Thanks Ian. Was thinking about the pros and cons of various options.

Some questions:

>> you will also need to protect the role property...

Why could this potentially become a security concern? You mean configuring loginModule in repository.xml is not good enough?

My other considerations for this approach (adding 'role' into node) are:
- how should I reference the role definition (which is defined in an SQL database)? reference the role ID - is it considered as bad or acceptable design?
- 'roles' in my application are defined at run time, not simple 'User' and 'Admin'.

>> ... all configured by adding entries into repository.xml

I did not find any 'Role' related configuration... or you mean something else, Access Manager?

>> it will be hard to make this secure, as there are many ways to get a node

You mean WebDAV sort of stuff? What if I do not enable it? What else?

rgds,
canal

________________________________
From: Ian Boston <[email protected]>
To: [email protected]
Sent: Monday, August 24, 2009 1:40:08 AM
Subject: Re: how to implement role based access control

On 23 Aug 2009, at 04:23, go canal wrote:

> Hello,
> would like to seek some advice on how to implement role based access control.
>
> let's say I have several thousands of files, two roles defined A and B. users
> are assigned role A or B.
> file access control is based on roles.
>
> How should I implement this role based access control in Jackrabbit?
> 1) should I add a 'role' property in the file node? and then implement my own
> access manager with isGranted() ?

you could, however you will also need to protect the role property to make certain that only authorized users can change it.

There are a number of examples to play with, all configured by adding entries into repository.xml

> 2) or should I implement a filter which filters the returned list ?

it will be hard to make this secure, as there are many ways to get a node and it all depends on the level of access the "client" has to the repository.

For instance, approach 1 will generate valid sets of search results for the user in question. 2 Would require a custom filter for points at which a search was made.

HTH
Ian

> thanks in advance !
>
> canal
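The access check that canal and Ian discuss (approach 1: a 'role' property on each file node, checked in an isGranted()-style method, with the role property itself protected so that only an administrator can change it) as a small Python model. This is an added example, not code from the thread or from Jackrabbit, and it does not use Jackrabbit's AccessManager API; the permission constants, the role table standing in for canal's SQL definitions, the node paths and the users are all constructed.

```python
"""Model of approach 1 from the thread: each file node carries a 'role'
property holding a role id, and an isGranted()-style check compares it with
the roles of the calling session. It also encodes the caveat Ian raises:
the role property itself must be changeable only by an administrator, or
anyone who can write the node could grant themselves access.

Illustrative model only, not Jackrabbit's AccessManager API. Permission
constants, node paths, role ids and users are constructed sample values."""

from dataclasses import dataclass, field

# Permission bits (constructed, in the style of repository access managers).
READ = 1
WRITE = 2
REMOVE = 4

# The node property that references a role id. Writes to this one property
# are checked against the admin role, independent of the node's own role.
ROLE_PROPERTY = "role"

# Role definitions live outside the repository (the SQL table in canal's
# question); nodes store only the id. Constructed sample rows.
ROLE_TABLE = {1: "finance-readers", 2: "engineering", 99: "admin"}
ADMIN_ROLE_ID = 99


@dataclass
class Node:
    path: str
    properties: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Session:
    user: str
    role_ids: frozenset


def is_granted(session, node, permissions, property_name=None):
    """Decide whether `session` may apply `permissions` to `node` (or to one
    named property of it). Fails closed on unlabelled nodes and on role ids
    that no longer exist in ROLE_TABLE (a dangling reference to the SQL row)."""
    if ADMIN_ROLE_ID in session.role_ids:
        return True
    # Protect the role property: only admins may set or remove it, even if
    # the session otherwise holds write access to the node.
    if property_name == ROLE_PROPERTY and permissions & (WRITE | REMOVE):
        return False
    role_id = node.properties.get(ROLE_PROPERTY)
    if role_id is None or role_id not in ROLE_TABLE:
        return False
    return role_id in session.role_ids


def set_property(session, node, name, value):
    """Write a property through the access check; raises PermissionError."""
    if not is_granted(session, node, WRITE, name):
        raise PermissionError(f"{session.user} may not write {name} on {node.path}")
    node.properties[name] = value


def readable_paths(session, nodes):
    """Approach 1 applied to a result set: because the check is per node,
    a search simply yields the nodes the session may read, with no separate
    filter layer to keep in step with every query path."""
    return [n.path for n in nodes if is_granted(session, n, READ)]


if __name__ == "__main__":
    report = Node("/files/report.pdf", {ROLE_PROPERTY: 1})
    design = Node("/files/design.doc", {ROLE_PROPERTY: 2})
    orphan = Node("/files/orphan.txt", {ROLE_PROPERTY: 5})   # role row deleted
    alice = Session("alice", frozenset({1}))
    root = Session("root", frozenset({ADMIN_ROLE_ID}))
    print(readable_paths(alice, [report, design, orphan]))   # ['/files/report.pdf']
    set_property(alice, report, "title", "Q3 report")        # allowed: alice holds role 1
    try:
        set_property(alice, report, ROLE_PROPERTY, 2)        # denied: role is protected
    except PermissionError as exc:
        print(exc)
    set_property(root, report, ROLE_PROPERTY, 2)             # admin may relabel
    print(readable_paths(alice, [report]))                   # []
```

The point of the `property_name` branch is the one Ian makes: a user who legitimately holds write access to a node must still be unable to rewrite its role id, otherwise write access on one file is also the ability to relabel it into a role the user holds. Referencing an external role by id is workable as long as the check fails closed when the id no longer resolves, as `is_granted` does here; and whatever enforces this in a real repository has to sit in the access manager rather than in a result filter, since, as Ian notes, a client may reach a node through more than one path.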
