jackrabbit-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Angela Schreiber <anch...@adobe.com>
Subject Re: Using rescrictions in Principal based ACL
Date Tue, 31 May 2011 12:39:23 GMT
hi husain

> What does the rep:glob stands for and how does it affects the permissions?

the default ACL (without the rep:glob restriction) effects the whole
subtree defined by the target node. the optional rep:glob restriction
allows you to limit the effect to certain items in that subtree
without having the create a separate policy at every single location
that matches.

the matching is similar to the one defined by Node.getNodes(String[]),
except that it works for paths an not only for names.

examples for a path /foo without and with rep:glob restriction:

----------------------------------------------------------------------------- 
rep:glob     |   Matches 
-----------------------------------------------------------------------------
              |
  null        |   matches /foo and all its children
              |
-----------------------------------------------------------------------------
              |
  ""          |   matches /foo only
  *           |   siblings of foo and foo's and the siblings' descendants
  /*cat       |   all children of /foo whose path ends with "cat"
  /*/cat      |   all non-direct descendants of /foo named "cat"
  /cat*       |   all descendant path of /foo that have the direct
                  foo-descendant segment starting with "cat"
  *cat        |   all siblings and descendants of foo that have a
                  name ending with cat
  */cat       |   all descendants of /foo and foo's siblings that have
                  a name segment "cat"
  cat/*       |   all descendants of '/foocat'
  /cat/*      |   all descendants of '/foo/cat'
  *cat/*      |   all descendants of /foo that have an intermediate
              |   segment ending with 'cat'
              |
-----------------------------------------------------------------------------

please not that this restriction does not distinguish between child
nodes and properties of a node as it performs a simplistic path-matching.

regards
angela

Mime
View raw message