Hello Carsten On 03/06/2013 12:45 PM, Carsten Ziegeler wrote: > 2013/3/6 Lars Krapf <[email protected]>: >> if time-based access control >> is really needed. > Time based access restriction is one of the main use cases as Mike has > explained repeatedly.
Yes - I understand that. The important part of my quote is the one before that. If needed (which I don't want to argue), then why not implement it with the rest of the access control? Why put it on a different layer, which until now has nothing to do with access restrictions? > >> This is also an example of how this feature would weaken >> security. In order to allow access to a resource within a certain >> time-frame, you will have to open access completely on repository >> level, so the whole access control would depend on the Sling layer, > No, this is wrong - as I mentioned in my first post here and as has > been explained over and over again since Mike came up with the > proposal, this is an additional filter. The intention is not to > replace ACLs. As Angela mentionend in the bug, there seem to be two possible ways of implementing time-based access on Sling layer. Either remove ACLs on the repository, or do it with an admin session. Both will shift access control enforcement from the repository to Sling. Of course technically this is just an additional filter (which arguably might already be dangerous), but in practice you will have to replace/ignore repository access control to make it work. This violates the single-point-of-access principle which has proven to be very valuable for CQ security in the past. I'm not against this idea in general, I just think this should all be done at one central place. In Oak you can provide your custom access control implementation. To me, this seems to be the natural place to implement additional requirements. What are the arguments against that? > > I'm really wondering why we are having this discussion over and over > again - we agreed some months ago to implement this feature in Sling. > Now Mike has started work and immediately everyone and his dog is > going back to the old discussion. :( I agree this is annoying, and I'm sorry if I missed the discussion the first time. But it really seems there are multiple concerns from different perspectives to this proposal which obviously were not resolved the first time. Sometimes it (or I) just needs a little concrete code to understand what one is debating about and find a good solution. Cheers Lars > > Carsten >
