You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sling.apache.org by Branden Visser <br...@uwindsor.ca> on 2009/12/05 02:30:03 UTC
Private content in JCR
Hi all,
This sounds like more of a JCR question then Sling, but I'm hoping it's a quick answer:
If I have a resource node: /users/branden, how would I make the resource 'branden' and everything beneath it be private, so that no other authenticated user (except branden) can read it? I looked at the AccessControl spec and read up on the spec, but I didn't see anything that could serve this purpose. Did I miss a document?
Thanks,
Branden
Re: Private content in JCR
Posted by Felix Meschberger <fm...@gmail.com>.
Hi,
I am working on the JCR2/Jackrabbit 2 integration in my whiteboard at [1]
Regards
Felix
[1]
https://svn.apache.org/repos/asf/sling/whiteboard/fmeschbe/jackrabbit2upgrade/
Branden Visser schrieb:
> Ian,
>
> Thanks for the detailed reply. I've left some comments below.
>
> -----Ian Boston <ia...@googlemail.com> wrote: -----
>
>> To: dev@sling.apache.org
>> From: Ian Boston <ie...@tfd.co.uk>
>> Sent by: Ian Boston <ia...@googlemail.com>
>> Date: 12/05/2009 07:42AM
>> Cc: sling-dev@apache.org
>> Subject: Re: Private content in JCR
>>
>> Branden,
>> Depending on which version of Jackrabbit you are running you might be
>>
>> able to.
>>
>> Assuming
>> / has
>> everyone:grant:jcr:write
>> admin:grant:jcr:all
>> anonomous:grant:jcr:read
>> then /users/branden will need
>> branden:grant:jcr:write
>> everyone:deny:jcr:all
>> anonomous:deny:jcr:all
>>
>
> Ahh, an "everyone" group, that's one big concept I was missing (as well as info about the group deny). Is this a built-in group in JCR that I can reference? Or do I have to create and maintain it manually as I create more users?
>
>> Certainly in 1.5.7 you cant deny access to a group,
>> so since everyone was granted read at / you cant deny read at /users/
>>
>> branden
>>
>> I think in JR2 group deny was enabled, but ATM we dont have JR2 in
>> Sling (Felix is working on it).
>>
>
> Is there a JIRA ticket I can track for the progress? Or even better, some incomplete prerequisite tickets I can complete to help the process along?
>
>> The other problem is that both the AccessManagerServlets and the
>> DefaultSecurityManager have blocks of code that prevent a
>> group:deny:* ACE being applied.
>>
>> ie you cant set everyone:deny:jcr:all and its not processed even if
>> you could.
>>
>> So as part of the upgrade to 2, the checks would need to be removed
>> in
>> the access manager bundle to allow group deny.
>> Alternatively I think the security settings in the contentloader
>> bundle will allow you to set these ACE's directly
>>
>> ----------------
>>
>> We had exactly the same issue, so we patched everything to make it
>> work. Sady the patch to the 1.5.7 DefaultSecurityManager is quite
>> extensive since it requires far greater control over the order in
>> which the ACL bitmap is compiled. (branded is a member of everyone is
>>
>> just one issue)
>>
>> I am in the process or reworking those patches for the JR1.6 based
>> server bundle, but I am not there yet, and can give you pointers to
>> the code if you like.
>
> If you don't mind giving pointers to the code, that would be great. Depending on the timeline of Sling+JR2, I wouldn't mind looking at group-deny for 1.6 if there are any open JIRA's associated to it.
>
>> HTH
>> Ian
>>
>
> Thanks again, it was a great help.
>
> Branden
>
>> On 5 Dec 2009, at 01:30, Branden Visser wrote:
>>
>>> Hi all,
>>>
>>> This sounds like more of a JCR question then Sling, but I'm hoping
>>> it's a quick answer:
>>>
>>> If I have a resource node: /users/branden, how would I make the
>>> resource 'branden' and everything beneath it be private, so that no
>>
>>> other authenticated user (except branden) can read it? I looked at
>>> the AccessControl spec and read up on the spec, but I didn't see
>>> anything that could serve this purpose. Did I miss a document?
