Hi,
Our Project requirement is to create User Group and assign Permissions Programmatically.
Created a Postprocessor to get the SAML Response and based on that Creating group and permissions programmatically. While applying permissions to the newly created group, for the paths which are available in "/content" permission are not getting applied but for "/apps" and "/var" permissions are getting applied.
private void parseSAMLResponse(Set<String> runModes, String samlResponseString)throws ParserConfigurationException, SAXException, IOException, UnsupportedEncodingException
{
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setNamespaceAware(true);
DocumentBuilder docBuilder = documentBuilderFactory.newDocumentBuilder();
Map<String, String> samlAttributeMap = new HashMap<String, String>();
StringReader strReader = new StringReader(samlResponseString);
InputSource inputSource = new InputSource(strReader);
Document document = docBuilder.parse(inputSource);
NodeList samlAssertion = document.getElementsByTagName("saml:Assertion");
populateSAMLAttrMap(samlAttributeMap, samlAssertion);
String userType = samlAttributeMap.get("Display Name") ;
String userRole = samlAttributeMap.get("Given Name") ;
String brandCode = samlAttributeMap.get("Surname") ;
String dealerId = samlAttributeMap.get("Sign in name") ;
log.info("Attributes ::::"+userType+"........."+userRole+".........."+brandCode+"........"+dealerId);
try {
final UserManager userManager = ((JackrabbitSession) session).getUserManager();
Group group = null;
if (userManager.getAuthorizable(userRole) == null) {
group = userManager.createGroup(userRole);
ValueFactory valueFactory = session.getValueFactory();
Value groupNameValue = valueFactory.createValue(userRole, PropertyType.STRING);
group.setProperty("./profile/givenName", groupNameValue);
log.info("path of the group"+ group.getPath() +"principal of the group"+ group.getPrincipal()+ group.getID());
String groupPath = "/apps/POC_SSO";
log.info("---> {} Group successfully created.", group.getID());
setReadPermissions(group, groupPath, session);
setDeletePermissions(group, groupPath, session);
setModifyPermissions(group, groupPath, session);
setCreatePermissions(group, groupPath, session);
setReplicatePermissions(group, groupPath, session);
setReadACLPermissions(group, groupPath, session);
setEditACLPermissions(group, groupPath, session);
group.addMember(auth);
log.info("---> {} User added successfully.", group.getMembers());
} else {
log.info("---> Group already exist..");
}
session.save();
} catch (Exception e) {
log.info("---> Exception.." + e.getMessage());
}
}
Solved! Go to Solution.
Views
Replies
Total Likes
Hi @srikanthp689160,
Can you share details on how you have retrieved the "session" used in the below snippet.
Also, could see that you are casting to JackrabbitSession for getting UserManager and while setting permissions you are using direct session object
See if you can use JackrabbitSession for setting permissions as well which has method named hasPermission to check if you have permissions for actions on specified path.
Details about the method
Hi @srikanthp689160,
Can you share details on how you have retrieved the "session" used in the below snippet.
Also, could see that you are casting to JackrabbitSession for getting UserManager and while setting permissions you are using direct session object
See if you can use JackrabbitSession for setting permissions as well which has method named hasPermission to check if you have permissions for actions on specified path.
Details about the method
Thanks for the help
We are getting session using resource resolver of a "post processor of SAML response"
code snippet:
@Override
public void postProcess(AuthenticationInfo info, HttpServletRequest request, HttpServletResponse response)
throws LoginException {
try {
resourceResolver = resourceResolverFactory.getResourceResolver(info);
session = resourceResolver.adaptTo(Session.class);
userManager = resourceResolver.adaptTo(UserManager.class);
auth = userManager.getAuthorizable(session.getUserID());
Set<String> runModes = slingSettingsService.getRunModes();
if (runModes.contains("publish") && auth.hasProperty("samlResponse") ){
samlResponeProperty = auth.getProperty("samlResponse");
samlResponseString = cryptoSupport.unprotect(samlResponeProperty[0].getString());
parseSAMLResponse(runModes, samlResponseString);
}
session.save();
}
catch (Exception e) {
e.printStackTrace();
log.info("error message"+e);
}
}
I have tried using JackrabbitSession for setting permissions as well, but it did not work only for the nodes under "/content".
When am taking groupPath(mentioned in previous code snippet) as any node of "/content" example: "/content/dam" getting the exception mentioned in below code snippet.
note: Not getting exception, if i took groupPath as any node under "/apps".
public static void setModifyPermissions(final Authorizable sampleGroup, String aPath, JackrabbitSession session){
try {
JackrabbitAccessControlManager accessControlManager = (JackrabbitAccessControlManager) session.getAccessControlManager();
hasPermission(aPath,"modify_property");
Privilege[] privileges = {
accessControlManager.privilegeFromName(Privilege.JCR_VERSION_MANAGEMENT),
accessControlManager.privilegeFromName(Privilege.JCR_MODIFY_PROPERTIES),
accessControlManager.privilegeFromName(Privilege.JCR_LOCK_MANAGEMENT)
};
AccessControlList aclList = null;
try {
accessControlManager.getApplicablePolicies(aPath);
aclList =(AccessControlList) accessControlManager.getApplicablePolicies(aPath).next(); // Getting Exception at this line in log info ..org.apache.jackrabbit.oak.spi.security.authorization.cug.impl.CugPolicyImpl cannot be cast to org.apache.jackrabbit.api.security.JackrabbitAccessControlList
} catch (NoSuchElementException e) {
aclList = (AccessControlList) accessControlManager.getPolicies(aPath)[0];
}
(aclList).addAccessControlEntry(sampleGroup.getPrincipal(), privileges);
accessControlManager.setPolicy(aPath, (AccessControlPolicy) aclList);
} catch (Exception e) {
log.info("---> Exception.." + e.getMessage());
}
}
Thanks
Views
Replies
Total Likes
We are getting session through resource resolver of a PostProcess.
