svn commit: r797164 - /websites/staging/rave/trunk/content/rave/documentation/security-model-permission.html

[bu...@apache.org]

Author: buildbot
Date: Tue Oct 18 19:19:19 2011
New Revision: 797164

Log:
Staging update by buildbot

Added:
    websites/staging/rave/trunk/content/rave/documentation/security-model-permission.html

Added: websites/staging/rave/trunk/content/rave/documentation/security-model-permission.html
==============================================================================
--- websites/staging/rave/trunk/content/rave/documentation/security-model-permission.html (added)
+++ websites/staging/rave/trunk/content/rave/documentation/security-model-permission.html Tue Oct 18 19:19:19 2011
@@ -0,0 +1,135 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<!--
+
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE- 2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+  <link rel="shortcut icon" href="/rave/images/RAVE-icon.ico" type="image/x-icon" />
+  <link href="/rave/css/rave.css" rel="stylesheet" type="text/css">
+  <title></title>
+  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+</head>
+
+<body>
+  <div id="banner">
+    <img id="logo" alt="Apache Rave (Incubating)" src="/rave/images/RAVE-logo_main-logo-small.png"/>
+  </div>
+  
+  <div id="navigation">
+  <h1 id="general">General</h1>
+<ul>
+<li><a href="/rave/index.html">About</a></li>
+<li><a href="/rave/documentation/index.html">Documentation</a></li>
+<li><a href="/rave/downloads.html">Downloads</a></li>
+<li><a href="http://incubator.apache.org/projects/rave.html">Incubator page</a></li>
+<li><a href="/rave/license.html">License</a></li>
+</ul>
+<h1 id="community">Community</h1>
+<ul>
+<li><a href="/rave/get-involved.html">Get Involved</a></li>
+<li><a href="/rave/mailing-lists.html">Mailing Lists</a></li>
+<li><a href="/rave/people.html">People</a></li>
+</ul>
+<h1 id="development">Development</h1>
+<ul>
+<li><a href="/rave/source.html">Getting Started</a></li>
+<li><a href="/rave/ide-settings-and-debugging.html">IDE Settings and debugging</a></li>
+<li><a href="/rave/release-management.html">Release Management</a></li>
+<li><a href="/rave/issue-management.html">Issue Tracker</a></li>
+<li><a href="https://builds.apache.org/hudson/view/M-R/view/Rave/">Continuous Integration</a></li>
+<li><a href="https://analysis.apache.org/dashboard/index/58996">Sonar Dashboard</a></li>
+<li><a href="/rave/edit-website.html">Website</a></li>
+</ul>
+<h1 id="asf">ASF</h1>
+<ul>
+<li><a href="http://www.apache.org">Apache Software Foundation</a></li>
+<li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li>
+<li><a href="http://www.apache.org/foundation/sponsorship.html">Become a Sponsor</a></li>
+<li><a href="http://www.apache.org/security/">Security</a></li>
+</ul>
+    <a alt="Apache Incubator" href="http://incubator.apache.org">
+      <img id="asf-logo" alt="Apache Incubator" src="/rave/images/apache-incubator-logo.png"/>
+    </a>
+  </div>
+
+  <div id="content">
+    <h1 class="title"></h1>
+    <p><strong>How Rave Model Permission Security Works</strong></p>
+<p>In a nutshell, Rave uses Spring Security annotations to protect the service layer methods.  Below is an overview of the permission related classes in rave-core and what each is used for:</p>
+<p><em>org.apache.rave.portal.security</em></p>
+<p>ModelPermissionEvaluator</p>
+<ul>
+<li>
+<p>Interface that defines the various model Permission functions that need to be implemented.  Also defines a Permission enum to standardize the possible permission values across the model security code. </p>
+</li>
+<li>
+<p>Each model class in Rave will have an  associated default implementation of this interface.  For example, there is a DefaultPagePermissionEvaluator class in the org.apache.rave.portal.security.impl package that defines all of the permission logic for Page model objects.</p>
+</li>
+</ul>
+<p><em>org.apache.rave.portal.security.impl</em></p>
+<p>RaveMethodSecurityExpressionHandler</p>
+<ul>
+<li>
+<p>Extension of the org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler class which handles the logic for expression language security annotations.  The filter method needed to be overridden because the default implementation tries to modify the filterTarget parameter passed in, which can be a Collection or Array object.  Certain implementations of JPA (such as the default OpenJPA used by Rave) create unmodifiable Collection types which cause exceptions to be thrown.  The Rave implementation makes a copy of the Collection and passes it to the super method so it can be modified (filtered).</p>
+</li>
+<li>
+<p>This class is wired into Rave as the “expressionHandler” bean in the applicationContext-security.xml file under rave-portal-resources</p>
+</li>
+</ul>
+<p>RavePermissionEvaluator</p>
+<ul>
+<li>
+<p>Implements the org.springframework.security.access.PermissionEvaluator interface which allows us to inject our custom model permission logic into the Spring Security stack.  This class will be autowired with a List of ModelPermissionEvaluator implementation classes for each of the Rave model classes and stored internally.  The overridden hasPermission functions of this classs inspect the type (class) of targetDomainObject being passed in via the security annotation and use the appropriate ModelPermissionEvalutor to check for permissions.</p>
+</li>
+<li>
+<p>this class is wired into Rave as a property to the RaveMethodSecurityExpressionHandler in the applicationContext-security.xml file under rave-portal-resources</p>
+</li>
+</ul>
+<p>RaveSecurityContext</p>
+<ul>
+<li>This is used as a Context object in the security annotation expression language for situations where permissions need to be checked on an object that is not necessarily the Model object that is being accessed. It contains two properties: Object id and String type.  type is the fully qualified class name of the Object, and id is the id.  See org.apache.rave.portal.service.PageService.getAllPages as an example on how this class is used.</li>
+</ul>
+<p>AbstractModelPermissionEvaluator</p>
+<ul>
+<li>an abstract implementation of the ModelPermissionEvaluator interface to define common functionality that should be shared across all ModelPermissionEvaluator implementations:
+   a) hasPermission: checks to see if the user is a Rave administrator, which trumps all other granular permission checks
+   b) getLoadOrder: returns the integer 1.  This function is used by the RavePermissionEvaluator constructor to sort all of the component scanned ModelPermissionEvaluators before building its internal map.  This allows an easy way to override any of the default ModelPermissionEvaluator classes by third parties.  Overridden classes just need to override getLoadOrder() and return a number greater than 1 to ensure it gets put into the map after the default implementation.  A best practice could be to return super.getLoadOrder() + 1 which would allow an infinite number of overrides for a given ModelPermissionEvaluator.</li>
+</ul>
+<p>Default[Model]PermissionEvaluator classes</p>
+<ul>
+<li>the default implementation of each of the ModelPermissionEvaluator classes, such as DefaultPagePermissionEvaluator.  These implementations contain the default permission security logic for their associated Model class.</li>
+</ul>
+<p><em>org.apache.rave.portal.security.util</em></p>
+<p>AuthenticationUtils</p>
+<ul>
+<li>common helper functions related to org.springframework.security.core.Authentication objects</li>
+</ul>
+  </div>
+
+  <div id="footer">
+    <div class="copyright">
+      <p>
+        Copyright &copy; 2011 The Apache Software Foundation, Licensed under
+        the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.
+        <br />
+        Apache and the Apache feather logos are trademarks of The Apache Software Foundation.
+      </p>
+    </div>
+  </div>
+
+</body>
+</html>