Posted to users@jackrabbit.apache.org by Yusuf Aaji <yu...@gmail.com> on 2011/01/23 00:01:38 UTC

hiding some sub-folders from mr.anonymous

Hi,

I have managed to use the default* security classes with jackrabbit and used
the access policies in a good way so far.

But there is a strange behaviour I'm getting. If I grant everyone or
anonymous jcr:read on the root folder, I can't revoke that or override it on
any sub-folder no matter what the policies on that sub-folder are.

Is this ok, or am I missing something?

I mean I need Mr.anonymous to access my repo but I need to hide some folders
from him. Sorry anonymous, don't take it personal, but every business has
some confidential documents :)

any idea jackrabbit developers?!

BR,
Yusuf

Re: hiding some sub-folders from mr.anonymous

Posted by Yusuf Aaji <yu...@gmail.com>.
Thanks Alex, it's working wonderfully now. Strange how the specs don't
cover such a use case, really useful and required.

BR,
Yusuf

On Mon, Jan 24, 2011 at 12:04 PM, Alexander Klimetschek
<ak...@adobe.com>wrote:

> On 23.01.11 12:06, "Yusuf Aaji" <yu...@gmail.com> wrote:
>
> >I guess I found something useful here
> >
> >*JCR* 2 only defines the ability to add privileges. You need to use the
> >*Jackrabbit*-specific *JackrabbitAccessControlList* to add a "deny" access
> >control entry.
> >
> >
> >http://jackrabbit.510166.n4.nabble.com/Help-with-JCR-2-access-control-td2403697.html
>
> This is correct. You need to add a deny for anonymous on the subpath. Deny
> entries will overwrite any allow entries in the ACL evaluation.
>
> Regards,
> Alex
>
> --
> Alexander Klimetschek
> Developer // Adobe (Day) // Berlin - Basel
>
>
>
>
>

Re: hiding some sub-folders from mr.anonymous

Posted by Yusuf Aaji <yu...@gmail.com>.
Thanks a lot Angela, this makes great sense.

BR,
Yusuf

On Tue, Jan 25, 2011 at 11:50 PM, Angela Schreiber <an...@adobe.com>wrote:

> hi yusuf
>
>
>  I guess I found something useful here
>>
>> *JCR* 2 only defines the ability to add privileges. You need to use the
>> *Jackrabbit*-specific *JackrabbitAccessControlList* to add a "deny" access
>> control entry.
>>
>
> one additional hint: please note that in the default implementation
> privileges granted/denied for a given user always take precedence over
> those defined for any group the user is a member of.
>
> in general we advise to create access control entries for groups
> as this improves maintainability of the access control content.
> similarly we advise to use allow/deny entries for individual users
> where you really want to target that specific user and nobody else...
>
> regards
> angela
>
>
>
>
>> http://jackrabbit.510166.n4.nabble.com/Help-with-JCR-2-access-control-td2403697.html
>>
>> thanks again Justin :)
>>
>>
>> On Sun, Jan 23, 2011 at 2:01 AM, Yusuf Aaji<yu...@gmail.com>  wrote:
>>
>>  Hi,
>>>
>>> I have managed to use the default* security classes with jackrabbit and
>>> used the access policies in a good way so far.
>>>
>>> But there is a strange behaviour I'm getting. If I grant everyone or
>>> anonymous jcr:read on the root folder, I can't revoke that or override it
>>> on
>>> any sub-folder no matter what the policies on that sub-folder are.
>>>
>>> Is this ok, or am I missing something?
>>>
>>> I mean I need Mr.anonymous to access my repo but I need to hide some
>>> folders from him. Sorry anonymous, don't take it personal, but every
>>> business has some confidential documents :)
>>>
>>> any idea jackrabbit developers?!
>>>
>>> BR,
>>> Yusuf
>>>
>>>
>>
>>
>>

Re: hiding some sub-folders from mr.anonymous

Posted by Angela Schreiber <an...@adobe.com>.
hi yusuf

> I guess I found something useful here
>
> *JCR* 2 only defines the ability to add privileges. You need to use the
> *Jackrabbit*-specific *JackrabbitAccessControlList* to add a "deny" access
> control entry.

one additional hint: please note that in the default implementation
privileges granted/denied for a given user always take precedence over
those defined for any group the user is a member of.

in general we advise to create access control entries for groups
as this improves maintainability of the access control content.
similarly we advise to use allow/deny entries for individual users
where you really want to target that specific user and nobody else...

regards
angela


> http://jackrabbit.510166.n4.nabble.com/Help-with-JCR-2-access-control-td2403697.html
>
> thanks again Justin :)
>
>
> On Sun, Jan 23, 2011 at 2:01 AM, Yusuf Aaji<yu...@gmail.com>  wrote:
>
>> Hi,
>>
>> I have managed to use the default* security classes with jackrabbit and
>> used the access policies in a good way so far.
>>
>> But there is a strange behaviour I'm getting. If I grant everyone or
>> anonymous jcr:read on the root folder, I can't revoke that or override it on
>> any sub-folder no matter what the policies on that sub-folder are.
>>
>> Is this ok, or am I missing something?
>>
>> I mean I need Mr.anonymous to access my repo but I need to hide some
>> folders from him. Sorry anonymous, don't take it personal, but every
>> business has some confidential documents :)
>>
>> any idea jackrabbit developers?!
>>
>> BR,
>> Yusuf
>>
>
>
>

Re: hiding some sub-folders from mr.anonymous

Posted by Alexander Klimetschek <ak...@adobe.com>.
On 23.01.11 12:06, "Yusuf Aaji" <yu...@gmail.com> wrote:

>I guess I found something useful here
>
>*JCR* 2 only defines the ability to add privileges. You need to use the
>*Jackrabbit*-specific *JackrabbitAccessControlList* to add a "deny" access
>control entry.
>
>http://jackrabbit.510166.n4.nabble.com/Help-with-JCR-2-access-control-td2403697.html

This is correct. You need to add a deny for anonymous on the subpath. Deny
entries will overwrite any allow entries in the ACL evaluation.

Regards,
Alex

-- 
Alexander Klimetschek
Developer // Adobe (Day) // Berlin - Basel
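
The deny entry described in the replies above, written against the Jackrabbit API as an added example (not code posted in this thread). The class and method names are hypothetical, and it assumes the admin session may modify access control at the path and that the repository maps GuestCredentials to the anonymous user.

```java
import java.security.Principal;
import javax.jcr.*;
import javax.jcr.security.*;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;

public final class DenyAnonymousRead {
    // Reuse the ACL already bound at absPath so its existing entries are kept;
    // otherwise take a new, empty one from the applicable policies.
    static JackrabbitAccessControlList aclAt(AccessControlManager acm, String absPath)
            throws RepositoryException {
        for (AccessControlPolicy p : acm.getPolicies(absPath)) {
            if (p instanceof JackrabbitAccessControlList) return (JackrabbitAccessControlList) p;
        }
        for (AccessControlPolicyIterator it = acm.getApplicablePolicies(absPath); it.hasNext();) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof JackrabbitAccessControlList) return (JackrabbitAccessControlList) p;
        }
        throw new RepositoryException("no editable ACL at " + absPath);
    }

    // Adds a deny jcr:read entry for principalName (e.g. "anonymous") at absPath.
    static void denyRead(Session admin, String principalName, String absPath)
            throws RepositoryException {
        Principal who = ((JackrabbitSession) admin).getPrincipalManager().getPrincipal(principalName);
        if (who == null) {
            throw new RepositoryException("unknown principal " + principalName);
        }
        AccessControlManager acm = admin.getAccessControlManager();
        JackrabbitAccessControlList acl = aclAt(acm, absPath);
        Privilege[] read = { acm.privilegeFromName(Privilege.JCR_READ) };
        acl.addEntry(who, read, false);   // isAllow = false makes this a deny entry
        acm.setPolicy(absPath, acl);
        admin.save();                     // the ACL change is transient until saved
    }

    // Check the result from the restricted side, not from the admin session.
    static boolean guestCanRead(Repository repo, String absPath) throws RepositoryException {
        Session guest = repo.login(new GuestCredentials());
        try {
            return guest.hasPermission(absPath, Session.ACTION_READ);
        } finally {
            guest.logout();
        }
    }
}
```

After `denyRead(admin, "anonymous", path)` on the sub-folder to hide, `guestCanRead(repo, path)` should return false while the root stays readable.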





Re: hiding some sub-folders from mr.anonymous

Posted by Yusuf Aaji <yu...@gmail.com>.
I guess I found something useful here

*JCR* 2 only defines the ability to add privileges. You need to use the
*Jackrabbit*-specific *JackrabbitAccessControlList* to add a "deny" access
control entry.

http://jackrabbit.510166.n4.nabble.com/Help-with-JCR-2-access-control-td2403697.html

thanks again Justin :)


On Sun, Jan 23, 2011 at 2:01 AM, Yusuf Aaji <yu...@gmail.com> wrote:

> Hi,
>
> I have managed to use the default* security classes with jackrabbit and
> used the access policies in a good way so far.
>
> But there is a strange behaviour I'm getting. If I grant everyone or
> anonymous jcr:read on the root folder, I can't revoke that or override it on
> any sub-folder no matter what the policies on that sub-folder are.
>
> Is this ok, or am I missing something?
>
> I mean I need Mr.anonymous to access my repo but I need to hide some
> folders from him. Sorry anonymous, don't take it personal, but every
> business has some confidential documents :)
>
> any idea jackrabbit developers?!
>
> BR,
> Yusuf
>



-- 
--
*Yusuf Aaji*
Solutions Developer
*Mob. +966 561527193*

GCC Standardization Organization
P.O.Box 85245 Riyadh 11691, KSA
www.gso.org.sa

Re: hiding some sub-folders from mr.anonymous

Posted by Yusuf Aaji <ya...@gso.org.sa>.
Please, just a hint!!!

On January 23, 2011 2:01 AM, "Yusuf Aaji" <yu...@gmail.com> wrote:

Hi,

I have managed to use the default* security classes with jackrabbit and used
the access policies in a good way so far.

But there is a strange behaviour I'm getting. If I grant everyone or
anonymous jcr:read on the root folder, I can't revoke that or override it on
any sub-folder no matter what the policies on that sub-folder are.

Is this ok, or am I missing something?

I mean I need Mr.anonymous to access my repo but I need to hide some folders
from him. Sorry anonymous, don't take it personal, but every business has
some confidential documents :)

any idea jackrabbit developers?!

BR,
Yusuf