Posted to dev@geronimo.apache.org by Vamsavardhana Reddy <c1...@gmail.com> on 2006/11/08 15:37:59 UTC

RTC Certification Authority (CA) portlet

I have posted a patch to "GERONIMO-2413 Add a Certification Authority (CA)
portlet to Geronimo console".  The patch contains CA portlet and CA Helper
application.  JIRA comment provides a few instructions on  a minimal
(end-to-end setup of CA and the helper application) task that can be
performed using the portlet.  Please take time to review the patch, try the
CA portlet and the helper application.

Thanks,
vamsi
PS: JIRA also has patch for branches\1.1 .  This patch is only intended for
those who want to try the portlet in 1.1.x.

Re: RTC Certification Authority (CA) portlet

Posted by Vamsavardhana Reddy <c1...@gmail.com>.
Paul,

Thank you for reviewing the CA portlet and providing your comments.  My
response to your queries and comments:

o  On the UI, I did my best.  I have tested the page navigation etc and it
seems to be ok.  There may be some minor issues which I am not aware of.
Those will be addressed as they surface.
o  Copyright headers will be updated before the patch is committed.
o  The helper application is a reference application.  In production, ideally
it should be running on HTTPS and some of the pages like, request
certificate and download certificate should have restricted access based on
userid, password, etc.
o  The helper application should be started only after completing the CA
initialization part.
o  Regarding making this as a portlet in Console, I wanted to take advantage
of the framework we already have in console UI and spend more time on the CA
functionality.
o  Portlet title will be changed so that it won't wrap.
o  I will take a look at GERONIMO-2007 to take care of the BasicProxyManager
warnings.

Regards,
Vamsi

On 11/14/06, Paul McMahan <pa...@gmail.com> wrote:
>
> Great work!! This patch represents a tremendous amount of effort and I
> am excited about seeing this new functionality in Geronimo.  I am not
> a security expert so I'm not able to comment on some of the more
> technical aspects of this new feature.  But from a high level I
> understand what is being provided and am in favor of it being made
> available to Geronimo users.
>
> Here are a few questions and comments:
> -  nice job on the UI
> -  the copyright headers should be updated per GERONIMO-2537  (I think
> this applies to JSPs as well but I am not sure)
> -  the helper application does not define any security constraints in
> its web.xml.  I think a constraint is needed since the application
> affects the server's security
> -  the helper application is not started by default.  is that intentional?
>
> I'm not totally clear on why this feature was implemented partly as a
> web application and partly as an admin portlet.  Since CA activities
> are not core to the management of the application server per se it
> seems like an ideal candidate to implement entirely as a pair of web
> applications that can be installed as plugins.  If it's possible to
> refactor the CA portion into a webapp without sacrificing too much
> time/effort then I'm highly in favor of that approach.
>
> But I may be overlooking some important aspect of the design or just
> need to broaden my view of what the admin console is used for.  So if
> the current implementation remains as is then here are some additional
> comments about the CA portlet:
> -  the portlet title in the console's navigation area wraps
> "Certifcation Authority".  Can a non-breaking space (&nbsp;) be used
> in the title? if not then can it be shortened?
> -  the CA portlet issues warnings, which I think are benign but can
> probably be avoided.  they look like:
> [BasicProxyManager] Could not load interface org.apache.geronimo.security.ca.GeronimoCertificationAuthority in provided ClassLoader for org.apache.geronimo.configs/j2ee-security/1.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.configs/j2ee-security/1.2-SNAPSHOT/car,j2eeType=CertificationAuthority,name=geronimo-ca
> (see GERONIMO-2007)
>
> Again, great work on this new feature and I look forward to seeing it
> being made available to Geronimo users!
>
> Best wishes,
> Paul
>
> On 11/9/06, Vamsavardhana Reddy <c1...@gmail.com> wrote:
> > Hi Paul,
> >
> >  Yes, I intend to make this available in 1.2.  Please review whenever it is
> > possible for you.
> >
> >  Thanks,
> >  Vamsi
> >
> > On 11/9/06, Paul McMahan <pa...@gmail.com> wrote:
> > > I definitely plan to take a look at this but I have a couple of items
> > > to finish up on first.  Do you intend to make this available in 1.2?
> > >
> > > Best wishes,
> > > Paul
> > >
> > > On 11/8/06, Vamsavardhana Reddy < c1vamsi1c@gmail.com> wrote:
> > > > I have posted a patch to "GERONIMO-2413 Add a Certification Authority (CA)
> > > > portlet to Geronimo console".  The patch contains CA portlet and CA Helper
> > > > application.  JIRA comment provides a few instructions on  a minimal
> > > > (end-to-end setup of CA and the helper application) task that can be
> > > > performed using the portlet.  Please take time to review the patch, try the
> > > > CA portlet and the helper application.
> > > >
> > > >  Thanks,
> > > >  vamsi
> > > >  PS: JIRA also has patch for branches\1.1 .  This patch is only intended for
> > > > those who want to try the portlet in 1.1.x.
> > > >
> > >
> >
> >
>
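
The gap raised in this thread (no security constraints in the helper application's web.xml, and the reply that the certificate request and download pages should sit behind HTTPS and a login), as an added example that is not part of either post or of the Geronimo patch: a small Python check run over a descriptor without constraints and one with them. The page names, role name and both descriptors are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed descriptors: page names and role name are hypothetical.
WEAK = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <display-name>CA Helper</display-name>
</web-app>"""
HARDENED = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>certificate pages</web-resource-name>
      <url-pattern>/requestCertificate.jsp</url-pattern>
      <url-pattern>/downloadCertificate.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>ca-user</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>ca-user</role-name></security-role>
</web-app>"""

def matches(pattern, path):
    """Servlet url-pattern match: exact, prefix (/x/*) or extension (*.jsp)."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path

def audit(web_xml, sensitive_paths):
    """List sensitive paths that lack login or HTTPS in a web.xml string."""
    rules = []  # (url-patterns, has auth-constraint, transport-guarantee)
    for sc in ET.fromstring(web_xml):
        if not sc.tag.endswith("security-constraint"):
            continue
        tags = {e.tag.rsplit("}", 1)[-1]: (e.text or "").strip() for e in sc.iter()}
        urls = [(e.text or "").strip() for e in sc.iter() if e.tag.endswith("url-pattern")]
        rules.append((urls, "auth-constraint" in tags, tags.get("transport-guarantee")))
    findings = []
    # Simplification: any matching constraint counts; http-method lists are ignored.
    for path in sensitive_paths:
        hits = [r for r in rules if any(matches(u, path) for u in r[0])]
        if not any(auth for _, auth, _ in hits):
            findings.append(f"{path}: no auth-constraint")
        if not any(tg == "CONFIDENTIAL" for _, _, tg in hits):
            findings.append(f"{path}: transport-guarantee is not CONFIDENTIAL")
    return findings
```

Calling `audit(WEAK, [...])` reports both findings for every listed page, while `audit(HARDENED, [...])` returns an empty list for the two constrained pages.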

Re: RTC Certification Authority (CA) portlet

Posted by Paul McMahan <pa...@gmail.com>.
Great work!! This patch represents a tremendous amount of effort and I
am excited about seeing this new functionality in Geronimo.  I am not
a security expert so I'm not able to comment on some of the more
technical aspects of this new feature.  But from a high level I
understand what is being provided and am in favor of it being made
available to Geronimo users.

Here are a few questions and comments:
-  nice job on the UI
-  the copyright headers should be updated per GERONIMO-2537  (I think
this applies to JSPs as well but I am not sure)
-  the helper application does not define any security constraints in
its web.xml.  I think a constraint is needed since the application
affects the server's security
-  the helper application is not started by default.  is that intentional?

I'm not totally clear on why this feature was implemented partly as a
web application and partly as an admin portlet.  Since CA activities
are not core to the management of the application server per se it
seems like an ideal candidate to implement entirely as a pair of web
applications that can be installed as plugins.  If it's possible to
refactor the CA portion into a webapp without sacrificing too much
time/effort then I'm highly in favor of that approach.

But I may be overlooking some important aspect of the design or just
need to broaden my view of what the admin console is used for.  So if
the current implementation remains as is then here are some additional
comments about the CA portlet:
-  the portlet title in the console's navigation area wraps
"Certifcation Authority".  Can a non-breaking space (&nbsp;) be used
in the title? if not then can it be shortened?
-  the CA portlet issues warnings, which I think are benign but can
probably be avoided.  they look like:
[BasicProxyManager] Could not load interface org.apache.geronimo.security.ca.GeronimoCertificationAuthority in provided ClassLoader for org.apache.geronimo.configs/j2ee-security/1.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.configs/j2ee-security/1.2-SNAPSHOT/car,j2eeType=CertificationAuthority,name=geronimo-ca
(see GERONIMO-2007)

Again, great work on this new feature and I look forward to seeing it
being made available to Geronimo users!

Best wishes,
Paul

On 11/9/06, Vamsavardhana Reddy <c1...@gmail.com> wrote:
> Hi Paul,
>
>  Yes, I intend to make this available in 1.2.  Please review whenever it is
> possible for you.
>
>  Thanks,
>  Vamsi
>
> On 11/9/06, Paul McMahan <pa...@gmail.com> wrote:
> > I definitely plan to take a look at this but I have a couple of items
> > to finish up on first.  Do you intend to make this available in 1.2?
> >
> > Best wishes,
> > Paul
> >
> > On 11/8/06, Vamsavardhana Reddy < c1vamsi1c@gmail.com> wrote:
> > > I have posted a patch to "GERONIMO-2413 Add a Certification Authority (CA)
> > > portlet to Geronimo console".  The patch contains CA portlet and CA Helper
> > > application.  JIRA comment provides a few instructions on  a minimal
> > > (end-to-end setup of CA and the helper application) task that can be
> > > performed using the portlet.  Please take time to review the patch, try the
> > > CA portlet and the helper application.
> > >
> > >  Thanks,
> > >  vamsi
> > >  PS: JIRA also has patch for branches\1.1 .  This patch is only intended for
> > > those who want to try the portlet in 1.1.x.
> > >
> >
>
>

Re: RTC Certification Authority (CA) portlet

Posted by Vamsavardhana Reddy <c1...@gmail.com>.
Hi Paul,

Yes, I intend to make this available in 1.2.  Please review whenever it is
possible for you.

Thanks,
Vamsi

On 11/9/06, Paul McMahan <pa...@gmail.com> wrote:
>
> I definitely plan to take a look at this but I have a couple of items
> to finish up on first.  Do you intend to make this available in 1.2?
>
> Best wishes,
> Paul
>
> On 11/8/06, Vamsavardhana Reddy <c1...@gmail.com> wrote:
> > I have posted a patch to "GERONIMO-2413 Add a Certification Authority (CA)
> > portlet to Geronimo console".  The patch contains CA portlet and CA Helper
> > application.  JIRA comment provides a few instructions on  a minimal
> > (end-to-end setup of CA and the helper application) task that can be
> > performed using the portlet.  Please take time to review the patch, try the
> > CA portlet and the helper application.
> >
> >  Thanks,
> >  vamsi
> >  PS: JIRA also has patch for branches\1.1 .  This patch is only intended for
> > those who want to try the portlet in 1.1.x.
> >
>

Re: RTC Certification Authority (CA) portlet

Posted by Paul McMahan <pa...@gmail.com>.
I definitely plan to take a look at this but I have a couple of items
to finish up on first.  Do you intend to make this available in 1.2?

Best wishes,
Paul

On 11/8/06, Vamsavardhana Reddy <c1...@gmail.com> wrote:
> I have posted a patch to "GERONIMO-2413 Add a Certification Authority (CA)
> portlet to Geronimo console".  The patch contains CA portlet and CA Helper
> application.  JIRA comment provides a few instructions on  a minimal
> (end-to-end setup of CA and the helper application) task that can be
> performed using the portlet.  Please take time to review the patch, try the
> CA portlet and the helper application.
>
>  Thanks,
>  vamsi
>  PS: JIRA also has patch for branches\1.1 .  This patch is only intended for
> those who want to try the portlet in 1.1.x.
>