RE: Feedback on the current ResourceAccessSecurity API

, 2013 10:05 AM > To: dev@sling.apache.org > Subject: Re: Feedback on the current ResourceAccessSecurity API > > Hi Mike, > > On Wed, Apr 3, 2013 at 9:18 PM, Mike Müller wrote: > > ...I commited a last shot of the SPI API. The Sling API hasn't changed > > anymor

Re: Feedback on the current ResourceAccessSecurity API

Hi Mike, On Wed, Apr 3, 2013 at 9:18 PM, Mike Müller wrote: > ...I commited a last shot of the SPI API. The Sling API hasn't changed > anymore. I think the API is now complete and after all the discussions > enough mature I have added/tweaked javadocs on the ResourceAccessSecurity interface

RE: Feedback on the current ResourceAccessSecurity API

03, 2013 1:48 PM > To: dev@sling.apache.org > Subject: Re: Feedback on the current ResourceAccessSecurity API > > We discussed this API in length and as I said, the impl is missing. So yes, > we're not releasing until it's implemented > > > 2013/4/3 Bertrand De

Re: Feedback on the current ResourceAccessSecurity API

We discussed this API in length and as I said, the impl is missing. So yes, we're not releasing until it's implemented 2013/4/3 Bertrand Delacretaz > On Wed, Apr 3, 2013 at 12:17 PM, Carsten Ziegeler > wrote: > > ...I would like to cut some releases shortly, especially a new API, > > resourcer

Re: Feedback on the current ResourceAccessSecurity API

On Wed, Apr 3, 2013 at 12:17 PM, Carsten Ziegeler wrote: > ...I would like to cut some releases shortly, especially a new API, > resourceresolver and jcr resource release... Do we really want to include Mike's new APIs in a release already? I'd feel more comfortable if we can look at them in par

Re: Feedback on the current ResourceAccessSecurity API

applied. How about the implementation? Regards Carsten 2013/3/27 Mike Müller > +1 > > > -Original Message- > > From: Bertrand Delacretaz [mailto:bdelacre...@apache.org] > > Sent: Wednesday, March 27, 2013 5:53 PM > > To: dev@sling.apache.org > >

RE: Feedback on the current ResourceAccessSecurity API

+1 > -Original Message- > From: Bertrand Delacretaz [mailto:bdelacre...@apache.org] > Sent: Wednesday, March 27, 2013 5:53 PM > To: dev@sling.apache.org > Subject: Re: Feedback on the current ResourceAccessSecurity API > > On Wed, Mar 27, 2013 at 5:48 PM, Cars

Re: Feedback on the current ResourceAccessSecurity API

On Wed, Mar 27, 2013 at 5:48 PM, Carsten Ziegeler wrote: > ...What about a neutral name? It's up to the implementation whether it > optimizes or sanitizes - transformQuery maybe?... Works for me, suggested javadoc: ** Allows the ResourceProvider to transform the query based on the current user's

Re: Feedback on the current ResourceAccessSecurity API

What about a neutral name? It's up to the implementation whether it optimizes or sanitizes - transformQuery maybe? Carsten 2013/3/27 Mike Müller : >> >> So it is optimizeQuery really ;-) >> >> -Bertrand > > optimizeQuery in matters of performant security checks :-) > Maybe you are right in this c

RE: Feedback on the current ResourceAccessSecurity API

> > So it is optimizeQuery really ;-) > > -Bertrand optimizeQuery in matters of performant security checks :-) Maybe you are right in this case, that we rather should name the method optimizeQuery than sanitizeQuery. mike

Re: Feedback on the current ResourceAccessSecurity API

Hi Mike, On Wed, Mar 27, 2013 at 12:50 PM, Mike Müller wrote: > ...It shouldn't scare at all: With or without the use of sanitizeQuery, the > resulting > list of resources (or the resulting resource) is checked against security > anyway... ok, good then. > ...The use case is very simple as sh

RE: Feedback on the current ResourceAccessSecurity API

> > It's not really an optimization in the sense of a QueryOptimizer, that > > could be > done > > by every ResourceProvider by now, without any new API. The sanitizeQuery > functionality > > has to come with the ResourceAccessSecurity service: The query can be > injected > > (sanitized) only from

Re: Feedback on the current ResourceAccessSecurity API

Hi Mike, On Wed, Mar 27, 2013 at 8:54 AM, Mike Müller wrote: >> > Bertrand wrote: >> Could sanitizeQuery be done by having the ResourceProvider implement a >> QueryOptimizer API instead?... > It's not really an optimization in the sense of a QueryOptimizer, that could > be done > by every Resou

RE: Feedback on the current ResourceAccessSecurity API

> On Mon, Mar 25, 2013 at 8:14 PM, Mike Müller wrote: > ... > > Bertrand wrote: > >> // Calling that canRead would be more consistent with other names > >> public Resource checkReadPermission( Resource resource ); > > > > I choosed another naming because canCreate, canDelete, etc. returns

Re: Feedback on the current ResourceAccessSecurity API

Hi Mike, Thanks for your replies - as usual I'm a stickler for names...I think good naming helps a lot in making APIs understandable. On Mon, Mar 25, 2013 at 8:14 PM, Mike Müller wrote: ... > Bertrand wrote: >> // Calling that canRead would be more consistent with other names >> public R

Re: Feedback on the current ResourceAccessSecurity API

2013/3/25 Mike Müller : >> Notes on ResourceAccessSecurity: >> > > At this time ResourceResolver has a method named getUserID() which > returns a String. The Javadoc of this method says: > * Get the user ID, if any, associated with this resource resolver. The > * meaning of this identifie

RE: Feedback on the current ResourceAccessSecurity API

> Notes on ResourceAccessSecurity: > > 1) javadocs says "* - Expected to only be implemented once in the > framework/application...", I'm not sure about that. If you have both a > filesystem and an HBase resource providers, they might use very > different implementations? > > 2) Notes as comments

Feedback on the current ResourceAccessSecurity API

Hi, See below for a few comments about the recently added ResourceAccessSecurity. IMO these show that this API will still evolve, which makes me think that this belongs in the whiteboard for now - maybe using a forked sling.api bundle if that's easier. -Bertrand Notes on ResourceAccessSecurity