You might want to consider not using html on lists :), came through a
bit odd.
Comments inline
On 5 Dec 2009, at 15:39, Branden Visser wrote:
Ian,
Thanks for the detailed reply. I've left some comments below.
-----Ian Boston <[email protected]> wrote: -----
To: [email protected]
From: Ian Boston <[email protected]>
Sent by: Ian Boston <[email protected]>
Date: 12/05/2009 07:42AM
Cc: [email protected]
Subject: Re: Private content in JCR
Branden,
Depending on which version of Jackrabbit you are running you might be able to.
Assuming / has
    everyone:grant:jcr:write
    admin:grant:jcr:all
    anonymous:grant:jcr:read
then /users/branden will need
    branden:grant:jcr:write
    everyone:deny:jcr:all
    anonymous:deny:jcr:all
Ahh, an "everyone" group, that's one big concept I was missing (as
well as info about the group deny). Is this a built-in group in JCR
that I can reference?
Yes, I think it is; you should use the PrincipalManager.getEveryone()
method to get its principal, which you can use to reference it. I think
it might be a bit unsafe to use "everyone" as a string.
Or do I have to create and maintain it manually as I create more
users?
IIRC the PrincipalManager impl does it all auto for you.
Certainly in 1.5.7 you can't deny access to a group, so since everyone was
granted read at / you can't deny read at /users/branden.
I think in JR2 group deny was enabled, but ATM we don't have JR2 in
Sling (Felix is working on it).
Is there a JIRA ticket I can track for the progress? Or even better,
some incomplete prerequisite tickets I can complete to help the
process along?
https://issues.apache.org/jira/browse/SLING-1093
The other problem is that both the AccessManagerServlets and the
DefaultSecurityManager have blocks of code that prevent a
group:deny:* ACE being applied, i.e. you can't set everyone:deny:jcr:all,
and it's not processed even if you could.
So as part of the upgrade to 2, the checks would need to be removed in
the access manager bundle to allow group deny.
Alternatively I think the security settings in the contentloader
bundle will allow you to set these ACEs directly.
----------------
We had exactly the same issue, so we patched everything to make it
work. Sadly the patch to the 1.5.7 DefaultSecurityManager is quite
extensive since it requires far greater control over the order in
which the ACL bitmap is compiled. (branden is a member of everyone is
just one issue)
I am in the process of reworking those patches for the JR1.6 based
server bundle, but I am not there yet, and can give you pointers to
the code if you like.
If you don't mind giving pointers to the code, that would be great.
Depending on the timeline of Sling+JR2, I wouldn't mind looking at
group-deny for 1.6 if there are any open JIRA's associated to it.
My server bundle is [1], access manager [2], user manager [3]; however,
the user manager is highly custom (and you might not need it).
These are JR1.5.7 versions, and may include dependencies you don't want
(esp. user).
Ian
1.
http://github.com/ieb/open-experiments/tree/master/slingtests/osgikernel/bundles/server/
2.
http://github.com/ieb/open-experiments/tree/master/slingtests/osgikernel/bundles/sling/accessmanager/
3.
http://github.com/ieb/open-experiments/tree/master/slingtests/osgikernel/bundles/user/
HTH
Ian
Thanks again, it was a great help.
Branden
On 5 Dec 2009, at 01:30, Branden Visser wrote:
Hi all,
This sounds like more of a JCR question than Sling, but I'm hoping
it's a quick answer:
If I have a resource node: /users/branden, how would I make the
resource 'branden' and everything beneath it be private, so that no
other authenticated user (except branden) can read it?
I looked at the AccessControl spec and read up on the spec, but I didn't
see anything that could serve this purpose. Did I miss a document?
Thanks,
Branden
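The ACE layout Ian describes in the thread (everyone granted read at /, then at /users/branden an allow for the owner plus a deny-all for the everyone and anonymous principals) expressed against the JCR 2.0 and Jackrabbit 2.x API, as an added example that is not code from the thread or from any of the bundles linked above. It assumes a Jackrabbit 2.x repository where group deny entries are honoured (the thread notes 1.5.7 cannot apply them), that /users/<userId> already exists, and that a principal named "anonymous" exists; the class, method and helper names are the example's own. Following Ian's advice, it resolves the everyone group through PrincipalManager.getEveryone() instead of the string "everyone".

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;

// Hypothetical helper class written for this example (not part of Sling or Jackrabbit).
public class PrivateHomeAcl {

    /** Return the ACL already bound to the path, or the unbound one Jackrabbit offers for it. */
    private static JackrabbitAccessControlList getAcl(AccessControlManager acm, String path)
            throws RepositoryException {
        // A policy that has already been set on the node is reported by getPolicies() ...
        for (AccessControlPolicy p : acm.getPolicies(path)) {
            if (p instanceof JackrabbitAccessControlList) {
                return (JackrabbitAccessControlList) p;
            }
        }
        // ... otherwise a fresh, not-yet-bound ACL is offered by getApplicablePolicies().
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof JackrabbitAccessControlList) {
                return (JackrabbitAccessControlList) p;
            }
        }
        throw new RepositoryException("No modifiable ACL available at " + path);
    }

    /** Resolve privilege names (e.g. Privilege.JCR_ALL) to Privilege objects of this repository. */
    private static Privilege[] privs(AccessControlManager acm, String... names)
            throws RepositoryException {
        Privilege[] out = new Privilege[names.length];
        for (int i = 0; i < names.length; i++) {
            out[i] = acm.privilegeFromName(names[i]);
        }
        return out;
    }

    /**
     * Make /users/<userId> readable and writable only by its owner.
     * Assumes the caller's session has jcr:modifyAccessControl on that path (admin, typically).
     */
    public static void makeHomePrivate(Session session, String userId) throws RepositoryException {
        if (!(session instanceof JackrabbitSession)) {
            throw new IllegalArgumentException("A Jackrabbit session is required");
        }
        JackrabbitSession js = (JackrabbitSession) session;
        AccessControlManager acm = js.getAccessControlManager();
        PrincipalManager pm = js.getPrincipalManager();

        // Principals, not strings: getEveryone() is the built-in group Ian refers to.
        Principal everyone = pm.getEveryone();
        Principal owner = pm.getPrincipal(userId);
        Principal anonymous = pm.getPrincipal("anonymous"); // assumed principal name
        if (owner == null) {
            throw new RepositoryException("No such principal: " + userId);
        }

        String home = "/users/" + userId;
        JackrabbitAccessControlList acl = getAcl(acm, home);

        // branden:grant:jcr:write. jcr:write does not aggregate jcr:read, so once
        // everyone is denied below the owner also needs an explicit read allow.
        acl.addEntry(owner, privs(acm, Privilege.JCR_READ, Privilege.JCR_WRITE), true);
        // everyone:deny:jcr:all. This is the group deny that 1.5.7 could not apply.
        acl.addEntry(everyone, privs(acm, Privilege.JCR_ALL), false);
        // anonymous:deny:jcr:all (skipped if the repository has no such principal).
        if (anonymous != null) {
            acl.addEntry(anonymous, privs(acm, Privilege.JCR_ALL), false);
        }
        acm.setPolicy(home, acl);
        session.save();
    }

    /** Verify the outcome from another user's session: true if it may read the home node. */
    public static boolean canRead(Session other, String userId) throws RepositoryException {
        return other.hasPermission("/users/" + userId, Session.ACTION_READ);
    }
}
```

After makeHomePrivate(adminSession, "branden") has run, canRead(brandenSession, "branden") should be true and canRead(otherUserSession, "branden") false; checking with a second, non-admin session rather than the admin session is the meaningful test, because admin is never subject to the deny. The owner's allow is added before the group deny, and in Jackrabbit 2's resource-based provider entries for a user principal take precedence over entries for the groups that user belongs to, which is exactly the "branden is a member of everyone" case the 1.5.7 patch had to handle by hand.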