Posted to users@jackrabbit.apache.org by Karsten Priegnitz <ko...@petoria.de> on 2015/08/13 12:21:39 UTC

Problem adding Principal-based ACLs

Hello group,

I'm trying to add Principal-based ACLs as described here: 
http://wiki.apache.org/jackrabbit/AccessControl. But using that code I 
get an ArrayIndexOutOfBoundsException.

I have the jackrabbit-webapp-2.10.1 running from sources in Eclipse. 
Works. Next I wrote a servlet that does init stuff: add 2 users adam & 
eve and grant them ACL_ALL (all privileges) on the root node.

Code:

public class MyInitServlet extends HttpServlet {

     @Override
     protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException,
             IOException {

         super.doGet(req, resp);

         try {
             // get the repo from context

             ServletContext context = this.getServletContext();
             Repository repo = (Repository) context.getAttribute(Repository.class.getName());

             // login as admin

             JackrabbitSession session = (JackrabbitSession) Helper.login(repo,
                     Helper.ADMIN_CREDENTIALS);

             UserManager um = session.getUserManager();
             for (String username : new String[] { "adam", "eve"}) {

                 // create the user

                 Authorizable authorizable = um.getAuthorizable(username);
                 if (authorizable == null) {
                     um.createUser(username, username);
                     session.save();
                 }

                 User user = (User) um.getAuthorizable(username);
                 addPrivileges(session, user, Privilege.JCR_ALL);

                 session.save();

                 LOG.info(" created user '{}'", username);
             }

             ...

         } catch (Exception e) {
             e.printStackTrace();
         }

     }

     public static void addPrivileges(JackrabbitSession session, User user, String... privileges)
             throws AccessDeniedException, AccessControlException,
             UnsupportedRepositoryOperationException, RepositoryException {

         // add principal-based privileges
         // @see: http://wiki.apache.org/jackrabbit/AccessControl

         JackrabbitAccessControlManager acm = (JackrabbitAccessControlManager) session
                 .getAccessControlManager();

         Principal principal = user.getPrincipal();

         JackrabbitAccessControlPolicy[] ps = acm.getApplicablePolicies(principal);
         // next is line 133:
         JackrabbitAccessControlList list = (JackrabbitAccessControlList) ps[0];

         // add privileges

         Privilege[] nprivileges = new Privilege[privileges.length];
         int i = 0;
         for (String p : privileges) {
             nprivileges[i] = acm.privilegeFromName(p);
             i++;
         }

         Map<String, Value> restrictions = new HashMap<String, Value>();
         ValueFactory vf = session.getValueFactory();

         restrictions.put("rep:nodePath", vf.createValue("/", PropertyType.PATH));
         restrictions.put("rep:glob", vf.createValue("*"));

         list.addEntry(principal, nprivileges, true /* allow or deny */, restrictions);

         // store privilege changes

         acm.setPolicy(list.getPath(), list);

     }

And I also added this to ~/jackrabbit/workspaces/security/workspace.xml:

         <WorkspaceSecurity>
             <AccessControlProvider class="org.apache.jackrabbit.core.security.authorization.combined.CombinedProvider" />
         </WorkspaceSecurity>

But when I trigger my servlet I get an empty array in line 132:

2015-08-13 12:06:06.364 INFO  [http-bio-8080-exec-3] MyInitServlet.java:64 called: doGet(org.apache.catalina.connector.RequestFacade@67a4315b,org.apache.catalina.connector.ResponseFacade@639bb977)
2015-08-13 12:06:06.419 INFO  [http-bio-8080-exec-3] CachingEntryCollector.java:362 Creating cache with max size of: 5000
2015-08-13 12:06:06.420 INFO  [http-bio-8080-exec-3] CachingEntryCollector.java:369 Root is special-cased: true
2015-08-13 12:06:06.421 INFO  [http-bio-8080-exec-3] CachingEntryCollector.java:73 Cache Update Strategy: T
2015-08-13 12:06:06.421 INFO  [http-bio-8080-exec-3] CachingEntryCollector.java:78 Caching entries with no ACLs: false
2015-08-13 12:06:06.466 WARN  [http-bio-8080-exec-3] UserManagerImpl.java:858 Unexpected user/group node type rep:AuthorizableFolder
2015-08-13 12:06:06.468 WARN  [http-bio-8080-exec-3] UserManagerImpl.java:858 Unexpected user/group node type rep:AuthorizableFolder
2015-08-13 12:06:06.469 WARN  [http-bio-8080-exec-3] UserManagerImpl.java:858 Unexpected user/group node type rep:AuthorizableFolder
2015-08-13 12:06:06.470 WARN  [http-bio-8080-exec-3] UserManagerImpl.java:858 Unexpected user/group node type rep:AuthorizableFolder
2015-08-13 12:06:06.471 WARN  [http-bio-8080-exec-3] UserManagerImpl.java:858 Unexpected user/group node type rep:AuthorizableFolder
2015-08-13 12:06:06.770 INFO  [http-bio-8080-exec-3] ClusterNode.java:711 [1] 1 system@security:/ (24906)
2015-08-13 12:06:06.857 INFO  [http-bio-8080-exec-3] CachingEntryCollector.java:362 Creating cache with max size of: 5000
2015-08-13 12:06:06.858 INFO  [http-bio-8080-exec-3] CachingEntryCollector.java:369 Root is special-cased: true
2015-08-13 12:06:06.858 INFO  [http-bio-8080-exec-3] CachingEntryCollector.java:73 Cache Update Strategy: T
2015-08-13 12:06:06.858 INFO  [http-bio-8080-exec-3] CachingEntryCollector.java:78 Caching entries with no ACLs: false
java.lang.ArrayIndexOutOfBoundsException: 0
     at my.jcrweb.j2ee.MyInitServlet.addPrivileges(MyInitServlet.java:133)
     at my.jcrweb.j2ee.MyInitServlet.doGet(MyInitServlet.java:100)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:620)


I also read this thread: 
http://jackrabbit.510166.n4.nabble.com/Setting-up-Access-Control-td3809801.html

I also tried acl.getPolicies() instead of getApplicablePolicies()

I'm totally stuck here ... Am I doing something wrong, generally or ... 
how do I create my own empty JackrabbitAccessControlList?

Karsten

Re: Problem adding Principal-based ACLs

Posted by Karsten Priegnitz <ko...@petoria.de>.
I found this really useful utility class, to accomplish what I needed:

                 UserManager um = session.getUserManager();
                 User user = (User) um.getAuthorizable(username);

                 // add privileges

                 AccessControlUtils.addAccessControlEntry(session, "/", user.getPrincipal(),
                         new String[] { Privilege.JCR_ALL }, true);

                 session.save();

No need to do anything else, e.g. changes in repository.xml or
workspace.xml - at least when using the jackrabbit-webapp.


Karsten R. Priegnitz

programmer | web developer | linux administrator | digital nomad
business: contact <http://petoria.de/portfolio/contact-about/> |
portfolio <http://petoria.de/portfolio/>
------------------------------------------------------------------------

On 13.08.2015 at 15:48, Clay Ferguson wrote:
> Karsten,
>
> I have a web app that I "think" is doing it reasonably correct (ACLs), or
> at least appears to work. You can find the working code here:
> https://github.com/Clay-Ferguson/meta64
> Just download the zip and search for the keywords "acl", "privilege",
> "principle". Also see AclService.java and AccessControlUtil.java.
>
> Best regards,
> Clay Ferguson
> wclayf@gmail.com


Re: Problem adding Principal-based ACLs

Posted by Clay Ferguson <wc...@gmail.com>.
Karsten,

I have a web app that I "think" is doing it reasonably correct (ACLs), or
at least appears to work. You can find the working code here:
https://github.com/Clay-Ferguson/meta64
Just download the zip and search for the keywords "acl", "privilege",
"principle". Also see AclService.java and AccessControlUtil.java.

Best regards,
Clay Ferguson
wclayf@gmail.com
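
Added example, not part of the original thread and not Jackrabbit's own code: a path-based grant written against the standard JCR access control API that looks for an editable ACL among both the applicable and the already-set policies instead of indexing ps[0] as in the original post. The class name AclHelper and its methods are hypothetical, and the session is assumed to be allowed to modify access control.

```java
import java.security.Principal;

import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;

import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;

// Hypothetical helper: class and method names are illustrative, not Jackrabbit API.
public final class AclHelper {

    private AclHelper() {
    }

    // Returns an editable ACL for absPath, or null when the node offers none.
    static JackrabbitAccessControlList findAcl(AccessControlManager acm, String absPath)
            throws RepositoryException {
        // Policies that can be applied but are not yet set on the node.
        AccessControlPolicyIterator applicable = acm.getApplicablePolicies(absPath);
        while (applicable.hasNext()) {
            AccessControlPolicy policy = applicable.nextAccessControlPolicy();
            if (policy instanceof JackrabbitAccessControlList) {
                return (JackrabbitAccessControlList) policy;
            }
        }
        // An ACL that is already set on the node is reported here instead,
        // so an empty "applicable" result does not mean there is nothing to edit.
        for (AccessControlPolicy policy : acm.getPolicies(absPath)) {
            if (policy instanceof JackrabbitAccessControlList) {
                return (JackrabbitAccessControlList) policy;
            }
        }
        return null;
    }

    // Adds one allow entry for the principal at absPath and persists it.
    public static void grant(Session session, String absPath, Principal principal,
            String... privilegeNames) throws RepositoryException {
        AccessControlManager acm = session.getAccessControlManager();
        JackrabbitAccessControlList acl = findAcl(acm, absPath);
        if (acl == null) {
            // Fail with a clear message rather than ArrayIndexOutOfBoundsException.
            throw new RepositoryException("No editable access control list at " + absPath);
        }
        Privilege[] privileges = new Privilege[privilegeNames.length];
        for (int i = 0; i < privilegeNames.length; i++) {
            privileges[i] = acm.privilegeFromName(privilegeNames[i]);
        }
        acl.addEntry(principal, privileges, true /* allow */);
        acm.setPolicy(absPath, acl);
        session.save();
    }
}
```

Called as AclHelper.grant(session, "/", user.getPrincipal(), Privilege.JCR_ALL) it covers the case in the thread; passing a narrower path and privilege list, such as Privilege.JCR_READ on a subtree, limits what the principal can do.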

