  1. Jackrabbit Content Repository
  2. JCR-1171

Contribute Pluggable Permission and User Management to Jackrabbit

Details

    • Type: New Feature
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.4
    • Fix Version/s: 1.5
    • Component/s: security
    • Labels: None

    Description

      Working with a Jackrabbit-based application, I had to extend its security handling.
      The aim of this extension has been to allow for an editable resource-based authorization.
      The solution ended up being pluggable and extendable.
      As there have been some questions on the Jackrabbit developer list about custom implementation of security or the management of privileges in Jackrabbit, I would like to suggest my implementation as a contribution with the attached patches.

      Below you can find some high-level explanation of the contained files and concepts.

      I hope they prove to be usable and enhance this great repository.
      I welcome your feedback and would like to thank you for your kind inspection.

      Regards
      Christian Keller

      The patch contains the following:
      =========================

      1) API [jackrabbit-core-changes.20071010.patch]
      -------------------------------------------------------------------
      API which allows implementing and configuring mechanisms for Authentication and Authorization.
      The API is ACL- and Principal-based.
      ACL and Principals Management is independent of the JCR API, to allow implementations to use different back-end systems like a Directory Server.

      2) Changes to current core [jackrabbit-core-changes.20071010.patch]
      -----------------------------------------------------------------------------------------------
      Some small changes have been necessary to core to enable configuration and access of Management, like session access to UserManager.

      3) Implementation [jackrabbit-core-implementation.20071010.patch]
      -----------------------------------------------------------------------------------------------
      Additionally an implementation is contained. It is not dependent on any back-end system, and may therefore be used as a default.

      Description:
      ==========
      The extensions hook into Jackrabbit by implementations of the interfaces: AccessManager and LoginModule.
      Additionally there are changes for configuration, set-up and access of the used Object.

      The patch extends the API, in order to allow client inspections of Users and Permission. These are contained in the api.patch.

      See a short Introduction below:
      =========================

      The Security extensions of this Patch contain both Authentication and Authorization extensions, for which the following two models are introduced:

      I) The Authorizable
      ----------------------------
      These are Users and Groups of Users. Users can authenticate.
      Authentication in Jackrabbit is done by LoginModules which issue Principals as result of an Authentication.
      The Users are the objects which can be represented by such a Principal.
      They are therefore the base for the Authorization.

      II) The ACL
      ----------------
      The ACL is the Policy for Authorization.
      The ACL grants or denies a Principal Privileges which are called Actions.

      Additionally there is a Management for Principals:

      The Principal is the link between User and permission.
      A User may be related to multiple Principals, as this depends on the LoginModules verifying the identity of the login attempt.
      The LoginModules may expose their Principals to the Repository via a Provider interface, to allow for usage in ACEs.

      All Models and their Managing Classes' APIs are abstracted from the fact that they are used in a JC-Repository. That is, there is no reference to javax.jcr.Items, Sessions etc.
      This should allow implementing both for external sources without imposing any JCR-specific methods, taking an LDAP as UserBase for example.

      The managing classes are UserManager, PrincipalManager and ACLManager.
      They are set up and maintained by a repository singular SecurityManager.
      Session-specific versions of these Managers are exposed via Session.

      PrincipalManager and ACLManager are fed by one to multiple Providers.
      PrincipalProviders may exist per LoginModule, ACLProvider per Workspace.

      Authentication:
      --------------------
      The User will be used by the LoginModule. It will be resolved based on the given Credentials. If the Credentials can be validated, the User will be used to resolve Principals according to its Group-Membership. As a result the Session's Subject will be extended by these principals.

      Authorization:
      -------------------
      The ACL will be used by an implementation of the AccessManager interface.
      An ACLManager relates Items to ACLs and the ACL evaluates the Permission for the current Subject's Principals.

      Default Implementation
      ===================
      The Default Implementation uses the Repository itself to store its security data.
      The Users are stored within a dedicated workspace.
      The ACL are attached to the Nodes they relate to.
      The ACLs are inherited along the Item-Hierarchy.
      The Principals are taken from the Authorizables.

      Configuration
      ===========
      The LoginModules may declare their PrincipalProvider class via a property key with the name "principal_provider.class".

      The Workspace-specific ACL Providers may be added via a configuration element in Workspace.xml, called WorkspaceSecurity.
      A Factory class can be configured there.
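
The authentication and authorization flow described above, as an added example that is not part of the attached patches or of Jackrabbit: a user's group membership is resolved to principals, and ACLs inherited along the item hierarchy are evaluated for them. All class names, method names and sample data are hypothetical, and the evaluation order (the nearest ACL with a matching entry decides, a deny beats a grant within one ACL, no match means denied) is an assumption, since the description does not specify it.

```java
import java.util.*;

// Added illustration, not Jackrabbit code; every name here is hypothetical.
// Uses records, so it needs Java 16 or later.
public class AclInheritanceDemo {
    // One ACE: grants or denies a set of actions to a principal name.
    record Ace(String principal, boolean allow, Set<String> actions) {}

    // ACLs attached to node paths (constructed sample data, filled in main).
    static final Map<String, List<Ace>> ACLS = new HashMap<>();
    // Group membership used to resolve a user's principals (constructed sample data).
    static final Map<String, Set<String>> GROUPS = Map.of(
        "alice", Set.of("editors"),
        "bob", Set.of("editors", "contractors"));

    // Authentication step: the user's own principal plus one per group.
    static Set<String> principalsFor(String userId) {
        Set<String> p = new HashSet<>(GROUPS.getOrDefault(userId, Set.of()));
        p.add(userId);
        return p;
    }

    // Authorization step: walk from the item up to the root. Assumed semantics:
    // nearest ACL with a matching entry decides, deny beats grant, default is deny.
    static boolean isGranted(Set<String> principals, String path, String action) {
        for (String p = path; p != null; p = parent(p)) {
            boolean granted = false;
            for (Ace ace : ACLS.getOrDefault(p, List.of())) {
                if (!principals.contains(ace.principal()) || !ace.actions().contains(action)) continue;
                if (!ace.allow()) return false;
                granted = true;
            }
            if (granted) return true;
        }
        return false;
    }

    static String parent(String path) {
        if (path.equals("/")) return null;
        int i = path.lastIndexOf('/');
        return i == 0 ? "/" : path.substring(0, i);
    }

    public static void main(String[] args) {
        ACLS.put("/content", List.of(new Ace("editors", true, Set.of("read", "write"))));
        ACLS.put("/content/finance", List.of(new Ace("contractors", false, Set.of("read", "write"))));
        for (String user : List.of("alice", "bob", "mallory"))
            System.out.println(user + " write /content/finance/q3 -> "
                + isGranted(principalsFor(user), "/content/finance/q3", "write"));
    }
}
```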

      Attachments

        1. jackrabbit-core-changes.20071010.patch
          110 kB
          christian
        2. jackrabbit-core-implementation.20071010.patch
          358 kB
          christian
        3. jackrabbit-security-api.20071010.patch
          65 kB
          christian
        4. JCR-1171_comments_angela.txt
          13 kB
          Angela Schreiber

        Activity

          chrisk christian added a comment -

          security related extensions to api

          chrisk christian added a comment -

          changes to core necessary for adding security management

          chrisk christian added a comment -

          suggested implementation of User- and Permission-Management


          angela Angela Schreiber added a comment -

          hi christian

          thanks a lot for those patches. from what i have seen so far (just taking a first glance at it), your work will fit quite nicely into the access control management as it is planned for jcr283, which i recently started to implement for jackrabbit.

          the only thing that i just happen to see and that is not totally compatible with the jsr 283 access control are the 'actions'. In fact jsr283 uses the term actions for the general permission check on the Session interface but for the access control discovery and management it defines 'Privilege'(s). And the actions are somewhat different from the predefined privileges. From what i've seen you are - in jsr 283 terms - dealing with privileges and i hope you are fine if that's going to change a bit once jackrabbit is the jsr 283 reference implementation.

          more feedback to come as soon as i take a closer look at it.
          thanks & gruss

          fmeschbe Felix Meschberger added a comment -

          In this case, I would strongly suggest to modify the patch to comply with JSR-283. I don't think it would be a good idea to integrate it as is and later have to change a lot.

          Not sure, but would we have to vote on this contribution given its size?

          angela Angela Schreiber added a comment -

          hi felix,

          > In this case, I would strongly suggest to modify the patch to comply with JSR-283.
          > I don't think it would be a good idea to integrate it as is and later have to change a lot.

          from what i have seen at a first glance, i don't think that there is need for lots of changes. in any case i will update this issue as soon as i'm through and list all things that would from my point of view conflict with the jsr 283 access control section.

          be asserted that i don't want to do the integration work twice

          angela

          angela Angela Schreiber added a comment -

          unordered and incomplete list of notes and comments based on my recent work on JSR 283 security features.

          angela Angela Schreiber added a comment -

          committed initial (incomplete) version

          angela Angela Schreiber added a comment -

          scheduled for 1.5

          People

            Assignee: angela Angela Schreiber
            Reporter: chrisk christian
            Votes: 2
            Watchers: 2