...
- better performance
- JCR repository can be exposed otherwise (the ACLs are then still taken into account)
- we want to use the JCR API without needing to wrap the objects everywhere
Resources
- http://wiki.apache.org/jackrabbit/AccessControl
- http://www.day.com/maven/jsr170/javadocs/jcr-2.0/javax/jcr/security/AccessControlManager.html
- https://confluence.sakaiproject.org/display/KERNDOC/Jackrabbit+Permissions+Resolution
Conclusion
- we cannot use "Resource-based ACLs". We had to update all the nodes on ACL changes and the permissions are only inherited on creation.
- we will provide a custom AccessControlManager. This is very similar to our current solution, its not tied to the jackrabbit API.
AccessControlManagerAPI defined by spec is insufficient to control privileges. The control could be done at this level in JackRabbit, but only by overriding JR specific methods. - we will provide our own privilege provider. Privilege provider is already swappable in both JR and MS as each provides Resource based provider and limited role based provider.
- JR already allows specifying custom privilege provider. MS currently supports only two of its own implementation. We will initiate request to open this to custom implementations.
...