hi carsten

On 3/6/13 12:45 PM, Carsten Ziegeler wrote:
> 2013/3/6 Lars Krapf<[email protected]>:
>> if time-based access control
>> is really needed.
>
> Time based access restriction is one of the main use cases as Mike has
> explained repeatedly.

and time-based access restriction is as much an ACL feature
as any other restriction (node type, value type, path, etc. etc.).

however, i agree with lars that in this particular case access
control was most probably abused for something that should
be handled within the authentication: generating an access token
that expires after some time.

how would you want to enforce a time-based access restriction
in a global environment? which time are you referring to
if you state "carsten is allowed from 8 to 17"?

the second example provided by mike was just the same as disabling
the anonymous access in sling.

having said that: i am still not convinced by the necessity of
this feature.

>> This is also an example of how this feature would weaken
>> security. In order to allow access to a resource within a certain
>> time-frame, you will have to open access completely on repository
>> level, so the whole access control would depend on the Sling layer,
>
> No, this is wrong - as I mentioned in my first post here and as has
> been explained over and over again since Mike came up with the
> proposal, this is an additional filter. The intention is not to
> replace ACLs.

but what you in fact do is interfering with the permissions enforced
by the underlying store: weakening permissions imposed by the repo
in sling is impossible (unless you really do ugly hacks) and hardening
those permissions is generating a false sense of security.

IMO this is going to open pandora's box without really adding any
true benefit. you can argue that extending the repository's access
control functionality is not flexible enough, that it is not
pluggable at runtime... that's all perfectly true. but introducing
a ResourceAccessGate in Sling is most probably the wrong answer to
that.

> I'm really wondering why we are having this discussion over and over
> again - we agreed some months ago to implement this feature in Sling.
> Now Mike has started work and immediately everyone and his dog is
> going back to the old discussion. :(

better now than never :-)
lessons learned no. 2 from SlingRepository#loginAdministrative...

best regards
angela