jackrabbit-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Karsten Priegnitz <k...@petoria.de>
Subject Re: Access control
Date Wed, 26 Aug 2015 10:16:17 GMT
What exactly did you do to make it work? K

Atif Manzoor <atif.manzoor@gmail.com> schrieb:

>Hi Clay and Robert, it turned out that I was not properly configuring my
>repository, so it does not have any ACL attached to it. It have been
>working fine now.
>
>Thanks for your suggestions.
>
>Kind regards,
>Atif
>
>On Tue, Aug 25, 2015 at 4:15 PM, Clay Ferguson <wclayf@gmail.com> wrote:
>
>> ‚ÄčI'm experimenting with meta64.com discussion capability. Who wants to
>> discuss this stuff on there, and see if the meta64 works well as a
>> discussion engine? I'm trying to make Social Media a federated free
>> commodity, rather than monopolizedy by Diqus, Facebook, etc. Join me...
>>
>> http://meta64.com?id=/wclayf/public/oak-jackrabbit-discussions
>>
>> Best regards,
>> Clay Ferguson
>> wclayf@gmail.com
>>
>>
>> On Tue, Aug 25, 2015 at 9:51 AM, Robert Munteanu <rombert@apache.org>
>> wrote:
>>
>> > Hi,
>> >
>> > On Tue, 2015-08-25 at 09:44 -0500, Clay Ferguson wrote:
>> > > Atif, just beware that the "addChildren" privilege doesn't work as
>> > > one
>> > > would expect. If you want a principle to be able to add children to a
>> > > node
>> > > you must add ALL of the following privileges:
>> > >
>> > > "read", "write", "addChildren", "nodeTypeManagement"
>> >
>> > I think you can simply use rep:write ( not jcr:write ) as a shorthand.
>> >
>> > >
>> > > That costed me many hours of headache, and at least one other person
>> > > also.
>> > > My personal belief this functionality requirement was an accident
>> > > rather
>> > > than by design and no one who is an Adobe customer has complained so
>> > > they
>> > > are leaving it as is.
>> >
>> > As far as I can tell the behaviour is according to the Access Control
>> > Management chapter of the JCR 2.0 specification [1]. If there's a gap
>> > between the spec and the implementation it's definitely worth a bug
>> > report.
>> >
>> > Cheers,
>> >
>> > Robert
>> >
>> > [1]: http://www.day.com/specs/jcr/2.0/16_Access_Control_Management.html
>> > #16.2.3%20Standard%20Privileges
>> >
>> > >
>> > >
>> > > Best regards,
>> > > Clay Ferguson
>> > > wclayf@gmail.com
>> > >
>> > >
>> > > On Tue, Aug 25, 2015 at 5:05 AM, Atif Manzoor <atif.manzoor@gmail.com
>> > > >
>> > > wrote:
>> > >
>> > > > Hi Karsten
>> > > >
>> > > > No actually I was just trying out the simplest case to control
>> > > > access to a
>> > > > particular code. At later stage I will allow or restrict read /
>> > > > write
>> > > > access to a node for different users.
>> > > >
>> > > > Kind regards,
>> > > > Atif
>> > > >
>> > > > On Tue, Aug 25, 2015 at 10:53 AM, Karsten Priegnitz <
>> > > > koem@petoria.de>
>> > > > wrote:
>> > > >
>> > > > > Hi Atif
>> > > > >
>> > > > > reading your code it seems to me you just want to add JCR_ALL
>> > > > > privileges
>> > > > > to some user. This is what allow() does. No need to do something
>> > > > > else.
>> > > > And:
>> > > > > "admin" normally already has these privileges.
>> > > > >
>> > > > > I'd try this (not tested)
>> > > > >
>> > > > > AccessControlUtils.allow(session.getRootNode(),
>> > > > > EveryonePrincipal.getInstance()
>> > > > > .getName(), Privilege.JCR_ALL);
>> > > > >
>> > > > >
>> > > > > What do you want to accomplish? Make everyone admin?
