jackrabbit-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Markus Joschko <markus.josc...@gmail.com>
Subject Re: Restrict read rights to root node and the davex connection
Date Fri, 23 Sep 2011 20:59:31 GMT
OK, I found the reason for the NullPointerException:
The restrictions do not allow any property to be sent to the client.
Therefore the nodeTypeName (jcr:primaryType) is null which should
(according to this comment in NodeImpl) never be the case:

  if (!session.getNodeTypeManager().hasNodeType(nodeTypeName)) {
            // should not occur. Since nodetypes are defined by the 'server'
            // its not possible to determine a fallback nodetype that is
            // always available.
            throw new IllegalArgumentException("Unknown nodetype " +
LogUtil.saveGetJCRName(nodeTypeName, session.getNameResolver()));
  }

If I allow in addition the jcr:primaryType to be read, the davex
client works fine.

Is this a bug or expected behaviour?

Regards,
 Markus



On Wed, Sep 21, 2011 at 10:57 PM, Markus Joschko
<markus.joschko@gmail.com> wrote:
> In my quest to secure the access to the repository I removed the
> everyone read access from the root node.
> That leads to the situation where my users can't login any longer (I
> guess it's the workspacemanager that denies the access as the users
> now don't have read rights to root any longer).
>
> I therefore tried to create some access rules to solely access the
> root node (not the descendants of it, as I don't want to work with
> denys).
> To get there I added a path based entry to the users AccessControlList
> that is valid for "/" and has a restriction which is rep:glob -> ""
>
> That seems to work fine when I login in code: I don't see a node below "/".
> However if I try to login via webdav with the cli, I get the exception:
>
> exception: java.lang.NullPointerException
> message: null
>
> display stack trace? [y/n]y
> java.lang.NullPointerException
>        at org.apache.jackrabbit.spi.commons.conversion.ParsingNameResolver.getJCRName(ParsingNameResolver.java:79)
>        at org.apache.jackrabbit.spi.commons.conversion.CachingNameResolver.getJCRName(CachingNameResolver.java:95)
>        at org.apache.jackrabbit.spi.commons.conversion.DefaultNamePathResolver.getJCRName(DefaultNamePathResolver.java:78)
>        at org.apache.jackrabbit.jcr2spi.util.LogUtil.saveGetJCRName(LogUtil.java:89)
>        at org.apache.jackrabbit.jcr2spi.NodeImpl.<init>(NodeImpl.java:104)
>        at org.apache.jackrabbit.jcr2spi.ItemManagerImpl.createNodeInstance(ItemManagerImpl.java:322)
>        at org.apache.jackrabbit.jcr2spi.ItemManagerImpl.created(ItemManagerImpl.java:347)
>        at org.apache.jackrabbit.jcr2spi.state.AbstractItemStateFactory.notifyCreated(AbstractItemStateFactory.java:74)
>        at org.apache.jackrabbit.jcr2spi.state.TransientISFactory.created(TransientISFactory.java:153)
>        at org.apache.jackrabbit.jcr2spi.state.AbstractItemStateFactory.notifyCreated(AbstractItemStateFactory.java:74)
>        at org.apache.jackrabbit.jcr2spi.state.WorkspaceItemStateFactory.createNodeState(WorkspaceItemStateFactory.java:349)
>        at org.apache.jackrabbit.jcr2spi.state.WorkspaceItemStateFactory.createNodeState(WorkspaceItemStateFactory.java:101)
>        at org.apache.jackrabbit.jcr2spi.state.TransientISFactory.createNodeState(TransientISFactory.java:97)
>        at org.apache.jackrabbit.jcr2spi.hierarchy.NodeEntryImpl.doResolve(NodeEntryImpl.java:990)
>        at org.apache.jackrabbit.jcr2spi.hierarchy.HierarchyEntryImpl.resolve(HierarchyEntryImpl.java:134)
>        at org.apache.jackrabbit.jcr2spi.hierarchy.HierarchyEntryImpl.getItemState(HierarchyEntryImpl.java:253)
>        at org.apache.jackrabbit.jcr2spi.ItemManagerImpl.getItem(ItemManagerImpl.java:199)
>        at org.apache.jackrabbit.jcr2spi.SessionImpl.getRootNode(SessionImpl.java:233)
>        at org.apache.jackrabbit.standalone.cli.core.Login.execute(Login.java:84)
>        at org.apache.jackrabbit.standalone.cli.JcrClient.runCommand(JcrClient.java:255)
>        at org.apache.jackrabbit.standalone.cli.JcrClient.runInteractive(JcrClient.java:210)
>        at org.apache.jackrabbit.standalone.Main.run(Main.java:145)
>        at org.apache.jackrabbit.standalone.Main.main(Main.java:61)
>
>
> Any idea what that is about? I also tried the resource based ACL
> instead of the path based with basically the same effect.
>
>
> Another thing I don't understand is what happens when I use rep:glob
> -> "*" instead. That gives me a
>
> exception: javax.jcr.RepositoryException
> message: Unauthorized
>
> display stack trace? [y/n]y
> javax.jcr.RepositoryException: Unauthorized
>        at org.apache.jackrabbit.spi2dav.ExceptionConverter.generate(ExceptionConverter.java:120)
>        at org.apache.jackrabbit.spi2dav.ExceptionConverter.generate(ExceptionConverter.java:51)
>        at org.apache.jackrabbit.spi2dav.ExceptionConverter.generate(ExceptionConverter.java:45)
>        at org.apache.jackrabbit.spi2dav.RepositoryServiceImpl.obtain(RepositoryServiceImpl.java:722)
>        at org.apache.jackrabbit.spi2dav.RepositoryServiceImpl.obtain(RepositoryServiceImpl.java:666)
>        at org.apache.jackrabbit.spi2davex.RepositoryServiceImpl.obtain(RepositoryServiceImpl.java:273)
>        at org.apache.jackrabbit.jcr2spi.RepositoryImpl.login(RepositoryImpl.java:151)
>        at org.apache.jackrabbit.commons.AbstractRepository.login(AbstractRepository.java:123)
>        at org.apache.jackrabbit.standalone.cli.core.Login.execute(Login.java:79)
>        at org.apache.jackrabbit.standalone.cli.JcrClient.runCommand(JcrClient.java:255)
>        at org.apache.jackrabbit.standalone.cli.JcrClient.runInteractive(JcrClient.java:210)
>        at org.apache.jackrabbit.standalone.Main.run(Main.java:145)
>        at org.apache.jackrabbit.standalone.Main.main(Main.java:61)
> Caused by: org.apache.jackrabbit.webdav.DavException: Unauthorized
>        at org.apache.jackrabbit.webdav.client.methods.DavMethodBase.getResponseException(DavMethodBase.java:162)
>        at org.apache.jackrabbit.webdav.client.methods.DavMethodBase.getResponseBodyAsMultiStatus(DavMethodBase.java:91)
>        at org.apache.jackrabbit.spi2dav.RepositoryServiceImpl.obtain(RepositoryServiceImpl.java:694)
>        ... 9 more
>
> According to the javadoc the "*" allows  "access to all siblings of
> foo and foo's and the siblings' descendants."
> Doesn't that include "/" in this case?
>
> Thanks,
>  Markus
>

Mime
View raw message