(This isn't a question -- just wanted to document it in case it helps
anyone else or in case I got something badly wrong.)

It's not uncommon to want to restrict a resource's access to only a
specific set of groups or users. For example, we might want the resource
tree rooted at "/marketing_dept" to be mostly traversable by the general
public but "/marketing_dept/budget.pdf" to only be readable by members
of the "marketing.department" Principal.

The default resource AccessControlList provider in Jackrabbit 2 enables
this, but you have to be aware that its AccessControlEntry resolves
potential conflicts in an ordered fashion:

- More recent User ACEs override earlier User ACEs.
- Any User ACEs override any Group ACEs.
- More recent Group ACEs override earlier Group ACEs.

Thus, to get the desired access control for
"/marketing_dept/budget.pdf", its ACL could be created as follows:

    // The privilege each entry below denies or grants
    Privilege[] readPrivs =
        {accessControlManager.privilegeFromName(Privilege.JCR_READ)};
    // User ACE: deny read to the anonymous user
    jackrabbitAccessControlList.addEntry(
        principalManager.getPrincipal(SecurityConstants.ANONYMOUS_ID),
        readPrivs, false);
    // Group ACE: deny read to "everyone"
    jackrabbitAccessControlList.addEntry(
        principalManager.getEveryone(), readPrivs, false);
    // Group ACE added last, so it overrides the "everyone" deny
    jackrabbitAccessControlList.addEntry(
        principalManager.getPrincipal("marketing.department"),
        readPrivs, true);

If instead the "everyone" ACE appeared last in the ACL, it would block
read access by members of the "marketing.department" (since they are
also members of "everyone").

Best,
Ray
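
The three ordering rules from the post above, as an added example (not part of the original post and not Jackrabbit code): a simplified Python model that evaluates the post's ACL and the variant with the "everyone" entry last. The `Ace` class, `can_read`, and the users "alice" and "bob" are constructed for illustration; inheritance from parent nodes is not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    principal: str   # user or group name
    is_group: bool   # True for a Group ACE, False for a User ACE
    allow: bool      # True = allow jcr:read, False = deny jcr:read

def can_read(acl, user, groups):
    """Resolve read access for `user` (a member of `groups`) on an ordered ACL.

    Rules as stated in the post: any User ACE overrides any Group ACE, and
    within each kind the most recent (last) matching entry wins.
    Assumption of this model: no matching entry means no access.
    """
    user_aces = [a for a in acl if not a.is_group and a.principal == user]
    if user_aces:
        return user_aces[-1].allow
    group_aces = [a for a in acl if a.is_group and a.principal in groups]
    if group_aces:
        return group_aces[-1].allow
    return False

# ACL in the order the post gives for /marketing_dept/budget.pdf
POST_ORDER = [
    Ace("anonymous", False, False),
    Ace("everyone", True, False),
    Ace("marketing.department", True, True),
]
# Same entries with the "everyone" deny moved last (the failure case)
EVERYONE_LAST = [POST_ORDER[0], POST_ORDER[2], POST_ORDER[1]]

# Constructed sample subjects: user -> group memberships
SUBJECTS = {
    "anonymous": {"everyone"},
    "alice": {"everyone", "marketing.department"},
    "bob": {"everyone"},
}

def evaluate(acl):
    """Return {user: can_read} for every constructed subject."""
    return {u: can_read(acl, u, g) for u, g in SUBJECTS.items()}

if __name__ == "__main__":
    for name, acl in (("post order", POST_ORDER),
                      ("everyone last", EVERYONE_LAST)):
        print(name, evaluate(acl))
```
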