Posted to slide-user@jakarta.apache.org by Ke...@sybase.com on 2005/07/21 01:19:58 UTC

acl question

In my domain.xml I have set up permissions such that under "/" all can
read-acl, write-acl, unlock and read (the default):

  <permission action="/actions/read-acl" subject="all" inheritable="true" negative="true"/>
  <permission action="/actions/write-acl" subject="all" inheritable="true" negative="true"/>
  <permission action="/actions/unlock" subject="all" inheritable="true" negative="true"/>
  <permission action="/actions/read" subject="all" inheritable="true"/>

Under "/files" I have set up permissions such that anyone authenticated can
do anything, write if authenticated (although redundant I think), and the
owner can read-acl (also redundant?):

  <permission action="all" subject="authenticated" inheritable="true"/>
  <permission action="/actions/write" subject="authenticated" inheritable="true"/>
  <permission action="/actions/read-acl" subject="owner" inheritable="true"/>

I am using the JNDIPrincipalStore for users and roles, so this is all I have
in the domain.xml (default from the JNDI example):

  <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/users">
    <permission action="all" subject="self" inheritable="true"/>
    <permission action="all" subject="authenticated" inheritable="true" negative="true"/>
  </objectnode>
  <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/roles">
    <permission action="all" subject="self" inheritable="true"/>
    <permission action="all" subject="authenticated" inheritable="true" negative="true"/>
  </objectnode>

User A authenticates and writes file X to the WebDAV server.

User B authenticates and changes the contents of file X on the server.

The problem is that user A and user B belong to different roles and should not
be able to do this.

How or where do I define this restriction?

Thanks


---------------------------------------------------------------------
To unsubscribe, e-mail: slide-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: slide-user-help@jakarta.apache.org
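An added example (not from this thread or from the Slide project's own Domain.xml) of how the per-role separation asked for here, with the Accounting and Engineering roles mentioned later in the thread, can be expressed in domain.xml. The role names, the /files/<role> layout and the /roles/<name> subject form used by the JNDIPrincipalStore are assumptions; the grant-then-deny pattern is the one the post's own /users node already uses.

```xml
<!-- Added example, not from the original post. Role names accounting and
     engineering, and the /files/<role> layout, are assumptions. With the
     JNDIPrincipalStore a role is addressed as /roles/<name>. -->
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/files">
  <!-- No "all" grant to authenticated here: that blanket grant is what lets
       user B overwrite user A's file. Authenticated users may only read
       (list) the top folder; per-role nodes below decide everything else. -->
  <permission action="/actions/read" subject="authenticated" inheritable="true"/>
  <permission action="/actions/read-acl" subject="owner" inheritable="true"/>

  <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/files/accounting">
    <!-- Same grant-then-deny pattern as the /users node in the post: the
         role grant is listed first, then every other authenticated user is
         denied; both are inheritable, so files created below get them. -->
    <permission action="all" subject="/roles/accounting" inheritable="true"/>
    <permission action="all" subject="authenticated" inheritable="true" negative="true"/>
  </objectnode>

  <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/files/engineering">
    <permission action="all" subject="/roles/engineering" inheritable="true"/>
    <permission action="all" subject="authenticated" inheritable="true" negative="true"/>
  </objectnode>
</objectnode>
```

The `action="all" subject="authenticated"` line on /files from the post must be removed for this to have any effect, since that entry alone grants every authenticated user write access to every file.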


Re: acl question

Posted by Ke...@sybase.com.
If User A is in Accounting and User B is in Engineering I do not want them
to be able to see the same files but I want them both to be able to write
and have full access to files within their same roles.


"Jacob Lund" <jl@qualiware.net> wrote on 07/21/2005 03:34 AM:
To: "Slide Users Mailing List" <sl...@jakarta.apache.org>
Subject: Re: acl question
Please respond to "Slide Users Mailing List" <slide-user@jakarta.apache.org>

Hi Kevin!

Maybe I missed something. But if you have allowed all to authenticated users,
then why should your case with user A and B not be allowed?

/jacob

----- Original Message -----
From: <Ke...@sybase.com>
To: "Slide Users Mailing List" <sl...@jakarta.apache.org>
Sent: Thursday, July 21, 2005 1:19 AM
Subject: acl question


> In my domain.xml I have set up permissions such that under "/" all can
> read-acl, write-acl, unlock and read (the default):
>
>  <permission action="/actions/read-acl" subject="all" inheritable="true" negative="true"/>
>  <permission action="/actions/write-acl" subject="all" inheritable="true" negative="true"/>
>  <permission action="/actions/unlock" subject="all" inheritable="true" negative="true"/>
>  <permission action="/actions/read" subject="all" inheritable="true"/>
>
> Under "/files" I have set up permissions such that anyone authenticated can
> do anything, write if authenticated (although redundant I think), and the
> owner can read-acl (also redundant?):
>
>  <permission action="all" subject="authenticated" inheritable="true"/>
>  <permission action="/actions/write" subject="authenticated" inheritable="true"/>
>  <permission action="/actions/read-acl" subject="owner" inheritable="true"/>
>
> I am using the JNDIPrincipalStore for users and roles, so this is all I have
> in the domain.xml (default from the JNDI example):
>
>  <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/users">
>    <permission action="all" subject="self" inheritable="true"/>
>    <permission action="all" subject="authenticated" inheritable="true" negative="true"/>
>  </objectnode>
>  <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/roles">
>    <permission action="all" subject="self" inheritable="true"/>
>    <permission action="all" subject="authenticated" inheritable="true" negative="true"/>
>  </objectnode>
>
> User A authenticates and writes file X to the WebDAV server.
>
> User B authenticates and changes the contents of file X on the server.
>
> The problem is that user A and user B belong to different roles and should
> not be able to do this.
>
> How or where do I define this restriction?
>
> Thanks
>
>


Re: acl question

Posted by Jacob Lund <jl...@qualiware.net>.
Hi Kevin!

Maybe I missed something. But if you have allowed all to authenticated users,
then why should your case with user A and B not be allowed?

/jacob

----- Original Message ----- 
From: <Ke...@sybase.com>
To: "Slide Users Mailing List" <sl...@jakarta.apache.org>
Sent: Thursday, July 21, 2005 1:19 AM
Subject: acl question


> In my domain.xml I have set up permissions such that under "/" all can
> read-acl, write-acl, unlock and read (the default):
>
>  <permission action="/actions/read-acl" subject="all" inheritable="true" negative="true"/>
>  <permission action="/actions/write-acl" subject="all" inheritable="true" negative="true"/>
>  <permission action="/actions/unlock" subject="all" inheritable="true" negative="true"/>
>  <permission action="/actions/read" subject="all" inheritable="true"/>
>
> Under "/files" I have set up permissions such that anyone authenticated can
> do anything, write if authenticated (although redundant I think), and the
> owner can read-acl (also redundant?):
>
>  <permission action="all" subject="authenticated" inheritable="true"/>
>  <permission action="/actions/write" subject="authenticated" inheritable="true"/>
>  <permission action="/actions/read-acl" subject="owner" inheritable="true"/>
>
> I am using the JNDIPrincipalStore for users and roles, so this is all I have
> in the domain.xml (default from the JNDI example):
>
>  <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/users">
>    <permission action="all" subject="self" inheritable="true"/>
>    <permission action="all" subject="authenticated" inheritable="true" negative="true"/>
>  </objectnode>
>  <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/roles">
>    <permission action="all" subject="self" inheritable="true"/>
>    <permission action="all" subject="authenticated" inheritable="true" negative="true"/>
>  </objectnode>
>
> User A authenticates and writes file X to the WebDAV server.
>
> User B authenticates and changes the contents of file X on the server.
>
> The problem is that user A and user B belong to different roles and should
> not be able to do this.
>
> How or where do I define this restriction?
>
> Thanks
>
>


JNDI and OpenLDAP access

Posted by Ke...@sybase.com.
This is a question for people who have implemented the
JNDIPrincipalStore with LDAP (OpenLDAP).

What do you have defined in your slapd.conf?
I am looking for some examples. I have the following, but it is too
restrictive and does not allow access.

access to attr=userpassword
       by self       write
       by anonymous  auth
       by *          none

access to *
       by self       write
       by users      read
       by *          none

If I have the normal access open to all, it works:

access to *
       by *          read

