Hi,

On Sat, Jan 10, 2009 at 1:03 AM, Alessandro Cosenza <[email protected]> wrote:
> 1. using AccessManager for authorization in Jackrabbit means that JAAS classes
> are automatically involved (Subject, Principal), or I can use AccessManager
> also without involving JAAS classes?

The authenticated Subject is passed to the AccessManager instance inside the AMContext object, but it's of course up to you whether you want or need to use the Subject.

> 2. if I want to realize authorization with an external mechanism without JAAS,
> which mechanism can I use?

Implement your own AccessManager and configure Jackrabbit to use it.

> 3. on jsr170 1.0.1 at 6.9 Access Control it says: "...these permissions may be
> determined by the Credentials passed on login". I don't understand this.

The user can be authenticated based on the explicitly passed Credentials or based on some out-of-band information available to the LoginModule implementation. And authentication can obviously affect authorization. Alternatively, a Credentials implementation could also include explicit authorization information in the form of access tickets like authorization certificates that grant specific access rights to the session.

> 4. which is the usage for Session.checkPermissions? it doesn't accept a user
> kind-of parameter, how can I determine which user should be checked for
> permissions?

Session.checkPermission() checks the access rights of the current session. JSR 170 does not specify a mechanism for checking the access rights of other users or sessions. See the JSR 283 draft specification if you need such functionality.

BR,

Jukka Zitting
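
The behaviour described in answer 4, as an added example that is not part of the original message or of Jackrabbit: a helper built on the JCR 1.0 `Session.checkPermission(String absPath, String actions)` call. The class `SessionPermissions` and its method names are hypothetical; the `Session` passed in is the only identity being checked.

```java
import java.security.AccessControlException;
import java.util.ArrayList;
import java.util.List;
import javax.jcr.AccessDeniedException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;

/** Added example (hypothetical helper): permission checks for the current session only. */
public final class SessionPermissions {
    // Action strings defined by JCR 1.0 for Session.checkPermission().
    private static final String[] ACTIONS = {"read", "add_node", "set_property", "remove"};

    private SessionPermissions() {}

    /** checkPermission() reports denial by throwing, so translate that into a boolean. */
    public static boolean isGranted(Session session, String absPath, String actions)
            throws RepositoryException {
        try {
            session.checkPermission(absPath, actions);
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    /** Lists the JCR 1.0 actions the session's own user is denied at absPath. */
    public static List<String> deniedActions(Session session, String absPath)
            throws RepositoryException {
        List<String> denied = new ArrayList<String>();
        for (String action : ACTIONS) {
            if (!isGranted(session, absPath, action)) {
                denied.add(action);
            }
        }
        return denied;
    }

    /** Fail closed before a batch of changes: refuse unless every action is granted. */
    public static void require(Session session, String absPath, String... actions)
            throws RepositoryException {
        for (String action : actions) {
            if (!isGranted(session, absPath, action)) {
                throw new AccessDeniedException(
                        session.getUserID() + " may not " + action + " at " + absPath);
            }
        }
    }
}
```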
