On Wed, Jul 7, 2010 at 09:45, Ian Boston <[email protected]> wrote: > > On 6 Jul 2010, at 22:15, Alexander Klimetschek wrote: > >> You would not have an anonymous user here at all, as you'd enforce >> authentication for the /_user tree. > > > Unfortunately that does not work. > > /_user/<userid>/** > > *must* be accessible by anon so we cant force authentication.
What is the use case behind this? Something like "~user" dirs? It's a good practice to let the content model follow the access control (see also David's model, rule #2 [1]). ~user URLs are in conflict with this rule and not sure if they are a good practice anyway... However, I see two solutions: 1) the public part would be some subdirectory of the user node, ie. /_user/<userid>/public_html; then with a principal-based ACL like "read anon /_user/*/public_html" it should be accessible to the public; a special filter would then do the redirect from "~<userid>" URLs to the internal /_user/<userid>/public_html path 2) separate the user private and public trees completely, ie. for the public part have something like /content /users/<userid> > Without differentiation between "list child nodes" and "read child node" in > jcr-170 or jcr-283, I don't think what I need to be done, can be achieved by > any access manager/access control provider that conforms to the standard. > > So I have no option but to put the access control somewhere else. That doesn't solve the IMHO conceptually wrong content model, ie. if the /_user/<userid> node itself is both private and public at the same time. > I will look that the userdir suggestion that Bertrand made, perhaps as a > resource resolver as that is probably a better way of doing it in Sling. [1] http://wiki.apache.org/jackrabbit/DavidsModel#Rule_.232:_Drive_the_content_hierarchy.2C_don.27t_let_it_happen. Regards, Alex -- Alexander Klimetschek [email protected]
