Retrieve effective permissions in AEM 6.0 using REST services

matthieu_théria

15-10-2015

Hi,

I'm new in the world of AEM. I have installed AEM 6.0 (author and publish instances).

I'm interested in finding a way to retrieve effective permissions on a specific repository node by using a REST call.

For this, I have installed the latest version of the OSGi bundle "jackrabbit.accessmanager" (v2.1.2). With this, we can make this call to get the effective permissions for a particular node in JSON format: http://localhost:4502/content/mynode.eacl.json.

However, it seems that the effective permissions are not correctly computed... it seems that the ACLs defined with restrictions are not correctly resolved. I think that it's something new in AEM 6.0 because it uses the JackRabbit Oak 1.0.0 Repository instead of a JackRabbit 2.0 Repository... and maybe restrictions are a new concept not correctly handled in the "jackrabbit.accessmanager" bundle?!?

In fact, in the default demo Geometrixx, some ACLs are defined for the "Everyone" group with restrictions (path), for example:

  • everyone - Deny jcr:read - Restrictions rep:glob-libs*/config/*
  • everyone - Deny jcr:read - Restrictions rep:glob-apps*/config/*
  • everyone - Allow jcr:read

The effective permissions for all nodes excluding nodes under the path "libs" and "apps" should be "Allow jcr:read", but the call returns for the "content" node for example:

everyone: { principal: "everyone",denied: [ jcr:read ], order: 3 }

I think that the restrictions are not correctly handled by this bundle... maybe it is outdated and not compatible with the JackRabbit Oak 1.0.0 Repository...

Is there an equivalent or something new to get effective permissions with a REST call in AEM 6.0?

Thanks for your help.

Matthieu

matthieu_théria

15-10-2015

Hi Jörg,

Yes, it seems that the OSGi Bundle "JackRabbit.AccessManager" doesn't correctly compute the effective permissions when one or more restrictions are defined. They simply compute the deny set and the allow set no matter if the restriction is applied or not to the specific resource path...

I have implemented my own servlet (with another custom selector) that calls the AccessManager.getEffectivePolicies(resourcePath) of the JCR API and I have all policies including those with a restriction. I will probably need to do my own algorithm to compute the final denied and allowed sets.

For your last question, I'm not sure I understand it... this call is RESTful, however, it doesn't return the expected result...

Thanks,

Matthieu
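
The computation discussed in this thread, as an added example that is not part of the original posts and is not code from the bundle or from AEM: a small Python model that resolves allowed and denied sets for one principal while honoring `rep:glob`, next to the restriction-blind result described above. Assumptions: the globs are read from the first post as `libs*/config/*` and `apps*/config/*` on an ACL bound at `/`, the unrestricted allow is placed first, later entries override earlier ones, and the glob matching is a simplified model; the `Ace` type, function names and sample paths are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    acl_path: str                # node the ACL is bound to
    principal: str
    allow: bool
    privileges: frozenset
    glob: Optional[str] = None   # rep:glob value; None means no restriction

def in_subtree(base, target):
    return target == base or target.startswith(base.rstrip("/") + "/")

def glob_matches(acl_path, glob, target):
    """Simplified model of rep:glob: the glob is appended to the ACL's path."""
    if glob is None:
        return in_subtree(acl_path, target)   # node and all descendants
    if glob == "":
        return target == acl_path             # the node itself only
    pattern = acl_path + glob
    if "*" not in glob:
        return in_subtree(pattern, target)
    # '*' matches any run of characters, including '/'
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, target) is not None

def effective(aces, principal, target, honor_restrictions=True):
    """Return (allowed, denied) privilege sets for one principal on target."""
    allowed, denied = set(), set()
    for ace in aces:  # assumed evaluation order: later entries override earlier
        glob = ace.glob if honor_restrictions else None
        if ace.principal != principal:
            continue
        if not glob_matches(ace.acl_path, glob, target):
            continue
        gained, lost = (allowed, denied) if ace.allow else (denied, allowed)
        gained |= ace.privileges
        lost -= ace.privileges
    return allowed, denied

READ = frozenset({"jcr:read"})
# Constructed sample: the three entries from the first post, assumed bound at "/".
SAMPLE = [
    Ace("/", "everyone", True, READ),
    Ace("/", "everyone", False, READ, "libs*/config/*"),
    Ace("/", "everyone", False, READ, "apps*/config/*"),
]

if __name__ == "__main__":
    for path in ("/content", "/libs/foundation/config/x"):
        print(path, effective(SAMPLE, "everyone", path),
              effective(SAMPLE, "everyone", path, honor_restrictions=False))
```

Aggregate privileges, multiple principals and ACLs bound at several ancestor nodes are not modeled here.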