From: Alexander Klimetschek
To: "users@jackrabbit.apache.org"
Date: Fri, 30 Sep 2011 17:00:39 +0100
Subject: Re: ACLs, GlobPattern and move

On 30.09.11 15:48, "Markus Joschko" wrote:

>I am not completely sure on this. At the moment I am totally confused
>about the behavior.
>With a mix of davex client and serverside sessions I've seen the
>described leakage: Only for newly created sessions the acls applied.
>
>On the other hand I just have written a test that works solely with an
>embedded jackrabbit and two sessions (admin & user) and here security
>seems to apply immediately on move, no leakage.

If you use Workspace.move() then this is working outside of a session (no
session.save() needed), i.e. acts like a new session.

>Should it really only work with newly created session then that is IMO
>a security risk.

Hmm, yes, maybe I am wrong :-)

>In a setup like /departmentA/topsecret where topsecret is denied in
>rep:glob, topsecret should certainly not be visible to anyone even
>when the department is moved to /departmentB.

Yes.

Alex

-- 
Alexander Klimetschek
Developer // Adobe (Day) // Berlin - Basel