continuum-dev mailing list archives

From Jason van Zyl <ja...@maven.org>
Subject Re: rbac-integration continuum branch
Date Thu, 28 Sep 2006 07:41:24 GMT
On 28 Sep 06, at 9:28 AM 28 Sep 06, Carlos Sanchez wrote:

> is it using maven-user? there's already all user management code there
> to avoid duplication in different applications.
>

Joakim, to the best of my knowledge, used bits and pieces from Maven
User but the implementation in plexus-security package is better in
my opinion and has been worked on by more people (I've looked at it
and agree though a critique of some things in p-sec in general is
coming from me). Myself, Jesse, and Joakim were involved and the
speed with which p-sec was integrated into Continuum is a testament
to its ease of use. The user management is part of that system.

> On 9/28/06, Emmanuel Venisse <emmanuel@venisse.net> wrote:
>> +1 for the merge
>>
>> Emmanuel
>>
>> Jesse McConnell wrote:
>> > Over the course of the past 3 weeks I've worked with joakim on the
>> > plexus-security effort to bring rbac based security to Archiva.
>> > We succeeded.
>> >
>> > Last Friday (or so) I took the continuum/trunk and created the
>> > rbac-integration branch.
>> > I wanted to test the integration of rbac based security, using
>> > the plexus-security project, into continuum.
>> >
>> > It integrated beautifully, without a whole lot of work, in record
>> > time, and is pretty functional now ...
>> >
>> > Some of the fun things that plexus-security brings with it are:
>> >
>> > * full separation between application webapp and security
>> > (lightweight integration).
>> > * proper modularization for security components (authentication,
>> > authorization, policy, system, web, etc...)
>> > * rbac (role based access control) authorization provider.
>> > * full user management war overlay (using healthy chunk of
>> > maven-user to make it happen)
>> > * toggle-able guest user authorization.
>> > * remember me and single sign on authentication.
>> > * forced admin account creation (through use of interceptor)
>> > * key based authentication (remember me, single sign on, new user
>> > validation emails, and password resets).
>> > * http auth filters (basic and digest).
>> > * aggressive plexus utilization.
>> > * aggressive xwork / webwork integration.
>> > * xwork interceptors for force admin, auto login (remember me),
>> > secured action, and environment checks.
>> > * secured actions for all of the /security namespace and at least
>> > one continuum secured action (these are enforced by the
>> > pssSecureActionInterceptor)
>> > * all the password validation, user management stuff (again
>> > maven-user origins)
>> > * continuum-security artifact containing the actual static and
>> > dynamic roles, and a continuum role manager that merges permissions
>> > to the core system, user, and guest users
>> > * ifAuthorized, ifAnyAuthorized, elseAuthorized jsp tags.
>> > * placeholders for ldap authentication, authorization and user
>> > details retrieval using plexus ldap components
>> > * ability to re-use Acegi for authentication
>> >
>> > I think it is very usable now, it's a matter of some jsp and action
>> > work to clean up some things and hide some other knobs and buttons.
>> >
>> > I'd like to get feedback and discussion from the others here about
>> > the implementation, and consider a vote to merge it to trunk after
>> > that. I believe it is stable enough to move forward with.
>> >
>> > jesse
>> >
>>
>>
>
>
> -- 
> I could give you my word as a Spaniard.
> No good. I've known too many Spaniards.
>                             -- The Princess Bride
>

