Adding restrictions to an ACL yields empty results for queries in Jackrabbit Oak

Question. Votes: 1, Answers: 1

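Using Jackrabbit Oak, I have been trying to configure security through SecurityProvider and SecurityConfigurations. In particular, I have been using restrictions, which generally work as expected. However, when dealing with JCR-SQL2 queries, more gets filtered out than expected.

Details

It can be reproduced with the repository below.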

/
  node          [nt:unstructured]
    subnode     [nt:unstructured]

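On node, I add an access control entry with privilege JCR_ALL for user, together with a restriction rep:glob -> "", such that user does not have access to any children of node.

This works as expected when using session.getNode:

  • session.getNode("/node") returns the node
  • session.getNode("/node/subnode") throws PathNotFoundException, as expected, due to the restriction

However, when I execute the following JCR-SQL2 query:

    SELECT * FROM [nt:unstructured]

I get no results back. I would have expected to get /node, as it is otherwise available when using session.getNode.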

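Code

    import java.util.HashMap;
    import java.util.Map;
    import javax.jcr.Node;
    import javax.jcr.Repository;
    import javax.jcr.Session;
    import javax.jcr.Value;
    import javax.jcr.query.Query;
    import javax.jcr.query.RowIterator;
    import javax.jcr.security.AccessControlManager;
    import javax.jcr.security.Privilege;
    import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
    import org.apache.jackrabbit.oak.jcr.Jcr;
    import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
    import org.apache.jackrabbit.value.StringValue;

    public static void main(String[] args) throws Exception {
        Repository repository = new Jcr().with(new MySecurityProvider()).createRepository();
        Session session = repository.login(new UserIdCredentials("")); // principal is "SystemPrincipal.INSTANCE"

        // Create nodes
        Node node = session.getRootNode().addNode("node", "nt:unstructured");
        node.addNode("subnode", "nt:unstructured");

        // Add access control entry + restriction
        AccessControlManager acm = session.getAccessControlManager();
        JackrabbitAccessControlList acl = (JackrabbitAccessControlList) acm
                .getApplicablePolicies("/node").nextAccessControlPolicy();
        Privilege[] privileges = new Privilege[]{acm.privilegeFromName(Privilege.JCR_ALL)};
        // rep:glob "" limits the entry to /node itself, excluding its children
        Map<String, Value> restrictions = new HashMap<String, Value>() {{
            put("rep:glob", new StringValue(""));
        }};
        acl.addEntry(new PrincipalImpl("user"), privileges, true, restrictions);
        acm.setPolicy("/node", acl);
        session.save();

        // executes query
        RowIterator rows = repository.login(new UserIdCredentials("user")).getWorkspace().getQueryManager()
                .createQuery("SELECT * FROM [nt:unstructured]", Query.JCR_SQL2).execute().getRows();
        System.out.println("Number of rows: " + rows.getSize()); //Prints 0
    }

If restrictions were to be removed from the code above, both node and subnode appear in the query results as expected.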

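MySecurityProvider uses ConfigurationParameters.EMPTY and the default implementations of all SecurityConfigurations, except for AuthenticationConfiguration, which I have implemented myself:

    import java.security.Principal;
    import java.util.Collections;
    import java.util.HashMap;
    import java.util.HashSet;
    import java.util.Map;
    import java.util.Set;
    import javax.jcr.Credentials;
    import javax.security.auth.Subject;
    import org.apache.jackrabbit.oak.api.ContentRepository;
    import org.apache.jackrabbit.oak.security.authentication.AuthenticationConfigurationImpl;
    import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
    import org.apache.jackrabbit.oak.spi.security.authentication.AuthInfoImpl;
    import org.apache.jackrabbit.oak.spi.security.authentication.LoginContext;
    import org.apache.jackrabbit.oak.spi.security.authentication.LoginContextProvider;
    import org.apache.jackrabbit.oak.spi.security.authentication.PreAuthContext;
    import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
    import org.apache.jackrabbit.oak.spi.security.principal.SystemPrincipal;
    import org.jetbrains.annotations.NotNull;

    class MyAuthenticationConfiguration extends AuthenticationConfigurationImpl {
        public MyAuthenticationConfiguration(SecurityProvider securityProvider) {
            super(securityProvider);
        }

        @NotNull
        @Override
        public LoginContextProvider getLoginContextProvider(ContentRepository contentRepository) {
            return new LoginContextProvider() {
                @NotNull
                public LoginContext getLoginContext(Credentials credentials, String workspaceName) {
                    String userId = ((UserIdCredentials) credentials).getUserId();
                    // An empty user id maps to the system principal, anything else to a plain principal
                    Set<Principal> principalSets = new HashSet<>();
                    if (userId.isEmpty()) {
                        principalSets.add(SystemPrincipal.INSTANCE);
                    } else {
                        principalSets.add(new PrincipalImpl(userId));
                    }
                    Map<String, ? extends Principal> publicPrivileges = new HashMap<>();
                    AuthInfoImpl authInfoImpl = new AuthInfoImpl(userId, publicPrivileges, principalSets);
                    // Pre-authenticated, read-only subject: no credential check is performed
                    Subject subject = new Subject(true, principalSets,
                            Collections.singleton(authInfoImpl), new HashSet<Principal>());
                    return new PreAuthContext(subject);
                }
            };
        }
    }

I am using Jackrabbit Oak version 1.10.0.

security jcr jackrabbit jcr-sql2 jackrabbit-oak

1 answer

0 votes

This turned out to be a bug in Jackrabbit Oak.

This has been resolved as of version 1.12.0.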
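The mismatch between direct access and query results discussed on this page can be checked for after an upgrade or an ACL change. The following is an added example, not code from the question, the answer or the Oak project: the class and method names are hypothetical, and it assumes an admin session and a restricted user session obtained as in the question's code, plus a single-selector JCR-SQL2 statement.

```java
import java.util.Set;
import java.util.TreeSet;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.query.Query;
import javax.jcr.query.RowIterator;

// Hypothetical helper class (added example, not from the post or from Oak).
public final class QueryAclConsistencyCheck {

    // Paths returned by a single-selector JCR-SQL2 statement for this session.
    static Set<String> queryPaths(Session session, String statement)
            throws RepositoryException {
        RowIterator rows = session.getWorkspace().getQueryManager()
                .createQuery(statement, Query.JCR_SQL2).execute().getRows();
        Set<String> paths = new TreeSet<>();
        while (rows.hasNext()) {
            paths.add(rows.nextRow().getPath());
        }
        return paths;
    }

    // Paths matched for the admin session that the user can also open directly.
    static Set<String> directlyReadable(Session admin, Session user, String statement)
            throws RepositoryException {
        Set<String> readable = new TreeSet<>();
        for (String path : queryPaths(admin, statement)) {
            if (user.nodeExists(path)) {
                readable.add(path);
            }
        }
        return readable;
    }

    // Readable through direct access but absent from the user's query (over-filtering).
    static Set<String> missingFromQuery(Session admin, Session user, String statement)
            throws RepositoryException {
        Set<String> missing = directlyReadable(admin, user, statement);
        missing.removeAll(queryPaths(user, statement));
        return missing;
    }

    // Returned by the user's query but not readable directly (over-exposure).
    static Set<String> leakedByQuery(Session admin, Session user, String statement)
            throws RepositoryException {
        Set<String> leaked = queryPaths(user, statement);
        leaked.removeAll(directlyReadable(admin, user, statement));
        return leaked;
    }
}
```

For the repository in the question, the observations reported there (session.getNode("/node") succeeds while the query returns 0 rows) correspond to missingFromQuery containing /node; both sets being empty is the consistent state.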
