Posted to users@jackrabbit.apache.org by Sebastian Gomez <sa...@gmail.com> on 2009/01/07 18:35:47 UTC

Jackrabbit 1.5 ACL Basics

Hi everyone.
I'm trying to find some documentation on Jackrabbit 1.5 security using ACLs,
and I haven't found very much so I hope someone can help me out with this.
I'm trying to initialize my repository creating the ACL and ACE nodes by
hand, without having to do it programmatically. I'd like to know what kind of
structure I should use. Looking at the source code I've come to the
conclusion that my access controlled nodes must have the mixin type rep:acl,
and a child node with mixin type rep:ace for each entry. These entries will
then have the principal and privileges in its properties, that must have
the name specified in the AccessControlConstants interface. Is this the
basic idea or am I being mistaken?

Thanks in advance.

Sebastian Gomez.

Re: Jackrabbit 1.5 ACL Basics

Posted by Angela Schreiber <an...@day.com>.
hi sebastian

> I'm trying to find some documentation on Jackrabbit 1.5 security using ACLs,

the jackrabbit 1.5 security functionality is a work-in-progress
snapshot of the upcoming jsr 283.
you may find some documentation though probably not the latest
version with the JSR 283 public draft.

alternatively you may take a look at the tmp. 283 security API
present with jackrabbit-api.

> I'm trying to initialize my repository creating the ACL and ACE nodes by
> hand, without having to do it programmatically.

what do you mean by hand?

> I'd like to know what kind of
> structure I should use. Looking at the source code I've come to the
> conclusion that my access controlled nodes must have the mixin type rep:acl,
> and a child node with mixin type rep:ace for each entry. These entries will
> then have the principal and privileges in its properties, that must have
> the name specified in the AccessControlConstants interface. Is this the
> basic idea or am I being mistaken?

the basic idea is that the AccessControlManager exposes 
AccessControlPolicies which may or may not be ACL depending
on the implementation.

the current attempt is to make that somehow configurable
allowing to define other ac evaluation systems. the provider
of that evaluation system can be set individually for each
workspace.

currently jackrabbit-core contains examples for

a) an ACL based system that is defined on the access
    controlled nodes themselves,
b) an ACL based system that stores the entries in a separate
    tree grouped by principals,
c) a combination of both
d) and last but not least a simple example of a named policies
without aces (currently used by default to manage access to
users and groups).

if you change the default configuration to use the
DefaultSecurityManager you will by default get a) + d).

with all examples listed above the security content is
protected and should only be manipulated using the API.

hope that helps
angela


Re: Jackrabbit 1.5 ACL Basics

Posted by Angela Schreiber <an...@day.com>.
> I found the builtin_nodetypes.xml file in the
> org.apache.jackrabbit.core.nodetype package that has helped me understand
> what the hierarchy must look like. 

the hierarchy doesn't have to look like that.
it is the access control evaluation system used that
defines on whether the security content is stored within
the repository or if it isn't. and if this is the case how
the structure needs to look like.

the node type definitions present with the builtin-nodetypes
just represent the structure used by the examples i listed
in the previous mail. this isn't mandatory at all.

> I've concluded any node can be access
> controlled by assigning it the "rep:AccessControllable" mixin type, giving
> it a child node of primary type "rep:ACL" and this last one must have one
> child node of primary type "rep:ACE" for each entry in the list. If it's not
> too much asking, I'd appreciate anyone having a good understanding on this
> area to confirm my conclusion.

you shouldn't have to care about the content structure
after all. all you should need to do is using the security
API:

- getting the AccessControlManager from the session.
- retrieving the applicable policies for a specific node
- ev. modify the policies if possible (e.g. if it is
   an implementation of AccessControlList or some other
   modifiable implementation of the AccessControlPolicy).
- use AccessControlManager#setPolicy to place the policy
- and call save to have the policy taking effect.

hope that helps
angela


Re: Jackrabbit 1.5 ACL Basics

Posted by Torgeir Veimo <to...@pobox.com>.
On 8 Jan 2009, at 21:20, Sebastian Gomez wrote:

> Hi again.
> I found the builtin_nodetypes.xml file in the
> org.apache.jackrabbit.core.nodetype package that has helped me understand
> what the hierarchy must look like. I've concluded any node can be access
> controlled by assigning it the "rep:AccessControllable" mixin type, giving
> it a child node of primary type "rep:ACL" and this last one must have one
> child node of primary type "rep:ACE" for each entry in the list. If it's not
> too much asking, I'd appreciate anyone having a good understanding on this
> area to confirm my conclusion.


There's some background information in this jira issue: https://issues.apache.org/jira/browse/JCR-1171

-- 
Torgeir Veimo
torgeir@pobox.com





Re: Jackrabbit 1.5 ACL Basics

Posted by Sebastian Gomez <sa...@gmail.com>.
Hi again.
I found the builtin_nodetypes.xml file in the
org.apache.jackrabbit.core.nodetype package that has helped me understand
what the hierarchy must look like. I've concluded any node can be access
controlled by assigning it the "rep:AccessControllable" mixin type, giving
it a child node of primary type "rep:ACL" and this last one must have one
child node of primary type "rep:ACE" for each entry in the list. If it's not
too much asking, I'd appreciate anyone having a good understanding on this
area to confirm my conclusion.

Thanks.

Sebastian Gomez.

On Wed, Jan 7, 2009 at 6:35 PM, Sebastian Gomez <sa...@gmail.com> wrote:

> Hi everyone.
> I'm trying to find some documentation on Jackrabbit 1.5 security using
> ACLs, and I haven't found very much so I hope someone can help me out with
> this. I'm trying to initialize my repository creating the ACL and ACE nodes
> by hand, without having to do it programmatically. I'd like to know what kind
> of structure I should use. Looking at the source code I've come to the
> conclusion that my access controlled nodes must have the mixin type rep:acl,
> and a child node with mixin type rep:ace for each entry. These entries will
> then have the principal and privileges in its properties, that must have
> the name specified in the AccessControlConstants interface. Is this the
> basic idea or am I being mistaken?
>
> Thanks in advance.
>
> Sebastian Gomez.
>