From dlest...@apache.org
Subject svn commit: r224480 - in /portals/jetspeed-2/trunk: ./ components/security/docs/ components/security/src/java/ components/security/src/java/org/apache/jetspeed/security/util/test/ components/security/xdocs/ components/security/xdocs/images/
Date Sat, 23 Jul 2005 17:12:28 GMT
Author: dlestrat
Date: Sat Jul 23 10:12:17 2005
New Revision: 224480

URL: http://svn.apache.org/viewcvs?rev=224480&view=rev
Log:
Security documentation started. Provide Architecture Overview,
Custom Policy Overview, Login Module Overview.  I will keep adding
to this over the next few days.  Feedback is welcome.

Added:
    portals/jetspeed-2/trunk/components/security/xdocs/arch.xml
    portals/jetspeed-2/trunk/components/security/xdocs/atn-spi.xml
    portals/jetspeed-2/trunk/components/security/xdocs/atn.xml
    portals/jetspeed-2/trunk/components/security/xdocs/atz-jaas.xml
    portals/jetspeed-2/trunk/components/security/xdocs/atz.xml
    portals/jetspeed-2/trunk/components/security/xdocs/images/atn-arch-c.gif   (with props)
    portals/jetspeed-2/trunk/components/security/xdocs/images/atn-provider-c.gif   (with props)
    portals/jetspeed-2/trunk/components/security/xdocs/images/atn-spi-arch-c.gif   (with props)
    portals/jetspeed-2/trunk/components/security/xdocs/images/atz-provider-c.gif   (with props)
    portals/jetspeed-2/trunk/components/security/xdocs/images/default-login-module-c.gif   (with props)
    portals/jetspeed-2/trunk/components/security/xdocs/images/rdbms-policy-c.gif   (with props)
    portals/jetspeed-2/trunk/components/security/xdocs/images/security-provider-c.gif   (with props)
    portals/jetspeed-2/trunk/components/security/xdocs/login-module.xml
    portals/jetspeed-2/trunk/components/security/xdocs/permission.xml
Removed:
    portals/jetspeed-2/trunk/components/security/docs/SecurityDesignNotes.txt
    portals/jetspeed-2/trunk/components/security/docs/securitySchema_v1.1.pdf
Modified:
    portals/jetspeed-2/trunk/.classpath
    portals/jetspeed-2/trunk/components/security/src/java/login.conf
    portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/util/test/AbstractSecurityTestcase.java
    portals/jetspeed-2/trunk/components/security/xdocs/index.xml
    portals/jetspeed-2/trunk/components/security/xdocs/navigation.xml

Modified: portals/jetspeed-2/trunk/.classpath
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/.classpath?rev=224480&r1=224479&r2=224480&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/.classpath (original)
+++ portals/jetspeed-2/trunk/.classpath Sat Jul 23 10:12:17 2005
@@ -20,6 +20,8 @@
 	<classpathentry excluding="**/.svn/*" kind="src" path="components/page-manager/src/test"/>
 	<classpathentry excluding="**/.svn/*" kind="src" path="components/portal/src/java"/>
 	<classpathentry excluding="**/.svn/*" kind="src" path="components/portal/src/test"/>
+	<classpathentry kind="src" path="components/portal-site/src/java"/>
+	<classpathentry kind="src" path="components/portal-site/src/test"/>
 	<classpathentry excluding="**/.svn/*" kind="src" path="components/portlet-factory/src/java"/>
 	<classpathentry excluding="**/.svn/*" kind="src" path="components/prefs/src/java"/>
 	<classpathentry excluding="**/.svn/*|Log4j.properties" kind="src" path="components/prefs/src/test"/>
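Review bot: The two added classpathentry lines for components/portal-site omit the `excluding="**/.svn/*"` attribute that every neighbouring src entry carries, so those two source folders would expose `.svn` metadata as source resources in the IDE. Suggest `<classpathentry excluding="**/.svn/*" kind="src" path="components/portal-site/src/java"/>` and the same attribute on the src/test entry so the file stays consistent.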

Modified: portals/jetspeed-2/trunk/components/security/src/java/login.conf
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/security/src/java/login.conf?rev=224480&r1=224479&r2=224480&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/components/security/src/java/login.conf (original)
+++ portals/jetspeed-2/trunk/components/security/src/java/login.conf Sat Jul 23 10:12:17 2005
@@ -1,3 +1,3 @@
 Jetspeed {
-   org.apache.jetspeed.security.impl.DefaultLoginModule required debug=true;
+   org.apache.jetspeed.security.impl.DefaultLoginModule required;
 };

Modified: portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/util/test/AbstractSecurityTestcase.java
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/util/test/AbstractSecurityTestcase.java?rev=224480&r1=224479&r2=224480&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/util/test/AbstractSecurityTestcase.java (original)
+++ portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/util/test/AbstractSecurityTestcase.java Sat Jul 23 10:12:17 2005
@@ -86,10 +86,7 @@
     {
 
         super.setUp();
-        
-        
-        
-        
+
         // SPI Security handlers.
         securityAccess = (SecurityAccess) ctx.getBean("org.apache.jetspeed.security.spi.SecurityAccess");
         ch =  (CredentialHandler) ctx.getBean("org.apache.jetspeed.security.spi.CredentialHandler");

Added: portals/jetspeed-2/trunk/components/security/xdocs/arch.xml
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/security/xdocs/arch.xml?rev=224480&view=auto
==============================================================================
--- portals/jetspeed-2/trunk/components/security/xdocs/arch.xml (added)
+++ portals/jetspeed-2/trunk/components/security/xdocs/arch.xml Sat Jul 23 10:12:17 2005
@@ -0,0 +1,93 @@
+<?xml version="1.0"?>
+<!--
+    Copyright 2004 The Apache Software Foundation
+    
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+    
+    http://www.apache.org/licenses/LICENSE-2.0
+    
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<document>
+    <properties>
+        <title>Jetspeed 2 Security - Architecture Overview</title>
+        <authors>
+            <person name="David Le Strat" email="dlestrat@apache.org" />
+        </authors>
+    </properties>
+    <body>
+        <section name="Architecture Overview">
+            <p>
+                Jetspeed 2 security leverages J2EE authentication and authorization standards for both authentication 
+                and authorization through the implementation of a default <code>LoginModule</code> and a default authorization
+                <code>Policy</code>.
+            </p>
+            <p>
+                Authentication establishes the identity of the user and populates the <code>Subject</code> with all
+                the user principals.  In a portal context, the populated <code>Subject</code> is added to the session
+                in the <code>org.apache.jetspeed.security.SecurityValve</code> implementation.  The <code>Subject</code>
+                principals are then used to authorize the user's access to a given resource.  It leverages JAAS authorization
+                by checking the user's permission with the
+                <a href="http://java.sun.com/j2se/1.4.2/docs/api/java/security/AccessController.html">AccessController</a>.  More details
+                on authorization are provided in the <a href="atz-jaas.html">JAAS authorization section</a> of this documentation.
+            </p>
+        </section>
+        <section name="Authentication Architecture Overview">
+            <p>
+                For authentication, Jetspeed 2 leverages Java 
+                <a href="http://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/spi/LoginModule.html">LoginModule</a> 
+                architecture.  It provides a <a href="login-module.html">DefaultLoginModule</a> implementation and a
+                flexible architecture to be able to authenticate user against multiple user repositories and provide user
+                management capabilities across those repository.  A <code>UserManager</code> provides a set of coarsed
+                services for authenticating and managing users.  The class diagram below illustrates how the 
+                <code>UserManager</code> provides authentication to the <code>DefaultLoginModule</code> and leverages the
+                SPI to interact with various implementation and user stores.
+            </p>
+            <p>
+                <img src="images/atn-arch-c.gif" border="0" />
+            </p>
+            <p>
+                The various components described above fulfill the following functions:
+                <table>
+                    <tr>
+                        <th>Component</th>
+                        <th>Description</th>
+                    </tr>
+                    <tr>
+                        <td><code>DefaultLoginModule</code></td>
+                        <td>Jetspeed 2 default <a href="login-module.html">LoginModule</a> implementation which
+                        leverages the <code>authenticate()</code> method of the <code>UserManager</code> to provide
+                        authentication against the various <code>AuthenticationProvider</code> implementation currently
+                        configured.</td>
+                    </tr>
+                    <tr>
+                        <td><code>UserManager</code></td>
+                        <td>Coarsed service providing authentication and user management.  The <code>UserManager</code>code>
+                        leverages the various <code>AuthenticationProvider</code> implementations exposed to it through
+                        the <code>AuthenticationProviderProxy</code> through the <code>SecurityProvider</code>.
+                        </td>
+                    </tr>
+                    <tr>
+                        <td><code>SecurityProvider</code></td>
+                        <td>Provides access to the security providers exposing SPI implementation to the coarsed security
+                        services.
+                        </td>
+                    </tr>
+                    <tr>
+                        <td><code>AuthenticationProviderProxy</code></td>
+                        <td>A proxy to the various <code>AuthenticationProvider</code> implementations.  The <code>AuthenticationProviderProxy</code>
+                        is responsible of invoking the correct <code>AuthenticationProvider</code> to authenticate or manage
+                        a specific user against a specific data store.</td>
+                    </tr>
+                </table>
+            </p>
+        </section>
+
+    </body>
+</document>
\ No newline at end of file
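Review bot: The UserManager row of the component table has a stray `code>` after the closing tag in `The <code>UserManager</code>code>`, which the renderer will emit as literal text; it should read `The <code>UserManager</code>`. The `<table>` is also nested inside a `<p>`, which makes that paragraph mixed content; moving the table out of the `<p>` keeps the xdoc structure element-only. Throughout the table "coarsed" reads as "coarse-grained".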

Added: portals/jetspeed-2/trunk/components/security/xdocs/atn-spi.xml
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/security/xdocs/atn-spi.xml?rev=224480&view=auto
==============================================================================
--- portals/jetspeed-2/trunk/components/security/xdocs/atn-spi.xml (added)
+++ portals/jetspeed-2/trunk/components/security/xdocs/atn-spi.xml Sat Jul 23 10:12:17 2005
@@ -0,0 +1,29 @@
+<?xml version="1.0"?>
+<!--
+    Copyright 2004 The Apache Software Foundation
+    
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+    
+    http://www.apache.org/licenses/LICENSE-2.0
+    
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<document>
+    <properties>
+        <title>Jetspeed 2 Security - Authentication SPI</title>
+        <authors>
+            <person name="David Le Strat" email="dlestrat@apache.org" />
+        </authors>
+    </properties>
+    <body>
+        <section name="Authentication SPI Overview">            
+        </section>
+
+    </body>
+</document>
\ No newline at end of file

Added: portals/jetspeed-2/trunk/components/security/xdocs/atn.xml
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/security/xdocs/atn.xml?rev=224480&view=auto
==============================================================================
--- portals/jetspeed-2/trunk/components/security/xdocs/atn.xml (added)
+++ portals/jetspeed-2/trunk/components/security/xdocs/atn.xml Sat Jul 23 10:12:17 2005
@@ -0,0 +1,29 @@
+<?xml version="1.0"?>
+<!--
+    Copyright 2004 The Apache Software Foundation
+    
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+    
+    http://www.apache.org/licenses/LICENSE-2.0
+    
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<document>
+    <properties>
+        <title>Jetspeed 2 Security - Login Module</title>
+        <authors>
+            <person name="David Le Strat" email="dlestrat@apache.org" />
+        </authors>
+    </properties>
+    <body>
+        <section name="Authentication Overview">            
+        </section>
+
+    </body>
+</document>
\ No newline at end of file
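Review bot: The `<title>Jetspeed 2 Security - Login Module</title>` line does not describe this page, whose only section is "Authentication Overview"; the same copied title appears in atz-jaas.xml (JAAS authorization) and atz.xml (authorization overview). Suggest `<title>Jetspeed 2 Security - Authentication</title>` here and page-specific titles in the other two files.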

Added: portals/jetspeed-2/trunk/components/security/xdocs/atz-jaas.xml
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/security/xdocs/atz-jaas.xml?rev=224480&view=auto
==============================================================================
--- portals/jetspeed-2/trunk/components/security/xdocs/atz-jaas.xml (added)
+++ portals/jetspeed-2/trunk/components/security/xdocs/atz-jaas.xml Sat Jul 23 10:12:17 2005
@@ -0,0 +1,106 @@
+<?xml version="1.0"?>
+<!--
+    Copyright 2004 The Apache Software Foundation
+    
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+    
+    http://www.apache.org/licenses/LICENSE-2.0
+    
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<document>
+    <properties>
+        <title>Jetspeed 2 Security - Login Module</title>
+        <authors>
+            <person name="David Le Strat" email="dlestrat@apache.org" />
+        </authors>
+    </properties>
+    <body>
+        <section name="Overview of JAAS Authorization">
+            <p>
+                A good overview of JAAS authorization is provided on 
+                <a href="http://java.sun.com/j2se/1.4.2/docs/guide/security/spec/security-spec.doc2.html">Sun's web site</a>.
+                At a high level, JAAS authorization leverages:
+                <ul>
+                    <li><a href="http://java.sun.com/j2se/1.4.2/docs/api/java/security/Permission.html">Permission</a>
+                    that associates actions to resources.</li>
+                    <li><a href="http://java.sun.com/j2se/1.4.2/docs/api/java/security/Principal.html">Principal</a>
+                    that represents an entity in the system.  In Jetspeed 2, 3 principals are used to represent users,
+                    roles and groups.</li>
+                    <li><a href="http://java.sun.com/j2se/1.4.2/docs/api/java/security/Policy.html">Policy</a>
+                    that associates principals to permissions.</li>
+                </ul>
+            </p>   
+            <p>
+                Jetspeed 2 provides a custom policy implemention that allow the portal to secure resources as follow:
+                <source><![CDATA[
+grant principal o.a.j.security.UserPrincipal "theUserPrincipal" {
+  permission o.a.j.security.PagePermission "mypage", "view";
+  permission o.a.j.security.PortletPermission "myportlet", "view,edit,minimize,maximize";
+  permission o.a.j.security.TabPermission "mytab", "view";
+};
+
+grant principal o.a.j.security.RolePrincipal "theRolePrincipal" {
+  permission o.a.j.security.PagePermission "mypage", "view";
+  permission o.a.j.security.PortletPermission "myportlet", "view,edit,minimize,maximize";
+  permission o.a.j.security.TabPermission "mytab", "view";
+};   
+
+grant principal o.a.j.security.GroupPrincipal "theGroupPrincipal" {
+  permission o.a.j.security.PagePermission "mypage", "view";
+  permission o.a.j.security.PortletPermission "myportlet", "view,edit,minimize,maximize";
+  permission o.a.j.security.TabPermission "mytab", "view";
+};]]>
+                </source>
+            </p> 
+            <p>
+                The custom security policy provides a <code>java.security.Policy</code> implementation that
+                stores the association between principals and permissions in a relational database as opposed to
+                leveraging the default JDK policy.  In the case of Sun's JDK, the default policy is 
+                <a href="http://java.sun.com/j2se/1.4.2/docs/guide/security/PolicyFiles.html#DefaultImpl">sun.security.provider.PolicyFile</a>
+                a file based policy.
+            </p>
+            <p>
+                In the code sample above, the <code>UserPrincipal</code> identify with the <code>Principal.getName()</code> 
+                &quot;theUserPrincipal&quot; has permission to &quot;view&quot; the page called &quot;mypage&quot;, to
+                &quot;view,edit,minimize,maximize&quot; the portlet portlet called &quot;myportlet&quot;      
+            </p>
+        </section>
+        <section name="Jetspeed JAAS Policy">
+            <p>
+                The <code>RdbmsPolicy</code> implements <code>java.security.Policy</code>.  It leverages the 
+                <code>PermissionManager</code> to get the permissions associated with a given <code>Subject</code>
+                principals.
+                <source><![CDATA[
+pms.getPermissions(user.getPrincipals());
+                ]]></source>
+                The class diagram below illustrate the association between the <code>RdbmsPolicy</code> and 
+                the <code>PermissionManager</code>.
+            </p>
+            <p>
+                A good article on custom policies implementation is available on 
+                <a href="http://www-106.ibm.com/developerworks/library/j-jaas/?n-j-442">IBM web site</a>.
+            </p>
+            <p>
+                <img src="images/rdbms-policy-c.gif" border="0"/>
+            </p>
+            <p>
+                To get more detail about the implementation of the <code>PermissionManager</code>, see 
+                <a href="permission.html">Permissions and Authorization Policies</a>.
+            </p>
+            <p>
+                <u>Note:</u> The current <code>RdbmsPolicy</code> manages the policies to apply.  It applies <code>RdbmsPolicy</code>
+                in conjunction with the default policy configured in the runtime environment. 
+                Jetspeed 2 should explore providing
+                <a href="http://java.sun.com/j2ee/javaacc/index.html">JACC</a> adapters for its custom policy for
+                specific application servers.
+            </p>
+        </section>
+    </body>
+</document>
\ No newline at end of file
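Review bot: The closing note states that RdbmsPolicy is applied "in conjunction with the default policy configured in the runtime environment" but never says how the two decisions combine, which is exactly what a reader needs in order to reason about the effective grants. If a permission implied by either policy suffices (as the wording suggests, though the policy code is outside this hunk), the note should say so explicitly, e.g. `Access is granted when either RdbmsPolicy or the default JDK policy implies the requested permission, so grants in the runtime policy file remain in effect.` Separately, the walk-through paragraph ends mid-sentence at `the portlet portlet called &quot;myportlet&quot;` and skips the TabPermission line of the sample; finishing it with `and to &quot;view&quot; the tab called &quot;mytab&quot;.` keeps it aligned with the sample above.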

Added: portals/jetspeed-2/trunk/components/security/xdocs/atz.xml
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/security/xdocs/atz.xml?rev=224480&view=auto
==============================================================================
--- portals/jetspeed-2/trunk/components/security/xdocs/atz.xml (added)
+++ portals/jetspeed-2/trunk/components/security/xdocs/atz.xml Sat Jul 23 10:12:17 2005
@@ -0,0 +1,29 @@
+<?xml version="1.0"?>
+<!--
+    Copyright 2004 The Apache Software Foundation
+    
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+    
+    http://www.apache.org/licenses/LICENSE-2.0
+    
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<document>
+    <properties>
+        <title>Jetspeed 2 Security - Login Module</title>
+        <authors>
+            <person name="David Le Strat" email="dlestrat@apache.org" />
+        </authors>
+    </properties>
+    <body>
+        <section name="Authorization Overview">       
+        </section>
+
+    </body>
+</document>
\ No newline at end of file

Added: portals/jetspeed-2/trunk/components/security/xdocs/images/atn-arch-c.gif
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/security/xdocs/images/atn-arch-c.gif?rev=224480&view=auto
==============================================================================
Binary file - no diff available.

Propchange: portals/jetspeed-2/trunk/components/security/xdocs/images/atn-arch-c.gif
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Added: portals/jetspeed-2/trunk/components/security/xdocs/images/atn-provider-c.gif
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/security/xdocs/images/atn-provider-c.gif?rev=224480&view=auto
==============================================================================
Binary file - no diff available.

Propchange: portals/jetspeed-2/trunk/components/security/xdocs/images/atn-provider-c.gif
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Added: portals/jetspeed-2/trunk/components/security/xdocs/images/atn-spi-arch-c.gif
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/security/xdocs/images/atn-spi-arch-c.gif?rev=224480&view=auto
==============================================================================
Binary file - no diff available.

Propchange: portals/jetspeed-2/trunk/components/security/xdocs/images/atn-spi-arch-c.gif
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Added: portals/jetspeed-2/trunk/components/security/xdocs/images/atz-provider-c.gif
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/security/xdocs/images/atz-provider-c.gif?rev=224480&view=auto
==============================================================================
Binary file - no diff available.

Propchange: portals/jetspeed-2/trunk/components/security/xdocs/images/atz-provider-c.gif
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Added: portals/jetspeed-2/trunk/components/security/xdocs/images/default-login-module-c.gif
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/security/xdocs/images/default-login-module-c.gif?rev=224480&view=auto
==============================================================================
Binary file - no diff available.

Propchange: portals/jetspeed-2/trunk/components/security/xdocs/images/default-login-module-c.gif
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Added: portals/jetspeed-2/trunk/components/security/xdocs/images/rdbms-policy-c.gif
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/security/xdocs/images/rdbms-policy-c.gif?rev=224480&view=auto
==============================================================================
Binary file - no diff available.

Propchange: portals/jetspeed-2/trunk/components/security/xdocs/images/rdbms-policy-c.gif
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Added: portals/jetspeed-2/trunk/components/security/xdocs/images/security-provider-c.gif
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/security/xdocs/images/security-provider-c.gif?rev=224480&view=auto
==============================================================================
Binary file - no diff available.

Propchange: portals/jetspeed-2/trunk/components/security/xdocs/images/security-provider-c.gif
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Modified: portals/jetspeed-2/trunk/components/security/xdocs/index.xml
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/security/xdocs/index.xml?rev=224480&r1=224479&r2=224480&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/components/security/xdocs/index.xml (original)
+++ portals/jetspeed-2/trunk/components/security/xdocs/index.xml Sat Jul 23 10:12:17 2005
@@ -1,118 +1,118 @@
 <?xml version="1.0"?>
 <!--
-Copyright 2004 The Apache Software Foundation
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
+    Copyright 2004 The Apache Software Foundation
+    
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+    
     http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+    
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
 -->
 <document>
-<properties>
-	<title>Jetspeed 2 Security Architecture</title>
-    <authors>
-      <person name="David Le Strat" email="dlestrat@apache.org"/>
-    </authors>
-</properties>
-<body>
-<section name="Overview">
-<p>
-Jetspeed 2 security architecture provides a comprehensive suite of security services
-that can be used to protect a wide ranging type of portal resources.  At its core, Jetspeed 2
-security services rely entirely on JAAS to provide authentication and authorization services to
-the portal:
-</p>
-<ul>
-<li>
-Authentication services are implemented through the use of JAAS login modules.
-</li>
-<li>
-Authorization services are implemented through the use of custom JAAS policies.
-</li>
-</ul>
-<p>
-Both authentication and authorization services have been implemented with the goal of providing a direct
-plugin to the underlying application server security framework.  Jetspeed 2 can leverage the underlying
-application server login module as well as through the use of JACC, the application server policy management
-capabilities available in J2EE 1.4 (see <a href="http://java.sun.com/j2ee/javaacc/">API Specifications</a>).
-</p>
-</section>
-<section name="Jetspeed 2 Security Service">
-<p>
-JAAS defines the contract for authentication and authorization but does not specify any guidelines for the management
-of the security resources.  Jetspeed 2 provide a modular set of components aims at providing management functionality
-for the portal security components.
-</p>
-<p>
-Leveraging Jetspeed 2 component, architecture, the security services provide a set of loosely coupled components providing
-specialized services:
-</p>
-<ul>
-<li>
-UserManager: Service providing user management capabilities.
-</li>
-<li>
-GroupManager: Service providing group management capabilities.
-</li>
-<li>
-RoleManager: Service providing role management capabilities.
-</li>
-<li>
-PermissionManager: Service providing permission management capabilities.
-</li>
-</ul>
-</section>
-<section name="A Modular and Pluggable Architecture">
-<p><img src="images/components.jpg" align="right" border="0" hspace="1" vspace="2"/>
-Jetspeed 2 security services are founded on a set of modular and extensible security modules exposed through an SPI model.
-The SPI model provides the ability to modify the behavior of the security services through the modification and configuration
-of specialized handlers.  For instance, Jetspeed security services can be configured to retrieve user security principals through
-the default Jetspeed store or through an LDAP store or both.<br/>
-A <code>SecurityProvider</code> exposes the configured SPI handlers to the security services.  Jetspeed component assembly 
-(based on Spring) architecture provides an easy way to reconfigure the security services to satisfy the needs of a 
-specific implementation.
-</p>
-</section>
-<section name="Role Based Access Control">
-<p>
-Role based access control (RBAC) in Jetspeed 2 support multiple hierarchy resolution strategies as defined in 
-<a href="http://www.doc.ic.ac.uk/~ecl1/papers/rbac99.pdf">The Uses of Hierarchy in Access Control</a>.  Two hierarchy resolution
-strategies are supported for authorization decisions:
-</p>
-<ul>
-<li>
-Hierarchy resolution by Generalization: This is the default hierarchy resolution in Jetspeed.  If a hierarchy uses a
-generalization strategy, each role is more general than the previous one.  For instance, if a user has the role
-[roleA.roleB.roleC] then <code>user.getSubject().getPrincipals()</code> returns:
-<ul>
-<li>/role/roleA</li>
-<li>/role/roleA/roleB</li>
-<li>/role/roleA/roleB/roleC</li>
-</ul>
-</li>
-<li>
-Hierarchy resolution by Aggregation: If a hierarchy uses a aggregation strategy, the higher role is responsible for 
-a superset of the activities of the lower role.  For instance, if the following roles are available:
-<ul>
-<li>roleA</li>
-<li>roleA.roleB</li>
-<li>roleA.roleB.roleC</li>
-</ul>
-If a user has the role [roleA] then, <code>user.getSubject().getPrincipals()</code> returns:
-<ul>
-<li>/role/roleA</li>
-<li>/role/roleA/roleB</li>
-<li>/role/roleA/roleB/roleC</li>
-</ul>
-</li>
-</ul>
-</section>
-</body>
+    <properties>
+        <title>Jetspeed 2 Security Architecture</title>
+        <authors>
+            <person name="David Le Strat" email="dlestrat@apache.org" />
+        </authors>
+    </properties>
+    <body>
+        <section name="Overview">
+            <p>
+                Jetspeed 2 security architecture provides a comprehensive suite of security services that can be used to protect a wide ranging type of portal
+                resources. The security service implementation is fairly independent of the other portal services and 
+                can be reused outside of the portal application.  At its core, Jetspeed 2 security services rely entirely 
+                on JAAS to provide authentication and authorization services to the portal:
+            </p>
+            <ul>
+                <li>Authentication services are implemented through the use of JAAS login modules.</li>
+                <li>Authorization services are implemented through the use of custom JAAS policies.</li>
+            </ul>
+            <p>
+                Both authentication and authorization services have been implemented with the goal of providing a direct plugin to the underlying application
+                server security framework. Jetspeed 2 can leverage the underlying application server login module as well as through the use of JACC, the
+                application server policy management capabilities available in J2EE 1.4 (see
+                <a href="http://java.sun.com/j2ee/javaacc/">API Specifications</a>
+                ).
+            </p>
+        </section>
+        <section name="Jetspeed 2 Security Services">
+            <p>
+                JAAS defines the contract for authentication and authorization but does not specify any guidelines for the management of the security resources.
+                Jetspeed 2 provide a modular set of components aims at providing management functionality for the portal security components.
+            </p>
+            <p>
+                Leveraging Jetspeed 2 component, architecture, the security services provide a set of loosely coupled components providing specialized services:
+            </p>
+            <ul>
+                <li>UserManager: Service providing user management capabilities.</li>
+                <li>GroupManager: Service providing group management capabilities.</li>
+                <li>RoleManager: Service providing role management capabilities.</li>
+                <li>PermissionManager: Service providing permission management capabilities.</li>
+            </ul>
+        </section>
+        <section name="A Modular and Pluggable Architecture">
+            <p>
+                Jetspeed 2 security components are assembled using
+                <a href="http://martinfowler.com/articles/injection.html">Dependency Injection</a>
+                . By default, Jetspeed uses the
+                <a href="http://www.springframework.org">Spring Framework</a>
+                as its default IoC container.
+            </p>
+            <p>
+                <img src="images/components.jpg" align="right" border="0" hspace="1" vspace="2" />
+                Jetspeed 2 security services are founded on a set of modular and extensible security modules exposed through an SPI model. The SPI model
+                provides the ability to modify the behavior of the security services through the modification and configuration of specialized handlers. For
+                instance, Jetspeed security services can be configured to retrieve user security principals through the default Jetspeed store or through an
+                LDAP store or both.
+                <br />
+                A
+                <code>SecurityProvider</code>
+                exposes the configured SPI handlers to the security services. Jetspeed component assembly (based on Spring) architecture provides an easy way to
+                reconfigure the security services to satisfy the needs of a specific implementation.
+            </p>
+        </section>
+        <section name="Role Based Access Control">
+            <p>
+                Role based access control (RBAC) in Jetspeed 2 support multiple hierarchy resolution strategies as defined in
+                <a href="http://www.doc.ic.ac.uk/~ecl1/papers/rbac99.pdf">The Uses of Hierarchy in Access Control</a>
+                . Two hierarchy resolution strategies are supported for authorization decisions:
+            </p>
+            <ul>
+                <li>
+                    Hierarchy resolution by Generalization: This is the default hierarchy resolution in Jetspeed. If a hierarchy uses a generalization strategy,
+                    each role is more general than the previous one. For instance, if a user has the role [roleA.roleB.roleC] then
+                    <code>user.getSubject().getPrincipals()</code>
+                    returns:
+                    <ul>
+                        <li>/role/roleA</li>
+                        <li>/role/roleA/roleB</li>
+                        <li>/role/roleA/roleB/roleC</li>
+                    </ul>
+                </li>
+                <li>
+                    Hierarchy resolution by Aggregation: If a hierarchy uses a aggregation strategy, the higher role is responsible for a superset of the
+                    activities of the lower role. For instance, if the following roles are available:
+                    <ul>
+                        <li>roleA</li>
+                        <li>roleA.roleB</li>
+                        <li>roleA.roleB.roleC</li>
+                    </ul>
+                    If a user has the role [roleA] then,
+                    <code>user.getSubject().getPrincipals()</code>
+                    returns:
+                    <ul>
+                        <li>/role/roleA</li>
+                        <li>/role/roleA/roleB</li>
+                        <li>/role/roleA/roleB/roleC</li>
+                    </ul>
+                </li>
+            </ul>
+        </section>
+    </body>
 </document>

Added: portals/jetspeed-2/trunk/components/security/xdocs/login-module.xml
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/security/xdocs/login-module.xml?rev=224480&view=auto
==============================================================================
--- portals/jetspeed-2/trunk/components/security/xdocs/login-module.xml (added)
+++ portals/jetspeed-2/trunk/components/security/xdocs/login-module.xml Sat Jul 23 10:12:17 2005
@@ -0,0 +1,154 @@
+<?xml version="1.0"?>
+<!--
+    Copyright 2004 The Apache Software Foundation
+    
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+    
+    http://www.apache.org/licenses/LICENSE-2.0
+    
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<document>
+    <properties>
+        <title>Jetspeed 2 Security - Login Module</title>
+        <authors>
+            <person name="David Le Strat" email="dlestrat@apache.org" />
+        </authors>
+    </properties>
+    <body>
+        <section name="Login Module Overview">
+            <p>
+                For authentication purpose, Jetspeed 2 provide a default login module implementation. Login modules provide a standard way to expose
+                authentication services for java application. More information about login modules can be found in the JDK
+                <a href="http://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/spi/LoginModule.html">LoginModule interface</a>
+                documentation.
+            </p>
+        </section>
+        <section name="Login Module Configuration">
+            <p>
+                Configuration is central to JAAS authentication. By default, Jetspeed 2 is configured to use its
+                <code>DefaultLoginModule</code>
+                implementation. The configuration file (login.conf) for the login module ship with the
+                <code>jetspeed2-security-{version}.jar</code>
+                component and provide the following configuration:
+                <source>
+                    <![CDATA[
+Jetspeed {
+   org.apache.jetspeed.security.impl.DefaultLoginModule required;
+};]]>
+                </source>
+            </p>
+            <p>
+                In order to override this configuration, you can place your own login.conf file in your web application class path under WEB-INF/classes. The
+                location of the login.conf file is configured in the
+                <code>security-providers.xml</code>
+                as described below. For more information on how to configure the security providers, see
+                <a href="config.html">the configuration section</a>.
+            </p>
+            <p>
+                <source>
+                    <![CDATA[
+<!-- Security: Default Authentication Provider -->
+<bean id="org.apache.jetspeed.security.AuthenticationProvider" 
+  	  class="org.apache.jetspeed.security.impl.AuthenticationProviderImpl"
+>  	   
+    <constructor-arg index="0"><value>DefaultAuthenticator</value></constructor-arg>
+  	<constructor-arg index="1"><value>The default authenticator</value></constructor-arg>
+  	<constructor-arg index="2"><value>login.conf</value></constructor-arg>
+  	<constructor-arg index="3">
+  	    <ref bean="org.apache.jetspeed.security.spi.CredentialHandler"/>
+  	</constructor-arg>
+  	<constructor-arg index="4">
+  	    <ref bean="org.apache.jetspeed.security.spi.UserSecurityHandler"/>
+    </constructor-arg>
+</bean>]]>
+                </source>
+            </p>
+            <p>
+                The <code>AuthenticationProvider</code> configures the <code>LoginModule</code> to be used by the
+                application by setting the System property <code>java.security.auth.login.config</code> to the 
+                <code>login.conf</code> specified in the component configuration.
+            </p>
+        </section>
+        <section name="Login Module Implementation">
+            <p>
+                The
+                <code>DefaultLoginModule</code>
+                implementation is illustrated by the class diagram below:
+                <br />
+            </p>
+            <table>
+                <tr>
+                    <td style="background-color:#FFFFFF;" align="center">
+                        <img src="images/default-login-module-c.gif" border="0" />
+                    </td>
+                </tr>
+            </table>
+            <p>
+                The roles of the classes used to implement the DefaultLoginModule are:
+            </p>
+            <table>
+                <tr>
+                    <th>Class</th>
+                    <th>Description</th>
+                </tr>
+                <tr>
+                    <td><code>org.apache.jetspeed.security.impl.DefaultLoginModule</code></td>
+                    <td>
+                        The
+                        <code>javax.security.auth.spi.LoginModule</code>
+                        implementation. The
+                        <code>DefaultLoginModule</code>
+                        authentication decision is encapsulated behind the
+                        <code>UserManager</code>
+                        interface which leverages the SPI implementation to decide which authenticator should be used in order to authenticate a user against a
+                        specific system of record. For more information on how to implement your own authenticator, see the
+                        <a href="atn-spi.html">authentication SPI documentation</a>.
+                    </td>
+                </tr>
+                <tr>
+                    <td><code>org.apache.jetspeed.security.LoginModuleProxy</code></td>
+                    <td>
+                        A utility component used to expose the
+                        <code>UserManager</code>
+                        to the
+                        <code>DefaultLoginModule</code>.
+                    </td>
+                </tr>
+                <tr>
+                    <td><code>org.apache.jetspeed.security.User</code></td>
+                    <td>
+                        The
+                        <code>User</code>
+                        is an interface that holds the
+                        <code>javax.security.auth.Subject</code>
+                        and his/her
+                        <code>java.util.prefs.Preferences</code>. The
+                        <code>UserManager</code>
+                        upon user authentication populates the user subject with all user
+                        <code>java.security.Principal</code>. Jetspeed 2 implements 3 types of principals:
+                        <ul>
+                            <li>UserPrincipal: The principal holding the user unique identifier for the application.</li>
+                            <li>RolePrincipal: The principal representing a role for the system.</li>
+                            <li>GroupPrincipal: The principal representing a group for the system.</li>
+                        </ul>
+                    </td>
+                </tr>
+                <tr>
+                    <td><code>org.apache.jetspeed.security.UserManager</code></td>
+                    <td>
+                        The interface exposing all user operations. This interfaces fronts the aggregates various SPI to provide developers with the ability to
+                        map users to their specific system of record.
+                    </td>
+                </tr>
+            </table>
+        </section>
+
+    </body>
+</document>
\ No newline at end of file

Modified: portals/jetspeed-2/trunk/components/security/xdocs/navigation.xml
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/security/xdocs/navigation.xml?rev=224480&r1=224479&r2=224480&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/components/security/xdocs/navigation.xml (original)
+++ portals/jetspeed-2/trunk/components/security/xdocs/navigation.xml Sat Jul 23 10:12:17 2005
@@ -1,34 +1,40 @@
 <?xml version="1.0" encoding="ISO-8859-1"?>
 <!--
-Copyright 2004 The Apache Software Foundation
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
+    Copyright 2004 The Apache Software Foundation
+    
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+    
     http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+    
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
 -->
 <project>
-  <body>
-    <links>
-      <item name="Jetspeed 2" href="../../index.html"/>
-    </links>
-    <menu name="Jetspeed 2 Security Documentation">
-      <item name="Overview" href="index.html"/>
-      <item name="Authentication" href="#"/>
-      <item name="Authorization Security Services" href="#"/>
-      <item name="Aggregate Security Services" href="#"/>
-      <item name="SPI Architecture" href="#"/>
-      <item name="Security Services Configuration" href="config.html"/>
-    </menu>
-    <menu name="Misc.">
-      <item name="Tasks" href="tasks.html"/>
-    </menu>
-  </body>
+    <body>
+        <links>
+            <item name="Jetspeed 2" href="../../index.html" />
+        </links>
+        <menu name="Jetspeed 2 Security Documentation">
+            <item name="Overview" href="index.html" />
+            <item name="Architecture Overview" href="arch.html"/>
+            <item name="Authentication" href="atn.html">
+                <item name="Login Module" href="login-module.html" />
+                <item name="Authentication SPI" href="atn-spi.html"/>
+            </item>
+            <item name="Authorization" href="atz.html">
+                <item name="JAAS Authorization" href="atz-jaas.html"/>
+                <item name="Permissions and Authorization Policies" href="permission.html"/>
+            </item>
+            <item name="Aggregate Security Services" href="#" />
+            <item name="Security Services Configuration" href="config.html" />
+        </menu>
+        <menu name="Misc.">
+            <item name="Tasks" href="tasks.html" />
+        </menu>
+    </body>
 </project>

Added: portals/jetspeed-2/trunk/components/security/xdocs/permission.xml
URL: http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/security/xdocs/permission.xml?rev=224480&view=auto
==============================================================================
--- portals/jetspeed-2/trunk/components/security/xdocs/permission.xml (added)
+++ portals/jetspeed-2/trunk/components/security/xdocs/permission.xml Sat Jul 23 10:12:17 2005
@@ -0,0 +1,29 @@
+<?xml version="1.0"?>
+<!--
+    Copyright 2004 The Apache Software Foundation
+    
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+    
+    http://www.apache.org/licenses/LICENSE-2.0
+    
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<document>
+    <properties>
+        <title>Jetspeed 2 Security - Permissions and Authorization Policies</title>
+        <authors>
+            <person name="David Le Strat" email="dlestrat@apache.org" />
+        </authors>
+    </properties>
+    <body>
+        <section name="Permissions and Authorization Policies Overview">            
+        </section>
+
+    </body>
+</document>
\ No newline at end of file




