Posted to slide-user@jakarta.apache.org by "Hermann, Eckehard" <Ec...@softwareag.com> on 2002/01/21 16:14:12 UTC

userpath in ACL

Hi Dirk,

Currently, if you define an ACE, the principal has to consist of
the userpath + user. If you do a propfind acl, the principals of the ACEs
also consist of the contextpath + userpath + user. This seems to me Slide
specific and not WebDAV conformant. So I would like to change the
parsePrincipal() method of the ACLMethod as follows (see bold typed):

    protected String parsePrincipal(Element principal) throws WebdavException {

        // FIXME: make constants and make sure they are used in
        // AclMethod:parsePrincipal and PropFindMethod:writePrincipal
        NodeList hrefList =
            principal.getElementsByTagNameNS(NodeProperty.DEFAULT_NAMESPACE, "href");
        if (hrefList.getLength() == 1) {
            Element href = (Element) hrefList.item(0);
            // an empty <href/> has no child node; it falls through to
            // SC_BAD_REQUEST instead of raising a NullPointerException
            if (href.getFirstChild() != null
                && href.getFirstChild().getNodeType() == Node.TEXT_NODE) {
                if (token.getNamespaceConfig().getUsersPath() != null) {
                    // prepend the userpath to the bare user sent by the client
                    return (token.getNamespaceConfig().getUsersPath() + "/" +
                            getSlidePath(href.getFirstChild().getNodeValue()));
                } else {
                    return getSlidePath(href.getFirstChild().getNodeValue());
                }
            }
        } else if (hasChild(principal, NodeProperty.DEFAULT_NAMESPACE, "all")) {
            return "nobody";
        } else if (hasChild(principal, NodeProperty.DEFAULT_NAMESPACE, "self")) {
            return "~";
        } else if (hasChild(principal, NodeProperty.DEFAULT_NAMESPACE,
                            "unauthenticated")) {
            return token.getNamespaceConfig().getUsersPath() + "/" +
                   token.getNamespaceConfig().getGuestPath();
        }
        throw new WebdavException(WebdavStatus.SC_BAD_REQUEST);
    }

and the writePrincipal() method of the PropFind Method:

    protected void writePrincipal(XMLPrinter generatedXML, String principal) {
        generatedXML.writeElement(null, PRINCIPAL, XMLPrinter.OPENING);
        // FIXME: Apparently, there are or will be some other cases, but it
        // isn't very clear in the spec

        // remove userpath, if available; the userpath may be unset (see
        // parsePrincipal) and must match on a whole path segment, so a path
        // that merely begins with the same characters is left untouched
        String usersPath = token.getNamespaceConfig().getUsersPath();
        if (usersPath != null) {
            if (principal.equals(usersPath)) {
                principal = "nobody";
            } else if (principal.startsWith(usersPath + "/")) {
                principal = principal.substring((usersPath + "/").length());
            }
        }

        if (principal.equals("~")) {
            generatedXML.writeElement(null, "self", XMLPrinter.NO_CONTENT);
        } else if (principal.equals("nobody")) {
            generatedXML.writeElement(null, "all", XMLPrinter.NO_CONTENT);
        } else {
            generatedXML.writeElement(null, "href", XMLPrinter.OPENING);
            generatedXML.writeText(principal);
//          generatedXML.writeText(getFullPath(principal));
            generatedXML.writeElement(null, "href", XMLPrinter.CLOSING);
        }
        generatedXML.writeElement(null, PRINCIPAL, XMLPrinter.CLOSING);
    }

Now just the user without any path prefix has to be passed with the ACL
method or will be returned by the PropFind method. What do you think about
it, and do you remember any further parts that have to be changed in this
context as well?

regards
 
Eckehard

Eckehard Hermann
Research & Development			
Software AG
Uhlandstrasse 12
D-64297 Darmstadt
Germany

mailto:Eckehard.Hermann@softwareag.com
phone:	+49-6151-921465
fax:		+49-6151-921609


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
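
The userpath handling proposed in the message above, as an added example that is not part of the original post or of Slide: stripping the userpath on output and prepending it on input only round-trips when the prefix match ends on a path-segment boundary. The class name, method names and sample principals are assumptions made for illustration.

```java
// Added example, not Slide code. Class and method names are hypothetical.
public class PrincipalPathMapper {

    private final String usersPath; // e.g. "/users"; null when none is configured

    public PrincipalPathMapper(String usersPath) { this.usersPath = usersPath; }

    /** Internal to external using a plain startsWith() prefix test. */
    public String naiveToExternal(String internal) {
        if (usersPath != null && internal.startsWith(usersPath)) {
            return internal.length() == usersPath.length()
                ? "nobody"
                : internal.substring((usersPath + "/").length());
        }
        return internal;
    }

    /** Internal to external, stripping usersPath only on a segment boundary. */
    public String toExternal(String internal) {
        if (usersPath == null) {
            return internal;
        }
        if (internal.equals(usersPath)) {
            return "nobody";
        }
        if (internal.startsWith(usersPath + "/")) {
            return internal.substring(usersPath.length() + 1);
        }
        return internal; // not under usersPath: leave untouched
    }

    /** External to internal: the inverse, prepending usersPath to a bare user. */
    public String toInternal(String external) {
        if (external.equals("nobody") || external.equals("~") || usersPath == null) {
            return external;
        }
        return usersPath + "/" + external;
    }

    public static void main(String[] args) {
        PrincipalPathMapper m = new PrincipalPathMapper("/users");
        // Constructed sample principals, as they might be stored in an ACE.
        for (String stored : new String[] {"/users/john", "/usersgroup/bob", "~"}) {
            String naive = m.naiveToExternal(stored);
            System.out.println(stored + " -> naive " + naive + " (read back as "
                + m.toInternal(naive) + "), boundary-checked " + m.toExternal(stored));
        }
    }
}
```

With the constructed input `/usersgroup/bob`, the plain prefix test emits `roup/bob`, which reads back as `/users/roup/bob`, an ACE for a different principal than the one stored.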


Re: userpath in ACL (original posting in Slide User)

Posted by Dirk Verbeeck <di...@pandora.be>.
Hi

I don't agree that "contextpath + userpath + user" isn't WebDAV conformant.
When I look at webdav acl draft 06 spec
5.4.5 Example: Retrieving a Resource’s Access Control List
I see the following response example:
<D:principal>
  <D:href>
    http://www.webdav.org/_acl/groups/maintainers/
  </D:href>
</D:principal>

The principal href should be a full URI for the principal resource.
Slide has a restriction that all principal resources must be under
<userspath>.
I thought about removing this restriction but decided against it.
It is actually the <D:principal-collection-set> definition. You can
enhance this to a list of principal collection sets.

One thing you might want to change is to define a userspath for each
store and remove this path from href going to the store.
For example:
The principal /users/john is now stored in the security store as
/users/john
We can't remap the stores because the full slide uri is in the security
store.
The enhancement would be to define:
       <scope match="/" store="jdbc" userspath="/users" />
When the store with john gets remapped to /users/mydomain/john you can
change the scope to:
       <scope match="/" store="jdbc" userspath="/users/mydomain" />
This way you don't have to update the ACLs and you can restrict/define
the users that are known to the ACLs in this scope.

The external view of this uri is then
http://host:port/context/users/mydomain/john
And that is the purpose of the domain file to map stores to a webdav uri
space.

Back to your point, why do you want to remove userspath from the
external URI?


Dirk

