well... somehow the subject doesn't match the example code below.
if you are really using 'principal based' access control you
should use the jackrabbit variants of the policy methods that
take a principal as an argument:
JackrabbitAccessControlManager#getApplicablePolicies(Principal)

a second note: i don't see why you first use principal manager and
subsequently the user manager... the second is superfluous IMO.

kind regards
angela

On 5/8/12 11:54 AM, Kanchan Mourya wrote:
Hi,

I am new to jackrabbit. I am creating a content repository. I want to give
users specific access for nodes. E.g. I want to assign read access to user john
for node /adminuser/resources

Following is the code I'm using:

    try {
        Repository repository = createJCRRepository.createRepository();
        Session session = repository.login(new SimpleCredentials("admin","".toCharArray()));
        System.out.println("connected to Repository successfully at D:/jcrconfigfile/repo....");

        Node n1 = session.getNode("/adminuser/resources");

        // usual entry point into the Jackrabbit API
        JackrabbitSession js = (JackrabbitSession) session;

        PrincipalManager pMgr = js.getPrincipalManager();
        Principal principal = pMgr.getPrincipal(session.getUserID());

        User user = ((User) js.getUserManager().getAuthorizable("john"));
        principal = user.getPrincipal();

        System.out.println("principal is ======="+principal);
        JackrabbitAccessControlManager acMgr = (JackrabbitAccessControlManager) session.getAccessControlManager();

        AccessControlPolicyIterator it = acMgr.getApplicablePolicies(n1.getPath());
        if (it.hasNext()) {
            System.out.println(" coming here to set policy");
            AccessControlPolicy policy = it.nextAccessControlPolicy();
            if (policy instanceof AccessControlList) {
                Privilege[] privileges = new Privilege[1];
                privileges[0] = acMgr.privilegeFromName(Privilege.JCR_READ);
                ((AccessControlList)policy).addAccessControlEntry(user.getPrincipal(),
                        privileges);
                acMgr.setPolicy(n1.getPath(), policy);
            }
        }

        System.out.println(" access provided");
        session.save();
        session.logout();
    } catch(Exception ex) {
        ex.printStackTrace();
    }

Problem is that the above code should give only read access to user john for
the specified node. But when I'm logging in as user john he is able to perform add,
delete, all operations on the /adminuser/resources node. John is able to add a new
node report under /adminuser/resources and is also able to delete it, which I
don't want; I want to give only read access.

Can anybody point out where I'm making a mistake?

Thanks
kanchan
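
Added example, not part of the original thread and not Jackrabbit's own code: one way to use the principal-taking policy methods named in the reply to grant john jcr:read on a node and then check that jcr:write is absent. It assumes the workspace is configured with a principal-based access control provider and that the target node is named by a rep:nodePath restriction; the class and method names are hypothetical.

```java
import java.security.Principal;
import java.util.*;
import javax.jcr.*;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.*;
import org.apache.jackrabbit.api.security.principal.PrincipalIterator;
import org.apache.jackrabbit.api.security.user.Authorizable;

public class PrincipalReadGrant {   // hypothetical helper class
    /** Returns true only if the user ends up with jcr:read but not jcr:write on absPath. */
    public static boolean grantReadOnly(Session admin, String userId, String absPath)
            throws RepositoryException {
        JackrabbitSession js = (JackrabbitSession) admin;
        Authorizable user = js.getUserManager().getAuthorizable(userId);
        if (user == null) throw new RepositoryException("unknown user: " + userId);
        Principal principal = user.getPrincipal();
        JackrabbitAccessControlManager acMgr =
                (JackrabbitAccessControlManager) admin.getAccessControlManager();

        // Reuse the policy already bound to the principal, else take an applicable one.
        JackrabbitAccessControlPolicy[] policies = acMgr.getPolicies(principal);
        if (policies.length == 0) policies = acMgr.getApplicablePolicies(principal);
        if (policies.length == 0 || !(policies[0] instanceof JackrabbitAccessControlList))
            throw new RepositoryException("no principal-based ACL offered for " + userId);
        JackrabbitAccessControlList acl = (JackrabbitAccessControlList) policies[0];

        Privilege[] read = { acMgr.privilegeFromName(Privilege.JCR_READ) };
        // Assumption: the policy scopes an entry to a node through "rep:nodePath".
        Map<String, Value> restrictions = new HashMap<String, Value>();
        for (String name : acl.getRestrictionNames())
            if ("rep:nodePath".equals(name))
                restrictions.put(name, admin.getValueFactory()
                        .createValue(absPath, acl.getRestrictionType(name)));
        acl.addEntry(principal, read, true, restrictions);   // true = allow entry
        acMgr.setPolicy(acl.getPath(), acl);
        admin.save();

        // Evaluate the user's principal together with its groups, not the user alone.
        Set<Principal> subject = new HashSet<Principal>();
        subject.add(principal);
        PrincipalIterator groups = js.getPrincipalManager().getGroupMembership(principal);
        while (groups.hasNext()) subject.add(groups.nextPrincipal());
        Privilege[] write = { acMgr.privilegeFromName(Privilege.JCR_WRITE) };
        return acMgr.hasPrivileges(absPath, subject, read)
                && !acMgr.hasPrivileges(absPath, subject, write);
    }
}
```

A false return after a successful grant means some other entry, for example one on a group the user belongs to, still yields jcr:write on that path.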
