6 Replies Latest reply on May 5, 2010 1:31 PM by rhauch

Logging in as guest

kevin.thorley May 5, 2010 10:37 AM

I am trying to get a very simple demo of ModeShape up and running. I read the documentation on auth and understand that by default guest (anonymous) access is allowed. This is preferable to working with Jaas, at the moment. However I am unable to login to a new repository. Here is the code I am using (running against ModeShape 1.1.0-final):

JcrConfiguration config = new JcrConfiguration();
config.loadFrom(new File(args[0]));

engine = config.build();
System.out.println("Starting repository.");
engine.start();

JcrRepository repo = engine.getRepository("configrepo");
System.out.println(JcrRepository.Option.ANONYMOUS_USER_ROLES + ": " + repo.getOptions().get(JcrRepository.Option.ANONYMOUS_USER_ROLES));
Session session = repo.login();

This results in the following output:

Starting repository.
ANONYMOUS_USER_ROLES: admin

log4j:WARN No appenders could be found for logger (org.modeshape.graph.connector.RepositoryConnectionPool).
log4j:WARN Please initialize the log4j system properly.
Exception in thread "main" javax.jcr.LoginException: login() can only be called successfully from within a java.security.PrivilegedAction or when the ANONYMOUS_USER_ROLES repository option is set
    at org.modeshape.jcr.JcrRepository.login(JcrRepository.java:881)
    at org.modeshape.jcr.JcrRepository.login(JcrRepository.java:829)
    at com.dealer.configrepo.modeshape.examples.FirstRepository.main(FirstRepository.java:31)

As you can see, the ANONYMOUS_USER_ROLES seems to be set correctly, yet the login fails. I also tried logging in with guest credentials (using both "guest" and "anonymous" as usernames with an email address as a password in a SimpleCredentials object) but that resulted in a different exception:

Exception in thread "main" java.lang.SecurityException: Unable to locate a login configuration
at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:93)

I have to assume I'm just making a very basic mistake here, but I haven't been able to figure out what that is yet. Any suggestions?

Thanks,

Kevin

1. Re: Logging in as guest

rhauch May 5, 2010 1:35 PM (in response to kevin.thorley)

If you're not using JAAS, you need to tell ModeShape what roles the anonymous user can have, and that's done by as described in Section 9.2.4 of the Reference Guide.

Update: The documentation actually says that this is enabled by default, but as explained in MODE-746, ModeShape 1.1.0.Final (or earlier) does not recognize the default ANONYMOUS_USER_ROLES value. Thus, to enable anonymous users with ModeShape 1.1.0.Final (or earlier) you must explicitly set this in your configuration. ModeShape 1.2 behavior will match the documentation and will default to giving anonymous users full privileges (e.g., the 'admin' role).

You're using a configuration file, so the roles are set via the "anonymousUserRoles" option set with a string containing a comma-separated list of role names:

<mode:repositories>
    ...
    <mode:repository jcr:name="Your Repository Name">
      ...
      <mode:options>
        ...
        <mode:option jcr:name="anonymousUserRoles" mode:value="readonly,readwrite,admin"/>
        ...
      </mode:options>
...

BTW, this <mode:option> element creates a node in the engine's configuration repository called "anonymousUserRoles" with a primary type of "mode:option". Because the "jcr:name" attribute is set explicitly, the element name is used to set the node's primary type. It is just as valid to explicitly set the primary type using the "jcr:primaryType" attribute and the node name using the element name:

        <anonymousUserRoles jcr:primaryType="mode:option" mode:value="readonly,readwrite,admin"/>

If you are using ModeShape's fluent API to configure your engine (rather than reading a configuration file), your code would look something like this:

JcrConfiguration config = new JcrConfiguration();
...
config.setOption(Option.ANONYMOUS_USER_ROLES, ModeShapeRoles.READONLY + "," +
                                                ModeShapeRoles.READWRITE + "," +
                                                ModeShapeRoles.ADMIN);
...
JcrEngine engine = config.build();

Note that in these examples I'm setting the anonymous user to have all roles, but you can certainly choose which combination you'd like to use.
Actions
2. Re: Logging in as guest

kevin.thorley May 5, 2010 11:44 AM (in response to rhauch)

Thanks Randall. I had assumed that the admin role included read/write privileges. Once I added the read and write roles explicitly I was able to login and run my demo app.

Thanks!
Kevin
Actions
3. Re: Logging in as guest

rhauch May 5, 2010 12:15 PM (in response to kevin.thorley)

That's curious. Although you didn't include the fragment of your configuration file in your original post, the output does seem to show that it was set properly.

The intention is definitely that the "admin" role does include read and write privileges, just like the "readwrite" role also includes read privileges. (See the role table in the Reference Guide.) I even verified with a local test (running against trunk) that setting the anonymous role names to just "admin" does indeed allow read and write access in addition to admin functions.
Actions
4. Re: Logging in as guest

kevin.thorley May 5, 2010 12:35 PM (in response to rhauch)

Here is the relevant portion of the original config file:

<mode:repository jcr:name="configrepo" mode:source="config">
    <mode:options jcr:primaryType="mode:options">
        <jaasLoginConfigName jcr:primaryType="mode:option" mode:value="modeshape-jcr"/>
    </mode:options>
</mode:repository>

No anonymousUserRoles elements are specified, so it uses the default of "admin". However, apparently the presence of the jaasLoginConfigName element causes it to ignore the default admin anonymous user role? Is this expected behavior?

I found this config file on one of the modeshape wiki pages, though I can't remember the exact URL. It seemed like a pretty basic config starting point. That's what I get for grabbing a random config and expecting it to work!

Kevin
Actions
5. Re: Logging in as guest

rhauch May 5, 2010 1:01 PM (in response to kevin.thorley)

Ah, I found the problem - the default value for the option is in fact not used when setting up the anonymous access mechanism. I've created MODE-746. I've already made a change locally, am running the full suite of tests, and should be able to commit to trunk in a short while.

Obviously the workaround is to explicitly set the option.

Thanks for helping me identify and track down this problem!
Actions
6. Re: Logging in as guest

rhauch May 5, 2010 1:31 PM (in response to rhauch)

I just committed to trunk the fix for MODE-746, and I'll update my earlier post in this thread to reflect the bug in 1.1.0.Final.

Thanks again for helping us find this, Kevin!
Actions

Go to original post