I think you can just deny the jcr:all privilege for the anonymous user ID. The "everyone" group only applies to users who have logged in.
For example:

curl -FprincipalId=anonymous -Fprivilege@jcr:all=denied http://admin:admin@localhost:8080/sling6/.modifyAce.html

Regards,
Eric

On Sep 16, 2012 11:41 AM, "Sandro Boehme" <[email protected]> wrote:

> Hello,
>
> in the configuration of the "Apache Sling Authentication Service" I can
> "disable anonymous access" which I understand as the user needs to log in.
> Still, when I use "anonymous" as user and an empty password I can log in
> and see the page for the path "/" and all child resources. Changing the
> password for anonymous is not allowed by design. The source code looks like:
> if ("anonymous".equals(name)) {
>     throw new RepositoryException(
>         "Can not change the password of the anonymous user.");
> }
> Looking at the privileges for the root path with
> http://localhost:8080/.eacl.json
> got me this json response:
> {
>   "everyone":{
>     "principal":"everyone",
>     "granted":["jcr:all"],
>     "order":0
>   }
> }
> So I tried to remove the jcr:all privilege with
> curl -FprincipalId=everyone -Fprivilege@jcr:all=denied
> http://admin:admin@localhost:8080/sling6/.modifyAce.html
> to deny everything from the root on and grant it selectively on child
> nodes.
> But the response is http 310 ("too many redirects") when accessing "/".
> Granting jcr:all to the everyone group to signup.html,... didn't help.
>
> But granting everyone the jcr:all privilege at "/" and denying jcr:all at
> a subnode results in an http 404 response for
> http://localhost:8080/mysubnode.json as I would expect
> it.
>
> Is there a way to avoid, that every new node under the root node has
> jcr:all by default?
>
> Best,
>
> Sandro
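
An added example, not part of the original messages or of Sling's own code: a small Python audit of an `.eacl.json` response in the shape quoted above, listing principals that hold `jcr:all` and whether `anonymous` carries an explicit deny. The `denied` key is an assumption that mirrors the `granted` key shown in the thread, and both sample responses are constructed.

```python
import json

BROAD = "jcr:all"

# Constructed samples in the shape of the .eacl.json response quoted above.
# The "denied" key is an assumption that mirrors the "granted" key.
BEFORE = '{"everyone": {"principal": "everyone", "granted": ["jcr:all"], "order": 0}}'
AFTER = '''{
  "anonymous": {"principal": "anonymous", "denied": ["jcr:all"], "order": 0},
  "everyone": {"principal": "everyone", "granted": ["jcr:all"], "order": 1}
}'''


def audit_eacl(raw):
    """Return a sorted list of findings for one effective-ACL JSON document."""
    entries = json.loads(raw)
    findings = []
    anonymous_denied = False
    for key, entry in entries.items():
        principal = entry.get("principal", key)
        granted = set(entry.get("granted", []))
        denied = set(entry.get("denied", []))
        if BROAD in granted & denied:
            # Contradictory entry: the outcome depends on evaluation order.
            findings.append(f"{principal}: {BROAD} both granted and denied")
        elif BROAD in granted:
            findings.append(f"{principal}: {BROAD} granted")
        if principal == "anonymous" and BROAD in denied:
            anonymous_denied = True
    if not anonymous_denied:
        findings.append(f"anonymous: no explicit deny of {BROAD}")
    return sorted(findings)


if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for finding in audit_eacl(raw):
            print("  ", finding)
```

The audit only reads the listed entries; requesting the path without credentials after the change remains the direct check of what an anonymous session can see.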