>>>
>>> Thanks,
>>> Branden
>>>
>>>
>
>
Re: Private content in JCR
Posted by Ian Boston <ie...@tfd.co.uk>.
You might want to consider not using html on lists :), came through a
bit odd.
Comments inline
On 5 Dec 2009, at 15:39, Branden Visser wrote:
> Ian,
>
> Thanks for the detailed reply. I've left some comments below.
>
> -----Ian Boston <ia...@googlemail.com> wrote: -----
>
>> To: dev@sling.apache.org
>> From: Ian Boston <ie...@tfd.co.uk>
>> Sent by: Ian Boston <ia...@googlemail.com>
>> Date: 12/05/2009 07:42AM
>> Cc: sling-dev@apache.org
>> Subject: Re: Private content in JCR
>>
>> Branden,
>> Depending
>>  
>> ;on
>>  
>> ;which
>>  
>> ;version
>>  
>> ;of
>>  
>> ;Jackrabbit
>> you are running you might be
>>
>> able to.
>>
>> Assuming
>> / has
>>  
>> ; 
>> ; 
>> ; 
>> ; everyone:grant:jcr:write
>>  
>> ; 
>> ; 
>> ; admin:grant:jcr:all
>>  
>> ; 
>> ; 
>> ; 
>> ; anonomous:grant:jcr:read
>> then /users/branden will need
>>  
>> ; 
>> ; 
>> ; branden:grant:jcr:write
>>  
>> ; 
>> ; 
>> ; everyone:deny:jcr:all
>>  
>> ; 
>> ; 
>> ; anonomous:deny:jcr:all
>>
>
> Ahh, an "everyone" group, that's one big concept I was missing (as
> well as info about the group deny). Is this a built-in group in JCR
> that I can reference?
Yes I think it is you should use the PrincipalManager.getEveryone()
method to get its principal which you can use to reference it. I think
it might be a bit unsafe to use "everyone" as a string.
> Or do I have to create and maintain it manually as I create more
> users?
IIRC the PrincipalManager impl does it all auto for you.
>
>>
>> Certainly in
>> 1.5.7
>> you cant deny access to a group,
>> so
>>  
>> ;since everyone was granted read at /
>> you cant deny read at /users/
>>
>> branden
>>
>> I
>>  
>> ;think
>>  
>> ;in
>>  
>> ;JR2
>>  
>> ;group
>>  
>> ;deny
>>  
>> ;was
>>  
>> ;enabled
>> , 
>> ;but
>> ATM we dont have JR2 in
>> Sling (Felix is working on it).
>>
>
> Is there a JIRA ticket I can track for the progress? Or even better,
> some incomplete prerequisite tickets I can complete to help the
> process along?
> https://issues.apache.org/jira/browse/SLING-1093
>
>> The
>>  
>> ;other
>>  
>> ;problem
>>  
>> ;is
>>  
>> ;that
>>  
>> ;both
>> the AccessManagerServlets and the
>> DefaultSecurityManager
>>  
>> ;have
>>  
>> ;blocks of code that prevent a
>> group:deny:* ACE being applied.
>>
>> ie
>>  
>> ;you
>>  
>> ;cant
>>  
>> ;set
>>  
>> ;everyone:deny:jcr:all
>>  
>> ;and its not processed even if
>> you could.
>>
>> So as part of the upgrade to
>> 2
>> , 
>> ;the checks would need to be removed
>> in
>> the
>>  
>> ;access
>> manager bundle to allow group deny.
>> Alternatively
>>  
>> ;I
>>  
>> ;think
>>  
>> ;the
>>  
>> ;security
>> settings in the contentloader
>> bundle
>>  
>> ;will
>>  
>> ;allow you to set these ACE's directly
>>
>> ----------------
>>
>> We
>>  
>> ;had
>>  
>> ;exactly
>>  
>> ;the
>>  
>> ;same
>>  
>> ;issue
>> , 
>> ;so
>>  
>> ;we
>> patched everything to make it
>> work. Sady the patch to the
>> 1.5.7 DefaultSecurityManager is quite
>> extensive
>>  
>> ;since
>>  
>> ;it
>>  
>> ;requires
>>  
>> ;far
>>  
>> ;greater
>> control over the order in
>> which the ACL bitmap is compiled.
