Posted to oak-issues@jackrabbit.apache.org by "Davide Giannella (JIRA)" <ji...@apache.org> on 2019/04/15 09:20:10 UTC

[jira] [Closed] (OAK-8101) AccessControlValidator prevents alternative authorization models to use restrictions

     [ https://issues.apache.org/jira/browse/OAK-8101?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Davide Giannella closed OAK-8101.
---------------------------------

bulk close 1.12.0

> AccessControlValidator prevents alternative authorization models to use restrictions
> ------------------------------------------------------------------------------------
>
>                 Key: OAK-8101
>                 URL: https://issues.apache.org/jira/browse/OAK-8101
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: core, security
>            Reporter: angela
>            Assignee: angela
>            Priority: Major
>             Fix For: 1.12.0
>
>         Attachments: OAK-8101.patch
>
>
> [~stillalex], while working on an authorization related PoC I noticed that the {{AccessControlValidator}} present with the default implementation essentially prevents additional authorization models from making use of the default {{RestrictionProvider}} implementation that stores restrictions in a dedicated tree of type _rep:Restrictions_. It does so by asserting that a {{NodeState}} with this primary type is always located below an access control entry with the format defined by the default impl before validating the restrictions.
> This could e.g. be fixed as follows:
> - if the parent {{NodeState}} is indeed an entry as defined by the default implementation -> validate using implementation details
> - otherwise: throw {{CommitFailedException}} if the parent {{NodeState}} does not denote an access control tree as defined by the (composite) {{Context}}.
> This would allow other models to make use of restrictions and validate them accordingly, while still failing the commit if an isolated restriction tree was spotted i.e. one outside of the access control context.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
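
The parent check proposed in the description, sketched as an added example (it is not the attached OAK-8101.patch and not Oak's own code). Node, CommitFailed, the definesAcTree predicate standing in for the (composite) Context, and the custom:Entry node type are hypothetical stand-ins; the sample trees are constructed.

```java
import java.util.Set;
import java.util.function.Predicate;

public class RestrictionParentCheck {
    // Stand-in for a node: name, primary type and parent link (not Oak's NodeState API).
    record Node(String name, String primaryType, Node parent) {}

    // Stand-in for Oak's CommitFailedException.
    static class CommitFailed extends Exception {
        CommitFailed(String msg) { super(msg); }
    }

    enum Outcome { NOT_A_RESTRICTION_TREE, VALIDATE_WITH_DEFAULT_IMPL, LEFT_TO_OTHER_MODEL }

    static final String NT_RESTRICTIONS = "rep:Restrictions";
    // Entry node types written by the default implementation.
    static final Set<String> DEFAULT_ACE_TYPES = Set.of("rep:GrantACE", "rep:DenyACE");

    // definesAcTree plays the role of the (composite) Context from the description.
    static Outcome check(Node node, Predicate<Node> definesAcTree) throws CommitFailed {
        if (!NT_RESTRICTIONS.equals(node.primaryType())) {
            return Outcome.NOT_A_RESTRICTION_TREE;
        }
        Node parent = node.parent();
        // Case 1: parent is an entry of the default model, so its format rules apply.
        if (parent != null && DEFAULT_ACE_TYPES.contains(parent.primaryType())) {
            return Outcome.VALIDATE_WITH_DEFAULT_IMPL;
        }
        // Case 2: parent is not access control content for any model: isolated tree.
        if (parent == null || !definesAcTree.test(parent)) {
            throw new CommitFailed("Isolated restriction tree: " + node.name());
        }
        // Parent belongs to another model, which validates its own restrictions.
        return Outcome.LEFT_TO_OTHER_MODEL;
    }

    public static void main(String[] args) throws Exception {
        // Constructed context: the default entry types plus one made-up type.
        Set<String> acTypes = Set.of("rep:GrantACE", "rep:DenyACE", "custom:Entry");
        Predicate<Node> ctx = n -> acTypes.contains(n.primaryType());
        Node ace = new Node("allow", "rep:GrantACE", null);
        Node custom = new Node("entry", "custom:Entry", null);
        Node content = new Node("content", "nt:unstructured", null);
        System.out.println(check(new Node("r1", NT_RESTRICTIONS, ace), ctx));
        System.out.println(check(new Node("r2", NT_RESTRICTIONS, custom), ctx));
        try {
            check(new Node("r3", NT_RESTRICTIONS, content), ctx);
        } catch (CommitFailed e) {
            System.out.println("commit failed: " + e.getMessage());
        }
    }
}
```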