directory-dev mailing list archives

From "Ersin Er" <ersin...@gmail.com>
Subject Re: Why is SchemaService so low in the interceptors stack?
Date Tue, 24 Apr 2007 07:11:03 GMT
Hi,

I think it's reasonable to have the schemaService higher in the
stack. To authorize a user to do an operation, first we should check
if it's a valid operation or not. Some more comments inlined below.

On 4/24/07, Emmanuel Lecharny <elecharny@apache.org> wrote:
> Hi guys !
>
> I have just a formal question : why can't we call the SchemaService
> earlier ? The stack is usually the following :
> - normalizationService (N°1, plain normal)
> - authenticationService (N°2, make sense too)
> - referralService
> - authorizationService
> - defaultAuthorizationService ( difference from the previous service ?)

Yes, this provides the minimum level of authorization even in the
absence of the regular authorizationService.

> - exceptionService ( what is it used for ?)

I don't think it fully serves its purpose now.

> - operationalAttributeService
> - schemaService <-- here we check that the entry is consistent

The operationalAttributeService itself does some schema
checking on "virtual" attributes. So operationalAttributeService may
need to be above the schemaService.

> ... (other services)
>
> I wonder if we shouldn't call schemaService just after the
> authenticationService.
>
> Why do I ask this question? Because while fixing some code in
> AuthorizationService, I found that we are doing some checks that are
> delegated to the schemaService. Typically, we are controlling the
> existence of an attributeType, and if not present, we check that this AT
> is not requested by the MUST attribute of a specific ObjectClass. This
> has two main drawbacks :
> - we do the check twice (should not be a big deal though, because the
> test is pretty fast, but anyway)
> - we are doing a wrong test : it's not enough to check that a specific
> OC (here, it's the AccessControlSubentry OC) is not in the OC list for
> this entry, because many other OC can contain this tested attribute
>
> Ok, this is something very unlikely, but this can be seen as a potential
> failure.
>
> Now, I'm not sure that if we put the schemaService higher, it won't
> break the whole server. So my question. If it's not possible, then I see
> no other solution than to fix the AuthorizationService code (TupleCache
> class) :)
>
> Emmanuel
>


-- 
Ersin
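
The second drawback raised in the quoted mail (testing a single object class instead of every object class that can require the attribute), as an added example that is not part of the thread or of ApacheDS's code. The schema maps, the `exampleAciBase`/`exampleAciChild` classes and the method names are constructed for illustration, and the MUST lists are assumptions.

```java
import java.util.*;

public class MustAttributeCheck {
    // Constructed toy schema, not ApacheDS's registry. Names are stored lower-cased
    // because LDAP descriptors are case-insensitive.
    static final Map<String, Set<String>> MUST = Map.of(
        "top", Set.of("objectclass"),
        "subentry", Set.of("cn", "subtreespecification"),
        "accesscontrolsubentry", Set.of("prescriptiveaci"),
        "exampleacibase", Set.of("prescriptiveaci"),      // hypothetical class
        "exampleacichild", Set.<String>of());             // hypothetical, inherits its MUST list
    // Constructed superior (SUP) chain for the classes above.
    static final Map<String, String> SUP = Map.of(
        "subentry", "top",
        "accesscontrolsubentry", "top",
        "exampleacibase", "top",
        "exampleacichild", "exampleacibase");

    // The narrow test described in the mail: only one specific object class is consulted.
    static boolean requiredNarrow(Collection<String> entryOcs, String attr) {
        return entryOcs.stream().anyMatch(oc -> oc.equalsIgnoreCase("accessControlSubentry"))
            && MUST.get("accesscontrolsubentry").contains(attr.toLowerCase(Locale.ROOT));
    }

    // Schema-style test: the attribute is required if any object class of the entry,
    // or any superior of one, lists it in MUST.
    static boolean requiredByAnyOc(Collection<String> entryOcs, String attr) {
        String at = attr.toLowerCase(Locale.ROOT);
        Set<String> seen = new HashSet<>();   // avoids re-walking shared superiors
        for (String oc : entryOcs) {
            for (String cur = oc.toLowerCase(Locale.ROOT);
                 cur != null && seen.add(cur); cur = SUP.get(cur)) {
                if (MUST.getOrDefault(cur, Set.of()).contains(at)) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed entry: the attribute is required only through a superior class,
        // and accessControlSubentry is not among its object classes.
        List<String> entry = List.of("top", "subentry", "exampleAciChild");
        System.out.println("single-OC check says required: " + requiredNarrow(entry, "prescriptiveACI"));
        System.out.println("any-OC check says required:    " + requiredByAnyOc(entry, "prescriptiveACI"));
    }
}
```

On this entry the two checks disagree, which is the case the mail calls unlikely but possible.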