jackrabbit-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "angela (JIRA)" <j...@apache.org>
Subject [jira] Commented: (JCR-2748) provide a (relatively) simple way to disable anonymous access to the security workspace
Date Mon, 04 Oct 2010 14:12:36 GMT

    [ https://issues.apache.org/jira/browse/JCR-2748?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12917620#action_12917620

angela commented on JCR-2748:

> IIUC, this requires manual configuration of the security workspace. Isn't that a bit
onerous - 15-20 lines of XML vs. one? 

if the default setup get's changed in jackrabbit, you will need to have a manual ac provider
configuration of your security workspace anyway.
as i said before, i just didn't do that for 2.0 because we changed the way we at day want
to store users in a rather late stage and i didn't
want to cause troubles for all those using the old style jr 1.6 setup.

furthermore, i don't want to spoil the repository level security configuration for something
that i consider end of life code.
having an configuration option for the UserAccessControlProvider should be configured where
it belongs to.

and adding a repository level option for the inital ac-setup seems wrong to me... this would
be yet another workaround for 
something that will be addressed by JCR-2331.

> In other words, I think this should [...]

fair enough... but it doesn't make me change my opinion :)

> provide a (relatively) simple way to disable anonymous access to the security workspace
> ---------------------------------------------------------------------------------------
>                 Key: JCR-2748
>                 URL: https://issues.apache.org/jira/browse/JCR-2748
>             Project: Jackrabbit Content Repository
>          Issue Type: Improvement
>          Components: jackrabbit-core, security
>            Reporter: Justin Edelson
>         Attachments: JCR-2748.patch
> As discussed in this thread: http://sling.markmail.org/thread/st52jejjuxykfxtj, the security
workspace is, by default, configured with an AccessControlProvider which provides a fixed
access control policy (i.e. o.a.j.core.security.user.UserAccessControlProvider). In order
to prevent anonymous access to security-related nodes requires the use of an alternate AccessControlProvider.
> The attached patch provides a simpler mechanism. By adding
> <param name="anonymousAccessToSecurityWorkspace" value="false" />
> to the configuration of the DefaultSecurityManager, anonymous access to the security
workspace is forbidden.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message