jackrabbit-oak-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alex Deparvu (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (OAK-8101) AccessControlValidator prevents alternative authorization models to use restrictions
Date Wed, 06 Mar 2019 12:30:00 GMT

    [ https://issues.apache.org/jira/browse/OAK-8101?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16785576#comment-16785576

Alex Deparvu commented on OAK-8101:

looks good to me.

> AccessControlValidator prevents alternative authorization models to use restrictions
> ------------------------------------------------------------------------------------
>                 Key: OAK-8101
>                 URL: https://issues.apache.org/jira/browse/OAK-8101
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: core, security
>            Reporter: angela
>            Assignee: angela
>            Priority: Major
>         Attachments: OAK-8101.patch
> [~stillalex], while working on an authorization related PoC I noticed that the {{AccessControlValidator}}
present with the default implementation essentially prevents additional authorization models
to make use of the default {{RestrictionProvider}} implementation that stores restrictions
in a dedicated tree of type _rep:Restrictions_. It does so by asserting that a {{NodeState}}
with this primary type is always located below an access control entry with the format defined
by the default impl before validating the restrictions.
> This could e.g. be fixed as follows:
> - if the parent {{NodeState}} is indeed an entry as defined by the default implementation
-> validate using implementation details
> - otherwise: throw {{CommitFailedException}} if the parent {{NodeState}} does not denotes
an access control tree as defined by the (composite) {{Context}}.
> This would allow other models to make use of restrictions and validate them accordingly,
while still failing the commit if an isolated restriction tree was spotted i.e. one outside
of the access control context.

This message was sent by Atlassian JIRA

View raw message