From: "angela (JIRA)"
To: dev@jackrabbit.apache.org
Date: Wed, 10 Aug 2011 12:20:27 +0000 (UTC)
Subject: [jira] [Updated] (JCR-2982) Extend syntax of ACL glob restrictions for properties

[ https://issues.apache.org/jira/browse/JCR-2982?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

angela updated JCR-2982:
------------------------

    Component/s: security

> Extend syntax of ACL glob restrictions for properties
> -----------------------------------------------------
>
>                 Key: JCR-2982
>                 URL: https://issues.apache.org/jira/browse/JCR-2982
>             Project: Jackrabbit Content Repository
>          Issue Type: Improvement
>          Components: jackrabbit-core, security
>    Affects Versions: 2.3.0
>            Reporter: Tobias Bocanegra
>             Fix For: 2.3.0
>
>
> the current glob restrictions on resource based ACL simply add the glob pattern to the path of the defining node. the resulting pattern is then used to match against the path of the item to be evaluated.
> eg: jcr:read on /content with /foo* will match all items having a path that matches "/content/foo*" including the properties of /content starting with 'foo'.
> A common use case for using ACL restrictions is to allow read access to a node and its properties, but generally deny it for its child nodes:
> allow jcr:read on /content
> deny jcr:read on /content with /*
> this would be easy, but as mentioned above, would also include the node's properties, thus preventing them from being read.
> Suggest to modify the pattern matching by explicitly addressing properties differently by using a special prefix, like "|" (an illegal jcr char).
> eg:
> allow jcr:read on /content
> deny jcr:read on /content with "|jcr:*" (denies all properties starting with "jcr:*")
> deny jcr:read on /content with /* (denies all child nodes)
> if the type of an item can be easily transported to the ACL evaluation, then composing the path to be matched is simple:
> eg:
> if the item is a property /content/jcr:title, then the match-path is: /content|jcr:title so would not match /content/*, but /content|jcr:* of the example above.
> (Another option would be to support xpath restrictions - but this might be not performant enough)
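
The matching described in the issue, as an added example that is not part of the JIRA message and not Jackrabbit's own code: it evaluates the issue's sample entries with the current match path and with the proposed "|" property separator. Assumptions: "*" matches any run of characters including "/", the last applicable entry wins, and all function names are hypothetical.

```python
import re

PROP_SEP = "|"  # property separator proposed in the issue

def glob_to_regex(pattern):
    # Assumption: "*" matches any run of characters ("/" included); the rest is literal.
    body = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.compile(body + r"\Z", re.S)

def match_path(item_path, is_property, proposed):
    # Proposed syntax: join a property's name to its parent with "|" instead of "/".
    if proposed and is_property:
        parent, _, name = item_path.rpartition("/")
        return parent + PROP_SEP + name
    return item_path

def entry_applies(entry, item_path, is_property, proposed):
    _allow, node_path, restriction = entry
    in_subtree = item_path == node_path or item_path.startswith(node_path + "/")
    if not in_subtree or restriction is None:
        return in_subtree
    # The glob is appended to the path of the node that defines the entry.
    glob = glob_to_regex(node_path + restriction)
    return bool(glob.match(match_path(item_path, is_property, proposed)))

def can_read(entries, item_path, is_property, proposed):
    # Assumption: the last applicable entry wins (simplified evaluation order).
    allowed = False
    for entry in entries:
        if entry_applies(entry, item_path, is_property, proposed):
            allowed = entry[0]
    return allowed

# Entries taken from the issue's examples: (allow?, defining node, glob restriction)
ACL = [(True, "/content", None), (False, "/content", "/*")]
ACL_JCR_PROPS = ACL + [(False, "/content", "|jcr:*")]

if __name__ == "__main__":
    for proposed in (False, True):
        for path, is_prop in [("/content", False), ("/content/jcr:title", True),
                              ("/content/child", False)]:
            print(proposed, path, can_read(ACL, path, is_prop, proposed))
```

With the current match path the deny on `/*` also hides `/content/jcr:title`; with the proposed separator the property stays readable while child nodes and their properties remain denied.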