Hi! I did some examples on more granular access rights in slide. Here is my Domain.xml: <?xml version="1.0"?> <slide logger="org.apache.slide.util.logger.SimpleLogger" logger-level="6" default="slide"> <!-- logger ~~~~~~ org.apache.slide.util.logger.SimpleLogger default logger with 1 log level log4j.Log4jLogger logger with fine granularity see http://jakarta.apache.org/log4j/ logger-level ~~~~~~~~~~~~ 0 EMERGENCY 1 CRITICAL 2 ERROR 4 WARNING 6 INFO 7 DEBUG --> <namespace name="slide"> <!-- ### Memory Configuration ### The following memory configuration uses the MemoryDescriptorsStore for node, security, locks and revisions. For content the FileContentStore is used. Content is reset before start. --> <!-- definition> <store name="memory"> <nodestore classname="slidestore.reference. MemoryDescriptorsStore"/> <securitystore> <reference store="nodestore"/> </securitystore> <lockstore> <reference store="nodestore"/> </lockstore> <revisiondescriptorsstore> <reference store="nodestore"/> </revisiondescriptorsstore> <revisiondescriptorstore> <reference store="nodestore"/> </revisiondescriptorstore> <contentstore classname="slidestore.reference.FileContentStore"> <parameter name="rootpath">contentstore</parameter> <parameter name="version">false</parameter> <parameter name="resetBeforeStarting">true</parameter> </contentstore> </store> <scope match="/" store="memory"/> </definition --> <definition> <store name="draft"> <nodestore classname="pl.com.bull.slide.JDBCDescriptorsStore"> <parameter name="driver">oracle.jdbc.driver.OracleDriver</parameter> <parameter name="url">jdbc:oracle:oci8:@d2</parameter> <parameter name="user">pwalen_5</parameter><parameter name="password">pwalen_5</parameter> </nodestore> <securitystore> <reference store="nodestore" /> </securitystore> <lockstore> <reference store="nodestore" /> </lockstore> <revisiondescriptorsstore> <reference store="nodestore" /> </revisiondescriptorsstore> <revisiondescriptorstore> <reference store="nodestore" /> </revisiondescriptorstore> <contentstore classname="pl.com.bull.slide.OracleContentStore"> <parameter name="driver">oracle.jdbc.driver.OracleDriver</parameter> <parameter name="url">jdbc:oracle:oci8:@d2</parameter> <parameter name="user">pwalen_5</parameter><parameter name="password">pwalen_5</parameter> </contentstore> </store> <store name="web"> <nodestore classname="pl.com.bull.slide.JDBCDescriptorsStore"> <parameter name="driver">oracle.jdbc.driver.OracleDriver</parameter> <parameter name="url">jdbc:oracle:oci8:@d2</parameter> <parameter name="user">pwalen_7</parameter><parameter name="password">pwalen_7</parameter> </nodestore> <securitystore> <reference store="nodestore" /> </securitystore> <lockstore> <reference store="nodestore" /> </lockstore> <revisiondescriptorsstore> <reference store="nodestore" /> </revisiondescriptorsstore> <revisiondescriptorstore> <reference store="nodestore" /> </revisiondescriptorstore> <contentstore classname="pl.com.bull.slide.OracleContentStore"> <parameter name="driver">oracle.jdbc.driver.OracleDriver</parameter> <parameter name="url">jdbc:oracle:oci8:@d2</parameter> <parameter name="user">pwalen_7</parameter><parameter name="password">pwalen_7</parameter> </contentstore> </store> <scope match="/" store="draft"/> <scope match="/files/repository/web" store="web" /> </definition> <!-- ### JDBC Configuration ### The following jdbc sample configuration uses the hsql Database Engine a relational database engine written in Java, for more info: http://hsqldb.sourceforge.net/ --> <!-- <definition> <store name="jdbc"> <nodestore classname="slidestore.reference.JDBCDescriptorsStore"> <parameter name="driver">org.hsqldb.jdbcDriver</parameter> <parameter name="url">jdbc:hsqldb:slidestructure</parameter> <parameter name="user">sa</parameter> <parameter name="password"></parameter> </nodestore> <securitystore> <reference store="nodestore" /> </securitystore> <lockstore> <reference store="nodestore" /> </lockstore> <revisiondescriptorsstore> <reference store="nodestore" /> </revisiondescriptorsstore> <revisiondescriptorstore> <reference store="nodestore" /> </revisiondescriptorstore> <contentstore classname="slidestore.reference.JDBCContentStore"> <parameter name="driver">org.hsqldb.jdbcDriver</parameter> <parameter name="url">jdbc:hsqldb:slidecontent</parameter> <parameter name="user">sa</parameter> <parameter name="password"></parameter> </contentstore> </store> <scope match="/" store="jdbc" /> </definition> --> <!-- ### Mixed JDBC - Filesystem ### stores: slidestore.reference.JDBCDescriptorsStore slidestore.reference.FileContentStore !!! set resetBeforeStarting parameter for FileContentStore to false !!! --> <!-- ### Cloudscape configuration (embedded database) ### stores: slidestore.cloudscape.CloudscapeDescriptorsStore slidestore.cloudscape.CloudscapeContentStore driver: COM.cloudscape.core.JDBCDriver url: jdbc:cloudscape:slidestructure;create=true jdbc:cloudscape:slidecontent;create=true --> <!