hello angela,
we have investigated a lot of hours without any useable result. we find no way
to get to the AccessControlProvider from WorkspaceAccessManager#grants method.
do you have any idea how to get the AccessControlProvider?
to get a look behind the scene we made some tests with the
SimpleAccessWorkspacemanager.
we use the following configuration:
1.repository config:
<Security appName="Jackrabbit">
<!--
security manager:
class: FQN of class implementing the JackrabbitSecurityManager
interface
-->
<SecurityManager
class="org.apache.jackrabbit.core.DefaultSecurityManager"
workspaceName="security">
<WorkspaceAccessManager
class="org.apache.jackrabbit.core.security.simple.SimpleWorkspaceAccessManager"/>
</SecurityManager>
2. workspace config
<WorkspaceSecurity>
<AccessControlProvider
class="org.apache.jackrabbit.core.security.authorization.principalbased.ACLProvider">
<param name="omit-default-permission" value="true"/>
</AccessControlProvider>
</WorkspaceSecurity>
when we use the
org.apache.jackrabbit.core.security.simple.SimpleWorkspaceAccessManager instead
of our own implementation we got the following exception when trying to read
the root-node of the respective workspace.
javax.jcr.AccessDeniedException: cannot read item
cafebabe-cafe-babe-cafe-babecafebabe
at
org.apache.jackrabbit.core.ItemManager.createItemData(ItemManager.java:844)
at
org.apache.jackrabbit.core.ItemManager.getItemData(ItemManager.java:391)
at org.apache.jackrabbit.core.ItemManager.getItem(ItemManager.java:328)
at org.apache.jackrabbit.core.ItemManager.getItem(ItemManager.java:622)
at
org.apache.jackrabbit.core.ItemManager.getRootNode(ItemManager.java:531)
at
org.apache.jackrabbit.core.SessionImpl.getRootNode(SessionImpl.java:760)
at
at.spardat.jackrabbit.test.DumpRepository.main(DumpRepository.java:96)
Do you have any further hints?
best regards
ferry
-----Ursprüngliche Nachricht-----
Von: Malzer Ferdinand OSP sIT
Gesendet: Mittwoch, 23. Mai 2012 12:13
An: [email protected]
Betreff: AW: AW: AW: AW: AW: AW: remove read-access for everyone from a
principal ACL based workspace
hello angela,
the configuration you mentioned in the last mail is exactly what we mean.
Implementing the grants(Set<Principal> principals, String workspaceName) I
wonder how I could manage to implement a
getAccessControlProvider(workspaceName) too.
Is there any possibility to remember the AccessControlProvider in the init()
method using the session parameter object?
best regards
ferry
-----Ursprüngliche Nachricht-----
Von: Angela Schreiber [mailto:[email protected]]
Gesendet: Mittwoch, 23. Mai 2012 09:38
An: [email protected]
Betreff: Re: AW: AW: AW: AW: AW: remove read-access for everyone from a
principal ACL based workspace
hi ferry
> we don't want to define users per workspace because most of our users
> will have access to different workspaces.
> Therefore we would like to use the security workspace which comes with the
> DefaultSecurityManager.
ok.
> Furthermore a user should only access workspaces where he has a defined ACL
> in that workspace.
... so your implementation of the WorkspaceAccessManager would need to
verify in some way if there are any acls applying for that subject
in the target workspace, right?
the implementation of the WorkspaceAccessManager#grants method in
your custom wsp-ac-manager could for example look something like:
public boolean grants(Set<Principal> principals, String workspaceName) {
AccessControlProvider pvd = getAccessControlProvider(workspaceName);
CompiledPermissions cp = ... /* granting everything */
AccessControlPolicy[] acls = pvd.getEffectivePolicies(principals, cp);
return acls.length > 0;
}
> to avoid that every user could read every workspace, we create a new workspace
> with ACLProvider as Workspace-AccessControlProvider with option
> omit-default-permission=true.
no sure i understand what you do mean with
Workspace-AccessControlProvider.... imo your config should look as follows:
1. repository config:
<Repository>
[...]
<Security appName="...">
<SecurityManager
class="org.apache.jackrabbit.core.DefaultSecurityManager"
workspaceName="security">
<WorkspaceAccessManager class="**your-custom-wsp-access-mgr**"/>
</SecurityManager>
</Security>
[...]
</Repository>
2. workspace config
<?xml version="1.0" encoding="UTF-8"?>
<Workspace name="...">
[...]
<WorkspaceSecurity>
<AccessControlProvider
class="org.apache.jackrabbit.core.security.authorization.principalbased.AccessControlProvider">
<param name="omit-default-permission" value="true"/>
</AccessControlProvider>
</WorkspaceSecurity>
[...]
</Workspace>
hope that helps
angela
