Marc Sommer wrote:
Strange behaviour!
After setting the ACL with WebdavResource.aclMethod the ACL-Info shows the correct settings and the server acts as expected:

Subject                        Action    Inheritable  Deny
/files/users/slideadmin        /actions  true         false
/files/users/ockenfeld         /actions  true         false
+/files/users/groups/12200963  /actions  true         false
/files/users                   /actions  true         true
But in some cases the order of the ACEs changes (I don't know why) and the server denies access to everybody!

Subject                        Action    Inheritable  Deny
/files/users                   /actions  true         true
+/files/users/groups/12200963  /actions  true         false
/files/users/ockenfeld         /actions  true         false
/files/users/slideadmin        /actions  true         false
Does anybody know what's going on here?!?
I'm using Slide from 21-04-2003 on JBoss 3.2.1 with a MySQL DB and I have got a big security problem...
Please help!
Regards,
Marc
Marc,
Here's my best guess at what's going on - I'll note, however, that I haven't used a JDBC slide store for some time, and I haven't actually seen this error, so I certainly could be wrong.
The security layer obviously relies on the ACEs being in a particular order - which is fine. However, the store layer does not enforce any ordering, and many of the stores (all the database-backed ones, at least) make no attempt to keep the ordering.
That was fine when the stores were written (at that time, the security layer didn't depend on ACE order, I think), but when the security layer was changed, the store interfaces were not. I pointed out at the time that this was broken, but my advice was apparently ignored.
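The following is an added illustration of the mechanism described in this reply, not code from Slide or from anyone in the thread. It models a first-match ACL evaluator with the four ACEs Marc posted (the matching rules, the group membership and the specificity-based evaluator are assumptions made for the example) and shows how the same ACEs grant access in one order and deny everybody in the other, and how an evaluation rule that does not depend on the stored order avoids the problem:

```python
# Added example: why the stored order of ACEs matters under first-match
# evaluation. Simplified model written for this thread; it is not Slide's
# own security code and its matching rules are assumptions.

from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Ace:
    subject: str       # a user, a group, or a parent path covering many users
    action: str
    inheritable: bool  # carried along for completeness, not evaluated here
    deny: bool


# Constructed ACEs mirroring the two orderings reported in the thread.
ACL_WORKING = [
    Ace("/files/users/slideadmin", "/actions", True, False),
    Ace("/files/users/ockenfeld", "/actions", True, False),
    Ace("/files/users/groups/12200963", "/actions", True, False),
    Ace("/files/users", "/actions", True, True),   # deny everyone else
]
# The order a store that keeps no ordering might hand back.
ACL_REORDERED = [ACL_WORKING[3], ACL_WORKING[2], ACL_WORKING[1], ACL_WORKING[0]]

# Constructed group membership (assumption: the '+' in the thread marks a group
# subject; "mueller" is an invented member of that group).
GROUPS = {"/files/users/mueller": ["/files/users/groups/12200963"]}


def subject_matches(ace_subject: str, user: str) -> bool:
    """An ACE applies if its subject is the user itself, one of the user's
    groups, or an ancestor path such as /files/users (meaning: all users)."""
    if ace_subject == user or ace_subject in GROUPS.get(user, []):
        return True
    return user.startswith(ace_subject.rstrip("/") + "/")


def first_match_allows(acl: List[Ace], user: str, action: str) -> bool:
    """Order-dependent evaluation: the first applicable ACE decides."""
    for ace in acl:
        if ace.action == action and subject_matches(ace.subject, user):
            return not ace.deny
    return False   # no ACE applies: default deny


def order_sensitive(acl: List[Ace], user: str, action: str) -> bool:
    """Check a practitioner can run over a stored ACL: does the decision for
    this user change if the store returns the ACEs in reverse order?"""
    forward = first_match_allows(acl, user, action)
    backward = first_match_allows(list(reversed(acl)), user, action)
    return forward != backward


def specificity_allows(acl: List[Ace], user: str, action: str) -> bool:
    """Order-independent evaluation: the most specific applicable ACE decides.
    Specificity here is the number of path segments in the subject, so a user
    or group entry always outranks a broad parent entry like /files/users,
    whatever order the store returned them in."""
    ordered = sorted(acl, key=lambda a: a.subject.count("/"), reverse=True)
    return first_match_allows(ordered, user, action)


if __name__ == "__main__":
    for name, acl in (("working", ACL_WORKING), ("reordered", ACL_REORDERED)):
        for user in ("/files/users/ockenfeld", "/files/users/mueller",
                     "/files/users/guest"):
            print(f"{name:9s} {user:24s} first-match={first_match_allows(acl, user, '/actions')!s:5s} "
                  f"specificity={specificity_allows(acl, user, '/actions')}")
```

With the working order, ockenfeld (direct entry) and mueller (via the group) are allowed and guest is denied; with the reordered list the broad deny entry for /files/users is reached first for every user, so all three are denied. The specificity-based evaluation returns the same decisions for both orderings, and `order_sensitive` flags the ACEs whose outcome depends on the order the store happens to return.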
Well, your advice has not been ignored completely as it seems. In
http://marc.theaimsgroup.com/?l=slide-dev&m=103637094431479&w=2
Eckehard Hermann pointed out that there is now a switch to use the old ACL semantics. Maybe this can help, even though this might imply reorganizing all existing ACL entries (I am no expert at this, I just interpret what is in the thread given above).
Oliver