You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@turbine.apache.org by Scott Eade <se...@backstagetech.com.au> on 2001/12/06 05:20:39 UTC

New Security Groups require a restart?

It seems that it is necessary to restart my turbine application
in order to be able to use a newly created group.  Here
is the order of events:

1. Create a new Group "newgroup"
2. Create a new User and grant the Role "arole" in the group
"newgroup".
3. Login as the new user and execute 
user.getACL().hasRole("arole", "newgroup") - returns false
4. Restart the application
5 Login as the new user and execute
user.getACL().hasRole("arole", "newgroup") - returns true

Is the restart absolutely necessary, or is there a way to make
this work without it?

Also, my current design involves creating a large number 
of groups.  Is this going to become inefficient?  Am I better
of restructuring the security around a small number of groups?

Thanks,

Scott


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>

Re: New Security Groups require a restart?

Posted by Scott Eade <se...@backstagetech.com.au>.

Hi Colm,

> I had a similar problem but I wasn't creating groups at runtime so a
> restart fixed it... But, from the API docs:
>
> > Constructor Detail
> > AccessControlList
> > public AccessControlList(java.util.Map roleSets,
> >                          java.util.Map permissionSets)
> > Constructs a new AccessControlList.
> >
> >  This class follows 'immutable' pattern - it's objects can't be modified
> >  once they are created. This means that the permissions the users have
are
> >  in effect form the moment they log in to the moment they log out, and
> >  changes made to the security settings in that time are not reflected
> >  in the state of this object. If you need to reset an user's permissions
> >  you need to invalidate his session.
> > The objects that constructs an AccessControlList must supply hashtables
> >  of role/permission sets keyed with group objects.
>
> Did you try logging out and back in?

I had seen that, however the group is created and allocated to a new
user (not myself) and then the new user logs in.  To my reckoning this
should be fine.  I can fully understand the need to log out and back in
if I was changing my own permissions, but not those of other not
currently logged in users.

It actually appears that when the first user logs in the ACL structure
that will be used for all users is resolved and it is not possible to
bring additional groups into effect without the restart.  I had a brief
look at the source for ACL and couldn't see why this is so.

BTW: The API docs for Turbine and Velocity come with the tdk.
After you start catalina, surf to http://localhost:8080/ and all will
be revealed.

Cheers,

Scott


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>

Re: New Security Groups require a restart?

Posted by josef richberg <sq...@yahoo.com>.

Found 'em..

Thanks,
  josef
--- Colm McCartan <co...@owl.co.uk> wrote:
> 
> 
> josef richberg wrote:
> 
> > Where did you find the api docs. I downloaded the
> TDK,
> > but couldn't find them anywhere.
> 
> 
> Have a look under the 'site' dir in the webapps area
> that the TDK 
> creates - they should be in there for tdk2.1
> (AFAIK)...
> 
> I believe there is also an ant target for building
> the docs - take a 
> look at the build.xml in the tdk dir. They can be
> fetched from the 
> jakarta-turbine-2 CVS repo as a last resort.
> 
> colm
> 
> 
> 
> --
> To unsubscribe, e-mail:  
> <ma...@jakarta.apache.org>
> For additional commands, e-mail:
> <ma...@jakarta.apache.org>
> 


__________________________________________________
Do You Yahoo!?
Send your FREE holiday greetings online!
http://greetings.yahoo.com

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>

Re: New Security Groups require a restart?

Posted by Colm McCartan <co...@owl.co.uk>.

josef richberg wrote:

> Where did you find the api docs. I downloaded the TDK,
> but couldn't find them anywhere.

Have a look under the 'site' dir in the webapps area that the TDK 
creates - they should be in there for tdk2.1 (AFAIK)...

I believe there is also an ant target for building the docs - take a 
look at the build.xml in the tdk dir. They can be fetched from the 
jakarta-turbine-2 CVS repo as a last resort.

colm

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>

Re: New Security Groups require a restart?

