Well i attempted a solution I found that instantiated a subclassed AccessManager. This AccessManager uses a system user to access the repository which would allow full access to any repository node. However, I ran into issues trying to get a reference to my RepositoryImpl inside my AccessManager and I had the same concerns about performance due to the number node lookups being done. My initial strategy was to load an Access Control List(ACL) into the session when a user logged in. Then i could use the AccessManager to check the node uuid against this ACL and allow access if the uuid was in the ACL. However, the AccessManager is run for every type of node including version nodes and nt:resource nodes. Now this would mean that I would have to load every single type of node at login which included version nodes etc... and this could possibly take forever. I really only wanted to restrict access to certain types of nodes and let everything else through. Therefore the only extra piece of information I really needed was the primary node type of the uuid that was passed to the AccessManager. Then I could check the nodeType and restrict access against my ACL if it was a nodeType that needed restriction...unlike the version and resource nodes. After much pain trying to implement an AccessManager that could get the nodeType, i decided to move on and implement a less elegant solution which involved restricting nodes in multiple places instead of in one place like the AcessManager. If anyone has an update or advice on this, I would love to try to implement it again as I think it is the ideal place to put node restriction. I just think the current jackrabbit AccessManager should provide a way to access more specific node information which in my case is the nodeType. I understand that it could be a potential performance issue, but there must be ways to optimize it. Otherwise I can not use the AccessManager to control node specific access. Any ideas or comments?
(Berry) A.W. van Halderen wrote: > > On Tue, Oct 23, 2007 at 11:47:27AM -0700, bilobag wrote: >> >> So I am attempting to create a SessionImpl with a system subject so that >> it >> can have full access to the repository. I want to use this SessionImpl >> in >> my custom AccessManager to query properties of the nodes(ie. node type) >> to >> determine whether a user should have access to a particular node. I am >> using spring with jackrabbit and I'm not sure what the best way is to get >> a >> ref to a RepositoryImpl. Can someone please give some advise. i have >> been >> working on this for a week straight now. Thanks in advance. > > Check out our AccessManager, source available in public available SVN: > > > http://svn.hippocms.org/repos/hippo/hippo-ecm/branches/Release-HREPTWO-v2_01_00-M1/repository/engine/src/main/java/org/hippoecm/repository/security/SimpleAccessManager.java > > The trick is that you have to extend a number of JackRabbit classes, > such that you are using your own, extended, RepositoryImpl, SessionImpl, > etcetera, in order to create a own (extended) version of a > HierarchyManager. > This HierarchyManager can then expose, the otherwise protected method > which allows you to get the actual ItemState. > > HOWEVER: be very aware that there may be severe implications with this > approach. I think (but maybe a jackrabbit architect can comment) that > it is not by change that you have only access to ItemId in the access > manager, and not to ItemState as well. This because an access manager > might be required to quickly filter out non accessible items (nodes or > properties) before returning. If it would need to constantly access > the actual state, it might have fatal performance consequences. > > We don't have experience with this yet, but it is on our mid-term to-do > list. > So if you gain further experience, let us (all) know. > > \Berry > -- > Berry A.W. van Halderen [EMAIL PROTECTED] / > [EMAIL PROTECTED] > Disclaimer: the above is the author's personal opinion and is not the > opinion > or policy of his employer or of the little green men that have been > following > him all day. > > -- View this message in context: http://www.nabble.com/RepositoryImpl-in-the-AccessManager-tf4679552.html#a13514098 Sent from the Jackrabbit - Users mailing list archive at Nabble.com.
