Hi Lukas, On Mon, Mar 25, 2013 at 5:09 PM, Lukas Eder <lukas.e...@gmail.com> wrote: > Are there any such plans in OAK?
Yes, but not exactly as you outline. Instead of having a special "secure realm" or other special modes that allows things like JCR API calls without access restrictions, we've built Oak using a set of layers with with different responsibilities and limitations. The lowest ones of these levels, the NodeState model [1] and the underlying MicroKernel, offer an unrestricted view on the content stored in the repository. Access controls are currently built into the next level that consists of the TreeImpl class and other components that make up the Oak API [2]. Just recently we've been discussion about whether access control checks should be pushed even further down the stack into the NodeState level. See [3] for the relevant (and ongoing) thread. It would be great if you could take a look at those layers and the recent discussion to see whether they address the issues you've encountered with Jackrabbit's access control model. [1] https://github.com/apache/jackrabbit-oak/blob/trunk/doc/nodestate.md [2] https://github.com/apache/jackrabbit-oak/blob/trunk/oak-core/README.md [3] http://markmail.org/message/a4vviwtddoajx4ua BR, Jukka Zitting
