You are viewing a plain text version of this content. The canonical link for it is here.

Posted to oak-issues@jackrabbit.apache.org by "angela (JIRA)" <ji...@apache.org> on 2019/03/06 13:14:00 UTC

[jira] [Comment Edited] (OAK-8101) AccessControlValidator prevents alternative authorization models to use restrictions

    [ https://issues.apache.org/jira/browse/OAK-8101?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16785618#comment-16785618 ] 

angela edited comment on OAK-8101 at 3/6/19 1:13 PM:
-----------------------------------------------------

[~stillalex], thanks a lot for the review. i committed the fix at revision 1854921 together with a test illustrating the issue.



was (Author: anchela):
Committed revision 1854921.


> AccessControlValidator prevents alternative authorization models to use restrictions
> ------------------------------------------------------------------------------------
>
>                 Key: OAK-8101
>                 URL: https://issues.apache.org/jira/browse/OAK-8101
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: core, security
>            Reporter: angela
>            Assignee: angela
>            Priority: Major
>             Fix For: 1.12, 1.11.0
>
>         Attachments: OAK-8101.patch
>
>
> [~stillalex], while working on an authorization related PoC I noticed that the {{AccessControlValidator}} present with the default implementation essentially prevents additional authorization models to make use of the default {{RestrictionProvider}} implementation that stores restrictions in a dedicated tree of type _rep:Restrictions_. It does so by asserting that a {{NodeState}} with this primary type is always located below an access control entry with the format defined by the default impl before validating the restrictions.
> This could e.g. be fixed as follows:
> - if the parent {{NodeState}} is indeed an entry as defined by the default implementation -> validate using implementation details
> - otherwise: throw {{CommitFailedException}} if the parent {{NodeState}} does not denotes an access control tree as defined by the (composite) {{Context}}.
> This would allow other models to make use of restrictions and validate them accordingly, while still failing the commit if an isolated restriction tree was spotted i.e. one outside of the access control context.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)