From: go canal
Subject: Re: how to implement role based access control
To: users@jackrabbit.apache.org
Date: Sun, 23 Aug 2009 17:59:02 -0700 (PDT)
Message-ID: <419644.39836.qm@web45312.mail.sp1.yahoo.com>

Thanks Ian. Was thinking about the pros and cons of various options. Some questions:

>> you will also need to protect the role property...

Why could this potentially become a security concern? You mean configuring the loginModule in repository.xml is not good enough?

My other considerations for this approach (adding 'role' into the node) are:
- how should I reference the role definition (which is defined in an SQL database)? Reference the role ID - is it considered bad or acceptable design?
- 'roles' in my application are defined at run time, not simply 'User' and 'Admin'.

>> ... all configured by adding entries into repository.xml

I did not find any 'Role' related configuration... or do you mean something else, the Access Manager?

>> it will be hard to make this secure, as there are many ways to get a node

You mean WebDAV sort of stuff? What if I do not enable it?
What else?

rgds,
canal

________________________________
From: Ian Boston
To: users@jackrabbit.apache.org
Sent: Monday, August 24, 2009 1:40:08 AM
Subject: Re: how to implement role based access control

On 23 Aug 2009, at 04:23, go canal wrote:

> Hello,
> would like to seek some advice on how to implement role based access control.
>
> let's say I have several thousand files, two roles defined A and B. Users are assigned role A or B.
> File access control is based on roles.
>
> How should I implement this role based access control in Jackrabbit?
> 1) should I add a 'role' property in the file node? And then implement my own access manager with isGranted()?

You could, however you will also need to protect the role property to make certain that only authorized users can change it. There are a number of examples to play with, all configured by adding entries into repository.xml.

> 2) or should I implement a filter which filters the returned list?

It will be hard to make this secure, as there are many ways to get a node and it all depends on the level of access the "client" has to the repository. For instance, approach 1 will generate valid sets of search results for the user in question. 2) would require a custom filter at every point at which a search was made.

HTH
Ian

> thanks in advance!
>
> canal
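The two designs Ian contrasts (a role check inside the access manager, which also guards the 'role' property itself, versus a filter applied only to search results) as an added Java sketch. This is example code, not part of the thread and not Jackrabbit's own code: the Node, User and Repository classes, the isGranted() signature and the "admin" role name are assumptions standing in for a JCR node, the logged-in principal and a custom AccessManager.

```java
import java.util.*;

/**
 * Toy model of the two designs discussed in the thread. This is an added example,
 * not Jackrabbit code: Node, User, Repository and isGranted() below are assumptions
 * standing in for the JCR node, the authenticated principal and a custom AccessManager.
 */
public class RoleCheckDemo {

    enum Permission { READ, SET_PROPERTY }

    /** A file node carrying the 'role' property proposed in approach 1. */
    static class Node {
        final String path;
        final Map<String, String> props = new HashMap<>();
        Node(String path, String role) { this.path = path; props.put("role", role); }
    }

    /** The caller: a name plus the role IDs resolved at login from the (assumed) SQL role table. */
    static class User {
        final String name;
        final Set<String> roles;
        User(String name, String... roles) { this.name = name; this.roles = new HashSet<>(Arrays.asList(roles)); }
    }

    /**
     * Approach 1: one rule consulted on every access path. It also covers the 'role'
     * property itself; if any role member could rewrite it, the check would be meaningless.
     */
    static boolean isGranted(User u, Node n, Permission perm, String propertyName) {
        if (u.roles.contains("admin")) return true;               // administrators bypass the role label
        boolean member = u.roles.contains(n.props.get("role"));
        if (perm == Permission.READ) return member;
        if ("role".equals(propertyName)) return false;            // only an admin may relabel a node
        return member;                                            // other properties: members may edit
    }

    /** Repository in which every retrieval path, not only search, consults isGranted(). */
    static class Repository {
        final Map<String, Node> nodes = new LinkedHashMap<>();
        void add(Node n) { nodes.put(n.path, n); }

        Node getNode(User u, String path) {
            Node n = nodes.get(path);
            if (n == null || !isGranted(u, n, Permission.READ, null))
                throw new SecurityException("access denied: " + path);
            return n;
        }

        List<Node> search(User u, String roleQuery) {
            List<Node> out = new ArrayList<>();
            for (Node n : nodes.values())
                if (roleQuery.equals(n.props.get("role")) && isGranted(u, n, Permission.READ, null)) out.add(n);
            return out;
        }

        void setProperty(User u, String path, String name, String value) {
            Node n = getNode(u, path);
            if (!isGranted(u, n, Permission.SET_PROPERTY, name))
                throw new SecurityException("cannot set '" + name + "' on " + path);
            n.props.put(name, value);
        }
    }

    /** Approach 2: the search result list is filtered, but a direct path lookup is not. */
    static class FilterOnlyRepository extends Repository {
        @Override Node getNode(User u, String path) {
            Node n = nodes.get(path);
            if (n == null) throw new IllegalArgumentException("no such node: " + path);
            return n;                                             // no role check on this path
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: two file nodes, each labelled with one role.
        User alice = new User("alice", "A");
        User bob = new User("bob", "B");
        User admin = new User("root", "admin");

        Repository repo = new Repository();
        repo.add(new Node("/docs/a-report", "A"));
        repo.add(new Node("/docs/b-report", "B"));
        System.out.println("alice sees " + repo.search(alice, "A").size() + " A-node, "
                + repo.search(alice, "B").size() + " B-node");
        try { repo.getNode(bob, "/docs/a-report"); }
        catch (SecurityException e) { System.out.println("bob: " + e.getMessage()); }
        // Bob may not promote a node into his own role set: the label is protected like the content.
        try { repo.setProperty(bob, "/docs/b-report", "role", "A"); }
        catch (SecurityException e) { System.out.println("bob: " + e.getMessage()); }
        repo.setProperty(admin, "/docs/b-report", "role", "A");
        System.out.println("after admin relabel, alice sees " + repo.search(alice, "A").size() + " A-nodes");

        // Same data behind a result filter only: search is clean, the direct lookup leaks.
        FilterOnlyRepository leaky = new FilterOnlyRepository();
        leaky.add(new Node("/docs/a-report", "A"));
        System.out.println("filter-only: bob's search finds " + leaky.search(bob, "A").size()
                + " A-node, but getNode returns " + leaky.getNode(bob, "/docs/a-report").path);
    }
}
```

The FilterOnlyRepository is the shape of Ian's objection: a filter sits on one retrieval path, so every other path (direct path lookup here; in a real repository also traversal, WebDAV, the query API) needs its own copy of the filter, and a missed one is a leak. The single isGranted() rule also answers canal's question about the 'role' property: the same rule that grants READ by role denies SET_PROPERTY on 'role' to everyone but an administrator, so the label cannot be rewritten by the users it constrains.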