Posted to users@jackrabbit.apache.org by Charles Brooking <pu...@charlie.brooking.id.au> on 2009/01/13 04:45:13 UTC

Access control and node types with WebDAV

Hi all,

I'm currently developing an application that provides two front-ends:

 * a WebDAV servlet (provided by Jackrabbit), and
 * an application-specific REST (HTML, XML) interface.

I'd be interested in hearing what the consensus is regarding access
control and node typing in this context. The problem - as I see it - is
that an application-specific interface can provide a layer between the
user and the repository, thus preventing bad data being entered, but
WebDAV potentially allows users to enter anything.

If you use nt:unstructured (or subtypes of nt:folder etc) then there could
potentially be errant nodes everywhere. I have found node types to be
effective in preventing WebDAV users from uploading files in places they
shouldn't. This works in a very crude way, returning a "500 Internal
Server Error" response, but stops them at least. Is this the intended
approach?

(In my application, there are strongly-typed "project" nodes at the top
level, and then only beneath this are subtrees where a user can freely
manage files and folders. Only these subtrees are intended to be modified
using WebDAV - the rest should be done through the custom web service.)

The other interesting point is access control. I've written a custom
AccessManager class and have found this useful both for WebDAV and my own
servlets: in my servlets, I access the repository through a user-specific
Jackrabbit session based on credentials provided through HTTP Auth and
thus access control is handled at the repository level instead of the web
application level (a very nice benefit of using a JCR, IMO). But it poses
a minor problem with WebDAV. Although a user has write access to their
projects - subject to node type constraints - it would be desirable to
prevent them modifying certain properties. You can only have one
AccessManager per repository instance, however.

Do people just accept this limitation? Or do people write an AccessManager
with WebDAV in mind and use a "system session" with additional access
filters defined at the web application level? Or are there even further
approaches like using/abusing workspaces that work better? There isn't a
lot of reference material out there at this point in time...

Look forward to hearing others' thoughts!

Thanks
Charlie


Re: Access control and node types with WebDAV

Posted by Alexander Klimetschek <ak...@day.com>.
On Wed, Jan 14, 2009 at 4:20 PM, Charles Brooking
<pu...@charlie.brooking.id.au> wrote:
> Alexander Klimetschek wrote:
> I'm not sure how a different content model would change things - am I
> missing something obvious? My intention is just to restrict WebDAV from
> modifying certain properties; these are properties the user might
> have "permission" to modify, but because WebDAV doesn't allow validation
> it could be argued that modifications should only be allowed through an
> application-specific interface (eg HTTP/HTML with form validation).

Ok, I see. There are two other validation options that will work
without extending the WebDAV code:

a) you can put regexp-like value constraints on properties in JCR (via
node types) (see section 6.7.16 "Value Constraints" of the JCR spec
[1] and node type definition in Jackrabbit [2]), albeit they are quite
limited

b) use JCR observation listeners to check for validity (but this
happens asynchronously after the change was saved)

[1] http://www.day.com/specs/jcr/1.0/6.7.16_Value_Constraints.html
[2] http://jackrabbit.apache.org/node-types.html

> I guess this is life: I spent enough time studying JCR and Jackrabbit,
> I already had opinions and knowledge about the REST interface I wanted,
> and there didn't seem to be much material for people outside the project
> to understand Sling. So I dived-in with plain JAX-RS.
>
> It has been a good experience so far: JAX-RS annotations mean not too
> much code and Jersey supports JSP for view templates. Although maybe it
> could be better with Sling - I guess I'll find out when I have time to
> take another look at the project.

Never mind, that's a good approach, too. Just wanted to let you know
about Sling in case you didn't see it yet. And IMO it's really cool
;-)

Regards,
Alex

-- 
Alexander Klimetschek
alexander.klimetschek@day.com
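
Added example, not part of the original post and not Jackrabbit's own code: option (b) above written as a JCR observation listener that checks a property after it has been saved, whichever front-end (WebDAV or the REST application) made the change. The /projects path, the app:code property and its pattern are assumptions made for illustration.

```java
import java.util.regex.Pattern;
import javax.jcr.Property;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.observation.Event;
import javax.jcr.observation.EventIterator;
import javax.jcr.observation.EventListener;

// Added example: audits one property after save, regardless of front-end.
public class ProjectCodeAuditor implements EventListener {
    // Assumed property name and validation rule (not from the thread).
    private static final String PROPERTY = "/app:code";
    private static final Pattern VALID = Pattern.compile("[A-Z]{3}-[0-9]{4}");
    private final Session session; // long-lived session with read access

    public ProjectCodeAuditor(Session session) {
        this.session = session;
    }

    public void register() throws RepositoryException {
        session.getWorkspace().getObservationManager().addEventListener(
            this,
            Event.PROPERTY_ADDED | Event.PROPERTY_CHANGED,
            "/projects", // hypothetical root of the typed project nodes
            true,        // include the whole subtree
            null, null,  // no UUID or node type filter
            false);      // also report changes made through this session
    }

    public void onEvent(EventIterator events) {
        while (events.hasNext()) {
            Event event = events.nextEvent();
            try {
                String path = event.getPath();
                if (!path.endsWith(PROPERTY)) continue;
                session.refresh(false); // see the state that was just saved
                if (!session.itemExists(path)) continue; // removed meanwhile
                Property property = (Property) session.getItem(path);
                if (!VALID.matcher(property.getString()).matches()) {
                    // The change is already persisted: the listener can only
                    // report it. The value itself is untrusted, so it is not logged.
                    System.err.println("Invalid value at " + path
                        + " written by " + event.getUserID());
                }
            } catch (RepositoryException e) {
                System.err.println("Audit failed: " + e.getMessage());
            }
        }
    }
}
```

Because events are delivered after the save, this detects bad data rather than preventing it; a value constraint in the node type (option a) rejects the write itself.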

Re: Access control and node types with WebDAV

Posted by Charles Brooking <pu...@charlie.brooking.id.au>.
Alexander Klimetschek wrote:
 > Why do you want different access rights depending on the way the user
 > connects to the repository? That seems like the content model could be
 > improved.

I'm not sure how a different content model would change things - am I
missing something obvious? My intention is just to restrict WebDAV from
modifying certain properties; these are properties the user might
have "permission" to modify, but because WebDAV doesn't allow validation
it could be argued that modifications should only be allowed through an
application-specific interface (eg HTTP/HTML with form validation).

So not necessarily different access rights, just reduced functionality.

 > Sling offers a lot, and you always have the control over the details.
 > First of all, it supports the following formats over HTTP
 > out-of-the-box: WebDAV, JSON, Plain Text rendering (for reading). The
 > SlingPostServlet allows you to manipulate the JCR via form posts. Finally
 > it is *very* easy to write your own REST interface - the built-in ones
 > are the default renderings if there are no others (custom) defined.
 > And since it works on resources (resource = node in the jcr), you can
 > easily model your URL space in JCR and put different renderers to
 > different resources (eg. /content/orders, /content/products).

I guess this is life: I spent enough time studying JCR and Jackrabbit,
I already had opinions and knowledge about the REST interface I wanted,
and there didn't seem to be much material for people outside the project
to understand Sling. So I dived-in with plain JAX-RS.

It has been a good experience so far: JAX-RS annotations mean not too
much code and Jersey supports JSP for view templates. Although maybe it
could be better with Sling - I guess I'll find out when I have time to
take another look at the project.

Later
Charlie

Re: Access control and node types with WebDAV

Posted by Alexander Klimetschek <ak...@day.com>.
On Wed, Jan 14, 2009 at 1:49 AM, Charles Brooking
<pu...@charlie.brooking.id.au> wrote:
> JCR 1.0 includes the "set_property" permission, and I've implemented a
> custom AccessManager so can control access to this level. The problem I
> have with properties is that I want the user to have write permission when
> connected through my web application, but more limited permissions when
> connected through WebDAV. However, it is only possible to have a single
> AccessManager configured per repository.

Why do you want different access rights depending on the way the user
connects to the repository? That seems like the content model could be
improved.

> I looked at Sling briefly, but I've found the REST side of things pretty
> easy-going just using the Jersey JAX-RS implementation. It wasn't clear to
> me what Sling's benefits were from examples on the website, and I have
> complete control over the details by coding my own!

Sling offers a lot, and you always have the control over the details.
First of all, it supports the following formats over HTTP
out-of-the-box: WebDAV, JSON, Plain Text rendering (for reading). The
SlingPostServlet allows you to manipulate the JCR via form posts. Finally
it is *very* easy to write your own REST interface - the built-in ones
are the default renderings if there are no others (custom) defined.
And since it works on resources (resource = node in the jcr), you can
easily model your URL space in JCR and put different renderers to
different resources (eg. /content/orders, /content/products).

Regards,
Alex

-- 
Alexander Klimetschek
alexander.klimetschek@day.com

Re: Access control and node types with WebDAV

Posted by Angela Schreiber <an...@day.com>.
> JCR 1.0 includes the "set_property" permission, and I've implemented a
> custom AccessManager so can control access to this level. The problem I
> have with properties is that I want the user to have write permission when
> connected through my web application, but more limited permissions when
> connected through WebDAV. However, it is only possible to have a single
> AccessManager configured per repository.
> 
> It's apparently possible to hide items in WebDAV by filtering on namespace
> (eg "rep:") or node types, but I have not had success with this and it's
> specified to only affect display and not access.

did you try to create a custom IOHandler/PropertyHandler
that doesn't expose all child-nodes/properties or exposes them but
doesn't allow modifications... that's probably what i would try.

angela

Re: Access control and node types with WebDAV

Posted by Charles Brooking <pu...@charlie.brooking.id.au>.
Hi Alex

> - I think ACLs that handle modification of properties are part of the
> JCR 2.0 standard (but could be wrong here)
> - if not, you should think about changing your content model - ACLs
> are a main driver for it (see rule 2 in [1])

JCR 1.0 includes the "set_property" permission, and I've implemented a
custom AccessManager so can control access to this level. The problem I
have with properties is that I want the user to have write permission when
connected through my web application, but more limited permissions when
connected through WebDAV. However, it is only possible to have a single
AccessManager configured per repository.

It's apparently possible to hide items in WebDAV by filtering on namespace
(eg "rep:") or node types, but I have not had success with this and it's
specified to only affect display and not access.

> - BTW, have you looked at Apache Sling [2]? It should reduce your
> effort to build a custom REST interface on top of JCR

I looked at Sling briefly, but I've found the REST side of things pretty
easy-going just using the Jersey JAX-RS implementation. It wasn't clear to
me what Sling's benefits were from examples on the website, and I have
complete control over the details by coding my own!

Later
Charlie


Re: Access control and node types with WebDAV

Posted by Alexander Klimetschek <ak...@day.com>.
Hi,

just a short reply:

- I think ACLs that handle modification of properties are part of the
JCR 2.0 standard (but could be wrong here)
- if not, you should think about changing your content model - ACLs
are a main driver for it (see rule 2 in [1])
- BTW, have you looked at Apache Sling [2]? It should reduce your
effort to build a custom REST interface on top of JCR

[1] http://wiki.apache.org/jackrabbit/DavidsModel
[2] http://incubator.apache.org/sling/

Regards,
Alex

On Tue, Jan 13, 2009 at 4:45 AM, Charles Brooking
<pu...@charlie.brooking.id.au> wrote:
> Hi all,
>
> I'm currently developing an application that provides two front-ends:
>
>  * a WebDAV servlet (provided by Jackrabbit), and
>  * an application-specific REST (HTML, XML) interface.
>
> I'd be interested in hearing what the consensus is regarding access
> control and node typing in this context. The problem - as I see it - is
> that an application-specific interface can provide a layer between the
> user and the repository, thus preventing bad data being entered, but
> WebDAV potentially allows users to enter anything.
>
> If you use nt:unstructured (or subtypes of nt:folder etc) then there could
> potentially be errant nodes everywhere. I have found node types to be
> effective in preventing WebDAV users from uploading files in places they
> shouldn't. This works in a very crude way, returning a "500 Internal
> Server Error" response, but stops them at least. Is this the intended
> approach?
>
> (In my application, there are strongly-typed "project" nodes at the top
> level, and then only beneath this are subtrees where a user can freely
> manage files and folders. Only these subtrees are intended to be modified
> using WebDAV - the rest should be done through the custom web service.)
>
> The other interesting point is access control. I've written a custom
> AccessManager class and have found this useful both for WebDAV and my own
> servlets: in my servlets, I access the repository through a user-specific
> Jackrabbit session based on credentials provided through HTTP Auth and
> thus access control is handled at the repository level instead of the web
> application level (a very nice benefit of using a JCR, IMO). But it poses
> a minor problem with WebDAV. Although a user has write access to their
> projects - subject to node type constraints - it would be desirable to
> prevent them modifying certain properties. You can only have one
> AccessManager per repository instance, however.
>
> Do people just accept this limitation? Or do people write an AccessManager
> with WebDAV in mind and use a "system session" with additional access
> filters defined at the web application level? Or are there even further
> approaches like using/abusing workspaces that work better? There isn't a
> lot of reference material out there at this point in time...
>
> Look forward to hearing others' thoughts!
>
> Thanks
> Charlie
>
>



-- 
Alexander Klimetschek
alexander.klimetschek@day.com