Sandro Boehme wrote
>
> Maybe it's best practice in Sling and/or Jackrabbit to allow anonymous
> to read the root node. I don't know. But it seems not preferable to me
> because one would need to make sure to set the permissions for every new
> child node he should not see. But maybe I miss something.
>
You don't exactly need anonymous at the root node, so you can still disable it. For example, in our implementation, we disabled anonymous access, left permission at the root for "everyone". In this case "everyone" is more like "authenticated users" since Sling won't let you in unless you authenticate.

Then at the /content/mydata node, we put an "everyone deny jcr:all" followed by "UserGroup allow jcr:all" where UserGroup is a group that we created. Then our structure goes under the mydata node.

Note, ordering of ACLs does matter. See [1] for a ticket about the issue. I thought I'd seen another related one with more discussion from the devs but I can't find it at the moment.

[1] https://issues.apache.org/jira/browse/JCR-2963
