Posted to users@jackrabbit.apache.org by Joel Feenstra <jr...@gmail.com> on 2010/07/27 15:51:26 UTC
Access control example
Hi,
I'm working on adding some authentication/authorization to our application
which uses Jackrabbit 2.1. How can I best control access to a node (and its
children) so that one user has read/write access to the subtree, but all
other users don't have any access (not even read access).
I've looked at using the principal based ACLProvider, but I can't find any
examples detailing how to actually use it.
Thanks,
Joel
jrfeenst@gmail.com
Re: DefaultAccessManager denies all access?
Posted by Cory Prowse <co...@prowse.com>.
Ok got to the bottom of it by stepping through the running application.
You must have the following config for ACLs to work:
<Security appName="Jackrabbit">
    <SecurityManager class="org.apache.jackrabbit.core.DefaultSecurityManager" workspaceName="security" />
    <AccessManager class="org.apache.jackrabbit.core.security.DefaultAccessManager" />
    <!-- This allows any username to login without password -->
    <LoginModule class="org.apache.jackrabbit.core.security.simple.SimpleLoginModule">
        <!-- Unauthenticated JAAS users are ANONYMOUS -->
        <param name="anonymousId" value="ANONYMOUS" />
        <param name="adminId" value="admin1" />
    </LoginModule>
</Security>
Specifically the DefaultSecurityManager must be selected.
Now I'm just trying to determine why although I have ACLs specifying who can read, other users can read as well.
-- Cory
On 28/07/2010, at 4:08 PM, Cory Prowse wrote:
> Ah it is probably worth mentioning I am deploying the JCA of JackRabbit to Glassfish.
>
> -- Cory
>
> On 28/07/2010, at 3:32 PM, Cory Prowse wrote:
>
>> I too have been struggling with security access in JackRabbit 2.1.0 these past few days.
>>
>> I am attempting a proof of concept which allows adding nodes and specifying which users/groups can view them, so that only the nodes the currently logged in user has access to will be shown.
>>
>> When I attempt to use DefaultAccessManager I get:
>> javax.jcr.AccessDeniedException: cannot read item cafebabe-cafe-babe-cafe-babecafebabe
>>
>> This is my config:
>> <Security appName="Jackrabbit">
>> <!-- <AccessManager class="org.apache.jackrabbit.core.security.simple.SimpleAccessManager" /> -->
>> <AccessManager class="org.apache.jackrabbit.core.security.DefaultAccessManager" />
>>
>> <LoginModule class="org.apache.jackrabbit.core.security.simple.SimpleLoginModule">
>> <param name="anonymousId" value="ANONYMOUS" />
>> </LoginModule>
>> </Security>
>>
>> This exception occurs when I ask the session for the root node.
>>
>> Not quite following how to hook up security properly here, am I doing something obviously wrong?
>>
>> -- Cory
>>
>>
>> On 28/07/2010, at 5:37 AM, Alexander Klimetschek wrote:
>>
>>> I am currently working on a wiki page for that:
>>> http://wiki.apache.org/jackrabbit/AccessControl
>>>
>>> Expect more in the coming days.
>>>
>>> Regards,
>>> Alex
>>>
>>> On Tue, Jul 27, 2010 at 15:51, Joel Feenstra <jr...@gmail.com> wrote:
>>>> Hi,
>>>> I'm working on adding some authentication/authorization to our application
>>>> which uses Jackrabbit 2.1. How can I best control access to a node (and its
>>>> children) so that one user has read/write access to the subtree, but all
>>>> other users don't have any access (not even read access).
>>>>
>>>> I've looked at using the principal based ACLProvider, but I can't find any
>>>> examples detailing how to actually use it.
>>>>
>>>> Thanks,
>>>> Joel
>>>> jrfeenst@gmail.com
>>>>
>>>
>>>
>>>
>>> --
>>> Alexander Klimetschek
>>> alexander.klimetschek@day.com
>>
>
Re: DefaultAccessManager denies all access?
Posted by Cory Prowse <co...@prowse.com>.
Ah it is probably worth mentioning I am deploying the JCA of JackRabbit to Glassfish.
-- Cory
On 28/07/2010, at 3:32 PM, Cory Prowse wrote:
> I too have been struggling with security access in JackRabbit 2.1.0 these past few days.
>
> I am attempting a proof of concept which allows adding nodes and specifying which users/groups can view them, so that only the nodes the currently logged in user has access to will be shown.
>
> When I attempt to use DefaultAccessManager I get:
> javax.jcr.AccessDeniedException: cannot read item cafebabe-cafe-babe-cafe-babecafebabe
>
> This is my config:
> <Security appName="Jackrabbit">
> <!-- <AccessManager class="org.apache.jackrabbit.core.security.simple.SimpleAccessManager" /> -->
> <AccessManager class="org.apache.jackrabbit.core.security.DefaultAccessManager" />
>
> <LoginModule class="org.apache.jackrabbit.core.security.simple.SimpleLoginModule">
> <param name="anonymousId" value="ANONYMOUS" />
> </LoginModule>
> </Security>
>
> This exception occurs when I ask the session for the root node.
>
> Not quite following how to hook up security properly here, am I doing something obviously wrong?
>
> -- Cory
>
>
> On 28/07/2010, at 5:37 AM, Alexander Klimetschek wrote:
>
>> I am currently working on a wiki page for that:
>> http://wiki.apache.org/jackrabbit/AccessControl
>>
>> Expect more in the coming days.
>>
>> Regards,
>> Alex
>>
>> On Tue, Jul 27, 2010 at 15:51, Joel Feenstra <jr...@gmail.com> wrote:
>>> Hi,
>>> I'm working on adding some authentication/authorization to our application
>>> which uses Jackrabbit 2.1. How can I best control access to a node (and its
>>> children) so that one user has read/write access to the subtree, but all
>>> other users don't have any access (not even read access).
>>>
>>> I've looked at using the principal based ACLProvider, but I can't find any
>>> examples detailing how to actually use it.
>>>
>>> Thanks,
>>> Joel
>>> jrfeenst@gmail.com
>>>
>>
>>
>>
>> --
>> Alexander Klimetschek
>> alexander.klimetschek@day.com
>
DefaultAccessManager denies all access?
Posted by Cory Prowse <co...@prowse.com>.
I too have been struggling with security access in JackRabbit 2.1.0 these past few days.
I am attempting a proof of concept which allows adding nodes and specifying which users/groups can view them, so that only the nodes the currently logged in user has access to will be shown.
When I attempt to use DefaultAccessManager I get:
javax.jcr.AccessDeniedException: cannot read item cafebabe-cafe-babe-cafe-babecafebabe
This is my config:
<Security appName="Jackrabbit">
    <!-- <AccessManager class="org.apache.jackrabbit.core.security.simple.SimpleAccessManager" /> -->
    <AccessManager class="org.apache.jackrabbit.core.security.DefaultAccessManager" />
    <LoginModule class="org.apache.jackrabbit.core.security.simple.SimpleLoginModule">
        <param name="anonymousId" value="ANONYMOUS" />
    </LoginModule>
</Security>
This exception occurs when I ask the session for the root node.
Not quite following how to hook up security properly here, am I doing something obviously wrong?
-- Cory
On 28/07/2010, at 5:37 AM, Alexander Klimetschek wrote:
> I am currently working on a wiki page for that:
> http://wiki.apache.org/jackrabbit/AccessControl
>
> Expect more in the coming days.
>
> Regards,
> Alex
>
> On Tue, Jul 27, 2010 at 15:51, Joel Feenstra <jr...@gmail.com> wrote:
>> Hi,
>> I'm working on adding some authentication/authorization to our application
>> which uses Jackrabbit 2.1. How can I best control access to a node (and its
>> children) so that one user has read/write access to the subtree, but all
>> other users don't have any access (not even read access).
>>
>> I've looked at using the principal based ACLProvider, but I can't find any
>> examples detailing how to actually use it.
>>
>> Thanks,
>> Joel
>> jrfeenst@gmail.com
>>
>
>
>
> --
> Alexander Klimetschek
> alexander.klimetschek@day.com
Re: Access control example
Posted by Joel Feenstra <jr...@gmail.com>.
Thanks, I ran across that wiki and thought it was a bit incomplete.
I was able to get it configured so that a user has full access to a
subtree, but I'm not sure how to keep all other users from accessing
that subtree. My code looks something like:
    AccessControlManager acm = session.getAccessControlManager();
    AccessControlPolicyIterator it = acm.getApplicablePolicies(homeNode.getPath());
    if (it.hasNext()) {
        AccessControlPolicy policy = it.nextAccessControlPolicy();
        if (policy instanceof AccessControlList) {
            Privilege[] privileges = new Privilege[1];
            privileges[0] = acm.privilegeFromName(Privilege.JCR_ALL);
            ((AccessControlList) policy).addAccessControlEntry(user.getPrincipal(), privileges);
            acm.setPolicy(homeNode.getPath(), policy);
        }
    }
    session.save();
Where "homeNode" is the node that "user" needs full access to but all
others should have no access to.
Thanks,
Joel
On Tue, Jul 27, 2010 at 3:37 PM, Alexander Klimetschek <ak...@day.com> wrote:
>
> I am currently working on a wiki page for that:
> http://wiki.apache.org/jackrabbit/AccessControl
>
> Expect more in the coming days.
>
> Regards,
> Alex
>
> On Tue, Jul 27, 2010 at 15:51, Joel Feenstra <jr...@gmail.com> wrote:
> > Hi,
> > I'm working on adding some authentication/authorization to our application
> > which uses Jackrabbit 2.1. How can I best control access to a node (and its
> > children) so that one user has read/write access to the subtree, but all
> > other users don't have any access (not even read access).
> >
> > I've looked at using the principal based ACLProvider, but I can't find any
> > examples detailing how to actually use it.
> >
> > Thanks,
> > Joel
> > jrfeenst@gmail.com
> >
>
>
>
> --
> Alexander Klimetschek
> alexander.klimetschek@day.com
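Added example, not part of the original thread and not Jackrabbit's own code: one way to give a single principal full access to a subtree while denying everyone else, using an explicit deny entry for EveryonePrincipal through JackrabbitAccessControlList.addEntry. The names SubtreeLockdown, findAcl, restrictTo and visibleTo are hypothetical; it assumes the DefaultSecurityManager/DefaultAccessManager configuration posted in this thread, an admin session for the edit, and that the owner's allow entry takes effect over the deny for everyone, which the final check is there to confirm.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.core.security.principal.EveryonePrincipal;

/** Hypothetical helper (added example), not part of Jackrabbit. */
public final class SubtreeLockdown {

    /** Returns the editable ACL for path, whether or not one is already set. */
    static JackrabbitAccessControlList findAcl(AccessControlManager acm, String path)
            throws RepositoryException {
        // getApplicablePolicies() lists only policies not yet set on the node.
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof JackrabbitAccessControlList) {
                return (JackrabbitAccessControlList) p;
            }
        }
        // An ACL set earlier comes back from getPolicies() instead.
        for (AccessControlPolicy p : acm.getPolicies(path)) {
            if (p instanceof JackrabbitAccessControlList) {
                return (JackrabbitAccessControlList) p;
            }
        }
        throw new RepositoryException("no editable ACL at " + path);
    }

    /** Denies jcr:all to everyone on path, then allows it for owner. */
    public static void restrictTo(Session admin, String path, Principal owner)
            throws RepositoryException {
        AccessControlManager acm = admin.getAccessControlManager();
        JackrabbitAccessControlList acl = findAcl(acm, path);
        Privilege[] all = { acm.privilegeFromName(Privilege.JCR_ALL) };
        acl.addEntry(EveryonePrincipal.getInstance(), all, false); // deny
        acl.addEntry(owner, all, true);                            // allow
        acm.setPolicy(path, acl);
        admin.save();
    }

    /** Check with a session of another non-admin user: expect false. */
    public static boolean visibleTo(Session other, String path) throws RepositoryException {
        return other.nodeExists(path);
    }
}
```

Run visibleTo with a session that is neither the owner nor the configured adminId, since the admin user is not restricted by these entries.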
Re: Access control example
Posted by Alexander Klimetschek <ak...@day.com>.
I am currently working on a wiki page for that:
http://wiki.apache.org/jackrabbit/AccessControl
Expect more in the coming days.
Regards,
Alex
On Tue, Jul 27, 2010 at 15:51, Joel Feenstra <jr...@gmail.com> wrote:
> Hi,
> I'm working on adding some authentication/authorization to our application
> which uses Jackrabbit 2.1. How can I best control access to a node (and its
> children) so that one user has read/write access to the subtree, but all
> other users don't have any access (not even read access).
>
> I've looked at using the principal based ACLProvider, but I can't find any
> examples detailing how to actually use it.
>
> Thanks,
> Joel
> jrfeenst@gmail.com
>
--
Alexander Klimetschek
alexander.klimetschek@day.com