We are using Jackrabbit 2.2.7 to develop a repository for xml documents.

We want to create a bunch of users for the repository and enforce some sort of read-only and read-write access privileges on them. We have used the resource based ACL as described here. Read-only permission works like a charm. However, we are having a hard time getting read-write to work when a user attempts to create/delete a node that is versionable (mix:versionable), even though we grant him the highest possible privilege, Privilege.JCR_ALL. So far we have realized that the modification to a versioned node actually is not simple. In Jackrabbit, it spans across multiple nodes - /jcr:system/jcr:versionStorage is one of them. It seems that unless the user is the admin user himself, he cannot make modifications to /jcr:system/ and its child nodes.

So my questions are:

  • a) is there a way I can enable normal users to modify versionable nodes?
  • b) is there a way to create multiple admin users in Jackrabbit (pointers, wiki, code snippet)?

Here is the security section from the repository.xml:

    <Security appName="Jackrabbit">
        <SecurityManager class="org.apache.jackrabbit.core.DefaultSecurityManager"
            workspaceName="security">
            <!-- <WorkspaceAccessManager class="..."/> -->
            <!-- <param name="config" value="${rep.home}/security.xml"/> -->
        </SecurityManager>

        <AccessManager
            class="org.apache.jackrabbit.core.security.DefaultAccessManager">
            <!-- <param name="config" value="${rep.home}/access.xml"/> -->
        </AccessManager>

        <LoginModule
            class="org.apache.jackrabbit.core.security.authentication.DefaultLoginModule">
            <!--
               anonymous user name ('anonymous' is the default value)
             -->
            <param name="anonymousId" value="anonymous"/>
            <!--
               administrator user id (default value if param is missing is 'admin')
             -->
            <param name="adminId" value="admin"/>
        </LoginModule>
    </Security>

Here is how we are creating users and enabling access control:

    // Imports needed by the snippet below (the post shows only the method body).
    import javax.jcr.Node;
    import javax.jcr.RepositoryException;
    import javax.jcr.Session;
    import javax.jcr.security.AccessControlList;
    import javax.jcr.security.AccessControlManager;
    import javax.jcr.security.AccessControlPolicy;
    import javax.jcr.security.AccessControlPolicyIterator;
    import javax.jcr.security.Privilege;
    import org.apache.jackrabbit.api.JackrabbitSession;
    import org.apache.jackrabbit.api.security.user.Authorizable;
    import org.apache.jackrabbit.api.security.user.Group;
    import org.apache.jackrabbit.api.security.user.User;
    import org.apache.jackrabbit.api.security.user.UserManager;
    import org.apache.jackrabbit.core.security.principal.PrincipalImpl;

    // session: an admin session on the repository; privilege: "r" or "rw"
    void createUserWithAccess(Session session, String newUserName, String newUserPass,
                              String privilege) throws RepositoryException {
        JackrabbitSession js = (JackrabbitSession) session;
        UserManager um = js.getUserManager();

        // Reuse the group if it already exists, otherwise create it
        Authorizable grp = um.getAuthorizable("usergroup");
        Group userGroup;
        if (grp == null) {
            userGroup = um.createGroup("usergroup");
        } else {
            userGroup = (Group) grp;
        }

        User user = um.createUser(newUserName, newUserPass);
        userGroup.addMember(user);

        Node node = session.getNode("/root");

        AccessControlManager acm = session.getAccessControlManager();
        AccessControlList acl = getList(acm, node.getPath());

        Privilege[] privileges;
        if (privilege.equals("r")) {
            // read-only users: read plus lock management
            privileges = new Privilege[] {
                acm.privilegeFromName(Privilege.JCR_READ),
                acm.privilegeFromName(Privilege.JCR_LOCK_MANAGEMENT)
            };
        } else if (privilege.equals("rw")) {
            // read-write users: jcr:all (aggregates every privilege, including
            // jcr:versionManagement)
            privileges = new Privilege[] {
                acm.privilegeFromName(Privilege.JCR_ALL)
            };
        } else {
            return;
        }
        acl.addAccessControlEntry(new PrincipalImpl(user.getID()), privileges);
        acm.setPolicy(node.getPath(), acl);

        session.save();
    }

    // Helper referenced above but not shown in the post. This follows the usual
    // pattern from the Jackrabbit access control examples: return the list already
    // bound to the path, or else the first applicable one.
    static AccessControlList getList(AccessControlManager acm, String path)
            throws RepositoryException {
        for (AccessControlPolicy p : acm.getPolicies(path)) {
            if (p instanceof AccessControlList) {
                return (AccessControlList) p;
            }
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof AccessControlList) {
                return (AccessControlList) p;
            }
        }
        throw new RepositoryException("no access control list available at " + path);
    }

1 Answer

The content inside /jcr:system/jcr:versionStorage cannot be directly modified. You need to use the VersionManager interface to create, remove or label versions inside the version storage. Any user with write access to the versionable node should be able to do that, as there are no extra access controls that apply to the version storage.

As for the versionable nodes themselves, note that they are read-only when checked in. You need to explicitly check out a versionable node to make it writable.
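An added example (not part of the question or the answer) of the workflow the answer describes: a normal user who holds write access on /root checks the versionable node out, edits it, and lets VersionManager.checkin() write into the version storage on his behalf, so nothing under /jcr:system is touched directly. It assumes a Repository obtained elsewhere, a user created as in the question, and the node path /root/doc1; the class name VersionedEdit is hypothetical.

```java
import javax.jcr.Node;
import javax.jcr.Repository;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.jcr.version.Version;
import javax.jcr.version.VersionHistory;
import javax.jcr.version.VersionIterator;
import javax.jcr.version.VersionManager;

public class VersionedEdit {
    // Logs in as a normal (non-admin) user and creates a new version of
    // /root/doc1 through the VersionManager. Assumed: the user already holds
    // jcr:all (or at least jcr:write plus jcr:versionManagement) on /root via
    // the ACL set up in the question. Returns the name of the new version.
    public static String editAndVersion(Repository repo, String userId, String password,
                                        String content) throws Exception {
        Session session = repo.login(new SimpleCredentials(userId, password.toCharArray()));
        try {
            VersionManager vm = session.getWorkspace().getVersionManager();
            String path = "/root/doc1";
            Node doc;
            if (session.nodeExists(path)) {
                doc = session.getNode(path);
            } else {
                doc = session.getNode("/root").addNode("doc1", "nt:unstructured");
                doc.addMixin("mix:versionable");
                session.save(); // version history is created; node starts checked out
            }
            // A checked-in versionable node is read-only: check it out first.
            if (!vm.isCheckedOut(path)) {
                vm.checkout(path);
            }
            doc.setProperty("xml", content);
            session.save();
            // checkin() is what adds the version to /jcr:system/jcr:versionStorage.
            Version v = vm.checkin(path);

            // The history is likewise read through the VersionManager, not the storage node.
            VersionHistory history = vm.getVersionHistory(path);
            for (VersionIterator it = history.getAllVersions(); it.hasNext(); ) {
                Version each = it.nextVersion();
                System.out.println(each.getName() + " " + each.getCreated().getTime());
            }
            return v.getName();
        } finally {
            session.logout();
        }
    }
}
```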