>> > > > >
>> > > > >
>> > > > > Karsten R. Priegnitz
>> > > > >
>> > > > > programmierer | web-entwickler | linux administrator | digitaler
>> > > > > nomade
>> > > > > business: kontakt <http://petoria.de/portfolio/contact-about/>
|
>> > > > > portfolio <http://petoria.de/portfolio/>
>> > > > > -----------------------------------------------------------------
>> > > > > -------
>> > > > >
>> > > > > Am 25.08.2015 um 10:54 schrieb Atif Manzoor:
>> > > > >
>> > > > > > Hi Karsten
>> > > > > >
>> > > > > > Thanks a lot for your help. I tried AccessControlUtils.allow(),
>> > > > > > however
>> > > > > > AccessControlUtils.getACL() is still returning NULL. I think
I
>> > > > > > may have
>> > > > > > also have to do something else to enable access control
that
>> > > > > > particular
>> > > > > > node. Following is my code complete code that tried
>> > > > > > AccessControlUtils.
>> > > > I
>> > > > > > am still getting Null for acl.
>> > > > > >
>> > > > > > Repository repository = new  TransientRepository();
>> > > > > > Session session = repository.login(new
>> > > > > > SimpleCredentials("admin",
>> > > > > > "password".toCharArray()));
>> > > > > > Node root = session.getRootNode();
>> > > > > > root.addNode("leftChild");
>> > > > > > root.addNode("rightChild");
>> > > > > >
>> > > > > > session.save();
>> > > > > > String path = session.getRootNode().getPath();
>> > > > > > System.out.println(path);
>> > > > > > AccessControlManager acm = session.getAccessControlManager();
>> > > > > > AccessControlUtils.allow(session.getRootNode(), "admin",
>> > > > > > Privilege.JCR_ALL);
>> > > > > > AccessControlList acl =
>> > > > > > AccessControlUtils.getAccessControlList(session,
>> > > > > > path);
>> > > > > > for (AccessControlEntry e : acl.getAccessControlEntries())
{
>> > > > > > acl.removeAccessControlEntry(e);
>> > > > > > }
>> > > > > > acl.addAccessControlEntry(EveryonePrincipal.getInstance(),
new
>> > > > Privilege[]
>> > > > > > { acm
>> > > > > > .privilegeFromName(Privilege.JCR_ALL) });
>> > > > > > acm.setPolicy(path, acl);
>> > > > > > session.save();
>> > > > > >
>> > > > > > Regards,
>> > > > > > Atif
>> > > > > >
>> > > > > > On Tue, Aug 25, 2015 at 7:46 AM, Karsten Priegnitz <
>> > > > > > koem@petoria.de>
>> > > > > > wrote:
>> > > > > >
>> > > > > > Hi Atif,
>> > > > > > >
>> > > > > > > I had the same problem as you and then I found
>> > > > > > >
>> > > > > > >
>> > > > org.apache.jackrabbit.commons.jackrabbit.authorization.AccessContro
>> > > > lUtils:
>> > > > > > >
>> > > > > > > and that's all:
>> > > > > > > AccessControlUtils.allow(session.getRootNode(),
>> > > > username,
>> > > > > > > Privilege.JCR_ALL);
>> > > > > > >
>> > > > > > > Best
>> > > > > > > Karsten
>> > > > > > >
>> > > > > > >
>> > > > > > >
>> > > > > > > Karsten R. Priegnitz
>> > > > > > >
>> > > > > > > programmierer | web-entwickler | linux administrator
|
>> > > > > > > digitaler nomade
>> > > > > > > business: kontakt <http://petoria.de/portfolio/contact-about/
>> > > > > > > > |
>> > > > > > > portfolio <http://petoria.de/portfolio/>
>> > > > > > >
>> > > > -------------------------------------------------------------------
>> > > > -----
>> > > > > > >
>> > > > > > >
>> > > > > > > Am 24.08.2015 um 22:40 schrieb Clay Ferguson:
>> > > > > > >
>> > > > > > > I'm not *that* much of an expert, but it kind of works
by
>> > > > > > > bubbling up
>> > > > > > > > towards the root I believe. So if you query for
ACL on a
>> > > > > > > > node and it
>> > > > > > > > finds
>> > > > > > > > none, that is fine. It just means that node is
effectively
>> > > > > > > > controlled
>> > > > by
>> > > > > > > > an
>> > > > > > > > ancestor. Once you start adding AC L privs the
that root
>> > > > > > > > starts
>> > > > applying
>> > > > > > > > those there and all beneath it on the tree recursively.
