jackrabbit-dev mailing list archives

From "angela (JIRA)" <j...@apache.org>
Subject [jira] Commented: (JCR-2748) provide a (relatively) simple way to disable anonymous access to the security workspace
Date Mon, 04 Oct 2010 08:15:33 GMT

    [ https://issues.apache.org/jira/browse/JCR-2748?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12917515#action_12917515 ]

angela commented on JCR-2748:
-----------------------------

I would rather add a configuration option to this specific access control provider (similar
to the other providers).
The patch adding the config option to the security manager seems wrong to me.

The current default ac-provider setup in case of missing configuration just reflects the state
of Jackrabbit 1.6, where users were stored in a separate, dedicated workspace, and
I didn't change it for backwards compatibility reasons. In the meantime I changed the user
management in a way that users having access to a given workspace can be stored in that workspace,
which makes things a lot easier [see JCR-2313].

> provide a (relatively) simple way to disable anonymous access to the security workspace
> ---------------------------------------------------------------------------------------
>
>                 Key: JCR-2748
>                 URL: https://issues.apache.org/jira/browse/JCR-2748
>             Project: Jackrabbit Content Repository
>          Issue Type: Improvement
>          Components: jackrabbit-core, security
>            Reporter: Justin Edelson
>         Attachments: JCR-2748.patch
>
>
> As discussed in this thread: http://sling.markmail.org/thread/st52jejjuxykfxtj, the security
> workspace is, by default, configured with an AccessControlProvider which provides a fixed
> access control policy (i.e. o.a.j.core.security.user.UserAccessControlProvider). Preventing
> anonymous access to security-related nodes requires the use of an alternate AccessControlProvider.
> The attached patch provides a simpler mechanism. By adding
> <param name="anonymousAccessToSecurityWorkspace" value="false" />
> to the configuration of the DefaultSecurityManager, anonymous access to the security
> workspace is forbidden.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

