Posted to jetspeed-dev@portals.apache.org by ta...@apache.org on 2008/11/05 10:40:30 UTC
svn commit: r711543 - in /portals/jetspeed-2/portal/trunk/src/site:
resources/images/extending-organization.jpg site.xml xdoc/new-security.xml
Author: taylor
Date: Wed Nov 5 01:40:29 2008
New Revision: 711543
URL: http://svn.apache.org/viewvc?rev=711543&view=rev
Log:
new security documentation, Dennis wrote this and I converted it to xdoc
Added:
portals/jetspeed-2/portal/trunk/src/site/resources/images/extending-organization.jpg (with props)
portals/jetspeed-2/portal/trunk/src/site/xdoc/new-security.xml
Modified:
portals/jetspeed-2/portal/trunk/src/site/site.xml
Added: portals/jetspeed-2/portal/trunk/src/site/resources/images/extending-organization.jpg
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/src/site/resources/images/extending-organization.jpg?rev=711543&view=auto
==============================================================================
Binary file - no diff available.
Propchange: portals/jetspeed-2/portal/trunk/src/site/resources/images/extending-organization.jpg
------------------------------------------------------------------------------
svn:mime-type = application/octet-stream
Modified: portals/jetspeed-2/portal/trunk/src/site/site.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/src/site/site.xml?rev=711543&r1=711542&r2=711543&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/src/site/site.xml (original)
+++ portals/jetspeed-2/portal/trunk/src/site/site.xml Wed Nov 5 01:40:29 2008
@@ -30,10 +30,10 @@
<body>
<links>
- <item name="Jetspeed-1" href="http://portals.apache.org/jetspeed-1" target="_nw"/>
- <item name="Jetspeed-2.1.3" href="http://portals.apache.org/jetspeed-2/jetspeed-2.1.3" target="_nw"/>
- <item name="Jetspeed-2" href="http://portals.apache.org/jetspeed-2" target="_nw"/>
- <item name="Bridges" href="http://portals.apache.org/bridges" target="_nw"/>
+ <item name="Applications" href="http://portals.apache.org/applications/" target="_nw"/>
+ <item name="Jetspeed-2.1.3" href="http://portals.apache.org/jetspeed-2.1.3/" target="_nw"/>
+ <item name="Jetspeed-2" href="http://portals.apache.org/jetspeed-2/" target="_nw"/>
+ <item name="Bridges" href="http://portals.apache.org/bridges/" target="_nw"/>
<!-- TODO: During build, pdf docs need to be generated.
<item name="PDF Documentation" href="/jetspeed2.pdf" img="images/pdf.gif" />
-->
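Review bot: the navigation edits in this hunk are unrelated to the security documentation the log message describes and should be called out (or committed separately): the "Jetspeed-1" link is dropped entirely rather than replaced, and the "Jetspeed-2.1.3" href moves from `http://portals.apache.org/jetspeed-2/jetspeed-2.1.3` to `http://portals.apache.org/jetspeed-2.1.3/`, which is a new path, not just a trailing slash, so confirm that location resolves before the site is published. The commented-out PDF item and its TODO are left as they were.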
@@ -57,9 +57,10 @@
</menu>
<menu name="Documentation">
<item name="Documentation Guides" href="guides/index.html" />
+ <item name="New Security for 2.2" href="new-security.html"/>
<item name="Jetspeed Tutorial - Maven-2 Custom Build" href="http://portals.apache.org/tutorials/jetspeed-2/" />
<item name="Jetspeed Tutorial - Ant Custom Build (incomplete)" href="http://portals.apache.org/tutorials/jetspeed-2-ant/" />
- <item name="Jetspeed-2 API" href="http://portals.apache.org/jetspeed-2/multiproject/jetspeed-api/apidocs/index.html" />
+ <item name="Jetspeed-2 API" href="http://portals.apache.org/jetspeed-2/apidocs/index.html" />
</menu>
<menu name="About Jetspeed-2">
<item name="For Jetspeed-1 Users" href="j1-users.html" />
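Review bot: the new "New Security for 2.2" menu entry will read oddly once 2.2 is no longer new; a version-neutral label such as "Security (2.2)" placed next to the other guides would age better, and it omits the space before `/>` that the neighbouring `<item>` lines use. The change of the "Jetspeed-2 API" href from `.../jetspeed-2/multiproject/jetspeed-api/apidocs/index.html` to `.../jetspeed-2/apidocs/index.html` is again unrelated to the commit log and should be mentioned there.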
Added: portals/jetspeed-2/portal/trunk/src/site/xdoc/new-security.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/src/site/xdoc/new-security.xml?rev=711543&view=auto
==============================================================================
--- portals/jetspeed-2/portal/trunk/src/site/xdoc/new-security.xml (added)
+++ portals/jetspeed-2/portal/trunk/src/site/xdoc/new-security.xml Wed Nov 5 01:40:29 2008
@@ -0,0 +1,158 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<document>
+ <properties>
+ <title>Security 2.2</title>
+ <subtitle>New Security in Version 2.2</subtitle>
+ <authors>
+ <person name="Dennis Dam" email="d.dam@onehippo.com" />
+ <person name="David Sean Taylor" email="taylor@apache.org" />
+ </authors>
+ </properties>
+ <body>
+ <section name="Jetspeed Security Framework">
+ <subsection name="Key Concepts: Subjects, Principals, Credentials">
+ <p>
+Jetspeed supports Subject-based security as defined by JAAS (Java Authentication and Authorization Services).
+A subject is an aggregation of security information for a security entity, like a person.
+A subject can have several identities, also called principals. For example, a user logging into a
+Jetspeed portal is associated with one Subject, which contains a user principal, zero or more role principals, zero or more group principals, etc.
+Each principal can be associated with a set of permissions that allow the user to perform certain actions, like accessing a page, updating secured objects, etc.
+Finally, user principals in Jetspeed can be associated with a credential. A credential is, simply put, a username / password combination.
+ </p>
+ </subsection>
+ <subsection name="Jetspeed Security Component">
+ <p>
+All the security identity information above is managed by the Jetspeed Security Component. The Jetspeed Security Component provides a mechanism to access and update principal,
+ credential and permission data. When a user is authenticated in Jetspeed, a user principal is resolved for that user, based on the credentials that the user provided on login.
+ A user principal can then be associated with several other principals, which can be of the same (user principal) or different type (e.g. role, group, ..).
+ Principals are resolved in a nested manner, which means that each principal that is associated with the user principal can also be associated with other principals,
+ which can in turn be associated with other principals, etc. The final collection of principals found in this way is aggregated and attached to the Subject that is
+ resolved for the authenticated user. The Subject is used throughout Jetspeed for security purposed and can also be used by portlet applications to secure custom objects
+ using standard JAAS API.
+ </p>
+ </subsection>
+ <subsection name="Pluggable Security Architecture: Adapting to Different Security Models">
+ <p>
+Every project usually requires different security models, with meaningful relations between security principals that make sense for that project.
+Most projects can get away with using standard principal types like users, roles and groups, with regular associations between those principal types,
+like a user being a member of a role or group, a group being a member of a role, etc. There are also projects however, which go beyond that and require
+new principal types and custom associations between principal types. These projects create the need for a pluggable security architecture where new principal types
+ and principal associations can be added easily. This is exactly what the Jetspeed Security Component provides. This is best explained by illustrating
+ a custom security model, where a user is related to an organization. Jetspeed contains built-in support for users, groups and roles and associations between those,
+ but not for organizations and associations between users and organizations. To achieve that though, the following changes can be made to plugin organizations:
+ </p>
+<ul>
+<li>create a new class "Organization", implementing JetspeedPrincipal</li>
+<li>implement an OrganizationManager, based on the BaseJetspeedPrincipalManager.</li>
+<li>configure an "isMemberOf" association handler between a user and organization principal type</li>
+</ul>
+ <p>
+The OrganizationManager is a strongly typed manager with methods for accessing and storing organizations. The BaseJetspeedPrincipalManager class however, is a weakly typed manager,
+ which only operates on abstract principals. This means that for the most part, the OrganizationManager class can delegate back to the base class, except for some specific
+ organization handling and typecasting abstract principals back to organization instances.
+ </p>
+ <p>
+Configuring an association between users and organizations is in this case very simple, because an "isMemberOf" association handler is provided by default by Jetspeed.
+Configuring it is a matter of specifying a new instance of that handler and wiring it to both the UserManager and the OrganizationManager.
+ The custom security model setup is depicted in Figure 1.
+ <img src="images/extending-organization.jpg"/>
+ <i>Figure 1: Extending the security model with organizations</i>
+ </p>
+ </subsection>
+ <subsection name="Principals and Attributes">
+ <p>
+A Jetspeed principal is basically nothing more than a set of security attributes describing the principal.
+The attributes are custom and can differ per project. A user principal for example, can have contact information attributes.
+ An organization principal (from the example above) can have geographical coordinates of the office as an attribute.
+ The set of allowed attributes can be configured through Spring for each principal type.
+ Besides the attributes, a principal also has several constraints in its usage and access that can be configured,
+ such as whether the principal is read-only, can be removed, is enabled, etc.
+ </p>
+ </subsection>
+ <subsection name="Principal Associations">
+ <p>
+A principal association is a relation between two principals, where the relation always has a direction: it goes from one principal to another. For example,
+ in the relation "user is part of a group", the user is the starting point of the relation (the from principal) and the group is the ending point of the relation (the to principal).
+ The naming convention using "to" and "from" is used in the Jetspeed Security API. An example is a method in the JetspeedPrincipalManager interface called getAssociatedTo(..),
+ which fetches a list of associated principals given the name of a principal representing the "to" side of the association, and given the type of association.
+ The list of principals returned represent the "from" principals in the association. Associations have several characteristics, that influence the creation and deletion of
+ the principals in the association, or affect the way associations can be made between principals. The following list contains an overview of these characteristics:
+ </p>
+ <table>
+ <tr>
+ <th>Characteristic</th>
+ <th> Description</th>
+ </tr>
+ <tr>
+ <td>required</td>
+ <td>the "from" principal cannot be created without this association</td>
+ </tr>
+ <tr>
+ <td>dependent</td>
+ <td>the "from" principal will be deleted when the "to" principal is deleted</td>
+ </tr>
+ <tr>
+ <td>singular</td>
+ <td>the "from" principal can be associated from at most once</td>
+ </tr>
+ <tr>
+ <td>dominant</td>
+ <td>the "to" principal can be associated to at most once</td>
+ </tr>
+ </table>
+ <p>
+ All these characteristics are configured for an association through Spring.
+ </p>
+ <p>
+The built-in implementations of associations by Jetspeed are (and should be) independent of specific principal types. The advantage of that is that associations
+are pluggable and can be re-used between different pairs of principal types.
+ </p>
+ </subsection>
+ <subsection name="Storage of Principals and Associations">
+ <p>
+The storage engine of the Jetspeed Security Component uses a database to store and retrieve security data. By only allowing one type of data store,
+the storage and retrieval methods used internally by Jetspeed can be optimized and fine-tuned. An additional advantage is that more complex queries
+ on security data are possible, which would be difficult to achieve if the storage engine was abstracted in such a way that any data store could be supported.
+ </p>
+ <p>
+If the security model in Jetspeed is extended with new principals and/or associations, nothing has to be changed in database scripts or other code related to database.
+Jetspeed's generic storage engine will take care of storing and retrieving data.
+Although the storage engine works on top of a database internally, you have the possibility to synchronize data from another datastore. This will be discussed in the next section.
+ </p>
+ </subsection>
+ <subsection name="Synchronization and Replication">
+ <p>
+Security data can be synchronized from an external data store, and mapped to the database used internally by Jetspeed. Currently, LDAP is the only type of external
+data store supported by Jetspeed. LDAP data can be synchronized periodically, on startup or on authentication of a user. When synchronizing on authentication of a user,
+only the data related to that user is synchronized. Replication refers to writing back security data to the external store whenever security data in the database is updated.
+Synchronization is a mechanism which ensures that the contents of the external data store are the same as the internal database, where the external datastore has the highest
+priority. LDAP synchronization and replication is discussed in more detail in the LDAP Mapping guide.
+ </p>
+ </subsection>
+ <subsection name="Credentials">
+ <p>
+ </p>
+ </subsection>
+ <subsection name="Permissions">
+ <p>
+ </p>
+ </subsection>
+ </section>
+ </body>
+</document>
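Review bot: the "Credentials" and "Permissions" subsections near the end of the file are empty `<p></p>` placeholders, yet the introduction promises both (credentials as the username/password pairing of a user principal, permissions as what allows a principal to perform actions); for a security guide those are the parts a deployer needs most, so either fill them in before publishing or drop the headings until the text exists. A few wording fixes in the same hunk: "used throughout Jetspeed for security purposed" should read "security purposes"; "to plugin organizations" should be "to plug in organizations"; "code related to database" should be "code related to the database". The association table's last two rows are hard to parse ("the 'from' principal can be associated from at most once", "the 'to' principal can be associated to at most once"); rephrasing them in terms of the example above, e.g. a singular association means a user can belong to at most one organization, a dominant one means an organization can have at most one such user, would make the constraints concrete. In the "Synchronization and Replication" paragraph, synchronization is said to give the external store the highest priority while replication writes database updates back to it; a sentence on which side wins when both have changed would remove the ambiguity. Finally, "the LDAP Mapping guide" is referenced without a link; since this is an xdoc, an `<a href>` to that guide would help.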