On Fri, Jul 2, 2010 at 11:29, Bertrand Delacretaz
<[email protected]> wrote:
>> Anon, can't list the contents of /_user
>> /_user/
>
> Deny a (custom? new?) "list child nodes" permission on /_user to anon

Currently you would have to deny the jcr:read permission on all child
nodes to get this effect.

I think this whole situation is best resolved by using principal-based
access control, which is available in Jackrabbit 2.0 already. It
stores the permissions via something like path regexps on the user,
instead of on the resources. The rest would be modeled via groups. You
can do things like this:

    allow = /_user
    deny = /_user/*

To enable it, you have to set this config in the workspace.xml:

    <WorkspaceSecurity>
      <AccessControlProvider
        class="org.apache.jackrabbit.core.security.authorization.principalbased.ACLProvider"
      />
    </WorkspaceSecurity>

See the Jackrabbit dev list for more information.

Regards,
Alex
--
Alexander Klimetschek
[email protected]
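
Added example, not part of the original message and not Jackrabbit code: a small Python model of the allow = /_user, deny = /_user/* pair stored on the principal, used to check what anonymous and a group member can read. The evaluation rules (last matching entry wins, no match means no access, "*" also matches "/"), the "anonymous", "alice" and "members" principals and the node tree are assumptions made for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    principal: str   # user or group the entry is stored on
    allow: bool      # True = allow read, False = deny read
    pattern: str     # path pattern; "*" matches any run of characters (assumption)


def _matches(pattern, path):
    # Escape the literal parts and let "*" match anything, "/" included.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, path) is not None


def can_read(entries, principals, path):
    """Model rule (assumption): last matching entry wins, default is deny."""
    decision = False
    for entry in entries:
        if entry.principal in principals and _matches(entry.pattern, path):
            decision = entry.allow
    return decision


def visible_children(entries, principals, parent, tree):
    """Direct children of `parent` that the given principals can read."""
    return [p for p in tree
            if p.rsplit("/", 1)[0] == parent and can_read(entries, principals, p)]


# Constructed sample data.
TREE = ["/_user", "/_user/alice", "/_user/bob", "/_user/alice/private", "/_userfoo"]
POLICY = [
    Entry("anonymous", True, "/_user"),     # allow = /_user
    Entry("anonymous", False, "/_user/*"),  # deny  = /_user/*
    Entry("members", True, "/_user"),       # "the rest" modeled via a group
    Entry("members", True, "/_user/*"),
]

if __name__ == "__main__":
    print(can_read(POLICY, {"anonymous"}, "/_user"))
    print(visible_children(POLICY, {"anonymous"}, "/_user", TREE))
    print(visible_children(POLICY, {"alice", "members"}, "/_user", TREE))
```

Two entries on the anonymous principal cover every current and future child of /_user, where the resource-based approach needs a jcr:read deny on each child node.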