0 votes

I'm developing a custom security scheme for a web application based on Apache Jackrabbit. I've extended the standard Jackrabbit security implementation for my needs, and so far it's working correctly. But I'm having problems with multiple principals being assigned permissions on a node.

For example, user U is a member of group G. Group G has no read permission on a node, but user U has read permission. What I mean by this is: group G has the jcr:read privilege set to deny, and user U has jcr:read set to allow on the node.

Based on this, I would assume that user U would be able to read the node, even if he is a member of a group which is not allowed to read. However, the node does not show up for user U (not expected), or for any other member of group G (expected).

Could somebody help me shed some light on this? Is my assumption correct, or does Jackrabbit calculate actual permissions differently? Or is this just an error in my security implementation?

Comments:

1 - You can also use Privilege[] AccessControlManager.getPrivileges(String absPath) to get all privileges for the current session on the node. (Aroniaina)
- Try to download the JCR spec download.oracle.com/otndocs/jcp/… and be sure you read it if you work on Jackrabbit. The Access Control Management is at section 16. (Aroniaina)

1 Answer

1 vote

From this article:

The list of access rights applicable for the subject is constructed from:

    - the rights that you assign directly to the user account
    - plus all rights assigned to any of the groups that the user belongs to

This means that Jackrabbit takes the group's privilege instead of the user's privilege. You can read the entire article; it is good for Jackrabbit security.
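A diagnostic helper for checking what the repository itself computes as the effective privileges of a user and that user's groups on a node, added here as an example; it is not code from the question, the answer, or the Jackrabbit project. It assumes Jackrabbit 2.x with jackrabbit-api on the classpath, an administrative JackrabbitSession obtained elsewhere (reading access control content needs jcr:readAccessControl), and the user id and node path passed in as parameters.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;

import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.Privilege;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;

/**
 * Added example (not from the question, answer or project): asks the repository
 * which privileges it computes for a user together with that user's groups on
 * one node, and lists the ACEs bound there. Assumes Jackrabbit 2.x and an
 * administrative session supplied by the caller.
 */
public class EffectivePrivilegeCheck {

    /** The user's own principal plus the principals of every group it belongs to. */
    public static Set<Principal> principalsOf(JackrabbitSession adminSession, String userId)
            throws RepositoryException {
        Authorizable user = adminSession.getUserManager().getAuthorizable(userId);
        if (user == null) {
            throw new IllegalArgumentException("no such authorizable: " + userId);
        }
        Set<Principal> principals = new HashSet<Principal>();
        principals.add(user.getPrincipal());
        // memberOf() is transitive, so nested group membership is included
        for (Iterator<Group> it = user.memberOf(); it.hasNext();) {
            principals.add(it.next().getPrincipal());
        }
        return principals;
    }

    /** Effective privileges for the given principal set, as evaluated by the repository. */
    public static Privilege[] effectivePrivileges(JackrabbitSession adminSession,
            Set<Principal> principals, String absPath) throws RepositoryException {
        AccessControlManager acm = adminSession.getAccessControlManager();
        if (!(acm instanceof JackrabbitAccessControlManager)) {
            throw new IllegalStateException("principal-based evaluation needs JackrabbitAccessControlManager");
        }
        return ((JackrabbitAccessControlManager) acm).getPrivileges(absPath, principals);
    }

    /** Print each ACE bound directly at absPath with its principal and allow/deny flag. */
    public static void dumpEntries(JackrabbitSession adminSession, String absPath)
            throws RepositoryException {
        AccessControlManager acm = adminSession.getAccessControlManager();
        for (AccessControlPolicy policy : acm.getPolicies(absPath)) {
            if (!(policy instanceof AccessControlList)) {
                continue;
            }
            for (AccessControlEntry ace : ((AccessControlList) policy).getAccessControlEntries()) {
                String kind = "allow";
                if (ace instanceof JackrabbitAccessControlEntry
                        && !((JackrabbitAccessControlEntry) ace).isAllow()) {
                    kind = "deny";
                }
                System.out.println(kind + " " + ace.getPrincipal().getName() + ": "
                        + names(ace.getPrivileges()));
            }
        }
    }

    /** Compare user-only evaluation with user-plus-groups evaluation for one node. */
    public static void report(JackrabbitSession adminSession, String userId, String absPath)
            throws RepositoryException {
        Set<Principal> all = principalsOf(adminSession, userId);
        Set<Principal> userOnly = new HashSet<Principal>();
        userOnly.add(adminSession.getUserManager().getAuthorizable(userId).getPrincipal());

        System.out.println("ACEs at " + absPath + ":");
        dumpEntries(adminSession, absPath);
        System.out.println("user principal only: " + names(effectivePrivileges(adminSession, userOnly, absPath)));
        System.out.println("user plus groups:    " + names(effectivePrivileges(adminSession, all, absPath)));
    }

    private static String names(Privilege[] privileges) {
        StringBuilder sb = new StringBuilder();
        for (Privilege p : privileges) {
            sb.append(p.getName()).append(' ');
        }
        return sb.toString().trim();
    }
}
```

Call report(adminSession, "U", "/path/to/node") with the user id and node path from the question (placeholders here). The two printed lines make the difference visible: if "user principal only" lists jcr:read but "user plus groups" does not, the group's deny entry is what the repository's own evaluation applies, and a custom implementation can be compared against that result rather than against an assumption about precedence.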