I was using the TransientRepository implementation of the Repository interface. Access control functionality is not supported in that implementation. That can be checked by querying the descriptor table with the OPTION_ACCESS_CONTROL_SUPPORTED option. I changed it to RepositoryImpl and it has been working fine now.

On Wed, Aug 26, 2015 at 11:16 AM, Karsten Priegnitz <[email protected]> wrote:

> What exactly did you do to make it work? K
>
> Atif Manzoor <[email protected]> wrote:
>
> > Hi Clay and Robert, it turned out that I was not properly configuring my
> > repository, so it does not have any ACL attached to it. It has been
> > working fine now.
> >
> > Thanks for your suggestions.
> >
> > Kind regards,
> > Atif
> >
> > On Tue, Aug 25, 2015 at 4:15 PM, Clay Ferguson <[email protected]> wrote:
> >
> > > I'm experimenting with meta64.com discussion capability. Who wants to
> > > discuss this stuff on there, and see if the meta64 works well as a
> > > discussion engine? I'm trying to make Social Media a federated free
> > > commodity, rather than monopolized by Disqus, Facebook, etc. Join me...
> > >
> > > http://meta64.com?id=/wclayf/public/oak-jackrabbit-discussions
> > >
> > > Best regards,
> > > Clay Ferguson
> > > [email protected]
> > >
> > > On Tue, Aug 25, 2015 at 9:51 AM, Robert Munteanu <[email protected]> wrote:
> > >
> > > > Hi,
> > > >
> > > > On Tue, 2015-08-25 at 09:44 -0500, Clay Ferguson wrote:
> > > > > Atif, just beware that the "addChildren" privilege doesn't work as
> > > > > one would expect. If you want a principal to be able to add children
> > > > > to a node you must add ALL of the following privileges:
> > > > >
> > > > > "read", "write", "addChildren", "nodeTypeManagement"
> > > >
> > > > I think you can simply use rep:write ( not jcr:write ) as a shorthand.
> > > >
> > > > > That cost me many hours of headache, and at least one other person
> > > > > also. My personal belief this functionality requirement was an
> > > > > accident rather than by design and no one who is an Adobe customer
> > > > > has complained so they are leaving it as is.
> > > >
> > > > As far as I can tell the behaviour is according to the Access Control
> > > > Management chapter of the JCR 2.0 specification [1]. If there's a gap
> > > > between the spec and the implementation it's definitely worth a bug
> > > > report.
> > > >
> > > > Cheers,
> > > >
> > > > Robert
> > > >
> > > > [1]: http://www.day.com/specs/jcr/2.0/16_Access_Control_Management.html#16.2.3%20Standard%20Privileges
> > > >
> > > > > Best regards,
> > > > > Clay Ferguson
> > > > > [email protected]
> > > > >
> > > > > On Tue, Aug 25, 2015 at 5:05 AM, Atif Manzoor <[email protected]> wrote:
> > > > >
> > > > > > Hi Karsten
> > > > > >
> > > > > > No actually I was just trying out the simplest case to control
> > > > > > access to a particular code. At later stage I will allow or
> > > > > > restrict read / write access to a node for different users.
> > > > > >
> > > > > > Kind regards,
> > > > > > Atif
> > > > > >
> > > > > > On Tue, Aug 25, 2015 at 10:53 AM, Karsten Priegnitz <[email protected]> wrote:
> > > > > >
> > > > > > > Hi Atif
> > > > > > >
> > > > > > > reading your code it seems to me you just want to add JCR_ALL
> > > > > > > privileges to some user. This is what allow() does. No need to
> > > > > > > do something else. And: "admin" normally already has these
> > > > > > > privileges.
> > > > > > >
> > > > > > > I'd try this (not tested)
> > > > > > >
> > > > > > >     AccessControlUtils.allow(session.getRootNode(),
> > > > > > >             EveryonePrincipal.getInstance().getName(), Privilege.JCR_ALL);
> > > > > > >
> > > > > > > What do you want to accomplish? Make everyone admin?
> > > > > > >
> > > > > > > Karsten R. Priegnitz
> > > > > > >
> > > > > > > programmer | web developer | linux administrator | digital nomad
> > > > > > > business: contact <http://petoria.de/portfolio/contact-about/> | portfolio <http://petoria.de/portfolio/>
> > > > > > >
> > > > > > > On 25.08.2015 at 10:54, Atif Manzoor wrote:
> > > > > > >
> > > > > > > > Hi Karsten
> > > > > > > >
> > > > > > > > Thanks a lot for your help. I tried AccessControlUtils.allow(),
> > > > > > > > however AccessControlUtils.getACL() is still returning NULL. I
> > > > > > > > think I may also have to do something else to enable access
> > > > > > > > control on that particular node. Following is my complete code
> > > > > > > > that tried AccessControlUtils. I am still getting Null for acl.
> > > > > > > >
> > > > > > > >     Repository repository = new TransientRepository();
> > > > > > > >     Session session = repository.login(new SimpleCredentials("admin",
> > > > > > > >             "password".toCharArray()));
> > > > > > > >     Node root = session.getRootNode();
> > > > > > > >     root.addNode("leftChild");
> > > > > > > >     root.addNode("rightChild");
> > > > > > > >
> > > > > > > >     session.save();
> > > > > > > >     String path = session.getRootNode().getPath();
> > > > > > > >     System.out.println(path);
> > > > > > > >     AccessControlManager acm = session.getAccessControlManager();
> > > > > > > >     AccessControlUtils.allow(session.getRootNode(), "admin", Privilege.JCR_ALL);
> > > > > > > >     AccessControlList acl = AccessControlUtils.getAccessControlList(session, path);
> > > > > > > >     for (AccessControlEntry e : acl.getAccessControlEntries()) {
> > > > > > > >         acl.removeAccessControlEntry(e);
> > > > > > > >     }
> > > > > > > >     acl.addAccessControlEntry(EveryonePrincipal.getInstance(),
> > > > > > > >             new Privilege[] { acm.privilegeFromName(Privilege.JCR_ALL) });
> > > > > > > >     acm.setPolicy(path, acl);
> > > > > > > >     session.save();
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Atif
> > > > > > > >
> > > > > > > > On Tue, Aug 25, 2015 at 7:46 AM, Karsten Priegnitz <[email protected]> wrote:
> > > > > > > >
> > > > > > > > > Hi Atif,
> > > > > > > > >
> > > > > > > > > I had the same problem as you and then I found
> > > > > > > > >
> > > > > > > > > org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils:
> > > > > > > > >
> > > > > > > > > and that's all:
> > > > > > > > >
> > > > > > > > >     AccessControlUtils.allow(session.getRootNode(), username, Privilege.JCR_ALL);
> > > > > > > > >
> > > > > > > > > Best
> > > > > > > > > Karsten
> > > > > > > > >
> > > > > > > > > Karsten R. Priegnitz
> > > > > > > > >
> > > > > > > > > programmer | web developer | linux administrator | digital nomad
> > > > > > > > > business: contact <http://petoria.de/portfolio/contact-about/> | portfolio <http://petoria.de/portfolio/>
> > > > > > > > >
> > > > > > > > > On 24.08.2015 at 22:40, Clay Ferguson wrote:
> > > > > > > > >
> > > > > > > > > > I'm not *that* much of an expert, but it kind of works by
> > > > > > > > > > bubbling up towards the root I believe. So if you query for
> > > > > > > > > > ACL on a node and it finds none, that is fine. It just means
> > > > > > > > > > that node is effectively controlled by an ancestor. Once you
> > > > > > > > > > start adding ACL privs the that root starts applying those
> > > > > > > > > > there and all beneath it on the tree recursively. By default
> > > > > > > > > > 'admin' user has full privileges and everyone else has none.
> > > > > > > > > > The session that creates a node I think by default has all
> > > > > > > > > > privs on that node, but I'd have to check my code...I might
> > > > > > > > > > be adding privs when creating. Look at my "controller" class,
> > > > > > > > > > and that is the top level, and a lot of stuff like creating
> > > > > > > > > > new nodes, moving nodes, adding ACLs etc can be sussed out by
> > > > > > > > > > just looking at my code and not even running it. It's not too
> > > > > > > > > > complicated. Does that answer the question?
> > > > > > > > > >
> > > > > > > > > > Best regards,
> > > > > > > > > > Clay Ferguson
> > > > > > > > > > [email protected]
> > > > > > > > > >
> > > > > > > > > > On Mon, Aug 24, 2015 at 2:53 PM, Atif Manzoor <[email protected]> wrote:
> > > > > > > > > >
> > > > > > > > > > > Hi Clay
> > > > > > > > > > >
> > > > > > > > > > > Thanks a lot for your response. I have been through your
> > > > > > > > > > > code and have found that you have also been using
> > > > > > > > > > > getApplicablePolicies(path) and getPolicies(path) function
> > > > > > > > > > > to get AccessControlList (ACL) object, however both of
> > > > > > > > > > > these functions have not been returning any ACL policies
> > > > > > > > > > > for me. In other words my node does not contain any
> > > > > > > > > > > modifiable ACL. Can you tell me why that is? What will I
> > > > > > > > > > > have to do, so that the node should also have modifiable
> > > > > > > > > > > ACL.
> > > > > > > > > > >
> > > > > > > > > > > Kind regards,
> > > > > > > > > > > Atif
> > > > > > > > > > >
> > > > > > > > > > > On Mon, Aug 24, 2015 at 7:01 PM, Clay Ferguson <[email protected]> wrote:
> > > > > > > > > > >
> > > > > > > > > > > > Hello Atif,
> > > > > > > > > > > >
> > > > > > > > > > > > You should check out my open source project:
> > > > > > > > > > > > https://github.com/Clay-Ferguson/meta64
> > > > > > > > > > > >
> > > > > > > > > > > > Download the zip and search for the words 'privilege'
> > > > > > > > > > > > and/or AccessControl, etc.
> > > > > > > > > > > >
> > > > > > > > > > > > The AclService.java class has ability to do basic listing
> > > > > > > > > > > > of privileges for a node, and adding or removing
> > > > > > > > > > > > privileges from a node, and might help you some. Good
> > > > > > > > > > > > luck.
> > > > > > > > > > > >
> > > > > > > > > > > > Best regards,
> > > > > > > > > > > > Clay Ferguson
> > > > > > > > > > > > [email protected]
> > > > > > > > > > > >
> > > > > > > > > > > > On Mon, Aug 24, 2015 at 12:07 PM, Atif Manzoor <[email protected]> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > I am new to Jackrabbit and after going through the
> > > > > > > > > > > > > first hops and little bit of documentation, I was
> > > > > > > > > > > > > trying to configure Access Control for the repository
> > > > > > > > > > > > > nodes. I was extending ThirdHop tutorial for that
> > > > > > > > > > > > > purpose and was following access control wiki
> > > > > > > > > > > > > http://wiki.apache.org/jackrabbit/AccessControl and
> > > > > > > > > > > > > had the following code.
> > > > > > > > > > > > >
> > > > > > > > > > > > >     Session session = repository.login(new SimpleCredentials("username",
> > > > > > > > > > > > >             "password".toCharArray()));
> > > > > > > > > > > > >     Node node = session.getRootNode();
> > > > > > > > > > > > >     String path = node.getPath();
> > > > > > > > > > > > >     AccessControlManager acm = session.getAccessControlManager();
> > > > > > > > > > > > >
> > > > > > > > > > > > >     Privilege[] privileges = new Privilege[] {
> > > > > > > > > > > > >             acm.privilegeFromName(Privilege.JCR_ALL) };
> > > > > > > > > > > > >     AccessControlList acl;
> > > > > > > > > > > > >     try {
> > > > > > > > > > > > >         acl = (AccessControlList) acm.getApplicablePolicies(path)
> > > > > > > > > > > > >                 .nextAccessControlPolicy();
> > > > > > > > > > > > >     } catch (NoSuchElementException e) {
> > > > > > > > > > > > >         acl = (AccessControlList) acm.getPolicies(path)[0];
> > > > > > > > > > > > >     }
> > > > > > > > > > > > >     for (AccessControlEntry e : acl.getAccessControlEntries()) {
> > > > > > > > > > > > >         acl.removeAccessControlEntry(e);
> > > > > > > > > > > > >     }
> > > > > > > > > > > > >     acl.addAccessControlEntry(EveryonePrincipal.getInstance(), privileges);
> > > > > > > > > > > > >     acm.setPolicy(path, acl);
> > > > > > > > > > > > >     session.save();
> > > > > > > > > > > > >
> > > > > > > > > > > > > My problem is that I could not get AccessControlList
> > > > > > > > > > > > > with this code. Both functions (getApplicablePolicies
> > > > > > > > > > > > > and getAllPolicies) don't have any AccessControlList
> > > > > > > > > > > > > attached with them. Can you tell me where I went wrong.
> > > > > > > > > > > > > I have been using the default security configuration.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Thanks
> > > > > > > > > > > > > Atif
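
An added example, not code from any participant in this thread or from the Jackrabbit project: it combines the descriptor check from the final message with the ACL lookup discussed earlier, so a repository without access control support fails with a clear error instead of a null ACL, and it grants a narrow privilege set to one principal rather than `jcr:all`. The class and method names are hypothetical, and mapping Clay's "read", "write", "addChildren", "nodeTypeManagement" to the `Privilege.JCR_*` constants in the note below is an assumption.

```java
import java.security.Principal;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.UnsupportedRepositoryOperationException;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;

/** Hypothetical helper (names are assumptions); uses only the JCR 2.0 API. */
public final class AclGrant {

    // Prefer an applicable (not yet bound) ACL, then fall back to one already bound to the path.
    static AccessControlList findAcl(AccessControlManager acm, String path) throws RepositoryException {
        AccessControlPolicyIterator applicable = acm.getApplicablePolicies(path);
        while (applicable.hasNext()) {
            AccessControlPolicy p = applicable.nextAccessControlPolicy();
            if (p instanceof AccessControlList) return (AccessControlList) p;
        }
        for (AccessControlPolicy p : acm.getPolicies(path)) {
            if (p instanceof AccessControlList) return (AccessControlList) p;
        }
        return null; // no modifiable ACL at this path
    }

    // Grants the named privileges to one principal at path and persists the change.
    public static void grant(Session session, String path, Principal who, String... privilegeNames)
            throws RepositoryException {
        Repository repo = session.getRepository();
        // The descriptor is the string "true" or "false"; anything else counts as unsupported.
        if (!Boolean.parseBoolean(repo.getDescriptor(Repository.OPTION_ACCESS_CONTROL_SUPPORTED))) {
            throw new UnsupportedRepositoryOperationException("repository reports no access control support");
        }
        AccessControlManager acm = session.getAccessControlManager();
        AccessControlList acl = findAcl(acm, path);
        if (acl == null) {
            throw new RepositoryException("no modifiable ACL at " + path);
        }
        Privilege[] privileges = new Privilege[privilegeNames.length];
        for (int i = 0; i < privilegeNames.length; i++) {
            privileges[i] = acm.privilegeFromName(privilegeNames[i]);
        }
        acl.addAccessControlEntry(who, privileges);
        acm.setPolicy(path, acl);
        session.save();
    }
}
```

A call such as `AclGrant.grant(session, "/leftChild", principal, Privilege.JCR_READ, Privilege.JCR_WRITE, Privilege.JCR_ADD_CHILD_NODES, Privilege.JCR_NODE_TYPE_MANAGEMENT)` grants the add-children set described in the thread, where `principal` is whatever `java.security.Principal` the caller has resolved.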
