Solved

Unable to set ACL permission for nodes under "/content" but it's working for nodes under "/apps"

Level 4

Hi, 

Our Project requirement is to create User Group and assign Permissions Programmatically.

Created a post processor to get the SAML response and, based on that, creating the group and permissions programmatically. While applying permissions to the newly created group, for the paths which are available in "/content" the permissions are not getting applied, but for "/apps" and "/var" the permissions are getting applied.

 

    private void parseSAMLResponse(Set<String> runModes, String samlResponseString)
            throws ParserConfigurationException, SAXException, IOException, UnsupportedEncodingException {
        DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
        documentBuilderFactory.setNamespaceAware(true);
        // Reject DOCTYPE declarations so the SAML XML cannot declare external entities (XXE).
        documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder docBuilder = documentBuilderFactory.newDocumentBuilder();
        Map<String, String> samlAttributeMap = new HashMap<String, String>();
        StringReader strReader = new StringReader(samlResponseString);
        InputSource inputSource = new InputSource(strReader);
        Document document = docBuilder.parse(inputSource);
        NodeList samlAssertion = document.getElementsByTagName("saml:Assertion");
        populateSAMLAttrMap(samlAttributeMap, samlAssertion);

        // SAML attributes that drive the group name and membership
        String userType = samlAttributeMap.get("Display Name");
        String userRole = samlAttributeMap.get("Given Name");
        String brandCode = samlAttributeMap.get("Surname");
        String dealerId = samlAttributeMap.get("Sign in name");
        log.info("Attributes ::::" + userType + "........." + userRole + ".........." + brandCode + "........" + dealerId);
        try {
            final UserManager userManager = ((JackrabbitSession) session).getUserManager();
            Group group = null;
            // Create the group named after the role only if it does not exist yet
            if (userManager.getAuthorizable(userRole) == null) {
                group = userManager.createGroup(userRole);
                ValueFactory valueFactory = session.getValueFactory();
                Value groupNameValue = valueFactory.createValue(userRole, PropertyType.STRING);
                group.setProperty("./profile/givenName", groupNameValue);
                log.info("path of the group" + group.getPath() + "principal of the group" + group.getPrincipal() + group.getID());
                String groupPath = "/apps/POC_SSO";
                log.info("---> {} Group successfully created.", group.getID());

                // Apply each set of privileges for the new group at groupPath
                setReadPermissions(group, groupPath, session);
                setDeletePermissions(group, groupPath, session);
                setModifyPermissions(group, groupPath, session);
                setCreatePermissions(group, groupPath, session);
                setReplicatePermissions(group, groupPath, session);
                setReadACLPermissions(group, groupPath, session);
                setEditACLPermissions(group, groupPath, session);
                group.addMember(auth);
                log.info("---> {} User added successfully.", group.getMembers());
            } else {
                log.info("---> Group already exist..");
            }

            session.save();
        } catch (Exception e) {
            log.info("---> Exception.." + e.getMessage());
        }
    }

1 Accepted Solution

Correct answer by:
Level 10

Hi @srikanthp689160,

Can you share details on how you have retrieved the "session" used in the below snippet?

  • final UserManager userManager = ((JackrabbitSession) session).getUserManager();

Also, I could see that you are casting to JackrabbitSession for getting UserManager, and while setting permissions you are using the direct session object.

See if you can use JackrabbitSession for setting permissions as well, which has a method named hasPermission to check if you have permissions for actions on a specified path.

Details about the method

Level 4

Hi @Vijayalakshmi_S

Thanks for the help.

We are getting the session using the resource resolver of a "post processor of SAML response".

Code snippet:

    @Override
    public void postProcess(AuthenticationInfo info, HttpServletRequest request, HttpServletResponse response)
            throws LoginException {

        try {
            resourceResolver = resourceResolverFactory.getResourceResolver(info);
            session = resourceResolver.adaptTo(Session.class);
            userManager = resourceResolver.adaptTo(UserManager.class);
            auth = userManager.getAuthorizable(session.getUserID());

            Set<String> runModes = slingSettingsService.getRunModes();
            if (runModes.contains("publish") && auth.hasProperty("samlResponse")) {
                samlResponeProperty = auth.getProperty("samlResponse");
                samlResponseString = cryptoSupport.unprotect(samlResponeProperty[0].getString());
                parseSAMLResponse(runModes, samlResponseString);
            }
            session.save();
        } catch (Exception e) {
            e.printStackTrace();
            log.info("error message" + e);
        }
    }

 

 

I have tried using JackrabbitSession for setting permissions as well, but it did not work only for the nodes under "/content".

When I am taking groupPath (mentioned in the previous code snippet) as any node of "/content", for example "/content/dam", I am getting the exception mentioned in the code snippet below.

Note: I am not getting the exception if I took groupPath as any node under "/apps".

 

 

    public static void setModifyPermissions(final Authorizable sampleGroup, String aPath, JackrabbitSession session) {
        try {
            JackrabbitAccessControlManager accessControlManager = (JackrabbitAccessControlManager) session.getAccessControlManager();
            hasPermission(aPath, "modify_property");
            Privilege[] privileges = {
                accessControlManager.privilegeFromName(Privilege.JCR_VERSION_MANAGEMENT),
                accessControlManager.privilegeFromName(Privilege.JCR_MODIFY_PROPERTIES),
                accessControlManager.privilegeFromName(Privilege.JCR_LOCK_MANAGEMENT)
            };
            AccessControlList aclList = null;
            try {
                accessControlManager.getApplicablePolicies(aPath);
                aclList = (AccessControlList) accessControlManager.getApplicablePolicies(aPath).next(); // Getting Exception at this line in log info ..org.apache.jackrabbit.oak.spi.security.authorization.cug.impl.CugPolicyImpl cannot be cast to org.apache.jackrabbit.api.security.JackrabbitAccessControlList
            } catch (NoSuchElementException e) {
                aclList = (AccessControlList) accessControlManager.getPolicies(aPath)[0];
            }
            (aclList).addAccessControlEntry(sampleGroup.getPrincipal(), privileges);
            accessControlManager.setPolicy(aPath, (AccessControlPolicy) aclList);
        } catch (Exception e) {
            log.info("---> Exception.." + e.getMessage());
        }
    }

 

Thanks

 

Level 4

Hi @Vijayalakshmi_S

We are getting session through resource resolver of a PostProcess.

 

code snippet: 

    @Override
    public void postProcess(AuthenticationInfo info, HttpServletRequest request, HttpServletResponse response)
            throws LoginException {
        // TODO Auto-generated method stub

        try {
            resourceResolver = resourceResolverFactory.getResourceResolver(info);
            session = resourceResolver.adaptTo(Session.class);
            userManager = resourceResolver.adaptTo(UserManager.class);
            auth = userManager.getAuthorizable(session.getUserID());

            Set<String> runModes = slingSettingsService.getRunModes();
            if (runModes.contains("publish") && auth.hasProperty("samlResponse")) {
                samlResponeProperty = auth.getProperty("samlResponse");
                samlResponseString = cryptoSupport.unprotect(samlResponeProperty[0].getString());
                parseSAMLResponse(runModes, samlResponseString);
            }
            session.save();
        } catch (Exception e) {
            e.printStackTrace();
            log.info("error message" + e);
        }
    }

 

I have used JackrabbitSession while setting up permissions too, but it didn't work only for the nodes under "/content", and I am getting the exception "org.apache.jackrabbit.oak.spi.security.authorization.cug.impl.CugPolicyImpl cannot be cast to org.apache.jackrabbit.api.security.JackrabbitAccessControlList" in the log info.

 

code snippet: 

    public static void setModifyPermissions(final Authorizable sampleGroup, String aPath, JackrabbitSession session) {
        try {
            log.info("inside setModifyPermissions method");
            JackrabbitAccessControlManager accessControlManager = (JackrabbitAccessControlManager) session.getAccessControlManager();
            log.info("accessControlManager...... " + accessControlManager);
            hasPermission(aPath, "modify_property");

            Privilege[] privileges = {
                accessControlManager.privilegeFromName(Privilege.JCR_VERSION_MANAGEMENT),
                accessControlManager.privilegeFromName(Privilege.JCR_MODIFY_PROPERTIES),
                accessControlManager.privilegeFromName(Privilege.JCR_LOCK_MANAGEMENT)
            };
            log.info("accessControlManager...... " + accessControlManager.getPrivileges(aPath));
            JackrabbitAccessControlList aclList = null;
            try {
                accessControlManager.getApplicablePolicies(aPath);
                log.info("appicable policies:::::::: " + accessControlManager.getApplicablePolicies(aPath));
                aclList = (JackrabbitAccessControlList) accessControlManager.getApplicablePolicies(aPath).next(); // getting exception at this line ....org.apache.jackrabbit.oak.spi.security.authorization.cug.impl.CugPolicyImpl cannot be cast to org.apache.jackrabbit.api.security.JackrabbitAccessControlList
            } catch (NoSuchElementException e) {
                aclList = (JackrabbitAccessControlList) accessControlManager.getPolicies(aPath)[0];
            }
            (aclList).addAccessControlEntry(sampleGroup.getPrincipal(), privileges);
            accessControlManager.setPolicy(aPath, (AccessControlPolicy) aclList);
            log.info("policies set up completed in settModify Permissions");
        } catch (Exception e) {
            log.info("---> Exception.." + e.getMessage());
        }
    }

 

Thanks

Level 10

Hi @srikanthp689160,

AccessControlPolicy (ACP) can be of any type, such as CugPolicy or JackrabbitAccessControlPolicy/List, etc. Hence, use the snippet below in the iteration part to check which instance of ACP it is and add the ACL accordingly.

    Authorizable authorizable = userMgr.getAuthorizable(userIdStr);
    Principal userPrincipal = authorizable.getPrincipal();
    Privilege[] writePrivileges = new Privilege[] { acmMgr.privilegeFromName(Privilege.JCR_WRITE) };
    AccessControlPolicyIterator it = acmMgr.getApplicablePolicies(pageNode.getPath());
    while (it.hasNext()) {
        AccessControlPolicy policy = it.nextAccessControlPolicy();
        /* Add below conditional check in your iteration logic as well */
        if (policy instanceof AccessControlList) {
            AccessControlList acl = (AccessControlList) policy;
            acl.addAccessControlEntry(userPrincipal, writePrivileges);
            acmMgr.setPolicy(pageNode.getPath(), acl);
        }
        if (policy instanceof PrincipalSetPolicy) {
            LOG.info("PrinicipalSetPolicy={}", policy.getClass());
        }
        if (policy instanceof NamedAccessControlPolicy) {
            LOG.info("NamedAccessControlPolicy={}", policy.getClass());
        }
        if (policy instanceof CugPolicy) {
            LOG.info("CugPolicy={}", policy.getClass());
        }
        if (policy instanceof JackrabbitAccessControlPolicy) {
            LOG.info("JackrabbitAccessControlPolicy={}", policy.getClass());
        }
        if (policy instanceof JackrabbitAccessControlList) {
            LOG.info("JackrabbitAccessControlList={}", policy.getClass());
        }
    }
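
A fuller version of the type check suggested above, as an added example that is not code from the thread or from Adobe: it looks at the policies already bound to the node before the applicable ones and picks the ACL by type instead of by position, so a CugPolicy offered for the same path is skipped. The class and method names (`AclGrantHelper`, `grant`) are hypothetical.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;

/** Added example; AclGrantHelper and grant are hypothetical names, not part of any AEM API. */
public final class AclGrantHelper {
    private AclGrantHelper() { }

    /**
     * Adds an allow entry for the principal at path. Returns false when the node has no
     * ACL bound and none is applicable (for example only a CugPolicy is offered).
     * The session needs jcr:readAccessControl and jcr:modifyAccessControl at path.
     */
    public static boolean grant(Session session, String path, Principal principal,
                                String... privilegeNames) throws RepositoryException {
        AccessControlManager acm = session.getAccessControlManager();
        JackrabbitAccessControlList acl = null;
        // 1. An ACL already bound to the node: edit it; never index getPolicies()[0] blindly.
        for (AccessControlPolicy policy : acm.getPolicies(path)) {
            if (policy instanceof JackrabbitAccessControlList) {
                acl = (JackrabbitAccessControlList) policy;
                break;
            }
        }
        // 2. Otherwise take a new ACL from the applicable policies, skipping other types.
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (acl == null && it.hasNext()) {
            AccessControlPolicy policy = it.nextAccessControlPolicy();
            if (policy instanceof JackrabbitAccessControlList) {
                acl = (JackrabbitAccessControlList) policy;
            }
        }
        if (acl == null) {
            return false;
        }
        Privilege[] privileges = new Privilege[privilegeNames.length];
        for (int i = 0; i < privilegeNames.length; i++) {
            privileges[i] = acm.privilegeFromName(privilegeNames[i]);
        }
        acl.addEntry(principal, privileges, true); // true = allow entry
        acm.setPolicy(path, acl);
        return true; // the caller persists the change with session.save()
    }
}
```

With the values from the thread this would be called as `AclGrantHelper.grant(session, "/content/dam", group.getPrincipal(), Privilege.JCR_MODIFY_PROPERTIES)`, followed by `session.save()`.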