Return-Path: X-Original-To: apmail-incubator-deltaspike-dev-archive@minotaur.apache.org Delivered-To: apmail-incubator-deltaspike-dev-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 13842DC84 for ; Fri, 27 Jul 2012 23:02:42 +0000 (UTC) Received: (qmail 10534 invoked by uid 500); 27 Jul 2012 23:02:41 -0000 Delivered-To: apmail-incubator-deltaspike-dev-archive@incubator.apache.org Received: (qmail 10511 invoked by uid 500); 27 Jul 2012 23:02:41 -0000 Mailing-List: contact deltaspike-dev-help@incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: deltaspike-dev@incubator.apache.org Delivered-To: mailing list deltaspike-dev@incubator.apache.org Received: (qmail 10503 invoked by uid 99); 27 Jul 2012 23:02:41 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 27 Jul 2012 23:02:41 +0000 X-ASF-Spam-Status: No, hits=1.5 required=5.0 tests=HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS,T_FRT_INTEREST X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of lightguard.jp@gmail.com designates 209.85.213.47 as permitted sender) Received: from [209.85.213.47] (HELO mail-yw0-f47.google.com) (209.85.213.47) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 27 Jul 2012 23:02:37 +0000 Received: by yhjj56 with SMTP id j56so3430033yhj.6 for ; Fri, 27 Jul 2012 16:02:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type; bh=J01sxJRJ+eRs5dAhXOa/Vd6FTlK/sVA2NT82qPNty24=; b=odKXvRbcgw8aGbiWnZVU2jAJvLXSQWA/FtyCWOhtKytr4AAiHiOMiYxpF5r9yvtjA7 ezhlZlMTP0usoKQFxU7MV/oBfQZ+xhgurxJmQwjn/0PZ9RA+a0Mutao1ouj91ytCGQbb m1iOtBehQ820cCPFzZDEZlZsHgjNQa9HHcX5CiA2VY3CBVvkgzIZ71jTWi+r1RHbTaNv 6HCsoaKH67LjljbiiYhr86wbU9fFHTAOxy0j0pzFQoiNFYoWcmzm50MuFQ1HlsCsjdnJ 7MMP2y1aoisypDv3SC2NxMP2Dmi2l8kS//94WgEnibFZsCrQazLLobJWct51CsaA8izD TycA== Received: by 10.50.106.136 with SMTP id gu8mr6111139igb.23.1343430136219; Fri, 27 Jul 2012 16:02:16 -0700 (PDT) MIME-Version: 1.0 Received: by 10.50.37.243 with HTTP; Fri, 27 Jul 2012 16:01:55 -0700 (PDT) In-Reply-To: References: <1343342474.1574.YahooMailNeo@web28905.mail.ir2.yahoo.com> <5012A4FD.1050800@gmail.com> <1343428168.23451.YahooMailNeo@web28901.mail.ir2.yahoo.com> From: Jason Porter Date: Fri, 27 Jul 2012 17:01:55 -0600 Message-ID: Subject: Re: IDM impl feedback To: deltaspike-dev@incubator.apache.org Content-Type: multipart/alternative; boundary=e89a8f23579d0cc73d04c5d7b422 X-Virus-Checked: Checked by ClamAV on apache.org --e89a8f23579d0cc73d04c5d7b422 Content-Type: text/plain; charset=UTF-8 That's fine, we can address this at a later time. I'd prefer to get v0.3 out the door sooner. On Fri, Jul 27, 2012 at 4:54 PM, Gerhard Petracek < gerhard.petracek@gmail.com> wrote: > hi jason, > > i removed them as well (in the preview), because they don't work without > org.apache.deltaspike.security.api.idm.User. > since we agreed on a different/new goal, we can re-visit those parts for > the upcoming module. > (maybe we will re-add e.g. some of the events, but for now we don't know > what we will need.) > > if we just revert back to what we had in v0.2, we wouldn't change a lot > (and we have more or less the same). > > regards, > gerhard > > > > 2012/7/28 Jason Porter > > > You're thinking in v0.4 then? There's not a LOT of new stuff in v0.3 but > we > > have waited a while to release, we should probably get started soon on > the > > release. > > > > On Fri, Jul 27, 2012 at 4:29 PM, Mark Struberg > wrote: > > > > > I'd rather have the mini-auth + some composite components + a small > > > default login handling in a separate module. > > > > > > LieGrue, > > > strub > > > > > > > > > > > > ----- Original Message ----- > > > > From: Jason Porter > > > > To: deltaspike-dev@incubator.apache.org > > > > Cc: > > > > Sent: Saturday, July 28, 2012 12:11 AM > > > > Subject: Re: IDM impl feedback > > > > > > > >G erhard, you heard my thoughts on adding the authentication stuff > back > > > in. > > > > I'd like to suggest doing this either for v0.3 or v0.4 if we don't > add > > > > it > > > > in to v0.3. > > > > > > > > On Fri, Jul 27, 2012 at 3:01 PM, Gerhard Petracek < > > > > gerhard.petracek@gmail.com> wrote: > > > > > > > >> hi @ all, > > > >> > > > >> since also everybody involved in the original implementation agreed > > > with > > > >> 4b, i've created a jira-ticket [1] for the first two steps. > > > >> please review the changes for step #1. if there are no objections, > > i'll > > > >> push it to our repository in two days and i'll close the > jira-tickets > > > >> related to those topics. > > > >> > > > >> regards, > > > >> gerhard > > > >> > > > >> [1] https://issues.apache.org/jira/browse/DELTASPIKE-249 > > > >> > > > >> > > > >> > > > >> 2012/7/27 Marius Bogoevici > > > >> > > > >> > 4b looks a good way to go for me as well. > > > >> > > > > >> > > > > >> > On 2012-07-27 9:44 AM, Cody Lerum wrote: > > > >> > > > > >> >> +1 4b > > > >> >> On Jul 26, 2012 4:41 PM, "Mark Struberg" > > > > wrote: > > > >> >> > > > >> >> Oki, here we go. > > > >> >>> > > > >> >>> We had a quick chat about where we basically stand today. > > > >> >>> > > > >> >>> > > > >> >>> This is not intended to be a a 'what shall be' but > > > > more a 'what do we > > > >> >>> have' + 'what do we really need' email. > > > >> >>> > > > >> >>> > > > >> >>> 1.) What we have today: > > > >> >>> I've looked at the Security module and what I understand > > > > it's pretty > > > >> >>> powerful and complex. > > > >> >>> There are aprox. 30++ Interfaces which are very flexible but > > > > also very > > > >> >>> hard to get right. Having lots of flexibility also makes it > > > > easy to do > > > >> >>> things wrong as user. E.g. IdentityManager which allows to > > > > create > > > >> users. > > > >> >>> The RoleQuery and the whole Role management is pretty complete > > > > from the > > > >> >>> API > > > >> >>> level but I've never seen it used in such detail in any > > > > application > > > >> yet. > > > >> >>> Most times there is an additional mapping role -> rights. > > > > And the right > > > >> >>> is > > > >> >>> what gets used in the application (e.g. in rendered= ). > > > >> >>> > > > >> >>> 2.) What is available in projects: > > > >> >>> In my last 10 projects we never had the choice to define our > > > > own login > > > >> >>> logic. Some customers had radius, others authenticated against > > > > SAP or > > > >> >>> kerberos. Then there are some LDAP and we even have a single > > > > sign on > > > >> >>> based > > > >> >>> on Smalltalk. And there is absolutely no way to get rid of > > > > those! Most > > > >> of > > > >> >>> the time you cannot even create your own users... Of course > > > > there is > > > >> the > > > >> >>> need for a simple html based user login for _some_ > > > > applications. But > > > >> this > > > >> >>> is most times only needed for green-field projects. Whenever > > > > you do > > > >> >>> projects for a bigger company you most likely will find some > > > > well > > > >> >>> established SSO in place. > > > >> >>> > > > >> >>> 3.) what is needed in those projects: > > > >> >>> I did quite some integration already in the past and the only > > > > thing > > > >> which > > > >> >>> we did really need was > > > >> >>> > > > >> >>> 3.a.) to express some interrest: "current user likes > > > > to do actionX" > > > >> >>> This can be done via a @Secured interceptor, via @ViewConfig, > > > > via > > > >> >>> @PageBean etc -> might get provided by DS. > > > >> >>> > > > >> >>> 3.b.) to evaluate the "is the current user allowed to > > > > do actionX" > > > >> >>> Like with JAAS Voters this can be done via a simple Interface > > > > which > > > >> >>> returns a boolean. This is really similar to what Seam2 had > > > > and also > > > >> what > > > >> >>> CODI did. > > > >> >>> All the evaluation and binding to an existing authorisation > > > > and > > > >> >>> authentication can be done in this > > > > AccessVoter/checkPermission. -> we > > > >> >>> might > > > >> >>> provide the Interfaces in DS. The impl is _always_ up to the > > > > user. > > > >> >>> > > > >> >>> 4.) what are our options: > > > >> >>> > > > >> >>> 4.a.) fully implement our own security manager. This will > > > > surely > > > >> still > > > >> >>> take some time as this is a complex topic! Many of the > > > > interfaces are > > > >> ok > > > >> >>> but there is not yet an impl behind it. My personal estimation > > > > is that > > > >> we > > > >> >>> now hit the 15% line, and a few people already spent a good > > > > amount of > > > >> >>> power > > > >> >>> for it. So this will not be finished for the next 5 months I > > > > fear. > > > >> >>> > > > >> >>> 4.b) implement a simple Voter + @Secured and let the user deal > > > > with the > > > >> >>> rest. In both Seam2 and CODI this turned out to not only be > > > > extremely > > > >> >>> flexible, but it is also rather easy to integrate [1]. We > > > > could also > > > >> >>> provide an additional module which contains a composite > > > > component with > > > >> >>> login userId + pwd fields + a simple backend for it. But just > > > > as a > > > >> small > > > >> >>> additional module which might optionally be used for easier > > > > integration > > > >> >>> into JSF apps if there is not yet an existing SSO > > > > implementation. > > > >> >>> > > > >> >>> LieGrue, > > > >> >>> strub > > > >> >>> > > > >> >>> > > > >> >>> [1] > > > >> >>> https://github.com/struberg/**lightweightEE/blob/master/gui/** > > > >> >>> src/main/java/de/jaxenter/**eesummit/caroline/gui/** > > > >> >>> security/AdminAccessVoter.**java#L36< > > > >> > > > > > > > > > > https://github.com/struberg/lightweightEE/blob/master/gui/src/main/java/de/jaxenter/eesummit/caroline/gui/security/AdminAccessVoter.java#L36 > > > >> > > > > >> >>> > > > >> >>> > > > >> >>> ----- Original Message ----- > > > >> >>> > > > >> >>>> From: Jason Porter > > > >> >>>> To: deltaspike-dev@incubator.**apache.org< > > > >> deltaspike-dev@incubator.apache.org> > > > >> >>>> Cc: > > > >> >>>> Sent: Thursday, July 26, 2012 9:03 PM > > > >> >>>> Subject: IDM impl feedback > > > >> >>>> > > > >> >>>> T he implementation that's in HEAD right now is > > > > incomplete. There are > > > >> >>>> many > > > >> >>>> methods which are basic IDE generated stubs in multiple > > > > classes. I'll > > > >> >>>> > > > >> >>> hold > > > >> >>> > > > >> >>>> off on any feedback until it's complete. > > > >> >>>> > > > >> >>>> -- > > > >> >>>> Jason Porter > > > >> >>>> http://lightguard-jp.blogspot.**com < > > > >> http://lightguard-jp.blogspot.com> > > > >> >>>> http://twitter.com/**lightguardjp > > > > > > > >> >>>> > > > >> >>>> Software Engineer > > > >> >>>> Open Source Advocate > > > >> >>>> Author of Seam Catch - Next Generation Java Exception > > > > Handling > > > >> >>>> > > > >> >>>> PGP key id: 926CCFF5 > > > >> >>>> PGP key available at: keyserver.net, pgp.mit.edu > > > >> >>>> > > > >> >>>> > > > >> > > > > >> > > > > > > > > > > > > > > > > -- > > > > Jason Porter > > > > http://lightguard-jp.blogspot.com > > > > http://twitter.com/lightguardjp > > > > > > > > Software Engineer > > > > Open Source Advocate > > > > Author of Seam Catch - Next Generation Java Exception Handling > > > > > > > > PGP key id: 926CCFF5 > > > > PGP key available at: keyserver.net, pgp.mit.edu > > > > > > > > > > > > > > > -- > > Jason Porter > > http://lightguard-jp.blogspot.com > > http://twitter.com/lightguardjp > > > > Software Engineer > > Open Source Advocate > > Author of Seam Catch - Next Generation Java Exception Handling > > > > PGP key id: 926CCFF5 > > PGP key available at: keyserver.net, pgp.mit.edu > > > -- Jason Porter http://lightguard-jp.blogspot.com http://twitter.com/lightguardjp Software Engineer Open Source Advocate Author of Seam Catch - Next Generation Java Exception Handling PGP key id: 926CCFF5 PGP key available at: keyserver.net, pgp.mit.edu --e89a8f23579d0cc73d04c5d7b422--