Mailing-List: contact dev-help@jackrabbit.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@jackrabbit.apache.org
Message-ID: <537481999.1246983974820.JavaMail.jira@brutus>
Date: Tue, 7 Jul 2009 09:26:14 -0700 (PDT)
From: "Ian Boston (JIRA)" <jira@apache.org>
To: dev@jackrabbit.apache.org
Subject: [jira] Commented: (JCR-2103) Make the Princpal Resolution in the
 acl.ACLProvider dynamic
In-Reply-To: <1943273182.1241715450715.JavaMail.jira@brutus>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit


    [ https://issues.apache.org/jira/browse/JCR-2103?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12728171#action_12728171 ] 

Ian Boston commented on JCR-2103:
---------------------------------


We have external principal providers and the membership of a group is  
dynamic so cant be determined at login.

For example:
1. Membership that needs to be granted at a point in time and  
withdrawn after a period of time (eg the Collaboration tool is  
available from 14:00 - 16:00 on 23 July 2009)

2. Membership is determined from the request as well as membership.
eg The the "Owner" of resources in a subtree can write to those  
resources

In addition we have many external stores of Group membership and its  
not practical to push group membership into the JCR, however it is  
practical to push the Group container into JCR.

Its quite possible the approach I have taken to addressing these  
issues is not the best approach and would be interested in an  
alternative. If this is the right approach I will be happy to update  
the patch.

At the moment we have a patched version of the jackrabbit code inside  
a replacement Sling Server bundle, but I would rather not have our  
community run with a patched version, as they may want to use the  
*same* backend repository for other applications, like Enterprise  
Content Management rather than Virtual Learning Environments.  
(community is Higher Education, about 160 institutions world wide). I  
am only trying to explain the pressure I am under to share the use  
cases, and would not want Jackrabbit to consider the use cases if they  
are not relevant to Jackrabbit. (please just say if this is the case)


Where the membership is externally resolved, timestamps allow a TTL on  
the data avoiding slow network call outs.


ok I can address these if required.


> Make the Princpal Resolution in the acl.ACLProvider dynamic
> -----------------------------------------------------------
>
>                 Key: JCR-2103
>                 URL: https://issues.apache.org/jira/browse/JCR-2103
>             Project: Jackrabbit Content Repository
>          Issue Type: Improvement
>          Components: jackrabbit-core
>    Affects Versions: 1.5.5
>            Reporter: Ian Boston
>            Assignee: angela
>         Attachments: ExtendACLProvider.patch
>
>
> At the moment, extending the DefaultAccessManager is hard and requires full access to the o.a.j.core. 
> This patch makes it possible to change the way in which a users set of Principals are resolved by providing an extension point in the ACLProvider so that an alternative AccessControlProvider could be delivered from SecurityManager.
> The patch that follows does not address the extension of the SecurityManager which needs to be inside o.a.j.core

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.