Posted by josef richberg <sq...@yahoo.com>.

Where did you find the api docs. I downloaded the TDK,
but couldn't find them anywhere.

--josef
--- Colm McCartan <co...@owl.co.uk> wrote:
> Scott
> 
> I had a similar problem but I wasn't creating groups
> at runtime so a 
> restart fixed it... But, from the API docs:
> 
> > Constructor Detail
> > AccessControlList
> > public AccessControlList(java.util.Map roleSets,
> >                          java.util.Map
> permissionSets)
> > Constructs a new AccessControlList.
> > 
> >  This class follows 'immutable' pattern - it's
> objects can't be modified
> >  once they are created. This means that the
> permissions the users have are
> >  in effect form the moment they log in to the
> moment they log out, and 
> >  changes made to the security settings in that
> time are not reflected
> >  in the state of this object. If you need to reset
> an user's permissions
> >  you need to invalidate his session.
> > The objects that constructs an AccessControlList
> must supply hashtables 
> >  of role/permission sets keyed with group objects.
> 
> Did you try logging out and back in?
> 
> colm
> 
> 
> --
> To unsubscribe, e-mail:  
> <ma...@jakarta.apache.org>
> For additional commands, e-mail:
> <ma...@jakarta.apache.org>
> 


__________________________________________________
Do You Yahoo!?
Send your FREE holiday greetings online!
http://greetings.yahoo.com

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>

Re: New Security Groups require a restart?

Posted by Colm McCartan <co...@owl.co.uk>.

Scott

I had a similar problem but I wasn't creating groups at runtime so a 
restart fixed it... But, from the API docs:

> Constructor Detail
> AccessControlList
> public AccessControlList(java.util.Map roleSets,
>                          java.util.Map permissionSets)
> Constructs a new AccessControlList.
> 
>  This class follows 'immutable' pattern - it's objects can't be modified
>  once they are created. This means that the permissions the users have are
>  in effect form the moment they log in to the moment they log out, and 
>  changes made to the security settings in that time are not reflected
>  in the state of this object. If you need to reset an user's permissions
>  you need to invalidate his session.
> The objects that constructs an AccessControlList must supply hashtables 
>  of role/permission sets keyed with group objects.

Did you try logging out and back in?

colm


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>

Re: New Security Groups require a restart?

Posted by Scott Eade <se...@backstagetech.com.au>.

From: "John McNally" <jm...@collab.net>
> The security service was caching the groups, but was not updating the
> cache when new groups were added.  I did not have time to fix it and
> keep the cache, so I removed the caching.  This has been in cvs for
> probably a couple weeks.
> 
> john mcnally

Thanks John, I'll take a look in cvs.



--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>

Re: New Security Groups require a restart?

Posted by John McNally <jm...@collab.net>.

The security service was caching the groups, but was not updating the
cache when new groups were added.  I did not have time to fix it and
keep the cache, so I removed the caching.  This has been in cvs for
probably a couple weeks.

john mcnally

Scott Eade wrote:
> 
> It seems that it is necessary to restart my turbine application
> in order to be able to use a newly created group.  Here
> is the order of events:
> 
> 1. Create a new Group "newgroup"
> 2. Create a new User and grant the Role "arole" in the group
> "newgroup".
> 3. Login as the new user and execute
> user.getACL().hasRole("arole", "newgroup") - returns false
> 4. Restart the application
> 5 Login as the new user and execute
> user.getACL().hasRole("arole", "newgroup") - returns true
> 
> Is the restart absolutely necessary, or is there a way to make
> this work without it?
> 
> Also, my current design involves creating a large number
> of groups.  Is this going to become inefficient?  Am I better
> of restructuring the security around a small number of groups?
> 
> Thanks,
> 
> Scott
> 
> --
> To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
> For additional commands, e-mail: <ma...@jakarta.apache.org>

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>