> > > speaking of JSR 283... it will also allow you to create prepared queries > with > variables that you can bind values to. >
Thank's for the pointer, I didn't know. > >> 2) XPath syntax is much more specific, so you cannot easily add > >> another statement in an injection > > > > "cannot easily add" is not very reassuring in a security context ;-) > > I actually meant "cannot add" ;-) An Xpath query is one single query only. Yeah, I thought that you wanted to say that... > > But taken 1), the worst thing that could happen is that the user gets > more > > results. Providing ACL in jsr283 is going to work fine, the user has no > > access to hidden information. > > > Correct. Although you could have that with JCR 1.0 alredy, too. You > would "just" have to implement access control restrictions in > Jackrabbit (write an AccessManager). It is already proven in a > commercial JCR repository (CRX). > Implementing such a basic security component makes me somewhat nervous. As far as I know, there is already a first implementation in the trunk. I can wait for that and go from there. Thanks for all the comments, Marc
