I think it's an all or nothing proposition, not sure if you can selectively apply it other than using a separate session etc.?

A custom query manager could make sense for you, but the foolproof way is to use the AccessManager - that way all access is centrally controlled. I know it sounds expensive, but with ACLs, I think the lookups have to be fast and in memory cached. Sure, it means you are retrieving more data than you need to, so you shouldn't use ACL to partition lists for different users, but ideally you will use the access manager as a "fail safe" to make sure data is secure, and also use specific queries to filter the data that will reduce the data set that will also be (double) checked by the AccessManager.

Any of that make sense?

On another note, JCR2 looks like it is addressing ACLs directly, so my recommendation is to keep it simple, and see where JCR2 goes (it will be a superset of the current JCR spec from my reading). Last I read JCR2 spec, it had not fleshed out the access control section (but it was mentioned in detail).

On 10/1/06, Magnus Grimsell <[EMAIL PROTECTED]> wrote:
Hi Michael,

Yes, I do mean access control. After looking through the code it seems like the AccessManager will get invoked for every hit in the result list. I would like to implement a simple access control scheme based on node type. From a performance point of view it would be good to avoid a check for every hit. On the other hand it's simple to implement a custom QueryManager that narrows the search to only include the node types that the subject has access rights to, right?

Is there a suitable place to do the access control check that does not get called when performing searches?

/Magnus

-----Original message-----
From: Michael Neale [mailto:[EMAIL PROTECTED]
Sent: 1 October 2006 19:00
To: [email protected]
Subject: Re: how does authorization works in jackrabbit?

Hi Magnus.

Firstly, I think by authorisation in this context you mean access control? (authorisation is via JAAS I believe).

I worked out a little by plugging in a dummy AccessManager and looked at the callbacks. I did not try it with searching though, but I gather it will use it to honour the access rules with returning results - thus your access list lookups better be really fast and in memory!

Anyone else with real experience, please do share!

On 10/1/06, Magnus Grimsell <[EMAIL PROTECTED]> wrote:
>
> I would like to learn more how JackRabbit handles authorization to the
> repository content. Especially when it comes to searching.
> I've seen that there is a pluggable AccessManager but I'm not sure how this
> is used to filter the search result.
> Can somebody point me to some documentation or where in the code to look?
>
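
The layering discussed in this thread (a query narrowed to the node types a user may read, with a per-hit check kept as the fail-safe) is shown below as an added example; it is not part of the original messages and is not Jackrabbit code. It is plain Java with no Jackrabbit classes, and every name in it (`NodeTypeAccessDemo`, `isGranted`, `search`, the users and node types) is a hypothetical stand-in with constructed sample data.

```java
import java.util.*;
import java.util.stream.*;

// Added illustration: plain Java, no Jackrabbit classes. All names are hypothetical.
public class NodeTypeAccessDemo {
    // Constructed in-memory ACL: user -> node types the user may read.
    static final Map<String, Set<String>> ACL = new HashMap<>();
    static {
        ACL.put("alice", new HashSet<>(Arrays.asList("doc:public", "doc:finance")));
        ACL.put("bob", new HashSet<>(Arrays.asList("doc:public")));
    }

    static final class Hit {
        final String path, nodeType;
        Hit(String path, String nodeType) { this.path = path; this.nodeType = nodeType; }
    }

    // Constructed sample repository content.
    static final List<Hit> REPO = Arrays.asList(
        new Hit("/a", "doc:public"), new Hit("/b", "doc:finance"),
        new Hit("/c", "doc:hr"), new Hit("/d", "doc:public"));

    static int checks = 0; // counts fail-safe invocations

    // Fail-safe: consulted for every hit, deny by default (unknown user -> empty set).
    static boolean isGranted(String user, Hit hit) {
        checks++;
        return ACL.getOrDefault(user, Collections.<String>emptySet()).contains(hit.nodeType);
    }

    // Layer 1 (optional): narrow the query to the permitted node types.
    // Layer 2 (always): re-check every remaining hit through the fail-safe.
    static List<String> search(String user, boolean narrowQuery) {
        Set<String> allowed = ACL.getOrDefault(user, Collections.<String>emptySet());
        Stream<Hit> hits = REPO.stream();
        if (narrowQuery) hits = hits.filter(h -> allowed.contains(h.nodeType));
        return hits.filter(h -> isGranted(user, h)).map(h -> h.path).collect(Collectors.toList());
    }

    public static void main(String[] args) {
        for (boolean narrow : new boolean[] {false, true}) {
            checks = 0;
            List<String> result = search("bob", narrow);
            System.out.println("narrowed=" + narrow + " result=" + result + " checks=" + checks);
        }
        System.out.println("unknown user: " + search("mallory", false));
    }
}
```

Both runs return the same paths for a given user; narrowing only reduces how many hits reach the per-hit check, so a bug in the query filter cannot widen access.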
