That is a lot of Spring definitions. Frankly, I suspect that to use Acegi we would require something like CoWarp in front of it anyway. The thing is, we ended up writing something like Acegi for our use and it would be nice to use an open source framework instead.

I looked at CoWarp last night and I didn't see anything to support roles or permission.

Ralph

Leszek Gawron wrote:

Ralph Goers wrote:

The only concern I would have in bringing CoWarp into Cocoon (beside the name making me think it is an add-on for OS/2 :-) ) is that I'd want to evaluate it against using acegi as the "standard" authentication mechanism. Having said that, I have no familiarity with CoWarp and have only read some high level stuff about acegi, but from that reading it looks like a very robust framework. There was some discussion about it on the users list a few months ago http://marc.theaimsgroup.com/?t=111755000500004&r=1&w=2

Acegi is a very robust framework. Although the author states it could be used without Spring [1] he strongly encourages not to :). I quite got the point when I implemented the first application context which just secures a single method in a dummy business service:

<beans>
    <bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter"/>
    <bean id="accessDecisionManager" class="net.sf.acegisecurity.vote.AffirmativeBased">
        <property name="allowIfAllAbstainDecisions"><value>false</value></property>
        <property name="decisionVoters">
            <list>
                <ref bean="roleVoter"/>
            </list>
        </property>
    </bean>
    <bean id="authenticationDao" class="net.sf.acegisecurity.providers.dao.memory.InMemoryDaoImpl">
        <property name="userMap">
            <value>
                marissa=koala,ROLE_TELLER,ROLE_SUPERVISOR
                dianne=emu,ROLE_TELLER
                scott=wombat,ROLE_TELLER
                peter=opal,disabled,ROLE_TELLER
                ouzo=ouzo,ROLE_ADMIN
            </value>
        </property>
    </bean>
    <bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
        <property name="configLocation"><value>classpath:/ehcache-failsafe.xml</value></property>
    </bean>
    <bean id="userCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
        <property name="cacheManager"><ref local="cacheManager"/></property>
        <property name="cacheName"><value>userCache</value></property>
    </bean>
    <bean id="userCache" class="net.sf.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
        <property name="cache"><ref local="userCacheBackend"/></property>
    </bean>
    <bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
        <property name="authenticationDao"><ref bean="authenticationDao"/></property>
        <property name="userCache"><ref bean="userCache"/></property>
    </bean>
    <bean id="testingAuthenticationProvider" class="net.sf.acegisecurity.providers.TestingAuthenticationProvider"/>
    <bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
        <property name="providers">
            <list>
                <!-- ref bean="daoAuthenticationProvider"/ -->
                <ref bean="testingAuthenticationProvider"/>
            </list>
        </property>
    </bean>
    <bean id="beanSecurityInterceptor" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
        <property name="validateConfigAttributes"><value>true</value></property>
        <property name="authenticationManager"><ref bean="authenticationManager"/></property>
        <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
        <!-- property name="runAsManager"><ref bean="runAsManager"/></property -->
        <property name="objectDefinitionSource">
            <value>
                com.mobilebox.acegi.SecureBean.*=ROLE_ADMIN
            </value>
        </property>
    </bean>
    <bean id="autoProxyCreator" class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
        <property name="interceptorNames">
            <list>
                <idref local="beanSecurityInterceptor"/>
            </list>
        </property>
        <property name="beanNames">
            <list>
                <value>secureBean</value>
            </list>
        </property>
    </bean>
    <!-- 'application beans' -->
    <bean id="secureBean" class="com.mobilebox.acegi.SecureBeanImpl"/>
</beans>


This is ONLY business method security. "Basic" acegi sample has applicationContext.xml at least twice this big.

Thing is: even if it's possible to use it without Spring it will be a total hell to wrap everything as ECM components without Dependency Injection.

Still I would love to have a functionality that replaces ANT based request URI expressions:

    <bean id="channelProcessingFilter" class="net.sf.acegisecurity.securechannel.ChannelProcessingFilter">
        <property name="channelDecisionManager"><ref local="channelDecisionManager"/></property>
        <property name="filterInvocationDefinitionSource">
            <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                \A/secure/.*\Z=REQUIRES_SECURE_CHANNEL
                \A/acegilogin.jsp.*\Z=REQUIRES_SECURE_CHANNEL
                \A/j_acegi_security_check.*\Z=REQUIRES_SECURE_CHANNEL
                \A.*\Z=REQUIRES_INSECURE_CHANNEL
            </value>
        </property>
    </bean>
    <bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
        <property name="authenticationManager"><ref bean="authenticationManager"/></property>
        <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
        <property name="objectDefinitionSource">
            <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT
                /index.jsp=ROLE_ANONYMOUS,ROLE_USER
                /hello.htm=ROLE_ANONYMOUS,ROLE_USER
                /logoff.jsp=ROLE_ANONYMOUS,ROLE_USER
                /acegilogin.jsp*=ROLE_ANONYMOUS,ROLE_USER
                /**=ROLE_USER
            </value>
        </property>
    </bean>


and integrates it with our sitemap and pipelines definitions.

[1] http://acegisecurity.sourceforge.net/standalone.html
[2] http://acegisecurity.sourceforge.net/index.html
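
An added example, not part of the original thread and not Acegi code: a small Python model of how the filterInvocationInterceptor rules quoted above are evaluated, assuming Acegi's ordered first-match lookup and a RoleVoter under AffirmativeBased with allowIfAllAbstainDecisions=false. The function names, the simplified Ant matcher and the CATCH_ALL_FIRST variant are hypothetical.

```python
import re

# Rules copied from the filterInvocationInterceptor objectDefinitionSource above.
RULES = """
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/index.jsp=ROLE_ANONYMOUS,ROLE_USER
/hello.htm=ROLE_ANONYMOUS,ROLE_USER
/logoff.jsp=ROLE_ANONYMOUS,ROLE_USER
/acegilogin.jsp*=ROLE_ANONYMOUS,ROLE_USER
/**=ROLE_USER
"""
# Constructed misordering: the catch-all is listed before the specific rules.
CATCH_ALL_FIRST = RULES.replace("/index.jsp=", "/**=ROLE_USER\n/index.jsp=", 1)

def ant_to_regex(pattern):
    # Simplified Ant matcher (assumption): ** crosses '/', * and ? do not.
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] in "*?":
            out.append("[^/]*" if pattern[i] == "*" else "[^/]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("".join(out) + r"\Z")

def parse(text):
    lower, rules = False, []
    for line in (l.strip() for l in text.splitlines()):
        if line == "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON":
            lower = True
        elif "=" in line:
            pattern, attrs = line.rsplit("=", 1)
            rules.append((ant_to_regex(pattern), attrs.split(",")))
    return lower, rules

def decide(authorities, attrs, allow_if_all_abstain=False):
    # One RoleVoter under AffirmativeBased: it votes only on ROLE_ attributes.
    role_attrs = [a for a in attrs if a.startswith("ROLE_")]
    if not role_attrs:
        return allow_if_all_abstain  # every voter abstained
    return any(a in authorities for a in role_attrs)

def is_allowed(url, authorities, rules_text=RULES):
    lower, rules = parse(rules_text)
    url = url.lower() if lower else url
    for regex, attrs in rules:
        if regex.match(url):
            # First match wins, so the order of the rules is part of the policy.
            return decide(set(authorities), attrs)
    return True  # no rule matched: treated as a public resource
```

With the catch-all moved to the top, an anonymous user can no longer reach the login page, which is why `/**=ROLE_USER` has to stay last.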
