jackrabbit-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alexander Klimetschek" <aklim...@day.com>
Subject Re: Access control and node types with WebDAV
Date Tue, 13 Jan 2009 12:18:58 GMT

just a short reply:

- I think ACLs that handle modification of properties is part of the
JCR 2.0 standard (but could be wrong here)
- if not, you should think about changing your content model - ACLs
are a main driver for it (see rule 2 in [1])
- BTW, have you looked at Apache Sling [2]? It should reduce your
effort to build a custom REST interface on top of JCR

[1] http://wiki.apache.org/jackrabbit/DavidsModel
[2] http://incubator.apache.org/sling/


On Tue, Jan 13, 2009 at 4:45 AM, Charles Brooking
<public+jackrabbit@charlie.brooking.id.au> wrote:
> Hi all,
> I'm currently developing an application that provides two front-ends:
>  * a WebDAV servlet (provided by Jackrabbit), and
>  * an application-specific REST (HTML, XML) interface.
> I'd be interested in hearing what the consensus is regarding access
> control and node typing in this context. The problem - as I see it - is
> that an application-specific interface can provide a layer between the
> user and the repository, thus preventing bad data being entered, but
> WebDAV potentially allows users to enter anything.
> If you use nt:unstructured (or subtypes of nt:folder etc) then there could
> potentially be errant nodes everywhere. I have found node types to be
> effective in preventing WebDAV users from uploading files in places they
> shouldn't. This works in a very crude way, returning a "500 Internal
> Server Error" response, but stops them at least. Is this the intended
> approach?
> (In my application, there are strongly-typed "project" nodes at the top
> level, and then only beneath this are subtrees where a user can freely
> manage files and folders. Only these subtrees are intended to be modified
> using WebDAV - the rest should be done through the custom web service.)
> The other interesting point is access control. I've written a custom
> AccessManager class and have found this useful both for WebDAV and my own
> servlets: in my servlets, I access the repository through a user-specific
> Jackrabbit session based on credentials provided through HTTP Auth and
> thus access control is handled at the repository level instead of the web
> application level (a very nice benefit of using a JCR, IMO). But it poses
> a minor problem with WebDAV. Although a user has write access to their
> projects - subject to node type constraints - it would be desirable to
> prevent them modifying certain properties. You can only have one
> AccessManager per repository instance, however.
> Do people just accept this limitation? Or do people write an AccessManager
> with WebDAV in mind and use a "system session" with additional access
> filters defined at the web application level? Or are there even further
> approaches like using/abusing workspaces that work better? There isn't a
> lot of reference material out there at this point in time...
> Look forward to hearing other's thoughts!
> Thanks
> Charlie

Alexander Klimetschek

View raw message