Hi, I am working on the JCR2/Jackrabbit 2 integration in my whiteboard at [1]

Regards
Felix

[1] https://svn.apache.org/repos/asf/sling/whiteboard/fmeschbe/jackrabbit2upgrade/

Branden Visser wrote:
> Ian,
>
> Thanks for the detailed reply. I've left some comments below.
>
> -----Ian Boston <[email protected]> wrote: -----
>
>> To: [email protected]
>> From: Ian Boston <[email protected]>
>> Sent by: Ian Boston <[email protected]>
>> Date: 12/05/2009 07:42AM
>> Cc: [email protected]
>> Subject: Re: Private content in JCR
>>
>> Branden,
>> Depending on which version of Jackrabbit you are running you might be
>> able to.
>>
>> Assuming
>> / has
>> everyone:grant:jcr:write
>> admin:grant:jcr:all
>> anonomous:grant:jcr:read
>> then /users/branden will need
>> branden:grant:jcr:write
>> everyone:deny:jcr:all
>> anonomous:deny:jcr:all
>>
>
> Ahh, an "everyone" group, that's one big concept I was missing (as well as
> info about the group deny). Is this a built-in group in JCR that I can
> reference? Or do I have to create and maintain it manually as I create more
> users?
>
>> Certainly in 1.5.7 you can't deny access to a group,
>> so since everyone was granted read at / you can't deny read at
>> /users/branden
>>
>> I think in JR2 group deny was enabled, but ATM we don't have JR2 in
>> Sling (Felix is working on it).
>>
>
> Is there a JIRA ticket I can track for the progress? Or even better, some
> incomplete prerequisite tickets I can complete to help the process along?
>
>> The other problem is that both the AccessManagerServlets and the
>> DefaultSecurityManager have blocks of code that prevent a
>> group:deny:* ACE being applied.
>>
>> ie you can't set everyone:deny:jcr:all and it's not processed even if
>> you could.
>>
>> So as part of the upgrade to 2, the checks would need to be removed
>> in the access manager bundle to allow group deny.
>> Alternatively I think the security settings in the contentloader
>> bundle will allow you to set these ACEs directly
>>
>> ----------------
>>
>> We had exactly the same issue, so we patched everything to make it
>> work. Sadly the patch to the 1.5.7 DefaultSecurityManager is quite
>> extensive since it requires far greater control over the order in
>> which the ACL bitmap is compiled. (branden is a member of everyone is
>> just one issue)
>>
>> I am in the process of reworking those patches for the JR1.6 based
>> server bundle, but I am not there yet, and can give you pointers to
>> the code if you like.
>
> If you don't mind giving pointers to the code, that would be great. Depending
> on the timeline of Sling+JR2, I wouldn't mind looking at group-deny for 1.6
> if there are any open JIRAs associated to it.
>
>> HTH
>> Ian
>>
>
> Thanks again, it was a great help.
>
> Branden
>
>> On 5 Dec 2009, at 01:30, Branden Visser wrote:
>>
>>> Hi all,
>>>
>>> This sounds like more of a JCR question than Sling, but I'm hoping
>>> it's a quick answer:
>>>
>>> If I have a resource node: /users/branden, how would I make the
>>> resource 'branden' and everything beneath it be private, so that no
>>> other authenticated user (except branden) can read it? I looked at
>>> the AccessControl spec and read up on the spec, but I didn't see
>>> anything that could serve this purpose. Did I miss a document?
>>>
>>> Thanks,
>>> Branden
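
Added example, not part of the thread and not Jackrabbit code: a simplified Python model of the ACEs listed in the quoted reply, showing that the everyone deny only makes /users/branden private when group deny is honoured and the user's own entry is applied after the group entries. Assumptions: jcr:all is reduced to jcr:read plus jcr:write, every user is a member of everyone, `alice` is a constructed second user, and `effective`, `ancestors` and the two flags are hypothetical names.

```python
# Simplified model of the ACEs from the thread; NOT Jackrabbit's evaluation code.
ALL = {"jcr:read", "jcr:write"}   # assumption: jcr:all reduced to two privileges
GROUPS = {"everyone"}             # group principals; every other principal is a user

# (node path, principal, allow?, privilege) in the order listed in the thread
ACES = [
    ("/", "everyone", True, "jcr:write"),
    ("/", "admin", True, "jcr:all"),
    ("/", "anonymous", True, "jcr:read"),
    ("/users/branden", "branden", True, "jcr:write"),
    ("/users/branden", "everyone", False, "jcr:all"),
    ("/users/branden", "anonymous", False, "jcr:all"),
]

def ancestors(path):
    """'/users/branden' -> ['/', '/users', '/users/branden']"""
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]

def effective(user, path, group_deny=True, user_over_group=True):
    """Privileges `user` holds at `path`; later ACEs override earlier ones."""
    principals = {user, "everyone"}   # assumption: everyone contains all users
    granted = set()
    for node in ancestors(path):      # root first, so nearer nodes override
        entries = [a for a in ACES if a[0] == node and a[1] in principals]
        if user_over_group:
            # stable sort: group entries first, the user's own entry applied last
            entries.sort(key=lambda a: a[1] not in GROUPS)
        for _, principal, allow, priv in entries:
            if not allow and principal in GROUPS and not group_deny:
                continue  # group deny dropped, as the thread describes for 1.5.7
            privs = ALL if priv == "jcr:all" else {priv}
            granted = granted | privs if allow else granted - privs
    return granted

if __name__ == "__main__":
    for who in ("branden", "alice", "anonymous"):
        print(who, sorted(effective(who, "/users/branden")),
              "| without group deny:",
              sorted(effective(who, "/users/branden", group_deny=False)))
```

With `user_over_group=False` the entries are applied in listed order and the everyone deny removes branden's own grant, which is the ordering problem the reply mentions.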
