在版本控制节点上向 Jackrabbit 用户强制执行读写 ACL 时出现问题

发布于 2024-12-16 00:43:07 字数 3034 浏览 2 评论 0 原文

我们正在使用 Jackrabbit 2.2.7 开发 xml 文档的存储库。

我们希望为存储库创建一组用户，并对他们强制执行某种只读和读写访问权限。我们使用了基于资源的 ACL，如此处所述。只读权限就像魅力一样。然而，当用户尝试创建/删除可版本化的节点 (mix:versionable) 时，我们很难让读写工作正常进行，即使我们授予他尽可能高的权限，<代码>特权.JCR_ALL。到目前为止我们已经意识到，对版本化节点的修改实际上并不简单。在 Jackrabbit 中，它跨越多个节点 - /jcr:system/jcr:versionStorage 就是其中之一。看来除非用户本身是admin用户，否则无法对/jcr:system/及其子节点进行修改。

所以我的问题是

：a）有没有办法让普通用户修改版本控制节点？
b) 有没有办法在 jackrabbit 中创建多个管理员用户（指针、wiki、代码片段）？

以下是 repository.xml 中的安全部分：

<Security appName="Jackrabbit">
    <SecurityManager class="org.apache.jackrabbit.core.DefaultSecurityManager" 
        workspaceName="security">
        <!-- <WorkspaceAccessManager class="..."/> -->
        <!-- <param name="config" value="${rep.home}/security.xml"/> -->
    </SecurityManager>

    <AccessManager 
        class="org.apache.jackrabbit.core.security.DefaultAccessManager">
        <!-- <param name="config" value="${rep.home}/access.xml"/> -->
    </AccessManager>

    <LoginModule 
        class="org.apache.jackrabbit.core.security.authentication.DefaultLoginModule">
       <!--
          anonymous user name ('anonymous' is the default value)
        -->
       <param name="anonymousId" value="anonymous"/>
       <!--
          administrator user id (default value if param is missing is 'admin')
        -->
       <param name="adminId" value="admin"/>
    </LoginModule>
</Security>

以下是我们创建用户和启用访问控制的方式：

    {
        ...
        JackrabbitSession js = (JackrabbitSession) session;
        UserManager um = js.getUserManager();
        Authorizable grp = um.getAuthorizable("usergroup");
        Group userGroup = null;
        if(grp == null){
            userGroup = um.createGroup("usergroup");
        }else{
            userGroup = (Group) grp;
        }

        User user = um.createUser(newUserName, newUserPass);
        userGroup.addMember(user);

        Node node = session.getNode("/root");           

        AccessControlManager acm = session.getAccessControlManager();
        AccessControlList acl = getList(acm, node.getPath());

        Privilege[] privileges = null ;
        if(privilege.equals("r")){

            privileges = new Privilege[]
            {
                acm.privilegeFromName(Privilege.JCR_READ),
                acm.privilegeFromName(Privilege.JCR_LOCK_MANAGEMENT)
            };

        }else if(privilege.equals("rw")){
            privileges = new Privilege[]
            {

                acm.privilegeFromName(Privilege.JCR_ALL)
            };
        }else{

            return;
        }
        acl.addAccessControlEntry(new PrincipalImpl(user.getID()), privileges);
        acm.setPolicy(node.getPath(), acl);

        session.save();
 }

原文

We are using Jackrabbit 2.2.7 to develop a repository for xml documents.

We want to create a bunch of users for the repository and enforce some sort of read-only and read-write access privileges on them. We have used the resource based ACL as described here. Read-only permission works as charm. However, we are having hard time getting read-write to work when a user attempts to create/delete a node that is versionable (mix:versionable), even though we grant him the highest possible privilege, Privilege.JCR_ALL. So far we have realized that the modification to a versioned node actually is not simple. In Jackrabbit, it span across multiple nodes - /jcr:system/jcr:versionStorage is one of them. It seems that unless the user is the admin user himself, he cannot make modification to /jcr:system/ and its child nodes.

So my questions are

a) is there a way I enable normal users to modify versionable nodes?
b) is there a way to create multiple admin users in jackrabbit (pointers, wiki, code snippet)?

Here is the security section from the repository.xml:

<Security appName="Jackrabbit">
    <SecurityManager class="org.apache.jackrabbit.core.DefaultSecurityManager" 
        workspaceName="security">
        <!-- <WorkspaceAccessManager class="..."/> -->
        <!-- <param name="config" value="${rep.home}/security.xml"/> -->
    </SecurityManager>

    <AccessManager 
        class="org.apache.jackrabbit.core.security.DefaultAccessManager">
        <!-- <param name="config" value="${rep.home}/access.xml"/> -->
    </AccessManager>

    <LoginModule 
        class="org.apache.jackrabbit.core.security.authentication.DefaultLoginModule">
       <!--
          anonymous user name ('anonymous' is the default value)
        -->
       <param name="anonymousId" value="anonymous"/>
       <!--
          administrator user id (default value if param is missing is 'admin')
        -->
       <param name="adminId" value="admin"/>
    </LoginModule>
</Security>

Here is how we are creating users and enabling access control:

    {
        ...
        JackrabbitSession js = (JackrabbitSession) session;
        UserManager um = js.getUserManager();
        Authorizable grp = um.getAuthorizable("usergroup");
        Group userGroup = null;
        if(grp == null){
            userGroup = um.createGroup("usergroup");
        }else{
            userGroup = (Group) grp;
        }

        User user = um.createUser(newUserName, newUserPass);
        userGroup.addMember(user);

        Node node = session.getNode("/root");           

        AccessControlManager acm = session.getAccessControlManager();
        AccessControlList acl = getList(acm, node.getPath());

        Privilege[] privileges = null ;
        if(privilege.equals("r")){

            privileges = new Privilege[]
            {
                acm.privilegeFromName(Privilege.JCR_READ),
                acm.privilegeFromName(Privilege.JCR_LOCK_MANAGEMENT)
            };

        }else if(privilege.equals("rw")){
            privileges = new Privilege[]
            {

                acm.privilegeFromName(Privilege.JCR_ALL)
            };
        }else{

            return;
        }
        acl.addAccessControlEntry(new PrincipalImpl(user.getID()), privileges);
        acm.setPolicy(node.getPath(), acl);

        session.save();
 }

分享到QQ

分享到微博