Hello,

Thanks for the pointers Angela.

Regarding groups and users, I probably want to be able to list them as well as search them. In both cases what you suggest will be very useful.

I eventually found some information on the mailing list on how to grant all rights to an administrators group that I created myself. In case this is of any use, here is a test which shows what I've done: https://gist.github.com/1142000

It would be nice to have this information on the Wiki somewhere in the form of recipes for how to do security related things. I don't mind contributing stuff.

Regards,
Guillaume.

On 12 August 2011 13:34, Angela Schreiber <[email protected]> wrote:
> hi guillaume
>
>> I am currently looking at leveraging the features of the JackRabbit
>> UserManager to be able to manage users, groups and give users
>> administrator privileges for my application.
>> First of all, is there an easy way to be able to list all users and
>> all groups that have been created on the system?
>
> yes.
> if i remember correctly you can use a 'null' simple filter for a
> common property such as rep:principalName to obtain a result
> containing all authorizables for the specified search-type.
>
> but as a general rule i would rather suggest to use a specific
> query... if you have a huge amount of users and/or groups listing
> all of them is probably not very useful.
>
>> All the findAuthorizable methods on the UserManager are search
>> oriented, so all I can think of is writing a wildcard search query for
>> groups or users whose name is like *. Am I on the right track?
>
> yes. see above.
>
>> Also, it seems the Jackrabbit does not pre-create the administrators
>> group by default.
>
> that's correct. we initially had that and decided to get rid of it for
> various reasons specifically as jackrabbit itself didn't have
> any need for it and we decided that it was rather the responsibility
> of an application on top of jackrabbit to define such a group.
> in addition there is usually the need for various different
> groups with some sort of administrative roles depending on the
> type and complexity of the application... in other words: limit
> the set of authorizables to built-in and avoid creating example
> user/group(s).
>
>> Please see the following test snippet written in
>> Scala with ScalaTest. The test fails when trying to get the
>> authorizable corresponding to the ADMINISTRATORS_NAME group.
>
> yep. that's a leftover. the constant should have been marked
> deprecated.
>
>> I guess I can just create that group and add a user to it, but is that
>> sufficient then to give that user all administrators privileges (i.e.
>> the right to create other users and groups, etc...). If not, what else
>> would I need to do?
>
> if you need an 'administrators' group, the best solution was
> to create it using UserManager#createGroup, then make sure
> the corresponding principal is granted sufficient permissions
> (according to your needs) and then add the required users to the
> administrators group.
>
>> "The super user (i.e admin) should be able to create a user and her to the administrators group" in {
>>   inSession(repository,superuser,password){session =>
>>     val um = session.getUserManager
>>     um.getAuthorizable(SecurityConstants.ADMINISTRATORS_NAME) match{
>>       case null => fail("The authorizable for the administrators group does not exist.")
>>       case g : Group =>
>>         val newadmin = "newadmin"
>>         g.addMember(um.createUser(newadmin,newadmin))
>
> if you want to have a group, that can have members, you have to
> call UserManager.createGroup
>
>>       case _ => fail("The administrators authorizable is not a group")
>>     }
>>   }
>> }
>
> regards
> angela
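
The three steps Angela describes (create the group with UserManager#createGroup, grant its principal the permissions the role needs, then add members), written out in Java as an added example; it is not code from the thread, the linked gist or the Jackrabbit project. The class and method names are hypothetical, and the group name, the path the grant applies to and the privilege names are caller-supplied assumptions, since the right path and privilege set depend on the application.

```java
// Added example, not code from the thread. Group name, path and privilege
// names are caller-supplied assumptions, not values taken from the mail.
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.*;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.*;

public final class AdminGroupSetup {

    /** Create the group if absent, grant it privileges on path, add a new member. */
    public static Group setUp(Session session, final String groupName, String path,
            String[] privilegeNames, String userId, String password)
            throws RepositoryException {
        UserManager um = ((JackrabbitSession) session).getUserManager();
        Principal principal = new Principal() {
            public String getName() { return groupName; }
        };
        // A missing group comes back as null, as in the failing test above.
        Authorizable found = um.getAuthorizable(principal);
        if (found != null && !found.isGroup()) {
            throw new RepositoryException(groupName + " exists but is not a group");
        }
        Group group = (found != null) ? (Group) found : um.createGroup(principal);

        // Reuse the ACL already bound to the path, else take an applicable one.
        AccessControlManager acm = session.getAccessControlManager();
        AccessControlList acl = null;
        for (AccessControlPolicy p : acm.getPolicies(path)) {
            if (p instanceof AccessControlList) { acl = (AccessControlList) p; }
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (acl == null && it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof AccessControlList) { acl = (AccessControlList) p; }
        }
        if (acl == null) {
            throw new RepositoryException("no editable access control list at " + path);
        }
        // Grant only what the role needs; Privilege.JCR_ALL is the broadest choice.
        Privilege[] privileges = new Privilege[privilegeNames.length];
        for (int i = 0; i < privilegeNames.length; i++) {
            privileges[i] = acm.privilegeFromName(privilegeNames[i]);
        }
        acl.addAccessControlEntry(group.getPrincipal(), privileges);
        acm.setPolicy(path, acl);

        group.addMember(um.createUser(userId, password));
        session.save(); // setPolicy is transient until the session is saved
        return group;
    }
}
```

Call it from a session with rights to edit users and access control, and check afterwards with a session of the new user that it can do what the role requires and nothing beyond it.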
