[ https://issues.apache.org/jira/browse/SLING-2698?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13593438#comment-13593438 ]

angela commented on SLING-2698:
-------------------------------

from a security point of view I find the concept rather cumbersome, irrespective of my jackrabbit hat.
access control should be enforced by the lowest accessible layer. if you push it up the stack as in this case, you will likely end up with any of the following situations:

A) you have to grant broader access rights on the lower level and somehow close it in the app (sling) layer
    -> will introduce security issues if there is an alternative access mechanism (there usually is one).

B) you lock down the access on the lower level and need some sort of 'administrative' resource access
    mechanism that will then enforce the extra access restrictions defined in the sling layer. any kind of error is very likely
    to result in a privilege escalation to admin (lesson no. 1 learned from SlingRepository#loginAdministrative).

kind regards
angela
> Add a minimal resource access gate
> ----------------------------------
>
>                 Key: SLING-2698
>                 URL: https://issues.apache.org/jira/browse/SLING-2698
>             Project: Sling
>          Issue Type: New Feature
>          Components: ResourceResolver
>            Reporter: Mike Müller
>            Assignee: Mike Müller
>             Fix For: Resource Resolver 1.1.0
>
>         Attachments: resource-resolver-wrapper.patch
>
>
> Adding a minimal resource access gate as discussed in [1].
> First step is to define the API interface and a minimal implementation which
> allows defining READ access (rest of CRUD can follow later)
> [1] http://markmail.org/thread/4ctczoiy533tquyl
