Pavel Jbanov wrote:
Hi,
I've just started with Jackrabbit and currently trying to get some security
going.
I'm trying to implement my own AccessManager. I took SimpleAccessManager as
a base and am following the @todo comments. I'm also going to implement (or
hopefully find) a JAAS LoginModule to work with LDAP. The way I was planning
to check access to certain Node types is to store a set of groups (that have
access to that Node) as properties in those nodes and then compare those
sets with the set of Principals (of Group class).
First of all: does this approach make sense? Is there another/better
approach or built in support for basic role/group based access management?
Any examples, tutorials?
Is it possible to get access to current Session from within AccessManager?
Because I need it in order to get the list of groups from the current
Node...
It's doable. Something along the lines of:

    public boolean isGranted(ItemId id, int permissions)
            throws ItemNotFoundException, RepositoryException {
        if (!super.isGranted(id, permissions)) {
            return false;
        }
        // resolve the item id to a JCR path so the ACL node can be looked up
        NamespaceResolver nsResolver =
            ((HierarchyManagerImpl) context.getHierarchyManager()).getNamespaceResolver();
        String path = null;
        try {
            path = context.getHierarchyManager().getPath(id).toJCRPath(nsResolver);
        } catch (NoPrefixDeclaredException npde) {
            log.error("unable to get JCR path: ", npde);
            return false;
        }
        [...]
        // systemSession is lazily created; declare the field 'volatile' so this
        // double-checked initialization is safe
        if (systemSession == null) {
            synchronized (this) {
                if (systemSession == null) {
                    try {
                        // obtain reference to repository to obtain a session instance;
                        // named jndiCtx so it does not shadow the AMContext field 'context'
                        InitialContext jndiCtx = new InitialContext();
                        Context environment = (Context) jndiCtx.lookup("java:comp/env");
                        Repository repository = (Repository) environment.lookup("jcr/repository");
                        // replace with whatever method you use to retrieve your repository
                        systemSession = repository.login(new com.somewhere.jaas.SystemCredentials());
                    } catch (Exception e) {
                        log.error("unable to obtain a system session; ", e);
                        systemSession = null;
                        return false;
                    }
                }
            }
        }
        // use systemSession to retrieve ACL nodes/properties
    }
However, the general consensus on this list seems to be that it's better
to implement it using a separate process that keeps track of the mapping
between nodeIds and ACLs for those nodes.
The process might very well implement this by reading repository content
looking for ACL entries / properties, and storing these in a cache. It
would register itself as an event listener on the repository, and update
its caches on writes to the repository.
--
-Torgeir
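The cache-plus-observation design sketched at the end of the reply, written out as an added example (this is not code from the thread or from Jackrabbit). It uses only the public JCR 1.0 API and java.security, so it does not depend on Jackrabbit internals such as AMContext. Assumptions made here: the class name GroupAclCache, the multi-valued property name "acl:groups" holding the permitted group names, keying the cache by node path rather than nodeId (observation events report paths, and not every node has a UUID), and deny-by-default with inheritance from the nearest ancestor that carries an ACL. An AccessManager would convert the ItemId to a JCR path, as the snippet above does, and call isGranted(path, groupNames(subject)). The Group type is the java.security.acl.Group the thread refers to; it was removed in JDK 14, so substitute your own group principal type on newer JDKs.

```java
import java.security.Principal;
import java.security.acl.Group;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.observation.Event;
import javax.jcr.observation.EventIterator;
import javax.jcr.observation.EventListener;
import javax.security.auth.Subject;

/**
 * Example ACL cache (not Jackrabbit code): maps node paths to the set of
 * group names allowed to access them, loaded from repository content and
 * kept current through JCR observation. The property name "acl:groups"
 * is an assumption of this example.
 */
public class GroupAclCache implements EventListener {

    public static final String GROUPS_PROPERTY = "acl:groups"; // assumed name

    private final Session systemSession; // privileged session, used only by this class
    private final Map<String, Set<String>> aclByPath =
            new ConcurrentHashMap<String, Set<String>>();

    public GroupAclCache(Session systemSession) throws RepositoryException {
        this.systemSession = systemSession;
        load(systemSession.getRootNode());
        // Any write anywhere in the workspace may add, change or remove an ACL property.
        systemSession.getWorkspace().getObservationManager().addEventListener(
                this,
                Event.NODE_ADDED | Event.NODE_REMOVED | Event.PROPERTY_ADDED
                        | Event.PROPERTY_CHANGED | Event.PROPERTY_REMOVED,
                "/", true, null, null, false);
    }

    /** Walk the tree once at startup and record every node carrying an ACL. */
    private void load(Node node) throws RepositoryException {
        refresh(node);
        for (NodeIterator it = node.getNodes(); it.hasNext();) {
            load(it.nextNode());
        }
    }

    /** Re-read one node's ACL property; drop the cache entry if the property is gone. */
    private void refresh(Node node) throws RepositoryException {
        String path = node.getPath();
        if (!node.hasProperty(GROUPS_PROPERTY)) {
            aclByPath.remove(path);
            return;
        }
        Set<String> groups = new HashSet<String>();
        for (Value v : node.getProperty(GROUPS_PROPERTY).getValues()) {
            groups.add(v.getString());
        }
        aclByPath.put(path, Collections.unmodifiableSet(groups));
    }

    /**
     * Deny by default: access is granted only if the node, or its nearest
     * ancestor that has an ACL, lists at least one of the caller's groups.
     */
    public boolean isGranted(String absPath, Set<String> callerGroups) {
        for (String p = absPath; p != null; p = parentOf(p)) {
            Set<String> allowed = aclByPath.get(p);
            if (allowed != null) {
                return !Collections.disjoint(allowed, callerGroups);
            }
        }
        return false; // no ACL anywhere up the tree: deny
    }

    private static String parentOf(String path) {
        if (path.equals("/")) return null;
        int slash = path.lastIndexOf('/');
        return slash == 0 ? "/" : path.substring(0, slash);
    }

    /** Names of the Group principals in an authenticated Subject. */
    public static Set<String> groupNames(Subject subject) {
        Set<String> names = new HashSet<String>();
        for (Principal p : subject.getPrincipals()) {
            if (p instanceof Group) names.add(p.getName());
        }
        return names;
    }

    /** Observation callback: refresh the cache entry of every node an event touched. */
    public void onEvent(EventIterator events) {
        while (events.hasNext()) {
            Event e = events.nextEvent();
            String nodePath = null;
            try {
                int type = e.getType();
                String path = e.getPath();
                // Property events carry the property path; step up to the owning node.
                nodePath = (type == Event.NODE_ADDED || type == Event.NODE_REMOVED)
                        ? path : parentOf(path);
                if (type == Event.NODE_REMOVED) {
                    aclByPath.remove(nodePath);
                    for (String cached : aclByPath.keySet()) {   // and everything below it
                        if (cached.startsWith(nodePath + "/")) aclByPath.remove(cached);
                    }
                } else {
                    systemSession.refresh(false); // pick up the other session's saved changes
                    refresh((Node) systemSession.getItem(nodePath));
                }
            } catch (RepositoryException ex) {
                // Fail closed: a node we cannot re-read loses its cached grant (log ex in real code).
                if (nodePath != null) aclByPath.remove(nodePath);
            }
        }
    }
}
```

Two caveats worth keeping in mind with this shape: JCR observation is asynchronous, so there is a short window after a save() in which the cache still reflects the old ACL, and the privileged systemSession must never be handed to callers, since it bypasses the very checks the cache exists to enforce.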