Posted to dev@archiva.apache.org by Joakim Erdfelt <jo...@erdfelt.com> on 2008/02/19 15:36:51 UTC

RBAC vs JASS/Roles (was: Re: Plan to migrate towards Spring?)

nicolas de loof wrote:
> "Integrate RedBack / Spring into Archiva."
>
> What is the advantage of redback compared to spring-security (aka "acegi") ?
>
> spring-security already supports role-based security, DB user store and
> "remember me".
>
> Nico.
>   
Redback is an RBAC implementation.

RBAC at NIST - http://csrc.nist.gov/groups/SNS/rbac/
RBAC FAQ - http://csrc.nist.gov/groups/SNS/rbac/faq.html
RBAC on Wikipedia - http://en.wikipedia.org/wiki/RBAC

Spring and Acegi do not have an RBAC implementation.

The Redback <--> Spring integration is likely to take the form of 
another acegi authorization provider, but it's still a little early yet 
to speculate on how this will occur.

A more general question would be ... do we need RBAC for Archiva?  or 
can we get away with standard JAAS Roles?

- Joakim

RE: RBAC vs JASS/Roles (was: Re: Plan to migrate towards Spring?)

Posted by "Simmons, Robert" <RS...@icat.com>.
The trend to single sign on is compelling. More and more companies out
there are choosing to use LDAP as the authorization mechanism rather than
just authentication. What would be important to me is if I could set
user roles in LDAP and use that information to restrict deployment to
the archiva repository as well as restrict the use of the repository. I
don't have detailed knowledge of the structure of archiva itself so I
couldn't speak to how to accomplish this. 

-- Robert 

-----Original Message-----
From: Brett Porter [mailto:brett@apache.org] 
Sent: Tuesday, February 19, 2008 10:23 AM
To: archiva-dev@maven.apache.org
Subject: Re: RBAC vs JASS/Roles (was: Re: Plan to migrate towards
Spring?)


On 20/02/2008, at 4:15 AM, Simmons, Robert wrote:

> The benefit to JAAS would be easier integration with companies that 
> use LDAP to manage roles within a company.

Actually - this raises a good point - would just having this at the
WebDAV level be sufficient? I realise a lot of people are purely looking
to operate Archiva as a secured proxy and the administration features of
the webapp could be separately secured since there are often less users
needing to be set up for that.

- Brett

>
>
> -- Robert
>
> -----Original Message-----
> From: Brett Porter [mailto:brett@apache.org]
> Sent: Tuesday, February 19, 2008 9:44 AM
> To: archiva-dev@maven.apache.org
> Subject: Re: RBAC vs JASS/Roles (was: Re: Plan to migrate towards
> Spring?)
>
>
> On 20/02/2008, at 1:36 AM, Joakim Erdfelt wrote:
>
>> nicolas de loof wrote:
>>> "Integrate RedBack / Spring into Archiva."
>>>
>>> What is the advantage of redback compared to spring-security (aka
>>> "acegi") ?
>>>
>>> spring-security already supports role-based security, DB user store
>>> and "remember me".
>>>
>>> Nico.
>>>
>> Redback is an RBAC implementation.
>
> Don't forget that 80% of what Archiva uses Redback for is the web
> application user/role management.
>
>>
>> The Redback <--> Spring integration is likely to take the form of
>> another acegi authorization provider, but it's still a little early
>> yet to speculate on how this will occur.
>>
>> A more general question would be ... do we need RBAC for Archiva?
>> or can we get away with standard JAAS Roles?
>
> An even more general question would be - it works, why change it? :)
>
> - Brett
>
> --
> Brett Porter
> brett@apache.org
> http://blogs.exist.com/bporter/
>
>
>
> Confidentiality Note: This message contains information that may be  
> confidential and/or privileged. If you are not the intended  
> recipient, you should not use, copy, disclose, distribute or take  
> any action based on this message. If you have received this message  
> in error, please advise the sender immediately by reply email and  
> delete this message. Although ICAT Managers, LLC scans e-mail and  
> attachments for viruses, it does not guarantee that either are virus- 
> free and accepts no liability for any damage sustained as a result  
> of viruses.  Thank you.
>

--
Brett Porter
brett@apache.org
http://blogs.exist.com/bporter/


 


Re: RBAC vs JASS/Roles (was: Re: Plan to migrate towards Spring?)

