On Tue, Jul 6, 2010 at 17:35, Ian Boston <[email protected]> wrote: > Yes, I am not explaining myself clearly. Sorry. > > /_user/aaa is jcr:read anon > ... > /_user/ieb is jcr:read anon > ... > /_user/zzz is jcr:read anon > > but when I do > users.getNodes(); I want to see a list size 0 not a list size n. > > Its the entire list that must be protected. > If I know the ID (aaa,ieb,zzz) I should be able to access it.
Then you should login with the ID into the repository, ie. have them as users, because that's what they are. Then you can easily set ACLs for those paths. Doing this based on anonymous + filter servlets would just be another ACL system on top of an existing one. > If I know every singe ID, I should be able to access every URL, but I should > not be able to discover all the IDs from the system. > > The ID's are Student IDs and under the Data Protection Act as interpreted by > the University of Cambridge IDs are not listable by anyone, IIUC this is part > of the privacy policy of the University. > > In the US the regulation is FERPA [1] and its interpretation by the > institution. > > 1 http://en.wikipedia.org/wiki/Family_Educational_Rights_and_Privacy_Act Regards, Alex -- Alexander Klimetschek [email protected]
