Re: Dynamic ACLs in Oak?

2013-12-10 Thread Angela Schreiber
hi 

note however, that this just covers the authentication part. as far
as pluggable authorization is concerned this is definitely planned
for OAK 1.0 but still work in progress.

see https://issues.apache.org/jira/browse/OAK-1268 for a short
description of what is planned in this area... we basically need that
for our own closed user group handling but obviously this can
be used for any other kind of additional access restrictions.

kind regards
angela

On 12/9/13 5:41 PM, Bertrand Delacretaz bdelacre...@apache.org wrote:

> Hi,
>
> On Mon, Dec 9, 2013 at 5:34 PM, Jukka Zitting jukka.zitt...@gmail.com
> wrote:
>> ...Assuming a working JAAS setup, you can configure a custom optional
>> LoginModule that adds extra principals to the current subject based on
>> whatever criteria you want (source IP, HTTP header, phase of the moon,
>> etc.)
>
> Ok, thanks! phase of the moon, as in any arbitrary external value
> is indeed the kind of use case we're looking at.
>
> This looks like another reason to use the Felix Jaas stuff [1] which
> is good as this will be useful for Sling as well.
>
> -Bertrand
>
> [1] http://felix.apache.org/documentation/subprojects/apache-felix-jaas.html



Dynamic ACLs in Oak?

2013-12-09 Thread Bertrand Delacretaz
Hi,

Does Oak have an extension point where I can plug in my own dynamic ACL logic?

A typical use case is hiding a content subtree from some of the JCR
Sessions that are created, based on a decision made in my code at
session creation time, without having to change any actual ACLs.

To avoid security issues, such a dynamic ACL should only be able to
deny permissions on top of what Oak grants, but not grant any by
itself.

For now my goal is just to experiment with this, even if it's
inefficient or incomplete that would be useful.

-Bertrand


Re: Dynamic ACLs in Oak?

2013-12-09 Thread Bertrand Delacretaz
Hi,

On Mon, Dec 9, 2013 at 5:34 PM, Jukka Zitting jukka.zitt...@gmail.com wrote:
> ...Assuming a working JAAS setup, you can configure a custom optional
> LoginModule that adds extra principals to the current subject based on
> whatever criteria you want (source IP, HTTP header, phase of the moon,
> etc.)

Ok, thanks! phase of the moon, as in any arbitrary external value
is indeed the kind of use case we're looking at.

This looks like another reason to use the Felix Jaas stuff [1] which
is good as this will be useful for Sling as well.

-Bertrand

[1] http://felix.apache.org/documentation/subprojects/apache-felix-jaas.html
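
The suggestion quoted from Jukka Zitting above, sketched as an added example that is not part of the original thread and is not Oak or Felix code: an optional JAAS LoginModule that adds a marker principal to the subject. The class name, the `principalName` option, the `example.sourceIp` shared-state key and the `10.` prefix check are assumptions made for illustration.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.spi.LoginModule;

// Added example: hypothetical module, meant to run with the JAAS "optional" flag.
public class ExtraPrincipalLoginModule implements LoginModule {
    static final class MarkerPrincipal implements Principal {
        private final String name;
        MarkerPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof MarkerPrincipal && ((MarkerPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    private Subject subject;
    private Map<String, ?> sharedState;
    private Principal marker;
    private boolean matched;

    @Override public void initialize(Subject subject, CallbackHandler handler,
            Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.sharedState = sharedState;
        // Assumed option key, set in the JAAS configuration entry for this module.
        Object name = options.get("principalName");
        this.marker = new MarkerPrincipal(name != null ? name.toString() : "restricted");
    }

    @Override public boolean login() {
        // Assumed key: an earlier step in the login chain stored the client address.
        Object ip = sharedState.get("example.sourceIp");
        // Fail closed: an unknown address is handled like an untrusted one.
        matched = ip == null || !ip.toString().startsWith("10.");
        return matched; // false tells JAAS to ignore this module
    }

    @Override public boolean commit() {
        if (matched) subject.getPrincipals().add(marker);
        return matched;
    }

    @Override public boolean abort() { return logout(); }
    @Override public boolean logout() {
        subject.getPrincipals().remove(marker);
        matched = false;
        return true;
    }
}
```

Because a missing address also adds the marker principal, a session avoids whatever restrictions are tied to that principal only when the criterion was positively evaluated.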