Tags: java, jackrabbit, jcr

Manage Jackrabbit Groups ACL. Access Denied adding node on node with group privileges


In a Jackrabbit repository, I'm trying to add privileges to a GROUP. I want the "designers" group to be able to write into the /templates node.

This node (/templates) is a node of type nt:folder.

First, I create a group named "designers":

    // jkSession is the admin JackrabbitSession; Roles is my own enum of group names
    UserManager userManager = jkSession.getUserManager();

    Roles[] rolesTable = { Roles.EDITOR, Roles.DESIGNER,
            Roles.OPERATOR, Roles.ADMINISTRATOR };

    for (Roles role : rolesTable) {
        // one group per role, named after the enum constant
        userManager.createGroup(role.toString());
        ...
    }

and assign privileges to this group for /templates node:

    Principal p = principalManager.findPrincipals(
            Roles.DESIGNER.toString(),
            PrincipalManager.SEARCH_TYPE_GROUP).nextPrincipal();
    Node catalogNode = session.getRootNode().getNode("templates");

    AccessControlPolicyIterator accessControlPolicyIterator = accessControlManager
            .getApplicablePolicies(catalogNode.getPath());

    AccessControlPolicy policy = accessControlPolicyIterator.nextAccessControlPolicy();

    if (policy instanceof AccessControlList) {
        AccessControlList acl = (AccessControlList) policy;
        JackrabbitAccessControlList jackAcl = (JackrabbitAccessControlList) acl;
        jackAcl.addEntry(
                p,
                new Privilege[] {
                        accessControlManager.privilegeFromName(Privilege.JCR_ADD_CHILD_NODES),
                        accessControlManager.privilegeFromName(Privilege.JCR_READ),
                        accessControlManager.privilegeFromName(Privilege.JCR_WRITE),
                        accessControlManager.privilegeFromName(Privilege.JCR_REMOVE_NODE) },
                true, null);
        // the entry only takes effect once the policy is set back on the node and saved
        accessControlManager.setPolicy(catalogNode.getPath(), jackAcl);
        session.save();
    }

Now, create a user and make him a member of the designers group:

    Principal principal = principalManager.findPrincipals(Roles.DESIGNER.toString(),
            PrincipalManager.SEARCH_TYPE_GROUP).nextPrincipal();
    Group roleToAssign = (Group) userManager.getAuthorizable(principal);

    User user = userManager.createUser(login, password);

    roleToAssign.addMember(user);
    jkSession.save(); // the new user and the membership are only persisted on save

Now log in with that user and try addNode on /templates:

    Credentials lCredentials = new SimpleCredentials(login,
            new String(pPassword).toCharArray());

    Repository tmpRepository = null;

    try {
        tmpRepository = repositoryFactory.getRepository(repositoryParams);
        session = tmpRepository.login(lCredentials, pWorkspace);
        ...
    } catch (RepositoryException e) {
        throw new IllegalStateException("login failed for " + login, e);
    }

and add node to /templates:

    session.getRootNode().getNode("templates").addNode("test", "nt:unstructured");

But it throws AccessDeniedException:

    javax.jcr.AccessDeniedException: Access denied.
        at org.apache.jackrabbit.core.security.DefaultAccessManager.checkPermission(DefaultAccessManager.java:193)
        at org.apache.jackrabbit.core.NodeImpl.addNode(NodeImpl.java:1266)
        at org.apache.jackrabbit.core.session.AddNodeOperation.perform(AddNodeOperation.java:111)
        at org.apache.jackrabbit.core.session.AddNodeOperation.perform(AddNodeOperation.java:37)
        at org.apache.jackrabbit.core.session.SessionState.perform(SessionState.java:216)
        at org.apache.jackrabbit.core.ItemImpl.perform(ItemImpl.java:91)
        at org.apache.jackrabbit.core.NodeImpl.addNodeWithUuid(NodeImpl.java:1814)
        at org.apache.jackrabbit.core.NodeImpl.addNode(NodeImpl.java:1774)
        at org.apache.jackrabbit.commons.JcrUtils.getOrAddNode(JcrUtils.java:519)

I can't find documentation about ACLs on Jackrabbit groups. Can someone help me? Thanks.


Solution

  • Fixed.

    For privileges on principals (groups or users) you must use a principal-based ACL, not a resource-based ACL like I did in this post.

    Principal-based ACL is described in:

    Jackrabbit ACL (yes, this post has been an RTFM case)

    But additionally it is necessary to add the privilege JCR_NODE_TYPE_MANAGEMENT to the privilege list in order to add child nodes of a particular type.

        privileges = new Privilege[] {
                accessControlManager.privilegeFromName(Privilege.JCR_ADD_CHILD_NODES),
                accessControlManager.privilegeFromName(Privilege.JCR_READ),
                accessControlManager.privilegeFromName(Privilege.JCR_WRITE),
                accessControlManager.privilegeFromName(Privilege.JCR_NODE_TYPE_MANAGEMENT) };


    Thanks.
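An added example (not the poster's code) of the principal-based ACL the solution refers to: the policy is looked up by principal instead of by node path, the entry carries a `rep:nodePath` restriction naming the target, and the privilege set includes `jcr:nodeTypeManagement`. It assumes an admin `Session` on a Jackrabbit 2.x repository configured with the principal-based `ACLProvider`, and a group principal already resolved as in the question; `grantWrite` and `PrincipalBasedAcl` are hypothetical names.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.jcr.PropertyType;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;

public final class PrincipalBasedAcl {

    /** Grants read, write and node-type management on targetPath to the given (group) principal. */
    public static void grantWrite(Session adminSession, Principal principal, String targetPath)
            throws RepositoryException {
        // Principal-based policies are a Jackrabbit extension of the JCR access control API
        JackrabbitAccessControlManager acMgr =
                (JackrabbitAccessControlManager) adminSession.getAccessControlManager();

        // Look the policy up by principal, not by node path as the resource-based ACL does
        JackrabbitAccessControlPolicy[] policies = acMgr.getApplicablePolicies(principal);
        if (policies.length == 0) {
            policies = acMgr.getPolicies(principal); // already bound: edit the existing list
        }
        JackrabbitAccessControlList acl = (JackrabbitAccessControlList) policies[0];

        // Least privilege for adding a typed child node: jcr:write already aggregates jcr:addChildNodes
        Privilege[] privileges = new Privilege[] {
                acMgr.privilegeFromName(Privilege.JCR_READ),
                acMgr.privilegeFromName(Privilege.JCR_WRITE),
                acMgr.privilegeFromName(Privilege.JCR_NODE_TYPE_MANAGEMENT) };

        // rep:nodePath is mandatory and says where the entry applies; rep:glob narrows the subtree
        ValueFactory vf = adminSession.getValueFactory();
        Map<String, Value> restrictions = new HashMap<String, Value>();
        restrictions.put("rep:nodePath", vf.createValue(targetPath, PropertyType.PATH));
        restrictions.put("rep:glob", vf.createValue("*")); // the node itself and everything below it

        if (!acl.addEntry(principal, privileges, true, restrictions)) {
            throw new RepositoryException("equivalent entry already present for " + principal.getName());
        }
        acMgr.setPolicy(acl.getPath(), acl); // bind the modified list back to the principal
        adminSession.save();                 // nothing is effective until the session is saved
    }
}
```

Principal-based entries are only evaluated when the workspace security configuration uses the principal-based ACLProvider (org.apache.jackrabbit.core.security.authorization.principalbased.ACLProvider); with the default resource-based provider the policy lookup by principal above will not apply.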