Posted to dev@jackrabbit.apache.org by "Justin Edelson (JIRA)" <ji...@apache.org> on 2010/09/14 20:57:33 UTC
[jira] Created: (JCR-2748) provide a (relatively) simple way to
disable anonymous access to the security workspace
provide a (relatively) simple way to disable anonymous access to the security workspace
---------------------------------------------------------------------------------------
Key: JCR-2748
URL: https://issues.apache.org/jira/browse/JCR-2748
Project: Jackrabbit Content Repository
Issue Type: Improvement
Components: jackrabbit-core, security
Reporter: Justin Edelson
As discussed in this thread: http://sling.markmail.org/thread/st52jejjuxykfxtj, the security workspace is, by default, configured with an AccessControlProvider which provides a fixed access control policy (i.e. o.a.j.core.security.user.UserAccessControlProvider). Preventing anonymous access to security-related nodes requires the use of an alternate AccessControlProvider.
The attached patch provides a simpler mechanism. By adding
<param name="anonymousAccessToSecurityWorkspace" value="false" />
to the configuration of the DefaultSecurityManager, anonymous access to the security workspace is forbidden.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (JCR-2748) provide a (relatively) simple way to
disable anonymous access to the security workspace
Posted by "Justin Edelson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JCR-2748?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Justin Edelson updated JCR-2748:
--------------------------------
Attachment: JCR-2748-take2.patch
updated patch which restricts the change to *only* be within UserAccessControlProvider.
[jira] Commented: (JCR-2748) provide a (relatively) simple way to
disable anonymous access to the security workspace
Posted by "angela (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JCR-2748?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12917620#action_12917620 ]
angela commented on JCR-2748:
-----------------------------
> IIUC, this requires manual configuration of the security workspace. Isn't that a bit onerous - 15-20 lines of XML vs. one?
if the default setup gets changed in jackrabbit, you will need to have a manual ac provider configuration of your security workspace anyway.
as i said before, i just didn't do that for 2.0 because we changed the way we at day want to store users in a rather late stage and i didn't want to cause troubles for all those using the old style jr 1.6 setup.
furthermore, i don't want to spoil the repository level security configuration for something that i consider end of life code.
having a configuration option for the UserAccessControlProvider should be configured where it belongs to.
and adding a repository level option for the initial ac-setup seems wrong to me... this would be yet another workaround for something that will be addressed by JCR-2331.
> In other words, I think this should [...]
fair enough... but it doesn't make me change my opinion :)
[jira] Commented: (JCR-2748) provide a (relatively) simple way to
disable anonymous access to the security workspace
Posted by "angela (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JCR-2748?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12917515#action_12917515 ]
angela commented on JCR-2748:
-----------------------------
i would rather add a configuration option to this specific access control provider (similar to the other providers).
the patch adding the config option to the security manager seems wrong to me.
the current default ac-provider setup in case of missing configuration just reflects the state of jackrabbit 1.6 where users were stored in a separate, dedicated workspace and i didn't change it for backwards compatibility reasons. in the meantime i changed the user management in a way that users having access to a given workspace can be stored in that workspace, which makes things a lot easier [see JCR-2313].
[jira] Resolved: (JCR-2748) provide a (relatively) simple way to
disable anonymous access to the security workspace
Posted by "angela (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JCR-2748?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
angela resolved JCR-2748.
-------------------------
Resolution: Fixed
Fix Version/s: 2.2.0
applied patch2 with minor modification: the default value of the anonymousAccess if not present with the configuration should be 'true' (some existing tests therefore failed with the unmodified patch2)
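An added example (not part of this thread or of the Jackrabbit code base): a small audit of a workspace configuration for the option described in the resolution above, showing that a missing option leaves anonymous access on. It assumes the option is a `<param name="anonymousAccess">` child of `<AccessControlProvider>` under `<WorkspaceSecurity>`; the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Provider class named in the issue (abbreviated there as o.a.j.core...).
USER_ACP = "org.apache.jackrabbit.core.security.user.UserAccessControlProvider"
# Parameter name as written in the resolution comment; its placement as a
# <param> child of <AccessControlProvider> is an assumption of this example.
PARAM = "anonymousAccess"


def anonymous_access(workspace_xml: str) -> str:
    """Return 'allowed', 'denied' or 'other-provider' for a workspace config."""
    root = ET.fromstring(workspace_xml)
    provider = root.find("./WorkspaceSecurity/AccessControlProvider")
    if provider is None:
        # No explicit provider: per the thread, the security workspace then
        # uses UserAccessControlProvider with its fixed default policy.
        return "allowed"
    if provider.get("class") != USER_ACP:
        return "other-provider"  # policy lives elsewhere; review by hand
    for param in provider.findall("param"):
        if param.get("name") == PARAM:
            # Conservative audit rule: only an explicit "false" counts as denied.
            value = (param.get("value") or "").strip().lower()
            return "denied" if value == "false" else "allowed"
    # Option absent: the committed default is 'true', so access stays open.
    return "allowed"


def _cfg(provider_xml: str) -> str:
    """Wrap a provider fragment in a constructed security-workspace config."""
    return ('<Workspace name="security"><WorkspaceSecurity>%s'
            '</WorkspaceSecurity></Workspace>' % provider_xml)


# Constructed samples, not taken from a real repository.
NO_PROVIDER = '<Workspace name="security"/>'
NO_PARAM = _cfg('<AccessControlProvider class="%s"/>' % USER_ACP)
DISABLED = _cfg('<AccessControlProvider class="%s">'
                '<param name="anonymousAccess" value="false"/>'
                '</AccessControlProvider>' % USER_ACP)
CUSTOM = _cfg('<AccessControlProvider class="com.example.CustomProvider"/>')

if __name__ == "__main__":
    for name in ("NO_PROVIDER", "NO_PARAM", "DISABLED", "CUSTOM"):
        print(name, "->", anonymous_access(globals()[name]))
```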
[jira] Commented: (JCR-2748) provide a (relatively) simple way to
disable anonymous access to the security workspace
Posted by "Justin Edelson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JCR-2748?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12920348#action_12920348 ]
Justin Edelson commented on JCR-2748:
-------------------------------------
thanks Angela
[jira] Commented: (JCR-2748) provide a (relatively) simple way to
disable anonymous access to the security workspace
Posted by "Justin Edelson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JCR-2748?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12917588#action_12917588 ]
Justin Edelson commented on JCR-2748:
-------------------------------------
> i would rather add a configuration option to this specific access control provider (similar to the other providers).
> the patch adding the config option to the security manager seems wrong to me.
IIUC, this requires manual configuration of the security workspace. Isn't that a bit onerous - 15-20 lines of XML vs. one?
In other words, I think this should be configured in the <Security> section of repository.xml, not <Workspace> as it is a property of the security subsystem.
[jira] Updated: (JCR-2748) provide a (relatively) simple way to
disable anonymous access to the security workspace
Posted by "Justin Edelson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JCR-2748?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Justin Edelson updated JCR-2748:
--------------------------------
Attachment: JCR-2748.patch
patch