Posted to users@jackrabbit.apache.org by Markus Joschko <ma...@gmail.com> on 2011/09/21 22:57:56 UTC

Restrict read rights to root node and the davex connection

In my quest to secure the access to the repository I removed the
everyone read access from the root node.
That leads to the situation where my users can't log in any longer (I
guess it's the workspacemanager that denies the access as the users
now don't have read rights to root any longer).

I therefore tried to create some access rules to solely access the
root node (not the descendants of it, as I don't want to work with
denys).
To get there I added a path based entry to the user's AccessControlList
that is valid for "/" and has a restriction which is rep:glob -> "".

That seems to work fine when I log in from code: I don't see a node below "/".
However if I try to login via webdav with the cli, I get the exception:

exception: java.lang.NullPointerException
message: null

display stack trace? [y/n]y
java.lang.NullPointerException
        at org.apache.jackrabbit.spi.commons.conversion.ParsingNameResolver.getJCRName(ParsingNameResolver.java:79)
        at org.apache.jackrabbit.spi.commons.conversion.CachingNameResolver.getJCRName(CachingNameResolver.java:95)
        at org.apache.jackrabbit.spi.commons.conversion.DefaultNamePathResolver.getJCRName(DefaultNamePathResolver.java:78)
        at org.apache.jackrabbit.jcr2spi.util.LogUtil.saveGetJCRName(LogUtil.java:89)
        at org.apache.jackrabbit.jcr2spi.NodeImpl.<init>(NodeImpl.java:104)
        at org.apache.jackrabbit.jcr2spi.ItemManagerImpl.createNodeInstance(ItemManagerImpl.java:322)
        at org.apache.jackrabbit.jcr2spi.ItemManagerImpl.created(ItemManagerImpl.java:347)
        at org.apache.jackrabbit.jcr2spi.state.AbstractItemStateFactory.notifyCreated(AbstractItemStateFactory.java:74)
        at org.apache.jackrabbit.jcr2spi.state.TransientISFactory.created(TransientISFactory.java:153)
        at org.apache.jackrabbit.jcr2spi.state.AbstractItemStateFactory.notifyCreated(AbstractItemStateFactory.java:74)
        at org.apache.jackrabbit.jcr2spi.state.WorkspaceItemStateFactory.createNodeState(WorkspaceItemStateFactory.java:349)
        at org.apache.jackrabbit.jcr2spi.state.WorkspaceItemStateFactory.createNodeState(WorkspaceItemStateFactory.java:101)
        at org.apache.jackrabbit.jcr2spi.state.TransientISFactory.createNodeState(TransientISFactory.java:97)
        at org.apache.jackrabbit.jcr2spi.hierarchy.NodeEntryImpl.doResolve(NodeEntryImpl.java:990)
        at org.apache.jackrabbit.jcr2spi.hierarchy.HierarchyEntryImpl.resolve(HierarchyEntryImpl.java:134)
        at org.apache.jackrabbit.jcr2spi.hierarchy.HierarchyEntryImpl.getItemState(HierarchyEntryImpl.java:253)
        at org.apache.jackrabbit.jcr2spi.ItemManagerImpl.getItem(ItemManagerImpl.java:199)
        at org.apache.jackrabbit.jcr2spi.SessionImpl.getRootNode(SessionImpl.java:233)
        at org.apache.jackrabbit.standalone.cli.core.Login.execute(Login.java:84)
        at org.apache.jackrabbit.standalone.cli.JcrClient.runCommand(JcrClient.java:255)
        at org.apache.jackrabbit.standalone.cli.JcrClient.runInteractive(JcrClient.java:210)
        at org.apache.jackrabbit.standalone.Main.run(Main.java:145)
        at org.apache.jackrabbit.standalone.Main.main(Main.java:61)


Any idea what that is about? I also tried the resource based ACL
instead of the path based with basically the same effect.


Another thing I don't understand is what happens when I use rep:glob
-> "*" instead. That gives me a

exception: javax.jcr.RepositoryException
message: Unauthorized

display stack trace? [y/n]y
javax.jcr.RepositoryException: Unauthorized
        at org.apache.jackrabbit.spi2dav.ExceptionConverter.generate(ExceptionConverter.java:120)
        at org.apache.jackrabbit.spi2dav.ExceptionConverter.generate(ExceptionConverter.java:51)
        at org.apache.jackrabbit.spi2dav.ExceptionConverter.generate(ExceptionConverter.java:45)
        at org.apache.jackrabbit.spi2dav.RepositoryServiceImpl.obtain(RepositoryServiceImpl.java:722)
        at org.apache.jackrabbit.spi2dav.RepositoryServiceImpl.obtain(RepositoryServiceImpl.java:666)
        at org.apache.jackrabbit.spi2davex.RepositoryServiceImpl.obtain(RepositoryServiceImpl.java:273)
        at org.apache.jackrabbit.jcr2spi.RepositoryImpl.login(RepositoryImpl.java:151)
        at org.apache.jackrabbit.commons.AbstractRepository.login(AbstractRepository.java:123)
        at org.apache.jackrabbit.standalone.cli.core.Login.execute(Login.java:79)
        at org.apache.jackrabbit.standalone.cli.JcrClient.runCommand(JcrClient.java:255)
        at org.apache.jackrabbit.standalone.cli.JcrClient.runInteractive(JcrClient.java:210)
        at org.apache.jackrabbit.standalone.Main.run(Main.java:145)
        at org.apache.jackrabbit.standalone.Main.main(Main.java:61)
Caused by: org.apache.jackrabbit.webdav.DavException: Unauthorized
        at org.apache.jackrabbit.webdav.client.methods.DavMethodBase.getResponseException(DavMethodBase.java:162)
        at org.apache.jackrabbit.webdav.client.methods.DavMethodBase.getResponseBodyAsMultiStatus(DavMethodBase.java:91)
        at org.apache.jackrabbit.spi2dav.RepositoryServiceImpl.obtain(RepositoryServiceImpl.java:694)
        ... 9 more

According to the javadoc the "*" allows "access to all siblings of
foo and foo's and the siblings' descendants."
Doesn't that include "/" in this case?

Thanks,
 Markus

Re: Restrict read rights to root node and the davex connection

Posted by Markus Joschko <ma...@gmail.com>.
OK, I found the reason for the NullPointerException:
The restrictions do not allow any property to be sent to the client.
Therefore the nodeTypeName (jcr:primaryType) is null which should
(according to this comment in NodeImpl) never be the case:

  if (!session.getNodeTypeManager().hasNodeType(nodeTypeName)) {
      // should not occur. Since nodetypes are defined by the 'server'
      // its not possible to determine a fallback nodetype that is
      // always available.
      throw new IllegalArgumentException("Unknown nodetype " +
          LogUtil.saveGetJCRName(nodeTypeName, session.getNameResolver()));
  }

If I allow in addition the jcr:primaryType to be read, the davex
client works fine.

Is this a bug or expected behaviour?

Regards,
 Markus



On Wed, Sep 21, 2011 at 10:57 PM, Markus Joschko
<ma...@gmail.com> wrote:
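The root-only read entry the thread describes, written against the Jackrabbit access control API as an added example (not the poster's code): it grants jcr:read on "/" restricted with rep:glob "" and then adds the extra grant for jcr:primaryType that the follow-up found a davex client needs. The glob value "/jcr:primaryType" used for that second entry and the principal lookup via PrincipalManager are assumptions; the thread does not say how the property was exposed.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;

public class RootOnlyReadAcl {
    /** Grants principalName read access to the root node itself, nothing below it. */
    public static void grantRootOnlyRead(Session session, String principalName) throws Exception {
        AccessControlManager acm = session.getAccessControlManager();
        ValueFactory vf = session.getValueFactory();
        // Assumption: the session is a JackrabbitSession so the principal can be looked up by name.
        Principal principal = ((JackrabbitSession) session).getPrincipalManager().getPrincipal(principalName);
        JackrabbitAccessControlList acl = findAcl(acm, "/");
        Privilege[] read = new Privilege[] { acm.privilegeFromName(Privilege.JCR_READ) };
        // rep:glob -> "" : the entry applies to "/" only, not to any child item.
        // As the thread found, this also withholds the node's own properties, so
        // jcr:primaryType never reaches a davex client and NodeImpl fails with an NPE.
        Map<String, Value> rootOnly = new HashMap<String, Value>();
        rootOnly.put("rep:glob", vf.createValue(""));
        acl.addEntry(principal, read, true, rootOnly);
        // Assumption (not stated in the thread): a second entry whose glob names the
        // property is what exposes jcr:primaryType while keeping child nodes hidden.
        Map<String, Value> primaryTypeOnly = new HashMap<String, Value>();
        primaryTypeOnly.put("rep:glob", vf.createValue("/jcr:primaryType"));
        acl.addEntry(principal, read, true, primaryTypeOnly);
        acm.setPolicy("/", acl);
        session.save();
    }

    /** Returns the ACL already bound at path, or the applicable one if none is bound yet. */
    private static JackrabbitAccessControlList findAcl(AccessControlManager acm, String path) throws Exception {
        for (AccessControlPolicy p : acm.getPolicies(path)) {
            if (p instanceof JackrabbitAccessControlList) return (JackrabbitAccessControlList) p;
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof JackrabbitAccessControlList) return (JackrabbitAccessControlList) p;
        }
        throw new IllegalStateException("no access control list available for " + path);
    }
}
```

After saving, verify with the davex client that login succeeds and that `session.getRootNode().getNodes()` yields no children for the restricted principal.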