You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@jackrabbit.apache.org by Eugeny N Dzhurinsky <eu...@jdevelop.com> on 2006/03/14 10:42:18 UTC

Access Manager custom implementation

Hello!

We need to provide access manager with mode access rights than
READ/WRITE/DELETE.

But I found there are a lot of placed where constants defined in access
meneger used (ItemManager,ItemImpl etc). Should I also provide custom
implementation for all these modules or there is some simplier way?

-- 
Eugene N Dzhurinsky

Re: Access Manager custom implementation

Posted by Eugeny N Dzhurinsky <eu...@jdevelop.com>.

On Thu, Mar 16, 2006 at 12:20:10AM +1000, Torgeir Veimo wrote:
> On Wed, 2006-03-15 at 16:12 +0200, Eugeny N Dzhurinsky wrote:
> > 
> > Okay, that could be good. But what if we will need to extend this list
> > of
> > privileges? Is there some workaround, if we will need, for example
> I'd assume your needs would be met if the AccessManager impl had access
> to more information about the node being accessed than it's path and
> type (node vs property)? 

Well, I don't think so. AccessManager itself seems to me my requirement. But
other core modules are hardly tied with it. All what I need - to allow my
custom implementation to ask for correct permissions - I don't think it is a
good idea to identify ability to get children of a node and read contents
(properties) of a node with same READ property.

I don't see another way rather to implement my own repository object, perhaps
just override it's login method to return my own implementation of a session,
which itself checks various permissions of a nodes and properties when
accessed by a customer. Am I on a correct way?

-- 
Eugene N Dzhurinsky

Re: Access Manager custom implementation

Posted by Torgeir Veimo <to...@pobox.com>.

On Wed, 2006-03-15 at 16:12 +0200, Eugeny N Dzhurinsky wrote:
> 
> Okay, that could be good. But what if we will need to extend this list
> of
> privileges? Is there some workaround, if we will need, for example

I'd assume your needs would be met if the AccessManager impl had access
to more information about the node being accessed than it's path and
type (node vs property)? 

I think it's currently not possible in jackrabbit v1.0. 

-- 
Torgeir Veimo <to...@pobox.com>

Re: Access Manager custom implementation

Posted by Tobias Bocanegra <to...@day.com>.

> Well, I know that. So there is no way to provide custom set of privileges for
> the node, which would match JSR 170 standard. From the other side, is it
> possible to extend JackRabbit somehow without modification of the source code?
currently not. the respective permissions must be identified first,
e.g. BrowseProperties and then also added to all the spots where this
is relevant. In this case, probably in NodeImpl.getProperties().

regards, toby
--
-----------------------------------------< tobias.bocanegra@day.com >---
Tobias Bocanegra, Day Management AG, Barfuesserplatz 6, CH - 4001 Basel
T +41 61 226 98 98, F +41 61 226 98 97
-----------------------------------------------< http://www.day.com >---

Re: Access Manager custom implementation

Posted by Eugeny N Dzhurinsky <eu...@jdevelop.com>.

On Wed, Mar 15, 2006 at 03:32:55PM +0100, Stefan Guggisberg wrote:
> > read property
> > write property
> > browse properties
> > add property
> > delete property
> > browse children
> > add child
> > delete child
> the AccessManager interface and therein defined constants cover all
> 'actions' as defined by the JSR-170 specification (see 6.9.2), namely:
> 
> add node
> set property
> remove (item)
> read (item)

Well, I know that. So there is no way to provide custom set of privileges for
the node, which would match JSR 170 standard. From the other side, is it
possible to extend JackRabbit somehow without modification of the source code?

-- 
Eugene N Dzhurinsky

Re: Access Manager custom implementation

Posted by Stefan Guggisberg <st...@gmail.com>.

On 3/15/06, Eugeny N Dzhurinsky <eu...@jdevelop.com> wrote:
> On Wed, Mar 15, 2006 at 03:02:42PM +0100, Tobias Bocanegra wrote:
> > > I need completely different set of constants:
> > > read properties,write properties, browse children,add child,delete child
> > most of them can be mapped:
> >
> > read properties -> PropertyId, READ
> > write properties -> PropertyId, WRITE
> > browse children -> NodeId, READ
> > add child -> NodeId, WRITE
> > delete child -> NodeId, REMOVE
>
> Okay, that could be good. But what if we will need to extend this list of
> privileges? Is there some workaround, if we will need, for example
>
> read property
> write property
> browse properties
> add property
> delete property
> browse children
> add child
> delete child
>
> and so on?

the AccessManager interface and therein defined constants cover all
'actions' as defined by the JSR-170 specification (see 6.9.2), namely:

add node
set property
remove (item)
read (item)


cheers
stefan

>
> --
> Eugene N Dzhurinsky
>

Re: Access Manager custom implementation

Posted by Eugeny N Dzhurinsky <eu...@jdevelop.com>.

