Ben,
Thanks for the feedback. Here are the responses to your questions and
comments:
- I'll start working on updating to 0.9.0 next month. We are close to a
deployment of our own and I don't want to start refactoring until after
that.
- PortletSessionContextIntegrationInterceptor is in the zip file in the
net.sf.acegisecurity.context package.
PortletSecurityEnforcementInterceptor was intentionally excluded because
my implementation is not mature enough yet. I have removed the
reference to it from the app-context-examples.txt file.
- You are correct that the portlet container performs the authentication
and then provides a String username to portlets running within the
portlet container. It is very similar to CAS and X509 and I modeled the
code after those two quite a bit. Unfortunately, the JSR-168 spec
completely delegates the authentication to the portlet-container and
does not provide a standard way to plug an authentication mechanism into
it. Of course, a portlet container implementation could use Acegi
directly (I believe that the Gridsphere team is considering this in the
near future). I have not created a default implementation of
PortletAuthoritiesPopulator at this point. The only authorities
mechanism in JSR-168 is the same isUserInRole method as in the Servlet
spec. I suppose we could create a default PortletAuthoritiesPopulator
that could be configured with a list of roles to check.
- I have not yet created any unit tests directly for these classes. We
have unit tests in our application that test higher-level services that
depend on these, but they are obviously out-of-scope for Acegi itself.
I will work on creating some unit tests after I have updated to 0.9.0
next month.
I'll keep you posted on my progress. Thanks again!
John
Ben Alex wrote:
John Lewis wrote:
I'm very interested in your feedback. When you get a chance to take
a look at it all, let me know what you think.
Hi John
Thanks for contributing this code. I just had a quick look, and have a
couple of questions and comments:
- Could you make it compatible with 0.9.0 snapshot? I notice you're
using the <= 0.8.3 context management code, which has been refactored.
- PortletSecurityEnforcementInterceptor and the
PortletSessionContextIntegrationInterceptor do not appear to be in the
ZIP file.
- Am I correct in reading the code that the portlet container performs
the authentication, which yields a String-based username, and your
classes implement a PortletAuthoritiesPopulator (like CAS and X509)?
If so, is there scope to plug in Acegi Security so that the portlet
container can use our AuthenticationManager? Also, is there a default
implementation of PortletAuthoritiesPopulator?
- Are there any unit tests available?
Cheers
Ben
-------------------------------------------------------
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server.
Download it for free - -and be entered to win a 42" plasma tv or your
very
own Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php
_______________________________________________
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
-------------------------------------------------------
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server.
Download it for free - -and be entered to win a 42" plasma tv or your very
own Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php
_______________________________________________
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
