Hi Eric
> Alternatively, if this code works, then maybe it could be submitted as the
> replacement for the existing security?
The framework is not a replacement for Turbine's current security
implementation. It is actually a complement to it. The framework allows you to
map Turbine resources (actions, events, templates) of misc. components to a
set of security requirements (ACL if you will).
This is done through a "SecurityContext" which is a logical group of
aforementioned Turbine resources assigned to a specific set of security
requirements. A grouping of multiple SecurityContexts resides within a
"SecurityScope." The framework allows for multiple scope definitions.
I have also provided a session pull tool that can be used to authorize a
user to a specific resource within a specific scope:

    $securityTool.isAuthorizedTemplate("catalog,ViewCart.vm","catalog")

where "catalog,ViewCart.vm" is the template and "catalog" is the scope that
contains the SecurityContext that contains "catalog,ViewCart.vm".
You can also define (for templates only) within a SecurityContext a whole
collection (directory) of templates. So, if the framework cannot find:

    $securityTool.isAuthorizedTemplate("catalog,ViewCart.vm","catalog")

it will check to see if a SecurityContext has "catalog" defined and will
subsequently apply that security to "catalog,ViewCart.vm".
Portion of a working security scope:

<!-- *** Sample requirement **-->
<Requirement name="shopper">
  <group name="226">
    <role name="shopper"/>
  </group>
  <group name="51">
    <role name="shopper"/>
  </group>
  <group name="55">
    <role name="shopper"/>
  </group>
  <group name="56">
    <role name="shopper"/>
  </group>
  <group name="Customer 2">
    <role name="shopper"/>
  </group>
  <group name="Default Customer">
    <role name="shopper"/>
  </group>
  <group name="New Customer">
    <role name="shopper"/>
  </group>
  <group name="test">
    <role name="shopper"/>
  </group>
</Requirement>

<!-- ** Secure Catalog Section ** -->
<SecurityContext name="shopping_cart" requirement="shopper">
  <component name="OrderGrid"/>
  <template name="catalog,ProductCart.vm"/>
  <template name="catalog,ViewCart.vm"/>
  <action name="shoppingcart.ShoppingCart"/>
</SecurityContext>

<!-- ** Unsecure Section ** -->
<!-- the "none" is a reserved word that gives unrestricted access to anyone -->
<SecurityContext name="public" requirement="none">
  <!-- Applied to everything in the catalog directory unless other security
       has been pre-defined -->
  <template name="catalog"/>
</SecurityContext>

The entire implementation is pluggable so that if Turbine's security service
is re-written, a new version of the security context/requirement framework
can be easily plugged in.
Also, security scopes are materialized using a scope loader class. All
scopes to be loaded are centrally defined within a ScopeDescriptor.xml which
points to the location of the security scopes and uses the specified
loader class.

<ScopeDescriptor>
  <Scope id="default"
         classname="org.apache.turbine.security.turbine.EnhancedSecurityScope">
    <resource name="file">WEB-INF/conf/DefaultScope.xml</resource>
  </Scope>
</ScopeDescriptor>

hth,
Scott
> -----Original Message-----
> From: Eric Pugh [mailto:[EMAIL PROTECTED]]
> Sent: Monday, June 03, 2002 11:17 AM
> To: 'Turbine Users List'
> Subject: RE: Security framework
>
>
> Is the version that Saimon created available? And would it be possible to
> put this code into CVS somewhere? A contrib directory? I am thinking
> about moving to T2.2 with the decoupled Torque, but all the posts about the
> pain of having two different versions of torque to support Intake and
> security is holding me off...
>
> Alternatively, if this code works, then maybe it could be submitted as the
> replacement for the existing security?
>
> Maybe this should go to Turbine Dev list...?
>
> Eric Pugh
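
The lookup order described in the message above (exact template entry first, then the enclosing directory, with "none" as the unrestricted requirement), modelled as an added Python example that is not the framework's code or part of the original thread. The `SecurityScope` root element, the rule that a requirement is met by holding the listed role in any listed group, and the denial of unmapped templates are assumptions; the XML is constructed from the sample in the message.

```python
import xml.etree.ElementTree as ET

# Constructed scope, trimmed from the sample; the root element name is assumed.
SCOPE_XML = """
<SecurityScope>
  <Requirement name="shopper">
    <group name="Default Customer"><role name="shopper"/></group>
    <group name="test"><role name="shopper"/></group>
  </Requirement>
  <SecurityContext name="shopping_cart" requirement="shopper">
    <template name="catalog,ProductCart.vm"/>
    <template name="catalog,ViewCart.vm"/>
  </SecurityContext>
  <SecurityContext name="public" requirement="none">
    <template name="catalog"/>
  </SecurityContext>
</SecurityScope>
"""

def load_scope(xml_text):
    """Return ({requirement: {(group, role)}}, {template_or_dir: requirement})."""
    root = ET.fromstring(xml_text)
    requirements = {
        req.get("name"): {(g.get("name"), r.get("name"))
                          for g in req.findall("group") for r in g.findall("role")}
        for req in root.findall("Requirement")}
    templates = {t.get("name"): ctx.get("requirement")
                 for ctx in root.findall("SecurityContext")
                 for t in ctx.findall("template")}
    return requirements, templates

def requirement_for(template, templates):
    """Exact template entry wins; otherwise fall back to its directory entry."""
    if template in templates:
        return templates[template]
    directory = template.rsplit(",", 1)[0] if "," in template else None
    return templates.get(directory)  # None when nothing maps the template

def is_authorized_template(template, user_grants, scope):
    """user_grants is a set of (group, role) pairs held by the user."""
    requirements, templates = scope
    req = requirement_for(template, templates)
    if req is None:
        return False  # assumption: unmapped templates are denied
    if req == "none":
        return True   # reserved word: unrestricted access
    return bool(user_grants & requirements.get(req, set()))

def public_via_fallback(candidates, templates):
    """Audit helper: templates that are public only through a directory entry."""
    return [t for t in candidates
            if t not in templates and requirement_for(t, templates) == "none"]
```

Running `public_via_fallback` over the real template list shows which pages become unrestricted through the `catalog` directory entry because nobody listed them in a stricter SecurityContext.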