By
>> > > > > > > > default
>> > > > > > > > 'admin'
>> > > > > > > > user has full privileges and everyone else has
none. The
>> > > > > > > > session that
>> > > > > > > > creates a node i think by default has all privs
on that
>> > > > > > > > node, but i'd
>> > > > > > > > have
>> > > > > > > > to check my code...I might be adding privs when
creating.
>> > > > > > > > Look at my
>> > > > > > > > "controller" class, and that is the top level,
and a lot of
>> > > > > > > > stuff like
>> > > > > > > > creating new nodes, moving nodes, adding ACLs
etc can be
>> > > > > > > > sussed out by
>> > > > > > > > just
>> > > > > > > > looking at my code and not even running it. It's
not too
>> > > > > > > > complicated.
>> > > > > > > > Does
>> > > > > > > > that answer the question?
>> > > > > > > >
>> > > > > > > > Best regards,
>> > > > > > > > Clay Ferguson
>> > > > > > > > wclayf@gmail.com
>> > > > > > > >
>> > > > > > > >
>> > > > > > > > On Mon, Aug 24, 2015 at 2:53 PM, Atif Manzoor
<
>> > > > > > > > atif.manzoor@gmail.com
>> > > > >
>> > > > > > > > wrote:
>> > > > > > > >
>> > > > > > > > Hi Clay
>> > > > > > > >
>> > > > > > > > > Thanks a lot for your response. I have been
through your
>> > > > > > > > > code and
>> > > > have
>> > > > > > > > > found that you have also been using
>> > > > > > > > > getApplicablePolicies(path) and
>> > > > > > > > > getPolicies(path) function to get AccessControlList
(ACL)
>> > > > > > > > > object,
>> > > > > > > > > however
>> > > > > > > > > both of these function have not been returning
any ACL
>> > > > > > > > > policies for
>> > > > me.
>> > > > > > > > > In
>> > > > > > > > > words my node does not contain any modifiable
ACL. Can
>> > > > > > > > > you tell me
>> > > > why
>> > > > > > > > > is
>> > > > > > > > > that. What will I have to do, so that the
node should
>> > > > > > > > > also have
>> > > > > > > > > modifiable
>> > > > > > > > > ACL.
>> > > > > > > > >
>> > > > > > > > > Kind regards,
>> > > > > > > > > Atif
>> > > > > > > > >
>> > > > > > > > > On Mon, Aug 24, 2015 at 7:01 PM, Clay Ferguson
<
>> > > > > > > > > wclayf@gmail.com>
>> > > > > > > > > wrote:
>> > > > > > > > >
>> > > > > > > > > Hello Atif,
>> > > > > > > > >
>> > > > > > > > > > You should check out my open source
project:
>> > > > > > > > > > https://github.com/Clay-Ferguson/meta64
>> > > > > > > > > >
>> > > > > > > > > > Download the zip and search for the
words 'privilege'
>> > > > > > > > > > and/or
>> > > > > > > > > >
>> > > > > > > > > > AccessControl,
>> > > > > > > > >
>> > > > > > > > > etc.
>> > > > > > > > > >
>> > > > > > > > > > The AclService.java class has ability
to do basic
>> > > > > > > > > > listing of
>> > > > > > > > > > privileges
>> > > > > > > > > >
>> > > > > > > > > > for
>> > > > > > > > >
>> > > > > > > > > a node, and adding or removing privileges
from a node,
>> > > > > > > > > and might help
>> > > > > > > > > > you
>> > > > > > > > > > some. Good luck.
