
SOLVED

Wildcard ACL issue


Level 1

Hi!
While working on user/group setup I ran into a problem.
I have the following hierarchy:
sling:OrderedFolder (folder1)
|__cq:Page (page1)
|__cq:Page (page2)
|  |__cq:Page (subpage1)
|  |__...
|  |__cq:Page (subpageN)
|__...
|__cq:Page (pageN)

I need to deny access to all the pages except page1 and page2/subpage1.

So the restricted hierarchy must be the following:
sling:OrderedFolder (folder1)
|__cq:Page (page1)
|__cq:Page (page2)
|  |__cq:Page (subpage1)

I need to use wildcard ACLs (rep:glob) because the total number of pages is unknown and differs from one environment to another.
My _rep_policy.xml at the level of folder1's parent is:

<?xml version="1.0" encoding="UTF-8"?>
<jcr:root xmlns:crx="http://www.day.com/crx/1.0" xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
    jcr:primaryType="rep:ACL">
    <deny jcr:primaryType="rep:DenyACE" rep:principalName="editors" rep:privileges="{Name}[jcr:read]">
        <rep:restrictions jcr:primaryType="rep:Restrictions" rep:glob="/folder1/*" rep:ntNames="{Name}[cq:Page]"/>
    </deny>
    <allow0 jcr:primaryType="rep:GrantACE" rep:principalName="editors" rep:privileges="{Name}[jcr:read]">
        <rep:restrictions jcr:primaryType="rep:Restrictions" rep:glob="/folder1/page2"/>
    </allow0>
    <deny0 jcr:primaryType="rep:DenyACE" rep:principalName="editors" rep:privileges="{Name}[jcr:read]">
        <rep:restrictions jcr:primaryType="rep:Restrictions" rep:glob="/folder1/page2/*" rep:ntNames="{Name}[cq:Page]"/>
    </deny0>
</jcr:root>

In the useradmin console the checkboxes are chosen correctly, but when I try to open siteadmin the following exception appears:
org.apache.sling.jcr.resource.internal.helper.jcr.JcrNodeResourceIterator seek: Problem creating Resource for next node, skipping
javax.jcr.RepositoryException: Node /folder1/page2 doesn't have primary type set.


Also, http://localhost:4502/folder1/page2.json returns a 404 error.
My assumption is that rep:glob="/folder1/page2/*" denies the parent node (page2) as well as its children.

Does anyone know how to restrict all the pages except one using a wildcard ACL to implement the needed hierarchy?
Thank you in advance!

1 Accepted Solution


Correct answer by
Community Advisor

This can be achieved by using rep:glob for setting up access. It uses GlobPattern which uses pattern matching to grant/revoke permissions.

 

For details please refer to https://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html

 

Slide 22 on https://adapt.to/2015/presentations/adaptto2015-how-to-use-acls-effectively-mateusz-chrominski.pdf


Aanchal Sikka

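The accepted answer points at the GlobPattern documentation but does not show a policy, so here is a complete _rep_policy.xml that produces the hierarchy asked for in the question. It is an added example, not code from the original post or the answer. It keeps the question's layout: the policy sits on the parent of folder1, the principal is editors, the globs are relative to that parent, and the only names used (folder1, page1, page2, subpage1, editors) are the ones from the question. It relies on three points from the linked Oak page: a rep:glob without a wildcard matches the named node and everything below it; a "*" in a glob spans path segments; and rep:ntNames is checked against a node's own primary type, or the parent node's type for a property, which is why the question's deny on /folder1/page2/* also swallowed page2's own jcr:primaryType and produced the "doesn't have primary type set" warning. It also assumes Oak's same-policy precedence rule, under which the later of two matching entries in one ACL wins for a given item; the ordering below depends on that, so do not reorder the entries.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Added example, not from the original post or answer: _rep_policy.xml stored
  on the parent of folder1. Assumed names (all from the question): principal
  "editors", folder1, page1, page2, subpage1. Globs are relative to the node
  the policy is attached to. Entries are ordered so that, where several of
  them match one item, the later entry is the one that applies (assumed Oak
  same-policy precedence).
-->
<jcr:root xmlns:crx="http://www.day.com/crx/1.0" xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
    jcr:primaryType="rep:ACL">

    <!-- 1. Hide every cq:Page node below folder1, at any depth, together with the
         pages' own properties (for a property, rep:ntNames is checked against the
         parent node). folder1's own properties are untouched: their parent is a
         sling:OrderedFolder, so the type restriction does not match them. -->
    <deny jcr:primaryType="rep:DenyACE" rep:principalName="editors" rep:privileges="{Name}[jcr:read]">
        <rep:restrictions jcr:primaryType="rep:Restrictions" rep:glob="/folder1/*" rep:ntNames="{Name}[cq:Page]"/>
    </deny>

    <!-- 2. Bring page2 back. A glob without a wildcard matches the node and everything
         below it, so this also re-opens the subpages; entries 3 and 4 take them away. -->
    <allow jcr:primaryType="rep:GrantACE" rep:principalName="editors" rep:privileges="{Name}[jcr:read]">
        <rep:restrictions jcr:primaryType="rep:Restrictions" rep:glob="/folder1/page2"/>
    </allow>

    <!-- 3. Hide the child pages of page2 again. Exactly as in the question's policy
         this also catches page2's own jcr:primaryType; entry 6 repairs that. -->
    <deny0 jcr:primaryType="rep:DenyACE" rep:principalName="editors" rep:privileges="{Name}[jcr:read]">
        <rep:restrictions jcr:primaryType="rep:Restrictions" rep:glob="/folder1/page2/*" rep:ntNames="{Name}[cq:Page]"/>
    </deny0>

    <!-- 4. Hide the jcr:content subtree of every page below folder1. Entries 1 and 3
         never match these items: jcr:content is cq:PageContent, not cq:Page, so
         without this entry the content of a hidden page is still readable by path. -->
    <deny1 jcr:primaryType="rep:DenyACE" rep:principalName="editors" rep:privileges="{Name}[jcr:read]">
        <rep:restrictions jcr:primaryType="rep:Restrictions" rep:glob="/folder1/*/jcr:content*"/>
    </deny1>

    <!-- 5. page1 and everything below it, including its jcr:content. -->
    <allow0 jcr:primaryType="rep:GrantACE" rep:principalName="editors" rep:privileges="{Name}[jcr:read]">
        <rep:restrictions jcr:primaryType="rep:Restrictions" rep:glob="/folder1/page1"/>
    </allow0>

    <!-- 6. page2's own jcr:* properties (jcr:primaryType, jcr:created, ...) and its
         jcr:content subtree, but not its child pages: their items live under
         /folder1/page2/<name>/ and do not start with /folder1/page2/jcr:. -->
    <allow1 jcr:primaryType="rep:GrantACE" rep:principalName="editors" rep:privileges="{Name}[jcr:read]">
        <rep:restrictions jcr:primaryType="rep:Restrictions" rep:glob="/folder1/page2/jcr:*"/>
    </allow1>

    <!-- 7. subpage1 and everything below it. -->
    <allow2 jcr:primaryType="rep:GrantACE" rep:principalName="editors" rep:privileges="{Name}[jcr:read]">
        <rep:restrictions jcr:primaryType="rep:Restrictions" rep:glob="/folder1/page2/subpage1"/>
    </allow2>
</jcr:root>
```

The XML comments are explanatory and can be dropped. Two things to check after deploying, as a member of editors rather than as admin: /folder1/page2.json and /folder1/page2/subpage1.json must resolve without the JcrNodeResourceIterator warning from the question, and a hidden page must be unreadable through both /folder1/pageN.json and /folder1/pageN/jcr:content.json. The second URL is the one people forget: a deny restricted to rep:ntNames=[cq:Page] hides the page node but leaves its cq:PageContent subtree readable, so the content of a "hidden" page can still be fetched directly unless the jcr:content subtrees are denied as well (entry 4). Also note that the checkboxes in useradmin report the permission on the node, not on its properties, which is why they looked right in the question while Sling, which needs jcr:primaryType, could not build the resource.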
