This is an automated email from the ASF dual-hosted git repository. thomasm pushed a commit to branch OAK-9780 in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git
commit 6052ef60e1a2ff275eb2023c077e5bfe84f4d1de Author: angela <anch...@adobe.com> AuthorDate: Tue Jun 7 10:59:42 2022 +0200 OAK-9795 : Best practices: explicitly discourage ac setup for anonymous --- oak-doc/src/site/markdown/security/authorization/bestpractices.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/oak-doc/src/site/markdown/security/authorization/bestpractices.md b/oak-doc/src/site/markdown/security/authorization/bestpractices.md index 2bbdf0948e..6c4ddebee4 100644 --- a/oak-doc/src/site/markdown/security/authorization/bestpractices.md +++ b/oak-doc/src/site/markdown/security/authorization/bestpractices.md @@ -201,6 +201,13 @@ your `PrincipalProvider` resolves principal membership according to your needs. Further, note that the default authorization model will give precedence to user principals upon evaluation in other words default access control entries for user principals will overwrite the effect of groups irrespective of the order in the list (see next section). +The above rule is particularly important for the anonymous user marking access with `GuestCredentials`. +If you setup access control for anonymous it will result in the guest account to have effective permissions that do +not apply for any authenticated session. + +What is usually intended instead is setting up permissions for the _everyone_ group. See also +[PrincipalManager.getEveryone()](/oak/docs/apidocs/org/apache/jackrabbit/api/security/principal/PrincipalManager.html#getEveryone) + ### Understand default access control and permission management #### Remember inheritance
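Review bot: the two paragraphs added after "irrespective of the order in the list (see next section)." carry grammar problems that will show up verbatim in the published best-practices page: "the anonymous user marking access with `GuestCredentials`" should read "the anonymous user, i.e. the user logged in with `GuestCredentials`", "If you setup access control" should be "If you set up access control", and "it will result in the guest account to have effective permissions" should be "it will result in the guest account having effective permissions"; the final sentence pointing at `PrincipalManager.getEveryone()` also lacks a terminating period. Suggested wording for the first paragraph: "The above rule is particularly important for the anonymous user, i.e. the user logged in with `GuestCredentials`. If you set up access control for the anonymous user principal, the guest session ends up with effective permissions that do not apply to any authenticated session." Since the added text already contrasts anonymous-only permissions with the _everyone_ group, it would also help to say in the second paragraph why _everyone_ is the right target (entries for that group take effect for guest and authenticated sessions alike), so the reader is told what to do rather than only what to avoid.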