SOLVED

rep:glob pattern that allows user to see the node and all properties, but not child nodes


Level 2

I've been struggling to get ACLs built on a JCR structure for a while now. The requirement seems super simple, but I can't seem to find the solution.

Let's say I have the following node structure:

  • car-types (Properties: jcr:primaryType, jcr:mixinType)
    • bmw (Properties: jcr:primaryType, jcr:mixinType, jcr:uuid, brandHeadquarters, marketShare)
      • car-instances
        • bmw-320i (Properties: jcr:primaryType, jcr:mixinType, jcr:uuid, price, fuelEfficiency, colour)
        • bmw-m3 (Properties: jcr:primaryType, jcr:mixinType, jcr:uuid, price, fuelEfficiency, colour)
        • mbw-530i (Properties: jcr:primaryType, jcr:mixinType, jcr:uuid, price, fuelEfficiency, colour)
    • audi (Properties: jcr:primaryType, jcr:mixinType, jcr:uuid, brandHeadquarters, marketShare)
      • car-instances
        • etc.
    • mercedes (Properties: jcr:primaryType, jcr:mixinType, jcr:uuid, brandHeadquarters, marketShare)
      • car-instances
        • etc.

I want to give a specific principal access to the bmw node and ONE OF the instances underneath bmw (for example, bmw-320i), so that I can reference it from a Sling model, but I DON'T want him to have access to all the child nodes of bmw.

So my approach is to add 4 specific ACEs to each node in my tree using the rep:glob pattern "" (see code snippet below).

This works "fine", because the user is then only able to access the required nodes, but unfortunately, he is not able to see the properties of the relevant nodes, which makes it impossible for me to build my sling model. If I use a more lenient glob pattern (like null, or /*) then he can see the properties, but also ALL the other cars.

So the question is: what would the glob pattern be to make him see the nodes I want him to see, along with their properties, but not the other nodes?

(Or of course, if I'm approaching this entirely wrong, please guide me in the right direction)

Below is a snippet of my code (simplified slightly for forum-sake):

import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.commons.jcr.AccessControlUtils;

// acMgr is the session's AccessControlManager, obtained elsewhere in the class
private AccessControlManager acMgr;

Privilege[] readOnlyPrivileges =
        new Privilege[] {acMgr.privilegeFromName(Privilege.JCR_READ)};

...

addAceToNode("/content/app/car-types", principal, readOnlyPrivileges, "", session);
addAceToNode("/content/app/car-types/bmw", principal, readOnlyPrivileges, "", session);
addAceToNode("/content/app/car-types/bmw/car-instances", principal, readOnlyPrivileges, "", session);
addAceToNode("/content/app/car-types/bmw/car-instances/bmw-320i", principal, readOnlyPrivileges, "", session);

...

private void addAceToNode(String path, Principal principal, Privilege[] privilegeArray,
        String globPattern, Session session) throws RepositoryException {
    ...
    AccessControlList acl = AccessControlUtils.getAccessControlList(session, path);
    JackrabbitAccessControlList jacl = (JackrabbitAccessControlList) acl;

    // The rep:glob restriction scopes this allow ACE to the items matching path + globPattern
    Map<String, Value> restrictions = new HashMap<String, Value>();
    ValueFactory vf = session.getValueFactory();
    restrictions.put("rep:glob", vf.createValue(globPattern));

    jacl.addEntry(principal, privilegeArray, true, restrictions);
    acMgr.setPolicy(jacl.getPath(), jacl);
    session.save();
}

Note: I've probably read this page (Jackrabbit Oak – Restriction Management) a thousand times by now, but the examples provided only make sense if your sub-nodes have specific naming patterns, which doesn't really apply in my case.

1 Accepted Solution


Correct answer by
Level 1

Hi Greg,

Not sure if you were able to solve it or not, but you can use this URL as a reference:

How to leverage rep:glob ACEs to manage permissions on multi-tenant systems

You can try to add the below rep:glob values and check whether it resolves your issue:

rep:glob=/jcr:primaryType

rep:glob=/:childOrder

rep:glob=/<any_property_name_which_your_service_is_trying_to_read>

Hopefully this will work for you.

Cheers,

:Roshan

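To make the difference between the three glob choices in this thread concrete, here is an added Python model of how Oak evaluates a rep:glob against an item path. It is not code from the original posts or from the Oak project; the matching rules are an assumption taken from the Oak Restriction Management documentation (null = node and all descendants, "" = the node only, no '*' = exactly the item at path + glob, '*' = any characters including '/'), the tree is constructed from the question, and deny ACEs and policy inheritance are not modelled. It runs the question's "" approach, the lenient "/*" variant, and the accepted answer's per-property globs over the same tree and returns what each principal could read.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed model of the question's tree (added example, not the poster's data).
# Property paths are written as node_path + "/" + name, which is the item path
# Oak checks a rep:glob against.
BASE = "/content/app/car-types"
BMW = BASE + "/bmw"
BMW_320I = BMW + "/car-instances/bmw-320i"
BRAND_PROPS = ["jcr:primaryType", "jcr:mixinType", "jcr:uuid", "brandHeadquarters", "marketShare"]
CAR_PROPS = ["jcr:primaryType", "jcr:mixinType", "jcr:uuid", "price", "fuelEfficiency", "colour"]

NODES = {
    BASE: ["jcr:primaryType", "jcr:mixinType"],
    BMW: BRAND_PROPS,
    BMW + "/car-instances": ["jcr:primaryType"],
    BMW_320I: CAR_PROPS,
    BMW + "/car-instances/bmw-m3": CAR_PROPS,
    BMW + "/car-instances/bmw-530i": CAR_PROPS,
    BASE + "/audi": BRAND_PROPS,
    BASE + "/audi/car-instances": ["jcr:primaryType"],
    BASE + "/mercedes": BRAND_PROPS,
    BASE + "/mercedes/car-instances": ["jcr:primaryType"],
}
ITEMS = sorted(set(NODES) | {f"{n}/{p}" for n, props in NODES.items() for p in props})

# The chain of nodes the question grants with rep:glob "".
CHAIN = [BASE, BMW, BMW + "/car-instances", BMW_320I]

Ace = Tuple[str, Optional[str]]  # (node the ACE is set on, rep:glob value or None)


def glob_matches(node_path: str, glob: Optional[str], item_path: str) -> bool:
    """Assumed model of Oak rep:glob evaluation (from the Oak restriction docs):
    None     -> the node and every descendant item
    ""       -> the node itself only, not even its properties
    no '*'   -> exactly the item at node_path + glob, e.g. "/jcr:primaryType"
    with '*' -> node_path + glob, where '*' matches any characters, '/' included
    """
    if glob is None:
        return item_path == node_path or item_path.startswith(node_path + "/")
    if glob == "":
        return item_path == node_path
    full = node_path + glob
    if "*" not in full:
        return item_path == full
    regex = ".*".join(re.escape(part) for part in full.split("*"))
    return re.fullmatch(regex, item_path) is not None


def visible_items(aces: Iterable[Ace], items: Iterable[str] = ITEMS) -> List[str]:
    """Items readable by a principal holding only these allow ACEs (no denies)."""
    aces = list(aces)
    return [i for i in items if any(glob_matches(p, g, i) for p, g in aces)]


def question_approach() -> List[str]:
    """rep:glob "" on each node of the chain: the nodes only, no properties."""
    return visible_items([(p, "") for p in CHAIN])


def lenient_approach() -> List[str]:
    """rep:glob "/*" on bmw on top of the chain: every car under bmw is exposed."""
    return visible_items([(p, "") for p in CHAIN] + [(BMW, "/*")])


def answer_approach() -> List[str]:
    """The accepted answer: one extra ACE per property the Sling model reads."""
    aces: List[Ace] = [(p, "") for p in CHAIN]
    aces += [(p, "/jcr:primaryType") for p in CHAIN]
    aces += [(BMW, "/brandHeadquarters"), (BMW_320I, "/price"), (BMW_320I, "/colour")]
    return visible_items(aces)


if __name__ == "__main__":
    for name, fn in [("question", question_approach),
                     ("lenient", lenient_approach),
                     ("answer", answer_approach)]:
        result = fn()
        print(f"--- {name}: {len(result)} readable items")
        for item in result:
            print("  ", item)
```

The model shows why the "" ACEs alone cannot feed a Sling model (the four nodes are readable but none of their properties), why "/*" on bmw is too broad (bmw-m3 and bmw-530i and all their properties become readable), and that a separate glob per property keeps the grant at the minimum the model actually needs. Any property the model reads that is not listed, marketShare in this run, stays hidden, so a missing ACE shows up as a read failure rather than as over-exposure.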
