Posted to dev@jackrabbit.apache.org by Torgeir Veimo <to...@pobox.com> on 2006/02/15 22:57:16 UTC

Re: custom AccessManager: overwrite isGranted() or checkPermissions()

On Wed, 2006-02-15 at 15:55 +0100, stephan lohwasser wrote:
> 
> i am currently working on an own AccessManager-implementation based on 
> acls. (first of all: is there any prior art, or are examples
> available?)

Are you storing your ACLs as node properties?

-- 
Torgeir Veimo <to...@pobox.com>


Re: custom AccessManager: overwrite isGranted() or checkPermissions()

Posted by Torgeir Veimo <to...@pobox.com>.
On Thu, 2006-02-16 at 10:19 +0100, stephan lohwasser wrote:
> Torgeir Veimo wrote:
> > On Wed, 2006-02-15 at 15:55 +0100, stephan lohwasser wrote:
> >   
> >> i am currently working on an own AccessManager-implementation based on 
> >> acls. (first of all: is there any prior art, or are examples
> >> available?)
> >>     
> >
> > Are you storing your ACLs as node properties?
> >   
> acls are stored as subnodes of a page with other subnodes for the actual 
> acl entries, which have the properties owner, isNegative and permissions.
> the problems arising are the overhead (performance) and complications of 
> asking the repository each time i ask for a permission.
> what i do is: during system startup the acls are read and put into 
> java.security.acl datastructures, which are then queried by the access 
> manager. also, the acl structure observes the repository and each time 
> an access right is changed for an item the ram structure is synchronized 
> with the repository data.

My initial thought about it would be to create a mixin nodetype that
defines a few acl specific properties; an owner property, a multivalue
property for principals that can read, another one for delete, modify
etc. One can have similar properties for negative values, eg. canNotRead
etc. This does not provide for making ace's inheritable though. 

With a subnode approach you'd still have to add a mixin node to the
parent to allow the acl specific subnode?

-- 
Torgeir Veimo <to...@pobox.com>


Re: custom AccessManager: overwrite isGranted() or checkPermissions()

Posted by Torgeir Veimo <to...@pobox.com>.
On Thu, 2006-02-16 at 10:19 +0100, stephan lohwasser wrote:
> 
> acls are stored as subnodes of a page with other subnodes for the
> actual acl entries, which have the properties owner, isNegative and
> permissions. the problems arising are the overhead (performance) and
> complications of asking the repository each time i ask for a
> permission. what i do is: during system startup the acls are read and
> put into java.security.acl datastructures, which are then queried by
> the access manager. also, the acl structure observes the repository
> and each time an access right is changed for an item the ram structure
> is synchronized with the repository data. 

Do you have any sample code to share?

-- 
Torgeir Veimo <to...@pobox.com>


Re: custom AccessManager: overwrite isGranted() or checkPermissions()

Posted by stephan lohwasser <st...@systemone.at>.
Torgeir Veimo wrote:
> On Wed, 2006-02-15 at 15:55 +0100, stephan lohwasser wrote:
>   
>> i am currently working on an own AccessManager-implementation based on 
>> acls. (first of all: is there any prior art, or are examples
>> available?)
>>     
>
> Are you storing your ACLs as node properties?
>   
acls are stored as subnodes of a page with other subnodes for the actual 
acl entries, which have the properties owner, isNegative and permissions.
the problems arising are the overhead (performance) and complications of 
asking the repository each time i ask for a permission.
what i do is: during system startup the acls are read and put into 
java.security.acl datastructures, which are then queried by the access 
manager. also, the acl structure observes the repository and each time 
an access right is changed for an item the ram structure is synchronized 
with the repository data.

does this make sense?

thanks a lot.
stephan
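
The design described in this thread (ACL entries with owner, isNegative and permissions, cached in memory and re-synchronized when the repository changes), as an added example that is not code from any poster or from Jackrabbit. The class and method names, the "negative entry wins" and "no matching entry means denied" rules, and the sample paths and principals are assumptions; sync() stands in for whatever the repository observation listener would call.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class AclCacheExample {
    // One ACL entry with the three properties named in the thread.
    record Entry(String owner, boolean isNegative, Set<String> permissions) {}

    // In-memory copy of the repository ACLs, keyed by item path.
    private final Map<String, List<Entry>> cache = new ConcurrentHashMap<>();

    // Called once per ACL at startup, and again by the (hypothetical)
    // observation listener whenever the ACL stored for `path` changes.
    // The whole entry list is swapped atomically so a reader never sees
    // a half-updated ACL; an empty list removes the cached ACL.
    public void sync(String path, List<Entry> entries) {
        if (entries == null || entries.isEmpty()) {
            cache.remove(path);
        } else {
            cache.put(path, List.copyOf(entries));
        }
    }

    // Assumed semantics: a matching negative entry always wins, and an
    // item with no matching positive entry is denied (default deny).
    public boolean isGranted(String path, Set<String> principals, String permission) {
        boolean allowed = false;
        for (Entry e : cache.getOrDefault(path, List.of())) {
            if (!principals.contains(e.owner()) || !e.permissions().contains(permission)) {
                continue; // entry is for someone else or another permission
            }
            if (e.isNegative()) {
                return false;
            }
            allowed = true;
        }
        return allowed;
    }

    public static void main(String[] args) {
        AclCacheExample acl = new AclCacheExample();
        // Constructed sample data: group "editors" may read and write, user "bob" may not write.
        acl.sync("/pages/home", List.of(
                new Entry("editors", false, Set.of("read", "write")),
                new Entry("bob", true, Set.of("write"))));
        Set<String> bob = Set.of("bob", "editors");
        System.out.println("bob read:  " + acl.isGranted("/pages/home", bob, "read"));
        System.out.println("bob write: " + acl.isGranted("/pages/home", bob, "write"));
        // Simulated change event: write is withdrawn from "editors" in the repository.
        acl.sync("/pages/home", List.of(new Entry("editors", false, Set.of("read"))));
        System.out.println("editors write after change: "
                + acl.isGranted("/pages/home", Set.of("editors"), "write"));
    }
}
```

Until sync() has run for a changed ACL, isGranted() answers from the old entries, so the delay between a repository change and its observation event is also the delay before a revoked right stops being honoured.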