On 8/18/11 4:19 PM, Mark Herman wrote:
1. I think that should work. This approach is kind of a "everything open unless I close it" mindset, where you may want to consider "everything is closed unless I open it." If myapp and blog need anonymous access for some reason you may want to restructure so the content folders don't need to be under them. 2. All permissions will only go down a hierarchy. Changing the permissions on a child won't have any effect on the parent (except for the fact that it's child was changed). Obviously changed to the parents security will be inherited by the children.
... unless you explicitly stop the inheritance by specifying an extra restriction with that ACE that only matches the parent node. this is part of the jackrabbit-specific extension of the JCR access control API.
3. I'm not too familiar but through trial and error it looks like you need to add jcr:nodeTypeManagement as well. I guess choosing a primary node type for a new node counts as nodeTypeManagement.
correct, Node.addNode(String) does not need the extra privilege but Node.addNode(String, String ntName) does. regards angela
