Hi Ben,

IIRC Lenya 1.2.x doesn't allow denying roles explicitly. Have you tried to remove the "world" entry from subtree-policy.acml? This should block all access.

-- Andreas


Am 17.10.13 06:23, schrieb Ben Pracht:
I'm using a prebuilt Lenya 1.2.5.  I'm trying to *not* have to write
code to do this.

I'm doing a non-public site for a local club in my area that I want to
have members sign on before even seeing any content.  I'd essentially
like to deny the world, even localhost, unless they first authenticate.

Below is what I'm working with.  I'm sorry if I omitted anything, I just
could not make sense of the security mechanism enough to know what's
relevant.

An example URL I'd like blocked is:
http://localhost:8888/MembersOnly/live/Welcome.html


lenya/pubs/MembersOnly/config/ac/policies/live/Welcome/subtree-policy.acml
lenya/pubs/MembersOnly/config/ac/policies/live/subtree-policy.acml
lenya/pubs/MembersOnly/config/ac/policies/subtree-policy.acml

Each of the above looks like this:

<policy xmlns="http://apache.org/cocoon/lenya/ac/1.0">

   <world>
     <role id="visit" method="deny"/>
   </world>

</policy>

My ac.xconf looks like:

<access-controller type="bypassable">

   <accreditable-manager type="file">
     <parameter name="directory"
value="context:///lenya/pubs/MembersOnly/config/ac/passwd"/>

     <user-manager>
        <user-type class="org.apache.lenya.ac.file.FileUser"
create-use-case="userAddUser">Local User</user-type>
        <!-- uncomment the following line if you want LDAP support -->
        <!-- <user-type class="org.apache.lenya.ac.ldap.LDAPUser"
create-use-case="userAddUserLdap">LDAP User</user-type> -->
     </user-manager>
   </accreditable-manager>

   <policy-manager type="document">
     <policy-manager type="file">
       <parameter name="directory"
value="context:///lenya/pubs/MembersOnly/config/ac/policies"/>
     </policy-manager>
   </policy-manager>

   <authorizer type="policy"/>

   <authorizer type="usecase">
       <parameter name="configuration"
value="context:///lenya/pubs/MembersOnly/config/ac/usecase-policies.xml"/>
   </authorizer>

   <authorizer type="workflow"/>

</access-controller>

---------- Log file snippet -------
24995 2013-10-12 00:31:35,383 [PoolThread-4] DEBUG
lenya.ac.cache.get():161  - Caching object
[org.apache.lenya.ac.impl.DefaultPolicy@65089d7] for further requests of
[file:/C:/java/eclipse/ClubSoftware/Lenya/lenya/pubs/MembersOnly/config/ac/policies/live/Welcome/subtree-policy.acml].

24996 2013-10-12 00:31:35,384 [PoolThread-4] DEBUG
lenya.ac.policymanager.file.buildPolicy():149  - Policy exists: [true]

24996 2013-10-12 00:31:35,384 [PoolThread-4] DEBUG
lenya.ac.authorizer.policy.saveRoles():156  - Adding roles [ visit ] to
request [org.apache.cocoon.environment.http.HttpRequest@2457c24c]

24996 2013-10-12 00:31:35,384 [PoolThread-4] DEBUG
lenya.ac.authorizer.policy.authorize():111  - Authorized: true

24996 2013-10-12 00:31:35,384 [PoolThread-4] DEBUG
lenya.ac.accesscontroller.bypassable.authorize():121  - Authorizer
[org.apache.lenya.ac.impl.PolicyAuthorizer@6566aa35] returned [true]

24996 2013-10-12 00:31:35,384 [PoolThread-4] DEBUG
lenya.ac.accesscontroller.bypassable.authorize():108  -
---------------------------------------------------------

24996 2013-10-12 00:31:35,384 [PoolThread-4] DEBUG
lenya.ac.accesscontroller.bypassable.authorize():109  - Invoking
authorizer [org.apache.lenya.cms.ac.usecase.UsecaseAuthorizer@26456721]

24997 2013-10-12 00:31:35,385 [PoolThread-4] DEBUG
lenya.ac.authorizer.usecase.authorize():104  - No usecase to authorize.
Granting access.

24997 2013-10-12 00:31:35,385 [PoolThread-4] DEBUG
lenya.ac.accesscontroller.bypassable.authorize():121  - Authorizer
[org.apache.lenya.cms.ac.usecase.UsecaseAuthorizer@26456721] returned [true]

24997 2013-10-12 00:31:35,385 [PoolThread-4] DEBUG
lenya.ac.accesscontroller.bypassable.authorize():108  -
---------------------------------------------------------

24997 2013-10-12 00:31:35,385 [PoolThread-4] DEBUG
lenya.ac.accesscontroller.bypassable.authorize():109  - Invoking
authorizer [org.apache.lenya.cms.ac.workflow.WorkflowAuthorizer@7e1b0beb]

24997 2013-10-12 00:31:35,385 [PoolThread-4] DEBUG
lenya.ac.authorizer.workflow.authorize():69  - Authorizing workflow for
event [null]

24997 2013-10-12 00:31:35,385 [PoolThread-4] DEBUG
lenya.ac.accesscontroller.bypassable.authorize():121  - Authorizer
[org.apache.lenya.cms.ac.workflow.WorkflowAuthorizer@7e1b0beb] returned
[true]

24997 2013-10-12 00:31:35,385 [PoolThread-4] DEBUG
lenya.ac.accesscontroller.bypassable.authorize():130  -
=========================================================

24997 2013-10-12 00:31:35,385 [PoolThread-4] DEBUG
lenya.ac.accesscontroller.bypassable.authorize():131  - Authorization
complete, result: [true]

24998 2013-10-12 00:31:35,386 [PoolThread-4] DEBUG
lenya.ac.accesscontroller.bypassable.authorize():132  -
=========================================================

24998 2013-10-12 00:31:35,386 [PoolThread-4] DEBUG
sitemap.decommission():342  - ComponentFactory decommissioning instance
of org.apache.lenya.cms.cocoon.acting.DelegatingAuthorizerAction.
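The log above shows the "visit" role still being added to the request even though the policy says method="deny", which matches Andreas' point that Lenya 1.2.x does not enforce explicit denies. A practical way to check that no policy file in the publication still opens the subtree to anonymous visitors is to scan the policies directory for <world> entries. The script below is an added example written for this thread, not code from Lenya; it assumes the policy format shown in the posts (a <policy> root in the http://apache.org/cocoon/lenya/ac/1.0 namespace with <world>/<role id method> children), treats a role with no method attribute as a grant (an assumption), and builds a constructed copy of the three policy paths from the thread in a temporary directory so it runs stand-alone.

```python
"""Audit Lenya 1.2.x subtree-policy.acml files for anonymous ("world") access.

Added example for this thread; not part of Lenya. Assumes the policy format
shown in the thread and, per Andreas' reply, that method="deny" on a world
role is not enforced by Lenya 1.2.x.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

NS = "http://apache.org/cocoon/lenya/ac/1.0"   # namespace used in the thread
WORLD = f"{{{NS}}}world"
ROLE = f"{{{NS}}}role"

# Constructed sample policies. The first mirrors the one posted in the thread.
SAMPLE_DENY_POLICY = """<policy xmlns="http://apache.org/cocoon/lenya/ac/1.0">
  <world>
    <role id="visit" method="deny"/>
  </world>
</policy>
"""
SAMPLE_GRANT_POLICY = """<policy xmlns="http://apache.org/cocoon/lenya/ac/1.0">
  <world>
    <role id="visit"/>
  </world>
</policy>
"""
# Closed policy: no <world> element at all, which is what Andreas suggests.
SAMPLE_CLOSED_POLICY = """<policy xmlns="http://apache.org/cocoon/lenya/ac/1.0"/>
"""


def audit_policy(xml_text):
    """Return a list of findings for one policy document (empty list = no world access)."""
    root = ET.fromstring(xml_text)
    findings = []
    for world in root.findall(WORLD):
        roles = world.findall(ROLE)
        if not roles:
            findings.append("<world> element present but empty; remove it to keep intent clear")
        for role in roles:
            role_id = role.get("id", "?")
            # Assumption: a role element without a method attribute is a grant.
            method = role.get("method", "grant")
            if method == "deny":
                findings.append(
                    f"world role '{role_id}' uses method=\"deny\": Lenya 1.2.x does not "
                    "enforce explicit denies (the thread's log still adds the role); "
                    "remove the <world> entry instead"
                )
            else:
                findings.append(f"world role '{role_id}' is granted to anonymous visitors")
    return findings


def audit_tree(policies_dir):
    """Walk a Lenya policies directory and map each .acml file with findings to them."""
    report = {}
    for dirpath, _dirs, files in os.walk(policies_dir):
        for name in sorted(files):
            if not name.endswith(".acml"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8") as fh:
                findings = audit_policy(fh.read())
            if findings:
                rel = os.path.relpath(path, policies_dir).replace(os.sep, "/")
                report[rel] = findings
    return report


def build_sample_tree():
    """Create a temp directory mirroring the three policy paths named in the thread."""
    base = tempfile.mkdtemp(prefix="lenya-policies-")
    layout = {
        "live/Welcome/subtree-policy.acml": SAMPLE_DENY_POLICY,
        "live/subtree-policy.acml": SAMPLE_GRANT_POLICY,
        "subtree-policy.acml": SAMPLE_CLOSED_POLICY,
    }
    for rel, text in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return base


if __name__ == "__main__":
    # Point audit_tree at lenya/pubs/<pub>/config/ac/policies on a real install.
    for rel, findings in audit_tree(build_sample_tree()).items():
        print(rel)
        for finding in findings:
            print("  -", finding)
```

Because policies are resolved per subtree, every level of the directory (the publication root, live/, and live/Welcome/) is checked, so a <world> grant left in a parent file is reported even if the deepest file is clean.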
