Wildcard ACL issue | Community
mira_goncharenk
October 16, 2015
Solved

Hi!
While working on the User/Group setup I faced a problem.
I have the following hierarchy:
sling:OrderedFolder (folder1)
|__cq:Page (page1)
|__cq:Page (page2)
  |__cq:Page (subpage1)
  |__...
  |__cq:Page (subpageN)
|__...
|__cq:Page (pageN)

I need to deny access to all the pages except page1 and page2/subpage1.

So, the restricted hierarchy must be the following:
sling:OrderedFolder (folder1)
|__cq:Page (page1)
|__cq:Page (page2)
  |__cq:Page (subpage1).

I need to use wildcard ACLs (using rep:glob) because the total number of pages is unknown and differs from one environment to another.
My _rep_policy.xml for folder1's parent level is:

<?xml version="1.0" encoding="UTF-8"?>
<jcr:root xmlns:crx="http://www.day.com/crx/1.0" xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
    jcr:primaryType="rep:ACL">
    <deny
        jcr:primaryType="rep:DenyACE"
        rep:principalName="editors"
        rep:privileges="{Name}[jcr:read]">
        <rep:restrictions
            jcr:primaryType="rep:Restrictions"
            rep:glob="/folder1/*"
            rep:ntNames="{Name}[cq:Page]"/>
    </deny>
    <allow0
        jcr:primaryType="rep:GrantACE"
        rep:principalName="editors"
        rep:privileges="{Name}[jcr:read]">
        <rep:restrictions
            jcr:primaryType="rep:Restrictions"
            rep:glob="/folder1/page2"/>
    </allow0>
    <deny0
        jcr:primaryType="rep:DenyACE"
        rep:principalName="editors"
        rep:privileges="{Name}[jcr:read]">
        <rep:restrictions
            jcr:primaryType="rep:Restrictions"
            rep:glob="/folder1/page2/*"
            rep:ntNames="{Name}[cq:Page]"/>
    </deny0>
</jcr:root>

In the useradmin console the checkboxes are chosen correctly, but when I try to open siteadmin the following exception appears:
org.apache.sling.jcr.resource.internal.helper.jcr.JcrNodeResourceIterator seek: Problem creating Resource for next node, skipping
javax.jcr.RepositoryException: Node /folder1/page2 doesn't have primary type set.


Besides, http://localhost:4502/folder1/page2.json returns 404 error.
My assumption is that rep:glob="/folder1/page2/*" denies the parent node (page2) as well as the children.

Does anyone know how to restrict all the pages except one using a wildcard ACL to implement the needed hierarchy?
Thank you in advance!

aanchal-sikka (Community Advisor, accepted solution)
December 6, 2023

This can be achieved by using rep:glob for setting up access. It uses GlobPattern which uses pattern matching to grant/revoke permissions.

 

For details please refer to https://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html

 

Slide 22 on https://adapt.to/2015/presentations/adaptto2015-how-to-use-acls-effectively-mateusz-chrominski.pdf

Aanchal Sikka
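
Added example, not part of the original thread and not Oak's own code: a simplified model of how the three entries in the posted _rep_policy.xml would be evaluated for nodes and for their properties. It assumes the policy sits on the repository root (so the globs read as absolute paths), that `*` in rep:glob also matches `/`, that a glob without `*` covers the item and everything below it, that rep:ntNames is checked against the node holding a property, and that later entries override earlier ones; the node tree and the `inherited` default are constructed.

```python
import re

# Constructed node tree from the question: node path -> primary type.
NODES = {
    "/folder1": "sling:OrderedFolder",
    "/folder1/page1": "cq:Page",
    "/folder1/page2": "cq:Page",
    "/folder1/page2/subpage1": "cq:Page",
}

# The three entries of the posted _rep_policy.xml, in document order:
# (effect, rep:glob, rep:ntNames or None when there is no type restriction).
POLICY = [
    ("deny", "/folder1/*", {"cq:Page"}),
    ("allow", "/folder1/page2", None),
    ("deny", "/folder1/page2/*", {"cq:Page"}),
]

def glob_matches(glob, item_path):
    """Assumed rep:glob rule: '*' matches any characters, '/' included;
    a glob without '*' matches the named item and everything below it."""
    if "*" in glob:
        regex = ".*".join(re.escape(part) for part in glob.split("*"))
        return re.fullmatch(regex, item_path) is not None
    return item_path == glob or item_path.startswith(glob + "/")

def can_read(node_path, prop=None, inherited=True):
    """jcr:read decision for a node, or for property `prop` on that node.
    `inherited` is the assumed read access the group holds from elsewhere."""
    # A property is matched by its own path, but rep:ntNames is checked
    # against the primary type of the node that holds it (assumption).
    item_path = node_path if prop is None else f"{node_path}/{prop}"
    decision = inherited
    for effect, glob, nt_names in POLICY:
        if nt_names is not None and NODES[node_path] not in nt_names:
            continue
        if glob_matches(glob, item_path):
            decision = effect == "allow"  # assumed: later entries override
    return decision

def report():
    """Evaluate every node and its jcr:primaryType property."""
    return {(p, prop): can_read(p, prop)
            for p in NODES for prop in (None, "jcr:primaryType")}

if __name__ == "__main__":
    for (path, prop), ok in report().items():
        print("read" if ok else "DENY", path, prop or "(node)")
```

In this model page2 stays readable as a node while /folder1/page2/jcr:primaryType is denied by the last entry, which is consistent with the "doesn't have primary type set" exception in the question. The same last entry also denies subpage1, and no entry grants page1.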