You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@jackrabbit.apache.org by Ulrich <Fo...@gombers.de> on 2013/07/11 12:19:04 UTC
How to get the effective ACL for a given node
for a given node I need to know the list of principals with jcr:read-access. I
started to create my own method by retrieving all "rep:policy"-nodes along the
branch to the node. Just getting these ACLs isn't really hard work but I have to
consider the meaning of all the properties of the ACEs. I will do this but I
would prefer to take an already existing method to check, if there one.
I have had a look at "org.apache.jackrabbit.api.security", but this does not
help here.
Maybe someone in the community can give a hint.
Thanks in advance;
Ulrich
Re: How to get the effective ACL for a given node
Posted by Ulrich <Fo...@gombers.de>.
For starting with this stuff I'm running a non customized
jackrabbit-standalone-jar. Does your question mean, their are other
opportunities to protect nodes than by ACLs?.
I used the sample from the wiki because it looks quite official, as it's linked
from the jackrabbit homepage. Beside this I didn't find anything else about this
subject.
Do you know where I might read more?
brgds,
Ulrich
> Angela Schreiber <an...@adobe.com> hat am 12. Juli 2013 um 09:34
> geschrieben:
>
>
> hi ulrich
>
> i don't know what's written on that wiki page. but i would suggest you
> take a quick look at your repository configuration. which security manager
> do you have in place?
> my first guess, would be that this is the reason for the
> UnsupportedRepositoryOperationException.
>
> kind regards
> angela
>
>
>
> On 7/12/13 8:19 AM, "Ulrich" <Fo...@gombers.de> wrote:
>
> >Have now tried to implement the AccessControlManager - but fail right
> >away.
> > private static void checkPolicy(String nodename) throws
> >RepositoryException {
> > AccessControlManager acm =
> >session.getAccessControlManager();
> > AccessControlPolicy[] acps =
> >acm.getEffectivePolicies(nodename);
> > for (AccessControlPolicy acp : acps) {
> > AccessControlList acl = (AccessControlList)acp;
> > for (AccessControlEntry ace :
> >acl.getAccessControlEntries()) {
> > LOGGER.info("ACE: {}", ace.getPrincipal());
> > }
> > }
> > }
> >
> >I built this code based on the sample described in
> >"http://wiki.apache.org/jackrabbit/AccessControl". But I don't get beyond
> >the
> >line
> > "AccessControlManager acm = session.getAccessControlManager();"
> >it fails with:
> >Exception in thread "main"
> >javax.jcr.UnsupportedRepositoryOperationException:
> >JCR-1104
> > at
> >org.apache.jackrabbit.jcr2spi.SessionImpl.getAccessControlManager(SessionI
> >mpl.java:501)
> > at
> >com.lsy.webcc.samples.acls.TestAccessControlManager.checkPolicy(TestAccess
> >ControlManager.java:109)
> > at
> >com.lsy.webcc.samples.acls.TestAccessControlManager.<init>(TestAccessContr
> >olManager.java:102)
> > at
> >com.lsy.webcc.samples.acls.TestAccessControlManager.main(TestAccessControl
> >Manager.java:162)
> >
> >My program runs with jackrabbit-standalone-2.7.0.jar.
> >
> >brgds,
> >Ulrich
>
Re: How to get the effective ACL for a given node
Posted by Angela Schreiber <an...@adobe.com>.
hi ulrich
i don't know what's written on that wiki page. but i would suggest you
take a quick look at your repository configuration. which security manager
do you have in place?
my first guess, would be that this is the reason for the
UnsupportedRepositoryOperationException.
kind regards
angela
On 7/12/13 8:19 AM, "Ulrich" <Fo...@gombers.de> wrote:
>Have now tried to implement the AccessControlManager - but fail right
>away.
> private static void checkPolicy(String nodename) throws
>RepositoryException {
> AccessControlManager acm =
>session.getAccessControlManager();
> AccessControlPolicy[] acps =
>acm.getEffectivePolicies(nodename);
> for (AccessControlPolicy acp : acps) {
> AccessControlList acl = (AccessControlList)acp;
> for (AccessControlEntry ace :
>acl.getAccessControlEntries()) {
> LOGGER.info("ACE: {}", ace.getPrincipal());
> }
> }
> }
>
>I built this code based on the sample described in
>"http://wiki.apache.org/jackrabbit/AccessControl". But I don't get beyond
>the
>line
> "AccessControlManager acm = session.getAccessControlManager();"
>it fails with:
>Exception in thread "main"
>javax.jcr.UnsupportedRepositoryOperationException:
>JCR-1104
> at
>org.apache.jackrabbit.jcr2spi.SessionImpl.getAccessControlManager(SessionI
>mpl.java:501)
> at
>com.lsy.webcc.samples.acls.TestAccessControlManager.checkPolicy(TestAccess
>ControlManager.java:109)
> at
>com.lsy.webcc.samples.acls.TestAccessControlManager.<init>(TestAccessContr
>olManager.java:102)
> at
>com.lsy.webcc.samples.acls.TestAccessControlManager.main(TestAccessControl
>Manager.java:162)
>
>My program runs with jackrabbit-standalone-2.7.0.jar.
