You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@jackrabbit.apache.org by Guo Zhenhua <je...@gmail.com> on 2009/12/15 06:16:27 UTC

Access control in Jackrabbit

I want to register new node types and add new nodes into jackrabbit
repository. I use the default credential.

I got following exception:
javax.jcr.AccessDeniedException: Access denied
    at org.apache.jackrabbit.core.security.simple.SimpleAccessManager.checkPermission(SimpleAccessManager.java:138)
    at org.apache.jackrabbit.core.NodeImpl.addNode(NodeImpl.java:1468)
    at org.apache.jackrabbit.core.NodeImpl.addNodeWithUuid(NodeImpl.java:2074)
    at org.apache.jackrabbit.core.NodeImpl.addNode(NodeImpl.java:1979)
    at org.apache.jackrabbit.spi2jcr.RepositoryServiceImpl$BatchImpl$1.run(RepositoryServiceImpl.java:1360)
    at org.apache.jackrabbit.spi2jcr.RepositoryServiceImpl$BatchImpl.executeGuarded(RepositoryServiceImpl.java:1576)
    at org.apache.jackrabbit.spi2jcr.RepositoryServiceImpl$BatchImpl.addNode(RepositoryServiceImpl.java:1349)
    at org.apache.jackrabbit.jcr2spi.WorkspaceManager$OperationVisitorImpl.visit(WorkspaceManager.java:862)
    at org.apache.jackrabbit.jcr2spi.operation.AddNode.accept(AddNode.java:70)
    at org.apache.jackrabbit.jcr2spi.WorkspaceManager$OperationVisitorImpl.execute(WorkspaceManager.java:820)
    at org.apache.jackrabbit.jcr2spi.WorkspaceManager$OperationVisitorImpl.access$500(WorkspaceManager.java:797)
    at org.apache.jackrabbit.jcr2spi.WorkspaceManager.execute(WorkspaceManager.java:594)
    at org.apache.jackrabbit.jcr2spi.state.SessionItemStateManager.save(SessionItemStateManager.java:139)
    at org.apache.jackrabbit.jcr2spi.ItemImpl.save(ItemImpl.java:246)
    at org.apache.jackrabbit.jcr2spi.SessionImpl.save(SessionImpl.java:328)

I guess by default write permission is not granted to anonymous users.
How could I enable write privilege in Jackrabbit?

Gerald

Re: Access control in Jackrabbit

Posted by Sébastien Launay <se...@gmail.com>.

2009/12/16 Zhenhua Guo <je...@gmail.com>:
> Basically, it says admin user has id "anonymous" which is default user
> id used by Jackrabbit when the program does not provide a credential
> (when invoking "repository.login()")
> Is that correct?

I do not know exactly how JAAS work but using Repository#login() in
Jackrabbit allows to create a session with the current authenticated user.
IIUC if no authentication has been successful anonymous user is used.

Chances are that you do not use JAAS, therefore I recommend you
to use explicit Credentials where the username is not the anonymousId
(I was just pointing the fact that this id is configurable).

IIRC the user name is useful for access management (restrict access
or actions to nodes) and for storing the lock's owner. You may therefore
want to open session depending on the current user to use these features.

-- 
Sébastien Launay

Re: Access control in Jackrabbit

Posted by Zhenhua Guo <je...@gmail.com>.

Yes, got you, thanks.
Based on your suggestion, following xml configuration should work to
make everyone able to add nodes.

 <LoginModule class="org.apache.jackrabbit.core.security.SimpleLoginModule">
   <!-- anonymous user name ('anonymous' is the default value) -->
   <param name="anonymousId" value="some_other_id"/>
   <param name="adminId" value="anonymous"/>
 </LoginModule>

Basically, it says admin user has id "anonymous" which is default user
id used by Jackrabbit when the program does not provide a credential
(when invoking "repository.login()")
Is that correct?


