Pavel Jbanov wrote:
Hi,

I've just started with Jackrabbit and am currently trying to get some security
going.
I'm trying to implement my own AccessManager. I took SimpleAccessManager as
a base and am following the @todo comments. I'm also going to implement (or
hopefully find) a JAAS LoginModule to work with LDAP. The way I was planning
to check access to certain Node types is to store a set of groups (that have
access to that Node) as properties in those nodes and then compare those
sets with the set of Principals (of Group class).

First of all: does this approach make sense? Is there another/better
approach or built-in support for basic role/group based access management?
Any examples, tutorials?

Is it possible to get access to current Session from within AccessManager?
Because I need it in order to get the list of groups from the current
Node...

It's doable. Something along the lines of

// ItemId, HierarchyManagerImpl, NamespaceResolver and NoPrefixDeclaredException
// are Jackrabbit core classes; javax.jcr.* and javax.naming.* are standard.
public boolean isGranted(ItemId id, int permissions)
        throws ItemNotFoundException, RepositoryException {
    if (super.isGranted(id, permissions)) {

        NamespaceResolver nsResolver =
            ((HierarchyManagerImpl) context.getHierarchyManager()).getNamespaceResolver();
        String path = null;
        try {
            path = context.getHierarchyManager().getPath(id).toJCRPath(nsResolver);
        } catch (NoPrefixDeclaredException npde) {
            log.error("unable to get JCR path: ", npde);
            return false;
        }
        [...]
        if (systemSession == null) {
            synchronized (this) {
                // re-check inside the lock so only one thread opens the system session
                if (systemSession == null) {
                    try {
                        // obtain reference to repository to obtain a session instance;
                        // replace with whatever method you use to retrieve your repository
                        // (named initialContext so it does not shadow the context field used above)
                        InitialContext initialContext = new InitialContext();
                        Context environment = (Context) initialContext.lookup("java:comp/env");
                        Repository repository = (Repository) environment.lookup("jcr/repository");
                        systemSession = repository.login(new com.somewhere.jaas.SystemCredentials());
                    } catch (Exception e) {
                        log.error("unable to obtain a system session; ", e);
                        systemSession = null;
                        return false;
                    }
                }
            }
        }

        // use systemSession to retrieve ACL nodes/properties for 'path' and
        // grant only if the caller's groups match
    }
    // deny by default
    return false;
}


However, the general consensus on this list seems to be that it's better to implement it using a separate process that keeps track of the mapping from nodeIds to ACLs for those nodes.

The process might very well implement this by reading repository content looking for ACL entries / properties, and storing these in a cache. It would register itself as an event listener on the repository, and update its caches on writes to the repository.


--
-Torgeir
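As an added example (not code from this thread, and not part of Jackrabbit), here is the group-set comparison Pavel describes, combined with the system session and the event-invalidated ACL cache suggested above. The class name GroupAclResolver, the multi-valued property acl:groups, and the assumption that the custom AccessManager already holds a system session and the login Subject are all mine:

```java
import java.security.Principal;
import java.security.acl.Group;
import java.util.*;
import javax.jcr.*;
import javax.jcr.observation.*;
import javax.security.auth.Subject;

/** Hypothetical helper: group ACLs read through a system session, cached until a repository event. */
public class GroupAclResolver implements EventListener {
    static final String ACL_PROPERTY = "acl:groups";   // hypothetical multi-valued property of allowed groups
    private final Session systemSession;
    private final Map<String, Set<String>> cache = new HashMap<String, Set<String>>();
    public GroupAclResolver(Session systemSession) throws RepositoryException {
        this.systemSession = systemSession;
        // Any node or property change anywhere in the workspace invalidates the cache.
        int events = Event.NODE_ADDED | Event.NODE_REMOVED | Event.PROPERTY_ADDED
                   | Event.PROPERTY_CHANGED | Event.PROPERTY_REMOVED;
        systemSession.getWorkspace().getObservationManager().addEventListener(this, events, "/", true, null, null, false);
    }
    public void onEvent(EventIterator events) {
        synchronized (cache) { cache.clear(); }   // coarse but safe: entries are rebuilt lazily
    }

    /** Groups allowed at a node path: the nearest ancestor-or-self carrying ACL_PROPERTY decides. */
    public Set<String> allowedGroups(String path) throws RepositoryException {
        synchronized (cache) { if (cache.containsKey(path)) return cache.get(path); }
        Set<String> groups = Collections.emptySet();          // no ACL anywhere above => nobody
        Node node = (Node) systemSession.getItem(path);       // system session can read ACL props users cannot
        while (node != null) {
            if (node.hasProperty(ACL_PROPERTY)) {
                groups = new HashSet<String>();
                for (Value v : node.getProperty(ACL_PROPERTY).getValues()) groups.add(v.getString());
                break;
            }
            node = node.getDepth() == 0 ? null : node.getParent();   // stop after the root node
        }
        synchronized (cache) { cache.put(path, groups); return groups; }
    }
    /** Deny by default: grant only when one of the subject's Group principals is listed. */
    public boolean isAllowed(Subject subject, String path) {
        try {
            Set<String> allowed = allowedGroups(path);
            for (Principal p : subject.getPrincipals()) {
                if (p instanceof Group && allowed.contains(p.getName())) return true;
            }
        } catch (RepositoryException e) { /* missing path or read error: fall through to deny */ }
        return false;
    }
}
```

The AccessManager would call isAllowed(subject, path) with the JCR path it already computes from the ItemId; clearing the whole cache on every event is deliberately simple, and a per-path invalidation is the obvious refinement once the ACL layout is fixed.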
