Hi,
[1] says "The default SimpleAccessManager class included in Jackrabbit implements a trivially simple authorization mechanism that grants full read access to all users and write access to everyone except anonymous users."

I just found that this is only true if the SimplePrincipalProvider is used at the same time, and if it isn't, SAM will grant jcr:all to anonymous (ouch!)

So I'm wondering:
- is this as expected and just lacking precise documentation?
- is this unexpected and an issue?
- am I missing something?

SAM relies on the following code:

    import org.apache.jackrabbit.core.security.AnonymousPrincipal;
    ...
    // anonymous only when an AnonymousPrincipal instance is in the subject
    anonymous = !subject.getPrincipals(AnonymousPrincipal.class).isEmpty();

This will work if the principal provider is org.apache.jackrabbit.core.security.simple.SimpleSecurityManager.SimplePrincipalProvider, which is only ever the case if the security manager is org.apache.jackrabbit.core.security.simple.SimpleSecurityManager.

In a default setup, however, I see the following principals in the subject of an anonymous login:
- org.apache.jackrabbit.core.security.user.AuthorizableImpl$NodeBasedPrincipal
- org.apache.jackrabbit.core.security.principal.EveryonePrincipal

Cheers
Ben

[1] http://jackrabbit.apache.org/jackrabbit-configuration.html#JackrabbitConfiguration-Securityconfiguration
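To make the mismatch concrete, here is an added stand-alone Java illustration (not Jackrabbit's own code): the three principal classes are hypothetical stand-ins for the ones named in the mail, and it assumes the anonymous user's principal is named "anonymous", Jackrabbit's default anonymous id.

```java
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;

public class AnonymousCheckDemo {

    // Hypothetical stand-ins for the Jackrabbit principal classes; only the
    // class identity and the principal name matter for the checks below.
    static final class AnonymousPrincipal implements Principal {
        public String getName() { return "anonymous"; }
    }
    static final class NodeBasedPrincipal implements Principal {
        private final String name;
        NodeBasedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }
    static final class EveryonePrincipal implements Principal {
        public String getName() { return "everyone"; }
    }

    // SimpleAccessManager-style test: anonymous only if the marker class is present.
    static boolean isAnonymousByClass(Subject subject) {
        return !subject.getPrincipals(AnonymousPrincipal.class).isEmpty();
    }

    // Verification by principal name instead of class. Assumption: the anonymous
    // user's principal name equals the configured anonymous id ("anonymous").
    static boolean isAnonymousByName(Subject subject, String anonymousId) {
        return subject.getPrincipals().stream()
                .anyMatch(p -> anonymousId.equals(p.getName()));
    }

    static Subject subjectWith(Principal... principals) {
        return new Subject(true, Set.of(principals), Set.of(), Set.of());
    }

    public static void main(String[] args) {
        // Constructed: principals of an anonymous login under the default security manager.
        Subject defaultSetup = subjectWith(new NodeBasedPrincipal("anonymous"), new EveryonePrincipal());
        // Constructed: principals as SimplePrincipalProvider would supply them.
        Subject simpleSetup = subjectWith(new AnonymousPrincipal(), new EveryonePrincipal());

        System.out.println("simple setup, by class:  " + isAnonymousByClass(simpleSetup));
        System.out.println("default setup, by class: " + isAnonymousByClass(defaultSetup));
        System.out.println("default setup, by name:  " + isAnonymousByName(defaultSetup, "anonymous"));
    }
}
```

Run it with `java AnonymousCheckDemo.java`: the class-based check only recognises the SimplePrincipalProvider subject, so in the default setup the anonymous flag stays false and the write branch is taken, whereas the name-based check recognises both subjects.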