code snippet:
@Override
public void postProcess(AuthenticationInfo info, HttpServletRequest request, HttpServletResponse response)
throws LoginException {
// TODO Auto-generated method stub
try {
resourceResolver = resourceResolverFactory.getResourceResolver(info);
session = resourceResolver.adaptTo(Session.class);
userManager = resourceResolver.adaptTo(UserManager.class);
auth = userManager.getAuthorizable(session.getUserID());
Set<String> runModes = slingSettingsService.getRunModes();
if (runModes.contains("publish") && auth.hasProperty("samlResponse") ){
samlResponeProperty = auth.getProperty("samlResponse");
samlResponseString = cryptoSupport.unprotect(samlResponeProperty[0].getString());
parseSAMLResponse(runModes, samlResponseString);
}
session.save();
}
catch (Exception e) {
e.printStackTrace();
log.info("error message"+e);
}
}
I have used JackrabbitSession while setting up permissions too, but it didn't worked only for the nodes under "/content". and getting exception: "org.apache.jackrabbit.oak.spi.security.authorization.cug.impl.CugPolicyImpl cannot be cast to org.apache.jackrabbit.api.security.JackrabbitAccessControlList " in the log info.
code snippet:
public static void setModifyPermissions(final Authorizable sampleGroup, String aPath, JackrabbitSession session){
try {
log.info("inside setModifyPermissions method");
JackrabbitAccessControlManager accessControlManager = (JackrabbitAccessControlManager) session.getAccessControlManager();
log.info("accessControlManager...... "+accessControlManager);
hasPermission(aPath,"modify_property");
Privilege[] privileges = {
accessControlManager.privilegeFromName(Privilege.JCR_VERSION_MANAGEMENT),
accessControlManager.privilegeFromName(Privilege.JCR_MODIFY_PROPERTIES),
accessControlManager.privilegeFromName(Privilege.JCR_LOCK_MANAGEMENT)
};
log.info("accessControlManager...... "+accessControlManager.getPrivileges(aPath));
JackrabbitAccessControlList aclList = null;
try {
accessControlManager.getApplicablePolicies(aPath);
log.info("appicable policies:::::::: " +accessControlManager.getApplicablePolicies(aPath));
aclList =(JackrabbitAccessControlList) accessControlManager.getApplicablePolicies(aPath).next(); // getting exception at this line ....org.apache.jackrabbit.oak.spi.security.authorization.cug.impl.CugPolicyImpl cannot be cast to org.apache.jackrabbit.api.security.JackrabbitAccessControlList
} catch (NoSuchElementException e) {
aclList = (JackrabbitAccessControlList) accessControlManager.getPolicies(aPath)[0];
}
(aclList).addAccessControlEntry(sampleGroup.getPrincipal(), privileges);
accessControlManager.setPolicy(aPath, (AccessControlPolicy) aclList);
log.info("policies set up completed in settModify Permissions");
} catch (Exception e) {
log.info("---> Exception.." + e.getMessage());
}
}
Thanks
Views
Replies
Total Likes
Hi @srikanthp689160,
AccessControlPolicy(ACP) can be of any type from CugPolicy or JackrabbitAccessControlPolicy/List etc. Hence use the below snippet in the iteration part to check which instance of ACP and add ACL accordingly.
Authorizable authorizable = userMgr.getAuthorizable(userIdStr);
Principal userPrincipal = authorizable.getPrincipal();
Privilege[] writePrivileges = new Privilege[] { acmMgr.privilegeFromName(Privilege.JCR_WRITE) };
AccessControlPolicyIterator it = acmMgr.getApplicablePolicies(pageNode.getPath());
while (it.hasNext()) {
AccessControlPolicy policy = it.nextAccessControlPolicy();
/* Add below conditional check in your iteration logic as well */
if (policy instanceof AccessControlList) {
AccessControlList acl = (AccessControlList) policy;
acl.addAccessControlEntry(userPrincipal, writePrivileges);
acmMgr.setPolicy(pageNode.getPath(), acl);
}
if (policy instanceof PrincipalSetPolicy) {
LOG.info("PrinicipalSetPolicy={}", policy.getClass());
}
if (policy instanceof NamedAccessControlPolicy) {
LOG.info("NamedAccessControlPolicy={}", policy.getClass());
}
if (policy instanceof CugPolicy) {
LOG.info("CugPolicy={}", policy.getClass());
}
if (policy instanceof JackrabbitAccessControlPolicy) {
LOG.info("JackrabbitAccessControlPolicy={}", policy.getClass());
}
if (policy instanceof JackrabbitAccessControlList) {
LOG.info("JackrabbitAccessControlList={}", policy.getClass());
}
}
Views
Replies
Total Likes
Views
Likes
Replies
Views
Likes
Replies