Re: Usecases around Binary handling in Oak

Wed, 07 Sep 2016 13:56:04 -0700 

Hi everyone,

late to the gameā€¦ back from a long leave :) I just wanted to chime in the 
security discussion.

Please be aware that the ReferenceBinary interface [1] exists today (I haven't 
seen that mentioned in this or the previous thread, please excuse if I missed 
it). It has a String getReference() method which in case of a filedata store 
will include the hash, from which you can calculate the file location. We have 
actively used this in a performance optimization as described in the use case 
as described by Chetan. See [2] for some code showcasing it.

Yes, this requires knowing an implementation detail (and we fall back to using 
the JCR binary interface in case the file cannot be found), but if you think 
there is a security issue, it exists in Jackrabbit/Oak already.

I do understand the performance problem, which can be a big one, so finding a 
secure solution would be great. The important case is IMO about bridging 
non-JCR-API capable application (say imagemagick, S3 URLs/browsers etc.), which 
cannot be rewritten to use the JCR API, with the file data store, and IIUC 
readonly access is fine (UC1 mostly).

Cheers,
Alex

[1] 
https://jackrabbit.apache.org/api/2.6/org/apache/jackrabbit/api/ReferenceBinary.html

[2] sample code

    public static File getDataStoreRef(Node ntFile) throws RepositoryException {
        if (ntFile.hasProperty(PN_FILE_DATA)) {
            Property property = ntFile.getProperty(PN_FILE_DATA);
            if (property.getType() == PropertyType.BINARY) {
                Binary binary = property.getBinary();
                if (binary instanceof ReferenceBinary) {
                    String ref = ((ReferenceBinary) binary).getReference();
                    // oak reference is "hash:something"
                    ref = StringUtils.substringBefore(ref, ":");
                    if (ref == null) {
                        // This happens when asset has been created before file 
datastore option was configured
                        // Looks like rendition data is not being extracted for 
existing assets
                        return null;
                    }
                    // hash to datastore file structure - from Jackrabbit 
FileDataStore
                    File file = new File(ref.substring(0, 2));
                    file = new File(file, ref.substring(2, 4));
                    file = new File(file, ref.substring(4, 6));
                    file = new File(file, ref);
                    return file;
                }
            }
        }
        return null;
    }

Reply via email to