portals-jetspeed-dev mailing list archives

From David Le Strat <dlest...@yahoo.com>
Subject Re: More ideas on security/permissions
Date Sat, 28 Jan 2006 18:37:52 GMT

All,

I will go ahead and commit J2-475 today.  I ran into a
couple unit test issues but should have this completed
today.  Thanks for all your hard work David.

Regards,

David Le Strat

--- David Jencks <david_jencks@yahoo.com> wrote:

> I have some more ideas on how the jetspeed permissions might be
> changed so many fewer permission checks are needed.  However, before
> I start working on them I really need to wait for JS2-475 to be
> resolved.  I've now spent a lot of time redoing patches for 475 due
> both to my own lack of care to save enough versions of my work and
> overlapping patches and even more due to the code changing under my
> patch and having to reimplement portions in the changed code.  I
> believe the code in JS2-444 geronmo-jetspeed11.zip is current with
> jetspeed source.  I may have trouble justifying much more time spent
> keeping it up to date with source changes.
> 
> So, my ideas:
> 
> I think it is possible to combine PagePermission and FolderPermission
> into one, perhaps PathPermission with slightly more complex patch
> comparison operations.  I don't understand how FragmentPermission is
> used well enough yet to have an idea as to whether FragmentPermission
> can also use the same class.  The goal here is to construct a single
> PathPermission for a request and evaluate it against the set of
> PathPermissions for the user.  If we can test a PagePermission
> against a FolderPermission then at least one fewer call into
> AccessController will be needed if the access is granted by a
> FolderPermission rather than a PagePermission.
> 
> The other idea is that it should not be necessary to recursively
> check folder view permissions down to the root.  This can be
> precomputed statically before runtime so that the permissions set
> only includes view permissions for which every folder on the path to
> the root has view access.
> 
> I've previously mentioned the possibility of converting the
> constraints system to use masks rather than extensive string
> manipulations, in line with the permissions changes in JS2-475.  On
> the other hand there is a lot of duplicate logic between the
> permissions and constraint security implementations and I wonder if
> it would be possible to either base the logic decisions in the
> constraints on permission instances or simply extend the permissions
> system to have the same capabilities of the constraints system and
> use only permissions.  Again, I can't really move forward on this
> until JS2-475 is resolved.
> 
> Many thanks,
> david jencks
> 


________________________
David Le Strat
Blogging @ http://dlsthoughts.blogspot.com
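
The two ideas in the quoted proposal, a single PathPermission whose implies() lets a page request match a folder grant and a precomputed check that a path is viewable all the way to the root, sketched in Java as an added example that is not part of this thread or of the Jetspeed code base. The class name follows the proposal; the "/-" subtree suffix, the VIEW/EDIT mask bits and the viewableToRoot helper are assumptions.

```java
import java.security.Permission;
import java.util.*;

// Added illustration, not Jetspeed code. PathPermission, the "/-" subtree suffix and
// the VIEW/EDIT mask bits are assumptions; paths are assumed to be normalized already.
public final class PathPermission extends Permission {
    public static final int VIEW = 1, EDIT = 2;
    private final String path;     // page or folder path, without the "/-" suffix
    private final boolean subtree; // true: covers the folder and everything below it
    private final int mask;
    public PathPermission(String name, int mask) {
        super(name);
        this.subtree = name.endsWith("/-");
        this.path = subtree ? name.substring(0, name.length() - 2) : name;
        this.mask = mask;
    }
    // One comparison covers both a page grant and a folder grant.
    @Override public boolean implies(Permission p) {
        if (!(p instanceof PathPermission)) return false;
        PathPermission o = (PathPermission) p;
        if ((mask & o.mask) != o.mask) return false; // every requested action must be granted
        if (subtree) return o.path.equals(path) || o.path.startsWith(path + "/");
        return !o.subtree && o.path.equals(path);
    }
    @Override public boolean equals(Object x) {
        return x instanceof PathPermission && mask == ((PathPermission) x).mask
                && getName().equals(((PathPermission) x).getName());
    }
    @Override public int hashCode() { return 31 * getName().hashCode() + mask; }
    @Override public String getActions() {
        return mask == 3 ? "view,edit" : mask == VIEW ? "view" : mask == EDIT ? "edit" : "";
    }
    // Precomputation: a path stays viewable only if every folder up to the root is.
    static boolean viewableToRoot(String path, Collection<PathPermission> grants) {
        for (int i = path.indexOf('/'); i >= 0; i = path.indexOf('/', i + 1))
            if (!granted(i == 0 ? "/" : path.substring(0, i), grants)) return false;
        return granted(path, grants);
    }
    private static boolean granted(String path, Collection<PathPermission> grants) {
        PathPermission wanted = new PathPermission(path, VIEW);
        return grants.stream().anyMatch(g -> g.implies(wanted));
    }
    public static void main(String[] args) {
        List<PathPermission> grants = List.of( // constructed sample grants
                new PathPermission("/", VIEW), new PathPermission("/docs/-", VIEW | EDIT),
                new PathPermission("/private/q1.psml", VIEW));
        System.out.println(viewableToRoot("/docs/hr/guide.psml", grants));
        System.out.println(viewableToRoot("/private/q1.psml", grants));
    }
}
```

In the sample grants the page under /private carries its own view grant but its parent folder does not, so the precomputed set would leave it out and no walk to the root is needed at request time.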
