incubator-clerezza-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Reto Bachmann-Gmuer <reto.bachm...@trialox.org>
Subject Re: [Users] Clerezza Rights and Thumbnail Service
Date Wed, 03 Mar 2010 15:59:51 GMT
Hi Oli

The most important rights that can be granted or denied in Clerezza
are the rights on Graphs. The Content Graph is thought a the location
for publicly available content, well content available to everybody
that has access to the platform. Its possible to create other Graphs
but currently the data stored by PUT operations or by the thumbnail
generator is stored in the Content Graph.

For application code it is possible to do operations requiring more
rights than the user executing it has. This is done via the
doAsPrivileged method from the Subject Class. This should be done
cautiously and typically only after checking for another permission.

So with your problem you should consider if not granting read access
to the content-graph is the right thing to do, moving data that is
more sensitive to other graphs would be closer to the current
architecture. If however you really want to work with a read-protected
Content Graph you can write services that use doAsPriviledged and
selectively return some data from the protected Graph.

For Clerezza it might be an improvement to allow different Content
Graphs (UnionGraphs with a different set of graphs and possibly a
different primary) for different URI spaces, this would allow PUT
operation in one URI space to go to a more protected graph than PUTs
in another URI space, but I think this is for after the first
release....

Reto


On Tue, Mar 2, 2010 at 5:09 PM, Oliver Strässer
<oliver.straesser@getunik.com> wrote:
> Since the latest updates, I can protect the hole clerezza perfectly, by
> deleting the right "reading content graph".
>
>
>
> How I can configure the anonymous user, so that the user  can access
> http://192.168.0.207:8080/thumbnail-service?uri=http://192.168.0.207:8080/digital-assets/3884a083-9e8b-4a8c-9c85-df615e0b08ca&height=410&width=275
> , but the system is protected anyway?
>
>
>
>
>
> The problem I have in another project, where I have an specific url wich the
> anonymous user is allowed  to request - without access to other bundle url.
>
>
>
>
>
>  cheers
>
> oli
>
>
>
>
>
>
>
> --getunik ag-------------------------------------------
>   oliver straesser              oliver.straesser@getunik.com
>
>   hardturmstrasse 101    fon: +41 (0)44 388 55 88
>   ch-8005 zuerich              fax: +41 (0)44 388 55 89
>
>    --aktuelles getunik projekt-------------------------
>
>    Agieren Sie lokal! Geo Marketing für Ihre E-Mail Kampagne:
> www.geomarketing.com
>
>
>
>  --best of swiss web awards 2009------------------
>
>    Gold & Silber für Connect2Earth / Bronze für WWF UK
>
>
>
> we make the web a better place - www.getunik.com
>
>
>
>
>
>
>
>
>
> *****************************************************************
>
> P Bitte drucken Sie dieses E-Mail nur bei Bedarf aus. Die Umwelt dankt es
> Ihnen.
>
> *****************************************************************
>
>
>
> _______________________________________________
> Users mailing list
> Users@lists.trialox.org
> http://lists.trialox.org/mailman/listinfo/users
>
>

Mime
View raw message