>> > > > > > > > > >
>> > > > > > > > > > Best regards,
>> > > > > > > > > > Clay Ferguson
>> > > > > > > > > > wclayf@gmail.com
>> > > > > > > > > >
>> > > > > > > > > >
>> > > > > > > > > > On Mon, Aug 24, 2015 at 12:07 PM, Atif
Manzoor <
>> > > > > > > > > > atif.manzoor@gmail.com>
>> > > > > > > > > > wrote:
>> > > > > > > > > >
>> > > > > > > > > > I am new to Jackrabbit and after going
through the
>> > > > > > > > > > first hops and
>> > > > > > > > > > little
>> > > > > > > > > > bit of documentation, I was trying to
configure Access
>> > > > > > > > > > Control for
>> > > > the
>> > > > > > > > > >
>> > > > > > > > > > > repository nodes. I was extending
ThirdHop tutorial
>> > > > > > > > > > > for that
>> > > > purpose
>> > > > > > > > > > >
>> > > > > > > > > > > and
>> > > > > > > > > > was following access control wiki
>> > > > > > > > > >
>> > > > > > > > > > > http://wiki.apache.org/jackrabbit/AccessControl
and
>> > > > > > > > > > > had the
>> > > > > > > > > > > following
>> > > > > > > > > > > code.
>> > > > > > > > > > >
>> > > > > > > > > > > Session session = repository.login(new
>> > > > SimpleCredentials("username",
>> > > > > > > > > > > "password"
>> > > > > > > > > > > .toCharArray()));
>> > > > > > > > > > > Node node = session.getRootNode();
>> > > > > > > > > > > String path = node.getPath();
>> > > > > > > > > > > AccessControlManager acm =
>> > > > > > > > > > > session.getAccessControlManager();
>> > > > > > > > > > >
>> > > > > > > > > > > Privilege[] privileges = new Privilege[]
{ acm
>> > > > > > > > > > > .privilegeFromName(Privilege.JCR_ALL)
};
>> > > > > > > > > > > AccessControlList acl;
>> > > > > > > > > > > try {
>> > > > > > > > > > > acl = (AccessControlList)
>> > > > > > > > > > > acm.getApplicablePolicies(path)
>> > > > > > > > > > > .nextAccessControlPolicy();
>> > > > > > > > > > > } catch (NoSuchElementException
e) {
>> > > > > > > > > > > acl = (AccessControlList) acm.getPolicies(path)[0];
>> > > > > > > > > > > }
>> > > > > > > > > > > for (AccessControlEntry e :
>> > > > > > > > > > > acl.getAccessControlEntries())
{
>> > > > > > > > > > > acl.removeAccessControlEntry(e);
>> > > > > > > > > > > }
>> > > > > > > > > > > acl.addAccessControlEntry(EveryonePrincipal.getInstan
>> > > > > > > > > > > ce(),
>> > > > > > > > > > > privileges);
>> > > > > > > > > > > acm.setPolicy(path, acl);
>> > > > > > > > > > > session.save();
>> > > > > > > > > > >
>> > > > > > > > > > > My problem is that I could not
get AccessControlList
>> > > > > > > > > > > with this
>> > > > code.
>> > > > > > > > > > >
>> > > > > > > > > > > Both
>> > > > > > > > > > functions (getApplicablePolicies and
getAllPolicies)
>> > > > > > > > > > don't have any
>> > > > > > > > > >
>> > > > > > > > > > > AccessControlList attached with
them. Can you tell me
>> > > > > > > > > > > where I went
>> > > > > > > > > > >
>> > > > > > > > > > > wrong. I
>> > > > > > > > > >
>> > > > > > > > > > have been using the default security
configuration.
>> > > > > > > > > > >
>> > > > > > > > > > > Thanks
>> > > > > > > > > > > Atif
>> > > > > > > > > > >
>> > > > > > > > > > >
>> > > > > > > > > > >
>> > > > >
>> > > >
>> >
>> >
>>
Mime
View raw message