Posted to dev@jackrabbit.apache.org by Martin Perez <mp...@gmail.com> on 2005/10/13 12:22:37 UTC

Confused about checking permissions

Hi.

I have to implement a security layer over my jackrabbit based repository.
I'm confused about how it could be done. What's the purpose of the
session's checkPermission method? Yes, it's clear that you can check
permissions, but how can those permissions be set on jackrabbit?

Is using an AccessManager actually the only way to implement node-access
security under jackrabbit?

Thanks,

Martin

Re: Confused about checking permissions

Posted by David Nuescheler <da...@gmail.com>.
> So, to summarize, if I want to add/remove restrictions/constraints to my
> nodes currently I must use an AccessManager (for example
> SimpleAccessManager), and forget the Session.checkPermission method (I
> really don't know the utility of this method if you can't configure
> anything).
you should still use the Session.checkPermission() to check permissions.

to "manage" permissions you will have to use the proprietary
implementations.

regards,
david
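
Added example (not from the thread or from the Jackrabbit project): using the JCR 1.0 `Session.checkPermission()` introspection call described above to gate a write, failing closed when it throws. The class and method names (`PermissionGate`, `isPermitted`, `addChild`) are hypothetical; granting or revoking the permission itself still happens in the repository's own access control implementation.

```java
import java.security.AccessControlException;
import javax.jcr.AccessDeniedException;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;

/** Hypothetical helper: permission introspection before a write (JCR 1.0 API). */
public final class PermissionGate {

    private PermissionGate() {}

    /**
     * Returns true only if every action in the comma-separated list
     * ("add_node", "set_property", "remove", "read") is permitted at absPath.
     */
    public static boolean isPermitted(Session session, String absPath, String actions)
            throws RepositoryException {
        try {
            // checkPermission returns quietly when allowed and throws otherwise.
            session.checkPermission(absPath, actions);
            return true;
        } catch (AccessControlException denied) {
            return false; // fail closed: any denial means "not permitted"
        }
    }

    /** Adds a child node only if this session may create a node at the target path. */
    public static Node addChild(Session session, String parentPath, String name)
            throws RepositoryException {
        // For "add_node" the path checked is that of the node to be created.
        String childPath = parentPath.endsWith("/")
                ? parentPath + name
                : parentPath + "/" + name;
        if (!isPermitted(session, childPath, "add_node")) {
            throw new AccessDeniedException("add_node denied at " + childPath);
        }
        Node parent = (Node) session.getItem(parentPath);
        Node child = parent.addNode(name);
        // The check above is advisory for the caller; the repository's
        // configured access control still makes the final decision.
        session.save();
        return child;
    }
}
```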

Re: Confused about checking permissions

Posted by Martin Perez <mp...@gmail.com>.
David, Stefan, thanks for your replies.

So, to summarize, if I want to add/remove restrictions/constraints to my
nodes currently I must use an AccessManager (for example
SimpleAccessManager), and forget the Session.checkPermission method (I
really don't know the utility of this method if you can't configure
anything).

Have I understood everything?

Thanks again.

Martin

On 10/13/05, David Nuescheler <da...@gmail.com> wrote:
>
> > Yes, but AccessManager is jackrabbit-dependent, no? i.e. is not part of the
> > spec.
> yes, that's true.
>
> the only part of access control that made it into jsr-170 or (jcr v1.0) is
> the introspection of the permissions. not the management of permissions.
>
> this is in-line with the exclusion of all the management interfaces
> (nodetypes, workspaces, ...) from v1.0 of jcr.
>
> see jsr-283 (v2.0 of jcr) for further development on that, but for now you will
> have to resort to proprietary mechanisms of the repository.
> however, the access control "management" portion normally does not make
> for a lot of source code in most applications that i am familiar with,...
>
> in addition to that a number of repository implementations are based
> on jackrabbit and therefore expose the same or similar interfaces
> as jackrabbit, so using the jackrabbit interfaces may be a good choice in
> the first place.
>
> regards,
> david
>

Re: Confused about checking permissions

Posted by David Nuescheler <da...@gmail.com>.
> Yes, but AccessManager is jackrabbit-dependent, no? i.e. is not part of the
> spec.
yes, that's true.

the only part of access control that made it into jsr-170 or (jcr v1.0) is
the introspection of the permissions. not the management of permissions.

this is in-line with the exclusion of all the management interfaces
(nodetypes, workspaces, ...) from v1.0 of jcr.

see jsr-283 (v2.0 of jcr) for further development on that, but for now you will
have to resort to proprietary mechanisms of the repository.
however, the access control "management" portion normally does not make
for a lot of source code in most applications that i am familiar with,...

in addition to that a number of repository implementations are based
on jackrabbit and therefore expose the same or similar interfaces
as jackrabbit, so using the jackrabbit interfaces may be a good choice in
the first place.

regards,
david

Re: Confused about checking permissions

Posted by Stefan Guggisberg <st...@gmail.com>.
On 10/13/05, Martin Perez <mp...@gmail.com> wrote:
> Yes, but AccessManager is jackrabbit-dependent, no? i.e. is not part of the
> spec.

correct. access control management has been intentionally left out in
version 1.0 of the spec. version 2.0 (jsr 283,
http://jcp.org/en/jsr/detail?id=283)
will address access control management as well as other areas that have
been omitted in version 1.0.

cheers
stefan

>
> Thanks.
>
> On 10/13/05, Stefan Guggisberg <st...@gmail.com> wrote:
> >
> > On 10/13/05, Martin Perez <mp...@gmail.com> wrote:
> > > Hi.
> > >
> > > I have to implement a security layer over my jackrabbit based repository.
> > > I'm confused about how it could be done. What's the purpose of the
> > > session's checkPermission method? Yes, it's clear that you can check
> > > permissions, but how can those permissions be set on jackrabbit?
> > >
> > > Is using an AccessManager actually the only way to implement node-access
> > > security under jackrabbit?
> >
> > well that's exactly the idea of the AccessManager interface. by implementing
> > AccessManager you can provide your own access control mechanism.
> >
> > cheers
> > stefan
> >
> > >
> > > Thanks,
> > >
> > > Martin
> > >
> > >
> >
>
>

Re: Confused about checking permissions

Posted by Martin Perez <mp...@gmail.com>.
Yes, but AccessManager is jackrabbit-dependent, no? i.e. is not part of the
spec.

Thanks.

On 10/13/05, Stefan Guggisberg <st...@gmail.com> wrote:
>
> On 10/13/05, Martin Perez <mp...@gmail.com> wrote:
> > Hi.
> >
> > I have to implement a security layer over my jackrabbit based repository.
> > I'm confused about how it could be done. What's the purpose of the
> > session's checkPermission method? Yes, it's clear that you can check
> > permissions, but how can those permissions be set on jackrabbit?
> >
> > Is using an AccessManager actually the only way to implement node-access
> > security under jackrabbit?
>
> well that's exactly the idea of the AccessManager interface. by implementing
> AccessManager you can provide your own access control mechanism.
>
> cheers
> stefan
>
> >
> > Thanks,
> >
> > Martin
> >
> >
>

Re: Confused about checking permissions

Posted by Stefan Guggisberg <st...@gmail.com>.
On 10/13/05, Martin Perez <mp...@gmail.com> wrote:
> Hi.
>
> I have to implement a security layer over my jackrabbit based repository.
> I'm confused about how it could be done. What's the purpose of the
> session's checkPermission method? Yes, it's clear that you can check
> permissions, but how can those permissions be set on jackrabbit?
>
> Is using an AccessManager actually the only way to implement node-access
> security under jackrabbit?

well that's exactly the idea of the AccessManager interface. by implementing
AccessManager you can provide your own access control mechanism.

cheers
stefan

>
> Thanks,
>
> Martin
>
>