Posted to users@jackrabbit.apache.org by Atif Manzoor <at...@gmail.com> on 2015/08/24 19:07:08 UTC

Access control

I am new to Jackrabbit and, after going through the first hops and a little
bit of documentation, I was trying to configure Access Control for the
repository nodes. I was extending the ThirdHop tutorial for that purpose and
was following the access control wiki
http://wiki.apache.org/jackrabbit/AccessControl and had the following code.

Session session = repository.login(
        new SimpleCredentials("username", "password".toCharArray()));
Node node = session.getRootNode();
String path = node.getPath();
AccessControlManager acm = session.getAccessControlManager();

Privilege[] privileges = new Privilege[] {
        acm.privilegeFromName(Privilege.JCR_ALL) };
AccessControlList acl;
try {
    acl = (AccessControlList) acm.getApplicablePolicies(path)
            .nextAccessControlPolicy();
} catch (NoSuchElementException e) {
    acl = (AccessControlList) acm.getPolicies(path)[0];
}
for (AccessControlEntry e : acl.getAccessControlEntries()) {
    acl.removeAccessControlEntry(e);
}
acl.addAccessControlEntry(EveryonePrincipal.getInstance(), privileges);
acm.setPolicy(path, acl);
session.save();

My problem is that I could not get an AccessControlList with this code. Both
functions (getApplicablePolicies and getAllPolicies) don't have any
AccessControlList attached with them. Can you tell me where I went wrong? I
have been using the default security configuration.

Thanks
Atif

Re: Access control

Posted by Atif Manzoor <at...@gmail.com>.
Hi Clay and Robert, it turned out that I was not properly configuring my
repository, so it does not have any ACL attached to it. It has been
working fine now.

Thanks for your suggestions.

Kind regards,
Atif

On Tue, Aug 25, 2015 at 4:15 PM, Clay Ferguson <wc...@gmail.com> wrote:

> I'm experimenting with meta64.com discussion capability. Who wants to
> discuss this stuff on there, and see if the meta64 works well as a
> discussion engine? I'm trying to make Social Media a federated free
> commodity, rather than monopolized by Disqus, Facebook, etc. Join me...
>
> http://meta64.com?id=/wclayf/public/oak-jackrabbit-discussions
>
> Best regards,
> Clay Ferguson
> wclayf@gmail.com
>
>
> On Tue, Aug 25, 2015 at 9:51 AM, Robert Munteanu <ro...@apache.org>
> wrote:
>
> > Hi,
> >
> > On Tue, 2015-08-25 at 09:44 -0500, Clay Ferguson wrote:
> > > Atif, just beware that the "addChildren" privilege doesn't work as one
> > > would expect. If you want a principal to be able to add children to a
> > > node you must add ALL of the following privileges:
> > >
> > > "read", "write", "addChildren", "nodeTypeManagement"
> >
> > I think you can simply use rep:write ( not jcr:write ) as a shorthand.
> >
> > > That cost me many hours of headache, and at least one other person
> > > also. My personal belief is that this functionality requirement was an
> > > accident rather than by design and no one who is an Adobe customer has
> > > complained so they are leaving it as is.
> >
> > As far as I can tell the behaviour is according to the Access Control
> > Management chapter of the JCR 2.0 specification [1]. If there's a gap
> > between the spec and the implementation it's definitely worth a bug
> > report.
> >
> > Cheers,
> >
> > Robert
> >
> > [1]: http://www.day.com/specs/jcr/2.0/16_Access_Control_Management.html#16.2.3%20Standard%20Privileges
> >
> > >
> > >
> > > Best regards,
> > > Clay Ferguson
> > > wclayf@gmail.com
> > >
> > >
> > > On Tue, Aug 25, 2015 at 5:05 AM, Atif Manzoor <atif.manzoor@gmail.com
> > > >
> > > wrote:
> > >
> > > > Hi Karsten
> > > >
> > > > No actually I was just trying out the simplest case to control
> > > > access to a
> > > > particular code. At later stage I will allow or restrict read /
> > > > write
> > > > access to a node for different users.
> > > >
> > > > Kind regards,
> > > > Atif
> > > >
> > > > On Tue, Aug 25, 2015 at 10:53 AM, Karsten Priegnitz <
> > > > koem@petoria.de>
> > > > wrote:
> > > >
> > > > > Hi Atif
> > > > >
> > > > > reading your code it seems to me you just want to add JCR_ALL
> > > > > privileges
> > > > > to some user. This is what allow() does. No need to do something
> > > > > else.
> > > > And:
> > > > > "admin" normally already has these privileges.
> > > > >
> > > > > I'd try this (not tested)
> > > > >
> > > > > AccessControlUtils.allow(session.getRootNode(),
> > > > > EveryonePrincipal.getInstance()
> > > > > .getName(), Privilege.JCR_ALL);
> > > > >
> > > > >
> > > > > What do you want to accomplish? Make everyone admin?
> > > > >
> > > > >
> > > > > Karsten R. Priegnitz
> > > > >
> > > > > programmierer | web-entwickler | linux administrator | digitaler
> > > > > nomade
> > > > > business: kontakt <http://petoria.de/portfolio/contact-about/> |
> > > > > portfolio <http://petoria.de/portfolio/>
> > > > > -----------------------------------------------------------------
> > > > > -------
> > > > >
> > > > > > On 25.08.2015 at 10:54, Atif Manzoor wrote:
> > > > > >
> > > > > > > Hi Karsten
> > > > > > >
> > > > > > > Thanks a lot for your help. I tried AccessControlUtils.allow(),
> > > > > > > however AccessControlUtils.getACL() is still returning NULL. I
> > > > > > > think I may also have to do something else to enable access
> > > > > > > control for that particular node. Following is my complete code
> > > > > > > that tried AccessControlUtils. I am still getting Null for acl.
> > > > > > >
> > > > > > > Repository repository = new TransientRepository();
> > > > > > > Session session = repository.login(
> > > > > > >         new SimpleCredentials("admin", "password".toCharArray()));
> > > > > > > Node root = session.getRootNode();
> > > > > > > root.addNode("leftChild");
> > > > > > > root.addNode("rightChild");
> > > > > > >
> > > > > > > session.save();
> > > > > > > String path = session.getRootNode().getPath();
> > > > > > > System.out.println(path);
> > > > > > > AccessControlManager acm = session.getAccessControlManager();
> > > > > > > AccessControlUtils.allow(session.getRootNode(), "admin",
> > > > > > >         Privilege.JCR_ALL);
> > > > > > > AccessControlList acl =
> > > > > > >         AccessControlUtils.getAccessControlList(session, path);
> > > > > > > for (AccessControlEntry e : acl.getAccessControlEntries()) {
> > > > > > >     acl.removeAccessControlEntry(e);
> > > > > > > }
> > > > > > > acl.addAccessControlEntry(EveryonePrincipal.getInstance(),
> > > > > > >         new Privilege[] { acm.privilegeFromName(Privilege.JCR_ALL) });
> > > > > > > acm.setPolicy(path, acl);
> > > > > > > session.save();
> > > > > > >
> > > > > > > Regards,
> > > > > > > Atif
> > > > > >
> > > > > > > On Tue, Aug 25, 2015 at 7:46 AM, Karsten Priegnitz <koem@petoria.de>
> > > > > > > wrote:
> > > > > > >
> > > > > > > > Hi Atif,
> > > > > > > >
> > > > > > > > I had the same problem as you and then I found
> > > > > > > >
> > > > > > > > org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils:
> > > > > > > >
> > > > > > > > and that's all:
> > > > > > > > AccessControlUtils.allow(session.getRootNode(), username,
> > > > > > > >         Privilege.JCR_ALL);
> > > > > > > >
> > > > > > > > Best
> > > > > > > > Karsten
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > Karsten R. Priegnitz
> > > > > > > >
> > > > > > > > programmer | web developer | linux administrator | digital nomad
> > > > > > > > business: contact <http://petoria.de/portfolio/contact-about/> |
> > > > > > > > portfolio <http://petoria.de/portfolio/>
> > > > > > > > ------------------------------------------------------------------------
> > > > > > >
> > > > > > >
> > > > > > > > On 24.08.2015 at 22:40, Clay Ferguson wrote:
> > > > > > > >
> > > > > > > > > I'm not *that* much of an expert, but it kind of works by
> > > > > > > > > bubbling up towards the root I believe. So if you query for ACL
> > > > > > > > > on a node and it finds none, that is fine. It just means that
> > > > > > > > > node is effectively controlled by an ancestor. Once you start
> > > > > > > > > adding ACL privs the that root starts applying those there and
> > > > > > > > > all beneath it on the tree recursively. By default 'admin' user
> > > > > > > > > has full privileges and everyone else has none. The session
> > > > > > > > > that creates a node I think by default has all privs on that
> > > > > > > > > node, but I'd have to check my code...I might be adding privs
> > > > > > > > > when creating. Look at my "controller" class, and that is the
> > > > > > > > > top level, and a lot of stuff like creating new nodes, moving
> > > > > > > > > nodes, adding ACLs etc can be sussed out by just looking at my
> > > > > > > > > code and not even running it. It's not too complicated. Does
> > > > > > > > > that answer the question?
> > > > > > > > >
> > > > > > > > > Best regards,
> > > > > > > > > Clay Ferguson
> > > > > > > > > wclayf@gmail.com
> > > > > > > >
> > > > > > > >
> > > > > > > > > On Mon, Aug 24, 2015 at 2:53 PM, Atif Manzoor
> > > > > > > > > <atif.manzoor@gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > > Hi Clay
> > > > > > > > > >
> > > > > > > > > > Thanks a lot for your response. I have been through your code
> > > > > > > > > > and have found that you have also been using
> > > > > > > > > > getApplicablePolicies(path) and getPolicies(path) functions to
> > > > > > > > > > get the AccessControlList (ACL) object, however both of these
> > > > > > > > > > functions have not been returning any ACL policies for me. In
> > > > > > > > > > other words my node does not contain any modifiable ACL. Can
> > > > > > > > > > you tell me why that is? What will I have to do, so that the
> > > > > > > > > > node should also have a modifiable ACL?
> > > > > > > > > >
> > > > > > > > > > Kind regards,
> > > > > > > > > > Atif
> > > > > > > > >
> > > > > > > > > > On Mon, Aug 24, 2015 at 7:01 PM, Clay Ferguson <wclayf@gmail.com>
> > > > > > > > > > wrote:
> > > > > > > > > >
> > > > > > > > > > > Hello Atif,
> > > > > > > > > > >
> > > > > > > > > > > You should check out my open source project:
> > > > > > > > > > > https://github.com/Clay-Ferguson/meta64
> > > > > > > > > > >
> > > > > > > > > > > Download the zip and search for the words 'privilege' and/or
> > > > > > > > > > > AccessControl, etc.
> > > > > > > > > > >
> > > > > > > > > > > The AclService.java class has ability to do basic listing of
> > > > > > > > > > > privileges for a node, and adding or removing privileges from
> > > > > > > > > > > a node, and might help you some. Good luck.
> > > > > > > > > > >
> > > > > > > > > > > Best regards,
> > > > > > > > > > > Clay Ferguson
> > > > > > > > > > > wclayf@gmail.com
> > > > > > > > > >
> > > > > > > > > >
> > > > >
> > > >
> >
> >
>
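
Added example, not part of any message in this thread and not Jackrabbit's or meta64's own code: one way to obtain the editable ACL for a node without relying on a NoSuchElementException or on index [0], and to grant a narrow privilege set instead of jcr:all. The class and method names (NodeAclExample, findAcl, grant, applyPolicy) are hypothetical, only the standard javax.jcr.security API is used, and the caller is assumed to pass in the principals (for instance EveryonePrincipal.getInstance() as used in the thread).

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;

/** Added example; class and method names are hypothetical. */
public final class NodeAclExample {

    /**
     * Returns the editable ACL for absPath: the policy already bound to the
     * node if there is one, otherwise a policy that can still be bound to it.
     */
    static AccessControlList findAcl(AccessControlManager acm, String absPath)
            throws RepositoryException {
        // Policies already set on this node (empty array when none is bound).
        for (AccessControlPolicy policy : acm.getPolicies(absPath)) {
            if (policy instanceof AccessControlList) {
                return (AccessControlList) policy;
            }
        }
        // Policies that may be set on this node but are not bound yet.
        AccessControlPolicyIterator applicable = acm.getApplicablePolicies(absPath);
        while (applicable.hasNext()) {
            AccessControlPolicy policy = applicable.nextAccessControlPolicy();
            if (policy instanceof AccessControlList) {
                return (AccessControlList) policy;
            }
        }
        // Neither call produced an ACL: fail with a clear message instead of a
        // NoSuchElementException, an ArrayIndexOutOfBoundsException or null.
        throw new AccessControlException("No AccessControlList at " + absPath
                + "; check the repository's security configuration");
    }

    /**
     * Replaces the entries of one principal at absPath with a single entry
     * for the named privileges. Entries of other principals are kept.
     */
    static void grant(Session session, String absPath, Principal principal,
            String... privilegeNames) throws RepositoryException {
        AccessControlManager acm = session.getAccessControlManager();
        AccessControlList acl = findAcl(acm, absPath);

        // getAccessControlEntries() returns an array, so removing while
        // looping over it is safe.
        for (AccessControlEntry entry : acl.getAccessControlEntries()) {
            if (entry.getPrincipal().getName().equals(principal.getName())) {
                acl.removeAccessControlEntry(entry);
            }
        }

        Privilege[] privileges = new Privilege[privilegeNames.length];
        for (int i = 0; i < privilegeNames.length; i++) {
            privileges[i] = acm.privilegeFromName(privilegeNames[i]);
        }
        acl.addAccessControlEntry(principal, privileges);

        acm.setPolicy(absPath, acl); // transient until the session is saved
        session.save();
    }

    /** Everyone may read; one named principal may also add child nodes. */
    static void applyPolicy(Session adminSession, String absPath,
            Principal everyone, Principal editor) throws RepositoryException {
        grant(adminSession, absPath, everyone, Privilege.JCR_READ);
        // The set listed in the thread for adding children, written with the
        // JCR constants for read, write, addChildNodes and nodeTypeManagement.
        grant(adminSession, absPath, editor,
                Privilege.JCR_READ,
                Privilege.JCR_WRITE,
                Privilege.JCR_ADD_CHILD_NODES,
                Privilege.JCR_NODE_TYPE_MANAGEMENT);
    }
}
```

Granting Privilege.JCR_ALL to the everyone principal on the root node, as the code posted in the thread does, gives every session full control of the repository, including the right to change access control. Keeping jcr:read for everyone and a narrow write grant for named principals keeps the ACL least-privilege.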

Re: Access control

Posted by Clay Ferguson <wc...@gmail.com>.
I'm experimenting with meta64.com discussion capability. Who wants to
discuss this stuff on there, and see if the meta64 works well as a
discussion engine? I'm trying to make Social Media a federated free
commodity, rather than monopolized by Disqus, Facebook, etc. Join me...

http://meta64.com?id=/wclayf/public/oak-jackrabbit-discussions

Best regards,
Clay Ferguson
wclayf@gmail.com



Re: Access control

Posted by Robert Munteanu <ro...@apache.org>.
Hi,

On Tue, 2015-08-25 at 09:44 -0500, Clay Ferguson wrote:
> Atif, just beware that the "addChildren" privilege doesn't work as one
> would expect. If you want a principal to be able to add children to a
> node you must add ALL of the following privileges:
>
> "read", "write", "addChildren", "nodeTypeManagement"

I think you can simply use rep:write ( not jcr:write ) as a shorthand.

> That cost me many hours of headache, and at least one other person
> also. My personal belief is that this functionality requirement was an
> accident rather than by design and no one who is an Adobe customer has
> complained so they are leaving it as is.

As far as I can tell the behaviour is according to the Access Control
Management chapter of the JCR 2.0 specification [1]. If there's a gap
between the spec and the implementation it's definitely worth a bug
report.

Cheers,

Robert

[1]: http://www.day.com/specs/jcr/2.0/16_Access_Control_Management.html#16.2.3%20Standard%20Privileges

> 
> 
> Best regards,
> Clay Ferguson
> wclayf@gmail.com
> 
> 
> On Tue, Aug 25, 2015 at 5:05 AM, Atif Manzoor <atif.manzoor@gmail.com
> >
> wrote:
> 
> > Hi Karsten
> > 
> > No actually I was just trying out the simplest case to control
> > access to a
> > particular code. At later stage I will allow or restrict read /
> > write
> > access to a node for different users.
> > 
> > Kind regards,
> > Atif
> > 
> > On Tue, Aug 25, 2015 at 10:53 AM, Karsten Priegnitz <
> > koem@petoria.de>
> > wrote:
> > 
> > > Hi Atif
> > > 
> > > reading your code it seems to me you just want to add JCR_ALL
> > > privileges
> > > to some user. This is what allow() does. No need to do something
> > > else.
> > And:
> > > "admin" normally already has these privileges.
> > > 
> > > I'd try this (not tested)
> > > 
> > > AccessControlUtils.allow(session.getRootNode(),
> > > EveryonePrincipal.getInstance()
> > > .getName(), Privilege.JCR_ALL);
> > > 
> > > 
> > > What do you want to accomplish? Make everyone admin?
> > > 
> > > 
> > > Karsten R. Priegnitz
> > > 
> > > programmierer | web-entwickler | linux administrator | digitaler
> > > nomade
> > > business: kontakt <http://petoria.de/portfolio/contact-about/> |
> > > portfolio <http://petoria.de/portfolio/>
> > > -----------------------------------------------------------------
> > > -------
> > > 
> > > Am 25.08.2015 um 10:54 schrieb Atif Manzoor:
> > > 
> > > > Hi Karsten
> > > > 
> > > > Thanks a lot for your help. I tried AccessControlUtils.allow(),
> > > > however
> > > > AccessControlUtils.getACL() is still returning NULL. I think I
> > > > may have
> > > > also have to do something else to enable access control that
> > > > particular
> > > > node. Following is my code complete code that tried
> > > > AccessControlUtils.
> > I
> > > > am still getting Null for acl.
> > > > 
> > > > Repository repository = new  TransientRepository();
> > > > Session session = repository.login(new
> > > > SimpleCredentials("admin",
> > > > "password".toCharArray()));
> > > > Node root = session.getRootNode();
> > > > root.addNode("leftChild");
> > > > root.addNode("rightChild");
> > > > 
> > > > session.save();
> > > > String path = session.getRootNode().getPath();
> > > > System.out.println(path);
> > > > AccessControlManager acm = session.getAccessControlManager();
> > > > AccessControlUtils.allow(session.getRootNode(), "admin",
> > > > Privilege.JCR_ALL);
> > > > AccessControlList acl =
> > > > AccessControlUtils.getAccessControlList(session,
> > > > path);
> > > > for (AccessControlEntry e : acl.getAccessControlEntries()) {
> > > > acl.removeAccessControlEntry(e);
> > > > }
> > > > acl.addAccessControlEntry(EveryonePrincipal.getInstance(), new
> > Privilege[]
> > > > { acm
> > > > .privilegeFromName(Privilege.JCR_ALL) });
> > > > acm.setPolicy(path, acl);
> > > > session.save();
> > > > 
> > > > Regards,
> > > > Atif


Re: Access control

Posted by Clay Ferguson <wc...@gmail.com>.
Atif, just beware that the "addChildren" privilege doesn't work as one
would expect. If you want a principal to be able to add children to a node
you must add ALL of the following privileges:

"read", "write", "addChildren", "nodeTypeManagement"

That cost me many hours of headache, and at least one other person also.
My personal belief is that this functionality requirement was an accident rather
than by design and no one who is an Adobe customer has complained so they
are leaving it as is.


Best regards,
Clay Ferguson
wclayf@gmail.com


On Tue, Aug 25, 2015 at 5:05 AM, Atif Manzoor <at...@gmail.com>
wrote:

> Hi Karsten
>
> No, actually I was just trying out the simplest case to control access to a
> particular code. At a later stage I will allow or restrict read / write
> access to a node for different users.
>
> Kind regards,
> Atif
>
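
An added example, not part of the original message and not code from Jackrabbit or meta64: it grants the privilege set listed in the message above to a single principal, fails loudly when the node has no modifiable ACL (the null result reported elsewhere in this thread), and lists the entries bound to the node afterwards. The class and method names are hypothetical, and mapping the quoted names to the `Privilege.JCR_*` constants is an assumption.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;

import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.Privilege;

import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;

/** Hypothetical helper; the class and its methods are not from Jackrabbit or meta64. */
public final class AddChildrenGrant {

    // Assumption: the names quoted in the message map to these JCR constants.
    static final String[] ADD_CHILDREN_SET = {
        Privilege.JCR_READ,                 // "read"
        Privilege.JCR_WRITE,                // "write"
        Privilege.JCR_ADD_CHILD_NODES,      // "addChildren"
        Privilege.JCR_NODE_TYPE_MANAGEMENT  // "nodeTypeManagement"
    };

    private AddChildrenGrant() {
    }

    /**
     * Grants the set to one named principal at absPath instead of handing
     * jcr:all to everyone. The session must be allowed to modify access
     * control at that path.
     */
    public static void grant(Session session, String absPath, Principal principal)
            throws RepositoryException {
        // Null means the node has neither a bound nor an applicable ACL.
        JackrabbitAccessControlList acl =
                AccessControlUtils.getAccessControlList(session, absPath);
        if (acl == null) {
            throw new IllegalStateException("No modifiable ACL at " + absPath
                    + "; check the repository's security configuration");
        }
        Privilege[] privileges =
                AccessControlUtils.privilegesFromNames(session, ADD_CHILDREN_SET);
        acl.addEntry(principal, privileges, true); // true = allow entry
        session.getAccessControlManager().setPolicy(absPath, acl);
        session.save(); // the policy change is transient until saved
    }

    /** Returns one line per entry bound at absPath, for review after a change. */
    public static List<String> describeEntries(Session session, String absPath)
            throws RepositoryException {
        List<String> lines = new ArrayList<String>();
        AccessControlManager acm = session.getAccessControlManager();
        for (AccessControlPolicy policy : acm.getPolicies(absPath)) {
            if (!(policy instanceof AccessControlList)) {
                continue; // not an ACL-style policy
            }
            for (AccessControlEntry entry
                    : ((AccessControlList) policy).getAccessControlEntries()) {
                // Plain JCR entries only grant; Jackrabbit entries may also deny.
                boolean allow = !(entry instanceof JackrabbitAccessControlEntry)
                        || ((JackrabbitAccessControlEntry) entry).isAllow();
                StringBuilder line = new StringBuilder(allow ? "allow " : "deny ");
                line.append(entry.getPrincipal().getName()).append(':');
                for (Privilege p : entry.getPrivileges()) {
                    line.append(' ').append(p.getName());
                }
                lines.add(line.toString());
            }
        }
        return lines;
    }
}
```

Reviewing the output of `describeEntries` after each change makes a broad grant, such as jcr:all for the everyone principal, visible before other sessions rely on it.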

Re: Access control

Posted by Atif Manzoor <at...@gmail.com>.
Hi Karsten

No, actually I was just trying out the simplest case to control access to a
particular code. At a later stage I will allow or restrict read / write
access to a node for different users.

Kind regards,
Atif

On Tue, Aug 25, 2015 at 10:53 AM, Karsten Priegnitz <ko...@petoria.de> wrote:

> Hi Atif
>
> reading your code it seems to me you just want to add JCR_ALL privileges
> to some user. This is what allow() does. No need to do something else. And:
> "admin" normally already has these privileges.
>
> I'd try this (not tested)
>
> AccessControlUtils.allow(session.getRootNode(),
>     EveryonePrincipal.getInstance().getName(), Privilege.JCR_ALL);
>
>
> What do you want to accomplish? Make everyone admin?
>
>
> Karsten R. Priegnitz
>
> programmer | web developer | linux administrator | digital nomad
> business: contact <http://petoria.de/portfolio/contact-about/> |
> portfolio <http://petoria.de/portfolio/>
> ------------------------------------------------------------------------

Re: Access control

Posted by Karsten Priegnitz <ko...@petoria.de>.
Hi Atif

reading your code it seems to me you just want to add JCR_ALL privileges 
to some user. This is what allow() does. No need to do something else. 
And: "admin" normally already has these privileges.

I'd try this (not tested)

AccessControlUtils.allow(session.getRootNode(),
    EveryonePrincipal.getInstance().getName(), Privilege.JCR_ALL);


What do you want to accomplish? Make everyone admin?


Karsten R. Priegnitz

programmer | web developer | linux administrator | digital nomad
business: contact <http://petoria.de/portfolio/contact-about/> |
portfolio <http://petoria.de/portfolio/>
------------------------------------------------------------------------

On 25.08.2015 at 10:54, Atif Manzoor wrote:
> Hi Karsten
>
> Thanks a lot for your help. I tried AccessControlUtils.allow(), however
> AccessControlUtils.getACL() is still returning NULL. I think I may
> also have to do something else to enable access control for that particular
> node. Following is my complete code that tried AccessControlUtils. I
> am still getting Null for acl.
>
> Repository repository = new TransientRepository();
> Session session = repository.login(
>     new SimpleCredentials("admin", "password".toCharArray()));
> Node root = session.getRootNode();
> root.addNode("leftChild");
> root.addNode("rightChild");
>
> session.save();
> String path = session.getRootNode().getPath();
> System.out.println(path);
> AccessControlManager acm = session.getAccessControlManager();
> AccessControlUtils.allow(session.getRootNode(), "admin", Privilege.JCR_ALL);
> AccessControlList acl = AccessControlUtils.getAccessControlList(session, path);
> for (AccessControlEntry e : acl.getAccessControlEntries()) {
>     acl.removeAccessControlEntry(e);
> }
> acl.addAccessControlEntry(EveryonePrincipal.getInstance(),
>     new Privilege[] { acm.privilegeFromName(Privilege.JCR_ALL) });
> acm.setPolicy(path, acl);
> session.save();
>
> Regards,
> Atif


Re: Access control

Posted by Atif Manzoor <at...@gmail.com>.
Hi Karsten

Thanks a lot for your help. I tried AccessControlUtils.allow(), however
AccessControlUtils.getACL() is still returning NULL. I think I may
also have to do something else to enable access control for that particular
node. Following is my complete code that tried AccessControlUtils. I
am still getting Null for acl.

Repository repository = new TransientRepository();
Session session = repository.login(
    new SimpleCredentials("admin", "password".toCharArray()));
Node root = session.getRootNode();
root.addNode("leftChild");
root.addNode("rightChild");

session.save();
String path = session.getRootNode().getPath();
System.out.println(path);
AccessControlManager acm = session.getAccessControlManager();
AccessControlUtils.allow(session.getRootNode(), "admin", Privilege.JCR_ALL);
AccessControlList acl = AccessControlUtils.getAccessControlList(session, path);
for (AccessControlEntry e : acl.getAccessControlEntries()) {
    acl.removeAccessControlEntry(e);
}
acl.addAccessControlEntry(EveryonePrincipal.getInstance(),
    new Privilege[] { acm.privilegeFromName(Privilege.JCR_ALL) });
acm.setPolicy(path, acl);
session.save();

Regards,
Atif

On Tue, Aug 25, 2015 at 7:46 AM, Karsten Priegnitz <ko...@petoria.de> wrote:

> Hi Atif,
>
> I had the same problem as you and then I found
> org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils:
>
> and that's all: AccessControlUtils.allow(session.getRootNode(), username,
> Privilege.JCR_ALL);
>
> Best
> Karsten
>
>
>
> Karsten R. Priegnitz
>
> programmer | web developer | linux administrator | digital nomad
> business: contact <http://petoria.de/portfolio/contact-about/> |
> portfolio <http://petoria.de/portfolio/>
> ------------------------------------------------------------------------

Re: Access control

Posted by Karsten Priegnitz <ko...@petoria.de>.
Hi Atif,

I had the same problem as you and then I found
org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils:

and that's all:

AccessControlUtils.allow(session.getRootNode(), username, Privilege.JCR_ALL);

Best
Karsten



Karsten R. Priegnitz

programmer | web developer | linux administrator | digital nomad
business: contact <http://petoria.de/portfolio/contact-about/> |
portfolio <http://petoria.de/portfolio/>
------------------------------------------------------------------------

On 24.08.2015 at 22:40, Clay Ferguson wrote:
> I'm not *that* much of an expert, but it kind of works by bubbling up
> towards the root I believe. So if you query for ACL on a node and it finds
> none, that is fine. It just means that node is effectively controlled by an
> ancestor. Once you start adding ACL privs then that root starts applying
> those there and all beneath it on the tree recursively. By default 'admin'
> user has full privileges and everyone else has none. The session that
> creates a node I think by default has all privs on that node, but I'd have
> to check my code...I might be adding privs when creating. Look at my
> "controller" class, and that is the top level, and a lot of stuff like
> creating new nodes, moving nodes, adding ACLs etc can be sussed out by just
> looking at my code and not even running it. It's not too complicated. Does
> that answer the question?
>
> Best regards,
> Clay Ferguson
> wclayf@gmail.com
>
>


Re: Access control

Posted by Clay Ferguson <wc...@gmail.com>.
I'm not *that* much of an expert, but it kind of works by bubbling up
towards the root I believe. So if you query for ACL on a node and it finds
none, that is fine. It just means that node is effectively controlled by an
ancestor. Once you start adding ACL privs then that root starts applying
those there and all beneath it on the tree recursively. By default 'admin'
user has full privileges and everyone else has none. The session that
creates a node I think by default has all privs on that node, but I'd have
to check my code...I might be adding privs when creating. Look at my
"controller" class, and that is the top level, and a lot of stuff like
creating new nodes, moving nodes, adding ACLs etc can be sussed out by just
looking at my code and not even running it. It's not too complicated. Does
that answer the question?

Best regards,
Clay Ferguson
wclayf@gmail.com


On Mon, Aug 24, 2015 at 2:53 PM, Atif Manzoor <at...@gmail.com>
wrote:

> Hi Clay
>
> Thanks a lot for your response. I have been through your code and have
> found that you have also been using getApplicablePolicies(path) and
> getPolicies(path) functions to get AccessControlList (ACL) object, however
> both of these functions have not been returning any ACL policies for me. In
> other words my node does not contain any modifiable ACL. Can you tell me why is
> that. What will I have to do, so that the node should also have modifiable
> ACL.
>
> Kind regards,
> Atif
>

Re: Access control

Posted by Atif Manzoor <at...@gmail.com>.
Hi Clay

Thanks a lot for your response. I have been through your code and have
found that you have also been using getApplicablePolicies(path) and
getPolicies(path) functions to get AccessControlList (ACL) object, however
both of these functions have not been returning any ACL policies for me. In
other words my node does not contain any modifiable ACL. Can you tell me why is
that. What will I have to do, so that the node should also have modifiable
ACL.

Kind regards,
Atif

On Mon, Aug 24, 2015 at 7:01 PM, Clay Ferguson <wc...@gmail.com> wrote:

> Hello Atif,
>
> You should check out my open source project:
> https://github.com/Clay-Ferguson/meta64
>
> Download the zip and search for the words 'privilege' and/or AccessControl,
> etc.
>
> The AclService.java class has ability to do basic listing of privileges for
> a node, and adding or removing privileges from a node, and might help you
> some. Good luck.
>
> Best regards,
> Clay Ferguson
> wclayf@gmail.com
>
>
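
The policy lookup discussed in the message above, as an added example that is not part of the thread and is not Jackrabbit's or meta64's own code. It checks getPolicies and getApplicablePolicies without unchecked casts or array indexing, reports clearly when neither yields an AccessControlList (the symptom described here), and grants only the named privileges to one principal instead of jcr:all to everyone. The class name AclGrant and its method names are hypothetical; the calls are the standard javax.jcr.security API.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;

/** Hypothetical helper; the name is invented for this example. */
public final class AclGrant {
    /** Returns the ACL to edit at absPath: one already bound, else an applicable one. */
    static AccessControlList findAcl(AccessControlManager acm, String absPath)
            throws RepositoryException {
        // Policies already bound to the node come first, so existing entries are kept.
        for (AccessControlPolicy p : acm.getPolicies(absPath)) {
            if (p instanceof AccessControlList) {
                return (AccessControlList) p;
            }
        }
        // Otherwise take a policy that may be bound to the node but is not yet.
        AccessControlPolicyIterator it = acm.getApplicablePolicies(absPath);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof AccessControlList) {
                return (AccessControlList) p;
            }
        }
        // Neither call returned an ACL: fail loudly instead of indexing an empty array.
        throw new RepositoryException("No editable ACL at " + absPath
                + "; check the repository's access control configuration");
    }

    /** Grants only the named privileges to one principal at absPath and saves. */
    public static void grant(Session session, String absPath, Principal principal,
            String... privilegeNames) throws RepositoryException {
        AccessControlManager acm = session.getAccessControlManager();
        Privilege[] privileges = new Privilege[privilegeNames.length];
        for (int i = 0; i < privilegeNames.length; i++) {
            privileges[i] = acm.privilegeFromName(privilegeNames[i]);
        }
        AccessControlList acl = findAcl(acm, absPath);
        acl.addAccessControlEntry(principal, privileges);
        acm.setPolicy(absPath, acl);
        session.save();
    }
}
```

A call such as AclGrant.grant(session, "/content", principal, Privilege.JCR_READ) assumes a node at the constructed path /content and a Principal the caller has already resolved.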

Re: Access control

Posted by Clay Ferguson <wc...@gmail.com>.
Hello Atif,

You should check out my open source project:
https://github.com/Clay-Ferguson/meta64

Download the zip and search for the words 'privilege' and/or AccessControl,
etc.

The AclService.java class has ability to do basic listing of privileges for
a node, and adding or removing privileges from a node, and might help you
some. Good luck.

Best regards,
Clay Ferguson
wclayf@gmail.com


On Mon, Aug 24, 2015 at 12:07 PM, Atif Manzoor <at...@gmail.com>
wrote:

> I am new to Jackrabbit and after going through the first hops and little
> bit of documentation, I was trying to configure Access Control for the
> repository nodes. I was extending ThirdHop tutorial for that purpose and
> was following access control wiki
> http://wiki.apache.org/jackrabbit/AccessControl and had the following
> code.
>
> Session session = repository.login(
>         new SimpleCredentials("username", "password".toCharArray()));
> Node node = session.getRootNode();
> String path = node.getPath();
> AccessControlManager acm = session.getAccessControlManager();
>
> Privilege[] privileges = new Privilege[] {
>         acm.privilegeFromName(Privilege.JCR_ALL) };
> AccessControlList acl;
> try {
>     acl = (AccessControlList) acm.getApplicablePolicies(path)
>             .nextAccessControlPolicy();
> } catch (NoSuchElementException e) {
>     acl = (AccessControlList) acm.getPolicies(path)[0];
> }
> for (AccessControlEntry e : acl.getAccessControlEntries()) {
>     acl.removeAccessControlEntry(e);
> }
> acl.addAccessControlEntry(EveryonePrincipal.getInstance(), privileges);
> acm.setPolicy(path, acl);
> session.save();
>
> My problem is that I could not get AccessControlList with this code. Both
> functions (getApplicablePolicies and getAllPolicies) don't have any
> AccessControlList attached with them. Can you tell me where I went wrong. I
> have been using the default security configuration.
>
> Thanks
> Atif
>