Ok got to the bottom of it by stepping through the running application.
You must have the following config for ACLs to work:
<Security appName="Jackrabbit">
  <SecurityManager
      class="org.apache.jackrabbit.core.DefaultSecurityManager"
      workspaceName="security" />
  <AccessManager
      class="org.apache.jackrabbit.core.security.DefaultAccessManager" />
  <!-- This allows any username to login without password -->
  <LoginModule
      class="org.apache.jackrabbit.core.security.simple.SimpleLoginModule">
    <!-- Unauthenticated JAAS users are ANONYMOUS -->
    <param name="anonymousId" value="ANONYMOUS" />
    <param name="adminId" value="admin1" />
  </LoginModule>
</Security>
Specifically the DefaultSecurityManager must be selected.
Now I'm just trying to determine why although I have ACLs specifying who can
read, other users can read as well.
-- Cory
On 28/07/2010, at 4:08 PM, Cory Prowse wrote:
> Ah it is probably worth mentioning I am deploying the JCA of JackRabbit to
> Glassfish.
>
> -- Cory
>
> On 28/07/2010, at 3:32 PM, Cory Prowse wrote:
>
>> I too have been struggling with security access in JackRabbit 2.1.0 these
>> past few days.
>>
>> I am attempting a proof of concept which allows adding nodes and specifying
>> which users/groups can view them, so that only the nodes the currently
>> logged in user has access to will be shown.
>>
>> When I attempt to use DefaultAccessManager I get:
>> javax.jcr.AccessDeniedException: cannot read item cafebabe-cafe-babe-cafe-babecafebabe
>>
>> This is my config:
>> <Security appName="Jackrabbit">
>>   <!-- <AccessManager
>>       class="org.apache.jackrabbit.core.security.simple.SimpleAccessManager" /> -->
>>   <AccessManager
>>       class="org.apache.jackrabbit.core.security.DefaultAccessManager" />
>>
>>   <LoginModule
>>       class="org.apache.jackrabbit.core.security.simple.SimpleLoginModule">
>>     <param name="anonymousId" value="ANONYMOUS" />
>>   </LoginModule>
>> </Security>
>>
>> This exception occurs when I ask the session for the root node.
>>
>> Not quite following how to hook up security properly here, am I doing
>> something obviously wrong?
>>
>> -- Cory
>>
>>
>> On 28/07/2010, at 5:37 AM, Alexander Klimetschek wrote:
>>
>>> I am currently working on a wiki page for that:
>>> http://wiki.apache.org/jackrabbit/AccessControl
>>>
>>> Expect more in the coming days.
>>>
>>> Regards,
>>> Alex
>>>
>>> On Tue, Jul 27, 2010 at 15:51, Joel Feenstra <[email protected]> wrote:
>>>> Hi,
>>>> I'm working on adding some authentication/authorization to our application
>>>> which uses Jackrabbit 2.1. How can I best control access to a node (and its
>>>> children) so that one user has read/write access to the subtree, but all
>>>> other users don't have any access (not even read access).
>>>>
>>>> I've looked at using the principal based ACLProvider, but I can't find any
>>>> examples detailing how to actually use it.
>>>>
>>>> Thanks,
>>>> Joel
>>>> [email protected]
>>>>
>>>
>>>
>>>
>>> --
>>> Alexander Klimetschek
>>> [email protected]
>>
>
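
An added example, not part of the thread and not Jackrabbit code: a small Python check for the two points in the top message, that the DefaultSecurityManager is selected alongside the DefaultAccessManager, and that SimpleLoginModule accepts any username without a password. The two sample configurations are copied from the thread; the function name `audit_security` and the finding codes are made up for this example.

```python
import xml.etree.ElementTree as ET

# Class names as they appear in the configurations quoted in the thread.
SECURITY_MANAGER = "org.apache.jackrabbit.core.DefaultSecurityManager"
ACCESS_MANAGER = "org.apache.jackrabbit.core.security.DefaultAccessManager"
SIMPLE_LOGIN = "org.apache.jackrabbit.core.security.simple.SimpleLoginModule"

# First configuration from the thread (AccessDeniedException on the root node).
BEFORE = """<Security appName="Jackrabbit">
  <!-- <AccessManager
    class="org.apache.jackrabbit.core.security.simple.SimpleAccessManager" /> -->
  <AccessManager class="org.apache.jackrabbit.core.security.DefaultAccessManager" />
  <LoginModule class="org.apache.jackrabbit.core.security.simple.SimpleLoginModule">
    <param name="anonymousId" value="ANONYMOUS" />
  </LoginModule>
</Security>"""

# Configuration from the follow-up message.
AFTER = """<Security appName="Jackrabbit">
  <SecurityManager class="org.apache.jackrabbit.core.DefaultSecurityManager"
    workspaceName="security" />
  <AccessManager class="org.apache.jackrabbit.core.security.DefaultAccessManager" />
  <LoginModule class="org.apache.jackrabbit.core.security.simple.SimpleLoginModule">
    <param name="anonymousId" value="ANONYMOUS" />
    <param name="adminId" value="admin1" />
  </LoginModule>
</Security>"""

def audit_security(xml_text):
    """Return (code, message) findings for a <Security> element."""
    sec = ET.fromstring(xml_text)  # XML comments are dropped by the parser
    if sec.tag != "Security":
        sec = sec.find(".//Security")
    if sec is None:
        return [("NO_SECURITY", "no <Security> element found")]
    findings = []
    for tag, want in (("SecurityManager", SECURITY_MANAGER),
                      ("AccessManager", ACCESS_MANAGER)):
        el = sec.find(tag)
        got = None if el is None else el.get("class")
        if got != want:
            findings.append((tag.upper(), f"{tag} is {got!r}, ACLs need {want}"))
    for lm in sec.findall("LoginModule"):
        if lm.get("class") == SIMPLE_LOGIN:
            ids = {p.get("name"): p.get("value") for p in lm.findall("param")}
            findings.append(("PASSWORDLESS_LOGIN",
                             f"any username logs in without a password; ids: {ids}"))
    return findings
```

Calling `audit_security(BEFORE)` reports the missing SecurityManager; both configurations are flagged for the password-less login module, including the `adminId` it exposes.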