jackrabbit-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Malzer Ferdinand OSP sIT <Ferdinand.Mal...@s-itsolutions.at>
Subject AW: AW: AW: AW: AW: AW: remove read-access for everyone from a principal ACL based workspace
Date Wed, 23 May 2012 10:13:22 GMT
hello angela,
the configuration you mentioned in the last mail is exactly what we mean.

Implementing the grants(Set<Principal> principals, String workspaceName) I wonder how
I could manage to implement a 
getAccessControlProvider(workspaceName) too.

Is there any possibility to remember the AccessControlProvider in the init() method using
the session parameter object?

best regards
ferry

-----Urspr√ľngliche Nachricht-----
Von: Angela Schreiber [mailto:anchela@adobe.com] 
Gesendet: Mittwoch, 23. Mai 2012 09:38
An: users@jackrabbit.apache.org
Betreff: Re: AW: AW: AW: AW: AW: remove read-access for everyone from a principal ACL based
workspace

hi ferry

> we don't want to define users per workspace because most of our users
> will have access to different workspaces.
> Therefore we would like to use the security workspace which comes with the DefaultSecurityManager.

ok.

> Furthermore a user should only access workspaces where he has a defined ACL in that workspace.

... so your implementation of the WorkspaceAccessManager would need to
verify in some way if there are any acls applying for that subject
in the target workspace, right?

the implementation of the WorkspaceAccessManager#grants method in
your custom wsp-ac-manager could for example look something like:

public boolean grants(Set<Principal> principals, String workspaceName) {
   AccessControlProvider pvd = getAccessControlProvider(workspaceName);
   CompiledPermissions cp = ... /* granting everything */
   AccessControlPolicy[] acls = pvd.getEffectivePolicies(principals, cp);
   return acls.length > 0;
}

> to avoid that every user could read every workspace, we create a new workspace
> with ACLProvider as Workspace-AccessControlProvider with option omit-default-permission=true.

no sure i understand what you do mean with 
Workspace-AccessControlProvider.... imo your config should look as follows:

1. repository config:

<Repository>
   [...]
   <Security appName="...">
     <SecurityManager 
class="org.apache.jackrabbit.core.DefaultSecurityManager" 
workspaceName="security">
       <WorkspaceAccessManager class="**your-custom-wsp-access-mgr**"/>
     </SecurityManager>
   </Security>
   [...]
</Repository>

2. workspace config

<?xml version="1.0" encoding="UTF-8"?>
<Workspace name="...">
   [...]
   <WorkspaceSecurity>
      <AccessControlProvider 
class="org.apache.jackrabbit.core.security.authorization.principalbased.AccessControlProvider">
        <param name="omit-default-permission" value="true"/>
      </AccessControlProvider>
   </WorkspaceSecurity>
   [...]
</Workspace>

hope that helps
angela




Mime
View raw message