-- ### Oracle configuration (thin driver) ### stores: slidestore.reference.JDBCDescriptorsStore slidestore.oracle.OracleContentStore driver: oracle.jdbc.OracleDriver url: jdbc:oracle:thin:@localhost:1521:slide --> <configuration> <!-- Actions mapping --> <read-object>/actions/read/readobject</read-object> <create-object>/actions/write/createobject</create-object> <remove-object>/actions/write/removeobject</remove-object> <grant-permission>/actions/manage/grantpermission</grant-permission> <revoke-permission>/actions/manage/revokepermission</revoke-permissio n> <read-permissions>/actions/manage/readpermission</read-permissions> <lock-object>/actions/write/lockobject</lock-object> <kill-lock>/actions/manage/killlock</kill-lock> <read-locks>/actions/read/readlocks</read-locks> <read-revision-metadata>/actions/read/readrevisionmetadata</read-revi sion-metadata> <create-revision-metadata>/actions/write/createrevisionmetadata</crea te-revision-metadata> <modify-revision-metadata>/actions/write/modifyrevisionmetadata</modi fy-revision-metadata> <remove-revision-metadata>/actions/write/removerevisionmetadata</remo ve-revision-metadata> <read-revision-content>/actions/read/revisioncontent</read-revision-c ontent> <create-revision-content>/actions/write/createrevisioncontent</create -revision-content> <modify-revision-content>/actions/write/modifyrevisioncontent</modify -revision-content> <remove-revision-content>/actions/write/removerevisioncontent</remove -revision-content> <bind-member>/actions/write/bindmember</bind-member> <unbind-member>/actions/write/unbindmember</unbind-member> <!-- Paths configuration --> <userspath>/users</userspath> <guestpath>guest</guestpath> <filespath>/files</filespath> <actionspath>/actions</actionspath> <parameter name="dav">true</parameter> <parameter name="standalone">true</parameter> <!-- Roles definition --> <role name="root">slideroles.basic.RootRole</role> <role name="user">slideroles.basic.UserRole</role> <role name="guest">slideroles.basic.GuestRole</role> <!-- Users management --> <auto-create-users>true</auto-create-users> <!-- Default properties mapping --> <default-property namespace="http://jakarta.apache.org/slide/" name="password" value="" role="user"/> </configuration> <data> <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/"> <!-- Subject can be: self "~" all "nobody" user "/users/john" group "+/users/groupA" role "root" --> <!-- Uncomment the following line to give all permissions to principals have the root role --> <permission action="/actions" subject="root"/> <permission action="/actions/read" subject="user" inheritable="false"/> <!-- /users --> <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/users" /> <objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions"> <objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/read"/> <objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/write"/> <objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/manage"/> <objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/read/readobject"/> <objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/write/createobject"/> <objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/write/removeobject"/> <objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/manage/grantpermission"/> <objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/manage/revokepermission"/> <objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/manage/readpermission"/> <objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/write/lockobject"/> <objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/manage/killlock"/> <objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/read/readlocks"/> <objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/read/readrevisionmetadata"/> <objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/write/createrevisionmetadata"/> <objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/write/modifyrevisionmetadata"/> <objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/write/removerevisionmetadata"/> <objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/read/revisioncontent"/> <objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/write/createrevisioncontent"/> <objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/write/modifyrevisioncontent"/> <objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/write/removerevisioncontent"/> <objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/write/bindmember"/> <objectnode classname="org.apache.slide.structure.ActionNode" uri="/actions/write/unbindmember"/> </objectnode> <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/files"> <!-- ### Give read/write/manage permission to guest ### Uncomment the following line to give permission to do all actions on /files to guest (unauthenticated users) --> <!-- <permission action="/actions" subject="/users/guest"/> --> <permission action="/actions/read" subject="user"/> <permission action="/actions/write" subject="user"/> </objectnode> <!