portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From tay...@apache.org
Subject svn commit: r711543 - in /portals/jetspeed-2/portal/trunk/src/site: resources/images/extending-organization.jpg site.xml xdoc/new-security.xml
Date Wed, 05 Nov 2008 09:40:30 GMT
Author: taylor
Date: Wed Nov  5 01:40:29 2008
New Revision: 711543

URL: http://svn.apache.org/viewvc?rev=711543&view=rev
new security documentation, Dennis wrote this and I converted it to xdoc

 (with props)

Added: portals/jetspeed-2/portal/trunk/src/site/resources/images/extending-organization.jpg
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/src/site/resources/images/extending-organization.jpg?rev=711543&view=auto
Binary file - no diff available.

Propchange: portals/jetspeed-2/portal/trunk/src/site/resources/images/extending-organization.jpg
    svn:mime-type = application/octet-stream

Modified: portals/jetspeed-2/portal/trunk/src/site/site.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/src/site/site.xml?rev=711543&r1=711542&r2=711543&view=diff
--- portals/jetspeed-2/portal/trunk/src/site/site.xml (original)
+++ portals/jetspeed-2/portal/trunk/src/site/site.xml Wed Nov  5 01:40:29 2008
@@ -30,10 +30,10 @@
-      <item name="Jetspeed-1" href="http://portals.apache.org/jetspeed-1" target="_nw"/>
-      <item name="Jetspeed-2.1.3" href="http://portals.apache.org/jetspeed-2/jetspeed-2.1.3"
-      <item name="Jetspeed-2" href="http://portals.apache.org/jetspeed-2" target="_nw"/>
-      <item name="Bridges" href="http://portals.apache.org/bridges" target="_nw"/>
+      <item name="Applications" href="http://portals.apache.org/applications/" target="_nw"/>
+      <item name="Jetspeed-2.1.3" href="http://portals.apache.org/jetspeed-2.1.3/" target="_nw"/>
+      <item name="Jetspeed-2" href="http://portals.apache.org/jetspeed-2/" target="_nw"/>
+      <item name="Bridges" href="http://portals.apache.org/bridges/" target="_nw"/>
       <!-- TODO: During build, pdf docs need to be generated. 
       <item name="PDF Documentation" href="/jetspeed2.pdf" img="images/pdf.gif" />
@@ -57,9 +57,10 @@
     <menu name="Documentation">
         <item name="Documentation Guides" href="guides/index.html" />
+        <item name="New Security for 2.2" href="new-security.html"/>
         <item name="Jetspeed Tutorial - Maven-2 Custom Build" href="http://portals.apache.org/tutorials/jetspeed-2/"
         <item name="Jetspeed Tutorial - Ant Custom Build (incomplete)" href="http://portals.apache.org/tutorials/jetspeed-2-ant/"
-        <item name="Jetspeed-2 API" href="http://portals.apache.org/jetspeed-2/multiproject/jetspeed-api/apidocs/index.html"
+        <item name="Jetspeed-2 API" href="http://portals.apache.org/jetspeed-2/apidocs/index.html"
     <menu name="About Jetspeed-2">
         <item name="For Jetspeed-1 Users" href="j1-users.html" />

Added: portals/jetspeed-2/portal/trunk/src/site/xdoc/new-security.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/src/site/xdoc/new-security.xml?rev=711543&view=auto
--- portals/jetspeed-2/portal/trunk/src/site/xdoc/new-security.xml (added)
+++ portals/jetspeed-2/portal/trunk/src/site/xdoc/new-security.xml Wed Nov  5 01:40:29 2008
@@ -0,0 +1,158 @@
+<?xml version="1.0"?>
+	Licensed to the Apache Software Foundation (ASF) under one or more
+	contributor license agreements.  See the NOTICE file distributed with
+	this work for additional information regarding copyright ownership.
+	The ASF licenses this file to You under the Apache License, Version 2.0
+	(the "License"); you may not use this file except in compliance with
+	the License.  You may obtain a copy of the License at
+	http://www.apache.org/licenses/LICENSE-2.0
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	See the License for the specific language governing permissions and
+	limitations under the License.
+	<properties>
+		<title>Security 2.2</title>
+		<subtitle>New Security in Version 2.2</subtitle>
+		<authors>
+			<person name="Dennis Dam" email="d.dam@onehippo.com" />
+			<person name="David Sean Taylor" email="taylor@apache.org" />
+		</authors>
+	</properties>
+	<body>
+		<section name="Jetspeed Security Framework">
+			<subsection name="Key Concepts: Subjects, Principals, Credentials">
+			<p>
+Jetspeed supports Subject-based security as defined by JAAS (Java Authentication and Authorization
+A subject is an aggregation of security information for a security entity, like a person.

