I've been struggling to get ACLs built on a JCR structure for a while now. The requirement seems super simple, but I can't seem to find the solution.
Let's say I have the following node structure:
- car-types (Properties: jcr:primaryType, jcr:mixinType)
  - bmw (Properties: jcr:primaryType, jcr:mixinType, jcr:uuid, brandHeadquarters, marketShare)
    - car-instances
      - bmw-320i (Properties: jcr:primaryType, jcr:mixinType, jcr:uuid, price, fuelEfficiency, colour)
      - bmw-m3 (Properties: jcr:primaryType, jcr:mixinType, jcr:uuid, price, fuelEfficiency, colour)
      - bmw-530i (Properties: jcr:primaryType, jcr:mixinType, jcr:uuid, price, fuelEfficiency, colour)
  - audi (Properties: jcr:primaryType, jcr:mixinType, jcr:uuid, brandHeadquarters, marketShare)
  - mercedes (Properties: jcr:primaryType, jcr:mixinType, jcr:uuid, brandHeadquarters, marketShare)
I want to give a specific principal access to the bmw node and ONE OF the instances underneath bmw (for example, bmw-320i), so that I can reference it from a Sling model, but I DON'T want him to have access to all the child nodes of bmw.
So my approach is to add 4 specific ACEs, one to each node along the path in my tree, using a rep:glob pattern of "" (see the code snippet below).
This works "fine", because the user is then only able to access the required nodes, but unfortunately, he is not able to see the properties of the relevant nodes, which makes it impossible for me to build my sling model. If I use a more lenient glob pattern (like null, or /*) then he can see the properties, but also ALL the other cars.
So the question is: what would the glob pattern be to make him see the nodes I want him to see, along with their properties, but not the other nodes?
(Or of course, if I'm approaching this entirely wrong, please guide me in the right direction)
Below is a snippet of my code (simplified slightly for the forum's sake):
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
...
AccessControlManager acMgr = session.getAccessControlManager();
Privilege[] readOnlyPrivileges =
        new Privilege[] { acMgr.privilegeFromName(Privilege.JCR_READ) };
...
addAceToNode("/content/app/car-types", principal, readOnlyPrivileges, "", session);
addAceToNode("/content/app/car-types/bmw", principal, readOnlyPrivileges, "", session);
addAceToNode("/content/app/car-types/bmw/car-instances", principal, readOnlyPrivileges, "", session);
addAceToNode("/content/app/car-types/bmw/car-instances/bmw-320i", principal, readOnlyPrivileges, "", session);
...
private void addAceToNode(String path, Principal principal, Privilege[] privilegeArray,
        String globPattern, Session session) throws RepositoryException {
    ...
    AccessControlManager acMgr = session.getAccessControlManager();
    // Jackrabbit's helper returns the policy bound to this path (creating an empty one if needed)
    AccessControlList acl = AccessControlUtils.getAccessControlList(session, path);
    JackrabbitAccessControlList jacl = (JackrabbitAccessControlList) acl;
    // An empty globPattern ("") limits the entry to the node itself: no child nodes, and no properties either
    Map<String, Value> restrictions = new HashMap<String, Value>();
    ValueFactory vf = session.getValueFactory();
    restrictions.put("rep:glob", vf.createValue(globPattern));
    jacl.addEntry(principal, privilegeArray, true, restrictions);
    acMgr.setPolicy(jacl.getPath(), jacl);
    session.save();
}
Note: I've probably read this page (Jackrabbit Oak – Restriction Management) a thousand times by now, but the examples provided only make sense if your sub-nodes have specific naming patterns, which doesn't really apply in my case.
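As an added check that is not part of the original post: before tuning rep:glob values it helps to measure what the restricted principal can actually read, rather than inferring it from the ACEs. The class below is example code written for this question, not the poster's code; it assumes an admin session that is allowed to impersonate, that the principal maps to a user ID (the name "car-reader" is an assumption), and the node paths from the question. It opens a session as that user, then reports for each path whether the node is visible, how many of its properties are readable, and how many children it exposes, and flags any of the sibling nodes that should stay hidden but are readable.

```java
import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.PropertyIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;

/**
 * Reports the effective read access of a restricted user (added example).
 * Assumes the calling session may impersonate and that the principal
 * corresponds to the user ID below (an assumed name).
 */
public class EffectiveReadCheck {

    // Paths taken from the question; the user ID is an assumption.
    private static final String USER_ID = "car-reader";
    private static final String BMW = "/content/app/car-types/bmw";
    private static final String INSTANCES = BMW + "/car-instances";
    private static final String ALLOWED = INSTANCES + "/bmw-320i";
    private static final String[] MUST_STAY_HIDDEN = {
        INSTANCES + "/bmw-m3",
        INSTANCES + "/bmw-530i",
        "/content/app/car-types/audi",
        "/content/app/car-types/mercedes"
    };

    public static void check(Session adminSession) throws RepositoryException {
        // A session opened as the restricted user sees exactly what the
        // Sling model will see at runtime; that is what we inspect.
        Session userSession = adminSession.impersonate(
                new SimpleCredentials(USER_ID, new char[0]));
        try {
            report(userSession, "/content/app/car-types");
            report(userSession, BMW);
            report(userSession, INSTANCES);
            report(userSession, ALLOWED);
            for (String path : MUST_STAY_HIDDEN) {
                if (userSession.nodeExists(path)) {
                    System.out.println("LEAK: " + path + " is readable by " + USER_ID);
                }
            }
        } finally {
            userSession.logout();
        }
    }

    private static void report(Session s, String path) throws RepositoryException {
        if (!s.nodeExists(path)) {
            System.out.println("MISSING: " + path + " is not visible");
            return;
        }
        Node n = s.getNode(path);
        // Unreadable properties and children are simply absent from these
        // iterators, so the counts are the user's effective view.
        int props = 0;
        for (PropertyIterator it = n.getProperties(); it.hasNext(); it.nextProperty()) {
            props++;
        }
        int children = 0;
        for (NodeIterator it = n.getNodes(); it.hasNext(); it.nextNode()) {
            children++;
        }
        System.out.println(path + ": " + props + " readable properties, "
                + children + " visible children"
                + (props == 0 ? " (node visible but its properties are not)" : ""));
    }
}
```

Run check() once after addAceToNode has been called for every path and again after each change to the glob pattern; a useful configuration is one where the ALLOWED path reports a non-zero property count and no LEAK line is printed.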