My app will have 1-n workspaces.
Requirement 1: Each workspace will have its own set of users. Users from
one workspace cannot access other workspaces.
Requirement 2: In some exceptional cases, users may access other workspace

userperworkspace usermanager would be the right option. if you combine it with the corresponding security manager then users will only be allowed to access the workspace if the user exists therein (in contrast to e.g. the simple-workspace-ac-mgr which allows everyone to access
every workspace, see below).

To highlight this with an example: say the workspaces are Legal, Marketing
and Sales. They will have their own users and they cannot see each other's
stuff. Now a new workspace Cafeteria is added, that users from all other
workspaces should be able to see [and perhaps write comments on the menu
etc] that workspace.

you can either create users with the same userID in the cafeteria
workspace (the user nodes will be 'corresponding' to those in the other
workspaces based on the nodeID which stores the hashed identifier) or
simply clone the nodes.

Since Jackrabbit gives everyone read access to all workspaces, using the
DefaultSecurityManager was not an option. I ended up using

this is configurable (omit-default-permissions parameter with the access
control provider which can be configured for each workspace) and not related to the user manager at all.

UserPerWorkspaceSecurityManager, which now allows me to fulfill requirement

see above. that's fine but not related to the default permission
setup which depends on the per workspace ac provider.

1.
However I am puzzling over how to get to requirement 2.

see above.

I tried giving a user from workspace 1 access to workspace 2, but obviously
it does not work, since users are per workspace. I tried using

as stated above you have to make sure that the users are present
in the workspace. that's the default if you use the u-p-w-security
manager.
if you can't deal with this, you optionally could change the
security configuration to use a different workspace-access-mgr
that applies a different logic to determine if a given user can
access the workspace... but that you potentially have to fiddle
around with a custom loginmodule and/or principal provider if the
users were not present in the cafeteria workspace but still
need to have access and access control entries assigned.

DefaultSecurityManager, but that then gives everyone access to all
workspaces.

see above.

So, is there a mechanism to fulfill the requirements or is it asking too
much of jackrabbit ??

not at all.

PS: Please don't ask me to use a single workspace. Due to requirements of
total isolation, strong file system level security requirements and possible
future migration of workspaces independently to other machines, our
architects have decided on separate workspaces per community of users. I
cannot change that requirement.

that shouldn't be a problem from my point of view.

regards
angela
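
The first option from the reply above (creating a user with the same userID in the shared workspace and then assigning access control entries there), sketched as an added example that is not part of the original thread. It assumes Jackrabbit 2.x with the JCR 2.0 API, admin credentials that are valid in the target workspace, and an existing node at `path`; `CafeteriaProvisioner`, `grant` and `findAcl` are hypothetical names.

```java
import java.security.Principal;
import javax.jcr.*;
import javax.jcr.security.*;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.UserManager;

/** Hypothetical helper: provisions a user from another workspace in a shared one. */
public final class CafeteriaProvisioner {

    /** Ensures userId exists in the given workspace and has an explicit allow entry on path. */
    public static void grant(Repository repo, Credentials admin, String workspace,
                             String userId, char[] initialPassword, String path,
                             String... privilegeNames) throws RepositoryException {
        Session session = repo.login(admin, workspace); // e.g. the cafeteria workspace
        try {
            UserManager um = ((JackrabbitSession) session).getUserManager();
            Authorizable user = um.getAuthorizable(userId);
            if (user == null) {
                // Same userID as in the user's home workspace, so the nodes correspond.
                user = um.createUser(userId, new String(initialPassword));
            }
            AccessControlManager acm = session.getAccessControlManager();
            Privilege[] privs = new Privilege[privilegeNames.length];
            for (int i = 0; i < privs.length; i++) {
                privs[i] = acm.privilegeFromName(privilegeNames[i]);
            }
            Principal principal = user.getPrincipal();
            JackrabbitAccessControlList acl = findAcl(acm, path);
            acl.addEntry(principal, privs, true); // explicit allow, nothing implied
            acm.setPolicy(path, acl);
            session.save();
        } finally {
            session.logout();
        }
    }

    /** Returns the ACL already bound to path, or an applicable one that is not yet bound. */
    private static JackrabbitAccessControlList findAcl(AccessControlManager acm, String path)
            throws RepositoryException {
        for (AccessControlPolicy p : acm.getPolicies(path)) {
            if (p instanceof JackrabbitAccessControlList) return (JackrabbitAccessControlList) p;
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof JackrabbitAccessControlList) return (JackrabbitAccessControlList) p;
        }
        throw new AccessControlException("No ACL applicable at " + path);
    }
}
```

A call such as `grant(repo, adminCreds, "Cafeteria", "alice", pw, "/menu", Privilege.JCR_READ)` uses constructed values; the user created this way is a separate account in the shared workspace, so its password is managed there.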
