lucene-java-user mailing list archives

From Chris Hostetter <hossman_luc...@fucit.org>
Subject Re: Implementing security in search
Date Tue, 29 Mar 2005 18:33:31 GMT
: maybe it is not the best solution, but
:
: you can form restriction clause like (+allowedRole1 +allowedRole2
: +allowedRole2 -forbiddenRole1 -forbiddenRole2 ... -forbiddenRoleN)
:
: where (forbiddenRole1 ... forbiddenRoleN) are all possible roles except
: allowed roles.

One catch there is that you don't actually want "+" on the allowed roles,
because the person might have more roles than the document requires.

In fact, I don't think you really need the "allowed roles" clauses at all
-- just generate the list of all roles the user does *NOT* have and make
negative clauses for them.

You mentioned that the list of roles is not fixed, so that may sound hard,
but thanks to the wonders of "IndexReader.terms(Term t)" it's trivial to
get Lucene to tell you the list of all Terms in the index for a
specific field.

The only other suggestion I would make, is that instead of building up
the list of "forbidden roles" as additional query clauses, you might
consider using the ChainedFilter class in the sandbox ...

http://svn.apache.org/viewcvs.cgi/lucene/java/trunk/sandbox/contributions/miscellaneous/src/java/org/apache/lucene/misc/ChainedFilter.java?rev=151018&view=markup

(you'll have to wrap it in a simple "NotFilter" since you want the
negation, but that's fairly straightforward)

: >Hi! I need to implement security in search. When I'm indexing contents,
: >I set a field with the roles assigned to that particular content. The
: >problem is that a content should be retrieved from a search only if the
: >user has *all* the roles assigned to the indexed content, not just one
: >(in that case it would be easy). So, for example, if a content has the
: >roles Role1, Role2 and Role3, and the user only has Role1 and Role3, the
: >content should not be retrieved. The set of roles available to both
: >contents and users is not fixed. So far I haven't seen an easy way to do
: >that in Lucene. Any idea?


-Hoss
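
The following is an added example, not code from the thread or from Lucene: a small Python model of the role field's inverted index that compares the "negative clauses only" approach from the reply with the variant that also puts "+" on the user's roles. The corpus, the function names and the extra `Role4` are constructed for illustration; `all_role_terms` stands in for enumerating the field's terms with `IndexReader.terms(Term t)`.

```python
from collections import defaultdict

# Constructed sample corpus: doc id -> roles a user must ALL hold to see it.
DOCS = {
    "d1": {"Role1", "Role2", "Role3"},
    "d2": {"Role1"},
    "d3": {"Role1", "Role3"},
    "d4": set(),               # unrestricted document
    "d5": {"Role4"},
}

def build_role_index(docs):
    """Inverted index for the role field: role term -> set of doc ids."""
    index = defaultdict(set)
    for doc_id, roles in docs.items():
        for role in roles:
            index[role].add(doc_id)
    return index

def all_role_terms(index):
    """Every role term present in the index (model of the term enumeration)."""
    return set(index)

def search(docs, index, must=(), must_not=()):
    """Boolean match: every 'must' term present and no 'must_not' term present."""
    hits = set(docs)
    for role in must:
        hits &= index.get(role, set())
    for role in must_not:
        hits -= index.get(role, set())
    return hits

def visible_forbidden_only(docs, user_roles):
    """Negative clauses for every role in the index that the user lacks."""
    index = build_role_index(docs)
    forbidden = all_role_terms(index) - set(user_roles)
    return search(docs, index, must_not=forbidden)

def visible_with_required_allowed(docs, user_roles):
    """Same, plus '+' on each of the user's roles; hides documents it should not."""
    index = build_role_index(docs)
    forbidden = all_role_terms(index) - set(user_roles)
    return search(docs, index, must=user_roles, must_not=forbidden)
```

The forbidden list has to be rebuilt from the current index terms for each search (or whenever new role values are indexed); a stale list leaves documents carrying a newly introduced role visible to users who lack it. In Lucene itself a query made only of prohibited clauses matches nothing, so the negative clauses accompany the user's actual search query or are applied as a filter.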

