Is it true that the first ACE applying to a principal that refers to the permission being sought wins? If so, then I still am confused by the order of the ACEs. Why are they ordered the way that they are? Thanks again!
On Tue, 2009-12-15 at 18:40 -0500, Mat Lowery wrote:
> Can someone provide some background on the implementation of
> o.a.j.core.security.authorization.acl.ACLProvider?
>
> For example, why is the entire path of nodes from root to leaf consulted
> when making authorization decisions? One could imagine an
> implementation that consults only the first non-empty ACL starting at
> the leaf and moving up towards the root.
>
> Additionally, why are the access control entries ordered by principal?
> At first I thought that ACE order mattered but now I'm not sure.
>
> In general, the logic behind buildResult() is a mystery. Any help would
> be appreciated.
