Date: Fri, 30 Sep 2011 15:48:14 +0200
Subject: Re: ACLs, GlobPattern and move
From: Markus Joschko
To: users@jackrabbit.apache.org

On Fri, Sep 30, 2011 at 3:06 PM, Alexander Klimetschek wrote:
> On 28.09.11 09:34, "Markus Joschko" wrote:
>> Yep, I tried a refresh on the session with no effect. I also fetch the
>> node every time again with the getNode(path) method on the session.
>> Does anybody know if there is a difference in the permission handling
>> between CRX and jackrabbit?
>> How are the permissions cached and when is the cache invalidated?
>
> AFAIK if you change permissions, they will only apply to newly created
> sessions. I am not completely sure on this.

At the moment I am totally confused about the behavior. With a mix of davex client and server-side sessions I've seen the described leakage: only for newly created sessions did the ACLs apply. On the other hand, I have just written a test that works solely with an embedded jackrabbit and two sessions (admin & user), and here security seems to apply immediately on move, no leakage.

Should it really only work with newly created sessions, then that is IMO a security risk. In a setup like /departmentA/topsecret where topsecret is denied in rep:glob, topsecret should certainly not be visible to anyone even when the department is moved to /departmentB.

As I said, I cannot reproduce it programmatically, but I am a bit uneasy about that at the moment.

Regards,
Markus

> Cheers,
> Alex
>
> --
> Alexander Klimetschek
> Developer // Adobe (Day) // Berlin - Basel
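An added test harness for the scenario in the thread (written for this page; it is neither Markus's test nor Jackrabbit project code): deny jcr:read on /departmentA/topsecret to a test user through a rep:glob restriction on the department, move the department to /departmentB as admin, and then check from the user's existing session and from a freshly created one whether topsecret has become visible. Assumptions: Jackrabbit 2.x core on the classpath, TransientRepository's default admin/admin login, a constructed user "alice", and the glob "/topsecret*", which Jackrabbit resolves relative to the node carrying the ACE.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import javax.jcr.*;
import javax.jcr.security.*;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.core.TransientRepository;

/** Added check (not project code): does a rep:glob deny survive a move of its parent node? */
public class GlobMoveCheck {

    // Return the editable JackrabbitAccessControlList for a node, already bound or still applicable.
    static JackrabbitAccessControlList acl(AccessControlManager acm, String path) throws RepositoryException {
        for (AccessControlPolicy p : acm.getPolicies(path))
            if (p instanceof JackrabbitAccessControlList) return (JackrabbitAccessControlList) p;
        for (AccessControlPolicyIterator it = acm.getApplicablePolicies(path); it.hasNext();) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof JackrabbitAccessControlList) return (JackrabbitAccessControlList) p;
        }
        throw new RepositoryException("no ACL available at " + path);
    }

    public static void main(String[] args) throws Exception {
        Repository repo = new TransientRepository();   // embedded repo; admin/admin is its default login (assumption)
        Session admin = repo.login(new SimpleCredentials("admin", "admin".toCharArray()));
        User alice = ((JackrabbitSession) admin).getUserManager().createUser("alice", "secret"); // constructed test user
        Principal principal = alice.getPrincipal();
        admin.getRootNode().addNode("departmentA").addNode("topsecret");
        admin.save();

        AccessControlManager acm = admin.getAccessControlManager();
        Privilege[] read = { acm.privilegeFromName(Privilege.JCR_READ) };
        JackrabbitAccessControlList list = acl(acm, "/departmentA");
        list.addEntry(principal, read, true);                        // alice may read the department ...
        Map<String, Value> glob = Collections.singletonMap("rep:glob", admin.getValueFactory().createValue("/topsecret*"));
        list.addEntry(principal, read, false, glob);                 // ... but not topsecret; glob is relative to /departmentA
        acm.setPolicy("/departmentA", list);
        admin.save();

        Session user = repo.login(new SimpleCredentials("alice", "secret".toCharArray()));
        System.out.println("before move, topsecret visible: " + user.nodeExists("/departmentA/topsecret"));
        admin.move("/departmentA", "/departmentB");   // the ACE moves with the node, so the deny should still apply
        admin.save();
        user.refresh(false);                          // same session, as in the reported leakage case
        System.out.println("old session after move, topsecret visible: " + user.nodeExists("/departmentB/topsecret"));
        Session fresh = repo.login(new SimpleCredentials("alice", "secret".toCharArray()));
        System.out.println("fresh session after move, topsecret visible: " + fresh.nodeExists("/departmentB/topsecret"));
        fresh.logout(); user.logout(); admin.logout();
    }
}
```

A `true` on either after-move line is the leakage the thread is worried about; the /departmentB node itself should stay readable for alice because the unrestricted allow entry moved with it as well.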