:46:36,540 INFO
>> [org.apache.jackrabbit.core.observation.ObservationDispatcher]
>> Notification
>> of EventListeners stopped.
>> 14:46:36,631 INFO  [org.apache.jackrabbit.core.query.lucene.SearchIndex]
>> Index closed: /home/yusuf/repo/workspaces/security/index
>> 14:46:36,657 INFO  [org.apache.jackrabbit.core.RepositoryImpl] workspace
>> 'security' has been shutdown
>> 14:46:36,659 INFO  [org.apache.jackrabbit.core.RepositoryImpl] Repository
>> has been shutdown
>> 14:46:36,660 INFO  [org.apache.jackrabbit.core.TransientRepository]
>> Transient repository shut down
>> 14:46:36,660 INFO
>> [org.apache.jackrabbit.jca.JCAManagedConnectionFactory.jcr/local] Failed
>> to
>> create session
>> 14:46:36,660 INFO
>> [org.apache.jackrabbit.jca.JCAManagedConnectionFactory.jcr/local]
>> javax.jcr.LoginException: Workspace access denied
>> 14:46:36,661 INFO
>> [org.apache.jackrabbit.jca.JCAManagedConnectionFactory.jcr/local]     at
>> org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1517)
>> 14:46:36,661 INFO
>> [org.apache.jackrabbit.jca.JCAManagedConnectionFactory.jcr/local]     at
>>
>> org.apache.jackrabbit.core.TransientRepository.login(TransientRepository.java:380)
>> 14:46:36,661 INFO
>> [org.apache.jackrabbit.jca.JCAManagedConnectionFactory.jcr/local]     at
>>
>> org.apache.jackrabbit.jca.JCAManagedConnectionFactory.openSession(JCAManagedConnectionFactory.java:153)
>> 14:46:36,661 INFO
>> [org.apache.jackrabbit.jca.JCAManagedConnectionFactory.jcr/local]     at
>>
>> org.apache.jackrabbit.jca.JCAManagedConnectionFactory.createManagedConnection(JCAManagedConnectionFactory.java:189)
>> 14:46:36,661 INFO
>> [org.apache.jackrabbit.jca.JCAManagedConnectionFactory.jcr/local]     at
>>
>> org.apache.jackrabbit.jca.JCAManagedConnectionFactory.createManagedConnection(JCAManagedConnectionFactory.java:181)
>> 14:46:36,661 INFO
>> [org.apache.jackrabbit.jca.JCAManagedConnectionFactory.jcr/local]     at
>>
>> org.jboss.resource.connectionmanager.InternalManagedConnectionPool.createConnectionEventListener(InternalManagedConnectionPool.java:584)
>>
>>
>>
>> So, can I use the DefaultAccessManager and the DefaultSecurityManager
>> without the DefaultLoginConfig??
>>
>
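
What setting a per-node ACL looks like through the standard JCR 2.0 `javax.jcr.security` API, once the session is one the repository allows to read and modify access control. This is an added example, not code from the thread or from the Jackrabbit project; the class name `NodeAclExample`, the method `grant`, and the path and principal in the usage comment are hypothetical.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;

public final class NodeAclExample {   // hypothetical class name
    /** Grants only the named privileges on absPath to a principal the repository knows. */
    public static void grant(Session session, String absPath, String principalName,
                             String... privilegeNames) throws RepositoryException {
        if (!(session instanceof JackrabbitSession)) {
            throw new RepositoryException("Session does not expose a PrincipalManager");
        }
        Principal principal = ((JackrabbitSession) session)
                .getPrincipalManager().getPrincipal(principalName);
        if (principal == null) {
            throw new RepositoryException("Unknown principal: " + principalName);
        }
        AccessControlManager acm = session.getAccessControlManager();
        // getPolicies needs the right to read access control on absPath; without it
        // this call throws javax.jcr.AccessDeniedException.
        AccessControlList acl = null;
        for (AccessControlPolicy p : acm.getPolicies(absPath)) {
            if (p instanceof AccessControlList) { acl = (AccessControlList) p; break; }
        }
        // No ACL bound to the node yet: take the applicable one instead.
        AccessControlPolicyIterator it = acm.getApplicablePolicies(absPath);
        while (acl == null && it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof AccessControlList) { acl = (AccessControlList) p; }
        }
        if (acl == null) {
            throw new RepositoryException("No access control list available at " + absPath);
        }
        Privilege[] privileges = new Privilege[privilegeNames.length];
        for (int i = 0; i < privilegeNames.length; i++) {
            privileges[i] = acm.privilegeFromName(privilegeNames[i]);
        }
        acl.addAccessControlEntry(principal, privileges);
        acm.setPolicy(absPath, acl);
        session.save(); // the ACL change is transient until the session is saved
    }
    // Constructed usage: grant(session, "/content/reports", "editors", Privilege.JCR_READ);
}
```

Granting a narrow privilege such as `jcr:read` to a named group on the node that needs it keeps the per-node model least-privilege, instead of widening access at the root.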
