You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@sling.apache.org by Vidar Ramdal <vi...@idium.no> on 2009/11/13 14:23:00 UTC

Script-based access control

I remember a blog post from some time ago, which provided an example
of implementing access control in Sling/JCR using a (java-)script.
However, I cannot find back to this blog post. Does this ring a bell
with anyone?

-- 
Vidar S. Ramdal <vi...@idium.no> - http://www.idium.no
Sommerrogata 13-15, N-0255 Oslo, Norway
+ 47 22 00 84 00 / +47 21 531941, ext 2070

Re: Implementing AccessManagerPlugin

Posted by Vidar Ramdal <vi...@idium.no>.

On Sat, Nov 14, 2009 at 1:03 AM, thorsten zerha
<th...@googlemail.com> wrote:
> Hi all,
>
> I'm still trying to get my own AccessManager(Plugin) running ...
>
> The howto mentioned in the previous thread [1] talks about copying
> simple.AccessManager to a simple.RAccessManager ... This is not the way to
> go in sling (since there is PluggableDefaultAccessManager), is it?

You might, but since your AccessManager needs to be available from the
Jackrabbit Server bundle, you cannot provide in it your own bundle.
Thus, you need to run a modified version of Jackrabbit Server bundle.
(Actually, that was the motivation for AccessManagerPlugin in the
first place).

> I tried the following to get just the same behaviour as is right now with
> the fallback to DefaultAccessManager (in order to modify it to my needs
> afterwards):
>
> So I implemented AccessManagerPluginFactory and AccessManagerPlugin (by
> copying code from jackrabbit's DefaultAccessManager) ... but the interface
> methods differ from the implementation in jackrabbit(1.6) (e.g
> isGranted(Path absPath,...) != isGranted(String absPath,...), init!=init ).

Right. It was done that way since isGranted(Path) and
isGranted(String) does the same thing in DefaultAccessManager, and
having to implement both of them in an AccessManagerPlugin seemed
unnecessary. Also, if I remember correctly, the Path class is not
exported from Jackrabbit Server.

> Then I would put these 2 files in a bundle, install it and then I could
> start experimenting with my adaptations (allowing contents to be denied to
> everybody by default)

Yes, that should work.

> I read about the DefaultAccessManager implementation tries (SLING-880), but
> apart from the reaction with the PluggableDefaultAccessManager, I couldn't
> find any further readings how this is actually implemented.
>
> Can anyone point me to an open project implementing AccessManagerPlugin
> (PluggableDefaultAccessManager) or to snippets how this is done or anything
> else that could give me a hint how I could go on with that?

I don't know any open projects to look at, but I'll try to get you
started right here. First, the AccessManagerPluginFactory needs to do
nothing more than instantiate AccessManagerPlugins:
/** @scr.component
 *      metatype="no" immediate="false"
 * @scr.service
 *      interface="org.apache.sling.jcr.jackrabbit.server.security.accessmanager.AccessManagerPluginFactory"
*/
public class MyAccessManagerPluginFactory implements
AccessManagerPluginFactory {
   ...
    public AccessManagerPlugin getAccessManager() {
        return new MyAccessManagerPlugin();
    }
  ...
}

More work is needed for MyAccessManagerPlugin, but most of it can be
tucked into isGranted:

public class MyAccessManagerPlugin implements AccessManagerPlugin {
  private boolean isSystemSession;

  public void init(Subject subject, Session session) {
       for (Principal subjectPrincipal : subjectPrincipals) {
          if (subjectPrincipal.getName().equals("admin")) {
                this.isSystemSession = true;  return;
          }
      }
  }


  public boolean isGranted(String path, int bits) {
    if (this.isSystemSession) {
      return true;
    } else {
       // Your logic goes here, to lookup and invoke access policies etc.
       // You will probably do this from a system session.
    }
  }

  public boolean canRead(String path) throws RepositoryException {
      return isGranted(path, AccessManagerPlugin.READ);
  }

  ...
}

It takes some time getting into how AccessManagers are used in
Jackrabbit. I can only recommend setting a breakpoint somehwere in
MyAccessManagerPlugin and stepping through it. You will be surprised
to see how often these methods are called.


-- 
Vidar S. Ramdal <vi...@idium.no> - http://www.idium.no
Sommerrogata 13-15, N-0255 Oslo, Norway
+ 47 22 00 84 00 / +47 21 531941, ext 2070

Implementing AccessManagerPlugin

Posted by thorsten zerha <th...@googlemail.com>.

Hi all,

I'm still trying to get my own AccessManager(Plugin) running ...

The howto mentioned in the previous thread [1] talks about copying 
simple.AccessManager to a simple.RAccessManager ... This is not the way 
to go in sling (since there is PluggableDefaultAccessManager), is it?

