Unable to set ACL permission for nodes under "/content" but its working for nodes under "/apps"

srikanthp689160

21-09-2020

Hi,

Our project requirement is to create a user group and assign permissions programmatically.

We created a post-processor to get the SAML response and, based on that, create the group and its permissions programmatically. While applying permissions to the newly created group, permissions for paths under "/content" are not getting applied, but for "/apps" and "/var" they are.
// session, auth and log are fields of the component; populateSAMLAttrMap and the
// set*Permissions helpers are other methods of the same class.
private void parseSAMLResponse(Set<String> runModes, String samlResponseString)
        throws ParserConfigurationException, SAXException, IOException {
    DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
    documentBuilderFactory.setNamespaceAware(true);
    // The response is read back from a user property; do not let a DOCTYPE pull in external entities.
    documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    DocumentBuilder docBuilder = documentBuilderFactory.newDocumentBuilder();
    Map<String, String> samlAttributeMap = new HashMap<>();
    InputSource inputSource = new InputSource(new StringReader(samlResponseString));
    Document document = docBuilder.parse(inputSource);
    NodeList samlAssertion = document.getElementsByTagName("saml:Assertion");
    populateSAMLAttrMap(samlAttributeMap, samlAssertion);

    // SAML attributes; "Given Name" is used as the role that becomes the group ID
    String userType = samlAttributeMap.get("Display Name");
    String userRole = samlAttributeMap.get("Given Name");
    String brandCode = samlAttributeMap.get("Surname");
    String dealerId = samlAttributeMap.get("Sign in name");
    log.info("Attributes :::: {} ... {} ... {} ... {}", userType, userRole, brandCode, dealerId);
    try {
        final UserManager userManager = ((JackrabbitSession) session).getUserManager();
        Group group = null;
        if (userManager.getAuthorizable(userRole) == null) {
            group = userManager.createGroup(userRole);
            ValueFactory valueFactory = session.getValueFactory();
            Value groupNameValue = valueFactory.createValue(userRole, PropertyType.STRING);
            group.setProperty("./profile/givenName", groupNameValue);
            log.info("path of the group {} principal of the group {} {}",
                    group.getPath(), group.getPrincipal(), group.getID());
            // Works for paths under /apps and /var; for paths under /content the helpers below fail
            String groupPath = "/apps/POC_SSO";
            log.info("---> {} Group successfully created.", group.getID());

            setReadPermissions(group, groupPath, session);
            setDeletePermissions(group, groupPath, session);
            setModifyPermissions(group, groupPath, session);
            setCreatePermissions(group, groupPath, session);
            setReplicatePermissions(group, groupPath, session);
            setReadACLPermissions(group, groupPath, session);
            setEditACLPermissions(group, groupPath, session);
            group.addMember(auth);
            log.info("---> {} User added successfully.", group.getMembers());
        } else {
            log.info("---> Group already exist..");
        }

        session.save();
    } catch (Exception e) {
        // Any failure in the steps above is only logged at info level, not surfaced
        log.info("---> Exception.." + e.getMessage());
    }
}

Accepted Solutions (1)

Vijayalakshmi_S
MVP

22-09-2020

Hi @srikanthp689160,

Can you share details on how you retrieved the "session" used in the snippet below?

  • final UserManager userManager = ((JackrabbitSession) session).getUserManager();

Also, I could see that you are casting to JackrabbitSession to get the UserManager, while for setting permissions you are using the plain session object.

See if you can use JackrabbitSession for setting permissions as well; it has a method named hasPermission to check whether you have permissions for the given actions on the specified path.

Details about the method

Hi @Vijayalakshmi_S

Thanks for the help.

We are getting the session using the resource resolver of a "post processor of SAML response".

code snippet:

@Override
public void postProcess(AuthenticationInfo info, HttpServletRequest request, HttpServletResponse response)
        throws LoginException {
    try {
        // Resolver and session are opened with the authenticating user's own credentials
        resourceResolver = resourceResolverFactory.getResourceResolver(info);
        session = resourceResolver.adaptTo(Session.class);
        userManager = resourceResolver.adaptTo(UserManager.class);
        auth = userManager.getAuthorizable(session.getUserID());

        Set<String> runModes = slingSettingsService.getRunModes();
        // The SAML handler stores the protected response on the user node; unprotect and parse it
        if (runModes.contains("publish") && auth.hasProperty("samlResponse")) {
            samlResponeProperty = auth.getProperty("samlResponse");
            samlResponseString = cryptoSupport.unprotect(samlResponeProperty[0].getString());
            parseSAMLResponse(runModes, samlResponseString);
        }
        session.save();
    } catch (Exception e) {
        e.printStackTrace();
        log.info("error message" + e);
    }
}

 

 

I have tried using JackrabbitSession for setting permissions as well, but it did not work for the nodes under "/content" (and only for those).

When I take groupPath (mentioned in the previous code snippet) as any node under "/content", for example "/content/dam", I get the exception mentioned in the code snippet below.

Note: I am not getting the exception if I take groupPath as any node under "/apps".
public static void setModifyPermissions(final Authorizable sampleGroup, String aPath, JackrabbitSession session) {
    try {
        JackrabbitAccessControlManager accessControlManager =
                (JackrabbitAccessControlManager) session.getAccessControlManager();
        hasPermission(aPath, "modify_property"); // own helper, not shown
        Privilege[] privileges = {
            accessControlManager.privilegeFromName(Privilege.JCR_VERSION_MANAGEMENT),
            accessControlManager.privilegeFromName(Privilege.JCR_MODIFY_PROPERTIES),
            accessControlManager.privilegeFromName(Privilege.JCR_LOCK_MANAGEMENT)
        };
        AccessControlList aclList = null;
        try {
            // Getting the exception at this line (from the log):
            // org.apache.jackrabbit.oak.spi.security.authorization.cug.impl.CugPolicyImpl cannot be cast to
            // org.apache.jackrabbit.api.security.JackrabbitAccessControlList
            aclList = (AccessControlList) accessControlManager.getApplicablePolicies(aPath).next();
        } catch (NoSuchElementException e) {
            // No applicable policy left: fall back to the policy already bound to the node
            aclList = (AccessControlList) accessControlManager.getPolicies(aPath)[0];
        }
        aclList.addAccessControlEntry(sampleGroup.getPrincipal(), privileges);
        accessControlManager.setPolicy(aPath, aclList);
    } catch (Exception e) {
        log.info("---> Exception.." + e.getMessage());
    }
}

 

Thanks

Hi @Vijayalakshmi_S

We are getting the session through the resource resolver of a PostProcess.

code snippet:

@Override
public void postProcess(AuthenticationInfo info, HttpServletRequest request, HttpServletResponse response)
        throws LoginException {
    try {
        // Resolver and session are opened with the authenticating user's own credentials
        resourceResolver = resourceResolverFactory.getResourceResolver(info);
        session = resourceResolver.adaptTo(Session.class);
        userManager = resourceResolver.adaptTo(UserManager.class);
        auth = userManager.getAuthorizable(session.getUserID());

        Set<String> runModes = slingSettingsService.getRunModes();
        // The SAML handler stores the protected response on the user node; unprotect and parse it
        if (runModes.contains("publish") && auth.hasProperty("samlResponse")) {
            samlResponeProperty = auth.getProperty("samlResponse");
            samlResponseString = cryptoSupport.unprotect(samlResponeProperty[0].getString());
            parseSAMLResponse(runModes, samlResponseString);
        }
        session.save();
    } catch (Exception e) {
        e.printStackTrace();
        log.info("error message" + e);
    }
}

 

I have used JackrabbitSession while setting up permissions too, but it did not work for the nodes under "/content" (and only for those), and I get the exception "org.apache.jackrabbit.oak.spi.security.authorization.cug.impl.CugPolicyImpl cannot be cast to org.apache.jackrabbit.api.security.JackrabbitAccessControlList" in the log.

code snippet:

public static void setModifyPermissions(final Authorizable sampleGroup, String aPath, JackrabbitSession session) {
    try {
        log.info("inside setModifyPermissions method");
        JackrabbitAccessControlManager accessControlManager =
                (JackrabbitAccessControlManager) session.getAccessControlManager();
        log.info("accessControlManager...... {}", accessControlManager);
        hasPermission(aPath, "modify_property"); // own helper, not shown

        Privilege[] privileges = {
            accessControlManager.privilegeFromName(Privilege.JCR_VERSION_MANAGEMENT),
            accessControlManager.privilegeFromName(Privilege.JCR_MODIFY_PROPERTIES),
            accessControlManager.privilegeFromName(Privilege.JCR_LOCK_MANAGEMENT)
        };
        log.info("privileges on path...... {}", (Object) accessControlManager.getPrivileges(aPath));
        JackrabbitAccessControlList aclList = null;
        try {
            log.info("applicable policies:::::::: {}", accessControlManager.getApplicablePolicies(aPath));
            // Getting the exception at this line:
            // org.apache.jackrabbit.oak.spi.security.authorization.cug.impl.CugPolicyImpl cannot be cast to
            // org.apache.jackrabbit.api.security.JackrabbitAccessControlList
            aclList = (JackrabbitAccessControlList) accessControlManager.getApplicablePolicies(aPath).next();
        } catch (NoSuchElementException e) {
            // No applicable policy left: fall back to the policy already bound to the node
            aclList = (JackrabbitAccessControlList) accessControlManager.getPolicies(aPath)[0];
        }
        aclList.addAccessControlEntry(sampleGroup.getPrincipal(), privileges);
        accessControlManager.setPolicy(aPath, aclList);
        log.info("policies set up completed in setModifyPermissions");
    } catch (Exception e) {
        log.info("---> Exception.." + e.getMessage());
    }
}

 

Thanks

Hi @srikanthp689160,

An AccessControlPolicy (ACP) can be of any type, such as CugPolicy or JackrabbitAccessControlPolicy/List. Hence, use the snippet below in the iteration part to check which instance of ACP you have and add the ACL accordingly.

Authorizable authorizable = userMgr.getAuthorizable(userIdStr);
Principal userPrincipal = authorizable.getPrincipal();
Privilege[] writePrivileges = new Privilege[] { acmMgr.privilegeFromName(Privilege.JCR_WRITE) };
AccessControlPolicyIterator it = acmMgr.getApplicablePolicies(pageNode.getPath());
while (it.hasNext()) {
    AccessControlPolicy policy = it.nextAccessControlPolicy();
    /* Add the conditional check below in your iteration logic as well */
    if (policy instanceof AccessControlList) {
        AccessControlList acl = (AccessControlList) policy;
        acl.addAccessControlEntry(userPrincipal, writePrivileges);
        acmMgr.setPolicy(pageNode.getPath(), acl);
    }
    // The remaining checks only log which other policy types the iterator hands back
    if (policy instanceof PrincipalSetPolicy) {
        LOG.info("PrincipalSetPolicy={}", policy.getClass());
    }
    if (policy instanceof NamedAccessControlPolicy) {
        LOG.info("NamedAccessControlPolicy={}", policy.getClass());
    }
    if (policy instanceof CugPolicy) {
        LOG.info("CugPolicy={}", policy.getClass());
    }
    if (policy instanceof JackrabbitAccessControlPolicy) {
        LOG.info("JackrabbitAccessControlPolicy={}", policy.getClass());
    }
    if (policy instanceof JackrabbitAccessControlList) {
        LOG.info("JackrabbitAccessControlList={}", policy.getClass());
    }
}
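One way to put the accepted answer's instanceof check and the earlier hasPermission-style precondition into a single helper, as an added example rather than code from the thread or from AEM/Oak: the class and method names are hypothetical, it assumes the caller holds a JackrabbitSession and still calls session.save(), and it fails loudly instead of logging and continuing, so a group never ends up silently without the grant.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;

/** Hypothetical helper (not from the thread): grant a principal privileges on one JCR path. */
public final class AclGrantHelper {
    // Resource-based ACL for path: the one already bound to the node if present, otherwise the
    // first applicable one. Other policy types (e.g. Oak's CugPolicyImpl, which is applicable
    // under /content) are skipped by instanceof instead of being cast, so no ClassCastException.
    static JackrabbitAccessControlList findAcl(AccessControlManager acm, String path) throws RepositoryException {
        for (AccessControlPolicy bound : acm.getPolicies(path)) {
            if (bound instanceof JackrabbitAccessControlList) return (JackrabbitAccessControlList) bound;
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (it.hasNext()) {
            AccessControlPolicy applicable = it.nextAccessControlPolicy();
            if (applicable instanceof JackrabbitAccessControlList) return (JackrabbitAccessControlList) applicable;
        }
        return null; // nothing bindable at this path; the caller decides what that means
    }

    // Adds one allow entry for exactly the named privileges; returns true only if the ACL changed.
    // Throws when the acting session (in the thread: the logging-in user's own session) may not
    // modify access control on the path, instead of the log-and-continue used in the thread.
    static boolean grant(JackrabbitSession session, Principal principal, String path, String... privilegeNames)
            throws RepositoryException {
        AccessControlManager acm = session.getAccessControlManager();
        Privilege[] modifyAc = { acm.privilegeFromName(Privilege.JCR_MODIFY_ACCESS_CONTROL) };
        if (!acm.hasPrivileges(path, modifyAc)) {
            throw new RepositoryException(session.getUserID() + " cannot modify access control at " + path);
        }
        Privilege[] privs = new Privilege[privilegeNames.length];
        for (int i = 0; i < privilegeNames.length; i++) privs[i] = acm.privilegeFromName(privilegeNames[i]);
        JackrabbitAccessControlList acl = findAcl(acm, path);
        if (acl == null) {
            throw new RepositoryException("no access control list can be applied at " + path);
        }
        boolean changed = acl.addEntry(principal, privs, true); // false if an equal entry already exists
        if (changed) {
            acm.setPolicy(path, acl);
        }
        return changed; // e.g. grant(session, group.getPrincipal(), "/content/dam", Privilege.JCR_READ)
    }
}
```

jackrabbit-jcr-commons ships the same lookup as AccessControlUtils.getAccessControlList(Session, String), which can stand in for findAcl.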
