Hi Mark,
there was a huge misunderstanding on my part: I somehow thought that
the rep:nodepath entry in the restrictionsmap is mandatory.
But after trying it without rep:nodepath and only rep:glob it works
fine except for two issues:
1) I have to relogin with the user when I move the node in a parallel
session with the admin.
Otherwise I get exceptions like
javax.jcr.RepositoryException: Failed to list child nodes of node /test2
at org.apache.jackrabbit.core.NodeImpl$9.perform(NodeImpl.java:2186)
at org.apache.jackrabbit.core.NodeImpl$9.perform(NodeImpl.java:2177)
at
org.apache.jackrabbit.core.session.SessionState.perform(SessionState.java:188)
at org.apache.jackrabbit.core.ItemImpl.perform(ItemImpl.java:91)
at org.apache.jackrabbit.core.NodeImpl.getNodes(NodeImpl.java:2177)
at .<init>(<console>:16)
at .<clinit>(<console>)
at .<init>(<console>:11)
at .<clinit>(<console>)
at $print(<console>)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at scala.tools.nsc.interpreter.IMain$ReadEvalPrint.call(IMain.scala:704)
at
scala.tools.nsc.interpreter.IMain$Request$$anonfun$14.apply(IMain.scala:920)
at
scala.tools.nsc.interpreter.Line$$anonfun$1.apply$mcV$sp(Line.scala:43)
at scala.tools.nsc.io.package$$anon$2.run(package.scala:25)
at java.lang.Thread.run(Thread.java:662)
Caused by: javax.jcr.AccessDeniedException: cannot read item
5f182290-2be6-4b05-8731-8efbabc3750e
at
org.apache.jackrabbit.core.ItemManager.getItemData(ItemManager.java:387)
at
org.apache.jackrabbit.core.ItemManager.getItemData(ItemManager.java:337)
at
org.apache.jackrabbit.core.ItemManager.getChildNodes(ItemManager.java:727)
at org.apache.jackrabbit.core.NodeImpl$9.perform(NodeImpl.java:2181)
... 20 more
I read somewhere, that permissions are cached in the session and I
guess it has something to do with that.
2) If I am connected with the standalone client via webdav, this
relogin has to happen on the "serverside". If I just do a logout and
login again in the cli client,
I can't see the changed state. As soon as I've done a relogin with
that user on the server directly, I can relogin with the client and
everything is fine.
That's a bit annoying.
Have you also done a logout/login in the CRX UI?
Thanks for caring,
Markus
On Mon, Sep 26, 2011 at 11:13 PM, Mark Herman <[email protected]> wrote:
>
> Markus Joschko wrote:
>>
>> The policy (Resourcebased not Pathbased)
>>
>
> What do you mean Pathbased? I'm used to Resource based vs Principal based
> [0]
>
>
> Markus Joschko wrote:
>>
>> Should GlobPattern be used at all with Resourcebased Policies?
>>
> According to [1], it is not necessary because keeping it null just means all
> descendants. Note the differences between null, "", and *.
>
>
> Markus Joschko wrote:
>>
>> And if yes, how should the move operation be dealt with?
>>
>
> I was able to create desired behavior using CRX's GUI, so I imagine it is
> how jackrabbit works. Could you send the code you're using to apply the
> security, or maybe what your
> JackrabbitAccessControlList.getAccessControlEntries() contains before and
> after the move?
>
> [0] http://wiki.apache.org/jackrabbit/AccessControl#Resource-based_ACLs
> [1]
> http://jackrabbit.apache.org/api/2.2/org/apache/jackrabbit/core/security/authorization/GlobPattern.html
>
> --
> View this message in context:
> http://jackrabbit.510166.n4.nabble.com/ACLs-GlobPattern-and-move-tp3845190p3845418.html
> Sent from the Jackrabbit - Users mailing list archive at Nabble.com.
>
