jaas in jackrabbit using capability model

initial post: 07 sep 2009
last update: 07 sep 2009

This post is part of series of posts related to security:
This is the way i implemented security in my application.

First, in my application, the login is handled by tomcat(it can be managed by JackRabbit to).
For this i am using a LoginModule and a CallbackHandler (javax.security.auth.spi.LoginModule and javax.security.auth.callback.CallbackHandler).

All my requests runs in the name of the authenticated Subject, using a code like this:

This piece of code is inside Tomcat actually. And the subject must be stored in the session with the "javax.security.auth.subject" key in order to be found by Tomcat:
I have a filter that do this:

After that the login can be done without passing any credentials:
because JackRabbit is searching the subject in SecurityManager (i don't remember exactly what is doing)
JackRabbit has a default authorization implementation based on Access Control Lists. This mean that is storing the access rights on some lists on each node.
I found more suitable for my application to store the access rights on the role instead of nodes. This approach is named "Capability Model". For example the access checks done by jvm with FilePermission is capability based. Is using permissions like:
permission java.io.FilePermission "c:\\tomcat\\-", "read,write,execute,delete";
(of course, the jvm cannot use ACL in order to check file access permissions.)
Basically the two approaches are very similar but has some particularities:
  • in ACL you cant know what nodes a user can access. The only way is by searching this permission in all nodes in workspace.
  • in capability model you cannot know what users can access a specific node only if you search in all permissions from all existing users.

So, here is my approach:

I am using a custom access manager:

Here is the class: ArhinetJackRabbitAccessManager.java

In this class i only check one access permission against another:

Now about the permission classes.

When a user is authenticated in the app it has a set of JackRabbitAccessPermissions, for example:

in the first example the user has the permission to read and modify any file in user's home dir, in subfolder arnt:folder but only that files that are of type "nt:file" or "nt:unstructured".
in the second, the user can set any property named "z" in the user's home dir (and subfolders)
As you can see i am using xpath to specify the protected resource. I am using jaxen for this.
Here are the rest of the files:
1. some utility classes: