Posted to slide-user@jakarta.apache.org by Morten <li...@kikobu.com> on 2004/11/01 19:15:34 UTC

Custom authorization and authentication best practices

Hi.

I will be using Slide as a file system based content repository. It will 
be part of a web-application which contains a UI to add/remove users and 
set permissions at folder level.

This means I need to integrate Slide with my web-app. I see 2 possible 
methods:

1. Slide accesses an external data-source for authentication and 
authorization, possibly via a custom plug-in (could be done using WCK, 
but that impacts DeltaV).

2. The users and permissions get set in Slide explicitly using an API 
(pointers to which greatly appreciated).

Functionally, I need to be able to answer the questions "Is user X with 
password Y a valid user?" and "Can user X access folder Z?"

Which of the above is the preferred approach and what is the "proper" 
way to go about it? What's considered best practices? Studying WCK, 
Realms, JAAS, Projector gives lots of options on authentication, but I 
fail to find options for authorization.

Br,

Morten




RE: Use Tx store for /users and /roles and DB store for rest ?

Posted by Nick Longinow <ni...@vanhooseassociates.com>.
Excellent option!  I will look into it. 

Nick 

-----Original Message-----
From: Oliver Zeigermann [mailto:oliver.zeigermann@gmail.com] 
Sent: Wednesday, November 03, 2004 10:31 AM
To: Nick Longinow; Slide Users Mailing List
Subject: Re: Use Tx store for /users and /roles and DB store for rest ?

Ah, I see! Did not know this was the limitation in Oracle. Now I
understand your problem...

Anyway, storing user information to the file system should cause no
problems from Slide's point of view. However, when you consider backup
and restoring of your repository and half your data is in Oracle and
the other half is in the file system this might be non-ideal.

Hmmmm, what about storing the property value in a blob? Wouldn't this
work? Probably a bit slower and maybe a problem for search. However,
not when there are indices anyway.

Maybe this could be an option?

Oliver



Re: Use Tx store for /users and /roles and DB store for rest ?

Posted by Oliver Zeigermann <ol...@gmail.com>.
Ah, I see! Did not know this was the limitation in Oracle. Now I
understand your problem...

Anyway, storing user information to the file system should cause no
problems from Slide's point of view. However, when you consider backup
and restoring of your repository and half your data is in Oracle and
the other half is in the file system this might be non-ideal.

Hmmmm, what about storing the property value in a blob? Wouldn't this
work? Probably a bit slower and maybe a problem for search. However,
not when there are indices anyway.

Maybe this could be an option?

Oliver

On Wed, 3 Nov 2004 09:32:57 -0500, Nick Longinow
<ni...@vanhooseassociates.com> wrote:
> This is the size of a single property, such as group-member-set. The size
> of the default string value of that property in the shipping Slide is about
> 188 bytes. If I up the PROPERTY_VALUE VARCHAR2(4000) that is as high as it
> can go in Oracle 9x.
> 
> Nick


RE: Use Tx store for /users and /roles and DB store for rest ?

Posted by Nick Longinow <ni...@vanhooseassociates.com>.
This is the size of a single property, such as group-member-set. The size
of the default string value of that property in the shipping Slide is about
188 bytes. If I up the PROPERTY_VALUE VARCHAR2(4000) that is as high as it
can go in Oracle 9x.

Nick

-----Original Message-----
From: Oliver Zeigermann [mailto:oliver.zeigermann@gmail.com] 
Sent: Tuesday, November 02, 2004 5:24 PM
To: Slide Users Mailing List
Subject: Re: Use Tx store for /users and /roles and DB store for rest ?

This certainly is possible. However, quoting from what I have found 

	"PROPERTY_VALUE" VARCHAR2(255), 

the maximum length of a property value is 255 characters only. But why
not just give it much more space? Is there any limitation in Oracle?

I'd recommend to just update the size to what you consider reasonable.
The Slide code itself does not care...

Oliver



Re: Use Tx store for /users and /roles and DB store for rest ?

Posted by Oliver Zeigermann <ol...@gmail.com>.
This certainly is possible. However, quoting from what I have found 

	"PROPERTY_VALUE" VARCHAR2(255), 

the maximum length of a property value is 255 characters only. But why
not just give it much more space? Is there any limitation in Oracle?

I'd recommend to just update the size to what you consider reasonable.
The Slide code itself does not care...

Oliver

On Tue, 2 Nov 2004 15:45:24 -0500, Nick Longinow
<ni...@vanhooseassociates.com> wrote:
> Is it possible to do this? I am finding that the column length limitation
> in Oracle is 4000 characters, which will limit the length of a property
> string in the Properties table. So, you can not update the members of a
> group (i.e., users) to have more than about 50 users (given the size of each
> XML fragment representing a user member of the /roles/users group).
> 
> Is it possible then to have part of the Slide tree go to the Tx store, so as
> to get around this limitation, and the rest go to a DB store?
> 
> Nick


Use Tx store for /users and /roles and DB store for rest ?

Posted by Nick Longinow <ni...@vanhooseassociates.com>.
Is it possible to do this? I am finding that the column length limitation
in Oracle is 4000 characters, which will limit the length of a property
string in the Properties table. So, you can not update the members of a
group (i.e., users) to have more than about 50 users (given the size of each
XML fragment representing a user member of the /roles/users group).

Is it possible then to have part of the Slide tree go to the Tx store, so as
to get around this limitation, and the rest go to a DB store?

Nick

-----Original Message-----
From: news [mailto:news@sea.gmane.org] On Behalf Of Morten
Sent: Tuesday, November 02, 2004 12:32 PM
To: slide-user@jakarta.apache.org
Subject: Re: Custom authorization and authentication best practices

lixin chu wrote:
> Sorry for not giving any answer - I actually have the
> same question.
> 
> I am thinking of a third option: let another application
> handle authentication and authorization.

I'm considering that also. I thought of putting Apache in front, and
implementing it using .htaccess but that doesn't scale well (too hard to
maintain).

I'm currently toying with an idea of implementing a ServletFilter and
putting that in front of the WebdavServlet, that is a non-intrusive and
somewhat clean approach where I can consider Slide a shrink-wrap
standalone product. If it's the best approach I don't know, that's still
to be determined. But do let me know what you end up doing, I'm curious!

Morten




Re: Custom authorization and authentication best practices

Posted by lixin chu <li...@yahoo.com>.
I have not started, just going through all the
documents I can find about Slide. I am still trying to
understand the basic concepts and architecture.

I am using Struts, Hibernate and the Spring framework. I am
developing a generic 'program' management application.
I already have a User and Role table managed by MySQL.

I have a securityfilter to handle the authentication;
after which it goes through the authorization process
to determine what the user can see/do - for example,
which menu items they can see (I am using Struts Menu
plus my own role-based permission adaptor to filter
the menu items).

Files are created for each program in a particular
department, and only the members of the program can
access the files.

The reasons why I am thinking of a separate RBAC (role
based access control) rather than using the Slide one
are:
1) I do not know how Slide can handle this model
2) I already have my authentication and authorization
mechanism, maybe it is easier for me to extend it to
support document management.
3) Will that be possible to keep a WebdavResource open
in the application context so I do not need to
open/close every time - since I can use one dedicated
user/passwd for all user requests? Will this improve
performance a little bit?


--- Morten <li...@kikobu.com> wrote:

> lixin chu wrote:
> > Sorry for not giving any answer - I actually have the
> > same question.
> >
> > I am thinking of a third option: let another application
> > handle authentication and authorization.
>
> I'm considering that also. I thought of putting Apache in front, and
> implementing it using .htaccess but that doesn't scale well (too hard to
> maintain).
>
> I'm currently toying with an idea of implementing a ServletFilter and
> putting that in front of the WebdavServlet, that is a non-intrusive and
> somewhat clean approach where I can consider Slide a shrink-wrap
> standalone product. If it's the best approach I don't know, that's still
> to be determined. But do let me know what you end up doing, I'm curious!
>
> Morten
> 


Re: Custom authorization and authentication best practices

Posted by Morten <li...@kikobu.com>.
lixin chu wrote:
> Sorry for not giving any answer - I actually have the
> same question.
> 
> I am thinking of a third option: let another application
> handle authentication and authorization.

I'm considering that also. I thought of putting Apache in front, and
implementing it using .htaccess but that doesn't scale well (too hard to
maintain).

I'm currently toying with an idea of implementing a ServletFilter and
putting that in front of the WebdavServlet, that is a non-intrusive and
somewhat clean approach where I can consider Slide a shrink-wrap
standalone product. If it's the best approach I don't know, that's still
to be determined. But do let me know what you end up doing, I'm curious!

Morten
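
Added example, not part of the original thread and not Slide code: one way the filter-in-front-of-WebdavServlet idea could answer the two questions from the first post, including the WebDAV detail that COPY and MOVE name a second resource in the Destination header. It assumes the javax.servlet API, HTTP Basic authentication carried over TLS, and a hypothetical `AccessStore` interface backed by the web-app's own user tables and published under a hypothetical context attribute `accessStore`; the class name `FolderAclFilter` is also made up.

```java
import java.io.IOException;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class FolderAclFilter implements Filter {
    /** Hypothetical bridge to the web-app's own user and permission store. */
    public interface AccessStore {
        boolean isValidUser(String user, String password);          // "Is user X with password Y a valid user?"
        boolean canAccess(String user, String path, boolean write); // "Can user X access folder Z?"
    }

    // Methods that only read the resource named in the request line (COPY reads its source).
    private static final Set<String> READS =
            new HashSet<>(Arrays.asList("GET", "HEAD", "OPTIONS", "PROPFIND", "COPY"));
    private AccessStore store;

    public void init(FilterConfig cfg) throws ServletException {
        // Assumption: the web-app registers its store as the context attribute "accessStore".
        store = (AccessStore) cfg.getServletContext().getAttribute("accessStore");
        if (store == null) throw new ServletException("accessStore not configured");
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String[] cred = basicCredentials(req.getHeader("Authorization"));
        if (cred == null || !store.isValidUser(cred[0], cred[1])) {
            res.setHeader("WWW-Authenticate", "Basic realm=\"repository\"");
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String method = req.getMethod().toUpperCase(Locale.ROOT);
        String ctx = req.getContextPath();
        String source = repoPath(req.getRequestURI(), ctx);
        // Any method not listed in READS (PUT, DELETE, MKCOL, LOCK, ...) is treated as a write.
        boolean ok = source != null && store.canAccess(cred[0], source, !READS.contains(method));
        // COPY and MOVE name a second resource in the Destination header; it is written to.
        if (ok && (method.equals("COPY") || method.equals("MOVE"))) {
            String dest = repoPath(req.getHeader("Destination"), ctx);
            ok = dest != null && store.canAccess(cred[0], dest, true);
        }
        if (!ok) { res.sendError(HttpServletResponse.SC_FORBIDDEN); return; }  // deny by default
        chain.doFilter(rq, rs);
    }

    public void destroy() { }

    private static String[] basicCredentials(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            String pair = new String(raw, StandardCharsets.UTF_8);
            int colon = pair.indexOf(':');
            return colon < 0 ? null : new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
        } catch (IllegalArgumentException malformed) { return null; }
    }

    /** Decoded path below the context root; null if it has dot segments or path parameters. */
    private static String repoPath(String uriOrPath, String ctx) {
        if (uriOrPath == null) return null;
        try {
            String path = new URI(uriOrPath).getPath();   // percent-decoding happens here
            if (path == null || !path.startsWith(ctx + "/")) return null;
            for (String seg : path.substring(ctx.length()).split("/")) {
                if (seg.equals(".") || seg.equals("..") || seg.indexOf(';') >= 0) return null;
            }
            return path.substring(ctx.length());
        } catch (URISyntaxException bad) { return null; }
    }
}
```

The filter has to be mapped to the same URL pattern as the WebDAV servlet so that no request reaches the servlet unchecked.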




Re: Custom authorization and authentication best practices

Posted by lixin chu <li...@yahoo.com>.
Sorry for not giving any answer - I actually have the
same question.

I am thinking of a third option: let another application
handle authentication and authorization.

My application handles role-based access control for
other resources - menu items for example. I am
thinking of extending this to manage the documents as
well.

But I do not know if it is an efficient option or not.


--- Morten <li...@kikobu.com> wrote:

> Hi.
> 
> I will be using Slide as a file system based content
> repository. It will 
> be part of a web-application which contains a UI to
> add/remove users and 
> set permissions at folder level.
> 
> This means I need to integrate Slide with my
> web-app. I see 2 possible 
> methods:
> 
> 1. Slide accesses an external data-source for
> authentication and 
> authorization, possibly via a custom plug-in (could
> be done using WCK, 
> but that impacts DeltaV).
> 
> 2. The users and permissions get set in Slide
> explicitly using an API 
> (pointers to which greatly appreciated).
> 
> Functionally, I need to be able to answer the
> questions "Is user X with 
> password Y a valid user?" and "Can user X access
> folder Z?"
> 
> Which of the above is the preferred approach and
> what is the "proper" 
> way to go about it? What's considered best
> practices? Studying WCK, 
> Realms, JAAS, Projector gives lots of options on
> authentication, but I 
> fail to find options for authorization.
> 
> Br,
> 
> Morten
> 