Craig Berry
Thu, 22 Feb 2001 16:20:32 -0800
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 22, 2001 6:18 AM
>
> We also have plans in this direction, I think we should agree
> on a common interface for what we do.

Absolutely. That's why I threw out a skeletal proposal for discussion.

> Some first thoughts on this topic ...
>
> I think there are actually two points where access control
> must be applied:
>
> - Customization - users should only be offered portlets that they are
>   allowed to use
> - Access to portlets - before displaying a portlet or allowing to
>   perform an action on it, the portal needs to check whether the user
>   still has access rights
>
> In either case, the access decision should be obtained via the same
> interface.

Definitely need both, yes. That's what motivated my proposal of using getPortletSet as a filtering chokepoint, as anything using the portlets for any purpose will go through that API.

[snip]

> To accommodate usage of either store, JetSpeed should define an
> interface to check permissions, i.e. a call like
>
>   checkPermission(user, portletID, action) or
>   checkPermission(group, portletID, action)
>
> "action" may be something like display, edit, config, ...

Makes sense.

> There should be pluggable services implementing this interface, e.g.
> one using settings in jetspeed.jcfg, one using a database, one using
> an authorization engine, etc. One option to implement the pluggable
> services would be Turbine Services, i.e. we would have Turbine
> Authorization Services that would be invoked through the JetSpeed
> Authorization Interface.

I like the pluggable service model, and it should definitely be a Turbine service.

--
Craig Berry - (310) 570-4140
VP Technology
GlueCode
1452 Second St
Santa Monica CA 90401
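The design discussed in this message, sketched as an added example that is not code from the thread or from Jetspeed or Turbine: one permission interface consulted both when filtering the portlet list and again when an action is performed. Only the names checkPermission and getPortletSet come from the message; their signatures here, and every other name and sample value, are hypothetical.

```java
import java.util.*;

// Hypothetical sketch; class and method shapes are assumptions, not the Jetspeed API.
public class PortletAccessDemo {
    /** The single decision interface that both enforcement points call. */
    interface PermissionChecker {
        boolean checkPermission(String user, String portletId, String action);
    }

    /** One pluggable backend: an in-memory grant table that denies by default. */
    static class MapChecker implements PermissionChecker {
        private final Set<List<String>> grants = new HashSet<>();
        void grant(String u, String p, String a) { grants.add(Arrays.asList(u, p, a)); }
        void revoke(String u, String p, String a) { grants.remove(Arrays.asList(u, p, a)); }
        public boolean checkPermission(String u, String p, String a) {
            return grants.contains(Arrays.asList(u, p, a));
        }
    }

    /** Point 1 (customization): offer only portlets the user may display. */
    static List<String> getPortletSet(PermissionChecker pc, String user, List<String> all) {
        List<String> visible = new ArrayList<>();
        for (String id : all) {
            if (pc.checkPermission(user, id, "display")) visible.add(id);
        }
        return visible;
    }

    /** Point 2 (access): re-check at use time, since the offered list may be stale. */
    static String perform(PermissionChecker pc, String user, String portletId, String action) {
        if (!pc.checkPermission(user, portletId, action)) {
            throw new SecurityException(user + " may not " + action + " " + portletId);
        }
        return action + ":" + portletId;
    }

    public static void main(String[] args) {
        MapChecker pc = new MapChecker();
        List<String> all = Arrays.asList("news", "stocks", "admin"); // constructed sample ids
        pc.grant("alice", "news", "display");
        pc.grant("alice", "stocks", "display");
        List<String> offered = getPortletSet(pc, "alice", all);
        System.out.println("offered: " + offered);
        pc.revoke("alice", "stocks", "display"); // right removed after customization
        System.out.println(perform(pc, "alice", "news", "display"));
        try {
            perform(pc, "alice", offered.get(1), "display"); // stale entry from the offered list
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

Swapping MapChecker for a configuration-file, database or authorization-engine backend leaves both call sites unchanged, which is the point of routing every decision through the one interface.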