jackrabbit-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Angela Schreiber <anch...@adobe.com>
Subject Re: using workspaceaccessmanager with removed read-access for everyone from a principal ACL based workspace
Date Wed, 30 May 2012 08:23:03 GMT
hi

well... either you place your implementation in a package that
has access to the internals. or you could create a security
manager extensions and use the protected method or you don't
use the access control provider to retrieve the information
needed. e.g. you could also check if the acl node you are
looking for really exists... again these are again just
suggestions, how you could get there...

regards
angela

On 5/25/12 11:28 AM, Malzer Ferdinand OSP sIT wrote:
> hello angela,
> we have investigated a lot of hours without any useable result. we find no way to get
to the AccessControlProvider from WorkspaceAccessManager#grants method.
>
> do you have any idea how to get the AccessControlProvider?
>
>
>
> to get a look behind the scene we made some tests with the SimpleAccessWorkspacemanager.
>
> we use the following configuration:
>
> 1.repository config:
>
>      <Security appName="Jackrabbit">
>          <!--
>              security manager:
>              class: FQN of class implementing the JackrabbitSecurityManager interface
>          -->
>          <SecurityManager class="org.apache.jackrabbit.core.DefaultSecurityManager"
workspaceName="security">
>              <WorkspaceAccessManager class="org.apache.jackrabbit.core.security.simple.SimpleWorkspaceAccessManager"/>
>          </SecurityManager>
>
> 2. workspace config
>
>          <WorkspaceSecurity>
>              <AccessControlProvider class="org.apache.jackrabbit.core.security.authorization.principalbased.ACLProvider">
>                  <param name="omit-default-permission" value="true"/>
>              </AccessControlProvider>
>
>          </WorkspaceSecurity>
>
> when we use the org.apache.jackrabbit.core.security.simple.SimpleWorkspaceAccessManager
instead of our own implementation we got the following exception when trying to read the root-node
of the respective workspace.
>
> javax.jcr.AccessDeniedException: cannot read item cafebabe-cafe-babe-cafe-babecafebabe
> 	at org.apache.jackrabbit.core.ItemManager.createItemData(ItemManager.java:844)
> 	at org.apache.jackrabbit.core.ItemManager.getItemData(ItemManager.java:391)
> 	at org.apache.jackrabbit.core.ItemManager.getItem(ItemManager.java:328)
> 	at org.apache.jackrabbit.core.ItemManager.getItem(ItemManager.java:622)
> 	at org.apache.jackrabbit.core.ItemManager.getRootNode(ItemManager.java:531)
> 	at org.apache.jackrabbit.core.SessionImpl.getRootNode(SessionImpl.java:760)
> 	at at.spardat.jackrabbit.test.DumpRepository.main(DumpRepository.java:96)
>
> Do you have any further hints?
>
> best regards
> ferry
>
>
> -----Urspr√ľngliche Nachricht-----
> Von: Malzer Ferdinand OSP sIT
> Gesendet: Mittwoch, 23. Mai 2012 12:13
> An: users@jackrabbit.apache.org
> Betreff: AW: AW: AW: AW: AW: AW: remove read-access for everyone from a principal ACL
based workspace
>
> hello angela,
> the configuration you mentioned in the last mail is exactly what we mean.
>
> Implementing the grants(Set<Principal>  principals, String workspaceName) I wonder
how I could manage to implement a
> getAccessControlProvider(workspaceName) too.
>
> Is there any possibility to remember the AccessControlProvider in the init() method using
the session parameter object?
>
> best regards
> ferry
>
> -----Urspr√ľngliche Nachricht-----
> Von: Angela Schreiber [mailto:anchela@adobe.com]
> Gesendet: Mittwoch, 23. Mai 2012 09:38
> An: users@jackrabbit.apache.org
> Betreff: Re: AW: AW: AW: AW: AW: remove read-access for everyone from a principal ACL
based workspace
>
> hi ferry
>
>> we don't want to define users per workspace because most of our users
>> will have access to different workspaces.
>> Therefore we would like to use the security workspace which comes with the DefaultSecurityManager.
>
> ok.
>
>> Furthermore a user should only access workspaces where he has a defined ACL in that
workspace.
>
> ... so your implementation of the WorkspaceAccessManager would need to
> verify in some way if there are any acls applying for that subject
> in the target workspace, right?
>
> the implementation of the WorkspaceAccessManager#grants method in
> your custom wsp-ac-manager could for example look something like:
>
> public boolean grants(Set<Principal>  principals, String workspaceName) {
>     AccessControlProvider pvd = getAccessControlProvider(workspaceName);
>     CompiledPermissions cp = ... /* granting everything */
>     AccessControlPolicy[] acls = pvd.getEffectivePolicies(principals, cp);
>     return acls.length>  0;
> }
>
>> to avoid that every user could read every workspace, we create a new workspace
>> with ACLProvider as Workspace-AccessControlProvider with option omit-default-permission=true.
>
> no sure i understand what you do mean with
> Workspace-AccessControlProvider.... imo your config should look as follows:
>
> 1. repository config:
>
> <Repository>
>     [...]
>     <Security appName="...">
>       <SecurityManager
> class="org.apache.jackrabbit.core.DefaultSecurityManager"
> workspaceName="security">
>         <WorkspaceAccessManager class="**your-custom-wsp-access-mgr**"/>
>       </SecurityManager>
>     </Security>
>     [...]
> </Repository>
>
> 2. workspace config
>
> <?xml version="1.0" encoding="UTF-8"?>
> <Workspace name="...">
>     [...]
>     <WorkspaceSecurity>
>        <AccessControlProvider
> class="org.apache.jackrabbit.core.security.authorization.principalbased.AccessControlProvider">
>          <param name="omit-default-permission" value="true"/>
>        </AccessControlProvider>
>     </WorkspaceSecurity>
>     [...]
> </Workspace>
>
> hope that helps
> angela
>
>
>

Mime
View raw message