Posted to users@sling.apache.org by thorsten zerha <th...@googlemail.com> on 2009/11/14 01:03:18 UTC

Implementing AccessManagerPlugin

Hi all,

I'm still trying to get my own AccessManager(Plugin) running ...

The howto mentioned in the previous thread [1] talks about copying 
simple.AccessManager to a simple.RAccessManager ... This is not the way 
to go in sling (since there is PluggableDefaultAccessManager), is it?

I tried the following to get just the same behaviour as is right now 
with the fallback to DefaultAccessManager (in order to modify it to my 
needs afterwards):

So I implemented AccessManagerPluginFactory and AccessManagerPlugin (by 
copying code from jackrabbit's DefaultAccessManager) ... but the 
interface methods differ from the implementation in jackrabbit(1.6) (e.g 
isGranted(Path absPath,...) != isGranted(String absPath,...), init!=init ).

Then I would put these 2 files in a bundle, install it and then I could 
start experimenting with my adaptations (allowing contents to be denied 
to everybody by default)

I read about the DefaultAccessManager implementation tries (SLING-880), 
but apart from the reaction with the PluggableDefaultAccessManager, I 
couldn't find any further readings how this is actually implemented.

Can anyone point me to an open project implementing AccessManagerPlugin 
(PluggableDefaultAccessManager) or to snippets how this is done or 
anything else that could give me a hint how I could go on with that?

thanks very much for your help up till now,
  thorsten

[1] http://dev.day.com/microsling/content/blogs/main/theaclisdead.html

Re: Implementing AccessManagerPlugin

Posted by Vidar Ramdal <vi...@idium.no>.
On Sat, Nov 14, 2009 at 1:03 AM, thorsten zerha
<th...@googlemail.com> wrote:
> Hi all,
>
> I'm still trying to get my own AccessManager(Plugin) running ...
>
> The howto mentioned in the previous thread [1] talks about copying
> simple.AccessManager to a simple.RAccessManager ... This is not the way to
> go in sling (since there is PluggableDefaultAccessManager), is it?

You might, but since your AccessManager needs to be available from the
Jackrabbit Server bundle, you cannot provide it in your own bundle.
Thus, you need to run a modified version of Jackrabbit Server bundle.
(Actually, that was the motivation for AccessManagerPlugin in the
first place).

> I tried the following to get just the same behaviour as is right now with
> the fallback to DefaultAccessManager (in order to modify it to my needs
> afterwards):
>
> So I implemented AccessManagerPluginFactory and AccessManagerPlugin (by
> copying code from jackrabbit's DefaultAccessManager) ... but the interface
> methods differ from the implementation in jackrabbit(1.6) (e.g
> isGranted(Path absPath,...) != isGranted(String absPath,...), init!=init ).

Right. It was done that way since isGranted(Path) and
isGranted(String) do the same thing in DefaultAccessManager, and
having to implement both of them in an AccessManagerPlugin seemed
unnecessary. Also, if I remember correctly, the Path class is not
exported from Jackrabbit Server.

> Then I would put these 2 files in a bundle, install it and then I could
> start experimenting with my adaptations (allowing contents to be denied to
> everybody by default)

Yes, that should work.

> I read about the DefaultAccessManager implementation tries (SLING-880), but
> apart from the reaction with the PluggableDefaultAccessManager, I couldn't
> find any further readings how this is actually implemented.
>
> Can anyone point me to an open project implementing AccessManagerPlugin
> (PluggableDefaultAccessManager) or to snippets how this is done or anything
> else that could give me a hint how I could go on with that?

I don't know any open projects to look at, but I'll try to get you
started right here. First, the AccessManagerPluginFactory needs to do
nothing more than instantiate AccessManagerPlugins:
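
import org.apache.sling.jcr.jackrabbit.server.security.accessmanager.AccessManagerPlugin;
import org.apache.sling.jcr.jackrabbit.server.security.accessmanager.AccessManagerPluginFactory;

/**
 * @scr.component
 *      metatype="no" immediate="false"
 * @scr.service
 *      interface="org.apache.sling.jcr.jackrabbit.server.security.accessmanager.AccessManagerPluginFactory"
 */
public class MyAccessManagerPluginFactory implements AccessManagerPluginFactory {
    ...
    // Called to obtain the plugin that will answer access checks.
    public AccessManagerPlugin getAccessManager() {
        return new MyAccessManagerPlugin();
    }
    ...
}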

More work is needed for MyAccessManagerPlugin, but most of it can be
tucked into isGranted:

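import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.security.auth.Subject;
import org.apache.sling.jcr.jackrabbit.server.security.accessmanager.AccessManagerPlugin;

public class MyAccessManagerPlugin implements AccessManagerPlugin {
    private boolean isSystemSession;

    public void init(Subject subject, Session session) {
        // A subject carrying the "admin" principal is treated as a system session.
        for (Principal subjectPrincipal : subject.getPrincipals()) {
            if (subjectPrincipal.getName().equals("admin")) {
                this.isSystemSession = true;
                return;
            }
        }
    }

    public boolean isGranted(String path, int bits) {
        if (this.isSystemSession) {
            return true;
        } else {
            // Your logic goes here, to lookup and invoke access policies etc.
            // You will probably do this from a system session.
            return false; // placeholder so the method compiles: deny until that logic exists
        }
    }

    public boolean canRead(String path) throws RepositoryException {
        return isGranted(path, AccessManagerPlugin.READ);
    }

    ...
}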

It takes some time getting into how AccessManagers are used in
Jackrabbit. I can only recommend setting a breakpoint somewhere in
MyAccessManagerPlugin and stepping through it. You will be surprised
to see how often these methods are called.


-- 
Vidar S. Ramdal <vi...@idium.no> - http://www.idium.no
Sommerrogata 13-15, N-0255 Oslo, Norway
+ 47 22 00 84 00 / +47 21 531941, ext 2070
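
Added example (not part of the original thread, and not Sling or Jackrabbit code): one way to structure the "your logic goes here" branch of isGranted so that content is denied to everybody unless a rule grants it, as the original poster wanted. The class name DenyByDefaultPolicy, the bit values, the principal names and the paths are assumptions constructed for illustration; it assumes normalized absolute paths and Java 8 or later.

```java
import java.util.HashMap;
import java.util.Map;

/** Deny-by-default decision logic that a plugin's isGranted(path, bits) could delegate to. */
public class DenyByDefaultPolicy {
    // Assumed bit values for this sketch; a real plugin uses AccessManagerPlugin's constants.
    static final int READ = 1, WRITE = 2, REMOVE = 4;

    // principal name -> (path prefix -> granted permission bits)
    private final Map<String, Map<String, Integer>> grants = new HashMap<>();

    public void grant(String principal, String prefix, int bits) {
        grants.computeIfAbsent(principal, k -> new HashMap<>())
              .merge(prefix, bits, (a, b) -> a | b);
    }

    /** True only if the most specific matching rule grants every requested bit. */
    public boolean isGranted(String principal, String path, int bits) {
        Map<String, Integer> rules = grants.get(principal);
        if (rules == null || path == null || !path.startsWith("/") || bits == 0) {
            return false; // unknown principal or malformed request: deny
        }
        int granted = 0;
        int bestLen = -1;
        for (Map.Entry<String, Integer> e : rules.entrySet()) {
            String prefix = e.getKey();
            // Match on whole path segments so "/content" does not cover "/content-private".
            boolean match = prefix.equals("/") || path.equals(prefix)
                    || path.startsWith(prefix + "/");
            if (match && prefix.length() > bestLen) {
                bestLen = prefix.length();
                granted = e.getValue();
            }
        }
        return (granted & bits) == bits; // no matching rule leaves granted == 0
    }

    public static void main(String[] args) {
        DenyByDefaultPolicy policy = new DenyByDefaultPolicy();
        // Constructed sample rules.
        policy.grant("editor", "/content", READ | WRITE);
        policy.grant("editor", "/content/archive", READ);

        System.out.println(policy.isGranted("editor", "/content/page", READ | WRITE));   // true
        System.out.println(policy.isGranted("editor", "/content/archive/old", WRITE));   // false
        System.out.println(policy.isGranted("editor", "/content-private/x", READ));      // false
        System.out.println(policy.isGranted("anonymous", "/content/page", READ));        // false
    }
}
```

Because isGranted is called very often, as noted above, a real plugin would keep a lookup like this in memory per session rather than querying the repository on every call.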