continuum-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brett Porter <br...@apache.org>
Subject Re: Security in Continuum
Date Thu, 12 Jan 2006 22:19:10 GMT
Seraph also wraps around osuser, I believe.

I think that standalone should be a secondary concern (a nice to have).
I think as long as it can be backed by the same permissions data, the
web part is the "hard part" we don't want to have to reproduce and maintain.

I'd go with further investigation on Acegi. IIRC they only use Spring
utilities and the injection is clean. If that's true, we could maybe
minijar it, or provide patches to them to split it out in some way.

Thanks!

- Brett

Emmanuel Venisse wrote:
> Hi,
> 
> In 1.1, we have decided to rework all security features.
> 
> I tried to use osuser but this framework is crappy :
> - UserManager is a final class that load a osuser config file, we can't
> set parameters with plexus because all initialization phase are done in
> constuctor that read config file
> - need to duplicate code between Authenticator and AccessProvider
> - all providers interface extends a base provider interface that require
> some methods without relation with provider must do
> 
> I looked at berkano too. This project use actually dao pattern and
> hibernate and permission doesn't seems to be supported
> 
> I looked at seraph too. This project seems to be interesting, it's used
> by confluence and jira. It seems we have all we need in it but it
> require to be used in a web app environment, so i think we can't use it
> if we want to use security framework in a standalone app in future.
> 
> jaas: i think we need a more high level framework. I'd prefer to use a
> plugin where jaas can be plugged
> 
> acegisecurity: this framework seems to be the more advanced. The most
> important problem for its usage, it's that required spring framework. I
> don't like to include in continuum a new IOC container only for this
> feature especially with a 2Mo jar. Can we exclude easily spring
> dependency from acegi by writing a mockimplementation? Can we use it in
> a standalone app?
> 
> last possibility : we can write our own security framework. If we choose
> it, we'll can start with features required by continuum (user, group,
> general and per project permission schemes) and we'll add more
> functionalities later if we need more.
> 
> What do you think about all these frameworks?
> Which do we choose?
> 
> Emmanuel
> 


Mime
View raw message