On 6 Jul 2010, at 13:12, Alexander Klimetschek wrote:

> On Tue, Jul 6, 2010 at 12:53, Ian Boston <[email protected]> wrote:
>> All users have read to /_user/<userid> because there are public materials
>> in /_user/<userid>
>> No users have list on /_user because of the policy.
>
> With principal-based ACLs I think this would look like this, for a user "foo":
>
> Allow read /_user
> Allow read+write /_user/foo
> Deny read /_user/*
>
> The current implementation allows for a base path (/_user) + a glob (*
> in this case). These are the "rep:nodePath" and "rep:glob" properties
> of the rep:ACE node, which must be set as "constraints" using the
> Jackrabbit-specific API [1] (the jcr 2.0 API is completely built
> around resource-based acl storage, thus jackrabbit has to provide some
> extensions to work with principal-based acls).
I understand the principal-based ACLs (or at least I think I do). I will have to integrate it into the extension of the Standard ACE/ACE AccessControlProvider since in this workspace we also need the normal ACL, and IIRC the repository.xml does not allow you to configure more than one AccessControlProvider per workspace?

I *will* give this a go, however I can't see how this will work when the AccessManager/AccessControlProvider does not discriminate between a listChildNodes call and a getNode call? IIRC the Sling ResourceResolver impl requires jcr:read to all the elements of a path leading to a node, not just the final node. I remember looking at the resolution process and seeing it walk up the path.

Let me do the work and validate if this is the case or not. (After all, I was the one asking the question, so I should be prepared to spend time checking a possible solution :))

Ian

> Documentation is a bit scarce, but here are some links:
> http://markmail.org/message/xveqaau6hvunsl6l
> http://jackrabbit.apache.org/api/2.1/org/apache/jackrabbit/api/security/package-summary.html
>
> [1]
> http://jackrabbit.apache.org/api/2.1/org/apache/jackrabbit/api/security/JackrabbitAccessControlList.html#addEntry(java.security.Principal,%20javax.jcr.security.Privilege[],%20boolean,%20java.util.Map)
>
> Regards,
> Alex
>
> --
> Alexander Klimetschek
> [email protected]
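The three principal-based entries Alex sketches, written out against the Jackrabbit 2.x API he links to, as an added example that is not code from the thread or from Jackrabbit itself. It assumes a logged-in JackrabbitSession on a workspace configured with the principal-based AccessControlProvider, an existing user whose principal name equals its user id, and the default "rep" namespace prefix for the "rep:nodePath" / "rep:glob" restriction names; the exact match semantics of rep:glob and the order in which entries are evaluated should be checked against the Jackrabbit version in use before relying on the Deny entry.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;

public class UserHomeAcl {
    // Restriction names as given in the thread (default "rep" prefix assumed).
    private static final String NODE_PATH = "rep:nodePath";
    private static final String GLOB = "rep:glob";

    /** Writes the three entries sketched in the thread for one user id. */
    public static void apply(Session session, String userId) throws RepositoryException {
        Principal user = ((JackrabbitSession) session).getPrincipalManager().getPrincipal(userId);
        JackrabbitAccessControlManager acMgr =
            (JackrabbitAccessControlManager) session.getAccessControlManager();
        // Principal-based policies are looked up by principal, not by node path.
        JackrabbitAccessControlPolicy[] policies = acMgr.getApplicablePolicies(user);
        if (policies.length == 0) {
            policies = acMgr.getPolicies(user); // already bound: edit the existing list
        }
        JackrabbitAccessControlList acl = (JackrabbitAccessControlList) policies[0];
        Privilege[] read = { acMgr.privilegeFromName(Privilege.JCR_READ) };
        Privilege[] readWrite = { read[0], acMgr.privilegeFromName(Privilege.JCR_WRITE) };
        // Allow read /_user
        acl.addEntry(user, read, true, restrict(session, acl, "/_user", null));
        // Allow read+write /_user/<userId>
        acl.addEntry(user, readWrite, true, restrict(session, acl, "/_user/" + userId, null));
        // Deny read /_user/*  (base path + glob, as described in the thread)
        acl.addEntry(user, read, false, restrict(session, acl, "/_user", "*"));
        acMgr.setPolicy(acl.getPath(), acl);
        session.save();
    }

    /** rep:nodePath (+ optional rep:glob) restriction map, typed as the ACL declares them. */
    private static Map<String, Value> restrict(Session s, JackrabbitAccessControlList acl,
            String path, String glob) throws RepositoryException {
        Map<String, Value> r = new HashMap<String, Value>();
        r.put(NODE_PATH, s.getValueFactory().createValue(path, acl.getRestrictionType(NODE_PATH)));
        if (glob != null) {
            r.put(GLOB, s.getValueFactory().createValue(glob, acl.getRestrictionType(GLOB)));
        }
        return r;
    }
}
```

After saving, `acMgr.getPolicies(user)` should return the list with the three entries, and reading `/_user/<other>` as that user is the check for whether the Deny entry behaves as the sketch intends.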
