Problem with SecurityPolicy

Hi,

I am using the SecurityPolicy class and overriding the checkPermission () method to define access to listing documents. This worked everything perfect. When I start Tomcat, the following is happening WARN:

2014-06-30 16:35:00,002 WARN [Quartz_Worker-1] [org.nuxeo.ecm.core.security.SecurityPolicyServiceImpl] Security policy 'org.br.ezute.security.policy.ListDocSecurityPolicy' for repository 'default' cannot be expressed in SQL query. 2014-06-30 16:38:19,695 WARN [Nuxeo-Administrative-Statuses-Notify-Scheduler] [org.nuxeo.ecm.core.security.SecurityPolicyServiceImpl] Security policy 'org.br.ezute.security.policy.ListDocSecurityPolicy' for repository 'default' cannot be expressed in SQL query. 2014-06-30 16:38:19,702 WARN [Nuxeo-Administrative-Statuses-Notify-Scheduler] [org.nuxeo.ecm.core.security.SecurityPolicyServiceImpl] Security policy 'org.br.ezute.security.policy.ListDocSecurityPolicy' for repository 'default' cannot be expressed in SQL query. 2014-06-30 16:38:19,707 WARN [Nuxeo-Administrative-Statuses-Notify-Scheduler] [org.nuxeo.ecm.core.security.SecurityPolicyServiceImpl] Security policy 'org.br.ezute.security.policy.ListDocSecurityPolicy' for repository 'default' cannot be expressed in SQL query. 2014-06-30 16:40:00,003 WARN [Quartz_Worker-1] [org.nuxeo.ecm.core.security.SecurityPolicyServiceImpl] Security policy 'org.br.ezute.security.policy.ListDocSecurityPolicy' for repository 'default' cannot be expressed in SQL query. 2014-06-30 16:43:19,695 WARN [Nuxeo-Administrative-Statuses-Notify-Scheduler] [org.nuxeo.ecm.core.security.SecurityPolicyServiceImpl] Security policy 'org.br.ezute.security.policy.ListDocSecurityPolicy' for repository 'default' cannot be expressed in SQL query. 2014-06-30 16:43:19,700 WARN [Nuxeo-Administrative-Statuses-Notify-Scheduler] [org.nuxeo.ecm.core.security.SecurityPolicyServiceImpl] Security policy 'org.br.ezute.security.policy.ListDocSecurityPolicy' for repository 'default' cannot be expressed in SQL query. 2014-06-30 16:43:19,702 WARN [Nuxeo-Administrative-Statuses-Notify-Scheduler] [org.nuxeo.ecm.core.security.SecurityPolicyServiceImpl] Security policy 'org.br.ezute.security.policy.ListDocSecurityPolicy' for repository 'default' cannot be expressed in SQL query.

Follow my code

@Override

public Access checkPermission(Document doc, ACP mergedAcp,
        Principal principal, String permission,
        String[] resolvedPermissions, String[] additionalPrincipals) {

    String confident = null;
    if (DocumentUtil.verifyTypeName(doc.getType().getName())) {
        try {
            confident = (String) doc
                    .getPropertyValue("dcns-common:confidentiality");
        } catch (DocumentException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }
        if (confident != null){

            NuxeoPrincipal targetUser = (NuxeoPrincipal) principal;
            int levelDoc = Utils.getConfidentLevel(confident);

            boolean acces = false;
            for (String group : targetUser.getGroups()) {

                if (group.startsWith("confidentiality_")) {
                    group = group.replace("confidentiality_", "");
                }

                int levelUser = Utils.getConfidentLevel(group);

                if (levelUser >= levelDoc) {
                    acces = true;
                }
            }
            if (acces == false) {
                return Access.DENY;
            }

        }

    }
    return Access.UNKNOWN;
}

Could someone give me support? I'm not using Sql Query

0 votes

1 answers

1003 views

ANSWER



Hello, this means your policy can't be expressed in NXQL ie it must be checked individually for each document that a query may return.

It only a warnign and is not a big deal unless you have queries that retrieves a lot of documents. In that case Nuxeo allow to express the policy by decorating each NXQL query by adding some where clauses. See http://doc.nuxeo.com/display/NXDOC/Security+Policy+Service for SQLTransformer.

0 votes



Hello, Exactly what I'm doing, checking each document, I'm not using NXQL in my security policy. As seen in the above method
07/01/2014

So don't care about the warnings
07/01/2014