2009/4/23 Ian Boston <[email protected]>:
> Hi,
> I've spent the last few days looking at the impl of the AccessControlManager
> and I have noticed several things.
>
> ACLs contain multiple ACEs, mapped by a Principal which must be resolved by
> the UserManager to an Authorizable. (the ModifyAceServlet indicates this)
> The set of Authorizables that a user is a member of must be pre-determined
> at jcr session time so the privileges can be compiled.
>
> ---
>
> I want to add 2 concepts to AuthZ, but keep the DefaultAccessControlManager
> and the accessmanager servlet bundle if possible.
>
> The additions are, owner and dynamic group.
>
> Owner.
> Permissions are granted to a sub tree on the basis that the user owns the
> node in question. There may be many nodes, owned by different users, and the
> ownership (denoted by a jcr property xyz:owner) may change.
>
> Dynamic Group:
> Non-determinable.
> There is a class of memberships that can only be determined by querying. e.g.
> The resource is only readable between 10:00 and 12:00 on 23/04/2009 to
> members of First Year Physics class accessing the resource from the IP range
> 131.111.21.0/128 (although *if* you knew this group existed, you could test
> on every request, but that could become expensive when only 1 resource out
> of millions needed this sophistication)
>
> Is there a better way of implementing Owner and a Dynamic membership which
> won't generate huge load at session initiation?

I have been doing some stuff with dynamic policies myself, and ended
up writing a PluggableAccessManager. This way you can supply your
access control logic in your own bundle, and have Sling use it,
without touching the default bundles in Sling. The only thing you need
to change is the AccessManager element in your repository.xml.

The PluggableAccessManager extends DefaultAccessManager, and provides
an interface for you to implement your own access control logic.

To be able to plug in an access manager, I had to make some minor
changes in the Jackrabbit Server bundle. These changes are waiting in
a patch at SLING-880 [1]. I'll see if I can get consensus on applying
that patch.

[1] https://issues.apache.org/jira/browse/SLING-880


-- 
Vidar S. Ramdal <[email protected]> - http://www.idium.no
Akersgata 16, N-0158 Oslo, Norway
+47 21 531941, ext 2070
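As an added illustration of the two rules from Ian's question evaluated per request instead of at session start (example code, not Vidar's PluggableAccessManager nor Sling's own API): the `ReadPolicy` interface is an assumed placeholder for whatever hook the pluggable manager exposes, the property name xyz:owner is taken from the question, and the roster, time window and CIDR are constructed values.

```java
import java.time.LocalDateTime;
import java.util.Set;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;

/** Assumed plug-in hook (not Sling's API): decide one read request for (session, node). */
interface ReadPolicy {
    boolean canRead(Session s, Node node, String clientIp, LocalDateTime now) throws RepositoryException;
}

/** Owner rule: grant if the session user owns the nearest ancestor-or-self carrying xyz:owner. */
class OwnerPolicy implements ReadPolicy {
    public boolean canRead(Session s, Node node, String clientIp, LocalDateTime now) throws RepositoryException {
        for (Node n = node; ; n = n.getParent()) {
            // the live property is read on each check, so a changed owner takes effect immediately
            if (n.hasProperty("xyz:owner")) return s.getUserID().equals(n.getProperty("xyz:owner").getString());
            if (n.getDepth() == 0) return false; // reached the root without finding an owner
        }
    }
}

/** Dynamic group: membership depends on who, when and from where, so it is computed per request. */
class TimeWindowNetworkPolicy implements ReadPolicy {
    private final Set<String> roster;        // constructed: user ids in the class
    private final LocalDateTime from, until; // constructed: allowed window [from, until)
    private final String cidr;               // constructed: e.g. "131.111.21.0/24"
    TimeWindowNetworkPolicy(Set<String> roster, LocalDateTime from, LocalDateTime until, String cidr) {
        this.roster = roster; this.from = from; this.until = until; this.cidr = cidr;
    }

    public boolean canRead(Session s, Node node, String clientIp, LocalDateTime now) {
        return roster.contains(s.getUserID()) && !now.isBefore(from) && now.isBefore(until)
                && inCidr(clientIp, cidr);
    }

    /** IPv4 CIDR membership; malformed input is treated as "not a member" rather than thrown. */
    static boolean inCidr(String ip, String cidr) {
        try {
            String[] parts = cidr.split("/");
            int bits = Integer.parseInt(parts[1]);
            if (bits < 0 || bits > 32) return false; // reject prefixes that are not valid for IPv4
            long mask = (0xFFFFFFFFL << (32 - bits)) & 0xFFFFFFFFL;
            return (toBits(ip) & mask) == (toBits(parts[0]) & mask);
        } catch (RuntimeException e) { return false; }
    }

    private static long toBits(String ip) {
        String[] o = ip.split("\\.");
        if (o.length != 4) throw new IllegalArgumentException(ip);
        long v = 0;
        for (String octet : o) v = (v << 8) | Integer.parseInt(octet);
        return v;
    }
}
```

Because neither policy materialises group membership at login, only the one resource that needs the rule pays for the query, which is the load concern raised in the question.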
