jackrabbit-users mailing list archives

From Markus Joschko <markus.josc...@gmail.com>
Subject Re: ACLs, GlobPattern and move
Date Tue, 27 Sep 2011 20:53:30 GMT
Hi Mark,

there was a huge misunderstanding on my part: I somehow thought that
the rep:nodepath entry in the restrictions map is mandatory.
But after trying it without rep:nodepath and only rep:glob it works
fine except for two issues:

1) I have to relogin with the user when I move the node in a parallel
session with the admin.
    Otherwise I get exceptions like
javax.jcr.RepositoryException: Failed to list child nodes of node /test2
        at org.apache.jackrabbit.core.NodeImpl$9.perform(NodeImpl.java:2186)
        at org.apache.jackrabbit.core.NodeImpl$9.perform(NodeImpl.java:2177)
        at org.apache.jackrabbit.core.session.SessionState.perform(SessionState.java:188)
        at org.apache.jackrabbit.core.ItemImpl.perform(ItemImpl.java:91)
        at org.apache.jackrabbit.core.NodeImpl.getNodes(NodeImpl.java:2177)
        at .<init>(<console>:16)
        at .<clinit>(<console>)
        at .<init>(<console>:11)
        at .<clinit>(<console>)
        at $print(<console>)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at scala.tools.nsc.interpreter.IMain$ReadEvalPrint.call(IMain.scala:704)
        at scala.tools.nsc.interpreter.IMain$Request$$anonfun$14.apply(IMain.scala:920)
        at scala.tools.nsc.interpreter.Line$$anonfun$1.apply$mcV$sp(Line.scala:43)
        at scala.tools.nsc.io.package$$anon$2.run(package.scala:25)
        at java.lang.Thread.run(Thread.java:662)
Caused by: javax.jcr.AccessDeniedException: cannot read item 5f182290-2be6-4b05-8731-8efbabc3750e
        at org.apache.jackrabbit.core.ItemManager.getItemData(ItemManager.java:387)
        at org.apache.jackrabbit.core.ItemManager.getItemData(ItemManager.java:337)
        at org.apache.jackrabbit.core.ItemManager.getChildNodes(ItemManager.java:727)
        at org.apache.jackrabbit.core.NodeImpl$9.perform(NodeImpl.java:2181)
        ... 20 more

I read somewhere that permissions are cached in the session and I
guess it has something to do with that.

2) If I am connected with the standalone client via webdav, this
relogin has to happen on the "serverside". If I just do a logout and
login again in the cli client,
    I can't see the changed state. As soon as I've done a relogin with
that user on the server directly, I can relogin with the client and
everything is fine.
    That's a bit annoying.

Have you also done a logout/login in the CRX UI?


Thanks for caring,
 Markus

On Mon, Sep 26, 2011 at 11:13 PM, Mark Herman <MHerman@nbme.org> wrote:
>
> Markus Joschko wrote:
>>
>> The policy (Resourcebased not Pathbased)
>>
>
> What do you mean Pathbased? I'm used to Resource based vs Principal based
> [0]
>
>
> Markus Joschko wrote:
>>
>> Should GlobPattern be used at all with Resourcebased Policies?
>>
> According to [1], it is not necessary because keeping it null just means all
> descendants. Note the differences between null, "", and *.
>
>
> Markus Joschko wrote:
>>
>> And if yes, how should the move operation be dealt with?
>>
>
> I was able to create desired behavior using CRX's GUI, so I imagine it is
> how jackrabbit works. Could you send the code you're using to apply the
> security, or maybe what your
> JackrabbitAccessControlList.getAccessControlEntries() contains before and
> after the move?
>
> [0] http://wiki.apache.org/jackrabbit/AccessControl#Resource-based_ACLs
> [1]
> http://jackrabbit.apache.org/api/2.2/org/apache/jackrabbit/core/security/authorization/GlobPattern.html
>
> --
> View this message in context: http://jackrabbit.510166.n4.nabble.com/ACLs-GlobPattern-and-move-tp3845190p3845418.html
> Sent from the Jackrabbit - Users mailing list archive at Nabble.com.
>
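
The setup discussed in this message, a resource-based ACE restricted only by rep:glob, plus the getAccessControlEntries() listing Mark asks for, sketched against the Jackrabbit 2.x API as an added example that is not code posted in the thread. The class name `GlobAceExample`, its method names, and the admin session, node path and principal passed in are assumptions.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;

public final class GlobAceExample { // hypothetical helper class, not part of Jackrabbit
    /** Returns the ACL already bound to nodePath, or an applicable empty one. */
    static JackrabbitAccessControlList aclFor(AccessControlManager acm, String nodePath)
            throws RepositoryException {
        for (AccessControlPolicy p : acm.getPolicies(nodePath)) {
            if (p instanceof JackrabbitAccessControlList) return (JackrabbitAccessControlList) p;
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(nodePath);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof JackrabbitAccessControlList) return (JackrabbitAccessControlList) p;
        }
        throw new RepositoryException("no ACL policy applicable at " + nodePath);
    }
    /** Grants jcr:read at nodePath, restricted only by rep:glob (no rep:nodePath entry). */
    static void allowRead(Session admin, String nodePath, Principal who, String glob)
            throws RepositoryException {
        AccessControlManager acm = admin.getAccessControlManager();
        JackrabbitAccessControlList acl = aclFor(acm, nodePath);
        Map<String, Value> restrictions =
                Collections.singletonMap("rep:glob", admin.getValueFactory().createValue(glob));
        Privilege[] read = { acm.privilegeFromName(Privilege.JCR_READ) };
        acl.addEntry(who, read, true, restrictions); // true = allow entry
        acm.setPolicy(nodePath, acl);
        admin.save(); // the policy change is transient until saved
    }
    /** Prints principal, allow/deny and restrictions per ACE, e.g. before and after a move. */
    static void dump(Session admin, String nodePath) throws RepositoryException {
        AccessControlManager acm = admin.getAccessControlManager();
        for (AccessControlEntry ace : aclFor(acm, nodePath).getAccessControlEntries()) {
            JackrabbitAccessControlEntry e = (JackrabbitAccessControlEntry) ace;
            StringBuilder sb = new StringBuilder(e.getPrincipal().getName());
            sb.append(e.isAllow() ? " allow" : " deny");
            for (String n : e.getRestrictionNames()) sb.append(' ').append(n).append('=').append(e.getRestriction(n).getString());
            System.out.println(sb);
        }
    }
}
```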
