Unable to set ACL permission for nodes under "/content" but it's working for nodes under "/apps" | Community
srikanthp689160
Level 4
September 21, 2020
Solved

Unable to set ACL permission for nodes under "/content" but it's working for nodes under "/apps"

  • September 21, 2020
  • 1 reply
  • 1371 views

Hi, 

Our project requirement is to create a user group and assign permissions programmatically.

We created a postprocessor to get the SAML response and, based on that, create the group and permissions programmatically. While applying permissions to the newly created group, for paths under "/content" the permissions are not getting applied, but for "/apps" and "/var" the permissions are getting applied.

 

// Imports needed by this method. The fields session, auth and log and the helper
// populateSAMLAttrMap are members of the poster's class and are not shown.
import java.io.IOException;
import java.io.StringReader;
import java.io.UnsupportedEncodingException;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.jcr.PropertyType;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

private void parseSAMLResponse(Set<String> runModes, String samlResponseString)
        throws ParserConfigurationException, SAXException, IOException, UnsupportedEncodingException {
    DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
    documentBuilderFactory.setNamespaceAware(true);
    // The SAML response comes from an external party: refuse DOCTYPE declarations so the
    // parser cannot be driven into entity expansion or external entity (XXE) resolution.
    documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    DocumentBuilder docBuilder = documentBuilderFactory.newDocumentBuilder();
    Map<String, String> samlAttributeMap = new HashMap<String, String>();
    StringReader strReader = new StringReader(samlResponseString);
    InputSource inputSource = new InputSource(strReader);
    Document document = docBuilder.parse(inputSource);
    NodeList samlAssertion = document.getElementsByTagName("saml:Assertion");
    populateSAMLAttrMap(samlAttributeMap, samlAssertion);

    // Group name and the rest are taken from attributes the IdP sent in the assertion
    String userType = samlAttributeMap.get("Display Name");
    String userRole = samlAttributeMap.get("Given Name");
    String brandCode = samlAttributeMap.get("Surname");
    String dealerId = samlAttributeMap.get("Sign in name");
    log.info("Attributes :::: {} ... {} ... {} ... {}", userType, userRole, brandCode, dealerId);
    try {
        final UserManager userManager = ((JackrabbitSession) session).getUserManager();
        Group group = null;
        if (userManager.getAuthorizable(userRole) == null) {
            group = userManager.createGroup(userRole);
            ValueFactory valueFactory = session.getValueFactory();
            Value groupNameValue = valueFactory.createValue(userRole, PropertyType.STRING);
            group.setProperty("./profile/givenName", groupNameValue);
            log.info("path of the group {} principal of the group {} {}",
                    group.getPath(), group.getPrincipal(), group.getID());
            String groupPath = "/apps/POC_SSO";
            log.info("---> {} Group successfully created.", group.getID());

            // Each helper adds an ACL entry for the group at groupPath using the same session
            setReadPermissions(group, groupPath, session);
            setDeletePermissions(group, groupPath, session);
            setModifyPermissions(group, groupPath, session);
            setCreatePermissions(group, groupPath, session);
            setReplicatePermissions(group, groupPath, session);
            setReadACLPermissions(group, groupPath, session);
            setEditACLPermissions(group, groupPath, session);
            group.addMember(auth);
            log.info("---> {} User added successfully.", group.getMembers());
        } else {
            log.info("---> Group already exists.");
        }

        session.save();
    } catch (Exception e) {
        log.error("---> Exception while creating group or permissions", e);
    }
}

1 reply

Vijayalakshmi_S (Accepted solution)
Level 10
September 23, 2020

Hi @srikanthp689160,

Can you share details on how you have retrieved the "session" used in the below snippet.

  • final UserManager userManager = ((JackrabbitSession) session).getUserManager();

Also, I could see that you are casting to JackrabbitSession for getting the UserManager, while for setting permissions you are using the direct session object.

See if you can use JackrabbitSession for setting permissions as well; it has a method named hasPermission to check if you have permissions for actions on the specified path.

Details about the method

srikanthp689160
Level 4
September 23, 2020

Hi @vijayalakshmi_s

Thanks for the help.

We are getting the session using the resource resolver of a "post processor of SAML response".

code snippet: 

// Imports needed by this method. resourceResolverFactory, slingSettingsService, cryptoSupport,
// log and the fields assigned below are members of the poster's class and are not shown.
import java.util.Set;
import javax.jcr.Session;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.auth.core.spi.AuthenticationInfo;

@Override
public void postProcess(AuthenticationInfo info, HttpServletRequest request, HttpServletResponse response)
        throws LoginException {
    try {
        // The session belongs to the user who just authenticated, so every ACL write below
        // happens with that user's own rights
        resourceResolver = resourceResolverFactory.getResourceResolver(info);
        session = resourceResolver.adaptTo(Session.class);
        userManager = resourceResolver.adaptTo(UserManager.class);
        auth = userManager.getAuthorizable(session.getUserID());

        Set<String> runModes = slingSettingsService.getRunModes();
        if (runModes.contains("publish") && auth.hasProperty("samlResponse")) {
            samlResponeProperty = auth.getProperty("samlResponse");
            samlResponseString = cryptoSupport.unprotect(samlResponeProperty[0].getString());
            parseSAMLResponse(runModes, samlResponseString);
        }
        session.save();
    } catch (Exception e) {
        log.error("error message", e);
    }
}

 

 

I have tried using JackrabbitSession for setting permissions as well, but it still did not work, and only for the nodes under "/content".

When I take groupPath (mentioned in the previous code snippet) as any node under "/content", for example "/content/dam", I get the exception mentioned in the code snippet below.

Note: I do not get the exception if I take groupPath as any node under "/apps".

 

 

// Imports needed by this method. log and the helper hasPermission are members of the
// poster's class and are not shown.
import java.util.NoSuchElementException;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.user.Authorizable;

public static void setModifyPermissions(final Authorizable sampleGroup, String aPath, JackrabbitSession session) {
    try {
        JackrabbitAccessControlManager accessControlManager =
                (JackrabbitAccessControlManager) session.getAccessControlManager();
        // Helper in the poster's class (not shown); its result is not used here
        hasPermission(aPath, "modify_property");
        Privilege[] privileges = {
            accessControlManager.privilegeFromName(Privilege.JCR_VERSION_MANAGEMENT),
            accessControlManager.privilegeFromName(Privilege.JCR_MODIFY_PROPERTIES),
            accessControlManager.privilegeFromName(Privilege.JCR_LOCK_MANAGEMENT)
        };
        AccessControlList aclList = null;
        try {
            // The first applicable policy is cast without checking its type.
            // Getting Exception at this line in log info ..org.apache.jackrabbit.oak.spi.security.authorization.cug.impl.CugPolicyImpl cannot be cast to org.apache.jackrabbit.api.security.JackrabbitAccessControlList
            aclList = (AccessControlList) accessControlManager.getApplicablePolicies(aPath).next();
        } catch (NoSuchElementException e) {
            // No unbound policy left: fall back to the ACL already set on the path
            aclList = (AccessControlList) accessControlManager.getPolicies(aPath)[0];
        }
        aclList.addAccessControlEntry(sampleGroup.getPrincipal(), privileges);
        accessControlManager.setPolicy(aPath, (AccessControlPolicy) aclList);
    } catch (Exception e) {
        log.error("---> Exception while setting modify permissions", e);
    }
}

 

Thanks
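The exception quoted in the last snippet shows why the cast fails only under "/content": there, the first policy that getApplicablePolicies() returns is a CUG (closed user group) policy, not an ACL. The helper below, added here as an example and not code from this thread or from Adobe, selects the JackrabbitAccessControlList by type (the same lookup that AccessControlUtils.getAccessControlList in jackrabbit-jcr-commons performs) and, as the accepted answer suggests, first checks that the session doing the write is actually allowed to modify access control at that path. The class name GroupAclWriter, the method names and the "/content/dam" usage are assumptions.

```java
import java.security.Principal;

import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;

/** Hypothetical helper (not from the thread) for granting a group privileges on a path. */
public final class GroupAclWriter {

    private GroupAclWriter() {
    }

    /**
     * Finds the ACL for absPath by type instead of casting the first policy.
     * Oak may return other policy types first (a CUG policy under /content, as
     * in the log above), so every candidate is checked with instanceof.
     */
    static JackrabbitAccessControlList findAcl(AccessControlManager acm, String absPath)
            throws RepositoryException {
        // 1. Applicable policies: ACLs that may be set on the node but are not bound yet
        AccessControlPolicyIterator applicable = acm.getApplicablePolicies(absPath);
        while (applicable.hasNext()) {
            AccessControlPolicy policy = applicable.nextAccessControlPolicy();
            if (policy instanceof JackrabbitAccessControlList) {
                return (JackrabbitAccessControlList) policy;
            }
        }
        // 2. Policies already set on the node (it already carries an ACL)
        for (AccessControlPolicy policy : acm.getPolicies(absPath)) {
            if (policy instanceof JackrabbitAccessControlList) {
                return (JackrabbitAccessControlList) policy;
            }
        }
        return null; // no ACL can be managed at this path with this session
    }

    /**
     * Adds an allow entry for the group's principal. Returns true if the ACL
     * changed; the caller still has to call session.save().
     */
    public static boolean allow(JackrabbitSession session, Authorizable group,
                                String absPath, String... privilegeNames)
            throws RepositoryException {
        AccessControlManager acm = session.getAccessControlManager();

        // Fail early with a clear message if this session may not edit ACLs here.
        // The session obtained from the AuthenticationInfo is the logged-in user's
        // own session, so it must itself hold these privileges on the target path.
        Privilege[] acPrivileges = AccessControlUtils.privilegesFromNames(acm,
                Privilege.JCR_READ_ACCESS_CONTROL, Privilege.JCR_MODIFY_ACCESS_CONTROL);
        if (!acm.hasPrivileges(absPath, acPrivileges)) {
            throw new RepositoryException("user " + session.getUserID()
                    + " may not modify access control at " + absPath);
        }

        JackrabbitAccessControlList acl = findAcl(acm, absPath);
        if (acl == null) {
            return false;
        }
        Principal principal = group.getPrincipal();
        Privilege[] privileges = AccessControlUtils.privilegesFromNames(acm, privilegeNames);
        boolean changed = acl.addEntry(principal, privileges, true); // true = allow entry
        if (changed) {
            acm.setPolicy(absPath, acl);
        }
        return changed;
    }

    /** Counterpart of the thread's setModifyPermissions, built on the helper above. */
    public static void grantModify(JackrabbitSession session, Authorizable group, String absPath)
            throws RepositoryException {
        boolean changed = allow(session, group, absPath,
                Privilege.JCR_MODIFY_PROPERTIES,
                Privilege.JCR_VERSION_MANAGEMENT,
                Privilege.JCR_LOCK_MANAGEMENT);
        if (changed) {
            session.save(); // persist the entry; assumed call site: grantModify(session, group, "/content/dam")
        }
    }
}
```

The hasPrivileges check covers the case the accepted answer raises: the same session that reads the UserManager must also be permitted to write access control at the target, otherwise the write fails late with an AccessDeniedException. JackrabbitSession.hasPermission(absPath, actions) performs the same kind of check with JCR action names such as "read" or "set_property"; the poster's "modify_property" is not one of those names. Grant only the privileges the group really needs: a group whose name comes straight from an IdP attribute ("Given Name") should not receive jcr:modifyAccessControl (the setEditACLPermissions call in the first snippet), because that lets its members rewrite the same ACLs.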