On Tue, Jul 6, 2010 at 16:42, Ian Boston <i...@tfd.co.uk> wrote:
> I understand the principal based ACLs (or at least I think I do). I will have
> to integrate it into the extension of the Standard ACE/ACE
> AccessControlProvider since in this workspace we also need the normal ACL and
> IIRC the repository.xml does not allow you to configure more than one
> AccessControlProvider per workspace ?

There is an org.apache.jackrabbit.core.security.authorization.combined.CombinedProvider
that combines both the default resource-based provider
(org.apache.jackrabbit.core.security.authorization.acl.ACLProvider) and the
principal-one. Not sure exactly in which order both are applied, though. But
if you don't mix principal- and resource-based ACLs for certain subtrees, it
shouldn't be a problem at all.

> I *will* give this a go, however
> I can't see how this will work when the AccessManager/AccessControlProvider
> does not discriminate between a listChildNodes call and a getNode call ?
>
> IIRC The Sling ResourceResolver impl requires jcr:read to all the elements of
> a path leading to a node, not just the final node. I remember looking at the
> resolution process and seeing it walk up path.

As I said above, listing child nodes in getNodes() will check the read
permission on each child node before including it.

But for your use case it is not even necessary to separate the two cases at
all, since these are _different_ child nodes, IIUC. The one with access is the
user's node under /_user/foo, and all the others under /_user (expressed by
/_user/* in the resource based ACLs) are not readable for the user:

    Node users = session.getNode("/_user"); // works
    users.getNodes(); // returns only "/_user/foo"
    session.getNode("/_user/foo"); // works, too
    session.getNode("/_user/bar"); // no rights => PathNotFoundException

Or am I missing something in your use case?

> Let me do the work and validate if this is the case or not. (after all, I was
> the one asking the question, so I should be prepared to spend time checking a
> possible solution :))

Ok, hope it works out as a good solution for you!

Regards,
Alex

--
Alexander Klimetschek
alexander.klimetsc...@day.com
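
The behaviour described in the message above can be turned into a repeatable isolation check. The following is an added example, not part of the original message or of Jackrabbit: it uses only the standard JCR 2.0 API, and the class name, method name and parameters are hypothetical. It assumes the caller passes a session logged in as the user under test and the name of a sibling node that really exists.

```java
import java.util.ArrayList;
import java.util.List;
import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;

/** Added example (hypothetical names): reports ACL leaks under a shared parent. */
public final class HomeIsolationCheck {

    /**
     * @param session session logged in as the user under test
     * @param parent  shared parent path, e.g. "/_user"
     * @param own     name of the user's own child node, e.g. "foo"
     * @param other   name of an existing sibling owned by someone else, e.g. "bar"
     * @return human-readable findings; empty when isolation holds
     */
    public static List<String> findLeaks(Session session, String parent,
                                         String own, String other)
            throws RepositoryException {
        List<String> findings = new ArrayList<String>();
        String otherPath = parent + "/" + other;

        // Both must resolve: path resolution needs read access on every ancestor.
        Node users = session.getNode(parent);
        session.getNode(parent + "/" + own);

        // getNodes() filters per child, so any other name in the listing is a leak.
        boolean sawOwn = false;
        for (NodeIterator it = users.getNodes(); it.hasNext();) {
            Node child = it.nextNode();
            if (own.equals(child.getName())) {
                sawOwn = true;
            } else {
                findings.add("listing exposes " + child.getPath());
            }
        }
        if (!sawOwn) {
            findings.add("own node missing from listing of " + parent);
        }

        // A denied read must be indistinguishable from a missing node.
        try {
            session.getNode(otherPath);
            findings.add(otherPath + " is readable via getNode()");
        } catch (PathNotFoundException expected) {
            // expected: no read permission is reported as "not found"
        }
        if (session.nodeExists(otherPath)
                || session.hasPermission(otherPath, Session.ACTION_READ)) {
            findings.add(otherPath + " is visible via nodeExists()/hasPermission()");
        }
        return findings;
    }
}
```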