>> (branded is a member of everyone is
>>
>> just one issue)
>>
>> I
>>  
>> ;am
>>  
>> ;in
>>  
>> ;the
>>  
>> ;process
>>  
>> ;or
>>  
>> ;reworking
>>  
>> ;those
>> patches for the JR1.6 based
>> server
>>  
>> ;bundle
>> , 
>> ;but
>>  
>> ;I
>>  
>> ;am
>>  
>> ;not
>>  
>> ;there
>>  
>> ;yet
>> , 
>> ;and can give you pointers to
>> the code if you like.
>
> If you don't mind giving pointers to the code, that would be great.
> Depending on the timeline of Sling+JR2, I wouldn't mind looking at
> group-deny for 1.6 if there are any open JIRA's associated to it.
My server bundle is [1], access manager [2], user manager [3], however
the user manager is highly custom (and you might not need it)
These are JR1.5.7 versions, and may include dependencies you dont want
(esp user)
Ian
1. http://github.com/ieb/open-experiments/tree/master/slingtests/osgikernel/bundles/server/
2. http://github.com/ieb/open-experiments/tree/master/slingtests/osgikernel/bundles/sling/accessmanager/
3. http://github.com/ieb/open-experiments/tree/master/slingtests/osgikernel/bundles/user/
>
>> HTH
>> Ian
>>
>
> Thanks again, it was a great help.
>
> Branden
>
>> On 5 Dec 2009, at
>> 01:30, Branden Visser wrote:
>>
>>> Hi all,
>>>
>>>  
>>> ;This
>>>  
>>> ;sounds
>>>  
>>> ;like
>>>  
>>> ;more
>>>  
>>> ;of
>>>  
>>> ;a
>>>  
>>> ;JCR
>>>  
>>> ;question then Sling, but I'm hoping
>>
>>> it's a quick answer:
>>>
>>> If I have a resource node: /
>>> users/
>>> branden, how would I make the
>>>  
>>> ;resource
>>>  
>>> ;'branden
>>> ' 
>>> ;and
>>>  
>>> ;everything
>>>  
>>> ;beneath it be private, so that no
>>
>>> other authenticated user
>>> (except branden) can read it?
>>> I looked at
>>
>>>  
>>> ;the
>>>  
>>> ;AccessControl
>>>  
>>> ;spec
>>>  
>>> ;and
>>>  
>>> ;read
>>>  
>>> ;up
>>>  
>>> ;on
>>>  
>>> ;the spec, but I didn't see
>>>  
>>> ;anything
>>>  
>>> ;that
>>>  
>>> ;could
>>>  
>>> ;serve
>>>  
>>> ;this purpose. Did I miss a document?
>>>
>>> Thanks,
>>> Branden
>>>
>>>
>
Re: Private content in JCR
Posted by Branden Visser <br...@uwindsor.ca>.
Ian,
Thanks for the detailed reply. I've left some comments below.
-----Ian Boston <ia...@googlemail.com> wrote: -----
>To: dev@sling.apache.org
>From: Ian Boston <ie...@tfd.co.uk>
>Sent by: Ian Boston <ia...@googlemail.com>
>Date: 12/05/2009 07:42AM
>Cc: sling-dev@apache.org
>Subject: Re: Private content in JCR
>
>Branden,
>Depending on which version of Jackrabbit you are running you might be
>
>able to.
>
>Assuming
>/ has
> everyone:grant:jcr:write
> admin:grant:jcr:all
> anonomous:grant:jcr:read
>then /users/branden will need
> branden:grant:jcr:write
> everyone:deny:jcr:all
> anonomous:deny:jcr:all
>
Ahh, an "everyone" group, that's one big concept I was missing (as well as info about the group deny). Is this a built-in group in JCR that I can reference? Or do I have to create and maintain it manually as I create more users?
