Hi all,
I am doing some testing to understand what is possible to achieve
using a combination of resource-based ACLs and principal-based ACLs in
Jackrabbit.
I am using version 2.2.0 of Jackrabbit core with the CombinedProvider.
I've written a test which prevents a user userX from reading a given
node called A. This was achieved by setting up an ACL on the node A to
deny read access to userX.
By inheritance, userX is not granted read access on a sub folder of A
called subfolder.
I then create a principal-based ACL which grants the user read access
to a sub folder of /A/subfolder: /A/subfolder/subfolder.
Even though userX has been granted the right via the Principal-based
ACL, he is not able to read the folder.
Is this actually possible? I wonder if principal-based and
resource-based ACLs can work together but only on separate sets of
nodes.
In case it might help, I enclose an extract from the test I am running
(written in Scala).
Regards,
Guillaume Belrose.
// Imports needed by the extract below. The helpers rwSession, roSession and
// withACL (open a session / look up the applicable ACL, then save) come from
// the rest of the test suite and are not shown here.
import javax.jcr.{PathNotFoundException, PropertyType, Value}
import javax.jcr.security.Privilege
import scala.collection.JavaConversions._ // addEntry expects a java.util.Map, not a Scala Map

"The user fred" should {

  "not be able to see the existing node 'A' with an ACL which prevents access" in {
    // As superuser: create /A and deny userX everything on it (resource-based ACL)
    rwSession(repository, superuserName, superuserPassword) { session =>
      session.getRootNode.addNode("A")
      withACL(session, "/A") { acl =>
        acl.addEntry(
          session.getUserManager.getAuthorizable(username).getPrincipal,
          Array(session.getAccessControlManager.privilegeFromName(Privilege.JCR_ALL)),
          false) // isAllow = false: deny entry
      }
    }
    // As userX: /A must not be visible
    evaluating {
      rwSession(repository, username, username) { session =>
        session.getNode("/A")
      }
    } should produce [PathNotFoundException]
  }

  "(by inheritance) not be able to see any subnode of the node 'A'" in {
    rwSession(repository, superuserName, superuserPassword) { session =>
      session.getNode("/A").addNode("subfolder")
    }
    // The deny on /A is inherited, so /A/subfolder is hidden as well
    evaluating {
      rwSession(repository, username, username) { session =>
        session.getNode("/A/subfolder")
      }
    } should produce [PathNotFoundException]
  }

  "be able to see sub nodes of /A/subfolder thanks to a pattern granting read access" in {
    rwSession(repository, superuserName, superuserPassword) { session =>
      session.getNode("/A/subfolder").addNode("subfolder")
      val user = session.getUserManager.getAuthorizable(username)
      // Principal-based ACL: allow jcr:read, restricted to /A/subfolder with glob "/subfolder"
      withACL(session, user.getPrincipal) { acl =>
        val vf = session.getValueFactory
        val read = Array(session.getAccessControlManager.privilegeFromName(Privilege.JCR_READ))
        val restrictions: Map[String, Value] = Map(
          "rep:nodePath" -> vf.createValue("/A/subfolder", PropertyType.PATH),
          "rep:glob"     -> vf.createValue("/subfolder")
        )
        acl.addEntry(user.getPrincipal, read, true, restrictions) // isAllow = true
      }
    }
    // As userX: expected to succeed, but currently fails with PathNotFoundException
    roSession(repository, username, username) { session =>
      session.getNode("/A/subfolder/subfolder")
    }
  }
}
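The Jackrabbit API calls that helpers like withACL wrap, written out as a stand-alone Scala program. This is an added example, not the poster's test and not Jackrabbit project code. It assumes a repository home directory `repo` whose workspace.xml selects the combined provider (`<AccessControlProvider class="org.apache.jackrabbit.core.security.authorization.combined.CombinedProvider"/>` inside `<WorkspaceSecurity>`), the TransientRepository default admin/admin credentials, a user id `userX`, and Scala 2.8.1 or later for `JavaConverters`. It sets up the same deny-on-/A plus principal-based grant and then reports, as userX, what the combined evaluation actually yields for each path instead of asserting it, since that outcome is the open question.

```scala
import java.security.Principal
import javax.jcr.{PathNotFoundException, PropertyType, Repository, Session, SimpleCredentials, Value}
import javax.jcr.security.Privilege
import org.apache.jackrabbit.api.JackrabbitSession
import org.apache.jackrabbit.api.security.{JackrabbitAccessControlList, JackrabbitAccessControlManager}
import org.apache.jackrabbit.core.TransientRepository
import scala.collection.JavaConverters._

object CombinedAclDemo extends App {
  // Assumed repository home; its workspace.xml must configure CombinedProvider
  val repository: Repository = new TransientRepository("repo/repository.xml", "repo")
  val userId = "userX" // assumed user id

  // Resource-based ACL bound to a node path: reuse the one already set, else take the applicable one
  def aclForPath(acm: JackrabbitAccessControlManager, path: String): JackrabbitAccessControlList =
    acm.getPolicies(path).collectFirst { case l: JackrabbitAccessControlList => l }.getOrElse {
      val it = acm.getApplicablePolicies(path)
      var found: JackrabbitAccessControlList = null
      while (found == null && it.hasNext) it.nextAccessControlPolicy() match {
        case l: JackrabbitAccessControlList => found = l
        case _ =>
      }
      if (found == null) throw new IllegalStateException("no resource-based ACL applicable at " + path)
      found
    }

  // Principal-based ACL bound to a principal (only offered by the principal-based or combined provider)
  def aclForPrincipal(acm: JackrabbitAccessControlManager, p: Principal): JackrabbitAccessControlList = {
    val candidates = acm.getPolicies(p) ++ acm.getApplicablePolicies(p)
    candidates.collectFirst { case l: JackrabbitAccessControlList => l }
      .getOrElse(throw new IllegalStateException("no principal-based ACL available for " + p.getName))
  }

  val admin = repository.login(new SimpleCredentials("admin", "admin".toCharArray))
  try {
    val um = admin.asInstanceOf[JackrabbitSession].getUserManager
    val user = Option(um.getAuthorizable(userId)).getOrElse(um.createUser(userId, userId))
    val principal = user.getPrincipal
    val acm = admin.getAccessControlManager.asInstanceOf[JackrabbitAccessControlManager]
    val vf = admin.getValueFactory
    def priv(name: String) = acm.privilegeFromName(name)

    // Content tree: /A/subfolder/subfolder
    val root = admin.getRootNode
    val a = if (root.hasNode("A")) root.getNode("A") else root.addNode("A")
    val sub = if (a.hasNode("subfolder")) a.getNode("subfolder") else a.addNode("subfolder")
    if (!sub.hasNode("subfolder")) sub.addNode("subfolder")

    // 1. Resource-based deny of jcr:all on /A, inherited by the whole subtree
    val denyAcl = aclForPath(acm, "/A")
    denyAcl.addEntry(principal, Array(priv(Privilege.JCR_ALL)), false)
    acm.setPolicy("/A", denyAcl)

    // 2. Principal-based allow of jcr:read, restricted to /A/subfolder with glob "/subfolder"
    val allowAcl = aclForPrincipal(acm, principal)
    val restrictions: java.util.Map[String, Value] = Map(
      "rep:nodePath" -> vf.createValue("/A/subfolder", PropertyType.PATH),
      "rep:glob"     -> vf.createValue("/subfolder")
    ).asJava
    allowAcl.addEntry(principal, Array(priv(Privilege.JCR_READ)), true, restrictions)
    acm.setPolicy(allowAcl.getPath, allowAcl) // a principal-based policy is bound at its own path
    admin.save()
  } finally admin.logout()

  // Evaluate as userX and report what the combined provider actually grants
  val userSession = repository.login(new SimpleCredentials(userId, userId.toCharArray))
  try {
    Seq("/A", "/A/subfolder", "/A/subfolder/subfolder").foreach { path =>
      val readable = userSession.hasPermission(path, Session.ACTION_READ)
      val viaGetNode =
        try { userSession.getNode(path); "getNode ok" }
        catch { case _: PathNotFoundException => "PathNotFoundException" }
      println(path + ": hasPermission(read)=" + readable + ", " + viaGetNode)
    }
  } finally userSession.logout()
}
```

Two points worth checking when reproducing this: the principal-based template treats rep:nodePath as a mandatory restriction on each entry, which is why it is always set here, and a principal-based policy must be applied with `setPolicy` at `acl.getPath`, not at the content path the entry targets. Whether the principal-based allow can override an inherited resource-based deny is exactly what the printed lines for `/A/subfolder/subfolder` will tell you for the provider in use.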