From: "angela (JIRA)"
To: dev@jackrabbit.apache.org
Date: Mon, 4 Oct 2010 04:15:33 -0400 (EDT)
Subject: [jira] Commented: (JCR-2748) provide a (relatively) simple way to disable anonymous access to the security workspace

    [ https://issues.apache.org/jira/browse/JCR-2748?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12917515#action_12917515 ]

angela commented on JCR-2748:
-----------------------------

I would rather add a configuration option to this specific access control provider (similar to the other providers). The patch adding the config option to the security manager seems wrong to me.

The current default ac-provider setup in case of missing configuration just reflects the state of Jackrabbit 1.6, where users were stored in a separate, dedicated workspace, and I didn't change it for backwards compatibility reasons. In the meantime I changed the user management in a way that users having access to a given workspace can be stored in that workspace, which makes things a lot easier [see JCR-2313].

> provide a (relatively) simple way to disable anonymous access to the security workspace
> ---------------------------------------------------------------------------------------
>
>                 Key: JCR-2748
>                 URL: https://issues.apache.org/jira/browse/JCR-2748
>             Project: Jackrabbit Content Repository
>          Issue Type: Improvement
>          Components: jackrabbit-core, security
>            Reporter: Justin Edelson
>         Attachments: JCR-2748.patch
>
>
> As discussed in this thread: http://sling.markmail.org/thread/st52jejjuxykfxtj, the security workspace is, by default, configured with an AccessControlProvider which provides a fixed access control policy (i.e. o.a.j.core.security.user.UserAccessControlProvider). Preventing anonymous access to security-related nodes requires the use of an alternate AccessControlProvider.
> The attached patch provides a simpler mechanism. By adding
>
> to the configuration of the DefaultSecurityManager, anonymous access to the security workspace is forbidden.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.