Gerald

On Wed, Dec 16, 2009 at 3:35 AM, Sébastien Launay
<se...@gmail.com> wrote:
> Hi,
>
> 2009/12/16 Zhenhua Guo <je...@gmail.com>:
>> Thanks.
>> IMHO, guest and anonymous user are the same (in terms of privileges).
>> My solution is to use admin id,
>>            SimpleCredentials adminCred = new
>> SimpleCredentials("admin", new char[0]);
>>            repoSession = repository.login(adminCred);
>>
>> Access control is done in higher level.
>
> What i was trying to say is that for SimpleLoginModule there is two
> kinds of people :).
> The anonymous identified by the parameter anonymousId (configured by default to
> 'anonymous' username) with limited privileges and the others which
> full privileges.
>
> In your example 'admin' is part of the others kind and therefore can add node.
>
> --
> Sébastien Launay
>

Re: Access control in Jackrabbit

Posted by Sébastien Launay <se...@gmail.com>.

Hi,

2009/12/16 Zhenhua Guo <je...@gmail.com>:
> Thanks.
> IMHO, guest and anonymous user are the same (in terms of privileges).
> My solution is to use admin id,
>            SimpleCredentials adminCred = new
> SimpleCredentials("admin", new char[0]);
>            repoSession = repository.login(adminCred);
>
> Access control is done in higher level.

What i was trying to say is that for SimpleLoginModule there is two
kinds of people :).
The anonymous identified by the parameter anonymousId (configured by default to
'anonymous' username) with limited privileges and the others which
full privileges.

In your example 'admin' is part of the others kind and therefore can add node.

-- 
Sébastien Launay

Re: Access control in Jackrabbit

Posted by Zhenhua Guo <je...@gmail.com>.

Thanks.
IMHO, guest and anonymous user are the same (in terms of privileges).
My solution is to use admin id,
            SimpleCredentials adminCred = new
SimpleCredentials("admin", new char[0]);
            repoSession = repository.login(adminCred);

Access control is done in higher level.


Gerald

On Tue, Dec 15, 2009 at 3:44 AM, Sébastien Launay
<se...@gmail.com> wrote:
> Hi Guo,
>
> 2009/12/15 Guo Zhenhua <je...@gmail.com>:
>> I want to register new node types and add new nodes into jackrabbit
>> repository. I use the default credential.
>>
>> I got following exception:
>> javax.jcr.AccessDeniedException: Access denied
>>    at org.apache.jackrabbit.core.security.simple.SimpleAccessManager.checkPermission(SimpleAccessManager.java:138)
>>    ...
>
> You must use different credentials in order to not be logged as anonymous
> or you can change the repository.xml configuration to change the anonymous
> id to another login like 'guest' for example:
>  <LoginModule class="org.apache.jackrabbit.core.security.SimpleLoginModule">
>    <!-- anonymous user name ('anonymous' is the default value) -->
>    <param name="anonymousId" value="guest"/>
>  </LoginModule>
>
> Only the user name is used by default (i.e. the password is not checked, you
> can use an empty string).
>
> --
> Sébastien Launay
>

Re: Access control in Jackrabbit

Posted by Sébastien Launay <se...@gmail.com>.

Hi Guo,

2009/12/15 Guo Zhenhua <je...@gmail.com>:
> I want to register new node types and add new nodes into jackrabbit
> repository. I use the default credential.
>
> I got following exception:
> javax.jcr.AccessDeniedException: Access denied
>    at org.apache.jackrabbit.core.security.simple.SimpleAccessManager.checkPermission(SimpleAccessManager.java:138)
>    ...

You must use different credentials in order to not be logged as anonymous
or you can change the repository.xml configuration to change the anonymous
id to another login like 'guest' for example:
  <LoginModule class="org.apache.jackrabbit.core.security.SimpleLoginModule">
    <!-- anonymous user name ('anonymous' is the default value) -->
    <param name="anonymousId" value="guest"/>
  </LoginModule>

Only the user name is used by default (i.e. the password is not checked, you
can use an empty string).

-- 
Sébastien Launay