jackrabbit-users mailing list archives

From "Marian Schedenig (qs)" <Marian.Schede...@qualysoft.com>
Subject Re: WebDAV ACLs referring to deleted principals
Date Wed, 12 Aug 2009 15:52:07 GMT


Julian Reschke wrote:
> 
> Some years ago we implemented WebDAV ACL on a content management system, 
> and that was able to return Access Control Information even if some of 
> the principals involved had become invalid. One way to do this is to 
> allow deleted principals to be exposed as working Java objects, and just 
> restricting the set of operations you can use on them.
> 
> Does the proposed JSR-283 preclude an implementation like that? If yes, 
> we will have to discuss this.

Not as far as I can see, at least in "16 Access Control Management". What it
does say is:

"The privileges granted to a user can be controlled by assigning access
control policies to nodes. The content and semantics of these policies are
implementation specific and may be based on any mechanism, including access
control lists or role/responsibility assignments. JCR does not expose the
internals of policies, nor does it provide a mechanism for defining them."

And later:

"The discovery of java.security.Principals is outside the scope of this
specification"

So the fact that getPolicies() fails may even be ok with the spec (although
still problematic, I'd say). But I don't think getApplicablePolicies()
should be affected by any problems the current ACL of a node may have.

I think the implementation should, at the very least, be able to ignore
"dead" principals. My application at least doesn't care for privileges
granted to unavailable principals, so whether they're returned as "unknown
principal" instances or simply omitted doesn't matter to me. But I do think
the principal manager's NoSuchPrincipalException should be caught and
handled (at least: ignored) by the methods building the policies.

Cheers,
Marian.

-- 
View this message in context: http://www.nabble.com/WebDAV-ACLs-referring-to-deleted-principals-tp24934748p24939481.html
Sent from the Jackrabbit - Users mailing list archive at Nabble.com.
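
Added illustration (not part of the original message and not Jackrabbit code): a sketch of the behaviour suggested above, where a failed principal lookup while building a node's ACL is caught per entry, so the entry is either omitted or exposed under an "unknown principal" placeholder instead of failing the whole read. All types here (PrincipalLookup, StoredEntry, Entry, UnknownPrincipal and the local NoSuchPrincipalException) are hypothetical stand-ins, and the sample data is constructed.

```java
import java.security.Principal;
import java.util.*;

// Hypothetical stand-in types; none of these are Jackrabbit classes.
public class DeadPrincipalAcl {
    static class NoSuchPrincipalException extends Exception {
        NoSuchPrincipalException(String name) { super("no such principal: " + name); }
    }
    interface PrincipalLookup { Principal resolve(String name) throws NoSuchPrincipalException; }

    // Placeholder for a principal that no longer resolves; it carries only the stored name.
    record UnknownPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }
    record StoredEntry(String principalName, boolean allow, Set<String> privileges) {}
    record Entry(Principal principal, boolean allow, Set<String> privileges) {}

    // Builds the readable ACL. A dead principal never aborts the whole read:
    // its entry is either dropped or exposed under an UnknownPrincipal.
    static List<Entry> buildEntries(List<StoredEntry> stored, PrincipalLookup lookup,
                                    boolean exposeUnknown) {
        List<Entry> result = new ArrayList<>();
        for (StoredEntry s : stored) {
            Principal p;
            try {
                p = lookup.resolve(s.principalName());
            } catch (NoSuchPrincipalException e) {
                if (!exposeUnknown) continue;                 // option 1: omit the entry
                p = new UnknownPrincipal(s.principalName());  // option 2: placeholder
            }
            result.add(new Entry(p, s.allow(), s.privileges()));
        }
        return result;
    }

    public static void main(String[] args) {
        Set<String> live = Set.of("alice");                   // constructed sample data
        PrincipalLookup lookup = name -> {
            if (!live.contains(name)) throw new NoSuchPrincipalException(name);
            return () -> name;                                // minimal live Principal
        };
        List<StoredEntry> stored = List.of(
            new StoredEntry("alice", true, Set.of("jcr:read")),
            new StoredEntry("bob-deleted", true, Set.of("jcr:write")));
        for (Entry e : buildEntries(stored, lookup, true)) {
            System.out.println(e.principal().getName() + " unknown="
                + (e.principal() instanceof UnknownPrincipal) + " " + e.privileges());
        }
        System.out.println("entries when omitting: " + buildEntries(stored, lookup, false).size());
    }
}
```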

