> > Furthermore the implementation of the ResourceAccessSecurity for the > > provider context does not behave like the one for the application > > context: If we for example check the read access for a resource the > > implementation calls all ResourceAccessGates till a gate is found > > which grants read access. That's correct but only done in the provider > > context. > > In the application context the implementation also calls all > > ResourceAccessGates till a gate is found which grants read access. But > > if no gate is found which grants read access and there's also no gate > > which denies access (returns GateResult.DONTCARE), access will be > > granted. This seems wrong in terms of security. The two > > implementations for provider context and application context should > > behave the same. With the only difference that ResourceResolver will > > ignore the application context if the service could not be found.
I thought the difference in defaults between application scoped access security and provider scoped is intended. Provider scoped access security is requested by the resource provider itself using USE_RESOURCE_ACCESS_SECURITY, so it makes sense to deny access if no gate is present because the provider really cares about security. However, the application scoped access security is requested by the one that installs a gate, so it should only restrict access if the gate is present, as the provider does not really care about security. Or, am I understanding it wrong? Marius
