On 28 Sep 06, at 9:28 AM 28 Sep 06, Carlos Sanchez wrote:

Is it using maven-user? There's already all user management code there
to avoid duplication in different applications.


Joakim, to the best of my knowledge, used bits and pieces from Maven User, but the implementation in the plexus-security package is better in my opinion and has been worked on by more people (I've looked at it and agree, though a critique of some things in p-sec in general is coming from me). Myself, Jesse, and Joakim were involved, and the speed with which p-sec was integrated into Continuum is a testament to its ease of use. The user management is part of that system.

On 9/28/06, Emmanuel Venisse <[EMAIL PROTECTED]> wrote:
+1 for the merge

Emmanuel

Jesse McConnell wrote:
> Over the course of the past 3 weeks I've worked with joakim on the
> plexus-security effort to bring rbac based security to Archiva.
> We succeeded.
>
> Last Friday (or so) I took the continuum/trunk and created the
> rbac-integration branch.
> I wanted to test the integration of rbac based security, using
> the plexus-security project, into continuum.
>
> It integrated beautifully, without a whole lot of work, in record
> time, and is pretty functional now ...
>
> Some of the fun things that plexus-security brings with it are:
>
> * full separation between application webapp and security (lightweight
> integration).
> * proper modularization for security components (authentication,
> authorization, policy, system, web, etc...)
> * rbac (role based access control) authorization provider.
> * full user management war overlay (using healthy chunk of maven-user
> to make it happen)
> * toggle-able guest user authorization.
> * remember me and single sign on authentication.
> * forced admin account creation (through use of interceptor)
> * key based authentication (remember me, single sign on, new user
> validation emails, and password resets).
> * http auth filters (basic and digest).
> * aggressive plexus utilization.
> * aggressive xwork / webwork integration.
> * xwork interceptors for force admin, auto login (remember me),
> secured action, and environment checks.
> * secured actions for all of the /security namespace and at least one
> continuum secured action (these are enforced by the
> pssSecureActionInterceptor)
> * all the password validation, user management stuff (again maven-user
> origins)
> * continuum-security artifact containing the actual static and dynamic
> roles, and a continuum role manager that merges permissions to the
> core system, user, and guest users
> * ifAuthorized, ifAnyAuthorized, elseAuthorized jsp tags.
> * placeholders for ldap authentication, authorization and user details
> retrieval using plexus ldap components
> * ability to re-use Acegi for authentication
>
> I think it is very usable now, it's a matter of some jsp and action
> work to clean up some things and hide some other knobs and buttons.
>
> I'd like to get feedback and discussion from the others here about the
> implementation, and consider a vote to merge it to trunk after that. I
> believe it is stable enough to move forward with.
>
> jesse
>




--
I could give you my word as a Spaniard.
No good. I've known too many Spaniards.
                            -- The Princess Bride

