jackrabbit-users mailing list archives

From Francisco Carriedo Scher <fcarrie...@gmail.com>
Subject Re: Creating users
Date Tue, 20 Sep 2011 12:25:00 GMT
Dear Angela,

I can create users but cannot log in with them (javax.jcr.LoginException:
LoginModule ignored Credentials) nor set ACEs for them
(javax.jcr.security.AccessControlException: Principal dummyusername does not

First of all, I am using the DefaultSecurityManager, DefaultAccessManager and
DefaultLoginModule. About the first issue, as you said in a previous
response to one of my mails, I would like to rely on Jackrabbit's user
management instead of asking an external database for it. What is your
recommendation? Extending DefaultLoginModule and overriding the
getAuthentication method? Would this mean extending
DefaultSecurityManager and / or DefaultAccessManager as well? Any orientation will
be helpful!!!

About the second issue (exception when adding an ACE for an existing user),
the line which causes the second exception in my code is:

acl.addAccessControlEntry(p, privileges);

and the method where the exception is effectively thrown is:

    protected void checkValidEntry(Principal principal, Privilege[]
                                 boolean isAllow, Map<String, Value>
            throws AccessControlException {
        // validate principal
        if (principal instanceof UnknownPrincipal) {
            log.debug("Consider fallback principal as valid: {}",
        } else if (!principalMgr.hasPrincipal(principal.getName())) {
            throw new AccessControlException("Principal " +
principal.getName() + " does not exist.");

I obtain a valid object p (Principal) like this (but internally Jackrabbit
doesn't achieve it):

User u = um.getUser(username);

The object um is a UserManagerImpl object obtained through an admin session:

new UserManagerImpl((SessionImpl) session, "admin")

and I create users with this single line:

u = um.createUser(name, pass, p, null);

Finally, a conceptual question just to be sure whether I got it or not:

Authorizable class: any object which might be granted permissions over
nodes, such as users and groups
Principal: a kind of role, so to say an identity card shown when trying to
perform operations inside JR. Every brand new user has a Principal object
associated with him, and it is recoverable through the user.getPrincipal()
method (for example, my code gets it that way) and through input credentials
(for example, JR tries it that way, and in my case it throws the mentioned
exception).

Thank you very much for your attention and help!

2011/9/20 Angela Schreiber <anchela@adobe.com>

> On 9/15/11 12:41 PM, Francisco Carriedo Scher wrote:
>> Hi there,
>> finally setting permissions through resource-based ACLs is achieved. Now I
>> am trying to create users and test ACLs with them, but I found problems.
>> First of all, creating users (that will be affected by the set ACLs for
>> them) should be straightforward, shouldn't it?
> yes... jackrabbit provides user management API in its own
> extensions of the JCR API. this allows you to create users,
> groups, add members to groups etc...
> since access control such as defined by the JCR API deals
> with principals rather than users, jackrabbit also defines
> principal management API, where the default implementation
> is backed by the user management.
> not sure what your repository configuration looks like.
> but if you have something else than the simplesecuritymanager
> you should get everything for free.
> angela
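
The flow discussed in this thread, written against the public Jackrabbit API (JackrabbitSession, UserManager, PrincipalManager); this is an added example, not code from either poster or from the Jackrabbit project. It assumes Jackrabbit 2.x with the default security configuration and an administrative session; the class name, method name and parameters are hypothetical.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;

// Hypothetical helper class; adminSession is assumed to be an administrative session.
public class CreateUserAndGrant {
    public static void createAndGrantRead(Session adminSession, String userId,
            String password, String path) throws RepositoryException {
        JackrabbitSession js = (JackrabbitSession) adminSession;
        UserManager um = js.getUserManager();
        User user = um.createUser(userId, password);
        if (!um.isAutoSave()) {
            adminSession.save(); // persist the new user when autosave is off
        }
        Principal principal = user.getPrincipal();
        // Same kind of lookup as the hasPrincipal call in checkValidEntry:
        // fail early, with context, if the principal cannot be resolved.
        PrincipalManager pm = js.getPrincipalManager();
        if (!pm.hasPrincipal(principal.getName())) {
            throw new RepositoryException("Principal not resolvable: " + principal.getName());
        }

        AccessControlManager acm = adminSession.getAccessControlManager();
        JackrabbitAccessControlList acl = null;
        // Prefer a policy already bound to the node, else an applicable one.
        for (AccessControlPolicy p : acm.getPolicies(path)) {
            if (p instanceof JackrabbitAccessControlList) acl = (JackrabbitAccessControlList) p;
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (acl == null && it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof JackrabbitAccessControlList) acl = (JackrabbitAccessControlList) p;
        }
        if (acl == null) throw new RepositoryException("No ACL policy for " + path);
        Privilege[] read = { acm.privilegeFromName(Privilege.JCR_READ) };
        acl.addAccessControlEntry(principal, read); // allow entry, read only
        acm.setPolicy(path, acl);
        adminSession.save();
    }
}
```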