>
>Certainly in 1.5.7 you cant deny access to a group,
>so since everyone was granted read at / you cant deny read at /users/
>
>branden
>
>I think in JR2 group deny was enabled, but ATM we dont have JR2 in
>Sling (Felix is working on it).
>
Is there a JIRA ticket I can track for the progress? Or even better, some incomplete prerequisite tickets I can complete to help the process along?
>The other problem is that both the AccessManagerServlets and the
>DefaultSecurityManager have blocks of code that prevent a
>group:deny:* ACE being applied.
>
>ie you cant set everyone:deny:jcr:all and its not processed even if
>you could.
>
>So as part of the upgrade to 2, the checks would need to be removed
>in
>the access manager bundle to allow group deny.
>Alternatively I think the security settings in the contentloader
>bundle will allow you to set these ACE's directly
>
>----------------
>
>We had exactly the same issue, so we patched everything to make it
>work. Sady the patch to the 1.5.7 DefaultSecurityManager is quite
>extensive since it requires far greater control over the order in
>which the ACL bitmap is compiled. (branded is a member of everyone is
>
>just one issue)
>
>I am in the process or reworking those patches for the JR1.6 based
>server bundle, but I am not there yet, and can give you pointers to
>the code if you like.
If you don't mind giving pointers to the code, that would be great. Depending on the timeline of Sling+JR2, I wouldn't mind looking at group-deny for 1.6 if there are any open JIRA's associated to it.
>HTH
>Ian
>
Thanks again, it was a great help.
Branden
>On 5 Dec 2009, at 01:30, Branden Visser wrote:
>
>> Hi all,
>>
>> This sounds like more of a JCR question then Sling, but I'm hoping
>
>> it's a quick answer:
>>
>> If I have a resource node: /users/branden, how would I make the
>> resource 'branden' and everything beneath it be private, so that no
>
>> other authenticated user (except branden) can read it? I looked at
>
>> the AccessControl spec and read up on the spec, but I didn't see
>> anything that could serve this purpose. Did I miss a document?
>>
>> Thanks,
>> Branden
>>
>>
Re: Private content in JCR
Posted by Ian Boston <ie...@tfd.co.uk>.
Branden,
Depending on which version of Jackrabbit you are running you might be
able to.
Assuming
/ has
everyone:grant:jcr:write
admin:grant:jcr:all
anonomous:grant:jcr:read
then /users/branden will need
branden:grant:jcr:write
everyone:deny:jcr:all
anonomous:deny:jcr:all
Certainly in 1.5.7 you cant deny access to a group,
so since everyone was granted read at / you cant deny read at /users/
branden
I think in JR2 group deny was enabled, but ATM we dont have JR2 in
Sling (Felix is working on it).
The other problem is that both the AccessManagerServlets and the
DefaultSecurityManager have blocks of code that prevent a
group:deny:* ACE being applied.
ie you cant set everyone:deny:jcr:all and its not processed even if
you could.
So as part of the upgrade to 2, the checks would need to be removed in
the access manager bundle to allow group deny.
Alternatively I think the security settings in the contentloader
bundle will allow you to set these ACE's directly
----------------
We had exactly the same issue, so we patched everything to make it
work. Sady the patch to the 1.5.7 DefaultSecurityManager is quite
extensive since it requires far greater control over the order in
which the ACL bitmap is compiled. (branded is a member of everyone is
just one issue)
I am in the process or reworking those patches for the JR1.6 based
server bundle, but I am not there yet, and can give you pointers to
the code if you like.
HTH
Ian
On 5 Dec 2009, at 01:30, Branden Visser wrote:
> Hi all,
>
> This sounds like more of a JCR question then Sling, but I'm hoping
> it's a quick answer:
>
> If I have a resource node: /users/branden, how would I make the
> resource 'branden' and everything beneath it be private, so that no
> other authenticated user (except branden) can read it? I looked at
> the AccessControl spec and read up on the spec, but I didn't see
> anything that could serve this purpose. Did I miss a document?
>
> Thanks,
> Branden
>
>