jackrabbit-users mailing list archives

From Cory Prowse <c...@prowse.com>
Subject Re: ACL Order reversed?
Date Mon, 02 Aug 2010 12:36:34 GMT
I thought that if I set the ACL in the order "ALLOW:authors, DENY:everyone" that when a Principal
in the authors group attempted access it would be allowed since the ALLOW would apply first.
This is not the case and in fact any author is denied.

However if I set the ACL in the order "DENY:everyone, ALLOW:authors" then authors are allowed.

Actually, it's a bit more weird than that even.  When set "ALLOW:authors, DENY:everyone" by
a Principal who is an author, then while their session is active they get access to the node
but not to the properties of the node (this is after the Session.save() to apply the ACL).
However if I restart the App Server then the authors are consistently denied access to the
node, which seems to me to point to something weird going on.

For now it seems to work fine if I set the ACL in reverse order.  I haven't tested with more
than two ACL entries applied to a node.

 -- Cory

On 02/08/2010, at 8:08 PM, Alexander Klimetschek wrote:

> On Sun, Aug 1, 2010 at 11:28, Cory Prowse <cory@prowse.com> wrote:
>> I am attempting to set an ACL on a node which allows the AUTHORS group all privileges,
>> and denies EVERYONE all privileges, and it seems the order of the entries in the ACL is reversed.
>> I use the following snippet of code to set the ACL on a node:
>> // ALLOW authors ALL
>> jackrabbitAccessControlList.addAccessControlEntry(AUTHORS_GROUP,
>>        new Privilege[] { acm.privilegeFromName(Privilege.JCR_ALL) });
>> // DENY everyone ALL
>> jackrabbitAccessControlList.addEntry(EveryonePrincipal.getInstance(),
>>        new Privilege[] { acm.privilegeFromName(Privilege.JCR_ALL) }, false);
>> This does not work, however if these entries are added in reverse order (DENY:everyone
>> first, followed by ALLOW:authors) then I get the outcome I'm looking for.
> What do you mean by it does not work? Are the entries not saved? Is
> one missing? Are the final privileges different from what you expect?
> What exactly do you expect?
>> I have verified the order is reversed by stepping through the method "ACLProvider.buildResult()".
>> Is this expected behaviour?
> I think so, because DENY wins over ALLOW entries in general. And in
> the authors group is also everyone...
> Regards,
> Alex
> -- 
> Alexander Klimetschek
> alexander.klimetschek@day.com
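
Added example, not part of the original message and not Jackrabbit's own code: a simplified model of the ordering behaviour reported above, for a single privilege set (jcr:all). It assumes that the entries on a node are evaluated last-added first and that the first entry matching one of the caller's principals decides; the class name, isGranted and the sample principals are hypothetical.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;

// Simplified model of ordered ACL evaluation (an assumption labelled as such,
// not Jackrabbit's implementation). Requires Java 16+ for records.
public class AclOrderModel {

    // One access control entry: a principal name and whether it allows or denies.
    record Entry(String principal, boolean allow) {}

    // Walk the entries in reverse insertion order; the first entry whose
    // principal the caller holds decides. No matching entry means deny.
    static boolean isGranted(List<Entry> acl, Set<String> callerPrincipals) {
        List<Entry> reversed = new ArrayList<>(acl);
        Collections.reverse(reversed);
        for (Entry e : reversed) {
            if (callerPrincipals.contains(e.principal())) {
                return e.allow();
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample principals: an author is also a member of "everyone".
        Set<String> author = Set.of("authors", "everyone");
        Set<String> visitor = Set.of("everyone");

        // The two insertion orders discussed in the thread.
        List<Entry> allowThenDeny = List.of(
                new Entry("authors", true), new Entry("everyone", false));
        List<Entry> denyThenAllow = List.of(
                new Entry("everyone", false), new Entry("authors", true));

        System.out.println("ALLOW:authors, DENY:everyone / author  -> "
                + isGranted(allowThenDeny, author));
        System.out.println("DENY:everyone, ALLOW:authors / author  -> "
                + isGranted(denyThenAllow, author));
        System.out.println("DENY:everyone, ALLOW:authors / visitor -> "
                + isGranted(denyThenAllow, visitor));
    }
}
```

Under this model the broad DENY has to be added first and the narrower ALLOW last, which matches the order that worked in the message above.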
