Hi,

I'm working with Francesco Ancona and we are using Jackrabbit OAK.
I have a problem using ACL restrictions with OAK 1.4.0.
I'm using the JCR repository (javax.jcr.Repository interface) and not the OAK Content Repository. When I try to apply a restriction using rep:glob as the key and the empty string as the value in the restrictions map, it does not work as I expected.

As specified in the OAK documentation (http://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html), if we have a node with path /foo and we try to give the read permission to a principal, if we use global restriction with empty string we can apply the permission for the principal only to the /foo node.

I tried to do that: the restriction provider correctly writes the restriction in my repository data storage, but the system simply ignores the applied ACL.


Using rep:glob

For a nodePath /foo the following results can be expected for the different values of rep:glob.

rep:glob   Result
""         matches node /foo only
/cat       the node /foo/cat and all its children
/cat/      the descendants of the node /foo/cat
cat        the node /foocat and all its children
cat/       all descendants of the node /foocat
*          foo, siblings of foo and their descendants
/*cat      all children of /foo whose path ends with ‘cat’
/*/cat     all non-direct descendants of /foo named ‘cat’
/cat*      all descendant path of /foo that have the direct foo-descendant segment starting with ‘cat’
*cat       all siblings and descendants of foo that have a name ending with ‘cat’
*/cat      all descendants of /foo and foo’s siblings that have a name segment ‘cat’
cat/*      all descendants of ‘/foocat’
/cat/*     all descendants of ‘/foo/cat’
*cat/*     all descendants of /foo that have an intermediate segment ending with ‘cat’



This is my code:

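import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.jcr.PropertyType;
import javax.jcr.RepositoryException;
import javax.jcr.Value;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;

protected void applyRestriction(final JackrabbitSession session, final Principal principal,
        final String path, final Privilege[] privileges, final boolean allow,
        final boolean propagate) throws RepositoryException {
    AccessControlManager acMgr = session.getAccessControlManager();
    JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, path);

    Map<String, Value> restrictions = new HashMap<String, Value>();
    if (!propagate) {
        // The rep:glob "" restriction is only added when propagate is false.
        restrictions.put(AccessControlConstants.REP_GLOB,
                session.getValueFactory().createValue("", PropertyType.STRING));
    }
    acl.addEntry(principal, privileges, allow, restrictions);
    acMgr.setPolicy(path, acl);
    session.save();
}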

and this is the call:
applyRestriction(session, readerGroup.getPrincipal(),"/foo", AccessControlUtils.privilegesFromNames(session.getAccessControlManager(), PrivilegeConstants.JCR_READ), true, true);

I have found this issue that is similar to my problem but it's closed. https://issues.apache.org/jira/browse/OAK-2412

Can you help me?

Thanks in advance.

Gianluca Soffredini
Project Manager
Metaframe SPS S.r.l.
Via Toniolo, 13
30030 Vigonovo(VE)
mobile: +39 3342235291
email: [email protected] <mailto:[email protected]>
SKYPE ID: gianlucas72
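
The matching rules from the rep:glob table quoted in the message, written out as a small stand-alone Java model so the paths covered by a restricted entry can be checked before it is applied. This is an added example, not part of the original message and not Oak's own code: the class and method names are hypothetical, the sample paths are constructed, and it assumes the glob is appended to the node path with '*' standing for any run of characters, '/' included.

```java
/** Simplified model of the rep:glob rules in the quoted table (not Oak's implementation). */
public class RepGlobModel {

    /** True if an entry bound at nodePath with the given glob covers targetPath. */
    static boolean covers(String nodePath, String glob, String targetPath) {
        if (glob.isEmpty()) {
            return targetPath.equals(nodePath);       // "": the node itself only
        }
        String pattern = nodePath + glob;             // the glob is appended to the node path
        if (glob.indexOf('*') < 0) {
            // No wildcard: the concatenated path itself and everything below it.
            String prefix = pattern.endsWith("/") ? pattern : pattern + "/";
            return targetPath.equals(pattern) || targetPath.startsWith(prefix);
        }
        return wildcard(pattern, 0, targetPath, 0);
    }

    /** Whole-string match in which '*' stands for any run of characters, including '/'. */
    private static boolean wildcard(String p, int pi, String s, int si) {
        if (pi == p.length()) {
            return si == s.length();
        }
        if (p.charAt(pi) == '*') {
            for (int k = si; k <= s.length(); k++) {
                if (wildcard(p, pi + 1, s, k)) {
                    return true;
                }
            }
            return false;
        }
        return si < s.length() && p.charAt(pi) == s.charAt(si)
                && wildcard(p, pi + 1, s, si + 1);
    }

    public static void main(String[] args) {
        // Constructed sample paths; /foo is the node that carries the ACL.
        String[] paths = {"/foo", "/foo/jcr:primaryType", "/foo/cat",
                          "/foo/cat/kitten", "/foocat", "/foo/a/cat", "/bar"};
        String[] globs = {"", "/cat", "/cat/", "cat", "/*cat", "/*/cat"};
        for (String glob : globs) {
            StringBuilder covered = new StringBuilder();
            for (String path : paths) {
                if (covers("/foo", glob, path)) {
                    covered.append(' ').append(path);
                }
            }
            System.out.printf("rep:glob \"%s\" ->%s%n", glob, covered);
        }
    }
}
```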