Expand my Community achievements bar.

SOLVED

Unable to set ACL permission for nodes under "/content" but its working for nodes under "/apps"

Avatar

Level 4
Level 4
9/21/20 4:21:46 AM

Hi, 

Our Project requirement is to create User Group and assign Permissions Programmatically.

Created a Postprocessor to get the SAML Response and based on that Creating group and permissions programmatically. While applying permissions to the newly created group, for the paths which are available in "/content" permission  are not getting applied but for "/apps" and "/var" permissions are getting applied.  

 

private void parseSAMLResponse(Set<String> runModes, String samlResponseString)throws ParserConfigurationException, SAXException, IOException, UnsupportedEncodingException
{
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setNamespaceAware(true);
DocumentBuilder docBuilder = documentBuilderFactory.newDocumentBuilder();
Map<String, String> samlAttributeMap = new HashMap<String, String>();
StringReader strReader = new StringReader(samlResponseString);
InputSource inputSource = new InputSource(strReader);
Document document = docBuilder.parse(inputSource);
NodeList samlAssertion = document.getElementsByTagName("saml:Assertion");
populateSAMLAttrMap(samlAttributeMap, samlAssertion);

String userType = samlAttributeMap.get("Display Name") ;
String userRole = samlAttributeMap.get("Given Name") ;
String brandCode = samlAttributeMap.get("Surname") ;
String dealerId = samlAttributeMap.get("Sign in name") ;
log.info("Attributes ::::"+userType+"........."+userRole+".........."+brandCode+"........"+dealerId);
try {
final UserManager userManager = ((JackrabbitSession) session).getUserManager();
Group group = null;
if (userManager.getAuthorizable(userRole) == null) {
group = userManager.createGroup(userRole);
ValueFactory valueFactory = session.getValueFactory();
Value groupNameValue = valueFactory.createValue(userRole, PropertyType.STRING);
group.setProperty("./profile/givenName", groupNameValue);
log.info("path of the group"+ group.getPath() +"principal of the group"+ group.getPrincipal()+ group.getID());
String groupPath = "/apps/POC_SSO";
log.info("---> {} Group successfully created.", group.getID());

setReadPermissions(group, groupPath, session);
setDeletePermissions(group, groupPath, session);
setModifyPermissions(group, groupPath, session);
setCreatePermissions(group, groupPath, session);
setReplicatePermissions(group, groupPath, session);
setReadACLPermissions(group, groupPath, session);
setEditACLPermissions(group, groupPath, session);
group.addMember(auth);
log.info("---> {} User added successfully.", group.getMembers());
} else {
log.info("---> Group already exist..");
}

session.save();
} catch (Exception e) {
log.info("---> Exception.." + e.getMessage());
}
}

Views

838

Replies

4
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Community Advisor
Community Advisor
9/22/20 5:21:11 PM

Hi @srikanthp689160,

Can you share details on how you have retrieved the "session" used in the below snippet.

  • final UserManager userManager = ((JackrabbitSession) session).getUserManager();

Also, could see that you are casting to JackrabbitSession for getting UserManager and while setting permissions you are using direct session object

See if you can use JackrabbitSession for setting permissions as well which has method named hasPermission to check if you have permissions for actions on specified path. 

Details about the method

View solution in original post

Views

807

Replies

3
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
4 Replies

Avatar

Correct answer by
Community Advisor
Community Advisor
9/22/20 5:21:11 PM

Hi @srikanthp689160,

Can you share details on how you have retrieved the "session" used in the below snippet.

  • final UserManager userManager = ((JackrabbitSession) session).getUserManager();

Also, could see that you are casting to JackrabbitSession for getting UserManager and while setting permissions you are using direct session object

See if you can use JackrabbitSession for setting permissions as well which has method named hasPermission to check if you have permissions for actions on specified path. 

