Posted to slide-user@jakarta.apache.org by Sean Qi <se...@showiz.com> on 2002/11/02 02:22:25 UTC

webdav ACL

Hi, all,

I am trying to use Slide to build a content management system.

I plan to use the JDBCRealm for user authentication at the servlet container level.  

In the meantime, I want to do the user authorization, such as user A can only read ABC.txt and meanwhile user B can read/write ABC.txt.  I guess the "org.apache.webdav.*" can do the job.  

1.  How to use/leverage/integrate the "org.apache.webdav.*" together with the user authentication at the servlet container level?
2.  Would you please give me some pointers where I can have a good/better understanding of how to "org.apache.webdav.*"  packages?

Any input appreciated. Thanx

S.Q 

 



Re: webdav ACL

Posted by Sean Qi <se...@showiz.com>.
Jason and Andreas,

Thanks a lot for your input.  I will definitely look into SlideRealm and I
am looking at the huge client.java now.

Andreas,

Your latest response to Dovan does answer most of questions I was going to
ask.  You just saved me time to type in those questions. :-)  Thanx a lot.

Sean Q



--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: webdav ACL

Posted by Jason <ja...@xn.com.au>.
You might like to consider using SlideRealm.  With this, the servlet 
container (ie Tomcat) authenticates using users in Slide's stores, so 
both the container and slide are dealing with the same user.



Re: webdav ACL

Posted by Andreas Probst <an...@gmx.net>.
Dovan,

don't forget to tell your servlet container about the users, not 
only Slide. If you're using Tomcat with tomcat-users.xml, add 
lines with users root and john and so on.

If you're using SlideRealm, this isn't necessary - you just have 
to define users in Slide. But I don't know anything about 
SlideRealm.

Andreas


On 8 Nov 2002 at 14:06, dovan nguyen wrote:

> Andreas,
> 
> I just took the original slide.war and without any
> modification (except uncomment in web.xml for
> authentication) it still doesn't let me in even when i
> use the Slide.java client at the command line.
> 
> Please let me know.
> 
> Thanks,
> Dovan
> 
> --- Andreas Probst <an...@gmx.net> wrote:
> > Maybe you have to change your namespace to the new
> > context, at 
> > least that's what I did for my app.
> > 
> > In web.xml:
> >         <init-param>
> >             <param-name>namespace</param-name>
> >             <param-value>weblaw</param-value>
> > 
> > in Domain.xml:
> > <namespace name="weblaw">
> > 
> > Hope this helps.
> > 
> > Andreas
> > 
> > 
> > On 7 Nov 2002 at 15:29, dovan nguyen wrote:
> > 
> > > Andreas,
> > > 
> > > I use the slide.war as is and uncomment the
> > > authentication in web.xml; I tried to type the url
> > > http://localhost:8080/weblaw/ (weblaw being my context
> > > that map to slide webdav servlet) and a window popup
> > > asking for user/password...
> > > 
> > > i then type in john/john and repeated it with
> > > root/root and neither let me browse the contentstore.
> > > 
> > > Please let me know.
> > > 
> > > Thanks,
> > > Dovan
> > > 
> > > --- Andreas Probst <an...@gmx.net> wrote:
> > > > Hi Dovan,
> > > > 
> > > > as this is a rather big topic and I don't know everything I
> > > > can't explain this in much detail here. Let me explain my
> > > > setting and what I've done.
> > > > 
> > > > the setting:
> > > > -users belong to groups
> > > > -users can be writers in one or more groups and readers in the
> > > > same and other groups
> > > > -every group got its own directory
> > > > -only users, who belong to the group, must be able to access the
> > > > group directory, i.e. the other must not.
> > > > 
> > > > Slide's ACL:
> > > > -to have access to a directory a user must have access to the
> > > > parent directory -> there's no beginning in the middle of the
> > > > tree
> > > > -roles are still very inflexible, but groups can be used instead
> > > > 
> > > > things to do:
> > > > 
> > > > 1. users:
> > > > -create the users under /users, like user john
> > > > -create groups, doing the following steps:
> > > > *create SubjectNode, e.g. /users/groupA
> > > > *create GroupNode, e.g. /users/groupA/readers
> > > > *create GroupNode, e.g. /users/groupA/writers
> > > > (subgrouping is not supported in SecurityImpl)
> > > > -link users to the appropriate groups (if john is a writer in
> > > > groupA link /users/groupA/readers/john and
> > > > /users/groupA/writers/john to /users/john)
> > > > (example for most of this is in default Domain.xml)
> > > > 
> > > > 2. create group directories:
> > > > -create one directory for every group under /files, like
> > > > /files/groupA
> > > > 
> > > > 3. set ACL appropriately
> > > > -/actions/read for /users on / not inheritable
> > > > -/actions/read for /users on /files not inheritable
> > > > -/actions for /users on /history and the other DeltaV
> > > > directories inheritable=true (this will be a problem as
> > > > everybody can access everything, but can be solved by setting
> > > > scope in web.xml to /files. I don't know a better solution for
> > > > this.)
> > > > -keep default ACL settings for /actions and /users
> > > > -set ACL for the group directories under /files like:
> > > > */actions/read for +/users/groupA/readers on /files/groupA
> > > > inheritable=true
> > > > */actions/write for +/users/groupA/writers on /files/groupA
> > > > inheritable=true
> > > > 
> > > > Because no permission is inherited from /files or / only the
> > > > users, which belong to groupA can access /files/groupA. All
> > > > other users can't access the directory. Denying permissions will
> > > > make problems if users belong to a denied and a granted group at
> > > > the same time. Denied permissions win over granted ones. So if a
> > > > user belongs to a denied group he can't access the resource even
> > > > if he belongs also to the granted group. That's why you can't
> > > > use negative=true on group level in this configuration.
> > > > 
> > > > tree to show the configuration:
> > > > 
> > > > / (/actions/read for /users, not inheritable)
> > > > /users (default ACL settings)
> > > >  --groupA
> > > >    --readers
> > > >      --links to john and others
> > > >    --writers
> > > >      --links to the users
> > > >  --groupB
> > > >    --readers
> > > >      --links
> > > >    --writers
> > > >      --links
> > > >  and so on
> > > >  --john (UserRoleImpl)
> > > >  --other users (UserRoleImpl)
> > > >  and so on
> > > > /files (/actions/read for /users, not inheritable)
> > > >  --groupA (/actions/read for +/users/groupA/readers and
> > > >    /actions/write for +/users/groupA/writers)
> > > >  --groupB (/actions/read for +/users/groupB/readers and
> > > >    /actions/write for +/users/groupB/writers)
> > > >  and so on
> > > > 
> > > > I've so far not dynamically created users, groups and group
> > > > directories. But I think this should be possible. I wait for
> > > > Richies implementation of UserDatabase which I hope simplifies
> > > > the handling of users.
> > > > 
> > > > I hope this will help you.
> > > > 
> > > > Andreas
> > > > 
> > > > 
> > > > On 4 Nov 2002 at 7:53, dovan nguyen wrote:
> > > > 
> > > > > Andreas,
> > > > > 
> > > > > I am trying to achieve the same thing.  Could you
> > > > > please attach a sample configuration file(s) for
> > > > > both Tomcat and Slide along with a description? We
> > > > > would appreciate it if you could also describe a few
> > > > > sample at user and group levels, and the location
> > 
> === message truncated ===
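Added example (not part of the original thread, and not Slide code): a small Python model of the group-directory ACL layout Andreas describes in the message quoted above, showing why the grants on / and /files must not be inheritable and why a deny on group level breaks users who are in two groups. It assumes that a permission for subject /users covers every node below /users, that "+group" means the users linked under that group node, and that reaching a resource needs /actions/read on each ancestor; the users carol, dave and bob and the file name are constructed.

```python
from dataclasses import dataclass

READ, WRITE = "/actions/read", "/actions/write"


@dataclass(frozen=True)
class Permission:
    subject: str              # "/users" or "+/users/groupA/readers"
    action: str               # "/actions", "/actions/read", ...
    inheritable: bool = True
    negative: bool = False


def ancestors(uri):
    """'/files/groupA/x' -> ['/', '/files', '/files/groupA']; '/' -> []."""
    parts = [p for p in uri.split("/") if p]
    if not parts:
        return []
    return ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]


def under(uri, prefix):
    """True if uri is prefix itself or lies below it in the tree."""
    return prefix == "/" or uri == prefix or uri.startswith(prefix + "/")


def subject_matches(subject, user, members):
    if subject.startswith("+"):          # "+group": users linked under the group node
        return user in members.get(subject[1:], set())
    return under(user, subject)          # assumption: /users covers /users/john


def effective(acl, uri):
    """Permissions set on uri plus the inheritable ones of its ancestors."""
    perms = list(acl.get(uri, []))
    for anc in ancestors(uri):
        perms += [p for p in acl.get(anc, []) if p.inheritable]
    return perms


def allowed_on(acl, members, user, action, uri):
    hits = [p for p in effective(acl, uri)
            if subject_matches(p.subject, user, members) and under(action, p.action)]
    if any(p.negative for p in hits):    # denied permissions win over granted ones
        return False
    return bool(hits)


def check(acl, members, user, action, uri):
    """Read is needed on every ancestor: no 'beginning in the middle of the tree'."""
    if not all(allowed_on(acl, members, user, READ, a) for a in ancestors(uri)):
        return False
    return allowed_on(acl, members, user, action, uri)


def build_acl(root_inheritable=False):
    """The ACL from the message; root_inheritable=True is the misconfiguration."""
    def group_dir(group):
        return [Permission(f"+/users/{group}/readers", READ),
                Permission(f"+/users/{group}/writers", WRITE)]
    return {
        "/": [Permission("/users", READ, inheritable=root_inheritable)],
        "/files": [Permission("/users", READ, inheritable=False)],
        "/files/groupA": group_dir("groupA"),
        "/files/groupB": group_dir("groupB"),
    }


# Constructed group links (group node -> linked users).
MEMBERS = {
    "/users/groupA/readers": {"/users/john", "/users/carol"},
    "/users/groupA/writers": {"/users/john", "/users/dave"},  # dave: writer link only
    "/users/groupB/readers": {"/users/bob"},
    "/users/groupB/writers": {"/users/bob"},
}
DOC = "/files/groupA/report.txt"        # constructed file name


def demo():
    acl = build_acl()
    out = {
        "john_read": check(acl, MEMBERS, "/users/john", READ, DOC),
        "john_write": check(acl, MEMBERS, "/users/john", WRITE, DOC),
        "carol_write": check(acl, MEMBERS, "/users/carol", WRITE, DOC),
        "dave_write": check(acl, MEMBERS, "/users/dave", WRITE, DOC),
        "bob_read_files": check(acl, MEMBERS, "/users/bob", READ, "/files"),
        "bob_read_doc": check(acl, MEMBERS, "/users/bob", READ, DOC),
    }
    # Same tree, but the grant on / is inheritable: group isolation is gone.
    out["bob_read_doc_root_inheritable"] = check(
        build_acl(root_inheritable=True), MEMBERS, "/users/bob", READ, DOC)
    # negative=true for groupB on groupA's directory, with john linked in both groups.
    denied = build_acl()
    denied["/files/groupA"] = denied["/files/groupA"] + [
        Permission("+/users/groupB/readers", "/actions", negative=True)]
    both = dict(MEMBERS)
    both["/users/groupB/readers"] = {"/users/bob", "/users/john"}
    out["john_read_with_deny"] = check(denied, both, "/users/john", READ, DOC)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

dave, who is linked only under writers, cannot write in this model because he lacks read on /files/groupA, which matches the advice to link a writer under both readers and writers.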


Re: webdav ACL

Posted by Andreas Probst <an...@gmx.net>.
Dovan,

I haven't seen such a configuration possibility. Webdav-Clients 
like MS-Office lock the files as long as they are open. If you 
write your own client, you can tell Slide via client method to 
lock a long time.

Andreas

On 13 Nov 2002 at 9:02, dovan nguyen wrote:

> Andreas,
> 
> I suspected this when I repeated the lock cmd using
> XMetal which locks a file for 3600 second...
> 
> But are you saying it is impossible to configure Slide
> (on the server) to give lock request infinitely until
> the owner release the lock ?  ... sort of PVCS ?
> 
> Dovan
> 


Re: webdav ACL

Posted by dovan nguyen <do...@yahoo.com>.
Andreas,

I suspected this when I repeated the lock cmd using
XMetal which locks a file for 3600 second...

But are you saying it is impossible to configure Slide
(on the server) to give lock request infinitely until
the owner release the lock ?  ... sort of PVCS ?

Dovan

--- Andreas Probst <an...@gmx.net> wrote:
> Dovan,
> 
> Slide client locks for only 120 sec. If you want a different
> lock timeout, you have to change the code.
> 
> If you write your own Webdav client, then you will probably use
> Slide client methods. Central class there is
> org.apache.webdav.lib.WebdavResource.
> 
> See
> org.apache.webdav.lib.WebdavResource.lockMethod(java.lang.String
> owner, int timeout)
> 
> Pass number of seconds as timeout.
> 
> Andreas                   
> 


Re: webdav ACL

Posted by Andreas Probst <an...@gmx.net>.
Dovan,

Slide client locks for only 120 sec. If you want a different 
lock timeout, you have to change the code.

If you write your own Webdav client, then you will probably use 
Slide client methods. Central class there is 
org.apache.webdav.lib.WebdavResource.

See 
org.apache.webdav.lib.WebdavResource.lockMethod(java.lang.String 
owner, int timeout)

Pass number of seconds as timeout.

Andreas                   

On 12 Nov 2002 at 16:17, dovan nguyen wrote:

> Andreas,
> 
> I used the Slide client as anonymous user and send a
> LOCK on a file.... which only gets locked for 120
> second...
> 
> Could you please tell me why ?  and how to configure
> Slide to lock indefinitely until the owner unlock it ?
> 
> Thanks,
> Dovan
> 
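Added example (not from the thread and not Slide client code): in WebDAV (RFC 2518) a lock timeout is requested with the Timeout header of the LOCK request, and the server reports the timeout it actually granted in the lockdiscovery response, so a client should read that value back rather than trust what it asked for. This goes beyond the thread by showing the wire format; the host, path, owner, token and response body are constructed.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

DAV = "{DAV:}"


def timeout_header(seconds=None):
    """RFC 2518 Timeout value: 'Second-n', or 'Infinite' when seconds is None."""
    return "Infinite" if seconds is None else f"Second-{int(seconds)}"


def build_lock_request(path, host, owner, seconds=None):
    """Return a raw exclusive write LOCK request for path."""
    body = (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<D:lockinfo xmlns:D="DAV:">\n'
        "  <D:lockscope><D:exclusive/></D:lockscope>\n"
        "  <D:locktype><D:write/></D:locktype>\n"
        f"  <D:owner>{escape(owner)}</D:owner>\n"
        "</D:lockinfo>\n"
    )
    headers = [
        f"LOCK {path} HTTP/1.1",
        f"Host: {host}",
        f"Timeout: {timeout_header(seconds)}",
        "Depth: 0",
        'Content-Type: text/xml; charset="utf-8"',
        f"Content-Length: {len(body.encode('utf-8'))}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def parse_granted_lock(response_body):
    """Return (lock token, granted seconds); seconds is None for Infinite."""
    root = ET.fromstring(response_body)
    active = root.find(f".//{DAV}activelock")
    if active is None:
        raise ValueError("no activelock element in LOCK response")
    token = (active.findtext(f"{DAV}locktoken/{DAV}href") or "").strip()
    raw = (active.findtext(f"{DAV}timeout") or "").strip().lower()
    if raw == "infinite":
        return token, None
    if raw.startswith("second-"):
        return token, int(raw[len("second-"):])
    raise ValueError(f"unrecognised timeout value: {raw!r}")


def was_shortened(requested, granted):
    """True if the server granted less than was asked for (None = Infinite)."""
    if granted is None:
        return False
    return requested is None or granted < requested


def refresh_after(granted, margin=0.25):
    """Seconds to wait before refreshing the lock; None if it never expires."""
    return None if granted is None else int(granted * (1 - margin))


# Constructed response: the client asked for Infinite, the server granted 120 s.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<D:prop xmlns:D="DAV:">
  <D:lockdiscovery>
    <D:activelock>
      <D:locktype><D:write/></D:locktype>
      <D:lockscope><D:exclusive/></D:lockscope>
      <D:depth>0</D:depth>
      <D:owner>john</D:owner>
      <D:timeout>Second-120</D:timeout>
      <D:locktoken>
        <D:href>opaquelocktoken:constructed-example-token</D:href>
      </D:locktoken>
    </D:activelock>
  </D:lockdiscovery>
</D:prop>
"""

if __name__ == "__main__":
    print(build_lock_request("/files/groupA/report.doc", "localhost:8080", "john"))
    token, granted = parse_granted_lock(SAMPLE_RESPONSE)
    print(token, granted, was_shortened(None, granted), refresh_after(granted))
```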


Re: webdav ACL

Posted by dovan nguyen <do...@yahoo.com>.
Andreas,

I used the Slide client as anonymous user and send a
LOCK on a file.... which only gets locked for 120
second...

Could you please tell me why ?  and how to configure
Slide to lock indefinitely until the owner unlock it ?

Thanks,
Dovan

--- Andreas Probst <an...@gmx.net> wrote:
> Dovan,
> 
> with / I mean the root of the Slide tree, i.e.:
> 
> <objectnode classname="org.apache.slide.structure.SubjectNode"
> uri="/">
> 
> Below this start tag put maybe
> 
> <permission action="/actions" subject="/users/guest"
> inheritable="true" negative="false"/>
> 
> or maybe
> 
> <permission action="/actions" subject="guest"
> inheritable="true" negative="false"/>
> 
> Andreas
> 
> 
> 
> On 11 Nov 2002 at 14:31, dovan nguyen wrote:
> 
> > Andreas,
> > 
> > I couldn't see where the start tag '/' is defined but
> > I saw the following:
> > 
> > <!-- ### Give read/write/manage permission to guest ###
> >                Uncomment the following line to give permission to do
> >                all actions on /repository to guest (unauthenticated users) -->
> >           <permission action="/actions" subject="/users/guest"/>
> > 
> > but it still doesn't work.
> > 
> > Please let me know.
> > 
> > Thanks,
> > Dovan
> > --- Andreas Probst <an...@gmx.net> wrote:
> > > Hi Dovan,
> > > 
> > > I haven't configured SlideRealm so far. So I can't tell you
> > > anything about it.
> > > 
> > > To give access to the unauthenticated guest user you could grant
> > > /actions to /users/guest on /.
> > > Place the following tag just below the start tag of the
> > > definition of /
> > > <permission action="/actions" subject="/users/guest"
> > > inheritable="true" negative="false"/>
> > > 
> > > Maybe it also works with role guest, because guest role is
> > > defined in the roles section:
> > > <permission action="/actions" subject="guest"
> > > inheritable="true" negative="false"/>
> > > 
> > > Andreas
> > > 
> > > 
> > > On 8 Nov 2002 at 17:48, dovan nguyen wrote:
> > > 
> > > > Andreas,
> > > > 
> > > > could you please show us again how to configure
> > > > SlideRealm ?
> > > > 
> > > > And how to configure for anonymous user for full
> > > > access to everything (read, write, ..etc) ?
> > > > 
> > > > Thanks,
> > > > Dovan
> > > > 
> > > > --- Andreas Probst <an...@gmx.net> wrote:
> > > > > Maybe you have to change your namespace to
> the
> > > new
> > > > > context, at 
> > > > > least that's what I did for my app.
> > > > > 
> > > > > In web.xml:
> > > > >         <init-param>
> > > > >            
> <param-name>namespace</param-name>
> > > > >            
> <param-value>weblaw</param-value>
> > > > > 
> > > > > in Domain.xml:
> > > > > <namespace name="weblaw">
> > > > > 
> > > > > Hope this helps.
> > > > > 
> > > > > Andreas
> > > > > 
> > > > > 
> > > > > On 7 Nov 2002 at 15:29, dovan nguyen wrote:
> > > > > 
> > > > > > Andreas,
> > > > > > 
> > > > > > I use the slide.war as is and uncomment
> the
> > > > > > authentication in web.xml; I tried to type
> the
> > > url
> > > > > > http://localhost:8080/weblaw/ (weblaw
> being my
> > > > > context
> > > > > > that map to slide webdav servlet) and a
> window
> > > > > popup
> > > > > > asking for user/password...
> > > > > > 
> > > > > > i then type in john/john and repeated it
> with
> > > > > > root/root and neither let me browse the
> > > > > contentstore.
> > > > > > 
> > > > > > Please let me know.
> > > > > > 
> > > > > > Thanks,
> > > > > > Dovan
> > > > > > 
> > > > > > --- Andreas Probst <an...@gmx.net>
> wrote:
> > > > > > > Hi Dovan,
> > > > > > > 
> > > > > > > as this is a rather big topic and I
> don't
> > > know
> > > > > > > everything I 
> > > > > > > can't explain this in much detail here.
> Let
> > > me
> > > > > > > explain my 
> > > > > > > setting and what I've done.
> > > > > > > 
> > > > > > > the setting:
> > > > > > > -users belong to groups
> > > > > > > -users can be writers in one or more
> groups
> > > and
> > > > > > > readers in the 
> > > > > > > same and other groups
> > > > > > > -every group got its own directory
> > > > > > > -only users, who belong to the group,
> must
> > > be
> > > > > able
> > > > > > > to access the 
> > > > > > > group directory, i.e. the other must
> not.
> > > > > > > 
> > > > > > > Slide's ACL:
> > > > > > > -to have access to a directory a user
> must
> > > have
> > > > > > > access to the 
> > > > > > > parent directory -> there's no beginning
> in
> > > the
> > > > > > > middle of the 
> > > > > > > tree
> > > > > > > -roles are still very inflexible, but
> groups
> > > can
> > > > > be
> > > > > > > used instead
> > > > > > > 
> > > > > > > things to do:
> > > > > > > 
> > > > > > > 1. users:
> > > > > > > -create the users under /users, like
> user
> > > john
> > > > > > > -create groups, doing the following
> steps:
> > > > > > > *create SubjectNode, e.g. /users/groupA
> > > > > > > *create GroupNode, e.g.
> > > /users/groupA/readers
> > > > > > > *create GroupNode, e.g.
> 
=== message truncated ===




Re: webdav ACL

Posted by Andreas Probst <an...@gmx.net>.
Dovan,

with / I mean the root of the Slide tree, i.e.:

<objectnode classname="org.apache.slide.structure.SubjectNode" 
uri="/">

Below this start tag put maybe 

<permission action="/actions" subject="/users/guest" 
inheritable="true" negative="false"/> 

or maybe

<permission action="/actions" subject="guest" inheritable="true" 
negative="false"/>

Andreas



On 11 Nov 2002 at 14:31, dovan nguyen wrote:

> Andreas,
> 
> I couldn't see where the start tag '/' is defined but
> I saw the following:
> 
> <!-- ### Give read/write/manage permission to guest ###
>                Uncomment the following line to give permission to do
>                all actions on /repository to guest (unauthenticated users) -->
>           <permission action="/actions" subject="/users/guest"/>
> 
> but it still doesn't work.
> 
> Please let me know.
> 
> Thanks,
> Dovan
> --- Andreas Probst <an...@gmx.net> wrote:
> > Hi Dovan,
> > 
> > I haven't configured SlideRealm so far. So I can't tell you
> > anything about it.
> > 
> > To give access to the unauthenticated guest user you
> > could grant 
> > /actions to /users/guest on /.
> > Place the following tag just below the start tag of
> > the 
> > definition of /
> > <permission action="/actions" subject="/users/guest"
> > inheritable="true" negative="false"/> 
> > 
> > Maybe it also works with role guest, because guest
> > role is 
> > defined in the roles section:
> > <permission action="/actions" subject="guest"
> > inheritable="true" negative="false"/>
> > 
> > Andreas
> > 
> > 
> > On 8 Nov 2002 at 17:48, dovan nguyen wrote:
> > 
> > > Andreas,
> > > 
> > > could you please show us again how to configure
> > > SlideRealm ?
> > > 
> > > And how to configure for anonymous user for full
> > > access to everything (read, write, ..etc) ?
> > > 
> > > Thanks,
> > > Dovan
> > > 
> > > --- Andreas Probst <an...@gmx.net> wrote:
> > > > Maybe you have to change your namespace to the
> > new
> > > > context, at 
> > > > least that's what I did for my app.
> > > > 
> > > > In web.xml:
> > > >         <init-param>
> > > >             <param-name>namespace</param-name>
> > > >             <param-value>weblaw</param-value>
> > > > 
> > > > in Domain.xml:
> > > > <namespace name="weblaw">
> > > > 
> > > > Hope this helps.
> > > > 
> > > > Andreas
> > > > 
> > > > 
> > > > On 7 Nov 2002 at 15:29, dovan nguyen wrote:
> > > > 
> > > > > Andreas,
> > > > > 
> > > > > I use the slide.war as is and uncomment the
> > > > > authentication in web.xml; I tried to type the
> > url
> > > > > http://localhost:8080/weblaw/ (weblaw being my
> > > > context
> > > > > that map to slide webdav servlet) and a window
> > > > popup
> > > > > asking for user/password...
> > > > > 
> > > > > i then type in john/john and repeated it with
> > > > > root/root and neither let me browse the
> > > > contentstore.
> > > > > 
> > > > > Please let me know.
> > > > > 
> > > > > Thanks,
> > > > > Dovan
> > > > > 
> > > > > --- Andreas Probst <an...@gmx.net> wrote:
> > > > > > Hi Dovan,
> > > > > > 
> > > > > > as this is a rather big topic and I don't
> > know
> > > > > > everything I 
> > > > > > can't explain this in much detail here. Let
> > me
> > > > > > explain my 
> > > > > > setting and what I've done.
> > > > > > 
> > > > > > the setting:
> > > > > > -users belong to groups
> > > > > > -users can be writers in one or more groups
> > and
> > > > > > readers in the 
> > > > > > same and other groups
> > > > > > -every group got its own directory
> > > > > > -only users, who belong to the group, must
> > be
> > > > able
> > > > > > to access the 
> > > > > > group directory, i.e. the other must not.
> > > > > > 
> > > > > > Slide's ACL:
> > > > > > -to have access to a directory a user must
> > have
> > > > > > access to the 
> > > > > > parent directory -> there's no beginning in
> > the
> > > > > > middle of the 
> > > > > > tree
> > > > > > -roles are still very inflexible, but groups
> > can
> > > > be
> > > > > > used instead
> > > > > > 
> > > > > > things to do:
> > > > > > 
> > > > > > 1. users:
> > > > > > -create the users under /users, like user
> > john
> > > > > > -create groups, doing the following steps:
> > > > > > *create SubjectNode, e.g. /users/groupA
> > > > > > *create GroupNode, e.g.
> > /users/groupA/readers
> > > > > > *create GroupNode, e.g.
> > /users/groupA/writers
> > > > > > (subgrouping is not supported in
> > SecurityImpl)
> > > > > > -link users to the appropriate groups (if
> > john
> > > > is a
> > > > > > writer in 
> > > > > > groupA link /users/groupA/readers/john and 
> > > > > > /users/groupA/writers/john to /users/john
> > > > > > (example for most of this is in default
> > > > Domain.xml)
> > > > > > 
> > > > > > 2. create group directories:
> > > > > > -create one directory for every group under
> > > > /files,
> > > > > > like 
> > > > > > /files/groupA
> > > > > > 
> > > > > > 3. set ACL appropriately
> > > > > > -/actions/read for /users on / not
> > inheritable
> > > > > > -/actions/read for /users on /files not
> > > > inheritable
> > > > > > -/actions for /users on /history and the
> > other
> > > > > > DeltaV 
> > > > > > directories inheritable=true (this will be a
> > > > problem
> > > > > > as 
> > > > > > everybody can access everything, but can be
> > > > solved
> > > > > > by setting 
> > > > > > scope in web.xml to /files. I don't know a
> > > > better
> > > > > > solution for 
> > > > > > this.)
> > > > > > -keep default ACL settings for /actions and
> > > > /users
> > > > > > -set ACL for the group directories under
> > /files
> > > > > > like:
> > > > > > */actions/read for +/users/groupA/readers on
> > > > > > /files/groupA 
> > > > > > inheritable=true
> > > > > > */actions/write for +/users/groupA/writers
> > on
> > > > > > /files/groupA 
> > > > > > inheritable=true
> > > > > > 
> > > > > > Because no permission is inherited from
> > /files
> > > > or /
> > > > > > only the 
> > > > > > users, which belong to groupA can access
> > > > > > /files/groupA. All 
> > > > > > other users can't access the directory.
> > Denying
> > > > > > permissions will 
> > > > > > make problems if users belong to a denied
> > and a
> > > > > > granted group at 
> > > > > > the same time. Denied permissions win over
> > > > granted
> > > > > > ones. So if a 
> > > > > > user belongs to a denied group he can't
> > access
> > > > the
> > > > > > resource even 
> > > > > > if he belongs also to the granted group.
> > That's
> > > > why
> > > > > > you can't 
> > > > > > use negative=true on group level in this
> > > > > > configuration.
> > > > > > 
> > > > > > tree to show the configuration:
> > 
> === message truncated ===
> 
> 


Re: webdav ACL

Posted by dovan nguyen <do...@yahoo.com>.
Andreas,

I couldn't see where the start tag '/' is defined but
I saw the following:

<!-- ### Give read/write/manage permission to guest ###
               Uncomment the following line to give permission to do
               all actions on /repository to guest (unauthenticated users) -->
          <permission action="/actions" subject="/users/guest"/>

but it still doesn't work.

Please let me know.

Thanks,
Dovan
--- Andreas Probst <an...@gmx.net> wrote:
> Hi Dovan,
> 
> I haven't configured SlideRealm so far. So I can't tell you
> anything about it.
> 
> To give access to the unauthenticated guest user you
> could grant 
> /actions to /users/guest on /.
> Place the following tag just below the start tag of
> the 
> definition of /
> <permission action="/actions" subject="/users/guest"
> inheritable="true" negative="false"/> 
> 
> Maybe it also works with role guest, because guest
> role is 
> defined in the roles section:
> <permission action="/actions" subject="guest"
> inheritable="true" negative="false"/>
> 
> Andreas
> 
> 
> On 8 Nov 2002 at 17:48, dovan nguyen wrote:
> 
> > Andreas,
> > 
> > could you please show us again how to configure
> > SlideRealm ?
> > 
> > And how to configure for anonymous user for full
> > access to everything (read, write, ..etc) ?
> > 
> > Thanks,
> > Dovan
> > 
> > --- Andreas Probst <an...@gmx.net> wrote:
> > > Maybe you have to change your namespace to the
> new
> > > context, at 
> > > least that's what I did for my app.
> > > 
> > > In web.xml:
> > >         <init-param>
> > >             <param-name>namespace</param-name>
> > >             <param-value>weblaw</param-value>
> > > 
> > > in Domain.xml:
> > > <namespace name="weblaw">
> > > 
> > > Hope this helps.
> > > 
> > > Andreas
> > > 
> > > 
> > > On 7 Nov 2002 at 15:29, dovan nguyen wrote:
> > > 
> > > > Andreas,
> > > > 
> > > > I use the slide.war as is and uncomment the
> > > > authentication in web.xml; I tried to type the
> url
> > > > http://localhost:8080/weblaw/ (weblaw being my
> > > context
> > > > that map to slide webdav servlet) and a window
> > > popup
> > > > asking for user/password...
> > > > 
> > > > i then type in john/john and repeated it with
> > > > root/root and neither let me browse the
> > > contentstore.
> > > > 
> > > > Please let me know.
> > > > 
> > > > Thanks,
> > > > Dovan
> > > > 
> > > > --- Andreas Probst <an...@gmx.net> wrote:
> > > > > Hi Dovan,
> > > > > 
> > > > > as this is a rather big topic and I don't
> know
> > > > > everything I 
> > > > > can't explain this in much detail here. Let
> me
> > > > > explain my 
> > > > > setting and what I've done.
> > > > > 
> > > > > the setting:
> > > > > -users belong to groups
> > > > > -users can be writers in one or more groups
> and
> > > > > readers in the 
> > > > > same and other groups
> > > > > -every group got its own directory
> > > > > -only users, who belong to the group, must
> be
> > > able
> > > > > to access the 
> > > > > group directory, i.e. the other must not.
> > > > > 
> > > > > Slide's ACL:
> > > > > -to have access to a directory a user must
> have
> > > > > access to the 
> > > > > parent directory -> there's no beginning in
> the
> > > > > middle of the 
> > > > > tree
> > > > > -roles are still very inflexible, but groups
> can
> > > be
> > > > > used instead
> > > > > 
> > > > > things to do:
> > > > > 
> > > > > 1. users:
> > > > > -create the users under /users, like user
> john
> > > > > -create groups, doing the following steps:
> > > > > *create SubjectNode, e.g. /users/groupA
> > > > > *create GroupNode, e.g.
> /users/groupA/readers
> > > > > *create GroupNode, e.g.
> /users/groupA/writers
> > > > > (subgrouping is not supported in
> SecurityImpl)
> > > > > -link users to the appropriate groups (if
> john
> > > is a
> > > > > writer in 
> > > > > groupA link /users/groupA/readers/john and 
> > > > > /users/groupA/writers/john to /users/john
> > > > > (example for most of this is in default
> > > Domain.xml)
> > > > > 
> > > > > 2. create group directories:
> > > > > -create one directory for every group under
> > > /files,
> > > > > like 
> > > > > /files/groupA
> > > > > 
> > > > > 3. set ACL appropriately
> > > > > -/actions/read for /users on / not
> inheritable
> > > > > -/actions/read for /users on /files not
> > > inheritable
> > > > > -/actions for /users on /history and the
> other
> > > > > DeltaV 
> > > > > directories inheritable=true (this will be a
> > > problem
> > > > > as 
> > > > > everybody can access everything, but can be
> > > solved
> > > > > by setting 
> > > > > scope in web.xml to /files. I don't know a
> > > better
> > > > > solution for 
> > > > > this.)
> > > > > -keep default ACL settings for /actions and
> > > /users
> > > > > -set ACL for the group directories under
> /files
> > > > > like:
> > > > > */actions/read for +/users/groupA/readers on
> > > > > /files/groupA 
> > > > > inheritable=true
> > > > > */actions/write for +/users/groupA/writers
> on
> > > > > /files/groupA 
> > > > > inheritable=true
> > > > > 
> > > > > Because no permission is inherited from
> /files
> > > or /
> > > > > only the 
> > > > > users, which belong to groupA can access
> > > > > /files/groupA. All 
> > > > > other users can't access the directory.
> Denying
> > > > > permissions will 
> > > > > make problems if users belong to a denied
> and a
> > > > > granted group at 
> > > > > the same time. Denied permissions win over
> > > granted
> > > > > ones. So if a 
> > > > > user belongs to a denied group he can't
> access
> > > the
> > > > > resource even 
> > > > > if he belongs also to the granted group.
> That's
> > > why
> > > > > you can't 
> > > > > use negative=true on group level in this
> > > > > configuration.
> > > > > 
> > > > > tree to show the configuration:
> 
=== message truncated ===




Re: webdav ACL

Posted by Andreas Probst <an...@gmx.net>.
Hi Dovan,

I haven't configured SlideRealm so far. So I can't tell you 
anything about it.

To give access to the unauthenticated guest user you could grant 
/actions to /users/guest on /.
Place the following tag just below the start tag of the 
definition of /
<permission action="/actions" subject="/users/guest"
inheritable="true" negative="false"/> 

Maybe it also works with role guest, because guest role is 
defined in the roles section:
<permission action="/actions" subject="guest"
inheritable="true" negative="false"/>

Andreas


On 8 Nov 2002 at 17:48, dovan nguyen wrote:

> Andreas,
> 
> could you please show us again how to configure
> SlideRealm ?
> 
> And how to configure for anonymous user for full
> access to everything (read, write, ..etc) ?
> 
> Thanks,
> Dovan
> 
> --- Andreas Probst <an...@gmx.net> wrote:
> > Maybe you have to change your namespace to the new
> > context, at 
> > least that's what I did for my app.
> > 
> > In web.xml:
> >         <init-param>
> >             <param-name>namespace</param-name>
> >             <param-value>weblaw</param-value>
> > 
> > in Domain.xml:
> > <namespace name="weblaw">
> > 
> > Hope this helps.
> > 
> > Andreas
> > 
> > 
> > On 7 Nov 2002 at 15:29, dovan nguyen wrote:
> > 
> > > Andreas,
> > > 
> > > I use the slide.war as is and uncomment the
> > > authentication in web.xml; I tried to type the url
> > > http://localhost:8080/weblaw/ (weblaw being my
> > context
> > > that map to slide webdav servlet) and a window
> > popup
> > > asking for user/password...
> > > 
> > > i then type in john/john and repeated it with
> > > root/root and neither let me browse the
> > contentstore.
> > > 
> > > Please let me know.
> > > 
> > > Thanks,
> > > Dovan
> > > 
> > > --- Andreas Probst <an...@gmx.net> wrote:
> > > > Hi Dovan,
> > > > 
> > > > as this is a rather big topic and I don't know
> > > > everything I 
> > > > can't explain this in much detail here. Let me
> > > > explain my 
> > > > setting and what I've done.
> > > > 
> > > > the setting:
> > > > -users belong to groups
> > > > -users can be writers in one or more groups and
> > > > readers in the 
> > > > same and other groups
> > > > -every group got its own directory
> > > > -only users, who belong to the group, must be
> > able
> > > > to access the 
> > > > group directory, i.e. the other must not.
> > > > 
> > > > Slide's ACL:
> > > > -to have access to a directory a user must have
> > > > access to the 
> > > > parent directory -> there's no beginning in the
> > > > middle of the 
> > > > tree
> > > > -roles are still very inflexible, but groups can
> > be
> > > > used instead
> > > > 
> > > > things to do:
> > > > 
> > > > 1. users:
> > > > -create the users under /users, like user john
> > > > -create groups, doing the following steps:
> > > > *create SubjectNode, e.g. /users/groupA
> > > > *create GroupNode, e.g. /users/groupA/readers
> > > > *create GroupNode, e.g. /users/groupA/writers
> > > > (subgrouping is not supported in SecurityImpl)
> > > > -link users to the appropriate groups (if john
> > is a
> > > > writer in 
> > > > groupA link /users/groupA/readers/john and 
> > > > /users/groupA/writers/john to /users/john
> > > > (example for most of this is in default
> > Domain.xml)
> > > > 
> > > > 2. create group directories:
> > > > -create one directory for every group under
> > /files,
> > > > like 
> > > > /files/groupA
> > > > 
> > > > 3. set ACL appropriately
> > > > -/actions/read for /users on / not inheritable
> > > > -/actions/read for /users on /files not
> > inheritable
> > > > -/actions for /users on /history and the other
> > > > DeltaV 
> > > > directories inheritable=true (this will be a
> > problem
> > > > as 
> > > > everybody can access everything, but can be
> > solved
> > > > by setting 
> > > > scope in web.xml to /files. I don't know a
> > better
> > > > solution for 
> > > > this.)
> > > > -keep default ACL settings for /actions and
> > /users
> > > > -set ACL for the group directories under /files
> > > > like:
> > > > */actions/read for +/users/groupA/readers on
> > > > /files/groupA 
> > > > inheritable=true
> > > > */actions/write for +/users/groupA/writers on
> > > > /files/groupA 
> > > > inheritable=true
> > > > 
> > > > Because no permission is inherited from /files
> > or /
> > > > only the 
> > > > users, which belong to groupA can access
> > > > /files/groupA. All 
> > > > other users can't access the directory. Denying
> > > > permissions will 
> > > > make problems if users belong to a denied and a
> > > > granted group at 
> > > > the same time. Denied permissions win over
> > granted
> > > > ones. So if a 
> > > > user belongs to a denied group he can't access
> > the
> > > > resource even 
> > > > if he belongs also to the granted group. That's
> > why
> > > > you can't 
> > > > use negative=true on group level in this
> > > > configuration.
> > > > 
> > > > tree to show the configuration:
> > > > 
> > > > / (/actions/read for /users, not inheritable)
> > > > /users (default ACL settings)
> > > >  --groupA
> > > >    --readers
> > > >      --links to john and others
> > > >    --writers
> > > >      --links to the users
> > > >  --groupB
> > > >    --readers
> > > >      --links
> > > >    --writers
> > > >      --links
> > > >  and so on
> > > >  --john (UserRoleImpl)
> > > >  --other users (UserRoleImpl)
> > > >  and so on
> > > > /files (/actions/read for /users, not
> > inheritable)
> > > >  --groupA (/actions/read for
> > +/users/groupA/readers
> > > > and 
> > > > /actions/write for +/users/groupA/writers)
> > > >  --groupB (/actions/read for
> > +/users/groupB/readers
> > > > and 
> > > > /actions/write for +/users/groupB/writers)
> > > >  and so on
> > > >  
> > > > I've so far not dynamically created users,
> > groups
> > > > and group 
> > > > directories. But I think this should be
> > possible. I
> > > > wait for 
> > > > Richies implementation of UserDatabase which I
> > hope
> > > > simplifies 
> > > > the handling of users.
> > > > 
> > > > I hope this will help you.
> > > > 
> > > > Andreas
> > > > 
> > > > 
> > > > On 4 Nov 2002 at 7:53, dovan nguyen wrote:
> > > > 
> > > > > Andreas,
> > > > > 
> > > > > I am trying to achieve the same thing.  Could
> > you
> > > > > please attach a sample configuration file(s)
> > for
> > > > > both Tomcat and Slide along with a
> > description? 
> > > > We
> > > > > would appreciate it if you could also describe
> > a
> > > > few
> > > > > sample at user and group levels, and the
> > location
> > 
> === message truncated ===
> 
> 
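The permission scheme described in the message above (non-inheritable read on / and /files, inheritable grants to group members, negative entries overriding grants) and the effect of the guest grant on /, modelled as an added example; this is not Slide's code and not part of any post in the thread. The flat XML fragment, the membership table and the matching rules (a subject or action URI covers everything below it, a missing inheritable attribute counts as true, read is required on every parent) are assumptions of the model.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample: flat <objectnode>/<permission> entries written in the form
# quoted in the thread. The <fragment> wrapper element is hypothetical.
DOMAIN_FRAGMENT = """
<fragment>
  <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/">
    <permission action="/actions/read" subject="/users"
                inheritable="false" negative="false"/>
  </objectnode>
  <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/files">
    <permission action="/actions/read" subject="/users"
                inheritable="false" negative="false"/>
  </objectnode>
  <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/files/groupA">
    <permission action="/actions/read" subject="+/users/groupA/readers"
                inheritable="true" negative="false"/>
    <permission action="/actions/write" subject="+/users/groupA/writers"
                inheritable="true" negative="false"/>
  </objectnode>
  <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/files/groupB">
    <permission action="/actions/read" subject="+/users/groupB/readers"
                inheritable="true" negative="false"/>
    <permission action="/actions/write" subject="+/users/groupB/writers"
                inheritable="true" negative="false"/>
  </objectnode>
</fragment>
"""

# Constructed group membership (the links under /users/groupX/... in the thread).
MEMBERS = {
    "/users/groupA/readers": {"/users/john", "/users/mary"},
    "/users/groupA/writers": {"/users/john"},
    "/users/groupB/readers": {"/users/mary"},
    "/users/groupB/writers": set(),
}


@dataclass(frozen=True)
class Perm:
    node: str          # URI the permission is attached to
    action: str
    subject: str       # "+<group uri>" means "members of that group"
    inheritable: bool
    negative: bool


# The tag suggested in the thread for the root node: every action, for guest.
GUEST_GRANT = Perm("/", "/actions", "/users/guest", True, False)


def parse_perms(xml_text):
    """Collect every <permission> together with the uri of its <objectnode>."""
    perms = []
    for node in ET.fromstring(xml_text).iter("objectnode"):
        for p in node.findall("permission"):
            perms.append(Perm(node.get("uri"), p.get("action"), p.get("subject"),
                              p.get("inheritable", "true") == "true",  # assumed default
                              p.get("negative", "false") == "true"))
    return perms


def covers(prefix, uri):
    """True if uri equals prefix or lies below it in the tree."""
    return prefix == "/" or uri == prefix or uri.startswith(prefix.rstrip("/") + "/")


def subject_matches(subject, user, members):
    if subject.startswith("+"):
        return user in members.get(subject[1:], set())
    return covers(subject, user)


def decide(perms, members, user, action, uri):
    """Decision on one node: a matching negative entry wins, otherwise any grant."""
    hits = [p for p in perms
            if (p.node == uri or (p.inheritable and covers(p.node, uri)))
            and covers(p.action, action)
            and subject_matches(p.subject, user, members)]
    return bool(hits) and not any(p.negative for p in hits)


def ancestors(uri):
    parts = [s for s in uri.split("/") if s]
    if not parts:
        return []
    return ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]


def can(perms, members, user, action, uri):
    """Read is needed on every parent, then the requested action on the target."""
    return (all(decide(perms, members, user, "/actions/read", a) for a in ancestors(uri))
            and decide(perms, members, user, action, uri))


def broad_grants(perms, anonymous=("/users/guest", "guest")):
    """Audit helper: inheritable grants of the whole /actions tree to guest."""
    return [p for p in perms if not p.negative and p.inheritable
            and p.action == "/actions" and p.subject in anonymous]
```

Running `broad_grants` over a parsed configuration before deployment flags the guest grant, which in this model opens every group directory to unauthenticated writes.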


Re: webdav ACL

Posted by dovan nguyen <do...@yahoo.com>.
Andreas,

Could you please show us again how to configure
SlideRealm?

And how to configure for anonymous user for full
access to everything (read, write, etc.)?

Thanks,
Dovan

--- Andreas Probst <an...@gmx.net> wrote:
> Maybe you have to change your namespace to the new
> context, at 
> least that's what I did for my app.
> 
> In web.xml:
>         <init-param>
>             <param-name>namespace</param-name>
>             <param-value>weblaw</param-value>
> 
> in Domain.xml:
> <namespace name="weblaw">
> 
> Hope this helps.
> 
> Andreas
> 
> 
> On 7 Nov 2002 at 15:29, dovan nguyen wrote:
> 
> > Andreas,
> > 
> > I use the slide.war as is and uncomment the
> > authentication in web.xml; I tried to type the url
> > http://localhost:8080/weblaw/ (weblaw being my
> context
> > that map to slide webdav servlet) and a window
> popup
> > asking for user/password...
> > 
> > i then type in john/john and repeated it with
> > root/root and neither let me browse the
> contentstore.
> > 
> > Please let me know.
> > 
> > Thanks,
> > Dovan
> > 
> > --- Andreas Probst <an...@gmx.net> wrote:
> > > Hi Dovan,
> > > 
> > > as this is a rather big topic and I don't know
> > > everything I 
> > > can't explain this in much detail here. Let me
> > > explain my 
> > > setting and what I've done.
> > > 
> > > the setting:
> > > -users belong to groups
> > > -users can be writers in one or more groups and
> > > readers in the 
> > > same and other groups
> > > -every group got its own directory
> > > -only users, who belong to the group, must be
> able
> > > to access the 
> > > group directory, i.e. the other must not.
> > > 
> > > Slide's ACL:
> > > -to have access to a directory a user must have
> > > access to the 
> > > parent directory -> there's no beginning in the
> > > middle of the 
> > > tree
> > > -roles are still very inflexible, but groups can
> be
> > > used instead
> > > 
> > > things to do:
> > > 
> > > 1. users:
> > > -create the users under /users, like user john
> > > -create groups, doing the following steps:
> > > *create SubjectNode, e.g. /users/groupA
> > > *create GroupNode, e.g. /users/groupA/readers
> > > *create GroupNode, e.g. /users/groupA/writers
> > > (subgrouping is not supported in SecurityImpl)
> > > -link users to the appropriate groups (if john
> is a
> > > writer in 
> > > groupA link /users/groupA/readers/john and 
> > > /users/groupA/writers/john to /users/john
> > > (example for most of this is in default
> Domain.xml)
> > > 
> > > 2. create group directories:
> > > -create one directory for every group under
> /files,
> > > like 
> > > /files/groupA
> > > 
> > > 3. set ACL appropriately
> > > -/actions/read for /users on / not inheritable
> > > -/actions/read for /users on /files not
> inheritable
> > > -/actions for /users on /history and the other
> > > DeltaV 
> > > directories inheritable=true (this will be a
> problem
> > > as 
> > > everybody can access everything, but can be
> solved
> > > by setting 
> > > scope in web.xml to /files. I don't know a
> better
> > > solution for 
> > > this.)
> > > -keep default ACL settings for /actions and
> /users
> > > -set ACL for the group directories under /files
> > > like:
> > > */actions/read for +/users/groupA/readers on
> > > /files/groupA 
> > > inheritable=true
> > > */actions/write for +/users/groupA/writers on
> > > /files/groupA 
> > > inheritable=true
> > > 
> > > Because no permission is inherited from /files
> or /
> > > only the 
> > > users, which belong to groupA can access
> > > /files/groupA. All 
> > > other users can't access the directory. Denying
> > > permissions will 
> > > make problems if users belong to a denied and a
> > > granted group at 
> > > the same time. Denied permissions win over
> granted
> > > ones. So if a 
> > > user belongs to a denied group he can't access
> the
> > > resource even 
> > > if he belongs also to the granted group. That's
> why
> > > you can't 
> > > use negative=true on group level in this
> > > configuration.
> > > 
> > > tree to show the configuration:
> > > 
> > > / (/actions/read for /users, not inheritable)
> > > /users (default ACL settings)
> > >  --groupA
> > >    --readers
> > >      --links to john and others
> > >    --writers
> > >      --links to the users
> > >  --groupB
> > >    --readers
> > >      --links
> > >    --writers
> > >      --links
> > >  and so on
> > >  --john (UserRoleImpl)
> > >  --other users (UserRoleImpl)
> > >  and so on
> > > /files (/actions/read for /users, not
> inheritable)
> > >  --groupA (/actions/read for
> +/users/groupA/readers
> > > and 
> > > /actions/write for +/users/groupA/writers)
> > >  --groupB (/actions/read for
> +/users/groupB/readers
> > > and 
> > > /actions/write for +/users/groupB/writers)
> > >  and so on
> > >  
> > > I've so far not dynamically created users,
> groups
> > > and group 
> > > directories. But I think this should be
> possible. I
> > > wait for 
> > > Richies implementation of UserDatabase which I
> hope
> > > simplifies 
> > > the handling of users.
> > > 
> > > I hope this will help you.
> > > 
> > > Andreas
> > > 
> > > 
> > > On 4 Nov 2002 at 7:53, dovan nguyen wrote:
> > > 
> > > > Andreas,
> > > > 
> > > > I am trying to achieve the same thing.  Could
> you
> > > > please attach a sample configuration file(s)
> for
> > > > both Tomcat and Slide along with a
> description? 
> > > We
> > > > would appreciate it if you could also describe
> a
> > > few
> > > > sample at user and group levels, and the
> location
> 
=== message truncated ===




Re: webdav ACL

Posted by dovan nguyen <do...@yahoo.com>.
Andreas,

I just took the original slide.war and without any
modification (except uncomment in web.xml for
authentication) it still doesn't let me in even when I
use the Slide.java client at the command line.

Please let me know.

Thanks,
Dovan

--- Andreas Probst <an...@gmx.net> wrote:
> Maybe you have to change your namespace to the new
> context, at 
> least that's what I did for my app.
> 
> In web.xml:
>         <init-param>
>             <param-name>namespace</param-name>
>             <param-value>weblaw</param-value>
> 
> in Domain.xml:
> <namespace name="weblaw">
> 
> Hope this helps.
> 
> Andreas
> 
> 
> On 7 Nov 2002 at 15:29, dovan nguyen wrote:
> 
> > Andreas,
> > 
> > I use the slide.war as is and uncomment the
> > authentication in web.xml; I tried to type the url
> > http://localhost:8080/weblaw/ (weblaw being my
> context
> > that map to slide webdav servlet) and a window
> popup
> > asking for user/password...
> > 
> > i then type in john/john and repeated it with
> > root/root and neither let me browse the
> contentstore.
> > 
> > Please let me know.
> > 
> > Thanks,
> > Dovan
> > 
> > --- Andreas Probst <an...@gmx.net> wrote:
> > > Hi Dovan,
> > > 
> > > as this is a rather big topic and I don't know
> > > everything I 
> > > can't explain this in much detail here. Let me
> > > explain my 
> > > setting and what I've done.
> > > 
> > > the setting:
> > > -users belong to groups
> > > -users can be writers in one or more groups and
> > > readers in the 
> > > same and other groups
> > > -every group got its own directory
> > > -only users, who belong to the group, must be
> able
> > > to access the 
> > > group directory, i.e. the other must not.
> > > 
> > > Slide's ACL:
> > > -to have access to a directory a user must have
> > > access to the 
> > > parent directory -> there's no beginning in the
> > > middle of the 
> > > tree
> > > -roles are still very inflexible, but groups can
> be
> > > used instead
> > > 
> > > things to do:
> > > 
> > > 1. users:
> > > -create the users under /users, like user john
> > > -create groups, doing the following steps:
> > > *create SubjectNode, e.g. /users/groupA
> > > *create GroupNode, e.g. /users/groupA/readers
> > > *create GroupNode, e.g. /users/groupA/writers
> > > (subgrouping is not supported in SecurityImpl)
> > > -link users to the appropriate groups (if john
> is a
> > > writer in 
> > > groupA link /users/groupA/readers/john and 
> > > /users/groupA/writers/john to /users/john
> > > (example for most of this is in default
> Domain.xml)
> > > 
> > > 2. create group directories:
> > > -create one directory for every group under
> /files,
> > > like 
> > > /files/groupA
> > > 
> > > 3. set ACL appropriately
> > > -/actions/read for /users on / not inheritable
> > > -/actions/read for /users on /files not
> inheritable
> > > -/actions for /users on /history and the other
> > > DeltaV 
> > > directories inheritable=true (this will be a
> problem
> > > as 
> > > everybody can access everything, but can be
> solved
> > > by setting 
> > > scope in web.xml to /files. I don't know a
> better
> > > solution for 
> > > this.)
> > > -keep default ACL settings for /actions and
> /users
> > > -set ACL for the group directories under /files
> > > like:
> > > */actions/read for +/users/groupA/readers on
> > > /files/groupA 
> > > inheritable=true
> > > */actions/write for +/users/groupA/writers on
> > > /files/groupA 
> > > inheritable=true
> > > 
> > > Because no permission is inherited from /files
> or /
> > > only the 
> > > users, which belong to groupA can access
> > > /files/groupA. All 
> > > other users can't access the directory. Denying
> > > permissions will 
> > > make problems if users belong to a denied and a
> > > granted group at 
> > > the same time. Denied permissions win over
> granted
> > > ones. So if a 
> > > user belongs to a denied group he can't access
> the
> > > resource even 
> > > if he belongs also to the granted group. That's
> why
> > > you can't 
> > > use negative=true on group level in this
> > > configuration.
> > > 
> > > tree to show the configuration:
> > > 
> > > / (/actions/read for /users, not inheritable)
> > > /users (default ACL settings)
> > >  --groupA
> > >    --readers
> > >      --links to john and others
> > >    --writers
> > >      --links to the users
> > >  --groupB
> > >    --readers
> > >      --links
> > >    --writers
> > >      --links
> > >  and so on
> > >  --john (UserRoleImpl)
> > >  --other users (UserRoleImpl)
> > >  and so on
> > > /files (/actions/read for /users, not
> inheritable)
> > >  --groupA (/actions/read for
> +/users/groupA/readers
> > > and 
> > > /actions/write for +/users/groupA/writers)
> > >  --groupB (/actions/read for
> +/users/groupB/readers
> > > and 
> > > /actions/write for +/users/groupB/writers)
> > >  and so on
> > >  
> > > I've so far not dynamically created users,
> groups
> > > and group 
> > > directories. But I think this should be
> possible. I
> > > wait for 
> > > Richies implementation of UserDatabase which I
> hope
> > > simplifies 
> > > the handling of users.
> > > 
> > > I hope this will help you.
> > > 
> > > Andreas
> > > 
> > > 
> > > On 4 Nov 2002 at 7:53, dovan nguyen wrote:
> > > 
> > > > Andreas,
> > > > 
> > > > I am trying to achieve the same thing.  Could
> you
> > > > please attached a sample configuration file(s)
> for
> > > > both Tomcat and Slide along with a
> description? 
> > > We
> > > > would appreciate it if you could also describe
> a
> > > few
> > > > sample at user and group levels, and the
> location
> 
=== message truncated ===




Re: webdav ACL

Posted by dovan nguyen <do...@yahoo.com>.
Andreas,

I did this and it still doesn't let me in... and I also
changed the following:

      <!-- Default properties mapping -->
      <default-property name="foo" namespace="nsfoo/" value="bar"
       role="user"/>
      <default-property name="password" namespace="weblaw/" value=""
       role="user"/>

Any other suggestions?  Please let me know.

Thanks,
Dovan

--- Andreas Probst <an...@gmx.net> wrote:
> Maybe you have to change your namespace to the new
> context, at 
> least that's what I did for my app.
> 
> In web.xml:
>         <init-param>
>             <param-name>namespace</param-name>
>             <param-value>weblaw</param-value>
> 
> in Domain.xml:
> <namespace name="weblaw">
> 
> Hope this helps.
> 
> Andreas
> 
> 
> On 7 Nov 2002 at 15:29, dovan nguyen wrote:
> 
> > Andreas,
> > 
> > I use the slide.war as is and uncomment the
> > authentication in web.xml; I tried to type the url
> > http://localhost:8080/weblaw/ (weblaw being my
> context
> > that map to slide webdav servlet) and a window
> popup
> > asking for user/password...
> > 
> > i then type in john/john and repeated it with
> > root/root and neither let me browse the
> contentstore.
> > 
> > Please let me know.
> > 
> > Thanks,
> > Dovan
> > 
> > --- Andreas Probst <an...@gmx.net> wrote:
> > > Hi Dovan,
> > > 
> > > as this is a rather big topic and I don't know
> > > everything I 
> > > can't explain this in much detail here. Let me
> > > explain my 
> > > setting and what I've done.
> > > 
> > > the setting:
> > > -users belong to groups
> > > -users can be writers in one or more groups and
> > > readers in the 
> > > same and other groups
> > > -every group got its own directory
> > > -only users, who belong to the group, must be
> able
> > > to access the 
> > > group directory, i.e. the other must not.
> > > 
> > > Slide's ACL:
> > > -to have access to a directory a user must have
> > > access to the 
> > > parent directory -> there's no beginning in the
> > > middle of the 
> > > tree
> > > -roles are still very inflexible, but groups can
> be
> > > used instead
> > > 
> > > things to do:
> > > 
> > > 1. users:
> > > -create the users under /users, like user john
> > > -create groups, doing the following steps:
> > > *create SubjectNode, e.g. /users/groupA
> > > *create GroupNode, e.g. /users/groupA/readers
> > > *create GroupNode, e.g. /users/groupA/writers
> > > (subgrouping is not supported in SecurityImpl)
> > > -link users to the appropriate groups (if john
> is a
> > > writer in 
> > > groupA link /users/groupA/readers/john and 
> > > /users/groupA/writers/john to /users/john
> > > (example for most of this is in default
> Domain.xml)
> > > 
> > > 2. create group directories:
> > > -create one directory for every group under
> /files,
> > > like 
> > > /files/groupA
> > > 
> > > 3. set ACL appropriately
> > > -/actions/read for /users on / not inheritable
> > > -/actions/read for /users on /files not
> inheritable
> > > -/actions for /users on /history and the other
> > > DeltaV 
> > > directories inheritable=true (this will be a
> problem
> > > as 
> > > everybody can access everything, but can be
> solved
> > > by setting 
> > > scope in web.xml to /files. I don't know a
> better
> > > solution for 
> > > this.)
> > > -keep default ACL settings for /actions and
> /users
> > > -set ACL for the group directories under /files
> > > like:
> > > */actions/read for +/users/groupA/readers on
> > > /files/groupA 
> > > inheritable=true
> > > */actions/write for +/users/groupA/writers on
> > > /files/groupA 
> > > inheritable=true
> > > 
> > > Because no permission is inherited from /files
> or /
> > > only the 
> > > users, which belong to groupA can access
> > > /files/groupA. All 
> > > other users can't access the directory. Denying
> > > permissions will 
> > > make problems if users belong to a denied and a
> > > granted group at 
> > > the same time. Denied permissions win over
> granted
> > > ones. So if a 
> > > user belongs to a denied group he can't access
> the
> > > resource even 
> > > if he belongs also to the granted group. That's
> why
> > > you can't 
> > > use negative=true on group level in this
> > > configuration.
> > > 
> > > tree to show the configuration:
> > > 
> > > / (/actions/read for /users, not inheritable)
> > > /users (default ACL settings)
> > >  --groupA
> > >    --readers
> > >      --links to john and others
> > >    --writers
> > >      --links to the users
> > >  --groupB
> > >    --readers
> > >      --links
> > >    --writers
> > >      --links
> > >  and so on
> > >  --john (UserRoleImpl)
> > >  --other users (UserRoleImpl)
> > >  and so on
> > > /files (/actions/read for /users, not
> inheritable)
> > >  --groupA (/actions/read for
> +/users/groupA/readers
> > > and 
> > > /actions/write for +/users/groupA/writers)
> > >  --groupB (/actions/read for
> +/users/groupB/readers
> > > and 
> > > /actions/write for +/users/groupB/writers)
> > >  and so on
> > >  
> > > I've so far not dynamically created users,
> groups
> > > and group 
> > > directories. But I think this should be
> possible. I
> > > wait for 
> > > Richies implementation of UserDatabase which I
> hope
> > > simplifies 
> > > the handling of users.
> > > 
> > > I hope this will help you.
> > > 
> > > Andreas
> > > 
> > > 
> > > On 4 Nov 2002 at 7:53, dovan nguyen wrote:
> > > 
> > > > Andreas,
> > > > 
> > > > I am trying to achieve the same thing.  Could
> you
> > > > please attached a sample configuration file(s)
> for
> > > > both Tomcat and Slide along with a
> description? 
> > > We
> > > > would appreciate it if you could also describe
> a
> > > few
> > > > sample at user and group levels, and the
> location
> 
=== message truncated ===




Re: webdav ACL

Posted by Andreas Probst <an...@gmx.net>.
Maybe you have to change your namespace to the new context, at 
least that's what I did for my app.

In web.xml:
        <init-param>
            <param-name>namespace</param-name>
            <param-value>weblaw</param-value>
        </init-param>

in Domain.xml:
<namespace name="weblaw">

Hope this helps.

Andreas


On 7 Nov 2002 at 15:29, dovan nguyen wrote:

> Andreas,
> 
> I use the slide.war as is and uncomment the
> authentication in web.xml; I tried to type the url
> http://localhost:8080/weblaw/ (weblaw being my context
> that map to slide webdav servlet) and a window popup
> asking for user/password...
> 
> i then type in john/john and repeated it with
> root/root and neither let me browse the contentstore.
> 
> Please let me know.
> 
> Thanks,
> Dovan
> 
> --- Andreas Probst <an...@gmx.net> wrote:
> > Hi Dovan,
> > 
> > as this is a rather big topic and I don't know
> > everything I 
> > can't explain this in much detail here. Let me
> > explain my 
> > setting and what I've done.
> > 
> > the setting:
> > -users belong to groups
> > -users can be writers in one or more groups and
> > readers in the 
> > same and other groups
> > -every group got its own directory
> > -only users, who belong to the group, must be able
> > to access the 
> > group directory, i.e. the other must not.
> > 
> > Slide's ACL:
> > -to have access to a directory a user must have
> > access to the 
> > parent directory -> there's no beginning in the
> > middle of the 
> > tree
> > -roles are still very inflexible, but groups can be
> > used instead
> > 
> > things to do:
> > 
> > 1. users:
> > -create the users under /users, like user john
> > -create groups, doing the following steps:
> > *create SubjectNode, e.g. /users/groupA
> > *create GroupNode, e.g. /users/groupA/readers
> > *create GroupNode, e.g. /users/groupA/writers
> > (subgrouping is not supported in SecurityImpl)
> > -link users to the appropriate groups (if john is a
> > writer in 
> > groupA link /users/groupA/readers/john and 
> > /users/groupA/writers/john to /users/john
> > (example for most of this is in default Domain.xml)
> > 
> > 2. create group directories:
> > -create one directory for every group under /files,
> > like 
> > /files/groupA
> > 
> > 3. set ACL appropriately
> > -/actions/read for /users on / not inheritable
> > -/actions/read for /users on /files not inheritable
> > -/actions for /users on /history and the other
> > DeltaV 
> > directories inheritable=true (this will be a problem
> > as 
> > everybody can access everything, but can be solved
> > by setting 
> > scope in web.xml to /files. I don't know a better
> > solution for 
> > this.)
> > -keep default ACL settings for /actions and /users
> > -set ACL for the group directories under /files
> > like:
> > */actions/read for +/users/groupA/readers on
> > /files/groupA 
> > inheritable=true
> > */actions/write for +/users/groupA/writers on
> > /files/groupA 
> > inheritable=true
> > 
> > Because no permission is inherited from /files or /
> > only the 
> > users, which belong to groupA can access
> > /files/groupA. All 
> > other users can't access the directory. Denying
> > permissions will 
> > make problems if users belong to a denied and a
> > granted group at 
> > the same time. Denied permissions win over granted
> > ones. So if a 
> > user belongs to a denied group he can't access the
> > resource even 
> > if he belongs also to the granted group. That's why
> > you can't 
> > use negative=true on group level in this
> > configuration.
> > 
> > tree to show the configuration:
> > 
> > / (/actions/read for /users, not inheritable)
> > /users (default ACL settings)
> >  --groupA
> >    --readers
> >      --links to john and others
> >    --writers
> >      --links to the users
> >  --groupB
> >    --readers
> >      --links
> >    --writers
> >      --links
> >  and so on
> >  --john (UserRoleImpl)
> >  --other users (UserRoleImpl)
> >  and so on
> > /files (/actions/read for /users, not inheritable)
> >  --groupA (/actions/read for +/users/groupA/readers
> > and 
> > /actions/write for +/users/groupA/writers)
> >  --groupB (/actions/read for +/users/groupB/readers
> > and 
> > /actions/write for +/users/groupB/writers)
> >  and so on
> >  
> > I've so far not dynamically created users, groups
> > and group 
> > directories. But I think this should be possible. I
> > wait for 
> > Richies implementation of UserDatabase which I hope
> > simplifies 
> > the handling of users.
> > 
> > I hope this will help you.
> > 
> > Andreas
> > 
> > 
> > On 4 Nov 2002 at 7:53, dovan nguyen wrote:
> > 
> > > Andreas,
> > > 
> > > I am trying to achieve the same thing.  Could you
> > > please attached a sample configuration file(s) for
> > > both Tomcat and Slide along with a description? 
> > We
> > > would appreciate it if you could also describe a
> > few
> > > sample at user and group levels, and the location
> > on
> > > where those files must reside.
> > > 
> > > Thank you,
> > > Dovan
> > > 
> > > --- Andreas Probst <an...@gmx.net> wrote:
> > > > Hi Sean!
> > > > 
> > > > On 1 Nov 2002 at 17:22, Sean Qi wrote:
> > > > 
> > > > > Hi, all,
> > > > > 
> > > > > > I am trying to use Slide to build a content
> > > > management system.
> > > > > 
> > > > > I plan to use the JDBCRealm for user
> > > > authentication at the servlet container level.  
> > > > > 
> > > > > In the meantime, I want to do the user
> > > > authorization, such as user A can only read
> > ABC.txt
> > > > and meanwhile user B can read/write ABC.txt.  I
> > > > guess the "org.apache.webdav.*" can do the job. 
> > 
> > > > 
> > > > Authentication is done by servlet container, ie.
> > > > Tomcat. 
> > > > Authorization is done by Slide using Access
> > Control
> > > > Lists (ACL), 
> > > > which are saved in the nodes of the tree.
> > > > > 
> > > > > > 1.  How to use/leverage/integrate the
> > > > "org.apache.webdav.*" together with the user
> > > > authentication at the servlet container level?
> > > > > 2.  Would you please give me some pointers
> > where I
> > > > can have a good/better understanding of how to
> > > > "org.apache.webdav.*"  packages?
> > > > 
> > > > org.apache.webdav.cmd.Slide and
> > > > org.apache.webdav.cmd.Client 
> > > > would be good starting points for the
> > WebDAV-Client
> > > > packages.
> > > > 
> > > > 
> > > > > 
> > > > > Any input appreciated. Thanx
> > > > > 
> > > > > S.Q 
> > > > > 
> > > > Andreas
> > 
> > 
> 





Re: webdav ACL

Posted by dovan nguyen <do...@yahoo.com>.
Andreas,

I use the slide.war as is and uncommented the
authentication in web.xml; I tried to type the URL
http://localhost:8080/weblaw/ (weblaw being my context
that maps to the slide webdav servlet) and a window popped up
asking for user/password...

I then typed in john/john and repeated it with
root/root and neither let me browse the contentstore.

Please let me know.

Thanks,
Dovan

--- Andreas Probst <an...@gmx.net> wrote:
> Hi Dovan,
> 
> as this is a rather big topic and I don't know
> everything I 
> can't explain this in much detail here. Let me
> explain my 
> setting and what I've done.
> 
> the setting:
> -users belong to groups
> -users can be writers in one or more groups and
> readers in the 
> same and other groups
> -every group got its own directory
> -only users, who belong to the group, must be able
> to access the 
> group directory, i.e. the other must not.
> 
> Slide's ACL:
> -to have access to a directory a user must have
> access to the 
> parent directory -> there's no beginning in the
> middle of the 
> tree
> -roles are still very inflexible, but groups can be
> used instead
> 
> things to do:
> 
> 1. users:
> -create the users under /users, like user john
> -create groups, doing the following steps:
> *create SubjectNode, e.g. /users/groupA
> *create GroupNode, e.g. /users/groupA/readers
> *create GroupNode, e.g. /users/groupA/writers
> (subgrouping is not supported in SecurityImpl)
> -link users to the appropriate groups (if john is a
> writer in 
> groupA link /users/groupA/readers/john and 
> /users/groupA/writers/john to /users/john
> (example for most of this is in default Domain.xml)
> 
> 2. create group directories:
> -create one directory for every group under /files,
> like 
> /files/groupA
> 
> 3. set ACL appropriately
> -/actions/read for /users on / not inheritable
> -/actions/read for /users on /files not inheritable
> -/actions for /users on /history and the other
> DeltaV 
> directories inheritable=true (this will be a problem
> as 
> everybody can access everything, but can be solved
> by setting 
> scope in web.xml to /files. I don't know a better
> solution for 
> this.)
> -keep default ACL settings for /actions and /users
> -set ACL for the group directories under /files
> like:
> */actions/read for +/users/groupA/readers on
> /files/groupA 
> inheritable=true
> */actions/write for +/users/groupA/writers on
> /files/groupA 
> inheritable=true
> 
> Because no permission is inherited from /files or /
> only the 
> users, which belong to groupA can access
> /files/groupA. All 
> other users can't access the directory. Denying
> permissions will 
> make problems if users belong to a denied and a
> granted group at 
> the same time. Denied permissions win over granted
> ones. So if a 
> user belongs to a denied group he can't access the
> resource even 
> if he belongs also to the granted group. That's why
> you can't 
> use negative=true on group level in this
> configuration.
> 
> tree to show the configuration:
> 
> / (/actions/read for /users, not inheritable)
> /users (default ACL settings)
>  --groupA
>    --readers
>      --links to john and others
>    --writers
>      --links to the users
>  --groupB
>    --readers
>      --links
>    --writers
>      --links
>  and so on
>  --john (UserRoleImpl)
>  --other users (UserRoleImpl)
>  and so on
> /files (/actions/read for /users, not inheritable)
>  --groupA (/actions/read for +/users/groupA/readers
> and 
> /actions/write for +/users/groupA/writers)
>  --groupB (/actions/read for +/users/groupB/readers
> and 
> /actions/write for +/users/groupB/writers)
>  and so on
>  
> I've so far not dynamically created users, groups
> and group 
> directories. But I think this should be possible. I
> wait for 
> Richies implementation of UserDatabase which I hope
> simplifies 
> the handling of users.
> 
> I hope this will help you.
> 
> Andreas
> 
> 
> On 4 Nov 2002 at 7:53, dovan nguyen wrote:
> 
> > Andreas,
> > 
> > I am trying to achieve the same thing.  Could you
> > please attached a sample configuration file(s) for
> > both Tomcat and Slide along with a description? 
> We
> > would appreciate it if you could also describe a
> few
> > sample at user and group levels, and the location
> on
> > where those files must reside.
> > 
> > Thank you,
> > Dovan
> > 
> > --- Andreas Probst <an...@gmx.net> wrote:
> > > Hi Sean!
> > > 
> > > On 1 Nov 2002 at 17:22, Sean Qi wrote:
> > > 
> > > > Hi, all,
> > > > 
> > > > > I am trying to use Slide to build a content
> > > management system.
> > > > 
> > > > I plan to use the JDBCRealm for user
> > > authentication at the servlet container level.  
> > > > 
> > > > In the meantime, I want to do the user
> > > authorization, such as user A can only read
> ABC.txt
> > > and meanwhile user B can read/write ABC.txt.  I
> > > guess the "org.apache.webdav.*" can do the job. 
> 
> > > 
> > > Authentication is done by servlet container, ie.
> > > Tomcat. 
> > > Authorization is done by Slide using Access
> Control
> > > Lists (ACL), 
> > > which are saved in the nodes of the tree.
> > > > 
> > > > > 1.  How to use/leverage/integrate the
> > > "org.apache.webdav.*" together with the user
> > > authentication at the servlet container level?
> > > > 2.  Would you please give me some pointers
> where I
> > > can have a good/better understanding of how to
> > > "org.apache.webdav.*"  packages?
> > > 
> > > org.apache.webdav.cmd.Slide and
> > > org.apache.webdav.cmd.Client 
> > > would be good starting points for the
> WebDAV-Client
> > > packages.
> > > 
> > > 
> > > > 
> > > > Any input appreciated. Thanx
> > > > 
> > > > S.Q 
> > > > 
> > > Andreas
> 
> 


Re: webdav ACL

Posted by Andreas Probst <an...@gmx.net>.
Hi Dovan,

as this is a rather big topic and I don't know everything I 
can't explain this in much detail here. Let me explain my 
setting and what I've done.

the setting:
-users belong to groups
-users can be writers in one or more groups and readers in the 
same and other groups
-every group got its own directory
-only users, who belong to the group, must be able to access the 
group directory, i.e. the other must not.

Slide's ACL:
-to have access to a directory a user must have access to the 
parent directory -> there's no beginning in the middle of the 
tree
-roles are still very inflexible, but groups can be used instead

things to do:

1. users:
-create the users under /users, like user john
-create groups, doing the following steps:
*create SubjectNode, e.g. /users/groupA
*create GroupNode, e.g. /users/groupA/readers
*create GroupNode, e.g. /users/groupA/writers
(subgrouping is not supported in SecurityImpl)
-link users to the appropriate groups (if john is a writer in 
groupA, link /users/groupA/readers/john and 
/users/groupA/writers/john to /users/john)
(example for most of this is in default Domain.xml)

2. create group directories:
-create one directory for every group under /files, like 
/files/groupA

3. set ACL appropriately
-/actions/read for /users on / not inheritable
-/actions/read for /users on /files not inheritable
-/actions for /users on /history and the other DeltaV 
directories inheritable=true (this will be a problem as 
everybody can access everything, but can be solved by setting 
scope in web.xml to /files. I don't know a better solution for 
this.)
-keep default ACL settings for /actions and /users
-set ACL for the group directories under /files like:
*/actions/read for +/users/groupA/readers on /files/groupA 
inheritable=true
*/actions/write for +/users/groupA/writers on /files/groupA 
inheritable=true

Because no permission is inherited from /files or / only the 
users, which belong to groupA can access /files/groupA. All 
other users can't access the directory. Denying permissions will 
make problems if users belong to a denied and a granted group at 
the same time. Denied permissions win over granted ones. So if a 
user belongs to a denied group he can't access the resource even 
if he belongs also to the granted group. That's why you can't 
use negative=true on group level in this configuration.

tree to show the configuration:

/ (/actions/read for /users, not inheritable)
/users (default ACL settings)
 --groupA
   --readers
     --links to john and others
   --writers
     --links to the users
 --groupB
   --readers
     --links
   --writers
     --links
 and so on
 --john (UserRoleImpl)
 --other users (UserRoleImpl)
 and so on
/files (/actions/read for /users, not inheritable)
 --groupA (/actions/read for +/users/groupA/readers and 
/actions/write for +/users/groupA/writers)
 --groupB (/actions/read for +/users/groupB/readers and 
/actions/write for +/users/groupB/writers)
 and so on
 
I've so far not dynamically created users, groups and group 
directories. But I think this should be possible. I wait for 
Richies implementation of UserDatabase which I hope simplifies 
the handling of users.

I hope this will help you.

Andreas


On 4 Nov 2002 at 7:53, dovan nguyen wrote:

> Andreas,
> 
> I am trying to achieve the same thing.  Could you
> please attached a sample configuration file(s) for
> both Tomcat and Slide along with a description?  We
> would appreciate it if you could also describe a few
> sample at user and group levels, and the location on
> where those files must reside.
> 
> Thank you,
> Dovan
> 
> --- Andreas Probst <an...@gmx.net> wrote:
> > Hi Sean!
> > 
> > On 1 Nov 2002 at 17:22, Sean Qi wrote:
> > 
> > > Hi, all,
> > > 
> > > > I am trying to use Slide to build a content
> > management system.
> > > 
> > > I plan to use the JDBCRealm for user
> > authentication at the servlet container level.  
> > > 
> > > In the meantime, I want to do the user
> > authorization, such as user A can only read ABC.txt
> > and meanwhile user B can read/write ABC.txt.  I
> > guess the "org.apache.webdav.*" can do the job.  
> > 
> > Authentication is done by servlet container, ie.
> > Tomcat. 
> > Authorization is done by Slide using Access Control
> > Lists (ACL), 
> > which are saved in the nodes of the tree.
> > > 
> > > > 1.  How to use/leverage/integrate the
> > "org.apache.webdav.*" together with the user
> > authentication at the servlet container level?
> > > 2.  Would you please give me some pointers where I
> > can have a good/better understanding of how to
> > "org.apache.webdav.*"  packages?
> > 
> > org.apache.webdav.cmd.Slide and
> > org.apache.webdav.cmd.Client 
> > would be good starting points for the WebDAV-Client
> > packages.
> > 
> > 
> > > 
> > > Any input appreciated. Thanx
> > > 
> > > S.Q 
> > > 
> > Andreas


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
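
Added example (not part of the original thread, and not Slide's own code): a simplified Python model of the /files layout Andreas describes above, showing how the non-inheritable read grant on /files combines with the "+" group grants on /files/groupA and /files/groupB. The user URIs other than john, the group memberships, report.txt, and the matching rules (prefix match for plain subjects, "+" meaning members of the named group, "not inheritable" meaning the grant applies only on the node that carries it) are assumptions of this model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    action: str               # e.g. "/actions/read"
    subject: str              # "/users/..." or "+<group uri>" for group members
    inheritable: bool = True  # False: applies only on the node that carries it

# Constructed memberships (assumption; only john appears in the thread).
GROUPS = {
    "/users/groupA/readers": {"/users/john"},
    "/users/groupA/writers": {"/users/mary"},
    "/users/groupB/readers": {"/users/bob"},
    "/users/groupB/writers": set(),
}

def group_acl(name):
    return [Grant("/actions/read", f"+/users/{name}/readers"),
            Grant("/actions/write", f"+/users/{name}/writers")]

# The /files subtree as described in the message.
ACL = {
    "/files": [Grant("/actions/read", "/users", inheritable=False)],
    "/files/groupA": group_acl("groupA"),
    "/files/groupB": group_acl("groupB"),
}

def covers(ancestor, uri):
    """True if uri is ancestor itself or lies below it in the namespace."""
    return uri == ancestor or uri.startswith(ancestor.rstrip("/") + "/")

def subject_matches(subject, user):
    if subject.startswith("+"):                  # "+" = members of that group
        return user in GROUPS.get(subject[1:], set())
    return covers(subject, user)

def path_to_root(uri):
    """Yield uri, then each parent collection up to "/"."""
    while True:
        yield uri
        if uri == "/":
            return
        uri = uri.rsplit("/", 1)[0] or "/"

def is_allowed(user, action, resource):
    for node in path_to_root(resource):
        for g in ACL.get(node, []):
            if node != resource and not g.inheritable:
                continue                         # grant does not flow down
            if covers(g.action, action) and subject_matches(g.subject, user):
                return True
    return False                                 # nothing matched: deny
```

In this model every user can read /files itself, but because that grant is not inheritable nobody reads another group's directory, and a writer who is not also listed under readers cannot read.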


Re: webdav ACL

Posted by dovan nguyen <do...@yahoo.com>.
Andreas,

I am trying to achieve the same thing.  Could you
please attach a sample configuration file(s) for
both Tomcat and Slide along with a description?  We
would appreciate it if you could also describe a few
samples at user and group levels, and the location
where those files must reside.

Thank you,
Dovan

--- Andreas Probst <an...@gmx.net> wrote:
> Hi Sean!
> 
> On 1 Nov 2002 at 17:22, Sean Qi wrote:
> 
> > Hi, all,
> > 
> > I am trying to use Slide to build a content management system.
> > 
> > I plan to use the JDBCRealm for user authentication at the servlet container level.
> > 
> > In the meantime, I want to do the user authorization, such as user A can only read ABC.txt and meanwhile user B can read/write ABC.txt.  I guess the "org.apache.webdav.*" can do the job.
> 
> Authentication is done by servlet container, i.e. Tomcat. 
> Authorization is done by Slide using Access Control Lists (ACL), 
> which are saved in the nodes of the tree.
> > 
> > 1.  How to use/leverage/integrate the "org.apache.webdav.*" together with the user authentication at the servlet container level?
> > 2.  Would you please give me some pointers where I can have a good/better understanding of how to "org.apache.webdav.*"  packages?
> 
> org.apache.webdav.cmd.Slide and org.apache.webdav.cmd.Client 
> would be good starting points for the WebDAV-Client packages.
> 
> 
> > 
> > Any input appreciated. Thanx
> > 
> > S.Q 
> > 
> Andreas
> 
> 


Re: webdav ACL

Posted by Andreas Probst <an...@gmx.net>.
Hi Sean!

On 1 Nov 2002 at 17:22, Sean Qi wrote:

> Hi, all,
> 
> I am trying to use Slide to build a content management system.
> 
> I plan to use the JDBCRealm for user authentication at the servlet container level.  
> 
> In the meantime, I want to do the user authorization, such as user A can only read ABC.txt and meanwhile user B can read/write ABC.txt.  I guess the "org.apache.webdav.*" can do the job.  

Authentication is done by servlet container, i.e. Tomcat. 
Authorization is done by Slide using Access Control Lists (ACL), 
which are saved in the nodes of the tree.
> 
> 1.  How to use/leverage/integrate the "org.apache.webdav.*" together with the user authentication at the servlet container level?
> 2.  Would you please give me some pointers where I can have a good/better understanding of how to "org.apache.webdav.*"  packages?

org.apache.webdav.cmd.Slide and org.apache.webdav.cmd.Client 
would be good starting points for the WebDAV-Client packages.


> 
> Any input appreciated. Thanx
> 
> S.Q 
> 
Andreas

