Posted to users@jackrabbit.apache.org by Malzer Ferdinand OSP sIT <Fe...@s-itsolutions.at> on 2012/05/29 11:50:18 UTC

problems using UserPerWorkspaceSecurityManager

Hello,
I try to use the following security configuration:

repository config:

<SecurityManager class="org.apache.jackrabbit.core.UserPerWorkspaceSecurityManager">


workspace config:

        <WorkspaceSecurity>
            <AccessControlProvider class="org.apache.jackrabbit.core.security.authorization.principalbased.ACLProvider">
                <param name="omit-default-permission" value="true"/>
            </AccessControlProvider>
        </WorkspaceSecurity>


I create a user 'ferry' in the workspace:

/rep:security/rep:authorizables/rep:users/f
/rep:security/rep:authorizables/rep:users/f/jcr:createdBy = admin
/rep:security/rep:authorizables/rep:users/f/jcr:created = 2012-05-29T11:34:37.828+02:00
/rep:security/rep:authorizables/rep:users/f/jcr:primaryType = rep:AuthorizableFolder
/rep:security/rep:authorizables/rep:users/f/fe
/rep:security/rep:authorizables/rep:users/f/fe/jcr:createdBy = admin
/rep:security/rep:authorizables/rep:users/f/fe/jcr:created = 2012-05-29T11:34:37.844+02:00
/rep:security/rep:authorizables/rep:users/f/fe/jcr:primaryType = rep:AuthorizableFolder
/rep:security/rep:authorizables/rep:users/f/fe/ferry
/rep:security/rep:authorizables/rep:users/f/fe/ferry/rep:password = {sha1}b8cb3e1eebfe4786-20836e1148db38251cca20bbf14d4d1c4a8ad183
/rep:security/rep:authorizables/rep:users/f/fe/ferry/jcr:uuid = 46171b07-7997-3166-bb30-cf5494eff2f8
/rep:security/rep:authorizables/rep:users/f/fe/ferry/jcr:createdBy = admin
/rep:security/rep:authorizables/rep:users/f/fe/ferry/rep:principalName = ferry
/rep:security/rep:authorizables/rep:users/f/fe/ferry/jcr:created = 2012-05-29T11:34:37.844+02:00
/rep:security/rep:authorizables/rep:users/f/fe/ferry/jcr:primaryType = rep:User

After that I add read/write access rights for user ferry to the workspace:

/rep:accesscontrol
/rep:accesscontrol/jcr:primaryType = rep:AccessControl
/rep:accesscontrol/rep:security
/rep:accesscontrol/rep:security/jcr:primaryType = rep:AccessControl
/rep:accesscontrol/rep:security/rep:authorizables
/rep:accesscontrol/rep:security/rep:authorizables/jcr:primaryType = rep:AccessControl
/rep:accesscontrol/rep:security/rep:authorizables/rep:users
/rep:accesscontrol/rep:security/rep:authorizables/rep:users/jcr:primaryType = rep:AccessControl
/rep:accesscontrol/rep:security/rep:authorizables/rep:users/f
/rep:accesscontrol/rep:security/rep:authorizables/rep:users/f/jcr:primaryType = rep:AccessControl
/rep:accesscontrol/rep:security/rep:authorizables/rep:users/f/fe
/rep:accesscontrol/rep:security/rep:authorizables/rep:users/f/fe/jcr:primaryType = rep:AccessControl
/rep:accesscontrol/rep:security/rep:authorizables/rep:users/f/fe/ferry
/rep:accesscontrol/rep:security/rep:authorizables/rep:users/f/fe/ferry/jcr:primaryType = rep:PrincipalAccessControl
/rep:accesscontrol/rep:security/rep:authorizables/rep:users/f/fe/ferry/rep:policy
/rep:accesscontrol/rep:security/rep:authorizables/rep:users/f/fe/ferry/rep:policy/jcr:primaryType = rep:ACL
/rep:accesscontrol/rep:security/rep:authorizables/rep:users/f/fe/ferry/rep:policy/entry
/rep:accesscontrol/rep:security/rep:authorizables/rep:users/f/fe/ferry/rep:policy/entry/rep:privileges = jcr:write
/rep:accesscontrol/rep:security/rep:authorizables/rep:users/f/fe/ferry/rep:policy/entry/rep:privileges = jcr:read
/rep:accesscontrol/rep:security/rep:authorizables/rep:users/f/fe/ferry/rep:policy/entry/rep:glob = *
/rep:accesscontrol/rep:security/rep:authorizables/rep:users/f/fe/ferry/rep:policy/entry/rep:nodePath = /
/rep:accesscontrol/rep:security/rep:authorizables/rep:users/f/fe/ferry/rep:policy/entry/rep:principalName = ferry
/rep:accesscontrol/rep:security/rep:authorizables/rep:users/f/fe/ferry/rep:policy/entry/jcr:primaryType = rep:GrantACE


When I try to get the root node information of the workspace, I get the following exception:

javax.jcr.AccessDeniedException: cannot read item cafebabe-cafe-babe-cafe-babecafebabe
        at org.apache.jackrabbit.core.ItemManager.createItemData(ItemManager.java:844)

Does someone have any idea what goes wrong?

best regards
ferry malzer




Re: problems using UserPerWorkspaceSecurityManager

Posted by Malzer Ferdinand OSP sIT <Fe...@s-itsolutions.at>.
Hello,
Problem found.
To get access to the root, the entry rep:glob=* also has to be omitted.
regards
ferry malzer
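
The fix described in the reply above, as an added example that is not part of the original thread: Java against the Jackrabbit 2.x API that removes a grant entry on `/` carrying a `rep:glob` restriction, adds a read/write entry restricted by `rep:nodePath` only, and then checks that the user can read the root node. The class and method names, the workspace name and the credentials passed in are hypothetical; it assumes an admin session on the workspace and the default `rep` namespace prefix.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import javax.jcr.*;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.*;

public class RootGrantExample {
    // Restriction names as they appear in the node dump on this page (default "rep" prefix assumed).
    static final String NODE_PATH = "rep:nodePath", GLOB = "rep:glob";

    /** Replaces glob-restricted entries on "/" with a read/write grant that has no rep:glob. */
    static void grantRoot(Session admin, String principalName) throws RepositoryException {
        Principal p = ((JackrabbitSession) admin).getPrincipalManager().getPrincipal(principalName);
        if (p == null) throw new RepositoryException("unknown principal: " + principalName);
        JackrabbitAccessControlManager acMgr = (JackrabbitAccessControlManager) admin.getAccessControlManager();
        // A principal without a policy has an "applicable" one; an existing policy is under getPolicies().
        JackrabbitAccessControlPolicy[] pol = acMgr.getApplicablePolicies(p);
        if (pol.length == 0) pol = acMgr.getPolicies(p);
        if (pol.length == 0) throw new RepositoryException("no principal-based policy for " + principalName);
        JackrabbitAccessControlList acl = (JackrabbitAccessControlList) pol[0];
        // Drop entries on "/" that carry a rep:glob restriction (the state shown in the first mail).
        for (AccessControlEntry ace : acl.getAccessControlEntries()) {
            JackrabbitAccessControlEntry e = (JackrabbitAccessControlEntry) ace;
            Value path = e.getRestriction(NODE_PATH);
            if (path != null && "/".equals(path.getString()) && e.getRestriction(GLOB) != null) {
                acl.removeAccessControlEntry(ace);
            }
        }
        Privilege[] privs = { acMgr.privilegeFromName(Privilege.JCR_READ),
                              acMgr.privilegeFromName(Privilege.JCR_WRITE) };
        Value root = admin.getValueFactory().createValue("/", acl.getRestrictionType(NODE_PATH));
        Map<String, Value> restrictions = Collections.singletonMap(NODE_PATH, root); // no rep:glob
        acl.addEntry(p, privs, true, restrictions);
        acMgr.setPolicy(acl.getPath(), acl);
        admin.save();
    }

    /** Logs in as the user and reports whether the root node is readable. */
    static boolean canReadRoot(Repository repo, String user, char[] pw, String ws) throws RepositoryException {
        Session s = repo.login(new SimpleCredentials(user, pw), ws);
        try { s.getRootNode(); return true; }
        catch (AccessDeniedException denied) { return false; }
        finally { s.logout(); }
    }
}
```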