Posted to slide-user@jakarta.apache.org by Carlos Proal <ca...@mail.udlap.mx> on 2005/07/15 21:09:27 UTC
Re: ACL problem
Ok, I just commented out in Domain.xml the default permissions for all users
for /files:
<objectnode classname="org.apache.slide.structure.SubjectNode"
uri="/files">
<permission action="all" subject="unauthenticated" inheritable="true"/>
<!--<permission action="/actions/write" subject="/roles/user" inheritable="true"/>-->
<permission action="/actions/read-acl" subject="owner" inheritable="true"/>
</objectnode>
Now, every time I create a new folder under /files I specify the proper
permissions (i.e. deny all for /slide/roles/user and grant all to the
"owner" /slide/users/usernamehere; remember that the order is very
important, first match = rule applied, so verify the right order with a
WebDAV client).
I wrote "owner" because in my case the real owner is
always /slide/users/root, but the "fake" owner is the one which has all
permissions granted.
FYI, I'm not denying "read" to everybody in /files, so this way a user
with several folders under /files can list all of them without a
problem.
Hope this helps
Carlos
On Wed, 2005-07-13 at 09:46 +0700, gaLihhari wrote:
> Hi Carlos,
>
> Now I'm getting the same problem as you were.
> May I ask you to give me some example of how to remove read access for
> everybody in /slide/files?
>
>
> I've tried to remove the privileges of /roles/user but it makes everybody
> unable to access it, even root.
>
>
> Any suggestion?
>
> Thanks,
>
>
>
> > hi all.
> >
> > I'm developing my first WebDAV application so I'm a total newbie at this.
> > Basically it is a scholar module where I want to create folders for each
> > subject; the teacher must have full access (read & write) and the
> > students read only, but importantly: restricted to his/her courses.
> >
> > Let me review what i have done:
> >
> > For instance, the default configuration allows everybody to write inside
> > the "files" directory, so I have removed this.
> >
> > The root user is part of the users role, and I think that is not desirable
> > in my case because root must have full access to everything, and if I use
> > some deny involving the users role, root will be affected too; so I
> > removed root from the users role.
> >
> > I have created a folder for MA123 (Math) as root and gave full access
> > to john; now john can read and write in his folder perfectly, but there
> > still remains a problem: everybody has read access* to MA123 (yeah, I have
> > a copyright issue), so how can I deny read access to everybody else except
> > john and his students? I suppose there must be a way to do a deny all
> > and then grant the students (individually or by group).
> >
> > *By default everybody has read access from "/", apparently because a
> > user needs to read roles/actions, but it is inherited by "files" and I
> > can't get rid of it, because several errors appear if I do it.
> >
> > ACL for /slide/files/MA123:
> > ------------------------------------------------------------
> > granted to /slide/users/john (not protected) (not inherited)
> > DAV:all
> > granted to unauthenticated (not protected) (inherited from
> > '/slide/files')
> > DAV:all
> > granted to property (not protected) (inherited from '/slide/files')
> > DAV:read-acl
> > granted to /slide/roles/root (not protected) (inherited from
> > '/slide/')
> > DAV:all
> > denied to all (not protected) (inherited from '/slide/')
> > DAV:read-acl
> > DAV:write-acl
> > DAV:unlock
> > granted to /slide/roles/user (not protected) (inherited from
> > '/slide/')
> > DAV:read
> > ------------------------------------------------------------
> >
> > Any ideas on how I can configure the right ACLs?
> >
> > thanks in advance
> > Carlos
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: slide-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: slide-user-help@jakarta.apache.org
> >
> >
>
>
>
>
>
> --
> Galih Hari Wibowo
> Lab IBS - Teknik Informatika ITS
>
>
> YM : gaLihhari
> Em@il : gaLihhari@inf.its-sby.edu
Re: acl question
Posted by Ke...@sybase.com.
If User A is in Accounting and User B is in Engineering, I do not want them
to be able to see the same files, but I want them both to be able to write
to and have full access to files within their own roles.
From: "Jacob Lund" <jl@qualiware.net>
To: "Slide Users Mailing List" <sl...@jakarta.apache.org>
Date: 07/21/2005 03:34 AM
Subject: Re: acl question
Please respond to: "Slide Users Mailing List" <slide-user@jakarta.apache.org>
Hi Kevin!
Maybe I missed something. But if you have "allow all" to authenticated users,
then why should your case with user A and B not be allowed?
/jacob
----- Original Message -----
From: <Ke...@sybase.com>
To: "Slide Users Mailing List" <sl...@jakarta.apache.org>
Sent: Thursday, July 21, 2005 1:19 AM
Subject: acl question
> In my domain.xml I have set up permissions such that under "/" all can
> read-acl, write-acl, unlock and read (the default)
> <permission action="/actions/read-acl" subject="all" inheritable="true"
> negative="true"/>
> <permission action="/actions/write-acl" subject="all" inheritable="true"
> negative="true"/>
> <permission action="/actions/unlock" subject="all" inheritable="true"
> negative="true"/>
> <permission action="/actions/read" subject="all" inheritable="true"/>
>
> Under "/files" I have set up permissions such that anyone authenticated can
> do anything, write if authenticated (although redundant I think),
>
> and the owner can read-acl (also redundant?)
>
> <permission action="all" subject="authenticated" inheritable="true"/>
> <permission action="/actions/write" subject="authenticated" inheritable=
> "true"/>
> <permission action="/actions/read-acl" subject="owner" inheritable="true"
> />
>
> I am using the JNDIPrincipalStore for users and roles so this is all I have
> in the domain.xml (default from the JNDI example):
>
> <objectnode classname=
> "org.apache.slide.structure.SubjectNode" uri="/users">
> <permission action="all" subject="self"
> inheritable="true"/>
> <permission action="all" subject=
> "authenticated" inheritable="true" negative="true"/>
> </objectnode>
> <objectnode classname=
> "org.apache.slide.structure.SubjectNode" uri="/roles">
> <permission action="all" subject="self"
> inheritable="true"/>
> <permission action="all" subject=
> "authenticated" inheritable="true" negative="true"/>
> </objectnode>
>
> User A authenticates and writes file X to the WebDAV server.
>
> User B authenticates and changes the contents of file X on the server.
>
> The problem is that user A and user B belong to different roles and should
> not be able to do this.
>
> How or where do I define this restriction?
>
> Thanks
>
>
Re: acl question
Posted by Jacob Lund <jl...@qualiware.net>.
Hi Kevin!
Maybe I missed something. But if you have "allow all" to authenticated users,
then why should your case with user A and B not be allowed?
/jacob
----- Original Message -----
From: <Ke...@sybase.com>
To: "Slide Users Mailing List" <sl...@jakarta.apache.org>
Sent: Thursday, July 21, 2005 1:19 AM
Subject: acl question
> In my domain.xml I have set up permissions such that under "/" all can
> read-acl, write-acl, unlock and read (the default)
> <permission action="/actions/read-acl" subject="all" inheritable="true"
> negative="true"/>
> <permission action="/actions/write-acl" subject="all" inheritable="true"
> negative="true"/>
> <permission action="/actions/unlock" subject="all" inheritable="true"
> negative="true"/>
> <permission action="/actions/read" subject="all" inheritable="true"/>
>
> Under "/files" I have set up permissions such that anyone authenticated can
> do anything, write if authenticated (although redundant I think),
>
> and the owner can read-acl (also redundant?)
>
> <permission action="all" subject="authenticated" inheritable="true"/>
> <permission action="/actions/write" subject="authenticated" inheritable=
> "true"/>
> <permission action="/actions/read-acl" subject="owner" inheritable="true"
> />
>
> I am using the JNDIPrincipalStore for users and roles so this is all I have
> in the domain.xml (default from the JNDI example):
>
> <objectnode classname=
> "org.apache.slide.structure.SubjectNode" uri="/users">
> <permission action="all" subject="self"
> inheritable="true"/>
> <permission action="all" subject=
> "authenticated" inheritable="true" negative="true"/>
> </objectnode>
> <objectnode classname=
> "org.apache.slide.structure.SubjectNode" uri="/roles">
> <permission action="all" subject="self"
> inheritable="true"/>
> <permission action="all" subject=
> "authenticated" inheritable="true" negative="true"/>
> </objectnode>
>
> User A authenticates and writes file X to the WebDAV server.
>
> User B authenticates and changes the contents of file X on the server.
>
> The problem is that user A and user B belong to different roles and should
> not be able to do this.
>
> How or where do I define this restriction?
>
> Thanks
>
>
JNDI and OpenLDAP access
Posted by Ke...@sybase.com.
This is a question for people who have implemented the
JNDIPrincipalStore/LDAP (OpenLDAP) combination.
What do you have defined in your slapd.conf?
I am looking for some examples; I have the following but it is too
restrictive and does not allow access.
access to attr=userpassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by users read
        by * none
If I have the normal access open to all it works:
access to *
        by * read
acl question
Posted by Ke...@sybase.com.
In my domain.xml I have set up permissions such that under "/" all can
read-acl, write-acl, unlock and read (the default)
<permission action="/actions/read-acl" subject="all" inheritable="true"
negative="true"/>
<permission action="/actions/write-acl" subject="all" inheritable="true"
negative="true"/>
<permission action="/actions/unlock" subject="all" inheritable="true"
negative="true"/>
<permission action="/actions/read" subject="all" inheritable="true"/>
Under "/files" I have set up permissions such that anyone authenticated can
do anything, write if authenticated (although redundant I think),
and the owner can read-acl (also redundant?)
<permission action="all" subject="authenticated" inheritable="true"/>
<permission action="/actions/write" subject="authenticated" inheritable=
"true"/>
<permission action="/actions/read-acl" subject="owner" inheritable="true"
/>
I am using the JNDIPrincipalStore for users and roles so this is all I have
in the domain.xml (default from the JNDI example):
<objectnode classname=
"org.apache.slide.structure.SubjectNode" uri="/users">
<permission action="all" subject="self"
inheritable="true"/>
<permission action="all" subject=
"authenticated" inheritable="true" negative="true"/>
</objectnode>
<objectnode classname=
"org.apache.slide.structure.SubjectNode" uri="/roles">
<permission action="all" subject="self"
inheritable="true"/>
<permission action="all" subject=
"authenticated" inheritable="true" negative="true"/>
</objectnode>
User A authenticates and writes file X to the WebDAV server.
User B authenticates and changes the contents of file X on the server.
The problem is that user A and user B belong to different roles and should not
be able to do this.
How or where do I define this restriction?
Thanks
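Both ACL threads on this page turn on the rule Carlos states in the MA123 thread: Slide checks permissions in order, a resource's own permissions before the inheritable ones from its ancestors, and the first match decides. The script below is an added example for this page, not code from Apache Slide, Carlos or Kevin. It is a small model of that ordered first-match evaluation, run over the ACL listing from the MA123 thread and over the "/files" setup from the acl question thread. The subject matcher, the path walk, and the principals and roles it uses (john, alice, mallory, root, users a and b, /roles/accounting, /roles/engineering) are constructed assumptions, not Slide's real resolver; use it to reason about an ordering before writing it into domain.xml, then confirm on the server with a WebDAV client, as Carlos advises.

```python
"""Ordered first-match ACL evaluation in the style of Slide's domain.xml.

Added example for this page, not code from Apache Slide or from any poster.
Modelled: local permissions are checked before inheritable ones from each
ancestor (nearest first); the first permission whose subject and action apply
decides; negative="true" denies; no match means deny. Subject matching and
every URI, user and role below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional

ANONYMOUS: Optional[str] = None  # principal name of an unauthenticated request

@dataclass(frozen=True)
class Perm:
    subject: str            # "all", "authenticated", "unauthenticated", "owner", role/user URI
    action: str             # "all", "read", "write", "read-acl", ...
    negative: bool = False  # True means deny
    inheritable: bool = True

@dataclass(frozen=True)
class Principal:
    name: Optional[str]             # "/slide/users/john" or ANONYMOUS
    roles: frozenset = frozenset()  # e.g. {"/slide/roles/user"}

class Tree:
    """uri -> (owner, ordered permissions); ancestors are found by path prefix."""

    def __init__(self) -> None:
        self.nodes: dict = {}

    def put(self, uri: str, perms: list, owner: Optional[str] = None) -> None:
        self.nodes[uri] = (owner, list(perms))

    def effective(self, uri: str) -> list:
        out, node, local = [], uri, True
        while node:  # "/slide/files/MA123" -> "/slide/files" -> "/slide" -> ""
            _, perms = self.nodes.get(node, (None, []))
            out += [p for p in perms if local or p.inheritable]
            node, local = node.rsplit("/", 1)[0], False
        return out

    def owner_of(self, uri: str) -> Optional[str]:
        return self.nodes.get(uri, (None, []))[0]

def subject_matches(subject: str, who: Principal, owner: Optional[str]) -> bool:
    if subject == "all":
        return True
    if subject == "authenticated":
        return who.name is not None
    if subject == "unauthenticated":
        return who.name is None
    if subject == "owner":
        return who.name is not None and who.name == owner
    if "/roles/" in subject:
        return subject in who.roles
    return subject == who.name

def allowed(tree: Tree, who: Principal, uri: str, action: str) -> bool:
    """First applicable permission wins; an action of "all" covers everything."""
    owner = tree.owner_of(uri)
    for p in tree.effective(uri):
        if subject_matches(p.subject, who, owner) and p.action in ("all", action):
            return not p.negative
    return False

def slide_root_acl() -> list:
    """The '/slide' permissions from the MA123 thread's ACL listing, in listed order."""
    return [Perm("/slide/roles/root", "all"),
            Perm("all", "read-acl", negative=True),
            Perm("all", "write-acl", negative=True),
            Perm("all", "unlock", negative=True),
            Perm("/slide/roles/user", "read")]

def course_tree(ma123_perms: list) -> Tree:
    """MA123 thread: default-style /files ACL, course folder owned by root."""
    t = Tree()
    t.put("/slide", slide_root_acl())
    t.put("/slide/files", [Perm("unauthenticated", "all"), Perm("owner", "read-acl")])
    t.put("/slide/files/MA123", ma123_perms, owner="/slide/users/root")
    return t

def role_tree(accounting_perms: list) -> Tree:
    """acl question thread: 'authenticated' has all on /files; one per-role folder."""
    t = Tree()
    t.put("/slide", slide_root_acl())
    t.put("/slide/files", [Perm("authenticated", "all"), Perm("authenticated", "write"),
                           Perm("owner", "read-acl")])
    t.put("/slide/files/accounting", accounting_perms)
    return t

if __name__ == "__main__":
    john = Principal("/slide/users/john", frozenset({"/slide/roles/user"}))
    deny_first = [Perm("/slide/roles/user", "all", negative=True), Perm("/slide/users/john", "all")]
    grant_first = list(reversed(deny_first))
    for label, perms in (("deny then grant", deny_first), ("grant then deny", grant_first)):
        print(label, "/ john write:", allowed(course_tree(perms), john, "/slide/files/MA123", "write"))
    print("grant then deny / anonymous read:",
          allowed(course_tree(grant_first), Principal(ANONYMOUS), "/slide/files/MA123", "read"))
```

Three things fall out of running it. On the MA123 listing as posted, every member of /slide/roles/user can read the folder through the "read" inherited from "/slide", and the "unauthenticated" grant inherited from "/slide/files" applies to anonymous requests as well, so a local deny for the users role is not enough on its own: the teacher's and the students' grants must be placed before that deny, or the first match locks the teacher out, and anonymous access stays open unless the folder also denies "unauthenticated". In the acl question setup, the "authenticated" grant on "/files" is what lets user B modify user A's file; a per-role subfolder with a local "negative" permission for "authenticated" after the role's grant fixes that, but the same deny also catches root, whose grant is only inherited from the namespace root, so a grant for the root role has to come first in that folder's list, which is exactly the interaction Carlos hit.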
WebdavResource clarification
Posted by Ke...@sybase.com.
Could someone help explain the difference (pros and cons) between the
following two ways of getting a WebdavResource to work with?
Is one faster than the other, does one have more overhead, ...?
1. HttpURL httpUrl = new HttpURL("http://localhost:16080/slide/files");
   httpUrl.setUserinfo(JAASSecurityUtil.getUsername(), "operator");
   WebdavResource wr = new WebdavResource(httpUrl);
2. Context ic = new InitialContext();
   WebDAVConnectionFactory _factory = (WebDAVConnectionFactory)
       ic.lookup("java:comp/env/WebDAV-Connector");
   WebDAVConnectionSpec _spec = new WebDAVConnectionSpec(host,
       JAASSecurityUtil.getUsername(), "", timeout);
   WebDAVConnection conn = _factory.getConnection(_spec);
   WebdavResource wr = conn.getWebdavResource();
The first one I can use in both a webapp and a java client app.
The second one I was only able to figure out how to use in a webapp.