Hi,

As I worked on SLING-3435 [1] and added some more tests, I noticed that even if resourceaccesssecurity is installed as a bundle, the two implementing classes ApplicationResourceAccessSecurityImpl (for application context) and ProviderResourceAccessSecurityImpl (for provider context) are only registered if there is at least one ResourceAccessGate registered for the appropriate context. The implementation of ResourceResolver itself only checks if there is an implementation for ResourceAccessSecurity registered. If no such service is available, ResourceResolver grants access for all operations. That means, even if a ResourceProvider implementation sets the useResourceAccessSecurity flag to true, access will be granted if no ResourceAccessGate is registered for the provider context.

I think this should be changed, because it makes resourceaccesssecurity somewhat weak. Imagine we have a Mongo ResourceProvider with the useResourceAccessSecurity flag set to true, and we have even installed the resourceaccesssecurity bundle. Now we either forgot to also install a ResourceAccessGate implementation, or the bundle containing the gate is not started properly. With the actual behaviour, access will be granted on all resources from the Mongo ResourceProvider for all operations. Even if the bundle with our ResourceAccessGate implementation is started correctly but not the resourceaccesssecurity bundle, we have the same problem. I think this is wrong in terms of security.

I suggest we should do the following:

- If a provider sets the useResourceAccessSecurity flag to true, we do not grant access to any Resource from this provider (for any operation) if a ResourceAccessSecurity for the provider context can't be found.

Furthermore, the implementation of the ResourceAccessSecurity for the provider context does not behave like the one for the application context: if we, for example, check the read access for a resource, the implementation calls all ResourceAccessGates until a gate is found which grants read access. That's correct, but it is only done in the provider context. In the application context the implementation also calls all ResourceAccessGates until a gate is found which grants read access. But if no gate is found which grants read access and there's also no gate which denies access (all return GateResult.DONTCARE), access will be granted. This seems wrong in terms of security. The two implementations for provider context and application context should behave the same, with the only difference that ResourceResolver will ignore the application context if the service could not be found.

WDYT?

Best regards,
mike

[1] https://issues.apache.org/jira/browse/SLING-3435
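To make the two evaluation policies discussed in the mail concrete, here is a small self-contained Java model (an added illustration, not code from Sling or from the mail's author). It combines the answers of a list of gates for a read check and contrasts the fail-open combination described for the application context (grant when every gate says DONTCARE, or when no security service exists) with the fail-closed combination the mail proposes (deny unless a gate actually grants). The `Gate` interface, the three-valued `GateResult` enum, the `canRead`/`resolverAllowsRead` helpers and the sample paths are assumptions made for this example; they only mirror the names mentioned above and are not Sling's real API.

```java
import java.util.List;
import java.util.Optional;

public class GateCombinationExample {

    /** Outcomes a gate can report; named after the GateResult values mentioned in the mail (model only). */
    enum GateResult { GRANTED, DENIED, DONTCARE }

    /** Stand-in for one ResourceAccessGate; only the read check is modelled (assumed shape). */
    interface Gate {
        GateResult canRead(String path);
    }

    /**
     * Combines the answers of all gates for one path. Iteration stops at the
     * first GRANTED; a DENIED is remembered but later gates are still asked,
     * since a later gate may still grant. If no gate is decisive, the
     * grantIfNobodyCares flag decides: true models the fail-open behaviour the
     * mail describes for the application context, false the fail-closed
     * behaviour it proposes.
     */
    static boolean canRead(List<Gate> gates, String path, boolean grantIfNobodyCares) {
        boolean denied = false;
        for (Gate gate : gates) {
            switch (gate.canRead(path)) {
                case GRANTED:  return true;
                case DENIED:   denied = true; break;
                case DONTCARE: break;
            }
        }
        if (denied) {
            return false;
        }
        return grantIfNobodyCares;
    }

    /**
     * Models the resolver's decision for a provider. 'security' is empty when no
     * ResourceAccessSecurity service for the provider context is available;
     * failOpen=true grants in that case (current behaviour as described),
     * failOpen=false denies (proposed behaviour).
     */
    static boolean resolverAllowsRead(boolean useResourceAccessSecurity,
                                      Optional<List<Gate>> security,
                                      String path,
                                      boolean failOpen) {
        if (!useResourceAccessSecurity) {
            return true; // provider does not ask for access security at all
        }
        if (security.isEmpty()) {
            return failOpen; // no service registered: today grants, proposal denies
        }
        return canRead(security.get(), path, failOpen);
    }

    public static void main(String[] args) {
        // Constructed sample gates: one grants under /content/, one denies under /system/.
        Gate contentGate = path -> path.startsWith("/content/") ? GateResult.GRANTED : GateResult.DONTCARE;
        Gate systemGate  = path -> path.startsWith("/system/")  ? GateResult.DENIED  : GateResult.DONTCARE;
        List<Gate> gates = List.of(contentGate, systemGate);

        // /etc/config: every gate answers DONTCARE, so only the policy decides.
        System.out.println("fail-open   /etc/config -> " + canRead(gates, "/etc/config", true));
        System.out.println("fail-closed /etc/config -> " + canRead(gates, "/etc/config", false));

        // Provider asks for access security, but no security service is registered.
        System.out.println("fail-open   no service -> " + resolverAllowsRead(true, Optional.empty(), "/content/a", true));
        System.out.println("fail-closed no service -> " + resolverAllowsRead(true, Optional.empty(), "/content/a", false));

        // A gate that explicitly denies wins under both policies.
        System.out.println("fail-open   /system/x  -> " + canRead(gates, "/system/x", true));
    }
}
```

The point of the two `false` results in the fail-closed runs is the one the mail makes: a missing gate bundle or a missing security service should leave resources unreadable rather than silently readable, so a deployment mistake shows up as a denied access instead of as an exposure.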
