Posted to users@jackrabbit.apache.org by Cory Prowse <co...@prowse.com> on 2010/07/28 07:32:08 UTC

DefaultAccessManager denies all access?

I too have been struggling with security access in JackRabbit 2.1.0 these past few days.

I am attempting a proof of concept which allows adding nodes and specifying which users/groups can view them, so that only the nodes the currently logged in user has access to will be shown.

When I attempt to use DefaultAccessManager I get:
  javax.jcr.AccessDeniedException: cannot read item cafebabe-cafe-babe-cafe-babecafebabe

This is my config:
        <Security appName="Jackrabbit">
                <!-- <AccessManager class="org.apache.jackrabbit.core.security.simple.SimpleAccessManager" /> -->
                <AccessManager class="org.apache.jackrabbit.core.security.DefaultAccessManager" />

                <LoginModule class="org.apache.jackrabbit.core.security.simple.SimpleLoginModule">
                        <param name="anonymousId" value="ANONYMOUS" />
                </LoginModule>
        </Security>

This exception occurs when I ask the session for the root node.

Not quite following how to hook up security properly here, am I doing something obviously wrong?

 -- Cory


On 28/07/2010, at 5:37 AM, Alexander Klimetschek wrote:

> I am currently working on a wiki page for that:
> http://wiki.apache.org/jackrabbit/AccessControl
> 
> Expect more in the coming days.
> 
> Regards,
> Alex
> 
> On Tue, Jul 27, 2010 at 15:51, Joel Feenstra <jr...@gmail.com> wrote:
>> Hi,
>> I'm working on adding some authentication/authorization to our application
>> which uses Jackrabbit 2.1. How can I best control access to a node (and its
>> children) so that one user has read/write access to the subtree, but all
>> other users don't have any access (not even read access).
>> 
>> I've looked at using the principal based ACLProvider, but I can't find any
>> examples detailing how to actually use it.
>> 
>> Thanks,
>> Joel
>> jrfeenst@gmail.com
>> 
> 
> 
> 
> -- 
> Alexander Klimetschek
> alexander.klimetschek@day.com


Re: DefaultAccessManager denies all access?

Posted by Cory Prowse <co...@prowse.com>.
Ok got to the bottom of it by stepping through the running application.

You must have the following config for ACLs to work:
	<Security appName="Jackrabbit">
		<SecurityManager class="org.apache.jackrabbit.core.DefaultSecurityManager" workspaceName="security" />

		<AccessManager class="org.apache.jackrabbit.core.security.DefaultAccessManager" />

		<!-- This allows any username to login without password -->
		<LoginModule class="org.apache.jackrabbit.core.security.simple.SimpleLoginModule">
			<!-- Unauthenticated JAAS users are ANONYMOUS -->
			<param name="anonymousId" value="ANONYMOUS" />
			<param name="adminId" value="admin1" />
		</LoginModule>
	</Security>

Specifically the DefaultSecurityManager must be selected.

Now I'm just trying to determine why, although I have ACLs specifying who can read, other users can read as well.

 -- Cory

On 28/07/2010, at 4:08 PM, Cory Prowse wrote:

> Ah it is probably worth mentioning I am deploying the JCA of JackRabbit to Glassfish.
> 
> -- Cory
> 
> On 28/07/2010, at 3:32 PM, Cory Prowse wrote:
> 
>> I too have been struggling with security access in JackRabbit 2.1.0 these past few days.
>> 
>> I am attempting a proof of concept which allows adding nodes and specifying which users/groups can view them, so that only the nodes the currently logged in user has access to will be shown.
>> 
>> When I attempt to use DefaultAccessManager I get:
>> javax.jcr.AccessDeniedException: cannot read item cafebabe-cafe-babe-cafe-babecafebabe
>> 
>> This is my config:
>>       <Security appName="Jackrabbit">
>>               <!-- <AccessManager class="org.apache.jackrabbit.core.security.simple.SimpleAccessManager" /> -->
>>               <AccessManager class="org.apache.jackrabbit.core.security.DefaultAccessManager" />
>> 
>>               <LoginModule class="org.apache.jackrabbit.core.security.simple.SimpleLoginModule">
>>                       <param name="anonymousId" value="ANONYMOUS" />
>>               </LoginModule>
>>       </Security>
>> 
>> This exception occurs when I ask the session for the root node.
>> 
>> Not quite following how to hook up security properly here, am I doing something obviously wrong?
>> 
>> -- Cory
>> 
>> 
>> On 28/07/2010, at 5:37 AM, Alexander Klimetschek wrote:
>> 
>>> I am currently working on a wiki page for that:
>>> http://wiki.apache.org/jackrabbit/AccessControl
>>> 
>>> Expect more in the coming days.
>>> 
>>> Regards,
>>> Alex
>>> 
>>> On Tue, Jul 27, 2010 at 15:51, Joel Feenstra <jr...@gmail.com> wrote:
>>>> Hi,
>>>> I'm working on adding some authentication/authorization to our application
>>>> which uses Jackrabbit 2.1. How can I best control access to a node (and its
>>>> children) so that one user has read/write access to the subtree, but all
>>>> other users don't have any access (not even read access).
>>>> 
>>>> I've looked at using the principal based ACLProvider, but I can't find any
>>>> examples detailing how to actually use it.
>>>> 
>>>> Thanks,
>>>> Joel
>>>> jrfeenst@gmail.com
>>>> 
>>> 
>>> 
>>> 
>>> -- 
>>> Alexander Klimetschek
>>> alexander.klimetschek@day.com
>> 
> 
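
Added example, not part of the original thread: a small Python check that reads a Jackrabbit `<Security>` block and reports the two conditions this message describes, namely DefaultAccessManager configured without DefaultSecurityManager, and a SimpleLoginModule that accepts any username without a password. The finding codes and the `audit_security` function name are hypothetical; the two sample configs are the ones posted in the thread, with whitespace condensed.

```python
import xml.etree.ElementTree as ET

# Class names exactly as they appear in the thread's configs.
DEFAULT_AM = "org.apache.jackrabbit.core.security.DefaultAccessManager"
DEFAULT_SM = "org.apache.jackrabbit.core.DefaultSecurityManager"
SIMPLE_LM = "org.apache.jackrabbit.core.security.simple.SimpleLoginModule"

# The two <Security> blocks from the thread, whitespace condensed.
FIRST_CONFIG = """<Security appName="Jackrabbit">
  <!-- <AccessManager class="org.apache.jackrabbit.core.security.simple.SimpleAccessManager" /> -->
  <AccessManager class="org.apache.jackrabbit.core.security.DefaultAccessManager" />
  <LoginModule class="org.apache.jackrabbit.core.security.simple.SimpleLoginModule">
    <param name="anonymousId" value="ANONYMOUS" />
  </LoginModule>
</Security>"""
WORKING_CONFIG = """<Security appName="Jackrabbit">
  <SecurityManager class="org.apache.jackrabbit.core.DefaultSecurityManager" workspaceName="security" />
  <AccessManager class="org.apache.jackrabbit.core.security.DefaultAccessManager" />
  <LoginModule class="org.apache.jackrabbit.core.security.simple.SimpleLoginModule">
    <param name="anonymousId" value="ANONYMOUS" />
    <param name="adminId" value="admin1" />
  </LoginModule>
</Security>"""

def audit_security(xml_text):
    """Return finding codes (hypothetical names) for a <Security> element."""
    root = ET.fromstring(xml_text)  # the parser drops commented-out elements
    sec = root if root.tag == "Security" else root.find(".//Security")
    if sec is None:
        return ["NO_SECURITY_ELEMENT"]
    findings = []
    am, sm, lm = (sec.find(t) for t in ("AccessManager", "SecurityManager", "LoginModule"))
    am_class = am.get("class") if am is not None else None
    sm_class = sm.get("class") if sm is not None else None
    # Per the thread: ACLs only work when DefaultSecurityManager is selected.
    if am_class == DEFAULT_AM and sm_class != DEFAULT_SM:
        findings.append("ACL_MANAGER_WITHOUT_DEFAULT_SECURITY_MANAGER")
    # Per the config comment in the thread: any username logs in without a password.
    if lm is not None and lm.get("class") == SIMPLE_LM:
        findings.append("PASSWORDLESS_LOGIN_MODULE")
        params = {p.get("name"): p.get("value") for p in lm.findall("param")}
        if "adminId" in params:  # the admin name is then accepted without a password too
            findings.append("ADMIN_ID_WITHOUT_PASSWORD:" + params["adminId"])
    return findings

if __name__ == "__main__":
    for name, cfg in (("first", FIRST_CONFIG), ("working", WORKING_CONFIG)):
        print(name, audit_security(cfg))
```

The working config clears the first finding but still reports the login-module findings, so ACL results observed with it are for identities that were never authenticated.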


Re: DefaultAccessManager denies all access?

Posted by Cory Prowse <co...@prowse.com>.
Ah it is probably worth mentioning I am deploying the JCA of JackRabbit to Glassfish.

 -- Cory

On 28/07/2010, at 3:32 PM, Cory Prowse wrote:

> I too have been struggling with security access in JackRabbit 2.1.0 these past few days.
> 
> I am attempting a proof of concept which allows adding nodes and specifying which users/groups can view them, so that only the nodes the currently logged in user has access to will be shown.
> 
> When I attempt to use DefaultAccessManager I get:
>  javax.jcr.AccessDeniedException: cannot read item cafebabe-cafe-babe-cafe-babecafebabe
> 
> This is my config:
>        <Security appName="Jackrabbit">
>                <!-- <AccessManager class="org.apache.jackrabbit.core.security.simple.SimpleAccessManager" /> -->
>                <AccessManager class="org.apache.jackrabbit.core.security.DefaultAccessManager" />
> 
>                <LoginModule class="org.apache.jackrabbit.core.security.simple.SimpleLoginModule">
>                        <param name="anonymousId" value="ANONYMOUS" />
>                </LoginModule>
>        </Security>
> 
> This exception occurs when I ask the session for the root node.
> 
> Not quite following how to hook up security properly here, am I doing something obviously wrong?
> 
> -- Cory
> 
> 
> On 28/07/2010, at 5:37 AM, Alexander Klimetschek wrote:
> 
>> I am currently working on a wiki page for that:
>> http://wiki.apache.org/jackrabbit/AccessControl
>> 
>> Expect more in the coming days.
>> 
>> Regards,
>> Alex
>> 
>> On Tue, Jul 27, 2010 at 15:51, Joel Feenstra <jr...@gmail.com> wrote:
>>> Hi,
>>> I'm working on adding some authentication/authorization to our application
>>> which uses Jackrabbit 2.1. How can I best control access to a node (and its
>>> children) so that one user has read/write access to the subtree, but all
>>> other users don't have any access (not even read access).
>>> 
>>> I've looked at using the principal based ACLProvider, but I can't find any
>>> examples detailing how to actually use it.
>>> 
>>> Thanks,
>>> Joel
>>> jrfeenst@gmail.com
>>> 
>> 
>> 
>> 
>> -- 
>> Alexander Klimetschek
>> alexander.klimetschek@day.com
>