I tried the following to get just the same behaviour as is right now 
with the fallback to DefaultAccessManager (in order to modify it to my 
needs afterwards):

So I implemented AccessManagerPluginFactory and AccessManagerPlugin (by 
copying code from jackrabbit's DefaultAccessManager) ... but the 
interface methods differ from the implementation in jackrabbit(1.6) (e.g 
isGranted(Path absPath,...) != isGranted(String absPath,...), init!=init ).

Then I would put these 2 files in a bundle, install it and then I could 
start experimenting with my adaptations (allowing contents to be denied 
to everybody by default)

I read about the DefaultAccessManager implementation tries (SLING-880), 
but apart from the reaction with the PluggableDefaultAccessManager, I 
couldn't find any further readings how this is actually implemented.

Can anyone point me to an open project implementing AccessManagerPlugin 
(PluggableDefaultAccessManager) or to snippets how this is done or 
anything else that could give me a hint how I could go on with that?

thanks very much for your help up till now,
  thorsten

[1] http://dev.day.com/microsling/content/blogs/main/theaclisdead.html

Re: Script-based access control

Posted by Bertrand Delacretaz <bd...@apache.org>.

On Sat, Nov 14, 2009 at 9:23 AM, Christophe Lombart
<ch...@gmail.com> wrote:
> ...I'm +1 to see on of these solutions (dynamic group or acl scripts) inside
> the Sling code base. We also need this kind of flexibility....

Same here, but I will insist on serious automated tests for this
(*)...scripted ACLs are probably easier to abuse than coded access
control, so we must be careful not to open a can of worms.

-Bertrand

(*) well this is not too different from my usual point of view ;-)

Re: Script-based access control

Posted by Christophe Lombart <ch...@gmail.com>.

Just for info, the Sakai project use the notion of Dynamic Group [1], [2]: a
user is member of group depending of a context (node state, external sys,
date or any kind of business rules). You can code some component used by the
AccessManager to check if a user is member of a group depending on a
context. I worked a little bit with Ian on that but this is not yet
finished.
I plan to come back on this issue asap.

I'm +1 to see on of these solutions (dynamic group or acl scripts) inside
the Sling code base. We also need this kind of flexibility.

br,
Christophe

[1]
http://confluence.sakaiproject.org/display/KERNDOC/Sling+AuthZ+Implementation+Plan
[2]
http://confluence.sakaiproject.org/display/KERNDOC/Configuring+Users+and+Groups

2009/11/13 Vidar Ramdal <vi...@idium.no>

> > On Fri, Nov 13, 2009 at 14:23, Vidar Ramdal <vi...@idium.no> wrote:
> >> I remember a blog post from some time ago, which provided an example
> >> of implementing access control in Sling/JCR using a (java-)script.
> >> However, I cannot find back to this blog post. Does this ring a bell
> >> with anyone?
>
> On Fri, Nov 13, 2009 at 3:15 PM, Alexander Klimetschek <ak...@day.com>
> wrote:
> > I guess you mean
> > http://dev.day.com/microsling/content/blogs/main/theaclisdead.html
>
> That's the one. Thanks a lot!
>
> --
> Vidar S. Ramdal <vi...@idium.no> - http://www.idium.no
> Sommerrogata 13-15, N-0255 Oslo, Norway
> + 47 22 00 84 00 / +47 21 531941, ext 2070
>

Re: Script-based access control

Posted by Vidar Ramdal <vi...@idium.no>.

> On Fri, Nov 13, 2009 at 14:23, Vidar Ramdal <vi...@idium.no> wrote:
>> I remember a blog post from some time ago, which provided an example
>> of implementing access control in Sling/JCR using a (java-)script.
>> However, I cannot find back to this blog post. Does this ring a bell
>> with anyone?

On Fri, Nov 13, 2009 at 3:15 PM, Alexander Klimetschek <ak...@day.com> wrote:
> I guess you mean
> http://dev.day.com/microsling/content/blogs/main/theaclisdead.html

That's the one. Thanks a lot!

-- 
Vidar S. Ramdal <vi...@idium.no> - http://www.idium.no
Sommerrogata 13-15, N-0255 Oslo, Norway
+ 47 22 00 84 00 / +47 21 531941, ext 2070

Re: Script-based access control

Posted by Alexander Klimetschek <ak...@day.com>.

On Fri, Nov 13, 2009 at 14:23, Vidar Ramdal <vi...@idium.no> wrote:
> I remember a blog post from some time ago, which provided an example
> of implementing access control in Sling/JCR using a (java-)script.
> However, I cannot find back to this blog post. Does this ring a bell
> with anyone?

I guess you mean
http://dev.day.com/microsling/content/blogs/main/theaclisdead.html

Regards,
Alex

-- 
Alexander Klimetschek
alexander.klimetschek@day.com