You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@jackrabbit.apache.org by Francisco Carriedo Scher <fc...@gmail.com> on 2011/07/26 12:15:15 UTC

AccessControlException

Hi there,

i am trying to assign an Acl to a folder node with the code below. Some
questions regarding access control arised and i would like to ask for links
where accurate info about my issues could be found or a brief explanation in
order to explore the appropiate path (could be i went the wrong way while
checking the wiki and the Javadoc of the API...).

The code:

*********** BEGIN OF MY CODE *******************

    private void assignInitialPermissions(User u, Principal principal,
String usersPath, Session session) throws
UnsupportedRepositoryOperationException, RepositoryException {


        ValueFactory vf = session.getValueFactory();
        AccessControlManager acm = session.getAccessControlManager();
        List<AccessControlEntryImpl> aces = new
ArrayList<AccessControlEntryImpl>();
        Privilege privileges[] = acm.getSupportedPrivileges(usersPath);//new
Privilege[2];// = { Privilege.JCR_ADD_CHILD_NODES,
Privilege.JCR_REMOVE_CHILD_NODES};
        Map<String, Integer> restrictions = new HashMap<String, Integer>();

        privileges = new Privilege[] { privileges[3] , privileges[8] };

        // Adding restrictions: dummy restrictions since i found no clear
explanation, but just trying right now
        restrictions.put("rep:nodePath", new Integer(1234));
        restrictions.put("rep:glob", new Integer(1234));

        System.out.println("Privilegios a aƱadir: " +
privileges[0].getName() + " " + privileges[1].getName());

        // IMPORTANT, adding at the very first place!!!
        // since it takes the first matching entry
        aces.add(0,new AccessControlEntryImpl(principal, privileges) {

            @Override
            protected ValueFactory getValueFactory() {
                // TODO Auto-generated method stub
                return null;
            }

            @Override
            protected NameResolver getResolver() {
                // TODO Auto-generated method stub
                return null;
            }
        });

        // Finally build and acl and assign it to the corresponding path
        UnmodifiableAccessControlList acl = new
UnmodifiableAccessControlList(aces, usersPath, restrictions);
        acm.setPolicy(acl.getPath(), acl);

    }


************** END OF MY CODE ***********************


********************* ADDITIONAL CODE FROM JACKRABBIT IMPLEMENTATION
***************************

   /**
     * Always throws <code>AccessControlException</code>
     *
     * @see javax.jcr.security.AccessControlManager#setPolicy(String,
AccessControlPolicy)
     */
    public void setPolicy(String absPath, AccessControlPolicy policy) throws
PathNotFoundException, AccessControlException, AccessDeniedException,
RepositoryException {
        checkInitialized();
        checkPermission(absPath, Permission.MODIFY_AC);

        throw new AccessControlException("AccessControlPolicy " + policy + "
cannot be applied.");
    }


********************* END OF ADDITIONAL CODE
*****************************************************************


My questions:

- Why does the code from JR implementation throw always an exception instead
of trying to assign the policy? It must be a regular practice since i saw
similar always-throwing-exception methods in the same class but i must
confess that i have no idea about such behavior. By the way about this, am i
assigning properly the acl to grant the brand new user (User u param in the
code above) over the brand new folder (let's say "user HOME" defined by
String usersPath).

- Where can i find detailed info about Restriction class/interface? What is
exactly the meaning of such class (specifying special behavior for certain
nodes???)?

- I am accessing the repository through the shell
(java -jar jackrabbit-standalone-2.2.7.jar --cli
file:///media/Datos/Solaiemes/workspace/FileRepo/repository)
to check if my code works and so far it worked fine while testing the folder
and file nodes creation. But now, when trying to check the just written
access control code, i can log in with any username (invented i mean) and
password and any action is allowed aswell for such users. I guess that such
behavior could be the default and it must be customized when developing your
own solution, but so far i did not find any concrete place where to restrict
the access (i.e. not allowing any invented name to perform any operation and
checking that the ACL i assign actually define restrictions on the nodes).

Thanks in advance!