-- DeltaV: default history and workspace paths --> <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/history"> <permission action="/actions/read" subject="user"/> <permission action="/actions/write" subject="user"/> <permission action="/actions/write/removeobject" subject="user" negative="true" /> </objectnode> <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/workspace"/> <objectnode classname="org.apache.slide.structure.SubjectNode" uri="/workingresource"/> </objectnode> </data> </namespace> <!-- DeltaV global parameters ======================== * historypath (mandatory=no, default="/history"): Specifies a Slide path which determines the location where this DeltaV server stores history data. * workspacepath (mandatory=no, default="/workspace"): Specifies a Slide path which determines the location where this DeltaV server allows workspaces to reside. * workingresourcepath (mandatory=no, default="/workingresource"): Specifies a Slide path which determines the location where this DeltaV server stores working resources. * auto-version (mandatory=no, default="checkout-checkin"): Controls the DeltaV auto-version behaviour. * auto-version-control (mandatory=no, default="false"): Indicates if a resource just created by a PUT should be set under version-control. * versioncontrol-exclude (mandatory=no, default=""): Specifies a Slide path which determines resources which are excluded from version-control. The default value "" makes no path being excluded. * checkout-fork (mandatory=no, default="forbidden"): Controls the DeltaV check-out behaviour when a version is already checked-out or has a successor. * checkin-fork (mandatory=no, default="forbidden"): Controls the DeltaV check-out behaviour when a version has already a successor. * standardLivePropertiesClass (mandatory=no, default="org.apache.slide.webdav.util.resourcekind.AbstractResourceKind"): Determines the "agent" knowing about what the standard live properties are. It should be a loadable class containing the following static methods: - boolean isLiveProperty(String propName) - boolean isProtectedProperty(String propName) - boolean isComputedProperty(String propName) - Set getAllLiveProperties() - Set getAllProtectedProperties() - Set getAllComputedProperties() * uriRedirectorClass (mandatory=no, default="org.apache.slide.webdav.util.DeltavUriRedirector"): Determines the URI redirector class. The DeltaV URI redirector is in charge of the following redirections: - version URI to history URI, e.g. /history/2/1.4 to /history/2 - latest revision number for history resource to 0.0 - latest revision number for version resource to last URI token, e.g. /history/2/1.4 to 1.4 It should be a loadable class containing the following static methods: - String redirectUri(String uri) - NodeRevisionNumber redirectLatestRevisionNumber(String uri) --> <parameter name="historypath">/history</parameter> <parameter name="workspacepath">/workspace</parameter> <parameter name="workingresourcepath">/workingresource</parameter> <!--parameter name="auto-version">locked-checkout</parameter--> <parameter name="auto-version">checkout-checkin</parameter> <!--parameter name="auto-version-control">false</parameter--> <parameter name="auto-version-control">true</parameter> <parameter name="versioncontrol-exclude">/files/repository/books</parameter> <parameter name="checkout-fork">forbidden</parameter> <parameter name="checkin-fork">forbidden</parameter> </slide> I used it to limit possibility of removing something from history. From the document (http://jakarta.apache.org/slide/security.html) that describes access rights in slide I read that those should work in such way: /files , /actions/write , /users/john - granted all actions under /actions/write /files/a , /actions/write/removeobject, negative, /users/john - denied /actions/write/removeobject action, so I can create but can not remove (check access definition for the history) /files/a/b , /actions/write, /users/john - granted again all actions under /actions/write /files/a , /actions/write, /users/john /files/a/c , /actions/write, negative, /users/john - granted again all actions under /actions/write - denied again all actions under /actions/write So summarizing: -john can create and remove in /files and /files/a/b -john can create but not remove in /files/a -john can not create nor remove in /files/a/c Here is a path to have this working: org/apache/slide/security/SecurityImpl.java: 508c508 < while (!granted && !denied && !rootObjectReached) { --- > while (!denied && !(granted && !denied) && !rootObjectReached) { org/apache/slide/security/SecurityImplAllGrant.java 140c140 < while (!granted && !denied && !rootObjectReached) { --- > while (!denied && !(granted && !denied) && !rootObjectReached) { 146c146 < while (!granted && !denied && permissions.hasMoreElements()) { --- > while (permissions.hasMoreElements()) { Bye
To me it seems you changed the semantics of the security check algorithm. Is that right?