Posted to users@jackrabbit.apache.org by Roland Klein <ro...@mtg-marinetechnik.de> on 2008/11/19 07:58:30 UTC

Access control on property level?

Hi all,

are there plans to extend the access control of jackrabbit to honour
privileges to properties?
Restrict/grant access not only on node level but also on property level.

Roland

-- 
Roland Klein
Tel: +49 40 65803 209
Fax: +49 40 65803 392
roland.klein@mtg-marinetechnik.de

MTG Marinetechnik GmbH - Wandsbeker Koenigstr. 62 - D 22041 Hamburg

GF Dipl.-Ing. Ullrich Keil
Handelsregister: Abt. B Nr. 11 500 - Amtsgericht Hamburg Abt. 66
USt.-IdNr.: DE 1186 70571


Re: Access control on property level?

Posted by Angela Schreiber <an...@day.com>.
hi roland

> Could you direct me to a place where I can find more documentation

no documentation so far.

> about the supported restrictions in Jackrabbit?

the list of restrictions depends on the implementation
you are using.

the acl implementation that is stored with the access controlled
node doesn't accept any restrictions up to now.
the acl implementation from the principalbased packages allows
you to define a simple glob... as i said, still in a draft version
as you might have seen from the TODOs in the code.

however, you may also create your own implementation that fits
your needs. in any case the ACL/ACE implementation is always
coupled with the access control provider that is responsible
for the permission evaluation.

> How could I configure a repository to use
> org.apache.jackrabbit.core.security.authorization.principalbased.ACLTemplate?

you can define for each workspace which ac provider to use.
-> workspaceConfig -> workspaceSecurityConfig -> AccessControlProvider

regards
angela


Re: Access control on property level?

Posted by Roland Klein <ro...@mtg-marinetechnik.de>.
Angela Schreiber wrote:
> hi roland
>
>> Sorry, maybe I wasn't clear enough. I meant grant or deny access to an
>> individual property of a node.
>
> yes... that's what i understood.
>
>> Will this be possible in Jackrabbit 1.6 or 2.0?
>
> that should be possible with jackrabbit 1.5.0 already.
> despite the fact that it is still work in progress...
>
>> Because I just checked out the trunk for 1.6-SNAPSHOT and tried to
>> restrict the access but got a PathNotFoundException.
>> Then I realized ACLs can only be assigned to nodes, but how do I
>> build a correct ACL which I can assign to the node?
>> Am I missing something?
>
> ACLs can only be assigned to Nodes. Similarly a Session
> holds a set of Privileges on a given Node (and never on
> a Property). this is defined by the JSR 283 access control.
>
> however, you still may have finer grained permissions
> even for individual properties or nodes:
>
> quote from the specification:
> "
> In repositories that do support access control management, the
> permissions encompass the restrictions imposed by privileges, but also
> include any additional policy-internal refinements with effects too
> fine-grained to be exposed through privilege discovery. A common case
> may be to provide finer-grained access restrictions to individual
> properties or child nodes of the node to which the policy applies.
> "
>
> for this purpose jackrabbit defines refined ACL/ACE
> interfaces that allow to pass additional restrictions
> when creating an ACE. which restrictions are understood
> and/or respected is left to the implementation.
>
Could you direct me to a place where I can find more documentation
about the supported restrictions in Jackrabbit?
I think it has something to do with "rep:glob", but how do I use it?
> you may take a look at
> http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplate.java
>
>
How could I configure a repository to use
org.apache.jackrabbit.core.security.authorization.principalbased.ACLTemplate?
I tried this in my repository.xml, using "DefaultSecurityManager",
"DefaultAccessManager" and "DefaultLoginModule". But it seems that I am not
able to select the principalbased.ACLTemplate. I always get the
acl.ACLTemplate from "AccessControlProviderFactoryImpl.createProvider()"
and I had a look at that method, so my idea was to configure my repository
to use a principalbased.ACLProvider (lines 76-78 in
AccessControlProviderFactoryImpl).



    <Workspaces rootPath="${rep.home}/workspaces" defaultWorkspace="default"/>
    <!--
        workspace configuration template:
        used to create the initial workspace if there's no workspace yet
    -->
    <Workspace name="${wsp.name}">
        <!--
            virtual file system of the workspace:
            class: FQN of class implementing the FileSystem interface
        -->
        <FileSystem class="org.apache.jackrabbit.core.fs.local.LocalFileSystem">
            <param name="path" value="${wsp.home}"/>
        </FileSystem>
        <!--
            persistence manager of the workspace:
            class: FQN of class implementing the PersistenceManager interface
        -->
        <PersistenceManager class="org.apache.jackrabbit.core.persistence.bundle.DerbyPersistenceManager">
          <param name="url" value="jdbc:derby:${wsp.home}/db;create=true"/>
          <param name="schemaObjectPrefix" value="${wsp.name}_"/>
        </PersistenceManager>
        <!--
            Search index and the file system it uses.
            class: FQN of class implementing the QueryHandler interface
        -->
        <SearchIndex class="org.apache.jackrabbit.core.query.lucene.SearchIndex">
            <param name="path" value="${wsp.home}/index"/>
            <param name="textFilterClasses" value="org.apache.jackrabbit.extractor.PlainTextExtractor,org.apache.jackrabbit.extractor.MsWordTextExtractor,org.apache.jackrabbit.extractor.MsExcelTextExtractor,org.apache.jackrabbit.extractor.MsPowerPointTextExtractor,org.apache.jackrabbit.extractor.PdfTextExtractor,org.apache.jackrabbit.extractor.OpenOfficeTextExtractor,org.apache.jackrabbit.extractor.RTFTextExtractor,org.apache.jackrabbit.extractor.HTMLTextExtractor,org.apache.jackrabbit.extractor.XMLTextExtractor"/>
            <param name="extractorPoolSize" value="2"/>
            <param name="supportHighlighting" value="true"/>
        </SearchIndex>
        <WorkspaceSecurity>
          <AccessControlProvider class="org.apache.jackrabbit.core.security.authorization.principalbased.ACLProvider">
          </AccessControlProvider>
        </WorkspaceSecurity>
    </Workspace>

> it is still sort of a draft but you will get the idea.
>
> hope that helps
> angela
>
>
thanks in advance
roland



Re: Access control on property level?

Posted by Angela Schreiber <an...@day.com>.
hi roland

> Sorry, maybe I wasn't clear enough. I meant grant or deny access to an
> individual property of a node.

yes... that's what i understood.

> Will this be possible in Jackrabbit 1.6 or 2.0?

that should be possible with jackrabbit 1.5.0 already.
despite the fact that it is still work in progress...

> Because I just checked out the trunk for 1.6-SNAPSHOT and tried to
> restrict the access but got a PathNotFoundException.
> Then I realized ACLs can only be assigned to nodes, but how do I
> build a correct ACL which I can assign to the node?
> Am I missing something?

ACLs can only be assigned to Nodes. Similarly a Session
holds a set of Privileges on a given Node (and never on
a Property). this is defined by the JSR 283 access control.

however, you still may have finer grained permissions
even for individual properties or nodes:

quote from the specification:
"
In repositories that do support access control management, the 
permissions encompass the restrictions imposed by privileges, but also 
include any additional policy-internal refinements with effects too 
fine-grained to be exposed through privilege discovery. A common case
may be to provide finer-grained access restrictions to individual 
properties or child nodes of the node to which the policy applies.
"

for this purpose jackrabbit defines refined ACL/ACE
interfaces that allow to pass additional restrictions
when creating an ACE. which restrictions are understood
and/or respected is left to the implementation.

you may take a look at
http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authorization/principalbased/ACLTemplate.java

it is still sort of a draft but you will get the idea.

hope that helps
angela
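Angela's point about passing additional restrictions when creating an ACE, applied to Roland's vo:mySecret scenario: A gets read/write on the whole node, B gets the same minus the one property. This is an added example, not code from the thread or from Jackrabbit itself; it uses the JCR 2.0 and Jackrabbit 2.x API (JackrabbitAccessControlList.addEntry with a restriction map) rather than the 2008 draft discussed here. It assumes that the workspace's access control provider understands the "rep:glob" restriction, that a later entry in the list takes precedence for the items its glob matches, and that the paths, class and method names are constructed for illustration.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;

public class PropertyLevelAcl {
    // Constructed sample values: the address node and the one property to hide from B.
    static final String ADDR_PATH = "/addr";
    static final String SECRET_GLOB = "/vo:mySecret"; // rep:glob value, relative to ADDR_PATH

    /** Returns the ACL bound to path, or the applicable (not yet bound) one. */
    static JackrabbitAccessControlList aclFor(AccessControlManager acm, String path)
            throws RepositoryException {
        for (AccessControlPolicy p : acm.getPolicies(path)) {
            if (p instanceof JackrabbitAccessControlList) return (JackrabbitAccessControlList) p;
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof JackrabbitAccessControlList) return (JackrabbitAccessControlList) p;
        }
        throw new RepositoryException("no modifiable ACL available for " + path);
    }

    /** A: read/write on /addr without restriction. B: the same, then a rep:glob deny for vo:mySecret. */
    static void apply(Session admin, Principal a, Principal b) throws RepositoryException {
        AccessControlManager acm = admin.getAccessControlManager();
        Privilege[] rw = { acm.privilegeFromName(Privilege.JCR_READ),
                           acm.privilegeFromName(Privilege.JCR_MODIFY_PROPERTIES) };
        JackrabbitAccessControlList acl = aclFor(acm, ADDR_PATH);
        acl.addEntry(a, rw, true);
        acl.addEntry(b, rw, true);
        Map<String, Value> onlySecret = Collections.singletonMap(
                "rep:glob", admin.getValueFactory().createValue(SECRET_GLOB));
        acl.addEntry(b, rw, false, onlySecret); // assumed: later entry wins for matched items
        acm.setPolicy(ADDR_PATH, acl);
        admin.save();
    }
    /** Verified from B's own session: the node is readable, the secret property is not. */
    static boolean secretHiddenFrom(Session bSession) throws RepositoryException {
        return bSession.hasPermission(ADDR_PATH, Session.ACTION_READ)
            && !bSession.hasPermission(ADDR_PATH + SECRET_GLOB, Session.ACTION_READ);
    }
}
```

Because the precedence and glob semantics are implementation-specific, treat secretHiddenFrom as the check that the provider in use actually enforces the intended property-level restriction rather than trusting the policy as written.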



Re: Access control on property level?

Posted by Roland Klein <ro...@mtg-marinetechnik.de>.
Angela Schreiber wrote:
> hi roland
>
>> are there plans to extend the access control of jackrabbit to honour
>> privileges to properties?
>> Restrict/grant access not only on node level but also on property level.
>
> with the changes made for "JCR-1588 JSR 283: Access Control"
> and the corresponding jackrabbit specific extensions it
> is possible to grant/restrict access to properties by
> adding additional restrictions to an ACE.
>
> regards
> angela
>
>
Sorry, maybe I wasn't clear enough. I meant grant or deny access to an
individual property of a node.
e.g.
[vo:address] > nt:unstructured
    - vo:name (String)
    - vo:street (String)
    - vo:city (String)
    etc.
    - vo:mySecret (String)

Then two Principals A and B.
  - A has read/write access to all properties of Address addr.
  - B has read/write access to all properties of Address addr except the
property vo:mySecret

Will this be possible in Jackrabbit 1.6 or 2.0?
Because I just checked out the trunk for 1.6-SNAPSHOT and tried to
restrict the access but got a PathNotFoundException.
Then I realized ACLs can only be assigned to nodes, but how do I
build a correct ACL which I can assign to the node?
Am I missing something?

thanks
roland



Re: Access control on property level?

Posted by Angela Schreiber <an...@day.com>.
hi roland

> are there plans to extend the access control of jackrabbit to honour
> privileges to properties?
> Restrict/grant access not only on node level but also on property level.

with the changes made for "JCR-1588 JSR 283: Access Control"
and the corresponding jackrabbit specific extensions it
is possible to grant/restrict access to properties by
adding additional restrictions to an ACE.

regards
angela