Hi,
I've spent the last few days looking at the impl of the AccessControlManager and I have noticed several things.

ACLs contain multiple ACEs, mapped by a Principal which must be resolved by the UserManager to an Authorizable (the ModifyAceServlet indicates this). The set of Authorizables that a user is a member of must be pre-determined at JCR session time so the privileges can be compiled.

---

I want to add 2 concepts to AuthZ, but keep the DefaultAccessControlManager and the accessmanager servlet bundle if possible.

The additions are: owner and dynamic group.

Owner:
Permissions are granted to a sub-tree on the basis that the user owns the node in question. There may be many nodes, owned by different users, and the ownership (denoted by a jcr property xyz:owner) may change.

Dynamic Group:
Non-determinable.
There is a class of memberships that can only be determined by querying, e.g. the resource is only readable between 10:00 and 12:00 on 23/04/2009 to members of the First Year Physics class accessing the resource from the IP range 131.111.21.0/128 (although *if* you knew this group existed, you could test on every request, but that could become expensive when only 1 resource out of millions needed this sophistication).

Is there a better way of implementing Owner and a Dynamic membership which won't generate huge load at session initiation?

Ian
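The session-time versus request-time split the mail asks about, modelled as an added Python example (not Sling or Jackrabbit code; the group names, the xyz:owner property lookup, the 131.111.21.0/24 range and the timestamps are constructed sample values). Static memberships are compiled once per session; the owner and dynamic-group checks run only for nodes whose ACL actually names those principals.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
# Constructed model, not Jackrabbit/Sling API: static principals are compiled once at
# session start; "owner" and dynamic-group ACEs are evaluated only when a node's ACL
# actually names them, so the expensive checks cost nothing on the other nodes.

@dataclass
class Request:
    user: str
    client_ip: str
    now: datetime

@dataclass
class Node:
    path: str
    props: dict = field(default_factory=dict)  # e.g. {"xyz:owner": "alice"}
    acl: dict = field(default_factory=dict)    # principal name -> set of privileges

def at(iso):
    """Parse a constructed ISO timestamp, e.g. '2009-04-23T11:00'."""
    return datetime.fromisoformat(iso)

# Static memberships the UserManager would resolve at session time (constructed).
STATIC_GROUPS = {"alice": {"first-year-physics"}, "bob": set()}

def physics_lab_window(req, principals):
    """Dynamic group: physics members, 10:00-12:00 on 23/04/2009, from the lab range."""
    return ("first-year-physics" in principals
            and at("2009-04-23T10:00") <= req.now < at("2009-04-23T12:00")
            and ip_address(req.client_ip) in ip_network("131.111.21.0/24"))  # constructed

DYNAMIC_GROUPS = {"physics-lab-window": physics_lab_window}

def session_principals(user):
    """Cheap and done once per session: the user plus static group memberships."""
    return {user} | STATIC_GROUPS.get(user, set())

def effective_privileges(node, req, principals):
    """Union of ACEs granted to static, owner and dynamic principals for one node."""
    granted = set()
    for principal, privs in node.acl.items():
        if principal in principals:
            granted |= privs
        elif principal == "owner" and node.props.get("xyz:owner") == req.user:
            granted |= privs
        elif principal in DYNAMIC_GROUPS and DYNAMIC_GROUPS[principal](req, principals):
            granted |= privs
    return granted
```

Because the dynamic predicate is looked up by the principal name in the node's ACL, a node that never references a dynamic group pays only the static set lookup.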
