SOLVED

AEM 6.5 - Adding JCR access policy NOT CUG

Level 4

I got stuck on CUG and this is NOT what I am looking for.

We need to add jcr:write access for a single user to a new node that we also create through code. All I can find are code examples from before the 6.3 change to CUG, but these no longer work.

How can we still use AccessControlList.addEntry(principal, privileges, true) in AEM 6.5, or is this no longer allowed and should we use CUG?

(I understand this is only used to grant Read access to nodes)

1 Accepted Solution

Correct answer by
Community Advisor

Hi @Eric_Stricker,

Use AccessControlList.addAccessControlEntry(principal, privileges) followed by setPolicy using AccessControlManager API.

Code snippet:

try {
	Authorizable authorizable = userMgr.getAuthorizable(userIdStr);
	if (authorizable == null) { // getAuthorizable returns null for an unknown user/group id
		throw new RepositoryException("No user or group with id " + userIdStr);
	}
	Principal userPrincipal = authorizable.getPrincipal(); // principal object from user/group id
	Privilege[] writePrivileges = new Privilege[] { acmMgr.privilegeFromName(Privilege.JCR_WRITE) }; // JCR_WRITE privilege object
	// getApplicablePolicies returns only policies not yet set at the path, which fits a newly created node
	AccessControlPolicyIterator itr = acmMgr.getApplicablePolicies(pageNode.getPath()); // pageNode -> node for which we are trying to set policy
	while (itr.hasNext()) {
		AccessControlPolicy policy = itr.nextAccessControlPolicy();
		if (policy instanceof AccessControlList) {
			AccessControlList acl = (AccessControlList) policy;
			acl.addAccessControlEntry(userPrincipal, writePrivileges); // creates ACE
			acmMgr.setPolicy(pageNode.getPath(), acl); // adds ACL to the desired node
		}
	}
	session.save(); // policy changes are transient until the session is saved
}
catch (RepositoryException e) {
	LOG.error("Repository Exception={}", e.getMessage(), e); // keep the stack trace
}

Reference:

https://docs.adobe.com/docs/en/spec/jsr170/javadocs/jcr-2.0/javax/jcr/security/AccessControlList.htm...

Level 4

Was getting stuck on

...

if (policy instanceof AccessControlList) {

...

The only value I could find in online samples is "instanceof PrincipalSetPolicy".

Question: Do you know if there is a complete list of possible values for "policy instanceof ????"

Community Advisor

Hi @Eric_Stricker,

Below is the hierarchy of interfaces that policy can be an instanceof:

  • javax.jcr.security.AccessControlPolicy
    • javax.jcr.security.AccessControlList (sub-interface of javax.jcr.security.AccessControlPolicy)
    • javax.jcr.security.NamedAccessControlPolicy (sub-interface of javax.jcr.security.AccessControlPolicy)
    • org.apache.jackrabbit.api.security.authorization.PrincipalSetPolicy (extension/sub-interface of javax.jcr.security.AccessControlPolicy)
    • org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy (extension/sub-interface of javax.jcr.security.AccessControlPolicy)
      • org.apache.jackrabbit.oak.spi.security.authorization.cug.CugPolicy (sub-interface of JackrabbitAccessControlPolicy, PrincipalSetPolicy and hence AccessControlPolicy)
      • org.apache.jackrabbit.api.security.JackrabbitAccessControlList (sub-interface of JackrabbitAccessControlPolicy + also an extension of javax.jcr.security.AccessControlList)
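
The approach from the accepted answer, combined with the interface hierarchy above, as a self-contained helper. This is an added example, not code from any poster in this thread: it goes beyond the answer by also checking for an ACL already set on the node, and it uses the addEntry(principal, privileges, true) form from the question when the policy is a JackrabbitAccessControlList. The class name NodeWriteGrant, its method names and the cast to JackrabbitSession are assumptions.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.*;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.user.Authorizable;

public final class NodeWriteGrant { // hypothetical helper class
    /** Grants jcr:write on path to userId; returns true if the ACL changed. */
    public static boolean grantWrite(Session session, String path, String userId)
            throws RepositoryException {
        // Assumption: the session is a JackrabbitSession, as in AEM/Oak.
        Authorizable a = ((JackrabbitSession) session).getUserManager().getAuthorizable(userId);
        if (a == null) {
            throw new RepositoryException("Unknown user or group: " + userId);
        }
        Principal principal = a.getPrincipal();
        AccessControlManager acm = session.getAccessControlManager();
        Privilege[] write = { acm.privilegeFromName(Privilege.JCR_WRITE) };
        AccessControlList acl = findAcl(acm, path);
        if (acl == null) {
            throw new RepositoryException("No access control list available at " + path);
        }
        // The Jackrabbit extension takes an explicit allow flag; plain JCR has no such flag.
        boolean changed = (acl instanceof JackrabbitAccessControlList)
                ? ((JackrabbitAccessControlList) acl).addEntry(principal, write, true)
                : acl.addAccessControlEntry(principal, write);
        if (changed) {
            acm.setPolicy(path, acl); // transient until save()
            session.save();
        }
        return changed;
    }

    private static AccessControlList findAcl(AccessControlManager acm, String path)
            throws RepositoryException {
        // Policies already set on the node come first; a CugPolicy is not an
        // AccessControlList, so the instanceof check skips it.
        for (AccessControlPolicy p : acm.getPolicies(path)) {
            if (p instanceof AccessControlList) return (AccessControlList) p;
        }
        // Otherwise take a policy that can still be applied, e.g. on a freshly created node.
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof AccessControlList) return (AccessControlList) p;
        }
        return null;
    }
}
```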