Posted to jetspeed-dev@portals.apache.org by David Sean Taylor <da...@bluesunrise.com> on 2002/10/14 21:27:42 UTC

FW: Security Team

Anyone (committer) wanna be our liaison on the Apache Security Team?

-----Original Message-----
From: Ben Laurie [mailto:ben@algroup.co.uk]
Sent: Friday, October 11, 2002 8:24 AM
To: committers@apache.org
Subject: Security Team


Hi,

At the ASF board meeting on Wednesday, a motion to create a board 
committee (known as the Apache Security Team) responsible for security 
across the whole ASF was passed. Whilst we are still figuring out 
exactly how this will work, one of the things that is required is that 
every project should appoint a liaison to the team. This liaison will 
need to have commit access to the project, and the technical ability to 
make releases for the project.

So, please be thinking about who that should be for any projects you are 
involved in (more than one liaison is fine).

Once you know who it should be, please email security@apache.org with 
details.

We'll also be needing one or more volunteer(s) to maintain the security 
team's webpages, so if that's you, speak up.

Cheers,

Ben (Chair, Apache Security Team).

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff



--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Apache Security Team

Posted by Santiago Gala <sg...@hisitech.com>.
Paul Spencer wrote:
> David,
> I do not have the time :(
> 
> Paul Spencer
> 
> David Sean Taylor wrote:
> 
>> Anyone (committer) wanna be our liaison on the Apache Security Team?
>>

I wonder if anyone took this duty.

Even though I have shown very little activity in the last months, I will 
have more time in the near future, and security is definitely one of the 
things that I will be devoted to.

If the liaison is still needed, I could be the one.

Regards,
      Santiago






Re: FW: Security Team

Posted by Paul Spencer <pa...@apache.org>.
David,
I do not have the time :(

Paul Spencer

David Sean Taylor wrote:

> Anyone (committer) wanna be our liaison on the Apache Security Team?





Re: Upgrading to Latest Jars

Posted by Martin Poeschl <mp...@marmot.at>.
David Sean Taylor wrote:
> I'd like to upgrade to the latest versions of :
> 
> Torque
> Turbine
> Stratum
> Fulcrum
> 
> I checked out all four projects from cvs head, built them and then modified
> Jetspeed to bring it up-to-date.
> Ran unit tests, everything seems to be working against Hypersonic SQL.

there will be no major changes before the turbine 2.2 and torque 3.0 releases.
so after this update jetspeed will work with the final versions without any changes :-)

martin

> 
> Anyone have any objections to migrating Jetspeed to work with these latest
> versions?
> I will tag the cvs before doing so with a tag called
> PRE-JAKARTA-UPDATE-2002-10-15
> Will also document, on the website, the exact date that I checked out these
> 4 jars, so that if anyone needs the source they can check out by date.
> 
> If no one objects, will start tomorrow morning PST (Tuesday Oct 15)......
> 
> 
> 





IRC

Posted by David Sean Taylor <da...@bluesunrise.com>.
Created a channel for jetspeed-dev at irc.werken.com #Jetspeed

thanks! to Jason and Bob @ Werken Co for allowing us to use their IRC server





RE: Upgrading to Latest Jars

Posted by David Sean Taylor <da...@bluesunrise.com>.
A heads-up for what we all will be getting into when Jetspeed upgrades to
Torque-3.0-b5-dev. (We were on Torque-3.0-b2-dev)
I've already done this for core Jetspeed. However your application code will
need to make the same changes in order to compile and run against b5:

- All Torque queries that used to return java.util.Vector now return
java.util.List
- DBConnection has been removed. You must convert your code to use
java.sql.Connection
- accessors for PKs and FK columns return the actual data type, including
Java primitive data types, not an ObjectKey (or derivative).
	For ex: a column that is an INTEGER called USER_ID will have
accessors:
		int getUserId()
		void setUser(int userId)

- Torque.getConnection() (with no params) now throws TorqueException,
java.sql.SQLException, javax.naming.NamingException
  (it used to throw just TorqueException)
- releaseConnection() was changed to closeConnection(), and it no longer
throws an exception


- It appears that maxExpiryTime and connectionWaitTime have changed from
milliseconds to seconds
- {$webapp_root} no longer seems to work, just remove it
- You have a lot more choice for Connection pooling, such as using JNDI,
Jdbc2Pool, and ConnectionPoolDataSource.
	See the Torque.properties in Jetspeed cvs for examples

- Torque.properties now prefixes Torque properties with "torque."
- Components are all prefixed with "services.ComponentService."

- We need to include build-torque.properties in your ant build and call it
from your build.properties
- Torque now supports excludes and includes (I can't find any docs) to
choose which xml files to build.
   If you don't specify excludes and includes, Torque will generate for all
xml files found in the schemaDirectory
torque.schema.sql.includes = security-schema.xml, turbine-schema.xml,
coffees-schema.xml
torque.schema.create-db.includes = security-schema.xml, turbine-schema.xml,
coffees-schema.xml
torque.schema.init-sql.includes = security-schema.xml, turbine-schema.xml,
coffees-schema.xml
torque.schema.om.includes = security-schema.xml, turbine-schema.xml,
coffees-schema.xml

I could be missing something. Also see
http://jakarta.apache.org/turbine/torque/changes.html




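The migration steps above, condensed into one lookup method as an added example (editorial code, not from Jetspeed or Torque). `UserPeer`, its `USERNAME` column constant and the generated `User` class are hypothetical stand-ins for whatever Torque generates from your schema; the API changes shown (`java.sql.Connection` in place of `DBConnection`, `List` in place of `Vector`, the three checked exceptions from `Torque.getConnection()`, the non-throwing `Torque.closeConnection()`, and primitive key accessors) are the ones the message lists. It compiles only against Torque 3.0-b5 jars and a configured database, so it is a pattern to copy rather than a stand-alone program.

```java
import java.sql.Connection;
import java.sql.SQLException;
import java.util.List;
import javax.naming.NamingException;
import org.apache.torque.Torque;
import org.apache.torque.TorqueException;
import org.apache.torque.util.Criteria;

/**
 * Editorial example, not Jetspeed or Torque code: one lookup method
 * migrated from the Torque 3.0-b2 API to the 3.0-b5 API described in
 * the message above. UserPeer and User are hypothetical generated classes.
 */
public class UserLookup {

    /*
     * Torque 3.0-b2 shape of the same method, kept for comparison:
     *
     *   DBConnection db = Torque.getConnection();   // threw TorqueException only
     *   Vector users = UserPeer.doSelect(crit, db);
     *   Torque.releaseConnection(db);               // could itself throw
     *
     * b5 changes: java.sql.Connection instead of DBConnection, List instead
     * of Vector, three checked exceptions from getConnection(), and a
     * closeConnection() that no longer throws.
     */
    public static List findUsersByName(String userName)
            throws TorqueException, SQLException, NamingException {
        Criteria crit = new Criteria();
        crit.add(UserPeer.USERNAME, userName);   // hypothetical column constant

        Connection conn = null;
        try {
            // b5: may throw TorqueException, SQLException or NamingException
            conn = Torque.getConnection();
            // b5: returns java.util.List, not java.util.Vector
            return UserPeer.doSelect(crit, conn);
        } finally {
            // b5: closeConnection() replaces releaseConnection() and does not
            // throw, so it can sit in finally without masking the real error.
            // Skipping this on the error path leaks a pooled connection.
            if (conn != null) {
                Torque.closeConnection(conn);
            }
        }
    }

    /** b5 accessors return the column's own type: an INTEGER USER_ID is an int. */
    public static int firstUserId(List users) {
        if (users.isEmpty()) {
            return -1;                        // sentinel for "no rows"; choose what fits your code
        }
        User first = (User) users.get(0);     // hypothetical generated OM class
        return first.getUserId();             // int, no longer an ObjectKey
    }
}
```

The point worth copying is the try/finally: on b2 a throwing releaseConnection() inside finally could hide the exception that got you there, which is why many callers skipped the release on the error path and leaked pooled connections; on b5 the close is exception-free and belongs in finally unconditionally.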

RE: Upgrading to Latest Jars

Posted by David Sean Taylor <da...@bluesunrise.com>.

> -----Original Message-----
> From: Glenn R. Golden [mailto:ggolden@umich.edu]
> Sent: Wednesday, October 23, 2002 4:14 PM
> To: Jetspeed Developers List
> Subject: Re: Upgrading to Latest Jars
>
>
> David -
>
> This is great!  Thanks.
>
> Do you know where we got our velocity?
>
> 347357 Sep  8 21:31 velocity-1.3.jar
>

It's the release jar.
Found at http://jakarta.apache.org/builds/jakarta-velocity/release/v1.3/

They now have a release candidate, which they are strongly recommending due
to bug fixes.
Should we upgrade?





Re: Upgrading to Latest Jars

Posted by "Glenn R. Golden" <gg...@umich.edu>.
David -

This is great!  Thanks.

Do you know where we got our velocity?

347357 Sep  8 21:31 velocity-1.3.jar

Is that a released 1.3 version, or some partial one?  I think that's 
one more major package we should document the cvs co line for on that page.

- Glenn

---------------------------------------------------------------------
Glenn R. Golden    Systems Research Programmer
School of Information             University of Michigan
ggolden@umich.edu                            734-615-1419
---------------------------------------------------------------------




RE: Upgrading to Latest Jars

Posted by David Sean Taylor <da...@bluesunrise.com>.
> +1 !  I often find the need to look at the source, and have to guess as
> to the version used.  This will be very helpful!
>

http://jakarta.apache.org/jetspeed/site/supporting-projects.html

There is also a link to the full projects zipped up
Both Turbine and Torque will be putting out a release soon
We can then update one more time with their releases, and put out a
Jetspeed release soon after





Re: Upgrading to Latest Jars

Posted by "Glenn R. Golden" <gg...@umich.edu>.
On Monday, October 14, 2002, at 07:30 PM, David Sean Taylor wrote:

> I'd like to upgrade to the latest versions of :
>
> Torque
> Turbine
> Stratum
> Fulcrum
>
> I checked out all four projects from cvs head, built them and then 
> modified
> Jetspeed to bring it up-to-date.
> Ran unit tests, everything seems to be working against Hypersonic SQL.
>
> Anyone have any objections to migrating Jetspeed to work with these 
> latest
> versions?

+1

> I will tag the cvs before doing so with a tag called
> PRE-JAKARTA-UPDATE-2002-10-15
> Will also document, on the website, the exact date that I checked out 
> these
> 4 jars, so that if anyone needs the source they can check out by date.

+1 !  I often find the need to look at the source, and have to guess as 
to the version used.  This will be very helpful!

Thanks!

- Glenn

---------------------------------------------------------------------
Glenn R. Golden    Systems Research Programmer
School of Information             University of Michigan
ggolden@umich.edu                            734-615-1419
---------------------------------------------------------------------




RE: Upgrading to Latest Jars

Posted by David Sean Taylor <da...@bluesunrise.com>.
About to tag cvs: PRE-JAKARTA-UPDATE-2002-10-15







Class cast exception

Posted by David Sean Taylor <da...@bluesunrise.com>.
Is anyone else seeing this:

[14 Oct 2002 16:20:36 ERROR] - DocumentWatcher: Error in iteration...
java.lang.ClassCastException: org.apache.jetspeed.om.profile.BaseProfile
	at org.apache.jetspeed.services.psmlmanager.CastorPsmlManagerService.refresh(CastorPsmlManagerService.java:473)
	at org.apache.jetspeed.services.psmlmanager.CastorPsmlManagerService$DocumentWatcher.run(CastorPsmlManagerService.java:764)






Upgrading to Latest Jars

Posted by David Sean Taylor <da...@bluesunrise.com>.
I'd like to upgrade to the latest versions of :

Torque
Turbine
Stratum
Fulcrum

I checked out all four projects from cvs head, built them and then modified
Jetspeed to bring it up-to-date.
Ran unit tests, everything seems to be working against Hypersonic SQL.

Anyone have any objections to migrating Jetspeed to work with these latest
versions?
I will tag the cvs before doing so with a tag called
PRE-JAKARTA-UPDATE-2002-10-15
Will also document, on the website, the exact date that I checked out these
4 jars, so that if anyone needs the source they can check out by date.

If no one objects, will start tomorrow morning PST (Tuesday Oct 15)......





RE: Securing VelocityPortlet actions

Posted by David Sean Taylor <da...@bluesunrise.com>.
Well, originally I was thinking we'd get the constraints from the portlet or
portlet instance.
That way we don't need a xreg file.
But if we go for the more granular solution, then yes, I suppose we have
some possibilities:

    <security-entry name="owner-only">
        <access action="actionEvent:MyPortlet.doUpdate">
            <allow-if-owner/>
        </access>
    </security-entry>

For me, I'm fine without the example above and simply going with portlet or
portlet instance security constraints.
The finer granularity can come later.
Problem is, still don't know how to get the action to link up to the portlet
at action execution time.





RE: Securing VelocityPortlet actions

Posted by Mark Orciuch <ma...@ngsltd.com>.
David,

> > Actually, JspPortletAction will not run any of its build* methods unless
> > there's a "portlet" attribute in the request. This attribute gets
> > set in the
> > JspPortlet so if the action was invoked via URL, it wouldn't
> run. I think
> > that VelocityPortlet works in similar fashion. Well, I know it
> > does, because
> > I modeled JspPortletAction on VelocityPortletAction. What am I missing?
>
> If I remember, calling context.get("portlet") in an action event (doXXXX)
> returns NULL.
>
>             VelocityPortlet portlet =
> (VelocityPortlet)context.get("portlet");
>
> This doesn't happen until the control builds its context
>
>             context.put("portlet", portlet );
>

I based my assumptions on observing the debug statements for invoking
http://localhost/jetspeed/portal/action/portlets.browser.DatabaseBrowserAction:

[Mon Oct 14 15:49:49 CDT 2002] -- DEBUG -- Action: building action context
[Mon Oct 14 15:49:49 CDT 2002] -- DEBUG -- Action: try executing events
[Mon Oct 14 15:49:49 CDT 2002] -- DEBUG -- Action: calling doPerform
[Mon Oct 14 15:49:49 CDT 2002] -- DEBUG -- VelocityAction: retrieved
context: org.apache.velocity.VelocityContext@a6eb8e45
[Mon Oct 14 15:49:49 CDT 2002] -- DEBUG -- VelocityAction: retrieved
portlet: null

Portlet was null and therefore action did not proceed. I guess I should have
asked for an example of this being a security hole.

>
> For Velocity Action events, I was thinking it would be attached to the
> portlet or portlet instance constraint.

I'm in agreement here.

> However, one could argue that each action event should have its own
> constraints.
>

Why? Portlet action serves a portlet and should be meaningless without it.

> As for Turbine actions, why not create a new type of resource: action.
> The PortalAccessController interface doesn't support actions
> Don't confuse the 2nd parameter, its an 'action' as in permission
>
>
> public interface PortalAccessController extends Service
> {
> 	// check a portlet instance for a given permission/action
>     public boolean checkPermission(JetspeedUser user, Entry entry, String
> action, String owner);
>
> 	// check a portlet for a given permission/action
>     public boolean checkPermission(JetspeedUser user, Portlet portlet,
> String action, String owner);
>
> 	// check a Portal Resource for a given permission/action
>     public boolean checkPermission(JetspeedUser user, PortalResource
> resource, String action);
> }
>
> The third looks promising:
>
> public class PortalResource implements Serializable
> {
>     public static final int TYPE_PORTLET = 100;
>     public static final int TYPE_ENTRY = 200;
>     public static final int TYPE_ENTRY_PARAMETER = 201;
>     public static final int TYPE_REGISTRY = 300;
>     public static final int TYPE_REGISTRY_PARAMETER = 301;
>
> why don't we add
>
>     public static final int TYPE_ACTION = 400;
>     public static final int TYPE_ACTION_EVENT = 401;
>
> and then new constructors
>
>     public PortalResource(Action action )
>     public PortalResource(ActionEvent actionEvent)
>

That is exactly what I had in mind (except that you went more granular by
constraining individual action events - cool!). But how do we associate a
turbine action with security constraint? Surely not with actions.xreg? Or do
we "embed" security constraint within an action (via hardcoding or property
entry)?

Best regards,

Mark C. Orciuch
Next Generation Solutions, Ltd.
e-Mail: mark_orciuch@ngsltd.com
web: http://www.ngsltd.com


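An added example, not Jetspeed code, covering both the `security-entry` fragment David proposed earlier in this thread and Mark's question above about how a Turbine action gets tied to a constraint: it parses an entry of that shape and evaluates it the way `PortalAccessController.checkPermission(user, portlet, action, owner)` would, with default deny for any action that has no `<access>` element. The class name `ActionSecurityEntry`, the use of plain strings and a role set in place of `JetspeedUser` and `Portlet`, and the `<allow-if role="..."/>` rule are assumptions for illustration; only `<allow-if-owner/>` and the `actionEvent:MyPortlet.doUpdate` action name come from the thread. The registry fragment in `main` is constructed for the example.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/**
 * Editorial example, not Jetspeed code: evaluates a <security-entry> of the
 * shape proposed in the thread against (user, roles, action, owner) with
 * default deny. <allow-if role="..."/> is an assumed rule form added for
 * illustration; only <allow-if-owner/> appears in the thread.
 */
public class ActionSecurityEntry {

    /** One rule under an <access> element. */
    interface Rule {
        boolean permits(String user, Set<String> roles, String owner);
    }

    private final String name;
    private final Map<String, List<Rule>> rulesByAction = new HashMap<>();

    private ActionSecurityEntry(String name) {
        this.name = name;
    }

    public String getName() {
        return name;
    }

    /** Parses one <security-entry> element from registry XML. */
    public static ActionSecurityEntry parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // A registry file is config, but parse it with DTDs and entity expansion
        // disabled anyway so a tampered xreg cannot turn into an XXE read.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        Element root = doc.getDocumentElement();
        if (!"security-entry".equals(root.getTagName())) {
            throw new IllegalArgumentException("expected <security-entry>, got <" + root.getTagName() + ">");
        }
        ActionSecurityEntry entry = new ActionSecurityEntry(root.getAttribute("name"));
        NodeList accesses = root.getElementsByTagName("access");
        for (int i = 0; i < accesses.getLength(); i++) {
            Element access = (Element) accesses.item(i);
            String action = access.getAttribute("action");
            if (action.isEmpty()) {
                throw new IllegalArgumentException("<access> without an action attribute");
            }
            List<Rule> rules = new ArrayList<>();
            for (Node n = access.getFirstChild(); n != null; n = n.getNextSibling()) {
                if (n.getNodeType() != Node.ELEMENT_NODE) {
                    continue;
                }
                Element r = (Element) n;
                if ("allow-if-owner".equals(r.getTagName())) {
                    // Owner rule from the thread: the acting user must own the instance.
                    rules.add((user, roles, owner) -> owner != null && owner.equals(user));
                } else if ("allow-if".equals(r.getTagName()) && !r.getAttribute("role").isEmpty()) {
                    final String role = r.getAttribute("role");   // assumed rule form, see lead-in
                    rules.add((user, roles, owner) -> roles.contains(role));
                } else {
                    // Fail closed on anything unrecognised rather than silently allowing it.
                    throw new IllegalArgumentException("unsupported rule <" + r.getTagName() + ">");
                }
            }
            entry.rulesByAction.put(action, rules);
        }
        return entry;
    }

    /**
     * Same shape as PortalAccessController.checkPermission(user, portlet, action, owner):
     * true only if some rule for this exact action permits. An action with no
     * <access> element is denied, so an action reachable by direct URL but never
     * listed in the registry cannot run.
     */
    public boolean checkPermission(String user, Set<String> roles, String action, String owner) {
        List<Rule> rules = rulesByAction.getOrDefault(action, Collections.emptyList());
        for (Rule rule : rules) {
            if (rule.permits(user, roles, owner)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed registry fragment: the entry from the thread plus an assumed role rule.
        String xreg =
            "<security-entry name=\"owner-only\">\n"
            + "  <access action=\"actionEvent:MyPortlet.doUpdate\">\n"
            + "    <allow-if-owner/>\n"
            + "  </access>\n"
            + "  <access action=\"actionEvent:MyPortlet.doReset\">\n"
            + "    <allow-if role=\"admin\"/>\n"
            + "  </access>\n"
            + "</security-entry>";
        ActionSecurityEntry e = parse(xreg);
        Set<String> plainUser = Collections.singleton("user");
        Set<String> admin = Collections.singleton("admin");
        System.out.println("owner doUpdate:     " + e.checkPermission("alice", plainUser, "actionEvent:MyPortlet.doUpdate", "alice"));
        System.out.println("non-owner doUpdate: " + e.checkPermission("bob", plainUser, "actionEvent:MyPortlet.doUpdate", "alice"));
        System.out.println("admin doReset:      " + e.checkPermission("bob", admin, "actionEvent:MyPortlet.doReset", "alice"));
        System.out.println("unlisted doDelete:  " + e.checkPermission("alice", plainUser, "actionEvent:MyPortlet.doDelete", "alice"));
    }
}
```

The design choice that matters for the hole Mark describes (an action reachable through `/portal/action/...` with no portlet in the context) is the default: `checkPermission` returns false for any action the entry does not name, and `parse` rejects rule elements it does not understand, so a typo in the registry produces a startup error instead of an open action. Wiring this into a real action still needs the portlet-to-action link the thread is looking for; the evaluator only shows what that link would consult once it exists.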