Are you reusing a session? When I have run into security issues such as this, it has mostly been due to Jackrabbit caching permissions. If, within a session, you read the document node prior to having read permission revoked, you will be able to read it for the life of the session, or perhaps until its permission is flushed from the cache, which is an LRUMap (I think).

On Wed, Jan 21, 2009 at 9:16 AM, Alessandro Cosenza <[email protected]> wrote:
> Hi.
> I have these folder nodes:
> /documents/reviews
>
> When I revoke read permission on "documents" and recursively
> on "reviews" and try to call
> root.getNode("documents/reviews"), it works fine
> (it throws an exception).
>
> But when I revoke read permission only on "documents",
> calling root.getNode("documents/reviews") doesn't
> throw an exception.
> I think it should throw an exception all the same, because it
> first has to read the "documents" node. It seems that
> it doesn't consider the "documents" node.
> Can anyone explain this strange behaviour to me?
> Thanks
