jackrabbit-dev mailing list archives

From "Justin Edelson (JIRA)" <j...@apache.org>
Subject [jira] Commented: (JCR-2748) provide a (relatively) simple way to disable anonymous access to the security workspace
Date Mon, 04 Oct 2010 13:25:35 GMT

    [ https://issues.apache.org/jira/browse/JCR-2748?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12917588#action_12917588 ]

Justin Edelson commented on JCR-2748:

> I would rather add a configuration option to this specific access control provider (similar to the other providers).
> The patch adding the config option to the security manager seems wrong to me.

IIUC, this requires manual configuration of the security workspace. Isn't that a bit onerous - 15-20 lines of XML vs. one?

In other words, I think this should be configured in the <Security> section of repository.xml,
not <Workspace> as it is a property of the security subsystem.

> provide a (relatively) simple way to disable anonymous access to the security workspace
> ---------------------------------------------------------------------------------------
>                 Key: JCR-2748
>                 URL: https://issues.apache.org/jira/browse/JCR-2748
>             Project: Jackrabbit Content Repository
>          Issue Type: Improvement
>          Components: jackrabbit-core, security
>            Reporter: Justin Edelson
>         Attachments: JCR-2748.patch
> As discussed in this thread: http://sling.markmail.org/thread/st52jejjuxykfxtj, the security workspace is, by default, configured with an AccessControlProvider which provides a fixed access control policy (i.e. o.a.j.core.security.user.UserAccessControlProvider). Preventing anonymous access to security-related nodes requires the use of an alternate AccessControlProvider.
> The attached patch provides a simpler mechanism. By adding
> <param name="anonymousAccessToSecurityWorkspace" value="false" />
> to the configuration of the DefaultSecurityManager, anonymous access to the security workspace is forbidden.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
