directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Vincent Tence <>
Subject Re: AuthX timeframe
Date Fri, 18 Mar 2005 14:24:45 GMT
It's hard enough to predict when a project will be done when you work full
time on it. It's even harder when you don't know how much effort you'll be

I'm not clear today on what needs to be ready for a 1.0 release. Anyway,
1.0 or 0.x, every release will be fully tested and usable and delivered as
early as possible. AuthX will be delivered incrementally, the mark for 1.0
may come when integration with ApacheDS is completed and documentation is
ready. It's open to discussion ...

What we will be working on next is LDAP backend support and integration
with ApacheDS.

-- Vincent

> Vincent:
> Thanks for your answer. Your mail confirmed my guess that ApacheDS will
> use AuthX in the future to extend its ACP and ACL support. It could be
> very powerful if we could hook it up with a workflow engine. I saw the
> roadmap online, but could you tell me if you have a planed timeframe? Say,
> within 3 months, are we able to see a possible 1.0 release of AuthX and
> within 6 months are we going to see a possible combination of DS with
> AuthX?
> Hope you could receive the mail.
> Thanks again!
> Minggui
> -----Original Message-----
> From: Vincent Tence []
> Sent: Wednesday, March 16, 2005 5:25 PM
> To: Chen, Minggui
> Cc:
> Subject: RE: AuthX information
>> I did check out the policy.xml and permissions.xml from the source and
>> read more api in order to understand more. I list my understandings here
>> in case that I might have made it wrong:
>> (1) The rule set (permissions) could be created initially from xml;
> This is indeed one way to do it. The other one is to define your rules in
> groovy (other scripting languages could be added, such as beanshell,
> pnuts, rhino).
>> (2) The rule set could be updated dynamically through Policy class;
> Correct.
>> (3) All the rules should be loaded in memory (?)
> Currently yes
>> (4) Every entry in every Access Control List is a rule.
> Close enough
>> Based on that, here is my concerns:
>> (1) If there is a rule conflict, for example:
>> "/a/" contains many subfolders, if I define a rule as:
>> User1 could read "/a/*",
>> but User1 could not read "/a/b/*",
>> what will happen?
> Rules are packaged in a group known as a ruleset, which uses a conflict
> resolution algorithm. The following algos are provided:
> - PermitOverrides: permit overrides any other decision
> - DenyOverrides: deny overrides any other decision
> - LastApplicable: the last permit or deny wins
> - FirstApplicable: the first permit or deny wins
>> (2) If I have to support user based access control list (not just role
>> based), I might have to define many rules.
> You could also use groups.
>> That could cause a memory
>> problem if I have to load all rules into the memory. There should be one
>> way to load only a small part (caching) from the repository dynamically.
> That could be an interesting addition indeed.
>> (3) How could I dynamically sync rule set with permission repository
>> such
>> as a file or a DB?
> Currently there's no support for storing rules in BD.
> As for files, it's easy to do if your rules are written in groovy. We
> could provide an implementation of the RuleSet that you feed with script
> urls instead of rule objects. At runtime, whenever the script file has
> changed, the rule would be reloaded (there's already support automatically
> reloading groovy scripts).
> If you use XML definitions, we could put up an implementation of the
> Authorizer that checks at runtime if the xml file has changed and reloads
> the rule set accordingly.
>> (4) There seems no direct relation with LDAP. Will ApacheDS use it and
>> how?
> Next step for AuthX is to use ApacheDS as a storage mechanism and use
> AuthX as the server's internal Authentication and Authorization framework.
>> We really like the project and hope we could use it
> I'm delighted to read that. Thanks for your interest!
>>, so I have to ask you
>> a lot stupid questions. I wish you will not mind. Thank you for your
>> kind
>> help.
> There aren't any stupid questions. Don't hesitate to ask.
> I suggest you subscribe to (send a empty mail
> to, so that we can discuss that on
> the list.
> Cheers,
> -- Vincent
>> Minggui
>> -----Original Message-----
>> From: Vincent Tence []
>> Sent: Wednesday, March 16, 2005 2:11 PM
>> To: Chen, Minggui
>> Subject: Re: AuthX information
>>> Vincent:
>>> Please pardon me for sending mail directly to you. I think I am
>>> bothering
>>> you a lot. But there is no way for me to get the answer from apache.
>> No worries. I'm not sure what you mean when you say there's no way to
>> get
>> an answer from apache. Have you tried writing to the directory users
>> list
>> ad This is our new mailing list for users
>> now.
>>> Currently we are very interested on the Apache directory project being
>>> developed by you guys, and we really appreciate your work. Since it is
>>> still in incubator, we are eager to know some information for our
>>> business
>>> decision.
>> Thanks. We appreciate the fact that you're having interest in the
>> project.
>>> For now I can only guess to what extend AuthX is trying to do. My
>>> understanding is that it is a rule based framework.
>> AuthX is an Authentication, Authorization and Accounting framework that
>> aims to help build security into Java application. With AuthX, is should
>> be easier and much cheaper to implement data driven security into an
>> application. Currently, the J2EE spec doesn't help much in terms of
>> authorization decisions that must be taken based on the data being
>> accessed as well as the identity and attributes of the subject.
>> AuthX uses a rule-based authorization framework. Instead of being only
>> RBAC, it uses rules to describe security policy. With the rule approach,
>> building an RBAC system is straightforward, and more complex security
>> schemes are possible as well.
>>> OK, but do I need to
>>> implement the interface to interpret the rule set or do I only need to
>>> define the rules through GUI or config file after AuthX is eventually
>>> finished?
>> There's no GUI since AuthX is a framework. There could be supporting
>> tools
>> at some point, but it's not the priority right now.
>> There is 2 ways you can define your own rules:
>> 1. Using an XML file. You can plug into the XML policy builder to use
>> your
>> own grammar
>> 2. Using a scripting language such as groovy. You write your
>> authorization
>> rules using groovy and load them using the provided framework classes.
>> This gives you greatest flexibility with min coding.
>> There is an example application in the SVN source tree that can help you
>> understand how to use authx. Also, on the wiki, there's a general
>> overview
>> of the concepts behind authx:
>> That's not much. Documentation is a major concern at this point, I
>> realize
>> that. I'll be working on it.
>>> I understand that it's going to support LDAP realm. But I am not sure
>>> if
>>> it is going to support LDAP authorization. Could you explain a little
>>> bit
>>> more? Such as its relationship with ACP and ACL?
>> LDAP will be used as a storage mechanism for usernames/passwords, groups
>> and roles defintion. This feature is on the way.
>>> Just curious if you could give me a suggestion. If I am going to use
>>> LDAP
>>> to support role based authorization, I am not sure if I should use LDAP
>>> ACL (and sure I have to write the code to implement the policy), or
>>> AuthX
>>> will solve the problem for me.
>> If you look at the diagram on the wiki, you'll see that authorization
>> rules are separated from the concern of loading subject attributes
>> (rules
>> or groups the user might belong to). Rules only use this information to
>> take decisions. Usernames, passwords, roles, groups are all meant to be
>> stored in a LDAP directory, but I don't see rules sitting there. Rules
>> are
>> dynamic, application specific and subject to change. They'll more likely
>> reside in XML files or script files along with the application.
>>> Your kind reply will be highly appreciated!
>> Hope that help,
>> -- Vincent
>> P.S. Do you mind if I copy the directory users lists in order to help
>> other users as well?

View raw message