Posted to dev@jackrabbit.apache.org by stephan lohwasser <st...@systemone.at> on 2006/02/15 15:55:37 UTC

custom AccessManager: overwrite isGranted() or checkPermissions()

hi,
i am currently working on an own AccessManager-implementation based on
acls. (first of all: is there any prior art, or are examples available?)
to do this i wrote my own access manager which subclasses the simple
access manager.
the question is: shall i overwrite isGranted() or checkPermissions()? 
which of the methods is called when accessing the repository? or doesn't 
it matter at all? or do i have to overwrite both? or is this the 
completely wrong way?

thanks a lot
stephan

Re: custom AccessManager: overwrite isGranted() or checkPermissions()

Posted by Stefan Guggisberg <st...@gmail.com>.
hi stephan,

On 2/15/06, stephan lohwasser <st...@systemone.at> wrote:
> hi,
> i am currently working on an own AccessManager-implementation based on
> acls. (first of all: is there any prior art, or are examples available?)
> to do this i wrote my own access manager which subclasses the simple
> access manager.
> the question is: shall i overwrite isGranted() or checkPermissions()?
> which of the methods is called when accessing the repository? or doesn't
> it matter at all? or do i have to overwrite both? or is this the
> completely wrong way?

both methods are defined by the AccessManager interface so a custom
AccessManager has to implement both (or override both if it extends from
SimpleAccessManager).

note that SimpleAccessManager is just a dummy/sample implementation
that doesn't do much. however it contains several @todo comments that
should give you some pointers where a custom implementation may want
to add code.

cheers
stefan

>
> thanks a lot
> stephan
>

Re: custom AccessManager: overwrite isGranted() or checkPermissions()

Posted by Torgeir Veimo <to...@pobox.com>.
On Thu, 2006-02-16 at 10:19 +0100, stephan lohwasser wrote:
> Torgeir Veimo wrote:
> > On Wed, 2006-02-15 at 15:55 +0100, stephan lohwasser wrote:
> >   
> >> i am currently working on an own AccessManager-implementation based on
> >> acls. (first of all: is there any prior art, or are examples
> >> available?)
> >>     
> >
> > Are you storing your ACLs as node properties?
> >   
> acls are stored as subnodes of a page with other subnodes for the actual
> acl entries, which have the properties owner, isNegative and permissions.
> the problems arising are the overhead (performance) and complications of
> asking the repository each time i ask for a permission.
> what i do is: during system startup the acls are read and put into 
> java.security.acl datastructures, which are then queried by the access 
> manager. also, the acl structure observes the repository and each time 
> an access right is changed for an item the ram structure is synchronized 
> with the repository data.

My initial thought about it would be to create a mixin nodetype that
defines a few acl specific properties; an owner property, a multivalue
property for principals that can read, another one for delete, modify
etc. One can have similar properties for negative values, eg. canNotRead
etc. This does not provide for making ace's inheritable though. 

With a subnode approach you'd still have to add a mixin node to the
parent to allow the acl specific subnode?

-- 
Torgeir Veimo <to...@pobox.com>


Re: custom AccessManager: overwrite isGranted() or checkPermissions()

Posted by Torgeir Veimo <to...@pobox.com>.
On Thu, 2006-02-16 at 10:19 +0100, stephan lohwasser wrote:
> 
> acls are stored as subnodes of a page with other subnodes for the
> actual acl entries, which have the properties owner, isNegative and
> permissions. the problems arising are the overhead (performance) and
> complications of asking the repository each time i ask for a
> permission. what i do is: during system startup the acls are read and
> put into java.security.acl datastructures, which are then queried by
> the access manager. also, the acl structure observes the repository
> and each time an access right is changed for an item the ram structure
> is synchronized with the repository data. 

Do you have any sample code to share?

-- 
Torgeir Veimo <to...@pobox.com>


Re: custom AccessManager: overwrite isGranted() or checkPermissions()

Posted by stephan lohwasser <st...@systemone.at>.
Torgeir Veimo wrote:
> On Wed, 2006-02-15 at 15:55 +0100, stephan lohwasser wrote:
>   
>> i am currently working on an own AccessManager-implementation based on
>> acls. (first of all: is there any prior art, or are examples
>> available?)
>>     
>
> Are you storing your ACLs as node properties?
>   
acls are stored as subnodes of a page with other subnodes for the actual
acl entries, which have the properties owner, isNegative and permissions.
the problems arising are the overhead (performance) and complications of
asking the repository each time i ask for a permission.
what i do is: during system startup the acls are read and put into 
java.security.acl datastructures, which are then queried by the access 
manager. also, the acl structure observes the repository and each time 
an access right is changed for an item the ram structure is synchronized 
with the repository data.

does this make sense?

thanks a lot.
stephan
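
The two points made in this thread (a custom access manager has to provide both the throwing and the non-throwing check, and the ACLs are held in memory and resynchronized when the repository changes), shown together as an added example that is not code from any poster or from Jackrabbit. It uses stand-in types rather than the Jackrabbit AccessManager interface; `AclCache`, `sync`, the path keys, the permission bit values and the use of `SecurityException` are assumptions.

```java
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Added illustration with stand-in types; it does not use Jackrabbit's classes. */
public class AclCacheExample {
    static final int READ = 1, WRITE = 2, REMOVE = 4; // assumed permission bits

    /** One ACL entry carrying the three properties named in the thread. */
    record Entry(String owner, boolean isNegative, int permissions) {}

    /** Hypothetical in-memory ACL store, keyed by item path. */
    static final class AclCache {
        private final Map<String, List<Entry>> byPath = new ConcurrentHashMap<>();

        /** Startup load and observation callback: swap the item's whole list at once. */
        void sync(String path, List<Entry> entries) {
            if (entries.isEmpty()) byPath.remove(path);
            else byPath.put(path, List.copyOf(entries));
        }

        /** Non-throwing check: negative entries win, and no matching entry means deny. */
        boolean isGranted(String principal, String path, int requested) {
            int allowed = 0, denied = 0;
            for (Entry e : byPath.getOrDefault(path, List.of())) {
                if (!e.owner().equals(principal)) continue;
                if (e.isNegative()) denied |= e.permissions();
                else allowed |= e.permissions();
            }
            return (allowed & ~denied & requested) == requested;
        }

        /** Throwing check delegates, so the two entry points cannot disagree. */
        void checkPermission(String principal, String path, int requested) {
            if (!isGranted(principal, path, requested))
                throw new SecurityException(principal + " denied on " + path);
        }
    }

    public static void main(String[] args) {
        AclCache cache = new AclCache();
        // Constructed sample data: alice may read and write, then write is revoked.
        cache.sync("/pages/home", List.of(new Entry("alice", false, READ | WRITE)));
        System.out.println("write before change: " + cache.isGranted("alice", "/pages/home", WRITE));
        cache.sync("/pages/home", List.of(new Entry("alice", false, READ | WRITE),
                                          new Entry("alice", true, WRITE)));
        System.out.println("write after change:  " + cache.isGranted("alice", "/pages/home", WRITE));
        cache.checkPermission("alice", "/pages/home", READ); // READ is still granted, no exception
    }
}
```

Replacing an item's entry list in a single `put` means a concurrent permission check sees either the old ACL or the new one, never a half-updated list.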



Re: custom AccessManager: overwrite isGranted() or checkPermissions()

Posted by Torgeir Veimo <to...@pobox.com>.
On Wed, 2006-02-15 at 15:55 +0100, stephan lohwasser wrote:
> 
> i am currently working on an own AccessManager-implementation based on
> acls. (first of all: is there any prior art, or are examples
> available?)

Are you storing your ACLs as node properties?

-- 
Torgeir Veimo <to...@pobox.com>