[
https://issues.apache.org/jira/browse/JCR-2867?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12984370#action_12984370
]
Alexander Klimetschek commented on JCR-2867:
--------------------------------------------
> anonymous isn't necessarily a read-only user, and isn't necessarily a user
> that can-read-everything
Yes, but isn't it the job of the repository to do that? Implementing such a
thing on the application level, and saying "the request will never write", is
something that won't work in the long run. For example, if you have the common
model in Sling, where a session is automatically created for a request, based
on authentication, you don't know if it is going to be read-only.
> Read-only session
> -----------------
>
> Key: JCR-2867
> URL: https://issues.apache.org/jira/browse/JCR-2867
> Project: Jackrabbit Content Repository
> Issue Type: New Feature
> Components: jackrabbit-core
> Reporter: Jukka Zitting
>
> It would be nice to have a way to declare that a given JCR session will only
> be used for reading, regardless of the access rights of the logged in user.
> This would be useful for example in web applications that want to enforce
> constraints like allowing no writes during processing of GET requests.
> This could be implemented for example as a per-session flag that could be set
> through an extra parameter in the login() call, like this:
> repository.login("workspace-name?readonly", credentials);
> Alternatively a security manager could be connected with a ThreadLocal
> variable set for example by a servlet filter based on the current request
> method.
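The second alternative in the issue description (a ThreadLocal set by a servlet filter from the request method) could look like the sketch below. This is an added example, not code from Jackrabbit, Sling or anyone in this thread. The class name, the checkWrite() hook, and treating HEAD like GET are all assumptions, and it needs the javax.servlet API on the classpath.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical filter: marks the current thread read-only for GET/HEAD requests. */
public class ReadOnlyRequestFilter implements Filter {

    // Per-thread flag; true while the request being processed must not write.
    private static final ThreadLocal<Boolean> READ_ONLY =
            ThreadLocal.withInitial(() -> Boolean.FALSE);

    // The issue names GET; HEAD is added here as an assumption.
    private static final Set<String> NO_WRITE_METHODS = Set.of("GET", "HEAD");

    /** Hypothetical hook: the access-control layer calls this before permitting a write. */
    public static void checkWrite() {
        if (READ_ONLY.get()) {
            throw new SecurityException("write attempted during a read-only request");
        }
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        boolean noWrite = req instanceof HttpServletRequest
                && NO_WRITE_METHODS.contains(((HttpServletRequest) req).getMethod());
        boolean previous = READ_ONLY.get();
        READ_ONLY.set(noWrite);
        try {
            chain.doFilter(req, res);
        } finally {
            // Container threads are pooled: restore the flag so it cannot
            // leak into the next request served by this thread.
            READ_ONLY.set(previous);
        }
    }
}
```

The flag follows the thread, not the session: work handed to another thread or continued through async request processing is not covered, which is one reason a per-session flag enforced inside the repository is the stronger of the two options.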