jackrabbit-users mailing list archives

From Angela Schreiber <anch...@adobe.com>
Subject Re: Multiple workspaces and access control question
Date Wed, 13 Apr 2011 06:54:57 GMT

> My app will have 1-n workspaces.
> Requirement 1: Each workspace will have its own set of users. Users from
> one workspace cannot access other workspaces.
> Requirement 2: In some exceptional cases, users may access other workspace

userperworkspace usermanager would be the right option. if you combine 
it with the corresponding security manager then users will only be
allowed to access the workspace if the user exists therein (in contrast 
to e.g. the simple-workspace-ac-mgr which allows everyone to access
every workspace, see below).

> To highlight this with an example: say the workspaces are Legal, Marketing
> and Sales. They will have their own users and they cannot see each others
> stuff. Now a new workspace Cafeteria is added, that users from all other
> workspaces should be able to see [and perhaps write comments on the menu
> etc] that workspace.

you can either create users with the same userID in the cafeteria
workspace (the user nodes will be 'corresponding' to those in the other
workspaces based on the nodeID which stores the hashed identifier) or
simply clone the nodes.

> Since, Jackrabbit gives everyone read access to all workspaces, using the
> DefaultSecurityManager was not an option. I ended up using

this is configurable (omit-default-permissions parameter with the access
control provider which can be configured for each workspace) and not 
related to the user manager at all.

> UserPerWorkspaceSecurityManager, which now allows me to fulfill requirement

see above. that's fine but not related to the default permission
setup which depends on the per workspace ac provider.

> 1.
> However I am puzzling over how to get to requirement 2.

see above.

> I tried giving a user from workspace 1 access to workspace 2, but obviously
> it does not work, since users are per workspace. I tried using

as stated above you have to make sure that the users are present
in the workspace. that's the default if you use the u-p-w-security.
if you can't deal with this, you optionally could change the
security configuration to use a different workspace-access-mgr
that applies a different logic to determine if a given user can
access the workspace... but then you potentially have to fiddle
around with a custom loginmodule and/or principal provider if the
users were not present in the cafeteria workspace but still
need to have access and access control entries assigned.

> DefaultSecurityManager, but that then gives everyone access to all
> workspaces.

see above.

> So, is there a mechanism to fulfill the requirements or is it asking too
> much of jackrabbit ??

not at all.

> PS: Please don't ask me to use a single workspace. Due to requirements of
> total isolation, strong file system level security requirements and possible
> future migration of workspaces independently to other machines, our
> architects have decided on separate workspaces per community of users. I
> cannot change that requirement.

that shouldn't be a problem from my point of view.
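
The first option from the reply (a user with the same userID in the shared workspace, with access control entries assigned there), as an added example that is not code from the thread or from the Jackrabbit project. The class and method names, the password handling, and the assumption that an administrative session may edit users and ACLs in the target workspace are all illustrative.

```java
import javax.jcr.Repository;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.UserManager;

// Hypothetical helper: class, method and parameter names are assumptions.
public class SharedWorkspaceAccess {
    // Make sure userId exists in the shared workspace, then allow jcr:read on path.
    public static void grantRead(Repository repo, SimpleCredentials admin, String workspace,
                                 String userId, String password, String path) throws Exception {
        Session session = repo.login(admin, workspace);
        try {
            // With a per-workspace user manager this looks only at the target workspace.
            UserManager um = ((JackrabbitSession) session).getUserManager();
            Authorizable user = um.getAuthorizable(userId);
            if (user == null) {
                user = um.createUser(userId, password); // same userID as in the home workspace
            }
            AccessControlManager acm = session.getAccessControlManager();
            JackrabbitAccessControlList acl = findAcl(acm, path);
            if (acl == null) {
                throw new IllegalStateException("no editable ACL at " + path);
            }
            Privilege[] read = { acm.privilegeFromName(Privilege.JCR_READ) };
            acl.addEntry(user.getPrincipal(), read, true); // true = allow entry
            acm.setPolicy(path, acl);
            session.save();
        } finally {
            session.logout();
        }
    }

    // Prefer the ACL already bound to the node, else the first applicable one.
    private static JackrabbitAccessControlList findAcl(AccessControlManager acm, String path) throws Exception {
        for (AccessControlPolicy p : acm.getPolicies(path)) {
            if (p instanceof JackrabbitAccessControlList) return (JackrabbitAccessControlList) p;
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof JackrabbitAccessControlList) return (JackrabbitAccessControlList) p;
        }
        return null;
    }
}
```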

