Posted to jetspeed-dev@portals.apache.org by David Jencks <da...@yahoo.com> on 2006/01/27 09:06:44 UTC

More ideas on security/permissions

I have some more ideas on how the jetspeed permissions might be  
changed so many fewer permission checks are needed.  However, before  
I start working on them I really need to wait for JS2-475 to be  
resolved.  I've now spent a lot of time redoing patches for 475  due  
both to my own lack of care to save enough versions of my work and  
overlapping patches and even more due to the code changing under my  
patch and having to reimplement portions in the changed code.  I  
believe the code in JS2-444 geronmo-jetspeed11.zip is current with   
jetspeed source.  I may have trouble justifying much more time spent
keeping it up to date with source changes.

So, my ideas:

I think it is possible to combine PagePermission and FolderPermission  
into one, perhaps PathPermission with slightly more complex patch  
comparison operations.  I don't understand how FragmentPermission is  
used well enough yet to have an idea as to whether FragmentPermission  
can also use the same class.  The goal here is to construct a single  
PathPermission for a request and evaluate it against the set of  
PathPermissions for the user.  If we can test a PagePermission  
against a FolderPermission then at least one fewer call into  
AccessController will be needed if the access is granted by a  
FolderPermission rather than a PagePermission.

The other idea is that it should not be necessary to recursively  
check folder view permissions down to the root.  This can be  
precomputed statically before runtime so that the permissions set  
only includes view permissions for which every folder on the path to  
the root has view access.

I've previously mentioned the possibility of converting the  
constraints system to use masks rather than extensive string  
manipulations, in line with the permissions changes in JS2-475.  On  
the other hand there is a lot of duplicate logic between the  
permissions and constraint security implementations and I wonder if  
it would be possible to either base the logic decisions in the  
constraints on permission instances or simply extend the permissions  
system to have the same capabilities of the constraints system and  
use only permissions.  Again, I can't really move forward on this  
until JS2-475 is resolved.

Many thanks,
david jencks


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org
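
The first two ideas in the message above, sketched as an added example that is not part of the original post and is not Jetspeed code: one permission class whose folder grants imply page requests through a mask test, plus a one-time pruning step so a request needs no walk to the root. The `PathPermission` name comes from the post; the `VIEW`/`EDIT` bits, the `/folder/*` grant convention, the `prune` helper, the sample paths and the use of Java 17 are assumptions.

```java
import java.security.Permission;
import java.util.*;

// Hypothetical PathPermission: one class for page and folder grants, actions as a bit mask.
public final class PathPermission extends Permission {
    public static final int VIEW = 1, EDIT = 2;   // assumed action bits
    private final int mask;
    public PathPermission(String path, int mask) {
        super(path);   // prefix matching below is only safe on normalized paths
        if (("/" + path + "/").contains("/../")) throw new IllegalArgumentException(path);
        this.mask = mask;
    }

    // A grant named "/folder/*" (assumed convention) covers the folder and everything below it.
    @Override public boolean implies(Permission p) {
        if (!(p instanceof PathPermission req)) return false;
        if ((mask & req.mask) != req.mask) return false;   // mask test, no action-string parsing
        String g = getName(), r = req.getName();
        return g.endsWith("/*") ? r.startsWith(g.substring(0, g.length() - 1)) : g.equals(r);
    }

    // Precompute step: drop view grants that have an ancestor folder without view access.
    public static List<PathPermission> prune(List<PathPermission> raw) {
        List<PathPermission> out = new ArrayList<>();
        for (PathPermission g : raw) {
            String n = g.getName();
            boolean ok = true;
            for (int i = n.lastIndexOf('/', n.length() - 2); ok && i >= 0; i = n.lastIndexOf('/', i - 1)) {
                PathPermission need = new PathPermission(n.substring(0, i + 1), VIEW);
                ok = raw.stream().anyMatch(x -> x.implies(need));
            }
            if (ok || (g.mask & VIEW) == 0) out.add(g);   // only view grants are pruned
        }
        return out;
    }
    @Override public String getActions() { return mask == VIEW ? "view" : mask == EDIT ? "edit" : "view,edit"; }
    @Override public int hashCode() { return 31 * getName().hashCode() + mask; }
    @Override public boolean equals(Object o) {
        return o instanceof PathPermission q && q.mask == mask && q.getName().equals(getName());
    }
    public static void main(String[] args) {
        List<PathPermission> user = prune(List.of(new PathPermission("/", VIEW),   // constructed grants
            new PathPermission("/docs/*", VIEW | EDIT), new PathPermission("/hr/payroll/page.psml", VIEW)));
        for (String page : List.of("/docs/guide.psml", "/hr/payroll/page.psml")) {
            PathPermission req = new PathPermission(page, VIEW);   // one permission per request
            System.out.println(page + " -> " + user.stream().anyMatch(g -> g.implies(req)));
        }
    }
}
```

The page under `/hr/` is denied even though it carries its own view grant, because `/hr/` itself is not viewable and the grant was removed before any request arrived.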


Re: More ideas on security/permissions

Posted by Randy Watler <wa...@wispertel.net>.
David,

I am currently distracted getting maven2 into Jetspeed. If others have 
not managed to fit this in, I can look again perhaps next week or the 
following weekend. I appreciate the effort and understand why you are 
holding off.

I may be needing feedback on the packaging of J2 as I get to those areas 
of the build. I also may need to pick your brain on other aspects of the 
conversion if you don't mind... :-).

Thanks for the hard work so far!

Randy



Re: More ideas on security/permissions

Posted by David Le Strat <dl...@yahoo.com>.
All,

I will go ahead and commit J2-475 today.  I ran into a
couple unit test issues but should have this completed
today.  Thanks for all your hard work David.

Regards,

David Le Strat


________________________
David Le Strat
Blogging @ http://dlsthoughts.blogspot.com
