Hi Experts
I've been struggling to get ACLs built on a JCR structure for a while now.
The requirement seems super simple, but I can't seem to find the solution.
Let's say I have the following node structure:
car-types (Properties: jcr:primaryType, jcr:mixinType)
  - bmw (Properties: jcr:primaryType, jcr:mixinType, jcr:uuid, brandHeadquarters, marketShare)
    - car-instances
      - bmw-320i (Properties: jcr:primaryType, jcr:mixinType, jcr:uuid, price, fuelEfficiency, colour)
      - bmw-m3 (Properties: jcr:primaryType, jcr:mixinType, jcr:uuid, price, fuelEfficiency, colour)
      - bmw-530i (Properties: jcr:primaryType, jcr:mixinType, jcr:uuid, price, fuelEfficiency, colour)
  - audi (Properties: jcr:primaryType, jcr:mixinType, jcr:uuid, brandHeadquarters, marketShare)
    - car-instances
      - etc.
  - mercedes (Properties: jcr:primaryType, jcr:mixinType, jcr:uuid, brandHeadquarters, marketShare)
    - car-instances
      - etc.
I want to give a specific principal access to the bmw node and ONE OF the
instances underneath bmw (for example, bmw-320i), so that I can reference
it from a Sling Model, but I DON'T want him to have access to all the child
nodes of bmw.
So my approach is to add 4 specific ACEs to each node in my tree using a
rep:glob pattern "" (see code snippet below).
This works "fine", because the user is then only able to access the
required nodes, but unfortunately, he is not able to see the properties of
the relevant nodes, which makes it impossible for me to build my sling
model. If I use a more lenient glob pattern (like null, or /*) then he can
see the properties, but also ALL the other cars.
So the question is: what would the glob pattern be to make him see the
nodes I want him to see along with their properties, but not the other
nodes?
(Or of course, if I'm approaching this entirely wrong, please guide me in
the right direction)
Below is a snippet of my code (simplified slightly for forum-sake):
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;

AccessControlManager aclMgr = session.getAccessControlManager();
Privilege[] readOnlyPrivileges = new Privilege[] { aclMgr.privilegeFromName(Privilege.JCR_READ) };
...
addAceToNode("/content/app/car-types", principal, readOnlyPrivileges, "", session);
addAceToNode("/content/app/car-types/bmw", principal, readOnlyPrivileges, "", session);
addAceToNode("/content/app/car-types/bmw/car-instances", principal, readOnlyPrivileges, "", session);
addAceToNode("/content/app/car-types/bmw/car-instances/bmw-320i", principal, readOnlyPrivileges, "", session);
...
private void addAceToNode(String path, Principal principal, Privilege[] privilegeArray,
                          String globPattern, Session session) throws RepositoryException {
    ...
    AccessControlManager aclMgr = session.getAccessControlManager();
    AccessControlList acl = AccessControlUtils.getAccessControlList(session, path);
    JackrabbitAccessControlList jacl = (JackrabbitAccessControlList) acl;
    // Limit this ACE to the items matched by the rep:glob pattern
    Map<String, Value> restrictions = new HashMap<String, Value>();
    ValueFactory vf = session.getValueFactory();
    restrictions.put("rep:glob", vf.createValue(globPattern));
    jacl.addEntry(principal, privilegeArray, true, restrictions);
    aclMgr.setPolicy(jacl.getPath(), jacl);
    session.save();
}
Note: I've probably read this page
(https://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html)
a thousand times by now, but the examples provided only make sense if your
sub-nodes have specific naming patterns, which doesn't really apply in my
case.
Note2: This issue is in an AEM project, but I'm sure the actual question is
Jackrabbit OAK specific.
I will really appreciate it if someone can point me in the right direction.
Tx
Greg Fullard
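The quickest way to settle which glob pattern exposes which items is to apply a candidate ACE and then look at the tree through a session that belongs to the restricted user, rather than reasoning from the documentation table. The helper below is an added example written for this thread; it is not code from the original post or from Jackrabbit Oak. It assumes an admin session that is allowed to impersonate the test user, a constructed user id "car-reader", and the paths used in the post; it applies the ACEs with the same Jackrabbit API calls as the snippet above and then collects every node and property path the restricted session can read.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.Property;
import javax.jcr.PropertyIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.jcr.Value;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;

/**
 * Experiment harness for rep:glob restrictions: grant one ACE, then list what the
 * restricted principal can actually read. Hypothetical helper, not part of Oak.
 */
public class GlobRestrictionCheck {

    /** Grant privilegeNames at path, limited by a rep:glob restriction (null = no restriction). */
    public static void grant(Session adminSession, String path, Principal principal,
                             String[] privilegeNames, String globPattern) throws RepositoryException {
        AccessControlManager acMgr = adminSession.getAccessControlManager();
        Privilege[] privileges = new Privilege[privilegeNames.length];
        for (int i = 0; i < privilegeNames.length; i++) {
            privileges[i] = acMgr.privilegeFromName(privilegeNames[i]);
        }
        JackrabbitAccessControlList acl =
                (JackrabbitAccessControlList) AccessControlUtils.getAccessControlList(adminSession, path);
        Map<String, Value> restrictions = new HashMap<String, Value>();
        if (globPattern != null) {
            restrictions.put("rep:glob", adminSession.getValueFactory().createValue(globPattern));
        }
        acl.addEntry(principal, privileges, true, restrictions);
        acMgr.setPolicy(acl.getPath(), acl);
        adminSession.save();
    }

    /**
     * Walk the subtree below rootPath with the restricted user's own session and collect
     * every node and property path it can read. Items the user may not see are simply
     * absent from the iterators, so the list is what a Sling Model running as that
     * user would be able to adapt.
     */
    public static List<String> readableItems(Session userSession, String rootPath) throws RepositoryException {
        List<String> readable = new ArrayList<String>();
        if (!userSession.nodeExists(rootPath)) {
            return readable; // the root of the check itself is hidden from this user
        }
        collect(userSession.getNode(rootPath), readable);
        return readable;
    }

    private static void collect(Node node, List<String> out) throws RepositoryException {
        out.add(node.getPath());
        for (PropertyIterator it = node.getProperties(); it.hasNext();) {
            Property p = it.nextProperty();
            out.add(p.getPath());
        }
        for (NodeIterator it = node.getNodes(); it.hasNext();) {
            collect(it.nextNode(), out);
        }
    }

    /** Usage: the four ACEs from the post, then a dump of what user "car-reader" (constructed id) sees. */
    public static void example(Session adminSession, Principal principal) throws RepositoryException {
        String[] read = { Privilege.JCR_READ };
        grant(adminSession, "/content/app/car-types", principal, read, "");
        grant(adminSession, "/content/app/car-types/bmw", principal, read, "");
        grant(adminSession, "/content/app/car-types/bmw/car-instances", principal, read, "");
        grant(adminSession, "/content/app/car-types/bmw/car-instances/bmw-320i", principal, read, "");

        // Impersonate the restricted user from the admin session (assumes impersonation is permitted).
        Session userSession = adminSession.impersonate(new SimpleCredentials("car-reader", new char[0]));
        try {
            for (String item : readableItems(userSession, "/content/app/car-types")) {
                System.out.println(item);
            }
        } finally {
            userSession.logout();
        }
    }
}
```

Because grant() takes privilege names rather than a fixed array, the same harness can be re-run with a different glob value or with Oak's finer-grained read privileges (jcr:read in Oak aggregates rep:readNodes and rep:readProperties), and the printed list shows directly whether the node's properties became visible and whether any sibling car instances leaked along with them.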