Open dkocher opened 11 years ago
From dkocher@sudo.ch on November 09, 2011 10:26:27 A patch would be welcome.
From tch...@gmail.com on November 09, 2011 15:26:23 I have none for now :)
Still need to investigate how ACLs work behind the scenes :)
From tch...@gmail.com on November 09, 2011 16:14:38 For reference: http://webdav.org/specs/rfc3744.html
If I find time to implement this for my needs, I will upload a patch :)
From tch...@gmail.com on November 18, 2011 16:47:10 Here is a first patch that implements the following:
Getting owner / group / ACLs of a specific node. Principals supported are href and property. Just call
`public DavAcl Sardine.getAcl(String uri)`
From dkocher@sudo.ch on November 18, 2011 21:03:23 Do you plan to implement a corresponding #setAcl for writing as well?
From dkocher@sudo.ch on November 18, 2011 22:29:09 Do we need to extend the interface or can't we just add the acl property to DavResource and use Sardine#list?
From dkocher@sudo.ch on November 18, 2011 22:33:33 In r315. Will leave this open until we have more tests.
From tch...@gmail.com on November 18, 2011 23:48:04 Don't know if I'll have time to implement but missing features are
-> set acl
-> get inherited acl
-> get list of principals
-> get capabilities.
It's not recommended to add ACL to DavResource. The spec for ACL mandates that the server does not return the ACL on an "allprop" PROPFIND request, because gathering the ACL can be time consuming for the server. Whatever you do, you can't get all properties + ACL in the same request.
From dkocher@sudo.ch on November 19, 2011 10:32:20 Thanks for the update. I should read the RFC first myself. Removed in r317.
From tch...@gmail.com on November 21, 2011 14:40:23 Hello,
Here is another patch that adds support for
-> inherited ACL,
-> protected ACL,
-> property principal
-> D:all D:self D:unauthenticated D:authenticated principals.
-> Setting ACL on a node
-> Getting principalCollectionSet and listing principals in a Collection
From dkocher@sudo.ch on November 23, 2011 16:55:17 That's a great patchset. What server have you tested against? What server implementations are available?
From tch...@gmail.com on November 23, 2011 21:35:33 Tested against a jakarta-slide DAV server.
I have seen there exists an ACL extension on sourceforge for apache httpd, but did not try to compile / install it.
The HTTP responses used by the tests in handlertest were constructed using documentation and examples from the RFC.
From tch...@gmail.com on December 02, 2011 10:32:52 Do you plan on putting my second patch in subversion or do I need to make changes to it?
From dkocher@sudo.ch on December 07, 2011 14:23:27 I have integrated the patch in my working copy but haven't committed yet because I hoped I could get some solution for testability of the code. We badly need some mock service to test against.
From tch...@gmail.com on December 07, 2011 15:56:53 Maybe run this http://code.google.com/p/sabredav/wiki/ACL on a local server and test against it? Unfortunately, their implementation is not complete. Another solution is to run the server against which the code was tested: jakarta-slide, which is no longer supported. Another option: start and run a milton server. http://milton.ettrema.com/compat/index.html
From tch...@gmail.com on December 07, 2011 15:57:55 I am not sure, but maybe a milton server could be started locally as part of the unit tests (pure Java WebDAV server, I don't think it needs Tomcat and such)
From dkocher@sudo.ch on December 10, 2011 14:04:28 We are waiting for http://jira.ettrema.com:8080/browse/MIL-101 to be fixed where we can test against until we have a mock service.
From dkocher@sudo.ch on December 10, 2011 14:04:56 On another note, http://jira.ettrema.com:8080/browse/MIL-100 has been resolved which should allow testing against this implementation.
From dkocher@sudo.ch on December 10, 2011 14:42:15 Latest patchset committed in r322. Tests pending.
Hi,
I've tried the 5.0 version but I am getting null Aces value as well as Group and Owner value. Here is the snippet....
```java
try {
    DavAcl resourceACL = sardine.getAcl(curDir + "/" + doc.getTitle());
    // Treat a null ACE list like an empty one so the loop below cannot throw
    if (resourceACL.getAces() == null || resourceACL.getAces().isEmpty()) {
        doc.setAcl("None");
    } else {
        for (DavAce davace : resourceACL.getAces()) {
            // Guard against a null inherited value before testing for empty
            if (davace.getInherited() != null && !davace.getInherited().isEmpty()) {
                doc.setAcl(doc.getAcl() + ", Inherited: " + davace.getInherited());
            }
            if (davace.getPrincipal() != null) {
                doc.setAcl(doc.getAcl() + ", Principals: ");
                doc.setAcl(doc.getAcl() + ", " + davace.getPrincipal().getDisplayName() + "-" + davace.getPrincipal().getValue());
            }
            if (davace.getGranted().size() > 0) {
                doc.setAcl(doc.getAcl() + ", Granted: ");
                for (String granted : davace.getGranted()) {
                    doc.setAcl(doc.getAcl() + ", " + granted);
                }
            }
            if (davace.getDenied().size() > 0) {
                doc.setAcl(doc.getAcl() + ", Denied: ");
                for (String denied : davace.getDenied()) {
                    doc.setAcl(doc.getAcl() + ", " + denied);
                }
            }
        }
    }
    if (resourceACL.getGroup() != null) {
        doc.setAcl(doc.getAcl() + ", Group: " + resourceACL.getGroup());
    }
    if (resourceACL.getOwner() != null) {
        doc.setAcl(doc.getAcl() + ", Owner: " + resourceACL.getOwner());
    }
} catch (IOException e) {
    if (logger.isErrorEnabled()) {
        logger.error("Error while getting ACL of resource", e);
    }
}
```
Here are my Maven dependencies...
```xml
<dependency>
    <groupId>com.github.lookfirst</groupId>
    <artifactId>sardine</artifactId>
    <version>5.0</version>
</dependency>
<dependency>
    <groupId>org.apache.httpcomponents</groupId>
    <artifactId>httpcore</artifactId>
    <version>4.2.4</version>
</dependency>
<dependency>
    <groupId>org.apache.httpcomponents</groupId>
    <artifactId>httpclient</artifactId>
    <version>4.2.4</version>
</dependency>
```
Pulling out resource is working fine...
List
Is there something that I need to do other than executing the sardine.getAcl?
TIA
I'm not sure if it'll help at all but 5.0.1 is the latest version.
Thanks for replying back.
I've tried 5.0.1 and I am still getting null Aces. Just an additional question, do I need admin permission to pull-out ACL?
Right now the service account has Contributor right only.
Thanks again.
> Just an additional question, do I need admin permission to pull-out ACL?
That isn't a Sardine question, but I suspect that you'll need some sort of access to do so, otherwise you will probably get nulls.
Ok so I've tried an admin account just to see if that will help but it didn't. I can't even get the Owner or the Group where it belongs.
I would appreciate if you or someone can share a piece of code (that worked properly) to get/list the ACL of a SharePoint resource.
TIA.
Post the HTTP wire log and we can see if the ACLs are present and add a test case to fix this if it is an issue in the Sardine code base that ACLs aren't parsed correctly.
Here is the wire log after executing just sardine.getAcl. You will see that I am getting a mixture of status codes here...
401, then 207, then 200. You can see that on the last few lines it has a 200 status code but the MultiStatus data is empty.
Note: I stripped off the random characters.....
```
DEBUG [org.apache.http.impl.client.DefaultHttpClient] Stale connection check
DEBUG [org.apache.http.client.protocol.RequestAddCookies] CookieSpec selected: best-match
DEBUG [org.apache.http.client.protocol.RequestAuthCache] Auth cache not set in the context
DEBUG [org.apache.http.client.protocol.RequestTargetAuthentication] Target auth state: UNCHALLENGED
DEBUG [org.apache.http.client.protocol.RequestProxyAuthentication] Proxy auth state: UNCHALLENGED
DEBUG [org.apache.http.impl.client.DefaultHttpClient] Attempt 1 to execute request
DEBUG [org.apache.http.impl.conn.DefaultClientConnection] Sending request: PROPFIND /sites/TEST/default.aspx HTTP/1.1
DEBUG [org.apache.http.wire] >> "PROPFIND /sites/TEST/default.aspx HTTP/1.1[\r][\n]"
DEBUG [org.apache.http.wire] >> "Depth: 0[\r][\n]"
DEBUG [org.apache.http.wire] >> "Content-Type: text/xml; charset=utf-8[\r][\n]"
DEBUG [org.apache.http.wire] >> "Content-Length: 124[\r][\n]"
DEBUG [org.apache.http.wire] >> "Host: teamspace.company.com[\r][\n]"
DEBUG [org.apache.http.wire] >> "Connection: Keep-Alive[\r][\n]"
DEBUG [org.apache.http.wire] >> "User-Agent: Apache-HttpClient/4.2.4 (java 1.5)[\r][\n]"
DEBUG [org.apache.http.wire] >> "[\r][\n]"
DEBUG [org.apache.http.headers] >> PROPFIND /sites/TEST/default.aspx HTTP/1.1
DEBUG [org.apache.http.headers] >> Depth: 0
DEBUG [org.apache.http.headers] >> Content-Type: text/xml; charset=utf-8
DEBUG [org.apache.http.headers] >> Content-Length: 124
DEBUG [org.apache.http.headers] >> Host: teamspace.company.com
DEBUG [org.apache.http.headers] >> Connection: Keep-Alive
DEBUG [org.apache.http.headers] >> User-Agent: Apache-HttpClient/4.2.4 (java 1.5)
DEBUG [org.apache.http.wire] >> "<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
```
Actually, the propfind looks ok. It is a multi step auth. Notice the 207 response near the end. It would be nice to see the body of the responses.
On Thu, Aug 8, 2013 at 12:09 PM, jcmarfilph notifications@github.com wrote:

> Here is the wire log after executing getAcl
>
> Looks like the account is unauthorized to execute the PROPFIND. Note: I stripped off the random characters.....
>
> ```
> 2013-08-08 15:02:32,415 [conn.BasicClientConnectionManager] DEBUG: Get connection for route {}->http://teamspace.company.com
> 2013-08-08 15:02:32,416 [client.DefaultHttpClient] DEBUG: Stale connection check
> 2013-08-08 15:02:32,418 [protocol.RequestAddCookies] DEBUG: CookieSpec selected: best-match
> 2013-08-08 15:02:32,418 [protocol.RequestAuthCache] DEBUG: Auth cache not set in the context
> 2013-08-08 15:02:32,418 [protocol.RequestTargetAuthentication] DEBUG: Target auth state: UNCHALLENGED
> 2013-08-08 15:02:32,418 [protocol.RequestProxyAuthentication] DEBUG: Proxy auth state: UNCHALLENGED
> 2013-08-08 15:02:32,418 [client.DefaultHttpClient] DEBUG: Attempt 1 to execute request
> 2013-08-08 15:02:32,418 [conn.DefaultClientConnection] DEBUG: Sending request: PROPFIND /sites/test/default.aspx HTTP/1.1
> 2013-08-08 15:02:32,419 [http.headers] DEBUG: >> PROPFIND /sites/test/default.aspx HTTP/1.1
> 2013-08-08 15:02:32,419 [http.headers] DEBUG: >> Depth: 0
> 2013-08-08 15:02:32,419 [http.headers] DEBUG: >> Content-Type: text/xml; charset=utf-8
> 2013-08-08 15:02:32,419 [http.headers] DEBUG: >> Content-Length: 124
> 2013-08-08 15:02:32,419 [http.headers] DEBUG: >> Host: teamspace.company.com
> 2013-08-08 15:02:32,419 [http.headers] DEBUG: >> Connection: Keep-Alive
> 2013-08-08 15:02:32,419 [http.headers] DEBUG: >> User-Agent: Apache-HttpClient/4.2.4 (java 1.5)
> 2013-08-08 15:02:32,471 [conn.DefaultClientConnection] DEBUG: Receiving response: HTTP/1.1 401 Unauthorized
> 2013-08-08 15:02:32,471 [http.headers] DEBUG: << HTTP/1.1 401 Unauthorized
> 2013-08-08 15:02:32,471 [http.headers] DEBUG: << Server: Microsoft-IIS/7.5
> 2013-08-08 15:02:32,471 [http.headers] DEBUG: << SPRequestGuid: 851416cf-0873-4a3e-9ccf-dbbbfae9470a
> 2013-08-08 15:02:32,471 [http.headers] DEBUG: << WWW-Authenticate: Negotiate
> 2013-08-08 15:02:32,471 [http.headers] DEBUG: << WWW-Authenticate: NTLM
> 2013-08-08 15:02:32,472 [http.headers] DEBUG: << X-Powered-By: ASP.NET
> 2013-08-08 15:02:32,472 [http.headers] DEBUG: << MicrosoftSharePointTeamServices: 14.0.0.6131
> 2013-08-08 15:02:32,472 [http.headers] DEBUG: << X-MS-InvokeApp: 1; RequireReadOnly
> 2013-08-08 15:02:32,472 [http.headers] DEBUG: << Date: Thu, 08 Aug 2013 19:02:31 GMT
> 2013-08-08 15:02:32,472 [http.headers] DEBUG: << Content-Length: 0
> 2013-08-08 15:02:32,472 [client.DefaultHttpClient] DEBUG: Connection can be kept alive indefinitely
> 2013-08-08 15:02:32,473 [client.DefaultHttpClient] DEBUG: Authentication required
> 2013-08-08 15:02:32,473 [client.DefaultHttpClient] DEBUG: teamspace.company.com:80 requested authentication
> 2013-08-08 15:02:32,473 [client.TargetAuthenticationStrategy] DEBUG: Authentication schemes in the order of preference: [negotiate, Kerberos, NTLM, Digest, Basic]
> 2013-08-08 15:02:32,473 [auth.SPNegoScheme] DEBUG: Received challenge '' from the auth server
> 2013-08-08 15:02:32,473 [client.TargetAuthenticationStrategy] DEBUG: Challenge for Kerberos authentication scheme not available
> 2013-08-08 15:02:32,474 [client.TargetAuthenticationStrategy] DEBUG: Challenge for Digest authentication scheme not available
> 2013-08-08 15:02:32,474 [client.TargetAuthenticationStrategy] DEBUG: Challenge for Basic authentication scheme not available
> 2013-08-08 15:02:32,474 [client.DefaultHttpClient] DEBUG: Selected authentication options: [NEGOTIATE, NTLM]
> 2013-08-08 15:02:32,474 [protocol.RequestAddCookies] DEBUG: CookieSpec selected: best-match
> 2013-08-08 15:02:32,475 [protocol.RequestAuthCache] DEBUG: Auth cache not set in the context
> 2013-08-08 15:02:32,475 [protocol.RequestTargetAuthentication] DEBUG: Target auth state: CHALLENGED
> 2013-08-08 15:02:32,475 [protocol.RequestTargetAuthentication] DEBUG: Generating response to an authentication challenge using Negotiate scheme
> 2013-08-08 15:02:32,475 [auth.SPNegoScheme] DEBUG: init teamspace.company.com
> 2013-08-08 15:02:33,499 [auth.SPNegoScheme] DEBUG: Sending response 'some random text here....' back to the auth server
> 2013-08-08 15:02:33,500 [protocol.RequestProxyAuthentication] DEBUG: Proxy auth state: UNCHALLENGED
> 2013-08-08 15:02:33,500 [client.DefaultHttpClient] DEBUG: Attempt 2 to execute request
> 2013-08-08 15:02:33,500 [conn.DefaultClientConnection] DEBUG: Sending request: PROPFIND /sites/test/default.aspx HTTP/1.1
> 2013-08-08 15:02:33,500 [http.headers] DEBUG: >> PROPFIND /sites/test/default.aspx HTTP/1.1
> 2013-08-08 15:02:33,500 [http.headers] DEBUG: >> Depth: 0
> 2013-08-08 15:02:33,500 [http.headers] DEBUG: >> Content-Type: text/xml; charset=utf-8
> 2013-08-08 15:02:33,501 [http.headers] DEBUG: >> Content-Length: 124
> 2013-08-08 15:02:33,501 [http.headers] DEBUG: >> Host: teamspace.company.com
> 2013-08-08 15:02:33,501 [http.headers] DEBUG: >> Connection: Keep-Alive
> 2013-08-08 15:02:33,501 [http.headers] DEBUG: >> User-Agent: Apache-HttpClient/4.2.4 (java 1.5)
> 2013-08-08 15:02:33,501 [http.headers] DEBUG: >> Authorization: Negotiate 'some random text here....'
> 2013-08-08 15:02:33,616 [conn.DefaultClientConnection] DEBUG: Receiving response: HTTP/1.1 207 MULTI-STATUS
> 2013-08-08 15:02:33,616 [http.headers] DEBUG: << HTTP/1.1 207 MULTI-STATUS
> 2013-08-08 15:02:33,616 [http.headers] DEBUG: << Cache-Control: no-cache
> 2013-08-08 15:02:33,616 [http.headers] DEBUG: << Content-Length: 511
> 2013-08-08 15:02:33,616 [http.headers] DEBUG: << Content-Type: text/xml
> 2013-08-08 15:02:33,616 [http.headers] DEBUG: << Server: Microsoft-IIS/7.5
> 2013-08-08 15:02:33,616 [http.headers] DEBUG: << SPRequestGuid: 39153b87-10dd-4f4d-88d6-f5a624a33593
> 2013-08-08 15:02:33,616 [http.headers] DEBUG: << X-SharePointHealthScore: 3
> 2013-08-08 15:02:33,617 [http.headers] DEBUG: << Public-Extension: http://schemas.microsoft.com/repl-2
> 2013-08-08 15:02:33,617 [http.headers] DEBUG: << WWW-Authenticate: Negotiate 'some random text here....'
> 2013-08-08 15:02:33,617 [http.headers] DEBUG: << Persistent-Auth: false
> 2013-08-08 15:02:33,617 [http.headers] DEBUG: << X-Powered-By: ASP.NET
> 2013-08-08 15:02:33,617 [http.headers] DEBUG: << MicrosoftSharePointTeamServices: 14.0.0.6131
> 2013-08-08 15:02:33,617 [http.headers] DEBUG: << X-MS-InvokeApp: 1; RequireReadOnly
> 2013-08-08 15:02:33,617 [http.headers] DEBUG: << Date: Thu, 08 Aug 2013 19:02:32 GMT
> 2013-08-08 15:02:33,618 [client.DefaultHttpClient] DEBUG: Connection can be kept alive indefinitely
> 2013-08-08 15:02:33,618 [client.DefaultHttpClient] DEBUG: Authentication succeeded
> 2013-08-08 15:02:33,651 [conn.BasicClientConnectionManager] DEBUG: Releasing connection org.apache.http.impl.conn.ManagedClientConnectionImpl@25bd101
> 2013-08-08 15:02:33,651 [conn.BasicClientConnectionManager] DEBUG: Connection can be kept alive indefinitely
> ```
For some reason it is not displaying properly....
```xml
<D:response>
  <D:href>http://teamspace.company.com/sites/TEST/default.aspx</D:href>
  <D:propstat>
    <D:prop></D:prop>
    <D:status>HTTP/1.1 200 OK</D:status>
  </D:propstat>
  <D:propstat>
    <D:prop><D:owner/><D:group/><D:acl/></D:prop>
    <D:status>HTTP/1.1 404 Not Found</D:status>
  </D:propstat>
</D:response>
```
But you can see that the fields are really blank
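Added example (not part of the original thread and not Sardine's own code): a stand-alone Java check that reads a PROPFIND multistatus body and reports the status attached to each requested property. In WebDAV, a `propstat` carrying `404 Not Found` means the server has no such property on the resource, so in the response above `D:owner`, `D:group` and `D:acl` were not returned at all. The `D:multistatus` wrapper and namespace declaration in the sample are assumptions, since the pasted body omits them.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class PropstatReport {
    static final String DAV = "DAV:";

    // Constructed sample: the body pasted above, wrapped in an assumed
    // D:multistatus root that declares the DAV: namespace.
    static final String SAMPLE =
        "<D:multistatus xmlns:D=\"DAV:\"><D:response>"
        + "<D:href>http://teamspace.company.com/sites/TEST/default.aspx</D:href>"
        + "<D:propstat><D:prop></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat>"
        + "<D:propstat><D:prop><D:owner/><D:group/><D:acl/></D:prop>"
        + "<D:status>HTTP/1.1 404 Not Found</D:status></D:propstat>"
        + "</D:response></D:multistatus>";

    /** Maps each property named in the response to the status of its propstat. */
    static Map<String, String> statusByProperty(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Server responses are untrusted input: refuse DOCTYPEs to rule out XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Map<String, String> result = new LinkedHashMap<>();
        NodeList propstats = doc.getElementsByTagNameNS(DAV, "propstat");
        for (int i = 0; i < propstats.getLength(); i++) {
            Element ps = (Element) propstats.item(i);
            Node status = ps.getElementsByTagNameNS(DAV, "status").item(0);
            Node prop = ps.getElementsByTagNameNS(DAV, "prop").item(0);
            if (status == null || prop == null) continue; // malformed propstat
            for (Node n = prop.getFirstChild(); n != null; n = n.getNextSibling()) {
                if (n.getNodeType() == Node.ELEMENT_NODE) {
                    result.put(n.getLocalName(), status.getTextContent().trim());
                }
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        statusByProperty(SAMPLE).forEach((name, status) ->
            System.out.println(name + ": " + status
                + (status.contains(" 200 ") ? "" : "  <- not returned by the server")));
    }
}
```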
If you wrap things in [three backticks] XML or log output here [three backticks] it should display better.
Sorry the output is still wonky.
Can I attach or just email it to you?
Hi,
Any thoughts why the fields are blank?
Thanks,
Joms
Original author: tch...@gmail.com (November 08, 2011 18:14:57)
Some servers support the ACL (access control list) extension. It would be useful to us if sardine were able to
1) list the access control list of a specific node (information inside propfind)
2) patch a node to change its ACL (add/remove right)
3) list the subject nodes in the server (users / roles / groups / ...)
Original issue: http://code.google.com/p/sardine/issues/detail?id=109