Yes, I think my first answer was wrong (Note to myself, don't answer mails after long distance travels...) and you're right. The difference between provider and application type is exactly that. If there is no provider RAS and the provider does not declare to require one, the resource is visible. Same with application type, but also if application RAS is there but doesn't restrict it.
Carsten

2014-03-17 3:09 GMT-07:00 Marius Petria <[email protected]>:

> > > Furthermore the implementation of the ResourceAccessSecurity for the
> > > provider context does not behave like the one for the application
> > > context: If we for example check the read access for a resource the
> > > implementation calls all ResourceAccessGates till a gate is found
> > > which grants read access. That's correct but only done in the provider
> > > context.
> > > In the application context the implementation also calls all
> > > ResourceAccessGates till a gate is found which grants read access. But
> > > if no gate is found which grants read access and there's also no gate
> > > which denies access (returns GateResult.DONTCARE), access will be
> > > granted. This seems wrong in terms of security. The two
> > > implementations for provider context and application context should
> > > behave the same. With the only difference that ResourceResolver will
> > > ignore the application context if the service could not be found.
>
> I thought the difference in defaults between application scoped access
> security and provider scoped is intended.
> Provider scoped access security is requested by the resource provider
> itself using USE_RESOURCE_ACCESS_SECURITY, so it makes sense to deny access
> if no gate is present because the provider really cares about security.
>
> However, the application scoped access security is requested by the one
> that installs a gate, so it should only restrict access if the gate is
> present, as the provider does not really care about security.
>
> Or, am I understanding it wrong?
>
> Marius
>

-- 
Carsten Ziegeler
[email protected]
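The two defaults discussed in the thread (provider context: deny unless a gate grants; application context: allow unless a gate denies, so all-DONTCARE means visible), modelled as an added standalone example. This is not code from the thread or from Sling: the GateResult names GRANTED and DENIED, the check functions, and the sample gates and paths are constructed for illustration.

```python
from enum import Enum
from typing import Callable, Iterable

class GateResult(Enum):
    GRANTED = "granted"
    DENIED = "denied"
    DONTCARE = "dontcare"

# A gate is modelled as a callable from resource path to a GateResult.
Gate = Callable[[str], GateResult]

def check_read_provider_context(gates: Iterable[Gate], path: str) -> bool:
    """Provider context (provider opted in via USE_RESOURCE_ACCESS_SECURITY):
    the first gate that GRANTs wins; with no GRANT the default is deny."""
    for gate in gates:
        if gate(path) is GateResult.GRANTED:
            return True
    return False

def check_read_application_context(gates: Iterable[Gate], path: str) -> bool:
    """Application context as described in the thread: a GRANT wins, an
    explicit DENY blocks, and if every gate says DONTCARE the default is allow."""
    saw_denied = False
    for gate in gates:
        result = gate(path)
        if result is GateResult.GRANTED:
            return True
        if result is GateResult.DENIED:
            saw_denied = True
    return not saw_denied

# Constructed sample gates (hypothetical, not Sling's): one that only has an
# opinion about the /secure subtree, and one that never has an opinion.
def secure_tree_gate(path: str) -> GateResult:
    return GateResult.DENIED if path.startswith("/secure") else GateResult.DONTCARE

def indifferent_gate(path: str) -> GateResult:
    return GateResult.DONTCARE

GATES = [secure_tree_gate, indifferent_gate]

def compare(path: str) -> dict:
    """Read decision for the same path under both contexts."""
    return {"provider": check_read_provider_context(GATES, path),
            "application": check_read_application_context(GATES, path)}
```

For a path no gate cares about, the provider context denies while the application context allows; this is exactly the default-deny versus default-allow difference the thread argues over.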
