I did not mean to imply that you couldn't browse the tree :) Rather, for me to configure ACL on a script right now I can use composum or crxde to go to the script and change the ACL on the parent of that script. My expectation for "the best way" to handle authentication for a servlet would be to use composum or crxde and go to the resource that the servlet creates and set the authentication for that servlet on its parent the same way that I would do for a script.

IMHO I think the loose end is that the focus is too narrow. One of the things that came out of the adaptTo is the desire to be able to replace the jcr with other resourceProviders. The last real step to that goal is an implementation of a security architecture that replaces what the jcr provides and instead turns the jcr into just another resourceprovider that also plugs into the Sling security architecture.

--
Jason

On Thu, Oct 4, 2018, at 11:43 AM, Carsten Ziegeler wrote:
> I would say, yes you can do both of it :)
>
> ResourceAccessGate has different permissions, one of them is execute. So
> if we base the solution on that, you can still browse the tree. The
> implementation of a RAG can do whatever it wants, so it can read
> permissions from somewhere.
>
> But maybe I'm overlooking something, when it comes to reading/executing
> a script, atm a service user is used for that, not the current user.
> That's to avoid to open up the search paths for everyone to read.
>
> So I think there are more loose ends here.
>
> Regards
>
> Carsten
>
>
> Jason E Bailey wrote
> > I'm beginning to think that there are two different mental models that
> > people who work with Sling take on. One is an OSGi model, where a solution
> > can be achieved via a Service and the creation and configuration of that
> > service(s). The other is a resource centric model where everything must be
> > exposed as a resource, and be configurable by changing properties on a
> > resource.
> >
> > From a resource pov the ResourceAccessGate is difficult and potentially
> > fails because I can't go through the resource tree and see what is and
> > isn't protected on the tree itself, nor can I configure a ResourceAccessGate
> > by defining permissions on a node.
> >
> > --
> > Jason
> >
> > On Thu, Oct 4, 2018, at 11:15 AM, Carsten Ziegeler wrote:
> >> Why is that? I think that's a bold statement.
> >>
> >> ResourceAccessGate has been developed (afaik) with this use case in mind.
> >>
> >> Carsten
> >>
> >>
> >> Bertrand Delacretaz wrote
> >>> Hi,
> >>>
> >>> On Thu, Oct 4, 2018 at 4:43 PM Julian Sedding <[email protected]> wrote:
> >>>> ...I am still convinced that this issue could be simply and
> >>>> elegantly solved with a ResourceAccessGate for both servlets and
> >>>> scripts in a generic way...
> >>>
> >>> This would probably work but I think it's not intuitive at all, and as
> >>> such error-prone.
> >>>
> >>> -Bertrand
> >>>
> >> --
> >> Carsten Ziegeler
> >> Adobe Research Switzerland
> >> [email protected]
> --
> Carsten Ziegeler
> Adobe Research Switzerland
> [email protected]
