On Thu, Oct 1, 2015 at 11:26 AM, Christian Mueller < christian.muel...@os-solutions.at> wrote:
> Hi > > About the restart. The security subsystem caches the the roles of a user > (and the roles derived from group membership) for performance reasons. This > holds true for stateless authentication (e. g. Basic Authentication) and > for session cookies (interactive login). Otherwise we would pay a high > performance penalty for each request. Look at the J2EE architecture, > (web.xml as an example). If you change the security settings in the web.xml > file you have to restart the container. > I understand the need for performance reasons, but don't we have a way to either drop the caches, or to quickly check if the user roles got modified? For example, in GeoFence we have a cache of the authorization results for performance reasons, but the cache is short lived and there is a REST call that can be used to drop it immediately. Having roles cached until the user logs out (I do hope a logout clears the cache, right?) seems like a security liability. > > About the group concept. I think it is not the best idea to assign rules > to users directly. IMHO a good practice is to assign roles to user groups > and configure group membership for individual users. > I see where you're going with this, it implies a uniformity of roles for the users in the group, and the notion that when a change is made, it's made for all users in the group. Makes sense. > Again, this is not my concept, it is a J2EE concept. > Erk, J2EE has been wrong in some many ways over the last 15 years that I normally associate it with "slow to build, slow to run, outdated in design". I'd certainly would never defend an idea by associating it with J2EE ;-) Cheers Andrea -- == GeoServer Professional Services from the experts! Visit http://goo.gl/it488V for more information. == Ing. Andrea Aime @geowolf Technical Lead GeoSolutions S.A.S. Via Poggio alle Viti 1187 55054 Massarosa (LU) Italy phone: +39 0584 962313 fax: +39 0584 1660272 mob: +39 339 8844549 http://www.geo-solutions.it http://twitter.com/geosolutions_it *AVVERTENZE AI SENSI DEL D.Lgs. 196/2003* Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003. The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc. -------------------------------------------------------
------------------------------------------------------------------------------
_______________________________________________ Geoserver-users mailing list Geoserver-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/geoserver-users
