jackrabbit-users mailing list archives

From Ray Davis <...@media.berkeley.edu>
Subject How to implement 'everyone-except' access control in Jackrabbit 2.0
Date Mon, 22 Mar 2010 16:52:48 GMT
(This isn't a question -- just wanted to document it in case it helps 
anyone else or in case I got something badly wrong.)

It's not uncommon to want to restrict a resource's access to only a 
specific set of groups or users. For example, we might want the resource 
tree rooted at "/marketing_dept" to be mostly traversable by the general 
public but "/marketing_dept/budget.pdf" to only be readable by members 
of the "marketing.department" Principal.

The default resource AccessControlList provider in Jackrabbit 2 enables 
this, but you have to be aware that its AccessControlEntry resolves 
potential conflicts in an ordered fashion:

- More recent User ACEs override earlier User ACEs.
- Any User ACEs override any Group ACEs.
- More recent Group ACEs override earlier Group ACEs.

Thus, to get the desired access control for 
"/marketing_dept/budget.pdf", its ACL could be created as follows:

Privilege[] readPrivs = 

readPrivs, false);
readPrivs, false);

readPrivs, true);

If instead the "everyone" ACE appeared last in the ACL, it would block 
read access by members of the "marketing.department" (since they are 
also members of "everyone").
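
The ordering rules above, as a small stand-alone model (an added example, not part of the original message and not Jackrabbit code). The `Ace` type, the function names, the sample subjects and the default of no access when no ACE matches are assumptions made for illustration; it evaluates a single ACL only.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    principal: str   # principal name the entry applies to
    is_group: bool   # True for a group ACE, False for a user ACE
    allow: bool      # True = grant read, False = deny read

def can_read(acl, user, groups):
    """Apply the three ordering rules from the message to one ordered ACL."""
    user_aces = [a for a in acl if not a.is_group and a.principal == user]
    if user_aces:                      # any user ACE beats every group ACE
        return user_aces[-1].allow     # most recent user ACE wins
    group_aces = [a for a in acl if a.is_group and a.principal in groups]
    if group_aces:
        return group_aces[-1].allow    # most recent group ACE wins
    return False                       # assumption: no matching ACE, no access

def shadowed_allows(acl, everyone="everyone"):
    """Groups whose latest allow precedes the latest deny for `everyone`."""
    last = {}
    for i, a in enumerate(acl):
        if a.is_group:
            last[(a.principal, a.allow)] = i   # index of most recent entry
    deny_at = last.get((everyone, False), -1)
    return sorted(p for (p, allow), i in last.items()
                  if allow and p != everyone and i < deny_at)

# Constructed sample ACLs and subjects (not from the original message).
EVERYONE_FIRST = [Ace("everyone", True, False),
                  Ace("marketing.department", True, True)]
EVERYONE_LAST = list(reversed(EVERYONE_FIRST))
SUBJECTS = {"alice": {"everyone", "marketing.department"},
            "visitor": {"everyone"}}

def audit(acl):
    """Read decision for every sample subject under the given ACL."""
    return {u: can_read(acl, u, g) for u, g in SUBJECTS.items()}

if __name__ == "__main__":
    for name, acl in (("everyone first", EVERYONE_FIRST),
                      ("everyone last", EVERYONE_LAST)):
        print(name, audit(acl), "shadowed:", shadowed_allows(acl))
```

`shadowed_allows` can serve as a review check on an ACL before it is applied: a non-empty result means a group grant has been cancelled by a later deny for "everyone".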

