jackrabbit-users mailing list archives

From Angela Schreiber <anch...@adobe.com>
Subject Re: Security Questions
Date Fri, 24 Jun 2011 07:21:07 GMT
hi chad

On 6/23/11 8:16 PM, ChadDavis wrote:
> I'm trying to decide how to implement a simple security model around
> my remotely deployed repository.  My requirements are simple.
>
> REQUIREMENTS
>
> 1) I don't need external authorization of management of my JCR users.
> As I understand it, I can use the user management bit provided by
> Jackrabbit to store my JCR users.

correct

> 2) I want to have an admin user with full rights on the whole repo, an
> anonymous read only user, and a number of users for my various
> application / clients with subtree specific full rights (ACL).

that's a standard setup

> Right now, I'm trying to set this up with DefaultSecurityManager,
> DefaultAccessManager, and the DefaultLoginModule.
>
> QUESTIONS:
>
> 1) is this an appropriate set up for my use case

yes.
this setup stores all users in a separate, dedicated workspace.
alternatively you could use the UserPerWorkspaceSecurityManager and
omit the extra workspace attribute. in that case users are created
for each workspace separately (correspondence between wsps is then
asserted by the user node's uuid).
which variant to use depends a bit on your needs/requirements.
for our commercial products we use the user-per-workspace setup.

> 2) I've somehow figured out that the DefaultLoginModule uses a couple
> of default users, with anonymous and admin rights, and the ID's for
> these users are configured via params to the default login module in
> repository.xml.  But I can't find any documentation of this user
> config, or documentation of other similar config.

the admin and the anonymous user are built in for the given setup
and will always be present. if you have a different login module
config or omit the ids there, the system defaults will be used
to create those 2 users.
if you want to disable anonymous login altogether you can disable
that user. that's the way to prevent users from logging into the
system. removal of users should be used for special cases (or
for test users) in order to assert that the uids are not being
recycled.

> 3) how do you configure the password for the default admin and
> anonymous users?

the passwords cannot be configured.
as far as the anonymous is concerned: this authorizable represents
the user for 'guestlogin' (GuestCredentials) and login without any
credentials.

> 4) can I also declare other users in the repository.xml?

no, not with the setup described above. if you want to create
new users you have to use the jackrabbit user management API.

hope that helps
angela
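The steps angela describes above (create application users through the user management API rather than repository.xml, grant them full rights on one subtree, and disable rather than remove the anonymous user) as an added Java example; this is not code from the thread or from Jackrabbit itself. It assumes a repository reachable over davex at a placeholder URL, the system-default admin id/password, a constructed user id "clientA" with subtree /apps/clientA, and a Jackrabbit version in which JcrUtils.getOrCreateByPath and User.disable(String) are available.

```java
import javax.jcr.Repository;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.commons.JcrUtils;

public class SetupSecurity {
    public static void main(String[] args) throws Exception {
        // Assumed placeholder URL and the system-default admin credentials;
        // replace both with your deployment's values.
        Repository repo = JcrUtils.getRepository("http://localhost:8080/server");
        Session session = repo.login(new SimpleCredentials("admin", "admin".toCharArray()));
        try {
            UserManager um = ((JackrabbitSession) session).getUserManager();
            // 1) Application user created via the user management API
            //    (constructed id and password; users cannot be declared in repository.xml).
            User client = um.createUser("clientA", "changeit");
            // 2) Subtree-specific full rights: jcr:all on /apps/clientA only.
            //    Assumes no policy is bound to the node yet (first applicable policy is used).
            String path = JcrUtils.getOrCreateByPath("/apps/clientA", "nt:unstructured", session).getPath();
            AccessControlManager acm = session.getAccessControlManager();
            AccessControlList acl = null;
            AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
            while (acl == null && it.hasNext()) {
                AccessControlPolicy p = it.nextAccessControlPolicy();
                if (p instanceof AccessControlList) acl = (AccessControlList) p;
            }
            acl.addAccessControlEntry(client.getPrincipal(),
                    new Privilege[] { acm.privilegeFromName(Privilege.JCR_ALL) });
            acm.setPolicy(path, acl);
            // 3) Block guest login by disabling the built-in anonymous user;
            //    it is not removed, so its id is never recycled.
            Authorizable anon = um.getAuthorizable("anonymous");
            if (anon != null && !anon.isGroup()) {
                ((User) anon).disable("guest login not permitted");
            }
            session.save();
        } finally {
            session.logout();
        }
    }
}
```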
