portals-jetspeed-dev mailing list archives

From David Jencks <david_jen...@yahoo.com>
Subject More ideas on security/permissions
Date Fri, 27 Jan 2006 08:06:44 GMT
I have some more ideas on how the jetspeed permissions might be  
changed so many fewer permission checks are needed.  However, before  
I start working on them I really need to wait for JS2-475 to be  
resolved.  I've now spent a lot of time redoing patches for 475  due  
both to my own lack of care to save enough versions of my work and  
overlapping patches and even more due to the code changing under my  
patch and having to reimplement portions in the changed code.  I  
believe the code in JS2-444 geronmo-jetspeed11.zip is current with
jetspeed source.  I may have trouble justifying much more time spent
keeping it up to date with source changes.

So, my ideas:

I think it is possible to combine PagePermission and FolderPermission  
into one, perhaps PathPermission with slightly more complex patch  
comparison operations.  I don't understand how FragmentPermission is  
used well enough yet to have an idea as to whether FragmentPermission  
can also use the same class.  The goal here is to construct a single  
PathPermission for a request and evaluate it against the set of  
PathPermissions for the user.  If we can test a PagePermission  
against a FolderPermission then at least one fewer call into  
AccessController will be needed if the access is granted by a  
FolderPermission rather than a PagePermission.

The other idea is that it should not be necessary to recursively  
check folder view permissions down to the root.  This can be  
precomputed statically before runtime so that the permissions set  
only includes view permissions for which every folder on the path to  
the root has view access.

I've previously mentioned the possibility of converting the  
constraints system to use masks rather than extensive string  
manipulations, in line with the permissions changes in JS2-475.  On  
the other hand there is a lot of duplicate logic between the  
permissions and constraint security implementations and I wonder if  
it would be possible to either base the logic decisions in the  
constraints on permission instances or simply extend the permissions  
system to have the same capabilities of the constraints system and  
use only permissions.  Again, I can't really move forward on this  
until JS2-475 is resolved.

Many thanks,
david jencks
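
An added sketch of the two ideas in this message (not code from the message, from JS2-475 or from Jetspeed): a single hypothetical `PathPermission` whose `implies` answers for both page and folder grants, plus a precomputation that drops view grants whose ancestor folders are not all viewable. The `/-` subtree suffix, the mask bits, `effectiveViews` and the sample paths are assumptions made for illustration.

```java
import java.security.Permission;
import java.util.*;
// Hypothetical sketch of the proposed PathPermission; not Jetspeed code.
public final class PathPermission extends Permission {
    static final int VIEW = 1, EDIT = 2; // assumed action mask bits
    private final int mask;
    PathPermission(String path, int mask) { super(path); this.mask = mask; }
    // A grant ending in "/-" is a folder grant over its subtree (assumed
    // convention, as in java.io.FilePermission); any other grant names one
    // path. Paths are assumed to be normalized already (no ".." segments).
    @Override public boolean implies(Permission p) {
        if (!(p instanceof PathPermission)) return false;
        PathPermission req = (PathPermission) p;
        if ((mask & req.mask) != req.mask) return false;
        String g = getName(), r = req.getName();
        return g.endsWith("/-") ? r.startsWith(g.substring(0, g.length() - 1)) : g.equals(r);
    }
    @Override public boolean equals(Object o) {
        return o instanceof PathPermission && ((PathPermission) o).mask == mask
            && ((PathPermission) o).getName().equals(getName());
    }
    @Override public int hashCode() { return 31 * getName().hashCode() + mask; }
    @Override public String getActions() {
        String edit = (mask & EDIT) != 0 ? "edit" : "";
        return (mask & VIEW) == 0 ? edit : edit.isEmpty() ? "view" : "view,edit";
    }
    // Precompute before runtime: keep a view grant only when every folder
    // between it and the root is viewable, so no recursive check is needed.
    static List<PathPermission> effectiveViews(Set<String> viewable) {
        List<PathPermission> out = new ArrayList<>();
        for (String path : viewable) {
            boolean ok = viewable.contains("/");
            for (int i = path.lastIndexOf('/'); ok && i > 0; i = path.lastIndexOf('/', i - 1))
                ok = viewable.contains(path.substring(0, i));
            if (ok) out.add(new PathPermission(path, VIEW));
        }
        return out;
    }
    public static void main(String[] args) {
        List<PathPermission> granted = effectiveViews(new HashSet<>(Arrays.asList(
            "/", "/docs", "/docs/index.psml", "/private/secret.psml"))); // constructed sample
        granted.add(new PathPermission("/docs/-", EDIT)); // folder grant, edit only
        PathPermission[] requests = { new PathPermission("/docs/index.psml", VIEW),
            new PathPermission("/docs/index.psml", EDIT), new PathPermission("/private/secret.psml", VIEW) };
        for (PathPermission req : requests)
            System.out.println(req.getName() + " " + req.getActions() + " -> "
                + granted.stream().anyMatch(g -> g.implies(req)));
    }
}
```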
