The way it sounds is that principal should really be renamed to role.  Roles
typically have 0 or more permissions.

Although if you consider the hive as a mapping of roles to permissions then
you are really back to what I said earlier where swarm is handy if your
application pre-defines the roles that are available.

-Craig


Mr Mean wrote:
> 
> I am open to suggestions for alternate names, or if someone could
> point me to the naming standards :)
> 
> Right now swarm operates the following way: A user is associated with
> 1 or more Subjects, each Subject has 0 or more Principals. Each
> Principal is mapped to 1 or more Permissions.
> Each Permission has 0 or more Actions.
> 
> Permissions and actions are named pretty straightforward I think.
> 
> Maurice
> 
> On 6/29/07, craigdd <[EMAIL PROTECTED]> wrote:
>>
>> Just my two cents but I think the API should change, or I guess not really
>> the API but the implementation (swarm) to better reflect industry naming
>> standards which will hopefully cut down on the confusion and hopefully make
>> it a little easier to integrate other security frameworks.
>>
>> I use acegi as an example, they have an Authentication object that has a
>> method "getPrincipal" which if you read their javadoc makes it pretty clear
>> that an authenticated entity has one principal, which also seems to fit with
>> JAAS.
>>
>> -Craig
>>
>>
>> Mr Mean wrote:
>> >
>> > Neither am I :) And you could be right about me misusing the
>> > principal, but using the actions of a permission for read write and
>> > then logically separating permissions with read from permissions with
>> > write in different principals does not seem like a stretch to me.
>> >
>> > Maurice
>> >
>> > On 6/29/07, craigdd <[EMAIL PROTECTED]> wrote:
>> >>
>> >> I understand what you are saying and I see how you have accomplished
>> >> something similar to what I'm trying to do, however it seems to me that you
>> >> are misusing the concept of a Principal.  I'm not a security expert but a
>> >> principal seems to point to an individual and not with something called
>> >> write.  Write fits a little better into the concepts of ACL.
>> >>
>> >> -Craig
>> >>
>> >>
>> >> Mr Mean wrote:
>> >> >
>> >> >> By the way, I'm not saying wicket security is bad, other than my example I
>> >> >> think it is a well put together framework that beats the hell out of using
>> >> >> JAAS.
>> >> >
>> >> > Thanks, i appreciate that :)
>> >> >
>> >> >> I've had a pretty good look at wicket security but the conclusion that I've
>> >> >> come to with that is it only supports the fact that you have pre defined
>> >> >> roles within your application.
>> >> >>
>> >> >
>> >> > Well i am not saying it is impossible to declare and add new
>> >> > permissions / principals at runtime but i think it is generally
>> >> > undesirable to do so. Instead you should make your principals fine
>> >> > grained enough to be used as building blocks for  roles.
>> >> >
>> >> >> I'm currently working on a multi tenant web application where the
>> >> >> application provided a set of permissions, such as read / write access to an
>> >> >> object and each tenant in the application defines their own role hierarchy
>> >> >> based on those permissions.
>> >> >
>> >> > This is exactly what we are doing in our application. We have
>> >> > literally +- 1000 principals defined in our system. By allowing the
>> >> > users to group principals together they can build their own roles. We
>> >> > have multiple organizations in our application and each of them can
>> >> > completely redesign their user roles in the system (well only up to a
>> >> > point because we could not allow that, but that aside they could). We
>> >> > provide each organization with a set of default roles as we think will
>> >> > suit most of them but they are completely free to alter/ rename/
>> >> > delete/ whatever do with those roles because we do not depend on the
>> >> > roles but on the underlying principals, which are controlled by us. A
>> >> > big help is the fact that we made our principals imply each other
>> >> > (write implies read, etc). So when a user designs their roles they
>> >> > don't have to check read access to page A and write access to page A
>> >> > but can suffice with write access to page A. Although most of our
>> >> > principals handle a couple of related pages we also have principals
>> >> > going as deep as individual components. For instance we have a large
>> >> > data grid, the principals are fine grained enough to give you read or
>> >> > write access up to the individual cell.
>> >> >
>> >> > Correct me if i am wrong but this seems to be what you want too.
>> >> >
>> >> > Maurice
>> >> >
>> >> >
>> >> > On 6/28/07, craigdd <[EMAIL PROTECTED]> wrote:
>> >> >>
>> >> >> I've had a pretty good look at wicket security but the conclusion that I've
>> >> >> come to with that is it only supports the fact that you have pre defined
>> >> >> roles within your application.
>> >> >>
>> >> >> I'm currently working on a multi tenant web application where the
>> >> >> application provided a set of permissions, such as read / write access to an
>> >> >> object and each tenant in the application defines their own role hierarchy
>> >> >> based on those permissions.
>> >> >>
>> >> >> We are currently using acegi and I'm trying to figure out the best way to
>> >> >> bake acl into wicket's components.  Example, a link is set to invisible if
>> >> >> the authenticated user doesn't contain a role with the given permission of
>> >> >> that link.  So let's say the link is to delete an object, the user must have
>> >> >> a role with the permission to delete that object or the link will not show
>> >> >> on the page.
>> >> >>
>> >> >> By the way, I'm not saying wicket security is bad, other than my example I
>> >> >> think it is a well put together framework that beats the hell out of using
>> >> >> JAAS.
>> >> >>
>> >> >> -Craig
>> >> >>
>> >> >>
>> >> >> Mr Mean wrote:
>> >> >> >
>> >> >> > If you mean java Jaas like acl then swarm is what you are looking for.
>> >> >> > Optionally if you really want to use jaas and not some look alike I
>> >> >> > made up you could practically copy swarm and replace most objects with
>> >> >> > their jaas counterparts.
>> >> >> > However I chose not to use jaas because we are using that in one of
>> >> >> > our projects right now and although it works it is less than optimal
>> >> >> > :) As soon as we make the switch to wicket 1.3.0 jaas will be replaced
>> >> >> > by swarm.
>> >> >> >
>> >> >> > You can also check out the example project here
>> >> >> >
>> >> >> > https://wicket-stuff.svn.sourceforge.net/svnroot/wicket-stuff/trunk/wicket-security-examples
>> >> >> >
>> >> >> >
>> >> >> > Maurice
>> >> >> >
>> >> >> > On 6/21/07, Igor Vaynberg <[EMAIL PROTECTED]> wrote:
>> >> >> >> wicket's security model is completely generic
>> >> >> >>
>> >> >> >> see IAuthorizationStrategy - it is very abstract and thus can be used to
>> >> >> >> implement any kind of authorization
>> >> >> >>
>> >> >> >> wicket-auth is just an example that implements basic role-based model
>> >> >> >>
>> >> >> >> see wicket-stuff wasp and swarm projects
>> >> >> >>
>> >> >> >> http://wicketstuff.org/confluence/display/STUFFWIKI/Wicket-Security
>> >> >> >>
>> >> >> >> -igor
>> >> >> >>
>> >> >> >>
>> >> >> >> On 6/21/07, craigdd <[EMAIL PROTECTED]> wrote:
>> >> >> >> >
>> >> >> >> > Is wicket security based only on role based authorization or could it somehow
>> >> >> >> > be used with a more traditional ACL type of file / logic.
>> >> >> >> >
>> >> >> >> > -Craig
>> >> >> >> > --
>> >> >> >> > View this message in context:
>> >> >> >> > http://www.nabble.com/wicket-security-and-acl-files-tf3960558.html#a11239024
>> >> >> >> > Sent from the Wicket - User mailing list archive at Nabble.com.
>> >> >> >> >
>> >> >> >> > -------------------------------------------------------------------------
>> >> >> >> > This SF.net email is sponsored by DB2 Express
>> >> >> >> > Download DB2 Express C - the FREE version of DB2 express and take
>> >> >> >> > control of your XML. No limits. Just data. Click to get it now.
>> >> >> >> > http://sourceforge.net/powerbar/db2/
>> >> >> >> > _______________________________________________
>> >> >> >> > Wicket-user mailing list
>> >> >> >> > Wicket-user@lists.sourceforge.net
>> >> >> >> > https://lists.sourceforge.net/lists/listinfo/wicket-user
>> >> >> >> >

-- 
View this message in context: 
http://www.nabble.com/wicket-security-and-acl-files-tf3960558.html#a11361537
Sent from the Wicket - User mailing list archive at Nabble.com.
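
The model described in the quoted messages (application-controlled principals where write implies read, grouped by each tenant into its own roles), as an added example that is not part of the original thread and does not use the swarm or Acegi API. All class, principal, role and tenant names are hypothetical.

```java
import java.util.*;

// Added illustration in plain Java; not swarm's or Acegi's classes.
public class TenantRoles {
    enum Action { READ, WRITE }

    // A permission names a protected resource and the actions allowed on it.
    static final class Permission {
        final String resource;
        final Set<Action> actions;
        Permission(String resource, Action... actions) {
            this.resource = resource;
            this.actions = EnumSet.copyOf(Arrays.asList(actions));
        }
    }

    // Application-controlled building blocks ("principals" in the thread's terms).
    static final Map<String, Permission> PRINCIPALS = new HashMap<>();
    static {
        // "write implies read": the write principal carries both actions.
        PRINCIPALS.put("pageA.read", new Permission("pageA", Action.READ));
        PRINCIPALS.put("pageA.write", new Permission("pageA", Action.READ, Action.WRITE));
    }

    // Tenant-defined roles: tenant -> role name -> principal names.
    static final Map<String, Map<String, Set<String>>> ROLES = new HashMap<>();

    static void defineRole(String tenant, String role, String... principals) {
        for (String p : principals)  // tenants may only combine principals the application ships
            if (!PRINCIPALS.containsKey(p)) throw new IllegalArgumentException("unknown principal " + p);
        ROLES.computeIfAbsent(tenant, t -> new HashMap<>())
             .put(role, new HashSet<>(Arrays.asList(principals)));
    }

    // Deny by default: an unknown tenant, role or resource yields false.
    static boolean isAllowed(String tenant, String role, String resource, Action action) {
        Set<String> granted = ROLES.getOrDefault(tenant, Collections.emptyMap())
                                   .getOrDefault(role, Collections.emptySet());
        for (String p : granted) {
            Permission perm = PRINCIPALS.get(p);
            if (perm.resource.equals(resource) && perm.actions.contains(action)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        defineRole("acme", "editor", "pageA.write");
        defineRole("globex", "viewer", "pageA.read");
        System.out.println(isAllowed("acme", "editor", "pageA", Action.READ));    // read granted through write
        System.out.println(isAllowed("globex", "viewer", "pageA", Action.WRITE)); // viewer has no write principal
        System.out.println(isAllowed("globex", "editor", "pageA", Action.READ));  // role defined by another tenant
    }
}
```

Because the check resolves a role only inside its own tenant and depends on the shipped principals rather than on role names, a tenant can rename or delete roles without touching the enforcement code.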

