Posted to slide-user@jakarta.apache.org by Mikko Hämäläinen <mi...@hotmail.com> on 2003/09/05 15:32:56 UTC

What are the roles for?

Hi,
what is the purpose of roles in Slide? What are the differences in the privileges over the system between the users with different roles, what exactly can the user with 'root' role do that the user with the role 'user' can't? Or are they just a way to group users?

I'm using JDBC store with Slide and for Tomcat's authentication. I am using Slide through HTTP with PHP-scripts. I have defined three roles in the authentication DB: admin, coach and student. The roles are used also for different purposes in the PHP-scripts. The roles are defined as follows:

In Domain.xml:

<role name="student">slideroles.basic.UserRole</role>
<role name="admin">slideroles.basic.UserRole</role>
<role name="coach">slideroles.basic.RootRole</role>

..and in web.xml:

<auth-constraint>
    <role-name>admin</role-name>   
    <role-name>coach</role-name>
    <role-name>student</role-name> 
</auth-constraint>

I have created three users and assigned the role student for the user kkoe001, roles student and coach for the user kkoe002 and the role coach for the user kkoe003. However when I look at the Slide-DB's object table, every user has only the slideroles.basic.UserRoleImpl assigned for them.. Is this wrong or have I misunderstood something?

mysql> select * from objects where classname like '%slideroles.basic%';
+-----------------+-------------------------------+
| uri             | classname                     |
+-----------------+-------------------------------+
| /users/kkoe001  | slideroles.basic.UserRoleImpl |
| /users/kkoe002  | slideroles.basic.UserRoleImpl |
| /users/kkoe003  | slideroles.basic.UserRoleImpl |
+-----------------+-------------------------------+
3 rows in set (0.01 sec)


Regards,

Mikko Hämäläinen

Espoon-Vantaan teknillinen ammattikorkeakoulu - EVTEK

Re: What are the roles for?

Posted by Peter Paulus <pa...@neroc.nl>.
on 9/5/03 15:32, Mikko Hämäläinen at mikkosh@hotmail.com wrote:
Hi Mikko,

After struggling a while with this myself, I found that there is a default
setting for the assigned role when you have:
<auto-create-users>true</auto-create-users> in Domain.xml.

There is a second setting that doesn't have to show up in Domain.xml:
<auto-create-users-role>slideroles.basic.UserRole</auto-create-users-role>

When you trace the .java sources you can reconstruct this:

In org/apache/slide/security/SecurityImpl.java there is a method
getPrincipal(). There is a section that checks whether "auto-create-users"
is true: namespaceConfig.isAutoCreateUsers(). If so, it creates a new
principal that gets the "auto-create-users-role":
namespaceConfig.getAutoCreateUsersRole().

The member field namespaceConfig is of type
org.apache.slide.common.NamespaceConfig. If you look in
org/apache/common/NamespaceConfig.java at the method
getAutoCreateUsersRole() it simply returns the member field
autoCreateUsersRole.

This member field is initialized to 'slideroles.basic.UserRoleImpl'.

protected String autoCreateUsersRole = "slideroles.basic.UserRoleImpl";

But in the method initializeNamespaceConfig() you'll find:

config.getConfiguration("auto-create-users")

and

autoCreateUsersRole =
config.getConfiguration("auto-create-users-role").getValue();

This retrieves both settings from Domain.xml. (Of course you can trace
further, to actually see this).

I cannot tell from your information whether you have added the 'student',
'admin' and 'coach' roles, replacing 'guest', 'user' and 'root'.

I'm not sure if Slide can distinguish between 'student' and 'admin' in your
case. I guess, as far as Slide is concerned, it is the same role, although
it is presented differently. I.e. the role 'student' has now an alias 'admin'
and vice versa?

I cannot say whether this is good or bad for your application. For our
application I've created new java classes to circumvent this uncertainty.

You need to create a token interface for the role, say:

com/evtek/CoachRole.java

    package com.evtek;

    // Token (marker) interface: it declares no methods and only names the role.
    public interface CoachRole
    {
    }

And an implementation for this, say

com/evtek/CoachRoleImpl.java

    package com.evtek;

    import org.apache.slide.structure.SubjectNode;
    import com.evtek.CoachRole;
    import java.util.Vector;

    // The class is named CoachRoleImpl so that it matches its file name and
    // constructors and does not clash with the CoachRole interface.
    public class CoachRoleImpl extends SubjectNode implements CoachRole
    {

        public CoachRoleImpl()
        {
            super();
        }

        public CoachRoleImpl(String uri)
        {
            super(uri);
        }

        public CoachRoleImpl(String uri, Vector children, Vector links)
        {
            super(uri, children, links);
        }

    }

Don't try to build hierarchies of Roles, like I did, i.e. have interface
com.evtek.CoachRole extend interface slideroles.basic.UserRole. Somewhere
down the line I got into trouble. I've asked some questions about this in
either this maillist or the cocoon maillist. (It had to do with java
reflection.)

Hope this helps,

Kind regards,
Peter Paulus
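
Added example, not part of either message and not Slide's own code: a small audit of a Domain.xml fragment that reports the two conditions discussed in this thread, namely several role names mapped to one role class, and the role class that every auto-created user receives. The <configuration> wrapper element, the function name and treating an absent auto-create-users element as disabled are assumptions; the element names and the default class name are taken from the messages above.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Default named in the reply above (initial value of autoCreateUsersRole).
DEFAULT_AUTO_ROLE = "slideroles.basic.UserRoleImpl"

# Constructed sample: the three <role> lines from the question plus
# auto-create-users. The <configuration> wrapper is an assumption.
SAMPLE_DOMAIN_XML = """
<configuration>
  <auto-create-users>true</auto-create-users>
  <role name="student">slideroles.basic.UserRole</role>
  <role name="admin">slideroles.basic.UserRole</role>
  <role name="coach">slideroles.basic.RootRole</role>
</configuration>
"""

def audit_roles(xml_text):
    """Return (aliases, auto_role) for a Domain.xml fragment.

    aliases:   {role class: [role names]} for classes reached by 2+ names.
    auto_role: class given to every auto-created user, or None if disabled.
    """
    root = ET.fromstring(xml_text)

    # Group role names by the class they map to; names that share a class
    # are indistinguishable to Slide, as the reply suspects.
    by_class = defaultdict(list)
    for role in root.iter("role"):
        by_class[(role.text or "").strip()].append(role.get("name"))
    aliases = {c: sorted(n) for c, n in by_class.items() if len(n) > 1}

    # Assumption: an absent auto-create-users element means "disabled".
    enabled = root.findtext(".//auto-create-users", default="false")
    auto_role = None
    if enabled.strip().lower() == "true":
        configured = (root.findtext(".//auto-create-users-role") or "").strip()
        auto_role = configured or DEFAULT_AUTO_ROLE
    return aliases, auto_role

if __name__ == "__main__":
    aliases, auto_role = audit_roles(SAMPLE_DOMAIN_XML)
    for cls, names in aliases.items():
        print(f"role names {names} share one Slide role class: {cls}")
    if auto_role:
        print(f"every auto-created user receives: {auto_role}")
```

On the sample, 'admin' and 'student' are reported as sharing slideroles.basic.UserRole, and the auto-created role falls back to the default class, which matches the classname column in the objects table quoted in the question.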