Delivered-To: mailing list jackrabbit-dev@incubator.apache.org
Subject: Value based AccessManager?
Date: Fri, 20 Jan 2006 11:51:34 -0500
Message-ID: <1F8E762E1B3F814F9630D0D32A1C65F8251519@NYWEXMB81.msad.ms.com>
From: "Daglian, Michael (IT)"

Hello everyone,

I am having a bit of trouble determining how to use the AccessManager interface to provide authorization rather than authentication. We have a Jackrabbit-external authorization service based upon certain attributes of the repository data (the path and declaring node type of the modified item as well as property values - we don't authorize to the individual property level). I can work around the access manager configuration not including a session instance (albeit a less than ideal solution).

However, an issue arises when attempting to authorize removal operations. Jackrabbit appears only to invoke the access manager to check for removal permissions upon save (i.e. in the validateTransientItems method of ItemImpl). However, access to property values (or even the removed item) at this point isn't possible since the item has been removed from the session (even its state is not very accessible as it's in the attic of the TransientItemStateManager).

Has anyone else ventured down this path and come up with a clean solution? Apologies if this has been addressed in earlier discussions but a search of the archives did not yield anything.

Regards,

-- Mike