On 16 Jul 2007, at 15:43, David Nuescheler wrote:
> (2) Access Control Management to go beyond the introspection that is already specified in JCR v1.0
It seems that access control in JCR 2.0 is limited to declarative security?
I think this is a very bad restriction. Declarative security was never sufficient enough for EJBs, and is surely not sufficient for all types of applications which might be built on top of a JCR repository, and is very often much more verbatim than implied or programmatic security.
What I'd like to see would be some means of getting access to Nodes in a read-only "before" session and an "after" session in a security manager. This would allow implementing a wide range of different security managers depending on the application at hand.
I guess there are technical challenges with implementing such session access, but it could be an optional feature, and the suggested next generation persistence architecture would probably easily support it.
-- Torgeir Veimo [EMAIL PROTECTED]
