From: Malzer Ferdinand OSP sIT
To: users@jackrabbit.apache.org
Subject: using WorkspaceAccessManager with removed read-access for everyone from a principal ACL based workspace
Date: Fri, 25 May 2012 09:28:31 +0000
List: users@jackrabbit.apache.org

hello angela,

we have investigated for many hours without any usable result. we find no way to get to the AccessControlProvider from the WorkspaceAccessManager#grants method. do you have any idea how to get the AccessControlProvider?

to get a look behind the scenes we made some tests with the SimpleWorkspaceAccessManager. we use the following configuration:

1. repository config:

2. workspace config

when we use org.apache.jackrabbit.core.security.simple.SimpleWorkspaceAccessManager instead of our own implementation we get the following exception when trying to read the root node of the respective workspace.

    javax.jcr.AccessDeniedException: cannot read item cafebabe-cafe-babe-cafe-babecafebabe
        at org.apache.jackrabbit.core.ItemManager.createItemData(ItemManager.java:844)
        at org.apache.jackrabbit.core.ItemManager.getItemData(ItemManager.java:391)
        at org.apache.jackrabbit.core.ItemManager.getItem(ItemManager.java:328)
        at org.apache.jackrabbit.core.ItemManager.getItem(ItemManager.java:622)
        at org.apache.jackrabbit.core.ItemManager.getRootNode(ItemManager.java:531)
        at org.apache.jackrabbit.core.SessionImpl.getRootNode(SessionImpl.java:760)
        at at.spardat.jackrabbit.test.DumpRepository.main(DumpRepository.java:96)

do you have any further hints?

best regards
ferry

-----Original message-----
From: Malzer Ferdinand OSP sIT
Sent: Wednesday, 23 May 2012 12:13
To: users@jackrabbit.apache.org
Subject: RE: RE: RE: RE: RE: RE: remove read-access for everyone from a principal ACL based workspace

hello angela,

the configuration you mentioned in the last mail is exactly what we mean. implementing grants(Set<Principal> principals, String workspaceName), I wonder how I could manage to implement a getAccessControlProvider(workspaceName) too.

is there any possibility to remember the AccessControlProvider in the init() method using the session parameter object?

best regards
ferry

-----Original message-----
From: Angela Schreiber [mailto:anchela@adobe.com]
Sent: Wednesday, 23 May 2012 09:38
To: users@jackrabbit.apache.org
Subject: Re: RE: RE: RE: RE: RE: remove read-access for everyone from a principal ACL based workspace

hi ferry

> we don't want to define users per workspace because most of our users
> will have access to different workspaces.
> therefore we would like to use the security workspace which comes with the DefaultSecurityManager.

ok.

> furthermore a user should only access workspaces where he has a defined ACL in that workspace.
...

so your implementation of the WorkspaceAccessManager would need to verify in some way if there are any ACLs applying to that subject in the target workspace, right?

the implementation of the WorkspaceAccessManager#grants method in your custom wsp-ac-manager could for example look something like:

    public boolean grants(Set<Principal> principals, String workspaceName) throws RepositoryException {
        // provider of the target workspace, evaluated with permissions that grant everything
        AccessControlProvider pvd = getAccessControlProvider(workspaceName);
        CompiledPermissions cp = ... /* granting everything */
        AccessControlPolicy[] acls = pvd.getEffectivePolicies(principals, cp);
        return acls.length > 0;
    }

> to avoid that every user could read every workspace, we create a new workspace
> with ACLProvider as Workspace-AccessControlProvider with option omit-default-permission=true.

not sure i understand what you mean with Workspace-AccessControlProvider....

imo your config should look as follows:

1. repository config:
[...]
[...]

2. workspace config
[...]
[...]

hope that helps
angela
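A complete WorkspaceAccessManager along the lines Angela sketches, added here as an example; it is neither code from this thread nor code shipped with Jackrabbit. It sidesteps the question of how to reach the AccessControlProvider: the system session handed to init() is used to open a session on the target workspace, and the JackrabbitAccessControlManager of that session is asked which policies are effective for the subject's principals. Assumptions: the package and class name, and that SessionImpl#createSession(String) opens a session on another workspace for the same subject. The WorkspaceAccessManager and JackrabbitAccessControlManager signatures are the public Jackrabbit 2.x ones.

```java
package example.security; // hypothetical package, not from the thread

import java.security.Principal;
import java.util.Set;

import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;

import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.core.SessionImpl;
import org.apache.jackrabbit.core.security.authorization.WorkspaceAccessManager;

/**
 * Grants access to a workspace only if at least one access control policy
 * in that workspace is effective for one of the subject's principals.
 * Everything else (unknown workspace, no policies, no Jackrabbit AC manager)
 * is a deny, so a misconfiguration fails closed rather than open.
 */
public class AclBasedWorkspaceAccessManager implements WorkspaceAccessManager {

    private SessionImpl systemSession;

    public void init(Session systemSession) throws RepositoryException {
        // Jackrabbit calls init() once with a system session on the default
        // workspace; it is kept only to derive per-workspace sessions later.
        this.systemSession = (SessionImpl) systemSession;
    }

    public void close() throws RepositoryException {
        systemSession = null;
    }

    public boolean grants(Set<Principal> principals, String workspaceName)
            throws RepositoryException {
        if (systemSession == null || principals == null || principals.isEmpty()) {
            return false;
        }
        // Assumption: createSession(String) opens a session on the named
        // workspace for the system subject. A NoSuchWorkspaceException
        // propagates to the caller, which already expects RepositoryException.
        Session wspSession = systemSession.createSession(workspaceName);
        try {
            AccessControlManager acMgr = wspSession.getAccessControlManager();
            if (!(acMgr instanceof JackrabbitAccessControlManager)) {
                // Without the Jackrabbit extension there is no per-principal
                // policy lookup; deny instead of guessing.
                return false;
            }
            // The system session has full permissions, which plays the role of
            // the "granting everything" CompiledPermissions in Angela's sketch.
            AccessControlPolicy[] effective =
                    ((JackrabbitAccessControlManager) acMgr).getEffectivePolicies(principals);
            return effective != null && effective.length > 0;
        } finally {
            // Never leak the per-check session.
            wspSession.logout();
        }
    }
}
```

Wiring: the class is registered in repository.xml under the SecurityManager element, as WorkspaceAccessManager class="example.security.AclBasedWorkspaceAccessManager", beside the security workspace setting Ferry already uses. One caveat for the "remove read-access for everyone" goal of the thread: if an ACL for the everyone principal is still present in a workspace, every authenticated subject carries that principal and this check grants the workspace, so the everyone entries really have to be gone, not merely emptied.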