On Mon, Aug 25, 2008 at 4:51 PM, Marc Speck <[EMAIL PROTECTED]> wrote:
>> 2) XPath syntax is much more specific, so you cannot easily add
>> another statement in an injection
>
> "cannot easily add" is not very reassuring in a security context ;-)

I actually meant "cannot add" ;-) An XPath query is one single query only.

> But taken 1), the worst thing that could happen is that the user gets more
> results. Providing ACL in jsr283 is going to work fine, the user has no
> access to hidden information.

Correct. Although you could have that with JCR 1.0 already, too. You
would "just" have to implement access control restrictions in
Jackrabbit (write an AccessManager). It is already proven in a
commercial JCR repository (CRX).

Regards,
Alex

-- 
Alexander Klimetschek
[EMAIL PROTECTED]
