Posted to users@sling.apache.org by Sandro Boehme <sa...@gmx.de> on 2012/09/16 20:40:38 UTC

Avoiding to show acls, users and groups to anonymous

Hello,

when logged in as anonymous I can see all users, groups and acls with 
the following URLs:
http://localhost:8080/index.html.eacl.json
http://localhost:8080/system/userManager/user.tidy.infinity.json
http://localhost:8080/system/userManager/group.tidy.1.json
http://localhost:8080/system/userManager/user/admin.tidy.1.json

I tried to avoid that by denying jcr:readAccessControl to the root node 
with the following statement.
curl -FprincipalId=everyone -Fprivilege@jcr:readAccessControl=denied 
http://admin:admin@localhost:8080/.modifyAce.html
The response was an HTTP 200 status but I can still see the information 
as anonymous. Is there a way to avoid that?

Best,

Sandro

Re: Avoiding to show acls, users and groups to anonymous

Posted by Sandro Boehme <sa...@gmx.de>.
It works. Of course *.eacl.json produces a 404 for anonymous after 
denying readAccessControl to the root node! Thanks for the hint Eric!

On 17.09.12 02:40, Eric Norman wrote:
> Instead of denying rights to the everyone group, deny rights to the
> anonymous principal instead.  Like this:
>
> curl -FprincipalId=anonymous -Fprivilege@jcr:readAccessControl=denied
> http://admin:admin@localhost:8080/.modifyAce.html
>
> Regards,
> Eric
>
> On Sun, Sep 16, 2012 at 11:40 AM, Sandro Boehme <sa...@gmx.de> wrote:
>
>> Hello,
>>
>> when logged in as anonymous I can see all users, groups and acls with the
>> following URLs:
>> http://localhost:8080/index.html.eacl.json
>> http://localhost:8080/system/userManager/user.tidy.infinity.json
>> http://localhost:8080/system/userManager/group.tidy.1.json
>> http://localhost:8080/system/userManager/user/admin.tidy.1.json
>>
>> I tried to avoid that by denying jcr:readAccessControl to the root node
>> with the following statement.
>> curl -FprincipalId=everyone -Fprivilege@jcr:readAccessControl=denied
>> http://admin:admin@localhost:8080/.modifyAce.html
>> The response was an HTTP 200 status but I can still see the information as
>> anonymous. Is there a way to avoid that?
>>
>> Best,
>>
>> Sandro
>>
>


Re: Avoiding to show acls, users and groups to anonymous

Posted by Eric Norman <er...@gmail.com>.
Instead of denying rights to the everyone group, deny rights to the
anonymous principal instead.  Like this:

curl -FprincipalId=anonymous -Fprivilege@jcr:readAccessControl=denied
http://admin:admin@localhost:8080/.modifyAce.html

Regards,
Eric

On Sun, Sep 16, 2012 at 11:40 AM, Sandro Boehme <sa...@gmx.de> wrote:

> Hello,
>
> when logged in as anonymous I can see all users, groups and acls with the
> following URLs:
> http://localhost:8080/index.html.eacl.json
> http://localhost:8080/system/userManager/user.tidy.infinity.json
> http://localhost:8080/system/userManager/group.tidy.1.json
> http://localhost:8080/system/userManager/user/admin.tidy.1.json
>
> I tried to avoid that by denying jcr:readAccessControl to the root node
> with the following statement.
> curl -FprincipalId=everyone -Fprivilege@jcr:readAccessControl=denied
> http://admin:admin@localhost:8080/.modifyAce.html
> The response was an HTTP 200 status but I can still see the information as
> anonymous. Is there a way to avoid that?
>
> Best,
>
> Sandro
>
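A small check script for the fix Eric describes, added here as an example and not part of the thread: it applies the deny for the anonymous principal and then requests each of the four URLs from the original post both anonymously and as admin, so the result can be confirmed rather than inferred from the 200 on .modifyAce.html. It assumes a local Sling instance at SLING (default http://localhost:8080), admin credentials in ADMIN (default admin:admin) and curl on the PATH.

```shell
#!/bin/sh
# Added check script, not from the thread. Assumes a local Sling instance
# (SLING, default http://localhost:8080), admin credentials in ADMIN
# (default admin:admin) and curl on the PATH.
SLING="${SLING:-http://localhost:8080}"
ADMIN="${ADMIN:-admin:admin}"

# The four URLs from the original post that were readable as anonymous.
CHECK_PATHS="/index.html.eacl.json
/system/userManager/user.tidy.infinity.json
/system/userManager/group.tidy.1.json
/system/userManager/user/admin.tidy.1.json"

# Apply Eric's fix: deny jcr:readAccessControl on the root node for the
# anonymous principal (not the everyone group). Prints the HTTP status.
deny_anonymous_read_acl() {
    curl -s -o /dev/null -w '%{http_code}' -u "$ADMIN" \
        -FprincipalId=anonymous -Fprivilege@jcr:readAccessControl=denied \
        "$SLING/.modifyAce.html"
}

# HTTP status for a path. $2 is user:pass, or empty for an anonymous request.
status_for() {
    if [ -n "$2" ]; then
        curl -s -o /dev/null -w '%{http_code}' -u "$2" "$SLING$1"
    else
        curl -s -o /dev/null -w '%{http_code}' "$SLING$1"
    fi
}

# A 200 to an unauthenticated request means the resource is still exposed.
is_exposed() { [ "$1" = "200" ]; }

# Report every path as anonymous and as admin; return 1 if anonymous can
# still read any of them. The thread confirms the .eacl.json case becomes
# a 404; the userManager paths are included so the same check covers them.
verify_anonymous_blocked() {
    rc=0
    for p in $CHECK_PATHS; do
        anon=$(status_for "$p" "")
        admin=$(status_for "$p" "$ADMIN")
        if is_exposed "$anon"; then
            echo "EXPOSED $p anonymous=$anon admin=$admin"; rc=1
        else
            echo "ok      $p anonymous=$anon admin=$admin"
        fi
    done
    return $rc
}

# Usage against a running instance:
#   deny_anonymous_read_acl; echo; verify_anonymous_blocked
```

The admin column is there to catch the opposite mistake: a deny that also locks out authenticated users would show as a non-200 for admin on the same line.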