Branden,
Depending on which version of Jackrabbit you are running you might be
able to.
Assuming / has
  everyone:grant:jcr:write
  admin:grant:jcr:all
  anonymous:grant:jcr:read
then /users/branden will need
  branden:grant:jcr:write
  everyone:deny:jcr:all
  anonymous:deny:jcr:all
Certainly in 1.5.7 you can't deny access to a group,
so since everyone was granted read at / you can't deny read at
/users/branden.
I think in JR2 group deny was enabled, but ATM we don't have JR2 in
Sling (Felix is working on it).
The other problem is that both the AccessManagerServlets and the
DefaultSecurityManager have blocks of code that prevent a
group:deny:* ACE being applied.
i.e. you can't set everyone:deny:jcr:all, and it's not processed even if
you could.
So as part of the upgrade to 2, the checks would need to be removed in
the access manager bundle to allow group deny.
Alternatively, I think the security settings in the contentloader
bundle will allow you to set these ACEs directly.
----------------
We had exactly the same issue, so we patched everything to make it
work. Sadly the patch to the 1.5.7 DefaultSecurityManager is quite
extensive since it requires far greater control over the order in
which the ACL bitmap is compiled. (branden is a member of everyone is
just one issue.)
I am in the process of reworking those patches for the JR1.6 based
server bundle, but I am not there yet, and can give you pointers to
the code if you like.
HTH
Ian
On 5 Dec 2009, at 01:30, Branden Visser wrote:
Hi all,
This sounds like more of a JCR question than Sling, but I'm hoping
it's a quick answer:
If I have a resource node: /users/branden, how would I make the
resource 'branden' and everything beneath it be private, so that no
other authenticated user (except branden) can read it? I looked at
the AccessControl spec and read up on the spec, but I didn't see
anything that could serve this purpose. Did I miss a document?
Thanks,
Branden
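
The ACEs listed in the reply above, run through a simplified evaluation model. This is an added example, not part of the original thread and not Jackrabbit's code. Assumptions: jcr:all is reduced to read plus write, ACEs are compiled root-to-leaf into one privilege set, and "alice", `honor_group_deny` and `groups_first` are hypothetical names.

```python
# Added illustration: a simplified ACL model, NOT Jackrabbit's implementation.
# Assumptions: jcr:all is just {read, write}; ACEs are applied root-to-leaf and
# compiled into one privilege set; "alice" is a hypothetical other user.
JCR_ALL = {"jcr:read", "jcr:write"}
GROUPS = {"everyone"}  # every principal, branden included, is a member

ACLS = {  # (principal, is_allow, privileges), as listed in the message
    "/": [("everyone", True, {"jcr:write"}),
          ("admin", True, JCR_ALL),
          ("anonymous", True, {"jcr:read"})],
    "/users/branden": [("branden", True, {"jcr:write"}),
                       ("everyone", False, JCR_ALL),
                       ("anonymous", False, JCR_ALL)],
}

def node_chain(path):
    """'/users/branden' -> ['/', '/users', '/users/branden']"""
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]

def effective(user, path, honor_group_deny, groups_first=True):
    """Compile the privilege set `user` ends up with at `path`."""
    granted = set()
    for node in node_chain(path):
        aces = [a for a in ACLS.get(node, []) if a[0] == user or a[0] in GROUPS]
        # Stable sort: decides whether group or user ACEs are compiled first.
        aces.sort(key=lambda a: (a[0] in GROUPS) == (not groups_first))
        for principal, allow, privs in aces:
            if allow:
                granted |= privs
            elif principal in GROUPS and not honor_group_deny:
                continue  # group deny dropped, as the message describes
            else:
                granted -= privs
    return granted

if __name__ == "__main__":
    target = "/users/branden"
    for user in ("alice", "branden", "anonymous"):
        print(user, "group deny ignored:", sorted(effective(user, target, False)))
        print(user, "group deny honored:", sorted(effective(user, target, True)))
    print("branden, user ACEs compiled before group ACEs:",
          sorted(effective("branden", target, True, groups_first=False)))
```

In this model, dropping the group deny leaves alice with the jcr:write inherited from /, and compiling everyone's deny after branden's grant removes branden's own access, which is why the compile order matters.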