jackrabbit-users mailing list archives

From: Ray Davis <...@media.berkeley.edu>
Subject: How to implement 'everyone-except' access control in Jackrabbit 2.0
Date: Mon, 22 Mar 2010 16:52:48 GMT
(This isn't a question -- just wanted to document it in case it helps 
anyone else or in case I got something badly wrong.)

It's not uncommon to want to restrict a resource's access to only a 
specific set of groups or users. For example, we might want the resource 
tree rooted at "/marketing_dept" to be mostly traversable by the general 
public but "/marketing_dept/budget.pdf" to only be readable by members 
of the "marketing.department" Principal.

The default resource-based AccessControlList provider in Jackrabbit 2 
supports this, but you have to be aware that it resolves conflicts between 
AccessControlEntries in an ordered fashion:

- More recent User ACEs override earlier User ACEs.
- Any User ACEs override any Group ACEs.
- More recent Group ACEs override earlier Group ACEs.

Thus, to get the desired access control for 
"/marketing_dept/budget.pdf", its ACL could be created as follows:

import javax.jcr.security.Privilege;
import org.apache.jackrabbit.core.security.SecurityConstants;

Privilege[] readPrivs =
    { accessControlManager.privilegeFromName(Privilege.JCR_READ) };

// User ACE: deny anonymous (User ACEs override any Group ACE).
jackrabbitAccessControlList.addEntry(
    principalManager.getPrincipal(SecurityConstants.ANONYMOUS_ID),
    readPrivs, false);
// Group ACE: deny "everyone" ...
jackrabbitAccessControlList.addEntry(
    principalManager.getEveryone(), readPrivs, false);
// ... then allow "marketing.department"; the later Group ACE wins.
jackrabbitAccessControlList.addEntry(
    principalManager.getPrincipal("marketing.department"),
    readPrivs, true);

If instead the "everyone" ACE appeared last in the ACL, it would block 
read access by members of the "marketing.department" (since they are 
also members of "everyone").
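To make the ordering effect concrete, here is a small Python model of the precedence rules listed above (User ACEs override Group ACEs; among ACEs of the same kind the later one wins). This is an added example, not code from the post or from Jackrabbit: the principals "alice" and "bob" and their group memberships are constructed, only a single node's ACL is modelled (inheritance from parent nodes is ignored), and the evaluator implements the rules exactly as the post states them rather than Jackrabbit's own evaluation code.

```python
"""Model of the ACE precedence rules described in the post (constructed
example, not Jackrabbit code): User ACEs override Group ACEs, and among
ACEs of the same kind the later entry overrides the earlier one. Only one
node's ACL is modelled; inheritance from parent nodes is ignored."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Principal:
    name: str
    is_group: bool


@dataclass(frozen=True)
class Ace:
    principal: Principal
    allow: bool  # True = allow jcr:read, False = deny jcr:read


# Constructed principals mirroring the post's ACL.
ANONYMOUS = Principal("anonymous", is_group=False)
EVERYONE = Principal("everyone", is_group=True)
MARKETING = Principal("marketing.department", is_group=True)
ALICE = Principal("alice", is_group=False)  # hypothetical marketing member
BOB = Principal("bob", is_group=False)      # hypothetical non-member

# Constructed group memberships; every user is also in "everyone".
MEMBERSHIP: Dict[Principal, List[Principal]] = {
    ANONYMOUS: [EVERYONE],
    ALICE: [EVERYONE, MARKETING],
    BOB: [EVERYONE],
}


def can_read(acl: List[Ace], user: Principal) -> bool:
    """Resolve jcr:read for `user` under the post's precedence rules.
    No matching entry means nothing was granted, i.e. deny."""
    names = {user.name} | {g.name for g in MEMBERSHIP.get(user, [])}
    user_decision: Optional[bool] = None
    group_decision: Optional[bool] = None
    for ace in acl:  # walk in ACL order, so a later entry overwrites an earlier one
        if ace.principal.name not in names:
            continue
        if ace.principal.is_group:
            group_decision = ace.allow
        else:
            user_decision = ace.allow
    if user_decision is not None:  # any User ACE beats any Group ACE
        return user_decision
    if group_decision is not None:
        return group_decision
    return False


def who_can_read(acl: List[Ace]) -> Dict[str, bool]:
    """Evaluate the ACL for every known user; returns name -> may read."""
    return {u.name: can_read(acl, u) for u in MEMBERSHIP}


# The ordering from the post: deny anonymous, deny everyone, then allow marketing.
POST_ORDER = [Ace(ANONYMOUS, False), Ace(EVERYONE, False), Ace(MARKETING, True)]

# The mistake the post warns about: "everyone" last overrides the marketing grant.
EVERYONE_LAST = [Ace(ANONYMOUS, False), Ace(MARKETING, True), Ace(EVERYONE, False)]

# User-over-group precedence: a per-user allow survives a later group-wide deny.
BOB_EXCEPTION = [Ace(BOB, True), Ace(EVERYONE, False)]

if __name__ == "__main__":
    for label, acl in [("post order", POST_ORDER),
                       ("everyone last", EVERYONE_LAST),
                       ("bob exception", BOB_EXCEPTION)]:
        print(label, who_can_read(acl))
```

Running it shows that only the post's ordering gives "alice" read access while keeping anonymous and "bob" out; with "everyone" last, the marketing member is denied too, and the third ACL shows why a User ACE is the right tool for a single-user exception regardless of where the group-wide deny sits.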

Best,
Ray
