Issue with security & authorization in Jackrabbit 2.18.0

Tue, 11 Jun 2019 22:54:45 -0700 

Dear Jackrabbit team

I have been working on developing a Jackrabbit pass system.

Now I am trying to enable the security module.

My requirement is:


1. will have to create users and provide them access to different nodes on
the Jackrabbit server.
For example there are 2 tenants that I need to onboard,
So under the root folder I may have tenant1, and tenant2 folder.
2. we need to create 2 users: t1user and t2user.
3. t1user should access only the tree that starts under tenant1, and t2user
for tenant2.
4. And the login mechanism should be token based.


Now I have been exploring AccessControl,
https://wiki.apache.org/jackrabbit/AccessControl
and few other links to create users with proper priviledges.


But it does not seem to work.

How do I create users with proper privileges ?

How do I enable token based authentication on Jackrabbit 2.18

I did not find proper documentation to follow along.


Need your kind help in solving this issue.

I am attaching some code snippet from repository.xml and user creation java
client.



-- 
*Regards*
*Tuhin*

<Security appName="Jackrabbit">

        <!-- SecurityManager 
class="org.apache.jackrabbit.core.UserPerWorkspaceSecurityManager" 
workspaceName="security" -->

        <SecurityManager 
class="org.apache.jackrabbit.core.DefaultSecurityManager"> 
               <!-- 
               optional user manager configuration 
             --> 
             <UserManager 
class="org.apache.jackrabbit.core.security.user.UserPerWorkspaceUserManager"> 
               <param name="usersPath" value="/home/users"/> 
               <param name="groupsPath" value="/home/groups"/> 
               <param name="defaultDepth" value="1"/> 
               <param name="autoExpandTree" value="true"/> 
               <AuthorizableAction 
class="org.apache.jackrabbit.core.security.user.action.AccessControlAction"> 
                 <param name="groupPrivilegeNames" value="jcr:read"/> 
                 <param name="userPrivilegeNames" value="jcr:all"/> 
               </AuthorizableAction> 
             </UserManager> 

               <!-- 
               optional workspace access manager configuration 
             --> 
           </SecurityManager> 
         <AccessManager 
class="org.apache.jackrabbit.core.security.DefaultAccessManager">
         </AccessManager>

         <LoginModule 
class="org.apache.jackrabbit.core.security.authentication.DefaultLoginModule">
          <param name="adminId" value="user1" />
        </LoginModule>
      </Security>



================= User creation code which is not 
working=============================
I always get following exception:
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 0
  at securitynstuff.CreateUser.createUsers(CreateUser.java:69)
  at securitynstuff.CreateUser.main(CreateUser.java:28)


Because when I create a new user, the policies are empty at line : 
JackrabbitAccessControlPolicy[] ps = acMgr.getApplicablePolicies(principal); // 
or getApplicablePolicies()
      System.out.println("JackrabbitAccessControlPolicy = " + ps.length);
      JackrabbitAccessControlList list = (JackrabbitAccessControlList) ps[0];





      ======Code here=======


package securitynstuff;

import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.core.RepositoryImpl;
import org.apache.jackrabbit.core.SessionImpl;
import org.apache.jackrabbit.core.config.RepositoryConfig;

import javax.jcr.*;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import java.io.File;
import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

public abstract class CreateUser {


  public static void main(String[] args) {
    // createUsers("workspace1", "james");
    createUsers("tyler3");
  }

  private static void createUsers(String userName) {
    Session session = null;
    try {
      // Repository repository = 
JcrUtils.getRepository("http://localhost:8080/server";);
      // Repository repository = new TransientRepository();
      RepositoryConfig config = null;
      try {
        config = RepositoryConfig.install(new 
File("/Users/tuhinsubhramandal/jack-repo/"));
      } catch (IOException e) {
        e.printStackTrace();
      }
      Repository repository = RepositoryImpl.create(config);

      session = repository.login(new SimpleCredentials("user1", 
"user1".toCharArray()), "jcrlocal");
      Node rootNode = session.getRootNode();
      Node grantedNode = rootNode.addNode("granted");
      rootNode.save();
      System.out.println("Granted node: " + grantedNode.getPath());

      UserManager userManager = ((SessionImpl) session).getUserManager();
      User user = userManager.createUser(userName, userName);


      AccessControlManager acm = ((SessionImpl) 
session).getAccessControlManager();
      AccessControlPolicyIterator acpi = 
acm.getApplicablePolicies(grantedNode.getPath());

      session.save();

      ///////////////////////////////////////////


      Principal principal = user.getPrincipal();

      // get the Jackrabbit access control manager
      JackrabbitAccessControlManager acMgr = (JackrabbitAccessControlManager) 
session.getAccessControlManager();

      JackrabbitAccessControlPolicy[] ps = 
acMgr.getApplicablePolicies(principal); // or getApplicablePolicies()
      System.out.println("JackrabbitAccessControlPolicy = " + ps.length);
      JackrabbitAccessControlList list = (JackrabbitAccessControlList) ps[0];


      // list entries
      JackrabbitAccessControlEntry[] entries = (JackrabbitAccessControlEntry[]) 
list.getAccessControlEntries();
      JackrabbitAccessControlEntry entry = entries[0];

      // remove entry
      list.removeAccessControlEntry(entry);

      // add entry
      Privilege[] privileges = new 
Privilege[]{acMgr.privilegeFromName(Privilege.JCR_READ)};
      Map<String, Value> restrictions = new HashMap<String, Value>();
      ValueFactory vf = session.getValueFactory();
      restrictions.put("rep:nodePath", vf.createValue("/bookstore/catalog/", 
PropertyType.PATH));
      restrictions.put("rep:glob", vf.createValue("*"));
      list.addEntry(principal, privileges, true /* allow or deny */, 
restrictions);


      System.out.println("User is created & all the new privileges are set= " + 
user);

      // Apply the policy
      session.save();

    } catch (LoginException e) {
      e.printStackTrace();
    } catch (RepositoryException e) {
      e.printStackTrace();
    } finally {
      if (session != null)
        session.logout();
    }
  }
}

Reply via email to