Hi there Does anyone have an insight into this problem? Are there people on this list using pre-built JAAS LoginModules with Jackrabbit?
If I start with a working configuration (using DefaultAccessManager and DefaultLoginModule), and add a login.conf file that configures the Sun LdapLoginModule, my Session logins throw exceptions "Unable to access workspace 'default'". Looking through the code, I can only see 2 options: 1) Implement my own WorkspaceAccessManager and configure via SecurityManager 2) Keep the working setup, add the admin ID to an ACL on the root path, with all permissions, then switch to the JAAS setup #1 doesn't look like a solution since in the case of a non-Admin ID I'd like to delegate to the AccessControlProvider of the workspace, but getAccessControlProvider(workspaceName) is private in DefaultSecurityManager. #2 might work, but I'm not sure I won't run into issues later, since several of the default security/auth classes hard-code an isAdminOrSystem method that only consider the 2 Jackrabbit principals as such. There is an option #3 which is extend or (more probably due to private/protected methods) re-implement all the Default... security classes which seems crazy. Any ideas/experience with this? Regards, Rory On Sun, Jan 11, 2009 at 11:53 AM, Rory Douglas <[email protected]>wrote: > Is there a way to configure the DefaultAccessManager (in 1.5) to recognize > a specific user/subject from a JAAS LoginModule as the Admin ID? > > I see this is configurable for the DefaultLoginModule in repository.xml. I > also see that DefaultAccessManager makes a determination based on the class > of the Principals a Subject has (o.a.j.c.security.SystemPrincipal or > o.a.j.c.security.principal.AdminPrincipal). With a 3rd-party LoginModule, I > can't force the Principals to be of a particular class. > > Do I need to extend DefaultAccessManager to enable configuring the AdminID, > or is there a configuration option for this I'm unaware of? I'm using the > JDK 6 LdapLoginModule at the moment, and the latest trunk version of Sling > (but I'm fairly sure this is a purely Jackrabbit-related issue). > > Regards > Rory >
