Hi all There have been a number of threads and proposal flying around recently in an attempt to make the Resource API more secure: It started with Mike's ResourceAccessGate and currently is at Carsten's ResourceProviderDecorator.
I would like to promote a third strategy: * ResourceProviders are expected to implement access control at their own level. They do so in their own implementation or they leverage access control support of the underlying data store (as the JCR ResourceProvider does). * The ResourceAccessGate is a helper service for ResourceProviders to implement access control if they wish to do so. WDYT ? Regards Felix -- Felix Meschberger | Principal Scientist | Adobe