Hi Angela

Thanks for your quick response, really appreciate it.

I still need some clarity on the following aspect:

If you look at my Java client code which is creating users,
--> it is logging in using admin user
--> Then I am creating new users
--> then we are retrieving JackrabbitAccessControlManager
and AccessControlPolicy, from the newly created user.
--> this is always empty
      Principal principal = user.getPrincipal();

      // get the Jackrabbit access control manager
      JackrabbitAccessControlManager acMgr = (JackrabbitAccessControlManager) session.getAccessControlManager();

      JackrabbitAccessControlPolicy[] ps = acMgr.getApplicablePolicies(principal); // or getApplicablePolicies()
      System.out.println("JackrabbitAccessControlPolicy = " + ps.length);
      JackrabbitAccessControlList list = (JackrabbitAccessControlList) ps[0];

-----> since this list is empty, I am not able to add privilege to the
newly created user.

The example which I am referring to from the jackrabbit wiki page is not complete
and there are errors in it as well.

As per the jackrabbit wiki user creation + access control link, the program gets a
session by logging in to the repository and taking the
principal from the same user. In that case how will I attach
principal / privilege / policies to the newly created users?


*If you could guide me with the exact security section to be put in
repository.xml and some sample code for user creation and setting
privileges n policies* would be a great help.


On Wed, Jun 12, 2019 at 1:47 PM Angela Schreiber <[email protected]>
wrote:

> Hi Tuhin
>
> First of all: is there a reason not to use Jackrabbit Oak? It's the
> successor project of Jackrabbit, which is essentially in maintenance mode.
> Also there is a lot more documentation about Jackrabbit Oak at
> http://jackrabbit.apache.org/oak/docs/index.html
>
> Regarding your questions:
> - creating users -> see Jackrabbit API -> user management
> - creating access control -> see JCR 2.0 API and extensions in Jackrabbit
> API
> - token login: as far as i remember that should work out of the box unless
> you explicitly token authentication.
>
> Regarding your code snippet:
> - you should pass an absolute path and not a principal to obtain the
> (applicable) policies
> - second, if no applicable policies exist, there might already have been
> one applied to the target node before, in which case
> AccessControlManager.getPolicies(String absPath) is the right call.
> see JCR 2.0 specification for details
>
> Hope that helps
> Angela
>
>
> ________________________________________
> From: Tuhin Subhra Mandal <[email protected]>
> Sent: Wednesday, June 12, 2019 7:53 AM
> To: [email protected]
> Subject: Issue with security & authorization in Jackrabbit 2.18.0
>
> Dear Jackrabbit team
>
> I have been working on developing a Jackrabbit pass system.
>
> Now I am trying to enable the security module.
>
> My requirement is:
>
>
> 1. will have to create users and provide them access to different nodes on
> the Jackrabbit server.
> For example there are 2 tenants that I need to onboard,
> So under the root folder I may have tenant1, and tenant2 folder.
> 2. we need to create 2 users: t1user and t2user.
> 3. t1user should access only the tree that starts under tenant1, and
> t2user for tenant2.
> 4. And the login mechanism should be token based.
>
>
> Now I have been exploring AccessControl,
> https://wiki.apache.org/jackrabbit/AccessControl
> and a few other links to create users with proper privileges.
>
>
> But it does not seem to work.
>
> How do I create users with proper privileges ?
>
> How do I enable token based authentication on Jackrabbit 2.18
>
> I did not find proper documentation to follow along.
>
>
> Need your kind help in solving this issue.
>
> I am attaching some code snippet from repository.xml and user creation
> java client.
>
>
>
> --
> Regards
> Tuhin
>
>
>

-- 
*Regards*
*Tuhin*
<Security appName="Jackrabbit">

  <!-- SecurityManager class="org.apache.jackrabbit.core.UserPerWorkspaceSecurityManager" workspaceName="security" -->

  <SecurityManager class="org.apache.jackrabbit.core.DefaultSecurityManager">
    <!-- optional user manager configuration -->
    <UserManager class="org.apache.jackrabbit.core.security.user.UserPerWorkspaceUserManager">
      <param name="usersPath" value="/home/users"/>
      <param name="groupsPath" value="/home/groups"/>
      <param name="defaultDepth" value="1"/>
      <param name="autoExpandTree" value="true"/>
      <AuthorizableAction class="org.apache.jackrabbit.core.security.user.action.AccessControlAction">
        <param name="groupPrivilegeNames" value="jcr:read"/>
        <param name="userPrivilegeNames" value="jcr:all"/>
      </AuthorizableAction>
    </UserManager>

    <!-- optional workspace access manager configuration -->
  </SecurityManager>

  <AccessManager class="org.apache.jackrabbit.core.security.DefaultAccessManager">
  </AccessManager>

  <LoginModule class="org.apache.jackrabbit.core.security.authentication.DefaultLoginModule">
    <param name="adminId" value="user1" />
  </LoginModule>
</Security>



================= User creation code which is not working =================
I always get following exception:
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 0
  at securitynstuff.CreateUser.createUsers(CreateUser.java:69)
  at securitynstuff.CreateUser.main(CreateUser.java:28)


Because when I create a new user, the policies are empty at line:
      JackrabbitAccessControlPolicy[] ps = acMgr.getApplicablePolicies(principal); // or getApplicablePolicies()
      System.out.println("JackrabbitAccessControlPolicy = " + ps.length);
      JackrabbitAccessControlList list = (JackrabbitAccessControlList) ps[0];





      ======Code here=======


package securitynstuff;

import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.core.RepositoryImpl;
import org.apache.jackrabbit.core.SessionImpl;
import org.apache.jackrabbit.core.config.RepositoryConfig;

import javax.jcr.*;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import java.io.File;
import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

public abstract class CreateUser {


  public static void main(String[] args) {
    // createUsers("workspace1", "james");
    createUsers("tyler3");
  }

  private static void createUsers(String userName) {
    Session session = null;
    try {
      // Repository repository = JcrUtils.getRepository("http://localhost:8080/server");
      // Repository repository = new TransientRepository();
      RepositoryConfig config = null;
      try {
        config = RepositoryConfig.install(new File("/Users/tuhinsubhramandal/jack-repo/"));
      } catch (IOException e) {
        e.printStackTrace();
      }
      Repository repository = RepositoryImpl.create(config);

      session = repository.login(new SimpleCredentials("user1", "user1".toCharArray()), "jcrlocal");
      Node rootNode = session.getRootNode();
      Node grantedNode = rootNode.addNode("granted");
      rootNode.save();
      System.out.println("Granted node: " + grantedNode.getPath());

      UserManager userManager = ((SessionImpl) session).getUserManager();
      User user = userManager.createUser(userName, userName);


      AccessControlManager acm = ((SessionImpl) session).getAccessControlManager();
      AccessControlPolicyIterator acpi = acm.getApplicablePolicies(grantedNode.getPath());

      session.save();

      ///////////////////////////////////////////


      Principal principal = user.getPrincipal();

      // get the Jackrabbit access control manager
      JackrabbitAccessControlManager acMgr = (JackrabbitAccessControlManager) session.getAccessControlManager();

      JackrabbitAccessControlPolicy[] ps = acMgr.getApplicablePolicies(principal); // or getApplicablePolicies()
      System.out.println("JackrabbitAccessControlPolicy = " + ps.length);
      JackrabbitAccessControlList list = (JackrabbitAccessControlList) ps[0];


      // list entries
      JackrabbitAccessControlEntry[] entries = (JackrabbitAccessControlEntry[]) list.getAccessControlEntries();
      JackrabbitAccessControlEntry entry = entries[0];

      // remove entry
      list.removeAccessControlEntry(entry);

      // add entry
      Privilege[] privileges = new Privilege[]{acMgr.privilegeFromName(Privilege.JCR_READ)};
      Map<String, Value> restrictions = new HashMap<String, Value>();
      ValueFactory vf = session.getValueFactory();
      restrictions.put("rep:nodePath", vf.createValue("/bookstore/catalog/", PropertyType.PATH));
      restrictions.put("rep:glob", vf.createValue("*"));
      list.addEntry(principal, privileges, true /* allow or deny */, restrictions);


      System.out.println("User is created & all the new privileges are set= " + user);

      // Apply the policy
      session.save();

    } catch (LoginException e) {
      e.printStackTrace();
    } catch (RepositoryException e) {
      e.printStackTrace();
    } finally {
      if (session != null)
        session.logout();
    }
  }
}
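
The two points from the quoted reply (pass an absolute path to getApplicablePolicies, and fall back to AccessControlManager.getPolicies(String absPath) when nothing is applicable), written against the JCR 2.0 API as an added example; it is not part of the original mail or of the Jackrabbit project's code. It assumes an admin session and the new user's principal obtained as in the client code above, and a node path such as /tenant1; the class and method names are hypothetical.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;

// Hypothetical helper: grants a privilege on a node path, not on a principal.
public final class GrantOnPath {

  /** Returns the ACL to edit for absPath: an applicable (unset) one, or the one already set. */
  static AccessControlList findAcl(AccessControlManager acm, String absPath)
      throws RepositoryException {
    // Policies that can be set on the node but have not been set yet.
    AccessControlPolicyIterator it = acm.getApplicablePolicies(absPath);
    while (it.hasNext()) {
      AccessControlPolicy p = it.nextAccessControlPolicy();
      if (p instanceof AccessControlList) {
        return (AccessControlList) p;
      }
    }
    // Nothing applicable: a policy may already be bound to the node.
    for (AccessControlPolicy p : acm.getPolicies(absPath)) {
      if (p instanceof AccessControlList) {
        return (AccessControlList) p;
      }
    }
    return null; // the caller checks this instead of indexing element 0
  }

  /** Adds an allow entry for jcr:read on absPath for the given principal. */
  static void grantRead(Session adminSession, String absPath, Principal principal)
      throws RepositoryException {
    AccessControlManager acm = adminSession.getAccessControlManager();
    AccessControlList acl = findAcl(acm, absPath);
    if (acl == null) {
      throw new RepositoryException("No access control list available for " + absPath);
    }
    Privilege[] read = { acm.privilegeFromName(Privilege.JCR_READ) };
    acl.addAccessControlEntry(principal, read); // JCR 2.0 call: adds an allow entry
    acm.setPolicy(absPath, acl);                // bind the edited list to the node
    adminSession.save();                        // persist the policy change
  }
}
```

With the client code above this would be called as `GrantOnPath.grantRead(session, "/tenant1", user.getPrincipal())` after the tenant1 node has been created and saved.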
