[jira] Commented: (JCR-2748) provide a (relatively) simple way to disable anonymous access to the security workspace

Mon, 04 Oct 2010 07:13:03 -0700 

    [ 
https://issues.apache.org/jira/browse/JCR-2748?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12917620#action_12917620
 ] 

angela commented on JCR-2748:
-----------------------------

> IIUC, this requires manual configuration of the security workspace. Isn't 
> that a bit onerous - 15-20 lines of XML vs. one? 

if the default setup get's changed in jackrabbit, you will need to have a 
manual ac provider configuration of your security workspace anyway.
as i said before, i just didn't do that for 2.0 because we changed the way we 
at day want to store users in a rather late stage and i didn't
want to cause troubles for all those using the old style jr 1.6 setup.

furthermore, i don't want to spoil the repository level security configuration 
for something that i consider end of life code.
having an configuration option for the UserAccessControlProvider should be 
configured where it belongs to.

and adding a repository level option for the inital ac-setup seems wrong to 
me... this would be yet another workaround for 
something that will be addressed by JCR-2331.

> In other words, I think this should [...]

fair enough... but it doesn't make me change my opinion :)

> provide a (relatively) simple way to disable anonymous access to the security 
> workspace
> ---------------------------------------------------------------------------------------
>
>                 Key: JCR-2748
>                 URL: https://issues.apache.org/jira/browse/JCR-2748
>             Project: Jackrabbit Content Repository
>          Issue Type: Improvement
>          Components: jackrabbit-core, security
>            Reporter: Justin Edelson
>         Attachments: JCR-2748.patch
>
>
> As discussed in this thread: 
> http://sling.markmail.org/thread/st52jejjuxykfxtj, the security workspace is, 
> by default, configured with an AccessControlProvider which provides a fixed 
> access control policy (i.e. 
> o.a.j.core.security.user.UserAccessControlProvider). In order to prevent 
> anonymous access to security-related nodes requires the use of an alternate 
> AccessControlProvider.
> The attached patch provides a simpler mechanism. By adding
> <param name="anonymousAccessToSecurityWorkspace" value="false" />
> to the configuration of the DefaultSecurityManager, anonymous access to the 
> security workspace is forbidden.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to