jackrabbit-users mailing list archives

From "Mark Herman" <MHer...@NBME.org>
Subject RE: Access Control Management with JCR
Date Thu, 18 Aug 2011 14:19:22 GMT
1. I think that should work.  This approach is kind of an "everything open
unless I close it" mindset, where you may want to consider "everything is
closed unless I open it."  If myapp and blog need anonymous access for some
reason you may want to restructure so the content folders don't need to be
under them.

2. All permissions will only go down a hierarchy.  Changing the permissions
on a child won't have any effect on the parent (except for the fact that its
child was changed).  Obviously changes to the parent's security will be
inherited by the children.

3. I'm not too familiar but through trial and error it looks like you need to
add jcr:nodeTypeManagement as well.  I guess choosing a primary node type for
a new node counts as nodeTypeManagement.

-----Original Message-----
From: Anuj Kumar [mailto:anujsays@gmail.com] 
Sent: Tuesday, August 16, 2011 12:27 PM
To: users@sling.apache.org; users@jackrabbit.apache.org
Subject: Access Control Management with JCR

Hello Everyone,

I am trying to understand the access management with JCR, using an example
of Blog posts. I am using espblog example of Apache Sling and trying to work
with the permissions on different blog posts. I am trying to create some
content in such a way that it is accessible to only a certain group of
users. Also, there are posts that are public and private.

It is my first attempt with Jackrabbit and Sling, so, please let me know
what works and what does not. That would be of great help. Here are the

Suppose, I have a repository structure as-

-- myapp
    --- blogs
        --- private
        --- public
        --- shared

As the folder names suggest, I am trying to organize the content depending
on the required security, i.e.
1. If a user wants to publish the blog for everyone, the content is posted
to /myapp/blogs/public/*
2. If a user wants to keep some articles private, it is posted to
3. If a user wants to publish the blog for a limited group of people, the
content is posted to /myapp/blogs/shared/* with appropriate permissions.

Depending on the scenario-

1. The 'private' folder disallows any anonymous access and each content is
accessible only to the author. (All Permissions for the author)
2. The 'public' folder allows everyone, including anonymous (Read, Write)
3. The 'shared' folder has the policies set per content, depending on the
author (Read, Write, Read Permission, Write Permission only to the author or
participating entities)

For this scenario, my questions are-

1. Does it make sense to have this kind of access policies?
Are there better ways to do so?
2. When I assign the permission to folders- private, public and shared, how
does it affect the permission for parent folders- myapp and blogs?
3. Isn't 'write' permission enough for adding new content nodes to the
existing node on which the 'write' permission is given? I tried assigning
the read, write permissions to a group of blog users on 'private' folder but
it didn't work. The write permission allows you to create child nodes as
well but still I am getting access denied exception. Moreover, if I assign
all the permissions on 'private' node it works, but that includes the read,
write access to permissions as well.

Thanks for your help.
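
Added example (not part of either message above): one way to grant a group read, write, and the jcr:nodeTypeManagement privilege mentioned in the reply on /myapp/blogs/private through the JCR 2.0 access control API, without also granting jcr:readAccessControl or jcr:modifyAccessControl. The group name "blog-users" and the class and method names are assumptions; the session is assumed to belong to a user allowed to modify access control on that path.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;

public class BlogFolderAcl {  // hypothetical class name

    /** Returns the ACL already bound to the path, or an empty applicable one. */
    static AccessControlList findAcl(AccessControlManager acm, String path)
            throws RepositoryException {
        for (AccessControlPolicy p : acm.getPolicies(path)) {
            if (p instanceof AccessControlList) return (AccessControlList) p;
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof AccessControlList) return (AccessControlList) p;
        }
        throw new RepositoryException("No access control list available at " + path);
    }

    /** Grants only what authoring needs; access-control privileges stay withheld. */
    static void grantAuthoring(Session admin, String path, String groupName)
            throws RepositoryException {
        AccessControlManager acm = admin.getAccessControlManager();
        Principal group = ((JackrabbitSession) admin)
                .getPrincipalManager().getPrincipal(groupName);
        if (group == null) throw new RepositoryException("Unknown principal " + groupName);
        Privilege[] privileges = {
            acm.privilegeFromName(Privilege.JCR_READ),
            acm.privilegeFromName(Privilege.JCR_WRITE),
            // Per the reply: needed so new nodes can be given a primary node type.
            acm.privilegeFromName(Privilege.JCR_NODE_TYPE_MANAGEMENT)
        };
        AccessControlList acl = findAcl(acm, path);
        acl.addAccessControlEntry(group, privileges);
        acm.setPolicy(path, acl);  // transient until the session is saved
        admin.save();
    }
}
```

A call such as `BlogFolderAcl.grantAuthoring(adminSession, "/myapp/blogs/private", "blog-users")` applies the entry; `acm.hasPrivileges(path, privileges)` from a session of a group member can then confirm the result.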

