You can find the other security proposal in the build:

/jetspeed/proposals/0004.txt


>   <viewable-by group="foo" role="bar" perm="baz" />

Is this permission under the portlet definition?
I believe it would be better to use an ACL approach, to represent the
permission association between the portlet and role, and decouple the
security def. from the portlet def.
Look at the Turbine schema, the TURBINE_ROLE_PERMISSION table.

Once the new architecture is formalised, we can identify entities needing
security, possibly portlets, panes, templates.
Turbine already gives us users, groups and roles.
I was working on security wrt psml files. Will psml files be around in the
next release? :)

>
> To accommodate usage of either store, JetSpeed should define an interface
> to check permissions, i.e. a call like
>
> checkPermission(user, portletID, action) or
> checkPermission(group, portletID, action)
>

Turbine already does a lot of the work for you wrt users and groups:

@see
        turbine.util.security.AccessControlList
        turbine.util.SecurityCheck
        turbine.util.TemplateSecurityCheck

From rundata, you can make checks like this:

data.getACL().hasPermission(permission)

or use the utility classes

> There should be pluggable services implementing this interface, e.g. one
> using settings in jetspeed.jcfg, one using a database, one using an
> authorization engine, etc. One option to implement the pluggable services
> would be Turbine Services, i.e. we would have Turbine
> Authorization Services
> that would be invoked through the JetSpeed Authorization Interface.
>
>

I like that (authorization service).
I like making use of the role-permission approach already defined in
Turbine.
The problem is that portlets and other jetspeed objects are stored in a JCFG
registry, where users and groups are defined in the database.
I know it's very easy to edit the JCFG file, but mine is getting very large
and unmanageable.
Plus I have multiple configurations....

Has anyone ever considered storing the registries in a database?
Using Torque, we could still define our object model in XML Schema, and
deploy to whatever JDBC datastore we want.
I'm not sure if Torque can persist to XML files. My guess is that it always
needs to go thru a JDBC driver...
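
The following sketch is an added example, not part of the original message and not Jetspeed or Turbine code. It shows the checkPermission(user, portletID, action) interface discussed above with one pluggable backend that keeps role-permission ACL entries apart from the portlet definitions. All class, method and data names are hypothetical.

```java
import java.util.*;

// Hypothetical names throughout; this is not the Jetspeed or Turbine API.
interface PortletAuthorizer {
    boolean checkPermission(String user, String portletId, String action);
}

// One pluggable backend: ACL entries live outside the portlet definitions.
// A JCFG-backed or database-backed store would implement the same interface.
class InMemoryAclAuthorizer implements PortletAuthorizer {
    private final Map<String, Set<String>> userRoles = new HashMap<>();
    // Key is the pair [portletId, action]; value is the set of roles granted it.
    // A list key avoids collisions that a joined "id|action" string could have.
    private final Map<List<String>, Set<String>> acl = new HashMap<>();

    void assignRole(String user, String role) {
        userRoles.computeIfAbsent(user, k -> new HashSet<>()).add(role);
    }

    void grant(String role, String portletId, String action) {
        acl.computeIfAbsent(Arrays.asList(portletId, action), k -> new HashSet<>())
           .add(role);
    }

    @Override
    public boolean checkPermission(String user, String portletId, String action) {
        // Default deny: an unknown user, portlet or action yields false.
        Set<String> roles = userRoles.getOrDefault(user, Collections.emptySet());
        Set<String> allowed = acl.getOrDefault(Arrays.asList(portletId, action),
                                               Collections.emptySet());
        return !Collections.disjoint(roles, allowed);
    }
}

public class AclDemo {
    public static void main(String[] args) {
        // Constructed sample data: role "bar" may view the "StockQuote" portlet.
        InMemoryAclAuthorizer store = new InMemoryAclAuthorizer();
        store.assignRole("alice", "bar");
        store.grant("bar", "StockQuote", "view");

        PortletAuthorizer authz = store; // callers depend only on the interface
        System.out.println(authz.checkPermission("alice", "StockQuote", "view"));
        System.out.println(authz.checkPermission("alice", "StockQuote", "customize"));
        System.out.println(authz.checkPermission("mallory", "StockQuote", "view"));
    }
}
```

Swapping the backend means supplying another PortletAuthorizer implementation; the portlet definitions and the calling code do not change.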







