Date: Wed, 27 Sep 2006 20:58:07 -0500
From: "Jesse McConnell"
To: continuum-dev@maven.apache.org
Subject: rbac-integration continuum branch

Over the course of the past 3 weeks I've worked with joakim on the plexus-security effort to bring rbac based security to Archiva. We succeeded.

Last Friday (or so) I took the continuum/trunk and created the rbac-integration branch. I wanted to test the integration of rbac based security, using the plexus-security project, into continuum.

It integrated beautifully, without a whole lot of work, in record time, and is pretty functional now ...

Some of the fun things that plexus-security brings with it are:

* full separation between application webapp and security (lightweight integration).
* proper modularization for security components (authentication, authorization, policy, system, web, etc...)
* rbac (role based access control) authorization provider.
* full user management war overlay (using healthy chunk of maven-user to make it happen)
* toggle-able guest user authorization.
* remember me and single sign on authentication.
* forced admin account creation (through use of interceptor)
* key based authentication (remember me, single sign on, new user validation emails, and password resets).
* http auth filters (basic and digest).
* aggressive plexus utilization.
* aggressive xwork / webwork integration.
* xwork interceptors for force admin, auto login (remember me), secured action, and environment checks.
* secured actions for all of the /security namespace and at least one continuum secured action (these are enforced by the pssSecureActionInterceptor)
* all the password validation, user management stuff (again maven-user origins)
* continuum-security artifact containing the actual static and dynamic roles, and a continuum role manager that merges permissions to the core system, user, and guest users
* ifAuthorized, ifAnyAuthorized, elseAuthorized jsp tags.
* placeholders for ldap authentication, authorization and user details retrieval using plexus ldap components
* ability to re-use Acegi for authentication

I think it is very usable now, it's a matter of some jsp and action work to clean up some things and hide some other knobs and buttons.

I'd like to get feedback and discussion from the others here about the implementation, and consider a vote to merge it to trunk after that. I believe it is stable enough to move forward with.

jesse

--
jesse mcconnell
jesse.mcconnell@gmail.com