jackrabbit-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Francisco Carriedo Scher <fcarrie...@gmail.com>
Subject Re: Setting permissions
Date Sun, 18 Sep 2011 20:20:16 GMT
Thank you very much Toby,

the problem was related with other issue. It results that i needed to use
DefaultLoginModule, DefaultAccessManager and DefaultSecurityManager and the
default repository.xml file created in the standalone declares
SimpleAccessManager, Simple... And it just doesn't work. Now assigning ACLs
works ok for the EveryonePrincipal, but not for any other user. I guess that
i am not correctly creating users like this:

    public boolean createUser(String name, String pass) throws
AuthorizableExistsException, RepositoryException{

        User u;
        PrincipalImpl p = new PrincipalImpl(name);
        String usersPath = "/" + name;

        u = um.createUser(name, pass, p, null);
        // "HOME" folder for the brand new user
        createUsersFolder(name, session);

        return true;


After executing this code, i try to log in with the new user and i get a
exception: javax.jcr.LoginException: LoginModule ignored Credentials

In addition, i can not set ACEs on a folder for any user when creating a

    private void setAcl(Principal p, String path) throws
UnsupportedRepositoryOperationException, RepositoryException {

        AccessControlManager aMgr = session.getAccessControlManager();

        // create a privilege set with jcr:all
        Privilege [] privileges = new Privilege[3];
        privileges[0] = aMgr.privilegeFromName(Privilege.JCR_READ);
        privileges[1] =
        privileges[2] =
        AccessControlList acl;
        try {
            // get first applicable policy (for nodes w/o a policy)
            acl = (AccessControlList)
        } catch (NoSuchElementException e) {
            // else node already has a policy, get that one
            acl = (AccessControlList) aMgr.getPolicies(path)[0];
        // remove all existing entries
        for (AccessControlEntry e : acl.getAccessControlEntries()) {
        // add a new one for the special "everyone" principal
*        _acl.addAccessControlEntry(p, privileges); // THIS LINE CAUSES THE

        // the policy must be re-set
        aMgr.setPolicy(path, acl);

        // and the session must be saved for the changes to be applied


On the code above i get the Principal p instance like this:

um.getPrincipal(new SimpleCredentials(username, username.toCharArray()))

where username is the username and password of the user i want to assign the
ACL to and the usermanager is instantiated with admin:admin credentials like

UserManagerImpl um = new UserManagerImpl((SessionImpl) session, "admin");

Summing up, i see it like this:

- i start an admin session and get a user manager instance as admin.
- i create users correctly
- i create folders correctly and try to set ACLs to the users i create but
it doesn't work (because it throws a javax.jcr.security.AccessControlException:
Principal sol3 does not exist.

Is there something i am missing? Thanks in advance for your attention!

2011/9/17 Tobias Bocanegra <tripod@adobe.com>

> hi francisco,
> if you are using normal resource based ACLs you can manage them with
> the provided interfaces.
> example to grant all rights to everyone:
> AccessControlManager aMgr = session.getAccessControlManager();
> Privilege[] privileges = new
> Privilege[]{aMgr.privilegeFromName(Privilege.JCR_ALL)};
> // find the ACL policy
> JackrabbitAccessControlList acl;
> try {
>   acl = (JackrabbitAccessControlList)
> aMgr.getApplicablePolicies(path).nextAccessControlPolicy();
> } catch (NoSuchElementException e) {
>   acl = (JackrabbitAccessControlList) aMgr.getPolicies(path)[0];
> }
> // remove all existing ACEs
> for (AccessControlEntry e : acl.getAccessControlEntries()) {
>  acl.removeAccessControlEntry(e);
> }
> acl.addEntry(EveryonePrincipal.getInstance(), privileges, true);
> aMgr.setPolicy(path, acl);
> session.save();
> (the above code is a bit a hack, as it catches the
> NoSuchElementException from the iterator.next - but i hadn't a nicer
> example ready)
> the point here is, that 'getApplicablePolicies' will return an empty
> iterator if there is already a policy defined on that path. usually
> (in the default implementation) there is only 1 policy, the
> JackrabbitAccessControlList. And either it's applicable, or already
> defined. the rock solid approach would be do iterate over applicable
> or getPolicies until you find a 'JackrabbitAccessControlList'.
> hope this helps.
> regards, toby
> On Tue, Sep 13, 2011 at 12:04 AM, Francisco Carriedo Scher
> <fcarriedos@gmail.com> wrote:
> > Ok, guessing that i need to extend AbstractAccessManager with my own
> class
> > and override setPolicyMethod, which is exactly the best way to bind a
> Policy
> > object to a Node object? Is it up to the designer?
> >
> > Thanks for your attention, greetings!
> >

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message