You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jetspeed-dev@portals.apache.org by David Jencks <da...@yahoo.com> on 2006/01/27 09:06:44 UTC
More ideas on security/permissions
I have some more ideas on how the jetspeed permissions might be
changed so many fewer permission checks are needed. However, before
I start working on them I really need to wait for JS2-475 to be
resolved. I've now spent a lot of time redoing patches for 475 due
both to my own lack of care to save enough versions of my work and
overlapping patches and even more due to the code changing under my
patch and having to reimplement portions in the changed code. I
believe the code in JS2-444 geronmo-jetspeed11.zip is current with
jetspeed source. i may have trouble justifying much more time spent
keeping it up to date with source changes.
So, my ideas:
I think it is possible to combine PagePermission and FolderPermission
into one, perhaps PathPermission with slightly more complex patch
comparison operations. I don't understand how FragmentPermission is
used well enough yet to have an idea as to whether FragmentPermission
can also use the same class. The goal here is to construct a single
PathPermission for a request and evaluate it against the set of
PathPermissions for the user. If we can test a PagePermission
against a FolderPermission then at least one fewer call into
AccessController will be needed if the access is granted by a
FolderPermission rather than a PagePermission.
The other idea is that it should not be necessary to recursively
check folder view permissions down to the root. This can be
precomputed statically before runtime so that the permissions set
only includes view permissions for which every folder on the path to
the root has view access.
I've previously mentioned the possibility of converting the
constraints system to use masks rather than extensive string
manipulations, in line with the permissions changes in JS2-475. On
the other hand there is a lot of duplicate logic between the
permissions and constraint security implementations and I wonder if
it would be possible to either base the logic decisions in the
constraints on permission instances or simply extend the permissions
system to have the same capabilities of the constraints system and
use only permissions. Again, I can't really move forward on this
until JS2-475 is resolved.
Many thanks,
david jencks
---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org
Re: More ideas on security/permissions
Posted by Randy Watler <wa...@wispertel.net>.
David,
I am currently distracted getting maven2 into Jetspeed. If others have
not managed to fit this in, I can look again perhaps next week or the
following weekend. I appreciate the effort and understand why you are
holding off.
I may be needing feedback on the packaging of J2 as I get to those areas
of the build. I also may need to pick your brain on other aspects of the
conversion if you dont mind... :-).
Thanks for the hard work so far!
Randy
David Jencks wrote:
> I have some more ideas on how the jetspeed permissions might be
> changed so many fewer permission checks are needed. However, before I
> start working on them I really need to wait for JS2-475 to be
> resolved. I've now spent a lot of time redoing patches for 475 due
> both to my own lack of care to save enough versions of my work and
> overlapping patches and even more due to the code changing under my
> patch and having to reimplement portions in the changed code. I
> believe the code in JS2-444 geronmo-jetspeed11.zip is current with
> jetspeed source. i may have trouble justifying much more time spent
> keeping it up to date with source changes.
>
> So, my ideas:
>
> I think it is possible to combine PagePermission and FolderPermission
> into one, perhaps PathPermission with slightly more complex patch
> comparison operations. I don't understand how FragmentPermission is
> used well enough yet to have an idea as to whether FragmentPermission
> can also use the same class. The goal here is to construct a single
> PathPermission for a request and evaluate it against the set of
> PathPermissions for the user. If we can test a PagePermission against
> a FolderPermission then at least one fewer call into AccessController
> will be needed if the access is granted by a FolderPermission rather
> than a PagePermission.
>
> The other idea is that it should not be necessary to recursively check
> folder view permissions down to the root. This can be precomputed
> statically before runtime so that the permissions set only includes
> view permissions for which every folder on the path to the root has
> view access.
>
> I've previously mentioned the possibility of converting the
> constraints system to use masks rather than extensive string
> manipulations, in line with the permissions changes in JS2-475. On
> the other hand there is a lot of duplicate logic between the
> permissions and constraint security implementations and I wonder if it
> would be possible to either base the logic decisions in the
> constraints on permission instances or simply extend the permissions
> system to have the same capabilities of the constraints system and use
> only permissions. Again, I can't really move forward on this until
> JS2-475 is resolved.
>
> Many thanks,
> david jencks
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
> For additional commands, e-mail: jetspeed-dev-help@portals.apache.org
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org
Re: More ideas on security/permissions
Posted by David Le Strat <dl...@yahoo.com>.
All,
I will go ahead and commit J2-475 today. I ran into a
couple unit test issues but should have this completed
today. Thanks for all your hard work David.
Regards,
David Le Strat
--- David Jencks <da...@yahoo.com> wrote:
> I have some more ideas on how the jetspeed
> permissions might be
> changed so many fewer permission checks are needed.
> However, before
> I start working on them I really need to wait for
> JS2-475 to be
> resolved. I've now spent a lot of time redoing
> patches for 475 due
> both to my own lack of care to save enough versions
> of my work and
> overlapping patches and even more due to the code
> changing under my
> patch and having to reimplement portions in the
> changed code. I
> believe the code in JS2-444 geronmo-jetspeed11.zip
> is current with
> jetspeed source. i may have trouble justifying much
> more time spent
> keeping it up to date with source changes.
>
> So, my ideas:
>
> I think it is possible to combine PagePermission and
> FolderPermission
> into one, perhaps PathPermission with slightly more
> complex patch
> comparison operations. I don't understand how
> FragmentPermission is
> used well enough yet to have an idea as to whether
> FragmentPermission
> can also use the same class. The goal here is to
> construct a single
> PathPermission for a request and evaluate it against
> the set of
> PathPermissions for the user. If we can test a
> PagePermission
> against a FolderPermission then at least one fewer
> call into
> AccessController will be needed if the access is
> granted by a
> FolderPermission rather than a PagePermission.
>
> The other idea is that it should not be necessary to
> recursively
> check folder view permissions down to the root.
> This can be
> precomputed statically before runtime so that the
> permissions set
> only includes view permissions for which every
> folder on the path to
> the root has view access.
>
> I've previously mentioned the possibility of
> converting the
> constraints system to use masks rather than
> extensive string
> manipulations, in line with the permissions changes
> in JS2-475. On
> the other hand there is a lot of duplicate logic
> between the
> permissions and constraint security implementations
> and I wonder if
> it would be possible to either base the logic
> decisions in the
> constraints on permission instances or simply extend
> the permissions
> system to have the same capabilities of the
> constraints system and
> use only permissions. Again, I can't really move
> forward on this
> until JS2-475 is resolved.
>
> Many thanks,
> david jencks
>
>
>
---------------------------------------------------------------------
> To unsubscribe, e-mail:
> jetspeed-dev-unsubscribe@portals.apache.org
> For additional commands, e-mail:
> jetspeed-dev-help@portals.apache.org
>
>
________________________
David Le Strat
Blogging @ http://dlsthoughts.blogspot.com
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org