continuum-dev mailing list archives

From "Carlos Sanchez" <car...@apache.org>
Subject Re: rbac-integration continuum branch
Date Thu, 28 Sep 2006 07:28:09 GMT
Is it using maven-user? There's already all user management code there
to avoid duplication in different applications.

On 9/28/06, Emmanuel Venisse <emmanuel@venisse.net> wrote:
> +1 for the merge
>
> Emmanuel
>
> Jesse McConnell wrote:
> > Over the course of the past 3 weeks I've worked with joakim on the
> > plexus-security effort to bring rbac based security to Archiva.
> > We succeeded.
> >
> > Last Friday (or so) I took the continuum/trunk and created the
> > rbac-integration branch.
> > I wanted to test the integration of rbac based security, using
> > the plexus-security project, into continuum.
> >
> > It integrated beautifully, without a whole lot of work, in record
> > time, and is pretty functional now ...
> >
> > Some of the fun things that plexus-security brings with it are:
> >
> > * full separation between application webapp and security (lightweight
> > integration).
> > * proper modularization for security components (authentication,
> > authorization, policy, system, web, etc...)
> > * rbac (role based access control) authorization provider.
> > * full user management war overlay (using healthy chunk of maven-user
> > to make it happen)
> > * toggle-able guest user authorization.
> > * remember me and single sign on authentication.
> > * forced admin account creation (through use of interceptor)
> > * key based authentication (remember me, single sign on, new user
> > validation emails, and password resets).
> > * http auth filters (basic and digest).
> > * aggressive plexus utilization.
> > * aggressive xwork / webwork integration.
> > * xwork interceptors for force admin, auto login (remember me),
> > secured action, and environment checks.
> > * secured actions for all of the /security namespace and at least one
> > continuum secured action (these are enforced by the
> > pssSecureActionInterceptor)
> > * all the password validation, user management stuff (again maven-user
> > origins)
> > * continuum-security artifact containing the actual static and dynamic
> > roles, and a continuum role manager that merges permissions to the
> > core system, user, and guest users
> > * ifAuthorized, ifAnyAuthorized, elseAuthorized jsp tags.
> > * placeholders for ldap authentication, authorization and user details
> > retrieval using plexus ldap components
> > * ability to re-use Acegi for authentication
> >
> > I think it is very usable now, it's a matter of some jsp and action
> > work to clean up some things and hide some other knobs and buttons.
> >
> > I'd like to get feedback and discussion from the others here about the
> > implementation, and consider a vote to merge it to trunk after that. I
> > believe it is stable enough to move forward with.
> >
> > jesse
> >
>
>


-- 
I could give you my word as a Spaniard.
No good. I've known too many Spaniards.
                             -- The Princess Bride
