Hi Sebastian
I went this route back in August, and came up against the same problems
(see [1]). I had the AccessManager working by exporting the .spi
classes from Sling's Jackrabbit bundle, but would intermittently run
into issues with the JAAS LoginModule after restarts. I think there may
be a need to specify the JAAS classes so they are added to the
system/framework classpath using sling.properties, but I don't
understand that mechanism & couldn't get it to work. I ultimately
abandoned work on this because it didn't seem the right approach (as
Felix points out) to depend on non-API classes from the underlying
repository.
As for the AccessManager, I think there are plans to upgrade Sling to
Jackrabbit 1.5, so it may be more worthwhile to wait for that & use the
repository-ACL-based AccessManager that comes with 1.5 rather than
implementing your own. Or ping me & I can send you what I cobbled
together for ACL-based control.
Regards,
Rory
[1] http://markmail.org/message/ejzb4vk6nypmrf5s
Sebastian Gomez wrote:
Hi everyone.
I'm trying to secure the JCR repository by creating a custom LoginModule and
AccessManager. The first one has gone OK, as it implements the JAAS standard
interface. On the other hand, the second one must implement Jackrabbit's
AccessManager interface, but as Sling's Jackrabbit Embedded Repository
bundle does not export the jackrabbit-core packages (that includes the
AccessManager interface), the only way to create my custom implementation
has been to embed the dependency in my bundle's classpath. This then makes a
ClassCastException occur in Jackrabbit's SessionImpl when my class is being
cast to the AccessManager interface (line 335). As I guess you'll know,
this is because my CustomAccessManager is implementing the AccessManager
loaded by my bundle's classloader, while Jackrabbit's SessionImpl will
expect the AccessManager loaded by the Jackrabbit Embedded Repository
bundle.
I'd like to know if someone has already come up with (and hopefully
resolved) the same problem as I have, because I guess it's quite a common
scenario. The easiest solution would be to make Sling's Jackrabbit
Embedded Repository bundle export the security package of jackrabbit-core,
but I suppose there must be some reason for it not to be doing so. I'll
appreciate any indication.
Thanks in advance.
Sebastian Gomez.
P.S: Here's the line of org.apache.jackrabbit.core.SessionImpl where the
ClassCastException occurs, marked with a "=====>" (in case it's of any use):
    protected AccessManager createAccessManager(Subject subject,
                                                HierarchyManager hierMgr)
            throws AccessDeniedException, RepositoryException {
        AccessManagerConfig amConfig =
                rep.getConfig().getAccessManagerConfig();
        try {
            AMContext ctx = new AMContext(
                    new File(rep.getConfig().getHomeDir()),
                    rep.getFileSystem(),
                    subject,
                    hierMgr,
                    rep.getNamespaceRegistry(),
                    wsp.getName());
====>       AccessManager accessMgr = (AccessManager) amConfig.newInstance();
            accessMgr.init(ctx);
            return accessMgr;
        } catch (AccessDeniedException ade) {
            // re-throw
            throw ade;
        } catch (Exception e) {
            // wrap in RepositoryException
            String msg = "failed to instantiate AccessManager implementation: "
                    + amConfig.getClassName();
            log.error(msg, e);
            throw new RepositoryException(msg, e);
        }
    }
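
The ClassCastException described in the original message, reproduced in isolation as an added example (not code from this thread, Sling or Jackrabbit): two class loaders each define their own copy of an interface, so an object implementing one copy cannot be cast to the other. `AccessManagerLike` and `CustomAccessManager` are hypothetical stand-ins for Jackrabbit's AccessManager and a bundle's implementation; compile with javac before running so the classes have a code source on disk.

```java
import java.net.URL;
import java.net.URLClassLoader;

public class ClassLoaderIdentityDemo {

    // Hypothetical stand-in for the repository's AccessManager interface.
    public interface AccessManagerLike { }

    // Hypothetical stand-in for the custom implementation shipped in another bundle.
    public static class CustomAccessManager implements AccessManagerLike { }

    public static void main(String[] args) throws Exception {
        // Directory or jar these compiled classes were loaded from.
        URL here = ClassLoaderIdentityDemo.class.getProtectionDomain()
                .getCodeSource().getLocation();

        // Two loaders that share only the bootstrap parent, like two bundles
        // that each carry their own copy of the same package.
        try (URLClassLoader repoBundle = new URLClassLoader(new URL[] {here}, null);
             URLClassLoader customBundle = new URLClassLoader(new URL[] {here}, null)) {

            // The interface as the repository side sees it.
            Class<?> expected = repoBundle.loadClass(AccessManagerLike.class.getName());

            // The implementation, with the interface resolved by its own loader.
            Class<?> implClass = customBundle.loadClass(CustomAccessManager.class.getName());
            Class<?> implemented = implClass.getInterfaces()[0];
            Object impl = implClass.getDeclaredConstructor().newInstance();

            // Same fully qualified name, different defining loader: the JVM
            // treats these as two unrelated types.
            System.out.println("same name:   "
                    + expected.getName().equals(implemented.getName()));
            System.out.println("same loader: "
                    + (expected.getClassLoader() == implemented.getClassLoader()));
            System.out.println("same type:   " + (expected == implemented));
            System.out.println("isInstance:  " + expected.isInstance(impl));

            try {
                expected.cast(impl); // the equivalent of the marked cast above
            } catch (ClassCastException e) {
                System.out.println("cast failed: " + e.getMessage());
            }
        }
    }
}
```

Comparing `getClassLoader()` on the interface from both sides, as done here, is a quick way to confirm this cause when the exception names a class that appears to implement the target type.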