jackrabbit-users mailing list archives

From "Michael Neale" <michael.ne...@gmail.com>
Subject Re: how does authorization works in jackrabbit?
Date Mon, 02 Oct 2006 10:02:45 GMT
I think it's an all or nothing proposition, not sure if you can selectively
apply it other than using a separate session etc.?

A custom query manager could make sense for you, but the foolproof way is to
use the AccessManager - that way all access is centrally controlled. I know
it sounds expensive, but with ACLs, I think the lookups have to be fast and
in memory cached. Sure, it means you are retrieving more data than you need
to, so you shouldn't use ACL to partition lists for different users, but
ideally you will use the access manager as a "fail safe" to make sure data
is secure, and also use specific queries to filter the data that will reduce
the data set that will also be (double) checked by the AccessManager.

Any of that make sense?

On another note, JCR2 looks like it is addressing ACLs directly, so my
recommendation is to keep it simple, and see where JCR2 goes (it will be a
superset of the current JCR spec from my reading). Last I read JCR2 spec, it
had not fleshed out the access control section (but it was mentioned in

On 10/1/06, Magnus Grimsell <magnus.grimsell@idainfront.se> wrote:
> Hi Michael,
> Yes, I do mean access control.
> After looking through the code it seems like the AccessManager will get
> invoked for every hit in the result list.
> I would like to implement a simple access control scheme based on node
> type. From a performance point of view
> it would be good to avoid a check for every hit. On the other hand it's
> simple to implement a custom QueryManager that
> narrows the search to only include the node types that the subject has
> access rights to, right?
> Is there a suitable place to do the access control check that does not get
> called when performing searches?
> /Magnus
> -----Original message-----
> From: Michael Neale [mailto:michael.neale@gmail.com]
> Sent: 1 October 2006 19:00
> To: users@jackrabbit.apache.org
> Subject: Re: how does authorization works in jackrabbit?
> Hi Magnus.
> Firstly, I think by authorisation in this context you mean access control?
> (authorisation is via JAAS I believe).
> I worked out a little by plugging in a dummy AccessManager and looked at the
> callbacks. I did not try it with searching though, but I gather it will use
> it to honour the access rules with returning results - thus your access list
> lookups better be really fast and in memory !
> Anyone else with real experience, please do share !
> On 10/1/06, Magnus Grimsell <magnus.grimsell@idainfront.se> wrote:
> >
> > I would like to learn more how JackRabbit handles authorization to the
> > repository content. Especially when it comes to searching.
> > I've seen that there is a pluggable AccessManager but I'm not sure how this
> > is used to filter the search result.
> > Can somebody point me to some documentation or where in the code to look?
> >

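The layering discussed in the thread above (a query narrowed by node type, with the access check still run on every hit as a fail-safe and backed by an in-memory ACL cache), as an added example that is not part of the thread and is not Jackrabbit code. It models the idea in plain Java; the class, method, user and node type names are hypothetical and the data is constructed.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration: hypothetical names, not Jackrabbit's AccessManager API.
public class NodeTypeAccessDemo {
    record Hit(String path, String nodeType) {}

    // Constructed sample ACL (user -> readable node types), standing in for a slow backing store.
    static final Map<String, Set<String>> ACL_STORE = Map.of(
        "alice", Set.of("doc:invoice", "doc:memo"),
        "bob", Set.of("doc:memo"));

    // In-memory cache so the per-hit check is a hash lookup, not a store round trip.
    static final Map<String, Set<String>> CACHE = new ConcurrentHashMap<>();

    static Set<String> allowedTypes(String user) {
        return CACHE.computeIfAbsent(user, u -> ACL_STORE.getOrDefault(u, Set.of()));
    }

    // Fail-safe layer: consulted for every hit, unknown users and types are denied.
    static boolean isGranted(String user, Hit hit) {
        return allowedTypes(user).contains(hit.nodeType());
    }

    // queryTypes is the narrowing chosen by the application; it is never trusted on its own.
    static List<Hit> search(String user, List<Hit> index, Set<String> queryTypes) {
        List<Hit> out = new ArrayList<>();
        int checked = 0;
        for (Hit h : index) {
            if (!queryTypes.contains(h.nodeType())) continue; // query-level narrowing
            checked++;
            if (isGranted(user, h)) out.add(h);               // per-hit fail-safe
        }
        System.out.printf("%s types=%s checked=%d returned=%s%n", user, queryTypes, checked, out);
        return out;
    }

    public static void main(String[] args) {
        List<Hit> index = List.of(
            new Hit("/a/inv1", "doc:invoice"),
            new Hit("/a/memo1", "doc:memo"),
            new Hit("/a/hr1", "doc:hr"));
        search("bob", index, Set.of("doc:invoice", "doc:memo", "doc:hr")); // no narrowing: every hit is checked
        search("bob", index, allowedTypes("bob"));                         // narrowed: fewer hits reach the check
        search("bob", index, Set.of("doc:memo", "doc:hr"));                // over-broad query: the check still denies
    }
}
```

The third call is the case the fail-safe exists for: the query filter is wrong, yet the result set is the same as in the correctly narrowed call.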