On 08.04.12 18:50, maikhorma wrote:
> Sandro Boehme wrote
>> Maybe it's best practice in Sling and/or Jackrabbit to allow anonymous
>> to read the root node. I don't know. But it seems not preferable to me
>> because one would need to make sure to set the permissions for every new
>> child node he should not see. But maybe I miss something.
>
> You don't exactly need anonymous at the root node, so you can still disable
> it. For example, in our implementation, we disabled anonymous access, left
> permission at the root for "everyone". In this case "everyone" is more like
> "authenticated users" since sling won't let you in unless you authenticate.
> Then at the /content/mydata node, we put an "everyone deny jcr:all" followed
> by "UserGroup allow jcr:all" where UserGroup is a group that we created.
> Then our structure goes under the mydata node. Note, ordering of ACLs does
> matter.

You are right! When disabling "Allow Anonymous Access" in the
configuration for "Apache Sling Authentication Service" one needs to
authenticate for the root node. And there will be no redirect problem.
That's a good description. Thanks!

> See [1] for a ticket about the issue. I thought I've seen another related
> one with more discussion from the devs but I can't find it at the moment.
>
> [1] https://issues.apache.org/jira/browse/JCR-2963
Best,
Sandro
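
The ACL layout described in the thread ("everyone deny jcr:all" followed by "UserGroup allow jcr:all" on /content/mydata), written against the JCR and Jackrabbit access control API. This is an added example, not code posted by either participant; the class and method names are hypothetical, and it assumes a session that may modify access control with jackrabbit-api and jackrabbit-jcr-commons on the classpath.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;

/** Hypothetical helper, not part of Sling or Jackrabbit. */
public final class MyDataAcl {

    /** path e.g. "/content/mydata", groupName e.g. "UserGroup" (names from the thread). */
    public static void restrict(Session session, String path, String groupName)
            throws RepositoryException {
        AccessControlManager acm = session.getAccessControlManager();
        PrincipalManager pm = ((JackrabbitSession) session).getPrincipalManager();
        Principal everyone = pm.getEveryone();
        Principal group = pm.getPrincipal(groupName);
        if (group == null) {
            throw new IllegalArgumentException("no such group: " + groupName);
        }
        JackrabbitAccessControlList acl =
                AccessControlUtils.getAccessControlList(session, path);
        if (acl == null) {
            throw new IllegalStateException("no ACL can be set at " + path);
        }
        // Drop earlier entries for both principals so the resulting order is known.
        // getAccessControlEntries() returns a copy, so removing while looping is safe.
        for (AccessControlEntry ace : acl.getAccessControlEntries()) {
            String name = ace.getPrincipal().getName();
            if (name.equals(everyone.getName()) || name.equals(group.getName())) {
                acl.removeAccessControlEntry(ace);
            }
        }
        Privilege[] all = { acm.privilegeFromName(Privilege.JCR_ALL) };
        acl.addEntry(everyone, all, false); // "everyone deny jcr:all"
        acl.addEntry(group, all, true);     // "UserGroup allow jcr:all", added after the deny
        acm.setPolicy(path, acl);           // entries are stored in the order added
        session.save();
    }
}
```

To confirm the stored order afterwards, read the policy back with `acm.getPolicies(path)` and check that the deny entry for everyone precedes the allow entry for the group.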