Message-ID: <4FC5D8E7.8010405@adobe.com>
Date: Wed, 30 May 2012 10:23:03 +0200
From: Angela Schreiber
To: users@jackrabbit.apache.org
Subject: Re: using workspaceaccessmanager with removed read-access for everyone from a principal ACL based workspace

hi

well... either you place your implementation in a package that has
access to the internals. or you could create a security manager
extension and use the protected method. or you don't use the access
control provider to retrieve the information needed. e.g. you could
also check if the acl node you are looking for really exists...

again these are just suggestions, how you could get there...

regards
angela

On 5/25/12 11:28 AM, Malzer Ferdinand OSP sIT wrote:
> hello angela,
> we have investigated a lot of hours without any usable result. we find
> no way to get to the AccessControlProvider from the
> WorkspaceAccessManager#grants method.
>
> do you have any idea how to get the AccessControlProvider?
>
> to get a look behind the scenes we made some tests with the
> SimpleAccessWorkspacemanager.
>
> we use the following configuration:
>
> 1. repository config:
>
> 2. workspace config
>
> when we use the
> org.apache.jackrabbit.core.security.simple.SimpleWorkspaceAccessManager
> instead of our own implementation we got the following exception when
> trying to read the root node of the respective workspace.
>
> javax.jcr.AccessDeniedException: cannot read item cafebabe-cafe-babe-cafe-babecafebabe
>     at org.apache.jackrabbit.core.ItemManager.createItemData(ItemManager.java:844)
>     at org.apache.jackrabbit.core.ItemManager.getItemData(ItemManager.java:391)
>     at org.apache.jackrabbit.core.ItemManager.getItem(ItemManager.java:328)
>     at org.apache.jackrabbit.core.ItemManager.getItem(ItemManager.java:622)
>     at org.apache.jackrabbit.core.ItemManager.getRootNode(ItemManager.java:531)
>     at org.apache.jackrabbit.core.SessionImpl.getRootNode(SessionImpl.java:760)
>     at at.spardat.jackrabbit.test.DumpRepository.main(DumpRepository.java:96)
>
> Do you have any further hints?
>
> best regards
> ferry
>
> -----Original Message-----
> From: Malzer Ferdinand OSP sIT
> Sent: Wednesday, 23 May 2012 12:13
> To: users@jackrabbit.apache.org
> Subject: AW: AW: AW: AW: AW: AW: remove read-access for everyone from a principal ACL based workspace
>
> hello angela,
> the configuration you mentioned in the last mail is exactly what we mean.
>
> Implementing the grants(Set principals, String workspaceName) method I
> wonder how I could manage to implement a
> getAccessControlProvider(workspaceName) too.
>
> Is there any possibility to remember the AccessControlProvider in the
> init() method using the session parameter object?
>
> best regards
> ferry
>
> -----Original Message-----
> From: Angela Schreiber [mailto:anchela@adobe.com]
> Sent: Wednesday, 23 May 2012 09:38
> To: users@jackrabbit.apache.org
> Subject: Re: AW: AW: AW: AW: AW: remove read-access for everyone from a principal ACL based workspace
>
> hi ferry
>
>> we don't want to define users per workspace because most of our users
>> will have access to different workspaces.
>> Therefore we would like to use the security workspace which comes with
>> the DefaultSecurityManager.
>
> ok.
>
>> Furthermore a user should only access workspaces where he has a
>> defined ACL in that workspace.
>
> ... so your implementation of the WorkspaceAccessManager would need to
> verify in some way if there are any acls applying for that subject
> in the target workspace, right?
>
> the implementation of the WorkspaceAccessManager#grants method in
> your custom wsp-ac-manager could for example look something like:
>
> public boolean grants(Set principals, String workspaceName) {
>     AccessControlProvider pvd = getAccessControlProvider(workspaceName);
>     CompiledPermissions cp = ... /* granting everything */
>     AccessControlPolicy[] acls = pvd.getEffectivePolicies(principals, cp);
>     return acls.length > 0;
> }
>
>> to avoid that every user could read every workspace, we create a new
>> workspace with ACLProvider as Workspace-AccessControlProvider with
>> option omit-default-permission=true.
>
> not sure i understand what you mean with
> Workspace-AccessControlProvider.... imo your config should look as follows:
>
> 1. repository config:
>
> [...]
> class="org.apache.jackrabbit.core.DefaultSecurityManager"
> workspaceName="security">
> [...]
>
> 2. workspace config
>
> [...]
> class="org.apache.jackrabbit.core.security.authorization.principalbased.AccessControlProvider">
> [...]
>
> hope that helps
> angela
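Putting Angela's second suggestion (a security manager extension that reaches the protected getAccessControlProvider method) together with her grants sketch, as an added example that is neither code from this thread nor from the Jackrabbit project. It assumes Jackrabbit 2.x, where DefaultSecurityManager falls back to a protected createDefaultWorkspaceAccessManager() hook when repository.xml configures no WorkspaceAccessManager, that AccessControlProvider offers isAdminOrSystem and compilePermissions, and that compiling permissions for a SystemPrincipal yields all-granting permissions; the class name AclGatedSecurityManager and its package placement are hypothetical.

```java
// Assumption: placed in org.apache.jackrabbit.core so that the protected
// DefaultSecurityManager#getAccessControlProvider(String) is reachable.
package org.apache.jackrabbit.core;

import java.security.Principal;
import java.util.Collections;
import java.util.Set;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlPolicy;
import org.apache.jackrabbit.core.security.SystemPrincipal;
import org.apache.jackrabbit.core.security.authorization.AccessControlProvider;
import org.apache.jackrabbit.core.security.authorization.CompiledPermissions;
import org.apache.jackrabbit.core.security.authorization.WorkspaceAccessManager;

/** Grants workspace access only to subjects that have an effective ACL there. */
public class AclGatedSecurityManager extends DefaultSecurityManager {
    // Assumption: DefaultSecurityManager calls this hook when repository.xml
    // configures no WorkspaceAccessManager of its own.
    @Override
    protected WorkspaceAccessManager createDefaultWorkspaceAccessManager() {
        return new AclGatedWorkspaceAccessManager();
    }

    private class AclGatedWorkspaceAccessManager implements WorkspaceAccessManager {
        public void init(Session systemSession) {
            // nothing to keep: the enclosing manager resolves providers per workspace
        }

        public void close() { }

        public boolean grants(Set<Principal> principals, String workspaceName)
                throws RepositoryException {
            AccessControlProvider pvd = getAccessControlProvider(workspaceName);
            // admin and system sessions must never be locked out of a workspace
            if (pvd.isAdminOrSystem(principals)) {
                return true;
            }
            // evaluate with all-granting permissions so no policy node is hidden
            CompiledPermissions all = pvd.compilePermissions(
                    Collections.<Principal>singleton(new SystemPrincipal()));
            try {
                AccessControlPolicy[] acls = pvd.getEffectivePolicies(principals, all);
                return acls.length > 0;
            } finally {
                all.close();
            }
        }
    }
}
```

Reference this class in the SecurityManager element of repository.xml in place of DefaultSecurityManager and omit the WorkspaceAccessManager element; a subject that is neither admin nor system is then admitted to a workspace only when at least one ACL is effective for it there, instead of failing later with the AccessDeniedException on the root node shown above.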