+1 to merge this work into continuum/trunk - Joakim
Jesse McConnell wrote:
> Over the course of the past 3 weeks I've worked with joakim on the
> plexus-security effort to bring rbac based security to Archiva.
> We succeeded.
>
> Last Friday (or so) I took the continuum/trunk and created the
> rbac-integration branch.
> I wanted to test the integration of rbac based security, using
> the plexus-security project, into continuum.
>
> It integrated beautifully, without a whole lot of work, in record
> time, and is pretty functional now ...
>
> Some of the fun things that plexus-security brings with it are:
>
> * full separation between application webapp and security (lightweight
>   integration).
> * proper modularization for security components (authentication,
>   authorization, policy, system, web, etc...)
> * rbac (role based access control) authorization provider.
> * full user management war overlay (using healthy chunk of maven-user
>   to make it happen)
> * toggle-able guest user authorization.
> * remember me and single sign on authentication.
> * forced admin account creation (through use of interceptor)
> * key based authentication (remember me, single sign on, new user
>   validation emails, and password resets).
> * http auth filters (basic and digest).
> * aggressive plexus utilization.
> * aggressive xwork / webwork integration.
> * xwork interceptors for force admin, auto login (remember me),
>   secured action, and environment checks.
> * secured actions for all of the /security namespace and at least one
>   continuum secured action (these are enforced by the
>   pssSecureActionInterceptor)
> * all the password validation, user management stuff (again maven-user
>   origins)
> * continuum-security artifact containing the actual static and dynamic
>   roles, and a continuum role manager that merges permissions to the
>   core system, user, and guest users
> * ifAuthorized, ifAnyAuthorized, elseAuthorized jsp tags.
> * placeholders for ldap authentication, authorization and user details
>   retrieval using plexus ldap components
> * ability to re-use Acegi for authentication
>
> I think it is very usable now, it's a matter of some jsp and action
> work to clean up some things and hide some other knobs and buttons.
>
> I'd like to get feedback and discussion from the others here about the
> implementation, and consider a vote to merge it to trunk after that. I
> believe it is stable enough to move forward with.
>
> jesse