[Commits] (bcm) add workarounds for odd or possibly misunderstood jackrabbit permission

commits at osafoundation.org commits at osafoundation.org
Tue Apr 5 17:48:48 PDT 2005


Commit by: bcm
Modified files:
server/core/src/org/osaf/cosmo/jackrabbit/CosmoAccessManager.java 1.4 1.5
server/webapps/webdav/etc/applicationContext-webdav-security.xml 1.3 1.4

Log message:
add workarounds for odd or possibly misunderstood jackrabbit permission
checking behavior:

  * jackrabbit seems to require read privilege on the root node when deleting
    a resource, so allow anybody to read the root node but nothing else.
    mitigate security exposure by adding web layer security to require root
    role membership for http access to the webdav root.

  * jackrabbit tries to check permissions on items that are being deleted, so
   humor it by granting permission.



ViewCVS links:
http://cvs.osafoundation.org/index.cgi/server/core/src/org/osaf/cosmo/jackrabbit/CosmoAccessManager.java.diff?r1=text&tr1=1.4&r2=text&tr2=1.5
http://cvs.osafoundation.org/index.cgi/server/webapps/webdav/etc/applicationContext-webdav-security.xml.diff?r1=text&tr1=1.3&r2=text&tr2=1.4

Index: server/core/src/org/osaf/cosmo/jackrabbit/CosmoAccessManager.java
diff -u server/core/src/org/osaf/cosmo/jackrabbit/CosmoAccessManager.java:1.4 server/core/src/org/osaf/cosmo/jackrabbit/CosmoAccessManager.java:1.5
--- server/core/src/org/osaf/cosmo/jackrabbit/CosmoAccessManager.java:1.4	Mon Apr  4 17:52:36 2005
+++ server/core/src/org/osaf/cosmo/jackrabbit/CosmoAccessManager.java	Tue Apr  5 17:48:46 2005
@@ -114,17 +114,39 @@
             throw new IllegalStateException("not initialized");
         }
 
+        // root users can do anything
         if (isRoot()) {
             return;
         }
 
+        Path path = null;
+        try {
+            path = id2path(id);
+        } catch (ItemNotFoundException e) {
+            // not quite sure why jackrabbit tries to check
+            // permissions on items that are being deleted, but it
+            // does, so just humor it.
+            return;
+        }
+
+        // Jackrabbit seems to require read privilege on the root node
+        // when deleting a resource in a home directory, so allow
+        // anybody to read it but nothing else
+        if (path.denotesRoot()) {
+            if ((permissions & READ) == READ) {
+                return;
+            }
+            log.error("write access not supported for root node");
+            throw new AccessDeniedException();
+        }
+
         // Jackrabbit does not use an AccessManager to enforce
         // security for version storage (yet), but it does check read
         // permissions for initializing a versionable node, so we need
         // to allow it to do that.
         // XXX remove when Jackrabbit gives us the ability to look up
         // the versionable node from a version storage item
-        if (isVersionStorageItem(id)) {
+        if (isVersionStorageItem(path)) {
             if ((permissions & WRITE) == WRITE ||
                 (permissions & REMOVE) == REMOVE) {
                 log.error("write access not supported for version storage");
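Review bot: The new root-node branch at `if ((permissions & READ) == READ)` grants the whole requested mask as soon as the READ bit is present, so a combined request such as READ|WRITE on the root node returns before reaching the `AccessDeniedException` that the comment says should protect "nothing else"; the version-storage branch just below tests the WRITE and REMOVE bits explicitly, and this branch should do the same, `if ((permissions & (WRITE | REMOVE)) == 0) { return; }`. The `catch (ItemNotFoundException e)` above it is fail-open in the same way: an id that no longer resolves to a path is granted whatever was asked, including WRITE and REMOVE, for every non-root caller, and nothing is logged, so the comment's assumption that this only happens during deletion is never observable; at minimum log the id and mask at debug level there, and if the delete flow only ever needs a successful check, consider narrowing the grant to that case. Both patterns are repeated in the boolean method's hunk (`@@ -153,17 +175,39 @@`), which needs the same changes. The void method this hunk edits (presumably the checkPermission override) starts and ends outside the hunk.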
@@ -133,7 +155,7 @@
             return;
         }
 
-        if (isOwner(id)) {
+        if (isOwner(path)) {
             return;
         }
 
@@ -153,17 +175,39 @@
             throw new IllegalStateException("not initialized");
         }
 
+        // root users can do anything
         if (isRoot()) {
             return true;
         }
 
+        Path path = null;
+        try {
+            path = id2path(id);
+        } catch (ItemNotFoundException e) {
+            // not quite sure why jackrabbit tries to check
+            // permissions on items that are being deleted, but it
+            // does, so just humor it.
+            return true;
+        }
+
+        // Jackrabbit seems to require read privilege on the root node
+        // when deleting a resource in a home directory, so allow
+        // anybody to read it but nothing else
+        if (path.denotesRoot()) {
+            if ((permissions & READ) == READ) {
+                return true;
+            }
+            log.error("write access not supported for root node");
+            return false;
+        }
+
         // Jackrabbit does not use an AccessManager to enforce
         // security for version storage (yet), but it does check read
         // permissions for initializing a versionable node, so we need
         // to allow it to do that.
         // XXX remove when Jackrabbit gives us the ability to look up
         // the versionable node from a version storage item
-        if (isVersionStorageItem(id)) {
+        if (isVersionStorageItem(path)) {
             if ((permissions & WRITE) == WRITE ||
                 (permissions & REMOVE) == REMOVE) {
                 log.error("write access not supported for version storage");
@@ -173,7 +217,7 @@
             return true;
         }
 
-        if (! isOwner(id)) {
+        if (! isOwner(path)) {
             if (log.isDebugEnabled()) {
                 log.debug("permissions " + permissions + " not granted for " +
                           " item at path " + id2path(id));
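Review bot: The debug message on the last lines re-resolves `id2path(id)` although the resolved `path` is already in hand and is the very value just tested by `isOwner(path)`; it also joins `" not granted for "` and `" item at path "` into a double space. `log.debug("permissions " + permissions + " not granted for item at path " + path);` keeps one lookup and one readable message. This branch belongs to the boolean method whose body starts and continues outside the hunk.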
@@ -214,16 +258,8 @@
      *
      * @throws Exception
      */
-    public boolean isOwner(ItemId id)
-        throws ItemNotFoundException, RepositoryException {
-        Path path = id2path(id);
-
-        // if the item represents the root node, then only root users
-        // can access it
-        if (path.denotesRoot()) {
-            return isRoot();
-        }
-
+    public boolean isOwner(Path path)
+        throws RepositoryException {
         // if the item is a version history node, then find the
         // versionable node it represents and use that path instead
         // it will be of type nt:versionHistory with a 
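Review bot: The Javadoc above `public boolean isOwner(Path path)` still ends with `@throws Exception` while the new signature throws only `RepositoryException`, and it says nothing about the contract change: the root-node case (`path.denotesRoot()` returning `isRoot()`) was removed from this method, so every caller of this public method now has to handle the root node before calling it. Add `@param path the path of the item to test; the root node is no longer handled here and must be checked by the caller` and replace `@throws Exception` with `@throws RepositoryException`. isOwner's body continues past the hunk and the start of its Javadoc is above it.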
@@ -281,9 +317,9 @@
         return securityManager;
     }
 
-    private boolean isVersionStorageItem(ItemId id)
+    private boolean isVersionStorageItem(Path path)
         throws RepositoryException {
-        Path.PathElement[] pathElements = id2path(id).getElements();
+        Path.PathElement[] pathElements = path.getElements();
         if (pathElements.length < 3) {
             return false;
         }

Index: server/webapps/webdav/etc/applicationContext-webdav-security.xml
diff -u server/webapps/webdav/etc/applicationContext-webdav-security.xml:1.3 server/webapps/webdav/etc/applicationContext-webdav-security.xml:1.4
--- server/webapps/webdav/etc/applicationContext-webdav-security.xml:1.3	Mon Apr  4 17:53:40 2005
+++ server/webapps/webdav/etc/applicationContext-webdav-security.xml	Tue Apr  5 17:48:47 2005
@@ -94,6 +94,9 @@
         <value>
 	  CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
 	  PATTERN_TYPE_APACHE_ANT
+          /=ROLE_ROOT
+          /jcr:system=ROLE_ROOT
+          /jcr:system/**=ROLE_ROOT
 	  /**=ROLE_USER,ROLE_ROOT
         </value>
       </property>
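Review bot: The three new rules mitigate the root-node READ grant only for HTTP clients of this webapp; the access manager change in CosmoAccessManager.java still returns READ on the root node to every authenticated user, so any other repository client that bypasses the WebDAV filter chain (if such access paths exist in this deployment) is not covered, and that coupling is worth recording next to the rules, e.g. `<!-- CosmoAccessManager grants READ on the root node to all users; these rules restrict root and jcr:system to ROLE_ROOT for HTTP access only -->`. The ordering is right for a first-match evaluation, since `/`, `/jcr:system` and `/jcr:system/**` precede `/**`. With PATTERN_TYPE_APACHE_ANT the literal `/` matches only the exact root path, so confirm that the interceptor compares a normalized request path rather than the raw URI; if it does not, variants of the root URI fall through to the `/**=ROLE_USER,ROLE_ROOT` rule.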


