[Commits] (bcm) add workarounds for odd or possibly misunderstood
jackrabbit permission
commits at osafoundation.org
commits at osafoundation.org
Tue Apr 5 17:48:48 PDT 2005
Commit by: bcm
Modified files:
server/core/src/org/osaf/cosmo/jackrabbit/CosmoAccessManager.java 1.4 1.5
server/webapps/webdav/etc/applicationContext-webdav-security.xml 1.3 1.4
Log message:
add workarounds for odd or possibly misunderstood jackrabbit permission
checking behavior:
* jackrabbit seems to require read privilege on the root node when deleting
a resource, so allow anybody to read the root node but nothing else.
mitigate security exposure by adding web layer security to require root
role membership for http access to the webdav root.
* jackrabbit tries to check permissions on items that are being deleted, so
humor it by granting permission.
ViewCVS links:
http://cvs.osafoundation.org/index.cgi/server/core/src/org/osaf/cosmo/jackrabbit/CosmoAccessManager.java.diff?r1=text&tr1=1.4&r2=text&tr2=1.5
http://cvs.osafoundation.org/index.cgi/server/webapps/webdav/etc/applicationContext-webdav-security.xml.diff?r1=text&tr1=1.3&r2=text&tr2=1.4
Index: server/core/src/org/osaf/cosmo/jackrabbit/CosmoAccessManager.java
diff -u server/core/src/org/osaf/cosmo/jackrabbit/CosmoAccessManager.java:1.4 server/core/src/org/osaf/cosmo/jackrabbit/CosmoAccessManager.java:1.5
--- server/core/src/org/osaf/cosmo/jackrabbit/CosmoAccessManager.java:1.4 Mon Apr 4 17:52:36 2005
+++ server/core/src/org/osaf/cosmo/jackrabbit/CosmoAccessManager.java Tue Apr 5 17:48:46 2005
@@ -114,17 +114,39 @@
throw new IllegalStateException("not initialized");
}
+ // root users can do anything
if (isRoot()) {
return;
}
+ Path path = null;
+ try {
+ path = id2path(id);
+ } catch (ItemNotFoundException e) {
+ // not quite sure why jackrabbit tries to check
+ // permissions on items that are being deleted, but it
+ // does, so just humor it.
+ return;
+ }
+
+ // Jackrabbit seems to require read privilege on the root node
+ // when deleting a resource in a home directory, so allow
+ // anybody to read it but nothing else
+ if (path.denotesRoot()) {
+ if ((permissions & READ) == READ) {
+ return;
+ }
+ log.error("write access not supported for root node");
+ throw new AccessDeniedException();
+ }
+
// Jackrabbit does not use an AccessManager to enforce
// security for version storage (yet), but it does check read
// permissions for initializing a versionable node, so we need
// to allow it to do that.
// XXX remove when Jackrabbit gives us the ability to look up
// the versionable node from a version storage item
- if (isVersionStorageItem(id)) {
+ if (isVersionStorageItem(path)) {
if ((permissions & WRITE) == WRITE ||
(permissions & REMOVE) == REMOVE) {
log.error("write access not supported for version storage");
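Review bot: The added `catch (ItemNotFoundException e)` returns without looking at `permissions`, so for a non-root session any id that `id2path` cannot resolve is granted every requested bit, not only what the delete path needs. The workaround should fail closed for everything else: grant only the bits Jackrabbit actually asks for during a delete (which ones is not visible in this hunk) and otherwise `throw new AccessDeniedException();`. A `log.debug` of the unresolved id in that branch would make unexpected lookups visible. The same catch block is added in the `@@ -153,17 +175,39 @@` hunk, where it returns `true`, and needs the same treatment. The enclosing method starts and ends outside this hunk.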
@@ -133,7 +155,7 @@
return;
}
- if (isOwner(id)) {
+ if (isOwner(path)) {
return;
}
@@ -153,17 +175,39 @@
throw new IllegalStateException("not initialized");
}
+ // root users can do anything
if (isRoot()) {
return true;
}
+ Path path = null;
+ try {
+ path = id2path(id);
+ } catch (ItemNotFoundException e) {
+ // not quite sure why jackrabbit tries to check
+ // permissions on items that are being deleted, but it
+ // does, so just humor it.
+ return true;
+ }
+
+ // Jackrabbit seems to require read privilege on the root node
+ // when deleting a resource in a home directory, so allow
+ // anybody to read it but nothing else
+ if (path.denotesRoot()) {
+ if ((permissions & READ) == READ) {
+ return true;
+ }
+ log.error("write access not supported for root node");
+ return false;
+ }
+
// Jackrabbit does not use an AccessManager to enforce
// security for version storage (yet), but it does check read
// permissions for initializing a versionable node, so we need
// to allow it to do that.
// XXX remove when Jackrabbit gives us the ability to look up
// the versionable node from a version storage item
- if (isVersionStorageItem(id)) {
+ if (isVersionStorageItem(path)) {
if ((permissions & WRITE) == WRITE ||
(permissions & REMOVE) == REMOVE) {
log.error("write access not supported for version storage");
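Review bot: The root-node branch tests `(permissions & READ) == READ`, which is also true for a combined mask such as READ plus WRITE, so a request carrying extra bits would be granted on the root node despite the "but nothing else" comment. Comparing the whole mask, `if (permissions == READ) {`, or rejecting first when the WRITE or REMOVE bit is set (as the version-storage branch just below does) closes that gap. The identical test in the `@@ -114,17 +114,39 @@` hunk has the same problem. Whether Jackrabbit ever passes combined masks here is not visible on this page, but the check should not depend on it. The enclosing method starts and ends outside this hunk.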
@@ -173,7 +217,7 @@
return true;
}
- if (! isOwner(id)) {
+ if (! isOwner(path)) {
if (log.isDebugEnabled()) {
log.debug("permissions " + permissions + " not granted for " +
" item at path " + id2path(id));
@@ -214,16 +258,8 @@
*
* @throws Exception
*/
- public boolean isOwner(ItemId id)
- throws ItemNotFoundException, RepositoryException {
- Path path = id2path(id);
-
- // if the item represents the root node, then only root users
- // can access it
- if (path.denotesRoot()) {
- return isRoot();
- }
-
+ public boolean isOwner(Path path)
+ throws RepositoryException {
// if the item is a version history node, then find the
// versionable node it represents and use that path instead
// it will be of type nt:versionHistory with a
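Review bot: `isOwner` is public and this hunk removes its root-node guard, so any caller must now deal with `path.denotesRoot()` itself before calling it, and that precondition is not documented. The visible Javadoc tail also still says `@throws Exception` while the new signature declares only `RepositoryException`. I would add `@param path path of the item to check; callers must handle the root node before calling` and replace the throws tag with `@throws RepositoryException` plus the condition that raises it. The Javadoc begins and the method body continues outside this hunk, so what the remaining code does with a root path cannot be confirmed from here.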
@@ -281,9 +317,9 @@
return securityManager;
}
- private boolean isVersionStorageItem(ItemId id)
+ private boolean isVersionStorageItem(Path path)
throws RepositoryException {
- Path.PathElement[] pathElements = id2path(id).getElements();
+ Path.PathElement[] pathElements = path.getElements();
if (pathElements.length < 3) {
return false;
}
Index: server/webapps/webdav/etc/applicationContext-webdav-security.xml
diff -u server/webapps/webdav/etc/applicationContext-webdav-security.xml:1.3 server/webapps/webdav/etc/applicationContext-webdav-security.xml:1.4
--- server/webapps/webdav/etc/applicationContext-webdav-security.xml:1.3 Mon Apr 4 17:53:40 2005
+++ server/webapps/webdav/etc/applicationContext-webdav-security.xml Tue Apr 5 17:48:47 2005
@@ -94,6 +94,9 @@
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
+ /=ROLE_ROOT
+ /jcr:system=ROLE_ROOT
+ /jcr:system/**=ROLE_ROOT
/**=ROLE_USER,ROLE_ROOT
</value>
</property>
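Review bot: The three `ROLE_ROOT` patterns are now the only control keeping non-root users away from the repository root over HTTP, because the access manager change in this commit lets anybody read the root node, yet nothing in the file says so. A comment above them such as `<!-- compensates for CosmoAccessManager granting READ on the root node; do not remove or reorder -->` would keep a later edit from dropping them or moving them below `/**`. The match is done on the request path string, so it is worth confirming with a test that non-canonical spellings of `/` and `/jcr:system` (doubled or trailing slashes, percent-encoded characters) are normalised before comparison rather than falling through to `/**=ROLE_USER,ROLE_ROOT`. The rule also covers only this webdav filter chain; any other entry point to the repository would see the relaxed access manager without it.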