On Wed, Mar 15, 2006 at 03:02:42PM +0100, Tobias Bocanegra wrote:
> > I need completely different set of constants:
> > read properties,write properties, browse children,add child,delete child
> most of them can be mapped:
> 
> read properties -> PropertyId, READ
> write properties -> PropertyId, WRITE
> browse children -> NodeId, READ
> add child -> NodeId, WRITE
> delete child -> NodeId, REMOVE

Okay, that could be good. But what if we will need to extend this list of
privileges? Is there some workaround, if we will need, for example

read property
write property
browse properties
add property
delete property
browse children
add child
delete child

and so on?

-- 
Eugene N Dzhurinsky

Re: Access Manager custom implementation

Posted by Tobias Bocanegra <to...@day.com>.

> I need completely different set of constants:
> read properties,write properties, browse children,add child,delete child
most of them can be mapped:

read properties -> PropertyId, READ
write properties -> PropertyId, WRITE
browse children -> NodeId, READ
add child -> NodeId, WRITE
delete child -> NodeId, REMOVE

regards, toby
--
-----------------------------------------< tobias.bocanegra@day.com >---
Tobias Bocanegra, Day Management AG, Barfuesserplatz 6, CH - 4001 Basel
T +41 61 226 98 98, F +41 61 226 98 97
-----------------------------------------------< http://www.day.com >---

Re: Access Manager custom implementation

Posted by Eugeny N Dzhurinsky <eu...@jdevelop.com>.

On Wed, Mar 15, 2006 at 11:04:50AM +0100, Stefan Guggisberg wrote:
> On 3/14/06, Eugeny N Dzhurinsky <eu...@jdevelop.com> wrote:
> > Hello!
> >
> > We need to provide access manager with mode access rights than
> > READ/WRITE/DELETE.
> >
> > But I found there are a lot of placed where constants defined in access
> > meneger used (ItemManager,ItemImpl etc). Should I also provide custom
> > implementation for all these modules or there is some simplier way?
> i don't know what constants you're talking of but you certainly don't need
> to extend ItemImpl etc..

I need completely different set of constants:
read properties,write properties, browse children,add child,delete child

> take a look at the o.a.j.c.security.AccessManager interface. all you have
> to do is to provide an implementation of this interface that handles your
> custom authorization. check out SimpleAccessManager (a mock
> access manager); there are todo comments in the source code that should
> hint you to those areas where you might want to insert your code.

I thought it is simple as you described, but in many places like:

SessionImpl.java
BatchedItemOperations.java
ItemManager.java
EventConsumer.java
QueryImpl.java

there is direct reference to AccessManager.READ/WRITE/REMOVE access constants.
So I guess I need to override somehow behavior of those classes. The worst
thing I found is there is no way to specify ItemManager etc in configuration,
so I seem to need to implement repository to return session object, and
session - to return correct NodeImpl, which will refer to correct ItemManager
and ItemImpl.

-- 
Eugene N Dzhurinsky

Re: Access Manager custom implementation

Posted by Stefan Guggisberg <st...@gmail.com>.

On 3/14/06, Eugeny N Dzhurinsky <eu...@jdevelop.com> wrote:
> Hello!
>
> We need to provide access manager with mode access rights than
> READ/WRITE/DELETE.
>
> But I found there are a lot of placed where constants defined in access
> meneger used (ItemManager,ItemImpl etc). Should I also provide custom
> implementation for all these modules or there is some simplier way?

i don't know what constants you're talking of but you certainly don't need
to extend ItemImpl etc..

take a look at the o.a.j.c.security.AccessManager interface. all you have
to do is to provide an implementation of this interface that handles your
custom authorization. check out SimpleAccessManager (a mock
access manager); there are todo comments in the source code that should
hint you to those areas where you might want to insert your code.

cheers
stefan

>
> --
> Eugene N Dzhurinsky
>