You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@jackrabbit.apache.org by Vidar Ramdal <vi...@idium.no> on 2008/05/21 11:15:39 UTC
Limiting child node access in Jackrabbit 1.5
I want to set access control policies so that a parent node (e.g.
/node) is readable for Everyone, but a child node (/node/childnode) is
only readable for specific principals.
So I grant READ to Everyone on the parent node. This renders /node and
the entire subtree readable for everyone. Next, I want to specify
NO_PRIVILEGES for Everyone on the protected child node, and grant READ
access to a specific user on the child node:
session.getAccessControlManager().addAccessControlEntry("/node", new
PrincipalImpl("everyone"),
PrivilegeRegistry.getPrivileges(PrivilegeRegistry.READ));
session.getAccessControlManager().addAccessControlEntry("/node/childnode",
new PrincipalImpl("everyone"),
PrivilegeRegistry.getPrivileges(PrivilegeRegistry.NO_PRIVILEGE));
session.getAccessControlManager().addAccessControlEntry("/node/childnode",
new PrincipalImpl("specificuser"),
PrivilegeRegistry.getPrivileges(PrivilegeRegistry.READ));
However, this strategy fails on line #2, with the following stacktrace:
org.apache.jackrabbit.api.jsr283.security.AccessControlException
at org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry.getBits(PrivilegeRegistry.java:114)
at org.apache.jackrabbit.core.security.authorization.acl.ACLEditor.addAccessControlEntry(ACLEditor.java:198)
at org.apache.jackrabbit.core.security.DefaultAccessManager.addAccessControlEntry(DefaultAccessManager.java:389)
PrivilegeRegistry.getPrivileges(0) returns an emtpy Privileges[]
array. This causes PrivilegeRegistry.getBits() to throw an exception,
because (PrivilegeRegistry lines 113..115):
if (privileges == null || privileges.length == 0) {
throw new AccessControlException();
}
So is this a bug, or is there another recommended way of achieving my
goal: Having a publicly accessible parent node, and a protected child
node?
--
Vidar S. Ramdal <vi...@idium.no> - http://www.idium.no
Akersgata 16, N-0158 Oslo, Norway
Re: Limiting child node access in Jackrabbit 1.5
Posted by Paco Avila <pa...@git.es>.
I implemented my own access manager to achive this behaviour. And I
created this mixin type:
[mix:accessControlled]
- okm:authUsersRead (string) multiple mandatory
- okm:authUsersWrite (string) multiple mandatory
- okm:authRolesRead (string) multiple mandatory
- okm:authRolesWrite (string) multiple mandatory
El jue, 22-05-2008 a las 09:27 +0200, Vidar Ramdal escribió:
> Does no-one really know how to achieve this?
> Maybe Angela Schreiber, who apparently is doing the
> authentication/authorization work for Jackrabbit 1.5, could give me a
> hint?
> Any information is valuable to me - if it's not possible to do this,
> I'd like to hear that as well.
>
> On Wed, May 21, 2008 at 11:15 AM, Vidar Ramdal <vi...@idium.no> wrote:
> > I want to set access control policies so that a parent node (e.g.
> > /node) is readable for Everyone, but a child node (/node/childnode) is
> > only readable for specific principals.
> >
> > So I grant READ to Everyone on the parent node. This renders /node and
> > the entire subtree readable for everyone. Next, I want to specify
> > NO_PRIVILEGES for Everyone on the protected child node, and grant READ
> > access to a specific user on the child node:
> >
> > session.getAccessControlManager().addAccessControlEntry("/node", new
> > PrincipalImpl("everyone"),
> > PrivilegeRegistry.getPrivileges(PrivilegeRegistry.READ));
> > session.getAccessControlManager().addAccessControlEntry("/node/childnode",
> > new PrincipalImpl("everyone"),
> > PrivilegeRegistry.getPrivileges(PrivilegeRegistry.NO_PRIVILEGE));
> > session.getAccessControlManager().addAccessControlEntry("/node/childnode",
> > new PrincipalImpl("specificuser"),
> > PrivilegeRegistry.getPrivileges(PrivilegeRegistry.READ));
> >
> > However, this strategy fails on line #2, with the following stacktrace:
> > org.apache.jackrabbit.api.jsr283.security.AccessControlException
> > at org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry.getBits(PrivilegeRegistry.java:114)
> > at org.apache.jackrabbit.core.security.authorization.acl.ACLEditor.addAccessControlEntry(ACLEditor.java:198)
> > at org.apache.jackrabbit.core.security.DefaultAccessManager.addAccessControlEntry(DefaultAccessManager.java:389)
> >
> > PrivilegeRegistry.getPrivileges(0) returns an emtpy Privileges[]
> > array. This causes PrivilegeRegistry.getBits() to throw an exception,
> > because (PrivilegeRegistry lines 113..115):
> > if (privileges == null || privileges.length == 0) {
> > throw new AccessControlException();
> > }
> >
> > So is this a bug, or is there another recommended way of achieving my
> > goal: Having a publicly accessible parent node, and a protected child
> > node?
