Apache Jackrabbit : SimpleJbossAccessManager

THIS CLASS WILL BE REMOVED IN JACKRABBIT 2.18, PLEASE SEE https://issues.apache.org/jira/browse/JCR-4258 FOR DETAILS

The simple JBoss access manager is a specialized AccessManager that handles authorization of users authenticated through JBoss login modules. It maps roles from the JBoss SimpleGroup class to Jackrabbit permissions.

The intent of this document is to

  • Deploy and enable a SimpleJbossAccessManager.
  • Configure the mappings between groups/roles from the authentication system to jackrabbit permissions.

Files that will be modified

  • Deploy SimpleJbossAccessManager.jar to WEB-INF/lib or somewhere else to add to the classpath.
  • repository.xml
  • $REPO_HOMEDIR/rolemappings.properties

Add SimpleJbossAccessManager to classpath

All code is Apache licensed.

For the server .WAR deployment option, go to the attachments section and save the SimpleJbossAccessManager.jar under /WEB-INF/lib/SimpleJbossAccessManager.jar.

For the JCA deployment option, save that same .jar and add it to the RAR file.


Configure Jackrabbit to use SimpleJbossAccessManager

Go to your repository.xml and modify the following:

<Security appName="Jackrabbit">
  <AccessManager class="org.apache.jackrabbit.core.security.jboss.SimpleJbossAccessManager">
  </AccessManager>
  <!-- Remove this LoginModule so that only the modules configured in login-config.xml are used.
  <LoginModule class="org.apache.jackrabbit.core.security.SimpleLoginModule">
    <param name="anonymousId" value="anonymous"/>
  </LoginModule>
  -->
</Security>


Authorization - mapping roles to permissions

This module uses the JBoss SimpleGroup class to get a list of roles from the login modules. It has specifically been tested on AD (Active Directory), although it should be transparent for other security implementations.

Under your repository home directory (defined in your repository.xml as 'path'), which usually contains the /repository, /version, and /workspace directories, create a rolemappings.properties file. If someone wanted to modify the code to allow the location of the mapping file to be configured, that would be fine.

rolemappings.properties:

#SimpleJbossAccessManager Jackrabbit permissions.
#permissions must be:
# read, full, or none
#Roles that are not defined are defaulted to none.
developers=full
admin=full
active_directory_group_called_jackrabbit_ro=read
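
A mistyped permission or a repeated role name in this file changes who can access the repository, so it is worth checking the file before deploying it. The script below is an added example, not part of SimpleJbossAccessManager or the attachments. It assumes only the plain role=permission and # comment lines shown above, and its function names and sample input are constructed for illustration.

```python
# Added example: audit a rolemappings.properties file before deployment.
# Assumption: only "role=permission" and "#" comment lines are handled,
# not the full java.util.Properties syntax.
ALLOWED = {"read", "full", "none"}   # the three values the page allows
DEFAULT = "none"                     # roles that are not defined default to none

# Constructed sample input containing two deliberate mistakes.
SAMPLE = """\
#SimpleJbossAccessManager Jackrabbit permissions.
developers=full
admin=full
active_directory_group_called_jackrabbit_ro=read
contractors=write
developers=read
"""

def audit(text):
    """Return (mappings, findings) for the text of a mapping file."""
    mappings, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        role, sep, perm = line.partition("=")
        role, perm = role.strip(), perm.strip()
        if not sep or not role:
            findings.append((lineno, "not a role=permission line"))
            continue
        if perm not in ALLOWED:
            # Reported and left out of the result (a choice made by this audit).
            findings.append((lineno, f"{role}: unknown permission {perm!r}"))
            continue
        if role in mappings and mappings[role] != perm:
            # java.util.Properties keeps the last value for a repeated key.
            findings.append((lineno, f"{role}: redefined {mappings[role]} -> {perm}"))
        mappings[role] = perm
    return mappings, findings

def permission_for(mappings, role):
    """Permission for one role; undefined roles get the default."""
    return mappings.get(role, DEFAULT)

def roles_with(mappings, perm):
    """Sorted roles holding a given permission, e.g. to review 'full' grants."""
    return sorted(r for r, p in mappings.items() if p == perm)

if __name__ == "__main__":
    m, f = audit(SAMPLE)
    for lineno, msg in f:
        print(f"line {lineno}: {msg}")
    print("full access:", roles_with(m, "full"))
```
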

Attachments:

SimpleJbossAccessManager.jar (application/octet-stream)
SimpleJbossAccessManager.java (text/x-java-source)
pom.xml (text/xml)