Posted to users@jackrabbit.apache.org by "Cech. Ulrich" <Ul...@aeb.de> on 2010/02/22 17:24:26 UTC

UserManagement

Hello to all,

I played around with the "Authentication" methods in JackRabbit.
For a future production environment, I need some hints for following issues:

1. How can I change the password for the admin user? I read that the admin user is important, because JackRabbit otherwise cannot access some system nodes in the repo. But I don't find a property for setting the password. If I look at the implementation, it seems the adminId is equal to the password.
Or would it be an option to set the adminId to some "generated value", so no one could guess this account?
Is there a "best practice"?

2. How do I remove the anonymous account? It is important that only one user can even read his "section", but not other "sections" of the repository, so anonymous would be a security hit, because anonymous can read the whole repository.

3. I don't find a method for reading all "registered" users in the repository. I tried to access the path "/rep:security/rep:authorizables/rep:users" but this node does not exist (or I made some other mistake).

Thanks in advance for any help,
Ulrich


Meet AEB from 2 to 4 March 2010 at LogiMAT in Stuttgart. Hall 5, Stand 407.
Further information and appointment booking at: www.aeb.de/logimat

Re: UserManagement

Posted by Matt Meola <ma...@muztek.net>.
Ian Boston wrote:
> On 22 Feb 2010, at 16:24, Cech. Ulrich wrote:
>
>   
...
>> 3. I don't find a method for reading all "registered" users in the repository. I tried to access the path "/rep:security/rep:authorizables/rep:users" but this node does not exist (or I made some other mistake).
>>     
>
> You have to use the UserManager and the search capabilities in there, /rep:security is protected so a normal session won't be able to get to it.
>   

This begs one further question:  using UserManager.findAuthorizables(),
it requires a String for a property name and a property value, at
least.  How do I use this to find ALL of the users registered in the
repository?  I've tried passing null for the property name, as well as
an empty string.  Both return an iterator with nothing in it.

I'm using Jackrabbit 2.0.0...


-- 
Matt Meola
AF0D


Re: AW: AW: AW: UserManagement

Posted by Felix Meschberger <fm...@gmail.com>.
Hi Ian,

No problem -- and I think, I only found the nitty-gritty problem based
on both your and Angela's posts ...

Regards
Felix

On 24.02.2010 10:13, Ian Boston wrote:
> Ulrich,
> I am glad you got sorted out, in spite of me adding confusion.
> Angela, Felix, 
> Thank you for untangling this one and Sorry, in future I'll resist trying to answer these sort of questions on a train without access to the code base.
> Ian
> On 24 Feb 2010, at 07:53, Cech. Ulrich wrote:
> 
>> Hi,
>>
>> thanks Felix.
>>
>> <[1]
>> http://svn.apache.org/repos/asf/sling/trunk/bundles/jcr/jackrabbit-usermanager/src/main/java/org/apache/sling/jackrabbit/usermanager/impl/post/ChangeUserPasswordServlet.java>
>>
>> Ahh, that looks quite different now ;-). Now everything is clear and worked.
>>
>> Thanks again.
>> Ulrich
>>
>>
> 
> 


Re: AW: AW: AW: UserManagement

Posted by Ian Boston <ie...@tfd.co.uk>.
Ulrich,
I am glad you got sorted out, in spite of me adding confusion.
Angela, Felix, 
Thank you for untangling this one and Sorry, in future I'll resist trying to answer these sort of questions on a train without access to the code base.
Ian
On 24 Feb 2010, at 07:53, Cech. Ulrich wrote:

> Hi,
> 
> thanks Felix.
> 
> <[1]
> http://svn.apache.org/repos/asf/sling/trunk/bundles/jcr/jackrabbit-usermanager/src/main/java/org/apache/sling/jackrabbit/usermanager/impl/post/ChangeUserPasswordServlet.java>
> 
> Ahh, that looks quite different now ;-). Now everything is clear and worked.
> 
> Thanks again.
> Ulrich
> 
> 


AW: AW: AW: UserManagement

Posted by "Cech. Ulrich" <Ul...@aeb.de>.
Hi,

thanks Felix.

<[1]
http://svn.apache.org/repos/asf/sling/trunk/bundles/jcr/jackrabbit-usermanager/src/main/java/org/apache/sling/jackrabbit/usermanager/impl/post/ChangeUserPasswordServlet.java>

Ahh, that looks quite different now ;-). Now everything is clear and worked.

Thanks again.
Ulrich



Re: AW: AW: UserManagement

Posted by Felix Meschberger <fm...@gmail.com>.
Hi,

On 23.02.2010 09:45, Cech. Ulrich wrote:
> Thanks for answering without Eclipse :-))
> 
> I tried to scan the Sling source code for help, but the Sling code uses this snippet to compare the new password with the existing password, so this code should work somehow:
> 
> Value[] pwdProperty = ((User)auth).getProperty("rep:password");

You must be referring to an old version of the Sling Jackrabbit
Usermanager bundle.

As of Jackrabbit 1.6 the rep:password (all rep: namespaced user node
properties, actually) are not exposed as Authorizable properties any
more and thus Sling does not use the rep:password any longer.

See the checkPassword method in [1]

Regards
Felix

(ducks and runs for answering a Sling question on the jackrabbit users
list ...)

[1]
http://svn.apache.org/repos/asf/sling/trunk/bundles/jcr/jackrabbit-usermanager/src/main/java/org/apache/sling/jackrabbit/usermanager/impl/post/ChangeUserPasswordServlet.java

> 
> I am logged in to the repository with the default 'admin' account, so I should have all necessary rights, but this code returned "null" for pwdProperty.
> 
> AccessControlUtil deals with privileges on paths; I don't find any helpful hint for the problem with the user passwords.
> 
> Ok, if "rep:password" is protected, then you will be right that this doesn't work in a findAuthorizables() method.
> If my further problem with the properties of an authorizable is fixed, then I can find another property for getting all registered users in the repository, but as long as these methods only return empty lists, that would be difficult ;-)
> 
> I searched the net, but on this topic there is really a big lack of documentation. If I manage all these problems, I would like to write all these answers in the wiki or make some tutorial on this.
> 
> Perhaps you have some hint later (in the meantime I will start with the ACL topics).
> 
> Thank you very much,
> Ulrich
> 
> 
> 
> -----Original Message-----
> From: Ian Boston [mailto:ianboston@googlemail.com] On behalf of Ian Boston
> Sent: Tuesday, 23 February 2010 10:10
> To: users@jackrabbit.apache.org
> Cc: users@jackrabbit.apache.org
> Subject: Re: AW: UserManagement
> 
>   rep:password is a protected property. Iirc you have to use
> accesscontrolutils to set it. Have a look in the sling/bundles/jcr/
> jackrabbit-accessmanager in apache sling to see an example of how.
> 
> Also I don't think that you can use rep:password in a search.
> Unfortunately eclipse doesn't run on an iPhone so that's from memory ;)
> 
> Ian
> 
> Sent from my iPhone
> 
> On 23 Feb 2010, at 07:17, "Cech. Ulrich" <Ul...@aeb.de> wrote:
> 
>> Hi Ian,
>>
>> thanks for your response.
>>
>> To 1 (changing password):
>> The problem here is that I get the NoSuchElementException while
>> calling:
>> Value[] pwdProperty = ((User)auth).getProperty("rep:password");
>> (copied from the Sling code)
>>
>> If I call:
>> Authorizable a = um.getAuthorizable(userId); // 'um' is the normal
>> UserManager
>> Iterator<String> i = a.getPropertyNames();
>> The resulting iterator is empty, so it seems that there are no
>> properties for the user, which I think is not the case.
>>
>>
>> <You could add an ACL to the root node that denied jcr:all or
>> jcr:read for anonymous ?>
>> Good idea ;-)... shame on me
>>
>>
>> <You have to use the UserManager and the search capabilities in
>> there, /rep:security is protected so a normal session won't be able
>> to get to it.>
>> Like Matt asked in his post, how can we search for "all" existing
>> users. I tried to find for example a special password with
>> "um.findAuthorizables("rep:password", "admin");" for users with
>> password "admin", but this also returned an empty iterator.
>>
>> Thanks again,
>> Ulrich
>>
>>
> 
> 


AW: AW: UserManagement

Posted by "Cech. Ulrich" <Ul...@aeb.de>.
Thanks for answering without Eclipse :-))

I tried to scan the Sling source code for help, but the Sling code uses this snippet to compare the new password with the existing password, so this code should work somehow:

Value[] pwdProperty = ((User)auth).getProperty("rep:password");

I am logged in to the repository with the default 'admin' account, so I should have all necessary rights, but this code returned "null" for pwdProperty.

AccessControlUtil deals with privileges on paths; I don't find any helpful hint for the problem with the user passwords.

Ok, if "rep:password" is protected, then you will be right that this doesn't work in a findAuthorizables() method.
If my further problem with the properties of an authorizable is fixed, then I can find another property for getting all registered users in the repository, but as long as these methods only return empty lists, that would be difficult ;-)

I searched the net, but on this topic there is really a big lack of documentation. If I manage all these problems, I would like to write all these answers in the wiki or make some tutorial on this.

Perhaps you have some hint later (in the meantime I will start with the ACL topics).

Thank you very much,
Ulrich



-----Original Message-----
From: Ian Boston [mailto:ianboston@googlemail.com] On behalf of Ian Boston
Sent: Tuesday, 23 February 2010 10:10
To: users@jackrabbit.apache.org
Cc: users@jackrabbit.apache.org
Subject: Re: AW: UserManagement

  rep:password is a protected property. Iirc you have to use
accesscontrolutils to set it. Have a look in the sling/bundles/jcr/
jackrabbit-accessmanager in apache sling to see an example of how.

Also I don't think that you can use rep:password in a search.
Unfortunately eclipse doesn't run on an iPhone so that's from memory ;)

Ian

Sent from my iPhone

On 23 Feb 2010, at 07:17, "Cech. Ulrich" <Ul...@aeb.de> wrote:

> Hi Ian,
>
> thanks for your response.
>
> To 1 (changing password):
> The problem here is that I get the NoSuchElementException while
> calling:
> Value[] pwdProperty = ((User)auth).getProperty("rep:password");
> (copied from the Sling code)
>
> If I call:
> Authorizable a = um.getAuthorizable(userId); // 'um' is the normal
> UserManager
> Iterator<String> i = a.getPropertyNames();
> The resulting iterator is empty, so it seems that there are no
> properties for the user, which I think is not the case.
>
>
> <You could add an ACL to the root node that denied jcr:all or
> jcr:read for anonymous ?>
> Good idea ;-)... shame on me
>
>
> <You have to use the UserManager and the search capabilities in
> there, /rep:security is protected so a normal session won't be able
> to get to it.>
> Like Matt asked in his post, how can we search for "all" existing
> users. I tried to find for example a special password with
> "um.findAuthorizables("rep:password", "admin");" for users with
> password "admin", but this also returned an empty iterator.
>
> Thanks again,
> Ulrich
>
>


Re: AW: UserManagement

Posted by Ian Boston <ie...@tfd.co.uk>.
  rep:password is a protected property. Iirc you have to use  
accesscontrolutils to set it. Have a look in the sling/bundles/jcr/ 
jackrabbit-accessmanager in apache sling to see an example of how.

Also I don't think that you can use rep:password in a search.  
Unfortunately eclipse doesn't run on an iPhone so that's from memory ;)

Ian

Sent from my iPhone

On 23 Feb 2010, at 07:17, "Cech. Ulrich" <Ul...@aeb.de> wrote:

> Hi Ian,
>
> thanks for your response.
>
> To 1 (changing password):
> The problem here is that I get the NoSuchElementException while
> calling:
> Value[] pwdProperty = ((User)auth).getProperty("rep:password");
> (copied from the Sling code)
>
> If I call:
> Authorizable a = um.getAuthorizable(userId); // 'um' is the normal  
> UserManager
> Iterator<String> i = a.getPropertyNames();
> The resulting iterator is empty, so it seems that there are no
> properties for the user, which I think is not the case.
>
>
> <You could add an ACL to the root node that denied jcr:all or
> jcr:read for anonymous ?>
> Good idea ;-)... shame on me
>
>
> <You have to use the UserManager and the search capabilities in
> there, /rep:security is protected so a normal session won't be able
> to get to it.>
> Like Matt asked in his post, how can we search for "all" existing  
> users. I tried to find for example a special password with  
> "um.findAuthorizables("rep:password", "admin");" for users with  
> password "admin", but this also returned an empty iterator.
>
> Thanks again,
> Ulrich
>
>

AW: UserManagement

Posted by "Cech. Ulrich" <Ul...@aeb.de>.
Hi Ian,

thanks for your response.

To 1 (changing password):
The problem here is that I get the NoSuchElementException while calling:
Value[] pwdProperty = ((User)auth).getProperty("rep:password");
(copied from the Sling code)

If I call:
Authorizable a = um.getAuthorizable(userId); // 'um' is the normal UserManager
Iterator<String> i = a.getPropertyNames();
The resulting iterator is empty, so it seems that there are no properties for the user, which I think is not the case.


<You could add an ACL to the root node that denied jcr:all or jcr:read for anonymous ?>
Good idea ;-)... shame on me


<You have to use the UserManager and the search capabilities in there, /rep:security is protected so a normal session won't be able to get to it.>
Like Matt asked in his post, how can we search for "all" existing users. I tried to find for example a special password with "um.findAuthorizables("rep:password", "admin");" for users with password "admin", but this also returned an empty iterator.

Thanks again,
Ulrich



Re: UserManagement

Posted by Ian Boston <ie...@tfd.co.uk>.
On 22 Feb 2010, at 16:24, Cech. Ulrich wrote:

> Hello to all,
> 
> I played around with the "Authentication" methods in JackRabbit.
> For a future production environment, I need some hints for following issues:
> 
> 1. How can I change the password for the admin user? I read that the admin user is important, because JackRabbit otherwise cannot access some system nodes in the repo. But I don't find a property for setting the password. If I look at the implementation, it seems the adminId is equal to the password.
> Or would it be an option to set the adminId to some "generated value", so no one could guess this account?
> Is there a "best practice"?

In general, where there is an administrative session established internally to the repository, a trusted credential should be used: either a SimpleCredentials with a null password and an attribute, or a Credentials implementation that indicates an administrative login. Obviously there needs to be a LoginModule that understands these objects.

This way it's possible to establish an internal session that does not need a password, and hence you can change the password. If you look at Sling I think you will find that this is what is done there. There were also some threads on the subject [1]

1 http://markmail.org/thread/zqqcjqbne6zcdd5x
2 http://markmail.org/thread/ppvsmacmwnrateca
3 https://issues.apache.org/jira/browse/SLING-1282

> 
> 2. How do I remove the anonymous account? It is important that only one user can even read his "section", but not other "sections" of the repository, so anonymous would be a security hit, because anonymous can read the whole repository.

You could add an ACL to the root node that denied jcr:all or jcr:read for anonymous ?


> 
> 3. I don't find a method for reading all "registered" users in the repository. I tried to access the path "/rep:security/rep:authorizables/rep:users" but this node does not exist (or I made some other mistake).

You have to use the UserManager and the search capabilities in there, /rep:security is protected so a normal session won't be able to get to it.

HTH
Ian


> 
> Thanks in advance for any help,
> Ulrich
> 
> 
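Ian's ACL suggestion, worked through as an added example; this is not code from the thread, from Jackrabbit or from Sling. It assumes the Jackrabbit 2.x API (JackrabbitSession, JackrabbitAccessControlList), a TransientRepository with the stock admin/admin account, that a login with GuestCredentials yields the anonymous session, and that in Jackrabbit's default ACL evaluation a later entry on the same node overrides an earlier one, so the deny appended for the anonymous principal wins over the stock read-allow for everyone. Because those last two points are assumptions, the probe at the end checks the outcome instead of trusting them. An ACL deny also has the property Angela describes later in the thread: the anonymous user is recreated at every start, so deleting it does not stick, while a policy on the root node does.

```java
import java.security.Principal;
import javax.jcr.GuestCredentials;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.core.TransientRepository;

/** Added example: deny jcr:read at the root to the anonymous principal instead of deleting the account. */
public class DenyAnonymousExample {

    /** Returns the modifiable ACL at path: the one already bound there, or a fresh applicable one. */
    static JackrabbitAccessControlList aclFor(AccessControlManager acm, String path)
            throws RepositoryException {
        for (AccessControlPolicy p : acm.getPolicies(path)) {
            if (p instanceof JackrabbitAccessControlList) {
                return (JackrabbitAccessControlList) p;
            }
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof JackrabbitAccessControlList) {
                return (JackrabbitAccessControlList) p;
            }
        }
        throw new RepositoryException("no JackrabbitAccessControlList available at " + path);
    }

    /** Appends a deny entry for the anonymous principal at "/" and saves it. */
    public static void denyAnonymousRead(JackrabbitSession admin) throws RepositoryException {
        Authorizable anon = admin.getUserManager().getAuthorizable("anonymous");
        if (anon == null) {
            return; // nothing to lock out
        }
        Principal principal = anon.getPrincipal();
        AccessControlManager acm = admin.getAccessControlManager();
        JackrabbitAccessControlList acl = aclFor(acm, "/");
        Privilege[] read = new Privilege[] { acm.privilegeFromName(Privilege.JCR_READ) };
        // Assumption: later entries take precedence, so this deny overrides the default allow for "everyone".
        acl.addEntry(principal, read, false); // false = deny
        acm.setPolicy("/", acl);
        admin.save();
    }

    /** Probe: can a guest (anonymous) session still read the root? Assumes GuestCredentials maps to anonymous. */
    public static boolean anonymousCanReadRoot(Repository repository) throws RepositoryException {
        Session guest = repository.login(new GuestCredentials());
        try {
            return guest.hasPermission("/", Session.ACTION_READ);
        } finally {
            guest.logout();
        }
    }

    public static void main(String[] args) throws Exception {
        // TransientRepository creates a default repository in the working directory; admin/admin is the stock account.
        Repository repository = new TransientRepository();
        Session s = repository.login(new SimpleCredentials("admin", "admin".toCharArray()));
        try {
            denyAnonymousRead((JackrabbitSession) s);
        } finally {
            s.logout();
        }
        System.out.println("anonymous can read /: " + anonymousCanReadRoot(repository));
    }
}
```

If the probe still prints true, the evaluation-order assumption does not hold for the repository in use; in that case deny jcr:all, as Ian also suggested, or adjust the existing allow entry for "everyone" rather than appending to it.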


Re: AW: AW: UserManagement

Posted by Angela Schreiber <an...@day.com>.
> Is it right, that the following will yet fail, because the nodes and properties of the security workspace are not directly modifiable?

not quite... the security workspace isn't any different to the other
workspaces. once you obtained a session for that workspace you
can modify items according to the general rules defined by the JCR
API which include that protected items may not be modified using
the general jcr write methods.

the idea of the security workspace was to keep user information only
once for the whole repository. in other words: all workspaces retrieve
the user information from that dedicated workspace.

and one more comment: there is also an alternative implementation that keeps
the user/group information in each workspace.
-> see UserPerWorkspaceSecurityManager.

> Authorizable a = um.getAuthorizable(userId);
> boolean result = a.hasProperty("rep:principalName");

> which results to false.

Authorizable.hasProperty isn't the same as Node.hasProperty.
you could write an UserManagement implementation that doesn't
store users in the repository. it's an implementation detail
that the users pw is stored in a JCR property. the authoriable
properties are meant to be used for additional custom user
attributes... e.g. a display name.

regards
angela

AW: AW: UserManagement

Posted by "Cech. Ulrich" <Ul...@aeb.de>.
<NOTE: depending on your configuration the users may be stored in a separate workspace.>

This was the hint.
I can now log in to the "security workspace" and traverse through that structure:
...
               Node-Name: admin
                  Property-Name: rep:password; {sha1}d033e22ae348aeb5660fc2140aec35850c4da997
                  Property-Name: jcr:uuid; 21232f29-7a57-35a7-8389-4a0e4a801fc3
                  Property-Name: jcr:createdBy; system
                  Property-Name: rep:principalName; admin
                  Property-Name: jcr:created; 2010-02-23T12:29:30.415+01:00
                  Property-Name: jcr:primaryType; rep:User
...

Is it right, that the following will yet fail, because the nodes and properties of the security workspace are not directly modifiable?

Authorizable a = um.getAuthorizable(userId);
boolean result = a.hasProperty("rep:principalName");

which results to false.

Thanks again.
Ulrich




AW: AW: UserManagement

Posted by "Cech. Ulrich" <Ul...@aeb.de>.
<what properties are you talking about?
the API call Authorizable#getProperty et al. only deal with
non-protected JCR properties that are modifiable>

I mean properties like "rep:password" and so on.
I thought, after the post from Ian, that SLING also uses
only standard JackRabbit methods, and there the property
"rep:password" could be read from the User-object via
getProperty();



Re: AW: UserManagement

Posted by Felix Meschberger <fm...@gmail.com>.
Hi Angela,

On 24.02.2010 09:36, Angela Schreiber wrote:
> Felix Meschberger wrote:
>> Hi,
>>
>> On 23.02.2010 11:48, Angela Schreiber wrote:
>>> Cech. Ulrich wrote:
>>>> Hi Angela,
>>>>
>>>> <Authorizable#remove>
>>>> But the next start of the repository, the anonymous account
>>>> is automatically recreated although the anonymous "account"
>>>> is commented out in repository.xml.
>>>> I tried this already. After "restart" of the repository,
>>>> I could login with "anonymous" again. I think this is some
>>>> Build-in functionality of Jackrabbit.
>>> ah yes. that's right... the default always creates the
>>> admin and anonymous user. so you either have to prevent
>>> the anonymous from login (changing pw or change permissions of
>>> the everyone or anonymous principal depending on your ac) or
>>> provide your own security manager that doesn't create the anonymous.
>>
>> How about a functionality to disable users, such that they are prevented from
>> logging in by the LoginModule/UserManager ?
> 
> sure. as you - felix - know that's on my todo list.

Then I must have missed the respective JIRA to give out... Sorry.

> but as
> it isn't implemented yet that's not a solution to offer
> to user asking for help hic et nunc.

It is also less a solution to be offered to the user than a point in
discussion.

Regards
Felix

Re: AW: UserManagement

Posted by Angela Schreiber <an...@day.com>.
Felix Meschberger wrote:
> Hi,
> 
> On 23.02.2010 11:48, Angela Schreiber wrote:
>> Cech. Ulrich wrote:
>>> Hi Angela,
>>>
>>> <Authorizable#remove>
>>> But the next start of the repository, the anonymous account
>>> is automatically recreated although the anonymous "account"
>>> is commented out in repository.xml.
>>> I tried this already. After "restart" of the repository,
>>> I could login with "anonymous" again. I think this is some
>>> Build-in functionality of Jackrabbit.
>> ah yes. that's right... the default always creates the
>> admin and anonymous user. so you either have to prevent
>> the anonymous from login (changing pw or change permissions of
>> the everyone or anonymous principal depending on your ac) or
>> provide your own security manager that doesn't create the anonymous.
> 
> How about a functionality to disable users, such that they are prevented from
> logging in by the LoginModule/UserManager ?

sure. as you - felix - know that's on my todo list. but as
it isn't implemented yet that's not a solution to offer
to user asking for help hic et nunc.

angela


Re: AW: UserManagement

Posted by Felix Meschberger <fm...@gmail.com>.
Hi,

On 23.02.2010 11:48, Angela Schreiber wrote:
> Cech. Ulrich wrote:
>> Hi Angela,
>>
>> <Authorizable#remove>
>> But the next start of the repository, the anonymous account
>> is automatically recreated although the anonymous "account"
>> is commented out in repository.xml.
>> I tried this already. After "restart" of the repository,
>> I could login with "anonymous" again. I think this is some
>> Build-in functionality of Jackrabbit.
> 
> ah yes. that's right... the default always creates the
> admin and anonymous user. so you either have to prevent
> the anonymous from login (changing pw or change permissions of
> the everyone or anonymous principal depending on your ac) or
> provide your own security manager that doesn't create the anonymous.

How about a functionality to disable users, such that they are prevented from
logging in by the LoginModule/UserManager ?

This has a number of advantageous consequences, IMHO:

  * You don't have to set a "dummy" password or set some
    ACLs to lock a user out of the system
  * You quickly prevent access to a user
  * You still have the traces of the user in the system
  * Re-enabling can be done easily
  * No matter what ACL setting such users will not be
    able to access the system anymore -- not even with
    password guessing or impersonation

Regards
Felix

> 
>> <there is no API method for that. but with the user manager
>> implementation in JR it should work with the following...>
>> Ok, that worked. Thanks.
>> But how do you get the properties of an Authorizable?
> 
> what properties are you talking about?
> the API call Authorizable#getProperty et al. only deal with
> non-protected JCR properties that are modifiable by the
> corresponding set methods... for the other props the corresp.
> API calls should be used.
> if you want to look at the properties in the regular item
> hierarchy you have to navigate to the corresponding node.
> NOTE: depending on your configuration the users may be stored
> in a separate workspace.
> 
>> <User#changePassword>
>> Yes, the changing works, but I want to verify the old password
>> Like shown in the SLING-code, 
> 
> but this is the jackrabbit-users list.
> if you want the API to expose a changePw(old, new) method, please
> create a corresponding enhancement request.
> 
>> but the same problem as before,
>> no properties nor the propertyNames are returned to verify
>> against.
> 
> see above.
> 
> regards
> angela
> 

Re: AW: UserManagement

Posted by Angela Schreiber <an...@day.com>.
Cech. Ulrich wrote:
> Hi Angela,
> 
> <Authorizable#remove>
> But the next start of the repository, the anonymous account
> is automatically recreated although the anonymous "account"
> is commented out in repository.xml.
> I tried this already. After "restart" of the repository,
> I could login with "anonymous" again. I think this is some
> Build-in functionality of Jackrabbit.

ah yes. that's right... the default always creates the
admin and anonymous user. so you either have to prevent
the anonymous from login (changing pw or change permissions of
the everyone or anonymous principal depending on your ac) or
provide your own security manager that doesn't create the anonymous.

> <there is no API method for that. but with the user manager
> implementation in JR it should work with the following...>
> Ok, that worked. Thanks.
> But how do you get the properties of an Authorizable?

what properties are you talking about?
the API call Authorizable#getProperty et al. only deal with
non-protected JCR properties that are modifiable by the
corresponding set methods... for the other props the corresp.
API calls should be used.
if you want to look at the properties in the regular item
hierarchy you have to navigate to the corresponding node.
NOTE: depending on your configuration the users may be stored
in a separate workspace.

> <User#changePassword>
> Yes, the changing works, but I want to verify the old password
> Like shown in the SLING-code, 

but this is the jackrabbit-users list.
if you want the API to expose a changePw(old, new) method, please
create a corresponding enhancement request.

> but the same problem as before,
> no properties nor the propertyNames are returned to verify
> against.

see above.

regards
angela

AW: UserManagement

Posted by "Cech. Ulrich" <Ul...@aeb.de>.
Hi Angela,

<Authorizable#remove>
But the next start of the repository, the anonymous account
is automatically recreated although the anonymous "account"
is commented out in repository.xml.
I tried this already. After "restart" of the repository,
I could login with "anonymous" again. I think this is some
Build-in functionality of Jackrabbit.


<there is no API method for that. but with the user manager
implementation in JR it should work with the following...>
Ok, that worked. Thanks.
But how do you get the properties of an Authorizable?


<User#changePassword>
Yes, the changing works, but I want to verify the old password
Like shown in the SLING-code, but the same problem as before,
no properties nor the propertyNames are returned to verify
against.

Thanks for your help.
Ulrich



Re: UserManagement

Posted by Angela Schreiber <an...@day.com>.
> 1. How can I change the password for the admin user? 

User#changePassword

> 2. How do I remove the anonymous account? It is important that only one user can even read his "section", but not other "sections" of the repository, so anonymous would be a security hit, because anonymous can read the whole repository.

Authorizable#remove

> 3. I don't find a method for reading all "registered" users in the repository. I tried to access the path "/rep:security/rep:authorizables/rep:users" but this node does not exist (or I made some other mistake).

there is no API method for that. but with the user manager 
implementation in JR it should work with the following

int type = UserManager.SEARCH_TYPE_USER; // or SEARCH_TYPE_GROUP / SEARCH_TYPE_AUTHORIZABLE
Iterator<Authorizable> it = um.findAuthorizables("rep:principalName", null, type); // um: the session's UserManager

(that's how the default principal provider collects the complete list,
  which from my point of view is a bad thing to do...)

regards
angela
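Angela's three answers put together as an added example; this is not code from the thread, from Jackrabbit or from Sling. It lists every user id with findAuthorizables("rep:principalName", null, SEARCH_TYPE_USER), the call Matt and Ulrich were looking for, and, since the API has no changePassword(old, new), verifies the old password by attempting a login with it before calling User#changePassword. That login probe is a different technique from the credential comparison in the Sling servlet Felix linked; it only relies on the LoginModule, which is the one component that must be able to check a password anyway. Assumed: the Jackrabbit 2.x API, a TransientRepository with the stock admin/admin account, and NEW_ADMIN_PASSWORD as a placeholder environment variable for the new secret.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.jcr.LoginException;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.core.TransientRepository;

/** Added example: enumerate users and rotate a password through the Jackrabbit user management API. */
public class UserAdminExample {

    /** Every user id in the repository (groups excluded). A null value matches any rep:principalName. */
    public static List<String> listUserIds(JackrabbitSession session) throws RepositoryException {
        UserManager um = session.getUserManager();
        Iterator<Authorizable> it =
                um.findAuthorizables("rep:principalName", null, UserManager.SEARCH_TYPE_USER);
        List<String> ids = new ArrayList<String>();
        while (it.hasNext()) {
            ids.add(it.next().getID());
        }
        return ids;
    }

    /** Verifies a password by attempting a login with it; the probe session is closed again immediately. */
    public static boolean passwordIsValid(Repository repository, String userId, String password)
            throws RepositoryException {
        Session probe = null;
        try {
            probe = repository.login(new SimpleCredentials(userId, password.toCharArray()));
            return true;
        } catch (LoginException e) {
            return false;
        } finally {
            if (probe != null) {
                probe.logout();
            }
        }
    }

    /** Rotates a user's password, refusing unless the old password verifies. */
    public static void changePassword(Repository repository, JackrabbitSession adminSession,
            String userId, String oldPassword, String newPassword) throws RepositoryException {
        if (!passwordIsValid(repository, userId, oldPassword)) {
            throw new LoginException("old password does not verify for " + userId);
        }
        Authorizable a = adminSession.getUserManager().getAuthorizable(userId);
        if (a == null || a.isGroup()) {
            throw new IllegalArgumentException("no such user: " + userId);
        }
        ((User) a).changePassword(newPassword);
        // Harmless when the UserManager auto-saves, required when it does not.
        adminSession.save();
    }

    public static void main(String[] args) throws Exception {
        // TransientRepository creates a default repository in the working directory; admin/admin is the stock account.
        Repository repository = new TransientRepository();
        Session s = repository.login(new SimpleCredentials("admin", "admin".toCharArray()));
        try {
            JackrabbitSession admin = (JackrabbitSession) s;
            System.out.println("users: " + listUserIds(admin));
            // Placeholder: the new admin secret comes from the environment, never from source code.
            String newPassword = System.getenv("NEW_ADMIN_PASSWORD");
            if (newPassword != null) {
                changePassword(repository, admin, "admin", "admin", newPassword);
            }
        } finally {
            s.logout();
        }
    }
}
```

The listing call is the one Angela flags as something the default principal provider does and considers a bad idea for large repositories: it walks every user node, so run it from an administrative job rather than per request.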