>
>
--
Paco Avila <pa...@git.es>
GIT Consultors
Re: Limiting child node access in Jackrabbit 1.5
Posted by Jukka Zitting <ju...@gmail.com>.
Hi,
On Thu, May 22, 2008 at 10:27 AM, Vidar Ramdal <vi...@idium.no> wrote:
> Does no-one really know how to achieve this?
In Jackrabbit 1.4 you'd need to implement an AccessManager class where
you can control read, write, and remove access to any item in the
repository.
> Maybe Angela Schreiber, who apparently is doing the
> authentication/authorization work for Jackrabbit 1.5, could give me a
> hint?
Jackrabbit 1.5 hasn't been released yet and some of the new access
control stuff is still in flux, so you'll likely get better insight by
asking on the dev@ mailing list.
BR,
Jukka Zitting
Re: Limiting child node access in Jackrabbit 1.5
Posted by Martin Zdila <m....@mwaysolutions.com>.
oh no .. sorry ;-)
On Thu 22. May 2008 09:55:55 Vidar Ramdal wrote:
> On Thu, May 22, 2008 at 9:49 AM, Martin Zdila <m....@mwaysolutions.com>
wrote:
> > final NodeTypeDef ntd = new NodeTypeDef();
> > ntd.setChildNodeDefs(new NodeDefImpl[] {nodeDef});
> > ntd.setName(nodeTypeName);
> > ...
>
> Are you sure you responded to the correct message?
> My question is about access control, not NodeTypes ...
--
Martin Zdila
CTO
M-Way Solutions Slovakia s.r.o.
Letna 27, 040 01 Kosice
Slovakia
tel:+421-908-363-848
mailto:m.zdila@mwaysolutions.com
http://www.mwaysolutions.com
xmpp:zdila@jabbim.sk (Jabber)
skype:m.zdila
Re: Limiting child node access in Jackrabbit 1.5
Posted by Vidar Ramdal <vi...@idium.no>.
On Thu, May 22, 2008 at 9:49 AM, Martin Zdila <m....@mwaysolutions.com> wrote:
> final NodeTypeDef ntd = new NodeTypeDef();
> ntd.setChildNodeDefs(new NodeDefImpl[] {nodeDef});
> ntd.setName(nodeTypeName);
> ...
Are you sure you responded to the correct message?
My question is about access control, not NodeTypes ...
--
Vidar S. Ramdal <vi...@idium.no> - http://www.idium.no
Akersgata 16, N-0158 Oslo, Norway
Re: Limiting child node access in Jackrabbit 1.5
Posted by Martin Zdila <m....@mwaysolutions.com>.
hi
cca
final NodeTypeDef ntd = new NodeTypeDef();
ntd.setChildNodeDefs(new NodeDefImpl[] {nodeDef});
ntd.setName(nodeTypeName);
...
final NodeDefImpl nodeDef = new NodeDefImpl();
nodeDef.setName(name);
nodeDef.setDeclaringNodeType(declaringNodeType);
nodeDef.setDefaultPrimaryType(defPrimType);
nodeDef.setAllowsSameNameSiblings(true);
...
((NodeTypeManagerImpl) workspace.getNodeTypeManager()).getNodeTypeRegistry().registerNodeType(ntd);
cu
On Thu 22. May 2008 09:27:13 Vidar Ramdal wrote:
> Does no-one really know how to achieve this?
> Maybe Angela Schreiber, who apparently is doing the
> authentication/authorization work for Jackrabbit 1.5, could give me a
> hint?
> Any information is valuable to me - if it's not possible to do this,
> I'd like to hear that as well.
