Hi again,

I got the answer from the slide-devel mailing list.
Slide checks the write permission against the URI of the resource that is about to be created (e.g. /files/test/acl/toto), not against the parent collection. Because that resource does not exist yet, the only permissions that can apply to it are the ones inherited from its parent, so the write grant on the parent has to be inheritable for a child to be created there.
It did not seem "logical" to me at first, but now it is clear.

Regards,

Thomas

Thomas Bellembois wrote:

Hi Maximo,

I have tried reinstalling a new Slide 2.1.
It does not work. :-(
Only an inheritable write permission works.
When I try to create a directory "toto" in /files/test/acl with the user "bourges" I have the following message in debug mode : org.apache.slide.security.AccessDeniedException: Access denied on /files/test/acl/toto by user /users/bourges for action /actions/write

Apparently Slide checks permissions for the resource to be created... This could explain why a write >inheritable< permission is required.
Strange, isn't it?

I use an LDAP directory for /users, a J2EE authentication layer, a custom "web portal" store for roles.

I am going to continue my investigations.

Thanks for your help.

Thomas

Maximo Gurmendez wrote:

This is my Domain.xml, for you to check. I'm using Slide 2.1 with SQL Server for the descriptors and a file store for the content.

Hope it helps.

Maximo

<?xml version="1.0"?>
<slide>
   <namespace name="slide">
       <definition>
           <store name="tx">
<!-- <nodestore classname="org.apache.slide.store.txfile.TxXMLFileDescriptorsStore">
                   <parameter name="rootpath">store/metadata</parameter>
                   <parameter name="workpath">work/metadata</parameter>
               </nodestore>-->
<nodestore classname="org.apache.slide.store.impl.rdbms.JDBCStore"> <parameter name="adapter">org.apache.slide.store.impl.rdbms.SQLServerRDBMSAdapter</parameter> <parameter name="driver">com.microsoft.jdbc.sqlserver.SQLServerDriver</parameter> <parameter name="url">jdbc:microsoft:sqlserver://zeus:1433;DatabaseName=slide;SelectMethod=Cursor</parameter>
                       <parameter name="dbcpPooling">true</parameter>
<parameter name="maxPooledConnections">40</parameter> <parameter name="isolation">READ_UNCOMMITTED</parameter>
                       <parameter name="user">admin</parameter>
                       <parameter name="password">*******</parameter>

               </nodestore>
     <parameter name="enable-content-caching">false</parameter>
               <securitystore>
                   <reference store="nodestore"/>
               </securitystore>
               <lockstore>
                   <reference store="nodestore"/>
               </lockstore>
               <revisiondescriptorsstore>
                   <reference store="nodestore"/>
               </revisiondescriptorsstore>
               <revisiondescriptorstore>
                   <reference store="nodestore"/>
               </revisiondescriptorstore>
<contentstore classname="org.apache.slide.store.txfile.TxFileContentStore"> <parameter name="rootpath">d:/academic/fs/store/content</parameter> <parameter name="workpath">d:/academic/fs/work/content</parameter>
               </contentstore>
           </store>
           <scope match="/" store="tx"/>
       </definition>
       <configuration>
           <!-- Actions mapping -->
           <read-object>/actions/read</read-object>
           <create-object>/actions/write</create-object>
           <remove-object>/actions/write</remove-object>
           <grant-permission>/actions/write-acl</grant-permission>
           <revoke-permission>/actions/write-acl</revoke-permission>
           <read-permissions>/actions/read-acl</read-permissions>
<read-own-permissions>/actions/read-current-user-privilege-set</read-own-permissions>
           <lock-object>/actions/write</lock-object>
           <kill-lock>/actions/unlock</kill-lock>
           <read-locks>/actions/read</read-locks>
<read-revision-metadata>/actions/read</read-revision-metadata> <create-revision-metadata>/actions/write-properties</create-revision-metadata> <modify-revision-metadata>/actions/write-properties</modify-revision-metadata> <remove-revision-metadata>/actions/write-properties</remove-revision-metadata>
           <read-revision-content>/actions/read</read-revision-content>
<create-revision-content>/actions/write-content</create-revision-content> <modify-revision-content>/actions/write-content</modify-revision-content> <remove-revision-content>/actions/write-content</remove-revision-content>
           <bind-member>/actions/bind</bind-member>
           <unbind-member>/actions/unbind</unbind-member>
           <!-- Paths configuration -->
           <userspath>/users</userspath>
           <rolespath>/roles</rolespath>
           <actionspath>/actions</actionspath>
           <filespath>/files</filespath>
           <parameter name="dav">true</parameter>
           <parameter name="standalone">true</parameter>
           <parameter name="acl_inheritance_type">path</parameter>
           <auto-create-users>root</auto-create-users>
           <auto-create-users-role>user</auto-create-users-role>
<content-interceptor class="org.apache.slide.content.WebFolderContentInterceptor"/>
       </configuration>
       <data>
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/">
               <!-- Subject can be:
               any user             "all"
               authenticated user   "authenticated"
               unauthenticated user "unauthenticated"
               self                 "self"
               owner of resource    "owner"
               a user               "/users/john"
               a role               "/roles/admin"
               -->
<permission action="all" subject="/roles/root" inheritable="true"/> <permission action="/actions/read-acl" subject="all" inheritable="true" negative="true"/> <permission action="/actions/write-acl" subject="all" inheritable="true" negative="true"/> <permission action="/actions/unlock" subject="all" inheritable="true" negative="true"/> <!--<permission action="/actions/read" subject="all" inheritable="true"/>-->
               <!-- /users -->
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/users"> <permission action="all" subject="self" inheritable="true"/> <permission action="all" subject="unauthenticated" inheritable="true" negative="true"/>
                   <!-- /users/root represents the administrator -->
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/users/root">
                       <revision>
<property namespace="http://jakarta.apache.org/slide/"; name="password"></property>
                       </revision>
                   </objectnode>
<!-- /users/john and /users/john2 represent authenticated users --> <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/users/mgurmend">
                       <revision>
<property namespace="http://jakarta.apache.org/slide/"; name="password"></property>
                       </revision>
                   </objectnode>
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/users/john2">
                       <revision>
<property namespace="http://jakarta.apache.org/slide/"; name="password"></property>
                       </revision>
                   </objectnode>
<!-- /users/guest represents an authenticated or unauthenticated guest user --> <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/users/guest">
                       <revision>
<property namespace="http://jakarta.apache.org/slide/"; name="password"></property>
                       </revision>
                   </objectnode>
               </objectnode>
               <!-- /roles -->
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/roles"> <permission action="all" subject="self" inheritable="true"/> <permission action="all" subject="unauthenticated" inheritable="true" negative="true"/> <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/roles/root">
                       <revision>
<property name="group-member-set"><![CDATA[<D:href xmlns:D='DAV:'>/users/root</D:href>]]></property>
                       </revision>
                   </objectnode>
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/roles/user">
                       <revision>
<property name="group-member-set"><![CDATA[<D:href xmlns:D='DAV:'>/users/ggisby</D:href><D:href xmlns:D='DAV:'>/users/mgurmend</D:href><D:href xmlns:D='DAV:'>/users/john2</D:href><D:href xmlns:D='DAV:'>/users/root</D:href><D:href xmlns:D='DAV:'>/users/ggisby</D:href>]]></property>
                       </revision>
                   </objectnode>
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/roles/guest">
                       <revision>
<property name="group-member-set"><![CDATA[<D:href xmlns:D='DAV:'>/users/ggisby</D:href><D:href xmlns:D='DAV:'>/users/guest</D:href>]]></property>
                       </revision>
                   </objectnode>
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/roles/student"/> <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/roles/teacher"/> <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/roles/parent"/>
               </objectnode>
               <!-- action -->
<objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions"> <objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/read">
                       <revision>
<property name="privilege-member-set"><![CDATA[<D:href xmlns:D='DAV:'>/actions/read-acl</D:href> <D:href xmlns:D='DAV:'>/actions/read-current-user-privilege-set</D:href>]]></property>
                       </revision>
                   </objectnode>
<objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/read-acl">
                       <revision>
                           <property name="privilege-member-set"/>
                       </revision>
                   </objectnode>
<objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/read-current-user-privilege-set">
                       <revision>
                           <property name="privilege-member-set"/>
                       </revision>
                   </objectnode>
<objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/write">
                       <revision>
<property name="privilege-member-set"><![CDATA[<D:href xmlns:D='DAV:'>/actions/write-acl</D:href> <D:href xmlns:D='DAV:'>/actions/write-properties</D:href> <D:href xmlns:D='DAV:'>/actions/write-content</D:href>]]></property>
                       </revision>
                   </objectnode>
<objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/write-acl">
                       <revision>
                           <property name="privilege-member-set"/>
                       </revision>
                   </objectnode>
<objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/write-properties">
                       <revision>
                           <property name="privilege-member-set"/>
                       </revision>
                   </objectnode>
<objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/write-content">
                       <revision>
<property name="privilege-member-set"><![CDATA[<D:href xmlns:D='DAV:'>/actions/bind</D:href> <D:href xmlns:D='DAV:'>/actions/unbind</D:href>]]></property>
                       </revision>
                   </objectnode>
<objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/bind">
                       <revision>
                           <property name="privilege-member-set"/>
                       </revision>
                   </objectnode>
<objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/unbind">
                       <revision>
                           <property name="privilege-member-set"/>
                       </revision>
                   </objectnode>
<objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/unlock">
                       <revision>
                           <property name="privilege-member-set"/>
                       </revision>
                   </objectnode>
               </objectnode>
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/files"> <permission action="all" subject="unauthenticated" inheritable="true"/> <!-- <permission action="/actions/write" subject="/roles/user" inheritable="true"/> --> <permission action="/actions/read-acl" subject="owner" inheritable="true"/> <permission action="/actions/read" subject="/roles/teacher" inheritable="false"/> <permission action="/actions/read" subject="/roles/student" inheritable="false"/>
  <permission action="/actions/read" subject="all" inheritable="false"/>


               </objectnode>
               <!-- DeltaV: default history and workspace paths -->
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/history"> <permission action="all" subject="unauthenticated" inheritable="true"/>
               </objectnode>
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/workspace"> <permission action="all" subject="unauthenticated" inheritable="true"/>
               </objectnode>
<objectnode classname="org.apache.slide.structure.SubjectNode" uri="/workingresource"> <permission action="all" subject="unauthenticated" inheritable="true"/>
               </objectnode>
           </objectnode>
       </data>
   </namespace>
   <!--
   DeltaV global parameters
   ========================
   * historypath (mandatory=no, default="/history"):
Specifies a Slide path which determines the location where this DeltaV
   server stores history data.

   * workspacepath (mandatory=no, default="/workspace"):
Specifies a Slide path which determines the location where this DeltaV
   server allows workspaces to reside.

   * workingresourcepath (mandatory=no, default="/workingresource"):
Specifies a Slide path which determines the location where this DeltaV
   server stores working resources.

   * auto-version (mandatory=no, default="checkout-checkin"):
   Controls the DeltaV auto-version behaviour.

   * auto-version-control (mandatory=no, default="false"):
   Indicates if a resource just created by a PUT should be set under
   version-control.

  * versioncontrol-exclude (mandatory=no, default=""):
Specifies a Slide path which determines resources which are excluded from version-control.
  The default value "" makes no path being excluded.

   * checkout-fork (mandatory=no, default="forbidden"):
   Controls the DeltaV check-out behaviour when a version is already
   checked-out or has a successor.

   * checkin-fork (mandatory=no, default="forbidden"):
   Controls the DeltaV check-out behaviour when a version has already a
   successor.

   * standardLivePropertiesClass (mandatory=no,
default="org.apache.slide.webdav.util.resourcekind.AbstractResourceKind"): Determines the "agent" knowing about what the standard live properties are. It should be a loadable class containing the following static methods:
   - boolean isLiveProperty(String propName)
   - boolean isProtectedProperty(String propName)
   - boolean isComputedProperty(String propName)
   - Set getAllLiveProperties()
   - Set getAllProtectedProperties()
   - Set getAllComputedProperties()

   * uriRedirectorClass (mandatory=no,
   default="org.apache.slide.webdav.util.DeltavUriRedirector"):
   Determines the URI redirector class. The DeltaV URI redirector is in
   charge of the following redirections:
   - version URI to history URI, e.g. /history/2/1.4 to /history/2
   - latest revision number for history resource to 0.0
   - latest revision number for version resource to last URI token,
   e.g. /history/2/1.4 to 1.4
It should be a loadable class containing the following static methods:
   - String redirectUri(String uri)
   - NodeRevisionNumber redirectLatestRevisionNumber(String uri)
   -->
   <parameter name="historypath">/history</parameter>
   <parameter name="workspacepath">/workspace</parameter>
   <parameter name="workingresourcepath">/workingresource</parameter>
   <parameter name="auto-version">checkout-checkin</parameter>
   <parameter name="auto-version-control">false</parameter>
   <parameter name="versioncontrol-exclude"/>
   <parameter name="checkout-fork">forbidden</parameter>
   <parameter name="checkin-fork">forbidden</parameter>
</slide>


----- Original Message ----- From: "Thomas Bellembois" <[EMAIL PROTECTED]>
To: "Slide Users Mailing List" <slide-user@jakarta.apache.org>
Sent: Monday, July 25, 2005 11:24 AM
Subject: Re: My "dirty" solution to set non-inheritable privileges using webdav client


Hello,

It does not work for me either, even with a read permission on /files (and on every collection along the path). I wonder whether Slide honours non-inheritable permissions at all, whatever the acl_inheritance_type parameter is set to?

Thomas

Maximo Gurmendez wrote:

I've tried something similar, and it worked well when done through Domain.xml; however, I need to add this privilege without restarting the application, i.e. through WebDAV.

I recall I had a similar problem on a folder, say /files/afolder, and the cause was that /files itself needed a (non-inherited) read permission.

Regards,
  Maximo


----- Original Message ----- From: "Thomas Bellembois" <[EMAIL PROTECTED]>
To: "Slide Users Mailing List" <slide-user@jakarta.apache.org>
Sent: Monday, July 25, 2005 7:35 AM
Subject: Re: My "dirty" solution to set non-inheritable privileges using webdav client


Hello,

It does not seem to work either.
I have the same problem.
When I put the following permission on a resource :
<permissions>
<permission subjectUri="/users/bourges" actionUri="/actions/write" inheritable="true" negative="false" />
</permissions>

The user "bourges" can write, but if I change inheritable="true" to "false" it no longer works.

I have tried many configurations in my Domain.xml for the acl_inheritance_type parameter.

Any idea ?

Thanks.

Thomas


Miguel Figueiredo wrote:


Good morning,


Have you checked the following parameter?


<parameter name="acl_inheritance_type">[path|0|1|...]</parameter>


It's configurable in Domain.xml.


Hope this helps,

Miguel Figueiredo



-----Original Message-----
From: Maximo Gurmendez [mailto:[EMAIL PROTECTED] Sent: segunda-feira, 25 de Julho de 2005 5:20
To: Slide Users Mailing List
Subject: My "dirty" solution to set non-inheritable privileges using webdav
client


I've modified the createNodePermissionList method from
org.apache.slide.webdav.method.AclMethod class as pasted below.

To use it, I send through WebDAV a new privilege named "read-noninherited" or "write-noninherited" (the "-noninherited" suffix is what the patched method strips off before creating the permission), and it works fine.


Example, for client:


       // Client-side example: one ACE for /users/auser carrying the custom,
       // non-inherited read privilege, sent with a single ACL request.
       Ace ace = new Ace("/users/auser");
       ace.setInherited(false);
       ace.addPrivilege(new Privilege("ECADEMICUS:", "read-noninherited", "inherit"));
       ace.setProtected(false);
       ace.setNegative(false);

       Ace[] aces = { ace };
       boolean ok = res.aclMethod("/files/afolder", aces);


Maybe it is not the best approach, but it was suggested as a possibility. Perhaps someone knows of a better way.


Many thanks,

    Máximo


Ing. Máximo Gurméndez

IT Applications Integrator

The British Schools, Montevideo

Máximo Tajes 6400

Tel. 6003421 int. 136

email: [EMAIL PROTECTED]



----------------------------------------------------------------------------

----




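/**
 * Builds the {@link NodePermission}s described by one ACE element of an
 * ACL request body, for the resource this method instance handles
 * ({@code resourcePath}).
 *
 * The ACE principal (either a direct {@code E_PRINCIPAL} child or one nested
 * in {@code E_INVERT}) gives the subject URI; exactly one of
 * {@code E_GRANT} / {@code E_DENY} gives the sign; each {@code E_PRIVILEGE}
 * child becomes one permission.
 *
 * Local extension ("ecademicus"): a privilege whose resolved action URI ends
 * with {@code -noninherited} is stored as a non-inheritable permission on the
 * action URI with that suffix removed. Stock Slide always stores the
 * permissions created here as inheritable.
 *
 * @param aceElm the ACE element to convert
 * @return a list of {@link NodePermission}, one per privilege in the ACE;
 *         empty when the grant/deny element has no privilege children
 * @throws PreconditionViolationException with status 400 when the ACE has no
 *         principal, has both or neither of grant and deny, or names a
 *         privilege that {@code createActionUri} does not resolve
 * @throws SlideException presumably propagated from the helper calls
 *         ({@code createSubjectUri}, {@code createActionUri})
 * @throws JDOMException as declared; none of the calls visible here throw it
 *         directly
 */
private List createNodePermissionList( Element aceElm ) throws
        PreconditionViolationException, SlideException, JDOMException {

    List result = new ArrayList();
    String objectUri = resourcePath;
    String subjectUri = null;
    String actionUri = null;
    boolean negative = false;
    boolean invert = false;

    // ACE principal: a direct principal element, or one wrapped in an
    // invert element (which flips the subject match via setInvert below).
    Element principalElm = aceElm.getChild(E_PRINCIPAL, DNSP);
    if (principalElm == null) {
        Element invertElm = aceElm.getChild(E_INVERT, DNSP);
        if (invertElm != null) {
            invert = true;
            principalElm = invertElm.getChild(E_PRINCIPAL, DNSP);
        }
    }
    if (principalElm != null) {
        subjectUri = createSubjectUri(principalElm);
    } else {
        throw new PreconditionViolationException(
            new ViolatedPrecondition("missing-ace-principal",
                                     WebdavStatus.SC_BAD_REQUEST), resourcePath
        );
    }

    // ACE grant and deny: exactly one of the two must be present.
    Element grantDenyElm = null;
    Element grantElm = aceElm.getChild(E_GRANT, DNSP);
    Element denyElm = aceElm.getChild(E_DENY, DNSP);
    if (grantElm != null && denyElm == null) {
        grantDenyElm = grantElm;
    } else if (grantElm == null && denyElm != null) {
        negative = true;
        grantDenyElm = denyElm;
    } else if (grantElm != null && denyElm != null) {
        throw new PreconditionViolationException(
            new ViolatedPrecondition("only-grant-or-deny-allowed",
                                     WebdavStatus.SC_BAD_REQUEST), resourcePath
        );
    } else {
        throw new PreconditionViolationException(
            new ViolatedPrecondition("missing-grant-or-deny",
                                     WebdavStatus.SC_BAD_REQUEST), resourcePath
        );
    }

    // Marker of the local extension, matched on the resolved action URI.
    final String nonInheritedSuffix = "-noninherited";

    Iterator privilegeIt = grantDenyElm.getChildren(E_PRIVILEGE, DNSP).iterator();
    while (privilegeIt.hasNext()) {
        Element privilegeElm = (Element) privilegeIt.next();
        actionUri = createActionUri(privilegeElm);
        if (actionUri == null) {
            throw new PreconditionViolationException(
                new ViolatedPrecondition("not-supported-privilege",
                                         WebdavStatus.SC_BAD_REQUEST), resourcePath
            );
        }

        // begin add ecademicus
        boolean inherit = true;
        if (actionUri.endsWith(nonInheritedSuffix)) {
            inherit = false;
            // Strip exactly the trailing marker the guard above matched. The
            // earlier version used replaceAll(), which is regex-based and
            // removes every occurrence of the marker, not only the suffix.
            actionUri = actionUri.substring(
                0, actionUri.length() - nonInheritedSuffix.length());
        }
        // end add ecademicus
        // NOTE(review): the stripped URI is not re-validated. createActionUri
        // is not visible here; confirm it only resolves privileges to action
        // nodes that exist, otherwise a client could name an action that was
        // never meant to be grantable by appending the marker to it.

        NodePermission np = new NodePermission(objectUri, subjectUri,
                                               actionUri, inherit, negative);
        np.setInvert(invert);
        result.add(np);
    }

    return result;
}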





--
+---=(    Thomas Bellembois    )=---+
| CRI - University of Rennes 1 - FR |
| [EMAIL PROTECTED] |
| +33 2 23 23 69 60                 |
+-----------------------------------+











--
+---=(    Thomas Bellembois    )=---+
| CRI - University of Rennes 1 - FR |
| [EMAIL PROTECTED] |
| +33 2 23 23 69 60                 |
+-----------------------------------+












--
+---=(    Thomas Bellembois    )=---+
| CRI - University of Rennes 1 - FR |
| [EMAIL PROTECTED] |
| +33 2 23 23 69 60                 |
+-----------------------------------+


