In my quest to secure the access to the repository I removed the
everyone read access from the root node.
That leads to the situation where my users can't login any longer (I
guess it's the workspacemanager that denies the access as the users
now don't have read rights to root any longer).
I therefore tried to create some access rules to solely access the
root node (not the descendants of it, as I don't want to work with
denys).
To get there I added a path based entry to the users AccessControlList
that is valid for "/" and has a restriction which is rep:glob -> ""
That seems to work fine when I login in code: I don't see a node below "/".
However if I try to login via webdav with the cli, I get the exception:
exception: java.lang.NullPointerException
message: null
display stack trace? [y/n]y
java.lang.NullPointerException
at
org.apache.jackrabbit.spi.commons.conversion.ParsingNameResolver.getJCRName(ParsingNameResolver.java:79)
at
org.apache.jackrabbit.spi.commons.conversion.CachingNameResolver.getJCRName(CachingNameResolver.java:95)
at
org.apache.jackrabbit.spi.commons.conversion.DefaultNamePathResolver.getJCRName(DefaultNamePathResolver.java:78)
at
org.apache.jackrabbit.jcr2spi.util.LogUtil.saveGetJCRName(LogUtil.java:89)
at org.apache.jackrabbit.jcr2spi.NodeImpl.<init>(NodeImpl.java:104)
at
org.apache.jackrabbit.jcr2spi.ItemManagerImpl.createNodeInstance(ItemManagerImpl.java:322)
at
org.apache.jackrabbit.jcr2spi.ItemManagerImpl.created(ItemManagerImpl.java:347)
at
org.apache.jackrabbit.jcr2spi.state.AbstractItemStateFactory.notifyCreated(AbstractItemStateFactory.java:74)
at
org.apache.jackrabbit.jcr2spi.state.TransientISFactory.created(TransientISFactory.java:153)
at
org.apache.jackrabbit.jcr2spi.state.AbstractItemStateFactory.notifyCreated(AbstractItemStateFactory.java:74)
at
org.apache.jackrabbit.jcr2spi.state.WorkspaceItemStateFactory.createNodeState(WorkspaceItemStateFactory.java:349)
at
org.apache.jackrabbit.jcr2spi.state.WorkspaceItemStateFactory.createNodeState(WorkspaceItemStateFactory.java:101)
at
org.apache.jackrabbit.jcr2spi.state.TransientISFactory.createNodeState(TransientISFactory.java:97)
at
org.apache.jackrabbit.jcr2spi.hierarchy.NodeEntryImpl.doResolve(NodeEntryImpl.java:990)
at
org.apache.jackrabbit.jcr2spi.hierarchy.HierarchyEntryImpl.resolve(HierarchyEntryImpl.java:134)
at
org.apache.jackrabbit.jcr2spi.hierarchy.HierarchyEntryImpl.getItemState(HierarchyEntryImpl.java:253)
at
org.apache.jackrabbit.jcr2spi.ItemManagerImpl.getItem(ItemManagerImpl.java:199)
at
org.apache.jackrabbit.jcr2spi.SessionImpl.getRootNode(SessionImpl.java:233)
at
org.apache.jackrabbit.standalone.cli.core.Login.execute(Login.java:84)
at
org.apache.jackrabbit.standalone.cli.JcrClient.runCommand(JcrClient.java:255)
at
org.apache.jackrabbit.standalone.cli.JcrClient.runInteractive(JcrClient.java:210)
at org.apache.jackrabbit.standalone.Main.run(Main.java:145)
at org.apache.jackrabbit.standalone.Main.main(Main.java:61)
Any idea what that is about? I also tried the resource based ACL
instead of the path based with basically the same effect.
Another thing I don't understand is what happens when I use rep:glob
-> "*" instead. That gives me a
exception: javax.jcr.RepositoryException
message: Unauthorized
display stack trace? [y/n]y
javax.jcr.RepositoryException: Unauthorized
at
org.apache.jackrabbit.spi2dav.ExceptionConverter.generate(ExceptionConverter.java:120)
at
org.apache.jackrabbit.spi2dav.ExceptionConverter.generate(ExceptionConverter.java:51)
at
org.apache.jackrabbit.spi2dav.ExceptionConverter.generate(ExceptionConverter.java:45)
at
org.apache.jackrabbit.spi2dav.RepositoryServiceImpl.obtain(RepositoryServiceImpl.java:722)
at
org.apache.jackrabbit.spi2dav.RepositoryServiceImpl.obtain(RepositoryServiceImpl.java:666)
at
org.apache.jackrabbit.spi2davex.RepositoryServiceImpl.obtain(RepositoryServiceImpl.java:273)
at
org.apache.jackrabbit.jcr2spi.RepositoryImpl.login(RepositoryImpl.java:151)
at
org.apache.jackrabbit.commons.AbstractRepository.login(AbstractRepository.java:123)
at
org.apache.jackrabbit.standalone.cli.core.Login.execute(Login.java:79)
at
org.apache.jackrabbit.standalone.cli.JcrClient.runCommand(JcrClient.java:255)
at
org.apache.jackrabbit.standalone.cli.JcrClient.runInteractive(JcrClient.java:210)
at org.apache.jackrabbit.standalone.Main.run(Main.java:145)
at org.apache.jackrabbit.standalone.Main.main(Main.java:61)
Caused by: org.apache.jackrabbit.webdav.DavException: Unauthorized
at
org.apache.jackrabbit.webdav.client.methods.DavMethodBase.getResponseException(DavMethodBase.java:162)
at
org.apache.jackrabbit.webdav.client.methods.DavMethodBase.getResponseBodyAsMultiStatus(DavMethodBase.java:91)
at
org.apache.jackrabbit.spi2dav.RepositoryServiceImpl.obtain(RepositoryServiceImpl.java:694)
... 9 more
According to the javadoc the "*" allows "access to all siblings of
foo and foo's and the siblings' descendants."
Doesn't that include "/" in this case?
Thanks,
Markus
