I am trying to understand the way in which the
DefaultAccessControlManager works within Sling. I 'think' this is the
default AccessControlManager that is active when Sling is built and
would like to use it.

If my understanding is correct, a set of ACEs is constructed based
on the full set of ACEs from the ACL of the node in question, and all
parent nodes. This set is filtered by the set of principals held by
the user (connected to the session), and any restriction filters to
control/limit inheritance of ACEs.

The filtered set is compiled into a CompiledPermission set for the
node in question (which is cached with the session), and privileges
are evaluated against that compiled permission set.

If I have that correct, does that mean that all Principal(s) for the
user must be known *before* the ACL is constructed, and, in the
default implementation of the AccessControlManager in Jackrabbit, it's
not possible to have Principal(s) that are given to the user on
request, or, from a performance point of view, a massive set of
principals (i.e. resolve all possible Principals in advance)?
Ian
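
A simplified model of the evaluation as the message above describes it, added here as an illustration; it is not Jackrabbit or Sling code. The class names, node paths, principals and ACL entries are all constructed, and restrictions are not modeled.

```java
import java.util.*;

// Toy model only: hypothetical names, not Jackrabbit's classes.
public class CompiledPermissionModel {
    record Ace(String principal, boolean allow, Set<String> privileges) {}

    // Constructed sample ACLs, keyed by node path.
    static final Map<String, List<Ace>> ACLS = Map.of(
        "/", List.of(new Ace("everyone", true, Set.of("jcr:read"))),
        "/content", List.of(new Ace("editors", true, Set.of("jcr:write"))),
        "/content/private", List.of(
            new Ace("everyone", false, Set.of("jcr:read")),
            new Ace("auditors", true, Set.of("jcr:read"))));

    // Collect ACEs from the root down to the node, keep only those whose
    // principal is in the supplied set, and let entries nearer the node win.
    static Set<String> compile(String path, Set<String> principals) {
        List<String> chain = new ArrayList<>();
        for (String p = path; ; p = p.substring(0, Math.max(p.lastIndexOf('/'), 1))) {
            chain.add(0, p);
            if (p.equals("/")) break;
        }
        Set<String> granted = new HashSet<>();
        for (String node : chain)
            for (Ace ace : ACLS.getOrDefault(node, List.of()))
                if (principals.contains(ace.principal())) {
                    if (ace.allow()) granted.addAll(ace.privileges());
                    else granted.removeAll(ace.privileges());
                }
        return granted;
    }

    // The compiled result is cached per session, as described in the message.
    static class Session {
        final Set<String> principals;
        final Map<String, Set<String>> cache = new HashMap<>();
        Session(Set<String> principals) { this.principals = new HashSet<>(principals); }
        boolean hasPrivilege(String path, String privilege) {
            return cache.computeIfAbsent(path, p -> compile(p, principals)).contains(privilege);
        }
    }

    public static void main(String[] args) {
        Session s = new Session(Set.of("everyone"));
        System.out.println("at login:         " + s.hasPrivilege("/content/private", "jcr:read"));
        s.principals.add("auditors");  // principal granted after the set was compiled
        System.out.println("principal added:  " + s.hasPrivilege("/content/private", "jcr:read"));
        s.cache.clear();               // recompilation is needed to see the new principal
        System.out.println("after recompile:  " + s.hasPrivilege("/content/private", "jcr:read"));
    }
}
```

In this model, a principal granted after compilation has no effect until the cached set is discarded, which is the concern the question raises.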