On Monday 25 January 2010 15:22:42 James Carman wrote:
> On Mon, Jan 25, 2010 at 9:11 AM, Emond Papegaaij
> > The current wicket-security code is somewhat limited in what you can do
> > with it. WASP provides a much richer (probably too rich) interface for
> > security. I see WASP as a viable basis for the wicket-security API where
> > providers can plug in to. One of these providers will be SWARM, but also
> > wicket-security-shiro and wicket-security-spring. Maybe even auth-roles.
> 
> Agreed it's limited, so we should definitely make the API rich enough
> so that you can do very fine-grained authorization control or more
> coarse-grained.  Some projects (like ours) will be okay with just
> saying "this page has to have this role."

I think a good security framework needs to provide an API that allows, but
does not require, fine-grained control.

> > However WASP in its current state is too bloated for this. It will
> > require a major cleanup. On the other hand, the current wicket-security
> > API is too limited for a real security framework to plug in to. For this
> > to work, we need to find the fine line that provides a clean, but
> > complete API.
> 
> Agreed.  When I look at the documentation for SWARM/WASP, I cringe.
> I, being one of the (now defunct) Apache HiveMind committers, also
> take offense to the name of the HiveMind class. :)  Actually, I really
> don't like the cutesy names in the API at all.  The names don't make
> any sense?  Why is a "hive" called a "hive" for instance?  Why is the
> HiveMind class called HiveMind?  Just looking at it, it's really not
> intuitive.  There also seems to be a lot of configuration required to
> get things off the ground properly.

Most of the complicated stuff is from SWARM, which indeed requires a lot of 
configuration. The difference between WASP and SWARM is not quite clear from 
the documentation, nor is the separation of the two. Some of the naming could 
use some improvement indeed :). The HiveMind manages the Hives used in the VM. 
A Hive contains all principals and permissions of an application and 
ultimately determines if a permission is granted or not. However, the Hive 
(and mind) are part of SWARM and should not be part of a general API.

The main elements of WASP are:
 - A set of secure components
 - Several security checks
 - The ActionFactory, with a set of default actions
 - The WaspAuthorizationStrategy, which implements IAuthorizationStrategy

With this, WASP only provides an interface to make your Wicket application
secure. It has no implementation whatsoever on how to check the security.
Therefore, I think it is a good starting point for creating a general security 
API for Wicket.

Emond
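
The split discussed in the message above (an API that only asks the authorization question, with a provider plugged in to answer it coarsely or finely), as an added sketch that is not WASP, SWARM or wicket-security code. Every type name here (`SecurityProvider`, `RoleProvider`, `PermissionProvider`, `Gate`) is hypothetical, and plain strings stand in for Wicket pages, components and actions.

```java
import java.util.Map;
import java.util.Set;

public class PluggableSecuritySketch {
    /** Hypothetical provider SPI: the API only asks, the provider decides. */
    interface SecurityProvider {
        boolean isAuthorized(String user, String resource, String action);
    }

    /** Coarse-grained provider: "this page has to have this role". */
    record RoleProvider(Map<String, String> pageRole, Map<String, Set<String>> userRoles)
            implements SecurityProvider {
        public boolean isAuthorized(String user, String resource, String action) {
            String page = resource.split("#", 2)[0]; // the component part is ignored
            String role = pageRole.get(page);
            // Assumption of this sketch: a page with no rule is denied, not open.
            return role != null && userRoles.getOrDefault(user, Set.of()).contains(role);
        }
    }

    /** Fine-grained provider: explicit "resource:action" grants per user. */
    record PermissionProvider(Map<String, Set<String>> grants) implements SecurityProvider {
        public boolean isAuthorized(String user, String resource, String action) {
            return grants.getOrDefault(user, Set.of()).contains(resource + ":" + action);
        }
    }

    /** Stand-in for the strategy the framework calls; it holds no policy itself. */
    static final class Gate {
        private final SecurityProvider provider;
        Gate(SecurityProvider provider) { this.provider = provider; }
        boolean check(String user, String resource, String action) {
            // Fail closed when no provider has been installed.
            return provider != null && provider.isAuthorized(user, resource, action);
        }
    }

    public static void main(String[] args) {
        // Constructed sample data, not taken from any real application.
        Gate coarse = new Gate(new RoleProvider(
                Map.of("AdminPage", "admin"), Map.of("alice", Set.of("admin"))));
        Gate fine = new Gate(new PermissionProvider(
                Map.of("bob", Set.of("AdminPage#deleteButton:render"))));
        System.out.println(coarse.check("alice", "AdminPage#deleteButton", "enable"));
        System.out.println(coarse.check("bob", "AdminPage", "render"));
        System.out.println(fine.check("bob", "AdminPage#deleteButton", "render"));
        System.out.println(fine.check("bob", "AdminPage#deleteButton", "enable"));
        System.out.println(new Gate(null).check("alice", "AdminPage", "render"));
    }
}
```

The calling code in `Gate` is identical for both providers; only the plugged-in provider determines whether the decision is made per page role or per component action.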
