RE: [RT] Make ResourceAccessSecurity always restrict access if installed and no ResourceAccessGate present

2014-03-18 Thread Mike Müller
2014-03-17 8:38 GMT-07:00 Mike Müller mike...@mysign.ch: Hi I think this is insecure by design and not correct: The problem is not that we do grant access if no ResourceAccessGate is registered for application context. The problem is that we grant access also if there is a

Re: [RT] Make ResourceAccessSecurity always restrict access if installed and no ResourceAccessGate present

2014-03-18 Thread Bertrand Delacretaz
Hi,

On Tue, Mar 18, 2014 at 8:48 AM, Mike Müller mike...@mysign.ch wrote:
> ... Maybe it would make sense to rename the DONTCARE to CANTDECIDE which would explain the mechanism better

I'm only half-following those discussions - do we have a single place which explains how the RAG works? As

RE: [RT] Make ResourceAccessSecurity always restrict access if installed and no ResourceAccessGate present

2014-03-18 Thread Marius Petria
I created an issue to fix the initial problem encountered by Mike [1]. The issue was that an explicit application scoped gate was needed to deny update access even if the access was denied by a provider scoped gate. That problem was captured in a test [2]. WDYT? Marius [1]

RE: [RT] Make ResourceAccessSecurity always restrict access if installed and no ResourceAccessGate present

2014-03-18 Thread Mike Müller
From: Bertrand Delacretaz [mailto:bdelacre...@apache.org] Subject: Re: [RT] Make ResourceAccessSecurity always restrict access if installed and no ResourceAccessGate present Hi, On Tue, Mar 18, 2014 at 8:48 AM, Mike Müller mike...@mysign.ch wrote: ... Maybe it would make sense to rename

RE: [RT] Make ResourceAccessSecurity always restrict access if installed and no ResourceAccessGate present

2014-03-18 Thread Mike Müller
...snipsnap

> Ok, I see your point and yes, partially this is related to the name DONTCARE. I'm fine with renaming it to CANTDECIDE and then implementing it the way you suggest :)
>
> Regards
> Carsten

Okay, created SLING-3462.

Best regards
mike

RE: [RT] Make ResourceAccessSecurity always restrict access if installed and no ResourceAccessGate present

2014-03-17 Thread Marius Petria
Furthermore the implementation of the ResourceAccessSecurity for the provider context does not behave like the one for the application context: If we for example check the read access for a resource the implementation calls all ResourceAccessGates till a gate is found which grants read

Re: [RT] Make ResourceAccessSecurity always restrict access if installed and no ResourceAccessGate present

2014-03-17 Thread Carsten Ziegeler
Yes, I think my first answer was wrong (Note to myself, don't answer mails after long distance travels...) and you're right. The difference between provider and application type is exactly that. If there is no provider RAS and the provider does not declare to require one, the resource is visible.

RE: [RT] Make ResourceAccessSecurity always restrict access if installed and no ResourceAccessGate present

2014-03-17 Thread Marius Petria
[mailto:mike...@mysign.ch] Sent: Monday, March 17, 2014 5:38 PM To: dev@sling.apache.org Subject: RE: [RT] Make ResourceAccessSecurity always restrict access if installed and no ResourceAccessGate present Hi I think this is insecure by design and not correct: The problem is not that we do

Re: [RT] Make ResourceAccessSecurity always restrict access if installed and no ResourceAccessGate present

2014-03-17 Thread Carsten Ziegeler
-Original Message- From: Carsten Ziegeler [mailto:cziege...@apache.org] Sent: Monday, March 17, 2014 3:35 PM To: dev@sling.apache.org Subject: Re: [RT] Make ResourceAccessSecurity always restrict access if installed and no ResourceAccessGate present Yes, I think my first answer

[RT] Make ResourceAccessSecurity always restrict access if installed and no ResourceAccessGate present

2014-03-16 Thread Mike Müller
Hi As I worked on SLING-3435 [1] and added some more tests I noticed that even if resourceaccesssecurity is installed as a bundle the two implementing classes ApplicationResourceAccessSecurityImpl (for application context) and ProviderResourceAccessSecurityImpl (for provider context) are only

Re: [RT] Make ResourceAccessSecurity always restrict access if installed and no ResourceAccessGate present

2014-03-16 Thread Carsten Ziegeler
Hi, the current implementation actually does this (if I read the code correctly) :) If useRAS is set, but no Gate available, the resource is not returned. At least ProviderHandler#getReadableResource does this. But of course if this is not the case, then you're totally right and we need to change