Hi Slider,

I added a switch to the NamspaceTokenImpl which allows running Slide with the
legacy all-grant-before-any-deny or with the changed/fixed
all-grant-before-any-deny semantic. To run with the legacy ACL semantic, add
the following parameter:
<parameter name="acl_semantics">legacy-all-grant-before-any-deny</parameter>
to the <configuration> of your namespace in the Domain.xml file. However, if
you run with the legacy semantic, where the order of the ACEs in the ACL is
not relevant, you still build upon a bug. The old and new ACL standard
defines that the order in which the ACEs appear in an ACL is relevant if the
all-grant-before-any-deny ACL semantic is used.
regards Eckehard


 -----Original Message-----
From:   Pill, Juergen [mailto:Juergen.Pill@;softwareag.com] 
Sent:   Tuesday, October 29, 2002 17.34 PM
To:     'Slide Developers Mailing List'
Subject:        Re: ACL sematic changed

Hi Michael,

o.k., I will make the ACL semantics switchable.
regards Eckehard


-----Original Message-----
From:   Michael Smith [mailto:msmith@;xn.com.au]
Sent:   Monday, October 28, 2002 2:28 AM
To:     Slide Developers Mailing List
Subject:        Re: ACL sematic changed


"Pill, Juergen" wrote:
> 
> Hi Sliders,
> 
> Because the currently implemented ACL semantic brings up some great
> problems in usage and contains some inconsistencies, I added the planned
> changes in the ACL standard for chapter 6.1.2 in advance to Slide. Now Slide
> implements the ACL semantic:
> 
> Dav:all-grant-before-any-deny: The ACEs are evaluated in the order in which
> they appear in the ACL, until all privileges needed for the request have
> been granted. If an evaluated ACE denies a privilege needed for the request,
> the request MUST fail. If all ACEs have been evaluated without the user being
> granted all privileges needed for the request, the request MUST fail. An
> example is the NT file system.
> 
> !!!!! So be careful, the ACL semantic changed !!!! Now the order of the ACEs
> in an ACL is relevant
> 
> regards
> Eckehard
> 

This sounds like a pretty major problem - whilst I agree that the old ACL
semantics were a pain to use and had various other problems, this new way
simply cannot work without store-layer changes. The slide store interface
does NOT guarantee (and in practice does NOT provide) guaranteed ordering to
the ACEs in an ACL. So essentially, with this change, the evaluation of an
ACL is undefined if there is more than one ACE.
If this is required (which is fine in principle), it is absolutely critical
that the store interface be changed _first_, and that this be implemented in
at least all the reference stores.
Michael

--
To unsubscribe, e-mail:   <mailto:slide-dev-unsubscribe@;jakarta.apache.org>
For additional commands, e-mail: <mailto:slide-dev-help@;jakarta.apache.org>
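
The ordered evaluation quoted in this thread, and the ordering concern raised against it, as an added example that is not part of the original messages and is not Slide code. The ACE tuple, the function names and the sample ACL are hypothetical and constructed for illustration.

```python
from itertools import permutations
from typing import NamedTuple


class ACE(NamedTuple):
    principal: str
    privilege: str
    grant: bool  # True = grant ACE, False = deny ACE


def evaluate_in_order(acl, principals, needed):
    """Walk the ACEs in list order, following the quoted rule:
    stop once every needed privilege is granted, fail on a deny of a
    needed privilege, fail if the list ends with privileges missing."""
    needed = set(needed)
    remaining = set(needed)
    for ace in acl:
        if not remaining:
            break  # everything needed was granted before any deny
        if ace.principal not in principals or ace.privilege not in needed:
            continue  # ACE does not apply to this request
        if not ace.grant:
            return False  # a deny was reached first
        remaining.discard(ace.privilege)
    return not remaining


def outcomes_over_orderings(acl, principals, needed):
    """Every decision reachable if a store may return the same ACEs in
    any order. More than one element means the result depends on order."""
    return {evaluate_in_order(p, principals, needed) for p in permutations(acl)}


# Constructed sample: alice is a member of group "staff".
SAMPLE_ACL = [
    ACE("alice", "write", True),
    ACE("staff", "write", False),
    ACE("staff", "read", True),
]
ALICE = {"alice", "staff"}

if __name__ == "__main__":
    print(evaluate_in_order(SAMPLE_ACL, ALICE, {"write"}))
    print(evaluate_in_order(list(reversed(SAMPLE_ACL)), ALICE, {"write"}))
    print(outcomes_over_orderings(SAMPLE_ACL, ALICE, {"write"}))
```

Running `outcomes_over_orderings` over stored ACLs is one way to find the ACLs whose decision would change if the store returned their ACEs in a different order.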