Details about the method

Views

808

Replies

3
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Level 4
Level 4
9/23/20 8:32:39 AM
In response to Vijayalakshmi_S

Hi @Vijayalakshmi_S

 Thanks for the help

 We are getting session using resource resolver of a "post processor of SAML response"

code snippet: 

@Override
public void postProcess(AuthenticationInfo info, HttpServletRequest request, HttpServletResponse response)
throws LoginException {

try {
resourceResolver = resourceResolverFactory.getResourceResolver(info);
session = resourceResolver.adaptTo(Session.class);
userManager = resourceResolver.adaptTo(UserManager.class);
auth = userManager.getAuthorizable(session.getUserID());

Set<String> runModes = slingSettingsService.getRunModes();
if (runModes.contains("publish") && auth.hasProperty("samlResponse") ){
samlResponeProperty = auth.getProperty("samlResponse");
samlResponseString = cryptoSupport.unprotect(samlResponeProperty[0].getString());
parseSAMLResponse(runModes, samlResponseString);

}
session.save();
}

catch (Exception e) {
e.printStackTrace();
log.info("error message"+e);
}

}

 

 

I have tried using JackrabbitSession for setting permissions as well, but it did not work only for the nodes under "/content".

When am taking groupPath(mentioned in previous code snippet) as any node of "/content" example: "/content/dam" getting the exception mentioned in below code snippet.

note: Not getting exception, if i took groupPath as any node under "/apps".

 

 

public static void setModifyPermissions(final Authorizable sampleGroup, String aPath, JackrabbitSession session){
try {
JackrabbitAccessControlManager accessControlManager = (JackrabbitAccessControlManager) session.getAccessControlManager();
hasPermission(aPath,"modify_property");
Privilege[] privileges = {
accessControlManager.privilegeFromName(Privilege.JCR_VERSION_MANAGEMENT),
accessControlManager.privilegeFromName(Privilege.JCR_MODIFY_PROPERTIES),
accessControlManager.privilegeFromName(Privilege.JCR_LOCK_MANAGEMENT)
};
AccessControlList aclList = null;
try {
accessControlManager.getApplicablePolicies(aPath);
aclList =(AccessControlList) accessControlManager.getApplicablePolicies(aPath).next();         // Getting Exception at this line in log info ..org.apache.jackrabbit.oak.spi.security.authorization.cug.impl.CugPolicyImpl cannot be cast to org.apache.jackrabbit.api.security.JackrabbitAccessControlList
} catch (NoSuchElementException e) {
aclList = (AccessControlList) accessControlManager.getPolicies(aPath)[0];
}
(aclList).addAccessControlEntry(sampleGroup.getPrincipal(), privileges);
accessControlManager.setPolicy(aPath, (AccessControlPolicy) aclList);
} catch (Exception e) {
log.info("---> Exception.." + e.getMessage());
}
}

 

Thanks

 

Views

747

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 4
Level 4
9/24/20 12:17:51 AM
In response to Vijayalakshmi_S

Hi @Vijayalakshmi_S

We are getting session through resource resolver of a PostProcess.

 

code snippet: 

@Override
public void postProcess(AuthenticationInfo info, HttpServletRequest request, HttpServletResponse response)
throws LoginException {
// TODO Auto-generated method stub

try {
resourceResolver = resourceResolverFactory.getResourceResolver(info);
session = resourceResolver.adaptTo(Session.class);
userManager = resourceResolver.adaptTo(UserManager.class);
auth = userManager.getAuthorizable(session.getUserID());

Set<String> runModes = slingSettingsService.getRunModes();
if (runModes.contains("publish") && auth.hasProperty("samlResponse") ){
samlResponeProperty = auth.getProperty("samlResponse");
samlResponseString = cryptoSupport.unprotect(samlResponeProperty[0].getString());
parseSAMLResponse(runModes, samlResponseString);

}
session.save();
}

catch (Exception e) {
e.printStackTrace();
log.info("error message"+e);
}

}

 

I have used JackrabbitSession while setting up permissions too, but it didn't worked only for the nodes under "/content". and getting exception: "org.apache.jackrabbit.oak.spi.security.authorization.cug.impl.CugPolicyImpl cannot be cast to org.apache.jackrabbit.api.security.JackrabbitAccessControlList " in the log info.

