Posted to dev@directory.apache.org by Emmanuel Lecharny <el...@apache.org> on 2007/04/24 09:01:05 UTC

Why is SchemaService so low in the interceptors stack?

Hi guys !

I have just a formal question : why can't we call the SchemaService 
earlier ? The stack is usually the following :
- normalizationService (N°1, plain normal)
- authenticationService (N°2, makes sense too)
- referralService
- authorizationService
- defaultAuthorizationService ( difference from the previous service ?)
- exceptionService ( what is it used for ?)
- operationalAttributeService
- schemaService <-- here we check that the entry is consistent
... (other services)

I wonder if we shouldn't call schemaService just after the
authenticationService.

Why do I ask this question? Because while fixing some code in 
AuthorizationService, I found that we are doing some checks that are 
delegated to the schemaService. Typically, we are controlling the
existence of an attributeType, and if not present, we check that this AT 
is not requested by the MUST attribute of a specific ObjectClass. This 
has two main drawbacks :
- we do the check twice (should not be a big deal though, because the 
test is pretty fast, but anyway)
- we are doing a wrong test : it's not enough to check that a specific 
OC (here, it's the AccessControlSubentry OC) is not in the OC list for 
this entry, because many other OC can contain this tested attribute

Ok, this is something very unlikely, but this can be seen as a potential 
failure.

Now, I'm not sure that if we put the schemaService higher, it won't 
break the whole server. So my question. If it's not possible, then I see 
no other solution than to fix the AuthorizationService code (TupleCache 
class) :)

Emmanuel
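
The second drawback described in the message above, as an added example that is not part of the original post and is not ApacheDS code: a toy schema model comparing a test that consults one object class with a test that collects MUST attributes over every object class of the entry. The class and method names, the `exampleaciholder` object class, and the choice of `prescriptiveaci` as the tested attribute are assumptions made for illustration.

```java
import java.util.*;

// Added illustration: a toy schema model with constructed data, not ApacheDS code.
public class MustAttributeCheck {
    // Object class definition: superior class (or null) and MUST attribute types.
    record ObjectClassDef(String sup, Set<String> must) {}
    static final Map<String, ObjectClassDef> SCHEMA = new HashMap<>();

    // Names are stored lower-cased because LDAP names are case-insensitive.
    static void define(String name, String sup, String... must) {
        SCHEMA.put(name, new ObjectClassDef(sup, Set.of(must)));
    }
    static {
        define("top", null, "objectclass");
        // Assumption: the page does not name the tested attribute.
        define("accesscontrolsubentry", "top", "prescriptiveaci");
        // Hypothetical second class that requires the same attribute.
        define("exampleaciholder", "top", "prescriptiveaci");
    }

    // Narrow test: a missing attribute is accepted unless one specific OC is present.
    static boolean narrowCheckAccepts(Set<String> ocs, Set<String> attrs, String at) {
        return attrs.contains(at) || !ocs.contains("accesscontrolsubentry");
    }

    // Schema-style test: union of MUST over every object class and its superiors.
    static Set<String> missingMust(Set<String> ocs, Set<String> attrs) {
        Set<String> missing = new TreeSet<>();
        Set<String> seen = new HashSet<>();
        Deque<String> todo = new ArrayDeque<>(ocs);
        while (!todo.isEmpty()) {
            String oc = todo.pop();
            if (!seen.add(oc)) continue;          // already visited
            ObjectClassDef def = SCHEMA.get(oc);
            if (def == null) throw new IllegalArgumentException("unknown OC: " + oc);
            for (String at : def.must())
                if (!attrs.contains(at)) missing.add(at);
            if (def.sup() != null) todo.push(def.sup());
        }
        return missing;
    }

    public static void main(String[] args) {
        // Constructed entry: it lacks prescriptiveaci and is not an accesscontrolsubentry.
        Set<String> ocs = Set.of("top", "exampleaciholder");
        Set<String> attrs = Set.of("objectclass", "cn");
        System.out.println("narrow check accepts entry: "
                + narrowCheckAccepts(ocs, attrs, "prescriptiveaci"));
        System.out.println("missing MUST attributes: " + missingMust(ocs, attrs));
    }
}
```

The narrow test accepts the constructed entry because it never looks at `exampleaciholder`, while the full traversal reports the missing attribute.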

Re: Why is SchemaService so low in the interceptors stack?

Posted by Ersin Er <er...@gmail.com>.
Hi,

I think it's reasonable to have the schemaService higher in the
stack. To authorize a user to do an operation, first we should check
if it's a valid operation or not. Some more comments inlined below.

On 4/24/07, Emmanuel Lecharny <el...@apache.org> wrote:
> Hi guys !
>
> I have just a formal question : why can't we call the SchemaService
> earlier ? The stack is usually the following :
> - normalizationService (N°1, plain normal)
> - authenticationService (N°2, makes sense too)
> - referralService
> - authorizationService
> - defaultAuthorizationService ( difference from the previous service ?)

Yes, this provides the minimum level of authorization even in the
absence of the regular authorizationService.

> - exceptionService ( what is it used for ?)

I don't think it fully serves its purpose now.

> - operationalAttributeService
> - schemaService <-- here we check that the entry is consistent

operationalAttributeService itself does some schema
checking on "virtual" attributes. So operationalAttributeService may
need to be above the schemaService.

> ... (other services)
>
> I wonder if we shouldn't call schemaService just after the
> authenticationService.
>
> Why do I ask this question? Because while fixing some code in
> AuthorizationService, I found that we are doing some checks that are
> delegated to the schemaService. Typically, we are controlling the
> existence of an attributeType, and if not present, we check that this AT
> is not requested by the MUST attribute of a specific ObjectClass. This
> has two main drawbacks :
> - we do the check twice (should not be a big deal though, because the
> test is pretty fast, but anyway)
> - we are doing a wrong test : it's not enough to check that a specific
> OC (here, it's the AccessControlSubentry OC) is not in the OC list for
> this entry, because many other OC can contain this tested attribute
>
> Ok, this is something very unlikely, but this can be seen as a potential
> failure.
>
> Now, I'm not sure that if we put the schemaService higher, it won't
> break the whole server. So my question. If it's not possible, then I see
> no other solution than to fix the AuthorizationService code (TupleCache
> class) :)
>
> Emmanuel
>


-- 
Ersin