hi ferry
we don't want to define users per workspace because most of our users
will have access to different workspaces.
Therefore we would like to use the security workspace which comes with the
DefaultSecurityManager.
ok.
Furthermore a user should only access workspaces where he has a defined ACL in
that workspace.
... so your implementation of the WorkspaceAccessManager would need to
verify in some way if there are any acls applying for that subject
in the target workspace, right?
the implementation of the WorkspaceAccessManager#grants method in
your custom wsp-ac-manager could for example look something like:
    public boolean grants(Set<Principal> principals, String workspaceName) {
        AccessControlProvider pvd = getAccessControlProvider(workspaceName);
        CompiledPermissions cp = ... /* granting everything */
        AccessControlPolicy[] acls = pvd.getEffectivePolicies(principals, cp);
        return acls.length > 0;
    }
to avoid that every user could read every workspace, we create a new workspace
with ACLProvider as Workspace-AccessControlProvider with option
omit-default-permission=true.
not sure i understand what you mean with
Workspace-AccessControlProvider.... imo your config should look as follows:
1. repository config:
<Repository>
    [...]
    <Security appName="...">
        <SecurityManager
            class="org.apache.jackrabbit.core.DefaultSecurityManager"
            workspaceName="security">
            <WorkspaceAccessManager class="**your-custom-wsp-access-mgr**"/>
        </SecurityManager>
    </Security>
    [...]
</Repository>
2. workspace config
<?xml version="1.0" encoding="UTF-8"?>
<Workspace name="...">
    [...]
    <WorkspaceSecurity>
        <AccessControlProvider
            class="org.apache.jackrabbit.core.security.authorization.principalbased.AccessControlProvider">
            <param name="omit-default-permission" value="true"/>
        </AccessControlProvider>
    </WorkspaceSecurity>
    [...]
</Workspace>
hope that helps
angela
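
Added example, not part of the original message and not Jackrabbit code: a small self-contained model of the check discussed above, showing why the "any ACL applies" test only restricts access when the workspace is created without default permissions. The class, its helper methods, the workspace and principal names, and the assumption that the default permissions contain a read entry for an "everyone" group are all constructed for illustration.

```java
import java.util.*;

// Constructed model: each workspace maps principal names to the privileges
// granted to them by ACL entries in that workspace.
public class WorkspaceGateModel {
    private final Map<String, Map<String, Set<String>>> acls = new HashMap<>();

    // Hypothetical helper; omitDefault mirrors omit-default-permission=true.
    void createWorkspace(String name, boolean omitDefault) {
        Map<String, Set<String>> entries = new HashMap<>();
        if (!omitDefault) {
            // Assumed default entry: read access for the "everyone" group.
            entries.put("everyone", new HashSet<>(Set.of("jcr:read")));
        }
        acls.put(name, entries);
    }

    // Hypothetical helper: adds an ACL entry for one principal.
    void allow(String workspace, String principal, String privilege) {
        acls.get(workspace)
            .computeIfAbsent(principal, p -> new HashSet<>())
            .add(privilege);
    }

    // Same decision as the grants() sketch: access only if at least one
    // ACL entry in the target workspace applies to one of the principals.
    boolean grants(Set<String> principals, String workspace) {
        Map<String, Set<String>> entries = acls.get(workspace);
        if (entries == null || principals == null) {
            return false; // unknown workspace or no subject: deny
        }
        return principals.stream().anyMatch(entries::containsKey);
    }

    public static void main(String[] args) {
        WorkspaceGateModel m = new WorkspaceGateModel();
        m.createWorkspace("open", false);    // default permissions kept
        m.createWorkspace("finance", true);  // default permissions omitted
        m.allow("finance", "alice", "jcr:read");

        Set<String> alice = Set.of("alice", "everyone");
        Set<String> bob = Set.of("bob", "everyone");
        System.out.println("alice -> finance: " + m.grants(alice, "finance"));
        System.out.println("bob   -> finance: " + m.grants(bob, "finance"));
        System.out.println("bob   -> open:    " + m.grants(bob, "open"));
        System.out.println("bob   -> missing: " + m.grants(bob, "missing"));
    }
}
```

In this model bob is admitted to "open" only through the default "everyone" entry, so the existence check separates users only for workspaces created with the default entries omitted.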