 

code snippet: 

public static void setModifyPermissions(final Authorizable sampleGroup, String aPath, JackrabbitSession session){
try {
log.info("inside setModifyPermissions method");
JackrabbitAccessControlManager accessControlManager = (JackrabbitAccessControlManager) session.getAccessControlManager();
log.info("accessControlManager...... "+accessControlManager);
hasPermission(aPath,"modify_property");

Privilege[] privileges = {
accessControlManager.privilegeFromName(Privilege.JCR_VERSION_MANAGEMENT),
accessControlManager.privilegeFromName(Privilege.JCR_MODIFY_PROPERTIES),
accessControlManager.privilegeFromName(Privilege.JCR_LOCK_MANAGEMENT)
};
log.info("accessControlManager...... "+accessControlManager.getPrivileges(aPath));
JackrabbitAccessControlList aclList = null;
try {

accessControlManager.getApplicablePolicies(aPath);
log.info("appicable policies:::::::: " +accessControlManager.getApplicablePolicies(aPath));
aclList =(JackrabbitAccessControlList) accessControlManager.getApplicablePolicies(aPath).next();  // getting exception at this line ....org.apache.jackrabbit.oak.spi.security.authorization.cug.impl.CugPolicyImpl cannot be cast to org.apache.jackrabbit.api.security.JackrabbitAccessControlList
} catch (NoSuchElementException e) {
aclList = (JackrabbitAccessControlList) accessControlManager.getPolicies(aPath)[0];
}
(aclList).addAccessControlEntry(sampleGroup.getPrincipal(), privileges);
accessControlManager.setPolicy(aPath, (AccessControlPolicy) aclList);
log.info("policies set up completed in settModify Permissions");
} catch (Exception e) {
log.info("---> Exception.." + e.getMessage());
}
}

 

Thanks

Views

771

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
9/30/20 7:21:08 AM
In response to Vijayalakshmi_S

Hi @srikanthp689160,

AccessControlPolicy(ACP) can be of any type from CugPolicy or JackrabbitAccessControlPolicy/List etc. Hence use the below snippet in the iteration part to check which instance of ACP and add ACL accordingly.

Authorizable authorizable = userMgr.getAuthorizable(userIdStr);
			Principal userPrincipal = authorizable.getPrincipal();			
			Privilege[] writePrivileges = new Privilege[] { acmMgr.privilegeFromName(Privilege.JCR_WRITE) };			
			AccessControlPolicyIterator it = acmMgr.getApplicablePolicies(pageNode.getPath());
			while (it.hasNext()) {				
				AccessControlPolicy policy = it.nextAccessControlPolicy();
/* Add below conditional check in your iteration logic as well */
				if (policy instanceof AccessControlList) {					
					AccessControlList acl = (AccessControlList) policy;
					acl.addAccessControlEntry(userPrincipal, writePrivileges);
					acmMgr.setPolicy(pageNode.getPath(), acl);
				}
				if (policy instanceof PrincipalSetPolicy) {					
					LOG.info("PrinicipalSetPolicy={}", policy.getClass());
				}
				if (policy instanceof NamedAccessControlPolicy) {					
					LOG.info("NamedAccessControlPolicy={}", policy.getClass());
				}
				if (policy instanceof CugPolicy) {					
					LOG.info("CugPolicy={}", policy.getClass());
				}
				if (policy instanceof JackrabbitAccessControlPolicy) {					
					LOG.info("JackrabbitAccessControlPolicy={}", policy.getClass());
				}
				if (policy instanceof JackrabbitAccessControlList) {					
					LOG.info("JackrabbitAccessControlList={}", policy.getClass());
				}
				
			}

Views

734

Replies

0
Sign in to like this content

Total Likes

Translate
Translate