Posted to slide-user@jakarta.apache.org by Jiantao Pan <ji...@labbook.com> on 2001/10/03 17:47:10 UTC

Role based access

I am using Tomcat 4.0 and a recent Slide build. It uses
JDBCDescriptorsStore with MySQL and FileContentStore.
It is configured to use JDBCRealm for authentication and role
assignment. I have set up a user with the roles "root" and "groupA", and in
the permissions table both root and groupA have write access to files.
However, when I try to PUT a file, it gives me a forbidden response.
Am I missing something? I am not clear on the following 2 questions.
Maybe they are related to my problem...
1. When I insert a row in my user table, the new user can be
authenticated and associated with a certain role. But it is not inserted
in the "objects" table; will this matter?
2. In web.xml, there are entries to open access for certain roles, which I
uncomment to enable security. There is also a "permissions" table for
controlling access; what is the relationship between them?
Thanks for the help.
Jiantao


For your information, the following is the console message:
03 Oct 2001 11:20:49 - org.apache.slide.common.Domain - WARNING - Access denied on /files/sampleproject/rtf/CRC.rtf by user /users/jpan for action /actions/write
03 Oct 2001 11:20:49 - org.apache.slide.common.Domain - INFO - PUT = 403 Forbidden (time: 78 ms) URI = /files/sampleproject/rtf/CRC.rtf

The following is the log entry in the catalina_log file:

2001-10-03 11:20:32 JDBCRealm[Standalone]: Username jpan successfully authenticated
2001-10-03 11:20:32 JDBCRealm[Standalone]: Username jpan has role root

Then the permissions table contents:
mysql> select * from permissions;
+-----------------------+----------------+---------------------+-----------------+-------------+----------+
| object                | revisionnumber | subject             | action          | inheritable | negative |
+-----------------------+----------------+---------------------+-----------------+-------------+----------+
| /files/sampleproject/ | NULL           | /users/ohuser       | /actions/read   |           1 |        0 |
| /                     | NULL           | root                | /actions        |           1 |        0 |
| /                     | NULL           | user                | /actions/read   |           0 |        0 |
| /                     | NULL           | nobody              | /actions/read   |           0 |        0 |
| /users                | NULL           | ~                   | /actions        |           1 |        0 |
| /users                | NULL           | guest               | /actions        |           1 |        1 |
| /users                | NULL           | user                | /actions/read   |           0 |        0 |
| /files                | NULL           | /users/john         | /actions/manage |           1 |        0 |
| /files/               | NULL           | /users/john         | /actions/manage |           1 |        0 |
| /files/               | NULL           | nobody              | /actions/read   |           1 |        0 |
| /files/               | NULL           | /%252B/users/groupA | /actions/write  |           1 |        0 |
| /files/               | NULL           | /users/john         | /actions/manage |           1 |        0 |
| /files/               | NULL           | nobody              | /actions/read   |           1 |        0 |
| /files/               | NULL           | /%2B/users/groupA   | /actions/write  |           1 |        0 |
| /files/sampleproject/ | NULL           | /users/ohuser       | /actions/write  |           1 |        0 |
| /files                | NULL           | +/users/groupA      | /actions/write  |           1 |        0 |
| /files                | NULL           | nobody              | /actions/read   |           1 |        0 |
+-----------------------+----------------+---------------------+-----------------+-------------+----------+

Re: Role based access

Posted by Dirk Verbeeck <di...@pandora.be>.
Jiantao Pan wrote:
> 
> I am using Tomcat 4.0 and a recent Slide build. It uses
> JDBCDescriptorsStore with MySQL and FileContentStore.
> It is configured to use JDBCRealm for authentication and role
> assignment. I have set up a user with the roles "root" and "groupA", and in
> the permissions table both root and groupA have write access to files.
> However, when I try to PUT a file, it gives me a forbidden response.
> Am I missing something? I am not clear on the following 2 questions.
> Maybe they are related to my problem...
> 1. When I insert a row in my user table, the new user can be
> authenticated and associated with a certain role. But it is not inserted
> in the "objects" table; will this matter?
> 2. In web.xml, there are entries to open access for certain roles, which I
> uncomment to enable security. There is also a "permissions" table for
> controlling access; what is the relationship between them?
> Thanks for the help.
> Jiantao

The Tomcat roles have nothing to do with the Slide groups or roles.

1) The roles that you configure in the JDBCRealm from Tomcat are only
used for granting access to the servlet (the roles that are in web.xml).
Your user jpan has the realm role root and has access to the servlet.

2) Slide roles are defined like this (RootRole is a Java interface):
      <role name="root">slideroles.basic.RootRole</role>

For your user to have this role, he has to be of a class that implements
that interface:
      <objectnode classname="slideroles.basic.RootRoleImpl" uri="/users/jpan"/>
RootRoleImpl is a class that implements the RootRole interface.

It will then match:
      <permission action="/actions" subject="root"/>

3) A Slide group is a GroupNode that has links to other nodes (its
members):
      <objectnode classname="org.apache.slide.structure.GroupNode" uri="/users/groupA">
         <objectnode classname="org.apache.slide.structure.LinkNode"
            uri="/users/groupA/jpan" linkedUri="/users/jpan"/>
      </objectnode>
When you grant a permission to a group, you have to put a "+" sign in front
of the principal to indicate it's a group:
      <permission action="/actions/write" subject="+/users/groupA"/>


Bottom line: currently you have to create nodes for your users/groups
and classes for your roles.


Hope this helps
Dirk
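As an added example (not part of Dirk's reply and not Slide's shipped Domain.xml), here is a Domain.xml fragment that puts the three pieces together for the case in the question: /users/jpan as a RootRoleImpl node, a GroupNode /users/groupA with a LinkNode to it, and the root and group grants on / and /files. The namespace name, the SubjectNode class used for the container nodes, the enclosing configuration/data elements and the inheritable="true" attribute spelling are assumptions; the role, objectnode, LinkNode and permission elements are as shown in the reply.

```xml
<!-- Added example (not from the original thread). Namespace name, the
     SubjectNode container class, the configuration/data wrappers and the
     inheritable="true" spelling are assumptions. -->
<namespace name="slide">
  <configuration>
    <!-- A Slide role is bound to a Java interface: a principal holds the
         role only if the class of its object node implements it. -->
    <role name="root">slideroles.basic.RootRole</role>
  </configuration>
  <data>
    <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/">
      <!-- Matches any node whose class implements RootRole (see /users/jpan). -->
      <permission action="/actions" subject="root" inheritable="true"/>

      <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/users">
        <!-- The user must exist as an object node, not only as a row in the
             realm's user table, and its class must implement RootRole. -->
        <objectnode classname="slideroles.basic.RootRoleImpl" uri="/users/jpan"/>

        <!-- A group is a GroupNode; each member is a LinkNode whose
             linkedUri points at the member's own node. -->
        <objectnode classname="org.apache.slide.structure.GroupNode" uri="/users/groupA">
          <objectnode classname="org.apache.slide.structure.LinkNode"
                      uri="/users/groupA/jpan" linkedUri="/users/jpan"/>
        </objectnode>
      </objectnode>

      <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/files">
        <!-- Group grant: the subject is the literal string "+/users/groupA".
             The leading "+" marks a group and is written as-is, not encoded. -->
        <permission action="/actions/write" subject="+/users/groupA" inheritable="true"/>
      </objectnode>
    </objectnode>
  </data>
</namespace>
```

With this data loaded, a PUT on /files/sampleproject/rtf/CRC.rtf by /users/jpan is covered twice: by the inheritable root grant on / (via the RootRoleImpl class) and by the inheritable group grant on /files (via the LinkNode membership).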