Posted to oak-dev@jackrabbit.apache.org by "gianluca.soffredini@metaframe.it" <gi...@metaframe.it> on 2016/03/29 17:31:59 UTC

Problems with OAK Restrictions

Hi,

I'm working with Francesco Ancona and we are using Jackrabbit OAK.
I have a problem using ACL restrictions with OAK 1.4.0.
I'm using the JCR repository (javax.jcr.Repository interface) and not 
the OAK Content Repository.
When I try to apply a restriction using rep:glob as the key and the 
empty string as the value in the restrictions map, it does not work as I 
expected.

As specified in the OAK documentation 
(http://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html), 
if we have a node with path /foo
and we try to give the read permission to a principal, if we use 
global restriction with empty string we can apply the permission for the 
principal
only to the /foo node.

I tried to do that: the restriction provider correctly writes the 
restriction in my repository data storage but the system simply ignores 
the applied ACL.


Using rep:glob

For a nodePath /foo the following results can be expected for
the different values of rep:glob.

rep:glob    Result
""          matches node /foo only
/cat        the node /foo/cat and all its children
/cat/       the descendants of the node /foo/cat
cat         the node /foocat and all its children
cat/        all descendants of the node /foocat
*           foo, siblings of foo and their descendants
/*cat       all children of /foo whose path ends with ‘cat’
/*/cat      all non-direct descendants of /foo named ‘cat’
/cat*       all descendant path of /foo that have the direct foo-descendant segment starting with ‘cat’
*cat        all siblings and descendants of foo that have a name ending with ‘cat’
*/cat       all descendants of /foo and foo’s siblings that have a name segment ‘cat’
cat/*       all descendants of ‘/foocat’
/cat/*      all descendants of ‘/foo/cat’
*cat/*      all descendants of /foo that have an intermediate segment ending with ‘cat’



This is my code:

protected void applyRestriction(final JackrabbitSession session, final Principal principal,
        final String path, final Privilege[] privileges,
        final boolean allow, final boolean propagate) throws RepositoryException {
    AccessControlManager acMgr = session.getAccessControlManager();

    JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, path);

    Map<String,Value> restrictions = new HashMap<String,Value>();

    if (!propagate) {
        restrictions.put(AccessControlConstants.REP_GLOB,
                session.getValueFactory().createValue("", PropertyType.STRING));
    }
    acl.addEntry(principal, privileges, allow, restrictions);
    acMgr.setPolicy(path, acl);
    session.save();
}

and this is the call:
applyRestriction(session, readerGroup.getPrincipal(), "/foo",
        AccessControlUtils.privilegesFromNames(session.getAccessControlManager(), PrivilegeConstants.JCR_READ),
        true, true);

I have found this issue that is similar to my problem but it's closed. 
https://issues.apache.org/jira/browse/OAK-2412

Can you help me?

Thanks in advance.

Gianluca Soffredini
Project Manager
Metaframe SPS S.r.l.
Via Toniolo, 13
30030 Vigonovo(VE)
mobile: +39 3342235291
email: gianluca.soffredini@metaframe.it
SKYPE ID: gianlucas72
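
Added example, not part of the original message and not code from the Oak project: a small Java model of the rep:glob table quoted above, showing which paths an entry set on /foo covers for a given glob value, including the empty string. The class name RepGlobModel, the matches helper and the sample paths are assumptions made for illustration; Oak's real matcher may differ in edge cases.

```java
import java.util.regex.Pattern;

// Added illustration: a simplified model of the rep:glob table, not Oak's own matcher.
public class RepGlobModel {

    /** True if an entry set on nodePath with this rep:glob value covers target. */
    static boolean matches(String nodePath, String glob, String target) {
        if (glob.isEmpty()) {
            return target.equals(nodePath);          // "" : the node itself only
        }
        String pattern = nodePath + glob;            // the glob is appended verbatim
        if (glob.indexOf('*') < 0) {
            if (pattern.endsWith("/")) {
                return target.startsWith(pattern);   // "/cat/" : descendants only
            }
            // "/cat" or "cat" : the named node and everything below it
            return target.equals(pattern) || target.startsWith(pattern + "/");
        }
        // '*' stands for any run of characters, '/' included
        String[] parts = pattern.split("\\*", -1);
        StringBuilder regex = new StringBuilder();
        for (int i = 0; i < parts.length; i++) {
            if (i > 0) {
                regex.append(".*");
            }
            regex.append(Pattern.quote(parts[i]));
        }
        return Pattern.matches(regex.toString(), target);
    }

    public static void main(String[] args) {
        String node = "/foo";                        // node carrying the ACL, as in the post
        String[] globs = {"", "/cat", "/cat/", "cat", "*", "/*cat", "/*/cat"};
        // Constructed sample paths, not taken from any real repository
        String[] targets = {"/foo", "/foo/cat", "/foo/cat/kitten", "/foocat", "/foo/a/cat"};
        for (String glob : globs) {
            StringBuilder row = new StringBuilder(String.format("%-8s ->", "\"" + glob + "\""));
            for (String target : targets) {
                if (matches(node, glob, target)) {
                    row.append(' ').append(target);
                }
            }
            System.out.println(row);
        }
    }
}
```

Running it prints one row per glob value with the sample paths it covers, which makes it easy to compare an intended scope against the table before setting the policy.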