incubator-clerezza-dev mailing list archives

From Reto Bachmann-Gmür <r...@apache.org>
Subject Re: Auth management in Clerezza
Date Fri, 15 Jun 2012 10:50:28 GMT
Salut!

Adding some comments inline...

On Fri, Jun 15, 2012 at 12:26 PM, Daniel Spicar
<daniel.spicar@trialox.org> wrote:

> We do have a system for Permissions in Clerezza. Some documentation can be
> found at http://incubator.apache.org/clerezza/documentation/ (search for
> the heading "Security"). I do not know too much about them though, they
> look like JAAS permissions though.


It doesn't just look like it is JAAS. When using RDF libraries (TcManager)
outside Clerezza the graphs work the same way as file access in the
standard Java libraries: if security is activated it checks for the
respective permissions. So you can follow one of the JAAS tutorials (
http://docs.oracle.com/javase/1.5.0/docs/guide/security/jgss/tutorials/AcnAndAzn.html);
what they say for FilePermissions also works for the TcPermissions.



> I used them from time to time and just
> checked how it has been used by some bundles and copied the approach. Maybe
> someone else can give more detailed information.
>
> When it comes to graph access via TcManager, there is a permission for
> checking read and write access:
> (org.apache.clerezza.rdf.core.access.security.TcPermission "<graphUri>"
> "readwrite").

Graph-Uri can contain a trailing wildcard so that permissions to many
graphs can be granted.


> The security system is tied to Clerezza platform users who
> can have those permissions assigned to them.


The authentication mechanism is tied to this platform database of the
users. For authorization standard JAAS is used so that permission to use
functionality of Clerezza libraries can be used in any application server.


> So when a user is
> authenticated (cookie and http basic auth are supported by the platform)
>
and web-id

> all accesses to a graph run inside this user's security context and
> permissions are checked. If you want other authentication methods you will
> need to implement a Clerezza WeightedAutenicationMethod OSGi service.
>
> Now when you want the users managed by an LDAP server you will most likely
> need to implement this support first.


This is very likely the easiest way to go (but might not be applicable if
you're not using the zz-platform but only the rdf libraries).

Cheers,
Reto
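
The message above describes graph permissions that are checked like FilePermissions and whose graph URI may end in a wildcard. The following is an added example, not part of the original message and not Clerezza's TcPermission code: a hypothetical `GraphPermission` class showing how such a check resolves against a set of grants. The class name, the example.org URIs and the rule that "readwrite" also covers "read" are assumptions.

```java
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;

// Hypothetical stand-in for a graph permission; NOT Clerezza's TcPermission source.
final class GraphPermission extends Permission {
    private final String prefix;    // graph URI with any trailing '*' removed
    private final boolean wildcard; // true when the URI ended in '*'
    private final boolean write;    // true for "readwrite", false for "read"

    GraphPermission(String graphUri, String actions) {
        super(graphUri);
        if (!actions.equals("read") && !actions.equals("readwrite"))
            throw new IllegalArgumentException("unknown actions: " + actions);
        wildcard = graphUri.endsWith("*");
        prefix = wildcard ? graphUri.substring(0, graphUri.length() - 1) : graphUri;
        write = actions.equals("readwrite");
    }

    @Override public boolean implies(Permission p) {
        if (!(p instanceof GraphPermission)) return false;
        GraphPermission o = (GraphPermission) p;
        if (o.write && !write) return false;              // a read grant never covers a write
        if (wildcard) return o.prefix.startsWith(prefix); // wildcard grant: prefix match
        return !o.wildcard && o.prefix.equals(prefix);    // exact grant covers only that graph
    }

    @Override public String getActions() { return write ? "readwrite" : "read"; }

    @Override public boolean equals(Object x) {
        return x instanceof GraphPermission && getName().equals(((GraphPermission) x).getName())
                && write == ((GraphPermission) x).write;
    }

    @Override public int hashCode() { return getName().hashCode() * 31 + (write ? 1 : 0); }

    public static void main(String[] args) {
        PermissionCollection granted = new Permissions(); // what a policy would grant one user
        granted.add(new GraphPermission("http://example.org/graphs/public/*", "read"));
        granted.add(new GraphPermission("http://example.org/graphs/alice/*", "readwrite"));
        String[][] requests = {                            // constructed sample requests
            {"http://example.org/graphs/public/news", "read"},
            {"http://example.org/graphs/public/news", "readwrite"},
            {"http://example.org/graphs/alice/notes", "readwrite"},
            {"http://example.org/graphs/bob/notes", "read"},
        };
        for (String[] r : requests)
            System.out.println(r[1] + " " + r[0] + " -> " + granted.implies(new GraphPermission(r[0], r[1])));
    }
}
```

Keeping wildcard grants as narrow as the URI layout allows matters here, because a prefix match covers every graph created under that prefix later on.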
