sling-commits mailing list archives

Subject svn commit: r1579415 - /sling/site/trunk/content/documentation/bundles/resource-access-security.mdtext
Date Wed, 19 Mar 2014 21:44:21 GMT
Author: mykee
Date: Wed Mar 19 21:44:20 2014
New Revision: 1579415

CMS commit to sling by mykee


Modified: sling/site/trunk/content/documentation/bundles/resource-access-security.mdtext
--- sling/site/trunk/content/documentation/bundles/resource-access-security.mdtext (original)
+++ sling/site/trunk/content/documentation/bundles/resource-access-security.mdtext Wed Mar
19 21:44:20 2014
@@ -16,6 +16,11 @@ Notice:    Licensed to the Apache Softwa
            specific language governing permissions and limitations
            under the License.
+<div class="note">
+The description here is work in progress and not complete. The Resource Access Security bundle
is not yet released.
+## Summary 
 The ResourceAccessSecurity defines a service API which is used in two different context:
for securing resource providers which have no own access control and on the application level
to further restrict the access to resources in general. 
 A resource access security service is registered with the service property CONTEXT. Allowed
values are APPLICATION_CONTEXT and PROVIDER_CONTEXT. If the value is missing or invalid, the
service will be ignored. 
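Review bot: The <div class="note"> opened at the top of this hunk has no closing </div> in the lines shown, so the new "## Summary" heading and the paragraphs after it sit inside the note block and the heading may not render as Markdown. Close the div right after "is not yet released." and leave a blank line before "## Summary". While touching this text, "two different context" should read "two different contexts".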
@@ -23,3 +28,16 @@ A resource access security service is re
 In the context of resource providers, this service might be used for implementations of resource
providers where the underlying persistence layer does not implement access control. The goal
is to make it easy to implement a lightweight access control for such providers. For example,
a JCR resource providers should *not* use the provider context resource access security -
in a JCR context, security is fully delegated to the underlying repository, and mixing security
models would be a bad idea. 
 In the context of the application, this service might be used to add additional or temporary
constraints across the whole resource tree. It is expected to only have a single service per
context in the framework/application (much like the OSGi LogService or ConfigurationAdmin
Service). In the case of multiple services per context, the one with the highest service ranking
is used.
+## How to use ResourceAccessSecurity
+To let use Resource Resolver the ResourceAccessSecurity service simply add the resourceaccesssecurity
bundle to your sling instance.
+The implementation of ResourceAccessSecurity defines a service provider interface named ResourceAccessGate.
+The ResourceAccessGate defines a service API which might be used to make some restrictions
to accessing resources. Implementations of this service interface must be registered like
ResourceProvider with a path (like provider.roots). If different ResourceAccessGateService
services match a path, not only the ResourceAccessGateService with the longest path will be
called, but all of them, that's in contrast to the ResourceProvider, but in this case more
logical (and secure!). The gates will be called in the order of the service ranking. If one
of the gates grants access for a given operation access will be granted. service properties:

+* path: regexp to define on which paths the service should be called (default .*) 
+* operations: set of operations on which the service should be called ("read,create,update,delete,execute",
default all of them) 
+* finaloperations: set of operations on which the service answer is final and no further
service should be called (default none of them), except the GateResult is GateResult.CANT_DECIDE

+The resource access gate can either have the context PROVIDER_CONTEXT, in this case the gate
is only applied to resource providers requesting the security checks. Or the context can be
APPLICATION_CONTEXT. In this case the access gate is invoked for the whole resource tree.
This is indicated by the required service property CONTEXT. If the property is missing or
invalid, the service is ignored.
\ No newline at end of file
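Review bot: The decision rule in the ResourceAccessGate paragraph is underspecified for a security document: "If one of the gates grants access for a given operation access will be granted" does not say what happens when a higher-ranked gate denies, or what the outcome is when every matching gate returns GateResult.CANT_DECIDE. State the default (deny or allow) explicitly, and how a deny interacts with a later grant and with finaloperations. The paragraph also says gates are registered "with a path (like provider.roots)" and talks about "the longest path", while the property list defines path as a regexp with default .*; pick one model and describe the matching accordingly. Smaller points: the text switches between ResourceAccessGate and ResourceAccessGateService for the same interface, "service properties:" is stuck to the end of the paragraph instead of introducing the list, and "To let use Resource Resolver" needs rewording.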
