
In a Jackrabbit repository I am trying to add permissions to a GROUP. I want a "designers" group to be able to write to the /templates node.

This node (/templates) is of type nt:folder.

First, I created a group named "designers":

    userManager = jkSession.getUserManager();

    Roles[] rolesTable = { Roles.EDITOR, Roles.DESIGNER,
            Roles.OPERATOR, Roles.ADMINISTRATOR };

    for (Roles role : rolesTable) {
        userManager.createGroup(role.toString());
        ...
    }

and assigned this group permissions on the /templates node:

    p = principalManager.findPrincipals(
            Roles.DESIGNER.toString(),
            PrincipalManager.SEARCH_TYPE_GROUP)
            .nextPrincipal();
    Node catalogNode = session.getRootNode().getNode("templates");

    AccessControlPolicyIterator accessControlPolicyIterator = accessControlManager
            .getApplicablePolicies(catalogNode.getPath());

    AccessControlPolicy policy = accessControlPolicyIterator
            .nextAccessControlPolicy();

    if (policy instanceof AccessControlList) {
        AccessControlList acl = (AccessControlList) policy;
        JackrabbitAccessControlList jackAcl = (JackrabbitAccessControlList) acl;
        jackAcl.addEntry(
                p,
                new Privilege[] {
                        accessControlManager
                                .privilegeFromName(Privilege.JCR_ADD_CHILD_NODES),
                        accessControlManager
                                .privilegeFromName(Privilege.JCR_READ),
                        accessControlManager
                                .privilegeFromName(Privilege.JCR_WRITE),
                        accessControlManager
                                .privilegeFromName(Privilege.JCR_REMOVE_NODE) },
                true, null);
    }

Now I create a user and make him a member of the designers group:

    Principal principal = principalManager.findPrincipals(DESIGNER.toString(),
            PrincipalManager.SEARCH_TYPE_GROUP).nextPrincipal();
    Group roleToAssign = (Group) userManager.getAuthorizable(principal);

    user = userManager.createUser(login, password);

    roleToAssign.addMember(user);

Now I log in with that user and try to add a node to /templates:

    lCredentials = new SimpleCredentials(login, new String(pPassword)
            .toCharArray());

    Repository tmpRepository = null;

    try {
        tmpRepository = repositoryFactory.getRepository(repositoryParams);
        session = tmpRepository.login(lCredentials, pWorkspace);
        ...

and add the node under /templates:

    session.getRootNode().getNode("templates").addNode("test", "nt:unstructured");

But an AccessDeniedException is thrown:

    javax.jcr.AccessDeniedException: Access denied.
        at org.apache.jackrabbit.core.security.DefaultAccessManager.checkPermission(DefaultAccessManager.java:193)
        at org.apache.jackrabbit.core.NodeImpl.addNode(NodeImpl.java:1266)
        at org.apache.jackrabbit.core.session.AddNodeOperation.perform(AddNodeOperation.java:111)
        at org.apache.jackrabbit.core.session.AddNodeOperation.perform(AddNodeOperation.java:37)
        at org.apache.jackrabbit.core.session.SessionState.perform(SessionState.java:216)
        at org.apache.jackrabbit.core.ItemImpl.perform(ItemImpl.java:91)
        at org.apache.jackrabbit.core.NodeImpl.addNodeWithUuid(NodeImpl.java:1814)
        at org.apache.jackrabbit.core.NodeImpl.addNode(NodeImpl.java:1774)
        at org.apache.jackrabbit.commons.JcrUtils.getOrAddNode(JcrUtils.java:519)

I have not found any documentation about ACLs on Jackrabbit groups. Can anyone help me? Thanks.

1 Answer

Fixed.

For permissions on a principal (a group or a user), a principal-based ACL must be used, not a resource-based ACL as I did in this post.

Principal-based ACLs are described here:

Jackrabbit ACL (yes, this post is an RTFM case)

It is also necessary to add the privilege JCR_NODE_TYPE_MANAGEMENT to the privilege list in order to add child nodes of a specific type.

    privileges = new Privilege[] {
            accessControlManager
                    .privilegeFromName(Privilege.JCR_ADD_CHILD_NODES),
            accessControlManager
                    .privilegeFromName(Privilege.JCR_READ),
            accessControlManager
                    .privilegeFromName(Privilege.JCR_WRITE),
            accessControlManager
                    .privilegeFromName(Privilege.JCR_NODE_TYPE_MANAGEMENT) };

Thanks.

answered 2012-10-26T13:26:18.107
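The following is an added example written for this page; it is neither the poster's code nor Jackrabbit's own. It shows the complete sequence the question is after (group, member user, ACL entry on /templates, verification from the member's side) using the node-bound, resource-based ACL API that the question's snippets already use, which is what Jackrabbit's default ACLProvider supports. It includes the JCR_NODE_TYPE_MANAGEMENT privilege from the answer, and also the setPolicy() and save() calls that the JCR API requires before an ACL entry takes effect and that the question's snippet does not show. Assumed: an admin JackrabbitSession, an existing /templates node, and the placeholder names "designers" and the login passed in.

```java
import java.security.Principal;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;

/**
 * Added example: grant a group write access to /templates through a node-bound
 * (resource-based) Jackrabbit ACL, then check the grant from the member's side.
 * Assumptions: an admin JackrabbitSession, the default ACLProvider, an existing
 * /templates node. Group name and login are placeholders.
 */
public final class TemplatesAclSetup {

    static final String TEMPLATES_PATH = "/templates";
    static final String DESIGNERS_GROUP = "designers";   // placeholder group id

    /** Least-privilege set for creating typed child nodes; jcr:all is deliberately avoided. */
    static final String[] DESIGNER_PRIVILEGES = {
        Privilege.JCR_READ,
        Privilege.JCR_WRITE,               // aggregate: modifyProperties, addChildNodes, removeNode, removeChildNodes
        Privilege.JCR_NODE_TYPE_MANAGEMENT // required by addNode(name, primaryType), the call that was denied above
    };

    /** Creates the group and user if absent, adds the membership, and grants the ACL entry. */
    static void setupDesigner(JackrabbitSession admin, String login, char[] password)
            throws RepositoryException {
        UserManager um = admin.getUserManager();

        Authorizable g = um.getAuthorizable(DESIGNERS_GROUP);
        Group designers = g instanceof Group ? (Group) g : um.createGroup(DESIGNERS_GROUP);

        Authorizable u = um.getAuthorizable(login);
        User user = u instanceof User ? (User) u : um.createUser(login, new String(password));
        designers.addMember(user);

        grant(admin, TEMPLATES_PATH, designers.getPrincipal(), DESIGNER_PRIVILEGES);
    }

    /** Adds an allow entry for principal on absPath, binding a fresh ACL only if the node has none yet. */
    static void grant(Session session, String absPath, Principal principal, String... privilegeNames)
            throws RepositoryException {
        AccessControlManager acm = session.getAccessControlManager();
        Privilege[] privileges = new Privilege[privilegeNames.length];
        for (int i = 0; i < privilegeNames.length; i++) {
            privileges[i] = acm.privilegeFromName(privilegeNames[i]);
        }

        JackrabbitAccessControlList acl = null;
        // An ACL already bound to the node must be extended, not replaced by an empty one.
        for (AccessControlPolicy p : acm.getPolicies(absPath)) {
            if (p instanceof JackrabbitAccessControlList) { acl = (JackrabbitAccessControlList) p; break; }
        }
        if (acl == null) {
            AccessControlPolicyIterator it = acm.getApplicablePolicies(absPath);
            while (it.hasNext()) {
                AccessControlPolicy p = it.nextAccessControlPolicy();
                if (p instanceof JackrabbitAccessControlList) { acl = (JackrabbitAccessControlList) p; break; }
            }
        }
        if (acl == null) {
            throw new RepositoryException("no modifiable ACL available at " + absPath);
        }

        acl.addEntry(principal, privileges, true);  // true = allow entry
        acm.setPolicy(absPath, acl);                // binds the list to the node ...
        session.save();                             // ... and persists it; until save() nothing changes
    }

    /** Checks from the member's own session whether a typed child node may be added under /templates. */
    static boolean canAddTypedChild(Repository repo, String login, char[] password)
            throws RepositoryException {
        Session s = repo.login(new SimpleCredentials(login, password));
        try {
            AccessControlManager acm = s.getAccessControlManager();
            Privilege[] needed = {
                acm.privilegeFromName(Privilege.JCR_ADD_CHILD_NODES),
                acm.privilegeFromName(Privilege.JCR_NODE_TYPE_MANAGEMENT)
            };
            return acm.hasPrivileges(TEMPLATES_PATH, needed);
        } finally {
            s.logout();
        }
    }
}
```

Run setupDesigner() with the admin session, then canAddTypedChild() with the new user's credentials; hasPrivileges() evaluates the effective rights of the calling session, so the check has to be made from the member's login, not from the admin's. The answer's principal-based variant goes through JackrabbitAccessControlManager.getApplicablePolicies(Principal) instead and only works when the workspace is configured with Jackrabbit's principal-based ACLProvider; with the default provider, the node-bound list above is the one Jackrabbit evaluates.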