You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@jackrabbit.apache.org by Cory Prowse <co...@prowse.com> on 2010/07/28 07:32:08 UTC
DefaultAccessManager denies all access?
I too have been struggling with security access in JackRabbit 2.1.0 these past few days.
I am attempting a proof of concept which allows adding nodes and specifying which users/groups can view them, so that only the nodes the currently logged in user has access to will be shown.
When I attempt to use DefaultAccessManager I get:
javax.jcr.AccessDeniedException: cannot read item cafebabe-cafe-babe-cafe-babecafebabe
This is my config:
<Security appName="Jackrabbit">
<!-- <AccessManager class="org.apache.jackrabbit.core.security.simple.SimpleAccessManager" /> -->
<AccessManager class="org.apache.jackrabbit.core.security.DefaultAccessManager" />
<LoginModule class="org.apache.jackrabbit.core.security.simple.SimpleLoginModule">
<param name="anonymousId" value="ANONYMOUS" />
</LoginModule>
</Security>
This exception occurs when I ask the session for the root node.
Not quite following how to hook up security properly here, am I doing something obviously wrong?
-- Cory
On 28/07/2010, at 5:37 AM, Alexander Klimetschek wrote:
> I am currently working on a wiki page for that:
> http://wiki.apache.org/jackrabbit/AccessControl
>
> Expect more in the coming days.
>
> Regards,
> Alex
>
> On Tue, Jul 27, 2010 at 15:51, Joel Feenstra <jr...@gmail.com> wrote:
>> Hi,
>> I'm working on adding some authentication/authorization to our application
>> which uses Jackrabbit 2.1. How can I best control access to a node (and it's
>> children) so that one user has read/write access to the subtree, but all
>> other users don't have any access (not even read access).
>>
>> I've looked at using the principal based ACLProvider, but I can't find any
>> examples detailing how to actually use it.
>>
>> Thanks,
>> Joel
>> jrfeenst@gmail.com
>>
>
>
>
> --
> Alexander Klimetschek
> alexander.klimetschek@day.com
Re: DefaultAccessManager denies all access?
Posted by Cory Prowse <co...@prowse.com>.
Ok got to the bottom of it by stepping through the running application.
You must have the following config for ACLs to work:
<Security appName="Jackrabbit">
<SecurityManager class="org.apache.jackrabbit.core.DefaultSecurityManager" workspaceName="security" />
<AccessManager class="org.apache.jackrabbit.core.security.DefaultAccessManager" />
<!-- This allows any username to login without password -->
<LoginModule class="org.apache.jackrabbit.core.security.simple.SimpleLoginModule">
<!-- Unauthenticated JAAS users are ANONYMOUS -->
<param name="anonymousId" value="ANONYMOUS" />
<param name="adminId" value="admin1" />
</LoginModule>
</Security>
Specifically the DefaultSecurityManager must be selected.
Now I'm just trying to determine why although I have ACLs specifying who can read, other users can read as well.
-- Cory
On 28/07/2010, at 4:08 PM, Cory Prowse wrote:
> Ah it is probably worth mentioning I am deplying the JCA of JackRabbit to Glassfish.
>
> -- Cory
>
> On 28/07/2010, at 3:32 PM, Cory Prowse wrote:
>
>> I too have been struggling with security access in JackRabbit 2.1.0 these past few days.
>>
>> I am attempting a proof of concept which allows adding nodes and specifying which users/groups can view them, so that only the nodes the currently logged in user has access to will be shown.
>>
>> When I attempt to use DefaultAccessManager I get:
>> javax.jcr.AccessDeniedException: cannot read item cafebabe-cafe-babe-cafe-babecafebabe
>>
>> This is my config:
>> <Security appName="Jackrabbit">
>> <!-- <AccessManager class="org.apache.jackrabbit.core.security.simple.SimpleAccessManager" /> -->
>> <AccessManager class="org.apache.jackrabbit.core.security.DefaultAccessManager" />
>>
>> <LoginModule class="org.apache.jackrabbit.core.security.simple.SimpleLoginModule">
>> <param name="anonymousId" value="ANONYMOUS" />
>> </LoginModule>
>> </Security>
>>
>> This exception occurs when I ask the session for the root node.
>>
>> Not quite following how to hook up security properly here, am I doing something obviously wrong?
>>
>> -- Cory
>>
>>
>> On 28/07/2010, at 5:37 AM, Alexander Klimetschek wrote:
>>
>>> I am currently working on a wiki page for that:
>>> http://wiki.apache.org/jackrabbit/AccessControl
>>>
>>> Expect more in the coming days.
>>>
>>> Regards,
>>> Alex
>>>
>>> On Tue, Jul 27, 2010 at 15:51, Joel Feenstra <jr...@gmail.com> wrote:
>>>> Hi,
>>>> I'm working on adding some authentication/authorization to our application
>>>> which uses Jackrabbit 2.1. How can I best control access to a node (and it's
>>>> children) so that one user has read/write access to the subtree, but all
>>>> other users don't have any access (not even read access).
>>>>
>>>> I've looked at using the principal based ACLProvider, but I can't find any
>>>> examples detailing how to actually use it.
>>>>
>>>> Thanks,
>>>> Joel
>>>> jrfeenst@gmail.com
>>>>
>>>
>>>
>>>
>>> --
>>> Alexander Klimetschek
>>> alexander.klimetschek@day.com
>>
>
Re: DefaultAccessManager denies all access?
Posted by Cory Prowse <co...@prowse.com>.
Ah it is probably worth mentioning I am deplying the JCA of JackRabbit to Glassfish.
-- Cory
On 28/07/2010, at 3:32 PM, Cory Prowse wrote:
> I too have been struggling with security access in JackRabbit 2.1.0 these past few days.
>
> I am attempting a proof of concept which allows adding nodes and specifying which users/groups can view them, so that only the nodes the currently logged in user has access to will be shown.
>
> When I attempt to use DefaultAccessManager I get:
> javax.jcr.AccessDeniedException: cannot read item cafebabe-cafe-babe-cafe-babecafebabe
>
> This is my config:
> <Security appName="Jackrabbit">
> <!-- <AccessManager class="org.apache.jackrabbit.core.security.simple.SimpleAccessManager" /> -->
> <AccessManager class="org.apache.jackrabbit.core.security.DefaultAccessManager" />
>
> <LoginModule class="org.apache.jackrabbit.core.security.simple.SimpleLoginModule">
> <param name="anonymousId" value="ANONYMOUS" />
> </LoginModule>
> </Security>
>
> This exception occurs when I ask the session for the root node.
>
> Not quite following how to hook up security properly here, am I doing something obviously wrong?
>
> -- Cory
>
>
> On 28/07/2010, at 5:37 AM, Alexander Klimetschek wrote:
>
>> I am currently working on a wiki page for that:
>> http://wiki.apache.org/jackrabbit/AccessControl
>>
>> Expect more in the coming days.
>>
>> Regards,
>> Alex
>>
>> On Tue, Jul 27, 2010 at 15:51, Joel Feenstra <jr...@gmail.com> wrote:
>>> Hi,
>>> I'm working on adding some authentication/authorization to our application
>>> which uses Jackrabbit 2.1. How can I best control access to a node (and it's
>>> children) so that one user has read/write access to the subtree, but all
>>> other users don't have any access (not even read access).
>>>
>>> I've looked at using the principal based ACLProvider, but I can't find any
>>> examples detailing how to actually use it.
>>>
>>> Thanks,
>>> Joel
>>> jrfeenst@gmail.com
>>>
>>
>>
>>
>> --
>> Alexander Klimetschek
>> alexander.klimetschek@day.com
>