cocoon-dev mailing list archives

From Ralph Goers <Ralph.Go...@dslextreme.com>
Subject Re: CoWarp (was Re: svn commit: r232855...)
Date Wed, 17 Aug 2005 13:52:40 GMT
That is a lot of Spring definitions.  Frankly, I suspect that to use 
Acegi we would require something like CoWarp in front of it anyway.  The 
thing is, we ended up writing something like Acegi for our use and it 
would be nice to use an open source framework instead.

I looked at CoWarp last night and I didn't see anything to support roles 
or permission.

Ralph

Leszek Gawron wrote:

> Ralph Goers wrote:
>
>> The only concern I would have in bringing CoWarp into Cocoon (beside 
>> the name making me think it is an add-on for OS/2 :-) ) is that I'd 
>> want to evaluate it against using acegi as the "standard" 
>> authentication mechanism.  Having said that, I have no familiarity 
>> with CoWarp and have only read some high level stuff about acegi, but 
>> from that reading it looks like a very robust framework.  There was 
>> some discussion about it on the users list a few months ago 
>> http://marc.theaimsgroup.com/?t=111755000500004&r=1&w=2
>
> Acegi is a very robust framework. Although the author states it could 
> be used without Spring [1] he strongly encourages not to :). I quite 
> got the point when I implemented the first application context which 
> just secures a single method in a dummy business service:
>
>> <beans>
>>     <bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter"/>
>>     <bean id="accessDecisionManager" class="net.sf.acegisecurity.vote.AffirmativeBased">
>>         <property name="allowIfAllAbstainDecisions"><value>false</value></property>
>>         <property name="decisionVoters">
>>             <list>
>>                 <ref bean="roleVoter"/>
>>             </list>
>>         </property>
>>     </bean>
>>     <bean id="authenticationDao" class="net.sf.acegisecurity.providers.dao.memory.InMemoryDaoImpl">
>>         <property name="userMap">
>>             <value>
>>                 marissa=koala,ROLE_TELLER,ROLE_SUPERVISOR
>>                 dianne=emu,ROLE_TELLER
>>                 scott=wombat,ROLE_TELLER
>>                 peter=opal,disabled,ROLE_TELLER
>>                 ouzo=ouzo,ROLE_ADMIN
>>             </value>
>>         </property>
>>     </bean>
>>     <bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
>>         <property name="configLocation"><value>classpath:/ehcache-failsafe.xml</value></property>
>>     </bean>
>>     <bean id="userCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
>>         <property name="cacheManager"><ref local="cacheManager"/></property>
>>         <property name="cacheName"><value>userCache</value></property>
>>     </bean>
>>     <bean id="userCache" class="net.sf.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
>>         <property name="cache"><ref local="userCacheBackend"/></property>
>>     </bean>
>>     <bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
>>         <property name="authenticationDao"><ref bean="authenticationDao"/></property>
>>         <property name="userCache"><ref bean="userCache"/></property>
>>     </bean>
>>     <bean id="testingAuthenticationProvider" class="net.sf.acegisecurity.providers.TestingAuthenticationProvider"/>
>>     <bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
>>         <property name="providers">
>>             <list>
>>                 <!-- ref bean="daoAuthenticationProvider"/ -->
>>                 <ref bean="testingAuthenticationProvider"/>
>>             </list>
>>         </property>
>>     </bean>
>>     <bean id="beanSecurityInterceptor" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
>>         <property name="validateConfigAttributes"><value>true</value></property>
>>         <property name="authenticationManager"><ref bean="authenticationManager"/></property>
>>         <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
>>         <!-- property name="runAsManager"><ref bean="runAsManager"/></property -->
>>         <property name="objectDefinitionSource">
>>             <value>
>>                 com.mobilebox.acegi.SecureBean.*=ROLE_ADMIN
>>             </value>
>>         </property>
>>     </bean>
>>     <bean id="autoProxyCreator" class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
>>         <property name="interceptorNames">
>>             <list>
>>                 <idref local="beanSecurityInterceptor"/>
>>             </list>
>>         </property>
>>         <property name="beanNames">
>>             <list>
>>                 <value>secureBean</value>
>>             </list>
>>         </property>
>>     </bean>
>>     <!-- 'application beans' -->
>>     <bean id="secureBean" class="com.mobilebox.acegi.SecureBeanImpl"/>
>> </beans>
>
>
> This is ONLY business method security. "Basic" acegi sample has 
> applicationContext.xml at least twice this big.
>
> Thing is: even if it's possible to use it without Spring it will be a 
> total hell to wrap everything as ECM components without Dependency 
> Injection.
>
> Still I would love to have a functionality that replaces ANT based 
> request URI expressions:
>
>>    <bean id="channelProcessingFilter" class="net.sf.acegisecurity.securechannel.ChannelProcessingFilter">
>>       <property name="channelDecisionManager"><ref local="channelDecisionManager"/></property>
>>       <property name="filterInvocationDefinitionSource">
>>          <value>
>>                 CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
>>                 \A/secure/.*\Z=REQUIRES_SECURE_CHANNEL
>>                 \A/acegilogin.jsp.*\Z=REQUIRES_SECURE_CHANNEL
>>                 \A/j_acegi_security_check.*\Z=REQUIRES_SECURE_CHANNEL
>>                 \A.*\Z=REQUIRES_INSECURE_CHANNEL
>>          </value>
>>       </property>
>>    </bean>
>>    <bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
>>       <property name="authenticationManager"><ref bean="authenticationManager"/></property>
>>       <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
>>       <property name="objectDefinitionSource">
>>          <value>
>>                 CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
>>                 PATTERN_TYPE_APACHE_ANT
>>                 /index.jsp=ROLE_ANONYMOUS,ROLE_USER
>>                 /hello.htm=ROLE_ANONYMOUS,ROLE_USER
>>                 /logoff.jsp=ROLE_ANONYMOUS,ROLE_USER
>>                 /acegilogin.jsp*=ROLE_ANONYMOUS,ROLE_USER
>>                 /**=ROLE_USER
>>          </value>
>>       </property>
>>    </bean>
>
>
> and integrates it with our sitemap and pipelines definitions.
>
> [1] http://acegisecurity.sourceforge.net/standalone.html
> [2] http://acegisecurity.sourceforge.net/index.html
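
The first-match evaluation of the Ant-pattern `objectDefinitionSource` quoted above, as an added example that is not part of either message and is not Acegi code. It is a simplified Python model showing why rule order and the lowercase directive decide what an anonymous request can reach; the function names, the reduced Ant translation and the deny-on-no-match behaviour are assumptions.

```python
import re

# Rules copied from the quoted objectDefinitionSource, in file order.
RULES = [
    ("/index.jsp", {"ROLE_ANONYMOUS", "ROLE_USER"}),
    ("/hello.htm", {"ROLE_ANONYMOUS", "ROLE_USER"}),
    ("/logoff.jsp", {"ROLE_ANONYMOUS", "ROLE_USER"}),
    ("/acegilogin.jsp*", {"ROLE_ANONYMOUS", "ROLE_USER"}),
    ("/**", {"ROLE_USER"}),
]

def ant_to_regex(pattern):
    """Reduced Ant-path translation (assumption): ** spans directories,
    * and ? stay inside one path segment."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))

def required_roles(url, rules=RULES, lowercase=True):
    """Return the attributes of the FIRST matching rule, or None if none match."""
    if lowercase:  # models CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        url = url.lower()
    for pattern, roles in rules:
        if ant_to_regex(pattern).fullmatch(url):
            return roles
    return None

def is_allowed(url, granted, rules=RULES, lowercase=True):
    """Role-voter style check: holding any one required role grants access."""
    needed = required_roles(url, rules, lowercase)
    if needed is None:
        return False  # assumption: this model denies when no rule matches
    return bool(needed & set(granted))

# Constructed variant: the catch-all moved to the top shadows every later rule.
SHADOWED = [RULES[-1]] + RULES[:-1]
```

With the lowercase directive off, `/INDEX.JSP` no longer matches the `/index.jsp` rule and falls through to `/**=ROLE_USER`; with the catch-all listed first, the anonymous rules below it are never reached.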

