[
https://issues.apache.org/jira/browse/JCR-2867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12984364#action_12984364
]
angela commented on JCR-2867:
-----------------------------
> Aren't you supposed to use a read-only user in that case? Like anonymous?
anonymous isn't necessarily a read-only user, and isn't necessarily a user that
can-read-everything. that's just the
case in the simple-security-setup in jackrabbit.
the suggestion here - as far as i am concerned - was to be allow to indicate
that given session would
never make any attempt to write: it was a read-only-Session which isn't the
same thing as creating a
session for a user that doesn't have any write-permission, nowhere at all.
> Read-only session
> -----------------
>
> Key: JCR-2867
> URL: https://issues.apache.org/jira/browse/JCR-2867
> Project: Jackrabbit Content Repository
> Issue Type: New Feature
> Components: jackrabbit-core
> Reporter: Jukka Zitting
>
> It would be nice to have a way to declare that a given JCR session will only
> be used for reading, regardless of the access rights of the logged in user.
> This would be useful for example in web applications that want to enforce
> constraints like allowing no writes during processing of GET requests.
> This could be implemented for example as a per-session flag that could be set
> through an extra parameter in the login() call, like this:
> repository.login("workspace-name?readonly", credentials);
> Alternatively a security manager could be connected with a ThreadLocal
> variable set for example by a servlet filter based on the current request
> method.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
