jackrabbit-users mailing list archives

From Angela Schreiber <anch...@adobe.com>
Subject Re: Security on JR through Webdav
Date Thu, 12 Apr 2012 07:11:28 GMT
hi francisco

> regarding security on Webdav accessed JR repositories i would like to hear
> expertise opinions as access control is very permissive by default

that depends on your configuration. in the default jackrabbit setup
you can configure the AccessControlProvider such that it doesn't
set up any permissions by default. in that case only admin has
access to the repository.

> (and ACLs don't work through Webdav).

that's correct.

> About authentication, what would be necessary in order to authenticate all
> kinds of access??

that should already be the case. and again there are configuration
options with the webdav server that define how requests without
any kind of user identification should be dealt with (it's called
missing-auth-param or similar).

> (i.e.: opening a session with read / write permissions
> through Java code and access through the web browser too).

sorry. you lost me here... authentication is a different story
than authorization. you may allow access for GuestCredentials
(such as the default login module does) but it might well be
that this session is not able to read anything.

> Would suffice creating a custom access manager?

i don't think this is required.

> I did it previously but i don't know if
> this is the best practice...

that maybe depends a bit on your use-cases...

> Any orientation (or expertise opinion) about the right way of providing
> authentication and authorization on webdav accessed JR repositories will be
> appreciated.

what we did at adobe (former day) to circumvent the missing access
control management in the webdav layer: we have a separate repository
browser (crx) that allowed to edit access control from a browser, so
we don't have to do this in the webdav access.

alternatively, you may want to provide patches that would help
us implement RFC 3744 in the standard webdav implementation (the simple
server)... your contribution would definitely be welcome.

kind regards

> Thanks in advance for your time!
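The two configuration knobs the reply refers to, written out as an added example (this is not part of the message above, nor a copy of Jackrabbit's shipped configuration files). It assumes the Jackrabbit 2.x layout: the workspace-level `AccessControlProvider` element in workspace.xml, where the `ACLProvider` class reads an `omit-default-permission` parameter, and the `missing-auth-mapping` init-param of the simple WebDAV servlet in the webapp's web.xml. Both parameter names are taken from memory of the Jackrabbit sources and should be checked against the deployed version.

```xml
<!-- workspace.xml: the "missing-permissions-by-default" setup the reply describes.
     Without omit-default-permission the ACLProvider installs a default
     policy on the root that grants 'everyone' read access (permissive);
     with it set to true nothing is granted until an admin adds ACEs. -->
<WorkspaceSecurity>
  <AccessControlProvider
      class="org.apache.jackrabbit.core.security.authorization.acl.ACLProvider">
    <!-- assumed parameter name; verify against your Jackrabbit version -->
    <param name="omit-default-permission" value="true"/>
  </AccessControlProvider>
</WorkspaceSecurity>

<!-- web.xml: how the simple WebDAV servlet treats requests that carry no
     Authorization header (the "missing-auth-param or similar" from the reply).
     Permissive variant: map anonymous requests to a fixed repository user.
     Every unauthenticated HTTP client then acts as 'anonymous'. -->
<servlet>
  <servlet-name>Webdav</servlet-name>
  <servlet-class>org.apache.jackrabbit.webdav.simple.SimpleWebdavServlet</servlet-class>
  <init-param>
    <param-name>missing-auth-mapping</param-name>
    <!-- constructed sample value: user:password -->
    <param-value>anonymous:anonymous</param-value>
  </init-param>
</servlet>

<!-- Stricter variant: omit the init-param entirely. With no mapping the
     servlet answers an unauthenticated request with 401, so WebDAV
     clients (and browsers) must present credentials before any
     repository session is opened. An empty <param-value/> would instead
     perform a null login, i.e. whatever the default login module does for
     guest access. -->
<servlet>
  <servlet-name>Webdav</servlet-name>
  <servlet-class>org.apache.jackrabbit.webdav.simple.SimpleWebdavServlet</servlet-class>
  <!-- no missing-auth-mapping: unauthenticated requests get 401 -->
</servlet>
```

The split mirrors the reply's distinction: `missing-auth-mapping` decides who an unauthenticated request is authenticated as, while the `AccessControlProvider` decides what that session may then read or write. Leaving the servlet permissive but omitting default permissions still yields an anonymous session that can see nothing, which is the situation the reply describes for GuestCredentials.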
