Jacopo,No this comment is 100% appropriate and exactly what I am looking for. When I picked this design, I was thinking it may be easier for vertical applications to be able to simply implement an interface, and one of these stock implementations would be to call a server. I was thinking the default (if no class was defined) would be this.
However, I'm not sure if it makes such a big difference. Service vs implementing an interface. So, I guess the question should be; do we leave the interface (is there any reason to have it?) or change it to only accept a service?
Andrew On Jan 8, 2007, at 9:04 AM, Jacopo Cappellato wrote:
Andy,maybe hooking a service call (instead of a call to a Java method) would be a more linear and standardized approach (the service could then be implemented as a Java method or in minilang etc...); as a cons there could be a small overhead for the service call but maybe it is an acceptable cost to have. What do you think?Please, consider that I just had a very cursory look at your work and so this comment could be inappropriate... if so, just ignore it!Jacopo Andrew Zeneski wrote:It is my believe and I am sure there are others who agree, the base permission scheme in OFBiz just doesn't cut it for application specific security. What I want to propose and make an initial decision on is a generic schema for developing custom security implementations for specific application purposes. What I checked in to SVN today is an initial idea I have for implementing this. I called it ServiceSecurity.java. In any service definition you can specify a class to call to decide if a user has permission to invoke the service.Since this is a generic interface this allows the following:1) A simple method implementation. We can implement this interface to call a simple method which would return a boolean. Then security permissions can be implemented using simple methods (i.e. there are a number of these types of methods already in OFBiz today, so this would be a good first step). 2) A service implementation. Having a interface service which returns a Boolean object to decide if the user has permission. 3) A custom Java implementation. Create a new class which implements this interface which has a single method hasPermission(). The reason I went this direction was to provide a very generic and flexible way to implement security. It has been brought to my attention that all we really need is to do this via a service, which in turn could be simple method, java or whatever. I am now opening the floor to discussion; should we stick with a generic interface and implement various classes to handle different options, change this only operate as a service call, or should we do something completely different. As always the decision made here is never final, technologies may change, new ideas arise, but what I really want to do now is settle on our initial plan of attack. To see what is there today, see the new ServiceSecurity.java interface and the permission section of a service definition (services.xsd).Andrew
smime.p7s
Description: S/MIME cryptographic signature
