Hi Tuhin
Wiki page.... as far as I know the content there is not accurate and I don't
know who put it there.
Regarding your code:
I don't get which entry you try to remove... why that? Is it the default
entry created due to the configured AccessControlAction? Then I would rather
change the action according to your needs.
What is the initial getApplicablePolicies for before the first save call?
Anyway: In order to obtain a modifiable policy for the given target path either
by calling JCR API or by using a utility method like
org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils.getAccessControlList(AccessControlManager
accessControlManager, String absPath), which internally calls
getApplicablePolicies(String absPath) and if not available getPolicies(String
absPath) as I described earlier.
So, something like
    AccessControlManager acMgr = session.getAccessControlManager();
    // returns the applicable policy or, if one is already set, the existing one
    JackrabbitAccessControlList acl =
            AccessControlUtils.getAccessControlList(acMgr, "/bookstore/catalog");
    if (acl != null) {
        Map<String, Value> restrictions = new HashMap<String, Value>();
        restrictions.put("rep:glob", session.getValueFactory().createValue("*"));
        // addEntry returns true only if the list was actually modified
        if (acl.addEntry(principal, privileges, true, restrictions)) {
            // write the modified policy back, then persist the change
            acMgr.setPolicy(acl.getPath(), acl);
            session.save();
        }
    }
You may notice the following differences:
- your target path was invalid (containing trailing /)
- you have to write back the modified policy as defined by JCR 2.0 API contract
Regarding restrictions:
- please use them wisely... the glob restriction just works as a simplistic
path concatenation and all items mapping the pattern will be affected. You will
find quite some details in the Oak documentation and there are also exercises
available with Jackrabbit Oak. They might differ when it comes to inner working
but for the JCR API contract they might be useful as well.
I would definitely recommend to read the access control related part of JSR 283
to understand how access control management is defined in JCR 2.0.
Kind regards
Angela
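
The path-concatenation behaviour of the glob restriction mentioned above, as an added example that is not part of the original message and is not Jackrabbit's own matcher. It is a simplified model (restriction value appended to the ACL node path, `*` matching any characters including `/`); the class name, helper names and sample paths are constructed for illustration.

```java
// Simplified model of rep:glob evaluation: the restriction value is appended
// to the path of the node holding the ACL and '*' matches any run of
// characters, '/' included. Illustration only, not Jackrabbit's matcher.
public class GlobRestrictionDemo {

    // True if itemPath is covered by an entry at aclPath with this rep:glob value.
    static boolean covers(String aclPath, String glob, String itemPath) {
        return wildcardMatch(aclPath + glob, itemPath);
    }

    // Iterative wildcard match with backtracking; '*' is the only metacharacter.
    static boolean wildcardMatch(String pattern, String text) {
        int p = 0, t = 0, star = -1, mark = 0;
        while (t < text.length()) {
            if (p < pattern.length() && pattern.charAt(p) == '*') {
                star = p++;          // remember the '*' and try matching zero chars
                mark = t;
            } else if (p < pattern.length() && pattern.charAt(p) == text.charAt(t)) {
                p++;
                t++;
            } else if (star >= 0) {
                p = star + 1;        // backtrack: let the last '*' absorb one more char
                t = ++mark;
            } else {
                return false;
            }
        }
        while (p < pattern.length() && pattern.charAt(p) == '*') {
            p++;                     // trailing '*' may match the empty string
        }
        return p == pattern.length();
    }

    public static void main(String[] args) {
        // Constructed sample paths for the two-tenant layout discussed in this thread.
        String[] items = {"/tenant1", "/tenant1/docs/a.txt",
                          "/tenant10", "/tenant10/secret", "/tenant2/docs"};
        for (String glob : new String[] {"*", "/*", ""}) {
            System.out.println("ACL at /tenant1, rep:glob=\"" + glob + "\"");
            for (String item : items) {
                String verdict = covers("/tenant1", glob, item) ? "match   " : "no match";
                System.out.println("  " + verdict + " " + item);
            }
        }
    }
}
```

In this model the value `*` on `/tenant1` also covers `/tenant10` and its subtree, `/*` covers only items below `/tenant1`, and the empty string covers only `/tenant1` itself.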
________________________________________
From: Tuhin Subhra Mandal <[email protected]>
Sent: Wednesday, June 12, 2019 11:03 AM
To: [email protected]
Subject: Re: Issue with security & authorization in Jackrabbit 2.18.0
Hi Angela
Thanks for your quick response, really appreciate it.
I still need some clarity on the following aspect:
If you look at my Java client code which is creating users,
--> it is logging in using the admin user
--> Then I am creating new users
--> then we are retrieving JackrabbitAccessControlManager and
AccessControlPolicy, from the newly created user.
--> this is always empty
    Principal principal = user.getPrincipal();
    // get the Jackrabbit access control manager
    JackrabbitAccessControlManager acMgr =
            (JackrabbitAccessControlManager) session.getAccessControlManager();
    JackrabbitAccessControlPolicy[] ps =
            acMgr.getApplicablePolicies(principal); // or getApplicablePolicies()
    System.out.println("JackrabbitAccessControlPolicy = " + ps.length);
    JackrabbitAccessControlList list = (JackrabbitAccessControlList) ps[0];
-----> since this list is empty, I am not able to add privilege to the newly
created user.
The example which I am referring to from the Jackrabbit wiki page is not
complete and there are errors in it as well.
As per the Jackrabbit wiki user creation + access control link, the program
gets a session by logging in to the repository and takes the principal from
the same user. In that case how will I attach principal/privilege/policies to
the newly created users?
If you could guide me with the exact security section to be put in
repository.xml and some sample code for user creation and setting privileges
and policies, that would be a great help.
On Wed, Jun 12, 2019 at 1:47 PM Angela Schreiber <[email protected]>
wrote:
Hi Tuhin
First of all: is there a reason not to use Jackrabbit Oak? It's the successor
project of Jackrabbit, which is essentially in maintenance mode. Also there is
a lot more documentation about Jackrabbit Oak at
http://jackrabbit.apache.org/oak/docs/index.html
Regarding your questions:
- creating users -> see Jackrabbit API -> user management
- creating access control -> see JCR 2.0 API and extensions in Jackrabbit API
- token login: as far as I remember that should work out of the box unless you
explicitly token authentication.
Regarding your code snippet:
- you should pass an absolute path and not a principal to obtain the
(applicable) policies
- second, if no applicable policies exist, there might already have been one
applied to the target node before, in which case
AccessControlManager.getPolicies(String absPath) is the right call.
see JCR 2.0 specification for details
Hope that helps
Angela
________________________________________
From: Tuhin Subhra Mandal <[email protected]>
Sent: Wednesday, June 12, 2019 7:53 AM
To: [email protected]
Subject: Issue with security & authorization in Jackrabbit 2.18.0
Dear Jackrabbit team
I have been working on developing a Jackrabbit pass system.
Now I am trying to enable the security module.
My requirement is:
1. will have to create users and provide them access to different nodes on the
Jackrabbit server.
For example there are 2 tenants that I need to onboard,
So under the root folder I may have tenant1, and tenant2 folder.
2. we need to create 2 users: t1user and t2user.
3. t1user should access only the tree that starts under tenant1, and t2user for
tenant2.
4. And the login mechanism should be token based.
Now I have been exploring AccessControl,
https://wiki.apache.org/jackrabbit/AccessControl
and a few other links to create users with proper privileges.
But it does not seem to work.
How do I create users with proper privileges?
How do I enable token based authentication on Jackrabbit 2.18?
I did not find proper documentation to follow along.
Need your kind help in solving this issue.
I am attaching some code snippet from repository.xml and user creation java
client.
--
Regards
Tuhin