Posted to dev@jackrabbit.apache.org by David Brossard <da...@gmail.com> on 2010/02/25 17:31:01 UTC

Access Control in Jackrabbit

Hi folks,

I am new to this list and to Jackrabbit. My interest lies mainly in JCR
rather than Jackrabbit per se...

I downloaded and started running Jackrabbit on top of my own webapp. Very
smooth beginning, no probs. I wanted to play around with security so I:

(a) had a look at repository.xml
(b) edited <AccessManager class=" to point to a class I wrote and that is an
exact copy of org.apache.jackrabbit.core.security.simple.SimpleAccessManager
(c) started looking at the session and the context objects

From what I can see I can find the subject object which lets me know who
authenticated. I can also retrieve the userid from the session...

But I would now like to know what node the user is trying to access. If I
want some smart access control, it should take into account the target of
the user's request. I couldn't find anything like that.

In addition, what is the AccessControlManager and what policies is it
referring to?

Cheers,
David.

Re: Access Control in Jackrabbit

Posted by David Brossard <da...@gmail.com>.
Thanks for the clarification.

What I am doing now is extend AbstractAccessControlManager and implement
AccessManager.

I still use the same config in repository.xml:

        <AccessManager class="org.apache.jackrabbit.core.security.simple.AnotherAccessManager">
            <!-- <param name="config" value="${rep.home}/access.xml"/> -->
        </AccessManager>

And I can now access ItemId. I will let you know how I get along. My aim
eventually is to be able to see item info (be it a file or a folder) and
attached metadata (properties, file properties, user-defined properties...)

I will post here my results for future reference.

David.

On Thu, Feb 25, 2010 at 6:50 PM, Mat Lowery <ml...@pentaho.com> wrote:

>  All comments result from my experiences with Jackrabbit 1.6.  Version 1.6
> is a weird beast because it contains a full JCR 1.0 implementation with some
> JCR 2.0 implementation too.  (But the JCR 2.0 implementation isn't against
> the standard JCR 2.0 interfaces.)  So AccessControlManager (a JCR 2.0
> interface) exists in Jackrabbit 1.6 but it doesn't implement the standard
> interface.
>
> There is no JCR API for configuring access control logic.  Jackrabbit's
> SimpleAccessManager doesn't care about the "target of the user's request."
> Instead, I recommend turning on  DefaultAccessManager and putting your
> breakpoint at
> org.apache.jackrabbit.core.security.authorization.acl.ACLProvider$AbstractCompiledPermissions#buildResult(Path).
> The Path object is the "target of the user's request."  This is where ACL
> decisions are made with this manager.
>
> AccessControlManager is the JCR 2.0 method of getting and setting the
> policy for a given path.  The only policies that I have used are
> javax.jcr.security.AccessControlList.  This is a traditional ACL.
>
>
> On Thu, 2010-02-25 at 17:31 +0100, David Brossard wrote:
>
> Hi folks,
>
> I am new to this list and to Jackrabbit. My interest lies mainly in JCR
> rather than Jackrabbit per se...
>
> I downloaded and started running Jackrabbit on top of my own webapp. Very
> smooth beginning, no probs. I wanted to play around with security so I:
>
> (a) had a look at repository.xml
> (b) edited <AccessManager class=" to point to a class I wrote and that is
> an exact copy of
> org.apache.jackrabbit.core.security.simple.SimpleAccessManager
> (c) started looking at the session and the context objects
>
> From what I can see I can find the subject object which lets me know who
> authenticated. I can also retrieve the userid from the session...
>
> But I would now like to know what node the user is trying to access. If I
> want some smart access control, it should take into account the target of
> the user's request. I couldn't find anything like that.
>
> In addition, what is the AccessControlManager and what policies is it
> referring to?
>
> Cheers,
> David.
>
>
>


-- 
---
David Brossard
http://www.linkedin.com/in/davidbrossard
http://twitter.com/davidjbrossard
http://delicious.com/foggybottom
---
Stay safe on the Internet: http://www.ic3.gov/preventiontips.aspx
Prenez vos précautions sur Internet:
http://www.securite-informatique.gouv.fr/gp_rubrique34.html

Re: Access Control in Jackrabbit

Posted by Mat Lowery <ml...@pentaho.com>.
All comments result from my experiences with Jackrabbit 1.6.  Version
1.6 is a weird beast because it contains a full JCR 1.0 implementation
with some JCR 2.0 implementation too.  (But the JCR 2.0 implementation
isn't against the standard JCR 2.0 interfaces.)  So AccessControlManager
(a JCR 2.0 interface) exists in Jackrabbit 1.6 but it doesn't implement
the standard interface.

There is no JCR API for configuring access control logic.  Jackrabbit's
SimpleAccessManager doesn't care about the "target of the user's
request."  Instead, I recommend turning on DefaultAccessManager and
putting your breakpoint at
org.apache.jackrabbit.core.security.authorization.acl.ACLProvider$AbstractCompiledPermissions#buildResult(Path).
The Path object is the "target of the user's request."  This is where
ACL decisions are made with this manager.

AccessControlManager is the JCR 2.0 method of getting and setting the
policy for a given path.  The only policies that I have used are
javax.jcr.security.AccessControlList.  This is a traditional ACL.

On Thu, 2010-02-25 at 17:31 +0100, David Brossard wrote:

> Hi folks,
> 
> I am new to this list and to Jackrabbit. My interest lies mainly in
> JCR rather than Jackrabbit per se...
> 
> I downloaded and started running Jackrabbit on top of my own webapp.
> Very smooth beginning, no probs. I wanted to play around with security
> so I:
> 
> (a) had a look at repository.xml
> (b) edited <AccessManager class=" to point to a class I wrote and that
> is an exact copy of
> org.apache.jackrabbit.core.security.simple.SimpleAccessManager
> (c) started looking at the session and the context objects
> 
> From what I can see I can find the subject object which lets me know
> who authenticated. I can also retrieve the userid from the session...
> 
> But I would now like to know what node the user is trying to access.
> If I want some smart access control, it should take into account the
> target of the user's request. I couldn't find anything like that.
> 
> In addition, what is the AccessControlManager and what policies is it
> referring to?
> 
> Cheers,
> David.