> On Sun, Nov 9, 2008 at 11:35 PM, David Nuescheler <[EMAIL PROTECTED]> wrote:
> > starting to expose services like access control on the resource tree is
> > something that i find dangerous and problematic. access control should
> > really be enforced at the data (jcr) layer
>
> I think it's only the credentials that are passed through the resource
> API, the underlying JCR will still provide the ACL handling.
>

Then, what happens if you have to integrate legacy databases, RSS feeds, 3rd-party services, whatever? As far as integration and aggregation are concerned, this is the technological reality nowadays.

By adding custom resource providers in Sling, we are able to support this state of affairs. That is great. Because of that, IMHO ACL handling would not be restricted to JCR data. Does that make sense?

BR,
Juanjo.
