Posted to slide-user@jakarta.apache.org by Brian Lee <bl...@macys.com> on 2004/11/09 20:45:12 UTC

Resource Permissions

Can someone tell me how permissions work? Looking at the source - in 
particular the stores code in WCK and Slide itself, I don't see anything 
that checks for authorization to perform actions -such as reading, 
deleting, .... The only thing I see for security is access to Slide 
itself (I'm not too sure how ACL is implemented) If it isn't there, can 
someone give me advice on implementing a security check before each action?

---------------------------------------------------------------------
To unsubscribe, e-mail: slide-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: slide-user-help@jakarta.apache.org


Re: Resource Permissions

Posted by Morten <li...@kikobu.com>.
Thanks James. I will spend some time writing some examples for both 
client and server.

Best,

Morten


On Tue, 9 Nov 2004, James Mason wrote:

> Morten,
> 
> I can give you hints, but it kind of depends on what you mean by "Slide
> API". Using the client API you just need to replicate the sequence of
> WebDAV methods in the howto document using the Slide client library. It
> should be fairly obvious (PROPFIND, MKCOL, PROPPATCH, etc).
> 
> Using the server API is probably slightly more difficult (and I can't
> help you much there since I'm not very familiar with server API). The
> concept is the same, though. You need to create an ObjectNode for the
> user and set some properties in its NodeRevisionDescriptor. Then you
> need to get the NodeRevisionDescriptor for the role node and update its
> group-member-set property.
> 
> -James


Re: Resource Permissions

Posted by James Mason <ma...@apache.org>.
Morten,

I can give you hints, but it kind of depends on what you mean by "Slide
API". Using the client API you just need to replicate the sequence of
WebDAV methods in the howto document using the Slide client library. It
should be fairly obvious (PROPFIND, MKCOL, PROPPATCH, etc).

Using the server API is probably slightly more difficult (and I can't
help you much there since I'm not very familiar with server API). The
concept is the same, though. You need to create an ObjectNode for the
user and set some properties in its NodeRevisionDescriptor. Then you
need to get the NodeRevisionDescriptor for the role node and update its
group-member-set property.

-James

On Tue, 2004-11-09 at 23:19 +0100, Morten wrote:
> Oliver - I think what Brian is looking for is the same as me: A place, 
> above DAV protocol level, to get started with authorization. A 
> programmatic way of using all the goodness you've implemented from 
> RFC3744, ie. what API to add/remove/configure the principals, groups, 
> privileges and ACLs defined by the RFC.
> 
> Basically it's the functionality demonstrated using DAV Explorer here:
> http://jakarta.apache.org/slide/howto-create-users.html
> 
> An example on how to, programmatically - using the Slide API, accomplish 
> what's done in the above link would be a great starting point to coding 
> for the Slide API. Basically it's:
> 
> 1. Lookup /slide/users node
> 2. Create collection (user) under this node
> 3. Add password property for newly created user
> 4. Lookup /slide/roles/user node
> 5. Add newly created user to the group-member-set property of the node
> 
> Can any of you cook up a basic example on how to do this using the Slide 
> API? Or give a few hints and I would be more than happy to take a shot 
> myself.
> 
> Thanks,
> 
> Morten
> 
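
The five steps from Morten's list, written out as the WebDAV requests James mentions (PROPFIND, MKCOL, PROPPATCH). This is an added example, not code from the thread or from Slide; it needs Java 16 or later. The password property's name and namespace are placeholders (the thread does not give them), and the user names and password are constructed sample values.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class CreateUserRequests {
    /** One WebDAV request of the sequence: method, target path, XML body (may be empty). */
    record Request(String method, String path, String body) {}

    // Placeholder: the thread does not give the password property's name or namespace.
    static final String PASSWORD_NS = "urn:example:password-property-namespace";

    static String xmlEscape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
    }

    static String propertyUpdate(String propXml) {
        return "<D:propertyupdate xmlns:D=\"DAV:\"><D:set><D:prop>" + propXml
             + "</D:prop></D:set></D:propertyupdate>";
    }

    /**
     * Builds steps 1-5. currentMembers is what the PROPFIND in step 4 returned:
     * PROPPATCH replaces the whole property, so existing members must be sent back.
     */
    static List<Request> plan(String user, String password, Set<String> currentMembers) {
        // The name becomes a path segment: allow only a conservative character set.
        if (!user.matches("[A-Za-z0-9_.-]{1,64}") || user.startsWith(".")) {
            throw new IllegalArgumentException("unsafe user name: " + user);
        }
        String userPath = "/slide/users/" + user;
        Set<String> members = new LinkedHashSet<>(currentMembers);
        members.add(userPath);
        StringBuilder hrefs = new StringBuilder();
        for (String member : members) {
            hrefs.append("<D:href>").append(xmlEscape(member)).append("</D:href>");
        }
        String findMembers = "<D:propfind xmlns:D=\"DAV:\"><D:prop><D:group-member-set/>"
                           + "</D:prop></D:propfind>";
        return List.of(
            new Request("PROPFIND", "/slide/users", ""),                   // 1. look up node
            new Request("MKCOL", userPath, ""),                            // 2. create user
            new Request("PROPPATCH", userPath, propertyUpdate(             // 3. set password
                "<P:password xmlns:P=\"" + PASSWORD_NS + "\">" + xmlEscape(password)
                + "</P:password>")),
            new Request("PROPFIND", "/slide/roles/user", findMembers),     // 4. read role
            new Request("PROPPATCH", "/slide/roles/user", propertyUpdate(  // 5. write members
                "<D:group-member-set>" + hrefs + "</D:group-member-set>")));
    }

    public static void main(String[] args) {
        // Constructed sample input: the role already has one member.
        for (Request r : plan("jdoe", "s3cr&t<pw>", Set.of("/slide/users/root"))) {
            System.out.println(r.method() + " " + r.path());
            if (!r.body().isEmpty()) System.out.println("  " + r.body());
        }
    }
}
```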




Re: Resource Permissions

Posted by Morten <li...@kikobu.com>.
Oliver - I think what Brian is looking for is the same as me: A place, 
above DAV protocol level, to get started with authorization. A 
programmatic way of using all the goodness you've implemented from 
RFC3744, ie. what API to add/remove/configure the principals, groups, 
privileges and ACLs defined by the RFC.

Basically it's the functionality demonstrated using DAV Explorer here:
http://jakarta.apache.org/slide/howto-create-users.html

An example on how to, programmatically - using the Slide API, accomplish 
what's done in the above link would be a great starting point to coding 
for the Slide API. Basically it's:

1. Lookup /slide/users node
2. Create collection (user) under this node
3. Add password property for newly created user
4. Lookup /slide/roles/user node
5. Add newly created user to the group-member-set property of the node

Can any of you cook up a basic example on how to do this using the Slide 
API? Or give a few hints and I would be more than happy to take a shot 
myself.

Thanks,

Morten


Oliver Zeigermann wrote:
> Security is checked according to
> 
> http://www.greenbytes.de/tech/webdav/rfc3744.html
> 
> Oliver


RE: Resource Permissions

Posted by Nick Longinow <ni...@vanhooseassociates.com>.
In a sense, yes.

This link is a very good read, it will clear much up.
http://greenbytes.de/tech/webdav/draft-ietf-webdav-acl-13.html#privileges

Nick


-----Original Message-----
From: Brian Lee [mailto:blee@macys.com] 
Sent: Tuesday, November 09, 2004 4:18 PM
To: Slide Users Mailing List
Subject: Re: Resource Permissions

The thing is, I do not know 'who' is making the webdav request. By 
principal do you mean username?



Re: Resource Permissions

Posted by Brian Lee <bl...@macys.com>.
The thing is, I do not know 'who' is making the webdav request. By 
principal do you mean username?

Oliver Zeigermann wrote:

>It is the principal you authenticated with. The second part of the
>question is not clear to me. If you want to implement your own
>authentication from scratch, do whatever you see fit and just throw an
>access denied exception when you do not want to serve a specific
>request. If you want to use something already done use Slide's
>internal security mechanism which works as described in the link I
>have sent. If you do so, access rights will be checked before WCK
>methods even get called, i.e. if you do not have the right to execute
>a certain action, you won't even get an invocation of any
>BasicWebdavStore methods.
>
>Hope this helps,
>
>Oliver 


Re: Resource Permissions

Posted by Oliver Zeigermann <ol...@gmail.com>.
It is the principal you authenticated with. The second part of the
question is not clear to me. If you want to implement your own
authentication from scratch, do whatever you see fit and just throw an
access denied exception when you do not want to serve a specific
request. If you want to use something already done use Slide's
internal security mechanism which works as described in the link I
have sent. If you do so, access rights will be checked before WCK
methods even get called, i.e. if you do not have the right to execute
a certain action, you won't even get an invocation of any
BasicWebdavStore methods.

Hope this helps,

Oliver 


On Tue, 09 Nov 2004 12:37:13 -0800, Brian Lee <bl...@macys.com> wrote:
> hmmmm let me be more specific -
> 
> what is found in  principal of
> 
> void begin(Service service, Principal principal, Object connection,
>            LoggerFacade logger, Hashtable parameters)
>     throws ServiceAccessException, ServiceParameterErrorException,
>            ServiceParameterMissingException
> 
> for a custom store based on WCK - what do you recommend I do for
> permissions on resources based on what I can get (in terms of
> parameters) for each instance of the BasicWebdavStore?
>
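
Oliver's point that access rights are checked before any store method is invoked, as an added Java example that is not Slide's or WCK's code: an ordered grant/deny evaluation in the style of RFC 3744, simplified to exact-resource ACLs without inheritance, wrapped around a store that contains no security code. The Store interface, the user names, the ACL entries and the mapping from login name to /slide/users/<name> are assumptions made for the example; it needs Java 16 or later.

```java
import java.security.Principal;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class AclGuardExample {
    /** One ACE: the principal it applies to, grant or deny, and the privileges it names. */
    record Ace(String principal, boolean grant, Set<String> privileges) {}

    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String message) { super(message); }
    }

    /** Hypothetical stand-in for a custom store; it contains no security code. */
    interface Store { String perform(String privilege, String uri); }

    // Constructed sample data: one role with its group-member-set, one resource ACL.
    static final Map<String, Set<String>> GROUP_MEMBER_SET = Map.of(
        "/slide/roles/user", Set.of("/slide/users/alice", "/slide/users/bob"));
    static final Map<String, List<Ace>> ACLS = Map.of(
        "/slide/files/report.txt", List.of(
            // bob's deny is listed before the role's grant, so it decides for write
            new Ace("/slide/users/bob", false, Set.of("write")),
            new Ace("/slide/roles/user", true, Set.of("read", "write"))));

    /** An ACE applies to the principal itself or to a group listing it as a member. */
    static boolean applies(Ace ace, String principalUri) {
        return ace.principal().equals(principalUri)
            || GROUP_MEMBER_SET.getOrDefault(ace.principal(), Set.of()).contains(principalUri);
    }

    /** ACEs are read in order; the first that applies and names the privilege decides. */
    static boolean isGranted(String principalUri, String uri, String privilege) {
        for (Ace ace : ACLS.getOrDefault(uri, List.of())) {
            if (applies(ace, principalUri) && ace.privileges().contains(privilege)) {
                return ace.grant();
            }
        }
        return false; // nothing matched: deny by default
    }

    /** Wraps a store so the ACL check runs first; a denied call never reaches it. */
    static Store guarded(Store inner, Principal caller) {
        return (privilege, uri) -> {
            // An unauthenticated request has no principal and matches no ACE here.
            String principalUri = caller == null ? "" : "/slide/users/" + caller.getName();
            if (!isGranted(principalUri, uri, privilege)) {
                throw new AccessDeniedException(privilege + " denied on " + uri);
            }
            return inner.perform(privilege, uri);
        };
    }

    public static void main(String[] args) {
        int[] storeCalls = {0};
        Store backend = (privilege, uri) -> { storeCalls[0]++; return privilege + " ok"; };
        String target = "/slide/files/report.txt";
        for (String name : List.of("alice", "bob", "mallory")) {
            Store store = guarded(backend, () -> name); // Principal: getName() only
            for (String wanted : List.of("read", "write")) {
                try {
                    System.out.println(name + ": " + store.perform(wanted, target));
                } catch (AccessDeniedException e) {
                    System.out.println(name + ": " + e.getMessage());
                }
            }
        }
        System.out.println("store invocations: " + storeCalls[0]);
    }
}
```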



Re: Resource Permissions

Posted by Brian Lee <bl...@macys.com>.
hmmmm let me be more specific -

what is found in  principal of

void begin(Service service, Principal principal, Object connection,
           LoggerFacade logger, Hashtable parameters)
    throws ServiceAccessException, ServiceParameterErrorException,
           ServiceParameterMissingException

for a custom store based on WCK - what do you recommend I do for 
permissions on resources based on what I can get (in terms of 
parameters) for each instance of the BasicWebdavStore?

Oliver Zeigermann wrote:

>Security is checked according to
>
>http://www.greenbytes.de/tech/webdav/rfc3744.html
>
>Oliver


Re: Resource Permissions

Posted by Oliver Zeigermann <ol...@gmail.com>.
Security is checked according to

http://www.greenbytes.de/tech/webdav/rfc3744.html

Oliver


On Tue, 09 Nov 2004 11:45:12 -0800, Brian Lee <bl...@macys.com> wrote:
> Can someone tell me how permissions work? Looking at the source - in
> particular the stores code in WCK and Slide itself, I don't see anything
> that checks for authorization to perform actions -such as reading,
> deleting, .... The only thing I see for security is access to Slide
> itself (I'm not too sure how ACL is implemented) If it isn't there, can
> someone give me advice on implementing a security check before each action?