You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@jackrabbit.apache.org by Mat Lowery <ml...@pentaho.com> on 2009/12/15 23:42:34 UTC

Two ACLProviders

What are the differences between
org.apache.jackrabbit.core.security.authorization.acl.ACLProvider and
org.apache.jackrabbit.core.security.authorization.principalbased.ACLProvider?

Re: Two ACLProviders

Posted by Ian Boston <ie...@tfd.co.uk>.

On 15 Dec 2009, at 22:42, Mat Lowery wrote:

> What are the differences between
> org.apache.jackrabbit.core.security.authorization.acl.ACLProvider and

IIRC, acl enforces acls expressed on content nodes, where an acl is made up of a map of Access Control Entries, mapped by principal name, each ACE containing 2 arrays, one of granted privileges, one of dened privileges.

eg as json 
{
"everyone":{"granted":["jcr:read"]}
"ieb":{"granted":["jcr:read","jcr:write"]}

}

> org.apache.jackrabbit.core.security.authorization.principalbased.ACLProvider?

AFAICT, this is not used in the default configuration of 1.6, although it looks like it uses the order of the principals rather than the order of the acls when resolving/compiling a permission at a node. Certainly the order in which the bit map is constructed changes the final permissions bitmap.

Ian