jackrabbit-users mailing list archives

From Guillaume Belrose <kafe...@gmail.com>
Subject Re: On the topic of JackRabbit group management.
Date Fri, 12 Aug 2011 13:23:13 GMT
Thanks for the pointers Angela. Regarding groups and users, I probably
want to be able to list them as well as search them. In both cases
what you suggest will be very useful.
I eventually found some information on the mailing list on how to
grant all rights to an administrators group that I created myself. In
case this is of any use, here is a test which shows what I've done:
It would be nice to have this information on the Wiki somewhere in the
form of recipes for how to do security related things. I don't mind
contributing stuff.

On 12 August 2011 13:34, Angela Schreiber <anchela@adobe.com> wrote:
> hi guillaume
>> I am currently looking at leveraging the features of the JackRabbit
>> UserManager to be able to manage users, groups and give users
>> administrator privileges for my application.
>> First of all, is there an easy way to be able to list all users and
>> all groups that have been created on the system?
> yes.
> if i remember correctly you can use a 'null' simple filter for a
> common property such as rep:principalName to obtain a result
> containing all authorizables for the specified search-type.
> but as a general rule i would rather suggest to use a specific
> query... if you have a huge amount of users and/or groups listing
> all of them is probably not very useful.
>> All the findAuthorizable methods on the UserManager are search
>> oriented, so all I can think of is writing a wildcard search query for
>> groups or users whose name is like *. Am I on the right track?
> yes. see above.
>> Also, it seems the Jackrabbit does not pre-create the administrators
>> group by default.
> that's correct. we initially had that and decided to get rid for
> various reasons specifically as jackrabbit itself didn't have
> any need for it and we decided that it was rather the responsibility
> of an application on top of jackrabbit to define such a group.
> in addition there is usually the need for various different
> groups with some sort of administrative roles depending on the
> type and complexity of the application... in other words: limit
> the set of authorizables to built-in and avoid creating example
> user/group(s).
>> Please see the following test snippet written in
>> Scala with ScalaTest. The test fails when trying to get the
>> authorizable corresponding to the ADMINISTRATORS_NAME group.
> yep. that's a leftover. the constant should have been marked
> deprecated.
>> I guess I can just create that group and add a user to it, but is that
>> sufficient then to give that user all administrators privileges (i.e.
>> the right to create other users and groups, etc...). If not, what else
>> would I need to do?
> if you need an 'administrators' group, the best solution was
> to create it using UserManager#createGroup, then make sure
> the corresponding principal is granted sufficient permissions
> (according to your needs) and then add the required users to the
> administrators group.
>>       "The super user (i.e admin) should be able to create a user and her to the administrators group" in {
>>          inSession(repository,superuser,password){session =>
>>            val um = session.getUserManager
>>            um.getAuthorizable(SecurityConstants.ADMINISTRATORS_NAME) match{
>>              case null =>  fail("The authorizable for the administrators group does not exist.")
>>              case g : Group =>
>>                val newadmin = "newadmin"
>>                g.addMember(um.createUser(newadmin,newadmin))
> if you want to have a group, that can have members, you have to
> call UserManager.createGroup
>>              case _ =>  fail("The administrators authorizable is not a group")
>>            }
>>          }
>>       }
> regards
> angela
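
The three steps from the reply above (create the group with UserManager#createGroup, grant its principal permissions, then add members), written out in Java as an added example; it is not code from the thread or from the Jackrabbit project. The class name, method name and parameters are hypothetical, and the path and privilege names are left to the caller so the grant can be scoped to what the application needs.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;

public final class AdminGroupSetup { // hypothetical helper, not a Jackrabbit class
    public static Group grantToGroup(Session session, final String groupName, String userId,
            String path, String... privilegeNames) throws RepositoryException {
        UserManager um = ((JackrabbitSession) session).getUserManager();
        // Step 1: the group is not pre-created, so create it unless it already exists.
        Authorizable existing = um.getAuthorizable(groupName);
        if (existing != null && !existing.isGroup()) {
            throw new RepositoryException(groupName + " exists but is not a group");
        }
        Group group = existing != null ? (Group) existing
                : um.createGroup(new Principal() { public String getName() { return groupName; } });
        // Assumption: persist the group first so its principal is known when the ACL is edited.
        if (!um.isAutoSave()) session.save();
        // Step 2: grant the group's principal the requested privileges on one path.
        AccessControlManager acm = session.getAccessControlManager();
        AccessControlList acl = null;
        for (AccessControlPolicy p : acm.getPolicies(path)) {      // ACL already bound here
            if (p instanceof AccessControlList) acl = (AccessControlList) p;
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (acl == null && it.hasNext()) {                      // otherwise a fresh one
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof AccessControlList) acl = (AccessControlList) p;
        }
        if (acl == null) throw new RepositoryException("no ACL can be set at " + path);
        Privilege[] privs = new Privilege[privilegeNames.length];
        for (int i = 0; i < privs.length; i++) privs[i] = acm.privilegeFromName(privilegeNames[i]);
        acl.addAccessControlEntry(group.getPrincipal(), privs);
        acm.setPolicy(path, acl);
        // Step 3: add an existing user; membership is what carries the grant to that user.
        Authorizable user = um.getAuthorizable(userId);
        if (user == null || user.isGroup()) throw new RepositoryException("no such user: " + userId);
        group.addMember(user);
        session.save();
        return group;
    }
}
```

A call such as `grantToGroup(session, "administrators", "newadmin", "/", Privilege.JCR_ALL)` gives the group every privilege on the whole workspace; passing a narrower path and privilege list keeps the grant to what the role requires.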
