jackrabbit-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Yusuf Aaji <yusuf.a...@gmail.com>
Subject Re: hiding some sub-folders from mr.anonymous
Date Tue, 25 Jan 2011 21:09:48 GMT
thanks a lot Angela, this make great sense.

BR,
Yusuf

On Tue, Jan 25, 2011 at 11:50 PM, Angela Schreiber <anchela@adobe.com>wrote:

> hi yusuf
>
>
>  I guess I found something usefull here
>>
>> *JCR* 2 only defines the ability to add privileges. You need to use the
>> *Jackrabbit*-specific *JackrabbitAccessControlList* to add a "deny" access
>> control entry.
>>
>
> one additional hint: please note that in the default implementation
> privileges granted/denied for a given user always take precedence over
> those defined any group the user is member of.
>
> in general we advise to create access control entries for groups
> as this improves maintainability of the access control content.
> similarly we advise to use allow/deny entries for individual users
> where you really want to target that specific user and nobody else...
>
> regards
> angela
>
>
>
>
>> http://jackrabbit.510166.n4.nabble.com/Help-with-JCR-2-access-control-td2403697.html
>>
>> thanks again Justin :)
>>
>>
>> On Sun, Jan 23, 2011 at 2:01 AM, Yusuf Aaji<yusuf.aaji@gmail.com>  wrote:
>>
>>  Hi,
>>>
>>> I have managed to use the default* security classes with jackrabbit and
>>> used the access policies in a good way so far.
>>>
>>> But there is a strange behaviour I'm getting. If I grant everyone or
>>> anonymous jcr:read on the root folder, I can't revoke that or override it
>>> on
>>> any sub-folder no matter what the policies on that sub-folder is.
>>>
>>> Is this ok, or am I missing something?
>>>
>>> I mean I need Mr.anonymous to access my repo but I need to hide some
>>> folders from him. Sorry anonymous, don't take it personal, but every
>>> business have some confidential documents :)
>>>
>>> any idea jackrabbit developers?!
>>>
>>> BR,
>>> Yusuf
>>>
>>>
>>
>>
>>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message