Yes, the jackrabbit implementation does not allow denying privileges on a group. The ModifyAcesServlet mirrors that behavior. I don't know the exact reasoning behind that, I'd suggest posting your question to the jackrabbit list.
Denying privileges is not part of the JCR spec, so this is a jackrabbit extension. On Apr 23, 2009 3:28 AM, "Ian Boston" <[email protected]> wrote: Hi, I am looking at the ModifyAceServlet. in the o.a.s.jackrabbit.accessmanager bundle I notice that if a requests privileges are denied from a principal that references a group, then the request to deny privileges is ignored. Does this mean its not possible to deny a privilege from a group ? If so, I would like to understand the reasoning. Thanks Ian
