SCHAECK
Fri, 23 Feb 2001 03:51:45 -0800
Craig Berry wrote: > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] > > Sent: Thursday, February 22, 2001 6:18 AM > > > > We also have plans in this direction, I think we should agree > > on a common interface for what we do. > > Absolutely. That's why I threw out a skeletal proposal for discussion. > > > Some first thoughts on this topic ... > > > > I think there are actually two points where access control > > must be applied: > > > > - Customization - users should only be offered portlets that they are > > allowed to use > > - Access to portlets - before displaying a portlet or > > allowing to perform > > an action on it, the portal needs to check whether the user still has > > access rights > > In either case, the access decision should be obtained via the same > > interface. > > Definitely need both, yes. That's what motivated my proposal of using > getPortletSet as a filtering chokepoint, as anything using the portlets > for any purpose will go through that API. That's one of the relevant points, it would involve access control in customization and display of portal pages which contain a set of portlets. However, this would not control access to portlets that does not go through aggregation or customization, e.g. via the maximized URL for a portlet. Some initial ideas how this may work - I think we need something like this in addition: +---------+---------+---------+ +---------+ | Portlet | Portlet | Portlet |...| Portlet | +----------------+ +-------------------------------------------+ | Access Control | | Portlet Invoker |->| Check I/F | +-------------+---------------+-------------+ +----------------+ | Aggregation | Customization | Other Views | +-------------+---------------+-------------+ Every call to a portlet should go through an access control component. That component may have methods like public void service(PortletID id, String user/groupID, PortletRequest portletReq, PortletResponse portletRsp) public void actionPerformed(PortletID id, String user/groupID, ActionEvent actionEvent) ... etc. (Note that this is just for illustration, this is not intended as a concrete proposal) The PortletInvoker should make the required checks using the access control interface for checking permissions and then invoke portlets like this portlet.service(portletReq, portletRsp) actionPerformed(actionEvent) ... if the permission check was successful. All aggregation modules, customizers and other components in JetSpeed should invoke portlets only through the portlet invoker. This ensures that the invoker can always apply proper access control checking, calling the currently configured service via the JetSpeed access control interface. > > [snip] > > To accommodate usage of either store, JetSpeed should define > > an interface > > to check permissions, i.e. a call like > > > > checkPermission(user, portletID, action) or > > checkPermission(group, portletID, action) > > > > "action" may be something like display, edit, config, ... > > Makes sense. > > > There should be pluggable services implementing this interface, > > e.g. one using settings in jetspeed.jcfg, one using a database, > > one using an authorization engine, etc. One option to implement the > > pluggable services would be Turbine Services, i.e. we would have > > Turbine Authorization Services that would be invoked through the > > JetSpeed Authorization Interface. > > I like the pluggable service model, and it should definitely be a > Turbine service. That would most likely be a service that would be pert of the JetSpeed code base implementing the generic Turbine service interface and adding the portlet access control methods defined in the JetSpeed access control interface. > > -- > Craig Berry - (310) 570-4140 > VP Technology > GlueCode > 1452 Second St > Santa Monica CA 90401 Best regards, Thomas Thomas Schaeck Portal Architect IBM Pervasive Computing Division Phone: +49-(0)7031-16-3479 Mobile: +49-(0)171-6928407 e-mail: [EMAIL PROTECTED] Fax: +49-(0)7031-16-4888 Address: IBM Deutschland Entwicklung GmbH, Schoenaicher Str. 220, 71032 Boeblingen, Germany -- -------------------------------------------------------------- To subscribe: [EMAIL PROTECTED] To unsubscribe: [EMAIL PROTECTED] Search: <http://www.mail-archive.com/jetspeed@list.working-dogs.com/> List Help?: [EMAIL PROTECTED]