Hi, I think it's reasonable to have the schemaService higher in the stack. To authorize a user to do an operation, first we should check if it's a valid operation or not. Some more comments inlined below.
On 4/24/07, Emmanuel Lecharny <[EMAIL PROTECTED]> wrote:
> Hi guys !
>
> I have just a formal question : why can't we call the SchemaService earlier ?
>
> The stack is usually the following :
> - normalizationService (N°1, plain normal)
> - authenticationService (N°2, make sense too)
> - referralService
> - authorizationService
> - defaultAuthorizationService ( difference from the previous service ?)
Yes, this provides the minimum level of authorization even in the absence of the regular authorizationService.
> - exceptionService ( what is it used for ?)
I don't think it fully serves its purpose now.
> - operationalAttributeService
> - schemaService <-- here we check that the entry is consistent
The operationalAttributeService itself does some schema checking on "virtual" attributes. So operationalAttributeService may need to be above the schemaService.
> ... (other services)
>
> I wonder if we shouldn't call schemaService just after the authenticationService.
>
> Why do I ask this question? Because while fixing some code in AuthorizationService, I found that we are doing some checks that are delegated to the schemaService. Typically, we are controlling the existence of an attributeType, and if not present, we check that this AT is not requested by the MUST attribute of a specific ObjectClass.
>
> This has two main drawbacks :
> - we do the check twice (should not be a big deal though, because the test is pretty fast, but anyway)
> - we are doing a wrong test : it's not enough to check that a specific OC (here, it's the AccessControlSubentry OC) is not in the OC list for this entry, because many other OC can contain this tested attribute
>
> Ok, this is something very unlikely, but this can be seen as a potential failure.
>
> Now, I'm not sure that if we put the schemaService higher, it won't break the whole server. So my question. If it's not possible, then I see no other solution than to fix the AuthorizationService code (TupleCache class) :)
>
> Emmanuel
-- Ersin
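
The second drawback raised in the quoted message (testing for one specific object class instead of consulting the MUST lists of every object class on the entry), shown as an added Java example that is not ApacheDS code and not from either poster. The schema map, the `exampleAci` attribute and the `exampleAclHolder` object class are constructed for illustration.

```java
import java.util.Map;
import java.util.Set;

public class MustAttributeCheck {
    // Constructed toy schema: object class name -> attribute types listed under MUST.
    // "exampleAclHolder" is a hypothetical second class requiring the same attribute.
    static final Map<String, Set<String>> MUST = Map.of(
        "accessControlSubentry", Set.of("exampleAci"),
        "exampleAclHolder", Set.of("exampleAci", "cn"),
        "person", Set.of("cn", "sn"));

    // Narrow test: the attribute is treated as optional whenever one
    // hard-coded object class is absent from the entry.
    static boolean narrowCheckAllowsMissing(Set<String> entryObjectClasses) {
        return !entryObjectClasses.contains("accessControlSubentry");
    }

    // Schema-wide test: the attribute may be absent only if none of the
    // entry's object classes lists it under MUST.
    static boolean schemaCheckAllowsMissing(Set<String> entryObjectClasses, String attr) {
        for (String oc : entryObjectClasses) {
            if (MUST.getOrDefault(oc, Set.of()).contains(attr)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed entry: no accessControlSubentry, but another class
        // on the entry still requires exampleAci.
        Set<String> entry = Set.of("person", "exampleAclHolder");

        System.out.println("narrow check accepts missing exampleAci: "
            + narrowCheckAllowsMissing(entry));
        System.out.println("schema-wide check accepts missing exampleAci: "
            + schemaCheckAllowsMissing(entry, "exampleAci"));
    }
}
```

The two checks disagree on the constructed entry: the narrow one accepts the missing attribute because `accessControlSubentry` is absent, while the schema-wide one rejects it because `exampleAclHolder` still requires it.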
