Hi,

On Wed, 2018-11-07 at 14:52 -0600, kevintv wrote:
> Hello,
>
> I'm a new developer trying to tackle the Jackrabbit/JCR library. My
> team and
> I have been using the EveryonePrincipal for a couple of months now,
> but
> we've been wanting to implement more capabilities per user
> roles/principals
> so we can grant them necessary read/write access to each node.
> However,
> we're having some difficulties figuring out how to create a new
> Principal
> object.
>
> I've been using:
>
> PrincipalImpl newPrincipal = new PrincipalImpl("MyPrincipal");
>
> Then creating a new RolePrincipal class matching the
> EveryonePrincipal,
> except the name would be "MyPrincipal" inside the RolePrincipal
> class. This
> method doesn't work unfortunately. Is there anything else we're
> missing from
> this? And how does the 'everyone' principal gets stored?

You might find [1] useful, it outlines how access control is managed
specifically in jackrabbit. You should also take a look at [2].

Hope this helps,

Robert

[1]: https://wiki.apache.org/jackrabbit/AccessControl
[2]: https://docs.adobe.com/content/docs/en/spec/jcr/2.0/16_Access_Control_Management.html

Hi


Unfortunately JSR 170 and 283 don't define how principals can be managed or retrieved. That's why there exists a bit of additional API with jackrabbit-api:


- org.apache.jackrabbit.api.JackrabbitSession.getPrincipalManager

- org.apache.jackrabbit.api.security.principal.PrincipalManager


so, the shortest answer would be: everything that is exposed by the PrincipalManager is a valid principal. And since the specification mandates that any access control management operation makes sure on valid principals are passed as arguments, this is the default behaviour out of the box. however, there are cases where we found that limitation to be too strict. i don't recall if we relaxed that in Jackrabbit 2.x outside of the xml-import but with the new implementation at Jackrabbit Oak there exists a configuration option ImportBehavior that allows to relax the validation checks for principals across all access control operations (adding principals within policies, importing the later etc).


There exists no proper documentation for Jackrabbit 2.x but for Oak you can find the documentation at http://jackrabbit.apache.org/oak/docs/security/overview.html


kind regards

angela




________________________________
From: kevintv <***@gmail.com>
Sent: Wednesday, November 7, 2018 9:52 PM
To: ***@jackrabbit.apache.org
Subject: How to create new Principal Object

Hello,

I'm a new developer trying to tackle the Jackrabbit/JCR library. My team and
I have been using the EveryonePrincipal for a couple of months now, but
we've been wanting to implement more capabilities per user roles/principals
so we can grant them necessary read/write access to each node. However,
we're having some difficulties figuring out how to create a new Principal
object.

I've been using:

PrincipalImpl newPrincipal = new PrincipalImpl("MyPrincipal");

Then creating a new RolePrincipal class matching the EveryonePrincipal,
except the name would be "MyPrincipal" inside the RolePrincipal class. This
method doesn't work unfortunately. Is there anything else we're missing from
this? And how does the 'everyone' principal gets stored?



--
Sent from: http://jackrabbit.510166.n4.nabble.com/Jackrabbit-Users-f510167.html