On Tue, Jul 6, 2010 at 12:53, Ian Boston <i...@tfd.co.uk> wrote:
> All users have read to /_user/<userid> because there are public materials in
> /_user/<userid>
> No users have list on /_user because of the policy.
With principal-based ACLs I think this would look like this, for a user "foo":

Allow read /_user
Allow read+write /_user/foo
Deny read /_user/*

The current implementation allows for a base path (/_user) + a glob (* in this case). These are the "rep:nodePath" and "rep:glob" properties of the rep:ACE node, which must be set as "constraints" using the Jackrabbit-specific API [1] (the jcr 2.0 API is completely built around resource-based acl storage, thus jackrabbit has to provide some extensions to work with principal-based acls).

Documentation is a bit scarce, but here are some links:

http://markmail.org/message/xveqaau6hvunsl6l
http://jackrabbit.apache.org/api/2.1/org/apache/jackrabbit/api/security/package-summary.html

[1] http://jackrabbit.apache.org/api/2.1/org/apache/jackrabbit/api/security/JackrabbitAccessControlList.html#addEntry(java.security.Principal,%20javax.jcr.security.Privilege[],%20boolean,%20java.util.Map)

Regards,
Alex

--
Alexander Klimetschek
alexander.klimetsc...@day.com
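The three entries Alex lists, written against the Jackrabbit 2.x principal-based API he links to, as an added example that is not part of the thread and not Jackrabbit's own code. It assumes a `JackrabbitSession` with rights to edit access control, a user "foo" whose principal is resolvable through the `PrincipalManager`, and that the repository is configured for principal-based ACLs (so that `getPolicies(Principal)` / `getApplicablePolicies(Principal)` return a `JackrabbitAccessControlList`). The restriction names `rep:nodePath` and `rep:glob` come from the mail; the exact matching semantics of the glob value are not stated there, so the example ends with a `hasPermission` check run as the user, which is the way to confirm what the policy actually grants on the deployed version.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.jcr.PropertyType;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.Privilege;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;

/** Added example (assumed setup, not Jackrabbit project code). */
public class PrincipalAclExample {

    // Restriction names named in the mail thread.
    static final String REP_NODE_PATH = "rep:nodePath";
    static final String REP_GLOB = "rep:glob";

    /** Writes the three entries from the thread for the given user id. */
    public static void applyUserPolicy(Session adminSession, String userId) throws RepositoryException {
        JackrabbitSession js = (JackrabbitSession) adminSession;
        JackrabbitAccessControlManager acm = (JackrabbitAccessControlManager) js.getAccessControlManager();
        ValueFactory vf = js.getValueFactory();
        Principal user = js.getPrincipalManager().getPrincipal(userId);

        // Principal-based policies are looked up by principal, not by node path:
        // take an existing list if there is one, otherwise an applicable (new) one.
        JackrabbitAccessControlList acl = findList(acm.getPolicies(user));
        if (acl == null) {
            acl = findList(acm.getApplicablePolicies(user));
        }
        if (acl == null) {
            throw new IllegalStateException("no principal-based ACL available for " + userId);
        }

        Privilege[] read = { acm.privilegeFromName(Privilege.JCR_READ) };
        Privilege[] readWrite = { acm.privilegeFromName(Privilege.JCR_READ),
                                  acm.privilegeFromName(Privilege.JCR_WRITE) };

        // Allow read /_user          (base path only, no glob)
        acl.addEntry(user, read, true, restrictions(vf, "/_user", null));
        // Allow read+write /_user/foo
        acl.addEntry(user, readWrite, true, restrictions(vf, "/_user/" + userId, null));
        // Deny read /_user/*         (base path /_user plus the "*" glob, as in the mail)
        acl.addEntry(user, read, false, restrictions(vf, "/_user", "*"));

        // Principal-based lists carry their own storage path; use it when setting the policy.
        acm.setPolicy(acl.getPath(), acl);
        js.save();
    }

    private static JackrabbitAccessControlList findList(AccessControlPolicy[] policies) {
        for (AccessControlPolicy p : policies) {
            if (p instanceof JackrabbitAccessControlList) {
                return (JackrabbitAccessControlList) p;
            }
        }
        return null;
    }

    /** Builds the restriction map; rep:nodePath is a PATH value, rep:glob a STRING. */
    private static Map<String, Value> restrictions(ValueFactory vf, String nodePath, String glob)
            throws RepositoryException {
        Map<String, Value> r = new HashMap<String, Value>();
        r.put(REP_NODE_PATH, vf.createValue(nodePath, PropertyType.PATH));
        if (glob != null) {
            r.put(REP_GLOB, vf.createValue(glob));
        }
        return r;
    }

    /** Reads the stored entries back, including their restrictions, for review. */
    public static Map<String, String> describeEntries(JackrabbitAccessControlList acl) throws RepositoryException {
        Map<String, String> out = new LinkedHashMap<String, String>();
        int i = 0;
        for (AccessControlEntry e : acl.getAccessControlEntries()) {
            JackrabbitAccessControlEntry je = (JackrabbitAccessControlEntry) e;
            StringBuilder sb = new StringBuilder(je.isAllow() ? "allow" : "deny");
            for (Privilege p : je.getPrivileges()) {
                sb.append(' ').append(p.getName());
            }
            for (String name : je.getRestrictionNames()) {
                sb.append(' ').append(name).append('=').append(je.getRestriction(name).getString());
            }
            out.put("entry" + (i++), sb.toString());
        }
        return out;
    }

    /** Logged in as the user, reports what the policy actually grants (the check that matters). */
    public static Map<String, Boolean> checkAsUser(Session userSession, String userId, String otherUserId)
            throws RepositoryException {
        Map<String, Boolean> result = new LinkedHashMap<String, Boolean>();
        result.put("read /_user", userSession.hasPermission("/_user", Session.ACTION_READ));
        result.put("read own home", userSession.hasPermission("/_user/" + userId, Session.ACTION_READ));
        result.put("write own home", userSession.hasPermission("/_user/" + userId, Session.ACTION_SET_PROPERTY));
        result.put("read other home", userSession.hasPermission("/_user/" + otherUserId, Session.ACTION_READ));
        return result;
    }
}
```

`checkAsUser` is the part to keep around: after any change to the entries or the glob value, log in as "foo" and confirm that "read own home" and "write own home" are true while "read other home" is false, rather than reasoning about glob matching from the property values alone.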