5

I can hardly find any documentation on how to design and build a repository for multiple users.

I'm quite new to Jackrabbit and I was always using one master user's credentials to build a repository that was accessed by only that one master user.

Now I need a repository that is shared by thousands of users, where each user works with his own nodes and doesn't have permissions on the others'.

The SimpleAccessManager is quite simple:

public boolean isGranted(ItemId id, int permissions) throws RepositoryException {
    checkInitialized();
    if (system) {
        // system has always all permissions
        return true;
    } else if (anonymous) {
        // anonymous is always denied WRITE & REMOVE permissions
        if ((permissions & WRITE) == WRITE
                || (permissions & REMOVE) == REMOVE) {
            return false;
        }
    }

    return true;
}

It looks like one cannot create such a multi-user repository with SimpleLoginModule and SimpleAccessManager, because it differentiates only between ADMIN and anonymous users, who can read everything but cannot write...

So one has to use DefaultAccessManager and perhaps do something like this:

Session session = repository.login(new SimpleCredentials("admin", "admin".toCharArray()));

UserManager um = ((JackrabbitSession) session).getUserManager();
User user = um.createUser("john", "doe");

/*   And assign some ACL as follows... And then play with it like this, which really sucks without proper documentation, one has to reverse engineer everything, wtf */

AccessControlManager acm = session.getAccessControlManager();
AccessControlPolicyIterator it = acm.getApplicablePolicies(testRootNode.getPath());
while (it.hasNext()) {
    AccessControlPolicy acp = it.nextAccessControlPolicy();

    Privilege[] privileges = new Privilege[]{acm.privilegeFromName(Privilege.JCR_WRITE)};

    // PrincipalImpl is org.apache.jackrabbit.core.security.principal.PrincipalImpl
    ((AccessControlList) acp).addAccessControlEntry(new PrincipalImpl(user.getUserID()), privileges);

    acm.setPolicy(testRootNode.getPath(), acp);
}

// the new user and the bound policy stay transient until the session is saved
session.save();

The repository will be accessible via OpenCMIS that supplies user credentials from client.

EDIT: this is what I was looking for: AccessControl

lisak
  • Actually Victor it's because JackRabbit is an implementation of a Java Content Repository - which is a specification. JCR ... JackRabbit....get it? – MJB Jun 16 '11 at 06:45
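The per-user setup the question is reaching for, written out as an added example (this is not code from the question or from Jackrabbit's own documentation). It assumes a Jackrabbit 2.x repository whose repository.xml Security element uses the stock DefaultSecurityManager, DefaultAccessManager and DefaultLoginModule, the bootstrap admin account "admin"/"admin", and a hypothetical parent node /users under which every user gets a private subtree. Each user is granted jcr:read and jcr:write on their own node only, and the check at the end logs in as that user and asks the session itself what it may do, which is the same answer OpenCMIS will get when it logs in with the client's credentials.

```java
import java.security.Principal;

import javax.jcr.Node;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.core.TransientRepository;

/**
 * Added example, not code from the question or from Jackrabbit itself.
 * Assumes the default security setup (DefaultSecurityManager / DefaultAccessManager /
 * DefaultLoginModule), the bootstrap "admin" account and a hypothetical /users parent node.
 */
public final class PerUserAcl {

    private static final String USERS_ROOT = "users"; // hypothetical parent node name

    /** Creates (or reuses) the user and a private node, then grants read+write on that node only. */
    static String provisionUser(Session adminSession, String userId, String password)
            throws RepositoryException {
        UserManager um = ((JackrabbitSession) adminSession).getUserManager();
        Authorizable existing = um.getAuthorizable(userId);
        User user = (existing == null) ? um.createUser(userId, password) : (User) existing;

        Node root = adminSession.getRootNode();
        Node users = root.hasNode(USERS_ROOT) ? root.getNode(USERS_ROOT)
                                              : root.addNode(USERS_ROOT, "nt:unstructured");
        Node home = users.hasNode(userId) ? users.getNode(userId)
                                          : users.addNode(userId, "nt:unstructured");
        String path = home.getPath();

        AccessControlManager acm = adminSession.getAccessControlManager();
        AccessControlList acl = findAcl(acm, path);

        // jcr:write (not jcr:all): jcr:all would include jcr:modifyAccessControl and let
        // the user rewrite the ACL on their own subtree.
        Privilege[] readWrite = new Privilege[] {
            acm.privilegeFromName(Privilege.JCR_READ),
            acm.privilegeFromName(Privilege.JCR_WRITE)
        };
        // Authorizable.getPrincipal() avoids depending on jackrabbit-core's PrincipalImpl.
        Principal owner = user.getPrincipal();
        acl.addAccessControlEntry(owner, readWrite);
        acm.setPolicy(path, acl);

        // The new nodes, the user and the bound policy are transient until saved.
        adminSession.save();
        return path;
    }

    /**
     * getApplicablePolicies() yields nothing once a policy is already bound to the node,
     * so a bound ACL has to be picked up first; otherwise a re-run would find "no applicable
     * policy" and silently skip the grant.
     */
    static AccessControlList findAcl(AccessControlManager acm, String path) throws RepositoryException {
        for (AccessControlPolicy p : acm.getPolicies(path)) {
            if (p instanceof AccessControlList) {
                return (AccessControlList) p;
            }
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof AccessControlList) {
                return (AccessControlList) p;
            }
        }
        throw new RepositoryException("no access control list can be bound at " + path);
    }

    /** Logs in as the user and asks the session whether a child node could be added there. */
    static boolean canAddChild(Repository repo, String userId, String password, String parentPath)
            throws RepositoryException {
        Session s = repo.login(new SimpleCredentials(userId, password.toCharArray()));
        try {
            return s.hasPermission(parentPath + "/newdoc", Session.ACTION_ADD_NODE);
        } finally {
            s.logout();
        }
    }

    public static void main(String[] args) throws Exception {
        Repository repo = new TransientRepository(); // ./repository.xml and ./repository
        Session admin = repo.login(new SimpleCredentials("admin", "admin".toCharArray()));
        try {
            provisionUser(admin, "john", "doe");
            provisionUser(admin, "jane", "roe");
        } finally {
            admin.logout();
        }
        // With the default setup john may add nodes under /users/john but not under /users/jane.
        System.out.println("john -> /users/john: " + canAddChild(repo, "john", "doe", "/users/john"));
        System.out.println("john -> /users/jane: " + canAddChild(repo, "john", "doe", "/users/jane"));
    }
}
```

Two things to check on a real repository: the bootstrap ACL on the root node grants the everyone group jcr:read, so a user can still read other users' subtrees unless an explicit deny entry is added there (the JCR 2.0 AccessControlList has no deny entries; Jackrabbit's own JackrabbitAccessControlList.addEntry(principal, privileges, false) does), and AccessControlManager.getEffectivePolicies(path) shows what actually applies after inheritance.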

3 Answers

2

I'm not sure what all the necessary steps are, but you could have a look at the Hippo CMS repository, which is based on Apache JackRabbit. It's an open source CMS and content repository that has implemented its own user management based on domains and facets.

You can find the source of the security part of Hippo CMS here.

Jeroen
  • I barely know jackrabbit, I'm gonna implement this with JR for starters, moreover this project is mostly about document/metadata CRUD without any UI, so hippo wouldn't be a good choice. But I've been trying to get some free time to play with Hippo, especially because of Hippo Portal, I've been developing on Liferay for a few years now, so that Hippo + JetSpeed 2 sounds very good to me – lisak Jun 17 '11 at 16:09
2

If you need a repository with "thousands of users" you are better off using a JAAS login module that authenticates the users based on some external system (LDAP or database etc.) and gives the roles. A session is returned when you log in to the repository using a workspace name and optional credentials. And as you can see from here: http://www.day.com/maven/javax.jcr/javadocs/jcr-2.0/javax/jcr/Session.html the session only exposes the nodes to which the user has access.

If you need to apply different access controls, clearly the default SimpleAccessManager isn't enough for you, so you might need to implement your own AccessManager.

Vijay Kiran
0

From the documentation,

the security configuration element is used to specify authentication and authorization settings for the repository

See JackRabbit Security configuration docs for more information.

hoipolloi
  • Specifically this piece "Once a user has been authenticated, Jackrabbit will use the configured AccessManager to control what parts of the repository content the user is allowed to access and modify. The default SimpleAccessManager class included in Jackrabbit implements a trivially simple authorization mechanism that grants full read access to all users and write access to everyone except anonymous users." – MJB Jun 16 '11 at 06:44
  • This doesn't answer my question much. Actually I was reading this yesterday, it just says that LoginModule takes care of auth and AccessManager takes care of ACL ... – lisak Jun 16 '11 at 08:37