I have been able to narrow this down further, and have a test case for it (attached, can be dropped into org.apache.jackrabbit.core.integration to be run).

Hi

I'm working with Jackrabbit 2.4.2 and have the following scenario:
- Create a session for a non-admin user account.
- Cast the session to an XAResource, generate a new transaction ID and start a transaction (like org.apache.jackrabbit.core.UserTransactionImpl).
- Use the session to create a new node, record its identifier then set some properties and save the session.
- After some further processing logic not using Jackrabbit, attempt to get the new node via its identifier.
- javax.jcr.ItemNotFoundException is thrown from inside org.apache.jackrabbit.core.security.authorization.acl.CompiledPermissionsImpl.canRead when it uses an ItemManager instance to get the new node.

I have debugged through my code and the Jackrabbit code it calls, and can see the following:
- My new node is present in the item cache for my session, which is retrieved ok by the getNodeByIdentifier() call.
- The permissions check above tries to retrieve my node by id using a different (system) session in the DefaultAccessManager, which doesn't have my node in its cache. This attempts to read the node from the persistence layer as a result, which fails as the data won't be there because of the transaction.

If I perform the same operation with an admin account, it works fine as the can-read check is short-circuited to always return true.

Is there something I'm missing in how access control should be configured, or how I'm using transactions?

Thanks in advance,
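
The steps listed in the post, written out as an added example (not the poster's attached test case and not Jackrabbit's own code). It assumes a running repository passed in as `repo` and a hypothetical non-admin account that is allowed to add nodes under the root; it obtains the `XAResource` through the public `XASession.getXAResource()` accessor rather than a direct cast, and the class, node and property names are hypothetical.

```java
import javax.jcr.ItemNotFoundException;
import javax.jcr.Node;
import javax.jcr.Repository;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.transaction.xa.XAResource;
import javax.transaction.xa.Xid;
import org.apache.jackrabbit.api.XASession;

public class TxReadCheckRepro {

    /** Minimal Xid; the id byte is an arbitrary constructed value. */
    static final class SimpleXid implements Xid {
        private final byte[] gtrid;
        SimpleXid(byte id) { gtrid = new byte[] { id }; }
        public int getFormatId() { return 0; }
        public byte[] getGlobalTransactionId() { return gtrid.clone(); }
        public byte[] getBranchQualifier() { return new byte[0]; }
    }

    /**
     * Creates and saves a node inside an open XA transaction, then re-reads
     * it by identifier before commit. Returns true if the read succeeds,
     * false if ItemNotFoundException is thrown (the behaviour in the post).
     */
    static boolean readBackInsideTx(Repository repo, String user, char[] pw)
            throws Exception {
        Session session = repo.login(new SimpleCredentials(user, pw));
        XAResource xa = ((XASession) session).getXAResource();
        Xid xid = new SimpleXid((byte) 1);
        xa.start(xid, XAResource.TMNOFLAGS);
        try {
            Node node = session.getRootNode().addNode("txReadCheck");
            String id = node.getIdentifier();
            node.setProperty("state", "new");
            session.save();                       // saved, not yet committed
            try {
                session.getNodeByIdentifier(id);  // read goes through the access check
                return true;
            } catch (ItemNotFoundException e) {
                return false;
            }
        } finally {
            xa.end(xid, XAResource.TMFAIL);
            xa.rollback(xid);                     // leave the repository unchanged
            session.logout();
        }
    }
}
```

Running the same method once with the non-admin account and once with an admin account gives the comparison the post describes.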