Hello.
We are getting close to adding LDAP support to Turbine. Another
programmer from e-point will be working on this starting on Monday.
I was reviewing the security code, and I found several rough edges
that could use some polishing, as well as some things that need
changing to make things really flexible.
We are determined to do whatever it takes to perform this
reorganization, because our project's deadlines are drawing
closer. We need the LDAP stuff to be working on Oct 1st.
Below is a more or less complete list of the changes that I want to
make. Each paragraph describes an atomic set of changes
that should leave the tree compiling and working. After some
basic testing, I'll be committing the code to get multiple
sets of eyes on the code as soon as possible.
------------------------------------------------------------------------
define more precise Exceptions:
java.lang.Exception
org.apache.turbine.util.security.SecurityException;
org.apache.turbine.util.security.AccessControlException;
org.apache.turbine.util.security.DataBackendException;
org.apache.turbine.util.security.PasswordMismatchException;
org.apache.turbine.util.security.UnknownEntityException;
org.apache.turbine.util.security.EntityExistsException;
make the org.apache.services.security classes use them.
remove om.security.LoginFailedException

move AccessControlList along with PermissionSet and RoleSet to
org.apache.turbine.util.security

move User, TurbineUser, TurbineNoDbUser to org.apache.turbine.om.security
rename TurbineUser to DBUser, TurbineNoDbUser to StandaloneUser

move TurbineNoDbUserPeer, TurbineUserPeer, VisitorRolePeer to
org.apache.turbine.om.security
rename TurbineUserPeer to DBUserPeer, TurbineNoDbUserPeer to
StandaloneUserPeer

create a Peer for the Group object. Change VisitorRolePeer to make
use of the Groups.

make UserFactory delegate functionality to TurbineSecurity and
deprecate it

when all references to UserFactory are fixed, remove it completely
along with org.apache.turbine.om.user and org.apache.turbine.om.user.peer

create abstract class om.security.BaseUser that will take most of the
TurbineUser functionality (all except saveToStorage() / retrieveFromStorage())
make DBUser extend BaseUser

move the constants that are used for referencing common fields in the Perm
hashtable to the User interface. Remove StandaloneUserPeer (I don't think this
class is useful for anything else)

Replace constructors in ACL with setter methods; ACL objects are built by
the SecurityService.

Add methods hasRole(Group, Role) and hasPermission(Group, Permission) to
AccessControlList, and make hasRole(Role) and hasPermission(Permission)
reference GLOBAL_GROUP

Move functionality from DefaultAccessControl into DBSecurityService,
remove om.security.AccessControlBuilder and om.security.DefaultAccessControl
The code structure would look like this after the modifications:
org.apache.turbine.om.security.Group
org.apache.turbine.om.security.Role
org.apache.turbine.om.security.Permission
org.apache.turbine.om.security.User
org.apache.turbine.om.security.BaseUser
org.apache.turbine.om.security.DBUser
org.apache.turbine.om.security.peer.GroupPeer
org.apache.turbine.om.security.peer.RolePeer
org.apache.turbine.om.security.peer.PermissionPeer
org.apache.turbine.om.security.peer.VisitorRolePeer
org.apache.turbine.om.security.peer.RolePermissionPeer
org.apache.turbine.util.security.AccessControlList
org.apache.turbine.util.security.RoleSet
org.apache.turbine.util.security.PermissionSet
org.apache.turbine.util.security.SecurityException;
org.apache.turbine.util.security.AccessControlException;
org.apache.turbine.util.security.DataBackendException;
org.apache.turbine.util.security.PasswordMismatchException;
org.apache.turbine.util.security.UnknownEntityException;
org.apache.turbine.util.security.EntityExistsException;
org.apache.turbine.services.security.SecurityService
org.apache.turbine.services.security.BaseSecurityService
org.apache.turbine.services.security.DBSecurityService
org.apache.turbine.services.security.TurbineSecurity
When LDAP support is ready, the following classes will show up:
org.apache.turbine.om.security.LDAPUser
org.apache.turbine.services.security.LDAPSecurityService
With the proposed setup, the User implementation is pluggable independently
of the ACL implementation. I believe this is good, because it's quite probable
that you will be able to use LDAP to auth your users, but your ACLs will stay
in the DB, because you won't have control over the LDAP server.
The other possibility is to write a User implementation that keeps personal
data in the DB but uses JAAS to authenticate the user in an NT domain.
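The setup described above (a directory or the DB authenticating the user, the ACL always built by the SecurityService from the DB through setters, the group-scoped hasRole/hasPermission checks falling back to GLOBAL_GROUP, and the typed exceptions from the change list) as a single runnable sketch. This is an added illustration, not code from the message or from Turbine: the flat package, the records, the group name "global" behind GLOBAL_GROUP, the in-memory grant tables and the credentials are all constructed for the example, and the real Turbine classes of the same names have different signatures.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

// Exception hierarchy from the message (bodies assumed); inside this file SecurityException shadows java.lang's.
class SecurityException extends Exception { SecurityException(String m) { super(m); } }
class PasswordMismatchException extends SecurityException { PasswordMismatchException(String m) { super(m); } }
class UnknownEntityException extends SecurityException { UnknownEntityException(String m) { super(m); } }
// Stand-ins for the om.security entities (records are an assumption of this example).
record Group(String name) {}
record Role(String name) {}
record Permission(String name) {}
interface User { String getUserName(); }
record DBUser(String userName) implements User { public String getUserName() { return userName; } }
record LDAPUser(String userName) implements User { public String getUserName() { return userName; } }

class AccessControlList {
    static final Group GLOBAL_GROUP = new Group("global"); // assumed name
    private final Map<Group, Set<Role>> roles = new HashMap<>();
    private final Map<Group, Set<Permission>> perms = new HashMap<>();
    // Setters instead of constructors: only the SecurityService populates an ACL.
    void setRoles(Group g, Set<Role> r) { roles.put(g, Set.copyOf(r)); }
    void setPermissions(Group g, Set<Permission> p) { perms.put(g, Set.copyOf(p)); }
    boolean hasRole(Group g, Role r) { return roles.getOrDefault(g, Set.of()).contains(r); }
    boolean hasPermission(Group g, Permission p) { return perms.getOrDefault(g, Set.of()).contains(p); }
    // Unqualified checks mean GLOBAL_GROUP: a role granted only in a project group must not pass them.
    boolean hasRole(Role r) { return hasRole(GLOBAL_GROUP, r); }
    boolean hasPermission(Permission p) { return hasPermission(GLOBAL_GROUP, p); }
}

interface SecurityService {
    User authenticate(String userName, String password) throws UnknownEntityException, PasswordMismatchException;
    AccessControlList getACL(User user);
}

// Shared part: the ACL is always built from the DB grant tables (constructed in-memory
// here), whichever backend authenticated the user; an unknown user gets an empty ACL.
abstract class BaseSecurityService implements SecurityService {
    private static final Role ADMIN = new Role("admin");
    private static final Map<String, Map<Group, Set<Role>>> GRANTS = Map.of(
            "alice", Map.of(new Group("project-x"), Set.of(ADMIN)),
            "bob", Map.of(AccessControlList.GLOBAL_GROUP, Set.of(ADMIN)));
    private static final Map<Role, Set<Permission>> ROLE_PERMS = Map.of(ADMIN, Set.of(new Permission("deploy")));
    public AccessControlList getACL(User user) {
        AccessControlList acl = new AccessControlList();
        GRANTS.getOrDefault(user.getUserName(), Map.of()).forEach((group, rs) -> {
            acl.setRoles(group, rs);
            acl.setPermissions(group, rs.stream()
                    .flatMap(r -> ROLE_PERMS.getOrDefault(r, Set.of()).stream()).collect(Collectors.toSet()));
        });
        return acl;
    }
}
// DB-backed authentication against stored digests (a real store would use a salted,
// slow password hash; plain SHA-256 only keeps the example short).
class DBSecurityService extends BaseSecurityService {
    private final Map<String, byte[]> digests = Map.of("bob", sha256("bob-secret"));
    public User authenticate(String u, String p) throws UnknownEntityException, PasswordMismatchException {
        byte[] stored = digests.get(u);
        if (stored == null) throw new UnknownEntityException("unknown user " + u);
        // Constant-time comparison, so timing does not leak how much of the digest matched.
        if (!MessageDigest.isEqual(stored, sha256(p))) throw new PasswordMismatchException("bad password for " + u);
        return new DBUser(u);
    }
    private static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException ex) { throw new IllegalStateException(ex); } // every JDK ships SHA-256
    }
}
// Directory-backed authentication: a real implementation would bind to the LDAP server
// with the supplied credentials; here a constructed map stands in for the server.
class LDAPSecurityService extends BaseSecurityService {
    private final Map<String, String> directory = Map.of("alice", "alice-secret");
    public User authenticate(String u, String p) throws UnknownEntityException, PasswordMismatchException {
        if (!directory.containsKey(u)) throw new UnknownEntityException("no such entry " + u);
        if (!directory.get(u).equals(p)) throw new PasswordMismatchException("bind failed for " + u);
        return new LDAPUser(u);
    }
}

public class PluggableSecurityDemo {
    public static void main(String[] args) throws Exception {
        // alice is authenticated by the directory, but her ACL comes from the DB grant tables.
        SecurityService ldap = new LDAPSecurityService();
        AccessControlList alice = ldap.getACL(ldap.authenticate("alice", "alice-secret"));
        System.out.println("alice admin in project-x: " + alice.hasRole(new Group("project-x"), new Role("admin")));
        System.out.println("alice admin in GLOBAL_GROUP: " + alice.hasRole(new Role("admin")));
        System.out.println("alice may deploy in project-x: " + alice.hasPermission(new Group("project-x"), new Permission("deploy")));
        // bob lives entirely in the DB; a wrong password is a typed exception rather than a null return.
        SecurityService db = new DBSecurityService();
        try { db.authenticate("bob", "wrong"); }
        catch (PasswordMismatchException e) { System.out.println("caught: " + e.getMessage()); }
        System.out.println("bob admin in GLOBAL_GROUP: " + db.getACL(db.authenticate("bob", "bob-secret")).hasRole(new Role("admin")));
    }
}
```

Compile with javac (Java 16 or later, for the records) and run PluggableSecurityDemo. The shape to notice is that it fails closed: an unknown user gets an empty ACL rather than an error path that a caller might forget to handle, and the unqualified hasRole(Role) looks only in GLOBAL_GROUP, so alice's project-level admin role does not answer a global check.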
----------------------------------------------------------------------------
The work has already started, please update your sources and build javadocs.
The SecurityService is in the CVS.
Please, share your comments.
Rafal
------------------------------------------------------------
To subscribe: [EMAIL PROTECTED]
To unsubscribe: [EMAIL PROTECTED]
Search: <http://www.mail-archive.com/turbine%40list.working-dogs.com/>
Problems?: [EMAIL PROTECTED]