[ https://issues.apache.org/jira/browse/SLING-2698?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13592242#comment-13592242 ]
Julian Sedding commented on SLING-2698:
---------------------------------------
I had a quick look at the implementation and there are three things that worry
me:
* The implementation is in the resourceresolver bundle and therefore not
optional
* Checking permissions using regular expressions seems troublesome to me for
performance considerations. While rendering a moderately complex website, a lot
of RR#getResource() calls are made, each of which would trigger a regexp
evaluation. Would a String#startsWith() call be enough? This should definitely
be backed by performance tests.
* Implementing AccessGates using a ResourceDecorator seems pretty insecure,
because the resource can easily be unwrapped (intentionally or by accident). We
had this issue recently in the context of the Resource#isResourceType() checks
(see SLING-2739).
> Add a minimal resource access gate
> ----------------------------------
>
> Key: SLING-2698
> URL: https://issues.apache.org/jira/browse/SLING-2698
> Project: Sling
> Issue Type: New Feature
> Components: ResourceResolver
> Reporter: Mike Müller
> Assignee: Mike Müller
> Fix For: Resource Resolver 1.1.0
>
>
> Adding a minimal resource access gate as discussed in [1].
> First step is to define the API interface and a minimal implementation which
> allows to define READ access (rest of CRUD can follow later)
> [1] http://markmail.org/thread/4ctczoiy533tquyl
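
The third concern in the comment above, as an added Java example (not code from Sling or from the SLING-2698 implementation): a gate enforced in a wrapper is lost once a caller reaches the wrapped object, while a check inside the lookup never hands out the reference. All types, paths and values are hypothetical stand-ins, the deny rule uses the String#startsWith() form the comment asks about, and records need Java 16+.

```java
import java.util.Map;

public class AccessGateDemo {
    // Hypothetical stand-ins for illustration; these are not the Sling API types.
    interface Resource { String getPath(); String getValue(); }

    record PlainResource(String path, String value) implements Resource {
        public String getPath() { return path; }
        public String getValue() { return value; }
    }

    // Decorator-style gate: the check lives in a wrapper around the real resource.
    // The record accessor delegate() plays the role of an "unwrap" method.
    record GatedResource(Resource delegate, String deniedPrefix) implements Resource {
        public String getPath() { return delegate.getPath(); }
        public String getValue() {
            if (getPath().startsWith(deniedPrefix)) throw new SecurityException("read denied");
            return delegate.getValue();
        }
    }

    // Constructed sample repository.
    static final Map<String, Resource> REPO = Map.of(
        "/content/public", new PlainResource("/content/public", "hello"),
        "/content/private", new PlainResource("/content/private", "secret"));

    // Variant A: the lookup returns the wrapper and relies on it for enforcement.
    static Resource getResourceDecorated(String path, String deniedPrefix) {
        Resource r = REPO.get(path);
        return r == null ? null : new GatedResource(r, deniedPrefix);
    }

    // Variant B: the check runs inside the lookup, before any reference is returned.
    // A bare prefix also matches siblings such as "/content/private2" (fails closed);
    // compare against prefix + "/" when only the subtree is meant.
    static Resource getResourceGated(String path, String deniedPrefix) {
        return path.startsWith(deniedPrefix) ? null : REPO.get(path);
    }

    public static void main(String[] args) {
        String denied = "/content/private";
        Resource wrapped = getResourceDecorated("/content/private", denied);
        try { wrapped.getValue(); }
        catch (SecurityException e) { System.out.println("via wrapper: " + e.getMessage()); }
        // Any code that unwraps, deliberately or in a helper, skips the check.
        Resource raw = ((GatedResource) wrapped).delegate();
        System.out.println("after unwrap: " + raw.getValue());
        System.out.println("lookup-level gate: " + getResourceGated("/content/private", denied));
    }
}
```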