continuum-dev mailing list archives

From Carlos Sanchez <>
Subject Re: Security in Continuum
Date Tue, 17 Jan 2006 19:44:13 GMT
I can talk about acegi as I'm a committer there:

acegi provides three points of security

- filter level, protect urls by using web filters
- method invocation level
- instance level (ACL)

1. filter level
By adding filters to the webapp you can control what patterns of urls
require what user roles.
This is transparent to your application so it doesn't matter what web
framework you use.

2. method invocation level
You can specify what methods and classes a user is allowed to call
based on the user roles, mostly used with Spring-managed beans.

3. instance level (ACL)
For each instance of an object you can define the user rights;
that's the same as a file system where files have user, group and
everybody permissions, in fact this is the sample used in one of the
Spring books.
This is accomplished using AspectJ JoinPoints.

The best feature about acegi is that it almost doesn't interfere with
your application.

Authentication can be done using web forms, http basic, certificates, ...
For the backend you can use LDAP, database, container managed users,
JAAS, CAS (single sign on), ...

It also provides a lot of goodies like password encryption, forcing
https, remember me, ... and everything through configuration so you
don't need to change code to enable/disable them.

About the concern of using Spring, if you don't configure acegi
through Spring IoC you'll need to instantiate the objects and make the
callbacks that Spring does afterwards. You'll still need some Spring
interfaces and utils that acegi depends on.

Hope this helps.

On 1/11/06, Emmanuel Venisse <> wrote:
> Hi,
> In 1.1, we have decided to rework all security features.
> I tried to use osuser but this framework is crappy:
> - UserManager is a final class that loads an osuser config file, we can't set parameters with plexus
> because all the initialization phase is done in the constructor that reads the config file
> - need to duplicate code between Authenticator and AccessProvider
> - all provider interfaces extend a base provider interface that requires some methods
> relation with provider must do
> I looked at berkano too. This project actually uses the DAO pattern and hibernate, and permissions
> seem to be supported
> I looked at seraph too. This project seems to be interesting, it's used by confluence and jira. It
> seems we have all we need in it but it requires to be used in a web app environment, so I think we
> can't use it if we want to use the security framework in a standalone app in future.
> jaas: I think we need a higher level framework. I'd prefer to use a plugin where jaas can be plugged
> acegisecurity: this framework seems to be the most advanced. The most important problem for its
> usage is that it requires the spring framework. I don't like to include in continuum a new IOC container
> only for this feature, especially with a 2Mo jar. Can we easily exclude the spring dependency from acegi
> by writing a mock implementation? Can we use it in a standalone app?
> last possibility: we can write our own security framework. If we choose it, we'll be able to start with
> features required by continuum (user, group, general and per project permission schemes) and we'll
> add more functionalities later if we need more.
> What do you think about all these frameworks?
> Which do we choose?
> Emmanuel
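Carlos's first point above, filter-level URL protection, in a small standalone Java sketch added here for illustration. It is not Acegi's code and not Continuum's: it keeps an ordered list of Ant-style URL patterns mapped to roles and decides a request by the first rule that matches, which is the shape of what a web-filter layer does in front of the application. The class names, the rule syntax, the lower-casing of the URL before comparison and the fail-closed default for unmatched URLs are all assumptions of this example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Sketch of filter-level URL protection: an ordered list of
 * (Ant-style URL pattern -> allowed roles) rules; the first matching
 * rule decides the request. Hypothetical example, not Acegi code.
 */
public class UrlRoleFilter {

    /** One rule: a URL pattern and the roles that may reach it. */
    static final class Rule {
        final Pattern regex;
        final Set<String> roles;

        Rule(String ant, String... roles) {
            this.regex = antToRegex(ant.toLowerCase());
            this.roles = new HashSet<String>(Arrays.asList(roles));
        }
    }

    private final List<Rule> rules = new ArrayList<Rule>();

    /** Rules are evaluated in insertion order: put the most specific first. */
    public UrlRoleFilter addRule(String antPattern, String... allowedRoles) {
        rules.add(new Rule(antPattern, allowedRoles));
        return this;
    }

    /**
     * Decide whether a user holding userRoles may reach requestUri.
     * The URI is lower-cased and stripped of its query string before
     * matching, so "/Admin/Users?page=2" is judged as "/admin/users"
     * (an assumption of this example). A request that matches no rule
     * is denied, i.e. the filter fails closed.
     */
    public boolean isAllowed(String requestUri, Set<String> userRoles) {
        String path = requestUri.toLowerCase();
        int q = path.indexOf('?');
        if (q >= 0) {
            path = path.substring(0, q);
        }
        for (Rule rule : rules) {
            if (rule.regex.matcher(path).matches()) {
                // holding any one of the listed roles satisfies this rule
                return !Collections.disjoint(rule.roles, userRoles);
            }
        }
        return false;
    }

    /** Translate an Ant-style pattern ("/admin/**", "/*.do") into a regex. */
    static Pattern antToRegex(String ant) {
        StringBuilder sb = new StringBuilder("^");
        for (int i = 0; i < ant.length(); i++) {
            char c = ant.charAt(i);
            if (c == '*') {
                if (i + 1 < ant.length() && ant.charAt(i + 1) == '*') {
                    sb.append(".*");      // "**" spans path separators
                    i++;
                } else {
                    sb.append("[^/]*");   // "*" stays within one segment
                }
            } else if (c == '?') {
                sb.append("[^/]");
            } else {
                sb.append(Pattern.quote(String.valueOf(c)));
            }
        }
        sb.append("$");
        return Pattern.compile(sb.toString());
    }

    public static void main(String[] args) {
        // Constructed rule set: most specific pattern first, catch-all last.
        UrlRoleFilter filter = new UrlRoleFilter()
            .addRule("/admin/**", "ROLE_ADMIN")
            .addRule("/project/*/build.do", "ROLE_DEVELOPER", "ROLE_ADMIN")
            .addRule("/project/**", "ROLE_USER", "ROLE_DEVELOPER", "ROLE_ADMIN")
            .addRule("/**", "ROLE_USER", "ROLE_DEVELOPER", "ROLE_ADMIN");

        Set<String> user = new HashSet<String>(Arrays.asList("ROLE_USER"));
        Set<String> dev = new HashSet<String>(Arrays.asList("ROLE_USER", "ROLE_DEVELOPER"));
        Set<String> anonymous = Collections.emptySet();

        System.out.println("user builds project 42: "
            + filter.isAllowed("/project/42/build.do", user));
        System.out.println("developer builds project 42: "
            + filter.isAllowed("/project/42/build.do", dev));
        System.out.println("developer reaches admin page: "
            + filter.isAllowed("/Admin/Users?page=2", dev));
        System.out.println("anonymous reaches front page: "
            + filter.isAllowed("/index.html", anonymous));
    }
}
```

Two points worth checking in any filter-level setup, whichever framework ends up in Continuum: rule order matters when patterns overlap (a broad `/**` placed first would shadow the `/admin/**` rule), and the treatment of URLs that match no rule should be deliberate, since a layer that leaves unmatched URLs public turns every forgotten pattern into an open page. This sketch denies them; a catch-all rule placed last is the usual way to make the choice explicit.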
