Re: Problem adding Principal-based ACLs

Karsten Priegnitz Sun, 16 Aug 2015 06:37:58 -0700

I found this really useful utility class, to accomplish what I needed:


                UserManager um = session.getUserManager();
                User user = (User) um.getAuthorizable(username);

                // add privileges

AccessControlUtils.addAccessControlEntry(session, "/",user.getPrincipal(),

                        new String[] { Privilege.JCR_ALL }, true);

                session.save();

No need to do anything else, eg. changes in repository.xml orworkspace.xml - at least when using the jackrabbit-webapp.



Karsten R. Priegnitz

programmierer | web-entwickler | linux administrator | digitaler nomade

business: kontakt <http://petoria.de/portfolio/contact-about/> |portfolio <http://petoria.de/portfolio/>

------------------------------------------------------------------------

Am 13.08.2015 um 15:48 schrieb Clay Ferguson:

Karsten,

I have a web app that I "think" is doing it reasonably correct (ACLs), or
at least appears to work. You can find the working code here:
https://github.com/Clay-Ferguson/meta64
Just download the zip and search for the keywords "acl", "privilege",
"principle". Also see AclService.java and AccessControlUtil.java.

Best regards,
Clay Ferguson
[email protected]


On Thu, Aug 13, 2015 at 5:21 AM, Karsten Priegnitz <[email protected]> wrote:

Hallo group,

I'm trying to add Principal-based ACLs as described here:
http://wiki.apache.org/jackrabbit/AccessControl. But using that code I
get an ArrayIndexOutOfBoundsException.

I have the jackrabbit-webapp-2.10.1 running from sources in Eclipse.
Works. Next I wrote a servlet that does init stuff: add 2 users adam & eve
and grant them ACL_ALL (all privileges) on the root node.

Code:

public class MyInitServlet extends HttpServlet {

     @Override
     protected void doGet(HttpServletRequest req, HttpServletResponse resp)
throws ServletException,
             IOException {

         super.doGet(req, resp);

         try {
             // get the repo from context

             ServletContext context = this.getServletContext();
             Repository repo = (Repository)
context.getAttribute(Repository.class.getName());

             // login as admin

             JackrabbitSession session = (JackrabbitSession)
Helper.login(repo,
                     Helper.ADMIN_CREDENTIALS);

             UserManager um = session.getUserManager();
             for (String username : new String[] { "adam", "eve"}) {

                 // create the user

                 Authorizable authorizable = um.getAuthorizable(username);
                 if (authorizable == null) {
                     um.createUser(username, username);
                     session.save();
                 }

                 User user = (User) um.getAuthorizable(username);
                 addPrivileges(session, user, Privilege.JCR_ALL);

                 session.save();

                 LOG.info(" created user '{}'", username);
             }

             ...

         } catch (Exception e) {
             e.printStackTrace();
         }

     }

     public static void addPrivileges(JackrabbitSession session, User user,
String... privileges)
             throws AccessDeniedException, AccessControlException,
             UnsupportedRepositoryOperationException, RepositoryException {

         // add principal-based privileges
         // @see: http://wiki.apache.org/jackrabbit/AccessControl

         JackrabbitAccessControlManager acm =
(JackrabbitAccessControlManager) session
                 .getAccessControlManager();

         Principal principal = user.getPrincipal();

         JackrabbitAccessControlPolicy[] ps =
acm.getApplicablePolicies(principal);
         // next is line 133:
         JackrabbitAccessControlList list = (JackrabbitAccessControlList)
ps[0];

         // add privileges

         Privilege[] nprivileges = new Privilege[privileges.length];
         int i = 0;
         for (String p : privileges) {
             nprivileges[i] = acm.privilegeFromName(p);
             i++;
         }

         Map<String, Value> restrictions = new HashMap<String, Value>();
         ValueFactory vf = session.getValueFactory();

         restrictions.put("rep:nodePath", vf.createValue("/",
PropertyType.PATH));
         restrictions.put("rep:glob", vf.createValue("*"));

         list.addEntry(principal, nprivileges, true /* allow or deny */,
restrictions);

         // store privilege changes

         acm.setPolicy(list.getPath(), list);

     }

And I also added this to ~/jackrabbit/workspaces/security/workspace.xml:

         <WorkspaceSecurity>
             <AccessControlProvider
class="org.apache.jackrabbit.core.security.authorization.combined.CombinedProvider"
/>
         </WorkspaceSecurity>

But when I trigger my servlet I get an empty array in line 132:

2015-08-13 12:06:06.364 INFO  [http-bio-8080-exec-3] MyInitServlet.java:64
called: doGet(org.apache.catalina.connector.RequestFacade@67a4315b
,org.apache.catalina.connector.ResponseFacade@639bb977)
2015-08-13 12:06:06.419 INFO  [http-bio-8080-exec-3]
CachingEntryCollector.java:362 Creating cache with max size of: 5000
2015-08-13 12:06:06.420 INFO  [http-bio-8080-exec-3]
CachingEntryCollector.java:369 Root is special-cased: true
2015-08-13 12:06:06.421 INFO  [http-bio-8080-exec-3]
CachingEntryCollector.java:73 Cache Update Strategy: T
2015-08-13 12:06:06.421 INFO  [http-bio-8080-exec-3]
CachingEntryCollector.java:78 Caching entries with no ACLs: false
2015-08-13 12:06:06.466 WARN  [http-bio-8080-exec-3]
UserManagerImpl.java:858 Unexpected user/group node type
rep:AuthorizableFolder
2015-08-13 12:06:06.468 WARN  [http-bio-8080-exec-3]
UserManagerImpl.java:858 Unexpected user/group node type
rep:AuthorizableFolder
2015-08-13 12:06:06.469 WARN  [http-bio-8080-exec-3]
UserManagerImpl.java:858 Unexpected user/group node type
rep:AuthorizableFolder
2015-08-13 12:06:06.470 WARN  [http-bio-8080-exec-3]
UserManagerImpl.java:858 Unexpected user/group node type
rep:AuthorizableFolder
2015-08-13 12:06:06.471 WARN  [http-bio-8080-exec-3]
UserManagerImpl.java:858 Unexpected user/group node type
rep:AuthorizableFolder
2015-08-13 12:06:06.770 INFO  [http-bio-8080-exec-3] ClusterNode.java:711
[1] 1 system@security:/ (24906)
2015-08-13 12:06:06.857 INFO  [http-bio-8080-exec-3]
CachingEntryCollector.java:362 Creating cache with max size of: 5000
2015-08-13 12:06:06.858 INFO  [http-bio-8080-exec-3]
CachingEntryCollector.java:369 Root is special-cased: true
2015-08-13 12:06:06.858 INFO  [http-bio-8080-exec-3]
CachingEntryCollector.java:73 Cache Update Strategy: T
2015-08-13 12:06:06.858 INFO  [http-bio-8080-exec-3]
CachingEntryCollector.java:78 Caching entries with no ACLs: false
java.lang.ArrayIndexOutOfBoundsException: 0
     at my.jcrweb.j2ee.MyInitServlet.addPrivileges(MyInitServlet.java:133)
     at my.jcrweb.j2ee.MyInitServlet.doGet(MyInitServlet.java:100)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:620)


I also read this thread:
http://jackrabbit.510166.n4.nabble.com/Setting-up-Access-Control-td3809801.html

I also tried acl.getPolicies() instead of getApplicablePolicies()

I'm totally stuck here ... Am I doing something wrong, generally or ...
how do I create my own empty JackrabbitAccessControlList?

Karsten

Re: Problem adding Principal-based ACLs

Reply via email to