jackrabbit-users mailing list archives

From marco <pioves...@esteco.com>
Subject Re: non-administrator user, how to grant permission on folder
Date Fri, 11 Mar 2016 13:11:00 GMT
Hi Angela,
thanks for the explanation. I tried to set the best-effort option as you
suggested, but I can't make it work.
When I try to set the privileges using the method "AccessControlUtils.allow"
I get the error:
      "javax.jcr.security.AccessControlException: Invalid principal null"

Here are my repository settings:

import java.io.File;
import java.util.Properties;

import org.apache.jackrabbit.oak.jcr.Jcr;
import org.apache.jackrabbit.oak.plugins.segment.SegmentNodeStore;
import org.apache.jackrabbit.oak.plugins.segment.file.FileStore;
import org.apache.jackrabbit.oak.security.SecurityProviderImpl;
import org.apache.jackrabbit.oak.spi.blob.BlobStore;
import org.apache.jackrabbit.oak.spi.blob.FileBlobStore;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
import org.apache.jackrabbit.oak.spi.state.NodeStore;
import org.apache.jackrabbit.oak.spi.xml.ImportBehavior;
import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;

// best-effort import behaviour for access control content ...
Properties authzProps = new Properties();
authzProps.put(ProtectedItemImporter.PARAM_IMPORT_BEHAVIOR, ImportBehavior.NAME_BESTEFFORT);
// ... and for user management content
Properties userProps = new Properties();
userProps.put(ProtectedItemImporter.PARAM_IMPORT_BEHAVIOR, ImportBehavior.NAME_BESTEFFORT);

// wire both into the security configuration passed to the SecurityProvider
Properties securityProps = new Properties();
securityProps.put(UserConfiguration.NAME, ConfigurationParameters.of(userProps));
securityProps.put(AuthorizationConfiguration.NAME, ConfigurationParameters.of(authzProps));
ConfigurationParameters defaultConfigurationParameters = ConfigurationParameters.of(securityProps);

// segment (TarMK) node store under ./tmp with an external file blob store
File repositoryFile = new File("tmp", REPOSITORY);
File dataStoreFile = new File("tmp", DATASTORE);
BlobStore blobStore = new FileBlobStore(dataStoreFile.getAbsolutePath());
FileStore repositoryStore = FileStore.newFileStore(repositoryFile).withBlobStore(blobStore).create();
NodeStore nodeStore = SegmentNodeStore.newSegmentNodeStore(repositoryStore).create();

// build the JCR repository with the security provider configured above
Jcr jcr = new Jcr(nodeStore).with(new SecurityProviderImpl(defaultConfigurationParameters));
repository = jcr.createRepository();

What am I doing wrong?

Marco.


On Thu, Mar 10, 2016 at 12:45 PM, Angela Schreiber-2 [via Jackrabbit] <
ml-node+s510166n4663782h17@n4.nabble.com> wrote:

> Hi Marco
>
> To be quite frank, there are some variants in the AccessControlUtils
> that are rather troublesome and bad, because they hide the fact
> that the impl needs to make an internal lookup (in case of principals
> this is a query which requires data to be persisted).
>
> Having said that:
> Using the variant that takes a Principal instance will likely
> do the trick as there is no extra lookup needed.
>
> Note however that your editing session needs to have sufficient
> karma to read the target principal + additionally needs to have
> jcr:modifyAccessControl permission in order to be able to edit
> access control content.
>
> If your user session only has the latter but doesn't have sufficient
> permission to read the principal, you have two options:
>
> - accept the fact that your user-session doesn't have sufficient
> permission
>   (imho that's the formally correct setup from a security pov)
>
> - Oak: run the repo with the best-effort import option for access control
>   in which case the principal validation as mandated by jsr 283 is relaxed
>   and you can create an ACE with any principal object.
>
> hope that helps
> angela
>
> On 07/03/16 18:28, "marco" <[hidden email]> wrote:
>
> >I have two users "userA" and "userB". With "userA" I create a node and I
> >want to grant read permission to "userB" on that node.
> >
> >If I do:
> >AccessControlUtils.allow(folderA, "userB", new String[]{Privilege.JCR_READ});
> >
> >the command fails because it is not possible to find the principal "userB"
> >in the current session.
> >
> >Same thing happens if I try to find the principal before executing the
> >allow function:
> >Session userSession = repository.login(new SimpleCredentials("userA", "password".toCharArray()));
> >Authorizable userBAuth = ((JackrabbitSession) userSession).getUserManager().getAuthorizable("Users");
> >AccessControlUtils.allow(folderA, userBAuth.getPrincipal().getName(), new String[]{Privilege.JCR_READ});
> >
> >How can I do it without using the administrator account? (With admin
> >account everything works fine).
> >
> >Marco.



-- 
Marco Piovesana, Enterprise Application
ESTECO Spa - AREA Science Park, Padriciano 99 - 34149 Trieste - ITALY
Phone: +39 040 3755548 - Fax: +39 040 3755549 | www.esteco.com


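An added example, not code from this thread or from Jackrabbit/Oak: the Principal-taking variant of AccessControlUtils that Angela refers to, plus a read-back check of the resulting entry. The class and method names are assumptions, as is that `editing` is the non-admin session that created `node`.

```java
import java.security.Principal;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;

/** Hypothetical helper class; not part of Jackrabbit, Oak or this thread. */
public final class ReadGrant {
    /** A Principal carrying only a name, so nothing has to be looked up for it. */
    static Principal named(final String name) {
        return new Principal() {
            @Override public String getName() { return name; }
        };
    }

    // Grants jcr:read on the node to the named principal from the non-admin session
    // that owns the node; returns true if an entry was added. The Principal overload
    // does no PrincipalManager lookup: the session needs jcr:modifyAccessControl on
    // the node but no read access to the user behind the name. Oak still checks the
    // name per the authorization import behaviour: ABORT (default) rejects an unknown
    // name, NAME_BESTEFFORT stores whatever was given, so confirm with hasReadEntry.
    static boolean grantRead(Session editing, Node node, String principalName)
            throws RepositoryException {
        boolean changed = AccessControlUtils.addAccessControlEntry(
                editing, node.getPath(), named(principalName),
                new String[] {Privilege.JCR_READ}, true);
        if (changed) {
            editing.save(); // setPolicy is transient until the session is saved
        }
        return changed;
    }

    /** True if the node's ACL has an allow entry for that name with jcr:read (needs jcr:readAccessControl). */
    static boolean hasReadEntry(Session s, Node node, String principalName)
            throws RepositoryException {
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(s, node.getPath());
        if (acl == null) return false;
        String read = s.getAccessControlManager().privilegeFromName(Privilege.JCR_READ).getName();
        for (AccessControlEntry ace : acl.getAccessControlEntries()) {
            if (!principalName.equals(ace.getPrincipal().getName())) continue;
            if (ace instanceof JackrabbitAccessControlEntry && !((JackrabbitAccessControlEntry) ace).isAllow()) continue;
            for (Privilege p : ace.getPrivileges()) {
                if (read.equals(p.getName())) return true; // aggregates (jcr:all) not expanded
            }
        }
        return false;
    }
}
```

Under best-effort a misspelt name is stored as a dangling ACE rather than rejected, which is why reading the policy back after the grant is worth the extra call.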