jackrabbit-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From go canal <goca...@yahoo.com>
Subject Re: how to implement role based access control
Date Mon, 24 Aug 2009 00:59:02 GMT
Thanks Ian. 

Was thinking about the pros and cons of various options. 

Some questions:
>> you will also need to protect the role property...

Why this could potentially become a security concern? You mean configuring loginModule in
repository.xml is not good enough? 

My other considerations for this approach (adding 'role' into node) are:
  - how should I reference the role definition (which is defined in an SQL database)? reference
the role ID - is it considered as bad or accetptable design?
  - 'roles' in my application are defined at run time, not simple 'User' and 'Admin'.

>> ... all configured by adding entries into repository.xml
I did not find any 'Role' related configuration...or you mean something else, Access Manager
?

>>it will be hard to make this secure, as there are many ways to get a node
You mean WebDAV sort of stuff ? What if I do not enable it? What else ?

rgds,
canal




________________________________
From: Ian Boston <ieb@tfd.co.uk>
To: users@jackrabbit.apache.org
Sent: Monday, August 24, 2009 1:40:08 AM
Subject: Re: how to implement role based access control


On 23 Aug 2009, at 04:23, go canal wrote:

> Hello,
> would like to seek some advices on how to implement role based access control.
> 
> let's say I have several thousands of files, two roles defined A and B. users are assigned
role A or B.
> file access control is based on roles.
> 
> How should I implement this role based access control in Jackrabbit?
> 1) should I add a 'role' property in the file node? and then implement my own access
manager with isGranted() ?

you could, however you will also need to protect the role property to make certain that only
authorized users can change it.

There are a number of examples to play with, all configured by adding entries into repository.xml


> 2) or should I implement a filter which filters the returned list ?

it will be hard to make this secure, as there are many ways to get a node and it all depends
on the level of access the "client" has to the repository.

For instance, approach 1 will generate valid sets of search results for the user in question.
2 Would require a custom filter for points at which a search was made.

HTH
Ian

> 
> thanks in advance !
> 
> canal
> 
> 
> 


      
Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message