Subject: Conditional access control
From: Markus Joschko
To: users@jackrabbit.apache.org
Date: Mon, 10 Oct 2011 23:02:32 +0200
Mailing-List: users@jackrabbit.apache.org

Hi,

In my repository I have a structure that has many deep branches. Within these branches there are three different types of nodes. Each type is maintained by another group of users. These groups can be configured per branch (it's a bit like in a file system where one group can only maintain the folders and the other group only the files in a branch).

Now the question is how to best handle the access control here. I can:

- either add an ACE to each and every node in the repository and pay the price that I have to maintain a lot of them in case ownership of a branch changes or sub-branches are moved into different branches.
- find a way to hook into the access control mechanism of Jackrabbit to make this easier. So far I have failed to find a good way to do so. I initially thought about introducing custom privileges that can be used as markers and then extending the ACLProvider to take these privileges also into account when calculating permissions. However, from looking at the code it seems to me that custom privileges can only be defined as aggregates of existing privileges, and the same aggregate also cannot exist twice. I guess it is not a good idea to create artificial aggregates just to define new privileges.
- an alternative might be to create new access control entries that do not only have path restrictions but also node type restrictions. However, that seems to be quite invasive and a lot of work.

Any other ideas how to tackle that problem?

- Markus
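The following is an added example, not code from the post or from the Jackrabbit project. It makes the first option in the post concrete: an ACE on every node of one type within a branch, and the walk that has to be repeated whenever ownership of that branch changes. It uses only the standard JCR 2.0 access-control API (javax.jcr.security), so it does not depend on Jackrabbit internals. The node-type name passed in and the two group Principal objects are assumptions; looking them up (for example through Jackrabbit's UserManager) is outside the snippet.

```java
import java.security.Principal;
import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;

/**
 * Added example (not from the mailing-list post or the Jackrabbit code base):
 * re-assigns maintenance of one node type within a branch from one group
 * principal to another by rewriting the ACL on every matching node.
 * The node type name and the principals are assumptions supplied by the caller.
 */
public final class BranchOwnership {

    private BranchOwnership() {}

    /** Returns the ACL already bound at absPath, else the first applicable one, else null. */
    static AccessControlList findAcl(AccessControlManager acMgr, String absPath)
            throws RepositoryException {
        for (AccessControlPolicy policy : acMgr.getPolicies(absPath)) {
            if (policy instanceof AccessControlList) {
                return (AccessControlList) policy;
            }
        }
        AccessControlPolicyIterator applicable = acMgr.getApplicablePolicies(absPath);
        while (applicable.hasNext()) {
            AccessControlPolicy policy = applicable.nextAccessControlPolicy();
            if (policy instanceof AccessControlList) {
                return (AccessControlList) policy;
            }
        }
        return null; // access control is not supported at this path
    }

    /**
     * Walks the subtree below branchPath; on every node of the given type it removes
     * the entries granted to oldGroup and grants jcr:write to newGroup.
     * Returns the number of nodes whose ACL was rewritten: this number is the
     * maintenance cost the post describes, and it grows with the size of the branch.
     */
    public static int reassignType(Session session, String branchPath, String nodeType,
                                   Principal oldGroup, Principal newGroup)
            throws RepositoryException {
        AccessControlManager acMgr = session.getAccessControlManager();
        Privilege[] write = { acMgr.privilegeFromName(Privilege.JCR_WRITE) };
        int rewritten = rewrite(session.getNode(branchPath), nodeType, acMgr, write,
                                oldGroup, newGroup);
        session.save(); // policy changes are transient until the session is saved
        return rewritten;
    }

    private static int rewrite(Node node, String nodeType, AccessControlManager acMgr,
                               Privilege[] write, Principal oldGroup, Principal newGroup)
            throws RepositoryException {
        int count = 0;
        if (node.isNodeType(nodeType)) {
            String path = node.getPath();
            AccessControlList acl = findAcl(acMgr, path);
            if (acl != null) {
                // getAccessControlEntries() returns a snapshot array, so removing
                // entries while iterating over it is safe
                for (AccessControlEntry ace : acl.getAccessControlEntries()) {
                    if (ace.getPrincipal().getName().equals(oldGroup.getName())) {
                        acl.removeAccessControlEntry(ace);
                    }
                }
                acl.addAccessControlEntry(newGroup, write);
                acMgr.setPolicy(path, acl);
                count++;
            }
        }
        // recurse into the deep branches the post describes
        for (NodeIterator children = node.getNodes(); children.hasNext();) {
            count += rewrite(children.nextNode(), nodeType, acMgr, write, oldGroup, newGroup);
        }
        return count;
    }
}
```

A call such as `BranchOwnership.reassignType(session, "/content/projects/alpha", "my:folder", oldGroup, newGroup)` (placeholder path and node type) shows the trade-off: the repository evaluates each ACE at access time with no extra code, but every ownership change or sub-branch move has to re-run this walk over the affected nodes, and a missed node keeps the old group's permissions until the next pass. The other two options in the post would move this per-node work into the permission evaluation itself, which is what makes them attractive and also what makes them invasive.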