Ian,

Thanks for the detailed reply. I've left some comments below.
 
-----Ian Boston <[email protected]> wrote: -----

>To: [email protected]
>From: Ian Boston <[email protected]>
>Sent by: Ian Boston <[email protected]>
>Date: 12/05/2009 07:42AM
>Cc: [email protected]
>Subject: Re: Private content in JCR
>
>Branden,
>Depending on which version of Jackrabbit you are running you might be
>able to.
>
>Assuming
>/ has
>           everyone:grant:jcr:write
>           admin:grant:jcr:all
>           anonymous:grant:jcr:read
>then /users/branden will need
>          branden:grant:jcr:write
>          everyone:deny:jcr:all
>          anonymous:deny:jcr:all
>

Ahh, an "everyone" group, that's one big concept I was missing (as well as info 
about the group deny). Is this a built-in group in JCR that I can reference? Or 
do I have to create and maintain it manually as I create more users?

>
>Certainly in 1.5.7 you can't deny access to a group,
>so since everyone was granted read at / you can't deny read at /users/branden
>
>I think in JR2 group deny was enabled, but ATM we don't have JR2 in
>Sling (Felix is working on it).
>

Is there a JIRA ticket I can track for the progress? Or even better, some 
incomplete prerequisite tickets I can complete to help the process along?

>The other problem is that both the AccessManagerServlets and the
>DefaultSecurityManager have blocks of code that prevent a
>group:deny:* ACE being applied.
>
>i.e. you can't set everyone:deny:jcr:all and it's not processed even if
>you could.
>
>So as part of the upgrade to 2, the checks would need to be removed in
>the access manager bundle to allow group deny.
>Alternatively I think the security settings in the contentloader
>bundle will allow you to set these ACEs directly
>
>----------------
>
>We had exactly the same issue, so we patched everything to make it
>work. Sadly the patch to the 1.5.7 DefaultSecurityManager is quite
>extensive since it requires far greater control over the order in
>which the ACL bitmap is compiled. (branden is a member of everyone is
>just one issue)
>
>I am in the process of reworking those patches for the JR1.6 based
>server bundle, but I am not there yet, and can give you pointers to
>the code if you like.

If you don't mind giving pointers to the code, that would be great. Depending 
on the timeline of Sling+JR2, I wouldn't mind looking at group-deny for 1.6 if 
there are any open JIRAs associated with it.

>HTH
>Ian
>

Thanks again, it was a great help.

Branden

>On 5 Dec 2009, at 01:30, Branden Visser wrote:
>
>> Hi all,
>>
>> This sounds like more of a JCR question than Sling, but I'm hoping
>> it's a quick answer:
>>
>> If I have a resource node: /users/branden, how would I make the
>> resource 'branden' and everything beneath it be private, so that no
>> other authenticated user (except branden) can read it? I looked at
>> the AccessControl spec and read up on the spec, but I didn't see
>> anything that could serve this purpose. Did I miss a document?
>>
>> Thanks,
>> Branden
>>
>>
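The ACE layout Ian describes for /users/branden (branden:grant:jcr:write, everyone:deny:jcr:all, anonymous:deny:jcr:all), written against the JCR 2.0 access-control API with Jackrabbit's deny extension, as an added example that is not code from this thread nor from Sling or Jackrabbit. It assumes a Jackrabbit 2.x repository (the thread says 1.5.7 cannot honour a group deny), an "admin" session that holds jcr:modifyAccessControl, an existing user "branden", a second user "alice" invented here purely to verify the deny holds for other authenticated users, the default anonymous principal name "anonymous", and that the repository is obtained through JcrUtils.getRepository(); the passwords are placeholders. Because the thread shows that the precedence between a user grant and a group deny on the same node is exactly what differs between versions, the example does not trust the ACL it wrote: it logs in as each principal and checks the outcome.

```java
import java.security.Principal;
import javax.jcr.Credentials;
import javax.jcr.GuestCredentials;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.commons.JcrUtils;

/** Added example: make /users/branden readable only by branden (and admin). */
public class PrivateUserHome {

    static final String HOME = "/users/branden";

    /** Editable Jackrabbit ACL at path: the bound one if present, else an applicable one. */
    static JackrabbitAccessControlList editableAcl(AccessControlManager acm, String path)
            throws RepositoryException {
        for (AccessControlPolicy p : acm.getPolicies(path)) {
            if (p instanceof JackrabbitAccessControlList) {
                return (JackrabbitAccessControlList) p;
            }
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof JackrabbitAccessControlList) {
                return (JackrabbitAccessControlList) p;
            }
        }
        throw new RepositoryException("no editable ACL at " + path);
    }

    /** Writes the three ACEs from the thread. Needs jcr:modifyAccessControl on HOME. */
    static void makePrivate(JackrabbitSession admin, String ownerId) throws RepositoryException {
        AccessControlManager acm = admin.getAccessControlManager();
        PrincipalManager pm = admin.getPrincipalManager();

        Principal owner = admin.getUserManager().getAuthorizable(ownerId).getPrincipal();
        Principal everyone = pm.getEveryone();               // built-in "everyone" group principal
        Principal anonymous = pm.getPrincipal("anonymous");  // assumed default anonymous principal
        if (anonymous == null) {
            throw new RepositoryException("no principal named 'anonymous'; adjust the name");
        }

        Privilege[] write = { acm.privilegeFromName(Privilege.JCR_WRITE) };
        Privilege[] all = { acm.privilegeFromName(Privilege.JCR_ALL) };

        JackrabbitAccessControlList acl = editableAcl(acm, HOME);
        acl.addEntry(everyone, all, false);   // group deny: the ACE 1.5.7 and the Sling servlets reject
        acl.addEntry(anonymous, all, false);
        acl.addEntry(owner, write, true);     // user grant; assumed to win over the group deny
        acm.setPolicy(HOME, acl);
        admin.save();
    }

    /** True iff a session with these credentials can read path. nodeExists() goes first
     *  because hasPrivileges() throws PathNotFoundException when the node is invisible. */
    static boolean canRead(Repository repo, Credentials creds, String path) throws RepositoryException {
        Session s = repo.login(creds);
        try {
            if (!s.nodeExists(path)) {
                return false;
            }
            AccessControlManager acm = s.getAccessControlManager();
            return acm.hasPrivileges(path, new Privilege[] { acm.privilegeFromName(Privilege.JCR_READ) });
        } finally {
            s.logout();
        }
    }

    public static void main(String[] args) throws RepositoryException {
        Repository repo = JcrUtils.getRepository();          // assumed repository lookup
        JackrabbitSession admin =
                (JackrabbitSession) repo.login(new SimpleCredentials("admin", "admin".toCharArray()));
        try {
            makePrivate(admin, "branden");
        } finally {
            admin.logout();
        }

        boolean owner = canRead(repo, new SimpleCredentials("branden", "branden".toCharArray()), HOME);
        boolean other = canRead(repo, new SimpleCredentials("alice", "alice".toCharArray()), HOME);
        boolean guest = canRead(repo, new GuestCredentials(), HOME);
        System.out.println("branden=" + owner + " alice=" + other + " anonymous=" + guest);
        if (!owner || other || guest) {
            // branden is a member of everyone: if the group deny outranks the user grant on
            // this Jackrabbit version, owner comes back false and the ACL must be reordered.
            throw new IllegalStateException("ACL did not take effect as intended");
        }
    }
}
```

Running it against the repository rather than trusting the written entries is the point: the "branden is a member of everyone" problem Ian mentions shows up here as owner=false, and a version that silently drops group-deny ACEs shows up as alice=true or anonymous=true.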