>
> On Wed, May 21, 2008 at 11:15 AM, Vidar Ramdal <vi...@idium.no> wrote:
> > I want to set access control policies so that a parent node (e.g.
> > /node) is readable for Everyone, but a child node (/node/childnode) is
> > only readable for specific principals.
> >
> > So I grant READ to Everyone on the parent node. This renders /node and
> > the entire subtree readable for everyone. Next, I want to specify
> > NO_PRIVILEGES for Everyone on the protected child node, and grant READ
> > access to a specific user on the child node:
> >
> > session.getAccessControlManager().addAccessControlEntry("/node", new
> > PrincipalImpl("everyone"),
> > PrivilegeRegistry.getPrivileges(PrivilegeRegistry.READ));
> > session.getAccessControlManager().addAccessControlEntry("/node/childnode"
> >, new PrincipalImpl("everyone"),
> > PrivilegeRegistry.getPrivileges(PrivilegeRegistry.NO_PRIVILEGE));
> > session.getAccessControlManager().addAccessControlEntry("/node/childnode"
> >, new PrincipalImpl("specificuser"),
> > PrivilegeRegistry.getPrivileges(PrivilegeRegistry.READ));
> >
> > However, this strategy fails on line #2, with the following stacktrace:
> > org.apache.jackrabbit.api.jsr283.security.AccessControlException
> > at
> > org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry.getBi
> >ts(PrivilegeRegistry.java:114) at
> > org.apache.jackrabbit.core.security.authorization.acl.ACLEditor.addAccess
> >ControlEntry(ACLEditor.java:198) at
> > org.apache.jackrabbit.core.security.DefaultAccessManager.addAccessControl
> >Entry(DefaultAccessManager.java:389)
> >
> > PrivilegeRegistry.getPrivileges(0) returns an emtpy Privileges[]
> > array. This causes PrivilegeRegistry.getBits() to throw an exception,
> > because (PrivilegeRegistry lines 113..115):
> > if (privileges == null || privileges.length == 0) {
> > throw new AccessControlException();
> > }
> >
> > So is this a bug, or is there another recommended way of achieving my
> > goal: Having a publicly accessible parent node, and a protected child
> > node?
--
Martin Zdila
CTO
M-Way Solutions Slovakia s.r.o.
Letna 27, 040 01 Kosice
Slovakia
tel:+421-908-363-848
mailto:m.zdila@mwaysolutions.com
http://www.mwaysolutions.com
xmpp:zdila@jabbim.sk (Jabber)
skype:m.zdila
Re: Limiting child node access in Jackrabbit 1.5
Posted by Jukka Zitting <ju...@gmail.com>.
Hi,
On Thu, May 22, 2008 at 12:35 PM, Vidar Ramdal <vi...@idium.no> wrote:
>> On Thu, May 22, 2008 at 10:31 AM, Angela Schreiber <an...@day.com> wrote:
>>> the jackrabbit implementation currently allows to
>>> edit a policy obtained through AccessControlManager.getPolicy
>>> and there you may add a DENY ace.
>
> How do I create an instance of an ACE? Both PolicyEntryImpl and
> ACEImpl are package local, as is ACLEditor ...
Could we take this to dev@ please?
BR,
Jukka Zitting
Re: Limiting child node access in Jackrabbit 1.5
Posted by Vidar Ramdal <vi...@idium.no>.
> On Thu, May 22, 2008 at 10:31 AM, Angela Schreiber <an...@day.com> wrote:
>> [...]
>> the jackrabbit implementation currently allows to
>> edit a policy obtained through AccessControlManager.getPolicy
>> and there you may add a DENY ace.
How do I create an instance of an ACE? Both PolicyEntryImpl and
ACEImpl are package local, as is ACLEditor ...
--
Vidar S. Ramdal <vi...@idium.no> - http://www.idium.no
Akersgata 16, N-0158 Oslo, Norway
Re: Limiting child node access in Jackrabbit 1.5
Posted by Vidar Ramdal <vi...@idium.no>.
On Thu, May 22, 2008 at 10:31 AM, Angela Schreiber <an...@day.com> wrote:
> Vidar Ramdal wrote:
>>
>> Does no-one really know how to achieve this?
>> Maybe Angela Schreiber, who apparently is doing the
>> authentication/authorization work for Jackrabbit 1.5, could give me a
>> hint?