Posted by Brett Porter <br...@apache.org>.
On 20/02/2008, at 4:15 AM, Simmons, Robert wrote:

> The benefit to JAAS would be easier integration with companies that  
> use
> LDAP to manage roles within a company.

Actually - this raises a good point - would just having this at the  
WebDAV level be sufficient? I realise a lot of people are purely  
looking to operate Archiva as a secured proxy and the administration  
features of the webapp could be separately secured since there are  
often less users needing to be set up for that.

- Brett

>
>
> -- Robert
>
> -----Original Message-----
> From: Brett Porter [mailto:brett@apache.org]
> Sent: Tuesday, February 19, 2008 9:44 AM
> To: archiva-dev@maven.apache.org
> Subject: Re: RBAC vs JASS/Roles (was: Re: Plan to migrate towards
> Spring?)
>
>
> On 20/02/2008, at 1:36 AM, Joakim Erdfelt wrote:
>
>> nicolas de loof wrote:
>>> "Integrate RedBack / Spring into Archiva."
>>>
>>> What is the advantage of redback compared to spring-security (aka
>>> "acegi") ?
>>>
>>> spring-security already supports role-based security, DB user store
>>> and "remember me".
>>>
>>> Nico.
>>>
>> Redback is an RBAC implementation.
>
> Don't forget that 80% of what Archiva uses Redback for is the web
> application user/role management.
>
>>
>> The Redback <--> Spring integration is likely to take the form of
>> another acegi authorization provider, but it's still a little early
>> yet to speculate on how this will occur.
>>
>> A more general question would be ... do we need RBAC for Archiva?
>> or can we get away with standard JAAS Roles?
>
> An even more general question would be - it works, why change it? :)
>
> - Brett
>
> --
> Brett Porter
> brett@apache.org
> http://blogs.exist.com/bporter/
>
>
>
>

--
Brett Porter
brett@apache.org
http://blogs.exist.com/bporter/


RE: RBAC vs JASS/Roles (was: Re: Plan to migrate towards Spring?)

Posted by "Simmons, Robert" <RS...@icat.com>.
The benefit to JAAS would be easier integration with companies that use
LDAP to manage roles within a company. 

-- Robert

-----Original Message-----
From: Brett Porter [mailto:brett@apache.org] 
Sent: Tuesday, February 19, 2008 9:44 AM
To: archiva-dev@maven.apache.org
Subject: Re: RBAC vs JASS/Roles (was: Re: Plan to migrate towards
Spring?)


On 20/02/2008, at 1:36 AM, Joakim Erdfelt wrote:

> nicolas de loof wrote:
>> "Integrate RedBack / Spring into Archiva."
>>
>> What is the advantage of redback compared to spring-security (aka
>> "acegi") ?
>>
>> spring-security already supports role-based security, DB user store
>> and "remember me".
>>
>> Nico.
>>
> Redback is an RBAC implementation.

Don't forget that 80% of what Archiva uses Redback for is the web
application user/role management.

>
> The Redback <--> Spring integration is likely to take the form of  
> another acegi authorization provider, but it's still a little early  
> yet to speculate on how this will occur.
>
> A more general question would be ... do we need RBAC for Archiva?   
> or can we get away with standard JAAS Roles?

An even more general question would be - it works, why change it? :)

- Brett

--
Brett Porter
brett@apache.org
http://blogs.exist.com/bporter/


 


Re: RBAC vs JASS/Roles (was: Re: Plan to migrate towards Spring?)

Posted by Brett Porter <br...@apache.org>.
On 20/02/2008, at 1:36 AM, Joakim Erdfelt wrote:

> nicolas de loof wrote:
>> "Integrate RedBack / Spring into Archiva."
>>
>> What is the advantage of redback compared to spring-security (aka  
>> "acegi") ?
>>
>> spring-security already supports role-based security, DB user
>> store and
>> "remember me".
>>
>> Nico.
>>
> Redback is an RBAC implementation.

Don't forget that 80% of what Archiva uses Redback for is the web  
application user/role management.

>
> The Redback <--> Spring integration is likely to take the form of  
> another acegi authorization provider, but it's still a little early  
> yet to speculate on how this will occur.
>
> A more general question would be ... do we need RBAC for Archiva?   
> or can we get away with standard JAAS Roles?

An even more general question would be - it works, why change it? :)

- Brett

--
Brett Porter
brett@apache.org
http://blogs.exist.com/bporter/