Jackrabbit user management

Question

I can hardly find any documentation on how to design and build a repository for multiple users.

I'm quite new to Jackrabbit and I was always using one master user credentials to build a repository that was accessed by only one master user.

Now I need a repository that is shared by thousands of users and each user works with his nodes and doesn't have permissions to the others.

The SimpleAccessManager is quite simple :

public boolean isGranted(ItemId id, int permissions) throws RepositoryException {
    checkInitialized();
    if (system) {
        // system has always all permissions
        return true;
    } else if (anonymous) {
        // anonymous is always denied WRITE & REMOVE permissions
        if ((permissions & WRITE) == WRITE
                || (permissions & REMOVE) == REMOVE) {
            return false;
        }
    }

    return true;
}

It looks that one cannot create such a multi-user repository with SimpleLoginModule and SimpleAccessManager. Because it differentiates only between ADMIN and anonymous users that can read everything but cannot write...

So that one have to use DefaultAccessManager and perhaps do something like this :

Session session = repository.login(new SimpleCredentials("admin", "admin".toCharArray())); 

UserManager um = ((JackrabbitSession) session).getUserManager(); 
User user = um.createUser("john", "doe"); 

/*   And assign some ALC as follows... And then play with it like this, which really sucks without proper documentation, one has to reverse engineer everything, wtf */

AccessControlManager acm = session.getAccessControlManager();     
AccessControlPolicyIterator it = acm.getApplicablePolicies(testRootNode.getPath()); 
while ( it.hasNext() ) { 
    AccessControlPolicy acp = it.nextAccessControlPolicy(); 

    Privilege[] privileges = new Privilege[]{acm.privilegeFromName(Privilege.JCR_WRITE)}; 

    ((AccessControlList)acp).addAccessControlEntry(new PrincipalImpl(user.getUserID()), privileges); 

    acm.setPolicy(testRootNode.getPath(), acp); 
} 

The repository will be accessible via OpenCMIS that supplies user credentials from client.

EDIT: this is what I was looking for AccessControl

Answer 1

I'm not sure what all the necessary steps are, but you could have a look at the Hippo CMS repository, which is based on Apache JackRabbit. It's an open source CMS and content repository that has implemented it's own user management based on domains and facets.

You can find the source of the security part of Hippo CMS here.

Answer 2

If you need a repository with "thousands of users" you are better off using JAAS login module that authenticates the users based on some external system (LDAP or Database etc.) and gives the Roles. A session is returned when you login to the repository using a workspace name and optional credentials. And as you can see from here: http://www.day.com/maven/javax.jcr/javadocs/jcr-2.0/javax/jcr/Session.html the session only exposes the nodes to which the user has access to.

If you need to apply different access controls, clearly the default SimpleAccessManager isn't enough for you, so you might need to implement your own AccessManager.