+A subject can have several identities, also called principals. For example, a user logging
into a 
+Jetspeed portal is associated with one Subject, which contains a user principal, zero or
more role principals, zero or more group principals, etc. 
+Each principal can be associated with a set of permissions that allow the user to perform
certain actions, like accessing a page, updating secured objects, etc. 
+Finally, user principals in Jetspeed can be associated with a credential. A credential is,
simply put, a username / password combination.			
+			</p>
+			</subsection>
+			<subsection name="Jetspeed Security Component">
+			<p>
+All the security identity information above is managed by the Jetspeed Security Component.
The Jetspeed Security Component provides a mechanism to access and update principal,
+ credential and permission data. When a user is authenticated in Jetspeed, a user principal
is resolved for that user, based on the credentials that the user provided on login. 
+ A user principal can then be associated with several other principals, which can be of the
same (user principal) or different type (e.g. role, group, ..). 
+ Principals are resolved in a nested manner, which means that each principal that is associated
with the user principal can also be associated with other principals, 
+ which can in turn be associated with other principals, etc. The final collection of principals
found in this way is aggregated and attached to the Subject that is 
+ resolved for the authenticated user. The Subject is used throughout Jetspeed for security
purposed and can also be used by portlet applications to secure custom objects 
+ using standard JAAS API.			
+			</p>
+			</subsection>
+			<subsection name="Pluggable Security Architecture: Adapting to Different Security Models">
+			<p>
+Every project usually requires different security models, with meaningful relations between
security principals that make sense for that project. 
+Most projects can get away with using standard principal types like users, roles and groups,
with regular associations between those principal types, 
+like a user being a member of a role or group, a group being a member of a role, etc. There
are also projects however, which go beyond that and require 
+new principal types and custom associations between principal types. These projects create
the need for a pluggable security architecture where new principal types
+ and principal associations can be added easily. This is exactly what the Jetspeed Security
Component provides. This is best explained by illustrating 
+ a custom security model, where a user is related to an organization. Jetspeed contains built-in
support for users, groups and roles and associations between those, 
+ but not for organizations and associations between users and organizations. To achieve that
though, the following changes can be made to plugin organizations:
+			</p>
+<li>create a new class "Organization", implementing JetspeedPrincipal</li>
+<li>implement an OrganizationManager, based on the BaseJetspeedPrincipalManager.</li>

+<li>configure an "isMemberOf" association handler between a user and organization principal
+		<p>
+The OrganizationManager is a strongly typed manager with methods for accessing and storing
organizations. The BaseJetspeedPrincipalManager class however, is a weakly typed manager,
+ which only operates on abstract principals. This means that for the most part, the OrganizationManager
class can delegate back to the base class, except for some specific 
+ organization handling and typecasting abstract principals back to organization instances.
+		</p>
+		<p>
+Configuring an association between users and organizations is in this case very simple, because
an "isMemberOf" association handler is provided by default by Jetspeed. 
+Configuring it is a matter of specifying a new instance of that handler and wiring it to
both the UserManager and the OrganizationManager.
+ The custom security model setup is depicted in Figure 1.
+		<img src="images/extending-organization.jpg"/>
+		<i>Figure 1: Extending the security model with organizations</i>		
+		</p>
+			</subsection>
+			<subsection name="Principals and Attributes">
+			<p>
+A Jetspeed principal is basically nothing more than a set of security attributes describing
the principal. 
+The attributes are custom and can differ per project. A user principal for example, can have
contact information attributes.
+ An organization principal (from the example above) can have geographical coordinates of
the office as an attribute. 
+ The set of allowed attributes can be configured through Spring for each principal type.

