[ https://issues.apache.org/jira/browse/JCR-2748?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12917588#action_12917588 ]

Justin Edelson commented on JCR-2748:
-------------------------------------
> I would rather add a configuration option to this specific access control
> provider (similar to the other providers).
> The patch adding the config option to the security manager seems wrong to me.

IIUC, this requires manual configuration of the security workspace. Isn't that
a bit onerous - 15-20 lines of XML vs. one?

In other words, I think this should be configured in the <Security> section of
repository.xml, not <Workspace> as it is a property of the security subsystem.

> provide a (relatively) simple way to disable anonymous access to the security
> workspace
> ---------------------------------------------------------------------------------------
>
> Key: JCR-2748
> URL: https://issues.apache.org/jira/browse/JCR-2748
> Project: Jackrabbit Content Repository
> Issue Type: Improvement
> Components: jackrabbit-core, security
> Reporter: Justin Edelson
> Attachments: JCR-2748.patch
>
>
> As discussed in this thread:
> http://sling.markmail.org/thread/st52jejjuxykfxtj, the security workspace is,
> by default, configured with an AccessControlProvider which provides a fixed
> access control policy (i.e.
> o.a.j.core.security.user.UserAccessControlProvider). Preventing
> anonymous access to security-related nodes requires the use of an alternate
> AccessControlProvider.
> The attached patch provides a simpler mechanism. By adding
> <param name="anonymousAccessToSecurityWorkspace" value="false" />
> to the configuration of the DefaultSecurityManager, anonymous access to the
> security workspace is forbidden.