jackrabbit-users mailing list archives

From Guillaume Belrose <kafe...@gmail.com>
Subject Re: On the topic of JackRabbit group management.
Date Fri, 12 Aug 2011 13:23:13 GMT
Hello,
Thanks for the pointers Angela. Regarding groups and users, I probably
want to be able to list them as well as search them. In both cases
what you suggest will be very useful.
I eventually found some information on the mailing list on how to
grant all rights to an administrators group that I created myself. In
case this is of any use, here is a test which shows what I've done:
https://gist.github.com/1142000
It would be nice to have this information on the Wiki somewhere in the
form of recipes for how to do security related things. I don't mind
contributing stuff.
Regards,
Guillaume.



On 12 August 2011 13:34, Angela Schreiber <anchela@adobe.com> wrote:
> hi guillaume
>
>> I am currently looking at leveraging the features of the JackRabbit
>> UserManager to be able to manage users, groups and give users
>> administrator privileges for my application.
>> First of all, is there an easy way to be able to list all users and
>> all groups that have been created on the system?
>
> yes.
> if i remember correctly you can use a 'null' simple filter for a
> common property such as rep:principalName to obtain a result
> containing all authorizables for the specified search-type.
>
> but as a general rule i would rather suggest to use a specific
> query... if you have a huge amount of users and/or groups listing
> all of them is probably not very useful.
>
>> All the findAuthorizable methods on the UserManager are search
>> oriented, so all I can think of is writing a wildcard search query for
>> groups or users whose name is like *. Am I on the right track?
>
> yes. see above.
>
>> Also, it seems the Jackrabbit does not pre-create the administrators
>> group by default.
>
> that's correct. we initially had that and decided to get rid of it for
> various reasons specifically as jackrabbit itself didn't have
> any need for it and we decided that it was rather the responsibility
> of an application on top of jackrabbit to define such a group.
> in addition there is usually the need for various different
> groups with some sort of administrative roles depending on the
> type and complexity of the application... in other words: limit
> the set of authorizables to built-in and avoid creating example
> user/group(s).
>
>> Please see the following test snippet written in
>> Scala with ScalaTest. The test fails when trying to get the
>> authorizable corresponding to the ADMINISTRATORS_NAME group.
>
> yep. that's a leftover. the constant should have been marked
> deprecated.
>
>> I guess I can just create that group and add a user to it, but is that
>> sufficient then to give that user all administrators privileges (i.e.
>> the right to create other users and groups, etc...). If not, what else
>> would I need to do?
>
> if you need an 'administrators' group, the best solution was
> to create it using UserManager#createGroup, then make sure
> the corresponding principal is granted sufficient permissions
> (according to your needs) and then add the required users to the
> administrators group.
>
>>       "The super user (i.e admin) should be able to create a user and
>> her to the administrators group" in {
>>          inSession(repository,superuser,password){session =>
>>        val um = session.getUserManager
>>            um.getAuthorizable(SecurityConstants.ADMINISTRATORS_NAME)
>> match{
>>              case null =>  fail("The authorizable for the administrators
>> group does not exist.")
>>              case g : Group =>
>>        val newadmin = "newadmin"
>>                g.addMember(um.createUser(newadmin,newadmin))
>
> if you want to have a group, that can have members, you have to
> call UserManager.createGroup
>
>>              case _ =>  fail("The administrators authorizable is not a
>> group")
>>            }
>>          }
>>       }
>
> regards
> angela
>
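
The three steps described in the reply above (create the group with UserManager#createGroup, grant its principal the permissions the application needs, then add the users), as an added Java example that is not part of the original thread or of the linked gist. The class and method names (`AdminGroupSetup`, `ensureAdminGroup`) and the parameters are hypothetical, and the code assumes a Jackrabbit version whose `UserManager` has the `createGroup(String)` overload and a session allowed to manage users and modify access control at `path`.

```java
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;

public final class AdminGroupSetup {

    /** Hypothetical helper: create (or reuse) a group, grant it privileges at path, add one member. */
    public static Group ensureAdminGroup(Session session, String groupId, String path,
                                         String[] privilegeNames, String memberId)
            throws RepositoryException {
        UserManager um = ((JackrabbitSession) session).getUserManager();

        // Step 1: the group is not pre-created by Jackrabbit, so create it unless it exists.
        Authorizable existing = um.getAuthorizable(groupId);
        if (existing != null && !existing.isGroup()) {
            throw new RepositoryException(groupId + " exists but is not a group");
        }
        Group group = (existing != null) ? (Group) existing : um.createGroup(groupId);

        // Step 2: grant the group's principal only the privileges the application needs.
        AccessControlManager acm = session.getAccessControlManager();
        Privilege[] privileges = new Privilege[privilegeNames.length];
        for (int i = 0; i < privilegeNames.length; i++) {
            privileges[i] = acm.privilegeFromName(privilegeNames[i]);
        }
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, path);
        if (acl == null) {
            throw new RepositoryException("No modifiable ACL at " + path);
        }
        acl.addEntry(group.getPrincipal(), privileges, true); // true = allow entry
        acm.setPolicy(path, acl);

        // Step 3: add the user; group membership is what conveys the permissions.
        Authorizable member = um.getAuthorizable(memberId);
        if (member == null) {
            throw new RepositoryException("No such authorizable: " + memberId);
        }
        group.addMember(member);

        session.save(); // persist the ACL and membership changes
        return group;
    }
}
```

Passing `new String[] { Privilege.JCR_ALL }` with path `/` reproduces the "grant all rights" setup mentioned in the message; a narrower path and privilege list keeps the group closer to what the application actually needs.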
