Posted to dev@turbine.apache.org by Paul Smith <Pa...@lawlex.com.au> on 2003/01/10 07:28:48 UTC

RE: New Security Service [was RE: TurbineUser - Extending it? May be you should not have to.]

Hi Dan,

I think your design of the security framework is first rate.  What I am not
sure about, and as I said before it is probably related to my lack of clear
understanding of JAAS, is that your framework (can) effectively "wrap" JAAS.
If Sun is pushing JAAS as their "security" architecture, wouldn't it be
better for your framework to effectively _BE_ the JAAS implementation.  That
way Turbine could be seen to be JAAS compatible (always nice to promote
standards), and your framework is the actual guts of it.

Put in another way, the J2EE spec is the framework that all developers code
against, and JBoss is a specific implementation of that framework that you
use, then JAAS is the framework, and your code is the bits that are actually
used.

Hope I make sense, but I am probably off the mark.

I am keen to discuss this whole concept further and explore because Turbine
could really benefit from a nicely separated security architecture.

cheers,

Paul Smith

> -----Original Message-----
> From: Dan Diephouse [mailto:dan@envoisolutions.com]
> Sent: Friday, 10 January 2003 5:21 PM
> To: turbine-dev@jakarta.apache.org
> Subject: Re: New Security Service [was RE: TurbineUser - Extending it?
> May be you should not have to.]
> 
> 
> What is your judgement on my framework?  I tried to design it so anyone
> can use whatever method they want.  Hopefully it is application
> agnostic.  I would like to have that any application might be able to
> use, not just Turbine.
> 
> Think about this.  If you wanted to use my framework and JAAS with 
> turbine, we might want to authenticate against a "web page" resource 
> type.  You would first want to register your implementation of the 
> ResourceAccessController class with the ResourceManager, like so
> 
> DefaultResourceManager myResourceManager = new DefaultResourceManager();
> myResourceManager.register("webpagetype", myJAASResourceAccessController);
> 
> where myJAASResourceAccessController is a class you would design (well,
> actually, we would have several default implementations of this class -
> I already designed a basic XML one.  Please see my docs).  In your
> application's code, which would be a valve in the TurbinePipeline for T3,
> you would find this "Resource"'s ResourceAccessController this way:
> 
> ResourceAccessController controller = myResourceManager.lookup("webpagetype");
> 
> This controller will be an implementation that you registered earlier
> with the DefaultResourceManager.  You can then test for a specific
> credential like so:
> 
> controller.hasCredential( userEntity, new BasicCredential("read"),
>     new WebPageResource("/store/buy.html"));
> 
> In fact, we can even develop custom resource types, for if we wanted to
> not only base resources on the webpage name, but on the current
> "project" or "group" of the user (most people - like the original
> turbine code, made the mistake of thinking that groups are a credential
> when they are really a *resource*).  We would do this like so:
> 
> ResourceAccessController projectcontroller = myResourceManager.lookup("projectwebpagetype");
> projectcontroller.hasCredential( userEntity, new BasicCredential("read"),
>     new ProjectPageResource("/store/buy.html", "Project1034"));
> 
> Do you see how this all works now?  I went into more depth in this
> message so everyone can get a feel for it.  Please see the docs too!
> Remember, those ResourceAccessControllers can be either an
> implementation that comes boxed - such as a database implementation, or
> your own custom implementation, like a JAAS one.
> 
> Cheers,
> 
> - Dan Diephouse
> 
> 
> Paul Smith wrote:
> > Hi All,
> > 
> > Whatever the security mechanism is that is chosen, I think it should be a
> > number #1 priority to fit into Sun's JAAS model (it's in JDK 1.4 now so we
> > can't hide from it). Now I am no expert on JAAS, but IMHO that will enable
> > people to integrate a bit easier into other Java related technologies (i.e.
> > J2EE). It still amazes me that everyone keeps having to roll their own
> > security layers into their apps (not just in Turbine, and hey, I've just
> > done this myself in the last 12 months).  The more integration with already
> > proven technologies the best chance of success, and shorter time to release
> > (possibly a bold statement).
> > 
> > cheers,
> > 
> > Paul Smith
> > 
> > 
> >>-----Original Message-----
> >>From: Colin Chalmers [mailto:colin.chalmers@maxware.nl]
> >>Sent: Wednesday, 8 January 2003 5:00 AM
> >>To: Turbine Developers List
> >>Subject: Re: New Security Service [was RE: TurbineUser - Extending it?
> >>Maybe you should not have to.]
> >>
> >>
> >>Would it be able to plug into other systems? ie Tomcat's Realm or Sun's JAAS?
> >>
> >>The discussion surrounding security was quite lively about a year ago (was
> >>it really a year ago?) with some good suggestions on improving the current
> >>service.
> >>
> >>Should we perhaps re-waken this discussion and see if we get any further?
> >>
> >>/c
> >>
> >>
> >>
> >>>>Speaking of this topic, I had an idea one night about security.  After a
> >>>>couple hours I came up with this:
> >>>>
> >>>>http://dan.envoisolutions.com/jasf/
> >>>>
> >>>>It seems to be pretty flexible, but I'm not sure everyone would like
> >>>>using it.  I wanted something where I could authenticate not only
> >>>>webpages, but other resources - such as access to various components in
> >>>>my system.  I even wrote an XML user and permission based system for it.
> >>>>Thoughts?
> >>>
> >>>I like it. How do you specify the controllers you want to use? I'm
> >>>thinking from the point of view of a Turbine security service, you
> >>>would probably want to configure that from the properties file.
> >>>
> >>>In fact, I think it works pretty much like the thing I came up with.
> >>>Good work! ;-)
> >>>
> >>>
> >>>>- Dan Diephouse
> >>>
> >>>Regards,
> >>>
> >>>
> >>>--
> >>>Gonzalo A. Diethelm
> >>>gonzalo.diethelm@aditiva.com
> >>>
> >>>

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
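
The register / lookup / hasCredential flow described in the quoted message above, as an added sketch that is not part of the thread or of Dan's framework. The type shapes, the plain-string user and credential arguments, the constructed grant sets and the deny-by-default lookup are all assumptions made for this example (Java 16 or later).

```java
import java.util.*;

// Hypothetical shapes: the thread names these types but does not show their definitions.
interface ResourceAccessController {
    boolean hasCredential(String user, String credential, Object resource);
}
record WebPageResource(String path) {}
record ProjectPageResource(String path, String project) {}

final class ResourceManager {
    // Fail closed (assumption): an unregistered resource type denies every request.
    private static final ResourceAccessController DENY_ALL = (u, c, r) -> false;
    private final Map<String, ResourceAccessController> byType = new HashMap<>();

    void register(String type, ResourceAccessController controller) {
        byType.put(type, Objects.requireNonNull(controller));
    }
    ResourceAccessController lookup(String type) {
        return byType.getOrDefault(type, DENY_ALL);
    }
}

public class AccessDemo {
    public static void main(String[] args) {
        // Constructed grants: (user, credential, path) and (user, credential, project, path).
        Set<List<String>> pageGrants = Set.of(List.of("alice", "read", "/store/buy.html"));
        Set<List<String>> projectGrants =
            Set.of(List.of("alice", "read", "Project1034", "/store/buy.html"));

        ResourceManager rm = new ResourceManager();
        rm.register("webpagetype", (u, c, r) ->
            r instanceof WebPageResource p && pageGrants.contains(List.of(u, c, p.path())));
        // The project is part of the resource being protected, not a credential of the user.
        rm.register("projectwebpagetype", (u, c, r) ->
            r instanceof ProjectPageResource p
                && projectGrants.contains(List.of(u, c, p.project(), p.path())));

        ResourceAccessController page = rm.lookup("webpagetype");
        ResourceAccessController proj = rm.lookup("projectwebpagetype");
        var buy = new WebPageResource("/store/buy.html");
        var granted = new ProjectPageResource("/store/buy.html", "Project1034");
        var other = new ProjectPageResource("/store/buy.html", "Project2000");

        System.out.println("page, granted path:       " + page.hasCredential("alice", "read", buy));
        System.out.println("project, granted project: " + proj.hasCredential("alice", "read", granted));
        System.out.println("project, other project:   " + proj.hasCredential("alice", "read", other));
        // A resource of the wrong kind and an unregistered type are both denied.
        System.out.println("page controller, project resource: " + page.hasCredential("alice", "read", granted));
        System.out.println("unregistered type:        " + rm.lookup("ftptype").hasCredential("alice", "read", buy));
    }
}
```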


Re: New Security Service [was RE: TurbineUser - Extending it? May be you should not have to.]

Posted by Dan Diephouse <da...@envoisolutions.com>.
Stephen Haberman wrote:
> On Fri, Jan 10, 2003 at 05:28:48PM +1100, Paul Smith wrote:
> 
>>I think your design of the security framework is first rate.  What I am not
>>sure about, and as I said before it is probably related to my lack of clear
>>understanding of JAAS, is that your framework (can) effectively "wrap" JAAS.
>>If Sun is pushing JAAS as their "security" architecture, wouldn't it be
>>better for your framework to effectively _BE_ the JAAS implementation.  That
>>way Turbine could be seen to be JAAS compatible (always nice to promote
>>standards), and your framework is the actual guts of it.
> 
> 
> Unless Dan or someone more intimate with JAAS corrects me, I really
> don't see how JAAS fits into the Turbine picture.
> 
> From the tidbits I picked up on the Sun site, JAAS is an
> authentication/authorization framework for the likes of
> rlogin/SSH/telnet/Kerberos/etc. For users logging into boxes to get
> terminals/files/etc. Not for applications doing
> tens/hundreds/thousands of authentications/authorizations per second
> as users hit a web application or similar service.
> 
> Unless that is what Dan envisions his framework being; e.g. a
> Fulcrum/Turbine interface that interacts with enterprise
> systems and the like. But I was fairly sure it was offered as a
> replacement for the current security framework for merely checking
> against a JDBC/XML source whether a user has access to X or Y.
> 
> I looked at Dan's framework for about as long as I looked at the
> JAAS stuff, so I could be wrong. And not long enough to make a good
> judgement call on the quality of Dan's framework, other than I
> really appreciate the effort as the current solution works well, but
> could be better.
> 
> - Stephen

Stephen is right.  It does not make sense for a web application security 
to be strictly JAAS.  The purpose of this solution is to make it so 
developers can use whatever framework they desire.  JAAS has a narrow 
spectrum.  Just because it has the words "Java" and "Security" and is 
made by Sun, does not mean it needs to be the basis of every application :).

I will try and write up more of the framework in the next two nights and 
post it.  Hopefully this will give people a better idea of how it will 
work.  I'd like to start the Turbine integration - which should be 
pretty simple.  Once it is integrated into Turbine, people can just 
write their own ResourceAccessControllers for the web page resource type. 
So, this we'll have a go at it with this framework?  I would still 
like to hear from some of the more longtime developers on the Turbine 
framework and their thoughts.  Everyone has a lot of vested interest in 
this project, but I'll volunteer to come up with a working 
implementation of this framework.

- Dan





Re: New Security Service [was RE: TurbineUser - Extending it? May be you should not have to.]

Posted by Stephen Haberman <st...@beachead.com>.
On Fri, Jan 10, 2003 at 05:28:48PM +1100, Paul Smith wrote:
> I think your design of the security framework is first rate.  What I am not
> sure about, and as I said before it is probably related to my lack of clear
> understanding of JAAS, is that your framework (can) effectively "wrap" JAAS.
> If Sun is pushing JAAS as their "security" architecture, wouldn't it be
> better for your framework to effectively _BE_ the JAAS implementation.  That
> way Turbine could be seen to be JAAS compatible (always nice to promote
> standards), and your framework is the actual guts of it.

Unless Dan or someone more intimate with JAAS corrects me, I really
don't see how JAAS fits into the Turbine picture.

From the tidbits I picked up on the Sun site, JAAS is an
authentication/authorization framework for the likes of
rlogin/SSH/telnet/Kerberos/etc. For users logging into boxes to get
terminals/files/etc. Not for applications doing
tens/hundreds/thousands of authentications/authorizations per second
as users hit a web application or similar service.

Unless that is what Dan envisions his framework being; e.g. a
Fulcrum/Turbine interface that interacts with enterprise
systems and the like. But I was fairly sure it was offered as a
replacement for the current security framework for merely checking
against a JDBC/XML source whether a user has access to X or Y.

I looked at Dan's framework for about as long as I looked at the
JAAS stuff, so I could be wrong. And not long enough to make a good
judgement call on the quality of Dan's framework, other than I
really appreciate the effort as the current solution works well, but
could be better.

- Stephen
