1 Reply Latest reply on Feb 27, 2013 9:34 AM by rhauch

    Access Control on Nodes


      The JCR 2.0 specification says the following:


      16 Access Control Management

      A repository may support access control management, enabling the following:

      • Privilege discovery: Determining the privileges that a user has in relation to a node.
      • Assigning access control policies: Setting the privileges that a user has in relation to a node using access control policies specific to the implementation.

      Whether a particular implementation supports access control can be determined by querying the repository descriptor table with


      A return value of true indicates support (see §24.2 Repository Descriptors).



      A repository MAY support access control management (on nodes). We would like to use ModeShape as our content repository, but an essential requirement is a reliable access control mechanism on node-level.

      Jackrabbit has implemented this functionality last year. Is ModeShape planning to implement this functionality too in the near future or is there a proper workaround?

        • 1. Re: Access Control on Nodes

          ModeShape does not currently implement this feature, but we've been asked a few times about it. At this time most of the committer's plates are full with other features/enhancements/improvements/fixes, but we'd absolutely welcome any help to add the feature.


          It's been a while since I spent any time in that portion of the spec, but IIRC part of the challenge is that the spec does not define how the policies are actually defined/managed. Yes, if there is a policy, you can assign/use them. But the API to manage policies is likely to be a non-standard API anyway.


          If someone is interested in contributing, one of the first steps would be discuss/decide what ModeShape policies would look like. Would they be based upon ACLs or something else? We'd probably want to consider if it's possible to leverage an existing authorization framework (e.g., PicketBox/PicketLink), and if that would somehow inform the policy requirements.