jackrabbit-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Simon Kent <simonk...@sky.com>
Subject Custom Security with Jackrabbit 2.0
Date Wed, 09 Dec 2009 14:52:10 GMT

Hi everyone,

I'm curious as to how best approach a design for a custom role based
security ACL with JCR 2.0 API's.  

Current, each user has 1 or more RolePrincipal's which are implementation of
java.security.Principal which are allocated to the Subject during
authentication.

Each 'RolePrincipal' has an array of javax.jcr.security.Privilege's which
define the permissions of each role.

I think I should implement the security policy for each RolePrincipal using
an implementation of javax.jcr.security.AccessControlList where each access
control entry represents the role and its associated set of privileges. 
These would then be applied to each node path.  A custom implementation of
the JackrabbitAccessControlManager would then allow me to flexibly check
privileges based on the subject of the authenticated user without expecting
static roles such as 'Administrator' or 'Guest'.

The problem I am facing which makes me doubt this solution is as follows;

- If the Privileges against the role are adjusted, would every node in the
repository have to be visited and have its Policies removed and re-applied?

This does not sound right, unless the access control policies are held like
JCR REFERENCES which I don't think they are.

Has anyone here implemented role based security before?  I am particularly
interested in Permission based against roles, so not saying 'if (user =
ADMINISTRATOR) {... and so on, but rather 'if (user has Permission) {...

Any ideas would be great,

Thanks
Simon
-- 
View this message in context: http://n4.nabble.com/Custom-Security-with-Jackrabbit-2-0-tp956104p956104.html
Sent from the Jackrabbit - Users mailing list archive at Nabble.com.

Mime
View raw message