+ Besides the attributes, a principal also has several constraints in its usage and access
that can be configured, 
+ such as whether the principal is read-only, can be removed, is enabled, etc. 
+			</p>
+			</subsection>
+			<subsection name="Principal Associations">
+			<p>
+A principal association is a relation between two principals, where the relation always has
a direction: it goes from one principal to another. For example,
+ in the relation "user is part of a group", the user is the starting point of the relation
(the from principal) and the group is the ending point of the relation (the to principal).
+  The naming convention using "to" and "from" is used in the Jetspeed Security API. An example
is a method in the JetspeedPrincipalManager interface called getAssociatedTo(..), 
+  which fetches a list of associated principals given the name of a principal representing
the "to" side of the association, and given the type of association. 
+  The list of principals returned represent the "from" principals in the association. Associations
have several characteristics, that influence the creation and deletion of 
+  the principals in the association, or affect the way associations can be made between principals.
The following list contains an overview of these characteristics:
+			</p>
+			<table>
+			<tr>
+			<th>Characteristic</th>
+			<th> Description</th>
+			</tr>
+			<tr>
+			<td>required</td>
+			<td>the "from" principal cannot be created without this association</td>
+			</tr>
+			<tr>
+			<td>dependent</td>
+			<td>the "from" principal will be deleted when the "to" principal is deleted</td>
+			</tr>
+			<tr>
+			<td>singular</td>
+			<td>the "from" principal can be associated from at most once</td>
+			</tr>
+			<tr>
+			<td>dominant</td>
+			<td>the "to" principal can be associated to at most once</td>
+			</tr>
+			</table>
+			<p>
+			All these characteristics are configured for an association through Spring.
+			</p>
+			<p>
+The built-in implementations of associations by Jetspeed are (and should be) independent
of specific principal types. The advantage of that is that associations 
+are pluggable and can be re-used between different pairs of principal types.
+			</p>			
+			</subsection>
+			<subsection name="Storage of Principals and Associations">
+			<p>
+The storage engine of the Jetspeed Security Component uses a database to store and retrieve
security data. By only allowing one type of data store, 
+the storage and retrieval methods used internally by Jetspeed can be optimized and fine-tuned.
An additional advantage is that more complex queries
+ on security data are possible, which would be difficult to achieve if the storage engine
was abstracted in such a way that any data store could be supported.
+ 			</p>
+ 			<p> 
+If the security model in Jetspeed is extended with new principals and/or associations, nothing
has to be changed in database scripts or other code related to database. 
+Jetspeed's generic storage engine will take care of storing and retrieving data.
+Although the storage engine works on top of a database internally, you have the possibility
to synchronize data from another datastore. This will be discussed in the next section.
+			</p>
+			</subsection>
+			<subsection name="Synchronization and Replication">
+			<p>
+Security data can be synchronized from an external data store, and mapped to the database
used internally by Jetspeed. Currently, LDAP is the only type of external 
+data store supported by Jetspeed. LDAP data can be synchronized periodically, on startup
or on authentication of a user. When synchronizing on authentication of a user, 
+only the data related to that user is synchronized. Replication refers to writing back security
data to the external store whenever security data in the database is updated. 
+Synchronization is a mechanism which ensures that the contents of the external data store
are the same as the internal database, where the external datastore has the highest 
+priority. LDAP synchronization and replication is discussed in more detail in the LDAP Mapping
+			</p>			
+			</subsection>
+			<subsection name="Credentials">
+			<p>
+			</p>			
+			</subsection>
+			<subsection name="Permissions">
+			<p>
+			</p>			
+			</subsection>			
+		</section>
+	</body>

To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org

View raw message