Hi,
On 23.02.2010 11:48, Angela Schreiber wrote:
> Cech. Ulrich wrote:
>> Hi Angela,
>>
>> <Authorizable#remove>
>> But the next start of the repository, the anonymous account
>> is automatically recreated although the anonymous "account"
>> is commented out in repository.xml.
>> I tried this already. After "restart" of the repository,
>> I could login with "anonymous" again. I think this is some
>> Built-in functionality of Jackrabbit.
>
> ah yes. that's right... the default always creates the
> admin and anonymous user. so you either have to prevent
> the anonymous from login (changing pw or change permissions of
> the everyone or anonymous principal depending on your ac) or
> provide your own security manager that doesn't create the anonymous.

How about a functionality to disable users, such that they are prevented from
logging in by the LoginModule/UserManager?

This has a number of advantageous consequences, IMHO:

* You don't have to set a "dummy" password or set some
  ACLs to lock a user out of the system
* You quickly prevent access to a user
* You still have the traces of the user in the system
* Re-enabling can be done easily
* No matter what ACL setting, such users will not be
  able to access the system anymore -- not even with
  password guessing or impersonation

Regards
Felix
>
>> <there is no API method for that. but with the user manager
>> implementation in JR it should work with the following...>
>> Ok, that worked. Thanks.
>> But how do you get the properties of an Authorizable?
>
> what properties are you talking about?
> the API call Authorizable#getProperty et al. only deal with
> non-protected JCR properties that are modifiable by the
> corresponding set methods... for the other props the corresp.
> API calls should be used.
> if you want to look at the properties in the regular item
> hierarchy you have to navigate to the corresponding node.
> NOTE: depending on your configuration the users may be stored
> in a separate workspace.
>
>> <User#changePassword>
>> Yes, the changing works, but I want to verify the old password
>> Like shown in the SLING-code,
>
> but this is the jackrabbit-users list.
> if you want the API to expose a changePw(old, new) method, please
> create a corresponding enhancement request.
>
>> but the same problem as before,
>> no properties nor the propertyNames are returned to verify
>> against.
>
> see above.
>
> regards
> angela
>