The web application we're working on will be Java EE 6 based and JBoss 7.x will be the app server. Additionally a network drive mapping via webdav would be fine. The user information (credentials, ...) will be stored in a database or in our LDAP directory. The roles are stored in the database.

Be aware that ModeShape is built on top of Infinispan, and that the version of Infinispan used in JBoss AS7.x is quite old (relatively speaking) and has lots of clustering issues. For this reason, ModeShape switch our kit to install on EAP 6.1.

 

My first question:

 

Can I reuse the data stored in the Backends for Modeshape authentication/authorization (users & roles)? Can I reuse the credentials from the form-based login of the web app I already asked the user for?

After that I would like to create folder structures with fine grained authorization such as:

 

Given is a structure like that:

 

/projects/project_a

/projects/project_b

/public

 

User A should be able to read write access project a

User B should be able to read write access project b

User B should be able to just read project a

User C should only see /public

 

Out of the box, ModeShape can reuse the same basic authentication mechanism that AS7/EAP provides for your web applications. Typically this is JAAS. So if you can have AS7/EAP authenticate your web application's users via your backend systems, then ModeShape would just work with that.

If you need fine-grained authorization, then I'd suggest looking at the Access Control List (ACL) feature recently added. Note that because it is new, we still consider it tech preview.

My second question:

 

Is such a system possible with Modeshape? Can I use groups to assign priviledges?

 

I played around a bit with the ACLs of version 3.5. Here is a bit of my code:

 

First I create or retrieve an AccessControlList object

 

 

Then I clear the existing ACLs

 

 

To set ACL entries I do

 

 

I have the following directory structure

 

/test1

 

As I understand if I set an ACL of JCR_ALL for user admin on the test1 folder no other user should be able to access this folder. But this is not the case. The nodes have the mixin of mode:accessControllable.

Perhaps a more complete set of code might be useful. What is the 'admin' object?

 

 

My third question:

 

Where am I wrong? Do I have to do special config changes to activate ACLs? Is there some example code or test cases on how to use ACLs? Will there be some documentation in the future about this topic?

 

Yes, we do plan to add documentation for this quite soon. I'll ask that Oleg provide some samples, but you can look at some of the tests that are in https://github.com/ModeShape/modeshape/blob/master/modeshape-jcr/src/test/java/org/modeshape/jcr/security/AccessControlM…

Does your dummy user correspond to a user that you can authenticate as? For example, if you add an ACL to a node with a Principal for "admin", then that ACL should apply only when you log into the repository with that "admin" username. In other words, the principal MUST correspond to a valid user (unless you're using the "everyone" principal).

I'm not sure there are appropriate debug or trace log messages in the ACL code yet (we need to fix that), but can you debug? If so, put a breakpoint in the private JcrSession.hasPermission(...) method, and step through that method to see what logic is being considered.

Or, create a simple test case that we can run locally.

as I understand the JcrSession.hasPermissions method checks if an AuthorizationProvider is configured. If not, only role-based authorization takes place on the repository level (read, read-write, admin). In the sample repository that is available after executing the setup, no authorization provider is configured. So no ACLs are checked. The corresponding if statements are skipped.

Yes, that's what the method does. However, all of this is predicated on the repository knowing it needs to check ACLs - if that is wrong, then this greatly helps isolate the problem. Can you verify by debugging that the checkAcl variable has a value of 'true'?

After looking at the authorization providers of the Modeprobe distribution I found that none of them implements the interface AuthorizationProvider. So it seems to me that it is not possible to implement an ACL based access control using only the distribution. Of course one can implement a custom AuthorizationProvider class.

Actually, the ACL checking is not done via the AuthorizationProvider or AdvancedAuthorizationProvider implementations. Instead, the ACLs are applied on top of any (Advanced)AuthorizationProvider implementation or (if there are none) the role-based authorizations. You can see the ACL checks here, here and here.

Once again, I'm going to ask you for a complete test case that replicates the problem. A test case will make it much easier for us to find and fix the underlying problem. If not, the first thing we have to do is build a test case that does replicate the problem - sometimes this is easy to do, but when it is not easy we often have to spend hours (and sometimes days) just trying to reproduce a problem. Please help us help you by providing that test case.

Dieter, what you are doing with code is correct and the result you are expecting also correct. Let me check what actually happens.

--Oleg

Dieter, I have just completed several tests and everything work fine. Can you please provide more details about privileges applied to the node? What I need to know to replicate the problem:

-list of privileges;

-relative path of the node;

-principal name of the access list;

-method you are calling and with which principal.

Thanks,

Oleg

New JIRA created [#MODE-2036] Missing permission testing inside node's methods - JBoss Issue Tracker

Hi Dieter, thanks you for discovering problem. The fix is available with this pull request https://github.com/ModeShape/modeshape/pull/934

Can you please try it and confirm that problem fixed from your side?

Thanks,

Oleg

Yes, you need to merge pull request and then rebuild the server.

I got you primary question regarding access right, let me think a bit and provide most best solution.

--Oleg