Hi,

I am seeing sporadic exceptions in ACLProvider.ACLPermissions.isReadAllowed() for anonymous users that are preventing anonymous, jcr:read, denied ACEs from working.

When the exception below is reported, the query does not return anything, and isReadAllowed() returns true (negating the ACE).

I am trying to find a pattern to reliably recreate the problem, but I think it might happen if isReadAllowed() is invoked when the query to the node in question is made (as opposed to the session already being in the pool the isReadAllowed() already resolved).


31.10.2009 21:03:30.771 *INFO* [127.0.0.1 [1257023010765] POST /test/authztest/node1257023003/childnode HTTP/1.1] logs/access.log 127.0.0.1 - admin 31/Oct/2009:21:03:30 +0000 "POST /test/authztest/node1257023003/childnode HTTP/1.1" 200 2371 "-" "-"
31.10.2009 21:03:30.776 *INFO* [127.0.0.1 [1257023010775] POST /test/authztest/node1257023003 HTTP/1.1] logs/request.log 31/Oct/2009:21:03:30 +0000 [1004] -> POST /test/authztest/node1257023003 HTTP/1.1

31.10.2009 21:03:30.796 *WARN* [127.0.0.1 [1257023010775] POST /test/authztest/node1257023003 HTTP/1.1] org.apache.jackrabbit.core.query.lucene.QueryResultImpl Exception retrieving Node with UUID: 19c1dcd1-8b3a-4bc3-b28f-92595ac3ee8f: javax.jcr.ItemNotFoundException: 19c1dcd1-8b3a-4bc3-b28f-92595ac3ee8f
^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

31.10.2009 21:03:30.796 *INFO* [127.0.0.1 [1257023010775] POST /test/authztest/node1257023003 HTTP/1.1] org.apache.sling.jcr.jackrabbit.server.impl.security.standard.ACLProvider +++ Is Read Allowed gave true

^^^^^^^^^^ This line records the return value of ACLProvider.ACLPermissions.isReadAllowed()


31.10.2009 21:03:30.801 *WARN* [127.0.0.1 [1257023010775] POST /test/authztest/node1257023003 HTTP/1.1] org.apache.jackrabbit.core.query.lucene.QueryResultImpl Exception retrieving Node with UUID: 19c1dcd1-8b3a-4bc3-b28f-92595ac3ee8f: javax.jcr.ItemNotFoundException: 19c1dcd1-8b3a-4bc3-b28f-92595ac3ee8f
31.10.2009 21:03:30.801 *INFO* [127.0.0.1 [1257023010775] POST /test/authztest/node1257023003 HTTP/1.1] org.apache.sling.jcr.jackrabbit.server.impl.security.standard.ACLProvider +++ Is Read Allowed gave true

I think the marked line indicates that the Query can't retrieve the ACL that says deny anon, and so it assumes that there are no deny ACLs for the set of principals (isReadAllowed = true) and all read access is allowed in that session, the anon session.

Has anyone else experienced this?

Ian
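
The log pattern described in the message above can be searched for mechanically. The following is an added example, not part of the original post and not Sling or Jackrabbit code: it flags requests where a QueryResultImpl ItemNotFoundException is followed, within the same request id, by an ACLProvider line reporting "Is Read Allowed gave true". The function name, the field names and the third sample entry are assumptions made for illustration.

```python
import re

# First two entries are taken from the post; the third is constructed for contrast.
SAMPLE_LOG = """\
31.10.2009 21:03:30.796 *WARN* [127.0.0.1 [1257023010775] POST /test/authztest/node1257023003 HTTP/1.1] org.apache.jackrabbit.core.query.lucene.QueryResultImpl Exception retrieving Node with UUID: 19c1dcd1-8b3a-4bc3-b28f-92595ac3ee8f: javax.jcr.ItemNotFoundException: 19c1dcd1-8b3a-4bc3-b28f-92595ac3ee8f
31.10.2009 21:03:30.796 *INFO* [127.0.0.1 [1257023010775] POST /test/authztest/node1257023003 HTTP/1.1] org.apache.sling.jcr.jackrabbit.server.impl.security.standard.ACLProvider +++ Is Read Allowed gave true
31.10.2009 21:03:31.100 *INFO* [127.0.0.1 [1257023011000] GET /test/authztest/other HTTP/1.1] org.apache.sling.jcr.jackrabbit.server.impl.security.standard.ACLProvider +++ Is Read Allowed gave true
"""

# timestamp, level, [client [request id] request line], logger, message
ENTRY = re.compile(r"^(\S+ \S+) \*(\w+)\* \[\S+ \[(\d+)\] (.*?)\] (\S+) (.*)$")
UUID_FAIL = re.compile(
    r"Exception retrieving Node with UUID: ([0-9a-f-]{36}): "
    r"javax\.jcr\.ItemNotFoundException"
)


def find_fail_open_reads(log_text):
    """Return read grants that directly follow a failed ACL node lookup."""
    pending = {}   # request id -> UUID whose retrieval failed
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # not a log entry in the expected layout
        timestamp, _level, request_id, request, logger, message = m.groups()
        if logger.endswith("QueryResultImpl"):
            failed = UUID_FAIL.search(message)
            if failed:
                pending[request_id] = failed.group(1)
        elif logger.endswith("ACLProvider") and "Is Read Allowed gave" in message:
            # The decision consumes any lookup failure seen for this request.
            uuid = pending.pop(request_id, None)
            if uuid and message.rstrip().endswith("true"):
                findings.append({"timestamp": timestamp, "request_id": request_id,
                                 "request": request, "uuid": uuid})
    return findings


if __name__ == "__main__":
    for finding in find_fail_open_reads(SAMPLE_LOG):
        print(finding)
```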