>
>brgds,
>Ulrich
Re: How to get the effective ACL for a given node
Posted by Ulrich <Fo...@gombers.de>.
Have now tried to implement the AccessControlManager - but fail right away.
private static void checkPolicy(String nodename) throws
RepositoryException {
AccessControlManager acm = session.getAccessControlManager();
AccessControlPolicy[] acps = acm.getEffectivePolicies(nodename);
for (AccessControlPolicy acp : acps) {
AccessControlList acl = (AccessControlList)acp;
for (AccessControlEntry ace :
acl.getAccessControlEntries()) {
LOGGER.info("ACE: {}", ace.getPrincipal());
}
}
}
I built this code based on the sample described in
"http://wiki.apache.org/jackrabbit/AccessControl". But I don't get beyond the
line
"AccessControlManager acm = session.getAccessControlManager();"
it fails with:
Exception in thread "main" javax.jcr.UnsupportedRepositoryOperationException:
JCR-1104
at
org.apache.jackrabbit.jcr2spi.SessionImpl.getAccessControlManager(SessionImpl.java:501)
at
com.lsy.webcc.samples.acls.TestAccessControlManager.checkPolicy(TestAccessControlManager.java:109)
at
com.lsy.webcc.samples.acls.TestAccessControlManager.<init>(TestAccessControlManager.java:102)
at
com.lsy.webcc.samples.acls.TestAccessControlManager.main(TestAccessControlManager.java:162)
My program runs with jackrabbit-standalone-2.7.0.jar.
brgds,
Ulrich
Re: How to get the effective ACL for a given node
Posted by Ulrich <Fo...@gombers.de>.
Thank you. I had read the definitions on several webpages but I'm always
wondering whether I got it right. The property "jcr:write" for example consists
of jcr:modifyProperties (and serveral others). In my understanding of the word
"modify" you must know the subject if you want to change it. The
IBM-Host-security for example grants implicitely READ if you are
WRITE-permitted. The Unix-Filesystem-permission distincts the both, I know.
But I see your point and say thank you very much.
Ulrich
> Angela Schreiber <an...@adobe.com> hat am 12. Juli 2013 um 15:11
> geschrieben:
>
>
> hi ulrich
>
> short version:
>
> - jcr:all -> is mandated to include all privileges exposed by a given impl
> - jcr:write -> just item write (except for protected items which are covered
> by
> specific privileges)
> - jcr:read -> read items (except for access control items)
>
> please refer to JSR 283 for details on the different built in privileges
> and further details such as the 'abstract' flag, aggregation and possible
> extension points for the implementor.
>
> regards
> angela
>
> On Jul 11, 2013, at 3:46 PM, Ulrich <Fo...@gombers.de> wrote:
>
> > Hello Angela,
> >
> > this will help. I thought to get a list of principals permitted for a
> > specific
> > privilege (e.g. jcr:read). Now I have to look at all specified privileges to
> > see
> > whether either jcr:read has been set, or whether it may be implicitely set
> > by
> > other specified privileges. I'm pretty sure that read-access is granted by
> > jcr:all, but I'm not sure what jcr:write means - does this include jcr:read
> > as
> > well? And what about the other privileges?
> >
> > best regards,
> > Ulrich
> >
> >> Angela Schreiber <an...@adobe.com> hat am 11. Juli 2013 um 13:22
> >> geschrieben:
> >>
> >>
> >> hi ulrich
> >>
> >> the following method is defined by the JCR specification:
> >>
> >> javax.jcr.security.AccessControlManager#getEffectivePolicies(String
> >> absPath)
> >> and returns an array of access control policies.
> >>
> >> this this what you are looking for?
> >> the jackrabbit API defines a variant that takes a set of principals instead
> >> of a path.
> >>
> >> kind regards
> >> angela
> >>
> >> On Jul 11, 2013, at 12:19 PM, Ulrich <Fo...@gombers.de> wrote:
> >>
> >>> for a given node I need to know the list of principals with
> >>> jcr:read-access.
> >>> I
> >>> started to create my own method by retrieving all "rep:policy"-nodes along
> >>> the
> >>> branch to the node. Just getting these ACLs isn't really hard work but I
> >>> have to
> >>> consider the meaning of all the properties of the ACEs. I will do this but
> >>> I
> >>> would prefer to take an already existing method to check, if there one.
> >>> I have had a look at "org.apache.jackrabbit.api.security", but this does
> >>> not
> >>> help here.
> >>> Maybe someone in the community can give a hint.
