Move spring security configuration out of main and into web-app
---------------------------------------------------------------
Key: GEOS-4487
URL: http://jira.codehaus.org/browse/GEOS-4487
Project: GeoServer
Issue Type: Task
Components: Security
Reporter: Gabriel Roldán
Assignee: Gabriel Roldán
Fix For: 2.1.x, 2.2.x

Spring Security is configured in applicationSecurityContext.xml but is embedded
into the main module's jar, implying the following problems:
- security config is a cross-cutting concern, and right now the main module
imposes assumptions on things it doesn't know about or shouldn't enforce
- it is very difficult to set up an alternate web application that overrides
the security subsystem default weaving of spring beans, especially because some
of them are engaged at run time by app context inspection, so even if providing
a different set of security objects, some from main engage at runtime.
The solution would be that the app security context is defined in the web-app
module, allowing alternate web applications to depend on geoserver modules
without the impositions of the security context in main.
To do so, it is needed that:
- the app security context is moved to web-app
- there's still a security context used for unit tests that require it, but it
shall not interfere with the normal application (proposal is putting the config
file in main's test resources under a different name, for the sake of
simplicity, instead of having to provide an alternate file for each unit test
that requires security)
- the servlet filter classes in web-app should be moved to web-core, for other
web applications to use them.
The following git branch provides such a patch and does not break any test:
[https://github.com/groldan/geoserver_trunk/compare/master...security_breakdown]
The proposal is to apply this to trunk, and if everything works ok port to
2.1.x after 2.1.0 is released, because the GeoNode project needs to lay out
its own web app based on GeoServer 2.1.x components and to set up its own
security context.
As a side note, what's being proposed here is the same that the GeoWebCache
project does. It defines the security context in its web application module,
allowing GeoServer to depend on GeoWebCache without carrying over GWC's
settings for security, which as a matter of fact still use the Acegi framework
instead of the spring-security replacement as GeoServer does.
In this case, GeoNode needs to depend on GeoServer the same way GeoServer does
on GWC, so this seems like the correct approach.
_______________________________________________
Geoserver-devel mailing list
https://lists.sourceforge.net/lists/listinfo/geoserver-devel