jackrabbit-users mailing list archives

From Markus Joschko <markus.josc...@gmail.com>
Subject Restrict read rights to root node and the davex connection
Date Wed, 21 Sep 2011 20:57:56 GMT
In my quest to secure the access to the repository I removed the
everyone read access from the root node.
That leads to the situation where my users can't log in any longer (I
guess it's the workspacemanager that denies the access as the users
now don't have read rights to root any longer).

I therefore tried to create some access rules to solely access the
root node (not the descendants of it, as I don't want to work with
denies).
To get there I added a path based entry to the user's AccessControlList
that is valid for "/" and has a restriction which is rep:glob -> ""

That seems to work fine when I log in from code: I don't see a node below "/".
However, if I try to log in via WebDAV with the CLI, I get the exception:

exception: java.lang.NullPointerException
message: null

display stack trace? [y/n]y
java.lang.NullPointerException
        at org.apache.jackrabbit.spi.commons.conversion.ParsingNameResolver.getJCRName(ParsingNameResolver.java:79)
        at org.apache.jackrabbit.spi.commons.conversion.CachingNameResolver.getJCRName(CachingNameResolver.java:95)
        at org.apache.jackrabbit.spi.commons.conversion.DefaultNamePathResolver.getJCRName(DefaultNamePathResolver.java:78)
        at org.apache.jackrabbit.jcr2spi.util.LogUtil.saveGetJCRName(LogUtil.java:89)
        at org.apache.jackrabbit.jcr2spi.NodeImpl.<init>(NodeImpl.java:104)
        at org.apache.jackrabbit.jcr2spi.ItemManagerImpl.createNodeInstance(ItemManagerImpl.java:322)
        at org.apache.jackrabbit.jcr2spi.ItemManagerImpl.created(ItemManagerImpl.java:347)
        at org.apache.jackrabbit.jcr2spi.state.AbstractItemStateFactory.notifyCreated(AbstractItemStateFactory.java:74)
        at org.apache.jackrabbit.jcr2spi.state.TransientISFactory.created(TransientISFactory.java:153)
        at org.apache.jackrabbit.jcr2spi.state.AbstractItemStateFactory.notifyCreated(AbstractItemStateFactory.java:74)
        at org.apache.jackrabbit.jcr2spi.state.WorkspaceItemStateFactory.createNodeState(WorkspaceItemStateFactory.java:349)
        at org.apache.jackrabbit.jcr2spi.state.WorkspaceItemStateFactory.createNodeState(WorkspaceItemStateFactory.java:101)
        at org.apache.jackrabbit.jcr2spi.state.TransientISFactory.createNodeState(TransientISFactory.java:97)
        at org.apache.jackrabbit.jcr2spi.hierarchy.NodeEntryImpl.doResolve(NodeEntryImpl.java:990)
        at org.apache.jackrabbit.jcr2spi.hierarchy.HierarchyEntryImpl.resolve(HierarchyEntryImpl.java:134)
        at org.apache.jackrabbit.jcr2spi.hierarchy.HierarchyEntryImpl.getItemState(HierarchyEntryImpl.java:253)
        at org.apache.jackrabbit.jcr2spi.ItemManagerImpl.getItem(ItemManagerImpl.java:199)
        at org.apache.jackrabbit.jcr2spi.SessionImpl.getRootNode(SessionImpl.java:233)
        at org.apache.jackrabbit.standalone.cli.core.Login.execute(Login.java:84)
        at org.apache.jackrabbit.standalone.cli.JcrClient.runCommand(JcrClient.java:255)
        at org.apache.jackrabbit.standalone.cli.JcrClient.runInteractive(JcrClient.java:210)
        at org.apache.jackrabbit.standalone.Main.run(Main.java:145)
        at org.apache.jackrabbit.standalone.Main.main(Main.java:61)


Any idea what that is about? I also tried the resource based ACL
instead of the path based with basically the same effect.


Another thing I don't understand is what happens when I use rep:glob
-> "*" instead. That gives me a

exception: javax.jcr.RepositoryException
message: Unauthorized

display stack trace? [y/n]y
javax.jcr.RepositoryException: Unauthorized
        at org.apache.jackrabbit.spi2dav.ExceptionConverter.generate(ExceptionConverter.java:120)
        at org.apache.jackrabbit.spi2dav.ExceptionConverter.generate(ExceptionConverter.java:51)
        at org.apache.jackrabbit.spi2dav.ExceptionConverter.generate(ExceptionConverter.java:45)
        at org.apache.jackrabbit.spi2dav.RepositoryServiceImpl.obtain(RepositoryServiceImpl.java:722)
        at org.apache.jackrabbit.spi2dav.RepositoryServiceImpl.obtain(RepositoryServiceImpl.java:666)
        at org.apache.jackrabbit.spi2davex.RepositoryServiceImpl.obtain(RepositoryServiceImpl.java:273)
        at org.apache.jackrabbit.jcr2spi.RepositoryImpl.login(RepositoryImpl.java:151)
        at org.apache.jackrabbit.commons.AbstractRepository.login(AbstractRepository.java:123)
        at org.apache.jackrabbit.standalone.cli.core.Login.execute(Login.java:79)
        at org.apache.jackrabbit.standalone.cli.JcrClient.runCommand(JcrClient.java:255)
        at org.apache.jackrabbit.standalone.cli.JcrClient.runInteractive(JcrClient.java:210)
        at org.apache.jackrabbit.standalone.Main.run(Main.java:145)
        at org.apache.jackrabbit.standalone.Main.main(Main.java:61)
Caused by: org.apache.jackrabbit.webdav.DavException: Unauthorized
        at org.apache.jackrabbit.webdav.client.methods.DavMethodBase.getResponseException(DavMethodBase.java:162)
        at org.apache.jackrabbit.webdav.client.methods.DavMethodBase.getResponseBodyAsMultiStatus(DavMethodBase.java:91)
        at org.apache.jackrabbit.spi2dav.RepositoryServiceImpl.obtain(RepositoryServiceImpl.java:694)
        ... 9 more

According to the javadoc the "*" allows "access to all siblings of
foo and foo's and the siblings' descendants."
Doesn't that include "/" in this case?

Thanks,
 Markus
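
The setup described in the message above, written out as an added example (not code from the original post or from the Jackrabbit project): a resource-based allow entry on "/" restricted with rep:glob = "", plus a check of what the restricted user can then see. The class name RootOnlyRead, its method names and the principalName/user parameters are hypothetical; it assumes an admin session on a Jackrabbit 2.x repository where the everyone read entry on "/" has already been removed.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import javax.jcr.*;
import javax.jcr.security.*;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;

public class RootOnlyRead {  // hypothetical helper class

    /** Adds an allow entry for jcr:read on "/" restricted by rep:glob = "" (no deny entries). */
    static void grantRootOnlyRead(Session admin, String principalName) throws RepositoryException {
        AccessControlManager acm = admin.getAccessControlManager();
        JackrabbitAccessControlList acl = findAcl(acm, "/");
        Principal p = ((JackrabbitSession) admin).getPrincipalManager().getPrincipal(principalName);
        if (p == null) throw new RepositoryException("unknown principal: " + principalName);
        Privilege[] read = { acm.privilegeFromName(Privilege.JCR_READ) };
        // The restriction from the post: rep:glob set to the empty string.
        Map<String, Value> restrictions =
                Collections.singletonMap("rep:glob", admin.getValueFactory().createValue(""));
        acl.addEntry(p, read, true, restrictions);
        acm.setPolicy("/", acl);
        admin.save();
    }

    /** Returns the ACL already bound to the path, or an applicable one if none is set yet. */
    static JackrabbitAccessControlList findAcl(AccessControlManager acm, String path)
            throws RepositoryException {
        for (AccessControlPolicy pol : acm.getPolicies(path)) {
            if (pol instanceof JackrabbitAccessControlList) return (JackrabbitAccessControlList) pol;
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (it.hasNext()) {
            AccessControlPolicy pol = it.nextAccessControlPolicy();
            if (pol instanceof JackrabbitAccessControlList) return (JackrabbitAccessControlList) pol;
        }
        throw new RepositoryException("no editable ACL at " + path);
    }

    /** Logs in as the restricted user and checks: root is readable, no child node is visible. */
    static boolean rootOnlyVisible(Repository repo, String user, char[] pw) throws RepositoryException {
        Session s = repo.login(new SimpleCredentials(user, pw));
        try {
            return s.nodeExists("/") && !s.getRootNode().getNodes().hasNext();
        } finally {
            s.logout();
        }
    }
}
```

Running rootOnlyVisible once against an in-process Repository and once against one obtained over davex separates the effect of the ACL from the behaviour of the remoting layer.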