> >>> Thanks in advance;
> >>> Ulrich
> >>
>
Re: How to get the effective ACL for a given node
Posted by Angela Schreiber <an...@adobe.com>.
hi ulrich
short version:
- jcr:all -> is mandated to include all privileges exposed by a given impl
- jcr:write -> just item write (except for protected items which are covered by
specific privileges)
- jcr:read -> read items (except for access control items)
please refer to JSR 283 for details on the different built in privileges
and further details such as the 'abstract' flag, aggregation and possible
extension points for the implementor.
regards
angela
On Jul 11, 2013, at 3:46 PM, Ulrich <Fo...@gombers.de> wrote:
> Hello Angela,
>
> this will help. I thought to get a list of principals permitted for a specific
> privilege (e.g. jcr:read). Now I have to look at all specified privileges to see
> whether either jcr:read has been set, or whether it may be implicitely set by
> other specified privileges. I'm pretty sure that read-access is granted by
> jcr:all, but I'm not sure what jcr:write means - does this include jcr:read as
> well? And what about the other privileges?
>
> best regards,
> Ulrich
>
>> Angela Schreiber <an...@adobe.com> hat am 11. Juli 2013 um 13:22
>> geschrieben:
>>
>>
>> hi ulrich
>>
>> the following method is defined by the JCR specification:
>>
>> javax.jcr.security.AccessControlManager#getEffectivePolicies(String absPath)
>> and returns an array of access control policies.
>>
>> this this what you are looking for?
>> the jackrabbit API defines a variant that takes a set of principals instead
>> of a path.
>>
>> kind regards
>> angela
>>
>> On Jul 11, 2013, at 12:19 PM, Ulrich <Fo...@gombers.de> wrote:
>>
>>> for a given node I need to know the list of principals with jcr:read-access.
>>> I
>>> started to create my own method by retrieving all "rep:policy"-nodes along
>>> the
>>> branch to the node. Just getting these ACLs isn't really hard work but I
>>> have to
>>> consider the meaning of all the properties of the ACEs. I will do this but I
>>> would prefer to take an already existing method to check, if there one.
>>> I have had a look at "org.apache.jackrabbit.api.security", but this does not
>>> help here.
>>> Maybe someone in the community can give a hint.
>>> Thanks in advance;
>>> Ulrich
>>
Re: How to get the effective ACL for a given node
Posted by Ulrich <Fo...@gombers.de>.
Hello Angela,
this will help. I thought to get a list of principals permitted for a specific
privilege (e.g. jcr:read). Now I have to look at all specified privileges to see
whether either jcr:read has been set, or whether it may be implicitely set by
other specified privileges. I'm pretty sure that read-access is granted by
jcr:all, but I'm not sure what jcr:write means - does this include jcr:read as
well? And what about the other privileges?
best regards,
Ulrich
> Angela Schreiber <an...@adobe.com> hat am 11. Juli 2013 um 13:22
> geschrieben:
>
>
> hi ulrich
>
> the following method is defined by the JCR specification:
>
> javax.jcr.security.AccessControlManager#getEffectivePolicies(String absPath)
> and returns an array of access control policies.
>
> this this what you are looking for?
> the jackrabbit API defines a variant that takes a set of principals instead
> of a path.
>
> kind regards
> angela
>
> On Jul 11, 2013, at 12:19 PM, Ulrich <Fo...@gombers.de> wrote:
>
> > for a given node I need to know the list of principals with jcr:read-access.
> > I
> > started to create my own method by retrieving all "rep:policy"-nodes along
> > the
> > branch to the node. Just getting these ACLs isn't really hard work but I
> > have to
> > consider the meaning of all the properties of the ACEs. I will do this but I
> > would prefer to take an already existing method to check, if there one.
> > I have had a look at "org.apache.jackrabbit.api.security", but this does not
> > help here.
> > Maybe someone in the community can give a hint.
> > Thanks in advance;
> > Ulrich
>
Re: How to get the effective ACL for a given node
Posted by Angela Schreiber <an...@adobe.com>.
hi ulrich
the following method is defined by the JCR specification:
javax.jcr.security.AccessControlManager#getEffectivePolicies(String absPath)
and returns an array of access control policies.
this this what you are looking for?
the jackrabbit API defines a variant that takes a set of principals instead
of a path.
kind regards
angela
On Jul 11, 2013, at 12:19 PM, Ulrich <Fo...@gombers.de> wrote:
> for a given node I need to know the list of principals with jcr:read-access. I
> started to create my own method by retrieving all "rep:policy"-nodes along the
> branch to the node. Just getting these ACLs isn't really hard work but I have to
> consider the meaning of all the properties of the ACEs. I will do this but I
> would prefer to take an already existing method to check, if there one.
> I have had a look at "org.apache.jackrabbit.api.security", but this does not
> help here.
> Maybe someone in the community can give a hint.
> Thanks in advance;
> Ulrich