> [...]
> the jackrabbit implementation currently allows to
> edit a policy obtained through AccessControlManager.getPolicy
> and there you may add a DENY ace.
Great, that's exactly what I needed.
> but please note (think of this as a bold-red-disclaimer):
>
> as jukka already said the 283 access control is still
> being heavily refactored and consequently the complete
> security code is prone to major changes without any
> further notice. you will have to adjust your code later
> on. that's the only thing i can tell you for sure.
That's perfectly acceptable, I'm only doing a proof-of-concept right
now, and I'll keep updating from the svn repository.
Also thanks to Jukka and Paco for very valuable information.
--
Vidar S. Ramdal <vi...@idium.no> - http://www.idium.no
Akersgata 16, N-0158 Oslo, Norway
Re: Limiting child node access in Jackrabbit 1.5
Posted by Angela Schreiber <an...@day.com>.
Vidar Ramdal wrote:
> Does no-one really know how to achieve this?
> Maybe Angela Schreiber, who apparently is doing the
> authentication/authorization work for Jackrabbit 1.5, could give me a
> hint?
you cannot withdraw permissions by using
session.getAccessControlManager().addAccessControlEntry
since the method is defined to only grant additional
permissions. nor can you grant 'no_privilege' in order
to withdraw permissions.
that is how it was define in the latest version of
JSR 283.
the jackrabbit implementation currently allows to
edit a policy obtained through AccessControlManager.getPolicy
and there you may add a DENY ace.
but please note (think of this as a bold-red-disclaimer):
as jukka already said the 283 access control is still
being heavily refactored and consequently the complete
security code is prone to major changes without any
further notice. you will have to adjust your code later
on. that's the only thing i can tell you for sure.
sorry for the inconvenience.
angela
Re: Limiting child node access in Jackrabbit 1.5
Posted by Vidar Ramdal <vi...@idium.no>.
Does no-one really know how to achieve this?
Maybe Angela Schreiber, who apparently is doing the
authentication/authorization work for Jackrabbit 1.5, could give me a
hint?
Any information is valuable to me - if it's not possible to do this,
I'd like to hear that as well.
On Wed, May 21, 2008 at 11:15 AM, Vidar Ramdal <vi...@idium.no> wrote:
> I want to set access control policies so that a parent node (e.g.
> /node) is readable for Everyone, but a child node (/node/childnode) is
> only readable for specific principals.
>
> So I grant READ to Everyone on the parent node. This renders /node and
> the entire subtree readable for everyone. Next, I want to specify
> NO_PRIVILEGES for Everyone on the protected child node, and grant READ
> access to a specific user on the child node:
>
> session.getAccessControlManager().addAccessControlEntry("/node", new
> PrincipalImpl("everyone"),
> PrivilegeRegistry.getPrivileges(PrivilegeRegistry.READ));
> session.getAccessControlManager().addAccessControlEntry("/node/childnode",
> new PrincipalImpl("everyone"),
> PrivilegeRegistry.getPrivileges(PrivilegeRegistry.NO_PRIVILEGE));
> session.getAccessControlManager().addAccessControlEntry("/node/childnode",
> new PrincipalImpl("specificuser"),
> PrivilegeRegistry.getPrivileges(PrivilegeRegistry.READ));
>
> However, this strategy fails on line #2, with the following stacktrace:
> org.apache.jackrabbit.api.jsr283.security.AccessControlException
> at org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry.getBits(PrivilegeRegistry.java:114)
> at org.apache.jackrabbit.core.security.authorization.acl.ACLEditor.addAccessControlEntry(ACLEditor.java:198)
> at org.apache.jackrabbit.core.security.DefaultAccessManager.addAccessControlEntry(DefaultAccessManager.java:389)
>
> PrivilegeRegistry.getPrivileges(0) returns an emtpy Privileges[]
> array. This causes PrivilegeRegistry.getBits() to throw an exception,
> because (PrivilegeRegistry lines 113..115):
> if (privileges == null || privileges.length == 0) {
> throw new AccessControlException();
> }
>
> So is this a bug, or is there another recommended way of achieving my
> goal: Having a publicly accessible parent node, and a protected child
> node?
--
Vidar S. Ramdal <vi...@idium.no> - http://www.idium.no
Akersgata 16, N-0158 Oslo, Norway