jackrabbit-users mailing list archives

From Ian Boston <...@tfd.co.uk>
Subject everyone and administrators
Date Sun, 01 Nov 2009 22:59:07 GMT
This is Jackrabbit 1.5.6. I had a quick look at later versions and I
think what I am about to say holds for those later versions.
My Jackrabbit deployment is in Sling.

I have been having a look at an ACL setup on a private subtree, and at  
the moment it looks like this is not possible in Jackrabbit/Sling, but  
before I go and try and make it work, I would like to verify some  

1. IIUC, the DefaultAccessControlManager (DACM) does not allow deny on  
a group, so if everyone is granted read at the root node, then they  
cannot be denied read in any subnode.
2. Everyone has to be granted read at the root node, since they will  
need to read the whole path to any Resource. (Sling)
3. If there is any anonymous browse of the URL tree, then anonymous  
also needs read at the root node.
4. Denying anonymous read is easy, as it's a user principal and so can
be applied in an ACL only affecting anonymous.

So, as it stands it looks like it's not possible to make a sub tree  
private from authenticated users, but it can be made private from  
individual users.

If I patch the DACM et al to allow denied permissions on groups I can  
now add an ACL with everyone:denied:jcr:all, however, now no one can  
access the node or subtree.

IIUC, when that is processed "everyone" contains all authenticated
users, including the user I explicitly granted access. IMHO, if there
isn't a bug in the DACM et al, then permissions should be compiled at a
node giving preference to users, followed by groups, allowing an  
explicit grant to a user to override a group deny.

Does that make sense?
If this works, what are the chances of getting this into JR 1.5.x? I
think it is a genuine use case, or is there a different way of
achieving the same result?
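
The precedence question raised in the message above, as an added example that is not part of the original post and is not Jackrabbit code: a simplified Python model comparing a flat evaluation, where a group deny blocks an explicitly granted user, with the proposed user-before-group ordering. The `Ace` type, the `can` function, the "nearest node with an applicable entry decides" rule and the sample ACLs are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    principal: str        # user id or group name
    is_group: bool
    allow: bool
    privileges: frozenset

# Constructed sample ACLs keyed by node path (the scenario from the message).
ACLS = {
    "/": [Ace("everyone", True, True, frozenset({"jcr:read"}))],
    "/private": [
        Ace("everyone", True, False, frozenset({"jcr:all"})),
        Ace("alice", False, True, frozenset({"jcr:read"})),
    ],
}

def ancestors(path):
    """Yield path, then each parent up to the root: /a/b -> /a/b, /a, /."""
    while True:
        yield path
        if path == "/":
            return
        path = path.rsplit("/", 1)[0] or "/"

def matches(ace, privilege):
    # jcr:all is treated as the aggregate of every privilege.
    return privilege in ace.privileges or "jcr:all" in ace.privileges

def can(user, groups, path, privilege, user_first):
    """Decide access from the nearest node that has an applicable entry.

    user_first=False: user and group entries are pooled, any deny wins.
    user_first=True: entries naming the user are consulted before group
    entries, so an explicit user grant overrides a group deny.
    """
    for node in ancestors(path):
        aces = [a for a in ACLS.get(node, []) if matches(a, privilege)]
        own = [a for a in aces if not a.is_group and a.principal == user]
        grp = [a for a in aces if a.is_group and a.principal in groups]
        tiers = [own, grp] if user_first else [own + grp]
        for tier in tiers:
            if tier:
                return all(a.allow for a in tier)  # deny beats allow in a tier
    return False  # no applicable entry anywhere: default deny
```

With `user_first=True` the subtree stays closed to every other member of `everyone`, while nodes outside `/private` still resolve to the root grant.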

