Hey all,
For a project I'm trying to make use of the JSR 283 Access Control
(6.11) API. I know the implementations are currently in flux and it
is caveat emptor as far as consuming the available API/impl. But I do
have some questions about what is currently available specifically
concerning Principals and implementing/configuring a
PrincipalProvider. Currently in my repository.xml file I have the
<Security/> section configured to use the DefaultAccessManager,
DefaultLoginModule, and DefaultSecurityManager. I do this because of
the available AccessControlManager impls, DefaultAccessManager is the
only one to support the API for things like
addAccessControlEntry(...)/getACE(...)/hasPrivileges(...) and similar
API.
I'm using the AccessControlManager/ACE API to control access to an
unknown number of Principals which will not have a predictable "name".
Therefore defining ids in the repository.xml file such as "adminId",
"anonymousId", and "defaultUserId" isn't really an option. However if
I don't define ids in the repository.xml file I get messages saying
the "LoginModule ignored the credentials". Looking through the code I
came to the conclusion I'd need to write a PrincipalProvider that
would support the multiple Principals with various names. Is that a
correct assumption?
The next question I have is what is the proper way to configure
usage of my custom PrincipalProvider? In the repository.xml file I
have the following:

<Security appName="Jackrabbit">
  <AccessManager class="org.apache.jackrabbit.core.security.DefaultAccessManager">
  </AccessManager>
  <LoginModule class="org.apache.jackrabbit.core.security.authentication.DefaultLoginModule">
    <param name="principalprovider" value="com.foo.BasicPrincipalProvider"/>
  </LoginModule>
  <SecurityManager class="org.apache.jackrabbit.core.DefaultSecurityManager">
  </SecurityManager>
</Security>

And running a test that calls RepositoryImpl.login(Credentials) gives
me the following stack trace:

javax.jcr.LoginException: org.apache.jackrabbit.core.security.authentication.DefaultLoginModule does not support 'principalprovider: org.apache.jackrabbit.core.security.authentication.DefaultLoginModule does not support 'principalprovider: org.apache.jackrabbit.core.security.authentication.DefaultLoginModule does not support 'principalprovider
    at org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1353)
    at org.apache.jackrabbit.commons.AbstractRepository.login(AbstractRepository.java:53)
    ...
Caused by: javax.security.auth.login.LoginException: org.apache.jackrabbit.core.security.authentication.DefaultLoginModule does not support 'principalprovider
    at org.apache.jackrabbit.core.security.authentication.LocalAuthContext.login(LocalAuthContext.java:68)
    at org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1346)
    ... 22 more
javax.security.auth.login.LoginException: org.apache.jackrabbit.core.security.authentication.DefaultLoginModule does not support 'principalprovider
    at org.apache.jackrabbit.core.security.authentication.LocalAuthContext.login(LocalAuthContext.java:68)
    at org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1346)
    at org.apache.jackrabbit.commons.AbstractRepository.login(AbstractRepository.java:53)

Do none of the available LoginModules (default and simple) support
setting a custom PrincipalProvider? I see how it is used in the
AbstractLoginModule.initialize(...) method but this exception is
thrown before it ever gets to that method.
Thanks in advance for your help,
Micah