jackrabbit-users mailing list archives

From "Jukka Zitting" <jukka.zitt...@gmail.com>
Subject Re: authorization
Date Sat, 10 Jan 2009 10:03:39 GMT
Hi,

On Sat, Jan 10, 2009 at 1:03 AM, Alessandro Cosenza
<alessandro.cosenza@itkey.it> wrote:
> 1. Using AccessManager for authorization in Jackrabbit means that JAAS classes
> are automatically involved (Subject, Principal), or can I use AccessManager also
> without involving JAAS classes?

The authenticated Subject is passed to the AccessManager instance
inside the AMContext object, but it's of course up to you whether you
want or need to use the Subject.

> 2. If I want to realize authorization with an external mechanism without JAAS,
> which mechanism can I use?

Implement your own AccessManager and configure Jackrabbit to use it.

> 3. On JSR 170 1.0.1 at 6.9 Access Control it says: "...these permissions may be
> determined by the Credentials passed on login". I don't understand this.

The user can be authenticated based on the explicitly passed
Credentials or based on some out-of-band information available to the
LoginModule implementation. And authentication can obviously affect
authorization.

Alternatively, a Credentials implementation could also include
explicit authorization information in the form of access tickets like
authorization certificates that grant specific access rights to the
session.

> 4. Which is the usage for Session.checkPermissions? It doesn't accept a user
> kind-of parameter, how can I determine which user should be checked for permissions?

Session.checkPermission() checks the access rights of the current
session. JSR 170 does not specify a mechanism for checking the access
rights of other users or sessions. See the JSR 283 draft specification
if you need such functionality.

BR,

Jukka Zitting
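
An added example, not part of the original message and not Jackrabbit's own code: a minimal custom AccessManager of the kind the reply to question 2 describes. It assumes the Jackrabbit 1.4-era interface (init, close, checkPermission, isGranted, canAccess); later releases extend the interface and need more methods implemented. The class name, package and WRITERS set are hypothetical stand-ins for an external policy source.

```java
// Enable in repository.xml (hypothetical class name):
//   <Security appName="Jackrabbit">
//     <AccessManager class="com.example.security.ExternalAccessManager"/>
package com.example.security;

import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.jcr.AccessDeniedException;
import javax.security.auth.Subject;
import org.apache.jackrabbit.core.ItemId;
import org.apache.jackrabbit.core.security.AMContext;
import org.apache.jackrabbit.core.security.AccessManager;

/** Every session may read; only names listed in WRITERS may write or remove. */
public class ExternalAccessManager implements AccessManager {
    // Constructed sample data standing in for an external lookup (LDAP, database, ...).
    private static final Set<String> WRITERS =
            new HashSet<String>(Arrays.asList("alice", "admin"));

    private boolean initialized;
    private boolean canWrite; // stays false unless a principal matches: fail closed

    public void init(AMContext context) throws Exception {
        if (initialized) throw new IllegalStateException("already initialized");
        // The authenticated Subject arrives in the AMContext; using it is optional.
        Subject subject = context.getSubject();
        if (subject != null) {
            for (Principal p : subject.getPrincipals()) {
                if (WRITERS.contains(p.getName())) canWrite = true;
            }
        }
        initialized = true;
    }

    public void close() { initialized = false; }

    public void checkPermission(ItemId id, int permissions) throws AccessDeniedException {
        if (!isGranted(id, permissions)) throw new AccessDeniedException("denied: " + id);
    }

    public boolean isGranted(ItemId id, int permissions) {
        if (!initialized) throw new IllegalStateException("not initialized");
        // READ, WRITE and REMOVE are bit flags inherited from AccessManager.
        boolean wantsChange = (permissions & (WRITE | REMOVE)) != 0;
        return !wantsChange || canWrite;
    }

    public boolean canAccess(String workspaceName) { return true; }
}
```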
