> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 22, 2001 6:18 AM
> 
> We also have plans in this direction, I think we should agree 
> on a common interface for what we do.

Absolutely.  That's why I threw out a skeletal proposal for discussion.

> Some first thoughts on this topic ...
> 
> I think there are actually two points where access control 
> must be applied:
> 
> - Customization - users should only be offered portlets that they are
>   allowed to use
> - Access to portlets - before displaying a portlet or allowing to perform
>   an action on it, the portal needs to check whether the user still has
>   access rights
>
> In either case, the access decision should be obtained via the same
> interface.

Definitely need both, yes.  That's what motivated my proposal of using
getPortletSet as a filtering chokepoint, as anything using the portlets
for any purpose will go through that API.

[snip]
> To accommodate usage of either store, JetSpeed should define an interface
> to check permissions, i.e. a call like
> 
> checkPermission(user, portletID, action) or
> checkPermission(group, portletID, action)
> 
> "action" may be something like display, edit, config, ...

Makes sense.

> There should be pluggable services implementing this interface, e.g. one
> using settings in jetspeed.jcfg, one using a database, one using an
> authorization engine, etc. One option to implement the pluggable services
> would be Turbine Services, i.e. we would have Turbine Authorization Services
> that would be invoked through the JetSpeed Authorization Interface.

I like the pluggable service model, and it should definitely be a
Turbine service.

-- 
Craig Berry - (310) 570-4140
VP Technology
GlueCode
1452 Second St
Santa Monica CA 90401
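
An added example, not part of the original message and not Jetspeed or Turbine code: a minimal Java sketch of the design discussed above, with one checkPermission interface consulted both by a getPortletSet-style filter (customization) and again at action time (access). All class and method names, the in-memory grant table and the sample users and portlets are assumptions made for illustration.

```java
import java.util.*;
import java.util.stream.Collectors;

// Hypothetical names throughout; this is not the Jetspeed or Turbine API.
public class PortletAccessDemo {
    /** The single decision interface that every call site shares. */
    interface AuthorizationService {
        boolean checkPermission(String user, String portletId, String action);
    }

    /** One pluggable backend: an in-memory table standing in for a config file or database. */
    static class TableAuthorizationService implements AuthorizationService {
        private final Set<List<String>> grants = new HashSet<>();
        void grant(String user, String portletId, String action) {
            grants.add(Arrays.asList(user, portletId, action));
        }
        void revoke(String user, String portletId, String action) {
            grants.remove(Arrays.asList(user, portletId, action));
        }
        @Override
        public boolean checkPermission(String user, String portletId, String action) {
            // Default deny: anything not explicitly granted is refused.
            return grants.contains(Arrays.asList(user, portletId, action));
        }
    }

    /** Filtering chokepoint: customization screens and page rendering both read this list. */
    static List<String> getPortletSet(AuthorizationService auth, String user, List<String> all) {
        return all.stream()
                  .filter(id -> auth.checkPermission(user, id, "display"))
                  .collect(Collectors.toList());
    }

    /** Re-check at action time, because rights may have changed since the page was built. */
    static String perform(AuthorizationService auth, String user, String portletId, String action) {
        boolean allowed = auth.checkPermission(user, portletId, action);
        return (allowed ? "OK " : "DENIED ") + action + " on " + portletId + " for " + user;
    }

    public static void main(String[] args) {
        TableAuthorizationService auth = new TableAuthorizationService();
        List<String> all = Arrays.asList("news", "stocks", "admin"); // constructed sample data
        auth.grant("alice", "news", "display");
        auth.grant("alice", "stocks", "display");
        auth.grant("alice", "stocks", "edit");

        System.out.println(getPortletSet(auth, "alice", all));       // "admin" is filtered out
        System.out.println(perform(auth, "alice", "stocks", "edit"));
        auth.revoke("alice", "stocks", "edit");                      // right withdrawn later
        System.out.println(perform(auth, "alice", "stocks", "edit"));
        System.out.println(perform(auth, "alice", "admin", "display"));
    }
}
```

Swapping the backend means supplying another AuthorizationService implementation; the filter and the action-time check stay unchanged.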


