 | Start a set with this search |
 | Include this search in one of my sets |
 | Exclude this search from one of my sets |
 | Permalink to these results Paste this link in email or IM: |
 | Atom feed for tracking future search results Paste this URL into your reader: |
4 messages in org.apache.jackrabbit.usersRe: RepositoryImpl in the AccessManager| From | Sent On | Attachments |
|---|---|---|
| bilobag | Oct 23, 2007 11:47 am | |
| (Berry) A.W. van Halderen | Oct 31, 2007 9:32 am | |
| Nick Stolwijk | Oct 31, 2007 9:44 am | |
| bilobag | Oct 31, 2007 10:06 am |
| Permalink for this message Paste this link in email or IM: |
| Permalink for this thread Paste this link in email or IM: |
| Atom feed for this thread Paste this URL into your reader: |
| Subject: | Re: RepositoryImpl in the AccessManager | Actions... |
|---|---|---|
| From: | bilobag (bilo...@hotmail.com) | |
| Date: | Oct 31, 2007 10:06:40 am | |
| List: | org.apache.jackrabbit.users | |
Well i attempted a solution I found that instantiated a subclassed AccessManager. This AccessManager uses a system user to access the repository which would allow full access to any repository node. However, I ran into issues trying to get a reference to my RepositoryImpl inside my AccessManager and I had the same concerns about performance due to the number node lookups being done. My initial strategy was to load an Access Control List(ACL) into the session when a user logged in. Then i could use the AccessManager to check the node uuid against this ACL and allow access if the uuid was in the ACL. However, the AccessManager is run for every type of node including version nodes and nt:resource nodes. Now this would mean that I would have to load every single type of node at login which included version nodes etc... and this could possibly take forever. I really only wanted to restrict access to certain types of nodes and let everything else through. Therefore the only extra piece of information I really needed was the primary node type of the uuid that was passed to the AccessManager. Then I could check the nodeType and restrict access against my ACL if it was a nodeType that needed restriction...unlike the version and resource nodes. After much pain trying to implement an AccessManager that could get the nodeType, i decided to move on and implement a less elegant solution which involved restricting nodes in multiple places instead of in one place like the AcessManager. If anyone has an update or advice on this, I would love to try to implement it again as I think it is the ideal place to put node restriction. I just think the current jackrabbit AccessManager should provide a way to access more specific node information which in my case is the nodeType. I understand that it could be a potential performance issue, but there must be ways to optimize it. Otherwise I can not use the AccessManager to control node specific access. Any ideas or comments?
(Berry) A.W. van Halderen wrote:
On Tue, Oct 23, 2007 at 11:47:27AM -0700, bilobag wrote:
So I am attempting to create a SessionImpl with a system subject so that it can have full access to the repository. I want to use this SessionImpl in my custom AccessManager to query properties of the nodes(ie. node type) to determine whether a user should have access to a particular node. I am using spring with jackrabbit and I'm not sure what the best way is to get a ref to a RepositoryImpl. Can someone please give some advise. i have been working on this for a week straight now. Thanks in advance.
Check out our AccessManager, source available in public available SVN:
The trick is that you have to extend a number of JackRabbit classes, such that you are using your own, extended, RepositoryImpl, SessionImpl, etcetera, in order to create a own (extended) version of a HierarchyManager. This HierarchyManager can then expose, the otherwise protected method which allows you to get the actual ItemState.
HOWEVER: be very aware that there may be severe implications with this approach. I think (but maybe a jackrabbit architect can comment) that it is not by change that you have only access to ItemId in the access manager, and not to ItemState as well. This because an access manager might be required to quickly filter out non accessible items (nodes or properties) before returning. If it would need to constantly access the actual state, it might have fatal performance consequences.
We don't have experience with this yet, but it is on our mid-term to-do list. So if you gain further experience, let us (all) know.
\Berry -- Berry A.W. van Halderen b.va...@hippo.nl / ber...@halderen.net Disclaimer: the above is the author's personal opinion and is not the opinion or policy of his employer or of the little green men that have been following him all day.
--
View this message in context:
http://www.nabble.com/RepositoryImpl-in-the-AccessManager-tf4679552.html#a13514098
Sent from the Jackrabbit - Users mailing list archive at Nabble.com.