portals-jetspeed-dev mailing list archives

From Randy Watler <wat...@wispertel.net>
Subject Re: More ideas on security/permissions
Date Fri, 27 Jan 2006 14:40:19 GMT
David,

I am currently distracted getting maven2 into Jetspeed. If others have 
not managed to fit this in, I can look again perhaps next week or the 
following weekend. I appreciate the effort and understand why you are 
holding off.

I may be needing feedback on the packaging of J2 as I get to those areas 
of the build. I also may need to pick your brain on other aspects of the 
conversion if you don't mind... :-).

Thanks for the hard work so far!

Randy

David Jencks wrote:
> I have some more ideas on how the jetspeed permissions might be 
> changed so many fewer permission checks are needed.  However, before I 
> start working on them I really need to wait for JS2-475 to be 
> resolved.  I've now spent a lot of time redoing patches for 475 due 
> both to my own lack of care to save enough versions of my work and 
> overlapping patches and even more due to the code changing under my 
> patch and having to reimplement portions in the changed code.  I 
> believe the code in JS2-444 geronmo-jetspeed11.zip is current with 
> jetspeed source.  I may have trouble justifying much more time spent 
> keeping it up to date with source changes.
>
> So, my ideas:
>
> I think it is possible to combine PagePermission and FolderPermission 
> into one, perhaps PathPermission with slightly more complex patch 
> comparison operations.  I don't understand how FragmentPermission is 
> used well enough yet to have an idea as to whether FragmentPermission 
> can also use the same class.  The goal here is to construct a single 
> PathPermission for a request and evaluate it against the set of 
> PathPermissions for the user.  If we can test a PagePermission against 
> a FolderPermission then at least one fewer call into AccessController 
> will be needed if the access is granted by a FolderPermission rather 
> than a PagePermission.
>
> The other idea is that it should not be necessary to recursively check 
> folder view permissions down to the root.  This can be precomputed 
> statically before runtime so that the permissions set only includes 
> view permissions for which every folder on the path to the root has 
> view access.
>
> I've previously mentioned the possibility of converting the 
> constraints system to use masks rather than extensive string 
> manipulations, in line with the permissions changes in JS2-475.  On 
> the other hand there is a lot of duplicate logic between the 
> permissions and constraint security implementations and I wonder if it 
> would be possible to either base the logic decisions in the 
> constraints on permission instances or simply extend the permissions 
> system to have the same capabilities of the constraints system and use 
> only permissions.  Again, I can't really move forward on this until 
> JS2-475 is resolved.
>
> Many thanks,
> david jencks
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
> For additional commands, e-mail: jetspeed-dev-help@portals.apache.org
>
>
>


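
Added example, not part of the thread or of the Jetspeed source: a sketch of the precomputation idea in the quoted message, which filters a user's view grants ahead of time so that only paths whose every ancestor folder also has view access remain, leaving a single lookup at request time. The class name, method names and sample paths are hypothetical, and grants are modelled as exact path strings (folders end with "/").

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.TreeSet;

/** Hypothetical illustration of precomputed view access; not Jetspeed code. */
public class PrecomputedViewAccess {

    /** Keep only granted paths whose every ancestor folder, up to "/", is also granted. */
    static Set<String> effectiveView(Set<String> grantedView) {
        Set<String> effective = new TreeSet<>();
        for (String path : grantedView) {
            // Ignore malformed entries that are not absolute paths.
            if (path.startsWith("/") && ancestorsGranted(path, grantedView)) {
                effective.add(path);
            }
        }
        return effective;
    }

    /** Walk parent folders: "/a/b/page.psml" -> "/a/b/" -> "/a/" -> "/". */
    static boolean ancestorsGranted(String path, Set<String> granted) {
        for (String p = parent(path); p != null; p = parent(p)) {
            if (!granted.contains(p)) {
                return false; // one folder without view access hides everything below it
            }
        }
        return true;
    }

    /** Parent folder of a path, with trailing slash; null for the root. */
    static String parent(String path) {
        if (path.equals("/")) {
            return null;
        }
        String trimmed = path.endsWith("/") ? path.substring(0, path.length() - 1) : path;
        return trimmed.substring(0, trimmed.lastIndexOf('/') + 1);
    }

    public static void main(String[] args) {
        // Constructed sample grants for one user; "/admin/" itself is not granted.
        Set<String> granted = new HashSet<>(Arrays.asList(
                "/", "/public/", "/public/home.psml",
                "/admin/reports/", "/admin/reports/q1.psml"));
        Set<String> effective = effectiveView(granted); // done once, before request handling
        System.out.println(effective);
        // Request time: one membership test each, no recursive walk to the root.
        System.out.println(effective.contains("/public/home.psml"));
        System.out.println(effective.contains("/admin/reports/q1.psml"));
    }
}
```

The precomputed set has to be rebuilt whenever a folder grant changes, since revoking view on one folder removes every path beneath it.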

