jackrabbit-users mailing list archives

From Markus Joschko <markus.josc...@gmail.com>
Subject Re: Conditional access control
Date Tue, 11 Oct 2011 07:14:41 GMT
Hi Alex,
principal-based ACLs do not ease the setup. The real problem is that
the nodes with the different types are mixed in the hierarchies.
So even with principal-based ACLs I have to define the ACLs for each
path separately, which is not much easier to maintain than the
resource-based ACLs.


On Tue, Oct 11, 2011 at 12:15 AM, Alexander Klimetschek
<aklimets@adobe.com> wrote:
> On 10.10.11 23:02, "Markus Joschko" <markus.joschko@gmail.com> wrote:
>>In my repository I have a structure that has many deep branches.
>>Within these branches there are three different types of nodes.
>>Each type is maintained by another group of users. These groups can be
>>configured per branch
>>(it's a bit like in a file system where one group can only maintain
>>the folders and the other group only the files in a branch).
>>Now the question is how to best handle the access control here.
>>I can:
>>- either add an ace to each and every node in the repository and pay
>>the price that I have to maintain a lot of them in case ownership of a
>>branch changes or subbranches are moved into different branches.
>>- find a way to hook into the accesscontrol mechanism of jackrabbit to
>>make this easier. So far I have failed to find a good way to do so.
>>  I initially thought about introducing custom privileges that can be
>>used as markers and then extend the ACLProvider to take these
>>privileges also into account when calculating permissions.
>>  However from looking at the code it seems to me, that custom
>>privileges can only be defined as aggregates of existing privileges
>>and then also the aggregate can not exist twice. I guess it is not a
>>  idea to create artificial aggregates just to define new privileges.
>>- an alternative might be to create new accesscontrol entries that do
>>not only have path restrictions but also nodetype restrictions.
>>However that seems to be quite invasive and a lot of work.
>>Any other ideas how to tackle that problem?
> Principal-based ACLs maybe?
> Alex
> --
> Alexander Klimetschek
> Developer // Adobe (Day) // Berlin - Basel
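
The third option from the quoted question (entries restricted by node type as well as by path), sketched as a stand-alone Python model; this is an added example, not part of the original thread and not Jackrabbit code or its API. The `Ace` and `Repo` classes, the group names and the paths are constructed for illustration, and the evaluation rule (the nearest ancestor entry for the node's type decides, default deny) is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    path: str       # entry applies to this node and its whole subtree
    group: str      # group granted write access
    node_type: str  # ...but only on nodes of this type

class Repo:
    def __init__(self):
        self.types = {}  # path -> node type
        self.aces = []

    def can_write(self, group, path):
        # Walk up from the node; the nearest level that holds an entry for
        # this node's type decides. No matching entry anywhere: deny.
        node_type, current = self.types[path], path
        while current:
            here = [a for a in self.aces
                    if a.path == current and a.node_type == node_type]
            if here:
                return any(a.group == group for a in here)
            current = current.rpartition("/")[0]
        return False

    def move(self, src, dst):
        # Nodes and any entries stored inside the moved subtree travel with it.
        def remap(p):
            inside = p == src or p.startswith(src + "/")
            return dst + p[len(src):] if inside else p
        self.types = {remap(p): t for p, t in self.types.items()}
        self.aces = [Ace(remap(a.path), a.group, a.node_type) for a in self.aces]

def build_sample():
    # Constructed data: two branches, folders and files mixed in the hierarchy.
    repo = Repo()
    repo.types = {"/sales": "folder", "/sales/q1": "folder",
                  "/sales/q1/report": "file", "/hr": "folder"}
    repo.aces = [Ace("/sales", "sales-structure", "folder"),
                 Ace("/sales", "sales-authors", "file"),
                 Ace("/hr", "hr-structure", "folder"),
                 Ace("/hr", "hr-authors", "file")]
    return repo

if __name__ == "__main__":
    repo = build_sample()
    print(repo.can_write("sales-authors", "/sales/q1/report"))
    repo.move("/sales/q1", "/hr/q1")
    print(repo.can_write("sales-authors", "/hr/q1/report"))
```

In this model each branch carries one entry per node type at its root, so a sub-branch moved under another branch is governed by the new branch's groups without any entry being rewritten.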
